idnits 2.17.1

draft-ietf-radius-auth-clientmib-00.txt:
  ** The Abstract section seems to be numbered

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.
     Expected boilerplate is as follows today (2024-04-24) according to
     https://trustee.ietf.org/license-info :

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:

         This Internet-Draft is submitted in full conformance with the
         provisions of BCP 78 and BCP 79.

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:

         Copyright (c) 2024 IETF Trust and the persons identified as the
         document authors. All rights reserved.

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:

         This document is subject to BCP 78 and the IETF Trust's Legal
         Provisions Relating to IETF Documents
         (https://trustee.ietf.org/license-info) in effect on the date of
         publication of this document. Please review these documents
         carefully, as they describe your rights and restrictions with respect
         to this document. Code Components extracted from this document must
         include Simplified BSD License text as described in Section 4.e of
         the Trust Legal Provisions and are provided without warranty as
         described in the Simplified BSD License.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  == The page length should not exceed 58 lines per page, but there was 10
     longer pages, the longest (page 2) being 66 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 10 pages

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** There are 110 instances of too long lines in the document, the longest
     one being 11 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 13 has weird spacing: '...), its areas...'

  == Line 14 has weird spacing: '... its worki...'

  == Line 18 has weird spacing: '... and may ...'

  == Line 19 has weird spacing: '...afts as refer...'

  == Line 22 has weird spacing: '... To learn...'

  == (32 more instances...)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (9 August 1997) is 9755 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '2' is defined on line 401, but no explicit reference
     was found in the text

  == Unused Reference: '3' is defined on line 404, but no explicit reference
     was found in the text

  == Unused Reference: '4' is defined on line 407, but no explicit reference
     was found in the text

  == Unused Reference: '5' is defined on line 412, but no explicit reference
     was found in the text

  == Unused Reference: '6' is defined on line 417, but no explicit reference
     was found in the text

  == Unused Reference: '7' is defined on line 423, but no explicit reference
     was found in the text

  == Unused Reference: '8' is defined on line 428, but no explicit reference
     was found in the text

  == Unused Reference: '9' is defined on line 434, but no explicit reference
     was found in the text

  == Unused Reference: '10' is defined on line 439, but no explicit reference
     was found in the text

  == Unused Reference: '11' is defined on line 444, but no explicit reference
     was found in the text

  == Unused Reference: '12' is defined on line 450, but no explicit reference
     was found in the text

  == Unused Reference: '13' is defined on line 456, but no explicit reference
     was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  ** Obsolete normative reference: RFC 2139 (ref. '2') (Obsoleted by RFC 2866)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-radius-ext-00

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-radius-ext (ref. '3')

  -- Possible downref: Non-RFC (?) normative reference: ref. '4'

  ** Downref: Normative reference to an Historic RFC: RFC 1901 (ref. '5')

  ** Obsolete normative reference: RFC 1902 (ref. '6') (Obsoleted by RFC 2578)

  ** Obsolete normative reference: RFC 1903 (ref. '7') (Obsoleted by RFC 2579)

  ** Obsolete normative reference: RFC 1904 (ref. '8') (Obsoleted by RFC 2580)

  ** Obsolete normative reference: RFC 1905 (ref. '9') (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 1906 (ref. '10') (Obsoleted by RFC
     3417)

  ** Obsolete normative reference: RFC 1907 (ref. '11') (Obsoleted by RFC
     3418)

  ** Obsolete normative reference: RFC 1908 (ref. '12') (Obsoleted by RFC
     2576)

  ** Downref: Normative reference to an Historic RFC: RFC 1909 (ref. '13')

     Summary: 22 errors (**), 0 flaws (~~), 21 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     RADIUS Working Group                                     Bernard Aboba
3     INTERNET-DRAFT                                               Microsoft
4     Category: Standards Track                                    Glen Zorn
5                                                                  Microsoft
6                                                              9 August 1997

8                        RADIUS Authentication Client MIB

10    1. Status of this Memo

12    This document is an Internet-Draft. Internet-Drafts are working docu-
13    ments of the Internet Engineering Task Force (IETF), its areas, and
14    its working groups. Note that other groups may also distribute work-
15    ing documents as Internet-Drafts.

17    Internet-Drafts are draft documents valid for a maximum of six months
18    and may be updated, replaced, or obsoleted by other documents at any
19    time. It is inappropriate to use Internet-Drafts as reference mate-
20    rial or to cite them other than as ``work in progress.''

22    To learn the current status of any Internet-Draft, please check the
23    ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
24    Directories on ds.internic.net (US East Coast), nic.nordu.net
25    (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

27    The distribution of this memo is unlimited. It is filed as , and expires February 1, 1998.

29    Please send comments to the authors.

31    2. Abstract

33    This memo defines a set of extensions which instrument RADIUS authen-
34    tication client functions. These extensions represent a portion of the
35    Management Information Base (MIB) for use with network management pro-
36    tocols in the Internet community. Using these extensions IP-based
37    management stations can manage RADIUS authentication clients.

39    3. Introduction

41    This memo defines a portion of the Management Information Base (MIB)
42    for use with network management protocols in the Internet community.
43    In particular, it describes managed objects used for managing RADIUS
44    authentication clients.

46    Today a wide range of network devices, including routers and NASes,
47    act as RADIUS authentication clients in order to provide authentica-
48    tion and authorization services. As a result, the effective management
49    of RADIUS authentication clients is of considerable importance.

51    4. The SNMPv2 Network Management Framework

53    The SNMPv2 Network Management Framework consists of four major compo-
54    nents. They are:

56       o RFC 1902 which defines the SMI, the mechanisms used for
57         describing and naming objects for the purpose of management.

59       o RFC 1905 which defines the protocol used for network access to
60         managed objects.

62       o RFC 1907 which defines the core set of managed objects for the
63         Internet suite of protocols.

65       o RFC 1909 which defines the administrative aspects of the
66         framework.

68    The Framework permits new objects to be defined for the purpose of
69    experimentation and evaluation.

71    4.1. Object Definitions

73    Managed objects are accessed via a virtual information store, termed
74    the Management Information Base or MIB. Objects in the MIB are
75    defined using the subset of Abstract Syntax Notation One (ASN.1)
76    defined in the SMI. In particular, each object type is named by
77    an OBJECT IDENTIFIER, an administratively assigned name. The object
78    type together with an object instance serves to uniquely identify a
79    specific instantiation of the object. For human convenience, we often
80    use a textual string, termed the descriptor, to refer to the object
81    type.

83    5. Overview

85    The RADIUS authentication protocol, described in [1], distinguishes
86    between the client function and the server function. In RADIUS authen-
87    tication, clients send Access-Requests, and servers reply with Access-
88    Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices
89    implement the client function, and thus would be expected to implement
90    the RADIUS authentication client MIB, while RADIUS authentication
91    servers implement the server function, and thus would be expected to
92    implement the RADIUS authentication server MIB.

94    However, it is possible for a RADIUS authentication entity to perform
95    both client and server functions. For example, a RADIUS proxy may act
96    as a server to one or more RADIUS authentication clients, while simul-
97    taneously acting as an authentication client to one or more authenti-
98    cation servers. In such situations, it is expected that RADIUS enti-
99    ties combining client and server functionality will support both the
100   client and server MIBs.

102   5.1. Selected objects
103   This MIB module contains two scalars as well as a single table:

105   (1) the RADIUS Authentication Server Table contains one row for each
106       RADIUS authentication server that the client shares a secret with.

108   Each entry in the RADIUS Authentication Server Table includes thirteen
109   entries presenting a view of the activity of the RADIUS authentication
110   client.

112   6. Definitions

114   RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

116   IMPORTS
117          MODULE-IDENTITY, OBJECT-TYPE,
118          OBJECT-IDENTITY, experimental,
119          Counter32, Gauge32, Integer32,
120          IpAddress, TimeTicks               FROM SNMPv2-SMI
121          TEXTUAL-CONVENTION, RowStatus,
122          TruthValue, DisplayString          FROM SNMPv2-TC
123          MODULE-COMPLIANCE, OBJECT-GROUP    FROM SNMPv2-CONF;

125   radius OBJECT-IDENTITY
126          STATUS current
127          DESCRIPTION
128                "The OID assigned to RADIUS MIB work by the IANA."
129          ::= { experimental 79 }

131   radiusAuthentication  OBJECT IDENTIFIER ::= {radius 1}

133   radiusAuthClientMIB MODULE-IDENTITY
134          LAST-UPDATED "9708211659Z"
135          ORGANIZATION "IETF RADIUS Working Group."
136          CONTACT-INFO
137                 " Bernard Aboba
138                   Microsoft
139                   One Microsoft Way
140                   Redmond, WA  98052
141                   US

143                   Phone: +1 425 936 6605
144                   EMail: bernarda@microsoft.com"
145          DESCRIPTION
146                "The MIB module for entities implementing the client side of
147                 the Remote Access Dialin User Service (RADIUS) authentication
148                 protocol."
149          ::= { radiusAuthentication 2 }

151   radiusAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }

153   radiusAuthClient  OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }
154   radiusAuthClientInvalidServerAddresses OBJECT-TYPE
155          SYNTAX Counter32
156          MAX-ACCESS read-only
157          STATUS current
158          DESCRIPTION
159                "The total number of RADIUS Access-Response packets
160                 received from unknown addresses since client start-up."
161          ::= { radiusAuthClient 1 }

163   radiusAuthClientIdentifier OBJECT-TYPE
164          SYNTAX DisplayString
165          MAX-ACCESS read-only
166          STATUS current
167          DESCRIPTION
168                "The NAS-Identifier of the RADIUS authentication client."
169          ::= { radiusAuthClient 2 }

171   radiusAuthServerTable OBJECT-TYPE
172          SYNTAX     SEQUENCE OF RadiusAuthServerEntry
173          MAX-ACCESS not-accessible
174          STATUS     current
175          DESCRIPTION
176                "The (conceptual) table listing the RADIUS authentication
177                 servers with which the client shares a secret."
178          ::= { radiusAuthClient 3 }

180   radiusAuthServerEntry OBJECT-TYPE
181          SYNTAX     RadiusAuthServerEntry
182          MAX-ACCESS not-accessible
183          STATUS     current
184          DESCRIPTION
185                "An entry (conceptual row) representing a RADIUS
186                 authentication server with which the client shares a secret."
187          INDEX      { radiusAuthServerIndex }
188          ::= { radiusAuthServerTable 1 }

190   RadiusAuthServerEntry ::= SEQUENCE {
191          radiusAuthServerIndex                           Integer32,
192          radiusAuthServerAddress                         IpAddress,
193          radiusAuthClientRoundTripTime                   TimeTicks,
194          radiusAuthClientAccessRequests                  Counter32,
195          radiusAuthClientAccessRetransmissions           Counter32,
196          radiusAuthClientAccessAccepts                   Counter32,
197          radiusAuthClientAccessRejects                   Counter32,
198          radiusAuthClientAccessChallenges                Counter32,
199          radiusAuthClientMalformedAccessResponses        Counter32,
200          radiusAuthClientAuthenticationBadAuthenticators Counter32,
201          radiusAuthClientAuthenticationPendingRequests   Counter32,
202          radiusAuthClientAuthenticationTimeouts          Counter32,
203          radiusAuthClientUnknownType                     Counter32
204   }

206   radiusAuthServerIndex OBJECT-TYPE
207          SYNTAX     Integer32
208          MAX-ACCESS not-accessible
209          STATUS     current
210          DESCRIPTION
211                "The RADIUS authentication server with which
212                 the client interacts."
213          ::= { radiusAuthServerEntry 1 }

215   radiusAuthServerAddress OBJECT-TYPE
216          SYNTAX     IpAddress
217          MAX-ACCESS read-only
218          STATUS     current
219          DESCRIPTION
220                "The IP address of the RADIUS authentication server
221                 referred to in this table entry."
222          ::= { radiusAuthServerEntry 2 }

224   radiusAuthClientRoundTripTime OBJECT-TYPE
225          SYNTAX TimeTicks
226          MAX-ACCESS read-only
227          STATUS current
228          DESCRIPTION
229                "The total roundtrip time of the last packet sent
230                 between the authentication client and the RADIUS server
231                 referred to in this table entry."
232          ::= { radiusAuthServerEntry 3 }

234   radiusAuthClientAccessRequests OBJECT-TYPE
235          SYNTAX Counter32
236          MAX-ACCESS read-only
237          STATUS current
238          DESCRIPTION
239                "The total number of RADIUS Access-Request packets sent
240                 to this server since client start-up. This does not
241                 include retransmissions."
242          ::= { radiusAuthServerEntry 4 }

244   radiusAuthClientAccessRetransmissions OBJECT-TYPE
245          SYNTAX Counter32
246          MAX-ACCESS read-only
247          STATUS current
248          DESCRIPTION
249                "The total number of RADIUS Access-Request packets
250                 retransmitted to the same server since client start-up."
251          ::= { radiusAuthServerEntry 5 }

253   radiusAuthClientAccessAccepts OBJECT-TYPE
254          SYNTAX Counter32
255          MAX-ACCESS read-only
256          STATUS current
257          DESCRIPTION
258                "The total number of RADIUS Access-Accept packets
259                 received from this server since client start-up."
260          ::= { radiusAuthServerEntry 6 }

262   radiusAuthClientAccessRejects OBJECT-TYPE
263          SYNTAX Counter32
264          MAX-ACCESS read-only
265          STATUS current
266          DESCRIPTION
267                "The total number of RADIUS Access-Reject packets
268                 received from this server since client start-up."
269          ::= { radiusAuthServerEntry 7 }

271   radiusAuthClientAccessChallenges OBJECT-TYPE
272          SYNTAX Counter32
273          MAX-ACCESS read-only
274          STATUS current
275          DESCRIPTION
276                "The total number of RADIUS Access-Challenge packets
277                 received from this server since client start-up."
278          ::= { radiusAuthServerEntry 8 }

280   -- "Access-Response" includes an Access-Accept, Access-Challenge
281   -- or Access-Reject

283   radiusAuthClientMalformedAccessResponses OBJECT-TYPE
284          SYNTAX Counter32
285          MAX-ACCESS read-only
286          STATUS current
287          DESCRIPTION
288                "The total number of malformed RADIUS Access-Response
289                 packets received from this server since client
290                 start-up. Bad authenticators are not included as
291                 malformed access responses."
292          ::= { radiusAuthServerEntry 9 }

294   radiusAuthClientAuthenticationBadAuthenticators OBJECT-TYPE
295          SYNTAX Counter32
296          MAX-ACCESS read-only
297          STATUS current
298          DESCRIPTION
299                "The total number of RADIUS Access-Response packets
300                 containing invalid authenticators received from this server
301                 since client start-up."
302          ::= { radiusAuthServerEntry 10 }

304   radiusAuthClientAuthenticationPendingRequests OBJECT-TYPE
305          SYNTAX Counter32
306          MAX-ACCESS read-only
307          STATUS current
308          DESCRIPTION
309                "The total number of RADIUS Access-Request packets
310                 destined for this server that have not yet timed out
311                 or received a response. This variable is incremented
312                 when an Access-Request is sent and decremented due to
313                 a timeout or retransmission."
314          ::= { radiusAuthServerEntry 11 }

316   radiusAuthClientAuthenticationTimeouts OBJECT-TYPE
317          SYNTAX Counter32
318          MAX-ACCESS read-only
319          STATUS current
320          DESCRIPTION
321                "The total number of authentication timeouts to this server
322                 since client startup. After a timeout the client may
323                 retry to the same server, send to a different server, or
324                 give up. A retry to the same server is counted as a
325                 retransmit as well as a timeout. A send to a different
326                 server is counted as a Request as well as a timeout."
327          ::= { radiusAuthServerEntry 12 }

329   radiusAuthClientUnknownType OBJECT-TYPE
330          SYNTAX Counter32
331          MAX-ACCESS read-only
332          STATUS current
333          DESCRIPTION
334                "The total number of RADIUS packets of unknown type which
335                 were received from this server on the authentication port
336                 since client start-up."
337          ::= { radiusAuthServerEntry 13 }

339   -- conformance information

341   radiusAuthClientMIBConformance
342                 OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
343   radiusAuthClientMIBCompliances
344                 OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
345   radiusAuthClientMIBGroups
346                 OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }

348   -- compliance statements

350   radiusAuthClientMIBCompliance MODULE-COMPLIANCE
351        STATUS  current
352        DESCRIPTION
353              "The compliance statement for authentication clients
354               implementing the RADIUS Authentication Client MIB."
355        MODULE  -- this module
356               MANDATORY-GROUPS { radiusAuthClientMIBGroup }

358        ::= { radiusAuthClientMIBCompliances 1 }

360   -- units of conformance

362   radiusAuthClientMIBGroup OBJECT-GROUP
363        OBJECTS { radiusAuthClientInvalidServerAddresses,
364                  radiusAuthServerAddress,
365                  radiusAuthClientRoundTripTime,
366                  radiusAuthClientAccessRequests,
367                  radiusAuthClientAccessRetransmissions,
368                  radiusAuthClientAccessAccepts,
369                  radiusAuthClientAccessRejects,
370                  radiusAuthClientAccessChallenges,
371                  radiusAuthClientMalformedAccessResponses,
372                  radiusAuthClientAuthenticationBadAuthenticators,
373                  radiusAuthClientAuthenticationPendingRequests,
374                  radiusAuthClientAuthenticationTimeouts,
375                  radiusAuthClientUnknownType
376                }
377        STATUS  current
378        DESCRIPTION
379              "The basic collection of objects providing management of
380               RADIUS Authentication Clients."
381        ::= { radiusAuthClientMIBGroups 1 }

383   END

385   7. Security considerations

387   All MIB variables described in this document are read-only.

389   8. Acknowledgments

391   Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT,
392   Carl Rigney of Livingston and Peter Heitman of American Internet Cor-
393   poration for useful discussions of this problem space.

395   9. References

397   [1] C. Rigney, A. Rubens, W. Simpson, S. Willens. "Remote Authenti-
398   cation Dial In User Service (RADIUS)." RFC 2138, Livingston, Merit,
399   Daydreamer, April, 1997.

401   [2] C. Rigney. "RADIUS Authentication." RFC 2139, Livingston, April,
402   1997.

404   [3] C. Rigney, W. Willats. "RADIUS Extensions." draft-ietf-radius-
405   ext-00.txt, Livingston, January, 1997.

407   [4] "Information processing systems - Open Systems Interconnection -
408   Specification of Abstract Syntax Notation One (ASN.1)", International
409   Organization for Standardization, International Standard 8824, Decem-
410   ber 1987.

412   [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc-
413   tion to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., Cisco
414   Systems, Dover Beach Consulting, Inc., International Network Services,
415   January, 1996.

417   [6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
418   of Management Information for Version 2 of the Simple Network
419   Management Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco
420   Systems, Dover Beach Consulting, Inc., International Network Services,
421   January, 1996.

423   [7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
424   Conventions for version 2 of the Simple Network Management Proto-
425   col (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Dover
426   Beach Consulting, Inc., International Network Services, January, 1996.

428   [8] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Confor-
429   mance Statements for version 2 of the Simple Network Management
430   Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems,
431   Dover Beach Consulting, Inc., International Network Services, January,
432   1996.

434   [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
435   Operations for Version 2 of the Simple Network Management Protocol
436   (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Dover Beach
437   Consulting, Inc., International Network Services, January, 1996.

439   [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
440   Mappings for Version 2 of the Simple Network Management Protocol
441   (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Dover Beach
442   Consulting, Inc., International Network Services, January, 1996.

444   [11] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Manage-
445   ment Information Base for Version 2 of the Simple Network Management
446   Protocol (SNMPv2)", RFC 1907, SNMP Research, Inc., Cisco Systems,
447   Dover Beach Consulting, Inc., International Network Services, January,
448   1996.

450   [12] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Coexis-
451   tence between Version 1 and Version 2 of the Internet-standard Network
452   Management Framework", RFC 1908, SNMP Research, Inc., Cisco Systems,
453   Dover Beach Consulting, Inc., International Network Services, January,
454   1996.

456   [13] McCloghrie, K., "An Administrative Infrastructure for SNMPv2",
457   RFC 1909, Cisco Systems, February, 1996.

459   10. Authors' Addresses

461   Bernard Aboba
462   Microsoft Corporation
463   One Microsoft Way
464   Redmond, WA 98052

466   Phone: 425-936-6605
467   EMail: bernarda@microsoft.com

469   Glen Zorn
470   Microsoft Corporation
471   One Microsoft Way
472   Redmond, WA 98052

474   Phone: 425-703-1559
475   EMail: glennz@microsoft.com
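
Added example (not part of the draft and not any implementation's code): a monitoring sketch for the counters defined in section 6, showing how a management station can compare two polls of radiusAuthClientInvalidServerAddresses and the per-server columns, allowing for Counter32 wrap, and report the increases a defender cares about. Assumptions: the input lines mirror net-snmp's numeric walk output, the sample polls are constructed, and the function names and thresholds are hypothetical.

```python
# Added example, not part of the draft. OID arcs follow the MIB text:
# experimental (1.3.6.1.3) 79 = radius, radiusAuthentication 1,
# radiusAuthClientMIB 2, radiusAuthClientMIBObjects 1, radiusAuthClient 1.
CLIENT = "1.3.6.1.3.79.1.2.1.1"
ENTRY = CLIENT + ".3.1"  # radiusAuthServerTable 3, radiusAuthServerEntry 1
COLUMNS = {6: "AccessAccepts", 7: "AccessRejects", 8: "AccessChallenges",
           9: "MalformedAccessResponses", 10: "BadAuthenticators",
           13: "UnknownType"}
INTEGRITY = ("MalformedAccessResponses", "BadAuthenticators", "UnknownType")
WRAP = 2 ** 32  # a Counter32 rolls over to 0 after 2^32 - 1

# Constructed sample polls (not real device output) for server rows 1 and 2.
POLL_1 = """
.1.3.6.1.3.79.1.2.1.1.1.0 = Counter32: 0
.1.3.6.1.3.79.1.2.1.1.3.1.6.1 = Counter32: 4294967290
.1.3.6.1.3.79.1.2.1.1.3.1.7.1 = Counter32: 10
.1.3.6.1.3.79.1.2.1.1.3.1.6.2 = Counter32: 100
.1.3.6.1.3.79.1.2.1.1.3.1.7.2 = Counter32: 5
.1.3.6.1.3.79.1.2.1.1.3.1.10.2 = Counter32: 0
"""
POLL_2 = """
.1.3.6.1.3.79.1.2.1.1.1.0 = Counter32: 2
.1.3.6.1.3.79.1.2.1.1.3.1.6.1 = Counter32: 24
.1.3.6.1.3.79.1.2.1.1.3.1.7.1 = Counter32: 12
.1.3.6.1.3.79.1.2.1.1.3.1.6.2 = Counter32: 104
.1.3.6.1.3.79.1.2.1.1.3.1.7.2 = Counter32: 41
.1.3.6.1.3.79.1.2.1.1.3.1.10.2 = Counter32: 3
"""


def parse_walk(text):
    """Map 'OID = Counter32: N' lines to {(name, server_index): value}."""
    values = {}
    for line in text.strip().splitlines():
        oid, _, rest = line.partition(" = ")
        oid = oid.strip().lstrip(".")
        value = int(rest.split(":", 1)[1])
        if oid == CLIENT + ".1.0":  # radiusAuthClientInvalidServerAddresses.0
            values[("InvalidServerAddresses", None)] = value
        elif oid.startswith(ENTRY + "."):
            column, index = (int(p) for p in oid[len(ENTRY) + 1:].split("."))
            if column in COLUMNS:
                values[(COLUMNS[column], index)] = value
    return values


def delta(old, new):
    """Counter32 difference that stays correct across a single wrap."""
    return (new - old) % WRAP


def findings(prev, curr, reject_ratio=0.5, min_responses=20):
    """Return (server_index, reason) pairs; both thresholds are assumptions."""
    d = {key: delta(prev.get(key, 0), new) for key, new in curr.items()}
    out = []
    if d.get(("InvalidServerAddresses", None), 0):
        out.append((None, "responses from unknown addresses"))
    for index in sorted({i for _, i in d if i is not None}):
        out += [(index, n + " increased") for n in INTEGRITY if d.get((n, index), 0)]
        rejects = d.get(("AccessRejects", index), 0)
        total = rejects + sum(d.get((n, index), 0)
                              for n in ("AccessAccepts", "AccessChallenges"))
        if total >= min_responses and rejects / total > reject_ratio:
            out.append((index, "reject ratio %.2f" % (rejects / total)))
    return out


if __name__ == "__main__":
    for finding in findings(parse_walk(POLL_1), parse_walk(POLL_2)):
        print(finding)
```

Because every counter is defined "since client start-up", a client restart between polls looks like a wrap to delta(); a poller should also compare sysUpTime and discard the interval when it has gone backwards.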