RADIUS Working Group                                       Bernard Aboba
INTERNET-DRAFT                                                 Microsoft
Category: Standards Track                                      Glen Zorn
                                                               Microsoft
2 February 1999

                    RADIUS Authentication Client MIB

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet-Drafts.  Internet-Drafts
are draft documents valid for a maximum of six months and may be updated,
replaced, or obsoleted by other documents at any time.  It is
inappropriate to use Internet-Drafts as reference material or to cite
them other than as "work in progress."

To view the list of Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.

The distribution of this memo is unlimited.  It is filed as
draft-ietf-radius-auth-clientmib-03.txt, and expires August 1, 1999.
Please send comments to the authors.

2. Copyright Notice

Copyright (C) The Internet Society (1999).  All Rights Reserved.

3. Abstract

This memo defines a set of extensions which instrument RADIUS
authentication client functions.  These extensions represent a portion
of the Management Information Base (MIB) for use with network management
protocols in the Internet community.  Using these extensions, IP-based
management stations can manage RADIUS authentication clients.

4. Introduction

This memo defines a portion of the Management Information Base (MIB) for
use with network management protocols in the Internet community.
In particular, it describes managed objects used for managing RADIUS
authentication clients.

Today a wide range of network devices, including routers and NASes, act
as RADIUS authentication clients in order to provide authentication and
authorization services.  As a result, the effective management of RADIUS
authentication clients is of considerable importance.

5. The SNMP Management Framework

The SNMP Management Framework presently consists of five major
components:

   o  An overall architecture, described in RFC 2271 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4].  The second version,
      called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and
      RFC 1904 [7].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8].  A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [8].  A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and
      the view-based access control mechanism described in RFC 2275
      [15].

Managed objects are accessed via a virtual information store, termed the
Management Information Base or MIB.  Objects in the MIB are defined
using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2.  A MIB
conforming to the SMIv1 can be produced through the appropriate
translations.  The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64).  Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process.  However, this loss of machine
readable information is not considered to change the semantics of the
MIB.

6. Overview

The RADIUS authentication protocol, described in [16], distinguishes
between the client function and the server function.  In RADIUS
authentication, clients send Access-Requests, and servers reply with
Access-Accepts, Access-Rejects, and Access-Challenges.  Typically NAS
devices implement the client function, and thus would be expected to
implement the RADIUS authentication client MIB, while RADIUS
authentication servers implement the server function, and thus would be
expected to implement the RADIUS authentication server MIB.

However, it is possible for a RADIUS authentication entity to perform
both client and server functions.  For example, a RADIUS proxy may act
as a server to one or more RADIUS authentication clients, while
simultaneously acting as an authentication client to one or more
authentication servers.  In such situations, it is expected that RADIUS
entities combining client and server functionality will support both
the client and server MIBs.

6.1. Selected objects

This MIB module contains two scalars, radiusAuthClientInvalidServerAddresses
and radiusAuthClientIdentifier, as well as a single table:

   (1) the RADIUS Authentication Server Table contains one row for each
       RADIUS authentication server that the client shares a secret
       with.
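An added worked example, not part of the draft, of what the scalars and the table columns defined in section 7 below actually measure: a minimal RADIUS authentication client that updates each counter as it sends Access-Requests and classifies what comes back, checking the Response Authenticator from RFC 2138 before a reply is counted as successfully received. RFC 2138 fixes the packet layout and the authenticator computation; the class name, its methods and the constructed sample traffic in demo() are assumptions of this example. Forged or wrong-secret replies land in radiusAuthClientBadAuthenticators and replies from an unexpected address in radiusAuthClientInvalidServerAddresses, which is what makes those two counters worth watching from a management station.

```python
# Added example, not from the draft: a minimal RADIUS authentication client that
# keeps this MIB's counters while validating responses as RFC 2138 requires.
# Packet layout and the Response Authenticator follow RFC 2138; the class,
# its method names and the constructed sample traffic are assumptions.
import hashlib, hmac, os, struct, time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
RESPONSE_COUNTER = {ACCESS_ACCEPT: "AccessAccepts", ACCESS_REJECT: "AccessRejects",
                    ACCESS_CHALLENGE: "AccessChallenges"}

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
                       + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    # Server side; used here only to construct sample packets.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs

class RadiusAuthClientStats:
    """The two scalars plus one conceptual row of radiusAuthServerTable."""

    def __init__(self, server_address, server_port, secret):
        self.server_address, self.server_port, self.secret = server_address, server_port, secret
        self.invalid_server_addresses = 0  # radiusAuthClientInvalidServerAddresses
        self.round_trip_time = 0           # radiusAuthClientRoundTripTime, in TimeTicks
        self.counters = dict.fromkeys(
            ["AccessRequests", "AccessRetransmissions", "AccessAccepts", "AccessRejects",
             "AccessChallenges", "MalformedAccessResponses", "BadAuthenticators",
             "Timeouts", "UnknownTypes", "PacketsDropped"], 0)
        self.pending = {}  # ident -> (Request Authenticator, send time); len() is the Gauge32

    def _transmit(self, ident, request_auth, attrs):
        self.pending[ident] = (request_auth, time.monotonic())
        return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs

    def send_request(self, ident, attrs):
        self.counters["AccessRequests"] += 1
        return self._transmit(ident, os.urandom(16), attrs)  # RFC 2138: unpredictable authenticator

    def retransmit(self, packet):
        # Retry to the same server: counted as a retransmission, not a new request.
        self.counters["AccessRetransmissions"] += 1
        _, ident, _, request_auth = HEADER.unpack_from(packet)
        return self._transmit(ident, request_auth, packet[HEADER.size:])

    def timeout(self, ident):
        self.pending.pop(ident, None)
        self.counters["Timeouts"] += 1

    def receive(self, source_address, data):
        """Attribute one datagram seen on the authentication port to a counter; return its name."""
        if source_address != self.server_address:
            self.invalid_server_addresses += 1
            return "InvalidServerAddresses"
        if len(data) < HEADER.size:  # header unreadable, so no type counter applies
            self.counters["MalformedAccessResponses"] += 1
            return "MalformedAccessResponses"
        code, ident, length, auth = HEADER.unpack_from(data)
        if code not in RESPONSE_COUNTER:
            self.counters["UnknownTypes"] += 1
            return "UnknownTypes"
        self.counters[RESPONSE_COUNTER[code]] += 1  # counted whether valid or invalid
        if length < HEADER.size or length > len(data):  # RFC 2138: bad Length, discard
            self.counters["MalformedAccessResponses"] += 1
            return "MalformedAccessResponses"
        if ident not in self.pending:  # no outstanding request carries this Identifier
            self.counters["PacketsDropped"] += 1
            return "PacketsDropped"
        request_auth, sent_at = self.pending[ident]
        attrs = data[HEADER.size:length]  # octets beyond Length are padding
        expected = response_authenticator(code, ident, attrs, request_auth, self.secret)
        if not hmac.compare_digest(auth, expected):  # forged or wrong-secret reply
            self.counters["BadAuthenticators"] += 1
            return "BadAuthenticators"
        del self.pending[ident]
        self.round_trip_time = int((time.monotonic() - sent_at) * 100)  # hundredths of a second
        return RESPONSE_COUNTER[code]

    def successfully_received(self):
        # The "Successfully received" identity from the statistics comment in section 7.
        c = self.counters
        incoming = c["AccessAccepts"] + c["AccessRejects"] + c["AccessChallenges"] + c["UnknownTypes"]
        return (incoming - c["MalformedAccessResponses"] - c["BadAuthenticators"]
                - c["UnknownTypes"] - c["PacketsDropped"])

def demo():
    """Constructed (not captured) traffic that touches every counter."""
    secret, server = b"s3cret", "192.0.2.10"
    client = RadiusAuthClientStats(server, 1812, secret)
    user = b"\x01\x07alice"  # User-Name attribute: type 1, length 7
    req1 = client.send_request(1, user)
    client.receive(server, build_response(ACCESS_ACCEPT, 1, b"", req1[4:20], secret))  # ok
    req2 = client.send_request(2, user)
    forged = build_response(ACCESS_REJECT, 2, b"", req2[4:20], b"wrong-secret")
    client.receive(server, forged)                              # BadAuthenticators
    client.receive("198.51.100.7", forged)                      # InvalidServerAddresses
    client.receive(server, bytes([40, 2, 0, 20]) + bytes(16))   # code 40: UnknownTypes
    good = build_response(ACCESS_ACCEPT, 2, user, req2[4:20], secret)
    client.receive(server, good[:-3])                           # Length > bytes: malformed
    client.receive(server, build_response(ACCESS_CHALLENGE, 9, b"", bytes(16), secret))  # dropped
    client.timeout(2)
    client.retransmit(req2)
    client.receive(server, build_response(ACCESS_REJECT, 2, b"", req2[4:20], secret))   # ok
    return client
```

demo() drives one row through every outcome the table distinguishes. successfully_received() evaluates the identity from the statistics comment in section 7, and the request-side identity (requests plus retransmissions, minus pending and timed-out) yields the same figure for this traffic: two replies were accepted as genuine, everything else was attributed to one of the error counters.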
Each entry in the RADIUS Authentication Server Table includes fifteen
columns presenting a view of the activity of the RADIUS authentication
client.

7. Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks, mib-2         FROM SNMPv2-SMI
       SnmpAdminString                     FROM SNMP-FRAMEWORK-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP     FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "9901290000Z"
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US

                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the client side of
              the Remote Authentication Dial In User Service (RADIUS)
              authentication protocol."
       REVISION "9901290000Z"    -- 29 Jan 1999
       DESCRIPTION "Initial version as published in RFC xxxx"
                   -- RFC xxxx to be assigned by IANA
       ::= { radiusAuthentication 2 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 xxx }         -- To be assigned by IANA

radiusAuthentication  OBJECT IDENTIFIER ::= { radiusMIB 1 }

radiusAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }

radiusAuthClient  OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             received from unknown addresses."
      ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS authentication client.
             This is not necessarily the same as sysName in MIB II."
      ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
      SYNTAX     RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares a secret."
      INDEX      { radiusAuthServerIndex }
      ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
      radiusAuthServerIndex                           Integer32,
      radiusAuthServerAddress                         IpAddress,
      radiusAuthClientServerPortNumber                Integer32,
      radiusAuthClientRoundTripTime                   TimeTicks,
      radiusAuthClientAccessRequests                  Counter32,
      radiusAuthClientAccessRetransmissions           Counter32,
      radiusAuthClientAccessAccepts                   Counter32,
      radiusAuthClientAccessRejects                   Counter32,
      radiusAuthClientAccessChallenges                Counter32,
      radiusAuthClientMalformedAccessResponses        Counter32,
      radiusAuthClientBadAuthenticators               Counter32,
      radiusAuthClientPendingRequests                 Gauge32,
      radiusAuthClientTimeouts                        Counter32,
      radiusAuthClientUnknownTypes                    Counter32,
      radiusAuthClientPacketsDropped                  Counter32
}

radiusAuthServerIndex OBJECT-TYPE
      SYNTAX     Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
             communicates."
      ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
      SYNTAX     IpAddress
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The IP address of the RADIUS authentication server
             referred to in this table entry."
      ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber  OBJECT-TYPE
      SYNTAX Integer32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The UDP port the client is using to send requests to
             this server."
      ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime  OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
             "The time interval (in hundredths of a second) between
              the most recent Access-Accept, Access-Reject or
              Access-Challenge and the Access-Request that matched it
              from this RADIUS authentication server."
      ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received
--
-- AccessRequests + AccessRetransmissions - PendingRequests - Timeouts
--   = Successfully received
--
-- (each transmission is either answered by a successfully received
--  response, still pending, or timed out; a retry to the same server
--  counts as a retransmission and a timeout, not as a new request)
--
radiusAuthClientAccessRequests OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets sent
             to this server.  This does not include retransmissions."
      ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server."
      ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject
radiusAuthClientMalformedAccessResponses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length.  Bad authenticators or
             Signature attributes or unknown types are not
             included as malformed access responses."
      ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Signature
             attributes received from this server."
      ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response.  This variable is incremented
             when an Access-Request is sent or retransmitted, and
             decremented due to receipt of an Access-Accept,
             Access-Reject or Access-Challenge, or a timeout."
      ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts  OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of authentication timeouts to this server.
             After a timeout the client may retry to the same
             server, send to a different server, or
             give up.  A retry to the same server is counted as a
             retransmit as well as a timeout.  A send to a different
             server is counted as a Request as well as a timeout."
      ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets of unknown type which
             were received from this server on the authentication port."
      ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets which were
             received from this server on the authentication port
             and dropped for some other reason."
      ::= { radiusAuthServerEntry 15 }

-- conformance information

radiusAuthClientMIBConformance
       OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
radiusAuthClientMIBCompliances
       OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
radiusAuthClientMIBGroups
       OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }

-- compliance statements

radiusAuthClientMIBCompliance MODULE-COMPLIANCE
     STATUS  current
     DESCRIPTION
           "The compliance statement for authentication clients
            implementing the RADIUS Authentication Client MIB."
     MODULE  -- this module
            MANDATORY-GROUPS { radiusAuthClientMIBGroup }

     ::= { radiusAuthClientMIBCompliances 1 }

-- units of conformance

radiusAuthClientMIBGroup OBJECT-GROUP
     OBJECTS { radiusAuthClientIdentifier,
               radiusAuthClientInvalidServerAddresses,
               radiusAuthServerAddress,
               radiusAuthClientServerPortNumber,
               radiusAuthClientRoundTripTime,
               radiusAuthClientAccessRequests,
               radiusAuthClientAccessRetransmissions,
               radiusAuthClientAccessAccepts,
               radiusAuthClientAccessRejects,
               radiusAuthClientAccessChallenges,
               radiusAuthClientMalformedAccessResponses,
               radiusAuthClientBadAuthenticators,
               radiusAuthClientPendingRequests,
               radiusAuthClientTimeouts,
               radiusAuthClientUnknownTypes,
               radiusAuthClientPacketsDropped
             }
     STATUS  current
     DESCRIPTION
           "The basic collection of objects providing management of
            RADIUS Authentication Clients."
     ::= { radiusAuthClientMIBGroups 1 }

END

8. References

[1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
     Describing SNMP Management Frameworks", RFC 2271, Cabletron
     Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
     January 1998.

[2]  Rose, M., and K. McCloghrie, "Structure and Identification of
     Management Information for TCP/IP-based Internets", RFC 1155,
     Performance Systems International, Hughes LAN Systems, May 1990.

[3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
     Performance Systems International, Hughes LAN Systems, March 1991.

[4]  Rose, M., "A Convention for Defining Traps for use with the SNMP",
     RFC 1215, Performance Systems International, March 1991.

[5]  Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Structure of Management Information for Version 2 of
     the Simple Network Management Protocol (SNMPv2)", RFC 1902, SNMP
     Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
     International Network Services, January 1996.

[6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
     Conventions for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance
     Statements for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
     Management Protocol", RFC 1157, SNMP Research, Performance Systems
     International, Performance Systems International, MIT Laboratory
     for Computer Science, May 1990.

[9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
     "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research,
     Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
     International Network Services, January 1996.

[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
     Mappings for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message
     Processing and Dispatching for the Simple Network Management
     Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems,
     Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[12] Blumenthal, U., and B.
     Wijnen, "User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3)", RFC 2274, IBM T. J.
     Watson Research, January 1998.

[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
     Operations for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
     2273, SNMP Research, Inc., Secure Computing Corporation, Cisco
     Systems, January 1998.

[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
     Control Model (VACM) for the Simple Network Management Protocol
     (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
     Cisco Systems, Inc., January 1998.

[16] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote
     Authentication Dial In User Service (RADIUS)", RFC 2138, April
     1997.

9. Security considerations

There are no management objects defined in this MIB that have a
MAX-ACCESS clause of read-write and/or read-create.  So, if this MIB is
implemented correctly, then there is no risk that an intruder can alter
or create any management objects of this MIB via direct SNMP SET
operations.

There are a number of managed objects in this MIB that may contain
sensitive information.  These are:

   radiusAuthServerAddress
      This can be used to determine the address of the RADIUS
      authentication server with which the client is communicating.
      This information could be useful in mounting an attack on the
      authentication server.

   radiusAuthClientServerPortNumber
      This can be used to determine the port number on which the
      RADIUS authentication client is sending.  This information
      could be useful in impersonating the client in order to send
      data to the authentication server.
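Both objects are read-only, so the only control available is over who may GET them at all. As an added configuration example that is not part of the draft, the following net-snmp snmpd.conf fragment places the SNMPv1 community setting that leaves these objects readable by anyone on the path next to an SNMPv3 user that is authenticated and encrypted under the User-based Security Model and confined by a View-based Access Control view to this MIB's own objects. The user name, passphrases and view name are assumptions; the symbolic view target assumes the agent can load the RADIUS-AUTH-CLIENT-MIB module, and otherwise the IANA-assigned numeric OID of radiusAuthClientMIBObjects must be substituted.

```conf
# Weak: an SNMPv1/v2c community string.  It travels in cleartext, is
# shared by every manager that knows it, and with no view attached it
# exposes everything the agent serves, including radiusAuthServerAddress
# and radiusAuthClientServerPortNumber.
rocommunity public

# Recommended: an SNMPv3 USM user (RFC 2274) that must authenticate (SHA)
# and encrypt (AES), limited by a VACM view (RFC 2275) to the objects of
# this MIB and nothing else.  Passphrases and names are placeholders.
createUser radiusmon SHA "auth-passphrase-assumed" AES "priv-passphrase-assumed"
view   radiusClientView included RADIUS-AUTH-CLIENT-MIB::radiusAuthClientMIBObjects
rouser radiusmon priv -V radiusClientView
```

The two halves are shown together only for contrast; a hardened agent keeps the second and drops the rocommunity line, since any community left in place bypasses the USM requirement entirely. The view also keeps the radiusAuthServerTable counters available to the monitoring principal without granting it the rest of mib-2.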
It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending them
over the network via SNMP.  Not all versions of SNMP provide features
for such a secure environment.

SNMPv1 by itself is not a secure environment.  Even if the network
itself is secure (for example by using IPsec), there is no control as
to who on the secure network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB.

It is recommended that implementers consider the security features as
provided by the SNMPv3 framework.  Specifically, the use of the
User-based Security Model RFC 2274 [12] and the View-based Access
Control Model RFC 2275 [15] is recommended.  Using these security
features, customers/users can give access to the objects only to those
principals (users) that have legitimate rights to GET or SET
(change/create/delete) them.

10. Acknowledgments

Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl
Rigney of Livingston and Peter Heitman of American Internet Corporation
for useful discussions of this problem space.

11. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com

Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-703-1559
EMail: glennz@microsoft.com

12. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights.
Information on the IETF's procedures with respect to rights in
standards-track and standards-related documentation can be found in
BCP-11.  Copies of claims of rights made available for publication and
any assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard.  Please address the information to the IETF Executive
Director.

13. Full Copyright Statement

Copyright (C) The Internet Society (1999).  All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works.  However, this
document itself may not be modified in any way, such as by removing the
copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.  The limited
permissions granted above are perpetual and will not be revoked by the
Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

14. Expiration Date

This memo is filed as draft-ietf-radius-auth-clientmib-03.txt, and
expires August 1, 1999.