idnits 2.17.1 draft-ietf-radius-auth-servmib-02.txt
RADIUS Working Group                                          Glen Zorn
INTERNET-DRAFT                                                Microsoft
Category: Standards Track                                 Bernard Aboba
                                                              Microsoft
                                                       11 November 1998

                    RADIUS Authentication Server MIB

1. Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.''

To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

The distribution of this memo is unlimited. It is filed as , and expires May 1, 1999. Please send comments to the authors.

2. Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

3. Abstract

This memo defines a set of extensions which instrument RADIUS authentication server functions. These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions, IP-based management stations can manage RADIUS authentication servers.

4. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for managing RADIUS authentication servers.

RADIUS authentication servers are today widely deployed by dialup Internet Service Providers in order to provide authentication services. As a result, the effective management of RADIUS authentication servers is of considerable importance.

5. The SNMP Management Framework

The SNMP Management Framework presently consists of five major components:

   o  An overall architecture, described in RFC 2271 [1].

   o  Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC 1904 [7].

   o  Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and the view-based access control mechanism described in RFC 2275 [15].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

6. Overview

The RADIUS authentication protocol, described in [16], distinguishes between the client function and the server function. In RADIUS authentication, clients send Access-Requests, and servers reply with Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices implement the client function, and thus would be expected to implement the RADIUS authentication client MIB, while RADIUS authentication servers implement the server function, and thus would be expected to implement the RADIUS authentication server MIB.

However, it is possible for a RADIUS authentication entity to perform both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs.

6.1. Selected objects

This MIB module contains fourteen scalars as well as a single table:

   (1) the RADIUS Authentication Client Table contains one row for each RADIUS authentication client that the server shares a secret with.

Each entry in the RADIUS Authentication Client Table includes twelve columns presenting a view of the activity of the RADIUS authentication server.

7. Definitions

RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       OBJECT-IDENTITY, experimental,
       Counter32, Gauge32, Integer32,
       IpAddress                         FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, DisplayString FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

radius OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { experimental 79 }

radiusAuthentication  OBJECT IDENTIFIER ::= { radius 1 }

radiusAuthServMIB MODULE-IDENTITY
       LAST-UPDATED "9811161659Z"
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Glen Zorn
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US

                Phone: +1 425 703 1559
                EMail: glennz@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Remote Access Dialin User Service (RADIUS)
              authentication protocol."
       ::= { radiusAuthentication 1 }

radiusAuthServMIBObjects  OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }

radiusAuthServ  OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }

-- Textual conventions

RadiusTime ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "4d"
       STATUS  current
       DESCRIPTION
             "RadiusTime values are 32-bit unsigned integers which
              measure time in seconds."
       SYNTAX  Gauge32

radiusAuthServIdent OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The implementation identification string for the
              RADIUS authentication server software in use on the
              system, for example, `FNS-2.1'"
       ::= { radiusAuthServ 1 }

radiusAuthServUpTime OBJECT-TYPE
       SYNTAX      RadiusTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process),
              this value will be the time elapsed since it started.
              For software without persistent state, this value will
              be zero."
       ::= { radiusAuthServ 2 }

radiusAuthServResetTime OBJECT-TYPE
       SYNTAX      RadiusTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process)
              and supports a `reset' operation (e.g., can be told to
              re-read configuration files), this value will be the
              time elapsed since the last time the server was
              `reset.'  For software that does not have persistence or
              does not support a `reset' operation, this value will be
              zero."
       ::= { radiusAuthServ 3 }

radiusAuthServConfigReset OBJECT-TYPE
       SYNTAX      INTEGER { other(1),
                             reset(2),
                             initializing(3),
                             running(4) }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
             "Status/action object to reinitialize any persistent
              server state.  When set to reset(2), any persistent
              server state (such as a process) is reinitialized as if
              the server had just been started.  This value will
              never be returned by a read operation.  When read, one of
              the following values will be returned:
                  other(1) - server in some unknown state;
                  initializing(3) - server (re)initializing;
                  running(4) - server currently running."
       ::= { radiusAuthServ 4 }

-- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)

radiusAuthServTotalAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of packets received on the
              authentication port since server start-up."
       ::= { radiusAuthServ 5 }

radiusAuthServTotalInvalidRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Request packets
              received from unknown addresses since server start-up."
       ::= { radiusAuthServ 6 }

radiusAuthServTotalDupAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of duplicate RADIUS Access-Request
              packets received since server start-up."
       ::= { radiusAuthServ 7 }

radiusAuthServTotalAccessAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Accept packets
              sent since server start-up."
       ::= { radiusAuthServ 8 }

radiusAuthServTotalAccessRejects OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Reject packets
              sent since server start-up."
       ::= { radiusAuthServ 9 }

radiusAuthServTotalAccessChallenges OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Challenge packets
              sent since server start-up."
       ::= { radiusAuthServ 10 }

radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of malformed RADIUS Access-Request
              packets received since server start-up.  Bad
              authenticators and unknown types are not included as
              malformed Access-Requests."
       ::= { radiusAuthServ 11 }

radiusAuthServTotalBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Authentication-Request packets
              which contained invalid Signature attributes received
              since server start-up."
       ::= { radiusAuthServ 12 }

radiusAuthServTotalPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of incoming packets
              silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthServ 13 }

radiusAuthServTotalUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS packets of unknown type which
              were received since server start-up."
       ::= { radiusAuthServ 14 }

-- End of new

radiusAuthClientTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF RadiusAuthClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS authentication
              clients with which the server shares a secret."
       ::= { radiusAuthServ 15 }

radiusAuthClientEntry OBJECT-TYPE
       SYNTAX      RadiusAuthClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication client with which the server shares a secret."
       INDEX       { radiusAuthClientIndex }
       ::= { radiusAuthClientTable 1 }

RadiusAuthClientEntry ::= SEQUENCE {
       radiusAuthClientIndex                   Integer32,
       radiusAuthClientAddress                 IpAddress,
       radiusAuthClientID                      DisplayString,
       radiusAuthServAccessRequests            Counter32,
       radiusAuthServDupAccessRequests         Counter32,
       radiusAuthServAccessAccepts             Counter32,
       radiusAuthServAccessRejects             Counter32,
       radiusAuthServAccessChallenges          Counter32,
       radiusAuthServMalformedAccessRequests   Counter32,
       radiusAuthServBadAuthenticators         Counter32,
       radiusAuthServPacketsDropped            Counter32,
       radiusAuthServUnknownTypes              Counter32
}

radiusAuthClientIndex OBJECT-TYPE
       SYNTAX      Integer32 (0..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              authentication client with which this server
              communicates."
       ::= { radiusAuthClientEntry 1 }

radiusAuthClientAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-IP-Address of the RADIUS authentication client
              referred to in this table entry."
       ::= { radiusAuthClientEntry 2 }

radiusAuthClientID OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS authentication client
              referred to in this table entry.  This is not necessarily
              the same as sysName in MIB II."
       ::= { radiusAuthClientEntry 3 }

-- Server Counters
--
-- Responses = AccessAccepts + AccessRejects + AccessChallenges
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped = entries logged

radiusAuthServAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of packets received on the authentication
              port from this client since server start-up."
       ::= { radiusAuthClientEntry 4 }

radiusAuthServDupAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of duplicate RADIUS Access-Request
              packets received from this client since server start-up."
       ::= { radiusAuthClientEntry 5 }

radiusAuthServAccessAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Accept packets
              sent to this client since server start-up."
       ::= { radiusAuthClientEntry 6 }

radiusAuthServAccessRejects OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Reject packets
              sent to this client since server start-up."
       ::= { radiusAuthClientEntry 7 }

radiusAuthServAccessChallenges OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Access-Challenge packets
              sent to this client since server start-up."
       ::= { radiusAuthClientEntry 8 }

radiusAuthServMalformedAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of malformed RADIUS Access-Request
              packets received from this client since server start-up.
              Bad authenticators and unknown types are not included as
              malformed Access-Requests."
       ::= { radiusAuthClientEntry 9 }

radiusAuthServBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS Authentication-Request packets
              which contained invalid Signature attributes received
              from this client since server start-up."
       ::= { radiusAuthClientEntry 10 }

radiusAuthServPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of incoming packets from this
              client silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthClientEntry 11 }

radiusAuthServUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The total number of RADIUS packets of unknown type which
              were received from this client since authentication server
              start-up."
       ::= { radiusAuthClientEntry 12 }

-- conformance information

radiusAuthServMIBConformance
       OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
radiusAuthServMIBCompliances
       OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
radiusAuthServMIBGroups
       OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }

-- compliance statements

radiusAuthServMIBCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for authentication servers
              implementing the RADIUS Authentication Server MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthServMIBGroup }

       ::= { radiusAuthServMIBCompliances 1 }

-- units of conformance

radiusAuthServMIBGroup OBJECT-GROUP
       OBJECTS { radiusAuthServIdent,
                 radiusAuthServUpTime,
                 radiusAuthServResetTime,
                 radiusAuthServConfigReset,
                 radiusAuthServTotalAccessRequests,
                 radiusAuthServTotalInvalidRequests,
                 radiusAuthServTotalDupAccessRequests,
                 radiusAuthServTotalAccessAccepts,
                 radiusAuthServTotalAccessRejects,
                 radiusAuthServTotalAccessChallenges,
                 radiusAuthServTotalMalformedAccessRequests,
                 radiusAuthServTotalBadAuthenticators,
                 radiusAuthServTotalPacketsDropped,
                 radiusAuthServTotalUnknownTypes,
                 radiusAuthClientAddress,
                 radiusAuthClientID,
                 radiusAuthServAccessRequests,
                 radiusAuthServDupAccessRequests,
                 radiusAuthServAccessAccepts,
                 radiusAuthServAccessRejects,
                 radiusAuthServAccessChallenges,
                 radiusAuthServMalformedAccessRequests,
                 radiusAuthServBadAuthenticators,
                 radiusAuthServPacketsDropped,
                 radiusAuthServUnknownTypes
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects providing management of
              a RADIUS Authentication Server."
       ::= { radiusAuthServMIBGroups 1 }

END

8. References

[1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[2]  Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990.

[3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991.

[4]  Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, Performance Systems International, March 1991.

[5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, SNMP Research, Performance Systems International, Performance Systems International, MIT Laboratory for Computer Science, May 1990.

[9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.

[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco Systems, January 1998.

[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., Cisco Systems, Inc., January 1998.

[16] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

[17] "Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1)", International Organization for Standardization, International Standard 8824, December 1987.

9. Security considerations

There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.

There are a number of managed objects in this MIB that may contain sensitive information. These are:

   radiusAuthClientAddress
        This can be used to determine the address of the RADIUS authentication client with which the server is communicating. This information could be useful in impersonating the client.

   radiusAuthClientID
        This can be used to determine the client ID of the authentication client with which the server is communicating. This information could be useful in impersonating the client.

It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment.

SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPSec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2274 [12] and the View-based Access Control Model RFC 2275 [15] is recommended. Using these security features, customers/users can give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them.

10. Acknowledgments

Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl Rigney of Livingston and Peter Heitman of American Internet Corporation for useful discussions of this problem space.

11. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com

Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-703-1559
EMail: glennz@microsoft.com

12. Full Copyright Statement

Copyright (C) The Internet Society (1997). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

13. Expiration Date

This memo is filed as , and expires May 1, 1999.
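The "Server Counters" comment in the Definitions section states how the per-client counters of radiusAuthClientTable relate (Responses = Accepts + Rejects + Challenges; Requests minus the discard counters minus Responses = Pending). The following script, an added example and not part of the draft, parses snmpwalk-style "OID = TYPE: value" lines of that table (the sample lines are constructed), checks the Pending relation per client, and flags a client whose radiusAuthServBadAuthenticators counter jumped between two polls. The OIDs follow the module's own layout (experimental.79 = 1.3.6.1.3.79); the walk-line format and the threshold of 10 are assumptions.

```python
import re

# OID layout from the MIB: experimental = 1.3.6.1.3, radius = { experimental 79 },
# radiusAuthServ = radius.1.1.1.1, radiusAuthClientTable = { radiusAuthServ 15 },
# radiusAuthClientEntry = { radiusAuthClientTable 1 }; instances are <entry>.<col>.<index>
CLIENT_ENTRY = "1.3.6.1.3.79.1.1.1.1.15.1"

# Column number -> object name, in RadiusAuthClientEntry order (column 1 is the
# not-accessible index and never appears in a walk).
COLUMNS = dict(enumerate((
    "radiusAuthClientAddress", "radiusAuthClientID",
    "radiusAuthServAccessRequests", "radiusAuthServDupAccessRequests",
    "radiusAuthServAccessAccepts", "radiusAuthServAccessRejects",
    "radiusAuthServAccessChallenges", "radiusAuthServMalformedAccessRequests",
    "radiusAuthServBadAuthenticators", "radiusAuthServPacketsDropped",
    "radiusAuthServUnknownTypes"), start=2))
COUNTER_COLUMNS = range(4, 13)

LINE_RE = re.compile(r"^\.?(\S+) = (\w+): (.*)$")  # assumed 'snmpwalk -On' shape


def parse_walk(text):
    """Group walk lines of the client table into {index: {object name: value}}."""
    rows = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, raw = m.groups()
        if not oid.startswith(CLIENT_ENTRY + "."):
            continue  # not an instance of radiusAuthClientTable
        col, idx = (int(x) for x in oid[len(CLIENT_ENTRY) + 1:].split("."))
        name = COLUMNS.get(col)
        if name is None:
            continue
        value = int(raw) if typ == "Counter32" else raw.strip().strip('"')
        rows.setdefault(idx, {})[name] = value
    return rows


def pending(row):
    """Requests - Dup - BadAuth - Malformed - Unknown - Dropped - Responses,
    the Pending relation from the MIB's Server Counters comment."""
    responses = sum(row[k] for k in ("radiusAuthServAccessAccepts",
                    "radiusAuthServAccessRejects", "radiusAuthServAccessChallenges"))
    discarded = sum(row[k] for k in ("radiusAuthServDupAccessRequests",
                    "radiusAuthServBadAuthenticators", "radiusAuthServMalformedAccessRequests",
                    "radiusAuthServUnknownTypes", "radiusAuthServPacketsDropped"))
    return row["radiusAuthServAccessRequests"] - discarded - responses


def counter_delta(old, new):
    """Increase of a Counter32 between two polls, allowing for wrap at 2^32."""
    return (new - old) % (1 << 32)


def client_findings(prev, cur, bad_auth_threshold=10):
    """Compare two polls of the table and return (index, message) findings."""
    findings = []
    for idx, row in cur.items():
        old = prev.get(idx, {})
        if pending(row) < 0:
            findings.append((idx, "counters violate the Pending relation"))
        bad = counter_delta(old.get("radiusAuthServBadAuthenticators", 0),
                            row["radiusAuthServBadAuthenticators"])
        if bad >= bad_auth_threshold:
            # A burst of bad authenticators means packets carrying this client's
            # address failed verification against the shared secret: a secret
            # mismatch after a change, or packets from somewhere else.
            findings.append((idx, f"{bad} bad authenticators since last poll "
                                  f"from {row['radiusAuthClientAddress']}"))
    return findings


def walk_lines(idx, address, ident, counters):
    """Constructed walk lines for one row; counters are columns 4..12 in MIB
    order (sample data, not a capture)."""
    lines = [f".{CLIENT_ENTRY}.2.{idx} = IpAddress: {address}",
             f'.{CLIENT_ENTRY}.3.{idx} = STRING: "{ident}"']
    lines += [f".{CLIENT_ENTRY}.{col}.{idx} = Counter32: {val}"
              for col, val in zip(COUNTER_COLUMNS, counters)]
    return "\n".join(lines)


# Two constructed polls of the same table for two NAS clients.
POLL_1 = "\n".join([
    walk_lines(1, "192.0.2.10", "nas1", (100, 2, 60, 30, 5, 0, 1, 0, 0)),
    walk_lines(2, "192.0.2.20", "nas2", (40, 0, 10, 30, 0, 0, 0, 0, 0)),
])
POLL_2 = "\n".join([
    walk_lines(1, "192.0.2.10", "nas1", (180, 3, 90, 50, 8, 1, 25, 0, 0)),
    walk_lines(2, "192.0.2.20", "nas2", (42, 0, 11, 31, 0, 0, 0, 0, 0)),
])

if __name__ == "__main__":
    for idx, msg in client_findings(parse_walk(POLL_1), parse_walk(POLL_2)):
        print(f"client {idx}: {msg}")
```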
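The Security Considerations recommend the View-based Access Control Model (RFC 2275 [15]) to restrict even GET access to radiusAuthClientAddress and radiusAuthClientID. As an added illustration, not part of the draft, the following implements VACM's view-tree matching (subtree, mask, included/excluded, longest match wins) and builds two views over this module's OIDs: a monitoring view that covers radiusAuthServ but excludes the two sensitive columns, and a per-NAS view that uses a mask to expose only one row of radiusAuthClientTable. The view contents and names are assumptions for the example.

```python
# Subtree OIDs from the MIB: experimental = 1.3.6.1.3, radius = { experimental 79 },
# radiusAuthServ = radius.1.1.1.1, radiusAuthClientEntry = radiusAuthServ.15.1
RADIUS_AUTH_SERV = (1, 3, 6, 1, 3, 79, 1, 1, 1, 1)
CLIENT_ENTRY = RADIUS_AUTH_SERV + (15, 1)


def oid(text):
    """Dotted OID string (optionally with a leading dot) to a tuple."""
    return tuple(int(x) for x in text.strip(".").split("."))


def family_matches(subtree, mask, target):
    """vacmViewTreeFamily match: target must be at least as long as subtree and
    agree with it at every position whose mask bit is 1. Bits past the end of
    the mask count as 1, so an empty mask means a plain prefix match."""
    if len(target) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        bit = mask[i] if i < len(mask) else 1
        if bit and target[i] != sub:
            return False
    return True


def in_view(view, target):
    """RFC 2275 view selection: among matching families, the one with the most
    sub-identifiers wins (ties: lexicographically greatest subtree) and its
    type decides. No matching family means the object is not in the view."""
    best = None
    for subtree, mask, included in view:
        if family_matches(subtree, mask, target):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, included)
    return best is not None and best[1]


# View for a monitoring principal: the whole server subtree, minus the two
# columns the Security Considerations single out. Each entry is
# (subtree, mask, included). A net-snmp snmpd.conf equivalent would be three
# 'view NAME included|excluded OID' lines (assumed syntax, for reference only).
MONITOR_VIEW = [
    (RADIUS_AUTH_SERV, (), True),
    (CLIENT_ENTRY + (2,), (), False),  # radiusAuthClientAddress column
    (CLIENT_ENTRY + (3,), (), False),  # radiusAuthClientID column
]

# View for the operator of one NAS (row index 7): every column of that row only.
# The mask wildcards the column position (13th sub-identifier) and pins the index.
ROW_7_VIEW = [
    (CLIENT_ENTRY + (0, 7), (1,) * 12 + (0, 1), True),
]


def check(view, target_text):
    """True if the instance named by target_text is visible through view."""
    return in_view(view, oid(target_text))
```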