idnits 2.17.1

draft-nelson-rfc2618bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.
  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.
  -- Found old boilerplate from RFC 3978, Section 5.5 on line 909.
  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 886.
  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 893.
  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 899.
  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.
  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC2618, updated by this document, for
     RFC5378 checks: 1997-08-26)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)
  -- The document date (July 16, 2005) is 6860 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 110, but not defined
  == Unused Reference: 'RFC3418' is defined on line 843, but no explicit
     reference was found in the text
  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)
  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)
  ** Downref: Normative reference to an Informational RFC: RFC 3410
  -- Obsolete informational reference (is this intentional?): RFC 2618
     (Obsoleted by RFC 4668)

  Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

  2  Network Working Group                                          D. Nelson
  3  Internet-Draft                                        Enterasys Networks
  4  Updates: RFC 2618 (if approved)                            July 16, 2005
  5  Expires: January 17, 2006

  7                       RADIUS Auth Client MIB (IPv6)
  8                       draft-nelson-rfc2618bis-01.txt

 10  Status of this Memo

 12     By submitting this Internet-Draft, each author represents that any
 13     applicable patent or other IPR claims of which he or she is aware
 14     have been or will be disclosed, and any of which he or she becomes
 15     aware will be disclosed, in accordance with Section 6 of BCP 79.

 17     Internet-Drafts are working documents of the Internet Engineering
 18     Task Force (IETF), its areas, and its working groups.  Note that
 19     other groups may also distribute working documents as Internet-
 20     Drafts.

 22     Internet-Drafts are draft documents valid for a maximum of six months
 23     and may be updated, replaced, or obsoleted by other documents at any
 24     time.  It is inappropriate to use Internet-Drafts as reference
 25     material or to cite them other than as "work in progress."

 27     The list of current Internet-Drafts can be accessed at
 28     http://www.ietf.org/ietf/1id-abstracts.txt.

 30     The list of Internet-Draft Shadow Directories can be accessed at
 31     http://www.ietf.org/shadow.html.

 33     This Internet-Draft will expire on January 17, 2006.

 35  Copyright Notice

 37     Copyright (C) The Internet Society (2005).

 39  Abstract

 41     This memo updates RFC 2618 by deprecating the MIB table containing
 42     IPv4-only address formats and defining a new table to add support for
 43     version neutral IP address formats.

 45  Table of Contents

 47     1.   Terminology
 48     2.   Introduction
 49     3.   The Internet-Standard Management Framework
 50     4.   Scope of Changes
 51     5.   Structure of the MIB Module
 52     6.   Deprecated Objects
 53     7.   Definitions
 54     8.   IANA Considerations
 55     9.   Security Considerations
 56     10.  References
 57     10.1   Normative References
 58     10.2   Informative References
 59          Author's Address
 60     A.   Acknowledgments
 61          Intellectual Property and Copyright Statements

 63  1.  Terminology

 65     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 66     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 67     document are to be interpreted as described in RFC 2119 [RFC2119].

 69     This document uses terminology from RFC 2865 [RFC2865].

 71  2.  Introduction

 73     This memo defines a portion of the Management Information Base (MIB)
 74     for use with network management protocols in the Internet community.
 75     The objects defined within this memo relate to the Remote
 76     Authentication Dial-In User Service (RADIUS) Authentication Client as
 77     defined in RFC 2865 [RFC2865].

 79  3.  The Internet-Standard Management Framework

 81     For a detailed overview of the documents that describe the current
 82     Internet-Standard Management Framework, please refer to section 7 of
 83     RFC 3410 [RFC3410].

 85     Managed objects are accessed via a virtual information store, termed
 86     the Management Information Base or MIB.  MIB objects are generally
 87     accessed through the Simple Network Management Protocol (SNMP).
 88     Objects in the MIB are defined using the mechanisms defined in the
 89     Structure of Management Information (SMI).  This memo specifies a MIB
 90     module that is compliant to the SMIv2, which is described in STD 58,
 91     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
 92     [RFC2580].

 94  4.  Scope of Changes

 96     This document updates RFC 2618 [RFC2618], RADIUS Authentication
 97     Client MIB, by deprecating the radiusAuthServerTable table and adding
 98     a new table, radiusAuthServerExtTable, containing
 99     radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
100     radiusAuthClientServerInetPortNumber.  The purpose of these added MIB
101     objects is to support version neutral IP addressing formats.  The
102     existing table containing radiusAuthServerAddress and
103     radiusAuthClientServerPortNumber is deprecated.

105     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
106     IPv6 addresses, contains the following recommendation.

108     'In particular, when revising a MIB module that contains IPv4
109     specific tables, it is suggested to define new tables using the
110     textual conventions defined in this memo [RFC 4001] that support all
111     versions of IP.  The status of the new tables SHOULD be "current",
112     whereas the status of the old IP version specific tables SHOULD be
113     changed to "deprecated".  The other approach, of having multiple
114     similar tables for different IP versions, is strongly discouraged.'

116  5.  Structure of the MIB Module

118     The structure of the MIB Module defined in this memo corresponds to
119     the structure of the MIB Module defined in RADIUS Authentication
120     Client MIB, RFC 2618 [RFC2618].  This MIB module contains two scalars
121     as well as a single table, the RADIUS Authentication Server Table,
122     which contains one row for each RADIUS authentication server with
123     which the client shares a secret.

125     Each entry in the RADIUS Authentication Server Table includes sixteen
126     columns presenting a view of the activity of the RADIUS
127     authentication client.

129  6.  Deprecated Objects

131     The deprecated table in this MIB is carried forward from RFC 2618
132     [RFC2618].  There are two conditions under which it MAY be desirable
133     for managed entities to continue to support the deprecated table:

135     1.  The managed entity only supports IPv4 address formats.
136     2.  The managed entity supports both IPv4 and IPv6 address formats,
137         and the deprecated table is supported for backwards compatibility
138         with older management stations.  This option SHOULD only be used
139         when the IP addresses in the new table are in IPv4 format and can
140         accurately be represented in both the new table and the
141         deprecated table.

143     Managed entities SHOULD NOT instantiate the deprecated table
144     containing IPv4-only address objects when the RADIUS server address
145     represented in the table row is not an IPv4 address.  Managed
146     entities SHOULD NOT return inaccurate values of IP address or SNMP
147     object access errors for IPv4-only address objects in otherwise
148     populated tables.

150  7.  Definitions

152  RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

154  IMPORTS
155      MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
156      Counter32, Integer32, Gauge32,
157      IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
158      SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
159      InetAddressType, InetAddress,
160      InetPortNumber                   FROM INET-ADDRESS-MIB
161      MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

163  radiusAuthClientMIB MODULE-IDENTITY
164      LAST-UPDATED "200507150000Z" -- 15 Jul 2005
165      ORGANIZATION "IETF RADIUS Working Group."
166      CONTACT-INFO
167          " Bernard Aboba
168            Microsoft
169            One Microsoft Way
170            Redmond, WA 98052
171            US
172            Phone: +1 425 936 6605
173            EMail: bernarda@microsoft.com"
174      DESCRIPTION
175          "The MIB module for entities implementing the client
176           side of the Remote Authentication Dial-In User Service
177           (RADIUS) authentication protocol."
178      REVISION "9906110000Z" -- 11 Jun 1999
179      DESCRIPTION "Initial version as published in RFC 2618"
180      REVISION "200507150000Z" -- 15 Jul 2005
181      DESCRIPTION "Revised version as published in RFC XXXX"

183  -- RFC Editor: replace xxx with actual RFC number at the time of
184  -- publication, and remove this note.

186      ::= { radiusAuthentication 2 }

188  radiusMIB OBJECT-IDENTITY
189      STATUS current
190      DESCRIPTION
191          "The OID assigned to RADIUS MIB work by the IANA."
192      ::= { mib-2 67 }

194  radiusAuthClientExtMIB OBJECT-IDENTITY
195      STATUS current
196      DESCRIPTION
197          "The OID assigned to RADIUS MIB Extension work by
198           the IANA."
199      ::= { mib-2 TBA }

201  -- RFC Editor: replace TBA with IANA assigned OID value, and
202  -- remove this note.

204  radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
205  radiusAuthClientMIBObjects OBJECT IDENTIFIER
206      ::= { radiusAuthClientMIB 1 }

208  radiusAuthClient OBJECT IDENTIFIER
209      ::= { radiusAuthClientMIBObjects 1 }

211  radiusAuthClientInvalidServerAddresses OBJECT-TYPE
212      SYNTAX Counter32
213      MAX-ACCESS read-only
214      STATUS current
215      DESCRIPTION
216          "The number of RADIUS Access-Response packets
217           received from unknown addresses."
218      ::= { radiusAuthClient 1 }

220  radiusAuthClientIdentifier OBJECT-TYPE
221      SYNTAX SnmpAdminString
222      MAX-ACCESS read-only
223      STATUS current
224      DESCRIPTION
225          "The NAS-Identifier of the RADIUS authentication client.
226           This is not necessarily the same as sysName in MIB II."
227      ::= { radiusAuthClient 2 }

229  radiusAuthServerTable OBJECT-TYPE
230      SYNTAX SEQUENCE OF RadiusAuthServerEntry
231      MAX-ACCESS not-accessible
232      STATUS deprecated
233      DESCRIPTION
234          "The (conceptual) table listing the RADIUS authentication
235           servers with which the client shares a secret."
236      ::= { radiusAuthClient 3 }

238  radiusAuthServerEntry OBJECT-TYPE
239      SYNTAX RadiusAuthServerEntry
240      MAX-ACCESS not-accessible
241      STATUS deprecated
242      DESCRIPTION
243          "An entry (conceptual row) representing a RADIUS
244           authentication server with which the client shares
245           a secret."
246      INDEX { radiusAuthServerIndex }
247      ::= { radiusAuthServerTable 1 }

249  RadiusAuthServerEntry ::= SEQUENCE {
250      radiusAuthServerIndex  Integer32,
251      radiusAuthServerAddress  IpAddress,
252      radiusAuthClientServerPortNumber  Integer32,
253      radiusAuthClientRoundTripTime  TimeTicks,
254      radiusAuthClientAccessRequests  Counter32,
255      radiusAuthClientAccessRetransmissions  Counter32,
256      radiusAuthClientAccessAccepts  Counter32,
257      radiusAuthClientAccessRejects  Counter32,
258      radiusAuthClientAccessChallenges  Counter32,
259      radiusAuthClientMalformedAccessResponses  Counter32,
260      radiusAuthClientBadAuthenticators  Counter32,
261      radiusAuthClientPendingRequests  Gauge32,
262      radiusAuthClientTimeouts  Counter32,
263      radiusAuthClientUnknownTypes  Counter32,
264      radiusAuthClientPacketsDropped  Counter32
265  }

267  radiusAuthServerIndex OBJECT-TYPE
268      SYNTAX Integer32 (1..2147483647)
269      MAX-ACCESS not-accessible
270      STATUS deprecated
271      DESCRIPTION
272          "A number uniquely identifying each RADIUS
273           Authentication server with which this client
274           communicates."
275      ::= { radiusAuthServerEntry 1 }

277  radiusAuthServerAddress OBJECT-TYPE
278      SYNTAX IpAddress
279      MAX-ACCESS read-only
280      STATUS deprecated
281      DESCRIPTION
282          "The IP address of the RADIUS authentication server
283           referred to in this table entry."
284      ::= { radiusAuthServerEntry 2 }

286  radiusAuthClientServerPortNumber OBJECT-TYPE
287      SYNTAX Integer32 (0..65535)
288      MAX-ACCESS read-only
289      STATUS deprecated
290      DESCRIPTION
291          "The UDP port the client is using to send requests to
292           this server."
293      ::= { radiusAuthServerEntry 3 }

295  radiusAuthClientRoundTripTime OBJECT-TYPE
296      SYNTAX TimeTicks
297      MAX-ACCESS read-only
298      STATUS deprecated
299      DESCRIPTION
300          "The time interval (in hundredths of a second) between
301           the most recent Access-Reply/Access-Challenge and the
302           Access-Request that matched it from this RADIUS
303           authentication server."
304      ::= { radiusAuthServerEntry 4 }

306  -- Request/Response statistics
307  --
308  -- TotalIncomingPackets = Accepts + Rejects + Challenges +
309  -- UnknownTypes
310  --
311  -- TotalIncomingPackets - MalformedResponses -
312  -- BadAuthenticators - UnknownTypes - PacketsDropped =
313  -- Successfully received
314  --
315  -- AccessRequests + PendingRequests + ClientTimeouts =
316  -- Successfully received
317  --
318  --

320  radiusAuthClientAccessRequests OBJECT-TYPE
321      SYNTAX Counter32
322      MAX-ACCESS read-only
323      STATUS deprecated
324      DESCRIPTION
325          "The number of RADIUS Access-Request packets sent
326           to this server. This does not include retransmissions."
327      ::= { radiusAuthServerEntry 5 }

329  radiusAuthClientAccessRetransmissions OBJECT-TYPE
330      SYNTAX Counter32
331      MAX-ACCESS read-only
332      STATUS deprecated
333      DESCRIPTION
334          "The number of RADIUS Access-Request packets
335           retransmitted to this RADIUS authentication server."
336      ::= { radiusAuthServerEntry 6 }

338  radiusAuthClientAccessAccepts OBJECT-TYPE
339      SYNTAX Counter32
340      MAX-ACCESS read-only
341      STATUS deprecated
342      DESCRIPTION
343          "The number of RADIUS Access-Accept packets
344           (valid or invalid) received from this server."
345      ::= { radiusAuthServerEntry 7 }

347  radiusAuthClientAccessRejects OBJECT-TYPE
348      SYNTAX Counter32
349      MAX-ACCESS read-only
350      STATUS deprecated
351      DESCRIPTION
352          "The number of RADIUS Access-Reject packets
353           (valid or invalid) received from this server."
354      ::= { radiusAuthServerEntry 8 }

356  radiusAuthClientAccessChallenges OBJECT-TYPE
357      SYNTAX Counter32
358      MAX-ACCESS read-only
359      STATUS deprecated
360      DESCRIPTION
361          "The number of RADIUS Access-Challenge packets
362           (valid or invalid) received from this server."
363      ::= { radiusAuthServerEntry 9 }

365  -- "Access-Response" includes an Access-Accept, Access-Challenge
366  -- or Access-Reject

368  radiusAuthClientMalformedAccessResponses OBJECT-TYPE
369      SYNTAX Counter32
370      MAX-ACCESS read-only
371      STATUS deprecated
372      DESCRIPTION
373          "The number of malformed RADIUS Access-Response
374           packets received from this server.
375           Malformed packets include packets with
376           an invalid length. Bad authenticators or
377           Message Authenticator attributes or unknown types
378           are not included as malformed access responses."
379      ::= { radiusAuthServerEntry 10 }

381  radiusAuthClientBadAuthenticators OBJECT-TYPE
382      SYNTAX Counter32
383      MAX-ACCESS read-only
384      STATUS deprecated
385      DESCRIPTION
386          "The number of RADIUS Access-Response packets
387           containing invalid authenticators or Message
388           Authenticator attributes received from this server."
389      ::= { radiusAuthServerEntry 11 }

391  radiusAuthClientPendingRequests OBJECT-TYPE
392      SYNTAX Gauge32
393      MAX-ACCESS read-only
394      STATUS deprecated
395      DESCRIPTION
396          "The number of RADIUS Access-Request packets
397           destined for this server that have not yet timed out
398           or received a response. This variable is incremented
399           when an Access-Request is sent and decremented due to
400           receipt of an Access-Accept, Access-Reject or
401           Access-Challenge, a timeout or retransmission."
402      ::= { radiusAuthServerEntry 12 }

404  radiusAuthClientTimeouts OBJECT-TYPE
405      SYNTAX Counter32
406      MAX-ACCESS read-only
407      STATUS deprecated
408      DESCRIPTION
409          "The number of authentication timeouts to this server.
410           After a timeout the client may retry to the same
411           server, send to a different server, or
412           give up. A retry to the same server is counted as a
413           retransmit as well as a timeout. A send to a different
414           server is counted as a Request as well as a timeout."
415      ::= { radiusAuthServerEntry 13 }

417  radiusAuthClientUnknownTypes OBJECT-TYPE
418      SYNTAX Counter32
419      MAX-ACCESS read-only
420      STATUS deprecated
421      DESCRIPTION
422          "The number of RADIUS packets of unknown type which
423           were received from this server on the authentication
424           port."
425      ::= { radiusAuthServerEntry 14 }

427  radiusAuthClientPacketsDropped OBJECT-TYPE
428      SYNTAX Counter32
429      MAX-ACCESS read-only
430      STATUS deprecated
431      DESCRIPTION
432          "The number of RADIUS packets which were
433           received from this server on the authentication port
434           and dropped for some other reason."
435      ::= { radiusAuthServerEntry 15 }

437  -- Extended MIB Objects

439  radiusAuthClientExtMIBNotifications OBJECT IDENTIFIER
440      ::= { radiusAuthClientExtMIB 0 }

442  radiusAuthClientExtMIBObjects OBJECT IDENTIFIER
443      ::= { radiusAuthClientExtMIB 1 }

445  radiusAuthClientExtMIBConformance OBJECT IDENTIFIER
446      ::= { radiusAuthClientExtMIB 2 }

448  radiusAuthServerExtTable OBJECT-TYPE
449      SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
450      MAX-ACCESS not-accessible
451      STATUS current
452      DESCRIPTION
453          "The (conceptual) table listing the RADIUS authentication
454           servers with which the client shares a secret."
455      ::= { radiusAuthClientExtMIB 1 }

457  radiusAuthServerExtEntry OBJECT-TYPE
458      SYNTAX RadiusAuthServerExtEntry
459      MAX-ACCESS not-accessible
460      STATUS current
461      DESCRIPTION
462          "An entry (conceptual row) representing a RADIUS
463           authentication server with which the client shares
464           a secret."
465      INDEX { radiusAuthServerExtIndex }
466      ::= { radiusAuthServerExtTable 1 }

468  RadiusAuthServerExtEntry ::= SEQUENCE {
469      radiusAuthServerExtIndex  Integer32,
470      radiusAuthServerInetAddressType  InetAddressType,
471      radiusAuthServerInetAddress  InetAddress,
472      radiusAuthClientServerInetPortNumber  InetPortNumber,
473      radiusAuthClientExtRoundTripTime  TimeTicks,
474      radiusAuthClientExtAccessRequests  Counter32,
475      radiusAuthClientExtAccessRetransmissions  Counter32,
476      radiusAuthClientExtAccessAccepts  Counter32,
477      radiusAuthClientExtAccessRejects  Counter32,
478      radiusAuthClientExtAccessChallenges  Counter32,
479      radiusAuthClientExtMalformedAccessResponses  Counter32,
480      radiusAuthClientExtBadAuthenticators  Counter32,
481      radiusAuthClientExtPendingRequests  Gauge32,
482      radiusAuthClientExtTimeouts  Counter32,
483      radiusAuthClientExtUnknownTypes  Counter32,
484      radiusAuthClientExtPacketsDropped  Counter32
485  }

487  radiusAuthServerExtIndex OBJECT-TYPE
488      SYNTAX Integer32 (1..2147483647)
489      MAX-ACCESS not-accessible
490      STATUS current
491      DESCRIPTION
492          "A number uniquely identifying each RADIUS
493           Authentication server with which this client
494           communicates."
495      ::= { radiusAuthServerExtEntry 1 }

497  radiusAuthServerInetAddressType OBJECT-TYPE
498      SYNTAX InetAddressType
499      MAX-ACCESS read-only
500      STATUS current
501      DESCRIPTION
502          "The type of address format used for the
503           radiusAuthServerInetAddress object."
504      ::= { radiusAuthServerExtEntry 2 }

506  radiusAuthServerInetAddress OBJECT-TYPE
507      SYNTAX InetAddress
508      MAX-ACCESS read-only
509      STATUS current
510      DESCRIPTION
511          "The IP address of the RADIUS authentication
512           server referred to in this table entry, using
513           the IPv6 address format."
514      ::= { radiusAuthServerExtEntry 3 }

516  radiusAuthClientServerInetPortNumber OBJECT-TYPE
517      SYNTAX InetPortNumber
518      MAX-ACCESS read-only
519      STATUS current
520      DESCRIPTION
521          "The UDP port the client is using to send requests
522           to this server."
523      ::= { radiusAuthServerExtEntry 4 }

525  radiusAuthClientExtRoundTripTime OBJECT-TYPE
526      SYNTAX TimeTicks
527      MAX-ACCESS read-only
528      STATUS current
529      DESCRIPTION
530          "The time interval (in hundredths of a second) between
531           the most recent Access-Reply/Access-Challenge and the
532           Access-Request that matched it from this RADIUS
533           authentication server."
534      ::= { radiusAuthServerExtEntry 5 }

536  -- Request/Response statistics
537  --
538  -- TotalIncomingPackets = Accepts + Rejects + Challenges +
539  -- UnknownTypes
540  --
541  -- TotalIncomingPackets - MalformedResponses -
542  -- BadAuthenticators - UnknownTypes - PacketsDropped =
543  -- Successfully received
544  --
545  -- AccessRequests + PendingRequests + ClientTimeouts =
546  -- Successfully received
547  --
548  --

550  radiusAuthClientExtAccessRequests OBJECT-TYPE
551      SYNTAX Counter32
552      MAX-ACCESS read-only
553      STATUS current
554      DESCRIPTION
555          "The number of RADIUS Access-Request packets sent
556           to this server. This does not include retransmissions."
557      ::= { radiusAuthServerExtEntry 6 }

559  radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
560      SYNTAX Counter32
561      MAX-ACCESS read-only
562      STATUS current
563      DESCRIPTION
564          "The number of RADIUS Access-Request packets
565           retransmitted to this RADIUS authentication server."
566      ::= { radiusAuthServerExtEntry 7 }

568  radiusAuthClientExtAccessAccepts OBJECT-TYPE
569      SYNTAX Counter32
570      MAX-ACCESS read-only
571      STATUS current
572      DESCRIPTION
573          "The number of RADIUS Access-Accept packets
574           (valid or invalid) received from this server."
575      ::= { radiusAuthServerExtEntry 8 }

577  radiusAuthClientExtAccessRejects OBJECT-TYPE
578      SYNTAX Counter32
579      MAX-ACCESS read-only
580      STATUS current
581      DESCRIPTION
582          "The number of RADIUS Access-Reject packets
583           (valid or invalid) received from this server."
584      ::= { radiusAuthServerExtEntry 9 }

586  radiusAuthClientExtAccessChallenges OBJECT-TYPE
587      SYNTAX Counter32
588      MAX-ACCESS read-only
589      STATUS current
590      DESCRIPTION
591          "The number of RADIUS Access-Challenge packets
592           (valid or invalid) received from this server."
593      ::= { radiusAuthServerExtEntry 10 }

595  -- "Access-Response" includes an Access-Accept, Access-Challenge
596  -- or Access-Reject

598  radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
599      SYNTAX Counter32
600      MAX-ACCESS read-only
601      STATUS current
602      DESCRIPTION
603          "The number of malformed RADIUS Access-Response
604           packets received from this server.
605           Malformed packets include packets with
606           an invalid length. Bad authenticators or
607           Message Authenticator attributes or unknown types
608           are not included as malformed access responses."
609      ::= { radiusAuthServerExtEntry 11 }

611  radiusAuthClientExtBadAuthenticators OBJECT-TYPE
612      SYNTAX Counter32
613      MAX-ACCESS read-only
614      STATUS current
615      DESCRIPTION
616          "The number of RADIUS Access-Response packets
617           containing invalid authenticators or Message
618           Authenticator attributes received from this server."
619      ::= { radiusAuthServerExtEntry 12 }

621  radiusAuthClientExtPendingRequests OBJECT-TYPE
622      SYNTAX Gauge32
623      MAX-ACCESS read-only
624      STATUS current
625      DESCRIPTION
626          "The number of RADIUS Access-Request packets
627           destined for this server that have not yet timed out
628           or received a response. This variable is incremented
629           when an Access-Request is sent and decremented due to
630           receipt of an Access-Accept, Access-Reject or
631           Access-Challenge, a timeout or retransmission."
632      ::= { radiusAuthServerExtEntry 13 }

634  radiusAuthClientExtTimeouts OBJECT-TYPE
635      SYNTAX Counter32
636      MAX-ACCESS read-only
637      STATUS current
638      DESCRIPTION
639          "The number of authentication timeouts to this server.
640           After a timeout the client may retry to the same
641           server, send to a different server, or
642           give up. A retry to the same server is counted as a
643           retransmit as well as a timeout. A send to a different
644           server is counted as a Request as well as a timeout."
645      ::= { radiusAuthServerExtEntry 14 }

647  radiusAuthClientExtUnknownTypes OBJECT-TYPE
648      SYNTAX Counter32
649      MAX-ACCESS read-only
650      STATUS current
651      DESCRIPTION
652          "The number of RADIUS packets of unknown type which
653           were received from this server on the authentication
654           port."
655      ::= { radiusAuthServerExtEntry 15 }

657  radiusAuthClientExtPacketsDropped OBJECT-TYPE
658      SYNTAX Counter32
659      MAX-ACCESS read-only
660      STATUS current
661      DESCRIPTION
662          "The number of RADIUS packets which were
663           received from this server on the authentication port
664           and dropped for some other reason."
665      ::= { radiusAuthServerExtEntry 16 }

667  -- conformance information

669  radiusAuthClientMIBConformance OBJECT IDENTIFIER
670      ::= { radiusAuthClientMIB 2 }

672  radiusAuthClientMIBCompliances OBJECT IDENTIFIER
673      ::= { radiusAuthClientMIBConformance 1 }

675  radiusAuthClientMIBGroups OBJECT IDENTIFIER
676      ::= { radiusAuthClientMIBConformance 2 }

678  radiusAuthClientExtMIBCompliances OBJECT IDENTIFIER
679      ::= { radiusAuthClientExtMIBConformance 1 }

681  radiusAuthClientExtMIBGroups OBJECT IDENTIFIER
682      ::= { radiusAuthClientExtMIBConformance 2 }

684  -- compliance statements

686  radiusAuthClientMIBCompliance MODULE-COMPLIANCE
687      STATUS deprecated
688      DESCRIPTION
689          "The compliance statement for authentication clients
690           implementing the RADIUS Authentication Client MIB."
691      MODULE -- this module
692      MANDATORY-GROUPS { radiusAuthClientMIBGroup }

694      ::= { radiusAuthClientMIBCompliances 1 }

696  radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
697      STATUS current
698      DESCRIPTION
699          "The compliance statement for authentication
700           clients implementing the RADIUS Authentication
701           Client IPv6 Extensions MIB."
702      MODULE -- this module
703      MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

705      ::= { radiusAuthClientExtMIBCompliances 1 }

707  -- units of conformance

709  radiusAuthClientMIBGroup OBJECT-GROUP
710      OBJECTS { radiusAuthClientIdentifier,
711                radiusAuthClientInvalidServerAddresses,
712                radiusAuthServerAddress,
713                radiusAuthClientServerPortNumber,
714                radiusAuthClientRoundTripTime,
715                radiusAuthClientAccessRequests,
716                radiusAuthClientAccessRetransmissions,
717                radiusAuthClientAccessAccepts,
718                radiusAuthClientAccessRejects,
719                radiusAuthClientAccessChallenges,
720                radiusAuthClientMalformedAccessResponses,
721                radiusAuthClientBadAuthenticators,
722                radiusAuthClientPendingRequests,
723                radiusAuthClientTimeouts,
724                radiusAuthClientUnknownTypes,
725                radiusAuthClientPacketsDropped
726              }
727      STATUS deprecated
728      DESCRIPTION
729          "The basic collection of objects providing management of
730           RADIUS Authentication Clients."

732      ::= { radiusAuthClientMIBGroups 1 }

734  radiusAuthClientExtMIBGroup OBJECT-GROUP
735      OBJECTS { radiusAuthClientIdentifier,
736                radiusAuthClientInvalidServerAddresses,
737                radiusAuthServerInetAddressType,
738                radiusAuthServerInetAddress,
739                radiusAuthClientServerInetPortNumber,
740                radiusAuthClientExtRoundTripTime,
741                radiusAuthClientExtAccessRequests,
742                radiusAuthClientExtAccessRetransmissions,
743                radiusAuthClientExtAccessAccepts,
744                radiusAuthClientExtAccessRejects,
745                radiusAuthClientExtAccessChallenges,
746                radiusAuthClientExtMalformedAccessResponses,
747                radiusAuthClientExtBadAuthenticators,
748                radiusAuthClientExtPendingRequests,
749                radiusAuthClientExtTimeouts,
750                radiusAuthClientExtUnknownTypes,
751                radiusAuthClientExtPacketsDropped
752              }
753      STATUS current
754      DESCRIPTION
755          "The collection of extended objects providing
756           management of RADIUS Authentication Clients
757           using version neutral IP address format."
758      ::= { radiusAuthClientExtMIBGroups 1 }

760  END

762  8.  IANA Considerations

764     This document requires IANA assignment of a number in the MIB-2 OID
765     number space.

767  9.  Security Considerations

769     There are no management objects defined in this MIB that have a MAX-
770     ACCESS clause of read-write and/or read-create.  So, if this MIB is
771     implemented correctly, then there is no risk that an intruder can
772     alter or create any management objects of this MIB via direct SNMP
773     SET operations.

775     There are a number of managed objects in this MIB that may contain
776     sensitive information.  These are:

778     radiusAuthServerIPAddress  This can be used to determine the address
779        of the RADIUS authentication server with which the client is
780        communicating.  This information could be useful in mounting an
781        attack on the authentication server.

783     radiusAuthServerInetAddress  This can be used to determine the address
784        of the RADIUS authentication server with which the client is
785        communicating.  This information could be useful in mounting an
786        attack on the authentication server.

788     radiusAuthClientServerInetPortNumber  This can be used to determine
789        the port number on which the RADIUS authentication client is
790        sending.  This information could be useful in impersonating the
791        client in order to send data to the authentication server.

793     It is thus important to control even GET access to these objects and
794     possibly to even encrypt the values of these objects when sending them
795     over the network via SNMP.  Not all versions of SNMP provide features
796     for such a secure environment.

798     SNMP versions prior to SNMPv3 do not provide a secure environment.
799     Even if the network itself is secure (for example by using IPSec),
800     there is no control as to who on the secure network is allowed to
801     access and GET/SET (read/change/create/delete) the objects in this
802     MIB.

804     It is recommended that the implementers consider the security
805     features as provided by the SNMPv3 framework.  Specifically, the use
806     of the User-based Security Model [RFC2574] and the View-based Access
807     Control Model [RFC2575] is recommended.  Using these security
808     features, customer/users can give access to the objects only to those
809     principals (users) that have legitimate rights to GET or SET (change/
810     create/delete) them.

812  10.  References

814  10.1  Normative References

816     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
817                Requirement Levels", BCP 14, RFC 2119, March 1997.

819     [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
820                (USM) for version 3 of the Simple Network Management
821                Protocol (SNMPv3)", RFC 2574, April 1999.

823     [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
824                Access Control Model (VACM) for the Simple Network
825                Management Protocol (SNMP)", RFC 2575, April 1999.

827     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
828                Schoenwaelder, Ed., "Structure of Management Information
829                Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

831     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
832                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
833                STD 58, RFC 2579, April 1999.

835     [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
836                "Conformance Statements for SMIv2", STD 58, RFC 2580,
837                April 1999.

839     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
840                "Introduction and Applicability Statements for Internet-
841                Standard Management Framework", RFC 3410, December 2002.

843     [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
844                Simple Network Management Protocol (SNMP)", STD 62,
845                RFC 3418, December 2002.

847     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
848                Schoenwaelder, "Textual Conventions for Internet Network
849                Addresses", RFC 4001, February 2005.

851  10.2  Informative References

853     [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
854                RFC 2618, June 1999.
856     [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
857                "Remote Authentication Dial In User Service (RADIUS)",
858                RFC 2865, June 2000.

860  Author's Address

862     David B. Nelson
863     Enterasys Networks
864     50 Minuteman Road
865     Andover, MA  01810
866     USA

868     Email: dnelson@enterasys.com

870  Appendix A.  Acknowledgments

872     The Authors of the original MIB are Bernard Aboba and Glen Zorn.

874     Many thanks to all reviewers, especially to Dave Harrington, Dan
875     Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

877  Intellectual Property Statement

879     The IETF takes no position regarding the validity or scope of any
880     Intellectual Property Rights or other rights that might be claimed to
881     pertain to the implementation or use of the technology described in
882     this document or the extent to which any license under such rights
883     might or might not be available; nor does it represent that it has
884     made any independent effort to identify any such rights.  Information
885     on the procedures with respect to rights in RFC documents can be
886     found in BCP 78 and BCP 79.

888     Copies of IPR disclosures made to the IETF Secretariat and any
889     assurances of licenses to be made available, or the result of an
890     attempt made to obtain a general license or permission for the use of
891     such proprietary rights by implementers or users of this
892     specification can be obtained from the IETF on-line IPR repository at
893     http://www.ietf.org/ipr.

895     The IETF invites any interested party to bring to its attention any
896     copyrights, patents or patent applications, or other proprietary
897     rights that may cover technology that may be required to implement
898     this standard.  Please address the information to the IETF at
899     ietf-ipr@ietf.org.
901  Disclaimer of Validity

903     This document and the information contained herein are provided on an
904     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
905     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
906     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
907     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
908     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
909     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

911  Copyright Statement

913     Copyright (C) The Internet Society (2005).  This document is subject
914     to the rights, licenses and restrictions contained in BCP 78, and
915     except as set forth therein, the authors retain all their rights.

917  Acknowledgment

919     Funding for the RFC Editor function is currently provided by the
920     Internet Society.