Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Updates: 2619 (if approved)                                July 16, 2005
Expires: January 17, 2006


                     RADIUS Auth Server MIB (IPv6)
                      draft-nelson-rfc2619bis-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 17, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo updates RFC 2619 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1  Normative References
       10.2  Informative References
       Author's Address
   A.  Acknowledgments
       Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Server as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document updates RFC 2619 [RFC2619], RADIUS Authentication
   Server MIB, by deprecating the radiusAuthClientTable table and adding
   a new table, radiusAuthClientExtTable, containing
   radiusAuthClientInetAddressType and radiusAuthClientInetAddress.  The
   purpose of these added MIB objects is to support version neutral IP
   addressing formats.  The existing table containing
   radiusAuthClientAddress is deprecated.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   version neutral IP addresses, contains the following recommendation.

      'In particular, when revising a MIB module that contains IPv4
      specific tables, it is suggested to define new tables using the
      textual conventions defined in this memo [RFC4001] that support
      all versions of IP.  The status of the new tables SHOULD be
      "current", whereas the status of the old IP version specific
      tables SHOULD be changed to "deprecated".  The other approach, of
      having multiple similar tables for different IP versions, is
      strongly discouraged.'

5.  Structure of the MIB Module

   The structure of the MIB Module defined in this memo corresponds to
   the structure of the MIB Module defined in RADIUS Authentication
   Server MIB, RFC 2619 [RFC2619].  This MIB module contains fourteen
   scalars as well as two tables: the deprecated RADIUS Authentication
   Client Table (radiusAuthClientTable) carried forward from RFC 2619,
   and its replacement, the RADIUS Authentication Client Extension Table
   (radiusAuthClientExtTable).  Each table contains one row for each
   RADIUS authentication client with which the server shares a secret.

   Each entry in the RADIUS Authentication Client Extension Table
   includes thirteen columns presenting a view of the activity of the
   RADIUS authentication server with respect to that client: the row
   index, the version neutral client address (type and value), the
   client identifier, and nine counters.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2619
   [RFC2619].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate the deprecated table
   containing IPv4-only address objects when the RADIUS client address
   represented in the table row is not an IPv4 address.  Managed
   entities SHOULD NOT return inaccurate values of IP address or SNMP
   object access errors for IPv4-only address objects in otherwise
   populated tables.

7.  Definitions

RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32,
       IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
       SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
       InetAddressType, InetAddress     FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAuthServMIB MODULE-IDENTITY
       LAST-UPDATED "200507150000Z" -- 15 Jul 2005
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US
                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Remote Authentication Dial-In User
              Service (RADIUS) authentication protocol."
       REVISION "200507150000Z" -- 15 Jul 2005
       DESCRIPTION "Revised version as published in RFC xxxx."
       REVISION "199906110000Z" -- 11 Jun 1999
       DESCRIPTION "Initial version as published in RFC 2619"

       -- RFC Editor: replace xxxx with actual RFC number at the time of
       -- publication, and remove this note.
       ::= { radiusAuthentication 1 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 67 }

radiusAuthServerExtMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB Extension
              work by the IANA."
       ::= { mib-2 TBA }

-- RFC Editor: replace TBA with IANA assigned OID value, and
-- remove this note.

radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}
radiusAuthServMIBObjects  OBJECT IDENTIFIER
       ::= { radiusAuthServMIB 1 }

radiusAuthServ  OBJECT IDENTIFIER
       ::= { radiusAuthServMIBObjects 1 }

radiusAuthServerExtMIBNotifications  OBJECT IDENTIFIER
       ::= { radiusAuthServerExtMIB 0 }

radiusAuthServerExtMIBObjects  OBJECT IDENTIFIER
       ::= { radiusAuthServerExtMIB 1 }

radiusAuthServIdent OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The implementation identification string for the
              RADIUS authentication server software in use on the
              system, for example; `FNS-2.1'"
       ::= {radiusAuthServ 1}

radiusAuthServUpTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a
              process), this value will be the time elapsed (in
              hundredths of a second) since the server process
              was started.  For software without persistent state,
              this value will be zero."
       ::= {radiusAuthServ 2}

radiusAuthServResetTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process)
              and supports a `reset' operation (e.g., can be told to
              re-read configuration files), this value will be the
              time elapsed (in hundredths of a second) since the
              server was `reset.'  For software that does not
              have persistence or does not support a `reset'
              operation, this value will be zero."
       ::= {radiusAuthServ 3}

radiusAuthServConfigReset OBJECT-TYPE
       SYNTAX INTEGER { other(1),
                        reset(2),
                        initializing(3),
                        running(4)}
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
             "Status/action object to reinitialize any persistent
              server state.  When set to reset(2), any persistent
              server state (such as a process) is reinitialized as
              if the server had just been started.  This value will
              never be returned by a read operation.  When read,
              one of the following values will be returned:
                  other(1) - server in some unknown state;
                  initializing(3) - server (re)initializing;
                  running(4) - server currently running."
       ::= {radiusAuthServ 4}

radiusAuthServTotalAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of packets received on the
              authentication port."
       ::= { radiusAuthServ 5}

radiusAuthServTotalInvalidRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              received from unknown addresses."
       ::= { radiusAuthServ 6 }

radiusAuthServTotalDupAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of duplicate RADIUS Access-Request
              packets received."
       ::= { radiusAuthServ 7 }

radiusAuthServTotalAccessAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Accept packets sent."
       ::= { radiusAuthServ 8 }

radiusAuthServTotalAccessRejects OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Reject packets sent."
       ::= { radiusAuthServ 9 }

radiusAuthServTotalAccessChallenges OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets sent."
       ::= { radiusAuthServ 10 }

radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of malformed RADIUS Access-Request
              packets received.  Bad authenticators
              and unknown types are not included as
              malformed Access-Requests."
       ::= { radiusAuthServ 11 }

radiusAuthServTotalBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              which contained invalid Message Authenticator
              attributes received."
       ::= { radiusAuthServ 12 }

radiusAuthServTotalPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of incoming packets
              silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthServ 13 }

radiusAuthServTotalUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received."
       ::= { radiusAuthServ 14 }

radiusAuthClientTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusAuthClientEntry
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "The (conceptual) table listing the RADIUS
              authentication clients with which the server shares
              a secret."
       ::= { radiusAuthServ 15 }

radiusAuthClientEntry OBJECT-TYPE
       SYNTAX     RadiusAuthClientEntry
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication client with which the server shares a
              secret."
       INDEX      { radiusAuthClientIndex }
       ::= { radiusAuthClientTable 1 }

RadiusAuthClientEntry ::= SEQUENCE {
       radiusAuthClientIndex                           Integer32,
       radiusAuthClientAddress                         IpAddress,
       radiusAuthClientID                              SnmpAdminString,
       radiusAuthServAccessRequests                    Counter32,
       radiusAuthServDupAccessRequests                 Counter32,
       radiusAuthServAccessAccepts                     Counter32,
       radiusAuthServAccessRejects                     Counter32,
       radiusAuthServAccessChallenges                  Counter32,
       radiusAuthServMalformedAccessRequests           Counter32,
       radiusAuthServBadAuthenticators                 Counter32,
       radiusAuthServPacketsDropped                    Counter32,
       radiusAuthServUnknownTypes                      Counter32
}

radiusAuthClientIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              authentication client with which this server
              communicates."
       ::= { radiusAuthClientEntry 1 }

radiusAuthClientAddress OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The NAS-IP-Address of the RADIUS authentication client
              referred to in this table entry."
       ::= { radiusAuthClientEntry 2 }

radiusAuthClientID OBJECT-TYPE
       SYNTAX     SnmpAdminString
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The NAS-Identifier of the RADIUS authentication client
              referred to in this table entry.  This is not
              necessarily the same as sysName in MIB II."
       ::= { radiusAuthClientEntry 3 }

-- Server Counters

--
-- Responses = AccessAccepts + AccessRejects + AccessChallenges
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped = entries logged

radiusAuthServAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of packets received on the authentication
              port from this client."
       ::= { radiusAuthClientEntry 4 }

radiusAuthServDupAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of duplicate RADIUS Access-Request
              packets received from this client."
       ::= { radiusAuthClientEntry 5 }

radiusAuthServAccessAccepts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Accept packets
              sent to this client."
       ::= { radiusAuthClientEntry 6 }

radiusAuthServAccessRejects OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Reject packets
              sent to this client."
       ::= { radiusAuthClientEntry 7 }

radiusAuthServAccessChallenges OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets
              sent to this client."
       ::= { radiusAuthClientEntry 8 }

radiusAuthServMalformedAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of malformed RADIUS Access-Request
              packets received from this client.
              Bad authenticators and unknown types are not included
              as malformed Access-Requests."
       ::= { radiusAuthClientEntry 9 }

radiusAuthServBadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              which contained invalid Message Authenticator
              attributes received from this client."
       ::= { radiusAuthClientEntry 10 }

radiusAuthServPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of incoming packets from this
              client silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthClientEntry 11 }

radiusAuthServUnknownTypes OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this client."
       ::= { radiusAuthClientEntry 12 }

-- new table

radiusAuthClientExtTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusAuthClientExtEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS
              authentication clients with which the server shares
              a secret."
       ::= { radiusAuthServerExtMIBObjects 1 }

radiusAuthClientExtEntry OBJECT-TYPE
       SYNTAX     RadiusAuthClientExtEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication client with which the server shares a
              secret."
       INDEX      { radiusAuthClientExtIndex }
       ::= { radiusAuthClientExtTable 1 }

RadiusAuthClientExtEntry ::= SEQUENCE {
       radiusAuthClientExtIndex                        Integer32,
       radiusAuthClientInetAddressType                 InetAddressType,
       radiusAuthClientInetAddress                     InetAddress,
       radiusAuthClientExtID                           SnmpAdminString,
       radiusAuthServExtAccessRequests                 Counter32,
       radiusAuthServExtDupAccessRequests              Counter32,
       radiusAuthServExtAccessAccepts                  Counter32,
       radiusAuthServExtAccessRejects                  Counter32,
       radiusAuthServExtAccessChallenges               Counter32,
       radiusAuthServExtMalformedAccessRequests        Counter32,
       radiusAuthServExtBadAuthenticators              Counter32,
       radiusAuthServExtPacketsDropped                 Counter32,
       radiusAuthServExtUnknownTypes                   Counter32
}

radiusAuthClientExtIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              authentication client with which this server
              communicates."
       ::= { radiusAuthClientExtEntry 1 }

radiusAuthClientInetAddressType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The type of address format used for the
              radiusAuthClientInetAddress object."
       ::= { radiusAuthClientExtEntry 2 }

radiusAuthClientInetAddress OBJECT-TYPE
       SYNTAX     InetAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The IP address of the RADIUS authentication
              client referred to in this table entry, using
              the version neutral IP address format.  The
              format is given by radiusAuthClientInetAddressType."
       ::= { radiusAuthClientExtEntry 3 }

radiusAuthClientExtID OBJECT-TYPE
       SYNTAX     SnmpAdminString
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS authentication client
              referred to in this table entry.  This is not
              necessarily the same as sysName in MIB II."
       ::= { radiusAuthClientExtEntry 4 }

-- Server Counters

--
-- Responses = AccessAccepts + AccessRejects + AccessChallenges
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped = entries logged

radiusAuthServExtAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of packets received on the authentication
              port from this client."
       ::= { radiusAuthClientExtEntry 5 }

radiusAuthServExtDupAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of duplicate RADIUS Access-Request
              packets received from this client."
       ::= { radiusAuthClientExtEntry 6 }

radiusAuthServExtAccessAccepts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Accept packets
              sent to this client."
       ::= { radiusAuthClientExtEntry 7 }

radiusAuthServExtAccessRejects OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Reject packets
              sent to this client."
       ::= { radiusAuthClientExtEntry 8 }

radiusAuthServExtAccessChallenges OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets
              sent to this client."
       ::= { radiusAuthClientExtEntry 9 }

radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of malformed RADIUS Access-Request
              packets received from this client.
              Bad authenticators and unknown types are not included
              as malformed Access-Requests."
       ::= { radiusAuthClientExtEntry 10 }

radiusAuthServExtBadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              which contained invalid Message Authenticator
              attributes received from this client."
       ::= { radiusAuthClientExtEntry 11 }

radiusAuthServExtPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of incoming packets from this
              client silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthClientExtEntry 12 }

radiusAuthServExtUnknownTypes OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this client."
       ::= { radiusAuthClientExtEntry 13 }

-- conformance information

radiusAuthServMIBConformance  OBJECT IDENTIFIER
       ::= { radiusAuthServMIB 2 }
radiusAuthServMIBCompliances  OBJECT IDENTIFIER
       ::= { radiusAuthServMIBConformance 1 }
radiusAuthServMIBGroups  OBJECT IDENTIFIER
       ::= { radiusAuthServMIBConformance 2 }

radiusAuthServerExtMIBConformance  OBJECT IDENTIFIER
       ::= { radiusAuthServerExtMIB 2 }
radiusAuthServMIBExtCompliances  OBJECT IDENTIFIER
       ::= { radiusAuthServerExtMIBConformance 1 }
radiusAuthServMIBExtGroups  OBJECT IDENTIFIER
       ::= { radiusAuthServerExtMIBConformance 2 }

-- compliance statements

radiusAuthServMIBCompliance MODULE-COMPLIANCE
       STATUS  deprecated
       DESCRIPTION
             "The compliance statement for authentication
              servers implementing the RADIUS Authentication
              Server MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthServMIBGroup }
       OBJECT        radiusAuthServConfigReset
       WRITE-SYNTAX  INTEGER { reset(2) }
       DESCRIPTION  "The only SETable value is 'reset' (2)."
       ::= { radiusAuthServMIBCompliances 1 }

radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for authentication
              servers implementing the RADIUS Authentication
              Server MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthServMIBExtGroup }

       OBJECT        radiusAuthServConfigReset
       WRITE-SYNTAX  INTEGER { reset(2) }
       DESCRIPTION  "The only SETable value is 'reset' (2)."

       ::= { radiusAuthServMIBExtCompliances 1 }

-- units of conformance

radiusAuthServMIBGroup OBJECT-GROUP
       OBJECTS {radiusAuthServIdent,
                radiusAuthServUpTime,
                radiusAuthServResetTime,
                radiusAuthServConfigReset,
                radiusAuthServTotalAccessRequests,
                radiusAuthServTotalInvalidRequests,
                radiusAuthServTotalDupAccessRequests,
                radiusAuthServTotalAccessAccepts,
                radiusAuthServTotalAccessRejects,
                radiusAuthServTotalAccessChallenges,
                radiusAuthServTotalMalformedAccessRequests,
                radiusAuthServTotalBadAuthenticators,
                radiusAuthServTotalPacketsDropped,
                radiusAuthServTotalUnknownTypes,
                radiusAuthClientAddress,
                radiusAuthClientID,
                radiusAuthServAccessRequests,
                radiusAuthServDupAccessRequests,
                radiusAuthServAccessAccepts,
                radiusAuthServAccessRejects,
                radiusAuthServAccessChallenges,
                radiusAuthServMalformedAccessRequests,
                radiusAuthServBadAuthenticators,
                radiusAuthServPacketsDropped,
                radiusAuthServUnknownTypes
               }
       STATUS  deprecated
       DESCRIPTION
             "The collection of objects providing management of
              a RADIUS Authentication Server."
        ::= { radiusAuthServMIBGroups 1 }

   radiusAuthServMIBExtGroup OBJECT-GROUP
        OBJECTS {radiusAuthServIdent,
                 radiusAuthServUpTime,
                 radiusAuthServResetTime,
                 radiusAuthServConfigReset,
                 radiusAuthServTotalAccessRequests,
                 radiusAuthServTotalInvalidRequests,
                 radiusAuthServTotalDupAccessRequests,
                 radiusAuthServTotalAccessAccepts,
                 radiusAuthServTotalAccessRejects,
                 radiusAuthServTotalAccessChallenges,
                 radiusAuthServTotalMalformedAccessRequests,
                 radiusAuthServTotalBadAuthenticators,
                 radiusAuthServTotalPacketsDropped,
                 radiusAuthServTotalUnknownTypes,
                 radiusAuthClientInetAddressType,
                 radiusAuthClientInetAddress,
                 radiusAuthClientExtID,
                 radiusAuthServExtAccessRequests,
                 radiusAuthServExtDupAccessRequests,
                 radiusAuthServExtAccessAccepts,
                 radiusAuthServExtAccessRejects,
                 radiusAuthServExtAccessChallenges,
                 radiusAuthServExtMalformedAccessRequests,
                 radiusAuthServExtBadAuthenticators,
                 radiusAuthServExtPacketsDropped,
                 radiusAuthServExtUnknownTypes
                }
        STATUS  current
        DESCRIPTION
              "The collection of objects providing management of
               a RADIUS Authentication Server."
        ::= { radiusAuthServMIBExtGroups 1 }

   END

8.  IANA Considerations

   This document requires IANA assignment of a number in the MIB-2 OID
   number space.

9.  Security Considerations

   There are no management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create.  So, if this MIB
   is implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthClientIPAddress    This can be used to determine the
      address of the RADIUS authentication client with which the server
      is communicating.  This information could be useful in mounting
      an attack on the authentication client.

   radiusAuthClientInetAddress  This can be used to determine the
      address of the RADIUS authentication client with which the server
      is communicating.  This information could be useful in mounting
      an attack on the authentication client.

   It is thus important to control even GET access to these objects and
   possibly even to encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 do not provide a secure environment.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework.  Specifically, the use of the
   User-based Security Model [RFC2574] and the View-based Access Control
   Model [RFC2575] is recommended.  Using these security features,
   customers/users can give access to the objects only to those
   principals (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

10.  References

10.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2  Informative References

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA  01810
   USA

   Email: dnelson@enterasys.com

Appendix A.  Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to David Harrington, C.M.
   Heard and Bruno Pape.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
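   As a worked illustration of the Section 9 recommendation (restrict
   even GET access to the client address objects, and protect the values
   in transit), the following net-snmp snmpd.conf fragment is an added
   example; it is not part of this draft and not the configuration of
   any particular RADIUS server or SNMP agent.  It assumes the agent can
   load the MIB module under the name RADIUS-AUTH-SERVER-MIB (the module
   name used by RFC 2619), and the user name and passphrases are
   placeholders.  The community-based setting shown first is the weak
   configuration the section warns about; the SNMPv3 USM/VACM setting
   that follows is the corrected one.

```conf
# --- Weak: SNMPv2c community string (no principal, no encryption) ---
# Anyone who learns the community string can GET every object in the
# agent, including the RADIUS client address objects.  Shown for
# contrast only; leave it commented out.
# rocommunity public

# --- Corrected: SNMPv3 with USM (authentication + privacy) and VACM ---

# USM principal.  Passphrases are placeholders to be replaced at
# deployment; snmpd moves this line into its persistent store after
# deriving the localized keys.
createUser radiusMonitor SHA "example-auth-passphrase" AES "example-priv-passphrase"

# VACM group: bind the USM user to a group so an access rule applies.
group radiusReaders usm radiusMonitor

# VACM view: expose the RADIUS authentication server MIB subtree ...
view radiusAuthView included RADIUS-AUTH-SERVER-MIB::radiusAuthServMIB

# ... but exclude the two client address objects named in Section 9.
# Excluding the columnar object excludes every row's instance of it.
view radiusAuthView excluded RADIUS-AUTH-SERVER-MIB::radiusAuthClientIPAddress
view radiusAuthView excluded RADIUS-AUTH-SERVER-MIB::radiusAuthClientInetAddress

# VACM access rule: group, empty context, USM only, security level
# "priv" (authenticated and encrypted PDUs), exact context match,
# read view only.  The MIB has no writable objects, but "none" for the
# write and notify views makes that explicit.
access radiusReaders "" usm priv exact radiusAuthView none none
```

   Requiring the "priv" level means a request that arrives as SNMPv1 or
   SNMPv2c, or as SNMPv3 at noAuthNoPriv or authNoPriv, matches no
   access entry and is refused, which addresses the transit-encryption
   suggestion in Section 9; the excluded view entries address the GET
   access concern.  After restarting the agent, an authPriv walk such
   as "snmpwalk -v3 -l authPriv -u radiusMonitor -a SHA -A <auth> -x AES
   -X <priv> localhost RADIUS-AUTH-SERVER-MIB::radiusAuthServMIB" should
   return the counters but no radiusAuthClientIPAddress or
   radiusAuthClientInetAddress instances.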
