idnits 2.17.1

draft-nelson-rfc2620bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 849.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 826.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 833.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 839.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC2620, updated by this document, for
     RFC5378 checks: 1997-08-26)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 17, 2005) is 6858 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 110, but not defined

  == Unused Reference: 'RFC3418' is defined on line 785, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2620
     (Obsoleted by RFC 4670)

     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  2  Network Working Group                                          D. Nelson
  3  Internet-Draft                                        Enterasys Networks
  4  Updates: RFC 2620 (if approved)                            July 17, 2005
  5  Expires: January 18, 2006

  7                     RADIUS Acct Client MIB (IPv6)
  8                     draft-nelson-rfc2620bis-01.txt

 10  Status of this Memo

 12     By submitting this Internet-Draft, each author represents that any
 13     applicable patent or other IPR claims of which he or she is aware
 14     have been or will be disclosed, and any of which he or she becomes
 15     aware will be disclosed, in accordance with Section 6 of BCP 79.

 17     Internet-Drafts are working documents of the Internet Engineering
 18     Task Force (IETF), its areas, and its working groups. Note that
 19     other groups may also distribute working documents as Internet-
 20     Drafts.

 22     Internet-Drafts are draft documents valid for a maximum of six months
 23     and may be updated, replaced, or obsoleted by other documents at any
 24     time. It is inappropriate to use Internet-Drafts as reference
 25     material or to cite them other than as "work in progress."

 27     The list of current Internet-Drafts can be accessed at
 28     http://www.ietf.org/ietf/1id-abstracts.txt.

 30     The list of Internet-Draft Shadow Directories can be accessed at
 31     http://www.ietf.org/shadow.html.

 33     This Internet-Draft will expire on January 18, 2006.

 35  Copyright Notice

 37     Copyright (C) The Internet Society (2005).

 39  Abstract

 41     This memo updates RFC 2620 by deprecating the MIB table containing
 42     IPv4-only address formats and defining a new table to add support for
 43     version neutral IP address formats.

 45  Table of Contents

 47     1.   Terminology
 48     2.   Introduction
 49     3.   The Internet-Standard Management Framework
 50     4.   Scope of Changes
 51     5.   Structure of the MIB Module
 52     6.   Deprecated Objects
 53     7.   Definitions
 54     8.   IANA Considerations
 55     9.   Security Considerations
 56     10.  References
 57       10.1   Normative References
 58       10.2   Informative References
 59          Author's Address
 60     A.   Acknowledgments
 61          Intellectual Property and Copyright Statements

 63  1. Terminology

 65     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 66     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 67     document are to be interpreted as described in RFC 2119 [RFC2119].

 69     This document uses terminology from RFC 2866 [RFC2866].

 71  2. Introduction

 73     This memo defines a portion of the Management Information Base (MIB)
 74     for use with network management protocols in the Internet community.
 75     The objects defined within this memo relate to the Remote
 76     Authentication Dial-In User Service (RADIUS) Accounting Client as
 77     defined in RFC 2866 [RFC2866].

 79  3. The Internet-Standard Management Framework

 81     For a detailed overview of the documents that describe the current
 82     Internet-Standard Management Framework, please refer to section 7 of
 83     RFC 3410 [RFC3410].

 85     Managed objects are accessed via a virtual information store, termed
 86     the Management Information Base or MIB. MIB objects are generally
 87     accessed through the Simple Network Management Protocol (SNMP).
 88     Objects in the MIB are defined using the mechanisms defined in the
 89     Structure of Management Information (SMI). This memo specifies a MIB
 90     module that is compliant to the SMIv2, which is described in STD 58,
 91     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
 92     [RFC2580].

 94  4. Scope of Changes

 96     This document updates RFC 2620 [RFC2620], RADIUS Authentication
 97     Client MIB, by deprecating the radiusAuthServerTable table and adding
 98     a new table, radiusAuthServerExtTable, containing
 99     radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
100     radiusAuthClientServerInetPortNumber. The purpose of these added MIB
101     objects is to support version neutral IP addressing formats. The
102     existing table containing radiusAuthServerAddress and
103     radiusAuthClientServerPortNumber is deprecated.

105     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
106     IPv6 addresses, contains the following recommendation.

108     'In particular, when revising a MIB module that contains IPv4
109     specific tables, it is suggested to define new tables using the
110     textual conventions defined in this memo [RFC 4001] that support all
111     versions of IP. The status of the new tables SHOULD be "current",
112     whereas the status of the old IP version specific tables SHOULD be
113     changed to "deprecated". The other approach, of having multiple
114     similar tables for different IP versions, is strongly discouraged.'

116  5. Structure of the MIB Module

118     The structure of the MIB Module defined in this memo corresponds to
119     the structure of the MIB Module defined in RADIUS Authentication
120     Client MIB, RFC 2620 [RFC2620]. This MIB module contains two scalars
121     as well as a single table, the RADIUS Accounting Server Table, which
122     contains one row for each RADIUS server with which the client shares
123     a secret.

125     Each entry in the RADIUS Accounting Server Table includes fifteen
126     columns presenting a view of the activity of the RADIUS client.

128  6. Deprecated Objects

130     The deprecated table in this MIB is carried forward from RFC 2620
131     [RFC2620]. There are two conditions under which it MAY be desirable
132     for managed entities to continue to support the deprecated table:

134     1.  The managed entity only supports IPv4 address formats.
135     2.  The managed entity supports both IPv4 and IPv6 address formats,
136         and the deprecated table is supported for backwards compatibility
137         with older management stations. This option SHOULD only be used
138         when the IP addresses in the new table are in IPv4 format and can
139         accurately be represented in both the new table and the
140         deprecated table.

142     Managed entities SHOULD NOT instantiate the deprecated table
143     containing IPv4-only address objects when the RADIUS server address
144     represented in the table row is not an IPv4 address. Managed
145     entities SHOULD NOT return inaccurate values of IP address or SNMP
146     object access errors for IPv4-only address objects in otherwise
147     populated tables.

149  7. Definitions

151     RADIUS-ACCT-CLIENT-MIB DEFINITIONS ::= BEGIN

153     IMPORTS
154         MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
155         Counter32, Integer32, Gauge32,
156         IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
157         SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
158         InetAddressType, InetAddress,
159         InetPortNumber                   FROM INET-ADDRESS-MIB
160         MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

162     radiusAccClientMIB MODULE-IDENTITY
163         LAST-UPDATED "200507150000Z" -- 15 Jul 2005
164         ORGANIZATION "IETF RADIUS Working Group."
165         CONTACT-INFO
166             " Bernard Aboba
167               Microsoft
168               One Microsoft Way
169               Redmond, WA 98052
170               US
171               Phone: +1 425 936 6605
172               EMail: bernarda@microsoft.com"
173         DESCRIPTION
174             "The MIB module for entities implementing the client
175              side of the Remote Authentication Dial-In User Service
176              (RADIUS) accounting protocol."
177         REVISION "9906110000Z" -- 11 Jun 1999
178         DESCRIPTION "Initial version as published in RFC 2620"
179         REVISION "200507150000Z" -- 15 Jul 2005
180         DESCRIPTION "Revised version as published in RFC XXXX"

182     -- RFC Editor: replace xxx with actual RFC number at the time of
183     -- publication, and remove this note.

185         ::= { radiusAccounting 2 }

187     radiusMIB OBJECT-IDENTITY
188         STATUS  current
189         DESCRIPTION
190             "The OID assigned to RADIUS MIB work by the IANA."
191         ::= { mib-2 67 }

193     radiusAccClientExtMIB OBJECT-IDENTITY
194         STATUS  current
195         DESCRIPTION
196             "The OID assigned to RADIUS MIB Extension work by
197              the IANA."
198         ::= { mib-2 TBA }

200     -- RFC Editor: replace TBA with IANA assigned OID value, and
201     -- remove this note.

203     radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

205     radiusAccClientMIBObjects OBJECT IDENTIFIER
206         ::= { radiusAccClientMIB 1 }

208     radiusAccClient OBJECT IDENTIFIER
209         ::= { radiusAccClientMIBObjects 1 }

211     radiusAccClientInvalidServerAddresses OBJECT-TYPE
212         SYNTAX      Counter32
213         MAX-ACCESS  read-only
214         STATUS      current
215         DESCRIPTION
216             "The number of RADIUS Accounting-Response packets
217              received from unknown addresses."
218         ::= { radiusAccClient 1 }

220     radiusAccClientIdentifier OBJECT-TYPE
221         SYNTAX      SnmpAdminString
222         MAX-ACCESS  read-only
223         STATUS      current
224         DESCRIPTION
225             "The NAS-Identifier of the RADIUS accounting client.
226              This is not necessarily the same as sysName in MIB
227              II."
228         ::= { radiusAccClient 2 }

230     radiusAccServerTable OBJECT-TYPE
231         SYNTAX      SEQUENCE OF RadiusAccServerEntry
232         MAX-ACCESS  not-accessible
233         STATUS      deprecated
234         DESCRIPTION
235             "The (conceptual) table listing the RADIUS accounting
236              servers with which the client shares a secret."
237         ::= { radiusAccClient 3 }

239     radiusAccServerEntry OBJECT-TYPE
240         SYNTAX      RadiusAccServerEntry
241         MAX-ACCESS  not-accessible
242         STATUS      deprecated
243         DESCRIPTION
244             "An entry (conceptual row) representing a RADIUS
245              accounting server with which the client shares a
246              secret."
247         INDEX       { radiusAccServerIndex }
248         ::= { radiusAccServerTable 1 }

250     RadiusAccServerEntry ::= SEQUENCE {
251         radiusAccServerIndex               Integer32,
252         radiusAccServerAddress             IpAddress,
253         radiusAccClientServerPortNumber    Integer32,
254         radiusAccClientRoundTripTime       TimeTicks,
255         radiusAccClientRequests            Counter32,
256         radiusAccClientRetransmissions     Counter32,
257         radiusAccClientResponses           Counter32,
258         radiusAccClientMalformedResponses  Counter32,
259         radiusAccClientBadAuthenticators   Counter32,
260         radiusAccClientPendingRequests     Gauge32,
261         radiusAccClientTimeouts            Counter32,
262         radiusAccClientUnknownTypes        Counter32,
263         radiusAccClientPacketsDropped      Counter32
264     }

266     radiusAccServerIndex OBJECT-TYPE
267         SYNTAX      Integer32 (1..2147483647)
268         MAX-ACCESS  not-accessible
269         STATUS      deprecated
270         DESCRIPTION
271             "A number uniquely identifying each RADIUS
272              Accounting server with which this client
273              communicates."
274         ::= { radiusAccServerEntry 1 }

276     radiusAccServerAddress OBJECT-TYPE
277         SYNTAX      IpAddress
278         MAX-ACCESS  read-only
279         STATUS      deprecated
280         DESCRIPTION
281             "The IP address of the RADIUS accounting server
282              referred to in this table entry."
283         ::= { radiusAccServerEntry 2 }

285     radiusAccClientServerPortNumber OBJECT-TYPE
286         SYNTAX      Integer32 (0..65535)
287         MAX-ACCESS  read-only
288         STATUS      deprecated
289         DESCRIPTION
290             "The UDP port the client is using to send requests to
291              this server."
292         ::= { radiusAccServerEntry 3 }

294     radiusAccClientRoundTripTime OBJECT-TYPE
295         SYNTAX      TimeTicks
296         MAX-ACCESS  read-only
297         STATUS      deprecated
298         DESCRIPTION
299             "The time interval between the most recent
300              Accounting-Response and the Accounting-Request that
301              matched it from this RADIUS accounting server."

303         ::= { radiusAccServerEntry 4 }

305     -- Request/Response statistics
306     --
307     -- Requests = Responses + PendingRequests + ClientTimeouts
308     --
309     -- Responses - MalformedResponses - BadAuthenticators -
310     -- UnknownTypes - PacketsDropped = Successfully received

312     radiusAccClientRequests OBJECT-TYPE
313         SYNTAX      Counter32
314         MAX-ACCESS  read-only
315         STATUS      deprecated
316         DESCRIPTION
317             "The number of RADIUS Accounting-Request packets
318              sent. This does not include retransmissions."
319         ::= { radiusAccServerEntry 5 }

321     radiusAccClientRetransmissions OBJECT-TYPE
322         SYNTAX      Counter32
323         MAX-ACCESS  read-only
324         STATUS      deprecated
325         DESCRIPTION
326             "The number of RADIUS Accounting-Request packets
327              retransmitted to this RADIUS accounting server.
328              Retransmissions include retries where the
329              Identifier and Acct-Delay have been updated, as
330              well as those in which they remain the same."
331         ::= { radiusAccServerEntry 6 }

333     radiusAccClientResponses OBJECT-TYPE
334         SYNTAX      Counter32
335         MAX-ACCESS  read-only
336         STATUS      deprecated
337         DESCRIPTION
338             "The number of RADIUS packets received on the
339              accounting port from this server."
340         ::= { radiusAccServerEntry 7 }

342     radiusAccClientMalformedResponses OBJECT-TYPE
343         SYNTAX      Counter32
344         MAX-ACCESS  read-only
345         STATUS      deprecated
346         DESCRIPTION
347             "The number of malformed RADIUS Accounting-Response
348              packets received from this server. Malformed packets
349              include packets with an invalid length. Bad
350              authenticators and unknown types are not included as
351              malformed accounting responses."
352         ::= { radiusAccServerEntry 8 }

354     radiusAccClientBadAuthenticators OBJECT-TYPE
355         SYNTAX      Counter32
356         MAX-ACCESS  read-only
357         STATUS      deprecated
358         DESCRIPTION
359             "The number of RADIUS Accounting-Response
360              packets which contained invalid authenticators
361              received from this server."
362         ::= { radiusAccServerEntry 9 }

364     radiusAccClientPendingRequests OBJECT-TYPE
365         SYNTAX      Gauge32
366         MAX-ACCESS  read-only
367         STATUS      deprecated
368         DESCRIPTION
369             "The number of RADIUS Accounting-Request packets
370              sent to this server that have not yet timed out or
371              received a response. This variable is incremented
372              when an Accounting-Request is sent and decremented
373              due to receipt of an Accounting-Response, a timeout
374              or a retransmission."
375         ::= { radiusAccServerEntry 10 }

377     radiusAccClientTimeouts OBJECT-TYPE
378         SYNTAX      Counter32
379         MAX-ACCESS  read-only
380         STATUS      deprecated
381         DESCRIPTION
382             "The number of accounting timeouts to this server.
383              After a timeout the client may retry to the same
384              server, send to a different server, or give up.
385              A retry to the same server is counted as a
386              retransmit as well as a timeout. A send to a different
387              server is counted as an Accounting-Request as well as
388              a timeout."
389         ::= { radiusAccServerEntry 11 }

391     radiusAccClientUnknownTypes OBJECT-TYPE
392         SYNTAX      Counter32
393         MAX-ACCESS  read-only
394         STATUS      deprecated
395         DESCRIPTION
396             "The number of RADIUS packets of unknown type which
397              were received from this server on the accounting port."
398         ::= { radiusAccServerEntry 12 }

400     radiusAccClientPacketsDropped OBJECT-TYPE
401         SYNTAX      Counter32
402         MAX-ACCESS  read-only
403         STATUS      deprecated
404         DESCRIPTION
405             "The number of RADIUS packets which were received from
406              this server on the accounting port and dropped for some
407              other reason."
408         ::= { radiusAccServerEntry 13 }

410     -- Extended MIB Objects

412     radiusAccClientExtMIBObjects OBJECT IDENTIFIER
413         ::= { radiusAccClientExtMIB 1 }

415     radiusAccClientExt OBJECT IDENTIFIER
416         ::= { radiusAccClientExtMIBObjects 1 }

418     radiusAccServerExtTable OBJECT-TYPE
419         SYNTAX      SEQUENCE OF RadiusAccServerExtEntry
420         MAX-ACCESS  not-accessible
421         STATUS      current
422         DESCRIPTION
423             "The (conceptual) table listing the RADIUS accounting
424              servers with which the client shares a secret."
425         ::= { radiusAccClientExt 1 }

427     radiusAccServerExtEntry OBJECT-TYPE
428         SYNTAX      RadiusAccServerExtEntry
429         MAX-ACCESS  not-accessible
430         STATUS      current
431         DESCRIPTION
432             "An entry (conceptual row) representing a RADIUS
433              accounting server with which the client shares a
434              secret."
435         INDEX       { radiusAccServerExtIndex }
436         ::= { radiusAccServerExtTable 1 }

438     RadiusAccServerExtEntry ::= SEQUENCE {
439         radiusAccServerExtIndex               Integer32,
440         radiusAccServerInetAddressType        InetAddressType,
441         radiusAccServerInetAddress            InetAddress,
442         radiusAccClientServerInetPortNumber   InetPortNumber,
443         radiusAccClientExtRoundTripTime       TimeTicks,
444         radiusAccClientExtRequests            Counter32,
445         radiusAccClientExtRetransmissions     Counter32,
446         radiusAccClientExtResponses           Counter32,
447         radiusAccClientExtMalformedResponses  Counter32,
448         radiusAccClientExtBadAuthenticators   Counter32,
449         radiusAccClientExtPendingRequests     Gauge32,
450         radiusAccClientExtTimeouts            Counter32,
451         radiusAccClientExtUnknownTypes        Counter32,
452         radiusAccClientExtPacketsDropped      Counter32
453     }

455     radiusAccServerExtIndex OBJECT-TYPE
456         SYNTAX      Integer32 (1..2147483647)
457         MAX-ACCESS  not-accessible
458         STATUS      current
459         DESCRIPTION
460             "A number uniquely identifying each RADIUS
461              Accounting server with which this client
462              communicates."
463         ::= { radiusAccServerExtEntry 1 }

465     radiusAccServerInetAddressType OBJECT-TYPE
466         SYNTAX      InetAddressType
467         MAX-ACCESS  read-only
468         STATUS      current
469         DESCRIPTION
470             "The type of address format used for the
471              radiusAccServerInetAddress object."
472         ::= { radiusAccServerExtEntry 2 }

474     radiusAccServerInetAddress OBJECT-TYPE
475         SYNTAX      InetAddress
476         MAX-ACCESS  read-only
477         STATUS      current
478         DESCRIPTION
479             "The IP address of the RADIUS accounting
480              server referred to in this table entry, using
481              the IPv6 address format."
482         ::= { radiusAccServerExtEntry 3 }

484     radiusAccClientServerInetPortNumber OBJECT-TYPE
485         SYNTAX      InetPortNumber
486         MAX-ACCESS  read-only
487         STATUS      current
488         DESCRIPTION
489             "The UDP port the client is using to send requests
490              to this accounting server."
491         ::= { radiusAccServerExtEntry 4 }

493     radiusAccClientExtRoundTripTime OBJECT-TYPE
494         SYNTAX      TimeTicks
495         MAX-ACCESS  read-only
496         STATUS      current
497         DESCRIPTION
498             "The time interval between the most recent
499              Accounting-Response and the Accounting-Request that
500              matched it from this RADIUS accounting server."
501         ::= { radiusAccServerExtEntry 5 }

503     -- Request/Response statistics
504     --
505     -- Requests = Responses + PendingRequests + ClientTimeouts
506     --
507     -- Responses - MalformedResponses - BadAuthenticators -
508     -- UnknownTypes - PacketsDropped = Successfully received

510     radiusAccClientExtRequests OBJECT-TYPE
511         SYNTAX      Counter32
512         MAX-ACCESS  read-only
513         STATUS      current
514         DESCRIPTION
515             "The number of RADIUS Accounting-Request packets
516              sent. This does not include retransmissions."
517         ::= { radiusAccServerExtEntry 6 }

519     radiusAccClientExtRetransmissions OBJECT-TYPE
520         SYNTAX      Counter32
521         MAX-ACCESS  read-only
522         STATUS      current
523         DESCRIPTION
524             "The number of RADIUS Accounting-Request packets
525              retransmitted to this RADIUS accounting server.
526              Retransmissions include retries where the
527              Identifier and Acct-Delay have been updated, as
528              well as those in which they remain the same."
529         ::= { radiusAccServerExtEntry 7 }

531     radiusAccClientExtResponses OBJECT-TYPE
532         SYNTAX      Counter32
533         MAX-ACCESS  read-only
534         STATUS      current
535         DESCRIPTION
536             "The number of RADIUS packets received on the
537              accounting port from this server."
538         ::= { radiusAccServerExtEntry 8 }

540     radiusAccClientExtMalformedResponses OBJECT-TYPE
541         SYNTAX      Counter32
542         MAX-ACCESS  read-only
543         STATUS      current
544         DESCRIPTION
545             "The number of malformed RADIUS Accounting-Response
546              packets received from this server. Malformed packets
547              include packets with an invalid length. Bad
548              authenticators and unknown types are not included as
549              malformed accounting responses."
550         ::= { radiusAccServerExtEntry 9 }

552     radiusAccClientExtBadAuthenticators OBJECT-TYPE
553         SYNTAX      Counter32
554         MAX-ACCESS  read-only
555         STATUS      current
556         DESCRIPTION
557             "The number of RADIUS Accounting-Response
558              packets which contained invalid authenticators
559              received from this server."
560         ::= { radiusAccServerExtEntry 10 }

562     radiusAccClientExtPendingRequests OBJECT-TYPE
563         SYNTAX      Gauge32
564         MAX-ACCESS  read-only
565         STATUS      current
566         DESCRIPTION
567             "The number of RADIUS Accounting-Request packets
568              sent to this server that have not yet timed out or
569              received a response. This variable is incremented
570              when an Accounting-Request is sent and decremented
571              due to receipt of an Accounting-Response, a timeout
572              or a retransmission."
573         ::= { radiusAccServerExtEntry 11 }

575     radiusAccClientExtTimeouts OBJECT-TYPE
576         SYNTAX      Counter32
577         MAX-ACCESS  read-only
578         STATUS      current
579         DESCRIPTION
580             "The number of accounting timeouts to this server.
581              After a timeout the client may retry to the same
582              server, send to a different server, or give up.
583              A retry to the same server is counted as a
584              retransmit as well as a timeout. A send to a different
585              server is counted as an Accounting-Request as well as
586              a timeout."
587         ::= { radiusAccServerExtEntry 12 }

589     radiusAccClientExtUnknownTypes OBJECT-TYPE
590         SYNTAX      Counter32
591         MAX-ACCESS  read-only
592         STATUS      current
593         DESCRIPTION
594             "The number of RADIUS packets of unknown type which
595              were received from this server on the accounting port."
596         ::= { radiusAccServerExtEntry 13 }

598     radiusAccClientExtPacketsDropped OBJECT-TYPE
599         SYNTAX      Counter32
600         MAX-ACCESS  read-only
601         STATUS      current
602         DESCRIPTION
603             "The number of RADIUS packets which were received from
604              this server on the accounting port and dropped for some
605              other reason."
606         ::= { radiusAccServerExtEntry 14 }

608     -- conformance information

610     radiusAccClientMIBConformance OBJECT IDENTIFIER
611         ::= { radiusAccClientMIB 2 }

613     radiusAccClientMIBCompliances OBJECT IDENTIFIER
614         ::= { radiusAccClientMIBConformance 1 }

616     radiusAccClientMIBGroups OBJECT IDENTIFIER
617         ::= { radiusAccClientMIBConformance 2 }

619     radiusAccClientExtMIBConformance OBJECT IDENTIFIER
620         ::= { radiusAccClientExtMIB 2 }

622     radiusAccClientExtMIBCompliances OBJECT IDENTIFIER
623         ::= { radiusAccClientExtMIBConformance 1 }

625     radiusAccClientExtMIBGroups OBJECT IDENTIFIER
626         ::= { radiusAccClientExtMIBConformance 2 }

628     -- units of conformance

630     radiusAccClientMIBCompliance MODULE-COMPLIANCE
631         STATUS  deprecated
632         DESCRIPTION
633             "The compliance statement for accounting clients
634              implementing the RADIUS Accounting Client MIB."
635         MODULE -- this module
636         MANDATORY-GROUPS { radiusAccClientMIBGroup }

638         ::= { radiusAccClientMIBCompliances 1 }

640     radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
641         STATUS  current
642         DESCRIPTION
643             "The compliance statement for accounting clients
644              implementing the RADIUS Accounting Client MIB."
645         MODULE -- this module
646         MANDATORY-GROUPS { radiusAccClientExtMIBGroup }

648         ::= { radiusAccClientExtMIBCompliances 1 }

650     -- units of conformance

652     radiusAccClientMIBGroup OBJECT-GROUP
653         OBJECTS { radiusAccClientIdentifier,
654                   radiusAccClientInvalidServerAddresses,
655                   radiusAccServerAddress,
656                   radiusAccClientServerPortNumber,
657                   radiusAccClientRoundTripTime,
658                   radiusAccClientRequests,
659                   radiusAccClientRetransmissions,
660                   radiusAccClientResponses,
661                   radiusAccClientMalformedResponses,
662                   radiusAccClientBadAuthenticators,
663                   radiusAccClientPendingRequests,
664                   radiusAccClientTimeouts,
665                   radiusAccClientUnknownTypes,
666                   radiusAccClientPacketsDropped
667                 }
668         STATUS  deprecated
669         DESCRIPTION
670             "The basic collection of objects providing management of
671              RADIUS Accounting Clients."
672         ::= { radiusAccClientMIBGroups 1 }

674     radiusAccClientExtMIBGroup OBJECT-GROUP
675         OBJECTS { radiusAccClientIdentifier,
676                   radiusAccClientInvalidServerAddresses,
677                   radiusAccServerInetAddressType,
678                   radiusAccServerInetAddress,
679                   radiusAccClientServerInetPortNumber,
680                   radiusAccClientExtRoundTripTime,
681                   radiusAccClientExtRequests,
682                   radiusAccClientExtRetransmissions,
683                   radiusAccClientExtResponses,
684                   radiusAccClientExtMalformedResponses,
685                   radiusAccClientExtBadAuthenticators,
686                   radiusAccClientExtPendingRequests,
687                   radiusAccClientExtTimeouts,
688                   radiusAccClientExtUnknownTypes,
689                   radiusAccClientExtPacketsDropped
690                 }
691         STATUS  current
692         DESCRIPTION
693             "The basic collection of objects providing management of
694              RADIUS Accounting Clients."
695         ::= { radiusAccClientExtMIBGroups 1 }

697     END

699  8. IANA Considerations

701     This document requires IANA assignment of a number in the MIB-2 OID
702     number space.

704  9. Security Considerations

706     There are no management objects defined in this MIB that have a MAX-
707     ACCESS clause of read-write and/or read-create. So, if this MIB is
708     implemented correctly, then there is no risk that an intruder can
709     alter or create any management objects of this MIB via direct SNMP
710     SET operations.

712     There are a number of managed objects in this MIB that may contain
713     sensitive information. These are:

715     radiusAcctServerIPAddress  This can be used to determine the address
716        of the RADIUS accounting server with which the client is
717        communicating. This information could be useful in mounting an
718        attack on the accounting server.

720     radiusAcctServerInetAddress  This can be used to determine the address
721        of the RADIUS accounting server with which the client is
722        communicating. This information could be useful in mounting an
723        attack on the accounting server.

725     radiusAcctClientServerPortNumber  This can be used to determine the
726        port number on which the RADIUS accounting client is sending.
727        This information could be useful in impersonating the client in
728        order to send data to the accounting server.

730     radiusAcctClientServerInetPortNumber  This can be used to determine
731        the port number on which the RADIUS accounting client is sending.
732        This information could be useful in impersonating the client in
733        order to send data to the accounting server.

735     It is thus important to control even GET access to these objects and
736     possibly to even encrypt the values of these objects when sending them
737     over the network via SNMP. Not all versions of SNMP provide features
738     for such a secure environment.

740     SNMP versions prior to SNMPv3 do not provide a secure environment.
741     Even if the network itself is secure (for example by using IPSec),
742     there is no control as to who on the secure network is allowed to
743     access and GET/SET (read/change/create/delete) the objects in this
744     MIB.

746     It is recommended that the implementers consider the security
747     features as provided by the SNMPv3 framework. Specifically, the use
748     of the User-based Security Model [RFC2574] and the View-based Access
749     Control Model [RFC2575] is recommended. Using these security
750     features, customer/users can give access to the objects only to those
751     principals (users) that have legitimate rights to GET or SET (change/
752     create/delete) them.

754  10. References

756  10.1 Normative References

758     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
759                Requirement Levels", BCP 14, RFC 2119, March 1997.

761     [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
762                (USM) for version 3 of the Simple Network Management
763                Protocol (SNMPv3)", RFC 2574, April 1999.

765     [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
766                Access Control Model (VACM) for the Simple Network
767                Management Protocol (SNMP)", RFC 2575, April 1999.

769     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
770                Schoenwaelder, Ed., "Structure of Management Information
771                Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

773     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
774                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
775                STD 58, RFC 2579, April 1999.

777     [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
778                "Conformance Statements for SMIv2", STD 58, RFC 2580,
779                April 1999.

781     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
782                "Introduction and Applicability Statements for Internet-
783                Standard Management Framework", RFC 3410, December 2002.

785     [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
786                Simple Network Management Protocol (SNMP)", STD 62,
787                RFC 3418, December 2002.

789     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
790                Schoenwaelder, "Textual Conventions for Internet Network
791                Addresses", RFC 4001, February 2005.

793  10.2 Informative References

795     [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
796                RFC 2620, June 1999.

798     [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

800  Author's Address

802     David B. Nelson
803     Enterasys Networks
804     50 Minuteman Road
805     Andover, MA 01810
806     USA

808     Email: dnelson@enterasys.com

810  Appendix A. Acknowledgments

812     The Authors of the original MIB are Bernard Aboba and Glen Zorn.

814     Many thanks to all reviewers, especially to Dave Harrington, Dan
815     Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

817  Intellectual Property Statement

819     The IETF takes no position regarding the validity or scope of any
820     Intellectual Property Rights or other rights that might be claimed to
821     pertain to the implementation or use of the technology described in
822     this document or the extent to which any license under such rights
823     might or might not be available; nor does it represent that it has
824     made any independent effort to identify any such rights. Information
825     on the procedures with respect to rights in RFC documents can be
826     found in BCP 78 and BCP 79.

828     Copies of IPR disclosures made to the IETF Secretariat and any
829     assurances of licenses to be made available, or the result of an
830     attempt made to obtain a general license or permission for the use of
831     such proprietary rights by implementers or users of this
832     specification can be obtained from the IETF on-line IPR repository at
833     http://www.ietf.org/ipr.

835     The IETF invites any interested party to bring to its attention any
836     copyrights, patents or patent applications, or other proprietary
837     rights that may cover technology that may be required to implement
838     this standard. Please address the information to the IETF at
839     ietf-ipr@ietf.org.

841  Disclaimer of Validity

843     This document and the information contained herein are provided on an
844     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
845     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
846     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
847     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
848     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
849     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

851  Copyright Statement

853     Copyright (C) The Internet Society (2005). This document is subject
854     to the rights, licenses and restrictions contained in BCP 78, and
855     except as set forth therein, the authors retain all their rights.

857  Acknowledgment

859     Funding for the RFC Editor function is currently provided by the
860     Internet Society.
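
Added example (not part of the draft or of any RADIUS implementation): the two "Request/Response statistics" identities from the MIB comments in Section 7, applied to two polls of one server row. The snapshot values are constructed sample data and the function and key names are this example's own; Counter32 columns are differenced modulo 2^32 so that a wrap between polls does not yield a negative delta, while PendingRequests is treated as a signed change because it is a Gauge32.

```python
COUNTER32_MOD = 2 ** 32

# Counter32 columns of the server table; PendingRequests is a Gauge32.
COUNTERS = (
    "Requests", "Retransmissions", "Responses", "MalformedResponses",
    "BadAuthenticators", "Timeouts", "UnknownTypes", "PacketsDropped",
)

# Constructed sample polls of one row. Requests and Responses wrap past
# 2**32 - 1 between the first and the second poll.
SAMPLE_PREV = {
    "Requests": 4294967290, "Retransmissions": 3, "Responses": 4294967280,
    "MalformedResponses": 0, "BadAuthenticators": 1, "PendingRequests": 4,
    "Timeouts": 6, "UnknownTypes": 0, "PacketsDropped": 0,
}
SAMPLE_CURR = {
    "Requests": 14, "Retransmissions": 5, "Responses": 1,
    "MalformedResponses": 1, "BadAuthenticators": 4, "PendingRequests": 5,
    "Timeouts": 8, "UnknownTypes": 0, "PacketsDropped": 1,
}


def counter_delta(prev, curr):
    """Increase of a Counter32 between two polls, allowing for one wrap."""
    return (curr - prev) % COUNTER32_MOD


def analyse(prev, curr, bad_auth_limit=0):
    """Compare two polls of one row using the identities stated in the MIB."""
    d = {name: counter_delta(prev[name], curr[name]) for name in COUNTERS}
    # A gauge can go down as well as up, so keep the sign.
    pending_change = curr["PendingRequests"] - prev["PendingRequests"]

    # Responses - MalformedResponses - BadAuthenticators -
    # UnknownTypes - PacketsDropped = Successfully received
    rejected = (d["MalformedResponses"] + d["BadAuthenticators"]
                + d["UnknownTypes"] + d["PacketsDropped"])
    accepted = d["Responses"] - rejected

    # Requests = Responses + PendingRequests + ClientTimeouts
    accounted = d["Responses"] + pending_change + d["Timeouts"]

    findings = []
    if d["BadAuthenticators"] > bad_auth_limit:
        # Responses whose authenticator did not verify arrived in this interval.
        findings.append("bad-authenticators")
    if accepted < 0:
        findings.append("reject-counters-exceed-responses")
    if accounted != d["Requests"]:
        findings.append("request-identity-mismatch")
    return {"deltas": d, "accepted": accepted,
            "accounted": accounted, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_PREV, SAMPLE_CURR)
    print(report["accepted"], report["accounted"], report["findings"])
```

A counter reset caused by an agent restart looks like a very large wrapped delta; the example does not detect that case and assumes both polls come from the same agent run.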