[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 RFC 2618

     RADIUS Working Group                                     Bernard Aboba
     INTERNET-DRAFT                                               Microsoft
     Category: Standards Track                                    Glen Zorn
     <draft-ietf-radius-auth-clientmib-02.txt>                    Microsoft
     11 November 1998
     
     
                        RADIUS Authentication Client MIB
     
     
     1.  Status of this Memo
     
     This document is an Internet-Draft.  Internet-Drafts are working docu-
     ments of the Internet Engineering Task Force (IETF),  its  areas,  and
     its  working groups.  Note that other groups may also distribute work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts are draft documents valid for a maximum of six  months
     and  may  be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as  reference  mate-
     rial or to cite them other than as ``work in progress.''
     
     To  learn  the  current status of any Internet-Draft, please check the
     ``1id-abstracts.txt'' listing contained in the Internet-Drafts  Shadow
     Directories   on   ftp.ietf.org   (US  East  Coast),  nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
     
     The  distribution  of  this memo is unlimited.  It is filed as <draft-
     ietf-radius-auth-clientmib-02.txt>, and  expires May 1,  1999.  Please
     send comments to the authors.
     
     
     2.  Copyright Notice
     
     Copyright (C) The Internet Society (1998).  All Rights Reserved.
     
     
     3.  Abstract
     
     This  memo defines a set of extensions which instrument RADIUS authen-
     tication client functions. These extensions represent a portion of the
     Management Information Base (MIB) for use with network management pro-
     tocols in the Internet community.   Using  these  extensions  IP-based
     management stations can manage RADIUS authentication clients.
     
     
     4.  Introduction
     
     This  memo  defines a portion of the Management Information Base (MIB)
     for use with network management protocols in the  Internet  community.
     In  particular,  it describes managed objects used for managing RADIUS
     authentication clients.
     
     
     
     
     
     Aboba & Zorn                Standards Track                   [Page 1]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     Today a wide range of network devices, including  routers  and  NASes,
     act  as  RADIUS authentication clients in order to provide authentica-
     tion and authorization services. As a result, the effective management
     of RADIUS authentication clients is of considerable importance.
     
     
     5.  The SNMP Management Framework
     
     The  SNMP Management Framework presently consists of five major compo-
     nents:
     
         o   An overall architecture, described in RFC 2271 [1].
     
         o   Mechanisms for describing and naming objects  and  events  for
             the purpose of management. The first version of this Structure
             of Management Information (SMI) is called SMIv1 and  described
             in  RFC  1155  [2],  RFC 1212 [3] and RFC 1215 [4]. The second
             version, called SMIv2, is described in RFC 1902 [5], RFC  1903
             [6] and RFC 1904 [7].
     
         o   Message protocols for transferring management information. The
             first version of the SNMP message protocol  is  called  SNMPv1
             and  described  in  RFC 1157 [8]. A second version of the SNMP
             message protocol, which is not  an  Internet  standards  track
             protocol,  is called SNMPv2c and described in RFC 1901 [9] and
             RFC 1906 [10]. The third version of the  message  protocol  is
             called  SNMPv3  and  described in RFC 1906 [10], RFC 2272 [11]
             and RFC 2274 [12].
     
         o   Protocol operations for accessing management information.  The
             first set of protocol operations and associated PDU formats is
             described in RFC 1157 [8]. A second set of protocol operations
             and associated PDU formats is described in RFC 1905 [13].
     
         o   A  set  of fundamental applications described in RFC 2273 [14]
             and the view-based access control mechanism described  in  RFC
             2275 [15].
     
     Managed  objects  are accessed via a virtual information store, termed
     the Management Information Base  or  MIB.   Objects  in  the  MIB  are
     defined using the mechanisms defined in the SMI.
     
     This memo specifies a MIB module that is compliant to the SMIv2. A MIB
     conforming to the SMIv1 can be produced through the appropriate trans-
     lations. The resulting translated MIB must be semantically equivalent,
     except where objects or events are omitted because no  translation  is
     possible  (use  of  Counter64).  Some  machine readable information in
     SMIv2 will be converted into textual descriptions in SMIv1 during  the
     translation  process.  However, this loss of machine readable informa-
     tion is not considered to change the semantics of the MIB.
     
     
     
     
     
     
     
     Aboba & Zorn                Standards Track                   [Page 2]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     6.  Overview
     
     The RADIUS authentication protocol, described in  [16],  distinguishes
     between the client function and the server function. In RADIUS authen-
     tication, clients send Access-Requests, and servers reply with Access-
     Accepts, Access-Rejects, and Access-Challenges.  Typically NAS devices
     implement the client function, and thus would be expected to implement
     the  RADIUS  authentication  client  MIB,  while RADIUS authentication
     servers implement the server function, and thus would be  expected  to
     implement the RADIUS authentication server MIB.
     
     However,  it is possible for a RADIUS authentication entity to perform
     both client and server functions. For example, a RADIUS proxy may  act
     as a server to one or more RADIUS authentication clients, while simul-
     taneously acting as an authentication client to one or more  authenti-
     cation  servers.  In such situations, it is expected that RADIUS enti-
     ties combining client and server functionality will support  both  the
     client and server MIBs.
     
     
     6.1.  Selected objects
     This MIB module contains two scalars as well as a single table:
     
     (1)  the RADIUS Authentication Server Table contains one row for each
          RADIUS authentication server that the client shares a secret with.
     
     Each  entry in the RADIUS Authentication Server Table includes fifteen
     columns presenting a view of the activity of the RADIUS authentication
     client.
     
     
     7.  Definitions
     
     RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
     
     IMPORTS
            MODULE-IDENTITY, OBJECT-TYPE,
            OBJECT-IDENTITY, experimental,
            Counter32, Integer32, Gauge32,
            IpAddress, TimeTicks             FROM SNMPv2-SMI
            DisplayString        FROM SNMPv2-TC
            MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;
     
     
     radius OBJECT-IDENTITY
            STATUS  current
            DESCRIPTION
                  "The OID assigned to RADIUS MIB work by the IANA."
            ::= { experimental 79 }
     
     radiusAuthentication  OBJECT IDENTIFIER ::= {radius 1}
     
     radiusAuthClientMIB MODULE-IDENTITY
            LAST-UPDATED "9811161659Z"
     
     
     
     Aboba & Zorn                Standards Track                   [Page 3]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
            ORGANIZATION "IETF RADIUS Working Group."
            CONTACT-INFO
                   " Bernard Aboba
                     Microsoft
                     One Microsoft Way
                     Redmond, WA  98052
                     US
     
                     Phone: +1 425 936 6605
                     EMail: bernarda@microsoft.com"
            DESCRIPTION
                  "The MIB dule for entities implementing the client side of
                   the Remote Access Dialin User Service (RADIUS) authentication
                   protocol."
            ::= { radiusAuthentication 2 }
     
     radiusAuthClientMIBObjects     OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }
     
     radiusAuthClient  OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }
     
     radiusAuthClientInvalidServerAddresses OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Response packets
                  received from unknown addresses since client start-up."
           ::= { radiusAuthClient 1 }
     
     radiusAuthClientIdentifier OBJECT-TYPE
           SYNTAX DisplayString
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
              "The NAS-Identifier of the RADIUS authentication client.
                This is not necessarily the same as sysName in MIB II."
           ::= { radiusAuthClient 2 }
     
     radiusAuthServerTable OBJECT-TYPE
           SYNTAX     SEQUENCE OF RadiusAuthServerEntry
           MAX-ACCESS not-accessible
           STATUS     current
           DESCRIPTION
                 "The (conceptual) table listing the RADIUS authentication
                  servers with which the client shares a secret."
           ::= { radiusAuthClient 3 }
     
     radiusAuthServerEntry OBJECT-TYPE
           SYNTAX     RadiusAuthServerEntry
           MAX-ACCESS not-accessible
           STATUS     current
           DESCRIPTION
                 "An entry (conceptual row) representing a RADIUS
                  authentication server with which the client shares a secret."
     
     
     
     Aboba & Zorn                Standards Track                   [Page 4]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
           INDEX      { radiusAuthServerIndex }
           ::= { radiusAuthServerTable 1 }
     
     RadiusAuthServerEntry ::= SEQUENCE {
           radiusAuthServerIndex                           Integer32,
           radiusAuthServerAddress                         IpAddress,
           radiusAuthClientServerPortNumber                Integer32,
           radiusAuthClientRoundTripTime                   TimeTicks,
           radiusAuthClientAccessRequests                  Counter32,
           radiusAuthClientAccessRetransmissions           Counter32,
           radiusAuthClientAccessAccepts                   Counter32,
           radiusAuthClientAccessRejects                   Counter32,
           radiusAuthClientAccessChallenges                Counter32,
           radiusAuthClientMalformedAccessResponses        Counter32,
           radiusAuthClientBadAuthenticators               Counter32,
           radiusAuthClientPendingRequests                   Gauge32,
           radiusAuthClientTimeouts                        Counter32,
           radiusAuthClientUnknownTypes                    Counter32,
           radiusAuthClientPacketsDropped                  Counter32
     }
     
     radiusAuthServerIndex OBJECT-TYPE
           SYNTAX     Integer32 (0..MAX)
           MAX-ACCESS not-accessible
           STATUS     current
           DESCRIPTION
              "A number uniquely identifying each RADIUS
                Authentication server with which this client
                communicates."
           ::= { radiusAuthServerEntry 1 }
     
     radiusAuthServerAddress OBJECT-TYPE
           SYNTAX     IpAddress
           MAX-ACCESS read-only
           STATUS     current
           DESCRIPTION
                 "The IP address of the RADIUS authentication server
                 referred to in this table entry."
           ::= { radiusAuthServerEntry 2 }
     
     radiusAuthClientServerPortNumber  OBJECT-TYPE
           SYNTAX Integer32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
              "The UDP port the client is using to send requests to
               this server."
           ::= { radiusAuthServerEntry 3 }
     
     radiusAuthClientRoundTripTime  OBJECT-TYPE
           SYNTAX TimeTicks
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
     
     
     
     Aboba & Zorn                Standards Track                   [Page 5]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
              "The time interval between the most recent
                Access-Reply/Access-Challenge and the Access-Request that
                matched it from this RADIUS authentication server."
           ::= { radiusAuthServerEntry 4 }
     
     -- Request/Response statistics
     --
     -- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
     --
     -- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
     -- UnknownTypes - PacketsDropped = Successfully received
     --
     -- AccessRequests + PendingRequests + ClientTimeouts = Successfully Received
     --
     --
     
     radiusAuthClientAccessRequests OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Request packets sent
                 to this server since client start-up. This does not
                 include retransmissions."
           ::= { radiusAuthServerEntry 5 }
     
     radiusAuthClientAccessRetransmissions OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Request packets
                  retransmitted to this RADIUS authentication server
                  since client start-up."
           ::= { radiusAuthServerEntry 6 }
     
     radiusAuthClientAccessAccepts OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Accept packets
                  (valid or invalid) received from this server
                  since client start-up."
           ::= { radiusAuthServerEntry 7 }
     
     radiusAuthClientAccessRejects OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                 "The total number of RADIUS Access-Reject packets
                  (valid or invalid) received from this server
                  since client start-up."
     
     
     
     Aboba & Zorn                Standards Track                   [Page 6]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
           ::= { radiusAuthServerEntry  8 }
     
     radiusAuthClientAccessChallenges OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Challenge packets
                  (valid or invalid) received from this server since
                  client start-up."
           ::= { radiusAuthServerEntry 9 }
     
     -- "Access-Response" includes an Access-Accept, Access-Challenge
     -- or Access-Reject
     
     radiusAuthClientMalformedAccessResponses OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of malformed RADIUS Access-Response
                  packets received from this server since client
                  start-up. Malformed packets include packets with
                  an invalid length. Bad authenticators or
                  Signature attributes or unknown types are not
                  included as malformed access responses."
           ::= { radiusAuthServerEntry 10 }
     
     radiusAuthClientBadAuthenticators OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Response packets
                 containing invalid authenticators or Signature
                 attributes received from this server since client
                 start-up."
           ::= { radiusAuthServerEntry 11 }
     
     radiusAuthClientPendingRequests OBJECT-TYPE
           SYNTAX Gauge32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS Access-Request packets
                 destined for this server that have not yet timed out
                 or received a response. This variable is incremented
                 when an Access-Request is sent and decremented due to
                 receipt of an Acess-Accept, Access-Reject or Access-Challenge,
                 a timeout or retransmission."
           ::= { radiusAuthServerEntry 12 }
     
     radiusAuthClientTimeouts OBJECT-TYPE
          SYNTAX Counter32
     
     
     
     Aboba & Zorn                Standards Track                   [Page 7]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                 "The total number of authentication timeouts to this server
                  since client startup. After a timeout the client may
                  retry to the same server, send to a different server, or
                  give up. A retry to the same server is counted as a
                  retransmit as well as a timeout. A send to a different
                  server is counted as a Request as well as a timeout."
           ::= { radiusAuthServerEntry  13 }
     
     radiusAuthClientUnknownTypes OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS packets of unknown type which
                  were received from this server on the authentication port
                  since client start-up."
           ::= { radiusAuthServerEntry  14 }
     
     radiusAuthClientPacketsDropped OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                 "The total number of RADIUS packets of which were
                  received from this server on the authentication port
                  and dropped for some other reason since client
                  start-up."
           ::= { radiusAuthServerEntry  15 }
     
     
     -- conformance information
     
     radiusAuthClientMIBConformance
                  OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
     radiusAuthClientMIBCompliances
                  OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
     radiusAuthClientMIBGroups
                  OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }
     
     
     -- compliance statements
     
     radiusAuthClientMIBCompliance MODULE-COMPLIANCE
          STATUS  current
          DESCRIPTION
                "The compliance statement for authentication clients
                 implementing the RADIUS Authentication Client MIB."
          MODULE  -- this module
                 MANDATORY-GROUPS { radiusAuthClientMIBGroup }
     
          ::= { radiusAuthClientMIBCompliances 1 }
     
     
     
     Aboba & Zorn                Standards Track                   [Page 8]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     -- units of conformance
     
     radiusAuthClientMIBGroup OBJECT-GROUP
          OBJECTS { radiusAuthClientIdentifier,
                    radiusAuthClientInvalidServerAddresses,
                    radiusAuthServerAddress,
                    radiusAuthClientServerPortNumber,
                    radiusAuthClientRoundTripTime,
                    radiusAuthClientAccessRequests,
                    radiusAuthClientAccessRetransmissions,
                    radiusAuthClientAccessAccepts,
                    radiusAuthClientAccessRejects,
                    radiusAuthClientAccessChallenges,
                    radiusAuthClientMalformedAccessResponses,
                    radiusAuthClientBadAuthenticators,
                    radiusAuthClientPendingRequests,
                    radiusAuthClientTimeouts,
                    radiusAuthClientUnknownTypes,
                    radiusAuthClientPacketsDropped
                 }
          STATUS  current
          DESCRIPTION
                "The basic collection of objects providing management of
                 RADIUS Authentication Clients."
          ::= { radiusAuthClientMIBGroups 1 }
     
     END
     
     
     8.  References
     
     
     [1]  Harrington,  D., Presuhn, R., and B. Wijnen, "An Architecture for
          Describing SNMP Management Frameworks", RFC 2271, Cabletron  Sys-
          tems,  Inc.,  BMC Software, Inc., IBM T. J. Watson Research, Jan-
          uary 1998.
     
     [2]  Rose, M., and K. McCloghrie,  "Structure  and  Identification  of
          Management  Information  for  TCP/IP-based  Internets", RFC 1155,
          Performance Systems International, Hughes LAN Systems, May  1990.
     
     [3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
          Performance Systems  International,  Hughes  LAN  Systems,  March
          1991.
     
     [4]  M. Rose, "A Convention for Defining Traps for use with the SNMP",
          RFC 1215, Performance Systems International, March 1991.
     
     [5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
          of  Management  Information  for  Version 2 of the Simple Network
          Management Protocol  (SNMPv2)",  RFC  1902,  SNMP  Research,Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.
     
     
     
     
     Aboba & Zorn                Standards Track                   [Page 9]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     [6]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Textual
          Conventions for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1903,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.
     
     [7]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Confor-
          mance  Statements  for Version 2 of the Simple Network Management
          Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.
     
     [8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple  Net-
          work  Management  Protocol", RFC 1157, SNMP Research, Performance
          Systems International,  Performance  Systems  International,  MIT
          Laboratory for Computer Science, May 1990.
     
     [9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc-
          tion to Community-based SNMPv2", RFC 1901, SNMP  Research,  Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.
     
     [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
          Mappings  for Version 2 of the Simple Network Management Protocol
          (SNMPv2)", RFC 1906, SNMP Research, Inc.,  Cisco  Systems,  Inc.,
          Dover  Beach  Consulting,  Inc.,  International Network Services,
          January 1996.
     
     [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Pro-
          cessing  and Dispatching for the Simple Network Management Proto-
          col (SNMP)", RFC 2272, SNMP Research,  Inc.,  Cabletron  Systems,
          Inc.,  BMC  Software,  Inc.,  IBM  T. J. Watson Research, January
          1998.
     
     [12] Blumenthal, U., and B. Wijnen, "User-based Security  Model  (USM)
          for   version   3  of  the  Simple  Network  Management  Protocol
          (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.
     
     [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,  "Protocol
          Operations  for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1905,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 196.
     
     [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3  Applications",  RFC
          2273,  SNMP  Research,  Inc., Secure Computing Corporation, Cisco
          Systems, January 1998
     
     [15] Wijnen, B., Presuhn, R., and K.  McCloghrie,  "View-based  Access
          Control  Model  (VACM) for the Simple Network Management Protocol
          (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
          Cisco Systems, Inc., January 1998
     
     
     
     
     
     Aboba & Zorn                Standards Track                  [Page 10]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     [16] Rigney,  C.,  Rubens,  A.,  Simpson  W.,  and S. Willens, "Remote
          Authentication Dial In User Service (RADIUS)",  RFC  2138,  April
          1997.
     
     [17] "Information  processing systems - Open Systems Interconnection -
          Specification of Abstract Syntax Notation One (ASN.1)",  Interna-
          tional  Organization  for Standardization, International Standard
          8824, December 1987.
     
     
     9.  Security considerations
     
     There are no management objects defined in this MIB that have  a  MAX-
     ACCESS  clause  of  read-write and/or read-create.  So, if this MIB is
     implemented correctly, then there is no  risk  that  an  intruder  can
     alter or create any management objects of this MIB via direct SNMP SET
     operations.
     
     There are a number of managed objects in this  MIB  that  may  contain
     sensitive information. These are:
     
     radiusAuthServerAddress
               This  can  be  used  to  determine the address of the RADIUS
               authentication server with which the client  is  communicat-
               ing.  This information could be useful in mounting an attack
               on the authentication server.
     
     radiusAuthClientServerPortNumber
               This can be used to determine the port number on  which  the
               RADIUS  authentication  client  is sending. This information
               could be useful in impersonating the client in order to send
               data to the authentication server.
     
     It  is  thus important to control even GET access to these objects and
     possibly to even encrypt the values of these object when sending  them
     over  the network via SNMP.  Not all versions of SNMP provide features
     for such a secure environment.
     
     SNMPv1 by itself is not a secure  environment.  Even  if  the  network
     itself  is secure (for example by using IPSec), there is no control as
     to who on  the  secure  network  is  allowed  to  access  and  GET/SET
     (read/change/create/delete) the objects in this MIB.
     
     It is recommended that the implementers consider the security features
     as provided by the SNMPv3 framework.  Specifically,  the  use  of  the
     User-based Security Model RFC 2274 [12] and the View-based Access Con-
     trol Model RFC 2275 [15] is recommended.  Using  these  security  fea-
     tures,   customer/users  can  give access to the objects only to those
     principals  (users)  that  have  legitimate  rights  to  GET  or   SET
     (change/create/delete) them.
     
     
     
     
     
     
     
     Aboba & Zorn                Standards Track                  [Page 11]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     10.  Acknowledgments
     
     Thanks  to  Narendra  Gidwani  of Microsoft, Allan C. Rubens of MERIT,
     Carl Rigney of Livingston and Peter Heitman of American Internet  Cor-
     poration for useful discussions of this problem space.
     
     
     11.  Authors' Addresses
     
     Bernard Aboba
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-936-6605
     EMail: bernarda@microsoft.com
     
     Glen Zorn
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-703-1559
     EMail: glennz@microsoft.com
     
     
     12.  Full Copyright Statement
     
     Copyright (C) The Internet Society (1997).  All Rights Reserved.
     This  document  and  translations of it may be copied and furnished to
     others, and derivative works that comment on or otherwise  explain  it
     or  assist in its implmentation may be prepared, copied, published and
     distributed, in whole or in part, without  restriction  of  any  kind,
     provided  that  the  above  copyright  notice  and  this paragraph are
     included on all such copies and derivative works.  However, this docu-
     ment  itself  may  not be modified in any way, such as by removing the
     copyright notice or references to the Internet Society or other Inter-
     net  organizations,  except  as  needed  for the purpose of developing
     Internet standards in which case the procedures for copyrights defined
     in  the Internet Standards process must be followed, or as required to
     translate it into languages other than English.  The  limited  permis-
     sions  granted  above  are  perpetual  and  will not be revoked by the
     Internet Society or its successors or assigns.  This document and  the
     information  contained  herein is provided on an "AS IS" basis and THE
     INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
     WARRANTIES,  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR-
     RANTY THAT THE USE OF THE INFORMATION HEREIN  WILL  NOT  INFRINGE  ANY
     RIGHTS  OR  ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
     PARTICULAR PURPOSE."
     
     
     
     
     
     
     
     
     Aboba & Zorn                Standards Track                  [Page 12]


     INTERNET-DRAFT     RADIUS Authentication Client MIB   11 November 1998
     
     
     13.  Expiration Date
     
     This memo is filed as  <draft-ietf-radius-auth-clientmib-02.txt>,  and
     expires May 1, 1999.
     
     
     
     m o
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     Aboba & Zorn                Standards Track                  [Page 13]
     

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/