draft-ietf-ips-auth-mib-00.txt   draft-ietf-ips-auth-mib-01.txt 
Internet Draft Mark Bakke Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-00.txt> Jim Muchow <draft-ietf-ips-auth-mib-01.txt> Jim Muchow
Expires August 2002 Cisco Systems Expires December 2002 Cisco Systems
February 2002 June 2002
Definitions of Managed Objects for User Identity Authentication Definitions of Managed Objects for User Identity Authentication
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 3, line 39 skipping to change at page 3, line 39
person; a user can also be a host, an application, a cluster of person; a user can also be a host, an application, a cluster of
hosts, or any other identifiable entity that can be authenticated and hosts, or any other identifiable entity that can be authenticated and
granted access to a resource. granted access to a resource.
Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
intended to allow configuration of user identities and their names, intended to allow configuration of user identities and their names,
addresses, and credentials. MIN-ACCESS for all objects is read-only addresses, and credentials. MIN-ACCESS for all objects is read-only
for those implementations that configure through other means, but for those implementations that configure through other means, but
require the ability to monitor user identities. require the ability to monitor user identities.
4.1. Revision History
The following modifications were made from draft-00 to draft-01
- The Kerberos and SPKM (public key certificate) authentication
methods were removed. - Added the capability to include Fibre
Channel addresses.
5. Relationship to Other MIBs 5. Relationship to Other MIBs
The identity authentication MIB does not directly address objects The identity authentication MIB does not directly address objects
within other MIBs. The identity address objects contain IPv4, IPv6, within other MIBs. The identity address objects contain IPv4, IPv6,
or other address types, and as such may be indirectly related to or other address types, and as such may be indirectly related to
objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB. objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB.
This MIB does not cover authorization. This should generally be done This MIB does not cover authorization. This should generally be done
in MIBs that reference identities in this one. It also does not in MIBs that reference identities in this one. It also does not
cover login or authentication failure statistics or notifications, as cover login or authentication failure statistics or notifications, as
skipping to change at page 4, line 26 skipping to change at page 4, line 33
credentials, and certificates which when combined will authenticate credentials, and certificates which when combined will authenticate
that identity. that identity.
The authentication MIB is structured around two primary "objects", The authentication MIB is structured around two primary "objects",
the authentication instance, and the identity, which serve as the authentication instance, and the identity, which serve as
containers for the remainder of the objects. This section contains a containers for the remainder of the objects. This section contains a
brief description of the "object" hierarchy and a description of each brief description of the "object" hierarchy and a description of each
object, followed by a discussion of the actual SNMP table structure object, followed by a discussion of the actual SNMP table structure
within the objects. within the objects.
6.1. Identity Authentication MIB Object Model 6.1. Authentication MIB Object Model
The top-level object in this structure is the authentication The top-level object in this structure is the authentication
instance, which "contains" all of the other objects. The indexing instance, which "contains" all of the other objects. The indexing
hierarchy of this MIB looks like: hierarchy of this MIB looks like:
ipsAuthInstance ipsAuthInstance
-- A distinct authentication entity within the managed system. -- A distinct authentication entity within the managed system.
-- Most implementations will have just one of these. -- Most implementations will have just one of these.
ipsAuthCertificate
-- A public key certificate, which can be pointed to by
-- an ipsAuthIdentity.
ipsAuthIdentity ipsAuthIdentity
-- A user identity, consisting of a set of identity names, -- A user identity, consisting of a set of identity names,
-- addresses, and credentials reflected in the following -- addresses, and credentials reflected in the following
-- objects, as well as a RowPointer to an ipsAuthCertificate. -- objects, as well as a RowPointer to an ipsAuthCertificate.
ipsAuthIdentityName ipsAuthIdentityName
-- A name for a user identity. A name should be globally -- A name for a user identity. A name should be globally
-- unique, and unchanging over time. Some protocols may -- unique, and unchanging over time. Some protocols may
-- not require this one. -- not require this one.
ipsAuthIdentityAddress ipsAuthIdentityAddress
-- An address range, typically but not necessarily an -- An address range, typically but not necessarily an
-- IPv4 or IPv6 address range, at which the identity is -- IPv4, IPv6, or Fibre Channel address range, at which
-- allowed to reside. -- the identity is allowed to reside.
ipsAuthCredential ipsAuthCredential
-- A single credential, such as a CHAP username/password, -- A single credential, such as a CHAP username/password,
-- which can ipsAuthenticate the identity. -- which can ipsAuthenticate the identity.
ipsAuthCredChap ipsAuthCredChap
-- CHAP-specific attributes for an ipsAuthCredential -- CHAP-specific attributes for an ipsAuthCredential
ipsAuthCredSrp ipsAuthCredSrp
-- SRP-specific attributes -- SRP-specific attributes
ipsAuthCredSpkm
-- SPKM-specific attributes Each identity contains the information necessary to authenticate a
ipsAuthCredKerberos particular end-point that wishes to access a service, such as iSCSI.
-- Kerberos-specific attributes
An identity can contain multiple names, addresses, and credentials. An identity can contain multiple names, addresses, and credentials.
Work - Add some examples here. Work - Add some examples here.
Work - need examples showing how this can work on a client and a Work - need examples showing how this can work on a client and a
server, for mutual authentication. server, for mutual authentication.
6.2. ipsAuthInstance 6.2. ipsAuthInstance
skipping to change at page 5, line 46 skipping to change at page 6, line 5
- A set of stackable systems, each with their own set of identities, - A set of stackable systems, each with their own set of identities,
may be managed by a common SNMP agent. Each individual system may be managed by a common SNMP agent. Each individual system
would have its own authentication instance. would have its own authentication instance.
- Multiple protocols, each with their own set of identities, may - Multiple protocols, each with their own set of identities, may
exist within a single system and be managed by a single SNMP agent. exist within a single system and be managed by a single SNMP agent.
In this case, each protocol may have its own authentication In this case, each protocol may have its own authentication
instance. instance.
6.3. ipsAuthCertificate 6.3. ipsAuthIdentity
The ipsAuthCertAttributesTable contains a list of certificates which
can be used to authenticate user identities within the
ipsAuthIdentAttributesTable. Rather than copying each certificate
for each of its uses within the identities, the certificates are
instead kept in their own list, and may be pointed to by individual
identities. This avoids duplication of certificates that may be used
by more than one identity, as well as providing a way to keep track
of certificates that are not currently in use by any given identity.
The attribute ipsAuthCert contains the binary certificate, in X.509
format [X.509].
WORK - Need to say which attribute matches the identifier.
WORK - some other references that may be helpful (remove if not):
RFC2538 - Storing Certificates in the Domain Name System
RFC2693 - SPKI Certificate Theory
RFC2797 - Certificate Management Messages over CMS
If the implementation making use of this MIB does not require the use
of public key certificates, this table will be empty.
6.4. ipsAuthIdentity
The ipsAuthIdentAttributesTable contains one entry for each The ipsAuthIdentAttributesTable contains one entry for each
configured user identity. The identity contains only a description configured user identity. The identity contains only a description
of what the identity is used for; its attributes are all contained in of what the identity is used for; its attributes are all contained in
other tables, since they can have multiple values. other tables, since they can have multiple values.
Other MIBs containing lists of users authorized to access a Other MIBs containing lists of users authorized to access a
particular resource should generally contain a RowPointer to the particular resource should generally contain a RowPointer to the
ipsAuthIdentAttributesEntry which will, if authenticated, be allowed ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
access. access.
All other table entries make use of the indices to this table as All other table entries make use of the indices to this table as
their primary indices. their primary indices.
6.5. ipsAuthIdentityName 6.4. ipsAuthIdentityName
The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
each of which belong to, and may be used to identify, a particular each of which belong to, and may be used to identify, a particular
identity in the authIdentity table. identity in the authIdentity table.
Implementations making use of the authentication MIB may identify Implementations making use of the authentication MIB may identify
their resources by names, addresses, or both. A name is typically a their resources by names, addresses, or both. A name is typically a
unique (within the required scope), unchanging identifier for a unique (within the required scope), unchanging identifier for a
resource. It will normally meet some or all of the requirements for a resource. It will normally meet some or all of the requirements for a
Uniform Resource Name [RFC1737], although a name in the context of Uniform Resource Name [RFC1737], although a name in the context of
skipping to change at page 7, line 19 skipping to change at page 6, line 46
An example of an identity name is the iSCSI Name, defined in [ISCSI]. An example of an identity name is the iSCSI Name, defined in [ISCSI].
If this table contains no entries associated with a particular user If this table contains no entries associated with a particular user
identity, the implementation does not need to check any name identity, the implementation does not need to check any name
paramenters when authenticating that identity. If the table contains paramenters when authenticating that identity. If the table contains
multiple entries associated with a particular user identity, the multiple entries associated with a particular user identity, the
implementation should consider a match with any one of these entries implementation should consider a match with any one of these entries
to be valid. to be valid.
6.6. ipsAuthIdentityAddress 6.5. ipsAuthIdentityAddress
The ipsAuthIdentAddrAttributesTable contains a list of addresses at The ipsAuthIdentAddrAttributesTable contains a list of addresses at
which the identity may be authenticated. For example, an identity which the identity may be authenticated. For example, an identity
may be allowed access to a resource only from a certain IP address, may be allowed access to a resource only from a certain IP address,
or only if its address is in a certain range or set of ranges. or only if its address is in a certain range or set of ranges.
Each entry contains a starting and ending address. If a single Each entry contains a starting and ending address. If a single
address is desired in the list, both starting and ending addresses address is desired in the list, both starting and ending addresses
should be identical. must be identical.
Each entry contains an AddrType attribute. This attribute contains Each entry contains an AddrType attribute. This attribute contains
an enumeration registered as an IANA Address Family type [IANA-AF]. an enumeration registered as an IANA Address Family type [IANA-AF].
Although many implementations will use IPv4 or IPv6 address types for Although many implementations will use IPv4 or IPv6 address types for
these entries, any IANA-registered type may be used, as long as it these entries, any IANA-registered type may be used, as long as it
makes sense to the application. makes sense to the application.
Matching any address within any range within the list associated with Matching any address within any range within the list associated with
a particular identity is considered to be a valid match. If no a particular identity is considered to be a valid match. If no
entries are present in this list for a given identity, its address is entries are present in this list for a given identity, its address is
not checked during authentication. not checked during authentication.
WORK: Is it better to make ending == starting for a single address, Netmasks are not supported, since an address range can express the
or should the attribute simply not be returned? same thing with more flexibility. An application specifying
addresses using network masks may do so, and convert to and from
WORK: Is there any point to having a netmask if we have a range? address ranges when reading or writing this MIB.
6.7. ipsAuthCredential 6.6. ipsAuthCredential
The ipsAuthCredentialAttributesTable contains a list of credentials, The ipsAuthCredentialAttributesTable contains a list of credentials,
each of which may authenticate a particular identity. each of which may authenticate a particular identity.
Each credential contains an authentication method to be used, such as Each credential contains an authentication method to be used, such as
CHAP [RFC1994], SRP [RFC2945], Kerberos [RFC1510], or SPKM [RFC2025]. CHAP [RFC1994], or SRP [RFC2945]. This attribute contains an object
This attribute contains an object identifier instead of an enumerated identifier instead of an enumerated type, allowing other MIBs to add
type, allowing other MIBs to add their own authentication methods, their own authentication methods, without modifying this MIB.
without modifying this MIB.
For each entry in this table, there will exist an entry in another For each entry in this table, there will exist an entry in another
table containing its attributes. The table in which to place the table containing its attributes. The table in which to place the
entry depends on the AuthMethod attribute: entry depends on the AuthMethod attribute:
CHAP If the AuthMethod is set to the CHAP OID, an entry using the CHAP If the AuthMethod is set to the CHAP OID, an entry using the
same indices as the ipsAuthCredential will exist in the same indices as the ipsAuthCredential will exist in the
ipsAuthCredChap table, which contains the CHAP username and ipsAuthCredChap table, which contains the CHAP username and
password expected. password expected.
SRP If the AuthMethod is set to the SRP OID, an entry using the SRP If the AuthMethod is set to the SRP OID, an entry using the
same indices as the ipsAuthCredential will exist in the same indices as the ipsAuthCredential will exist in the
ipsAuthCredSrp table, which contains the SRP username, ipsAuthCredSrp table, which contains the SRP username,
password verifier, and salt. password verifier, and salt.
SPKM If the AuthMethod is set to the SPKM OID, an entry using the
same indices as the ipsAuthCredential will exist in the
ipsAuthCredSpkm table, which contains the indices of the
authCertificate entries that are expected.
Kerberos If the AuthMethod is set to the Kerberos OID, an entry using
the same indices as the ipsAuthCredential will exist in the
ipsAuthCredKerberos table. Contents are TBD.
Other If the AuthMethod is set to any OID not defined in this MIB, Other If the AuthMethod is set to any OID not defined in this MIB,
an entry using the same indices as the ipsAuthCredential an entry using the same indices as the ipsAuthCredential
entry should be placed in the other MIB that define whatever entry should be placed in the other MIB that define whatever
attributes are needed for that type of credential. attributes are needed for that type of credential.
6.8. IP and Other Addresses 6.7. IP, Fibre Channel, and Other Addresses
WORK: Re-write based on address family types.
The IP addresses in this MIB are represented by two attributes, one The IP addresses in this MIB are represented by two attributes, one
of type InetAddressType, and the other of type InetAddress. These of type AddressFamilyNumbers, and the other of type AuthAddress.
are taken from [IPV6MIB], which is an update to [RFC2851] specifying Each address can take on any of the types within the list of address
how to support addresses that may be either IPv4 or IPv6. family numbers; the most likely being IPv4, IPv6, or one of the Fibre
Channel address types.
6.9. Descriptors: Using OIDs in Place of Enumerated Types The type AuthAddress is an octet string. If the address family is
IPv4 or IPv6, the format is taken from the InetAddress specified in
[RFC3291]. If the address family is one of the Fibre Channel types,
the format is identical to the FcNameIdOrZero type defined in
[FCMGMT].
6.8. Descriptors: Using OIDs in Place of Enumerated Types
Some attributes, particularly the authentication method attribute, Some attributes, particularly the authentication method attribute,
would normally require an enumerated type. However, implementations would normally require an enumerated type. However, implementations
will likely need to add new authentication method types of their own, will likely need to add new authentication method types of their own,
without extending this MIB. To make this work, the MIB defines a set without extending this MIB. To make this work, the MIB defines a set
of object identities within ipsAuthDescriptors. Each of these object of object identities within ipsAuthDescriptors. Each of these object
identities is basically an enumerated type. identities is basically an enumerated type.
Attributes that make use of these object identities have a value Attributes that make use of these object identities have a value
which is an OID instead of an enumerated type. These OIDs can either which is an OID instead of an enumerated type. These OIDs can either
indicate the object identities defined in this MIB, or object indicate the object identities defined in this MIB, or object
identities defined elsewhere, such as in an enterprise MIB. Those identities defined elsewhere, such as in an enterprise MIB. Those
implementations that add their own authentication methods should also implementations that add their own authentication methods should also
define a corresponding object identity for each of these methods define a corresponding object identity for each of these methods
within their own enterprise MIB, and return its OID whenever one of within their own enterprise MIB, and return its OID whenever one of
these attributes is using that method. these attributes is using that method.
6.10. Notifications 6.9. Notifications
Monitoring of authentication failures and other notification events Monitoring of authentication failures and other notification events
are outside the scope of this MIB, as they are generally application- are outside the scope of this MIB, as they are generally application-
specific. No notifications are provided or required. specific. No notifications are provided or required.
7. MIB Definitions 7. MIB Definitions
IPS-AUTH-MIB DEFINITIONS ::= BEGIN IPS-AUTH-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, NOTIFICATION-TYPE, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
Unsigned32,
experimental experimental
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TEXTUAL-CONVENTION,
RowStatus,
AutonomousType AutonomousType
FROM SNMPv2-TC FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC 2571 FROM SNMP-FRAMEWORK-MIB -- RFC 2571
InetAddressType, InetAddress AddressFamilyNumbers
FROM INET-ADDRESS-MIB FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
; ;
ipsAuthModule MODULE-IDENTITY ipsAuthModule MODULE-IDENTITY
LAST-UPDATED "200202210000Z" LAST-UPDATED "200206260000Z"
ORGANIZATION "IETF IPS Working Group" ORGANIZATION "IETF IPS Working Group"
CONTACT-INFO CONTACT-INFO
" "
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
skipping to change at page 11, line 4 skipping to change at page 9, line 45
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
E-mail: mbakke@cisco.com" E-mail: mbakke@cisco.com"
DESCRIPTION DESCRIPTION
"The IP Storage Authorization MIB module." "The IP Storage Authorization MIB module."
REVISION "200202210000Z" -- February 21, 2001 REVISION "200206260000Z" -- June 26, 2002
DESCRIPTION DESCRIPTION
"Initial revision published as RFC xxxx." "Initial revision published as RFC xxxx."
::= { experimental 99999 } -- in case you want to COMPILE --::= { mib-2 xx }
-- in case you want to COMPILE
::= { experimental 99999 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 } ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 } ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 } ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 }
-- Textual Conventions -- Textual Conventions
IpsAuthAddress ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IP Storage requires the use of address information
that uses not only the InetAddress type defined in the
INET-ADDRESS-MIB, but also Fibre Channel type defined
in the Fibre Channel Management MIB. Although these
address types are recognized in the IANA Address Family
Numbers MIB, the addressing mechanisms have not been
merged into a well-known, common type. This data type,
the IpsAuthAddress, performs this function for this MIB."
REFERENCE
"IANA-ADDRESS-FAMILY-NUMBERS-MIB;
INET-ADDRESS-MIB (RFC 2851);
Fibre Channel Management MIB (presently defined in
draft-ietf-ips-fcmgmt-mib-01.txt)."
SYNTAX OCTET STRING (SIZE(0..255))
------------------------------------------------------------------------ ------------------------------------------------------------------------
ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 } ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }
ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 } ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }
ipsAuthMethodNone OBJECT-IDENTITY ipsAuthMethodNone OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when no authentication "The authoritative identifier when no authentication
skipping to change at page 11, line 50 skipping to change at page 11, line 16
::= { ipsAuthMethodTypes 2 } ::= { ipsAuthMethodTypes 2 }
ipsAuthMethodChap OBJECT-IDENTITY ipsAuthMethodChap OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when the authentication "The authoritative identifier when the authentication
method is CHAP." method is CHAP."
REFERENCE "iSCSI Protocol Specification." REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 } ::= { ipsAuthMethodTypes 3 }
ipsAuthMethodKrb5 OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is KRB-5."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 4 }
ipsAuthMethodSpkm1 OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is SPKM-1."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 5 }
ipsAuthMethodSpkm2 OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is SPKM-2."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 6 }
---------------------------------------------------------------------- ----------------------------------------------------------------------
ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 } ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }
-- Instance Attributes Table -- Instance Attributes Table
ipsAuthInstanceAttributesTable OBJECT-TYPE ipsAuthInstanceAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
skipping to change at page 13, line 28 skipping to change at page 12, line 19
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string, determined by the implementation to describe "An octet string, determined by the implementation to describe
the authentication instance. When only a single instance is present, the authentication instance. When only a single instance is present,
this object may be set to the zero-length string; with multiple this object may be set to the zero-length string; with multiple
authentication instances, it may be used in an implementation-dependent authentication instances, it may be used in an implementation-dependent
manner to describe the purpose of the respective instance." manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 } ::= { ipsAuthInstanceAttributesEntry 2 }
ipsAuthCertificate OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }
ipsAuthCertAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCertAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of certificates that may be used to authenticate
user identities."
::= { ipsAuthCertificate 1 }
ipsAuthCertAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCertAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a certificate which may be used to authenticate
a user identity within an authentication instance."
INDEX { ipsAuthInstIndex, ipsAuthCertIndex }
::= { ipsAuthCertAttributesTable 1 }
IpsAuthCertAttributesEntry ::= SEQUENCE {
ipsAuthCertIndex Unsigned32,
ipsAuthCertDescription SnmpAdminString,
ipsAuthCertIdentity OCTET STRING,
ipsAuthCert OCTET STRING,
ipsAuthCertRowStatus RowStatus
}
ipsAuthCertIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a particular
certificate instance within an authentication instance present
on the node."
::= { ipsAuthCertAttributesEntry 1 }
ipsAuthCertDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string describing this certificate."
::= { ipsAuthCertAttributesEntry 2 }
ipsAuthCertIdentity OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string, which is either a copy of the XXX attribute
from the certificate, or an empty string. If this attribute
is not empty, it MUST match value of the XXX attribute from
the certificate."
::= { ipsAuthCertAttributesEntry 3 }
ipsAuthCert OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The certificate, encoded in X.509 format."
::= { ipsAuthCertAttributesEntry 4 }
ipsAuthCertRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCertAttributesEntry 5 }
ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- iSCSI User Identity Attributes Table -- iSCSI User Identity Attributes Table
ipsAuthIdentAttributesTable OBJECT-TYPE ipsAuthIdentAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of user identities, each belonging to a particular "A list of user identities, each belonging to a particular
ipsAuthInstance." ipsAuthInstance."
skipping to change at page 16, line 22 skipping to change at page 13, line 28
ipsAuthIdentRowStatus OBJECT-TYPE ipsAuthIdentRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 } ::= { ipsAuthIdentAttributesEntry 3 }
ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 5 } ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- iSCSI User Initiator Name Attributes Table -- iSCSI User Initiator Name Attributes Table
ipsAuthIdentNameAttributesTable OBJECT-TYPE ipsAuthIdentNameAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of unique names that can be used to positively "A list of unique names that can be used to positively
identify a particular user identity." identify a particular user identity."
skipping to change at page 17, line 34 skipping to change at page 14, line 42
ipsAuthIdentNameRowStatus OBJECT-TYPE ipsAuthIdentNameRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 } ::= { ipsAuthIdentNameAttributesEntry 3 }
ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 6 } ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }
-- iSCSI User Initiator Address Attributes Table -- iSCSI User Initiator Address Attributes Table
ipsAuthIdentAddrAttributesTable OBJECT-TYPE ipsAuthIdentAddrAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of address ranges that are allowed to serve "A list of address ranges that are allowed to serve
as the endpoint addresses of a particular identity. as the endpoint addresses of a particular identity.
An address range includes a starting and ending address An address range includes a starting and ending address
and an optional netmask, and an address type indicator, and an optional netmask, and an address type indicator,
which can specify whether the address is IPv4, IPv6, which can specify whether the address is IPv4, IPv6,
skipping to change at page 18, line 19 skipping to change at page 15, line 25
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to an address range which is used as part applicable to an address range which is used as part
of the authentication of an identity of the authentication of an identity
within an authentication instance on this node." within an authentication instance on this node."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentAddrIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 } ::= { ipsAuthIdentAddrAttributesTable 1 }
IpsAuthIdentAddrAttributesEntry ::= SEQUENCE { IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
ipsAuthIdentAddrIndex Unsigned32, ipsAuthIdentAddrIndex Unsigned32,
ipsAuthIdentAddrType InetAddressType, ipsAuthIdentAddrType AddressFamilyNumbers,
ipsAuthIdentAddrStart InetAddress, ipsAuthIdentAddrStart IpsAuthAddress,
ipsAuthIdentAddrEnd InetAddress, ipsAuthIdentAddrEnd IpsAuthAddress,
ipsAuthIdentAddrMask InetAddress,
ipsAuthIdentAddrRowStatus RowStatus ipsAuthIdentAddrRowStatus RowStatus
} }
ipsAuthIdentAddrIndex OBJECT-TYPE ipsAuthIdentAddrIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a particular "An arbitrary integer used to uniquely identify a particular
ipsAuthIdentAddress instance within an ipsAuthIdentity within an ipsAuthIdentAddress instance within an ipsAuthIdentity within an
authentication instance present on the node." authentication instance present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 } ::= { ipsAuthIdentAddrAttributesEntry 1 }
ipsAuthIdentAddrType OBJECT-TYPE ipsAuthIdentAddrType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX AddressFamilyNumbers
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The type of Address in the ipsAuthIdentAddress start, end, "The type of Address in the ipsAuthIdentAddress start, end,
and mask fields. This type is taken from the IANA address and mask fields. This type is taken from the IANA address
family types; more types may be registered independently family types; more types may be registered independently
of this MIB." of this MIB."
::= { ipsAuthIdentAddrAttributesEntry 2 } ::= { ipsAuthIdentAddrAttributesEntry 2 }
ipsAuthIdentAddrStart OBJECT-TYPE ipsAuthIdentAddrStart OBJECT-TYPE
SYNTAX InetAddress SYNTAX IpsAuthAddress
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The starting address of the allowed address range." "The starting address of the allowed address range."
::= { ipsAuthIdentAddrAttributesEntry 3 } ::= { ipsAuthIdentAddrAttributesEntry 3 }
ipsAuthIdentAddrEnd OBJECT-TYPE ipsAuthIdentAddrEnd OBJECT-TYPE
SYNTAX InetAddress SYNTAX IpsAuthAddress
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The ending address of the allowed address range. If the "The ending address of the allowed address range. If the
ipsAuthIdentAddrEntry specifies a single address, this shall ipsAuthIdentAddrEntry specifies a single address, this shall
match the ipsAuthIdentAddrStart." match the ipsAuthIdentAddrStart."
::= { ipsAuthIdentAddrAttributesEntry 4 } ::= { ipsAuthIdentAddrAttributesEntry 4 }
ipsAuthIdentAddrMask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The Address mask. -- NEED TO SPECIFY EXACTLY HOW USED W/RANGE"
::= { ipsAuthIdentAddrAttributesEntry 5 }
ipsAuthIdentAddrRowStatus OBJECT-TYPE ipsAuthIdentAddrRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 6 } ::= { ipsAuthIdentAddrAttributesEntry 5 }
ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 7 } ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }
-- Identity Credential Attributes Table -- Identity Credential Attributes Table
ipsAuthCredentialAttributesTable OBJECT-TYPE ipsAuthCredentialAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of credentials related to user identities "A list of credentials related to user identities
that are allowed as valid authenticators of the that are allowed as valid authenticators of the
skipping to change at page 20, line 17 skipping to change at page 17, line 13
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which authenticates a user applicable to a credential which authenticates a user
identity within an authentication instance." identity within an authentication instance."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 } ::= { ipsAuthCredentialAttributesTable 1 }
IpsAuthCredentialAttributesEntry ::= SEQUENCE { IpsAuthCredentialAttributesEntry ::= SEQUENCE {
ipsAuthCredIndex Unsigned32, ipsAuthCredIndex Unsigned32,
ipsAuthCredAuthMethod AutonomousType, ipsAuthCredAuthMethod AutonomousType,
ipsAuthCredUserName SnmpAdminString,
ipsAuthCredRowStatus RowStatus ipsAuthCredRowStatus RowStatus
} }
ipsAuthCredIndex OBJECT-TYPE ipsAuthCredIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a particular "An arbitrary integer used to uniquely identify a particular
iSCSI Credential instance within an iSCSI instance present on the iSCSI Credential instance within an iSCSI instance present on the
skipping to change at page 20, line 44 skipping to change at page 17, line 39
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object contains an OBJECT IDENTIFIER "This object contains an OBJECT IDENTIFIER
which identifies the authentication method which identifies the authentication method
used with this credential. used with this credential.
Some standardized values for this object are defined Some standardized values for this object are defined
within the ipsAuthMethods subtree." within the ipsAuthMethods subtree."
::= { ipsAuthCredentialAttributesEntry 2 } ::= { ipsAuthCredentialAttributesEntry 2 }
ipsAuthCredUserName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the user name for this credential,
if it is applicable to the ipsAuthCredAuthMethod."
::= { ipsAuthCredentialAttributesEntry 3 }
ipsAuthCredRowStatus OBJECT-TYPE ipsAuthCredRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthCredentialAttributesEntry 4 } ::= { ipsAuthCredentialAttributesEntry 3 }
ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 8 } ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }
-- Credential Chap-Specific Attributes Table -- Credential Chap-Specific Attributes Table
ipsAuthCredChapAttributesTable OBJECT-TYPE ipsAuthCredChapAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of CHAP attributes for credentials that "A list of CHAP attributes for credentials that
have their ipsAuthCredAuthMethod == ipsAuthMethodChap." have their ipsAuthCredAuthMethod == ipsAuthMethodChap."
skipping to change at page 22, line 27 skipping to change at page 19, line 11
ipsAuthCredChapRowStatus OBJECT-TYPE ipsAuthCredChapRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthCredChapAttributesEntry 3 } ::= { ipsAuthCredChapAttributesEntry 3 }
ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 9 } ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }
-- Credential Srp-Specific Attributes Table -- Credential Srp-Specific Attributes Table
ipsAuthCredSrpAttributesTable OBJECT-TYPE ipsAuthCredSrpAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of SRP-specific attributes for credentials that "A list of SRP-specific attributes for credentials that
have their ipsAuthCredAuthMethod == ipsAuthMethodSrp." have their ipsAuthCredAuthMethod == ipsAuthMethodSrp."
skipping to change at page 23, line 5 skipping to change at page 19, line 37
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which has the ipsAuthCredAuthMethod applicable to a credential which has the ipsAuthCredAuthMethod
set to the OID of ipsAuthMethodSrp." set to the OID of ipsAuthMethodSrp."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSrpAttributesTable 1 } ::= { ipsAuthCredSrpAttributesTable 1 }
IpsAuthCredSrpAttributesEntry ::= SEQUENCE { IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
ipsAuthCredSrpUserName SnmpAdminString, ipsAuthCredSrpUserName SnmpAdminString,
ipsAuthCredSrpPasswordVerifier SnmpAdminString, ipsAuthCredSrpPassword SnmpAdminString,
ipsAuthCredSrpSalt SnmpAdminString,
ipsAuthCredSrpRowStatus RowStatus ipsAuthCredSrpRowStatus RowStatus
} }
ipsAuthCredSrpUserName OBJECT-TYPE ipsAuthCredSrpUserName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the CHAP user name for this "An octet string containing the CHAP user name for this
credential." credential."
::= { ipsAuthCredSrpAttributesEntry 1 } ::= { ipsAuthCredSrpAttributesEntry 1 }
ipsAuthCredSrpPasswordVerifier OBJECT-TYPE ipsAuthCredSrpPassword OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the SRP password verifier "An octet string containing the password for this
for this credential." credential. If written, it changes the password for
the credential. If read, it returns a zero-length
string."
::= { ipsAuthCredSrpAttributesEntry 2 } ::= { ipsAuthCredSrpAttributesEntry 2 }
ipsAuthCredSrpSalt OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the salt value related to
this credential."
::= { ipsAuthCredSrpAttributesEntry 3 }
ipsAuthCredSrpRowStatus OBJECT-TYPE ipsAuthCredSrpRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthCredSrpAttributesEntry 4 } ::= { ipsAuthCredSrpAttributesEntry 3 }
ipsAuthCredSpkm OBJECT IDENTIFIER ::= { ipsAuthObjects 10 }
ipsAuthCredSpkmAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredSpkmAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of SPKM-specific attributes for credentials that
have their ipsAuthCredAuthMethod == ipsAuthMethodSpkm."
::= { ipsAuthCredSpkm 1 }
ipsAuthCredSpkmAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredSpkmAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which has the ipsAuthCredAuthMethod
set to the OID of ipsAuthMethodSpkm."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSpkmAttributesTable 1 }
IpsAuthCredSpkmAttributesEntry ::= SEQUENCE {
ipsAuthCredSpkmPeerIdentity OCTET STRING,
ipsAuthCredSpkmPeerCert Unsigned32,
ipsAuthCredSpkmMyCert Unsigned32,
ipsAuthCredSpkmRowStatus RowStatus
}
ipsAuthCredSpkmPeerIdentity OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The identity to be authenticated by the public
key certificate. If ipsAuthCredSpkmPeerCert is not
zero, this identity much match the XXXXXXX attribute
within the certificate referenced by PeerCert."
::= { ipsAuthCredSpkmAttributesEntry 1 }
ipsAuthCredSpkmPeerCert OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The index of the ipsAuthCertificateEntry that contains
the certificate for the peer that is expected for
this credential to be authenticated, or zero if this
attribute is not used."
::= { ipsAuthCredSpkmAttributesEntry 2 }
ipsAuthCredSpkmMyCert OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The index of the ipsAuthCertificateEntry that contains
the certificate that will be provided to the other
system when this this credential to be authenticated,
or zero if this attribute is not used."
::= { ipsAuthCredSpkmAttributesEntry 3 }
ipsAuthCredSpkmRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredSpkmAttributesEntry 4 }
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 11 }
ipsAuthCredKerbAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of SRP-specific attributes for credentials that
have their ipsAuthCredAuthMethod == ipsAuthMethodKerberos."
::= { ipsAuthCredKerberos 1 }
ipsAuthCredKerbAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which has the ipsAuthCredAuthMethod
set to the OID of ipsAuthMethodKerberos."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredKerbAttributesTable 1 }
IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
ipsAuthCredKerbAttribute SnmpAdminString,
ipsAuthCredKerbRowStatus RowStatus
}
ipsAuthCredKerbAttribute OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing a Kerberos attribute
for this credential."
::= { ipsAuthCredKerbAttributesEntry 1 }
ipsAuthCredKerbRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredKerbAttributesEntry 2 }
------------------------------------------------------------------------ ------------------------------------------------------------------------
-- Notifications -- Notifications
-- There are no notifications necessary in this MIB. -- There are no notifications necessary in this MIB.
------------------------------------------------------------------------ ------------------------------------------------------------------------
-- Conformance Statements -- Conformance Statements
skipping to change at page 27, line 13 skipping to change at page 20, line 44
ipsAuthInstanceAttributesGroup OBJECT-GROUP ipsAuthInstanceAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthInstDescr ipsAuthInstDescr
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
authentication instances." authentication instances."
::= { ipsAuthGroups 1 } ::= { ipsAuthGroups 1 }
ipsAuthIdentCertAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthCertDescription,
ipsAuthCert,
ipsAuthCertIdentity,
ipsAuthCertRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
certicates within an authentication instance."
::= { ipsAuthGroups 2 }
ipsAuthIdentAttributesGroup OBJECT-GROUP ipsAuthIdentAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentDescription, ipsAuthIdentDescription,
ipsAuthIdentRowStatus ipsAuthIdentRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
user identities within an authentication instance." user identities within an authentication instance."
::= { ipsAuthGroups 3 } ::= { ipsAuthGroups 2 }
ipsAuthIdentNameAttributesGroup OBJECT-GROUP ipsAuthIdentNameAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentName, ipsAuthIdentName,
ipsAuthIdentNameRowStatus ipsAuthIdentNameRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
user names within user identities within an authentication user names within user identities within an authentication
instance." instance."
::= { ipsAuthGroups 4 } ::= { ipsAuthGroups 3 }
ipsAuthIdentAddrAttributesGroup OBJECT-GROUP ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentAddrType, ipsAuthIdentAddrType,
ipsAuthIdentAddrStart, ipsAuthIdentAddrStart,
ipsAuthIdentAddrEnd, ipsAuthIdentAddrEnd,
ipsAuthIdentAddrMask,
ipsAuthIdentAddrRowStatus ipsAuthIdentAddrRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
address ranges within user identities within an authentication address ranges within user identities within an authentication
instance." instance."
::= { ipsAuthGroups 5 } ::= { ipsAuthGroups 4 }
ipsAuthIdentCredAttributesGroup OBJECT-GROUP ipsAuthIdentCredAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredAuthMethod, ipsAuthCredAuthMethod,
ipsAuthCredUserName,
ipsAuthCredRowStatus ipsAuthCredRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
credentials within user identities within an authentication credentials within user identities within an authentication
instance." instance."
::= { ipsAuthGroups 6 } ::= { ipsAuthGroups 5 }
ipsAuthIdentChapAttrGroup OBJECT-GROUP ipsAuthIdentChapAttrGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredChapUserName, ipsAuthCredChapUserName,
ipsAuthCredChapPassword, ipsAuthCredChapPassword,
ipsAuthCredChapRowStatus ipsAuthCredChapRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about CHAP "A collection of objects providing information about CHAP
credentials within user identities within an authentication credentials within user identities within an authentication
instance." instance."
::= { ipsAuthGroups 7 } ::= { ipsAuthGroups 6 }
ipsAuthIdentSrpAttrGroup OBJECT-GROUP ipsAuthIdentSrpAttrGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredSrpUserName, ipsAuthCredSrpUserName,
ipsAuthCredSrpPasswordVerifier, ipsAuthCredSrpPassword,
ipsAuthCredSrpSalt,
ipsAuthCredSrpRowStatus ipsAuthCredSrpRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about SRP "A collection of objects providing information about SRP
credentials within user identities within an authentication credentials within user identities within an authentication
instance." instance."
::= { ipsAuthGroups 8 } ::= { ipsAuthGroups 7 }
ipsAuthIdentSpkmAttrGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredSpkmPeerIdentity,
ipsAuthCredSpkmPeerCert,
ipsAuthCredSpkmMyCert,
ipsAuthCredSpkmRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about SPKM
credentials within user identities within an authentication
instance."
::= { ipsAuthGroups 9 }
ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredKerbAttribute,
ipsAuthCredKerbRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about Kerberos
credentials within user identities within an authentication
instance."
::= { ipsAuthGroups 10 }
------------------------------------------------------------------------ ------------------------------------------------------------------------
ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 } ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }
ipsAuthComplianceV1 MODULE-COMPLIANCE ipsAuthComplianceV1 MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Initial version of compliance statement based on "Initial version of compliance statement based on
initial version of MIB. initial version of MIB.
skipping to change at page 30, line 26 skipping to change at page 23, line 13
GROUP ipsAuthIdentAddrAttributesGroup GROUP ipsAuthIdentAddrAttributesGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use addresses to help authenticate identities." that use addresses to help authenticate identities."
GROUP ipsAuthIdentCredAttributesGroup GROUP ipsAuthIdentCredAttributesGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use credentials to help authenticate identities." that use credentials to help authenticate identities."
GROUP ipsAuthIdentCertAttributesGroup
DESCRIPTION
"This group is mandatory for all implementations
that make use of public key certificates."
::= { ipsAuthCompliances 1 } ::= { ipsAuthCompliances 1 }
END END
8. Security Considerations 8. Security Considerations
WORK: Need some text about all the bad things that can happen when
someone gains write access to this MIB.
WORK: Considerations for read only.
SNMPv1 by itself is not a secure environment. Even if the network SNMPv1 by itself is not a secure environment. Even if the network
itself is secure (for example by using IPSec), even then, there is no itself is secure (for example by using IPSec), even then, there is no
control as to who on the secure network is allowed to access and control as to who on the secure network is allowed to access and
GET/SET (read/change/create/delete) the objects in this MIB. GET/SET (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security It is recommended that the implementers consider the security
features as provided by the SNMPv3 framework. Specifically, the use features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2574 [RFC2574] and the View- of the User-based Security Model RFC 2574 [RFC2574] and the View-
based Access Control Model RFC 2575 [RFC2575] is recommended. based Access Control Model RFC 2575 [RFC2575] is recommended.
It is then a customer/user responsibility to ensure that the SNMP It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly entity giving access to an instance of this MIB, is properly
configured to give access to the objects only to those principals configured to give access to the objects only to those principals
(users) that have legitimate rights to indeed GET or SET (users) that have legitimate rights to indeed GET or SET
(change/create/delete) them. (change/create/delete) them.
9. References Read access to this MIB provides the ability to find out which names,
addresses, and credentials would be required to access services on
the managed system. If these credentials are easily spoofed
(particularly the name or address), read access to the MIB must be
tightly controlled.
Write access to the MIB provides the ability to set up which
credentials may be used to access services on the managed system, to
remove legitimate credentials (a denial of service), or to remove
individual credentials to weaken the requirements for access of a
particular service. Write access must always be tightly controlled.
9. Normative References
[ISCSI] Satran, J., et. al., "iSCSI", draft-ietf-ips-iSCSI-13, June
2002.
[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, April for Describing SNMP Management Frameworks", RFC 2571, April
1999. 1999.
[RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
of Management Information for TCP/IP-based Internets", STD of Management Information for TCP/IP-based Internets", STD
16, RFC 1155, May 1990. 16, RFC 1155, May 1990.
[RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD
skipping to change at page 32, line 32 skipping to change at page 25, line 28
Management Protocol (SNMP)", RFC 2575, April 1999. Management Protocol (SNMP)", RFC 2575, April 1999.
[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction to Version 3 of the Internet-standard Network "Introduction to Version 3 of the Internet-standard Network
Management Framework", RFC 2570, April 1999. Management Framework", RFC 2570, April 1999.
[RFC2012] McCloghrie, K., "SNMPv2 Management Information Base for the [RFC2012] McCloghrie, K., "SNMPv2 Management Information Base for the
Transmission Control Protocol using SMIv2", RFC 2012, Transmission Control Protocol using SMIv2", RFC 2012,
November 1996. November 1996.
[RFC2851] Daniele, M., et. al., "Textual Conventions for Internet [RFC3291] Daniele, M., et. al., "Textual Conventions for Internet
Network Addresses", RFC 2851, June 2000.
[IPV6MIB] Daniele, M., et. al., "Textual Conventions for Internet
Network Addresses", draft-ietf-ops-rfc2851-update-06.txt, Network Addresses", draft-ietf-ops-rfc2851-update-06.txt,
February 2001 February 2001
[IANA-AF] IANA, "WORK: something about assigned enum types for address [IANA-AF] IANA, "IANA Address Family Numbers MIB",
families", http://www.iana.org/something. http://www.iana.org/assignments/ianaaddressfamilynumbers-mib
[RFC1213] K. McCloghrie, M.T. Rose, "Management Information Base for [RFC1213] K. McCloghrie, M.T. Rose, "Management Information Base for
Network Management of TCP/IP-based internets:MIB-II", March Network Management of TCP/IP-based internets:MIB-II", March
1991. 1991.
[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the [RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
Internet Protocol using SMIv2", November 1996. Internet Protocol using SMIv2", November 1996.
[RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
(CHAP)", August 1996.
[RFC1510] J. Kohl, C. Neuman, "The Kerberos Network Authentication
Service (V5)", September 1993.
[RFC2025] C. Adams, "The Simple Public-Key GSS-API Mechanism (SPKM)",
October 1996.
[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
September 2000.
[RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP [RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP
Version 6: Textual Conventions and General Group", December Version 6: Textual Conventions and General Group", December
1998. 1998.
[ISCSI] Satran, J., et. al., "iSCSI", draft-ietf-ips-iSCSI-10, [X.509] ITU-T Recommendation X.509 (1997 E), "Information Technology
Febrary 2002. - Open Systems Interconnection - The Directory:
Authentication Framework", June 1997.
[FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", draft-ietf-
ips-fcmgmt-mib-01, February 2002.
10. Informative References
[RFC1737] K. Sollins, L. Masinter, "Functional Requirements for [RFC1737] K. Sollins, L. Masinter, "Functional Requirements for
Uniform Resource Names", December 1994. Uniform Resource Names", December 1994.
[X.509] ITU-T Recommendation X.509 (1997 E), "Information Technology [RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
- Open Systems Interconnection - The Directory: (CHAP)", August 1996.
Authentication Framework", June 1997.
10. Authors' Addresses [RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
September 2000.
11. Authors' Addresses
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/