draft-ietf-ips-auth-mib-04.txt   draft-ietf-ips-auth-mib-05.txt 
Internet Draft Mark Bakke Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-04.txt> Jim Muchow <draft-ietf-ips-auth-mib-05.txt> Cisco Systems
Expires September 2003 Cisco Systems Expires June 2004 Jim Muchow
March 2003 December 2003
Definitions of Managed Objects for User Identity Authentication Definitions of Managed Objects for User Identity Authorization
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026. of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP based internets. for use with network management protocols in TCP/IP based internets.
In particular it defines objects for managing user identities and the In particular it defines objects for managing user identities and the
names, addresses, and credentials required to authenticate them, for names, addresses, and credentials required manage access control, for
use with various protocols. This draft was motivated by the need for use with various protocols. This draft was motivated by the need for
the configuration of authenticated user identities for the iSCSI the configuration of authorized user identities for the iSCSI
protocol, but has been extended to be useful for other protocols that protocol, but has been extended to be useful for other protocols that
have similar requirements. It is important to note that this MIB have similar requirements. It is important to note that this MIB
provides only the set of identities and the means to authenticate provides only the set of identities to be used within access lists;
them; it is the responsibility of other MIBs making use of this one it is the responsibility of other MIBs making use of this one to tie
to tie them to authorization lists. them to their own access lists or other authorization control
methods.
Acknowledgments Acknowledgments
In addition to the authors, several people contributed to the In addition to the authors, several people contributed to the
development of this MIB through discussions of authentication, development of this MIB through discussions of authentication,
authorization, and access within the iSCSI MIB and security teams, authorization, and access within the iSCSI MIB and security teams,
including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method, and to Studenmund (Wasabi Systems) for adding the Kerberos method, and to
Ayman Ghanem for finding and suggesting changes to several problems Ayman Ghanem for finding and suggesting changes to several problems
found in the MIB. found in the MIB.
Thanks especially to Keith McCloghrie for serving as advisor for this Thanks especially to Keith McCloghrie for serving as advisor for this
MIB. MIB.
Table of Contents Table of Contents
1. Introduction..............................................2 1. Introduction..............................................2
2. The Internet-Standard Management Framework................3 2. The Internet-Standard Management Framework................3
3. Relationship to Other MIBs................................3 3. Relationship to Other MIBs................................3
4. Discussion................................................3 4. Discussion................................................4
4.1. Authentication MIB Object Model.........................4 4.1. Authorization MIB Object Model..........................4
4.2. ipsAuthInstance.........................................5 4.2. ipsAuthInstance.........................................5
4.3. ipsAuthIdentity.........................................5 4.3. ipsAuthIdentity.........................................5
4.4. ipsAuthIdentityName.....................................5 4.4. ipsAuthIdentityName.....................................5
4.5. ipsAuthIdentityAddress..................................6 4.5. ipsAuthIdentityAddress..................................6
4.6. ipsAuthCredential.......................................7 4.6. ipsAuthCredential.......................................7
4.7. IP, Fibre Channel, and Other Addresses..................7 4.7. IP, Fibre Channel, and Other Addresses..................7
4.8. Descriptors: Using OIDs in Place of Enumerated Types....8 4.8. Descriptors: Using OIDs in Place of Enumerated Types....8
4.9. Notifications...........................................8 4.9. Notifications...........................................8
5. MIB Definitions...........................................9 5. MIB Definitions...........................................9
6. Security Considerations..................................28 6. Security Considerations..................................27
7. Normative References.....................................29 7. Normative References.....................................28
8. Informative References...................................29 8. Informative References...................................28
9. Authors' Addresses.......................................30 9. Authors' Addresses.......................................29
10. IPR Notice..............................................30 10. IPR Notice..............................................29
11. Full Copyright Notice...................................31 11. Full Copyright Notice...................................30
1. Introduction 1. Introduction
This MIB will be used to configure and/or look at the configuration This MIB will be used to configure and/or look at the configuration
of user identities and their authentication information. For the of user identities and their credential information. For the
purposes of this MIB, a "user" identity does not need to be an actual purposes of this MIB, a "user" identity does not need to be an actual
person; a user can also be a host, an application, a cluster of person; a user can also be a host, an application, a cluster of
hosts, or any other identifiable entity that can be authenticated and hosts, or any other identifiable entity that can be authorized to
granted access to a resource. access a resource.
Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
intended to allow configuration of user identities and their names, intended to allow configuration of user identities and their names,
addresses, and credentials. MIN-ACCESS for all objects is read-only addresses, and credentials. MIN-ACCESS for all objects is read-only
for those implementations that configure through other means, but for those implementations that configure through other means, but
require the ability to monitor user identities. require the ability to monitor user identities.
2. The Internet-Standard Management Framework 2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
skipping to change at page 3, line 26 skipping to change at page 3, line 28
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58, module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580]. [RFC2580].
3. Relationship to Other MIBs 3. Relationship to Other MIBs
The identity authentication MIB does not directly address objects The identity authorization MIB does not directly address objects
within other MIBs. The identity address objects contain IPv4, IPv6, within other MIBs. The identity address objects contain IPv4, IPv6,
or other address types, and as such may be indirectly related to or other address types, and as such may be indirectly related to
objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465] objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465]
MIB. MIB.
This MIB does not cover authorization. This should generally be done This MIB does not provide actual authorization or access control
in MIBs that reference identities in this one. It also does not lists; it provides a means to identify entities that can be included
cover login or authentication failure statistics or notifications, as in other authorization lists. This should generally be done in MIBs
these are all fairly application-specific, and not generic enough to that reference identities in this one. It also does not cover login
or authentication failure statistics or notifications, as these are
all fairly application-specific, and are not generic enough to
include here. include here.
The user identity objects within this MIB are typically referenced The user identity objects within this MIB are typically referenced
from other MIBs by a RowPointer within that MIB. A MIB containing from other MIBs by a RowPointer within that MIB. A MIB containing
resources for which it requires a list of authorized user identities resources for which it requires a list of authorized user identities
may create such a list, with a single RowPointer within each list may create such a list, with a single RowPointer within each list
element pointing to a user identity within this MIB. This is neither element pointing to a user identity within this MIB. This is neither
required nor restricted by this MIB. required nor restricted by this MIB.
4. Discussion 4. Discussion
This MIB structure is intended to allow the configuration of a list This MIB structure is intended to allow the configuration of a list
of user identities, each with a list of names, addresses, of user identities, each with a list of names, addresses,
credentials, and certificates which when combined will authenticate credentials, and certificates which when combined will distinguish
that identity. that identity.
The authentication MIB is structured around two primary "objects", The authorization MIB is structured around two primary "objects", the
the authentication instance, and the identity, which serve as authorization instance, and the identity, which serve as containers
containers for the remainder of the objects. This section contains a for the remainder of the objects. This section contains a brief
brief description of the "object" hierarchy and a description of each description of the "object" hierarchy and a description of each
object, followed by a discussion of the actual SNMP table structure object, followed by a discussion of the actual SNMP table structure
within the objects. within the objects.
4.1. Authentication MIB Object Model 4.1. Authorization MIB Object Model
The top-level object in this structure is the authentication The top-level object in this structure is the authorization instance,
instance, which "contains" all of the other objects. The indexing which "contains" all of the other objects. The indexing hierarchy of
hierarchy of this MIB looks like: this MIB looks like:
ipsAuthInstance ipsAuthInstance
-- A distinct authentication entity within the managed system. -- A distinct authorization entity within the managed system.
-- Most implementations will have just one of these. -- Most implementations will have just one of these.
ipsAuthIdentity ipsAuthIdentity
-- A user identity, consisting of a set of identity names, -- A user identity, consisting of a set of identity names,
-- addresses, and credentials reflected in the following -- addresses, and credentials reflected in the following
-- objects, as well as a RowPointer to an ipsAuthCertificate. -- objects:
ipsAuthIdentityName ipsAuthIdentityName
-- A name for a user identity. A name should be globally -- A name for a user identity. A name should be globally
-- unique, and unchanging over time. Some protocols may -- unique, and unchanging over time. Some protocols may
-- not require this one. -- not require this one.
ipsAuthIdentityAddress ipsAuthIdentityAddress
-- An address range, typically but not necessarily an -- An address range, typically but not necessarily an
-- IPv4, IPv6, or Fibre Channel address range, at which -- IPv4, IPv6, or Fibre Channel address range, at which
-- the identity is allowed to reside. -- the identity is allowed to reside.
ipsAuthCredential ipsAuthCredential
-- A single credential, such as a CHAP username/password, -- A single credential, such as a CHAP username,
-- which can ipsAuthenticate the identity. -- which can be used to verify the identity.
ipsAuthCredChap ipsAuthCredChap
-- CHAP-specific attributes for an ipsAuthCredential -- CHAP-specific attributes for an ipsAuthCredential
ipsAuthCredSrp ipsAuthCredSrp
-- SRP-specific attributes -- SRP-specific attributes
ipsAuthCredKerberos ipsAuthCredKerberos
-- Kerberos-specific attributes -- Kerberos-specific attributes
Each identity contains the information necessary to authenticate a Each identity contains the information necessary to identify a
particular end-point that wishes to access a service, such as iSCSI. particular end-point that wishes to access a service, such as iSCSI.
An identity can contain multiple names, addresses, and credentials. An identity can contain multiple names, addresses, and credentials.
4.2. ipsAuthInstance 4.2. ipsAuthInstance
The ipsAuthInstanceAttributesTable is the primary table of the The ipsAuthInstanceAttributesTable is the primary table of the
authentication MIB. Every other table entry in this MIB includes the authorization MIB. Every other table entry in this MIB includes the
index of an ipsAuthInstanceAttributesEntry as its primary index. An index of an ipsAuthInstanceAttributesEntry as its primary index. An
authentication instance is basically a managed set of identities. authorization instance is basically a managed set of identities.
Many implementations will include just one authentication instance Many implementations will include just one authorization instance row
row in this table. However, there will be cases where multiple rows in this table. However, there will be cases where multiple rows in
in this table may be used: this table may be used:
- A large system may be "partitioned" into multiple, distinct virtual - A large system may be "partitioned" into multiple, distinct virtual
systems, perhaps sharing the SNMP agent but not their lists of systems, perhaps sharing the SNMP agent but not their lists of
identities. Each virtual system would have its own authentication identities. Each virtual system would have its own authorization
instance. instance.
- A set of stackable systems, each with their own set of identities, - A set of stackable systems, each with their own set of identities,
may be managed by a common SNMP agent. Each individual system may be represented by a common SNMP agent. Each individual system
would have its own authentication instance. would have its own authorization instance.
- Multiple protocols, each with their own set of identities, may - Multiple protocols, each with their own set of identities, may
exist within a single system and be managed by a single SNMP agent. exist within a single system and be represented by a single SNMP
In this case, each protocol may have its own authentication agent. In this case, each protocol may have its own authorization
instance. instance.
4.3. ipsAuthIdentity 4.3. ipsAuthIdentity
The ipsAuthIdentAttributesTable contains one entry for each The ipsAuthIdentAttributesTable contains one entry for each
configured user identity. The identity contains only a description configured user identity. The identity contains only a description
of what the identity is used for; its attributes are all contained in of what the identity is used for; its attributes are all contained in
other tables, since they can have multiple values. other tables, since they can each have multiple values.
Other MIBs containing lists of users authorized to access a Other MIBs containing lists of users authorized to access a
particular resource should generally contain a RowPointer to the particular resource should generally contain a RowPointer to the
ipsAuthIdentAttributesEntry which will, if authenticated, be allowed ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
access. access to the resource.
All other table entries make use of the indices to this table as All other table entries make use of the indices to this table as
their primary indices. their primary indices.
4.4. ipsAuthIdentityName 4.4. ipsAuthIdentityName
The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
each of which belong to, and may be used to identify, a particular each of which belong to, and may be used to identify, a particular
identity in the authIdentity table. identity in the authIdentity table.
Implementations making use of the authentication MIB may identify Implementations making use of the authorization MIB may identify
their resources by names, addresses, or both. A name is typically a their resources by names, addresses, or both. A name is typically a
unique (within the required scope), unchanging identifier for a unique (within the required scope), unchanging identifier for a
resource. It will normally meet some or all of the requirements for a resource. It will normally meet some or all of the requirements for a
Uniform Resource Name [RFC1737], although a name in the context of Uniform Resource Name [RFC1737], although a name in the context of
this MIB does not need to be a URN. Identifiers that typically this MIB does not need to be a URN. Identifiers that typically
change over time should generally be placed into the change over time should generally be placed into the
ipsAuthIdentityAddress table; names that have no uniqueness ipsAuthIdentityAddress table; names that have no uniqueness
properties should usually be placed into the description attribute properties should usually be placed into the description attribute
for the identity. for the identity.
An example of an identity name is the iSCSI Name, defined in [ISCSI]. An example of an identity name is the iSCSI Name, defined in [ISCSI].
If this table contains no entries associated with a particular user If this table contains no entries associated with a particular user
identity, the implementation does not need to check any name identity, the implementation does not need to check any name
parameters when authenticating that identity. If the table contains parameters when verifying that identity. If the table contains
multiple entries associated with a particular user identity, the multiple entries associated with a particular user identity, the
implementation should consider a match with any one of these entries implementation should consider a match with any one of these entries
to be valid. to be valid.
4.5. ipsAuthIdentityAddress 4.5. ipsAuthIdentityAddress
The ipsAuthIdentAddrAttributesTable contains a list of addresses at The ipsAuthIdentAddrAttributesTable contains a list of addresses at
which the identity may be authenticated. For example, an identity which the identity may reside. For example, an identity may be
may be allowed access to a resource only from a certain IP address, allowed access to a resource only from a certain IP address, or only
or only if its address is in a certain range or set of ranges. if its address is in a certain range or set of ranges.
Each entry contains a starting and ending address. If a single Each entry contains a starting and ending address. If a single
address is desired in the list, both starting and ending addresses address is desired in the list, both starting and ending addresses
must be identical. must be identical.
Each entry contains an AddrType attribute. This attribute contains Each entry contains an AddrType attribute. This attribute contains
an enumeration registered as an IANA Address Family type [IANA-AF]. an enumeration registered as an IANA Address Family type [IANA-AF].
Although many implementations will use IPv4 or IPv6 address types for Although many implementations will use IPv4 or IPv6 address types for
these entries, any IANA-registered type may be used, as long as it these entries, any IANA-registered type may be used, as long as it
makes sense to the application. makes sense to the application.
Matching any address within any range within the list associated with Matching any address within any range within the list associated with
a particular identity is considered to be a valid match. If no a particular identity is considered to be a valid match. If no
entries are present in this list for a given identity, its address is entries are present in this list for a given identity, its address is
not checked during authentication. automatically assumed to match the identity.
Netmasks are not supported, since an address range can express the Netmasks are not supported, since an address range can express the
same thing with more flexibility. An application specifying same thing with more flexibility. An application specifying
addresses using network masks may do so, and convert to and from addresses using network masks may do so, and convert to and from
address ranges when reading or writing this MIB. address ranges when reading or writing this MIB.
4.6. ipsAuthCredential 4.6. ipsAuthCredential
The ipsAuthCredentialAttributesTable contains a list of credentials, The ipsAuthCredentialAttributesTable contains a list of credentials,
each of which may authenticate a particular identity. each of which may be used to verify a particular identity.
Each credential contains an authentication method to be used, such as Each credential contains an authentication method to be used, such as
CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute
contains an object identifier instead of an enumerated type, allowing contains an object identifier instead of an enumerated type, allowing
other MIBs to add their own authentication methods, without modifying other MIBs to add their own authentication methods, without modifying
this MIB. this MIB.
For each entry in this table, there will exist an entry in another For each entry in this table, there will exist an entry in another
table containing its attributes. The table in which to place the table containing its attributes. The table in which to place the
entry depends on the AuthMethod attribute: entry depends on the AuthMethod attribute:
skipping to change at page 9, line 28 skipping to change at page 9, line 28
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC 2571 FROM SNMP-FRAMEWORK-MIB -- RFC 2571
AddressFamilyNumbers AddressFamilyNumbers
FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
; ;
ipsAuthModule MODULE-IDENTITY ipsAuthModule MODULE-IDENTITY
LAST-UPDATED "200211010000Z" -- November 1, 2002 LAST-UPDATED "200312090000Z" -- December 9, 2003
ORGANIZATION "IETF IPS Working Group" ORGANIZATION "IETF IPS Working Group"
CONTACT-INFO CONTACT-INFO
" "
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
E-mail: mbakke@cisco.com E-mail: mbakke@cisco.com
Jim Muchow Jim Muchow
Postal: Cisco Systems, Inc E-mail: jamesdmuchow@yahoo.com"
6450 Wedgwood Road, Suite 130
Maple Grove, MN
USA 55311
Tel: +1 763-398-1000
Fax: +1 763-398-1001
E-mail: jmuchow@cisco.com"
DESCRIPTION DESCRIPTION
"The IP Storage Authentication MIB module." "The IP Storage Authorization MIB module."
REVISION "200211010000Z" -- November 1, 2002 REVISION "200312090000Z" -- December 9, 2003
DESCRIPTION DESCRIPTION
"Initial revision published as RFC xxxx." "Initial revision published as RFC xxxx."
--::= { mib-2 xx } --::= { mib-2 xx }
-- in case you want to COMPILE -- in case you want to COMPILE
::= { experimental 99999 } ::= { experimental 99999 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 } ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 } ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 } ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 }
skipping to change at page 11, line 42 skipping to change at page 11, line 34
ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 } ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }
-- Instance Attributes Table -- Instance Attributes Table
ipsAuthInstanceAttributesTable OBJECT-TYPE ipsAuthInstanceAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of Authentication instances present on the system." "A list of Authorization instances present on the system."
::= { ipsAuthInstance 2 } ::= { ipsAuthInstance 2 }
ipsAuthInstanceAttributesEntry OBJECT-TYPE ipsAuthInstanceAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthInstanceAttributesEntry SYNTAX IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a particular Authentication instance." applicable to a particular Authorization instance."
INDEX { ipsAuthInstIndex } INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 } ::= { ipsAuthInstanceAttributesTable 1 }
IpsAuthInstanceAttributesEntry ::= SEQUENCE { IpsAuthInstanceAttributesEntry ::= SEQUENCE {
ipsAuthInstIndex Unsigned32, ipsAuthInstIndex Unsigned32,
ipsAuthInstDescr SnmpAdminString ipsAuthInstDescr SnmpAdminString
} }
ipsAuthInstIndex OBJECT-TYPE ipsAuthInstIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 12, line 18 skipping to change at page 12, line 9
ipsAuthInstIndex Unsigned32, ipsAuthInstIndex Unsigned32,
ipsAuthInstDescr SnmpAdminString ipsAuthInstDescr SnmpAdminString
} }
ipsAuthInstIndex OBJECT-TYPE ipsAuthInstIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular authentication instance." particular authorization instance."
::= { ipsAuthInstanceAttributesEntry 1 } ::= { ipsAuthInstanceAttributesEntry 1 }
ipsAuthInstDescr OBJECT-TYPE ipsAuthInstDescr OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string, determined by the implementation to "An octet string, determined by the implementation to
describe the authentication instance. When only a single describe the authorization instance. When only a single
instance is present, this object may be set to the instance is present, this object may be set to the
zero-length string; with multiple authentication zero-length string; with multiple authorization
instances, it may be used in an implementation-dependent instances, it may be used in an implementation-dependent
manner to describe the purpose of the respective instance." manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 } ::= { ipsAuthInstanceAttributesEntry 2 }
ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }
-- User Identity Attributes Table -- User Identity Attributes Table
ipsAuthIdentAttributesTable OBJECT-TYPE ipsAuthIdentAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
skipping to change at page 13, line 4 skipping to change at page 12, line 44
"A list of user identities, each belonging to a "A list of user identities, each belonging to a
particular ipsAuthInstance." particular ipsAuthInstance."
::= { ipsAuthIdentity 1 } ::= { ipsAuthIdentity 1 }
ipsAuthIdentAttributesEntry OBJECT-TYPE ipsAuthIdentAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentAttributesEntry SYNTAX IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
describing a user identity within an authentication describing a user identity within an authorization
instance on this node." instance on this node."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable 1 } ::= { ipsAuthIdentAttributesTable 1 }
IpsAuthIdentAttributesEntry ::= SEQUENCE { IpsAuthIdentAttributesEntry ::= SEQUENCE {
ipsAuthIdentIndex Unsigned32, ipsAuthIdentIndex Unsigned32,
ipsAuthIdentDescription SnmpAdminString, ipsAuthIdentDescription SnmpAdminString,
ipsAuthIdentRowStatus RowStatus ipsAuthIdentRowStatus RowStatus
} }
ipsAuthIdentIndex OBJECT-TYPE ipsAuthIdentIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular identity instance within an authentication particular identity instance within an authorization
instance present on the node." instance present on the node."
::= { ipsAuthIdentAttributesEntry 1 } ::= { ipsAuthIdentAttributesEntry 1 }
ipsAuthIdentDescription OBJECT-TYPE ipsAuthIdentDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string describing this particular identity." "An octet string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 } ::= { ipsAuthIdentAttributesEntry 2 }
skipping to change at page 14, line 15 skipping to change at page 14, line 7
::= { ipsAuthIdentityName 1 } ::= { ipsAuthIdentityName 1 }
ipsAuthIdentNameAttributesEntry OBJECT-TYPE ipsAuthIdentNameAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentNameAttributesEntry SYNTAX IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a unique identity name which can be used applicable to a unique identity name which can be used
to identify a user identity within a particular to identify a user identity within a particular
authentication instance." authorization instance."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
ipsAuthIdentNameIndex } ipsAuthIdentNameIndex }
::= { ipsAuthIdentNameAttributesTable 1 } ::= { ipsAuthIdentNameAttributesTable 1 }
IpsAuthIdentNameAttributesEntry ::= SEQUENCE { IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
ipsAuthIdentNameIndex Unsigned32, ipsAuthIdentNameIndex Unsigned32,
ipsAuthIdentName SnmpAdminString, ipsAuthIdentName SnmpAdminString,
ipsAuthIdentNameRowStatus RowStatus ipsAuthIdentNameRowStatus RowStatus
} }
ipsAuthIdentNameIndex OBJECT-TYPE ipsAuthIdentNameIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular identity name instance within an particular identity name instance within an
ipsAuthIdentity within an authentication instance." ipsAuthIdentity within an authorization instance."
::= { ipsAuthIdentNameAttributesEntry 1 } ::= { ipsAuthIdentNameAttributesEntry 1 }
ipsAuthIdentName OBJECT-TYPE ipsAuthIdentName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A character string which is the unique name of an "A character string which is the unique name of an
identity that may be used to identify this ipsAuthIdent identity that may be used to identify this ipsAuthIdent
entry." entry."
skipping to change at page 15, line 31 skipping to change at page 15, line 23
FC-WWPN, or FC-WWNN." FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 } ::= { ipsAuthIdentityAddress 1 }
ipsAuthIdentAddrAttributesEntry OBJECT-TYPE ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentAddrAttributesEntry SYNTAX IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to an address range which is used as part applicable to an address range which is used as part
of the authentication of an identity of the authorization of an identity
within an authentication instance on this node." within an authorization instance on this node."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
ipsAuthIdentAddrIndex } ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 } ::= { ipsAuthIdentAddrAttributesTable 1 }
IpsAuthIdentAddrAttributesEntry ::= SEQUENCE { IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
ipsAuthIdentAddrIndex Unsigned32, ipsAuthIdentAddrIndex Unsigned32,
ipsAuthIdentAddrType AddressFamilyNumbers, ipsAuthIdentAddrType AddressFamilyNumbers,
ipsAuthIdentAddrStart IpsAuthAddress, ipsAuthIdentAddrStart IpsAuthAddress,
ipsAuthIdentAddrEnd IpsAuthAddress, ipsAuthIdentAddrEnd IpsAuthAddress,
ipsAuthIdentAddrRowStatus RowStatus ipsAuthIdentAddrRowStatus RowStatus
} }
ipsAuthIdentAddrIndex OBJECT-TYPE ipsAuthIdentAddrIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular ipsAuthIdentAddress instance within an particular ipsAuthIdentAddress instance within an
ipsAuthIdentity within an authentication instance ipsAuthIdentity within an authorization instance
present on the node." present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 } ::= { ipsAuthIdentAddrAttributesEntry 1 }
ipsAuthIdentAddrType OBJECT-TYPE ipsAuthIdentAddrType OBJECT-TYPE
SYNTAX AddressFamilyNumbers SYNTAX AddressFamilyNumbers
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The type of Address in the ipsAuthIdentAddress "The type of Address in the ipsAuthIdentAddress
start, end, and mask fields. This type is taken start, end, and mask fields. This type is taken
skipping to change at page 17, line 18 skipping to change at page 17, line 11
that are allowed as valid authenticators of the that are allowed as valid authenticators of the
particular identity." particular identity."
::= { ipsAuthCredential 1 } ::= { ipsAuthCredential 1 }
ipsAuthCredentialAttributesEntry OBJECT-TYPE ipsAuthCredentialAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredentialAttributesEntry SYNTAX IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which authenticates a user applicable to a credential which verifies a user
identity within an authentication instance." identity within an authorization instance."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 } ::= { ipsAuthCredentialAttributesTable 1 }
IpsAuthCredentialAttributesEntry ::= SEQUENCE { IpsAuthCredentialAttributesEntry ::= SEQUENCE {
ipsAuthCredIndex Unsigned32, ipsAuthCredIndex Unsigned32,
ipsAuthCredAuthMethod AutonomousType, ipsAuthCredAuthMethod AutonomousType,
ipsAuthCredRowStatus RowStatus ipsAuthCredRowStatus RowStatus
} }
ipsAuthCredIndex OBJECT-TYPE ipsAuthCredIndex OBJECT-TYPE
skipping to change at page 18, line 40 skipping to change at page 18, line 31
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which uses applicable to a credential which uses
ipsAuthMethodChap as their ipsAuthCredAuthMethod." ipsAuthMethodChap as their ipsAuthCredAuthMethod."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredChapAttributesTable 1 } ::= { ipsAuthCredChapAttributesTable 1 }
IpsAuthCredChapAttributesEntry ::= SEQUENCE { IpsAuthCredChapAttributesEntry ::= SEQUENCE {
ipsAuthCredChapUserName SnmpAdminString, ipsAuthCredChapUserName SnmpAdminString,
ipsAuthCredChapPassword SnmpAdminString,
ipsAuthCredChapRowStatus RowStatus ipsAuthCredChapRowStatus RowStatus
} }
ipsAuthCredChapUserName OBJECT-TYPE ipsAuthCredChapUserName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the CHAP user name for this "An octet string containing the CHAP user name for this
credential." credential."
::= { ipsAuthCredChapAttributesEntry 1 } ::= { ipsAuthCredChapAttributesEntry 1 }
ipsAuthCredChapPassword OBJECT-TYPE -- ipsAuthCredChapPassword (2) deleted
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the password for this
credential. If written, it changes the password for
the credential. If read, it returns a zero-length
string."
::= { ipsAuthCredChapAttributesEntry 2 }
ipsAuthCredChapRowStatus OBJECT-TYPE ipsAuthCredChapRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthCredChapAttributesEntry 3 } ::= { ipsAuthCredChapAttributesEntry 3 }
skipping to change at page 19, line 51 skipping to change at page 19, line 31
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which uses applicable to a credential which uses
ipsAuthMethodSrp as its ipsAuthCredAuthMethod." ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSrpAttributesTable 1 } ::= { ipsAuthCredSrpAttributesTable 1 }
IpsAuthCredSrpAttributesEntry ::= SEQUENCE { IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
ipsAuthCredSrpUserName SnmpAdminString, ipsAuthCredSrpUserName SnmpAdminString,
ipsAuthCredSrpPassword SnmpAdminString,
ipsAuthCredSrpRowStatus RowStatus ipsAuthCredSrpRowStatus RowStatus
} }
ipsAuthCredSrpUserName OBJECT-TYPE ipsAuthCredSrpUserName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the CHAP user name for this "An octet string containing the CHAP user name for this
credential." credential."
::= { ipsAuthCredSrpAttributesEntry 1 } ::= { ipsAuthCredSrpAttributesEntry 1 }
ipsAuthCredSrpPassword OBJECT-TYPE -- ipsAuthCredSrpPassword (2) deleted
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the password for this
credential. If written, it changes the password for
the credential. If read, it returns a zero-length
string."
::= { ipsAuthCredSrpAttributesEntry 2 }
ipsAuthCredSrpRowStatus OBJECT-TYPE ipsAuthCredSrpRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthCredSrpAttributesEntry 3 } ::= { ipsAuthCredSrpAttributesEntry 3 }
skipping to change at page 22, line 5 skipping to change at page 21, line 22
ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 } ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
ipsAuthInstanceAttributesGroup OBJECT-GROUP ipsAuthInstanceAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthInstDescr ipsAuthInstDescr
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
authentication instances." authorization instances."
::= { ipsAuthGroups 1 } ::= { ipsAuthGroups 1 }
ipsAuthIdentAttributesGroup OBJECT-GROUP ipsAuthIdentAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentDescription, ipsAuthIdentDescription,
ipsAuthIdentRowStatus ipsAuthIdentRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
user identities within an authentication instance." user identities within an authorization instance."
::= { ipsAuthGroups 2 } ::= { ipsAuthGroups 2 }
ipsAuthIdentNameAttributesGroup OBJECT-GROUP ipsAuthIdentNameAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentName, ipsAuthIdentName,
ipsAuthIdentNameRowStatus ipsAuthIdentNameRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
user names within user identities within an authentication user names within user identities within an authorization
instance." instance."
::= { ipsAuthGroups 3 } ::= { ipsAuthGroups 3 }
ipsAuthIdentAddrAttributesGroup OBJECT-GROUP ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentAddrType, ipsAuthIdentAddrType,
ipsAuthIdentAddrStart, ipsAuthIdentAddrStart,
ipsAuthIdentAddrEnd, ipsAuthIdentAddrEnd,
ipsAuthIdentAddrRowStatus ipsAuthIdentAddrRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
address ranges within user identities within an address ranges within user identities within an
authentication instance." authorization instance."
::= { ipsAuthGroups 4 } ::= { ipsAuthGroups 4 }
ipsAuthIdentCredAttributesGroup OBJECT-GROUP ipsAuthIdentCredAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredAuthMethod, ipsAuthCredAuthMethod,
ipsAuthCredRowStatus ipsAuthCredRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
credentials within user identities within an authentication credentials within user identities within an authorization
instance." instance."
::= { ipsAuthGroups 5 } ::= { ipsAuthGroups 5 }
ipsAuthIdentChapAttrGroup OBJECT-GROUP ipsAuthIdentChapAttrGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredChapUserName, ipsAuthCredChapUserName,
ipsAuthCredChapPassword,
ipsAuthCredChapRowStatus ipsAuthCredChapRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
CHAP credentials within user identities within an CHAP credentials within user identities within an
authentication instance." authorization instance."
::= { ipsAuthGroups 6 } ::= { ipsAuthGroups 6 }
ipsAuthIdentSrpAttrGroup OBJECT-GROUP ipsAuthIdentSrpAttrGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredSrpUserName, ipsAuthCredSrpUserName,
ipsAuthCredSrpPassword,
ipsAuthCredSrpRowStatus ipsAuthCredSrpRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
SRP credentials within user identities within an SRP credentials within user identities within an
authentication instance." authorization instance."
::= { ipsAuthGroups 7 } ::= { ipsAuthGroups 7 }
ipsAuthIdentKerberosAttrGroup OBJECT-GROUP ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthCredKerbPrincipal, ipsAuthCredKerbPrincipal,
ipsAuthCredKerbRowStatus ipsAuthCredKerbRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
Kerberos credentials within user identities within an Kerberos credentials within user identities within an
authentication instance." authorization instance."
::= { ipsAuthGroups 8 } ::= { ipsAuthGroups 8 }
------------------------------------------------------------------------ ------------------------------------------------------------------------
ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 } ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }
ipsAuthComplianceV1 MODULE-COMPLIANCE ipsAuthComplianceV1 MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Initial version of compliance statement based on "Initial version of compliance statement based on
skipping to change at page 24, line 30 skipping to change at page 23, line 44
-- the mandatory groups when necessary. -- the mandatory groups when necessary.
GROUP ipsAuthIdentNameAttributesGroup GROUP ipsAuthIdentNameAttributesGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that make use of unique identity names." that make use of unique identity names."
GROUP ipsAuthIdentAddrAttributesGroup GROUP ipsAuthIdentAddrAttributesGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use addresses to help authenticate identities." that use addresses to help verify identities."
GROUP ipsAuthIdentCredAttributesGroup GROUP ipsAuthIdentCredAttributesGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use credentials to help authenticate identities." that use credentials to help verify identities."
GROUP ipsAuthIdentChapAttrGroup GROUP ipsAuthIdentChapAttrGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use CHAP to help authenticate identities. that use CHAP to help verify identities.
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
GROUP ipsAuthIdentSrpAttrGroup GROUP ipsAuthIdentSrpAttrGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use SRP to help authenticate identities. that use SRP to help verify identities.
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
GROUP ipsAuthIdentKerberosAttrGroup GROUP ipsAuthIdentKerberosAttrGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use Kerberos to help authenticate identities. that use Kerberos to help verify identities.
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
OBJECT ipsAuthInstDescr OBJECT ipsAuthInstDescr
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT ipsAuthIdentDescription OBJECT ipsAuthIdentDescription
skipping to change at page 26, line 40 skipping to change at page 26, line 7
"Write access is not required, and only one of the "Write access is not required, and only one of the
six enumerated values for the RowStatus textual six enumerated values for the RowStatus textual
convention need be supported, specifically: convention need be supported, specifically:
active(1)." active(1)."
OBJECT ipsAuthCredChapUserName OBJECT ipsAuthCredChapUserName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT ipsAuthCredChapPassword
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredChapRowStatus OBJECT ipsAuthCredChapRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required, and only one of the "Write access is not required, and only one of the
six enumerated values for the RowStatus textual six enumerated values for the RowStatus textual
convention need be supported, specifically: convention need be supported, specifically:
active(1)." active(1)."
OBJECT ipsAuthCredSrpUserName OBJECT ipsAuthCredSrpUserName
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT ipsAuthCredSrpPassword
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredSrpRowStatus OBJECT ipsAuthCredSrpRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required, and only one of the "Write access is not required, and only one of the
six enumerated values for the RowStatus textual six enumerated values for the RowStatus textual
convention need be supported, specifically: convention need be supported, specifically:
active(1)." active(1)."
OBJECT ipsAuthCredKerbPrincipal OBJECT ipsAuthCredKerbPrincipal
skipping to change at page 28, line 19 skipping to change at page 27, line 19
objects may be considered sensitive or vulnerable in some network objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their network operations. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
All tables provide the ability to set up which credentials may be All tables provide the ability to set up which credentials may be
used to access services on the managed system, to remove used to access services on the managed system, to remove
legitimate credentials (a denial of service), or to remove legitimate credentials (a denial of service), or to remove
individual credentials to weaken the requirements for access of a individual credentials to weaken the requirements for access of a
particular service. In addition, write access may be used to particular service. Write access must always be tightly
change CHAP or SRP passwords to a known value. Write access must controlled. Note that some types of credentials, such as CHAP or
always be tightly controlled. SRP, also require passwords or verifiers to be associated with the
credential. These are managed outside this MIB.
Some of the readable objects in this MIB module (i.e., objects with a Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
All tables provide the ability to find out which names, addresses, All tables provide the ability to find out which names, addresses,
skipping to change at page 30, line 31 skipping to change at page 29, line 31
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
E-mail: mbakke@cisco.com E-mail: mbakke@cisco.com
Jim Muchow Jim Muchow
Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130
Maple Grove, MN
USA 55311
Tel: +1 763-398-1000
Fax: +1 763-398-1001
E-mail: jamesdmuchow@yahoo.com" E-mail: jamesdmuchow@yahoo.com"
10. IPR Notice 10. IPR Notice
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; neither does it represent that it
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/