--- 1/draft-ietf-radext-dynauth-server-mib-00.txt 2006-02-05 01:15:39.000000000 +0100 +++ 2/draft-ietf-radext-dynauth-server-mib-01.txt 2006-02-05 01:15:40.000000000 +0100 @@ -1,21 +1,20 @@ Network Working Group S. De Cnodder Internet-Draft Alcatel -Expires: November 19, 2005 N. Jonnala - Consult +Expires: January 8, 2006 N. Jonnala M. Chiba Cisco Systems, Inc. - May 18, 2005 + July 7, 2005 Dynamic Authorization Server MIB - draft-ietf-radext-dynauth-server-mib-00.txt + draft-ietf-radext-dynauth-server-mib-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -26,21 +25,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on November 19, 2005. + This Internet-Draft will expire on January 8, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes the RADIUS dynamic authorization server 
@@ -102,21 +101,23 @@ Dynamic Authorization Server (DAS) The component that resides on the NAS which processes the Disconnect and CoA requests sent by the Dynamic Authorization Client as described in [RFC3576]. Dynamic Authorization Client (DAC) The component which sends the Disconnect and CoA requests to the - Dynamic Authorization Server as described in [RFC3576]. + Dynamic Authorization Server as described in [RFC3576]. This is + typically a RADIUS Server, but is not limited to it and may, for + example, be a Rating Engine used for Prepaid Billing. Dynamic Authorization Server Port The UDP port on which the Dynamic Authorization server listens for the Disconnect and CoA requests sent by the Dynamic Authorization Client. 5. Overview The RADIUS dynamic authorization extensions defined in [RFC3576], 
@@ -157,131 +158,141 @@ mentioned above, a typical case would be where the MIBs for a RADIUS authentication server, a RADIUS accounting server, and a RADIUS dynamic authorization client are implemented by the same device. However, also for these 3 MIBs, they can be implemented independent from each other. A RADIUS proxy might implement any of these 6 MIBs, but can also implement any subset of these MIBs. +---------------+ +---------------+ User 1----| | Disconnect-Request | | | Dynamic | CoA-Request | Dynamic | - user 2----| Authorization |<---------------------| Authorization | + User 2----| Authorization |<---------------------| Authorization | | Server |--------------------->| Client | User 3----| (DAS) | Disconnect-Ack | (DAC) | | | Disconnect-NAK | | +---------------+ CoA-Ack/CoA-NAK +---------------+ Figure 1: Mapping of clients and servers. This MIB module for the dynamic authorization server contains the following: 1. Two scalar objects 2. One Dynamic Authorization Client Table. This table contains one - row for each DAC that the DAS shares a secret with. + row for each DAC with which the DAS shares a secret. 6. RADIUS Dynamic Authorization Server MIB Definitions RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Counter32, Integer32, mib-2 FROM SNMPv2-SMI SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress FROM INET-ADDRESS-MIB MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; radiusDynAuthServerMIB MODULE-IDENTITY - LAST-UPDATED "200505160000Z" -- 16 May 2005 + LAST-UPDATED "200507020000Z" -- 2 July 2005 ORGANIZATION "IETF RADEXT Working Group" CONTACT-INFO " Stefaan De Cnodder Alcatel Francis Wellesplein 1 B-2018 Antwerp Belgium Phone: +32 3 240 85 15 EMail: stefaan.de_cnodder@alcatel.be Nagi Reddy Jonnala - Consult - 4-486, Nutakki - AP, India, PIN: 522303 + Cisco Systems, Inc. + Divyasree Chambers, B Wing, + O'Shaugnessy Road, + Bangalore-560027, India. 
- Phone: +91 8645 275314 - EMail: nagireddyj@yahoo.com + Phone: +91 98456 99445 + EMail: njonnala@cisco.com Murtaza Chiba Cisco Systems, Inc. 170 West Tasman Dr. San Jose CA, 95134 Phone: +1 408 525 7198 EMail: mchiba@cisco.com " DESCRIPTION "The MIB module for entities implementing the server side of the Dynamic Authorization extensions Remote Access Dialin User Service (RADIUS) protocol. Copyright (C) The Internet Society (2005). This initial version of this MIB module was published in RFC yyyy; for full legal notices see the RFC itself. Supplementary information may be available on http://www.ietf.org/copyrights/ianamib.html." -- RFC Ed.: replace yyyy with actual RFC number & remove this note - REVISION "200505160000Z" -- 16 May 2005 + REVISION "200507020000Z" -- 2 July 2005 DESCRIPTION "Initial version as published in RFC yyyy." -- RFC Ed.: replace yyyy with actual RFC number & remove this note ::= { radiusDynamicAuthorization 1 } radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx } -- The value xxx to be assigned by IANA. radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 1 } radiusDynAuthServer OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBObjects 1 } - radiusDynAuthServerInvalidClientAddresses OBJECT-TYPE + radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION - "The number of RADIUS dynamic authorization messages - (both Disconnect and CoA) received from unknown + "The number of Disconnect messages received from unknown addresses." ::= { radiusDynAuthServer 1 } + radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of CoA messages received from unknown + addresses." 
+ ::= { radiusDynAuthServer 2 } + radiusDynAuthServerIdentifier OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The NAS-Identifier of the RADIUS dynamic authorization server." REFERENCE "RFC 2865, Section 5.32, NAS-Identifier." - ::= { radiusDynAuthServer 2 } + ::= { radiusDynAuthServer 3 } radiusDynAuthClientTable OBJECT-TYPE SYNTAX SEQUENCE OF RadiusDynAuthClientEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The (conceptual) table listing the RADIUS dynamic authorization clients with which the server shares a secret." - ::= { radiusDynAuthServer 3 } + ::= { radiusDynAuthServer 4 } + radiusDynAuthClientEntry OBJECT-TYPE SYNTAX RadiusDynAuthClientEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) representing one Dynamic Authorization Client with which the server shares a secret." INDEX { radiusDynAuthClientIndex } ::= { radiusDynAuthClientTable 1 } @@ -392,21 +403,21 @@ SYNTAX Counter32 UNITS "sessions" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of user sessions removed for the Disconnect-Requests received from this Dynamic Authorization Client. Depending on site specific policies, a single Disconnect request can remove multiple user sessions. In the case this - Dynamic Autorization Server has no knowledge on + Dynamic Autorization Server has no knowledge of the number of user sessions that are affected, then it counts a single user session for each such Disconnect-Request." REFERENCE "RFC 3576, Section 2.1, Disconnect Messages (DM)." ::= { radiusDynAuthClientEntry 8 } radiusDynAuthServMalformedDisconRequests OBJECT-TYPE SYNTAX Counter32 UNITS "requests" 
@@ -422,21 +433,21 @@ Section 2.3, Packet Format." ::= { radiusDynAuthClientEntry 9 } radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE SYNTAX Counter32 UNITS "requests" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Disconnect-Request packets - which contained invalid Signature attributes + which contained invalid Authenticator field received from this Dynamic Authorization Client." REFERENCE "RFC 3576, Section 2.1, Disconnect Messages (DM), and Section 2.3, Packet Format." ::= { radiusDynAuthClientEntry 10 } radiusDynAuthServDisconPacketsDropped OBJECT-TYPE SYNTAX Counter32 UNITS "requests" MAX-ACCESS read-only @@ -497,33 +508,32 @@ UNITS "replies" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS CoA-NAK packets sent to this Dynamic Authorization Client." REFERENCE "RFC 3576, Section 2.2, Change-of-Authorization Messages (CoA)." ::= { radiusDynAuthClientEntry 15 } - radiusDynAuthServCoAUserSessChanged OBJECT-TYPE SYNTAX Counter32 UNITS "sessions" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of user sessions authorization changed for the CoA-Requests received from this - Dynamic Authorization Cient. Depending on site + Dynamic Authorization Client. Depending on site specific policies, a single CoA request can change - multiple user sessions authorization. In the case - this Dynamic Autorization Server has no knowledge on + multiple user sessions' authorization. In the case + this Dynamic Autorization Server has no knowledge of the number of user sessions that are affected, then it counts a single user session for each such CoA-Request." REFERENCE "RFC 3576, Section 2.2, Change-of-Authorization Messages (CoA)." ::= { radiusDynAuthClientEntry 16 } radiusDynAuthServMalformedCoARequests OBJECT-TYPE SYNTAX Counter32 
@@ -540,37 +550,36 @@ Messages (CoA), and Section 2.3, Packet Format." ::= { radiusDynAuthClientEntry 17 } radiusDynAuthServCoABadAuthenticators OBJECT-TYPE SYNTAX Counter32 UNITS "requests" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS CoA-Request packets which - contained invalid Signature attributes received + contained invalid Authenticator field received from this Dynamic Authorization client." REFERENCE "RFC 3576, Section 2.2, Change-of-Authorization Messages (CoA), and Section 2.3, Packet Format." ::= { radiusDynAuthClientEntry 18 } - radiusDynAuthServCoAPacketsDropped OBJECT-TYPE SYNTAX Counter32 UNITS "requests" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of incoming CoA packets from this Dynamic Authorization Client silently discarded by the server application for some reason other than - malformed, bad clisdfauthenticators or unknown types." + malformed, bad authenticators or unknown types." REFERENCE "RFC 3576, Section 2.2, Change-of-Authorization Messages (CoA), and Section 2.3, Packet Format." ::= { radiusDynAuthClientEntry 19 } radiusDynAuthServUnknownTypes OBJECT-TYPE SYNTAX Counter32 UNITS "requests" MAX-ACCESS read-only STATUS current 
@@ -595,23 +604,23 @@ radiusAuthServerMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for entities implementing the RADIUS Dynamic Authorization Server." MODULE -- this module MANDATORY-GROUPS { radiusDynAuthServerMIBGroup } ::= { radiusDynAuthServerMIBCompliances 1 } -- units of conformance - radiusDynAuthServerMIBGroup OBJECT-GROUP - OBJECTS { radiusDynAuthServerInvalidClientAddresses, + OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses, + radiusDynAuthServerCoAInvalidClientAddresses, radiusDynAuthServerIdentifier, radiusDynAuthClientAddressType, radiusDynAuthClientAddress, radiusDynAuthServDisconRequests, radiusDynAuthServDupDisconRequests, radiusDynAuthServDisconAcks, radiusDynAuthServDisconNaks, radiusDynAuthServDisconUserSessRemoved, radiusDynAuthServMalformedDisconRequests, radiusDynAuthServDisconBadAuthenticators, @@ -657,21 +666,22 @@ an attack on the DAC. radiusDynAuthServerIdentifier This can be used to determine the Identifier of the DAS. This information could be useful in impersonating the DAS. The other readable objects are not really considered as being sensitive or vulnerable. These objects are: - radiusDynAuthServerInvalidClientAddresses, + radiusDynAuthServerDisconInvalidClientAddresses, + radiusDynAuthServerCoAInvalidClientAddresses, radiusDynAuthServDisconRequests, radiusDynAuthServDupDisconRequests, radiusDynAuthServDisconAcks, radiusDynAuthServDisconNaks, radiusDynAuthServDisconUserSessRemoved, radiusDynAuthServMalformedDisconRequests, radiusDynAuthServDisconBadAuthenticators, radiusDynAuthServDisconPacketsDropped, radiusDynAuthServCoARequests, radiusDynAuthServDupCoARequests, 
@@ -713,21 +723,21 @@ The authors would also like to acknowledge the following people for their comments to this document: Anjaneyulu Pata, Dan Romascanu, and Bert Wijnen. 10. References 10.1 Normative References [DYNCLNT] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic - Auhtorization Client MIB", + Authorization Client MIB", draft-decnodder-radext-dynauth-client-mib-01.txt, work in progress, June 2004. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. @@ -768,26 +778,26 @@ Stefaan De Cnodder Alcatel Francis Wellesplein 1 B-2018 Antwerp Belgium Phone: +32 3 240 85 15 Email: stefaan.de_cnodder@alcatel.be Nagi Reddy Jonnala - Consult - 4-486, Nutakki - AP, India, PIN: 522303 + Cisco Systems, Inc. + Divyasree Chambers, B Wing, O'Shaugnessy Road + Bangalore-560027, India - Phone: +91 8645 275314 - Email: nagireddyj@yahoo.com + Phone: +91 98456 99445 + Email: njonnala@cisco.com Murtaza Chiba Cisco Systems, Inc. 170 West Tasman Dr. San Jose CA, 95134 Phone: +1 408 525 7198 Email: mchiba@cisco.com Intellectual Property Statement
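Review bot: In hunk @@ -157,131 +158,141 @@ the overview list still reads "1. Two scalar objects", but once radiusDynAuthServerCoAInvalidClientAddresses is added next to radiusDynAuthServerDisconInvalidClientAddresses and radiusDynAuthServerIdentifier the module has three scalars; the count needs updating. The same hunk changes what { radiusDynAuthServer 1 } counts (Disconnect only, where -00 counted "both Disconnect and CoA") and moves radiusDynAuthServerIdentifier and radiusDynAuthClientTable to { radiusDynAuthServer 3 } and { radiusDynAuthServer 4 }; that is acceptable while the module root is still "{ mib-2 xxx }" awaiting IANA assignment, but it is an incompatible change from -00 and deserves an explicit mention so nobody carries an -00 implementation forward without renumbering. Finally, both scalar counters lack the UNITS "requests" and REFERENCE clauses that every per-client counter in the module carries; adding them keeps the definitions consistent.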
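Review bot: In hunk @@ -392,21 +403,21 @@ the rewritten line "Dynamic Autorization Server has no knowledge of" corrects the preposition but keeps the misspelling "Autorization"; since the line is already being touched, change it to "Authorization".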
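Review bot: In hunk @@ -422,21 +433,21 @@ the new wording "which contained invalid Authenticator field received from this Dynamic Authorization Client" is missing an article; suggest "with an invalid Authenticator field, received from this Dynamic Authorization Client". The substitution of "Authenticator field" for "Signature attributes" is the right fix, since it now matches both the object name radiusDynAuthServDisconBadAuthenticators and the "Section 2.3, Packet Format" citation already in the REFERENCE clause.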
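Review bot: In hunk @@ -497,33 +508,32 @@ the new line "this Dynamic Autorization Server has no knowledge of" still carries the "Autorization" typo; fix it while the line is being changed. The "-" line that removes the blank line ahead of radiusDynAuthServCoAUserSessChanged leaves that definition butted directly against "::= { radiusDynAuthClientEntry 15 }", unlike every other OBJECT-TYPE in the module; if this is only to make the page break fit, the blank separator is worth keeping so the extracted MIB stays readable.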
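Review bot: In hunk @@ -540,37 +550,36 @@ "contained invalid Authenticator field received from this Dynamic Authorization client" has the same missing article as the Disconnect counter and uses lowercase "client" where the rest of the module writes "Dynamic Authorization Client"; suggest "with an invalid Authenticator field, received from this Dynamic Authorization Client". The removal of the blank line before radiusDynAuthServCoAPacketsDropped leaves it as the only object in this region not separated from its predecessor by a blank line; keep the separator unless there is a page-layout reason that cannot be met otherwise. The "clisdfauthenticators" fix in the same hunk is correct.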
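Review bot: In hunk @@ -595,23 +604,23 @@ the compliance statement is named radiusAuthServerMIBCompliance while everything around it, including the radiusDynAuthServerMIBCompliances node it is registered under and the radiusDynAuthServerMIBGroup it mandates, uses the radiusDynAuthServer prefix; the current name is also easy to confuse with the RADIUS authentication server MIB. Rename it to radiusDynAuthServerMIBCompliance. The OBJECTS list update itself is correct in naming both radiusDynAuthServerDisconInvalidClientAddresses and radiusDynAuthServerCoAInvalidClientAddresses, so the mandatory group covers the new counter.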
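Review bot: In hunk @@ -713,21 +723,21 @@ the [DYNCLNT] entry fixes the title typo but still cites draft-decnodder-radext-dynauth-client-mib-01.txt dated June 2004 as a normative reference; given that this document now carries a draft-ietf-radext- filename, check whether the companion client MIB has likewise been adopted by the working group and, if so, point the reference at its current filename and date.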