draft-ietf-radext-rfc2618bis-01.txt | draft-ietf-radext-rfc2618bis-02.txt | |||
---|---|---|---|---|
Network Working Group D. Nelson | Network Working Group D. Nelson | |||
Internet-Draft Enterasys Networks | Internet-Draft Enterasys Networks | |||
Obsoletes: RFC 2618 (if approved) October 18, 2005 | Obsoletes: RFC 2618 (if approved) January 20, 2006 | |||
Expires: April 21, 2006 | Expires: July 24, 2006 | |||
RADIUS Auth Client MIB (IPv6) | RADIUS Auth Client MIB (IPv6) | |||
draft-ietf-radext-rfc2618bis-01.txt | draft-ietf-radext-rfc2618bis-02.txt | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on April 21, 2006. | This Internet-Draft will expire on July 24, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
This memo defines a set of extensions which instrument RADIUS | ||||
authentication client functions. These extensions represent a | ||||
portion of the Management Information Base (MIB) for use with network | ||||
management protocols in the Internet community. Using these | ||||
extensions IP-based management stations can manage RADIUS | ||||
authentication clients. | ||||
This memo obsoletes RFC 2618 by deprecating the MIB table containing | This memo obsoletes RFC 2618 by deprecating the MIB table containing | |||
IPv4-only address formats and defining a new table to add support for | IPv4-only address formats and defining a new table to add support for | |||
version neutral IP address formats. The remaining MIB objects from | version neutral IP address formats. The remaining MIB objects from | |||
RFC 2618 are carried forward into this document. | RFC 2618 are carried forward into this document. The memo also adds | |||
UNITS and REFERENCE clauses to selected objects. | ||||
Table of Contents | Table of Contents | |||
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. The Internet-Standard Management Framework . . . . . . . . . . 3 | 3. The Internet-Standard Management Framework . . . . . . . . . . 3 | |||
4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | |||
6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 | |||
7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Normative References . . . . . . . . . . . . . . . . . . . . . 20 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 18 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 21 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 19 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 19 | Intellectual Property and Copyright Statements . . . . . . . . . . 23 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
Intellectual Property and Copyright Statements . . . . . . . . . . 21 | ||||
1. Terminology | 1. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
This document uses terminology from RFC 2865 [RFC2865]. | This document uses terminology from RFC 2865 [RFC2865]. | |||
This document uses the word "malformed" with respect to RADIUS | ||||
packets, particularly in the context of counters of "malformed | ||||
packets". While RFC 2865 does not provide an explicit definition of | ||||
"malformed", malformed generally means that the implementation has | ||||
determined the packet does not match the format defined in RFC 2865. | ||||
Some implementations may determine that packets are malformed when | ||||
the Vendor Specific Attribute (VSA) format does not follow the RFC | ||||
2865 recommendations for VSAs. Those implementations are used in | ||||
deployments today, and thus set the de-facto definition of | ||||
"malformed". | ||||
2. Introduction | 2. Introduction | |||
This memo defines a portion of the Management Information Base (MIB) | This memo defines a portion of the Management Information Base (MIB) | |||
for use with network management protocols in the Internet community. | for use with network management protocols in the Internet community. | |||
The objects defined within this memo relate to the Remote | The objects defined within this memo relate to the Remote | |||
Authentication Dial-In User Service (RADIUS) Authentication Client as | Authentication Dial-In User Service (RADIUS) Authentication Client as | |||
defined in RFC 2865 [RFC2865]. | defined in RFC 2865 [RFC2865]. | |||
3. The Internet-Standard Management Framework | 3. The Internet-Standard Management Framework | |||
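Review bot: The "malformed" paragraph in Section 1 leaves the definition to each implementation, including whether a VSA that does not follow the RFC 2865 recommendations counts, so values of the "malformed packets" counters are not comparable across vendors. Suggest stating that in the DESCRIPTION of radiusAuthClientMalformedAccessResponses, or pointing that DESCRIPTION at this paragraph, so a management station does not read a difference between two client implementations as a difference in server behaviour.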
skipping to change at page 3, line 46 | skipping to change at page 4, line 11 | |||
4. Scope of Changes | 4. Scope of Changes | |||
This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | |||
Client MIB, by deprecating the radiusAuthServerTable table and adding | Client MIB, by deprecating the radiusAuthServerTable table and adding | |||
a new table, radiusAuthServerExtTable, containing | a new table, radiusAuthServerExtTable, containing | |||
radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | |||
radiusAuthClientServerInetPortNumber. The purpose of these added MIB | radiusAuthClientServerInetPortNumber. The purpose of these added MIB | |||
objects is to support version neutral IP addressing formats. The | objects is to support version neutral IP addressing formats. The | |||
existing table containing radiusAuthServerAddress and | existing table containing radiusAuthServerAddress and | |||
radiusAuthClientServerPortNumber is deprecated. The remaining MIB | radiusAuthClientServerPortNumber is deprecated. The remaining MIB | |||
objects are carried forward from RFC 2618 into this document. | objects are carried forward from RFC 2618 into this document. This | |||
memo also adds UNITS and REFERENCE clauses to selected objects. | ||||
RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | |||
IPv6 addresses, contains the following recommendation. | IPv6 addresses, contains the following recommendation. | |||
'In particular, when revising a MIB module that contains IPv4 | 'In particular, when revising a MIB module that contains IPv4 | |||
specific tables, it is suggested to define new tables using the | specific tables, it is suggested to define new tables using the | |||
textual conventions defined in this memo [RFC 4001] that support all | textual conventions defined in this memo [RFC 4001] that support all | |||
versions of IP. The status of the new tables SHOULD be "current", | versions of IP. The status of the new tables SHOULD be "current", | |||
whereas the status of the old IP version specific tables SHOULD be | whereas the status of the old IP version specific tables SHOULD be | |||
changed to "deprecated". The other approach, of having multiple | changed to "deprecated". The other approach, of having multiple | |||
similar tables for different IP versions, is strongly discouraged.' | similar tables for different IP versions, is strongly discouraged.' | |||
5. Structure of the MIB Module | 5. Structure of the MIB Module | |||
The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | |||
distinguishes between the client function and the server function. | distinguishes between the client function and the server function. | |||
In RADIUS authentication, clients send Access-Requests, and servers | In RADIUS authentication, clients send Access-Requests, and servers | |||
reply with Access-Accepts, Access-Rejects, and Access-Challenges. | reply with Access-Accepts, Access-Rejects, and Access-Challenges. | |||
Typically NAS devices implement the client function, and thus would | Typically Network Access Server (NAS) devices implement the client | |||
be expected to implement the RADIUS authentication client MIB, while | function, and thus would be expected to implement the RADIUS | |||
RADIUS authentication servers implement the server function, and thus | authentication client MIB, while RADIUS authentication servers | |||
would be expected to implement the RADIUS authentication server MIB. | implement the server function, and thus would be expected to | |||
implement the RADIUS authentication server MIB. | ||||
However, it is possible for a RADIUS authentication entity to perform | However, it is possible for a RADIUS authentication entity to perform | |||
both client and server functions. For example, a RADIUS proxy may | both client and server functions. For example, a RADIUS proxy may | |||
act as a server to one or more RADIUS authentication clients, while | act as a server to one or more RADIUS authentication clients, while | |||
simultaneously acting as an authentication client to one or more | simultaneously acting as an authentication client to one or more | |||
authentication servers. In such situations, it is expected that | authentication servers. In such situations, it is expected that | |||
RADIUS entities combining client and server functionality will | RADIUS entities combining client and server functionality will | |||
support both the client and server MIBs. | support both the client and server MIBs. | |||
This MIB module contains two scalars as well as a single table, the | This MIB module contains two scalars as well as a single table, the | |||
RADIUS Authentication Server Table, which contains one row for each | RADIUS Authentication Server Table, which contains one row for each | |||
RADIUS authentication server with which the client shares a secret. | RADIUS authentication server with which the client shares a secret. | |||
Each entry in the RADIUS Authentication Server Table includes sixteen | Each entry in the RADIUS Authentication Server Table includes fifteen | |||
columns presenting a view of the activity of the RADIUS | columns presenting a view of the activity of the RADIUS | |||
authentication client. | authentication client. | |||
6. Deprecated Objects | 6. Deprecated Objects | |||
The deprecated table in this MIB is carried forward from RFC 2618 | The deprecated table in this MIB is carried forward from RFC 2618 | |||
[RFC2618]. There are two conditions under which it MAY be desirable | [RFC2618]. There are two conditions under which it MAY be desirable | |||
for managed entities to continue to support the deprecated table: | for managed entities to continue to support the deprecated table: | |||
1. The managed entity only supports IPv4 address formats. | 1. The managed entity only supports IPv4 address formats. | |||
2. The managed entity supports both IPv4 and IPv6 address formats, | 2. The managed entity supports both IPv4 and IPv6 address formats, | |||
and the deprecated table is supported for backwards compatibility | and the deprecated table is supported for backwards compatibility | |||
with older management stations. This option SHOULD only be used | with older management stations. This option SHOULD only be used | |||
when the IP addresses in the new table are in IPv4 format and can | when the IP addresses in the new table are in IPv4 format and can | |||
accurately be represented in both the new table and the | accurately be represented in both the new table and the | |||
deprecated table. | deprecated table. | |||
Managed entities SHOULD NOT instantiate the deprecated table | Managed entities SHOULD NOT instantiate row entries in the deprecated | |||
containing IPv4-only address objects when the RADIUS server address | table, containing IPv4-only address objects, when the RADIUS server | |||
represented in the table row is not an IPv4 address. Managed | address represented in such a table row is not an IPv4 address. | |||
entities SHOULD NOT return inaccurate values of IP address or SNMP | Managed entities SHOULD NOT return inaccurate values of IP address or | |||
object access errors for IPv4-only address objects in otherwise | SNMP object access errors for IPv4-only address objects in otherwise | |||
populated tables. | populated tables. When row entries exist in both the deprecated | |||
IPv4-only table and the new IP version neutral table that describe | ||||
the same RADIUS server, the row indexes SHOULD be the same for the | ||||
corresponding rows in each table, to facilitate correlation of these | ||||
related rows by management applications. | ||||
7. Definitions | 7. Definitions | |||
RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | |||
IMPORTS | IMPORTS | |||
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | |||
Counter32, Integer32, Gauge32, | Counter32, Integer32, Gauge32, | |||
IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | |||
SnmpAdminString FROM SNMP-FRAMEWORK-MIB | SnmpAdminString FROM SNMP-FRAMEWORK-MIB | |||
InetAddressType, InetAddress, | InetAddressType, InetAddress, | |||
InetPortNumber FROM INET-ADDRESS-MIB | InetPortNumber FROM INET-ADDRESS-MIB | |||
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | |||
radiusAuthClientMIB MODULE-IDENTITY | radiusAuthClientMIB MODULE-IDENTITY | |||
LAST-UPDATED "200510170000Z" -- 17 Oct 2005 | LAST-UPDATED "200601200000Z" -- 20 Jan 2006 | |||
ORGANIZATION "IETF RADIUS Extensions Working Group." | ORGANIZATION "IETF RADIUS Extensions Working Group." | |||
CONTACT-INFO | CONTACT-INFO | |||
" Bernard Aboba | " Bernard Aboba | |||
Microsoft | Microsoft | |||
One Microsoft Way | One Microsoft Way | |||
Redmond, WA 98052 | Redmond, WA 98052 | |||
US | US | |||
Phone: +1 425 936 6605 | Phone: +1 425 936 6605 | |||
EMail: bernarda@microsoft.com" | EMail: bernarda@microsoft.com" | |||
DESCRIPTION | DESCRIPTION | |||
"The MIB module for entities implementing the client | "The MIB module for entities implementing the client | |||
side of the Remote Authentication Dial-In User Service | side of the Remote Authentication Dial-In User Service | |||
(RADIUS) authentication protocol." | (RADIUS) authentication protocol." | |||
REVISION "200510170000Z" -- 17 Oct 2005 | REVISION "200601200000Z" -- 20 Jan 2006 | |||
DESCRIPTION "Revised version as published in RFC xxxx. This | DESCRIPTION "Revised version as published in RFC xxxx. This | |||
version obsoletes that of RFC 2618 by deprecating the MIB | version obsoletes that of RFC 2618 by deprecating the MIB | |||
table containing IPv4-only address formats and defining a | table containing IPv4-only address formats and defining a | |||
new table to add support for version neutral IP address | new table to add support for version neutral IP address | |||
formats. The remaining MIB objects from RFC 2618 are carried | formats. The remaining MIB objects from RFC 2618 are carried | |||
forward into this version." | forward into this version." | |||
REVISION "9906110000Z" -- 11 Jun 1999 | REVISION "9906110000Z" -- 11 Jun 1999 | |||
DESCRIPTION "Initial version as published in RFC 2618" | DESCRIPTION "Initial version as published in RFC 2618." | |||
-- RFC Editor: replace xxxx with actual RFC number at the time of | -- RFC Editor: replace xxxx with actual RFC number at the time of | |||
-- publication, and remove this note. | -- publication, and remove this note. | |||
::= { radiusAuthentication 2 } | ::= { radiusAuthentication 2 } | |||
radiusMIB OBJECT-IDENTITY | radiusMIB OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The OID assigned to RADIUS MIB work by the IANA." | "The OID assigned to RADIUS MIB work by the IANA." | |||
::= { mib-2 67 } | ::= { mib-2 67 } | |||
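Review bot: Section 5 still says the module contains "two scalars as well as a single table", while Section 4 of the same revision describes two tables, the deprecated radiusAuthServerTable and the new radiusAuthServerExtTable. The column count in that paragraph changes from sixteen to fifteen here, so the sentence is already being touched; suggest naming both tables and saying which one the count applies to. The REVISION "200601200000Z" DESCRIPTION also omits the UNITS and REFERENCE additions that the Abstract and Section 4 now mention.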
skipping to change at page 6, line 25 | skipping to change at page 6, line 42 | |||
radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | |||
radiusAuthClientMIBObjects OBJECT IDENTIFIER | radiusAuthClientMIBObjects OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIB 1 } | ::= { radiusAuthClientMIB 1 } | |||
radiusAuthClient OBJECT IDENTIFIER | radiusAuthClient OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIBObjects 1 } | ::= { radiusAuthClientMIBObjects 1 } | |||
radiusAuthClientInvalidServerAddresses OBJECT-TYPE | radiusAuthClientInvalidServerAddresses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
received from unknown addresses." | received from unknown addresses." | |||
::= { radiusAuthClient 1 } | ::= { radiusAuthClient 1 } | |||
radiusAuthClientIdentifier OBJECT-TYPE | radiusAuthClientIdentifier OBJECT-TYPE | |||
SYNTAX SnmpAdminString | SYNTAX SnmpAdminString | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The NAS-Identifier of the RADIUS authentication client. | "The NAS-Identifier of the RADIUS authentication client. | |||
This is not necessarily the same as sysName in MIB II." | This is not necessarily the same as sysName in MIB II." | |||
REFERENCE "RFC 2865 section 5.32" | ||||
::= { radiusAuthClient 2 } | ::= { radiusAuthClient 2 } | |||
radiusAuthServerTable OBJECT-TYPE | radiusAuthServerTable OBJECT-TYPE | |||
SYNTAX SEQUENCE OF RadiusAuthServerEntry | SYNTAX SEQUENCE OF RadiusAuthServerEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The (conceptual) table listing the RADIUS authentication | "The (conceptual) table listing the RADIUS authentication | |||
servers with which the client shares a secret." | servers with which the client shares a secret." | |||
::= { radiusAuthClient 3 } | ::= { radiusAuthClient 3 } | |||
skipping to change at page 8, line 9 | skipping to change at page 8, line 28 | |||
referred to in this table entry." | referred to in this table entry." | |||
::= { radiusAuthServerEntry 2 } | ::= { radiusAuthServerEntry 2 } | |||
radiusAuthClientServerPortNumber OBJECT-TYPE | radiusAuthClientServerPortNumber OBJECT-TYPE | |||
SYNTAX Integer32 (0..65535) | SYNTAX Integer32 (0..65535) | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The UDP port the client is using to send requests to | "The UDP port the client is using to send requests to | |||
this server." | this server." | |||
REFERENCE "RFC 2865 section 3" | ||||
::= { radiusAuthServerEntry 3 } | ::= { radiusAuthServerEntry 3 } | |||
radiusAuthClientRoundTripTime OBJECT-TYPE | radiusAuthClientRoundTripTime OBJECT-TYPE | |||
SYNTAX TimeTicks | SYNTAX TimeTicks | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The time interval (in hundredths of a second) between | "The time interval (in hundredths of a second) between | |||
the most recent Access-Reply/Access-Challenge and the | the most recent Access-Reply/Access-Challenge and the | |||
Access-Request that matched it from this RADIUS | Access-Request that matched it from this RADIUS | |||
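Review bot: The radiusAuthClientRoundTripTime DESCRIPTION refers to "Access-Reply/Access-Challenge", but Access-Reply is not one of the packet types this document names (Section 5 lists Access-Accept, Access-Reject and Access-Challenge), and the module's own comment defines "Access-Response" as the collective term. Suggest using the defined term or listing the intended packet types, and applying the same wording to radiusAuthClientExtRoundTripTime, which carries the identical text.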
skipping to change at page 8, line 38 | skipping to change at page 9, line 10 | |||
-- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
-- Successfully received | -- Successfully received | |||
-- | -- | |||
-- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
-- Successfully received | -- Successfully received | |||
-- | -- | |||
-- | -- | |||
radiusAuthClientAccessRequests OBJECT-TYPE | radiusAuthClientAccessRequests OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets sent | "The number of RADIUS Access-Request packets sent | |||
to this server. This does not include retransmissions." | to this server. This does not include retransmissions." | |||
REFERENCE "RFC 2865 section 4.1" | ||||
::= { radiusAuthServerEntry 5 } | ::= { radiusAuthServerEntry 5 } | |||
radiusAuthClientAccessRetransmissions OBJECT-TYPE | radiusAuthClientAccessRetransmissions OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
retransmitted to this RADIUS authentication server." | retransmitted to this RADIUS authentication server." | |||
REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
::= { radiusAuthServerEntry 6 } | ::= { radiusAuthServerEntry 6 } | |||
radiusAuthClientAccessAccepts OBJECT-TYPE | radiusAuthClientAccessAccepts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Accept packets | "The number of RADIUS Access-Accept packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.2" | ||||
::= { radiusAuthServerEntry 7 } | ::= { radiusAuthServerEntry 7 } | |||
radiusAuthClientAccessRejects OBJECT-TYPE | radiusAuthClientAccessRejects OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Reject packets | "The number of RADIUS Access-Reject packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.3" | ||||
::= { radiusAuthServerEntry 8 } | ::= { radiusAuthServerEntry 8 } | |||
radiusAuthClientAccessChallenges OBJECT-TYPE | radiusAuthClientAccessChallenges OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.4" | ||||
::= { radiusAuthServerEntry 9 } | ::= { radiusAuthServerEntry 9 } | |||
-- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge | |||
-- or Access-Reject | -- or Access-Reject | |||
radiusAuthClientMalformedAccessResponses OBJECT-TYPE | radiusAuthClientMalformedAccessResponses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
packets received from this server. | packets received from this server. | |||
Malformed packets include packets with | Malformed packets include packets with | |||
an invalid length. Bad authenticators or | an invalid length. Bad authenticators or | |||
Message Authenticator attributes or unknown types | Message Authenticator attributes or unknown types | |||
are not included as malformed access responses." | are not included as malformed access responses." | |||
::= { radiusAuthServerEntry 10 } | ::= { radiusAuthServerEntry 10 } | |||
radiusAuthClientBadAuthenticators OBJECT-TYPE | radiusAuthClientBadAuthenticators OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
containing invalid authenticators or Message | containing invalid authenticators or Message | |||
Authenticator attributes received from this server." | Authenticator attributes received from this server." | |||
REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14" | ||||
::= { radiusAuthServerEntry 11 } | ::= { radiusAuthServerEntry 11 } | |||
radiusAuthClientPendingRequests OBJECT-TYPE | radiusAuthClientPendingRequests OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
or received a response. This variable is incremented | or received a response. This variable is incremented | |||
when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
receipt of an Acess-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject or | |||
Access-Challenge, a timeout or retransmission." | Access-Challenge, a timeout or retransmission." | |||
REFERENCE "RFC 2865 section 2" | ||||
::= { radiusAuthServerEntry 12 } | ::= { radiusAuthServerEntry 12 } | |||
radiusAuthClientTimeouts OBJECT-TYPE | radiusAuthClientTimeouts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "timeouts" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
After a timeout the client may retry to the same | After a timeout the client may retry to the same | |||
server, send to a different server, or | server, send to a different server, or | |||
give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | ||||
::= { radiusAuthServerEntry 13 } | ::= { radiusAuthServerEntry 13 } | |||
radiusAuthClientUnknownTypes OBJECT-TYPE | radiusAuthClientUnknownTypes OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type which | |||
were received from this server on the authentication | were received from this server on the authentication | |||
port." | port." | |||
::= { radiusAuthServerEntry 14 } | ::= { radiusAuthServerEntry 14 } | |||
radiusAuthClientPacketsDropped OBJECT-TYPE | radiusAuthClientPacketsDropped OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of which were | "The number of RADIUS packets of which were | |||
received from this server on the authentication port | received from this server on the authentication port | |||
and dropped for some other reason." | and dropped for some other reason." | |||
::= { radiusAuthServerEntry 15 } | ::= { radiusAuthServerEntry 15 } | |||
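Review bot: radiusAuthClientPendingRequests gains a REFERENCE in this hunk but no UNITS clause, although it counts packets and each Counter32 in the hunk now carries a UNITS clause. If the omission is deliberate for the Gauge32 object, say so; otherwise add UNITS "packets" for consistency. The radiusAuthClientPacketsDropped DESCRIPTION also still reads "RADIUS packets of which were received" in both versions; drop the stray "of" in the same revision that fixes the "Acess-Accept" typo.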
-- New MIB Objects in this revision | -- New MIB Objects in this revision | |||
skipping to change at page 12, line 29 | skipping to change at page 13, line 20 | |||
radiusAuthServerInetAddress object." | radiusAuthServerInetAddress object." | |||
::= { radiusAuthServerExtEntry 2 } | ::= { radiusAuthServerExtEntry 2 } | |||
radiusAuthServerInetAddress OBJECT-TYPE | radiusAuthServerInetAddress OBJECT-TYPE | |||
SYNTAX InetAddress | SYNTAX InetAddress | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The IP address of the RADIUS authentication | "The IP address of the RADIUS authentication | |||
server referred to in this table entry, using | server referred to in this table entry, using | |||
the version neutral IP adddess format." | the version neutral IP address format." | |||
::= { radiusAuthServerExtEntry 3 } | ::= { radiusAuthServerExtEntry 3 } | |||
radiusAuthClientServerInetPortNumber OBJECT-TYPE | radiusAuthClientServerInetPortNumber OBJECT-TYPE | |||
SYNTAX InetPortNumber | SYNTAX InetPortNumber | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The UDP port the client is using to send requests | "The UDP port the client is using to send requests | |||
to this server." | to this server." | |||
REFERENCE "RFC 2865 section 3" | ||||
::= { radiusAuthServerExtEntry 4 } | ::= { radiusAuthServerExtEntry 4 } | |||
radiusAuthClientExtRoundTripTime OBJECT-TYPE | radiusAuthClientExtRoundTripTime OBJECT-TYPE | |||
SYNTAX TimeTicks | SYNTAX TimeTicks | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The time interval (in hundredths of a second) between | "The time interval (in hundredths of a second) between | |||
the most recent Access-Reply/Access-Challenge and the | the most recent Access-Reply/Access-Challenge and the | |||
Access-Request that matched it from this RADIUS | Access-Request that matched it from this RADIUS | |||
authentication server." | authentication server." | |||
REFERENCE "RFC 2865 section 2" | ||||
::= { radiusAuthServerExtEntry 5 } | ::= { radiusAuthServerExtEntry 5 } | |||
-- Request/Response statistics | -- Request/Response statistics | |||
-- | -- | |||
-- TotalIncomingPackets = Accepts + Rejects + Challenges + | -- TotalIncomingPackets = Accepts + Rejects + Challenges + | |||
-- UnknownTypes | -- UnknownTypes | |||
-- | -- | |||
-- TotalIncomingPackets - MalformedResponses - | -- TotalIncomingPackets - MalformedResponses - | |||
-- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
-- Successfully received | -- Successfully received | |||
-- | -- | |||
-- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
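Review bot: In radiusAuthClientExtRoundTripTime the DESCRIPTION refers to "Access-Reply/Access-Challenge", but RFC 2865, which the added REFERENCE clause cites, defines no Access-Reply packet; the response types are Access-Accept, Access-Reject and Access-Challenge. Suggest naming those three, or using "Access-Response" as the module's own comment defines it. The statistics comment also gives two different expressions that both equal "Successfully received". The second one (AccessRequests + PendingRequests + ClientTimeouts) mixes a Gauge32 with counters and is worth re-deriving before it is carried forward.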
skipping to change at page 13, line 20 | skipping to change at page 14, line 13 | |||
-- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
-- Successfully received | -- Successfully received | |||
-- | -- | |||
-- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
-- Successfully received | -- Successfully received | |||
-- | -- | |||
-- | -- | |||
radiusAuthClientExtAccessRequests OBJECT-TYPE | radiusAuthClientExtAccessRequests OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets sent | "The number of RADIUS Access-Request packets sent | |||
to this server. This does not include retransmissions." | to this server. This does not include retransmissions." | |||
REFERENCE "RFC 2865 section 4.1" | ||||
::= { radiusAuthServerExtEntry 6 } | ::= { radiusAuthServerExtEntry 6 } | |||
radiusAuthClientExtAccessRetransmissions OBJECT-TYPE | radiusAuthClientExtAccessRetransmissions OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
retransmitted to this RADIUS authentication server." | retransmitted to this RADIUS authentication server." | |||
REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
::= { radiusAuthServerExtEntry 7 } | ::= { radiusAuthServerExtEntry 7 } | |||
radiusAuthClientExtAccessAccepts OBJECT-TYPE | radiusAuthClientExtAccessAccepts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Accept packets | "The number of RADIUS Access-Accept packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.2" | ||||
::= { radiusAuthServerExtEntry 8 } | ::= { radiusAuthServerExtEntry 8 } | |||
radiusAuthClientExtAccessRejects OBJECT-TYPE | radiusAuthClientExtAccessRejects OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Reject packets | "The number of RADIUS Access-Reject packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.3" | ||||
::= { radiusAuthServerExtEntry 9 } | ::= { radiusAuthServerExtEntry 9 } | |||
radiusAuthClientExtAccessChallenges OBJECT-TYPE | radiusAuthClientExtAccessChallenges OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
(valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
REFERENCE "RFC 2865 section 4.4" | ||||
::= { radiusAuthServerExtEntry 10 } | ::= { radiusAuthServerExtEntry 10 } | |||
-- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge | |||
-- or Access-Reject | -- or Access-Reject | |||
radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
packets received from this server. | packets received from this server. | |||
Malformed packets include packets with | Malformed packets include packets with | |||
an invalid length. Bad authenticators or | an invalid length. Bad authenticators or | |||
Message Authenticator attributes or unknown types | Message Authenticator attributes or unknown types | |||
are not included as malformed access responses." | are not included as malformed access responses." | |||
REFERENCE "RFC 2865 sections 3, 4" | ||||
::= { radiusAuthServerExtEntry 11 } | ::= { radiusAuthServerExtEntry 11 } | |||
radiusAuthClientExtBadAuthenticators OBJECT-TYPE | radiusAuthClientExtBadAuthenticators OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
containing invalid authenticators or Message | containing invalid authenticators or Message | |||
Authenticator attributes received from this server." | Authenticator attributes received from this server." | |||
REFERENCE "RFC 2865 section 3" | ||||
::= { radiusAuthServerExtEntry 12 } | ::= { radiusAuthServerExtEntry 12 } | |||
radiusAuthClientExtPendingRequests OBJECT-TYPE | radiusAuthClientExtPendingRequests OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
or received a response. This variable is incremented | or received a response. This variable is incremented | |||
when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
receipt of an Acess-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject or | |||
Access-Challenge, a timeout or retransmission." | Access-Challenge, a timeout or retransmission." | |||
REFERENCE "RFC 2865 section 2" | ||||
::= { radiusAuthServerExtEntry 13 } | ::= { radiusAuthServerExtEntry 13 } | |||
radiusAuthClientExtTimeouts OBJECT-TYPE | radiusAuthClientExtTimeouts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "timeouts" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
After a timeout the client may retry to the same | After a timeout the client may retry to the same | |||
server, send to a different server, or | server, send to a different server, or | |||
give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
::= { radiusAuthServerExtEntry 14 } | ::= { radiusAuthServerExtEntry 14 } | |||
radiusAuthClientExtUnknownTypes OBJECT-TYPE | radiusAuthClientExtUnknownTypes OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type which | |||
were received from this server on the authentication | were received from this server on the authentication | |||
port." | port." | |||
REFERENCE "RFC 2865 section 4" | ||||
::= { radiusAuthServerExtEntry 15 } | ::= { radiusAuthServerExtEntry 15 } | |||
radiusAuthClientExtPacketsDropped OBJECT-TYPE | radiusAuthClientExtPacketsDropped OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | ||||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of which were | "The number of RADIUS packets of which were | |||
received from this server on the authentication port | received from this server on the authentication port | |||
and dropped for some other reason." | and dropped for some other reason." | |||
::= { radiusAuthServerExtEntry 16 } | ::= { radiusAuthServerExtEntry 16 } | |||
-- conformance information | -- conformance information | |||
radiusAuthClientMIBConformance OBJECT IDENTIFIER | radiusAuthClientMIBConformance OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIB 2 } | ::= { radiusAuthClientMIB 2 } | |||
radiusAuthClientMIBCompliances OBJECT IDENTIFIER | radiusAuthClientMIBCompliances OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIBConformance 1 } | ::= { radiusAuthClientMIBConformance 1 } | |||
radiusAuthClientMIBGroups OBJECT IDENTIFIER | radiusAuthClientMIBGroups OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIBConformance 2 } | ::= { radiusAuthClientMIBConformance 2 } | |||
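Review bot: The REFERENCE added to radiusAuthClientExtBadAuthenticators cites only RFC 2865 section 3, which covers the Authenticator field, while the DESCRIPTION also counts invalid "Message Authenticator attributes". That attribute (Message-Authenticator) is defined in RFC 2869, not RFC 2865, so the reference should be extended to cover it and the name hyphenated to match. The same applies to the wording in radiusAuthClientExtMalformedAccessResponses. Separately, radiusAuthClientExtPacketsDropped is the only counter in this hunk left without a REFERENCE, and its DESCRIPTION carries over the "packets of which were received" wording.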
skipping to change at page 16, line 4 | skipping to change at page 17, line 16 | |||
radiusAuthClientMIBConformance OBJECT IDENTIFIER | radiusAuthClientMIBConformance OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIB 2 } | ::= { radiusAuthClientMIB 2 } | |||
radiusAuthClientMIBCompliances OBJECT IDENTIFIER | radiusAuthClientMIBCompliances OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIBConformance 1 } | ::= { radiusAuthClientMIBConformance 1 } | |||
radiusAuthClientMIBGroups OBJECT IDENTIFIER | radiusAuthClientMIBGroups OBJECT IDENTIFIER | |||
::= { radiusAuthClientMIBConformance 2 } | ::= { radiusAuthClientMIBConformance 2 } | |||
-- compliance statements | -- compliance statements | |||
radiusAuthClientMIBCompliance MODULE-COMPLIANCE | radiusAuthClientMIBCompliance MODULE-COMPLIANCE | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The compliance statement for authentication clients | "The compliance statement for authentication clients | |||
implementing the RADIUS Authentication Client MIB." | implementing the RADIUS Authentication Client MIB. | |||
Implementation of this module is for IPv4-only | ||||
entities, or for backwards compatibility use with | ||||
entities that support both IPv4 and IPv6." | ||||
MODULE -- this module | MODULE -- this module | |||
MANDATORY-GROUPS { radiusAuthClientMIBGroup } | MANDATORY-GROUPS { radiusAuthClientMIBGroup } | |||
::= { radiusAuthClientMIBCompliances 1 } | ::= { radiusAuthClientMIBCompliances 1 } | |||
radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE | radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The compliance statement for authentication | "The compliance statement for authentication | |||
clients implementing the RADIUS Authentication | clients implementing the RADIUS Authentication | |||
Client IPv6 Extensions MIB." | Client IPv6 Extensions MIB. Implementation of | |||
this module is for entities that support IPv6, | ||||
or support IPv4 and IPv6." | ||||
MODULE -- this module | MODULE -- this module | |||
MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } | MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } | |||
::= { radiusAuthClientMIBCompliances 2 } | ::= { radiusAuthClientMIBCompliances 2 } | |||
-- units of conformance | -- units of conformance | |||
radiusAuthClientMIBGroup OBJECT-GROUP | radiusAuthClientMIBGroup OBJECT-GROUP | |||
OBJECTS { radiusAuthClientIdentifier, | OBJECTS { radiusAuthClientIdentifier, | |||
radiusAuthClientInvalidServerAddresses, | radiusAuthClientInvalidServerAddresses, | |||
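Review bot: The sentence added to radiusAuthClientMIBCompliance says "Implementation of this module is for IPv4-only entities", but both compliance statements sit under "MODULE -- this module", so "this module" does not tell them apart. Suggest "this compliance statement" (or naming radiusAuthClientMIBGroup / radiusAuthClientExtMIBGroup) in both DESCRIPTIONs. The first statement is also STATUS deprecated while the new text names IPv4-only entities as its implementers; state explicitly whether an IPv4-only agent is expected to implement the deprecated group or the Ext group.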
skipping to change at page 17, line 44 | skipping to change at page 19, line 17 | |||
This document requires no new IANA assignments. | This document requires no new IANA assignments. | |||
9. Security Considerations | 9. Security Considerations | |||
There are no management objects defined in this MIB that have a MAX- | There are no management objects defined in this MIB that have a MAX- | |||
ACCESS clause of read-write and/or read-create. So, if this MIB is | ACCESS clause of read-write and/or read-create. So, if this MIB is | |||
implemented correctly, then there is no risk that an intruder can | implemented correctly, then there is no risk that an intruder can | |||
alter or create any management objects of this MIB via direct SNMP | alter or create any management objects of this MIB via direct SNMP | |||
SET operations. | SET operations. | |||
There are a number of managed objects in this MIB that may contain | Some of the readable objects in this MIB module (i.e., objects with a | |||
sensitive information. These are: | MAX-ACCESS other than not-accessible) may be considered sensitive or | |||
vulnerable in some network environments. It is thus important to | ||||
control even GET and/or NOTIFY access to these objects and possibly | ||||
to even encrypt the values of these objects when sending them over | ||||
the network via SNMP. These are the tables and objects and their | ||||
sensitivity/vulnerability: | ||||
radiusAuthServerIPAddress This can be used to determine the address | radiusAuthServerIPAddress This can be used to determine the address | |||
of the RADIUS authentication server with which the client is | of the RADIUS authentication server with which the client is | |||
communicating. This information could be useful in mounting an | communicating. This information could be useful in mounting an | |||
attack on the authentication server. | attack on the authentication server. | |||
radiusAuthServerInetAddress This can be used to determine the address | radiusAuthServerInetAddress This can be used to determine the address | |||
of the RADIUS authentication server with which the client is | of the RADIUS authentication server with which the client is | |||
communicating. This information could be useful in mounting an | communicating. This information could be useful in mounting an | |||
attack on the authentication server. | attack on the authentication server. | |||
radiusAuthClientServerInetPortNumber This can be used to determine | radiusAuthClientServerInetPortNumber This can be used to determine | |||
the port number on which the RADIUS authentication client is | the port number on which the RADIUS authentication client is | |||
sending. This information could be useful in impersonating the | sending. This information could be useful in impersonating the | |||
client in order to send data to the authentication server. | client in order to send data to the authentication server. | |||
It is thus important to control even GET access to these objects and | SNMP versions prior to SNMPv3 did not include adequate security. | |||
possibly to even encrypt the values of these object when sending them | Even if the network itself is secure (for example by using IPsec), | |||
over the network via SNMP. Not all versions of SNMP provide features | even then, there is no control as to who on the secure network is | |||
for such a secure environment. | allowed to access and GET/SET (read/change/create/delete) the objects | |||
in this MIB module. | ||||
SNMP versions prior to SNMPv3 do not provide a secure environment. | ||||
Even if the network itself is secure (for example by using IPSec), | ||||
there is no control as to who on the secure network is allowed to | ||||
access and GET/SET (read/change/create/delete) the objects in this | ||||
MIB. | ||||
It is recommended that the implementers consider the security | It is RECOMMENDED that implementers consider the security features as | |||
features as provided by the SNMPv3 framework. Specifically, the use | provided by the SNMPv3 framework (see [RFC3410], section 8), | |||
of the User-based Security Model [RFC2574] and the View-based Access | including full support for the SNMPv3 cryptographic mechanisms (for | |||
Control Model [RFC2575] is recommended. Using these security | authentication and privacy). | |||
features, customer/users can give access to the objects only to those | ||||
principals (users) that have legitimate rights to GET or SET (change/ | ||||
create/delete) them. | ||||
10. References | Further, deployment of SNMP versions prior to SNMPv3 is NOT | |||
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | ||||
enable cryptographic security. It is then a customer/operator | ||||
responsibility to ensure that the SNMP entity giving access to an | ||||
instance of this MIB module is properly configured to give access to | ||||
the objects only to those principals (users) that have legitimate | ||||
rights to indeed GET or SET (change/create/delete) them | ||||
10.1. Normative References | 10. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model | [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model | |||
(USM) for version 3 of the Simple Network Management | (USM) for version 3 of the Simple Network Management | |||
Protocol (SNMPv3)", RFC 2574, April 1999. | Protocol (SNMPv3)", RFC 2574, April 1999. | |||
[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based | [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based | |||
Access Control Model (VACM) for the Simple Network | Access Control Model (VACM) for the Simple Network | |||
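Review bot: The new boilerplate in section 9 speaks of who may "GET/SET (read/change/create/delete) the objects" and of rights to "GET or SET (change/create/delete) them", yet the first paragraph of the same section states that no object has a MAX-ACCESS of read-write or read-create. Trim the wording to read access so the section does not contradict itself. The last new paragraph ends "(change/create/delete) them" without a full stop, and "Even if the network itself is secure ..., even then," repeats "even". With the USM/VACM sentence replaced by the pointer to [RFC3410] section 8, [RFC2574] and [RFC2575] remain in the reference list but are no longer cited in this section; check whether anything else still cites them.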
skipping to change at page 19, line 18 | skipping to change at page 20, line 36 | |||
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | |||
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
STD 58, RFC 2579, April 1999. | STD 58, RFC 2579, April 1999. | |||
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | |||
"Conformance Statements for SMIv2", STD 58, RFC 2580, | "Conformance Statements for SMIv2", STD 58, RFC 2580, | |||
April 1999. | April 1999. | |||
[RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | ||||
RFC 2618, June 1999. | ||||
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | ||||
"Remote Authentication Dial In User Service (RADIUS)", | ||||
RFC 2865, June 2000. | ||||
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
"Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | ||||
Architecture for Describing Simple Network Management | ||||
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | ||||
December 2002. | ||||
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
RFC 3418, December 2002. | RFC 3418, December 2002. | |||
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | |||
Schoenwaelder, "Textual Conventions for Internet Network | Schoenwaelder, "Textual Conventions for Internet Network | |||
Addresses", RFC 4001, February 2005. | Addresses", RFC 4001, February 2005. | |||
10.2. Informative References | ||||
[RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | ||||
RFC 2618, June 1999. | ||||
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | ||||
"Remote Authentication Dial In User Service (RADIUS)", | ||||
RFC 2865, June 2000. | ||||
Appendix A. Acknowledgments | Appendix A. Acknowledgments | |||
The Authors of the original MIB are Bernard Aboba and Glen Zorn. | The Authors of the original MIB are Bernard Aboba and Glen Zorn. | |||
Many thanks to all reviewers, especially to Dave Harrington, Dan | Many thanks to all reviewers, especially to Dave Harrington, Dan | |||
Romascanu, C.M. Heard, Bruno Pape and Greg Weber. | Romascanu, C.M. Heard, Bruno Pape and Greg Weber. | |||
Author's Address | Author's Address | |||
David B. Nelson | David B. Nelson | |||
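Review bot: [RFC2618] moves from "10.2. Informative References" into the single "10. Normative References" list, although the draft header says this document obsoletes RFC 2618. A document being replaced is normally an informative reference, so either keep an informative subsection for it or say what is normatively required from it. Listing [RFC2865] as normative is consistent with the REFERENCE clauses added to the MIB objects.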
skipping to change at page 21, line 41 | skipping to change at page 23, line 41 | |||
This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
Copyright Statement | Copyright Statement | |||
Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
Acknowledgment | Acknowledgment | |||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
Internet Society. | Internet Society. | |||
End of changes. 78 change blocks. | ||||
68 lines changed or deleted | 147 lines changed or added | |||
This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |