| draft-ietf-radext-rfc2618bis-01.txt | draft-ietf-radext-rfc2618bis-02.txt | |||
|---|---|---|---|---|
| Network Working Group D. Nelson | Network Working Group D. Nelson | |||
| Internet-Draft Enterasys Networks | Internet-Draft Enterasys Networks | |||
| Obsoletes: RFC 2618 (if approved) October 18, 2005 | Obsoletes: RFC 2618 (if approved) January 20, 2006 | |||
| Expires: April 21, 2006 | Expires: July 24, 2006 | |||
| RADIUS Auth Client MIB (IPv6) | RADIUS Auth Client MIB (IPv6) | |||
| draft-ietf-radext-rfc2618bis-01.txt | draft-ietf-radext-rfc2618bis-02.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on April 21, 2006. | This Internet-Draft will expire on July 24, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This memo defines a set of extensions which instrument RADIUS | ||||
| authentication client functions. These extensions represent a | ||||
| portion of the Management Information Base (MIB) for use with network | ||||
| management protocols in the Internet community. Using these | ||||
| extensions IP-based management stations can manage RADIUS | ||||
| authentication clients. | ||||
| This memo obsoletes RFC 2618 by deprecating the MIB table containing | This memo obsoletes RFC 2618 by deprecating the MIB table containing | |||
| IPv4-only address formats and defining a new table to add support for | IPv4-only address formats and defining a new table to add support for | |||
| version neutral IP address formats. The remaining MIB objects from | version neutral IP address formats. The remaining MIB objects from | |||
| RFC 2618 are carried forward into this document. | RFC 2618 are carried forward into this document. The memo also adds | |||
| UNITS and REFERENCE clauses to selected objects. | ||||
| Table of Contents | Table of Contents | |||
| 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. The Internet-Standard Management Framework . . . . . . . . . . 3 | 3. The Internet-Standard Management Framework . . . . . . . . . . 3 | |||
| 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | |||
| 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Normative References . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 18 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 21 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 19 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 19 | Intellectual Property and Copyright Statements . . . . . . . . . . 23 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . . . 21 | ||||
| 1. Terminology | 1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| This document uses terminology from RFC 2865 [RFC2865]. | This document uses terminology from RFC 2865 [RFC2865]. | |||
| This document uses the word "malformed" with respect to RADIUS | ||||
| packets, particularly in the context of counters of "malformed | ||||
| packets". While RFC 2865 does not provide an explicit definition of | ||||
| "malformed", malformed generally means that the implementation has | ||||
| determined the packet does not match the format defined in RFC 2865. | ||||
| Some implementations may determine that packets are malformed when | ||||
| the Vendor Specific Attribute (VSA) format does not follow the RFC | ||||
| 2865 recommendations for VSAs. Those implementations are used in | ||||
| deployments today, and thus set the de-facto definition of | ||||
| "malformed". | ||||
| 2. Introduction | 2. Introduction | |||
| This memo defines a portion of the Management Information Base (MIB) | This memo defines a portion of the Management Information Base (MIB) | |||
| for use with network management protocols in the Internet community. | for use with network management protocols in the Internet community. | |||
| The objects defined within this memo relate to the Remote | The objects defined within this memo relate to the Remote | |||
| Authentication Dial-In User Service (RADIUS) Authentication Client as | Authentication Dial-In User Service (RADIUS) Authentication Client as | |||
| defined in RFC 2865 [RFC2865]. | defined in RFC 2865 [RFC2865]. | |||
| 3. The Internet-Standard Management Framework | 3. The Internet-Standard Management Framework | |||
| skipping to change at page 3, line 46 | skipping to change at page 4, line 11 | |||
| 4. Scope of Changes | 4. Scope of Changes | |||
| This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | |||
| Client MIB, by deprecating the radiusAuthServerTable table and adding | Client MIB, by deprecating the radiusAuthServerTable table and adding | |||
| a new table, radiusAuthServerExtTable, containing | a new table, radiusAuthServerExtTable, containing | |||
| radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | |||
| radiusAuthClientServerInetPortNumber. The purpose of these added MIB | radiusAuthClientServerInetPortNumber. The purpose of these added MIB | |||
| objects is to support version neutral IP addressing formats. The | objects is to support version neutral IP addressing formats. The | |||
| existing table containing radiusAuthServerAddress and | existing table containing radiusAuthServerAddress and | |||
| radiusAuthClientServerPortNumber is deprecated. The remaining MIB | radiusAuthClientServerPortNumber is deprecated. The remaining MIB | |||
| objects are carried forward from RFC 2618 into this document. | objects are carried forward from RFC 2618 into this document. This | |||
| memo also adds UNITS and REFERENCE clauses to selected objects. | ||||
| RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | |||
| IPv6 addresses, contains the following recommendation. | IPv6 addresses, contains the following recommendation. | |||
| 'In particular, when revising a MIB module that contains IPv4 | 'In particular, when revising a MIB module that contains IPv4 | |||
| specific tables, it is suggested to define new tables using the | specific tables, it is suggested to define new tables using the | |||
| textual conventions defined in this memo [RFC 4001] that support all | textual conventions defined in this memo [RFC 4001] that support all | |||
| versions of IP. The status of the new tables SHOULD be "current", | versions of IP. The status of the new tables SHOULD be "current", | |||
| whereas the status of the old IP version specific tables SHOULD be | whereas the status of the old IP version specific tables SHOULD be | |||
| changed to "deprecated". The other approach, of having multiple | changed to "deprecated". The other approach, of having multiple | |||
| similar tables for different IP versions, is strongly discouraged.' | similar tables for different IP versions, is strongly discouraged.' | |||
| 5. Structure of the MIB Module | 5. Structure of the MIB Module | |||
| The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | |||
| distinguishes between the client function and the server function. | distinguishes between the client function and the server function. | |||
| In RADIUS authentication, clients send Access-Requests, and servers | In RADIUS authentication, clients send Access-Requests, and servers | |||
| reply with Access-Accepts, Access-Rejects, and Access-Challenges. | reply with Access-Accepts, Access-Rejects, and Access-Challenges. | |||
| Typically NAS devices implement the client function, and thus would | Typically Network Access Server (NAS) devices implement the client | |||
| be expected to implement the RADIUS authentication client MIB, while | function, and thus would be expected to implement the RADIUS | |||
| RADIUS authentication servers implement the server function, and thus | authentication client MIB, while RADIUS authentication servers | |||
| would be expected to implement the RADIUS authentication server MIB. | implement the server function, and thus would be expected to | |||
| implement the RADIUS authentication server MIB. | ||||
| However, it is possible for a RADIUS authentication entity to perform | However, it is possible for a RADIUS authentication entity to perform | |||
| both client and server functions. For example, a RADIUS proxy may | both client and server functions. For example, a RADIUS proxy may | |||
| act as a server to one or more RADIUS authentication clients, while | act as a server to one or more RADIUS authentication clients, while | |||
| simultaneously acting as an authentication client to one or more | simultaneously acting as an authentication client to one or more | |||
| authentication servers. In such situations, it is expected that | authentication servers. In such situations, it is expected that | |||
| RADIUS entities combining client and server functionality will | RADIUS entities combining client and server functionality will | |||
| support both the client and server MIBs. | support both the client and server MIBs. | |||
| This MIB module contains two scalars as well as a single table, the | This MIB module contains two scalars as well as a single table, the | |||
| RADIUS Authentication Server Table, which contains one row for each | RADIUS Authentication Server Table, which contains one row for each | |||
| RADIUS authentication server with which the client shares a secret. | RADIUS authentication server with which the client shares a secret. | |||
| Each entry in the RADIUS Authentication Server Table includes sixteen | Each entry in the RADIUS Authentication Server Table includes fifteen | |||
| columns presenting a view of the activity of the RADIUS | columns presenting a view of the activity of the RADIUS | |||
| authentication client. | authentication client. | |||
| 6. Deprecated Objects | 6. Deprecated Objects | |||
| The deprecated table in this MIB is carried forward from RFC 2618 | The deprecated table in this MIB is carried forward from RFC 2618 | |||
| [RFC2618]. There are two conditions under which it MAY be desirable | [RFC2618]. There are two conditions under which it MAY be desirable | |||
| for managed entities to continue to support the deprecated table: | for managed entities to continue to support the deprecated table: | |||
| 1. The managed entity only supports IPv4 address formats. | 1. The managed entity only supports IPv4 address formats. | |||
| 2. The managed entity supports both IPv4 and IPv6 address formats, | 2. The managed entity supports both IPv4 and IPv6 address formats, | |||
| and the deprecated table is supported for backwards compatibility | and the deprecated table is supported for backwards compatibility | |||
| with older management stations. This option SHOULD only be used | with older management stations. This option SHOULD only be used | |||
| when the IP addresses in the new table are in IPv4 format and can | when the IP addresses in the new table are in IPv4 format and can | |||
| accurately be represented in both the new table and the | accurately be represented in both the new table and the | |||
| deprecated table. | deprecated table. | |||
| Managed entities SHOULD NOT instantiate the deprecated table | Managed entities SHOULD NOT instantiate row entries in the deprecated | |||
| containing IPv4-only address objects when the RADIUS server address | table, containing IPv4-only address objects, when the RADIUS server | |||
| represented in the table row is not an IPv4 address. Managed | address represented in such a table row is not an IPv4 address. | |||
| entities SHOULD NOT return inaccurate values of IP address or SNMP | Managed entities SHOULD NOT return inaccurate values of IP address or | |||
| object access errors for IPv4-only address objects in otherwise | SNMP object access errors for IPv4-only address objects in otherwise | |||
| populated tables. | populated tables. When row entries exist in both the deprecated | |||
| IPv4-only table and the new IP version neutral table that describe | ||||
| the same RADIUS server, the row indexes SHOULD be the same for the | ||||
| corresponding rows in each table, to facilitate correlation of these | ||||
| related rows by management applications. | ||||
| 7. Definitions | 7. Definitions | |||
| RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | |||
| Counter32, Integer32, Gauge32, | Counter32, Integer32, Gauge32, | |||
| IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | |||
| SnmpAdminString FROM SNMP-FRAMEWORK-MIB | SnmpAdminString FROM SNMP-FRAMEWORK-MIB | |||
| InetAddressType, InetAddress, | InetAddressType, InetAddress, | |||
| InetPortNumber FROM INET-ADDRESS-MIB | InetPortNumber FROM INET-ADDRESS-MIB | |||
| MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | |||
| radiusAuthClientMIB MODULE-IDENTITY | radiusAuthClientMIB MODULE-IDENTITY | |||
| LAST-UPDATED "200510170000Z" -- 17 Oct 2005 | LAST-UPDATED "200601200000Z" -- 20 Jan 2006 | |||
| ORGANIZATION "IETF RADIUS Extensions Working Group." | ORGANIZATION "IETF RADIUS Extensions Working Group." | |||
| CONTACT-INFO | CONTACT-INFO | |||
| " Bernard Aboba | " Bernard Aboba | |||
| Microsoft | Microsoft | |||
| One Microsoft Way | One Microsoft Way | |||
| Redmond, WA 98052 | Redmond, WA 98052 | |||
| US | US | |||
| Phone: +1 425 936 6605 | Phone: +1 425 936 6605 | |||
| EMail: bernarda@microsoft.com" | EMail: bernarda@microsoft.com" | |||
| DESCRIPTION | DESCRIPTION | |||
| "The MIB module for entities implementing the client | "The MIB module for entities implementing the client | |||
| side of the Remote Authentication Dial-In User Service | side of the Remote Authentication Dial-In User Service | |||
| (RADIUS) authentication protocol." | (RADIUS) authentication protocol." | |||
| REVISION "200510170000Z" -- 17 Oct 2005 | REVISION "200601200000Z" -- 20 Jan 2006 | |||
| DESCRIPTION "Revised version as published in RFC xxxx. This | DESCRIPTION "Revised version as published in RFC xxxx. This | |||
| version obsoletes that of RFC 2618 by deprecating the MIB | version obsoletes that of RFC 2618 by deprecating the MIB | |||
| table containing IPv4-only address formats and defining a | table containing IPv4-only address formats and defining a | |||
| new table to add support for version neutral IP address | new table to add support for version neutral IP address | |||
| formats. The remaining MIB objects from RFC 2618 are carried | formats. The remaining MIB objects from RFC 2618 are carried | |||
| forward into this version." | forward into this version." | |||
| REVISION "9906110000Z" -- 11 Jun 1999 | REVISION "9906110000Z" -- 11 Jun 1999 | |||
| DESCRIPTION "Initial version as published in RFC 2618" | DESCRIPTION "Initial version as published in RFC 2618." | |||
| -- RFC Editor: replace xxxx with actual RFC number at the time of | -- RFC Editor: replace xxxx with actual RFC number at the time of | |||
| -- publication, and remove this note. | -- publication, and remove this note. | |||
| ::= { radiusAuthentication 2 } | ::= { radiusAuthentication 2 } | |||
| radiusMIB OBJECT-IDENTITY | radiusMIB OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The OID assigned to RADIUS MIB work by the IANA." | "The OID assigned to RADIUS MIB work by the IANA." | |||
| ::= { mib-2 67 } | ::= { mib-2 67 } | |||
| skipping to change at page 6, line 25 | skipping to change at page 6, line 42 | |||
| radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | |||
| radiusAuthClientMIBObjects OBJECT IDENTIFIER | radiusAuthClientMIBObjects OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIB 1 } | ::= { radiusAuthClientMIB 1 } | |||
| radiusAuthClient OBJECT IDENTIFIER | radiusAuthClient OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIBObjects 1 } | ::= { radiusAuthClientMIBObjects 1 } | |||
| radiusAuthClientInvalidServerAddresses OBJECT-TYPE | radiusAuthClientInvalidServerAddresses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
| received from unknown addresses." | received from unknown addresses." | |||
| ::= { radiusAuthClient 1 } | ::= { radiusAuthClient 1 } | |||
| radiusAuthClientIdentifier OBJECT-TYPE | radiusAuthClientIdentifier OBJECT-TYPE | |||
| SYNTAX SnmpAdminString | SYNTAX SnmpAdminString | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The NAS-Identifier of the RADIUS authentication client. | "The NAS-Identifier of the RADIUS authentication client. | |||
| This is not necessarily the same as sysName in MIB II." | This is not necessarily the same as sysName in MIB II." | |||
| REFERENCE "RFC 2865 section 5.32" | ||||
| ::= { radiusAuthClient 2 } | ::= { radiusAuthClient 2 } | |||
| radiusAuthServerTable OBJECT-TYPE | radiusAuthServerTable OBJECT-TYPE | |||
| SYNTAX SEQUENCE OF RadiusAuthServerEntry | SYNTAX SEQUENCE OF RadiusAuthServerEntry | |||
| MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The (conceptual) table listing the RADIUS authentication | "The (conceptual) table listing the RADIUS authentication | |||
| servers with which the client shares a secret." | servers with which the client shares a secret." | |||
| ::= { radiusAuthClient 3 } | ::= { radiusAuthClient 3 } | |||
| skipping to change at page 8, line 9 | skipping to change at page 8, line 28 | |||
| referred to in this table entry." | referred to in this table entry." | |||
| ::= { radiusAuthServerEntry 2 } | ::= { radiusAuthServerEntry 2 } | |||
| radiusAuthClientServerPortNumber OBJECT-TYPE | radiusAuthClientServerPortNumber OBJECT-TYPE | |||
| SYNTAX Integer32 (0..65535) | SYNTAX Integer32 (0..65535) | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The UDP port the client is using to send requests to | "The UDP port the client is using to send requests to | |||
| this server." | this server." | |||
| REFERENCE "RFC 2865 section 3" | ||||
| ::= { radiusAuthServerEntry 3 } | ::= { radiusAuthServerEntry 3 } | |||
| radiusAuthClientRoundTripTime OBJECT-TYPE | radiusAuthClientRoundTripTime OBJECT-TYPE | |||
| SYNTAX TimeTicks | SYNTAX TimeTicks | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The time interval (in hundredths of a second) between | "The time interval (in hundredths of a second) between | |||
| the most recent Access-Reply/Access-Challenge and the | the most recent Access-Reply/Access-Challenge and the | |||
| Access-Request that matched it from this RADIUS | Access-Request that matched it from this RADIUS | |||
| skipping to change at page 8, line 38 | skipping to change at page 9, line 10 | |||
| -- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
| -- Successfully received | -- Successfully received | |||
| -- | -- | |||
| -- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
| -- Successfully received | -- Successfully received | |||
| -- | -- | |||
| -- | -- | |||
| radiusAuthClientAccessRequests OBJECT-TYPE | radiusAuthClientAccessRequests OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets sent | "The number of RADIUS Access-Request packets sent | |||
| to this server. This does not include retransmissions." | to this server. This does not include retransmissions." | |||
| REFERENCE "RFC 2865 section 4.1" | ||||
| ::= { radiusAuthServerEntry 5 } | ::= { radiusAuthServerEntry 5 } | |||
| radiusAuthClientAccessRetransmissions OBJECT-TYPE | radiusAuthClientAccessRetransmissions OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| retransmitted to this RADIUS authentication server." | retransmitted to this RADIUS authentication server." | |||
| REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
| ::= { radiusAuthServerEntry 6 } | ::= { radiusAuthServerEntry 6 } | |||
| radiusAuthClientAccessAccepts OBJECT-TYPE | radiusAuthClientAccessAccepts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Accept packets | "The number of RADIUS Access-Accept packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.2" | ||||
| ::= { radiusAuthServerEntry 7 } | ::= { radiusAuthServerEntry 7 } | |||
| radiusAuthClientAccessRejects OBJECT-TYPE | radiusAuthClientAccessRejects OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Reject packets | "The number of RADIUS Access-Reject packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.3" | ||||
| ::= { radiusAuthServerEntry 8 } | ::= { radiusAuthServerEntry 8 } | |||
| radiusAuthClientAccessChallenges OBJECT-TYPE | radiusAuthClientAccessChallenges OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.4" | ||||
| ::= { radiusAuthServerEntry 9 } | ::= { radiusAuthServerEntry 9 } | |||
| -- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge | |||
| -- or Access-Reject | -- or Access-Reject | |||
| radiusAuthClientMalformedAccessResponses OBJECT-TYPE | radiusAuthClientMalformedAccessResponses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
| packets received from this server. | packets received from this server. | |||
| Malformed packets include packets with | Malformed packets include packets with | |||
| an invalid length. Bad authenticators or | an invalid length. Bad authenticators or | |||
| Message Authenticator attributes or unknown types | Message Authenticator attributes or unknown types | |||
| are not included as malformed access responses." | are not included as malformed access responses." | |||
| ::= { radiusAuthServerEntry 10 } | ::= { radiusAuthServerEntry 10 } | |||
| radiusAuthClientBadAuthenticators OBJECT-TYPE | radiusAuthClientBadAuthenticators OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
| containing invalid authenticators or Message | containing invalid authenticators or Message | |||
| Authenticator attributes received from this server." | Authenticator attributes received from this server." | |||
| REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14" | ||||
| ::= { radiusAuthServerEntry 11 } | ::= { radiusAuthServerEntry 11 } | |||
| radiusAuthClientPendingRequests OBJECT-TYPE | radiusAuthClientPendingRequests OBJECT-TYPE | |||
| SYNTAX Gauge32 | SYNTAX Gauge32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
| or received a response. This variable is incremented | or received a response. This variable is incremented | |||
| when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
| receipt of an Acess-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject or | |||
| Access-Challenge, a timeout or retransmission." | Access-Challenge, a timeout or retransmission." | |||
| REFERENCE "RFC 2865 section 2" | ||||
| ::= { radiusAuthServerEntry 12 } | ::= { radiusAuthServerEntry 12 } | |||
| radiusAuthClientTimeouts OBJECT-TYPE | radiusAuthClientTimeouts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "timeouts" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
| After a timeout the client may retry to the same | After a timeout the client may retry to the same | |||
| server, send to a different server, or | server, send to a different server, or | |||
| give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
| retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
| server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
| REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | ||||
| ::= { radiusAuthServerEntry 13 } | ::= { radiusAuthServerEntry 13 } | |||
| radiusAuthClientUnknownTypes OBJECT-TYPE | radiusAuthClientUnknownTypes OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type which | |||
| were received from this server on the authentication | were received from this server on the authentication | |||
| port." | port." | |||
| ::= { radiusAuthServerEntry 14 } | ::= { radiusAuthServerEntry 14 } | |||
| radiusAuthClientPacketsDropped OBJECT-TYPE | radiusAuthClientPacketsDropped OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of which were | "The number of RADIUS packets of which were | |||
| received from this server on the authentication port | received from this server on the authentication port | |||
| and dropped for some other reason." | and dropped for some other reason." | |||
| ::= { radiusAuthServerEntry 15 } | ::= { radiusAuthServerEntry 15 } | |||
| -- New MIB Objects in this revision | -- New MIB Objects in this revision | |||
| skipping to change at page 12, line 29 | skipping to change at page 13, line 20 | |||
| radiusAuthServerInetAddress object." | radiusAuthServerInetAddress object." | |||
| ::= { radiusAuthServerExtEntry 2 } | ::= { radiusAuthServerExtEntry 2 } | |||
| radiusAuthServerInetAddress OBJECT-TYPE | radiusAuthServerInetAddress OBJECT-TYPE | |||
| SYNTAX InetAddress | SYNTAX InetAddress | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The IP address of the RADIUS authentication | "The IP address of the RADIUS authentication | |||
| server referred to in this table entry, using | server referred to in this table entry, using | |||
| the version neutral IP adddess format." | the version neutral IP address format." | |||
| ::= { radiusAuthServerExtEntry 3 } | ::= { radiusAuthServerExtEntry 3 } | |||
| radiusAuthClientServerInetPortNumber OBJECT-TYPE | radiusAuthClientServerInetPortNumber OBJECT-TYPE | |||
| SYNTAX InetPortNumber | SYNTAX InetPortNumber | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The UDP port the client is using to send requests | "The UDP port the client is using to send requests | |||
| to this server." | to this server." | |||
| REFERENCE "RFC 2865 section 3" | ||||
| ::= { radiusAuthServerExtEntry 4 } | ::= { radiusAuthServerExtEntry 4 } | |||
| radiusAuthClientExtRoundTripTime OBJECT-TYPE | radiusAuthClientExtRoundTripTime OBJECT-TYPE | |||
| SYNTAX TimeTicks | SYNTAX TimeTicks | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The time interval (in hundredths of a second) between | "The time interval (in hundredths of a second) between | |||
| the most recent Access-Reply/Access-Challenge and the | the most recent Access-Reply/Access-Challenge and the | |||
| Access-Request that matched it from this RADIUS | Access-Request that matched it from this RADIUS | |||
| authentication server." | authentication server." | |||
| REFERENCE "RFC 2865 section 2" | ||||
| ::= { radiusAuthServerExtEntry 5 } | ::= { radiusAuthServerExtEntry 5 } | |||
| -- Request/Response statistics | -- Request/Response statistics | |||
| -- | -- | |||
| -- TotalIncomingPackets = Accepts + Rejects + Challenges + | -- TotalIncomingPackets = Accepts + Rejects + Challenges + | |||
| -- UnknownTypes | -- UnknownTypes | |||
| -- | -- | |||
| -- TotalIncomingPackets - MalformedResponses - | -- TotalIncomingPackets - MalformedResponses - | |||
| -- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
| -- Successfully received | -- Successfully received | |||
| -- | -- | |||
| -- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
| skipping to change at page 13, line 20 | skipping to change at page 14, line 13 | |||
| -- BadAuthenticators - UnknownTypes - PacketsDropped = | -- BadAuthenticators - UnknownTypes - PacketsDropped = | |||
| -- Successfully received | -- Successfully received | |||
| -- | -- | |||
| -- AccessRequests + PendingRequests + ClientTimeouts = | -- AccessRequests + PendingRequests + ClientTimeouts = | |||
| -- Successfully received | -- Successfully received | |||
| -- | -- | |||
| -- | -- | |||
| radiusAuthClientExtAccessRequests OBJECT-TYPE | radiusAuthClientExtAccessRequests OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets sent | "The number of RADIUS Access-Request packets sent | |||
| to this server. This does not include retransmissions." | to this server. This does not include retransmissions." | |||
| REFERENCE "RFC 2865 section 4.1" | ||||
| ::= { radiusAuthServerExtEntry 6 } | ::= { radiusAuthServerExtEntry 6 } | |||
| radiusAuthClientExtAccessRetransmissions OBJECT-TYPE | radiusAuthClientExtAccessRetransmissions OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| retransmitted to this RADIUS authentication server." | retransmitted to this RADIUS authentication server." | |||
| REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
| ::= { radiusAuthServerExtEntry 7 } | ::= { radiusAuthServerExtEntry 7 } | |||
| radiusAuthClientExtAccessAccepts OBJECT-TYPE | radiusAuthClientExtAccessAccepts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Accept packets | "The number of RADIUS Access-Accept packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.2" | ||||
| ::= { radiusAuthServerExtEntry 8 } | ::= { radiusAuthServerExtEntry 8 } | |||
| radiusAuthClientExtAccessRejects OBJECT-TYPE | radiusAuthClientExtAccessRejects OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Reject packets | "The number of RADIUS Access-Reject packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.3" | ||||
| ::= { radiusAuthServerExtEntry 9 } | ::= { radiusAuthServerExtEntry 9 } | |||
| radiusAuthClientExtAccessChallenges OBJECT-TYPE | radiusAuthClientExtAccessChallenges OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
| (valid or invalid) received from this server." | (valid or invalid) received from this server." | |||
| REFERENCE "RFC 2865 section 4.4" | ||||
| ::= { radiusAuthServerExtEntry 10 } | ::= { radiusAuthServerExtEntry 10 } | |||
| -- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge | |||
| -- or Access-Reject | -- or Access-Reject | |||
| radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
| packets received from this server. | packets received from this server. | |||
| Malformed packets include packets with | Malformed packets include packets with | |||
| an invalid length. Bad authenticators or | an invalid length. Bad authenticators or | |||
| Message Authenticator attributes or unknown types | Message Authenticator attributes or unknown types | |||
| are not included as malformed access responses." | are not included as malformed access responses." | |||
| REFERENCE "RFC 2865 sections 3, 4" | ||||
| ::= { radiusAuthServerExtEntry 11 } | ::= { radiusAuthServerExtEntry 11 } | |||
| radiusAuthClientExtBadAuthenticators OBJECT-TYPE | radiusAuthClientExtBadAuthenticators OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Response packets | "The number of RADIUS Access-Response packets | |||
| containing invalid authenticators or Message | containing invalid authenticators or Message | |||
| Authenticator attributes received from this server." | Authenticator attributes received from this server." | |||
| REFERENCE "RFC 2865 section 3" | ||||
| ::= { radiusAuthServerExtEntry 12 } | ::= { radiusAuthServerExtEntry 12 } | |||
| radiusAuthClientExtPendingRequests OBJECT-TYPE | radiusAuthClientExtPendingRequests OBJECT-TYPE | |||
| SYNTAX Gauge32 | SYNTAX Gauge32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
| or received a response. This variable is incremented | or received a response. This variable is incremented | |||
| when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
| receipt of an Acess-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject or | |||
| Access-Challenge, a timeout or retransmission." | Access-Challenge, a timeout or retransmission." | |||
| REFERENCE "RFC 2865 section 2" | ||||
| ::= { radiusAuthServerExtEntry 13 } | ::= { radiusAuthServerExtEntry 13 } | |||
| radiusAuthClientExtTimeouts OBJECT-TYPE | radiusAuthClientExtTimeouts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "timeouts" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
| After a timeout the client may retry to the same | After a timeout the client may retry to the same | |||
| server, send to a different server, or | server, send to a different server, or | |||
| give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
| retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
| server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
| REFERENCE "RFC 2865 sections 2.5, 4.1" | ||||
| ::= { radiusAuthServerExtEntry 14 } | ::= { radiusAuthServerExtEntry 14 } | |||
| radiusAuthClientExtUnknownTypes OBJECT-TYPE | radiusAuthClientExtUnknownTypes OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type which | |||
| were received from this server on the authentication | were received from this server on the authentication | |||
| port." | port." | |||
| REFERENCE "RFC 2865 section 4" | ||||
| ::= { radiusAuthServerExtEntry 15 } | ::= { radiusAuthServerExtEntry 15 } | |||
| radiusAuthClientExtPacketsDropped OBJECT-TYPE | radiusAuthClientExtPacketsDropped OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | ||||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of which were | "The number of RADIUS packets of which were | |||
| received from this server on the authentication port | received from this server on the authentication port | |||
| and dropped for some other reason." | and dropped for some other reason." | |||
| ::= { radiusAuthServerExtEntry 16 } | ::= { radiusAuthServerExtEntry 16 } | |||
| -- conformance information | -- conformance information | |||
| radiusAuthClientMIBConformance OBJECT IDENTIFIER | radiusAuthClientMIBConformance OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIB 2 } | ::= { radiusAuthClientMIB 2 } | |||
| radiusAuthClientMIBCompliances OBJECT IDENTIFIER | radiusAuthClientMIBCompliances OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIBConformance 1 } | ::= { radiusAuthClientMIBConformance 1 } | |||
| radiusAuthClientMIBGroups OBJECT IDENTIFIER | radiusAuthClientMIBGroups OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIBConformance 2 } | ::= { radiusAuthClientMIBConformance 2 } | |||
| skipping to change at page 16, line 4 | skipping to change at page 17, line 16 | |||
| radiusAuthClientMIBConformance OBJECT IDENTIFIER | radiusAuthClientMIBConformance OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIB 2 } | ::= { radiusAuthClientMIB 2 } | |||
| radiusAuthClientMIBCompliances OBJECT IDENTIFIER | radiusAuthClientMIBCompliances OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIBConformance 1 } | ::= { radiusAuthClientMIBConformance 1 } | |||
| radiusAuthClientMIBGroups OBJECT IDENTIFIER | radiusAuthClientMIBGroups OBJECT IDENTIFIER | |||
| ::= { radiusAuthClientMIBConformance 2 } | ::= { radiusAuthClientMIBConformance 2 } | |||
| -- compliance statements | -- compliance statements | |||
| radiusAuthClientMIBCompliance MODULE-COMPLIANCE | radiusAuthClientMIBCompliance MODULE-COMPLIANCE | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The compliance statement for authentication clients | "The compliance statement for authentication clients | |||
| implementing the RADIUS Authentication Client MIB." | implementing the RADIUS Authentication Client MIB. | |||
| Implementation of this module is for IPv4-only | ||||
| entities, or for backwards compatibility use with | ||||
| entities that support both IPv4 and IPv6." | ||||
| MODULE -- this module | MODULE -- this module | |||
| MANDATORY-GROUPS { radiusAuthClientMIBGroup } | MANDATORY-GROUPS { radiusAuthClientMIBGroup } | |||
| ::= { radiusAuthClientMIBCompliances 1 } | ::= { radiusAuthClientMIBCompliances 1 } | |||
| radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE | radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The compliance statement for authentication | "The compliance statement for authentication | |||
| clients implementing the RADIUS Authentication | clients implementing the RADIUS Authentication | |||
| Client IPv6 Extensions MIB." | Client IPv6 Extensions MIB. Implementation of | |||
| this module is for entities that support IPv6, | ||||
| or support IPv4 and IPv6." | ||||
| MODULE -- this module | MODULE -- this module | |||
| MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } | MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } | |||
| ::= { radiusAuthClientMIBCompliances 2 } | ::= { radiusAuthClientMIBCompliances 2 } | |||
| -- units of conformance | -- units of conformance | |||
| radiusAuthClientMIBGroup OBJECT-GROUP | radiusAuthClientMIBGroup OBJECT-GROUP | |||
| OBJECTS { radiusAuthClientIdentifier, | OBJECTS { radiusAuthClientIdentifier, | |||
| radiusAuthClientInvalidServerAddresses, | radiusAuthClientInvalidServerAddresses, | |||
| skipping to change at page 17, line 44 | skipping to change at page 19, line 17 | |||
| This document requires no new IANA assignments. | This document requires no new IANA assignments. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| There are no management objects defined in this MIB that have a MAX- | There are no management objects defined in this MIB that have a MAX- | |||
| ACCESS clause of read-write and/or read-create. So, if this MIB is | ACCESS clause of read-write and/or read-create. So, if this MIB is | |||
| implemented correctly, then there is no risk that an intruder can | implemented correctly, then there is no risk that an intruder can | |||
| alter or create any management objects of this MIB via direct SNMP | alter or create any management objects of this MIB via direct SNMP | |||
| SET operations. | SET operations. | |||
| There are a number of managed objects in this MIB that may contain | Some of the readable objects in this MIB module (i.e., objects with a | |||
| sensitive information. These are: | MAX-ACCESS other than not-accessible) may be considered sensitive or | |||
| vulnerable in some network environments. It is thus important to | ||||
| control even GET and/or NOTIFY access to these objects and possibly | ||||
| to even encrypt the values of these objects when sending them over | ||||
| the network via SNMP. These are the tables and objects and their | ||||
| sensitivity/vulnerability: | ||||
| radiusAuthServerIPAddress This can be used to determine the address | radiusAuthServerIPAddress This can be used to determine the address | |||
| of the RADIUS authentication server with which the client is | of the RADIUS authentication server with which the client is | |||
| communicating. This information could be useful in mounting an | communicating. This information could be useful in mounting an | |||
| attack on the authentication server. | attack on the authentication server. | |||
| radiusAuthServerInetAddress This can be used to determine the address | radiusAuthServerInetAddress This can be used to determine the address | |||
| of the RADIUS authentication server with which the client is | of the RADIUS authentication server with which the client is | |||
| communicating. This information could be useful in mounting an | communicating. This information could be useful in mounting an | |||
| attack on the authentication server. | attack on the authentication server. | |||
| radiusAuthClientServerInetPortNumber This can be used to determine | radiusAuthClientServerInetPortNumber This can be used to determine | |||
| the port number on which the RADIUS authentication client is | the port number on which the RADIUS authentication client is | |||
| sending. This information could be useful in impersonating the | sending. This information could be useful in impersonating the | |||
| client in order to send data to the authentication server. | client in order to send data to the authentication server. | |||
| It is thus important to control even GET access to these objects and | SNMP versions prior to SNMPv3 did not include adequate security. | |||
| possibly to even encrypt the values of these object when sending them | Even if the network itself is secure (for example by using IPsec), | |||
| over the network via SNMP. Not all versions of SNMP provide features | even then, there is no control as to who on the secure network is | |||
| for such a secure environment. | allowed to access and GET/SET (read/change/create/delete) the objects | |||
| in this MIB module. | ||||
| SNMP versions prior to SNMPv3 do not provide a secure environment. | ||||
| Even if the network itself is secure (for example by using IPSec), | ||||
| there is no control as to who on the secure network is allowed to | ||||
| access and GET/SET (read/change/create/delete) the objects in this | ||||
| MIB. | ||||
| It is recommended that the implementers consider the security | It is RECOMMENDED that implementers consider the security features as | |||
| features as provided by the SNMPv3 framework. Specifically, the use | provided by the SNMPv3 framework (see [RFC3410], section 8), | |||
| of the User-based Security Model [RFC2574] and the View-based Access | including full support for the SNMPv3 cryptographic mechanisms (for | |||
| Control Model [RFC2575] is recommended. Using these security | authentication and privacy). | |||
| features, customer/users can give access to the objects only to those | ||||
| principals (users) that have legitimate rights to GET or SET (change/ | ||||
| create/delete) them. | ||||
| 10. References | Further, deployment of SNMP versions prior to SNMPv3 is NOT | |||
| RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | ||||
| enable cryptographic security. It is then a customer/operator | ||||
| responsibility to ensure that the SNMP entity giving access to an | ||||
| instance of this MIB module is properly configured to give access to | ||||
| the objects only to those principals (users) that have legitimate | ||||
| rights to indeed GET or SET (change/create/delete) them | ||||
| 10.1. Normative References | 10. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model | [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model | |||
| (USM) for version 3 of the Simple Network Management | (USM) for version 3 of the Simple Network Management | |||
| Protocol (SNMPv3)", RFC 2574, April 1999. | Protocol (SNMPv3)", RFC 2574, April 1999. | |||
| [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based | [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based | |||
| Access Control Model (VACM) for the Simple Network | Access Control Model (VACM) for the Simple Network | |||
| skipping to change at page 19, line 18 | skipping to change at page 20, line 36 | |||
| Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | |||
| [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
| Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
| STD 58, RFC 2579, April 1999. | STD 58, RFC 2579, April 1999. | |||
| [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | |||
| "Conformance Statements for SMIv2", STD 58, RFC 2580, | "Conformance Statements for SMIv2", STD 58, RFC 2580, | |||
| April 1999. | April 1999. | |||
| [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | ||||
| RFC 2618, June 1999. | ||||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | ||||
| "Remote Authentication Dial In User Service (RADIUS)", | ||||
| RFC 2865, June 2000. | ||||
| [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
| "Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
| Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
| [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | ||||
| Architecture for Describing Simple Network Management | ||||
| Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | ||||
| December 2002. | ||||
| [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3418, December 2002. | RFC 3418, December 2002. | |||
| [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | |||
| Schoenwaelder, "Textual Conventions for Internet Network | Schoenwaelder, "Textual Conventions for Internet Network | |||
| Addresses", RFC 4001, February 2005. | Addresses", RFC 4001, February 2005. | |||
| 10.2. Informative References | ||||
| [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | ||||
| RFC 2618, June 1999. | ||||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | ||||
| "Remote Authentication Dial In User Service (RADIUS)", | ||||
| RFC 2865, June 2000. | ||||
| Appendix A. Acknowledgments | Appendix A. Acknowledgments | |||
| The Authors of the original MIB are Bernard Aboba and Glen Zorn. | The Authors of the original MIB are Bernard Aboba and Glen Zorn. | |||
| Many thanks to all reviewers, especially to Dave Harrington, Dan | Many thanks to all reviewers, especially to Dave Harrington, Dan | |||
| Romascanu, C.M. Heard, Bruno Pape and Greg Weber. | Romascanu, C.M. Heard, Bruno Pape and Greg Weber. | |||
| Author's Address | Author's Address | |||
| David B. Nelson | David B. Nelson | |||
| skipping to change at page 21, line 41 | skipping to change at page 23, line 41 | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Copyright Statement | Copyright Statement | |||
| Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| End of changes. 78 change blocks. | ||||
| 68 lines changed or deleted | 147 lines changed or added | |||
This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||