draft-ietf-radext-rfc2618bis-04.txt | rfc4668.txt | |||
---|---|---|---|---|
Network Working Group D. Nelson | Network Working Group D. Nelson | |||
Internet-Draft Enterasys Networks | Request for Comments: 4668 Enterasys Networks | |||
Obsoletes: RFC 2618 (if approved) June 26, 2006 | Obsoletes: 2618 August 2006 | |||
Expires: December 28, 2006 | Category: Standards Track | |||
RADIUS Authentication Client MIB for IPV6 | ||||
draft-ietf-radext-rfc2618bis-04.txt | ||||
Status of this Memo | ||||
By submitting this Internet-Draft, each author represents that any | ||||
applicable patent or other IPR claims of which he or she is aware | ||||
have been or will be disclosed, and any of which he or she becomes | ||||
aware will be disclosed, in accordance with Section 6 of BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF), its areas, and its working groups. Note that | ||||
other groups may also distribute working documents as Internet- | ||||
Drafts. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | ||||
and may be updated, replaced, or obsoleted by other documents at any | ||||
time. It is inappropriate to use Internet-Drafts as reference | ||||
material or to cite them other than as "work in progress." | ||||
The list of current Internet-Drafts can be accessed at | RADIUS Authentication Client MIB for IPv6 | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
The list of Internet-Draft Shadow Directories can be accessed at | Status of This Memo | |||
http://www.ietf.org/shadow.html. | ||||
This Internet-Draft will expire on December 28, 2006. | This document specifies an Internet standards track protocol for the | |||
Internet community, and requests discussion and suggestions for | ||||
improvements. Please refer to the current edition of the "Internet | ||||
Official Protocol Standards" (STD 1) for the standardization state | ||||
and status of this protocol. Distribution of this memo is unlimited. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
This memo defines a set of extensions, which instrument RADIUS | This memo defines a set of extensions that instrument RADIUS | |||
authentication client functions. These extensions represent a | authentication client functions. These extensions represent a | |||
portion of the Management Information Base (MIB) for use with network | portion of the Management Information Base (MIB) for use with network | |||
management protocols in the Internet community. Using these | management protocols in the Internet community. Using these | |||
extensions IP-based management stations can manage RADIUS | extensions, IP-based management stations can manage RADIUS | |||
authentication clients. | authentication clients. | |||
This memo obsoletes RFC 2618 by deprecating the MIB table containing | This memo obsoletes RFC 2618 by deprecating the MIB table containing | |||
IPv4-only address formats and defining a new table to add support for | IPv4-only address formats and defining a new table to add support for | |||
version neutral IP address formats. The remaining MIB objects from | version-neutral IP address formats. The remaining MIB objects from | |||
RFC 2618 are carried forward into this document. The memo also adds | RFC 2618 are carried forward into this document. The memo also adds | |||
UNITS and REFERENCE clauses to selected objects. | UNITS and REFERENCE clauses to selected objects. | |||
Table of Contents | Table of Contents | |||
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................3 | |||
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology .....................................................3 | |||
3. The Internet-Standard Management Framework . . . . . . . . . . 3 | 3. The Internet-Standard Management Framework ......................3 | |||
4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Scope of Changes ................................................3 | |||
5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | 5. Structure of the MIB Module .....................................4 | |||
6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 | 6. Deprecated Objects ..............................................5 | |||
7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Definitions .....................................................5 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 8. Security Considerations ........................................20 | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 9. References .....................................................22 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 9.1. Normative References ......................................22 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 22 | 9.2. Informative References ....................................22 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 22 | Appendix A. Acknowledgements ......................................23 | |||
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 | ||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 | ||||
Intellectual Property and Copyright Statements . . . . . . . . . . 24 | ||||
1. Terminology | 1. Introduction | |||
This memo defines a portion of the Management Information Base (MIB) | ||||
for use with network management protocols in the Internet community. | ||||
The objects defined within this memo relate to the Remote | ||||
Authentication Dial-In User Service (RADIUS) Authentication Client as | ||||
defined in RFC 2865 [RFC2865]. | ||||
2. Terminology | ||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
This document uses terminology from RFC 2865 [RFC2865]. | This document uses terminology from RFC 2865 [RFC2865]. | |||
This document uses the word "malformed" with respect to RADIUS | This document uses the word "malformed" with respect to RADIUS | |||
packets, particularly in the context of counters of "malformed | packets, particularly in the context of counters of "malformed | |||
packets". While RFC 2865 does not provide an explicit definition of | packets". While RFC 2865 does not provide an explicit definition of | |||
"malformed", malformed generally means that the implementation has | "malformed", malformed generally means that the implementation has | |||
determined the packet does not match the format defined in RFC 2865. | determined the packet does not match the format defined in RFC 2865. | |||
Some implementations may determine that packets are malformed when | Some implementations may determine that packets are malformed when | |||
the Vendor Specific Attribute (VSA) format does not follow the RFC | the Vendor Specific Attribute (VSA) format does not follow the RFC | |||
2865 recommendations for VSAs. Those implementations are used in | 2865 recommendations for VSAs. Those implementations are used in | |||
deployments today, and thus set the de-facto definition of | deployments today, and thus set the de facto definition of | |||
"malformed". | "malformed". | |||
2. Introduction | ||||
This memo defines a portion of the Management Information Base (MIB) | ||||
for use with network management protocols in the Internet community. | ||||
The objects defined within this memo relate to the Remote | ||||
Authentication Dial-In User Service (RADIUS) Authentication Client as | ||||
defined in RFC 2865 [RFC2865]. | ||||
3. The Internet-Standard Management Framework | 3. The Internet-Standard Management Framework | |||
For a detailed overview of the documents that describe the current | For a detailed overview of the documents that describe the current | |||
Internet-Standard Management Framework, please refer to section 7 of | Internet-Standard Management Framework, please refer to section 7 of | |||
RFC 3410 [RFC3410]. | RFC 3410 [RFC3410]. | |||
Managed objects are accessed via a virtual information store, termed | Managed objects are accessed via a virtual information store, termed | |||
the Management Information Base or MIB. MIB objects are generally | the Management Information Base or MIB. MIB objects are generally | |||
accessed through the Simple Network Management Protocol (SNMP). | accessed through the Simple Network Management Protocol (SNMP). | |||
Objects in the MIB are defined using the mechanisms defined in the | Objects in the MIB are defined using the mechanisms defined in the | |||
skipping to change at page 4, line 8 | skipping to change at page 4, line 5 | |||
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 | RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 | |||
[RFC2580]. | [RFC2580]. | |||
4. Scope of Changes | 4. Scope of Changes | |||
This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | |||
Client MIB, by deprecating the radiusAuthServerTable table and adding | Client MIB, by deprecating the radiusAuthServerTable table and adding | |||
a new table, radiusAuthServerExtTable, containing | a new table, radiusAuthServerExtTable, containing | |||
radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | |||
radiusAuthClientServerInetPortNumber. The purpose of these added MIB | radiusAuthClientServerInetPortNumber. The purpose of these added MIB | |||
objects is to support version neutral IP addressing formats. The | objects is to support version-neutral IP addressing formats. The | |||
existing table containing radiusAuthServerAddress and | existing table containing radiusAuthServerAddress and | |||
radiusAuthClientServerPortNumber is deprecated. The remaining MIB | radiusAuthClientServerPortNumber is deprecated. The remaining MIB | |||
objects are carried forward from RFC 2618 into this document. This | objects are carried forward from RFC 2618 into this document. This | |||
memo also adds UNITS and REFERENCE clauses to selected objects. | memo also adds UNITS and REFERENCE clauses to selected objects. | |||
RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | |||
IPv6 addresses, contains the following recommendation. | IPv6 addresses, contains the following recommendation. | |||
'In particular, when revising a MIB module that contains IPv4 | 'In particular, when revising a MIB module that contains IPv4 | |||
specific tables, it is suggested to define new tables using the | specific tables, it is suggested to define new tables using the | |||
skipping to change at page 4, line 31 | skipping to change at page 4, line 28 | |||
whereas the status of the old IP version specific tables SHOULD be | whereas the status of the old IP version specific tables SHOULD be | |||
changed to "deprecated". The other approach, of having multiple | changed to "deprecated". The other approach, of having multiple | |||
similar tables for different IP versions, is strongly discouraged.' | similar tables for different IP versions, is strongly discouraged.' | |||
5. Structure of the MIB Module | 5. Structure of the MIB Module | |||
The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | |||
distinguishes between the client function and the server function. | distinguishes between the client function and the server function. | |||
In RADIUS authentication, clients send Access-Requests, and servers | In RADIUS authentication, clients send Access-Requests, and servers | |||
reply with Access-Accepts, Access-Rejects, and Access-Challenges. | reply with Access-Accepts, Access-Rejects, and Access-Challenges. | |||
Typically Network Access Server (NAS) devices implement the client | Typically, Network Access Server (NAS) devices implement the client | |||
function, and thus would be expected to implement the RADIUS | function, and thus would be expected to implement the RADIUS | |||
authentication client MIB, while RADIUS authentication servers | authentication client MIB, while RADIUS authentication servers | |||
implement the server function, and thus would be expected to | implement the server function, and thus would be expected to | |||
implement the RADIUS authentication server MIB. | implement the RADIUS authentication server MIB. | |||
However, it is possible for a RADIUS authentication entity to perform | However, it is possible for a RADIUS authentication entity to perform | |||
both client and server functions. For example, a RADIUS proxy may | both client and server functions. For example, a RADIUS proxy may | |||
act as a server to one or more RADIUS authentication clients, while | act as a server to one or more RADIUS authentication clients, while | |||
simultaneously acting as an authentication client to one or more | simultaneously acting as an authentication client to one or more | |||
authentication servers. In such situations, it is expected that | authentication servers. In such situations, it is expected that | |||
RADIUS entities combining client and server functionality will | RADIUS entities combining client and server functionality will | |||
support both the client and server MIBs. The client MIB is defined | support both the client and server MIBs. The client MIB is defined | |||
in this document, and the server MIB is defined in [2619bis]. | in this document, and the server MIB is defined in [RFC4669]. | |||
RFC Editor: Replace the above I-D reference with the assigned RFC | ||||
number at the time of publication and delete this note. | ||||
This MIB module contains two scalars as well as a single table, the | This MIB module contains two scalars as well as a single table, the | |||
RADIUS Authentication Server Table, which contains one row for each | RADIUS Authentication Server Table, which contains one row for each | |||
RADIUS authentication server with which the client shares a secret. | RADIUS authentication server with which the client shares a secret. | |||
Each entry in the RADIUS Authentication Server Table includes sixteen | Each entry in the RADIUS Authentication Server Table includes sixteen | |||
columns presenting a view of the activity of the RADIUS | columns presenting a view of the activity of the RADIUS | |||
authentication client. | authentication client. | |||
This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001]. | ||||
6. Deprecated Objects | 6. Deprecated Objects | |||
The deprecated table in this MIB is carried forward from RFC 2618 | The deprecated table in this MIB is carried forward from RFC 2618 | |||
[RFC2618]. There are two conditions under which it MAY be desirable | [RFC2618]. There are two conditions under which it MAY be desirable | |||
for managed entities to continue to support the deprecated table: | for managed entities to continue to support the deprecated table: | |||
1. The managed entity only supports IPv4 address formats. | 1. The managed entity only supports IPv4 address formats. | |||
2. The managed entity supports both IPv4 and IPv6 address formats, | 2. The managed entity supports both IPv4 and IPv6 address formats, | |||
and the deprecated table is supported for backwards compatibility | and the deprecated table is supported for backwards compatibility | |||
with older management stations. This option SHOULD only be used | with older management stations. This option SHOULD only be used | |||
when the IP addresses in the new table are in IPv4 format and can | when the IP addresses in the new table are in IPv4 format and can | |||
accurately be represented in both the new table and the | accurately be represented in both the new table and the | |||
deprecated table. | deprecated table. | |||
Managed entities SHOULD NOT instantiate row entries in the deprecated | Managed entities SHOULD NOT instantiate row entries in the deprecated | |||
table, containing IPv4-only address objects, when the RADIUS server | table, containing IPv4-only address objects, when the RADIUS server | |||
address represented in such a table row is not an IPv4 address. | address represented in such a table row is not an IPv4 address. | |||
Managed entities SHOULD NOT return inaccurate values of IP address or | Managed entities SHOULD NOT return inaccurate values of IP address or | |||
SNMP object access errors for IPv4-only address objects in otherwise | SNMP object access errors for IPv4-only address objects in otherwise | |||
populated tables. When row entries exist in both the deprecated | populated tables. When row entries exist in both the deprecated | |||
IPv4-only table and the new IP version neutral table that describe | IPv4-only table and the new IP-version-neutral table that describe | |||
the same RADIUS server, the row indexes SHOULD be the same for the | the same RADIUS server, the row indexes SHOULD be the same for the | |||
corresponding rows in each table, to facilitate correlation of these | corresponding rows in each table, to facilitate correlation of these | |||
related rows by management applications. | related rows by management applications. | |||
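The rules of Section 6 (rows in the deprecated IPv4-only table only when the server address really is an IPv4 address, the same row index in both tables for the same server, a port of zero invalid) rest on the InetAddressType/InetAddress textual conventions of RFC 4001. The following is an added worked example in Python, not text or code from RFC 4668 or RFC 2618: the ExtRow type, the function names and the three sample server rows are constructed for illustration, and the InetAddressType codes and octet lengths are those of RFC 4001.

```python
"""Added example (not from RFC 4668): the IP-version-neutral server table of
RADIUS-AUTH-CLIENT-MIB (radiusAuthServerExtTable) next to the deprecated
IPv4-only table (radiusAuthServerTable), applying the Section 6 rules.
InetAddressType codes and octet lengths follow RFC 4001 (INET-ADDRESS-MIB);
the server rows at the bottom are constructed sample data."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# InetAddressType enumeration values from RFC 4001.
UNKNOWN, IPV4, IPV6, IPV4Z, IPV6Z, DNS = 0, 1, 2, 3, 4, 16


@dataclass(frozen=True)
class ExtRow:
    """One radiusAuthServerExtEntry: row index, radiusAuthServerInetAddressType,
    radiusAuthServerInetAddress octets and radiusAuthClientServerInetPortNumber."""
    index: int
    addr_type: int
    addr: bytes
    port: int


def decode_inet_address(addr_type: int, octets: bytes) -> str:
    """Render an InetAddress as text according to its InetAddressType.
    Length/type mismatches raise instead of being guessed at."""
    if addr_type == IPV4 and len(octets) == 4:
        return str(ipaddress.IPv4Address(octets))
    if addr_type == IPV6 and len(octets) == 16:
        return str(ipaddress.IPv6Address(octets))
    if addr_type == IPV4Z and len(octets) == 8:      # 4 address + 4 zone-index octets
        return f"{ipaddress.IPv4Address(octets[:4])}%{struct.unpack('!I', octets[4:])[0]}"
    if addr_type == IPV6Z and len(octets) == 20:     # 16 address + 4 zone-index octets
        return f"{ipaddress.IPv6Address(octets[:16])}%{struct.unpack('!I', octets[16:])[0]}"
    if addr_type == DNS and 1 <= len(octets) <= 255:
        return octets.decode("ascii")
    raise ValueError(f"InetAddressType {addr_type} with {len(octets)} octets is not valid")


def port_is_valid(port: int) -> bool:
    # radiusAuthClientServerInetPortNumber is InetPortNumber (1..65535); zero is invalid.
    return 1 <= port <= 65535


def row_is_well_formed(row: ExtRow) -> bool:
    """True when the address decodes under its declared type and the port is legal."""
    try:
        decode_inet_address(row.addr_type, row.addr)
    except ValueError:
        return False
    return port_is_valid(row.port)


def ext_table_view(rows: List[ExtRow]) -> List[Tuple[int, str, int]]:
    """What a manager would display for radiusAuthServerExtTable; malformed rows are skipped."""
    return [(r.index, decode_inet_address(r.addr_type, r.addr), r.port)
            for r in rows if row_is_well_formed(r)]


def deprecated_table_rows(rows: List[ExtRow]) -> Dict[int, Tuple[str, int]]:
    """Rows a managed entity MAY still instantiate in the deprecated radiusAuthServerTable.

    Section 6: only servers whose address is an IPv4 address go there, under the
    same index as in radiusAuthServerExtTable so managers can correlate the rows.
    Zoned (ipv4z) addresses are left out because the zone index cannot be carried
    in an IpAddress (a choice made for this example)."""
    return {r.index: (decode_inet_address(r.addr_type, r.addr), r.port)
            for r in rows if r.addr_type == IPV4 and row_is_well_formed(r)}


# Constructed sample data: one IPv4 server, one IPv6 server, one zoned IPv4 server.
SAMPLE_ROWS = [
    ExtRow(1, IPV4, bytes([192, 0, 2, 10]), 1812),
    ExtRow(2, IPV6, ipaddress.IPv6Address("2001:db8::1").packed, 1812),
    ExtRow(3, IPV4Z, bytes([10, 0, 0, 1]) + struct.pack("!I", 7), 1812),
]

if __name__ == "__main__":
    for entry in ext_table_view(SAMPLE_ROWS):
        print("ext   ", entry)
    for idx, entry in deprecated_table_rows(SAMPLE_ROWS).items():
        print("legacy", idx, entry)
```

With the sample rows, the version-neutral view lists all three servers while the deprecated table gets only row 1, under the same index; a manager that finds row 2 missing from radiusAuthServerTable should therefore look it up in radiusAuthServerExtTable rather than treat the server as gone.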
7. Definitions | 7. Definitions | |||
RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | |||
IMPORTS | IMPORTS | |||
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | |||
Counter32, Integer32, Gauge32, | Counter32, Integer32, Gauge32, | |||
IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | |||
SnmpAdminString FROM SNMP-FRAMEWORK-MIB | SnmpAdminString FROM SNMP-FRAMEWORK-MIB | |||
InetAddressType, InetAddress, | InetAddressType, InetAddress, | |||
InetPortNumber FROM INET-ADDRESS-MIB | InetPortNumber FROM INET-ADDRESS-MIB | |||
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | |||
radiusAuthClientMIB MODULE-IDENTITY | radiusAuthClientMIB MODULE-IDENTITY | |||
LAST-UPDATED "200608210000Z" -- 21 August 2006 | ||||
ORGANIZATION "IETF RADIUS Extensions Working Group." | ORGANIZATION "IETF RADIUS Extensions Working Group." | |||
CONTACT-INFO | CONTACT-INFO | |||
" Bernard Aboba | " Bernard Aboba | |||
Microsoft | Microsoft | |||
One Microsoft Way | One Microsoft Way | |||
Redmond, WA 98052 | Redmond, WA 98052 | |||
US | US | |||
Phone: +1 425 936 6605 | Phone: +1 425 936 6605 | |||
EMail: bernarda@microsoft.com" | EMail: bernarda@microsoft.com" | |||
DESCRIPTION | DESCRIPTION | |||
"The MIB module for entities implementing the client | "The MIB module for entities implementing the client | |||
side of the Remote Authentication Dial-In User Service | side of the Remote Authentication Dial-In User Service | |||
(RADIUS) authentication protocol. Copyright (C) The | (RADIUS) authentication protocol. Copyright (C) The | |||
Internet Society (2006). This version of this MIB | Internet Society (2006). This version of this MIB | |||
module is part of RFC xxxx; see the RFC itself for | module is part of RFC 4668; see the RFC itself for | |||
full legal notices." | full legal notices." | |||
REVISION "200608210000Z" -- 21 August 2006 | ||||
-- RFC Editor: replace xxxx with actual RFC number at the time of | ||||
-- publication, and remove this note. | ||||
DESCRIPTION | DESCRIPTION | |||
"Revised version as published in RFC xxxx. This | "Revised version as published in RFC 4668. This | |||
version obsoletes that of RFC 2618 by deprecating | version obsoletes that of RFC 2618 by deprecating | |||
the MIB table containing IPv4-only address formats | the MIB table containing IPv4-only address formats | |||
and defining a new table to add support for version | and defining a new table to add support for version | |||
neutral IP address formats. The remaining MIB objects | neutral IP address formats. The remaining MIB objects | |||
from RFC 2618 are carried forward into this version." | from RFC 2618 are carried forward into this version." | |||
-- RFC Editor: replace xxxx with actual RFC number at the time of | ||||
-- publication, and remove this note. | ||||
DESCRIPTION "Initial version as published in RFC 2618." | DESCRIPTION "Initial version as published in RFC 2618." | |||
::= { radiusAuthentication 2 } | ::= { radiusAuthentication 2 } | |||
radiusMIB OBJECT-IDENTITY | radiusMIB OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The OID assigned to RADIUS MIB work by the IANA." | "The OID assigned to RADIUS MIB work by the IANA." | |||
::= { mib-2 67 } | ::= { mib-2 67 } | |||
radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | |||
skipping to change at page 11, line 19 | skipping to change at page 11, line 5 | |||
radiusAuthClientPendingRequests OBJECT-TYPE | radiusAuthClientPendingRequests OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
or received a response. This variable is incremented | or received a response. This variable is incremented | |||
when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
receipt of an Access-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject, | |||
Access-Challenge, a timeout or retransmission." | Access-Challenge, timeout, or retransmission." | |||
REFERENCE "RFC 2865 section 2" | REFERENCE "RFC 2865 section 2" | |||
::= { radiusAuthServerEntry 12 } | ::= { radiusAuthServerEntry 12 } | |||
radiusAuthClientTimeouts OBJECT-TYPE | radiusAuthClientTimeouts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "timeouts" | UNITS "timeouts" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
After a timeout the client may retry to the same | After a timeout, the client may retry to the same | |||
server, send to a different server, or | server, send to a different server, or | |||
give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | |||
::= { radiusAuthServerEntry 13 } | ::= { radiusAuthServerEntry 13 } | |||
radiusAuthClientUnknownTypes OBJECT-TYPE | radiusAuthClientUnknownTypes OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type that | |||
were received from this server on the authentication | were received from this server on the authentication | |||
port." | port." | |||
::= { radiusAuthServerEntry 14 } | ::= { radiusAuthServerEntry 14 } | |||
radiusAuthClientPacketsDropped OBJECT-TYPE | radiusAuthClientPacketsDropped OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS deprecated | STATUS deprecated | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of which were | "The number of RADIUS packets that were | |||
received from this server on the authentication port | received from this server on the authentication port | |||
and dropped for some other reason." | and dropped for some other reason." | |||
::= { radiusAuthServerEntry 15 } | ::= { radiusAuthServerEntry 15 } | |||
-- New MIB Objects in this revision | -- New MIB Objects in this revision | |||
radiusAuthServerExtTable OBJECT-TYPE | radiusAuthServerExtTable OBJECT-TYPE | |||
SYNTAX SEQUENCE OF RadiusAuthServerExtEntry | SYNTAX SEQUENCE OF RadiusAuthServerExtEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
skipping to change at page 13, line 34 | skipping to change at page 13, line 20 | |||
radiusAuthServerInetAddress object." | radiusAuthServerInetAddress object." | |||
::= { radiusAuthServerExtEntry 2 } | ::= { radiusAuthServerExtEntry 2 } | |||
radiusAuthServerInetAddress OBJECT-TYPE | radiusAuthServerInetAddress OBJECT-TYPE | |||
SYNTAX InetAddress | SYNTAX InetAddress | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The IP address of the RADIUS authentication | "The IP address of the RADIUS authentication | |||
server referred to in this table entry, using | server referred to in this table entry, using | |||
the version neutral IP address format." | the version-neutral IP address format." | |||
::= { radiusAuthServerExtEntry 3 } | ::= { radiusAuthServerExtEntry 3 } | |||
radiusAuthClientServerInetPortNumber OBJECT-TYPE | radiusAuthClientServerInetPortNumber OBJECT-TYPE | |||
SYNTAX InetPortNumber ( 1..65535 ) | SYNTAX InetPortNumber ( 1..65535 ) | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The UDP port the client is using to send requests | "The UDP port the client is using to send requests | |||
to this server. The value of zero (0) is invalid." | to this server. The value of zero (0) is invalid." | |||
REFERENCE "RFC 2865 section 3" | REFERENCE "RFC 2865 section 3" | |||
skipping to change at page 16, line 7 | skipping to change at page 15, line 40 | |||
"The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
(valid or invalid) received from this server. | (valid or invalid) received from this server. | |||
This counter may experience a discontinuity when | This counter may experience a discontinuity when | |||
the RADIUS Client module within the managed | the RADIUS Client module within the managed | |||
entity is reinitialized, as indicated by the | entity is reinitialized, as indicated by the | |||
current value of | current value of | |||
radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
REFERENCE "RFC 2865 section 4.4" | REFERENCE "RFC 2865 section 4.4" | |||
::= { radiusAuthServerExtEntry 10 } | ::= { radiusAuthServerExtEntry 10 } | |||
-- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge, | |||
-- or Access-Reject | -- or Access-Reject | |||
radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
packets received from this server. | packets received from this server. | |||
skipping to change at page 17, line 7 | skipping to change at page 16, line 40 | |||
radiusAuthClientExtPendingRequests OBJECT-TYPE | radiusAuthClientExtPendingRequests OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
or received a response. This variable is incremented | or received a response. This variable is incremented | |||
when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
receipt of an Access-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject, | |||
Access-Challenge, a timeout or retransmission." | Access-Challenge, timeout, or retransmission." | |||
REFERENCE "RFC 2865 section 2" | REFERENCE "RFC 2865 section 2" | |||
::= { radiusAuthServerExtEntry 13 } | ::= { radiusAuthServerExtEntry 13 } | |||
radiusAuthClientExtTimeouts OBJECT-TYPE | radiusAuthClientExtTimeouts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "timeouts" | UNITS "timeouts" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
After a timeout the client may retry to the same | After a timeout, the client may retry to the same | |||
server, send to a different server, or | server, send to a different server, or | |||
give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
server is counted as a Request as well as a timeout. | server is counted as a Request as well as a timeout. | |||
This counter may experience a discontinuity when the | This counter may experience a discontinuity when the | |||
RADIUS Client module within the managed entity is | RADIUS Client module within the managed entity is | |||
reinitialized, as indicated by the current value of | reinitialized, as indicated by the current value of | |||
radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
REFERENCE "RFC 2865 sections 2.5, 4.1" | REFERENCE "RFC 2865 sections 2.5, 4.1" | |||
::= { radiusAuthServerExtEntry 14 } | ::= { radiusAuthServerExtEntry 14 } | |||
radiusAuthClientExtUnknownTypes OBJECT-TYPE | radiusAuthClientExtUnknownTypes OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type that | |||
were received from this server on the authentication | were received from this server on the authentication | |||
port. This counter may experience a discontinuity | port. This counter may experience a discontinuity | |||
when the RADIUS Client module within the managed | when the RADIUS Client module within the managed | |||
entity is reinitialized, as indicated by the current | entity is reinitialized, as indicated by the current | |||
value of radiusAuthClientCounterDiscontinuity." | value of radiusAuthClientCounterDiscontinuity." | |||
REFERENCE "RFC 2865 section 4" | REFERENCE "RFC 2865 section 4" | |||
::= { radiusAuthServerExtEntry 15 } | ::= { radiusAuthServerExtEntry 15 } | |||
radiusAuthClientExtPacketsDropped OBJECT-TYPE | radiusAuthClientExtPacketsDropped OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
UNITS "packets" | UNITS "packets" | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of RADIUS packets of which were | "The number of RADIUS packets that were | |||
received from this server on the authentication port | received from this server on the authentication port | |||
and dropped for some other reason. This counter may | and dropped for some other reason. This counter may | |||
experience a discontinuity when the RADIUS Client | experience a discontinuity when the RADIUS Client | |||
module within the managed entity is reinitialized, | module within the managed entity is reinitialized, | |||
as indicated by the current value of | as indicated by the current value of | |||
radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
::= { radiusAuthServerExtEntry 16 } | ::= { radiusAuthServerExtEntry 16 } | |||
radiusAuthClientCounterDiscontinuity OBJECT-TYPE | radiusAuthClientCounterDiscontinuity OBJECT-TYPE | |||
SYNTAX TimeTicks | SYNTAX TimeTicks | |||
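Review bot: radiusAuthClientExtPacketsDropped (the object ending `::= { radiusAuthServerExtEntry 16 }`) is the only counter in this hunk without a REFERENCE clause, and its DESCRIPTION says the packets were "dropped for some other reason" without saying which reasons are excluded. The neighbouring objects cite RFC 2865 sections (`REFERENCE "RFC 2865 sections 2.5, 4.1"`, `REFERENCE "RFC 2865 section 4"`), so add a REFERENCE here and state that this counter covers drops not already counted by the other per-server counters such as radiusAuthClientExtUnknownTypes; an operator correlating counters otherwise cannot tell whether a rise in this value is a distinct symptom or a duplicate of one already counted. The rewording at the top of the hunk from "Access-Reject or Access-Challenge, a timeout or retransmission" to "Access-Reject, Access-Challenge, timeout, or retransmission" reads as the intended single list, and the pair of "After a timeout(,) the client may retry to the same" lines is just the before/after of a comma fix.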
skipping to change at page 20, line 31 | skipping to change at page 20, line 18 | |||
radiusAuthClientExtPendingRequests, | radiusAuthClientExtPendingRequests, | |||
radiusAuthClientExtTimeouts, | radiusAuthClientExtTimeouts, | |||
radiusAuthClientExtUnknownTypes, | radiusAuthClientExtUnknownTypes, | |||
radiusAuthClientExtPacketsDropped, | radiusAuthClientExtPacketsDropped, | |||
radiusAuthClientCounterDiscontinuity | radiusAuthClientCounterDiscontinuity | |||
} | } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The collection of extended objects providing | "The collection of extended objects providing | |||
management of RADIUS Authentication Clients | management of RADIUS Authentication Clients | |||
using version neutral IP address format." | using version-neutral IP address format." | |||
::= { radiusAuthClientMIBGroups 2 } | ::= { radiusAuthClientMIBGroups 2 } | |||
END | END | |||
8. IANA Considerations | 8. Security Considerations | |||
This document requires no new IANA assignments. | ||||
9. Security Considerations | ||||
There are no management objects defined in this MIB that have a MAX- | There are no management objects defined in this MIB that have a MAX- | |||
ACCESS clause of read-write and/or read-create. So, if this MIB is | ACCESS clause of read-write and/or read-create. So, if this MIB is | |||
implemented correctly, then there is no risk that an intruder can | implemented correctly, then there is no risk that an intruder can | |||
alter or create any management objects of this MIB via direct SNMP | alter or create any management objects of this MIB via direct SNMP | |||
SET operations. | SET operations. | |||
Some of the readable objects in this MIB module (i.e., objects with a | Some of the readable objects in this MIB module (i.e., objects with a | |||
MAX-ACCESS other than not-accessible) may be considered sensitive or | MAX-ACCESS other than not-accessible) may be considered sensitive or | |||
vulnerable in some network environments. It is thus important to | vulnerable in some network environments. It is thus important to | |||
control even GET and/or NOTIFY access to these objects and possibly | control even GET and/or NOTIFY access to these objects and possibly | |||
to even encrypt the values of these objects when sending them over | to even encrypt the values of these objects when sending them over | |||
the network via SNMP. These are the tables and objects and their | the network via SNMP. These are the tables and objects and their | |||
sensitivity/vulnerability: | sensitivity/vulnerability: | |||
radiusAuthServerIPAddress This can be used to determine the address | radiusAuthServerIPAddress | |||
of the RADIUS authentication server with which the client is | This can be used to determine the address of the RADIUS | |||
communicating. This information could be useful in mounting an | authentication server with which the client is communicating. | |||
attack on the authentication server. | This information could be useful in mounting an attack on the | |||
authentication server. | ||||
radiusAuthClientServerPortNumber This can be used to determine the | radiusAuthClientServerPortNumber | |||
port number on which the RADIUS authentication client is sending. | This can be used to determine the port number on which the RADIUS | |||
This information could be useful in impersonating the client in | authentication client is sending. This information could be | |||
order to send data to the authentication server. | useful in impersonating the client in order to send data to the | |||
authentication server. | ||||
radiusAuthServerInetAddress This can be used to determine the address | radiusAuthServerInetAddress | |||
of the RADIUS authentication server with which the client is | This can be used to determine the address of the RADIUS | |||
communicating. This information could be useful in mounting an | authentication server with which the client is communicating. | |||
attack on the authentication server. | This information could be useful in mounting an attack on the | |||
authentication server. | ||||
radiusAuthClientServerInetPortNumber This can be used to determine | radiusAuthClientServerInetPortNumber | |||
the port number on which the RADIUS authentication client is | This can be used to determine the port number on which the RADIUS | |||
sending. This information could be useful in impersonating the | authentication client is sending. This information could be | |||
client in order to send data to the authentication server. | useful in impersonating the client in order to send data to the | |||
authentication server. | ||||
SNMP versions prior to SNMPv3 did not include adequate security. | SNMP versions prior to SNMPv3 did not include adequate security. | |||
Even if the network itself is secure (for example by using IPsec), | Even if the network itself is secure (for example by using IPsec), | |||
even then, there is no control as to who on the secure network is | even then, there is no control as to who on the secure network is | |||
allowed to access and GET/SET (read/change/create/delete) the objects | allowed to access and GET/SET (read/change/create/delete) the objects | |||
in this MIB module. | in this MIB module. | |||
It is RECOMMENDED that implementers consider the security features as | It is RECOMMENDED that implementers consider the security features as | |||
provided by the SNMPv3 framework (see [RFC3410], section 8), | provided by the SNMPv3 framework (see [RFC3410], section 8), | |||
including full support for the SNMPv3 cryptographic mechanisms (for | including full support for the SNMPv3 cryptographic mechanisms (for | |||
authentication and privacy). | authentication and privacy). | |||
Further, deployment of SNMP versions prior to SNMPv3 is NOT | Further, deployment of SNMP versions prior to SNMPv3 is NOT | |||
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | |||
enable cryptographic security. It is then a customer/operator | enable cryptographic security. It is then a customer/operator | |||
responsibility to ensure that the SNMP entity giving access to an | responsibility to ensure that the SNMP entity giving access to an | |||
instance of this MIB module is properly configured to give access to | instance of this MIB module is properly configured to give access to | |||
the objects only to those principals (users) that have legitimate | the objects only to those principals (users) that have legitimate | |||
rights to indeed GET or SET (change/create/delete) them. | rights to indeed GET or SET (change/create/delete) them. | |||
10. References | 9. References | |||
10.1. Normative References | 9.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
Schoenwaelder, Ed., "Structure of Management Information | Schoenwaelder, Ed., "Structure of Management Information | |||
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | |||
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
STD 58, RFC 2579, April 1999. | STD 58, RFC 2579, April 1999. | |||
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | |||
"Conformance Statements for SMIv2", STD 58, RFC 2580, | "Conformance Statements for SMIv2", STD 58, RFC 2580, | |||
April 1999. | April 1999. | |||
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
"Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
RFC 2865, June 2000. | RFC 2865, June 2000. | |||
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | ||||
Architecture for Describing Simple Network Management | ||||
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | ||||
December 2002. | ||||
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | |||
Schoenwaelder, "Textual Conventions for Internet Network | Schoenwaelder, "Textual Conventions for Internet Network | |||
Addresses", RFC 4001, February 2005. | Addresses", RFC 4001, February 2005. | |||
10.2. Informative References | 9.2. Informative References | |||
[2619bis] Nelson, D., "RADIUS Authentication Server MIB for IPv6", | ||||
draft-ietf-radext-rfc2619bis-04.txt (work in progress), | ||||
June 2006. | ||||
[RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | |||
RFC 2618, June 1999. | RFC 2618, June 1999. | |||
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
"Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
Appendix A. Acknowledgments | [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", | |||
RFC 4669, August 2006. | ||||
Appendix A. Acknowledgements | ||||
The authors of the original MIB are Bernard Aboba and Glen Zorn. | The authors of the original MIB are Bernard Aboba and Glen Zorn. | |||
Many thanks to all reviewers, especially to Dave Harrington, Dan | Many thanks to all reviewers, especially to Dave Harrington, Dan | |||
Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. | Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen. | |||
Author's Address | Author's Address | |||
David B. Nelson | David B. Nelson | |||
Enterasys Networks | Enterasys Networks | |||
50 Minuteman Road | 50 Minuteman Road | |||
Andover, MA 01810 | Andover, MA 01810 | |||
USA | USA | |||
Email: dnelson@enterasys.com | EMail: dnelson@enterasys.com | |||
Intellectual Property Statement | Full Copyright Statement | |||
Copyright (C) The Internet Society (2006). | ||||
This document is subject to the rights, licenses and restrictions | ||||
contained in BCP 78, and except as set forth therein, the authors | ||||
retain all their rights. | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Intellectual Property | ||||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
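Review bot: the sensitivity list in the Security Considerations names only the four address and port objects (radiusAuthServerIPAddress, radiusAuthClientServerPortNumber, radiusAuthServerInetAddress, radiusAuthClientServerInetPortNumber), while the object group in the same hunk also exposes per-server operational state through radiusAuthClientExtPendingRequests, radiusAuthClientExtTimeouts, radiusAuthClientExtUnknownTypes and radiusAuthClientExtPacketsDropped; say explicitly whether those counters are considered sensitive, because an operator building an SNMPv3 view needs to know which objects to restrict. The closing sentence "rights to indeed GET or SET (change/create/delete) them" is framework boilerplate that sits oddly beside the first paragraph's statement that no object in this MIB has a MAX-ACCESS of read-write or read-create; limiting it to GET access would keep the section self-consistent. On the references, dropping [RFC3411] from the normative list is fine only if no surviving text cites it; the visible Security Considerations cites [RFC3410] alone, and the [2619bis] work-in-progress entry is correctly replaced by its published form [RFC4669].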
skipping to change at page 24, line 29 | skipping to change at page 24, line 45 | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
Disclaimer of Validity | Acknowledgement | |||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Copyright Statement | ||||
Copyright (C) The Internet Society (2006). This document is subject | ||||
to the rights, licenses and restrictions contained in BCP 78, and | ||||
except as set forth therein, the authors retain all their rights. | ||||
Acknowledgment | ||||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
Internet Society. | Administrative Support Activity (IASA). | |||
End of changes. 48 change blocks. | ||||
135 lines changed or deleted | 113 lines changed or added | |||
This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |