| draft-ietf-radext-rfc2618bis-04.txt | rfc4668.txt | |||
|---|---|---|---|---|
| Network Working Group D. Nelson | Network Working Group D. Nelson | |||
| Internet-Draft Enterasys Networks | Request for Comments: 4668 Enterasys Networks | |||
| Obsoletes: RFC 2618 (if approved) June 26, 2006 | Obsoletes: 2618 August 2006 | |||
| Expires: December 28, 2006 | Category: Standards Track | |||
| RADIUS Authentication Client MIB for IPV6 | ||||
| draft-ietf-radext-rfc2618bis-04.txt | ||||
| Status of this Memo | ||||
| By submitting this Internet-Draft, each author represents that any | ||||
| applicable patent or other IPR claims of which he or she is aware | ||||
| have been or will be disclosed, and any of which he or she becomes | ||||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | ||||
| and may be updated, replaced, or obsoleted by other documents at any | ||||
| time. It is inappropriate to use Internet-Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | RADIUS Authentication Client MIB for IPv6 | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | Status of This Memo | |||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on December 28, 2006. | This document specifies an Internet standards track protocol for the | |||
| Internet community, and requests discussion and suggestions for | ||||
| improvements. Please refer to the current edition of the "Internet | ||||
| Official Protocol Standards" (STD 1) for the standardization state | ||||
| and status of this protocol. Distribution of this memo is unlimited. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This memo defines a set of extensions, which instrument RADIUS | This memo defines a set of extensions that instrument RADIUS | |||
| authentication client functions. These extensions represent a | authentication client functions. These extensions represent a | |||
| portion of the Management Information Base (MIB) for use with network | portion of the Management Information Base (MIB) for use with network | |||
| management protocols in the Internet community. Using these | management protocols in the Internet community. Using these | |||
| extensions IP-based management stations can manage RADIUS | extensions, IP-based management stations can manage RADIUS | |||
| authentication clients. | authentication clients. | |||
| This memo obsoletes RFC 2618 by deprecating the MIB table containing | This memo obsoletes RFC 2618 by deprecating the MIB table containing | |||
| IPv4-only address formats and defining a new table to add support for | IPv4-only address formats and defining a new table to add support for | |||
| version neutral IP address formats. The remaining MIB objects from | version-neutral IP address formats. The remaining MIB objects from | |||
| RFC 2618 are carried forward into this document. The memo also adds | RFC 2618 are carried forward into this document. The memo also adds | |||
| UNITS and REFERENCE clauses to selected objects. | UNITS and REFERENCE clauses to selected objects. | |||
| Table of Contents | Table of Contents | |||
| 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................3 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology .....................................................3 | |||
| 3. The Internet-Standard Management Framework . . . . . . . . . . 3 | 3. The Internet-Standard Management Framework ......................3 | |||
| 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Scope of Changes ................................................3 | |||
| 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 | 5. Structure of the MIB Module .....................................4 | |||
| 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 | 6. Deprecated Objects ..............................................5 | |||
| 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Definitions .....................................................5 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | 8. Security Considerations ........................................20 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 9. References .....................................................22 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 9.1. Normative References ......................................22 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 22 | 9.2. Informative References ....................................22 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 22 | Appendix A. Acknowledgements ......................................23 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . . . 24 | ||||
| 1. Terminology | 1. Introduction | |||
| This memo defines a portion of the Management Information Base (MIB) | ||||
| for use with network management protocols in the Internet community. | ||||
| The objects defined within this memo relate to the Remote | ||||
| Authentication Dial-In User Service (RADIUS) Authentication Client as | ||||
| defined in RFC 2865 [RFC2865]. | ||||
| 2. Terminology | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| This document uses terminology from RFC 2865 [RFC2865]. | This document uses terminology from RFC 2865 [RFC2865]. | |||
| This document uses the word "malformed" with respect to RADIUS | This document uses the word "malformed" with respect to RADIUS | |||
| packets, particularly in the context of counters of "malformed | packets, particularly in the context of counters of "malformed | |||
| packets". While RFC 2865 does not provide an explicit definition of | packets". While RFC 2865 does not provide an explicit definition of | |||
| "malformed", malformed generally means that the implementation has | "malformed", malformed generally means that the implementation has | |||
| determined the packet does not match the format defined in RFC 2865. | determined the packet does not match the format defined in RFC 2865. | |||
| Some implementations may determine that packets are malformed when | Some implementations may determine that packets are malformed when | |||
| the Vendor Specific Attribute (VSA) format does not follow the RFC | the Vendor Specific Attribute (VSA) format does not follow the RFC | |||
| 2865 recommendations for VSAs. Those implementations are used in | 2865 recommendations for VSAs. Those implementations are used in | |||
| deployments today, and thus set the de-facto definition of | deployments today, and thus set the de facto definition of | |||
| "malformed". | "malformed". | |||
| 2. Introduction | ||||
| This memo defines a portion of the Management Information Base (MIB) | ||||
| for use with network management protocols in the Internet community. | ||||
| The objects defined within this memo relate to the Remote | ||||
| Authentication Dial-In User Service (RADIUS) Authentication Client as | ||||
| defined in RFC 2865 [RFC2865]. | ||||
| 3. The Internet-Standard Management Framework | 3. The Internet-Standard Management Framework | |||
| For a detailed overview of the documents that describe the current | For a detailed overview of the documents that describe the current | |||
| Internet-Standard Management Framework, please refer to section 7 of | Internet-Standard Management Framework, please refer to section 7 of | |||
| RFC 3410 [RFC3410]. | RFC 3410 [RFC3410]. | |||
| Managed objects are accessed via a virtual information store, termed | Managed objects are accessed via a virtual information store, termed | |||
| the Management Information Base or MIB. MIB objects are generally | the Management Information Base or MIB. MIB objects are generally | |||
| accessed through the Simple Network Management Protocol (SNMP). | accessed through the Simple Network Management Protocol (SNMP). | |||
| Objects in the MIB are defined using the mechanisms defined in the | Objects in the MIB are defined using the mechanisms defined in the | |||
| skipping to change at page 4, line 8 | skipping to change at page 4, line 5 | |||
| RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 | RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 | |||
| [RFC2580]. | [RFC2580]. | |||
| 4. Scope of Changes | 4. Scope of Changes | |||
| This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication | |||
| Client MIB, by deprecating the radiusAuthServerTable table and adding | Client MIB, by deprecating the radiusAuthServerTable table and adding | |||
| a new table, radiusAuthServerExtTable, containing | a new table, radiusAuthServerExtTable, containing | |||
| radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and | |||
| radiusAuthClientServerInetPortNumber. The purpose of these added MIB | radiusAuthClientServerInetPortNumber. The purpose of these added MIB | |||
| objects is to support version neutral IP addressing formats. The | objects is to support version-neutral IP addressing formats. The | |||
| existing table containing radiusAuthServerAddress and | existing table containing radiusAuthServerAddress and | |||
| radiusAuthClientServerPortNumber is deprecated. The remaining MIB | radiusAuthClientServerPortNumber is deprecated. The remaining MIB | |||
| objects are carried forward from RFC 2618 into this document. This | objects are carried forward from RFC 2618 into this document. This | |||
| memo also adds UNITS and REFERENCE clauses to selected objects. | memo also adds UNITS and REFERENCE clauses to selected objects. | |||
| RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | RFC 4001 [RFC4001], which defines the SMI Textual Conventions for | |||
| IPv6 addresses, contains the following recommendation. | IPv6 addresses, contains the following recommendation. | |||
| 'In particular, when revising a MIB module that contains IPv4 | 'In particular, when revising a MIB module that contains IPv4 | |||
| specific tables, it is suggested to define new tables using the | specific tables, it is suggested to define new tables using the | |||
| skipping to change at page 4, line 31 | skipping to change at page 4, line 28 | |||
| whereas the status of the old IP version specific tables SHOULD be | whereas the status of the old IP version specific tables SHOULD be | |||
| changed to "deprecated". The other approach, of having multiple | changed to "deprecated". The other approach, of having multiple | |||
| similar tables for different IP versions, is strongly discouraged.' | similar tables for different IP versions, is strongly discouraged.' | |||
| 5. Structure of the MIB Module | 5. Structure of the MIB Module | |||
| The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | The RADIUS authentication protocol, described in RFC 2865 [RFC2865], | |||
| distinguishes between the client function and the server function. | distinguishes between the client function and the server function. | |||
| In RADIUS authentication, clients send Access-Requests, and servers | In RADIUS authentication, clients send Access-Requests, and servers | |||
| reply with Access-Accepts, Access-Rejects, and Access-Challenges. | reply with Access-Accepts, Access-Rejects, and Access-Challenges. | |||
| Typically Network Access Server (NAS) devices implement the client | Typically, Network Access Server (NAS) devices implement the client | |||
| function, and thus would be expected to implement the RADIUS | function, and thus would be expected to implement the RADIUS | |||
| authentication client MIB, while RADIUS authentication servers | authentication client MIB, while RADIUS authentication servers | |||
| implement the server function, and thus would be expected to | implement the server function, and thus would be expected to | |||
| implement the RADIUS authentication server MIB. | implement the RADIUS authentication server MIB. | |||
| However, it is possible for a RADIUS authentication entity to perform | However, it is possible for a RADIUS authentication entity to perform | |||
| both client and server functions. For example, a RADIUS proxy may | both client and server functions. For example, a RADIUS proxy may | |||
| act as a server to one or more RADIUS authentication clients, while | act as a server to one or more RADIUS authentication clients, while | |||
| simultaneously acting as an authentication client to one or more | simultaneously acting as an authentication client to one or more | |||
| authentication servers. In such situations, it is expected that | authentication servers. In such situations, it is expected that | |||
| RADIUS entities combining client and server functionality will | RADIUS entities combining client and server functionality will | |||
| support both the client and server MIBs. The client MIB is defined | support both the client and server MIBs. The client MIB is defined | |||
| in this document, and the server MIB is defined in [2619bis]. | in this document, and the server MIB is defined in [RFC4669]. | |||
| RFC Editor: Replace the above I-D reference with the assigned RFC | ||||
| number at the time of publication and delete this note. | ||||
| This MIB module contains two scalars as well as a single table, the | This MIB module contains two scalars as well as a single table, the | |||
| RADIUS Authentication Server Table, which contains one row for each | RADIUS Authentication Server Table, which contains one row for each | |||
| RADIUS authentication server with which the client shares a secret. | RADIUS authentication server with which the client shares a secret. | |||
| Each entry in the RADIUS Authentication Server Table includes sixteen | Each entry in the RADIUS Authentication Server Table includes sixteen | |||
| columns presenting a view of the activity of the RADIUS | columns presenting a view of the activity of the RADIUS | |||
| authentication client. | authentication client. | |||
| This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001]. | ||||
| 6. Deprecated Objects | 6. Deprecated Objects | |||
| The deprecated table in this MIB is carried forward from RFC 2618 | The deprecated table in this MIB is carried forward from RFC 2618 | |||
| [RFC2618]. There are two conditions under which it MAY be desirable | [RFC2618]. There are two conditions under which it MAY be desirable | |||
| for managed entities to continue to support the deprecated table: | for managed entities to continue to support the deprecated table: | |||
| 1. The managed entity only supports IPv4 address formats. | 1. The managed entity only supports IPv4 address formats. | |||
| 2. The managed entity supports both IPv4 and IPv6 address formats, | 2. The managed entity supports both IPv4 and IPv6 address formats, | |||
| and the deprecated table is supported for backwards compatibility | and the deprecated table is supported for backwards compatibility | |||
| with older management stations. This option SHOULD only be used | with older management stations. This option SHOULD only be used | |||
| when the IP addresses in the new table are in IPv4 format and can | when the IP addresses in the new table are in IPv4 format and can | |||
| accurately be represented in both the new table and the | accurately be represented in both the new table and the | |||
| deprecated table. | deprecated table. | |||
| Managed entities SHOULD NOT instantiate row entries in the deprecated | Managed entities SHOULD NOT instantiate row entries in the deprecated | |||
| table, containing IPv4-only address objects, when the RADIUS server | table, containing IPv4-only address objects, when the RADIUS server | |||
| address represented in such a table row is not an IPv4 address. | address represented in such a table row is not an IPv4 address. | |||
| skipping to change at page 5, line 29 | skipping to change at page 5, line 26 | |||
| when the IP addresses in the new table are in IPv4 format and can | when the IP addresses in the new table are in IPv4 format and can | |||
| accurately be represented in both the new table and the | accurately be represented in both the new table and the | |||
| deprecated table. | deprecated table. | |||
| Managed entities SHOULD NOT instantiate row entries in the deprecated | Managed entities SHOULD NOT instantiate row entries in the deprecated | |||
| table, containing IPv4-only address objects, when the RADIUS server | table, containing IPv4-only address objects, when the RADIUS server | |||
| address represented in such a table row is not an IPv4 address. | address represented in such a table row is not an IPv4 address. | |||
| Managed entities SHOULD NOT return inaccurate values of IP address or | Managed entities SHOULD NOT return inaccurate values of IP address or | |||
| SNMP object access errors for IPv4-only address objects in otherwise | SNMP object access errors for IPv4-only address objects in otherwise | |||
| populated tables. When row entries exist in both the deprecated | populated tables. When row entries exist in both the deprecated | |||
| IPv4-only table and the new IP version neutral table that describe | IPv4-only table and the new IP-version-neutral table that describe | |||
| the same RADIUS server, the row indexes SHOULD be the same for the | the same RADIUS server, the row indexes SHOULD be the same for the | |||
| corresponding rows in each table, to facilitate correlation of these | corresponding rows in each table, to facilitate correlation of these | |||
| related rows by management applications. | related rows by management applications. | |||
| 7. Definitions | 7. Definitions | |||
| RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, | |||
| Counter32, Integer32, Gauge32, | Counter32, Integer32, Gauge32, | |||
| IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI | |||
| SnmpAdminString FROM SNMP-FRAMEWORK-MIB | SnmpAdminString FROM SNMP-FRAMEWORK-MIB | |||
| InetAddressType, InetAddress, | InetAddressType, InetAddress, | |||
| InetPortNumber FROM INET-ADDRESS-MIB | InetPortNumber FROM INET-ADDRESS-MIB | |||
| MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; | |||
| radiusAuthClientMIB MODULE-IDENTITY | radiusAuthClientMIB MODULE-IDENTITY | |||
| LAST-UPDATED "200608210000Z" -- 21 August 2006 | ||||
| ORGANIZATION "IETF RADIUS Extensions Working Group." | ORGANIZATION "IETF RADIUS Extensions Working Group." | |||
| CONTACT-INFO | CONTACT-INFO | |||
| " Bernard Aboba | " Bernard Aboba | |||
| Microsoft | Microsoft | |||
| One Microsoft Way | One Microsoft Way | |||
| Redmond, WA 98052 | Redmond, WA 98052 | |||
| US | US | |||
| Phone: +1 425 936 6605 | Phone: +1 425 936 6605 | |||
| EMail: bernarda@microsoft.com" | EMail: bernarda@microsoft.com" | |||
| DESCRIPTION | DESCRIPTION | |||
| "The MIB module for entities implementing the client | "The MIB module for entities implementing the client | |||
| side of the Remote Authentication Dial-In User Service | side of the Remote Authentication Dial-In User Service | |||
| (RADIUS) authentication protocol. Copyright (C) The | (RADIUS) authentication protocol. Copyright (C) The | |||
| Internet Society (2006). This version of this MIB | Internet Society (2006). This version of this MIB | |||
| module is part of RFC xxxx; see the RFC itself for | module is part of RFC 4668; see the RFC itself for | |||
| full legal notices." | full legal notices." | |||
| REVISION "200608210000Z" -- 21 August 2006 | ||||
| -- RFC Editor: replace xxxx with actual RFC number at the time of | ||||
| -- publication, and remove this note. | ||||
| DESCRIPTION | DESCRIPTION | |||
| "Revised version as published in RFC xxxx. This | "Revised version as published in RFC 4668. This | |||
| version obsoletes that of RFC 2618 by deprecating | version obsoletes that of RFC 2618 by deprecating | |||
| the MIB table containing IPv4-only address formats | the MIB table containing IPv4-only address formats | |||
| and defining a new table to add support for version | and defining a new table to add support for version | |||
| neutral IP address formats. The remaining MIB objects | neutral IP address formats. The remaining MIB objects | |||
| from RFC 2618 are carried forward into this version." | from RFC 2618 are carried forward into this version." | |||
| -- RFC Editor: replace xxxx with actual RFC number at the time of | ||||
| -- publication, and remove this note. | ||||
| DESCRIPTION "Initial version as published in RFC 2618." | DESCRIPTION "Initial version as published in RFC 2618." | |||
| ::= { radiusAuthentication 2 } | ::= { radiusAuthentication 2 } | |||
| radiusMIB OBJECT-IDENTITY | radiusMIB OBJECT-IDENTITY | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The OID assigned to RADIUS MIB work by the IANA." | "The OID assigned to RADIUS MIB work by the IANA." | |||
| ::= { mib-2 67 } | ::= { mib-2 67 } | |||
| radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} | |||
| skipping to change at page 11, line 19 | skipping to change at page 11, line 5 | |||
| radiusAuthClientPendingRequests OBJECT-TYPE | radiusAuthClientPendingRequests OBJECT-TYPE | |||
| SYNTAX Gauge32 | SYNTAX Gauge32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
| or received a response. This variable is incremented | or received a response. This variable is incremented | |||
| when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
| receipt of an Access-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject, | |||
| Access-Challenge, a timeout or retransmission." | Access-Challenge, timeout, or retransmission." | |||
| REFERENCE "RFC 2865 section 2" | REFERENCE "RFC 2865 section 2" | |||
| ::= { radiusAuthServerEntry 12 } | ::= { radiusAuthServerEntry 12 } | |||
| radiusAuthClientTimeouts OBJECT-TYPE | radiusAuthClientTimeouts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "timeouts" | UNITS "timeouts" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
| After a timeout the client may retry to the same | After a timeout, the client may retry to the same | |||
| server, send to a different server, or | server, send to a different server, or | |||
| give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
| retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
| server is counted as a Request as well as a timeout." | server is counted as a Request as well as a timeout." | |||
| REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" | |||
| ::= { radiusAuthServerEntry 13 } | ::= { radiusAuthServerEntry 13 } | |||
| radiusAuthClientUnknownTypes OBJECT-TYPE | radiusAuthClientUnknownTypes OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type that | |||
| were received from this server on the authentication | were received from this server on the authentication | |||
| port." | port." | |||
| ::= { radiusAuthServerEntry 14 } | ::= { radiusAuthServerEntry 14 } | |||
| radiusAuthClientPacketsDropped OBJECT-TYPE | radiusAuthClientPacketsDropped OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS deprecated | STATUS deprecated | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of which were | "The number of RADIUS packets that were | |||
| received from this server on the authentication port | received from this server on the authentication port | |||
| and dropped for some other reason." | and dropped for some other reason." | |||
| ::= { radiusAuthServerEntry 15 } | ::= { radiusAuthServerEntry 15 } | |||
| -- New MIB Objects in this revision | -- New MIB Objects in this revision | |||
| radiusAuthServerExtTable OBJECT-TYPE | radiusAuthServerExtTable OBJECT-TYPE | |||
| SYNTAX SEQUENCE OF RadiusAuthServerExtEntry | SYNTAX SEQUENCE OF RadiusAuthServerExtEntry | |||
| MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
| STATUS current | STATUS current | |||
| skipping to change at page 13, line 34 | skipping to change at page 13, line 20 | |||
| radiusAuthServerInetAddress object." | radiusAuthServerInetAddress object." | |||
| ::= { radiusAuthServerExtEntry 2 } | ::= { radiusAuthServerExtEntry 2 } | |||
| radiusAuthServerInetAddress OBJECT-TYPE | radiusAuthServerInetAddress OBJECT-TYPE | |||
| SYNTAX InetAddress | SYNTAX InetAddress | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The IP address of the RADIUS authentication | "The IP address of the RADIUS authentication | |||
| server referred to in this table entry, using | server referred to in this table entry, using | |||
| the version neutral IP address format." | the version-neutral IP address format." | |||
| ::= { radiusAuthServerExtEntry 3 } | ::= { radiusAuthServerExtEntry 3 } | |||
| radiusAuthClientServerInetPortNumber OBJECT-TYPE | radiusAuthClientServerInetPortNumber OBJECT-TYPE | |||
| SYNTAX InetPortNumber ( 1..65535 ) | SYNTAX InetPortNumber ( 1..65535 ) | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The UDP port the client is using to send requests | "The UDP port the client is using to send requests | |||
| to this server. The value of zero (0) is invalid." | to this server. The value of zero (0) is invalid." | |||
| REFERENCE "RFC 2865 section 3" | REFERENCE "RFC 2865 section 3" | |||
| skipping to change at page 16, line 7 | skipping to change at page 15, line 40 | |||
| "The number of RADIUS Access-Challenge packets | "The number of RADIUS Access-Challenge packets | |||
| (valid or invalid) received from this server. | (valid or invalid) received from this server. | |||
| This counter may experience a discontinuity when | This counter may experience a discontinuity when | |||
| the RADIUS Client module within the managed | the RADIUS Client module within the managed | |||
| entity is reinitialized, as indicated by the | entity is reinitialized, as indicated by the | |||
| current value of | current value of | |||
| radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
| REFERENCE "RFC 2865 section 4.4" | REFERENCE "RFC 2865 section 4.4" | |||
| ::= { radiusAuthServerExtEntry 10 } | ::= { radiusAuthServerExtEntry 10 } | |||
| -- "Access-Response" includes an Access-Accept, Access-Challenge | -- "Access-Response" includes an Access-Accept, Access-Challenge, | |||
| -- or Access-Reject | -- or Access-Reject | |||
| radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of malformed RADIUS Access-Response | "The number of malformed RADIUS Access-Response | |||
| packets received from this server. | packets received from this server. | |||
| skipping to change at page 17, line 7 | skipping to change at page 16, line 40 | |||
| radiusAuthClientExtPendingRequests OBJECT-TYPE | radiusAuthClientExtPendingRequests OBJECT-TYPE | |||
| SYNTAX Gauge32 | SYNTAX Gauge32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS Access-Request packets | "The number of RADIUS Access-Request packets | |||
| destined for this server that have not yet timed out | destined for this server that have not yet timed out | |||
| or received a response. This variable is incremented | or received a response. This variable is incremented | |||
| when an Access-Request is sent and decremented due to | when an Access-Request is sent and decremented due to | |||
| receipt of an Access-Accept, Access-Reject or | receipt of an Access-Accept, Access-Reject, | |||
| Access-Challenge, a timeout or retransmission." | Access-Challenge, timeout, or retransmission." | |||
| REFERENCE "RFC 2865 section 2" | REFERENCE "RFC 2865 section 2" | |||
| ::= { radiusAuthServerExtEntry 13 } | ::= { radiusAuthServerExtEntry 13 } | |||
| radiusAuthClientExtTimeouts OBJECT-TYPE | radiusAuthClientExtTimeouts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "timeouts" | UNITS "timeouts" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of authentication timeouts to this server. | "The number of authentication timeouts to this server. | |||
| After a timeout the client may retry to the same | ||||
| After a timeout, the client may retry to the same | ||||
| server, send to a different server, or | server, send to a different server, or | |||
| give up. A retry to the same server is counted as a | give up. A retry to the same server is counted as a | |||
| retransmit as well as a timeout. A send to a different | retransmit as well as a timeout. A send to a different | |||
| server is counted as a Request as well as a timeout. | server is counted as a Request as well as a timeout. | |||
| This counter may experience a discontinuity when the | This counter may experience a discontinuity when the | |||
| RADIUS Client module within the managed entity is | RADIUS Client module within the managed entity is | |||
| reinitialized, as indicated by the current value of | reinitialized, as indicated by the current value of | |||
| radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
| REFERENCE "RFC 2865 sections 2.5, 4.1" | REFERENCE "RFC 2865 sections 2.5, 4.1" | |||
| ::= { radiusAuthServerExtEntry 14 } | ::= { radiusAuthServerExtEntry 14 } | |||
| radiusAuthClientExtUnknownTypes OBJECT-TYPE | radiusAuthClientExtUnknownTypes OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of unknown type which | "The number of RADIUS packets of unknown type that | |||
| were received from this server on the authentication | were received from this server on the authentication | |||
| port. This counter may experience a discontinuity | port. This counter may experience a discontinuity | |||
| when the RADIUS Client module within the managed | when the RADIUS Client module within the managed | |||
| entity is reinitialized, as indicated by the current | entity is reinitialized, as indicated by the current | |||
| value of radiusAuthClientCounterDiscontinuity." | value of radiusAuthClientCounterDiscontinuity." | |||
| REFERENCE "RFC 2865 section 4" | REFERENCE "RFC 2865 section 4" | |||
| ::= { radiusAuthServerExtEntry 15 } | ::= { radiusAuthServerExtEntry 15 } | |||
| radiusAuthClientExtPacketsDropped OBJECT-TYPE | radiusAuthClientExtPacketsDropped OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| UNITS "packets" | UNITS "packets" | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of RADIUS packets of which were | "The number of RADIUS packets that were | |||
| received from this server on the authentication port | received from this server on the authentication port | |||
| and dropped for some other reason. This counter may | and dropped for some other reason. This counter may | |||
| experience a discontinuity when the RADIUS Client | experience a discontinuity when the RADIUS Client | |||
| module within the managed entity is reinitialized, | module within the managed entity is reinitialized, | |||
| as indicated by the current value of | as indicated by the current value of | |||
| radiusAuthClientCounterDiscontinuity." | radiusAuthClientCounterDiscontinuity." | |||
| ::= { radiusAuthServerExtEntry 16 } | ::= { radiusAuthServerExtEntry 16 } | |||
| radiusAuthClientCounterDiscontinuity OBJECT-TYPE | radiusAuthClientCounterDiscontinuity OBJECT-TYPE | |||
| SYNTAX TimeTicks | SYNTAX TimeTicks | |||
| skipping to change at page 20, line 31 | skipping to change at page 20, line 18 | |||
| radiusAuthClientExtPendingRequests, | radiusAuthClientExtPendingRequests, | |||
| radiusAuthClientExtTimeouts, | radiusAuthClientExtTimeouts, | |||
| radiusAuthClientExtUnknownTypes, | radiusAuthClientExtUnknownTypes, | |||
| radiusAuthClientExtPacketsDropped, | radiusAuthClientExtPacketsDropped, | |||
| radiusAuthClientCounterDiscontinuity | radiusAuthClientCounterDiscontinuity | |||
| } | } | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The collection of extended objects providing | "The collection of extended objects providing | |||
| management of RADIUS Authentication Clients | management of RADIUS Authentication Clients | |||
| using version neutral IP address format." | using version-neutral IP address format." | |||
| ::= { radiusAuthClientMIBGroups 2 } | ::= { radiusAuthClientMIBGroups 2 } | |||
| END | END | |||
| 8. IANA Considerations | 8. Security Considerations | |||
| This document requires no new IANA assignments. | ||||
| 9. Security Considerations | ||||
| There are no management objects defined in this MIB that have a MAX- | There are no management objects defined in this MIB that have a MAX- | |||
| ACCESS clause of read-write and/or read-create. So, if this MIB is | ACCESS clause of read-write and/or read-create. So, if this MIB is | |||
| implemented correctly, then there is no risk that an intruder can | implemented correctly, then there is no risk that an intruder can | |||
| alter or create any management objects of this MIB via direct SNMP | alter or create any management objects of this MIB via direct SNMP | |||
| SET operations. | SET operations. | |||
| Some of the readable objects in this MIB module (i.e., objects with a | Some of the readable objects in this MIB module (i.e., objects with a | |||
| MAX-ACCESS other than not-accessible) may be considered sensitive or | MAX-ACCESS other than not-accessible) may be considered sensitive or | |||
| vulnerable in some network environments. It is thus important to | vulnerable in some network environments. It is thus important to | |||
| control even GET and/or NOTIFY access to these objects and possibly | control even GET and/or NOTIFY access to these objects and possibly | |||
| to even encrypt the values of these objects when sending them over | to even encrypt the values of these objects when sending them over | |||
| the network via SNMP. These are the tables and objects and their | the network via SNMP. These are the tables and objects and their | |||
| sensitivity/vulnerability: | sensitivity/vulnerability: | |||
| radiusAuthServerIPAddress This can be used to determine the address | radiusAuthServerIPAddress | |||
| of the RADIUS authentication server with which the client is | This can be used to determine the address of the RADIUS | |||
| communicating. This information could be useful in mounting an | authentication server with which the client is communicating. | |||
| attack on the authentication server. | This information could be useful in mounting an attack on the | |||
| authentication server. | ||||
| radiusAuthClientServerPortNumber This can be used to determine the | radiusAuthClientServerPortNumber | |||
| port number on which the RADIUS authentication client is sending. | This can be used to determine the port number on which the RADIUS | |||
| This information could be useful in impersonating the client in | authentication client is sending. This information could be | |||
| order to send data to the authentication server. | useful in impersonating the client in order to send data to the | |||
| authentication server. | ||||
| radiusAuthServerInetAddress This can be used to determine the address | radiusAuthServerInetAddress | |||
| of the RADIUS authentication server with which the client is | This can be used to determine the address of the RADIUS | |||
| communicating. This information could be useful in mounting an | authentication server with which the client is communicating. | |||
| attack on the authentication server. | This information could be useful in mounting an attack on the | |||
| authentication server. | ||||
| radiusAuthClientServerInetPortNumber This can be used to determine | radiusAuthClientServerInetPortNumber | |||
| the port number on which the RADIUS authentication client is | This can be used to determine the port number on which the RADIUS | |||
| sending. This information could be useful in impersonating the | authentication client is sending. This information could be | |||
| client in order to send data to the authentication server. | useful in impersonating the client in order to send data to the | |||
| authentication server. | ||||
| SNMP versions prior to SNMPv3 did not include adequate security. | SNMP versions prior to SNMPv3 did not include adequate security. | |||
| Even if the network itself is secure (for example by using IPsec), | Even if the network itself is secure (for example by using IPsec), | |||
| even then, there is no control as to who on the secure network is | even then, there is no control as to who on the secure network is | |||
| allowed to access and GET/SET (read/change/create/delete) the objects | allowed to access and GET/SET (read/change/create/delete) the objects | |||
| in this MIB module. | in this MIB module. | |||
| It is RECOMMENDED that implementers consider the security features as | It is RECOMMENDED that implementers consider the security features as | |||
| provided by the SNMPv3 framework (see [RFC3410], section 8), | provided by the SNMPv3 framework (see [RFC3410], section 8), | |||
| including full support for the SNMPv3 cryptographic mechanisms (for | including full support for the SNMPv3 cryptographic mechanisms (for | |||
| authentication and privacy). | authentication and privacy). | |||
| Further, deployment of SNMP versions prior to SNMPv3 is NOT | Further, deployment of SNMP versions prior to SNMPv3 is NOT | |||
| RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to | |||
| enable cryptographic security. It is then a customer/operator | enable cryptographic security. It is then a customer/operator | |||
| responsibility to ensure that the SNMP entity giving access to an | responsibility to ensure that the SNMP entity giving access to an | |||
| instance of this MIB module is properly configured to give access to | instance of this MIB module is properly configured to give access to | |||
| the objects only to those principals (users) that have legitimate | the objects only to those principals (users) that have legitimate | |||
| rights to indeed GET or SET (change/create/delete) them. | rights to indeed GET or SET (change/create/delete) them. | |||
| 10. References | 9. References | |||
| 10.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
| Schoenwaelder, Ed., "Structure of Management Information | Schoenwaelder, Ed., "Structure of Management Information | |||
| Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | |||
| [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
| Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
| STD 58, RFC 2579, April 1999. | STD 58, RFC 2579, April 1999. | |||
| [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, | |||
| "Conformance Statements for SMIv2", STD 58, RFC 2580, | "Conformance Statements for SMIv2", STD 58, RFC 2580, | |||
| April 1999. | April 1999. | |||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| "Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
| RFC 2865, June 2000. | RFC 2865, June 2000. | |||
| [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | ||||
| Architecture for Describing Simple Network Management | ||||
| Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | ||||
| December 2002. | ||||
| [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. | |||
| Schoenwaelder, "Textual Conventions for Internet Network | Schoenwaelder, "Textual Conventions for Internet Network | |||
| Addresses", RFC 4001, February 2005. | Addresses", RFC 4001, February 2005. | |||
| 10.2. Informative References | 9.2. Informative References | |||
| [2619bis] Nelson, D., "RADIUS Authentication Server MIB for IPv6", | ||||
| draft-ietf-radext-rfc2619bis-04.txt (work in progress), | ||||
| June 2006. | ||||
| [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", | |||
| RFC 2618, June 1999. | RFC 2618, June 1999. | |||
| [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
| "Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
| Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
| Appendix A. Acknowledgments | [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", | |||
| RFC 4669, August 2006. | ||||
| Appendix A. Acknowledgements | ||||
| The authors of the original MIB are Bernard Aboba and Glen Zorn. | The authors of the original MIB are Bernard Aboba and Glen Zorn. | |||
| Many thanks to all reviewers, especially to Dave Harrington, Dan | Many thanks to all reviewers, especially to Dave Harrington, Dan | |||
| Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. | Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen. | |||
| Author's Address | Author's Address | |||
| David B. Nelson | David B. Nelson | |||
| Enterasys Networks | Enterasys Networks | |||
| 50 Minuteman Road | 50 Minuteman Road | |||
| Andover, MA 01810 | Andover, MA 01810 | |||
| USA | USA | |||
| Email: dnelson@enterasys.com | EMail: dnelson@enterasys.com | |||
| Intellectual Property Statement | Full Copyright Statement | |||
| Copyright (C) The Internet Society (2006). | ||||
| This document is subject to the rights, licenses and restrictions | ||||
| contained in BCP 78, and except as set forth therein, the authors | ||||
| retain all their rights. | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Intellectual Property | ||||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
| found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
| skipping to change at page 24, line 29 | skipping to change at page 24, line 45 | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
| ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
| Disclaimer of Validity | Acknowledgement | |||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Copyright Statement | ||||
| Copyright (C) The Internet Society (2006). This document is subject | ||||
| to the rights, licenses and restrictions contained in BCP 78, and | ||||
| except as set forth therein, the authors retain all their rights. | ||||
| Acknowledgment | ||||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
| Internet Society. | Administrative Support Activity (IASA). | |||
| End of changes. 48 change blocks. | ||||
| 135 lines changed or deleted | 113 lines changed or added | |||
This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||