--- 1/draft-ietf-radext-rfc2619bis-02.txt 2006-05-15 22:12:41.000000000 +0200 +++ 2/draft-ietf-radext-rfc2619bis-03.txt 2006-05-15 22:12:41.000000000 +0200 @@ -1,18 +1,18 @@ Network Working Group D. Nelson Internet-Draft Enterasys Networks -Obsoletes: RFC 2619 (if approved) January 20, 2006 -Expires: July 24, 2006 +Obsoletes: RFC 2619 (if approved) May 12, 2006 +Expires: November 13, 2006 RADIUS Auth Server MIB (IPv6) - draft-ietf-radext-rfc2619bis-02.txt + draft-ietf-radext-rfc2619bis-03.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -23,21 +23,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on July 24, 2006. + This Internet-Draft will expire on November 13, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This memo defines a set of extensions which instrument RADIUS authentication server functions. These extensions represent a portion of the Management Information Base (MIB) for use with network @@ -53,28 +53,28 @@ Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 - 10.2. Informative References . . . . . . . . . . . . . . . . . 22 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24 - Intellectual Property and Copyright Statements . . . . . . . . . . 25 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 22 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 23 + 10.2. Informative References . . . . . . . . . . . . . . . . . 23 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 24 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 + Intellectual Property and Copyright Statements . . . . . . . . . . 26 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document uses terminology from RFC 2865 [RFC2865]. This document uses the word "malformed" with respect to RADIUS @@ -150,21 +150,21 @@ act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs. This MIB module contains fourteen scalars as well as a single table, the RADIUS Authentication Client Table, which contains one row for each RADIUS authentication client with which the server shares a secret. Each entry in the RADIUS Authentication Client Table - includes twelve columns presenting a view of the activity of the + includes thirteen columns presenting a view of the activity of the RADIUS authentication server. 6. Deprecated Objects The deprecated table in this MIB is carried forward from RFC 2619 [RFC2619]. There are two conditions under which it MAY be desirable for managed entities to continue to support the deprecated table: 1. The managed entity only supports IPv4 address formats. 2. The managed entity supports both IPv4 and IPv6 address formats, @@ -191,47 +191,56 @@ IMPORTS MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Counter32, Integer32, IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress FROM INET-ADDRESS-MIB MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; radiusAuthServMIB MODULE-IDENTITY - LAST-UPDATED "200601200000Z" -- 20 Jan 2006 + LAST-UPDATED "200605100000Z" -- 10 May 2006 ORGANIZATION "IETF RADIUS Extensions Working Group." CONTACT-INFO " Bernard Aboba Microsoft One Microsoft Way Redmond, WA 98052 US Phone: +1 425 936 6605 EMail: bernarda@microsoft.com" DESCRIPTION "The MIB module for entities implementing the server side of the Remote Authentication Dial-In User - Service (RADIUS) authentication protocol." - REVISION "200601200000Z" -- 20 Jan 2006 - DESCRIPTION "Revised version as published in RFC xxxx. - This version obsoletes that of RFC 2619 by deprecating the - MIB table containing IPv4-only address formats and defining - a new table to add support for version neutral IP address - formats. The remaining MIB objects from RFC 2619 are carried - forward into this version." - REVISION "9906110000Z" -- 11 Jun 1999 - DESCRIPTION "Initial version as published in RFC 2619." + Service (RADIUS) authentication protocol. Copyright + (C) The Internet Society (2006). This version of this + MIB module is part of RFC xxxx; see the RFC itself for + full legal notices." -- RFC Editor: replace xxxx with actual RFC number at the time of -- publication, and remove this note. + REVISION "200605100000Z" -- 10 May 2006 + DESCRIPTION + "Revised version as published in RFC xxxx. This + version obsoletes that of RFC 2619 by deprecating the + MIB table containing IPv4-only address formats and + defining a new table to add support for version neutral + IP address formats. The remaining MIB objects from RFC + 2619 are carried forward into this version." + + -- RFC Editor: replace xxxx with actual RFC number at the time of + -- publication, and remove this note. + + REVISION "199906110000Z" -- 11 Jun 1999 + DESCRIPTION "Initial version as published in RFC 2619." + ::= { radiusAuthentication 1 } radiusMIB OBJECT-IDENTITY STATUS current DESCRIPTION "The OID assigned to RADIUS MIB work by the IANA." ::= { mib-2 67 } radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} @@ -616,21 +628,22 @@ radiusAuthClientInetAddress InetAddress, radiusAuthClientExtID SnmpAdminString, radiusAuthServExtAccessRequests Counter32, radiusAuthServExtDupAccessRequests Counter32, radiusAuthServExtAccessAccepts Counter32, radiusAuthServExtAccessRejects Counter32, radiusAuthServExtAccessChallenges Counter32, radiusAuthServExtMalformedAccessRequests Counter32, radiusAuthServExtBadAuthenticators Counter32, radiusAuthServExtPacketsDropped Counter32, - radiusAuthServExtUnknownTypes Counter32 + radiusAuthServExtUnknownTypes Counter32, + radiusAuthServCounterDiscontinuity TimeTicks } radiusAuthClientExtIndex OBJECT-TYPE SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A number uniquely identifying each RADIUS authentication client with which this server communicates." @@ -676,115 +690,160 @@ -- Requests - DupRequests - BadAuthenticators - MalformedRequests - -- UnknownTypes - PacketsDropped = entries logged radiusAuthServExtAccessRequests OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of packets received on the authentication - port from this client." + port from this client. This counter may experience a + discontinuity when the RADIUS Server module within the + managed entity is reinitialized, as indicated by the + current value of radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4.1" ::= { radiusAuthClientExtEntry 5 } radiusAuthServExtDupAccessRequests OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of duplicate RADIUS Access-Request - packets received from this client." + packets received from this client. This counter may + experience a discontinuity when the RADIUS Server + module within the managed entity is reinitialized, as + indicated by the current value of + radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4.1" ::= { radiusAuthClientExtEntry 6 } radiusAuthServExtAccessAccepts OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Accept packets - sent to this client." + sent to this client. This counter may experience a + discontinuity when the RADIUS Server module within the + managed entity is reinitialized, as indicated by the + current value of radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4.2" ::= { radiusAuthClientExtEntry 7 } radiusAuthServExtAccessRejects OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Reject packets - sent to this client." + sent to this client. This counter may experience a + discontinuity when the RADIUS Server module within the + managed entity is reinitialized, as indicated by the + current value of radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4.3" ::= { radiusAuthClientExtEntry 8 } radiusAuthServExtAccessChallenges OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Challenge packets - sent to this client." + sent to this client. This counter may experience a + discontinuity when the RADIUS Server module within the + managed entity is reinitialized, as indicated by the + current value of radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4.4" ::= { radiusAuthClientExtEntry 9 } + radiusAuthServExtMalformedAccessRequests OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of malformed RADIUS Access-Request - packets received from this client. - Bad authenticators and unknown types are not included - as malformed Access-Requests." + packets received from this client. Bad authenticators + and unknown types are not included as malformed + Access-Requests. This counter may experience a + discontinuity when the RADIUS Server module within the + managed entity is reinitialized, as indicated by the + current value of radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 sections 3, 4.1" ::= { radiusAuthClientExtEntry 10 } radiusAuthServExtBadAuthenticators OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Authentication-Request packets which contained invalid Message Authenticator - attributes received from this client." + attributes received from this client. This counter + may experience a discontinuity when the RADIUS Server + module within the managed entity is reinitialized, as + indicated by the current value of + radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 3" ::= { radiusAuthClientExtEntry 11 } radiusAuthServExtPacketsDropped OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION - "The number of incoming packets from this - client silently discarded for some reason other - than malformed, bad authenticators or - unknown types." + "The number of incoming packets from this client + silently discarded for some reason other than + malformed, bad authenticators or unknown types. + This counter may experience a discontinuity when the + RADIUS Server module within the managed entity is + reinitialized, as indicated by the current value of + radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 3" ::= { radiusAuthClientExtEntry 12 } radiusAuthServExtUnknownTypes OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS packets of unknown type which - were received from this client." + were received from this client. This counter may + experience a discontinuity when the RADIUS Server + module within the managed entity is reinitialized, as + indicated by the current value of + radiusAuthServCounterDiscontinuity." REFERENCE "RFC 2865 section 4" ::= { radiusAuthClientExtEntry 13 } + + radiusAuthServCounterDiscontinuity OBJECT-TYPE + SYNTAX TimeTicks + UNITS "centiseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of centiseconds since the last + discontinuity in the RADIUS Server counters. + A discontinuity may be the result of a + reinitialization of the RADIUS Server module + within the managed entity." + ::= { radiusAuthClientExtEntry 14 } + -- conformance information radiusAuthServMIBConformance OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 } radiusAuthServMIBCompliances OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 } radiusAuthServMIBGroups OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 } @@ -817,21 +876,34 @@ Server IPv6 Extensions MIB. Implementation of this module is for entities that support IPv6, or support IPv4 and IPv6." MODULE -- this module MANDATORY-GROUPS { radiusAuthServExtMIBGroup } OBJECT radiusAuthServConfigReset WRITE-SYNTAX INTEGER { reset(2) } DESCRIPTION "The only SETable value is 'reset' (2)." + OBJECT radiusAuthClientInetAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." + + OBJECT radiusAuthClientInetAddress + SYNTAX InetAddress ( SIZE (4|16) ) + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." + ::= { radiusAuthServMIBCompliances 2 } + -- units of conformance radiusAuthServMIBGroup OBJECT-GROUP OBJECTS {radiusAuthServIdent, radiusAuthServUpTime, radiusAuthServResetTime, radiusAuthServConfigReset, radiusAuthServTotalAccessRequests, radiusAuthServTotalInvalidRequests, radiusAuthServTotalDupAccessRequests, @@ -879,28 +951,28 @@ radiusAuthClientInetAddress, radiusAuthClientExtID, radiusAuthServExtAccessRequests, radiusAuthServExtDupAccessRequests, radiusAuthServExtAccessAccepts, radiusAuthServExtAccessRejects, radiusAuthServExtAccessChallenges, radiusAuthServExtMalformedAccessRequests, radiusAuthServExtBadAuthenticators, radiusAuthServExtPacketsDropped, - radiusAuthServExtUnknownTypes + radiusAuthServExtUnknownTypes, + radiusAuthServCounterDiscontinuity } STATUS current DESCRIPTION "The collection of objects providing management of a RADIUS Authentication Server." ::= { radiusAuthServMIBGroups 2 } - END 8. IANA Considerations This document requires no new IANA assignments. 9. Security Considerations There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such @@ -953,72 +1025,55 @@ the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model - (USM) for version 3 of the Simple Network Management - Protocol (SNMPv3)", RFC 2574, April 1999. - - [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based - Access Control Model (VACM) for the Simple Network - Management Protocol (SNMP)", RFC 2575, April 1999. - [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. +10.2. Informative References + + [RFC2619] Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB", + RFC 2619, June 1999. + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. - [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An - Architecture for Describing Simple Network Management - Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, - December 2002. - - [RFC3418] Presuhn, R., "Management Information Base (MIB) for the - Simple Network Management Protocol (SNMP)", STD 62, - RFC 3418, December 2002. - [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. -10.2. Informative References - - [RFC2619] Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB", - RFC 2619, June 1999. - Appendix A. Acknowledgments - The Authors of the original MIB are Bernard Aboba and Glen Zorn. + The authors of the original MIB are Bernard Aboba and Glen Zorn. Many thanks to all reviewers, especially to David Harrington, Dan - Romascanu, C.M. Heard, Bruno Pape and Greg Weber. + Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. Author's Address David B. Nelson Enterasys Networks 50 Minuteman Road Andover, MA 01810 USA Email: dnelson@enterasys.com