summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2619.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2619.txt')
-rw-r--r--doc/rfc/rfc2619.txt899
1 files changed, 899 insertions, 0 deletions
diff --git a/doc/rfc/rfc2619.txt b/doc/rfc/rfc2619.txt
new file mode 100644
index 0000000..838cd56
--- /dev/null
+++ b/doc/rfc/rfc2619.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group G. Zorn
+Request for Comments: 2619 B. Aboba
+Category: Standards Track Microsoft
+ June 1999
+
+
+ RADIUS Authentication Server MIB
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ This memo defines a set of extensions which instrument RADIUS
+ authentication server functions. These extensions represent a portion
+ of the Management Information Base (MIB) for use with network
+ management protocols in the Internet community. Using these
+ extensions IP-based management stations can manage RADIUS
+ authentication servers.
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes managed objects used for managing RADIUS
+ authentication servers.
+
+ RADIUS authentication servers are today widely deployed by dialup
+ Internet Service Providers, in order to provide authentication
+ services. As a result, the effective management of RADIUS
+ authentication servers is of considerable importance.
+
+
+
+
+
+
+
+
+
+
+
+Zorn & Aboba Standards Track [Page 1]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+2. The SNMP Management Framework
+
+ The SNMP Management Framework presently consists of five major
+ components:
+
+ o An overall architecture, described in RFC 2571 [1].
+
+ o Mechanisms for describing and naming objects and events for the
+ purpose of management. The first version of this Structure of
+ Management Information (SMI) is called SMIv1 and described in
+ STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4].
+ The second version, called SMIv2, is described in STD 58, RFC
+ 2578 [5], RFC 2579 [6] and RFC 2580 [7].
+
+ o Message protocols for transferring management information. The
+ first version of the SNMP message protocol is called SNMPv1 and
+ described in STD 15, RFC 1157 [8]. A second version of the
+ SNMP message protocol, which is not an Internet standards
+ track protocol, is called SNMPv2c and described in RFC 1901
+ [9] and RFC 1906 [10]. The third version of the message
+ protocol is called SNMPv3 and described in RFC 1906 [10], RFC
+ 2572 [11] and RFC 2574 [12].
+
+ o Protocol operations for accessing management information. The
+ first set of protocol operations and associated PDU formats is
+ described in STD 15, RFC 1157 [8]. A second set of protocol
+ operations and associated PDU formats is described in RFC 1905
+ [13].
+
+ o A set of fundamental applications described in RFC 2573 [14] and
+ the view-based access control mechanism described in RFC 2575
+ [15].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. Objects in the MIB are
+ defined using the mechanisms defined in the SMI.
+
+ This memo specifies a MIB module that is compliant to the SMIv2. A
+ MIB conforming to the SMIv1 can be produced through the appropriate
+ translations. The resulting translated MIB must be semantically
+ equivalent, except where objects or events are omitted because no
+ translation is possible (use of Counter64). Some machine readable
+ information in SMIv2 will be converted into textual descriptions in
+ SMIv1 during the translation process. However, this loss of machine
+ readable information is not considered to change the semantics of the
+ MIB.
+
+
+
+
+
+Zorn & Aboba Standards Track [Page 2]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+3. Overview
+
+ The RADIUS authentication protocol, described in [16], distinguishes
+ between the client function and the server function. In RADIUS
+ authentication, clients send Access-Requests, and servers reply with
+ Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS
+ devices implement the client function, and thus would be expected to
+ implement the RADIUS authentication client MIB, while RADIUS
+ authentication servers implement the server function, and thus would
+ be expected to implement the RADIUS authentication server MIB.
+
+ However, it is possible for a RADIUS authentication entity to perform
+ both client and server functions. For example, a RADIUS proxy may act
+ as a server to one or more RADIUS authentication clients, while
+ simultaneously acting as an authentication client to one or more
+ authentication servers. In such situations, it is expected that
+ RADIUS entities combining client and server functionality will
+ support both the client and server MIBs.
+
+3.1. Selected objects
+
+ This MIB module contains fourteen scalars as well as a single table:
+
+ (1) the RADIUS Authentication Client Table contains one row for
+ each RADIUS authentication client that the server shares a
+ secret with.
+
+ Each entry in the RADIUS Authentication Client Table includes twelve
+ columns presenting a view of the activity of the RADIUS
+ authentication server.
+
+4. Definitions
+
+RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+radiusAuthServMIB MODULE-IDENTITY
+ LAST-UPDATED "9906110000Z"
+ ORGANIZATION "IETF RADIUS Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+
+
+
+Zorn & Aboba Standards Track [Page 3]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Remote Access Dialin User Service (RADIUS)
+ authentication protocol."
+ REVISION "9906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2619"
+ ::= { radiusAuthentication 1 }
+
+radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
+
+radiusAuthServMIBObjects OBJECT IDENTIFIER ::=
+ { radiusAuthServMIB 1 }
+
+radiusAuthServ OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }
+
+radiusAuthServIdent OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ RADIUS authentication server software in use on the
+ system, for example; `FNS-2.1'"
+ ::= {radiusAuthServ 1}
+
+radiusAuthServUpTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process),
+ this value will be the time elapsed (in hundredths of a
+ seco) since the server process was started.
+ For software without persistent state, this value will
+ be zero."
+ ::= {radiusAuthServ 2}
+
+
+
+Zorn & Aboba Standards Track [Page 4]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+radiusAuthServResetTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a `reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed (in hundredths of a second) since the
+ server was `reset.' For software that does not
+ have persistence or does not support a `reset' operation,
+ this value will be zero."
+ ::= {radiusAuthServ 3}
+
+radiusAuthServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistent
+ server state. When set to reset(2), any persistent
+ server state (such as a process) is reinitialized as if
+ the server had just been started. This value will
+ never be returned by a read operation. When read, one of
+ the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= {radiusAuthServ 4}
+
+-- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)
+
+radiusAuthServTotalAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the
+ authentication port."
+ ::= { radiusAuthServ 5}
+
+radiusAuthServTotalInvalidRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Zorn & Aboba Standards Track [Page 5]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ received from unknown addresses."
+ ::= { radiusAuthServ 6 }
+
+radiusAuthServTotalDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received."
+ ::= { radiusAuthServ 7 }
+
+radiusAuthServTotalAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets sent."
+ ::= { radiusAuthServ 8 }
+
+radiusAuthServTotalAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets sent."
+ ::= { radiusAuthServ 9 }
+
+radiusAuthServTotalAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets sent."
+ ::= { radiusAuthServ 10 }
+
+radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received. Bad authenticators
+ and unknown types are not included as
+ malformed Access-Requests."
+ ::= { radiusAuthServ 11 }
+
+
+
+Zorn & Aboba Standards Track [Page 6]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+radiusAuthServTotalBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ which contained invalid Signature attributes received."
+ ::= { radiusAuthServ 12 }
+
+radiusAuthServTotalPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets
+ silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ ::= { radiusAuthServ 13 }
+
+radiusAuthServTotalUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type which
+ were received."
+ ::= { radiusAuthServ 14 }
+
+-- End of new
+
+radiusAuthClientTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS authentication
+ clients with which the server shares a secret."
+ ::= { radiusAuthServ 15 }
+
+radiusAuthClientEntry OBJECT-TYPE
+ SYNTAX RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication client with which the server shares a
+ secret."
+
+
+
+Zorn & Aboba Standards Track [Page 7]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ INDEX { radiusAuthClientIndex }
+ ::= { radiusAuthClientTable 1 }
+
+RadiusAuthClientEntry ::= SEQUENCE {
+ radiusAuthClientIndex Integer32,
+ radiusAuthClientAddress IpAddress,
+ radiusAuthClientID SnmpAdminString,
+ radiusAuthServAccessRequests Counter32,
+ radiusAuthServDupAccessRequests Counter32,
+ radiusAuthServAccessAccepts Counter32,
+ radiusAuthServAccessRejects Counter32,
+ radiusAuthServAccessChallenges Counter32,
+ radiusAuthServMalformedAccessRequests Counter32,
+ radiusAuthServBadAuthenticators Counter32,
+ radiusAuthServPacketsDropped Counter32,
+ radiusAuthServUnknownTypes Counter32
+}
+
+radiusAuthClientIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ authentication client with which this server
+ communicates."
+ ::= { radiusAuthClientEntry 1 }
+
+radiusAuthClientAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-IP-Address of the RADIUS authentication client
+ referred to in this table entry."
+ ::= { radiusAuthClientEntry 2 }
+
+radiusAuthClientID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client
+ referred to in this table entry. This is not necessarily
+ the same as sysName in MIB II."
+ ::= { radiusAuthClientEntry 3 }
+
+-- Server Counters
+
+
+
+Zorn & Aboba Standards Track [Page 8]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+--
+-- Responses = AccessAccepts + AccessRejects + AccessChallenges
+--
+-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+-- UnknownTypes - PacketsDropped - Responses = Pending
+--
+-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+-- UnknownTypes - PacketsDropped = entries logged
+
+radiusAuthServAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the authentication
+ port from this client."
+ ::= { radiusAuthClientEntry 4 }
+
+radiusAuthServDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received from this client."
+ ::= { radiusAuthClientEntry 5 }
+
+radiusAuthServAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ sent to this client."
+ ::= { radiusAuthClientEntry 6 }
+
+radiusAuthServAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ sent to this client."
+ ::= { radiusAuthClientEntry 7 }
+
+radiusAuthServAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+
+
+
+Zorn & Aboba Standards Track [Page 9]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ sent to this client."
+ ::= { radiusAuthClientEntry 8 }
+
+radiusAuthServMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received from this client.
+ Bad authenticators and unknown types are not included as
+ malformed Access-Requests."
+ ::= { radiusAuthClientEntry 9 }
+
+radiusAuthServBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ which contained invalid Signature attributes received
+ from this client."
+ ::= { radiusAuthClientEntry 10 }
+
+radiusAuthServPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets from this
+ client silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ ::= { radiusAuthClientEntry 11 }
+
+radiusAuthServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type which
+ were received from this client."
+ ::= { radiusAuthClientEntry 12 }
+
+
+
+
+
+Zorn & Aboba Standards Track [Page 10]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+-- conformance information
+
+radiusAuthServMIBConformance
+ OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
+radiusAuthServMIBCompliances
+ OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
+radiusAuthServMIBGroups
+ OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }
+
+
+-- compliance statements
+
+radiusAuthServMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for authentication servers
+ implementing the RADIUS Authentication Server MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthServMIBGroup }
+
+ OBJECT radiusAuthServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ ::= { radiusAuthServMIBCompliances 1 }
+
+-- units of conformance
+
+radiusAuthServMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAuthServIdent,
+ radiusAuthServUpTime,
+ radiusAuthServResetTime,
+ radiusAuthServConfigReset,
+ radiusAuthServTotalAccessRequests,
+ radiusAuthServTotalInvalidRequests,
+ radiusAuthServTotalDupAccessRequests,
+ radiusAuthServTotalAccessAccepts,
+ radiusAuthServTotalAccessRejects,
+ radiusAuthServTotalAccessChallenges,
+ radiusAuthServTotalMalformedAccessRequests,
+ radiusAuthServTotalBadAuthenticators,
+ radiusAuthServTotalPacketsDropped,
+ radiusAuthServTotalUnknownTypes,
+ radiusAuthClientAddress,
+ radiusAuthClientID,
+ radiusAuthServAccessRequests,
+ radiusAuthServDupAccessRequests,
+ radiusAuthServAccessAccepts,
+
+
+
+Zorn & Aboba Standards Track [Page 11]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ radiusAuthServAccessRejects,
+ radiusAuthServAccessChallenges,
+ radiusAuthServMalformedAccessRequests,
+ radiusAuthServBadAuthenticators,
+ radiusAuthServPacketsDropped,
+ radiusAuthServUnknownTypes
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Authentication Server."
+ ::= { radiusAuthServMIBGroups 1 }
+
+END
+
+5. References
+
+ [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
+ Describing SNMP Management Frameworks", RFC 2571, April 1999.
+
+ [2] Rose, M., and K. McCloghrie, "Structure and Identification of
+ Management Information for TCP/IP-based Internets", STD 16, RFC
+ 1155, May 1990.
+
+ [3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16,
+ RFC 1212, March 1991.
+
+ [4] Rose, M., "A Convention for Defining Traps for use with the
+ SNMP", RFC 1215, March 1991.
+
+ [5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
+ M. and S. Waldbusser, "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
+ M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
+ RFC 2579, April 1999.
+
+ [7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
+ M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
+ 58, RFC 2580, April 1999.
+
+ [8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
+ Network Management Protocol", STD 15, RFC 1157, May 1990.
+
+ [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+ "Introduction to Community-based SNMPv2", RFC 1901, January
+ 1996.
+
+
+
+Zorn & Aboba Standards Track [Page 12]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+ "Transport Mappings for Version 2 of the Simple Network
+ Management Protocol (SNMPv2)", RFC 1906, January 1996.
+
+ [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
+ Processing and Dispatching for the Simple Network
+ Management Protocol (SNMP)", RFC 2572, April 1999.
+
+ [12] Blumenthal, U., and B. Wijnen, "User-based Security Model for
+ Version 3 of the Simple Network Management Protocol (SNMPv3)",
+ RFC 2574, April 1999.
+
+ [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
+ Operations for Version 2 of the Simple Network Management
+ Protocol (SNMPv2)", RFC 1905, January 1996.
+
+ [14] Levi, D., Meyer, P., and B. Stewart, "SNMP Applications", RFC
+ 2573, April 1999.
+
+ [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
+ Control Model for the Simple Network Management Protocol
+ (SNMP)", RFC 2575, April 1999.
+
+ [16] Rigney, C., Rubens, A., Simpson W. and S. Willens, "Remote
+ Authentication Dial In User Service (RADIUS)", RFC 2138, April
+ 1997.
+
+6. Security Considerations
+
+ There are a number of management objects defined in this MIB that
+ have a MAX-ACCESS clause of read-write and/or read-create. Such
+ objects may be considered sensitive or vulnerable in some network
+ environments. The support for SET operations in a non-secure
+ environment without proper protection can have a negative effect on
+ network operations.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAuthClientAddress
+ This can be used to determine the address of the RADIUS
+ authentication client with which the server is
+ communicating. This information could be useful in
+ impersonating the client.
+
+ radiusAuthClientID This can be used to determine the client ID of the
+ authentication client with which the server is
+ communicating. This information could be useful in
+
+
+
+Zorn & Aboba Standards Track [Page 13]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ impersonating the client.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+ SNMPv1 by itself is not a secure environment. Even if the network
+ itself is secure (for example by using IPSec), there is no control as
+ to who on the secure network is allowed to access and GET/SET
+ (read/change/create/delete) the objects in this MIB.
+
+ It is recommended that the implementers consider the security
+ features as provided by the SNMPv3 framework. Specifically, the use
+ of the User-based Security Model RFC 2574 [12] and the View-based
+ Access Control Model RFC 2575 [15] is recommended. Using these
+ security features, customer/users can give access to the objects only
+ to those principals (users) that have legitimate rights to GET or SET
+ (change/create/delete) them.
+
+7. Acknowledgments
+
+ The authors acknowledge the contributions of the RADIUS Working Group
+ in the development of this MIB. Thanks to Narendra Gidwani of
+ Microsoft, Allan C. Rubens of MERIT, Carl Rigney of Livingston and
+ Peter Heitman of American Internet Corporation for useful discussions
+ of this problem space.
+
+8. Authors' Addresses
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: 425-936-6605
+ EMail: bernarda@microsoft.com
+
+ Glen Zorn
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: 425-703-1559
+ EMail: glennz@microsoft.com
+
+9. Intellectural Property Statement
+
+
+
+
+Zorn & Aboba Standards Track [Page 14]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards- related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zorn & Aboba Standards Track [Page 15]
+
+RFC 2619 RADIUS Authentication Server MIB June 1999
+
+
+10. Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published and
+ distributed, in whole or in part, without restriction of any kind,
+ provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zorn & Aboba Standards Track [Page 16]
+