Diffstat (limited to 'doc/rfc/rfc4669.txt')
-rw-r--r-- doc/rfc/rfc4669.txt 1403
1 files changed, 1403 insertions, 0 deletions
diff --git a/doc/rfc/rfc4669.txt b/doc/rfc/rfc4669.txt
new file mode 100644
index 0000000..2d093fb
--- /dev/null
+++ b/doc/rfc/rfc4669.txt
@@ -0,0 +1,1403 @@
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4669 Enterasys Networks
+Obsoletes: 2619 August 2006
+Category: Standards Track
+
+
+ RADIUS Authentication Server MIB for IPv6
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ authentication server functions. These extensions represent a
+ portion of the Management Information Base (MIB) for use with network
+ management protocols in the Internet community. Using these
+ extensions, IP-based management stations can manage RADIUS
+ authentication servers.
+
+ This memo obsoletes RFC 2619 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2619 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 1]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................21
+ 9. References .....................................................23
+ 9.1. Normative References ......................................23
+ 9.2. Informative References ....................................23
+ Appendix A. Acknowledgements ......................................24
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 2]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Authentication Server as
+ defined in RFC 2865 [RFC2865].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2865 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2865.
+ Some implementations may determine that packets are malformed when
+ the Vendor Specific Attribute (VSA) format does not follow the RFC
+ 2865 recommendations for VSAs. Those implementations are used in
+ deployments today, and thus set the de facto definition of
+ "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication
+ Server MIB, by deprecating the radiusAuthClientTable table and adding
+ a new table, radiusAuthClientExtTable, containing
+ radiusAuthClientInetAddressType and radiusAuthClientInetAddress. The
+
+
+
+Nelson Standards Track [Page 3]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ purpose of these added MIB objects is to support version-neutral IP
+ addressing formats. The existing table containing
+ radiusAuthClientAddress is deprecated. The remaining MIB objects
+ from RFC 2619 are carried forward into this document. This memo also
+ adds UNITS and REFERENCE clauses to selected objects.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ version-neutral IP addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
+ distinguishes between the client function and the server function.
+ In RADIUS authentication, clients send Access-Requests, and servers
+ reply with Access-Accepts, Access-Rejects, and Access-Challenges.
+ Typically, NAS devices implement the client function, and thus would
+ be expected to implement the RADIUS authentication client MIB, while
+ RADIUS authentication servers implement the server function, and thus
+ would be expected to implement the RADIUS authentication server MIB.
+
+ However, it is possible for a RADIUS authentication entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS authentication clients, while
+ simultaneously acting as an authentication client to one or more
+ authentication servers. In such situations, it is expected that
+ RADIUS entities combining client and server functionality will
+ support both the client and server MIBs. The server MIB is defined
+ in this document, and the client MIB is defined in [RFC4668].
+
+ This MIB module contains fourteen scalars as well as a single table,
+ the RADIUS Authentication Client Table, which contains one row for
+ each RADIUS authentication client with which the server shares a
+ secret. Each entry in the RADIUS Authentication Client Table
+ includes thirteen columns presenting a view of the activity of the
+ RADIUS authentication server.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+
+
+Nelson Standards Track [Page 4]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2619
+ [RFC2619]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS client
+ address represented in such a table row is not an IPv4 address.
+ Managed entities SHOULD NOT return inaccurate values of IP address or
+ SNMP object access errors for IPv4-only address objects in otherwise
+ populated tables. When row entries exist in both the deprecated
+ IPv4-only table and the new IP-version-neutral table that describe
+ the same RADIUS client, the row indexes SHOULD be the same for the
+ corresponding rows in each table, to facilitate correlation of these
+ related rows by management applications.
+
+7. Definitions
+
+ RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+ radiusAuthServMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+ Phone: +1 425 936 6605
+
+
+
+Nelson Standards Track [Page 5]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Remote Authentication Dial-In User
+ Service (RADIUS) authentication protocol. Copyright
+ (C) The Internet Society (2006). This version of this
+ MIB module is part of RFC 4669; see the RFC itself for
+ full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4669. This
+ version obsoletes that of RFC 2619 by deprecating the
+ MIB table containing IPv4-only address formats and
+ defining a new table to add support for version-neutral
+ IP address formats. The remaining MIB objects from RFC
+ 2619 are carried forward into this version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2619."
+ ::= { radiusAuthentication 1 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
+
+ radiusAuthServMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAuthServMIB 1 }
+
+ radiusAuthServ OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBObjects 1 }
+
+ radiusAuthServIdent OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ RADIUS authentication server software in use on the
+ system, for example, 'FNS-2.1'."
+ ::= {radiusAuthServ 1}
+
+ radiusAuthServUpTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Nelson Standards Track [Page 6]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a
+ process), this value will be the time elapsed (in
+ hundredths of a second) since the server process
+ was started. For software without persistent state,
+ this value will be zero."
+ ::= {radiusAuthServ 2}
+
+ radiusAuthServResetTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a 'reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed (in hundredths of a second) since the
+ server was 'reset.' For software that does not
+ have persistence or does not support a 'reset'
+ operation, this value will be zero."
+ ::= {radiusAuthServ 3}
+
+ radiusAuthServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistent
+ server state. When set to reset(2), any persistent
+ server state (such as a process) is reinitialized as
+ if the server had just been started. This value will
+ never be returned by a read operation. When read,
+ one of the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= {radiusAuthServ 4}
+
+ radiusAuthServTotalAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the
+
+
+
+Nelson Standards Track [Page 7]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ authentication port."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 5}
+
+ radiusAuthServTotalInvalidRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ received from unknown addresses."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 6 }
+
+ radiusAuthServTotalDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 7 }
+
+ radiusAuthServTotalAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets sent."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthServ 8 }
+
+ radiusAuthServTotalAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets sent."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthServ 9 }
+
+ radiusAuthServTotalAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Standards Track [Page 8]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets sent."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthServ 10 }
+
+ radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received. Bad authenticators
+ and unknown types are not included as
+ malformed Access-Requests."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 11 }
+
+ radiusAuthServTotalBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServ 12 }
+
+ radiusAuthServTotalPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets
+ silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServ 13 }
+
+ radiusAuthServTotalUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Standards Track [Page 9]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthServ 14 }
+
+
+ radiusAuthClientTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS
+ authentication clients with which the server shares
+ a secret."
+ ::= { radiusAuthServ 15 }
+
+
+ radiusAuthClientEntry OBJECT-TYPE
+ SYNTAX RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication client with which the server shares a
+ secret."
+ INDEX { radiusAuthClientIndex }
+ ::= { radiusAuthClientTable 1 }
+
+ RadiusAuthClientEntry ::= SEQUENCE {
+ radiusAuthClientIndex Integer32,
+ radiusAuthClientAddress IpAddress,
+ radiusAuthClientID SnmpAdminString,
+ radiusAuthServAccessRequests Counter32,
+ radiusAuthServDupAccessRequests Counter32,
+ radiusAuthServAccessAccepts Counter32,
+ radiusAuthServAccessRejects Counter32,
+ radiusAuthServAccessChallenges Counter32,
+ radiusAuthServMalformedAccessRequests Counter32,
+ radiusAuthServBadAuthenticators Counter32,
+ radiusAuthServPacketsDropped Counter32,
+ radiusAuthServUnknownTypes Counter32
+ }
+
+ radiusAuthClientIndex OBJECT-TYPE
+
+
+
+Nelson Standards Track [Page 10]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ authentication client with which this server
+ communicates."
+ ::= { radiusAuthClientEntry 1 }
+
+ radiusAuthClientAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-IP-Address of the RADIUS authentication client
+ referred to in this table entry."
+ REFERENCE "RFC 2865 section 2"
+ ::= { radiusAuthClientEntry 2 }
+
+ radiusAuthClientID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAuthClientEntry 3 }
+
+ -- Server Counters
+
+ --
+ -- Responses = AccessAccepts + AccessRejects + AccessChallenges
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped = entries logged
+
+ radiusAuthServAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of packets received on the authentication
+
+
+
+Nelson Standards Track [Page 11]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ port from this client."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientEntry 4 }
+
+ radiusAuthServDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received from this client."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientEntry 5 }
+
+ radiusAuthServAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthClientEntry 6 }
+
+ radiusAuthServAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthClientEntry 7 }
+
+ radiusAuthServAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthClientEntry 8 }
+
+
+
+
+Nelson Standards Track [Page 12]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received from this client.
+ Bad authenticators and unknown types are not included
+ as malformed Access-Requests."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 9 }
+
+ radiusAuthServBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received from this client."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 10 }
+
+ radiusAuthServPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of incoming packets from this
+ client silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 11 }
+
+ radiusAuthServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthClientEntry 12 }
+
+
+
+Nelson Standards Track [Page 13]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ -- New MIB objects added in this revision
+
+ radiusAuthClientExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS
+ authentication clients with which the server shares
+ a secret."
+ ::= { radiusAuthServ 16 }
+
+ radiusAuthClientExtEntry OBJECT-TYPE
+ SYNTAX RadiusAuthClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication client with which the server shares a
+ secret."
+ INDEX { radiusAuthClientExtIndex }
+ ::= { radiusAuthClientExtTable 1 }
+
+ RadiusAuthClientExtEntry ::= SEQUENCE {
+ radiusAuthClientExtIndex Integer32,
+ radiusAuthClientInetAddressType InetAddressType,
+ radiusAuthClientInetAddress InetAddress,
+ radiusAuthClientExtID SnmpAdminString,
+ radiusAuthServExtAccessRequests Counter32,
+ radiusAuthServExtDupAccessRequests Counter32,
+ radiusAuthServExtAccessAccepts Counter32,
+ radiusAuthServExtAccessRejects Counter32,
+ radiusAuthServExtAccessChallenges Counter32,
+ radiusAuthServExtMalformedAccessRequests Counter32,
+ radiusAuthServExtBadAuthenticators Counter32,
+ radiusAuthServExtPacketsDropped Counter32,
+ radiusAuthServExtUnknownTypes Counter32,
+ radiusAuthServCounterDiscontinuity TimeTicks
+ }
+
+ radiusAuthClientExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ authentication client with which this server
+ communicates."
+
+
+
+Nelson Standards Track [Page 14]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAuthClientExtEntry 1 }
+
+ radiusAuthClientInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAuthClientInetAddress object."
+ ::= { radiusAuthClientExtEntry 2 }
+
+ radiusAuthClientInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS authentication
+ client referred to in this table entry, using
+ the version-neutral IP address format."
+ ::= { radiusAuthClientExtEntry 3 }
+
+
+ radiusAuthClientExtID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAuthClientExtEntry 4 }
+
+ -- Server Counters
+
+ --
+ -- Responses = AccessAccepts + AccessRejects + AccessChallenges
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped = entries logged
+
+ radiusAuthServExtAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+
+
+
+Nelson Standards Track [Page 15]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the authentication
+ port from this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientExtEntry 5 }
+
+ radiusAuthServExtDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received from this client. This counter may
+ experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientExtEntry 6 }
+
+ radiusAuthServExtAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthClientExtEntry 7 }
+
+ radiusAuthServExtAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+
+
+
+Nelson Standards Track [Page 16]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthClientExtEntry 8 }
+
+ radiusAuthServExtAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthClientExtEntry 9 }
+
+ radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received from this client. Bad authenticators
+ and unknown types are not included as malformed
+ Access-Requests. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 sections 3, 4.1"
+ ::= { radiusAuthClientExtEntry 10 }
+
+ radiusAuthServExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received from this client. This counter
+ may experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+
+
+
+Nelson Standards Track [Page 17]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientExtEntry 11 }
+
+ radiusAuthServExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets from this client
+ silently discarded for some reason other than
+ malformed, bad authenticators or unknown types.
+ This counter may experience a discontinuity when the
+ RADIUS Server module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientExtEntry 12 }
+
+ radiusAuthServExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client. This counter may
+ experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthClientExtEntry 13 }
+
+ radiusAuthServCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centiseconds since the last
+ discontinuity in the RADIUS Server counters.
+ A discontinuity may be the result of a
+ reinitialization of the RADIUS Server module
+ within the managed entity."
+ ::= { radiusAuthClientExtEntry 14 }
+
+
+
+
+
+Nelson Standards Track [Page 18]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ -- conformance information
+
+ radiusAuthServMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAuthServMIB 2 }
+
+ radiusAuthServMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBConformance 1 }
+
+ radiusAuthServMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBConformance 2 }
+
+ -- compliance statements
+
+ radiusAuthServMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for authentication
+ servers implementing the RADIUS Authentication
+ Server MIB. Implementation of this module is for
+ IPv4-only entities, or for backwards compatibility
+ use with entities that support both IPv4 and
+ IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthServMIBGroup }
+
+ OBJECT radiusAuthServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ ::= { radiusAuthServMIBCompliances 1 }
+
+
+ radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for authentication
+ servers implementing the RADIUS Authentication
+ Server IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthServExtMIBGroup }
+
+ OBJECT radiusAuthServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ OBJECT radiusAuthClientInetAddressType
+
+
+
+Nelson Standards Track [Page 19]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAuthClientInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ ::= { radiusAuthServMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAuthServMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAuthServIdent,
+ radiusAuthServUpTime,
+ radiusAuthServResetTime,
+ radiusAuthServConfigReset,
+ radiusAuthServTotalAccessRequests,
+ radiusAuthServTotalInvalidRequests,
+ radiusAuthServTotalDupAccessRequests,
+ radiusAuthServTotalAccessAccepts,
+ radiusAuthServTotalAccessRejects,
+ radiusAuthServTotalAccessChallenges,
+ radiusAuthServTotalMalformedAccessRequests,
+ radiusAuthServTotalBadAuthenticators,
+ radiusAuthServTotalPacketsDropped,
+ radiusAuthServTotalUnknownTypes,
+ radiusAuthClientAddress,
+ radiusAuthClientID,
+ radiusAuthServAccessRequests,
+ radiusAuthServDupAccessRequests,
+ radiusAuthServAccessAccepts,
+ radiusAuthServAccessRejects,
+ radiusAuthServAccessChallenges,
+ radiusAuthServMalformedAccessRequests,
+ radiusAuthServBadAuthenticators,
+ radiusAuthServPacketsDropped,
+ radiusAuthServUnknownTypes
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Authentication Server."
+ ::= { radiusAuthServMIBGroups 1 }
+
+
+
+Nelson Standards Track [Page 20]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServExtMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAuthServIdent,
+ radiusAuthServUpTime,
+ radiusAuthServResetTime,
+ radiusAuthServConfigReset,
+ radiusAuthServTotalAccessRequests,
+ radiusAuthServTotalInvalidRequests,
+ radiusAuthServTotalDupAccessRequests,
+ radiusAuthServTotalAccessAccepts,
+ radiusAuthServTotalAccessRejects,
+ radiusAuthServTotalAccessChallenges,
+ radiusAuthServTotalMalformedAccessRequests,
+ radiusAuthServTotalBadAuthenticators,
+ radiusAuthServTotalPacketsDropped,
+ radiusAuthServTotalUnknownTypes,
+ radiusAuthClientInetAddressType,
+ radiusAuthClientInetAddress,
+ radiusAuthClientExtID,
+ radiusAuthServExtAccessRequests,
+ radiusAuthServExtDupAccessRequests,
+ radiusAuthServExtAccessAccepts,
+ radiusAuthServExtAccessRejects,
+ radiusAuthServExtAccessChallenges,
+ radiusAuthServExtMalformedAccessRequests,
+ radiusAuthServExtBadAuthenticators,
+ radiusAuthServExtPacketsDropped,
+ radiusAuthServExtUnknownTypes,
+ radiusAuthServCounterDiscontinuity
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Authentication Server."
+ ::= { radiusAuthServMIBGroups 2 }
+
+ END
+
+8. Security Considerations
+
+ There are a number of management objects defined in this MIB that
+ have a MAX-ACCESS clause of read-write and/or read-create. Such
+ objects may be considered sensitive or vulnerable in some network
+ environments. The support for SET operations in a non-secure
+ environment without proper protection can have a negative effect on
+ network operations. These are:
+
+
+
+
+
+
+Nelson Standards Track [Page 21]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServConfigReset
+ This object can be used to reinitialize the persistent state of
+ any server. When set to reset(2), any persistent server state
+ (such as a process) is reinitialized as if the server had just
+ been started. Depending on the server implementation details,
+ this action may or may not interrupt the processing of pending
+ request in the server. Abuse of this object may lead to a Denial
+ of Service attack on the server.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAuthClientIPAddress
+ This can be used to determine the address of the RADIUS
+ authentication client with which the server is communicating.
+ This information could be useful in mounting an attack on the
+ authentication client.
+
+ radiusAuthClientInetAddress
+ This can be used to determine the address of the RADIUS
+ authentication client with which the server is communicating.
+ This information could be useful in mounting an attack on the
+ authentication client.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+ SNMP versions prior to SNMPv3 do not provide a secure environment.
+ Even if the network itself is secure (for example by using IPsec),
+ there is no control as to who on the secure network is allowed to
+ access and GET/SET (read/change/create/delete) the objects in this
+ MIB.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+Nelson Standards Track [Page 22]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+9.2. Informative References
+
+ [RFC2619] Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
+ RFC 2619, June 1999.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
+ RFC 4668, August 2006.
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 23]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to David Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 24]
+
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Standards Track [Page 25]
+
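Review bot: In the Security Considerations text (section 8), the list of sensitive objects names radiusAuthClientIPAddress, but no object of that name appears in the conformance groups in this same file: the deprecated radiusAuthServMIBGroup lists radiusAuthClientAddress, and the current radiusAuthServExtMIBGroup lists radiusAuthClientInetAddress. As the file appears to be a copy of the published RFC, I would leave the text as it is and record the mismatch in the commit message or a note beside doc/rfc, so that anyone deriving SNMP access-control views from this section restricts radiusAuthClientAddress and radiusAuthClientInetAddress under the names the MIB defines. The same section singles out radiusAuthServConfigReset as writable, with reset(2) as the only SETable value in both compliance statements; if anything in this tree implements the module, confirm that SET on that object is available only to SNMPv3 principals with authentication and privacy enabled, as the text recommends.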