Diffstat (limited to 'doc/rfc/rfc4671.txt')
-rw-r--r-- | doc/rfc/rfc4671.txt | 1347 |
1 files changed, 1347 insertions, 0 deletions
diff --git a/doc/rfc/rfc4671.txt b/doc/rfc/rfc4671.txt new file mode 100644 index 0000000..8ec2e7f --- /dev/null +++ b/doc/rfc/rfc4671.txt 
@@ -0,0 +1,1347 @@ + + + + + + +Network Working Group D. Nelson +Request for Comments: 4671 Enterasys Networks +Obsoletes: 2621 August 2006 +Category: Informational + + + RADIUS Accounting Server MIB for IPv6 + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This memo defines a set of extensions that instrument RADIUS + accounting server functions. These extensions represent a portion of + the Management Information Base (MIB) for use with network management + protocols in the Internet community. Using these extensions, + IP-based management stations can manage RADIUS accounting servers. + + This memo obsoletes RFC 2621 by deprecating the MIB table containing + IPv4-only address formats and defining a new table to add support for + version-neutral IP address formats. The remaining MIB objects from + RFC 2621 are carried forward into this document. This memo also adds + UNITS and REFERENCE clauses to selected objects. + + + + + + + + + + + + + + + + + + + + +Nelson Informational [Page 1] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Terminology .....................................................3 + 3. The Internet-Standard Management Framework ......................3 + 4. Scope of Changes ................................................3 + 5. Structure of the MIB Module .....................................4 + 6. Deprecated Objects ..............................................5 + 7. Definitions .....................................................5 + 8. Security Considerations ........................................20 + 9. References .....................................................22 + 9.1. 
Normative References ......................................22 + 9.2. Informative References ....................................22 + Appendix A. Acknowledgements ......................................23 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Nelson Informational [Page 2] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +1. Introduction + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + The objects defined within this memo relate to the Remote + Authentication Dial-In User Service (RADIUS) Accounting Server as + defined in RFC 2866 [RFC2866]. + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + This document uses terminology from RFC 2865 [RFC2865] and RFC 2866 + [RFC2866]. + + This document uses the word "malformed" with respect to RADIUS + packets, particularly in the context of counters of "malformed + packets". While RFC 2866 does not provide an explicit definition of + "malformed", malformed generally means that the implementation has + determined the packet does not match the format defined in RFC 2866. + Those implementations are used in deployments today, and thus set the + de facto definition of "malformed". + +3. The Internet-Standard Management Framework + + For a detailed overview of the documents that describe the current + Internet-Standard Management Framework, please refer to section 7 of + RFC 3410 [RFC3410]. + + Managed objects are accessed via a virtual information store, termed + the Management Information Base or MIB. MIB objects are generally + accessed through the Simple Network Management Protocol (SNMP). + Objects in the MIB are defined using the mechanisms defined in the + Structure of Management Information (SMI). 
This memo specifies a MIB + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 + [RFC2580]. + +4. Scope of Changes + + This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server + MIB, by deprecating the radiusAccClientTable table and adding a new + table, radiusAccClientExtTable, containing + radiusAccClientInetAddressType and radiusAccClientInetAddress. The + purpose of these added MIB objects is to support version-neutral IP + addressing formats. The existing table containing + + + +Nelson Informational [Page 3] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + radiusAccClientAddress is deprecated. The remaining MIB objects from + RFC 2621 are carried forward into this document. This memo also adds + UNITS and REFERENCE clauses to selected objects. + + RFC 4001 [RFC4001], which defines the SMI Textual Conventions for + version-neutral IP addresses, contains the following recommendation. + + 'In particular, when revising a MIB module that contains IPv4 + specific tables, it is suggested to define new tables using the + textual conventions defined in this memo [RFC4001] that support all + versions of IP. The status of the new tables SHOULD be "current", + whereas the status of the old IP version specific tables SHOULD be + changed to "deprecated". The other approach, of having multiple + similar tables for different IP versions, is strongly discouraged.' + +5. Structure of the MIB Module + + The RADIUS accounting protocol, described in RFC 2866 [RFC2866], + distinguishes between the client function and the server function. + In RADIUS accounting, clients send Accounting-Requests, and servers + reply with Accounting-Responses. 
Typically, Network Access Server + (NAS) devices implement the client function, and thus would be + expected to implement the RADIUS accounting client MIB, while RADIUS + accounting servers implement the server function, and thus would be + expected to implement the RADIUS accounting server MIB. + + However, it is possible for a RADIUS accounting entity to perform + both client and server functions. For example, a RADIUS proxy may + act as a server to one or more RADIUS accounting clients, while + simultaneously acting as an accounting client to one or more + accounting servers. In such situations, it is expected that RADIUS + entities combining client and server functionality will support both + the client and server MIBs. The server MIB is defined in this + document, and the client MIB is defined in [RFC4670]. + + This MIB module contains thirteen scalars as well as a single table, + the RADIUS Accounting Client Table, which contains one row for each + RADIUS accounting client with which the server shares a secret. Each + entry in the RADIUS Accounting Client Table includes twelve columns + presenting a view of the activity of the RADIUS accounting server. + + This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001]. + + + + + + + + + +Nelson Informational [Page 4] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +6. Deprecated Objects + + The deprecated table in this MIB is carried forward from RFC 2621 + [RFC2621]. There are two conditions under which it MAY be desirable + for managed entities to continue to support the deprecated table: + + 1. The managed entity only supports IPv4 address formats. + + 2. The managed entity supports both IPv4 and IPv6 address formats, + and the deprecated table is supported for backwards compatibility + with older management stations. 
This option SHOULD only be used + when the IP addresses in the new table are in IPv4 format and can + accurately be represented in both the new table and the + deprecated table. + + Managed entities SHOULD NOT instantiate row entries in the deprecated + table, containing IPv4-only address objects, when the RADIUS + accounting client address represented in such a table row is not an + IPv4 address. Managed entities SHOULD NOT return inaccurate values + of IP address or SNMP object access errors for IPv4-only address + objects in otherwise populated tables. When row entries exist in + both the deprecated IPv4-only table and the new IP-version-neutral + table that describe the same RADIUS accounting client, the row + indexes SHOULD be the same for the corresponding rows in each table, + to facilitate correlation of these related rows by management + applications. + +7. Definitions + + RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, + Counter32, Integer32, + IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI + SnmpAdminString FROM SNMP-FRAMEWORK-MIB + InetAddressType, InetAddress FROM INET-ADDRESS-MIB + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; + + radiusAccServMIB MODULE-IDENTITY + LAST-UPDATED "200608210000Z" -- 21 August 2006 + ORGANIZATION "IETF RADIUS Extensions Working Group." + CONTACT-INFO + " Bernard Aboba + Microsoft + One Microsoft Way + Redmond, WA 98052 + US + + + +Nelson Informational [Page 5] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + Phone: +1 425 936 6605 + EMail: bernarda@microsoft.com" + DESCRIPTION + "The MIB module for entities implementing the server + side of the Remote Authentication Dial-In User + Service (RADIUS) accounting protocol. Copyright (C) + The Internet Society (2006). This version of this + MIB module is part of RFC 4671; see the RFC itself + for full legal notices." 
+ REVISION "200608210000Z" -- 21 August 2006 + DESCRIPTION + "Revised version as published in RFC 4671. This + version obsoletes that of RFC 2621 by deprecating + the MIB table containing IPv4-only address formats + and defining a new table to add support for version- + neutral IP address formats. The remaining MIB objects + from RFC 2621 are carried forward into this version." + REVISION "199906110000Z" -- 11 Jun 1999 + DESCRIPTION "Initial version as published in RFC 2621." + ::= { radiusAccounting 1 } + + radiusMIB OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The OID assigned to RADIUS MIB work by the IANA." + ::= { mib-2 67 } + + radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2} + + radiusAccServMIBObjects OBJECT IDENTIFIER + ::= { radiusAccServMIB 1 } + + radiusAccServ OBJECT IDENTIFIER + ::= { radiusAccServMIBObjects 1 } + + radiusAccServIdent OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The implementation identification string for the + RADIUS accounting server software in use on the + system, for example, 'FNS-2.1'." + ::= {radiusAccServ 1} + + radiusAccServUpTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + + + +Nelson Informational [Page 6] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + STATUS current + DESCRIPTION + "If the server has a persistent state (e.g., a + process), this value will be the time elapsed (in + hundredths of a second) since the server process was + started. For software without persistent state, this + value will be zero." + ::= {radiusAccServ 2} + + radiusAccServResetTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "If the server has a persistent state (e.g., a process) + and supports a 'reset' operation (e.g., can be told to + re-read configuration files), this value will be the + time elapsed (in hundredths of a second) since the + server was 'reset.' 
For software that does not + have persistence or does not support a 'reset' + operation, this value will be zero." + ::= {radiusAccServ 3} + + radiusAccServConfigReset OBJECT-TYPE + SYNTAX INTEGER { other(1), + reset(2), + initializing(3), + running(4)} + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Status/action object to reinitialize any persistent + server state. When set to reset(2), any persistent + server state (such as a process) is reinitialized as + if the server had just been started. This value will + never be returned by a read operation. When read, + one of the following values will be returned: + other(1) - server in some unknown state; + initializing(3) - server (re)initializing; + running(4) - server currently running." + ::= {radiusAccServ 4} + + radiusAccServTotalRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Nelson Informational [Page 7] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + "The number of packets received on the + accounting port." + REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccServ 5 } + + radiusAccServTotalInvalidRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Request packets + received from unknown addresses." + REFERENCE "RFC 2866 sections 2, 4.1" + ::= { radiusAccServ 6 } + + radiusAccServTotalDupRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of duplicate RADIUS Accounting-Request + packets received." + REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccServ 7 } + + radiusAccServTotalResponses OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Response packets + sent." 
+ REFERENCE "RFC 2866 section 4.2" + ::= { radiusAccServ 8 } + + radiusAccServTotalMalformedRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of malformed RADIUS Accounting-Request + packets received. Bad authenticators or unknown + types are not included as malformed Access-Requests." + REFERENCE "RFC 2866 section 3" + + + +Nelson Informational [Page 8] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + ::= { radiusAccServ 9 } + + radiusAccServTotalBadAuthenticators OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that contained an invalid authenticator." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccServ 10 } + + radiusAccServTotalPacketsDropped OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of incoming packets silently discarded + for a reason other than malformed, bad authenticators, + or unknown types." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccServ 11 } + + radiusAccServTotalNoRecords OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that were received and responded to but not + recorded." + ::= { radiusAccServ 12 } + + radiusAccServTotalUnknownTypes OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS packets of unknown type that + were received." 
+ REFERENCE "RFC 2866 section 4" + ::= { radiusAccServ 13 } + + radiusAccClientTable OBJECT-TYPE + + + +Nelson Informational [Page 9] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + SYNTAX SEQUENCE OF RadiusAccClientEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The (conceptual) table listing the RADIUS accounting + clients with which the server shares a secret." + ::= { radiusAccServ 14 } + + radiusAccClientEntry OBJECT-TYPE + SYNTAX RadiusAccClientEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "An entry (conceptual row) representing a RADIUS + accounting client with which the server shares a + secret." + INDEX { radiusAccClientIndex } + ::= { radiusAccClientTable 1 } + + RadiusAccClientEntry ::= SEQUENCE { + radiusAccClientIndex Integer32, + radiusAccClientAddress IpAddress, + radiusAccClientID SnmpAdminString, + radiusAccServPacketsDropped Counter32, + radiusAccServRequests Counter32, + radiusAccServDupRequests Counter32, + radiusAccServResponses Counter32, + radiusAccServBadAuthenticators Counter32, + radiusAccServMalformedRequests Counter32, + radiusAccServNoRecords Counter32, + radiusAccServUnknownTypes Counter32 + } + + radiusAccClientIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "A number uniquely identifying each RADIUS accounting + client with which this server communicates." + ::= { radiusAccClientEntry 1 } + + radiusAccClientAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The NAS-IP-Address of the RADIUS accounting client + + + +Nelson Informational [Page 10] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + referred to in this table entry." 
+ ::= { radiusAccClientEntry 2 } + + radiusAccClientID OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The NAS-Identifier of the RADIUS accounting client + referred to in this table entry. This is not + necessarily the same as sysName in MIB II." + REFERENCE "RFC 2865 section 5.32" + ::= { radiusAccClientEntry 3 } + + -- Server Counters + -- + -- Requests - DupRequests - BadAuthenticators - MalformedRequests - + -- UnknownTypes - PacketsDropped - Responses = Pending + -- + -- Requests - DupRequests - BadAuthenticators - MalformedRequests - + -- UnknownTypes - PacketsDropped - NoRecords = entries logged + + radiusAccServPacketsDropped OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of incoming packets received + from this client and silently discarded + for a reason other than malformed, bad + authenticators, or unknown types." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientEntry 4 } + + radiusAccServRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of packets received from this + client on the accounting port." + REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccClientEntry 5 } + + radiusAccServDupRequests OBJECT-TYPE + SYNTAX Counter32 + + + +Nelson Informational [Page 11] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of duplicate RADIUS Accounting-Request + packets received from this client." + REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccClientEntry 6 } + + radiusAccServResponses OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of RADIUS Accounting-Response packets + sent to this client." 
+ REFERENCE "RFC 2866 section 4.2" + ::= { radiusAccClientEntry 7 } + + radiusAccServBadAuthenticators OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that contained invalid authenticators received + from this client." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientEntry 8 } + + radiusAccServMalformedRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of malformed RADIUS Accounting-Request + packets that were received from this client. + Bad authenticators and unknown types + are not included as malformed Accounting-Requests." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientEntry 9 } + + radiusAccServNoRecords OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + + + +Nelson Informational [Page 12] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that were received and responded to but not + recorded." + ::= { radiusAccClientEntry 10 } + + radiusAccServUnknownTypes OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of RADIUS packets of unknown type that + were received from this client." + REFERENCE "RFC 2866 section 4" + ::= { radiusAccClientEntry 11 } + + + -- New MIB objects added in this revision + + radiusAccClientExtTable OBJECT-TYPE + SYNTAX SEQUENCE OF RadiusAccClientExtEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The (conceptual) table listing the RADIUS accounting + clients with which the server shares a secret." 
+ ::= { radiusAccServ 15 } + + radiusAccClientExtEntry OBJECT-TYPE + SYNTAX RadiusAccClientExtEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry (conceptual row) representing a RADIUS + accounting client with which the server shares a + secret." + INDEX { radiusAccClientExtIndex } + ::= { radiusAccClientExtTable 1 } + + RadiusAccClientExtEntry ::= SEQUENCE { + radiusAccClientExtIndex Integer32, + radiusAccClientInetAddressType InetAddressType, + radiusAccClientInetAddress InetAddress, + radiusAccClientExtID SnmpAdminString, + radiusAccServExtPacketsDropped Counter32, + + + +Nelson Informational [Page 13] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + radiusAccServExtRequests Counter32, + radiusAccServExtDupRequests Counter32, + radiusAccServExtResponses Counter32, + radiusAccServExtBadAuthenticators Counter32, + radiusAccServExtMalformedRequests Counter32, + radiusAccServExtNoRecords Counter32, + radiusAccServExtUnknownTypes Counter32, + radiusAccServerCounterDiscontinuity TimeTicks + } + + radiusAccClientExtIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A number uniquely identifying each RADIUS accounting + client with which this server communicates." + ::= { radiusAccClientExtEntry 1 } + + radiusAccClientInetAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of address format used for the + radiusAccClientInetAddress object." + ::= { radiusAccClientExtEntry 2 } + + radiusAccClientInetAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address of the RADIUS accounting + client referred to in this table entry, using + the IPv6 address format." 
+ ::= { radiusAccClientExtEntry 3 } + + radiusAccClientExtID OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The NAS-Identifier of the RADIUS accounting client + referred to in this table entry. This is not + necessarily the same as sysName in MIB II." + REFERENCE "RFC 2865 section 5.32" + ::= { radiusAccClientExtEntry 4 } + + + +Nelson Informational [Page 14] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + -- Server Counters + -- + -- Requests - DupRequests - BadAuthenticators - MalformedRequests - + -- UnknownTypes - PacketsDropped - Responses = Pending + -- + -- Requests - DupRequests - BadAuthenticators - MalformedRequests - + -- UnknownTypes - PacketsDropped - NoRecords = entries logged + + radiusAccServExtPacketsDropped OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of incoming packets received from this + client and silently discarded for a reason other + than malformed, bad authenticators, or unknown types. + This counter may experience a discontinuity when the + RADIUS Accounting Server module within the managed + entity is reinitialized, as indicated by the current + value of radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientExtEntry 5 } + + radiusAccServExtRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets received from this + client on the accounting port. This counter + may experience a discontinuity when the + RADIUS Accounting Server module within the + managed entity is reinitialized, as indicated by + the current value of + radiusAccServerCounterDiscontinuity." 
+ REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccClientExtEntry 6 } + + radiusAccServExtDupRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of duplicate RADIUS Accounting-Request + packets received from this client. This counter + + + +Nelson Informational [Page 15] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + may experience a discontinuity when the RADIUS + Accounting Server module within the managed + entity is reinitialized, as indicated by the + current value of + radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 4.1" + ::= { radiusAccClientExtEntry 7 } + + radiusAccServExtResponses OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Response packets + sent to this client. This counter may experience + a discontinuity when the RADIUS Accounting Server + module within the managed entity is reinitialized, + as indicated by the current value of + radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 4.2" + ::= { radiusAccClientExtEntry 8 } + + radiusAccServExtBadAuthenticators OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that contained invalid authenticators received + from this client. This counter may experience a + discontinuity when the RADIUS Accounting Server + module within the managed entity is reinitialized, + as indicated by the current value of + radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientExtEntry 9 } + + radiusAccServExtMalformedRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of malformed RADIUS Accounting-Request + packets that were received from this client. 
+ Bad authenticators and unknown types are not + + + +Nelson Informational [Page 16] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + included as malformed Accounting-Requests. This + counter may experience a discontinuity when the + RADIUS Accounting Server module within the managed + entity is reinitialized, as indicated by the current + value of radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 3" + ::= { radiusAccClientExtEntry 10 } + + radiusAccServExtNoRecords OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Accounting-Request packets + that were received and responded to but not + recorded. This counter may experience a + discontinuity when the RADIUS Accounting Server + module within the managed entity is reinitialized, + as indicated by the current value of + radiusAccServerCounterDiscontinuity." + ::= { radiusAccClientExtEntry 11 } + + radiusAccServExtUnknownTypes OBJECT-TYPE + SYNTAX Counter32 + UNITS "packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS packets of unknown type that + were received from this client. This counter may + experience a discontinuity when the RADIUS Accounting + Server module within the managed entity is + reinitialized, as indicated by the current value of + radiusAccServerCounterDiscontinuity." + REFERENCE "RFC 2866 section 4" + ::= { radiusAccClientExtEntry 12 } + + radiusAccServerCounterDiscontinuity OBJECT-TYPE + SYNTAX TimeTicks + UNITS "centiseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of centiseconds since the last + discontinuity in the RADIUS Accounting Server + counters. A discontinuity may be the result of + a reinitialization of the RADIUS Accounting Server + + + +Nelson Informational [Page 17] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + module within the managed entity." 
+ ::= { radiusAccClientExtEntry 13 } + + + -- conformance information + + radiusAccServMIBConformance OBJECT IDENTIFIER + ::= { radiusAccServMIB 2 } + + radiusAccServMIBCompliances OBJECT IDENTIFIER + ::= { radiusAccServMIBConformance 1 } + + radiusAccServMIBGroups OBJECT IDENTIFIER + ::= { radiusAccServMIBConformance 2 } + + + -- compliance statements + + radiusAccServMIBCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for accounting servers + implementing the RADIUS Accounting Server MIB. + Implementation of this module is for IPv4-only + entities, or for backwards compatibility use with + entities that support both IPv4 and IPv6." + MODULE -- this module + MANDATORY-GROUPS { radiusAccServMIBGroup } + + OBJECT radiusAccServConfigReset + WRITE-SYNTAX INTEGER { reset(2) } + DESCRIPTION "The only SETable value is 'reset' (2)." + + ::= { radiusAccServMIBCompliances 1 } + + radiusAccServExtMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for accounting + servers implementing the RADIUS Accounting + Server IPv6 Extensions MIB. Implementation of + this module is for entities that support IPv6, + or support IPv4 and IPv6." + MODULE -- this module + MANDATORY-GROUPS { radiusAccServExtMIBGroup } + + OBJECT radiusAccServConfigReset + WRITE-SYNTAX INTEGER { reset(2) } + + + +Nelson Informational [Page 18] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + DESCRIPTION "The only SETable value is 'reset' (2)." + + OBJECT radiusAccClientInetAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." + + OBJECT radiusAccClientInetAddress + SYNTAX InetAddress ( SIZE (4|16) ) + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." 
+ + ::= { radiusAccServMIBCompliances 2 } + + + -- units of conformance + + radiusAccServMIBGroup OBJECT-GROUP + OBJECTS {radiusAccServIdent, + radiusAccServUpTime, + radiusAccServResetTime, + radiusAccServConfigReset, + radiusAccServTotalRequests, + radiusAccServTotalInvalidRequests, + radiusAccServTotalDupRequests, + radiusAccServTotalResponses, + radiusAccServTotalMalformedRequests, + radiusAccServTotalBadAuthenticators, + radiusAccServTotalPacketsDropped, + radiusAccServTotalNoRecords, + radiusAccServTotalUnknownTypes, + radiusAccClientAddress, + radiusAccClientID, + radiusAccServPacketsDropped, + radiusAccServRequests, + radiusAccServDupRequests, + radiusAccServResponses, + radiusAccServBadAuthenticators, + radiusAccServMalformedRequests, + radiusAccServNoRecords, + radiusAccServUnknownTypes + } + STATUS deprecated + DESCRIPTION + "The collection of objects providing management of + a RADIUS Accounting Server." + + + +Nelson Informational [Page 19] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + ::= { radiusAccServMIBGroups 1 } + + radiusAccServExtMIBGroup OBJECT-GROUP + OBJECTS {radiusAccServIdent, + radiusAccServUpTime, + radiusAccServResetTime, + radiusAccServConfigReset, + radiusAccServTotalRequests, + radiusAccServTotalInvalidRequests, + radiusAccServTotalDupRequests, + radiusAccServTotalResponses, + radiusAccServTotalMalformedRequests, + radiusAccServTotalBadAuthenticators, + radiusAccServTotalPacketsDropped, + radiusAccServTotalNoRecords, + radiusAccServTotalUnknownTypes, + radiusAccClientInetAddressType, + radiusAccClientInetAddress, + radiusAccClientExtID, + radiusAccServExtPacketsDropped, + radiusAccServExtRequests, + radiusAccServExtDupRequests, + radiusAccServExtResponses, + radiusAccServExtBadAuthenticators, + radiusAccServExtMalformedRequests, + radiusAccServExtNoRecords, + radiusAccServExtUnknownTypes, + radiusAccServerCounterDiscontinuity + } + STATUS current + DESCRIPTION + "The collection of objects providing management of + a 
RADIUS Accounting Server." + ::= { radiusAccServMIBGroups 2 } + + END + +8. Security Considerations + + There are management objects (radiusAccServConfigReset) defined in + this MIB that have a MAX-ACCESS clause of read-write and/or read- + create. Such objects may be considered sensitive or vulnerable in + some network environments. The support for SET operations in a non- + secure environment without proper protection can have a negative + effect on network operations. These are: + + + + + + +Nelson Informational [Page 20] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + + radiusAccServConfigReset + This object can be used to reinitialize the persistent state of + any server. When set to reset(2), any persistent server state + (such as a process) is reinitialized as if the server had just + been started. Depending on the server implementation details, + this action may or may not interrupt the processing of pending + request in the server. Abuse of this object may lead to a Denial + of Service attack on the server. + + There are a number of managed objects in this MIB that may contain + sensitive information. These are: + + radiusAccClientIPAddress + This can be used to determine the address of the RADIUS accounting + client with which the server is communicating. This information + could be useful in mounting an attack on the accounting client. + + radiusAccClientInetAddress + This can be used to determine the address of the RADIUS accounting + client with which the server is communicating. This information + could be useful in mounting an attack on the accounting client. + + It is thus important to control even GET access to these objects and + possibly to even encrypt the values of these object when sending them + over the network via SNMP. Not all versions of SNMP provide features + for such a secure environment. + + SNMP versions prior to SNMPv3 do not provide a secure environment. 
+ Even if the network itself is secure (for example by using IPsec), + there is no control as to who on the secure network is allowed to + access and GET/SET (read/change/create/delete) the objects in this + MIB. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see [RFC3410], section 8), + including full support for the SNMPv3 cryptographic mechanisms (for + authentication and privacy). + + Further, deployment of SNMP versions prior to SNMPv3 is NOT + RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module is properly configured to give access to + the objects only to those principals (users) that have legitimate + rights to indeed GET or SET (change/create/delete) them. + + + + + + +Nelson Informational [Page 21] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +9. References + +9.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Structure of Management Information + Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. + + [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. + Schoenwaelder, Ed., "Textual Conventions for SMIv2", + STD 58, RFC 2579, April 1999. + + [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Conformance Statements for SMIv2", STD 58, RFC 2580, + April 1999. + + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, + December 2002. + + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. 
+ Schoenwaelder, "Textual Conventions for Internet Network + Addresses", RFC 4001, February 2005. + +9.2. Informative References + + [RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB", + RFC 2621, June 1999. + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for Internet- + Standard Management Framework", RFC 3410, December 2002. + + [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC + 4670, August 2006. + + + + + + +Nelson Informational [Page 22] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +Appendix A. Acknowledgements + + The authors of the original MIB are Bernard Aboba and Glen Zorn. + + Many thanks to all reviewers, especially to Dave Harrington, Dan + Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen. + +Author's Address + + David B. Nelson + Enterasys Networks + 50 Minuteman Road + Andover, MA 01810 + USA + + EMail: dnelson@enterasys.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Nelson Informational [Page 23] + +RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
+ +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Nelson Informational [Page 24] + |
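Review bot: In the Security Considerations text of this added file, the first object listed as sensitive is radiusAccClientIPAddress, but the OBJECTS list of the deprecated radiusAccServMIBGroup in the same hunk names the IPv4 address object radiusAccClientAddress, and no radiusAccClientIPAddress appears in either group shown here. Since this is a verbatim copy of a published RFC, the text should stay as it is. The mismatch is still worth recording in the commit message or in a note beside the file, so that anyone deriving SNMP view or access-control entries from section 8 restricts radiusAccClientAddress and radiusAccClientInetAddress by their defined names. The same section identifies radiusAccServConfigReset as the one read-write object, with a denial-of-service risk when set to reset(2), so it would help if the commit stated whether any agent in this tree exposes it for SET and under which SNMP version.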