Diffstat (limited to 'doc/rfc/rfc4671.txt')
-rw-r--r-- doc/rfc/rfc4671.txt 1347
1 files changed, 1347 insertions, 0 deletions
diff --git a/doc/rfc/rfc4671.txt b/doc/rfc/rfc4671.txt
new file mode 100644
index 0000000..8ec2e7f
--- /dev/null
+++ b/doc/rfc/rfc4671.txt
@@ -0,0 +1,1347 @@
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4671 Enterasys Networks
+Obsoletes: 2621 August 2006
+Category: Informational
+
+
+ RADIUS Accounting Server MIB for IPv6
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ accounting server functions. These extensions represent a portion of
+ the Management Information Base (MIB) for use with network management
+ protocols in the Internet community. Using these extensions,
+ IP-based management stations can manage RADIUS accounting servers.
+
+ This memo obsoletes RFC 2621 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2621 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 1]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................20
+ 9. References .....................................................22
+ 9.1. Normative References ......................................22
+ 9.2. Informative References ....................................22
+ Appendix A. Acknowledgements ......................................23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 2]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Accounting Server as
+ defined in RFC 2866 [RFC2866].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
+ [RFC2866].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2866 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2866.
+ Those implementations are used in deployments today, and thus set the
+ de facto definition of "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
+ MIB, by deprecating the radiusAccClientTable table and adding a new
+ table, radiusAccClientExtTable, containing
+ radiusAccClientInetAddressType and radiusAccClientInetAddress. The
+ purpose of these added MIB objects is to support version-neutral IP
+ addressing formats. The existing table containing
+
+
+
+Nelson Informational [Page 3]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccClientAddress is deprecated. The remaining MIB objects from
+ RFC 2621 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ version-neutral IP addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
+ distinguishes between the client function and the server function.
+ In RADIUS accounting, clients send Accounting-Requests, and servers
+ reply with Accounting-Responses. Typically, Network Access Server
+ (NAS) devices implement the client function, and thus would be
+ expected to implement the RADIUS accounting client MIB, while RADIUS
+ accounting servers implement the server function, and thus would be
+ expected to implement the RADIUS accounting server MIB.
+
+ However, it is possible for a RADIUS accounting entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS accounting clients, while
+ simultaneously acting as an accounting client to one or more
+ accounting servers. In such situations, it is expected that RADIUS
+ entities combining client and server functionality will support both
+ the client and server MIBs. The server MIB is defined in this
+ document, and the client MIB is defined in [RFC4670].
+
+ This MIB module contains thirteen scalars as well as a single table,
+ the RADIUS Accounting Client Table, which contains one row for each
+ RADIUS accounting client with which the server shares a secret. Each
+ entry in the RADIUS Accounting Client Table includes twelve columns
+ presenting a view of the activity of the RADIUS accounting server.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 4]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2621
+ [RFC2621]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS
+ accounting client address represented in such a table row is not an
+ IPv4 address. Managed entities SHOULD NOT return inaccurate values
+ of IP address or SNMP object access errors for IPv4-only address
+ objects in otherwise populated tables. When row entries exist in
+ both the deprecated IPv4-only table and the new IP-version-neutral
+ table that describe the same RADIUS accounting client, the row
+ indexes SHOULD be the same for the corresponding rows in each table,
+ to facilitate correlation of these related rows by management
+ applications.
+
+7. Definitions
+
+ RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+ radiusAccServMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+
+
+Nelson Informational [Page 5]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Remote Authentication Dial-In User
+ Service (RADIUS) accounting protocol. Copyright (C)
+ The Internet Society (2006). This version of this
+ MIB module is part of RFC 4671; see the RFC itself
+ for full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4671. This
+ version obsoletes that of RFC 2621 by deprecating
+ the MIB table containing IPv4-only address formats
+ and defining a new table to add support for version-
+ neutral IP address formats. The remaining MIB objects
+ from RFC 2621 are carried forward into this version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2621."
+ ::= { radiusAccounting 1 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}
+
+ radiusAccServMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAccServMIB 1 }
+
+ radiusAccServ OBJECT IDENTIFIER
+ ::= { radiusAccServMIBObjects 1 }
+
+ radiusAccServIdent OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ RADIUS accounting server software in use on the
+ system, for example, 'FNS-2.1'."
+ ::= {radiusAccServ 1}
+
+ radiusAccServUpTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+
+
+
+Nelson Informational [Page 6]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a
+ process), this value will be the time elapsed (in
+ hundredths of a second) since the server process was
+ started. For software without persistent state, this
+ value will be zero."
+ ::= {radiusAccServ 2}
+
+ radiusAccServResetTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a 'reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed (in hundredths of a second) since the
+ server was 'reset.' For software that does not
+ have persistence or does not support a 'reset'
+ operation, this value will be zero."
+ ::= {radiusAccServ 3}
+
+ radiusAccServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistent
+ server state. When set to reset(2), any persistent
+ server state (such as a process) is reinitialized as
+ if the server had just been started. This value will
+ never be returned by a read operation. When read,
+ one of the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= {radiusAccServ 4}
+
+ radiusAccServTotalRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+
+
+
+Nelson Informational [Page 7]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ "The number of packets received on the
+ accounting port."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServ 5 }
+
+ radiusAccServTotalInvalidRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ received from unknown addresses."
+ REFERENCE "RFC 2866 sections 2, 4.1"
+ ::= { radiusAccServ 6 }
+
+ radiusAccServTotalDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServ 7 }
+
+ radiusAccServTotalResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccServ 8 }
+
+ radiusAccServTotalMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets received. Bad authenticators or unknown
+ types are not included as malformed Access-Requests."
+ REFERENCE "RFC 2866 section 3"
+
+
+
+Nelson Informational [Page 8]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServ 9 }
+
+ radiusAccServTotalBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained an invalid authenticator."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServ 10 }
+
+ radiusAccServTotalPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets silently discarded
+ for a reason other than malformed, bad authenticators,
+ or unknown types."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServ 11 }
+
+ radiusAccServTotalNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded."
+ ::= { radiusAccServ 12 }
+
+ radiusAccServTotalUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccServ 13 }
+
+ radiusAccClientTable OBJECT-TYPE
+
+
+
+Nelson Informational [Page 9]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ SYNTAX SEQUENCE OF RadiusAccClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ clients with which the server shares a secret."
+ ::= { radiusAccServ 14 }
+
+ radiusAccClientEntry OBJECT-TYPE
+ SYNTAX RadiusAccClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting client with which the server shares a
+ secret."
+ INDEX { radiusAccClientIndex }
+ ::= { radiusAccClientTable 1 }
+
+ RadiusAccClientEntry ::= SEQUENCE {
+ radiusAccClientIndex Integer32,
+ radiusAccClientAddress IpAddress,
+ radiusAccClientID SnmpAdminString,
+ radiusAccServPacketsDropped Counter32,
+ radiusAccServRequests Counter32,
+ radiusAccServDupRequests Counter32,
+ radiusAccServResponses Counter32,
+ radiusAccServBadAuthenticators Counter32,
+ radiusAccServMalformedRequests Counter32,
+ radiusAccServNoRecords Counter32,
+ radiusAccServUnknownTypes Counter32
+ }
+
+ radiusAccClientIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS accounting
+ client with which this server communicates."
+ ::= { radiusAccClientEntry 1 }
+
+ radiusAccClientAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-IP-Address of the RADIUS accounting client
+
+
+
+Nelson Informational [Page 10]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ referred to in this table entry."
+ ::= { radiusAccClientEntry 2 }
+
+ radiusAccClientID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS accounting client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAccClientEntry 3 }
+
+ -- Server Counters
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - NoRecords = entries logged
+
+ radiusAccServPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of incoming packets received
+ from this client and silently discarded
+ for a reason other than malformed, bad
+ authenticators, or unknown types."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 4 }
+
+ radiusAccServRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of packets received from this
+ client on the accounting port."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientEntry 5 }
+
+ radiusAccServDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Informational [Page 11]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received from this client."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientEntry 6 }
+
+ radiusAccServResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent to this client."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccClientEntry 7 }
+
+ radiusAccServBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained invalid authenticators received
+ from this client."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 8 }
+
+ radiusAccServMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets that were received from this client.
+ Bad authenticators and unknown types
+ are not included as malformed Accounting-Requests."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 9 }
+
+ radiusAccServNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+
+
+
+Nelson Informational [Page 12]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded."
+ ::= { radiusAccClientEntry 10 }
+
+ radiusAccServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccClientEntry 11 }
+
+
+ -- New MIB objects added in this revision
+
+ radiusAccClientExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAccClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ clients with which the server shares a secret."
+ ::= { radiusAccServ 15 }
+
+ radiusAccClientExtEntry OBJECT-TYPE
+ SYNTAX RadiusAccClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting client with which the server shares a
+ secret."
+ INDEX { radiusAccClientExtIndex }
+ ::= { radiusAccClientExtTable 1 }
+
+ RadiusAccClientExtEntry ::= SEQUENCE {
+ radiusAccClientExtIndex Integer32,
+ radiusAccClientInetAddressType InetAddressType,
+ radiusAccClientInetAddress InetAddress,
+ radiusAccClientExtID SnmpAdminString,
+ radiusAccServExtPacketsDropped Counter32,
+
+
+
+Nelson Informational [Page 13]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccServExtRequests Counter32,
+ radiusAccServExtDupRequests Counter32,
+ radiusAccServExtResponses Counter32,
+ radiusAccServExtBadAuthenticators Counter32,
+ radiusAccServExtMalformedRequests Counter32,
+ radiusAccServExtNoRecords Counter32,
+ radiusAccServExtUnknownTypes Counter32,
+ radiusAccServerCounterDiscontinuity TimeTicks
+ }
+
+ radiusAccClientExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS accounting
+ client with which this server communicates."
+ ::= { radiusAccClientExtEntry 1 }
+
+ radiusAccClientInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAccClientInetAddress object."
+ ::= { radiusAccClientExtEntry 2 }
+
+ radiusAccClientInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS accounting
+ client referred to in this table entry, using
+ the IPv6 address format."
+ ::= { radiusAccClientExtEntry 3 }
+
+ radiusAccClientExtID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS accounting client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAccClientExtEntry 4 }
+
+
+
+Nelson Informational [Page 14]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ -- Server Counters
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - NoRecords = entries logged
+
+ radiusAccServExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets received from this
+ client and silently discarded for a reason other
+ than malformed, bad authenticators, or unknown types.
+ This counter may experience a discontinuity when the
+ RADIUS Accounting Server module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 5 }
+
+ radiusAccServExtRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received from this
+ client on the accounting port. This counter
+ may experience a discontinuity when the
+ RADIUS Accounting Server module within the
+ managed entity is reinitialized, as indicated by
+ the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientExtEntry 6 }
+
+ radiusAccServExtDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received from this client. This counter
+
+
+
+Nelson Informational [Page 15]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ may experience a discontinuity when the RADIUS
+ Accounting Server module within the managed
+ entity is reinitialized, as indicated by the
+ current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientExtEntry 7 }
+
+ radiusAccServExtResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent to this client. This counter may experience
+ a discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccClientExtEntry 8 }
+
+ radiusAccServExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained invalid authenticators received
+ from this client. This counter may experience a
+ discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 9 }
+
+ radiusAccServExtMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets that were received from this client.
+ Bad authenticators and unknown types are not
+
+
+
+Nelson Informational [Page 16]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ included as malformed Accounting-Requests. This
+ counter may experience a discontinuity when the
+ RADIUS Accounting Server module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 10 }
+
+ radiusAccServExtNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded. This counter may experience a
+ discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ ::= { radiusAccClientExtEntry 11 }
+
+ radiusAccServExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client. This counter may
+ experience a discontinuity when the RADIUS Accounting
+ Server module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccClientExtEntry 12 }
+
+ radiusAccServerCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centiseconds since the last
+ discontinuity in the RADIUS Accounting Server
+ counters. A discontinuity may be the result of
+ a reinitialization of the RADIUS Accounting Server
+
+
+
+Nelson Informational [Page 17]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ module within the managed entity."
+ ::= { radiusAccClientExtEntry 13 }
+
+
+ -- conformance information
+
+ radiusAccServMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAccServMIB 2 }
+
+ radiusAccServMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAccServMIBConformance 1 }
+
+ radiusAccServMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAccServMIBConformance 2 }
+
+
+ -- compliance statements
+
+ radiusAccServMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for accounting servers
+ implementing the RADIUS Accounting Server MIB.
+ Implementation of this module is for IPv4-only
+ entities, or for backwards compatibility use with
+ entities that support both IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccServMIBGroup }
+
+ OBJECT radiusAccServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ ::= { radiusAccServMIBCompliances 1 }
+
+ radiusAccServExtMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for accounting
+ servers implementing the RADIUS Accounting
+ Server IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccServExtMIBGroup }
+
+ OBJECT radiusAccServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+
+
+
+Nelson Informational [Page 18]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ OBJECT radiusAccClientInetAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAccClientInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ ::= { radiusAccServMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAccServMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAccServIdent,
+ radiusAccServUpTime,
+ radiusAccServResetTime,
+ radiusAccServConfigReset,
+ radiusAccServTotalRequests,
+ radiusAccServTotalInvalidRequests,
+ radiusAccServTotalDupRequests,
+ radiusAccServTotalResponses,
+ radiusAccServTotalMalformedRequests,
+ radiusAccServTotalBadAuthenticators,
+ radiusAccServTotalPacketsDropped,
+ radiusAccServTotalNoRecords,
+ radiusAccServTotalUnknownTypes,
+ radiusAccClientAddress,
+ radiusAccClientID,
+ radiusAccServPacketsDropped,
+ radiusAccServRequests,
+ radiusAccServDupRequests,
+ radiusAccServResponses,
+ radiusAccServBadAuthenticators,
+ radiusAccServMalformedRequests,
+ radiusAccServNoRecords,
+ radiusAccServUnknownTypes
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Accounting Server."
+
+
+
+Nelson Informational [Page 19]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServMIBGroups 1 }
+
+ radiusAccServExtMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAccServIdent,
+ radiusAccServUpTime,
+ radiusAccServResetTime,
+ radiusAccServConfigReset,
+ radiusAccServTotalRequests,
+ radiusAccServTotalInvalidRequests,
+ radiusAccServTotalDupRequests,
+ radiusAccServTotalResponses,
+ radiusAccServTotalMalformedRequests,
+ radiusAccServTotalBadAuthenticators,
+ radiusAccServTotalPacketsDropped,
+ radiusAccServTotalNoRecords,
+ radiusAccServTotalUnknownTypes,
+ radiusAccClientInetAddressType,
+ radiusAccClientInetAddress,
+ radiusAccClientExtID,
+ radiusAccServExtPacketsDropped,
+ radiusAccServExtRequests,
+ radiusAccServExtDupRequests,
+ radiusAccServExtResponses,
+ radiusAccServExtBadAuthenticators,
+ radiusAccServExtMalformedRequests,
+ radiusAccServExtNoRecords,
+ radiusAccServExtUnknownTypes,
+ radiusAccServerCounterDiscontinuity
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Accounting Server."
+ ::= { radiusAccServMIBGroups 2 }
+
+ END
+
+8. Security Considerations
+
+ There are management objects (radiusAccServConfigReset) defined in
+ this MIB that have a MAX-ACCESS clause of read-write and/or read-
+ create. Such objects may be considered sensitive or vulnerable in
+ some network environments. The support for SET operations in a non-
+ secure environment without proper protection can have a negative
+ effect on network operations. These are:
+
+
+
+
+
+
+Nelson Informational [Page 20]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccServConfigReset
+ This object can be used to reinitialize the persistent state of
+ any server. When set to reset(2), any persistent server state
+ (such as a process) is reinitialized as if the server had just
+ been started. Depending on the server implementation details,
+ this action may or may not interrupt the processing of pending
+ request in the server. Abuse of this object may lead to a Denial
+ of Service attack on the server.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAccClientIPAddress
+ This can be used to determine the address of the RADIUS accounting
+ client with which the server is communicating. This information
+ could be useful in mounting an attack on the accounting client.
+
+ radiusAccClientInetAddress
+ This can be used to determine the address of the RADIUS accounting
+ client with which the server is communicating. This information
+ could be useful in mounting an attack on the accounting client.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+ SNMP versions prior to SNMPv3 do not provide a secure environment.
+ Even if the network itself is secure (for example by using IPsec),
+ there is no control as to who on the secure network is allowed to
+ access and GET/SET (read/change/create/delete) the objects in this
+ MIB.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+
+
+Nelson Informational [Page 21]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+9.2. Informative References
+
+ [RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
+ RFC 2621, June 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC
+ 4670, August 2006.
+
+
+
+
+
+
+Nelson Informational [Page 22]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to Dave Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 23]
+
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Informational [Page 24]
+
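Review bot: In section 8, the list of sensitive objects names radiusAccClientIPAddress, but no object with that name appears in either OBJECT-GROUP in this file: the deprecated radiusAccServMIBGroup lists radiusAccClientAddress and the current radiusAccServExtMIBGroup lists radiusAccClientInetAddress. Because this is a verbatim copy of the RFC, the text should stay as published, but anyone building SNMP access-control views from the Security Considerations should restrict radiusAccClientAddress and radiusAccClientInetAddress, together with the read-write radiusAccServConfigReset, rather than look for the name used in the prose. Recording the mismatch in the commit message or in a note beside doc/rfc would save the next reader the lookup.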