From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4673.txt | 1347 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1347 insertions(+) create mode 100644 doc/rfc/rfc4673.txt (limited to 'doc/rfc/rfc4673.txt') diff --git a/doc/rfc/rfc4673.txt b/doc/rfc/rfc4673.txt new file mode 100644 index 0000000..61e3875 --- /dev/null +++ b/doc/rfc/rfc4673.txt 
@@ -0,0 +1,1347 @@ + + + + + + +Network Working Group S. De Cnodder +Request for Comments: 4673 Alcatel +Category: Informational N. Jonnala + M. Chiba + Cisco Systems, Inc. + September 2006 + + + RADIUS Dynamic Authorization Server MIB + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + In particular, it describes the Remote Authentication Dial-In User + Service (RADIUS) (RFC 2865) Dynamic Authorization Server (DAS) + functions that support the dynamic authorization extensions as + defined in RFC 3576. + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Requirements Notation ......................................2 + 1.2. Terminology ................................................2 + 2. The Internet-Standard Management Framework ......................2 + 3. Overview ........................................................3 + 4. RADIUS Dynamic Authorization Server MIB Definitions .............5 + 5. Security Considerations ........................................20 + 6. IANA Considerations ............................................21 + 7. Acknowledgements ...............................................21 + 8. References .....................................................21 + 8.1. Normative References ......................................21 + 8.2. Informative References ....................................22 + + + + + + + + +De Cnodder, et al. Informational [Page 1] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +1. 
Introduction + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + It is becoming increasingly important to support Dynamic + Authorization extensions on the network access server (NAS) devices + to handle the Disconnect and Change-of-Authorization (CoA) messages + as described in [RFC3576]. As a result, the effective management of + RADIUS Dynamic Authorization entities is of considerable importance. + This RADIUS Dynamic Authorization Server (DAS) MIB complements the + managed objects used for managing RADIUS authentication and + accounting clients as described in [RFC4668] and [RFC4670], + respectively. + +1.1. Requirements Notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +1.2. Terminology + + Dynamic Authorization Server (DAS) + + The component that resides on the NAS that processes the Disconnect + and Change-of-Authorization (CoA) Request packets [RFC3576] sent by + the Dynamic Authorization Client. + + Dynamic Authorization Client (DAC) + + The component that sends Disconnect and CoA-Request packets to the + Dynamic Authorization Server. Although this component often resides + on the RADIUS server, it is also possible for it to be located on a + separate host, such as a Rating Engine. + + Dynamic Authorization Server Port + + The UDP port on which the Dynamic Authorization Server listens for + the Disconnect and CoA requests sent by the Dynamic Authorization + Client. + +2. The Internet-Standard Management Framework + + For a detailed overview of the documents that describe the current + Internet-Standard Management Framework, please refer to section 7 of + [RFC3410]. + + + + + +De Cnodder, et al. 
Informational [Page 2] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + Managed objects are accessed via a virtual information store, termed + the Management Information Base, or MIB. MIB objects are generally + accessed through the Simple Network Management Protocol (SNMP). + Objects in the MIB are defined using the mechanisms defined in the + Structure of Management Information (SMI). This memo specifies a MIB + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580 + [RFC2580]. + +3. Overview + + "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the + operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, + CoA-Request, CoA-ACK, and CoA-NAK packets. Typically, NAS devices + implement the DAS function, and thus would be expected to implement + the RADIUS Dynamic Authorization Server MIB, whereas DACs implement + the client function and thus would be expected to implement the + RADIUS Dynamic Authorization Client MIB. + + However, it is possible for a RADIUS Dynamic Authorization entity to + perform both client and server functions. For example, a RADIUS + proxy may act as a DAS to one or more DACs while simultaneously + acting as a DAC to one or more DASs. In such situations, it is + expected that RADIUS entities combining client and server + functionality will support both the client and server MIBs. + + This memo describes the MIB for Dynamic Authorization Servers and + relates to the following documents as follows: + + [RFC4668] describes the MIB for a RADIUS Auth Client MIB. + + [RFC4669] describes the MIB for a RADIUS Auth Server MIB. + + [RFC4670] describes the MIB for a RADIUS Acct Client MIB. + + [RFC4671] describes the MIB for a RADIUS Acct Server MIB. + + [RFC4672] describes the MIB for a RADIUS Dynamic Auth Client. 
+ + A NAS typically implements the MIBs for a RADIUS Authentication + Client, a RADIUS accounting client, and a RADIUS Dynamic + Authorization Server. However, any one MIB can be implemented + without implementing any of the other MIBs; i.e., the MIBs have no + dependencies on each other. A typical case would be for a device to + implement the MIBs RADIUS authentication server, RADIUS accounting + server, and RADIUS Dynamic Authorization Client. A RADIUS proxy + might implement any, all, or a subset of the MIBs listed above and + the MIB as defined in this document. + + + +De Cnodder, et al. Informational [Page 3] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + +---------------+ +---------------+ + User 1----| | Disconnect-Request | | + | Dynamic | CoA-Request | Dynamic | + User 2----| Authorization |<---------------------| Authorization | + | Server |--------------------->| Client | + User 3----| (DAS) | Disconnect-Ack | (DAC) | + | | Disconnect-NAK | | + +---------------+ CoA-Ack/CoA-NAK +---------------+ + + Figure 1. Mapping of clients and servers + + This MIB module for the Dynamic Authorization Server contains the + following: + + 1. Three scalar objects. + + 2. One Dynamic Authorization Client Table. This table contains one + row for each DAC with which the DAS shares a secret. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +De Cnodder, et al. Informational [Page 4] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +4. 
RADIUS Dynamic Authorization Server MIB Definitions + +RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + Counter32, Integer32, mib-2, + TimeTicks FROM SNMPv2-SMI -- [RFC2578] + SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411] + InetAddressType, + InetAddress FROM INET-ADDRESS-MIB -- [RFC4001] + MODULE-COMPLIANCE, + OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580] + +radiusDynAuthServerMIB MODULE-IDENTITY + LAST-UPDATED "200608290000Z" -- 29 August 2006 + ORGANIZATION "IETF RADEXT Working Group" + CONTACT-INFO + " Stefaan De Cnodder + Alcatel + Francis Wellesplein 1 + B-2018 Antwerp + Belgium + + Phone: +32 3 240 85 15 + EMail: stefaan.de_cnodder@alcatel.be + + Nagi Reddy Jonnala + Cisco Systems, Inc. + Divyasree Chambers, B Wing, + O'Shaugnessy Road, + Bangalore-560027, India. + + Phone: +91 94487 60828 + EMail: njonnala@cisco.com + + Murtaza Chiba + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose CA, 95134 + + Phone: +1 408 525 7198 + EMail: mchiba@cisco.com " + DESCRIPTION + "The MIB module for entities implementing the server + side of the Dynamic Authorization Extensions to the + Remote Authentication Dial-In User Service (RADIUS) + protocol. Copyright (C) The Internet Society (2006). + + + +De Cnodder, et al. Informational [Page 5] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + Initial version as published in RFC 4673; for full + legal notices see the RFC itself." + + REVISION "200608290000Z" -- 29 August 2006 + DESCRIPTION "Initial version as published in RFC 4673." + ::= { mib-2 146 } + +radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::= + { radiusDynAuthServerMIB 1 } + +radiusDynAuthServerScalars OBJECT IDENTIFIER ::= + { radiusDynAuthServerMIBObjects 1 } + +radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of Disconnect-Request packets received from + unknown addresses. 
This counter may experience a + discontinuity when the DAS module (re)starts, as + indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + ::= { radiusDynAuthServerScalars 1 } + +radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of CoA-Request packets received from unknown + addresses. This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + ::= { radiusDynAuthServerScalars 2 } + +radiusDynAuthServerIdentifier OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The NAS-Identifier of the RADIUS Dynamic Authorization + Server. This is not necessarily the same as sysName in + MIB II." + REFERENCE + "RFC 2865, Section 5.32, NAS-Identifier." + ::= { radiusDynAuthServerScalars 3 } + + + + +De Cnodder, et al. Informational [Page 6] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +radiusDynAuthClientTable OBJECT-TYPE + SYNTAX SEQUENCE OF RadiusDynAuthClientEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The (conceptual) table listing the RADIUS Dynamic + Authorization Clients with which the server shares a + secret." + ::= { radiusDynAuthServerMIBObjects 2 } + +radiusDynAuthClientEntry OBJECT-TYPE + SYNTAX RadiusDynAuthClientEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry (conceptual row) representing one Dynamic + Authorization Client with which the server shares a + secret." 
+ INDEX { radiusDynAuthClientIndex } + ::= { radiusDynAuthClientTable 1 } + +RadiusDynAuthClientEntry ::= SEQUENCE { + radiusDynAuthClientIndex Integer32, + radiusDynAuthClientAddressType InetAddressType, + radiusDynAuthClientAddress InetAddress, + radiusDynAuthServDisconRequests Counter32, + radiusDynAuthServDisconAuthOnlyRequests Counter32, + radiusDynAuthServDupDisconRequests Counter32, + radiusDynAuthServDisconAcks Counter32, + radiusDynAuthServDisconNaks Counter32, + radiusDynAuthServDisconNakAuthOnlyRequests Counter32, + radiusDynAuthServDisconNakSessNoContext Counter32, + radiusDynAuthServDisconUserSessRemoved Counter32, + radiusDynAuthServMalformedDisconRequests Counter32, + radiusDynAuthServDisconBadAuthenticators Counter32, + radiusDynAuthServDisconPacketsDropped Counter32, + radiusDynAuthServCoARequests Counter32, + radiusDynAuthServCoAAuthOnlyRequests Counter32, + radiusDynAuthServDupCoARequests Counter32, + radiusDynAuthServCoAAcks Counter32, + radiusDynAuthServCoANaks Counter32, + radiusDynAuthServCoANakAuthOnlyRequests Counter32, + radiusDynAuthServCoANakSessNoContext Counter32, + radiusDynAuthServCoAUserSessChanged Counter32, + radiusDynAuthServMalformedCoARequests Counter32, + radiusDynAuthServCoABadAuthenticators Counter32, + radiusDynAuthServCoAPacketsDropped Counter32, + radiusDynAuthServUnknownTypes Counter32, + + + +De Cnodder, et al. Informational [Page 7] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + radiusDynAuthServerCounterDiscontinuity TimeTicks +} + + +radiusDynAuthClientIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A number uniquely identifying each RADIUS Dynamic + Authorization Client with which this Dynamic + Authorization Server communicates. This number is + allocated by the agent implementing this MIB module + and is unique in this context." 
+ ::= { radiusDynAuthClientEntry 1 } + +radiusDynAuthClientAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of IP address of the RADIUS Dynamic + Authorization Client referred to in this table entry." + ::= { radiusDynAuthClientEntry 2 } + +radiusDynAuthClientAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address value of the RADIUS Dynamic + Authorization Client referred to in this table entry, + using the version neutral IP address format. The type + of this address is determined by the value of + the radiusDynAuthClientAddressType object." + ::= { radiusDynAuthClientEntry 3 } + +radiusDynAuthServDisconRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-Requests received + from this Dynamic Authorization Client. This also + includes the RADIUS Disconnect-Requests that have a + Service-Type attribute with value 'Authorize Only'. + This counter may experience a discontinuity when the + + + +De Cnodder, et al. Informational [Page 8] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + DAS module (re)starts as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 4 } + +radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-Requests that include + a Service-Type attribute with value 'Authorize Only' + received from this Dynamic Authorization Client. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." 
+ ::= { radiusDynAuthClientEntry 5 } + +radiusDynAuthServDupDisconRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of duplicate RADIUS Disconnect-Request + packets received from this Dynamic Authorization + Client. This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 6 } + +radiusDynAuthServDisconAcks OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-ACK packets sent to + this Dynamic Authorization Client. This counter may + experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + + + +De Cnodder, et al. Informational [Page 9] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 7 } + +radiusDynAuthServDisconNaks OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-NAK packets + sent to this Dynamic Authorization Client. This + includes the RADIUS Disconnect-NAK packets sent + with a Service-Type attribute with value 'Authorize + Only' and the RADIUS Disconnect-NAK packets sent + because no session context was found. This counter + may experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." 
+ ::= { radiusDynAuthClientEntry 8 } + +radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-NAK packets that + include a Service-Type attribute with value + 'Authorize Only' sent to this Dynamic Authorization + Client. This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 9 } + +radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-NAK packets + sent to this Dynamic Authorization Client + because no session context was found. This counter may + + + +De Cnodder, et al. Informational [Page 10] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 10 } + +radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE + SYNTAX Counter32 + UNITS "sessions" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of user sessions removed for the + Disconnect-Requests received from this + Dynamic Authorization Client. Depending on site- + specific policies, a single Disconnect request + can remove multiple user sessions. In cases where + this Dynamic Authorization Server has no + knowledge of the number of user sessions that + are affected by a single request, each such + Disconnect-Request will count as a single + affected user session only. 
This counter may experience + a discontinuity when the DAS module (re)starts, as + indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM)." + ::= { radiusDynAuthClientEntry 11 } + +radiusDynAuthServMalformedDisconRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of malformed RADIUS Disconnect-Request + packets received from this Dynamic Authorization + Client. Bad authenticators and unknown types are not + included as malformed Disconnect-Requests. This counter + may experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM), and + Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 12 } + + + + +De Cnodder, et al. Informational [Page 11] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS Disconnect-Request packets + that contained an invalid Authenticator field + received from this Dynamic Authorization Client. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM), and + Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 13 } + +radiusDynAuthServDisconPacketsDropped OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of incoming Disconnect-Requests + from this Dynamic Authorization Client silently + discarded by the server application for some reason + other than malformed, bad authenticators, or unknown + types. 
This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.1, Disconnect Messages (DM), and + Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 14 } + +radiusDynAuthServCoARequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-requests received from this + Dynamic Authorization Client. This also includes + the CoA requests that have a Service-Type attribute + with value 'Authorize Only'. This counter may + experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + + + +De Cnodder, et al. Informational [Page 12] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 15 } + +radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-requests that include a + Service-Type attribute with value 'Authorize Only' + received from this Dynamic Authorization Client. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 16 } + + +radiusDynAuthServDupCoARequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of duplicate RADIUS CoA-Request packets + received from this Dynamic Authorization Client. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." 
+ REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 17 } + +radiusDynAuthServCoAAcks OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-ACK packets sent to this + Dynamic Authorization Client. This counter may + experience a discontinuity when the DAS module + + + +De Cnodder, et al. Informational [Page 13] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 18 } + +radiusDynAuthServCoANaks OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-NAK packets sent to + this Dynamic Authorization Client. This includes + the RADIUS CoA-NAK packets sent with a Service-Type + attribute with value 'Authorize Only' and the RADIUS + CoA-NAK packets sent because no session context was + found. This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 19 } + +radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-NAK packets that include a + Service-Type attribute with value 'Authorize Only' + sent to this Dynamic Authorization Client. This counter + may experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." 
+ ::= { radiusDynAuthClientEntry 20 } + +radiusDynAuthServCoANakSessNoContext OBJECT-TYPE + SYNTAX Counter32 + UNITS "replies" + MAX-ACCESS read-only + STATUS current + + + +De Cnodder, et al. Informational [Page 14] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + DESCRIPTION + "The number of RADIUS CoA-NAK packets sent to this + Dynamic Authorization Client because no session context + was found. This counter may experience a discontinuity + when the DAS module (re)starts, as indicated by the + value of radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 21 } + +radiusDynAuthServCoAUserSessChanged OBJECT-TYPE + SYNTAX Counter32 + UNITS "sessions" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of user sessions authorization + changed for the CoA-Requests received from this + Dynamic Authorization Client. Depending on site- + specific policies, a single CoA request can change + multiple user sessions' authorization. In cases where + this Dynamic Authorization Server has no knowledge of + the number of user sessions that are affected by a + single request, each such CoA-Request will + count as a single affected user session only. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA)." + ::= { radiusDynAuthClientEntry 22 } + +radiusDynAuthServMalformedCoARequests OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of malformed RADIUS CoA-Request packets + received from this Dynamic Authorization Client. Bad + authenticators and unknown types are not included as + malformed CoA-Requests. 
This counter may experience a + discontinuity when the DAS module (re)starts, as + indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + + + +De Cnodder, et al. Informational [Page 15] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA), and Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 23 } + +radiusDynAuthServCoABadAuthenticators OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of RADIUS CoA-Request packets that + contained an invalid Authenticator field received + from this Dynamic Authorization Client. This counter + may experience a discontinuity when the DAS module + (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA), and Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 24 } + +radiusDynAuthServCoAPacketsDropped OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of incoming CoA packets from this + Dynamic Authorization Client silently discarded + by the server application for some reason other than + malformed, bad authenticators, or unknown types. This + counter may experience a discontinuity when the DAS + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.2, Change-of-Authorization + Messages (CoA), and Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 25 } + +radiusDynAuthServUnknownTypes OBJECT-TYPE + SYNTAX Counter32 + UNITS "requests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of incoming packets of unknown types that + were received on the Dynamic Authorization port. This + counter may experience a discontinuity when the DAS + + + +De Cnodder, et al. 
Informational [Page 16] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + module (re)starts, as indicated by the value of + radiusDynAuthServerCounterDiscontinuity." + REFERENCE + "RFC 3576, Section 2.3, Packet Format." + ::= { radiusDynAuthClientEntry 26 } + +radiusDynAuthServerCounterDiscontinuity OBJECT-TYPE + SYNTAX TimeTicks + UNITS "hundredths of a second" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The time (in hundredths of a second) since the + last counter discontinuity. A discontinuity may + be the result of a reinitialization of the DAS + module within the managed entity." + ::= { radiusDynAuthClientEntry 27 } + + +-- conformance information + +radiusDynAuthServerMIBConformance + OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 } +radiusDynAuthServerMIBCompliances + OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 } +radiusDynAuthServerMIBGroups + OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 } + +-- compliance statements + +radiusAuthServerMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for entities implementing + the RADIUS Dynamic Authorization Server. Implementation + of this module is for entities that support IPv4 and/or + IPv6." + MODULE -- this module + MANDATORY-GROUPS { radiusDynAuthServerMIBGroup } + + OBJECT radiusDynAuthClientAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to support IPv4 and + globally unique IPv6 addresses." + + OBJECT radiusDynAuthClientAddress + SYNTAX InetAddress (SIZE(4|16)) + + + +De Cnodder, et al. Informational [Page 17] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + DESCRIPTION + "An implementation is only required to support IPv4 and + globally unique IPv6 addresses." 
+ + GROUP radiusDynAuthServerAuthOnlyGroup + DESCRIPTION + "Only required for Dynamic Authorization Clients that + are supporting Service-Type attributes with value + 'Authorize-Only'." + + + GROUP radiusDynAuthServerNoSessGroup + DESCRIPTION + "This group is not required if the Dynamic + Authorization Server cannot easily determine whether + a session exists (e.g., in case of a RADIUS + proxy)." + + ::= { radiusDynAuthServerMIBCompliances 1 } + +-- units of conformance + +radiusDynAuthServerMIBGroup OBJECT-GROUP + OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses, + radiusDynAuthServerCoAInvalidClientAddresses, + radiusDynAuthServerIdentifier, + radiusDynAuthClientAddressType, + radiusDynAuthClientAddress, + radiusDynAuthServDisconRequests, + radiusDynAuthServDupDisconRequests, + radiusDynAuthServDisconAcks, + radiusDynAuthServDisconNaks, + radiusDynAuthServDisconUserSessRemoved, + radiusDynAuthServMalformedDisconRequests, + radiusDynAuthServDisconBadAuthenticators, + radiusDynAuthServDisconPacketsDropped, + radiusDynAuthServCoARequests, + radiusDynAuthServDupCoARequests, + radiusDynAuthServCoAAcks, + radiusDynAuthServCoANaks, + radiusDynAuthServCoAUserSessChanged, + radiusDynAuthServMalformedCoARequests, + radiusDynAuthServCoABadAuthenticators, + radiusDynAuthServCoAPacketsDropped, + radiusDynAuthServUnknownTypes, + radiusDynAuthServerCounterDiscontinuity + } + STATUS current + + + +De Cnodder, et al. Informational [Page 18] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + + DESCRIPTION + "The collection of objects providing management of + a RADIUS Dynamic Authorization Server." 
+ ::= { radiusDynAuthServerMIBGroups 1 } + +radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP + OBJECTS { radiusDynAuthServDisconAuthOnlyRequests, + radiusDynAuthServDisconNakAuthOnlyRequests, + radiusDynAuthServCoAAuthOnlyRequests, + radiusDynAuthServCoANakAuthOnlyRequests + } + STATUS current + DESCRIPTION + "The collection of objects supporting the RADIUS + messages including Service-Type attribute with + value 'Authorize Only'." + ::= { radiusDynAuthServerMIBGroups 2 } + +radiusDynAuthServerNoSessGroup OBJECT-GROUP + OBJECTS { radiusDynAuthServDisconNakSessNoContext, + radiusDynAuthServCoANakSessNoContext + } + STATUS current + DESCRIPTION + "The collection of objects supporting the RADIUS + messages that are referring to non-existing sessions." + ::= { radiusDynAuthServerMIBGroups 3 } + + +END + + + + + + + + + + + + + + + + + + + + + +De Cnodder, et al. Informational [Page 19] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +5. Security Considerations + + There are no management objects defined in this MIB module that have + a MAX-ACCESS clause of read-write and/or read-create. So, if this + MIB module is implemented correctly, then there is no risk that an + intruder can alter or create any management objects of this MIB + module via direct SNMP SET operations. + + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. It is thus important to + control even GET and/or NOTIFY access to these objects and possibly + to even encrypt the values of these objects when sending them over + the network via SNMP. These are the tables and objects and their + sensitivity/vulnerability: + + radiusDynAuthClientAddress and radiusDynAuthClientAddressType + + These can be used to determine the address of the DAC with which + the DAS is communicating. This information could be useful in + mounting an attack on the DAC. 
+ + radiusDynAuthServerIdentifier + + This can be used to determine the Identifier of the DAS. This + information could be useful in impersonating the DAS. + + SNMP versions prior to SNMPv3 did not include adequate security. + Even if the network itself is secure (for example by using IPsec), + even then, there is no control as to who on the secure network is + allowed to access and GET/SET (read/change/create/delete) the objects + in this MIB module. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see [RFC3410], section 8), + including full support for the SNMPv3 cryptographic mechanisms (for + authentication and privacy). + + Further, deployment of SNMP versions prior to SNMPv3 is NOT + RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module is properly configured to give access to + the objects only to those principals (users) that have legitimate + rights to indeed GET or SET (change/create/delete) them. + + + + + + +De Cnodder, et al. Informational [Page 20] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +6. IANA Considerations + + The IANA has assigned OID number 146 under mib-2. + +7. Acknowledgements + + The authors would like to acknowledge the following people for their + comments on this document: Bernard Aboba, Alan DeKok, David Nelson, + Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg Weber, + Bert Wijnen, and Glen Zorn. + +8. References + +8.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Structure of Management Information Version 2 (SMIv2)", + STD 58, RFC 2578, April 1999. + + [RFC2579] McCloghrie, K., Perkins, D., and J. 
Schoenwaelder, + "Textual Conventions for SMIv2", STD 58, RFC 2579, April + 1999. + + [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Conformance Statements for SMIv2", STD 58, RFC 2580, + April 1999. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, + December 2002. + + [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. + Aboba, "Dynamic Authorization Extensions to Remote + Authentication Dial In User Service (RADIUS)", RFC 3576, + July 2003. + + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. + Schoenwaelder, "Textual Conventions for Internet Network + Addresses", RFC 4001, February 2005. + + + + + + + + +De Cnodder, et al. Informational [Page 21] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +8.2. Informative References + + [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", RFC + 2865, June 2000. + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for Internet- + Standard Management Framework", RFC 3410, December 2002. + + [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6", + RFC 4668, August 2006. + + [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", + RFC 4669, August 2006. + + [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC + 4670, August 2006. + + [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC + 4671, August 2006. + + [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic + Authorization Client MIB", RFC 4672, September 2006. + + + + + + + + + + + + + + + + + + + + + + + + + + + +De Cnodder, et al. 
Informational [Page 22] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +Authors' Addresses + + Stefaan De Cnodder + Alcatel + Francis Wellesplein 1 + B-2018 Antwerp + Belgium + + Phone: +32 3 240 85 15 + EMail: stefaan.de_cnodder@alcatel.be + + + Nagi Reddy Jonnala + Cisco Systems, Inc. + Divyasree Chambers, B Wing, O'Shaugnessy Road + Bangalore-560027, India + + Phone: +91 94487 60828 + EMail: njonnala@cisco.com + + + Murtaza Chiba + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose CA, 95134 + + Phone: +1 408 525 7198 + EMail: mchiba@cisco.com + + + + + + + + + + + + + + + + + + + + + + + +De Cnodder, et al. Informational [Page 23] + +RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. 
Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +De Cnodder, et al. Informational [Page 24] + -- cgit v1.2.3
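Review bot: the added text keeps the RFC's page-break headers and footers inside the MIB module itself (for example the "De Cnodder, et al. Informational [Page 17]" / "RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006" lines split the radiusDynAuthClientAddress object between its SYNTAX and DESCRIPTION clauses, and the same happens inside radiusDynAuthServerMIBGroup before its DESCRIPTION). If this file is only a reference copy that is fine, but if anyone later feeds the module (from the module header through the END keyword) to a MIB compiler, those interleaved header lines will break parsing; consider noting in the doc directory that the pagination must be stripped before extracting the module, or adding a separate cleaned copy of just the MIB module. Also worth recording alongside the file: the Security Considerations section states that the module defines no read-write or read-create objects but that radiusDynAuthClientAddress, radiusDynAuthClientAddressType and radiusDynAuthServerIdentifier are readable and considered sensitive, with SNMPv3 authentication and privacy recommended, which any deployment documentation for an implementation of this MIB should repeat. The Full Copyright Statement and BCP 78 notice are retained in the added text, so the verbatim inclusion is consistent with the RFC's own redistribution terms as long as the file stays unmodified.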