draft-ietf-radius-auth-clientmib-02.txt   draft-ietf-radius-auth-clientmib-03.txt 
RADIUS Working Group Bernard Aboba RADIUS Working Group Bernard Aboba
INTERNET-DRAFT Microsoft INTERNET-DRAFT Microsoft
Category: Standards Track Glen Zorn Category: Standards Track Glen Zorn
<draft-ietf-radius-auth-clientmib-02.txt> Microsoft <draft-ietf-radius-auth-clientmib-03.txt> Microsoft
11 November 1998 2 February 1999
RADIUS Authentication Client MIB RADIUS Authentication Client MIB
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu- This document is an Internet-Draft and is in full conformance with all
ments of the Internet Engineering Task Force (IETF), its areas, and provisions of Section 10 of RFC2026.
its working groups. Note that other groups may also distribute work-
ing documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are working documents of the Internet Engineering Task
and may be updated, replaced, or obsoleted by other documents at any Force (IETF), its areas, and its working groups. Note that other groups
time. It is inappropriate to use Internet-Drafts as reference mate- may also distribute working documents as Internet-Drafts. Internet-
rial or to cite them other than as ``work in progress.'' Drafts are draft documents valid for a maximum of six months and may be
updated, replaced, or obsoleted by other documents at any time. It is
inappropriate to use Internet- Drafts as reference material or to cite
them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the To view the list Internet-Draft Shadow Directories, see
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow http://www.ietf.org/shadow.html.
Directories on ftp.ietf.org (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
The distribution of this memo is unlimited. It is filed as <draft- The distribution of this memo is unlimited. It is filed as <draft-ietf-
ietf-radius-auth-clientmib-02.txt>, and expires May 1, 1999. Please radius-auth-clientmib-03.txt>, and expires August 1, 1999. Please send
send comments to the authors. comments to the authors.
2. Copyright Notice 2. Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved. Copyright (C) The Internet Society (1999). All Rights Reserved.
3. Abstract 3. Abstract
This memo defines a set of extensions which instrument RADIUS authen- This memo defines a set of extensions which instrument RADIUS
tication client functions. These extensions represent a portion of the authentication client functions. These extensions represent a portion of
Management Information Base (MIB) for use with network management pro- the Management Information Base (MIB) for use with network management
tocols in the Internet community. Using these extensions IP-based protocols in the Internet community. Using these extensions IP-based
management stations can manage RADIUS authentication clients. management stations can manage RADIUS authentication clients.
4. Introduction 4. Introduction
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB) for
for use with network management protocols in the Internet community. use with network management protocols in the Internet community. In
In particular, it describes managed objects used for managing RADIUS particular, it describes managed objects used for managing RADIUS
authentication clients. authentication clients.
Today a wide range of network devices, including routers and NASes, Today a wide range of network devices, including routers and NASes, act
act as RADIUS authentication clients in order to provide authentica- as RADIUS authentication clients in order to provide authentication and
tion and authorization services. As a result, the effective management authorization services. As a result, the effective management of RADIUS
of RADIUS authentication clients is of considerable importance. authentication clients is of considerable importance.
5. The SNMP Management Framework 5. The SNMP Management Framework
The SNMP Management Framework presently consists of five major compo- The SNMP Management Framework presently consists of five major
nents: components:
o An overall architecture, described in RFC 2271 [1]. o An overall architecture, described in RFC 2271 [1].
o Mechanisms for describing and naming objects and events for o Mechanisms for describing and naming objects and events for the
the purpose of management. The first version of this Structure purpose of management. The first version of this Structure of
of Management Information (SMI) is called SMIv1 and described Management Information (SMI) is called SMIv1 and described in
in RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version,
version, called SMIv2, is described in RFC 1902 [5], RFC 1903 called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC
[6] and RFC 1904 [7]. 1904 [7].
o Message protocols for transferring management information. The o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 first version of the SNMP message protocol is called SNMPv1 and
and described in RFC 1157 [8]. A second version of the SNMP described in RFC 1157 [8]. A second version of the SNMP message
message protocol, which is not an Internet standards track protocol, which is not an Internet standards track protocol, is
protocol, is called SNMPv2c and described in RFC 1901 [9] and called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
RFC 1906 [10]. The third version of the message protocol is The third version of the message protocol is called SNMPv3 and
called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].
and RFC 2274 [12].
o Protocol operations for accessing management information. The o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is first set of protocol operations and associated PDU formats is
described in RFC 1157 [8]. A second set of protocol operations described in RFC 1157 [8]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [13]. and associated PDU formats is described in RFC 1905 [13].
o A set of fundamental applications described in RFC 2273 [14] o A set of fundamental applications described in RFC 2273 [14] and
and the view-based access control mechanism described in RFC the view-based access control mechanism described in RFC 2275
2275 [15]. [15].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed the
the Management Information Base or MIB. Objects in the MIB are Management Information Base or MIB. Objects in the MIB are defined
defined using the mechanisms defined in the SMI. using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A MIB This memo specifies a MIB module that is compliant to the SMIv2. A MIB
conforming to the SMIv1 can be produced through the appropriate trans- conforming to the SMIv1 can be produced through the appropriate
lations. The resulting translated MIB must be semantically equivalent, translations. The resulting translated MIB must be semantically
except where objects or events are omitted because no translation is equivalent, except where objects or events are omitted because no
possible (use of Counter64). Some machine readable information in translation is possible (use of Counter64). Some machine readable
SMIv2 will be converted into textual descriptions in SMIv1 during the information in SMIv2 will be converted into textual descriptions in
translation process. However, this loss of machine readable informa- SMIv1 during the translation process. However, this loss of machine
tion is not considered to change the semantics of the MIB. readable information is not considered to change the semantics of the
MIB.
6. Overview 6. Overview
The RADIUS authentication protocol, described in [16], distinguishes The RADIUS authentication protocol, described in [16], distinguishes
between the client function and the server function. In RADIUS authen- between the client function and the server function. In RADIUS
tication, clients send Access-Requests, and servers reply with Access- authentication, clients send Access-Requests, and servers reply with
Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS
implement the client function, and thus would be expected to implement devices implement the client function, and thus would be expected to
the RADIUS authentication client MIB, while RADIUS authentication implement the RADIUS authentication client MIB, while RADIUS
servers implement the server function, and thus would be expected to authentication servers implement the server function, and thus would be
implement the RADIUS authentication server MIB. expected to implement the RADIUS authentication server MIB.
However, it is possible for a RADIUS authentication entity to perform However, it is possible for a RADIUS authentication entity to perform
both client and server functions. For example, a RADIUS proxy may act both client and server functions. For example, a RADIUS proxy may act as
as a server to one or more RADIUS authentication clients, while simul- a server to one or more RADIUS authentication clients, while
taneously acting as an authentication client to one or more authenti- simultaneously acting as an authentication client to one or more
cation servers. In such situations, it is expected that RADIUS enti- authentication servers. In such situations, it is expected that RADIUS
ties combining client and server functionality will support both the entities combining client and server functionality will support both the
client and server MIBs. client and server MIBs.
6.1. Selected objects 6.1. Selected objects
This MIB module contains two scalars as well as a single table: This MIB module contains two scalars as well as a single table:
(1) the RADIUS Authentication Server Table contains one row for each (1) the RADIUS Authentication Server Table contains one row for each
RADIUS authentication server that the client shares a secret with. RADIUS authentication server that the client shares a secret with.
Each entry in the RADIUS Authentication Server Table includes fifteen Each entry in the RADIUS Authentication Server Table includes fifteen
columns presenting a view of the activity of the RADIUS authentication columns presenting a view of the activity of the RADIUS authentication
client. client.
7. Definitions 7. Definitions
RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
OBJECT-IDENTITY, experimental,
Counter32, Integer32, Gauge32, Counter32, Integer32, Gauge32,
IpAddress, TimeTicks FROM SNMPv2-SMI IpAddress, TimeTicks FROM SNMPv2-SMI
DisplayString FROM SNMPv2-TC SnmpAdminString FROM SNMP-FRAMEWORK-MIB
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
mib-2 FROM RFC1213-MIB;
radius OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The OID assigned to RADIUS MIB work by the IANA."
::= { experimental 79 }
radiusAuthentication OBJECT IDENTIFIER ::= {radius 1}
radiusAuthClientMIB MODULE-IDENTITY radiusAuthClientMIB MODULE-IDENTITY
LAST-UPDATED "9811161659Z" LAST-UPDATED "9901290000Z"
ORGANIZATION "IETF RADIUS Working Group." ORGANIZATION "IETF RADIUS Working Group."
CONTACT-INFO CONTACT-INFO
" Bernard Aboba " Bernard Aboba
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
US US
Phone: +1 425 936 6605 Phone: +1 425 936 6605
EMail: bernarda@microsoft.com" EMail: bernarda@microsoft.com"
DESCRIPTION DESCRIPTION
"The MIB dule for entities implementing the client side of "The MIB module for entities implementing the client side of
the Remote Access Dialin User Service (RADIUS) authentication the Remote Access Dialin User Service (RADIUS) authentication
protocol." protocol."
DESCRIPTION "Initial version as published in RFC xxxx"
-- RCC xxxx to be assigned by IANA
::= { radiusAuthentication 2 } ::= { radiusAuthentication 2 }
radiusMIB OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The OID assigned to RADIUS MIB work by the IANA."
::= { mib-2 xxx } -- To be assigned by IANA
radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
radiusAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 } radiusAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }
radiusAuthClient OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 } radiusAuthClient OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }
radiusAuthClientInvalidServerAddresses OBJECT-TYPE radiusAuthClientInvalidServerAddresses OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Response packets "The number of RADIUS Access-Response packets
received from unknown addresses since client start-up." received from unknown addresses."
::= { radiusAuthClient 1 } ::= { radiusAuthClient 1 }
radiusAuthClientIdentifier OBJECT-TYPE radiusAuthClientIdentifier OBJECT-TYPE
SYNTAX DisplayString SYNTAX SnmpAdminString
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The NAS-Identifier of the RADIUS authentication client. "The NAS-Identifier of the RADIUS authentication client.
This is not necessarily the same as sysName in MIB II." This is not necessarily the same as sysName in MIB II."
::= { radiusAuthClient 2 } ::= { radiusAuthClient 2 }
radiusAuthServerTable OBJECT-TYPE radiusAuthServerTable OBJECT-TYPE
SYNTAX SEQUENCE OF RadiusAuthServerEntry SYNTAX SEQUENCE OF RadiusAuthServerEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 5, line 26 skipping to change at page 5, line 52
radiusAuthClientAccessChallenges Counter32, radiusAuthClientAccessChallenges Counter32,
radiusAuthClientMalformedAccessResponses Counter32, radiusAuthClientMalformedAccessResponses Counter32,
radiusAuthClientBadAuthenticators Counter32, radiusAuthClientBadAuthenticators Counter32,
radiusAuthClientPendingRequests Gauge32, radiusAuthClientPendingRequests Gauge32,
radiusAuthClientTimeouts Counter32, radiusAuthClientTimeouts Counter32,
radiusAuthClientUnknownTypes Counter32, radiusAuthClientUnknownTypes Counter32,
radiusAuthClientPacketsDropped Counter32 radiusAuthClientPacketsDropped Counter32
} }
radiusAuthServerIndex OBJECT-TYPE radiusAuthServerIndex OBJECT-TYPE
SYNTAX Integer32 (0..MAX) SYNTAX Integer32 (1..MAX)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A number uniquely identifying each RADIUS "A number uniquely identifying each RADIUS
Authentication server with which this client Authentication server with which this client
communicates." communicates."
::= { radiusAuthServerEntry 1 } ::= { radiusAuthServerEntry 1 }
radiusAuthServerAddress OBJECT-TYPE radiusAuthServerAddress OBJECT-TYPE
SYNTAX IpAddress SYNTAX IpAddress
skipping to change at page 6, line 4 skipping to change at page 6, line 35
DESCRIPTION DESCRIPTION
"The UDP port the client is using to send requests to "The UDP port the client is using to send requests to
this server." this server."
::= { radiusAuthServerEntry 3 } ::= { radiusAuthServerEntry 3 }
radiusAuthClientRoundTripTime OBJECT-TYPE radiusAuthClientRoundTripTime OBJECT-TYPE
SYNTAX TimeTicks SYNTAX TimeTicks
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The time interval between the most recent "The time interval (in hundredths of a second) between
Access-Reply/Access-Challenge and the Access-Request that the most recent Access-Reply/Access-Challenge and the
matched it from this RADIUS authentication server." Access-Request that matched it from this RADIUS
authentication server."
::= { radiusAuthServerEntry 4 } ::= { radiusAuthServerEntry 4 }
-- Request/Response statistics -- Request/Response statistics
-- --
-- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes -- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
-- --
-- TotalIncomingPackets - MalformedResponses - BadAuthenticators - -- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received -- UnknownTypes - PacketsDropped = Successfully received
-- --
-- AccessRequests + PendingRequests + ClientTimeouts = Successfully Received -- AccessRequests + PendingRequests + ClientTimeouts = Successfully Received
-- --
-- --
radiusAuthClientAccessRequests OBJECT-TYPE radiusAuthClientAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Request packets sent "The number of RADIUS Access-Request packets sent
to this server since client start-up. This does not to this server. This does not include retransmissions."
include retransmissions."
::= { radiusAuthServerEntry 5 } ::= { radiusAuthServerEntry 5 }
radiusAuthClientAccessRetransmissions OBJECT-TYPE radiusAuthClientAccessRetransmissions OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Request packets "The number of RADIUS Access-Request packets
retransmitted to this RADIUS authentication server retransmitted to this RADIUS authentication server."
since client start-up."
::= { radiusAuthServerEntry 6 } ::= { radiusAuthServerEntry 6 }
radiusAuthClientAccessAccepts OBJECT-TYPE radiusAuthClientAccessAccepts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Accept packets "The number of RADIUS Access-Accept packets
(valid or invalid) received from this server (valid or invalid) received from this server."
since client start-up."
::= { radiusAuthServerEntry 7 } ::= { radiusAuthServerEntry 7 }
radiusAuthClientAccessRejects OBJECT-TYPE radiusAuthClientAccessRejects OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Reject packets "The number of RADIUS Access-Reject packets
(valid or invalid) received from this server (valid or invalid) received from this server."
since client start-up."
::= { radiusAuthServerEntry 8 } ::= { radiusAuthServerEntry 8 }
radiusAuthClientAccessChallenges OBJECT-TYPE radiusAuthClientAccessChallenges OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Challenge packets "The number of RADIUS Access-Challenge packets
(valid or invalid) received from this server since (valid or invalid) received from this server."
client start-up."
::= { radiusAuthServerEntry 9 } ::= { radiusAuthServerEntry 9 }
-- "Access-Response" includes an Access-Accept, Access-Challenge -- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject -- or Access-Reject
radiusAuthClientMalformedAccessResponses OBJECT-TYPE radiusAuthClientMalformedAccessResponses OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-nly
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of malformed RADIUS Access-Response "The number of malformed RADIUS Access-Response
packets received from this server since client packets received from this server.
start-up. Malformed packets include packets with Malformed packets include packets with
an invalid length. Bad authenticators or an invalid length. Bad authenticators or
Signature attributes or unknown types are not Signature attributes or unknown types are not
included as malformed access responses." included as malformed access responses."
::= { radiusAuthServerEntry 10 } ::= { radiusAuthServerEntry 10 }
radiusAuthClientBadAuthenticators OBJECT-TYPE radiusAuthClientBadAuthenticators OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Response packets "The number of RADIUS Access-Response packets
containing invalid authenticators or Signature containing invalid authenticators or Signature
attributes received from this server since client attributes received from this server."
start-up."
::= { radiusAuthServerEntry 11 } ::= { radiusAuthServerEntry 11 }
radiusAuthClientPendingRequests OBJECT-TYPE radiusAuthClientPendingRequests OBJECT-TYPE
SYNTAX Gauge32 SYNTAX Gauge32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Request packets "The number of RADIUS Access-Request packets
destined for this server that have not yet timed out destined for this server that have not yet timed out
or received a response. This variable is incremented or received a response. This variable is incremented
when an Access-Request is sent and decremented due to when an Access-Request is sent and decremented due to
receipt of an Acess-Accept, Access-Reject or Access-Challenge, receipt of an Acess-Accept, Access-Reject or Access-Challenge,
a timeout or retransmission." a timeout or retransmission."
::= { radiusAuthServerEntry 12 } ::= { radiusAuthServerEntry 12 }
radiusAuthClientTimeouts OBJECT-TYPE radiusAuthClientTimeouts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of authentication timeouts to this server "The number of authentication timeouts to this server.
since client startup. After a timeout the client may After a timeout the client may retry to the same
retry to the same server, send to a different server, or server, send to a different server, or
give up. A retry to the same server is counted as a give up. A retry to the same server is counted as a
retransmit as well as a timeout. A send to a different retransmit as well as a timeout. A send to a different
server is counted as a Request as well as a timeout." server is counted as a Request as well as a timeout."
::= { radiusAuthServerEntry 13 } ::= { radiusAuthServerEntry 13 }
radiusAuthClientUnknownTypes OBJECT-TYPE radiusAuthClientUnknownTypes OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS packets of unknown type which "The number of RADIUS packets of unknown type which
were received from this server on the authentication port were received from this server on the authentication port."
since client start-up."
::= { radiusAuthServerEntry 14 } ::= { radiusAuthServerEntry 14 }
radiusAuthClientPacketsDropped OBJECT-TYPE radiusAuthClientPacketsDropped OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS packets of which were "The number of RADIUS packets of which were
received from this server on the authentication port received from this server on the authentication port
and dropped for some other reason since client and dropped for some other reason."
start-up."
::= { radiusAuthServerEntry 15 } ::= { radiusAuthServerEntry 15 }
-- conformance information -- conformance information
radiusAuthClientMIBConformance radiusAuthClientMIBConformance
OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 } OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
radiusAuthClientMIBCompliances radiusAuthClientMIBCompliances
OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 } OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
radiusAuthClientMIBGroups radiusAuthClientMIBGroups
OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 } OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }
skipping to change at page 9, line 35 skipping to change at page 10, line 30
DESCRIPTION DESCRIPTION
"The basic collection of objects providing management of "The basic collection of objects providing management of
RADIUS Authentication Clients." RADIUS Authentication Clients."
::= { radiusAuthClientMIBGroups 1 } ::= { radiusAuthClientMIBGroups 1 }
END END
8. References 8. References
[1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
Describing SNMP Management Frameworks", RFC 2271, Cabletron Sys- Describing SNMP Management Frameworks", RFC 2271, Cabletron
tems, Inc., BMC Software, Inc., IBM T. J. Watson Research, Jan- Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
uary 1998. January 1998.
[2] Rose, M., and K. McCloghrie, "Structure and Identification of [2] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155, Management Information for TCP/IP-based Internets", RFC 1155,
Performance Systems International, Hughes LAN Systems, May 1990. Performance Systems International, Hughes LAN Systems, May 1990.
[3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, [3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
Performance Systems International, Hughes LAN Systems, March Performance Systems International, Hughes LAN Systems, March 1991.
1991.
[4] M. Rose, "A Convention for Defining Traps for use with the SNMP", [4] M. Rose, "A Convention for Defining Traps for use with the SNMP",
RFC 1215, Performance Systems International, March 1991. RFC 1215, Performance Systems International, March 1991.
[5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
of Management Information for Version 2 of the Simple Network of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Cisco
Cisco Systems, Inc., Dover Beach Consulting, Inc., International Systems, Inc., Dover Beach Consulting, Inc., International Network
Network Services, January 1996. Services, January 1996.
[6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual [6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
Conventions for Version 2 of the Simple Network Management Proto- Conventions for Version 2 of the Simple Network Management Protocol
col (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 1996. January 1996.
[7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Confor- [7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance
mance Statements for Version 2 of the Simple Network Management Statements for Version 2 of the Simple Network Management Protocol
Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 1996. January 1996.
[8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Net- [8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
work Management Protocol", RFC 1157, SNMP Research, Performance Management Protocol", RFC 1157, SNMP Research, Performance Systems
Systems International, Performance Systems International, MIT International, Performance Systems International, MIT Laboratory
Laboratory for Computer Science, May 1990. for Computer Science, May 1990.
[9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc- [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
tion to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research,
Cisco Systems, Inc., Dover Beach Consulting, Inc., International Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
Network Services, January 1996. International Network Services, January 1996.
[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
Mappings for Version 2 of the Simple Network Management Protocol Mappings for Version 2 of the Simple Network Management Protocol
(SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc.,
Dover Beach Consulting, Inc., International Network Services, Dover Beach Consulting, Inc., International Network Services,
January 1996. January 1996.
[11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Pro- [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
cessing and Dispatching for the Simple Network Management Proto- Processing and Dispatching for the Simple Network Management
col (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems,
Inc., BMC Software, Inc., IBM T. J. Watson Research, January Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.
1998.
[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) [12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for
for version 3 of the Simple Network Management Protocol version 3 of the Simple Network Management Protocol (SNMPv3)", RFC
(SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998. 2274, IBM T. J. Watson Research, January 1998.
[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
Operations for Version 2 of the Simple Network Management Proto- Operations for Version 2 of the Simple Network Management Protocol
col (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 196. January 196.
[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
2273, SNMP Research, Inc., Secure Computing Corporation, Cisco 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco
Systems, January 1998 Systems, January 1998
[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management Protocol Control Model (VACM) for the Simple Network Management Protocol
(SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
Cisco Systems, Inc., January 1998 Cisco Systems, Inc., January 1998
[16] Rigney, C., Rubens, A., Simpson W., and S. Willens, "Remote [16] Rigney, C., Rubens, A., Simpson W., and S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2138, April Authentication Dial In User Service (RADIUS)", RFC 2138, April
1997. 1997.
[17] "Information processing systems - Open Systems Interconnection -
Specification of Abstract Syntax Notation One (ASN.1)", Interna-
tional Organization for Standardization, International Standard
8824, December 1987.
9. Security considerations 9. Security considerations
There are no management objects defined in this MIB that have a MAX- There are no management objects defined in this MIB that have a MAX-
ACCESS clause of read-write and/or read-create. So, if this MIB is ACCESS clause of read-write and/or read-create. So, if this MIB is
implemented correctly, then there is no risk that an intruder can implemented correctly, then there is no risk that an intruder can alter
alter or create any management objects of this MIB via direct SNMP SET or create any management objects of this MIB via direct SNMP SET
operations. operations.
There are a number of managed objects in this MIB that may contain There are a number of managed objects in this MIB that may contain
sensitive information. These are: sensitive information. These are:
radiusAuthServerAddress radiusAuthServerAddress
This can be used to determine the address of the RADIUS This can be used to determine the address of the RADIUS
authentication server with which the client is communicat- authentication server with which the client is communicating.
ing. This information could be useful in mounting an attack This information could be useful in mounting an attack on the
on the authentication server. authentication server.
radiusAuthClientServerPortNumber radiusAuthClientServerPortNumber
This can be used to determine the port number on which the This can be used to determine the port number on which the
RADIUS authentication client is sending. This information RADIUS authentication client is sending. This information
could be useful in impersonating the client in order to send could be useful in impersonating the client in order to send
data to the authentication server. data to the authentication server.
It is thus important to control even GET access to these objects and It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these object when sending them possibly to even encrypt the values of these object when sending them
over the network via SNMP. Not all versions of SNMP provide features over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment. for such a secure environment.
SNMPv1 by itself is not a secure environment. Even if the network SNMPv1 by itself is not a secure environment. Even if the network itself
itself is secure (for example by using IPSec), there is no control as is secure (for example by using IPSec), there is no control as to who on
to who on the secure network is allowed to access and GET/SET the secure network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB. (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security features It is recommended that the implementers consider the security features
as provided by the SNMPv3 framework. Specifically, the use of the as provided by the SNMPv3 framework. Specifically, the use of the User-
User-based Security Model RFC 2274 [12] and the View-based Access Con- based Security Model RFC 2274 [12] and the View-based Access Control
trol Model RFC 2275 [15] is recommended. Using these security fea- Model RFC 2275 [15] is recommended. Using these security features,
tures, customer/users can give access to the objects only to those customer/users can give access to the objects only to those principals
principals (users) that have legitimate rights to GET or SET
(change/create/delete) them. (users) that have legitimate rights to GET or SET (change/create/delete)
them.
10. Acknowledgments 10. Acknowledgments
Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl
Carl Rigney of Livingston and Peter Heitman of American Internet Cor- Rigney of Livingston and Peter Heitman of American Internet Corporation
poration for useful discussions of this problem space. for useful discussions of this problem space.
11. Authors' Addresses 11. Authors' Addresses
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Wy
Redmond, WA 98052 Redmond, WA 98052
Phone: 425-936-6605 Phone: 425-936-6605
EMail: bernarda@microsoft.com EMail: bernarda@microsoft.com
Glen Zorn Glen Zorn
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
Phone: 425-703-1559 Phone: 425-703-1559
EMail: glennz@microsoft.com EMail: glennz@microsoft.com
12. Full Copyright Statement 12. Intellectural Property Statement
Copyright (C) The Internet Society (1997). All Rights Reserved. The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses to
be made available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive
Director.
13. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it or
or assist in its implmentation may be prepared, copied, published and assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are provided that the above copyright notice and this paragraph are included
included on all such copies and derivative works. However, this docu- on all such copies and derivative works. However, this document itself
ment itself may not be modified in any way, such as by removing the may not be modified in any way, such as by removing the copyright notice
copyright notice or references to the Internet Society or other Inter- or references to the Internet Society or other Internet organizations,
net organizations, except as needed for the purpose of developing except as needed for the purpose of developing Internet standards in
Internet standards in which case the procedures for copyrights defined which case the procedures for copyrights defined in the Internet
in the Internet Standards process must be followed, or as required to Standards process must be followed, or as required to translate it into
translate it into languages other than English. The limited permis- languages other than English. The limited permissions granted above are
sions granted above are perpetual and will not be revoked by the perpetual and will not be revoked by the Internet Society or its
Internet Society or its successors or assigns. This document and the successors or assigns. This document and the information contained
information contained herein is provided on an "AS IS" basis and THE herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
RANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
PARTICULAR PURPOSE."
13. Expiration Date
This memo is filed as <draft-ietf-radius-auth-clientmib-02.txt>, and 14. Expiration Date
expires May 1, 1999.
m o This memo is filed as <draft-ietf-radius-auth-clientmib-03.txt>, and
expires August 1, 1999.
 End of changes. 65 change blocks. 
205 lines changed or deleted 214 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/