     RADIUS Working Group                                         Glen Zorn
     INTERNET-DRAFT                                               Microsoft
     Category: Standards Track                                Bernard Aboba
     <draft-ietf-radius-auth-servmib-02.txt>                      Microsoft
     11 November 1998

                        RADIUS Authentication Server MIB

     1.  Status of this Memo

     This document is an Internet-Draft.  Internet-Drafts are working docu-
     ments of the Internet Engineering Task Force (IETF),  its  areas,  and
     its  working groups.  Note that other groups may also distribute work-
     ing documents as Internet-Drafts.

     Internet-Drafts are draft documents valid for a maximum of six  months
     and  may  be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as  reference  mate-
     rial or to cite them other than as ``work in progress.''

     To  learn  the  current status of any Internet-Draft, please check the
     ``1id-abstracts.txt'' listing contained in the Internet-Drafts  Shadow
     Directories   on   ftp.ietf.org   (US  East  Coast),  nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

     The  distribution  of  this memo is unlimited.  It is filed as <draft-
     ietf-radius-auth-servmib-02.txt>, and expires May 1, 1999.  Please send
     comments to the authors.

     2.  Copyright Notice

     Copyright (C) The Internet Society (1998).  All Rights Reserved.

     3.  Abstract

     This  memo defines a set of extensions which instrument RADIUS authen-
     tication server functions. These extensions represent a portion of the
     Management Information Base (MIB) for use with network management pro-
     tocols in the Internet community.   Using  these  extensions  IP-based
     management stations can manage RADIUS authentication servers.

     4.  Introduction

     This  memo  defines a portion of the Management Information Base (MIB)
     for use with network management protocols in the  Internet  community.
     In  particular,  it describes managed objects used for managing RADIUS
     authentication servers.

     RADIUS authentication servers are  today  widely  deployed  by  dialup
     Internet  Service  Providers,  in order to provide authentication ser-
     vices. As a result, the effective management of RADIUS  authentication
     servers is of considerable importance.

     5.  The SNMP Management Framework

     The SNMP Management Framework presently consists of five major  compo-
     nents:

         o   An overall architecture, described in RFC 2271 [1].

         o   Mechanisms for describing and naming objects  and  events  for
             the purpose of management. The first version of this Structure
             of Management Information (SMI) is called SMIv1 and  described
             in  RFC  1155  [2],  RFC 1212 [3] and RFC 1215 [4]. The second
             version, called SMIv2, is described in RFC 1902 [5], RFC  1903
             [6] and RFC 1904 [7].

         o   Message protocols for transferring management information. The
             first version of the SNMP message protocol  is  called  SNMPv1
             and  described  in  RFC 1157 [8]. A second version of the SNMP
             message protocol, which is not  an  Internet  standards  track
             protocol,  is called SNMPv2c and described in RFC 1901 [9] and
             RFC 1906 [10]. The third version of the  message  protocol  is
             called  SNMPv3  and  described in RFC 1906 [10], RFC 2272 [11]
             and RFC 2274 [12].

         o   Protocol operations for accessing management information.  The
             first set of protocol operations and associated PDU formats is
             described in RFC 1157 [8]. A second set of protocol operations
             and associated PDU formats is described in RFC 1905 [13].

         o   A  set  of fundamental applications described in RFC 2273 [14]
             and the view-based access control mechanism described  in  RFC
             2275 [15].

     Managed  objects  are accessed via a virtual information store, termed
     the Management Information Base  or  MIB.   Objects  in  the  MIB  are
     defined using the mechanisms defined in the SMI.

     This memo specifies a MIB module that is compliant to the SMIv2. A MIB
     conforming to the SMIv1 can be produced through the appropriate trans-
     lations. The resulting translated MIB must be semantically equivalent,
     except where objects or events are omitted because no  translation  is
     possible  (use  of  Counter64).  Some  machine readable information in
     SMIv2 will be converted into textual descriptions in SMIv1 during  the
     translation  process.  However, this loss of machine readable informa-
     tion is not considered to change the semantics of the MIB.

     6.  Overview

     The RADIUS authentication protocol, described in [16],  distinguishes
     between the client function and the server function. In RADIUS authen-
     tication, clients send Access-Requests, and servers reply with Access-
     Accepts, Access-Rejects, and Access-Challenges.  Typically NAS devices
     implement the client function, and thus would be expected to implement
     the  RADIUS  authentication  client  MIB,  while RADIUS authentication
     servers implement the server function, and thus would be  expected  to
     implement the RADIUS authentication server MIB.

     However,  it is possible for a RADIUS authentication entity to perform
     both client and server functions. For example, a RADIUS proxy may  act
     as a server to one or more RADIUS authentication clients, while simul-
     taneously acting as an authentication client to one or more  authenti-
     cation  servers.  In such situations, it is expected that RADIUS enti-
     ties combining client and server functionality will support  both  the
     client and server MIBs.

     6.1.  Selected objects

     This MIB module contains fourteen scalars as well as a single table:

     (1)  the RADIUS Authentication Client Table contains one row for each
          RADIUS authentication client that the server shares a secret with.

     Each  entry  in the RADIUS Authentication Client Table includes twelve
     columns presenting a view of the activity of the RADIUS authentication
     server.

     7.  Definitions

     RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

     IMPORTS
            MODULE-IDENTITY, OBJECT-TYPE,
            OBJECT-IDENTITY, experimental,
            Counter32, Gauge32, Integer32,
            IpAddress                          FROM SNMPv2-SMI
            TEXTUAL-CONVENTION, DisplayString  FROM SNMPv2-TC
            MODULE-COMPLIANCE, OBJECT-GROUP    FROM SNMPv2-CONF;

     radiusAuthServMIB MODULE-IDENTITY
            LAST-UPDATED "9811161659Z"
            ORGANIZATION "IETF RADIUS Working Group."
            CONTACT-INFO
                   " Glen Zorn
                     Microsoft
                     One Microsoft Way
                     Redmond, WA  98052
                     US

                     Phone: +1 425 703 1559
                     EMail: glennz@microsoft.com"
            DESCRIPTION
                  "The MIB module for entities implementing the server
                   side of the Remote Access Dialin User Service (RADIUS)
                   authentication protocol."
            ::= { radiusAuthentication 1 }

     radius OBJECT-IDENTITY
            STATUS  current
            DESCRIPTION
                  "The OID assigned to RADIUS MIB work by the IANA."
            ::= { experimental 79 }

     radiusAuthentication  OBJECT IDENTIFIER ::= {radius 1}

     radiusAuthServMIBObjects     OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }

     radiusAuthServ      OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }

     -- Textual conventions

     RadiusTime ::= TEXTUAL-CONVENTION
            DISPLAY-HINT "4d"
            STATUS  current
            DESCRIPTION
                 "RadiusTime values are 32-bit unsigned integers which
                  measure time in seconds."
            SYNTAX  Gauge32

     radiusAuthServIdent OBJECT-TYPE
            SYNTAX      DisplayString
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "The implementation identification string for the
                   RADIUS authentication server software in use on the
                   system, for example; `FNS-2.1'"
            ::= {radiusAuthServ 1}

     radiusAuthServUpTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process),
                   this value will be the time elapsed since it started.
                   For software without persistent state, this value will
                   be zero."
            ::= {radiusAuthServ 2}

     radiusAuthServResetTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process)
                   and supports a `reset' operation (e.g., can be told to
                   re-read configuration files), this value will be the
                   time elapsed since the last time the name server was
                   `reset.'  For software that does not have persistence or
                   does not support a `reset' operation, this value will be
                   zero."
            ::= {radiusAuthServ 3}

     radiusAuthServConfigReset OBJECT-TYPE
            SYNTAX INTEGER { other(1),
                             reset(2),
                             initializing(3),
                             running(4)}
            MAX-ACCESS  read-write
            STATUS      current
            DESCRIPTION
                   "Status/action object to reinitialize any persistent
                    server state.  When set to reset(2), any persistent
                    server state (such as a process) is reinitialized as if
                    the server had just been started.  This value will
                    never be returned by a read operation.  When read, one of
                    the following values will be returned:
                        other(1) - server in some unknown state;
                        initializing(3) - server (re)initializing;
                        running(4) - server currently running."
            ::= {radiusAuthServ 4}

     -- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)

     radiusAuthServTotalAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Request packets
                   received on the authentication port since server
                   start-up."
            ::= { radiusAuthServ 5 }

     radiusAuthServTotalInvalidRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Request packets
                   received from unknown addresses since server start-up."
            ::= { radiusAuthServ 6 }

     radiusAuthServTotalDupAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of duplicate RADIUS Access-Request
                   packets received since server start-up."
            ::= { radiusAuthServ 7 }

     radiusAuthServTotalAccessAccepts OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Accept packets
                   sent since server start-up."
            ::= { radiusAuthServ 8 }

     radiusAuthServTotalAccessRejects OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Reject packets
                   sent since server start-up."
            ::= { radiusAuthServ 9 }

     radiusAuthServTotalAccessChallenges OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Challenge packets
                   sent since server start-up."
            ::= { radiusAuthServ 10 }

     radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of malformed RADIUS Access-Request
                   packets received since server start-up. Bad
                   authenticators and unknown types are not included as
                   malformed Access-Requests."
            ::= { radiusAuthServ 11 }

     radiusAuthServTotalBadAuthenticators OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Authentication-Request
                   packets which contained invalid Signature attributes
                   received since server start-up."
            ::= { radiusAuthServ 12 }

     radiusAuthServTotalPacketsDropped OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of incoming packets silently discarded
                   for some reason other than malformed, bad authenticators
                   or unknown types."
            ::= { radiusAuthServ 13 }

     radiusAuthServTotalUnknownTypes OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS packets of unknown type which
                   were received since server start-up."
            ::= { radiusAuthServ 14 }

     -- End of new

     radiusAuthClientTable OBJECT-TYPE
            SYNTAX     SEQUENCE OF RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "The (conceptual) table listing the RADIUS authentication
                   clients with which the server shares a secret."
            ::= { radiusAuthServ 15 }

     radiusAuthClientEntry OBJECT-TYPE
            SYNTAX     RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "An entry (conceptual row) representing a RADIUS
                   authentication client with which the server shares a secret."
            INDEX      { radiusAuthClientIndex }
            ::= { radiusAuthClientTable 1 }

     RadiusAuthClientEntry ::= SEQUENCE {
            radiusAuthClientIndex                           Integer32,
            radiusAuthClientAddress                         IpAddress,
            radiusAuthClientID                              DisplayString,
            radiusAuthServAccessRequests                    Counter32,
            radiusAuthServDupAccessRequests                 Counter32,
            radiusAuthServAccessAccepts                     Counter32,
            radiusAuthServAccessRejects                     Counter32,
            radiusAuthServAccessChallenges                  Counter32,
            radiusAuthServMalformedAccessRequests           Counter32,
            radiusAuthServBadAuthenticators                 Counter32,
            radiusAuthServPacketsDropped                    Counter32,
            radiusAuthServUnknownTypes                      Counter32
     }

     radiusAuthClientIndex OBJECT-TYPE
            SYNTAX     Integer32 (0..MAX)
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                   "A number uniquely identifying each RADIUS
                   authentication client with which this server
                   communicates."
            ::= { radiusAuthClientEntry 1 }

     radiusAuthClientAddress OBJECT-TYPE
            SYNTAX     IpAddress
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-IP-Address of the RADIUS authentication client
                   referred to in this table entry."
            ::= { radiusAuthClientEntry 2 }

     radiusAuthClientID OBJECT-TYPE
            SYNTAX     DisplayString
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-Identifier of the RADIUS authentication client
                   referred to in this table entry. This is not necessarily
                   the same as sysName in MIB II."
            ::= { radiusAuthClientEntry 3 }

     -- Server Counters
     --
     -- Responses = AccessAccepts + AccessRejects + AccessChallenges
     --
     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
     -- UnknownTypes -  PacketsDropped - Responses = Pending
     --
     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
     -- UnknownTypes - PacketsDropped = entries logged

     radiusAuthServAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Request packets
                   received on the authentication port from this client
                   since server start-up."
            ::= { radiusAuthClientEntry  4 }

     radiusAuthServDupAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of duplicate RADIUS Access-Request
                   packets received from this client since server start-up."
            ::= { radiusAuthClientEntry  5 }

     radiusAuthServAccessAccepts OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Accept packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  6 }

     radiusAuthServAccessRejects OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                  "The total number of RADIUS Access-Reject packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  7 }

     radiusAuthServAccessChallenges OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Challenge packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  8 }

     radiusAuthServMalformedAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of malformed RADIUS Access-Request
                   packets received from this client since server start-up.
                   Bad authenticators and unknown types are not included as
                   malformed Access-Requests."
            ::= { radiusAuthClientEntry  9 }

     radiusAuthServBadAuthenticators OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Authentication-Request packets
                   which contained invalid Signature attributes received
                   from this client since server start-up."
            ::= { radiusAuthClientEntry  10 }

     radiusAuthServPacketsDropped OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                   "The total number of incoming packets from this
                    client silently discarded for some reason other
                    than malformed, bad authenticators or
                    unknown types."
            ::= { radiusAuthClientEntry  11 }

     radiusAuthServUnknownTypes OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS packets of unknown type which
                   were received from this client since authentication server
                   start-up."
            ::= { radiusAuthClientEntry  12 }

     -- conformance information

     radiusAuthServMIBConformance
                   OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
     radiusAuthServMIBCompliances
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
     radiusAuthServMIBGroups
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }

     -- compliance statements

     radiusAuthServMIBCompliance MODULE-COMPLIANCE
            STATUS  current
            DESCRIPTION
                  "The compliance statement for authentication servers
                   implementing the RADIUS Authentication Server MIB."
            MODULE  -- this module
            MANDATORY-GROUPS { radiusAuthServMIBGroup }

            ::= { radiusAuthServMIBCompliances 1 }

     -- units of conformance

     radiusAuthServMIBGroup OBJECT-GROUP
           OBJECTS {radiusAuthServIdent,
                    radiusAuthServUpTime,
                    radiusAuthServResetTime,
                    radiusAuthServConfigReset,
                    radiusAuthServTotalAccessRequests,
                    radiusAuthServTotalInvalidRequests,
                    radiusAuthServTotalDupAccessRequests,
                    radiusAuthServTotalAccessAccepts,
                    radiusAuthServTotalAccessRejects,
                    radiusAuthServTotalAccessChallenges,
                    radiusAuthServTotalMalformedAccessRequests,
                    radiusAuthServTotalBadAuthenticators,
                    radiusAuthServTotalPacketsDropped,
                    radiusAuthServTotalUnknownTypes,
                    radiusAuthClientAddress,
                    radiusAuthClientID,
                    radiusAuthServAccessRequests,
                    radiusAuthServDupAccessRequests,
                    radiusAuthServAccessAccepts,
                    radiusAuthServAccessRejects,
                    radiusAuthServAccessChallenges,
                    radiusAuthServMalformedAccessRequests,
                    radiusAuthServBadAuthenticators,
                    radiusAuthServPacketsDropped,
                    radiusAuthServUnknownTypes
                   }
           STATUS  current
           DESCRIPTION
                 "The collection of objects providing management of
                  a RADIUS Authentication Server."
           ::= { radiusAuthServMIBGroups 1 }

     END
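     The counter relations stated in the "Server Counters" comment of the
     module above, turned into a poller-side check. This is an added example
     and not part of the draft: the counter values are constructed, and a
     real poller would fill ClientRow from the Counter32 columns of
     radiusAuthClientEntry (over SNMPv3, as the security considerations
     recommend). The thresholds are illustrative assumptions.

```python
"""Poller-side checks over the per-client counters of RADIUS-AUTH-SERVER-MIB,
using the relations in the module's "Server Counters" comment.
Added example, not part of the draft; all counter values are constructed."""
from dataclasses import dataclass
from typing import Dict, List

COUNTER32_MODULUS = 1 << 32  # Counter32 wraps to 0 after 2**32 - 1


@dataclass(frozen=True)
class ClientRow:
    """One conceptual row of radiusAuthClientTable (radiusAuthClientID omitted)."""
    index: int                      # radiusAuthClientIndex
    address: str                    # radiusAuthClientAddress (NAS-IP-Address)
    access_requests: int            # radiusAuthServAccessRequests
    dup_access_requests: int        # radiusAuthServDupAccessRequests
    access_accepts: int             # radiusAuthServAccessAccepts
    access_rejects: int             # radiusAuthServAccessRejects
    access_challenges: int          # radiusAuthServAccessChallenges
    malformed_access_requests: int  # radiusAuthServMalformedAccessRequests
    bad_authenticators: int         # radiusAuthServBadAuthenticators
    packets_dropped: int            # radiusAuthServPacketsDropped
    unknown_types: int              # radiusAuthServUnknownTypes


def responses(r: ClientRow) -> int:
    # Responses = AccessAccepts + AccessRejects + AccessChallenges
    return r.access_accepts + r.access_rejects + r.access_challenges


def entries_logged(r: ClientRow) -> int:
    # Requests - DupRequests - BadAuthenticators - MalformedRequests -
    # UnknownTypes - PacketsDropped = entries logged
    return (r.access_requests - r.dup_access_requests - r.bad_authenticators
            - r.malformed_access_requests - r.unknown_types
            - r.packets_dropped)


def pending(r: ClientRow) -> int:
    # entries logged - Responses = Pending. Requests still being processed
    # give a value >= 0; a negative value means the counters are inconsistent.
    return entries_logged(r) - responses(r)


def counter_delta(old: int, new: int) -> int:
    """Increase of a Counter32 between two polls, allowing for one wrap."""
    return (new - old) % COUNTER32_MODULUS


def check_snapshot(r: ClientRow) -> List[str]:
    """Invariant check on a single poll of one client row."""
    p = pending(r)
    if p < 0:
        return [f"{r.address}: Pending is {p}; counters are inconsistent"]
    return []


def check_interval(before: ClientRow, after: ClientRow,
                   bad_auth_threshold: int = 10,
                   pending_growth_threshold: int = 50) -> List[str]:
    """Compare two polls of the same client row and report what an operator
    would want to look at. Thresholds are illustrative assumptions."""
    if before.index != after.index:
        raise ValueError("rows belong to different clients")
    findings = check_snapshot(after)
    bad = counter_delta(before.bad_authenticators, after.bad_authenticators)
    if bad > bad_auth_threshold:
        # The authenticator did not verify under the shared secret: usually a
        # secret mismatch on this NAS, possibly packets forged from its
        # address. Either way the secret configured for this client needs review.
        findings.append(f"{after.address}: {bad} bad authenticators since "
                        "last poll; verify the shared secret for this client")
    growth = pending(after) - pending(before)
    if growth > pending_growth_threshold:
        findings.append(f"{after.address}: pending requests grew by {growth}; "
                        "authentication backend slow or unreachable")
    return findings


def sample_rows() -> Dict[str, ClientRow]:
    """Constructed values: two polls of a healthy NAS, two polls of a NAS
    whose new requests all fail the authenticator check, and one row whose
    counters violate the Pending relation."""
    return {
        "nas1_t0": ClientRow(1, "192.0.2.10", 1000, 20, 850, 100, 20, 2, 1, 3, 0),
        "nas1_t1": ClientRow(1, "192.0.2.10", 1500, 30, 1270, 150, 30, 2, 1, 3, 0),
        "nas2_t0": ClientRow(2, "192.0.2.11", 300, 0, 200, 90, 5, 0, 5, 0, 0),
        "nas2_t1": ClientRow(2, "192.0.2.11", 420, 0, 200, 90, 5, 0, 125, 0, 0),
        "bad_row": ClientRow(3, "192.0.2.12", 100, 0, 80, 30, 0, 0, 0, 0, 0),
    }


def run_checks() -> List[str]:
    """Run the checks over the constructed rows; returns two findings."""
    rows = sample_rows()
    findings = check_interval(rows["nas1_t0"], rows["nas1_t1"])
    findings += check_interval(rows["nas2_t0"], rows["nas2_t1"])
    findings += check_snapshot(rows["bad_row"])
    return findings
```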

     8.  Acknowledgments

     Thanks  to  Narendra  Gidwani  of Microsoft, Allan C. Rubens of MERIT,
     Carl Rigney of Livingston, and Peter Heitman of American Internet Cor-
     poration for useful discussions of this problem space.

     9.  References

     [1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture  for
          Describing SNMP Management Frameworks", RFC 2271, Cabletron  Sys-
          tems,  Inc.,  BMC Software, Inc., IBM T. J. Watson Research, Jan-
          uary 1998.

     [2]  Rose, M., and K. McCloghrie,  "Structure  and  Identification  of
          Management  Information  for  TCP/IP-based  Internets", RFC 1155,
          Performance Systems International, Hughes LAN Systems, May  1990.

     [3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
          Performance Systems  International,  Hughes  LAN  Systems,  March
          1991.

     [4]  M. Rose, "A Convention for Defining Traps for use with the SNMP",
          RFC 1215, Performance Systems International, March 1991.

     [5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
          of  Management  Information  for  Version 2 of the Simple Network
          Management Protocol (SNMPv2)",  RFC  1902,  SNMP  Research, Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.

     [6]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Textual
          Conventions for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1903,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.

     [7]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Confor-
          mance  Statements  for Version 2 of the Simple Network Management
          Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.

     [8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple  Net-
          work  Management  Protocol", RFC 1157, SNMP Research, Performance
          Systems International,  Performance  Systems  International,  MIT
          Laboratory for Computer Science, May 1990.

     [9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc-
          tion to Community-based SNMPv2", RFC 1901, SNMP  Research,  Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.

     [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
          Mappings  for Version 2 of the Simple Network Management Protocol
          (SNMPv2)", RFC 1906, SNMP Research, Inc.,  Cisco  Systems,  Inc.,
          Dover  Beach  Consulting,  Inc.,  International Network Services,
          January 1996.

     [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Pro-
          cessing  and Dispatching for the Simple Network Management Proto-
          col (SNMP)", RFC 2272, SNMP Research,  Inc.,  Cabletron  Systems,
          Inc.,  BMC  Software,  Inc.,  IBM  T. J. Watson Research, January
          1998.

     [12] Blumenthal, U., and B. Wijnen, "User-based Security  Model  (USM)
          for   version   3  of  the  Simple  Network  Management  Protocol
          (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.

     [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,  "Protocol
          Operations  for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1905,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.

     [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3  Applications",  RFC
          2273,  SNMP  Research,  Inc., Secure Computing Corporation, Cisco
          Systems, January 1998.

     [15] Wijnen, B., Presuhn, R., and K.  McCloghrie,  "View-based  Access
          Control  Model  (VACM) for the Simple Network Management Protocol
          (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
          Cisco Systems, Inc., January 1998.

     [16] Rigney,  C.,  Rubens,  A.,  Simpson  W.,  and S. Willens, "Remote
          Authentication Dial In User Service (RADIUS)",  RFC  2138,  April
          1997.

     [17] "Information  processing systems - Open Systems Interconnection -
          Specification of Abstract Syntax Notation One (ASN.1)",  Interna-
          tional  Organization  for Standardization, International Standard
          8824, December 1987.

     10.  Security considerations

     There are a number of management objects defined in this MIB that have
     a  MAX-ACCESS  clause  of read-write and/or read-create.  Such objects
     may be considered sensitive or vulnerable  in  some  network  environ-
     ments.   The  support  for  SET operations in a non-secure environment
     without proper protection can have a negative effect on network opera-
     tions.

     There  are  a  number  of managed objects in this MIB that may contain
     sensitive information. These are:

     radiusAuthClientAddress
               This can be used to determine  the  address  of  the  RADIUS
               authentication  client  with which the server is communicat-
               ing. This information could be useful in  impersonating  the
               client.

     radiusAuthClientID
               This can be used to determine the client ID of the authenti-
               cation client with which the server is  communicating.  This
               information could be useful in impersonating the client.

     It  is  thus important to control even GET access to these objects and
     possibly to even encrypt the values of these objects when sending them
     over  the network via SNMP.  Not all versions of SNMP provide features
     for such a secure environment.

     SNMPv1 by itself is not a secure  environment.  Even  if  the  network
     itself  is secure (for example by using IPSec), there is no control as
     to who on  the  secure  network  is  allowed  to  access  and  GET/SET
     (read/change/create/delete) the objects in this MIB.

     It is recommended that the implementers consider the security features
     as provided by the SNMPv3 framework.  Specifically,  the  use  of  the
     User-based Security Model RFC 2274 [12] and the View-based Access Con-
     trol Model RFC 2275 [15] is recommended.  Using  these  security  fea-
     tures,  customers/users  can give access to the objects only to those
     principals  (users)  that  have  legitimate  rights  to  GET  or   SET
     (change/create/delete) them.
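     As an added illustration (not part of this draft, and not code from any
     particular SNMP agent), the Python model below shows how a VACM MIB view
     built from view subtree families, as specified in RFC 2275 [15], can
     expose the server's counters to a read-only principal while keeping
     radiusAuthClientAddress and radiusAuthClientID out of the view.  The
     object identifiers it uses are assumed placeholders rather than this
     MIB's actual assignments, the family mask is modelled as a tuple of bits
     rather than the MIB's OCTET STRING, and the tie-break between matching
     families of equal length is simplified.

```python
"""Toy model of SNMPv3 view-based access control (VACM, RFC 2275).

A MIB view is a list of view subtree families.  An object instance is in
the view when the most specific family matching it is 'included'.  An agent
can use such a view to let a principal GET the RADIUS server counters while
hiding radiusAuthClientAddress / radiusAuthClientID.  All OIDs below are
ASSUMED placeholders, not the draft's real assignments.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:
    subtree: OID
    included: bool
    # One bit per sub-identifier of `subtree`: 1 = must match, 0 = wildcard.
    # Sub-identifiers beyond the mask length are treated as 1 (RFC 2275 3.5).
    mask: Tuple[int, ...] = ()

    def matches(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            bit = self.mask[i] if i < len(self.mask) else 1
            if bit and oid[i] != sub:
                return False
        return True


def oid_in_view(view: Sequence[ViewFamily], oid: OID) -> bool:
    """True when `oid` is visible through `view`."""
    hits = [f for f in view if f.matches(oid)]
    if not hits:
        return False
    # The most specific (longest) family decides.  On equal length this model
    # lets 'excluded' win: a conservative simplification of the RFC tie-break.
    best = max(hits, key=lambda f: (len(f.subtree), not f.included))
    return best.included


# --- placeholder object identifiers (assumed, not from the draft) ----------
RADIUS_AUTH_SERV = parse_oid("1.3.6.1.4.1.99999.1")   # whole server subtree
CLIENT_ENTRY = RADIUS_AUTH_SERV + (15, 1)              # radiusAuthClientEntry
CLIENT_ADDRESS_COLUMN = CLIENT_ENTRY + (2,)            # radiusAuthClientAddress
CLIENT_ID_COLUMN = CLIENT_ENTRY + (3,)                 # radiusAuthClientID
CLIENT_ACCESS_REQUESTS_COLUMN = CLIENT_ENTRY + (4,)    # a per-client counter

# View for an operator who may read counters but not client identities:
# include the whole subtree, then carve out the two sensitive columns.
OPERATOR_VIEW = [
    ViewFamily(RADIUS_AUTH_SERV, included=True),
    ViewFamily(CLIENT_ADDRESS_COLUMN, included=False),
    ViewFamily(CLIENT_ID_COLUMN, included=False),
]

# View exposing every column of one client row (index 7) and nothing else:
# a 0 bit wildcards the column sub-identifier, a 1 bit pins the row index.
COLUMN_POS = len(CLIENT_ENTRY)
SINGLE_CLIENT_VIEW = [
    ViewFamily(CLIENT_ENTRY + (0, 7), included=True,
               mask=(1,) * COLUMN_POS + (0, 1)),
]


def visible(view: Sequence[ViewFamily], oids: Sequence[OID]) -> List[OID]:
    """Filter a GET request's varbind list down to what the view permits."""
    return [o for o in oids if oid_in_view(view, o)]


if __name__ == "__main__":
    request = [CLIENT_ADDRESS_COLUMN + (7,), CLIENT_ACCESS_REQUESTS_COLUMN + (7,)]
    print(visible(OPERATOR_VIEW, request))   # only the counter instance survives
```

     In a real agent such a view would be bound, through the VACM access
     table, to a USM user [12] configured for both authentication and
     privacy, so that the objects left in the view are neither readable by
     unauthenticated principals nor sent over the network in cleartext.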

     10.  Acknowledgments

     Thanks  to  Narendra  Gidwani  of Microsoft, Allan C. Rubens of MERIT,
     Carl Rigney of Livingston and Peter Heitman of American Internet  Cor-
     poration for useful discussions of this problem space.

     11.  Authors' Addresses

     Bernard Aboba
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052

     Phone: 425-936-6605
     EMail: bernarda@microsoft.com

     Glen Zorn
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052

     Phone: 425-703-1559
     EMail: glennz@microsoft.com

     12.  Full Copyright Statement

     Copyright (C) The Internet Society (1997).  All Rights Reserved.

     This  document  and  translations of it may be copied and furnished to
     others, and derivative works that comment on or otherwise  explain  it
     or assist in its implementation may be prepared, copied, published and
     distributed, in whole or in part, without  restriction  of  any  kind,
     provided  that  the  above  copyright  notice  and  this paragraph are
     included on all such copies and derivative works.  However, this docu-
     ment  itself  may  not be modified in any way, such as by removing the
     copyright notice or references to the Internet Society or other Inter-
     net  organizations,  except  as  needed  for the purpose of developing
     Internet standards in which case the procedures for copyrights defined
     in  the Internet Standards process must be followed, or as required to
     translate it into languages other than English.  The  limited  permis-
     sions  granted  above  are  perpetual  and  will not be revoked by the
     Internet Society or its successors or assigns.  This document and  the
     information  contained  herein is provided on an "AS IS" basis and THE
     INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
     WARRANTIES,  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR-
     RANTY THAT THE USE OF THE INFORMATION HEREIN  WILL  NOT  INFRINGE  ANY
     RIGHTS  OR  ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
     PARTICULAR PURPOSE."

     13.  Expiration Date

     This memo is filed as  <draft-ietf-radius-auth-servermib-02.txt>,  and
     expires May 1, 1999.