draft-ietf-radius-auth-servmib-02.txt   draft-ietf-radius-auth-servmib-03.txt 
RADIUS Working Group Glen Zorn RADIUS Working Group Glen Zorn
INTERNET-DRAFT Microsoft INTERNET-DRAFT Microsoft
Category: Standards Track Bernard Aboba Category: Standards Track Bernard Aboba
<draft-ietf-radius-auth-servmib-02.txt> Microsoft <draft-ietf-radius-auth-servmib-03.txt> Microsoft
11 November 1998 2 February 1999
RADIUS Authentication Server MIB RADIUS Authentication Server MIB
1. Status of this Memo 1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu- This document is an Internet-Draft and is in full conformance with all
ments of the Internet Engineering Task Force (IETF), its areas, and provisions of Section 10 of RFC2026.
its working groups. Note that other groups may also distribute work-
ing documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are working documents of the Internet Engineering Task
and may be updated, replaced, or obsoleted by other documents at any Force (IETF), its areas, and its working groups. Note that other groups
time. It is inappropriate to use Internet-Drafts as reference mate- may also distribute working documents as Internet-Drafts. Internet-
rial or to cite them other than as ``work in progress.'' Drafts are draft documents valid for a maximum of six months and may be
updated, replaced, or obsoleted by other documents at any time. It is
inappropriate to use Internet- Drafts as reference material or to cite
them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the To view the list Internet-Draft Shadow Directories, see
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow http://www.ietf.org/shadow.html.
Directories on ftp.ietf.org (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
The distribution of this memo is unlimited. It is filed as <draft- The distribution of this memo is unlimited. It is filed as <draft-ietf-
ietf-radius-auth-servmib-02.txt>, and expires May 1, 1999. Please radius-auth-servmib-03.txt>, and expires August 1, 1999. Please send
send comments to the authors. comments to the authors.
2. Copyright Notice 2. Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved. Copyright (C) The Internet Society (1999). All Rights Reserved.
3. Abstract 3. Abstract
This memo defines a set of extensions which instrument RADIUS authen- This memo defines a set of extensions which instrument RADIUS
tication server functions. These extensions represent a portion of the authentication server functions. These extensions represent a portion of
Management Information Base (MIB) for use with network management pro- the Management Information Base (MIB) for use with network management
tocols in the Internet community. Using these extensions IP-based protocols in the Internet community. Using these extensions IP-based
management stations can manage RADIUS authentication servers. management stations can manage RADIUS authentication servers.
4. Introduction 4. Introduction
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB) for
for use with network management protocols in the Internet community. use with network management protocols in the Internet community. In
In particular, it describes managed objects used for managing RADIUS particular, it describes managed objects used for managing RADIUS
authentication servers. authentication servers.
RADIUS authentication servers are today widely deployed by dialup RADIUS authentication servers are today widely deployed by dialup
Internet Service Providers, in order to provide authentication ser- Internet Service Providers, in order to provide authentication services.
vices. As a result, the effective management of RADIUS authentication As a result, the effective management of RADIUS authentication servers
servers is of considerable importance. is of considerable importance.
5. The SNMP Management Framework 5. The SNMP Management Framework
The SNMP Management Framework presently consists of five major compo- The SNMP Management Framework presently consists of five major
nents: components:
o An overall architecture, described in RFC 2271 [1]. o An overall architecture, described in RFC 2271 [1].
o Mechanisms for describing and naming objects and events for o Mechanisms for describing and naming objects and events for the
the purpose of management. The first version of this Structure purpose of management. The first version of this Structure of
of Management Information (SMI) is called SMIv1 and described Management Information (SMI) is called SMIv1 and described in
in RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version,
version, called SMIv2, is described in RFC 1902 [5], RFC 1903 called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC
[6] and RFC 1904 [7]. 1904 [7].
o Message protocols for transferring management information. The o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 first version of the SNMP message protocol is called SNMPv1 and
and described in RFC 1157 [8]. A second version of the SNMP described in RFC 1157 [8]. A second version of the SNMP message
message protocol, which is not an Internet standards track protocol, which is not an Internet standards track protocol, is
protocol, is called SNMPv2c and described in RFC 1901 [9] and called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
RFC 1906 [10]. The third version of the message protocol is The third version of the message protocol is called SNMPv3 and
called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].
and RFC 2274 [12].
o Protocol operations for accessing management information. The o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is first set of protocol operations and associated PDU formats is
described in RFC 1157 [8]. A second set of protocol operations described in RFC 1157 [8]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [13]. and associated PDU formats is described in RFC 1905 [13].
o A set of fundamental applications described in RFC 2273 [14] o A set of fundamental applications described in RFC 2273 [14] and
and the view-based access control mechanism described in RFC the view-based access control mechanism described in RFC 2275
2275 [15]. [15].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed the
the Management Information Base or MIB. Objects in the MIB are Management Information Base or MIB. Objects in the MIB are defined
defined using the mechanisms defined in the SMI. using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A MIB This memo specifies a MIB module that is compliant to the SMIv2. A MIB
conforming to the SMIv1 can be produced through the appropriate trans- conforming to the SMIv1 can be produced through the appropriate
lations. The resulting translated MIB must be semantically equivalent, translations. The resulting translated MIB must be semantically
except where objects or events are omitted because no translation is equivalent, except where objects or events are omitted because no
possible (use of Counter64). Some machine readable information in translation is possible (use of Counter64). Some machine readable
SMIv2 will be converted into textual descriptions in SMIv1 during the information in SMIv2 will be converted into textual descriptions in
translation process. However, this loss of machine readable informa- SMIv1 during the translation process. However, this loss of machine
tion is not considered to change the semantics of the MIB. readable information is not considered to change the semantics of the
MIB.
6. Overview 6. Overview
The RADIUS authentication protocol, described in [16], distinguishes The RADIUS authentication protocol, described in [16], distinguishes
between the client function and the server function. In RADIUS authen- between the client function and the server function. In RADIUS
tication, clients send Access-Requests, and servers reply with Access- authentication, clients send Access-Requests, and servers reply with
Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS
implement the client function, and thus would be expected to implement devices implement the client function, and thus would be expected to
the RADIUS authentication client MIB, while RADIUS authentication implement the RADIUS authentication client MIB, while RADIUS
servers implement the server function, and thus would be expected to authentication servers implement the server function, and thus would be
implement the RADIUS authentication server MIB. expected to implement the RADIUS authentication server MIB.
However, it is possible for a RADIUS authentication entity to perform However, it is possible for a RADIUS authentication entity to perform
both client and server functions. For example, a RADIUS proxy may act both client and server functions. For example, a RADIUS proxy may act as
as a server to one or more RADIUS authentication clients, while simul- a server to one or more RADIUS authentication clients, while
taneously acting as an authentication client to one or more authenti- simultaneously acting as an authentication client to one or more
cation servers. In such situations, it is expected that RADIUS enti- authentication servers. In such situations, it is expected that RADIUS
ties combining client and server functionality will support both the entities combining client and server functionality will support both the
client and server MIBs. client and server MIBs.
6.1. Selected objects 6.1. Selected objects
This MIB module contains fourteen scalars as well as a single table: This MIB module contains fourteen scalars as well as a single table:
(1) the RADIUS Authentication Client Table contains one row for each (1) the RADIUS Authentication Client Table contains one row for each
RADIUS authentication client that the server shares a secret with. RADIUS authentication client that the server shares a secret with.
Each entry in the RADIUS Authentication Client Table includes twelve Each entry in the RADIUS Authentication Client Table includes twelve
columns presenting a view of the activity of the RADIUS authentication columns presenting a view of the activity of the RADIUS authentication
server. server.
7. Definitions 7. Definitions
RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
OBJECT-IDENTITY, experimental, Counter32, Integer32,
Counter32, Gauge32, Integer32, IpAddress, TimeTicks FROM SNMPv2-SMI
IpAddress FROM SNMPv2-SMI SnmpAdminString FROM SNMP-FRAMEWORK-MIB
TEXTUAL-CONVENTION, DisplayString FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; mib-2 FROM RFC1213-MIB;
radius OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The OID assigned to RADIUS MIB work by the IANA."
::= { experimental 79 }
radiusAuthentication OBJECT IDENTIFIER ::= {radius 1}
radiusAuthServMIB MODULE-IDENTITY radiusAuthServMIB MODULE-IDENTITY
LAST-UPDATED "9811161659Z" LAST-UPDATED "9901290000Z"
ORGANIZATION "IETF RADIUS Working Group." ORGANIZATION "IETF RADIUS Working Group."
CONTACT-INFO CONTACT-INFO
" Glen Zorn " Bernard Aboba
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
US US
Phone: +1 425 703 1559 Phone: +1 425 936 6605
EMail: glennz@microsoft.com" EMail: bernarda@microsoft.com"
DESCRIPTION DESCRIPTION
"The MIB module for entities impleenting the server "The MIB module for entities implementing the server
side of the Remote Access Dialin User Service (RADIUS) side of the Remote Access Dialin User Service (RADIUS)
authentication protocol." authentication protocol."
DESCRIPTION "Initial version as published in RFC xxxx"
-- RCC xxx to be assigned by IANA
::= { radiusAuthentication 1 } ::= { radiusAuthentication 1 }
radiusAuthServMIBObjects OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 } radiusMIB OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The OID assigned to RADIUS MIB work by the IANA."
::= { mib-2 xxx } -- To be assigned by IANA
radiusAuthServ OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 } radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
-- Textual conventions radiusAuthServMIBObjects OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }
RadiusTime ::= TEXTUAL-CONVENTION radiusAuthServ OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }
DISPLAY-HINT "4d"
STATUS current
DESCRIPTION
"RadiusTime values are 32-bit unsigned integers which
measure time in seconds."
SYNTAX Gauge32
radiusAuthServIdent OBJECT-TYPE radiusAuthServIdent OBJECT-TYPE
SYNTAX DisplayString SYNTAX SnmpAdminString
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The implementation identification string for the "The implementation identification string for the
RADIUS authentication server software in use on the RADIUS authentication server software in use on the
system, for example; `FNS-2.1'" system, for example; `FNS-2.1'"
::= {radiusAuthServ 1} ::= {radiusAuthServ 1}
radiusAuthServUpTime OBJECT-TYPE radiusAuthServUpTime OBJECT-TYPE
SYNTAX RadiusTime SYNTAX TimeTicks
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the server has a persistent state (e.g., a process), "If the server has a persistent state (e.g., a process),
this value will be the time elapsed since it started. this value will be the time elapsed (in hundredths of a
seco) since the server process was started.
For software without persistent state, this value will For software without persistent state, this value will
be zero." be zero."
::= {radiusAuthServ 2} ::= {radiusAuthServ 2}
radiusAuthServResetTime OBJECT-TYPE radiusAuthServResetTime OBJECT-TYPE
SYNTAX RadiusTime SYNTAX TimeTicks
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If the server has a persistent state (e.g., a process) "If the server has a persistent state (e.g., a process)
and supports a `reset' operation (e.g., can be told to and supports a `reset' operation (e.g., can be told to
re-read configuration files), this value will be the re-read configuration files), this value will be the
time elapsed since the last time the name server was time elapsed (in hundredths of a second) since the
`reset.' For software that does not have persistence or server was `reset.' For software that does not
does not support a `reset' operation, this value will be have persistence or does not support a `reset' operation,
zero." this value will be zero."
::= {radiusAuthServ 3} ::= {radiusAuthServ 3}
radiusAuthServConfigReset OBJECT-TYPE radiusAuthServConfigReset OBJECT-TYPE
SYNTAX INTEGER { other(1), SYNTAX INTEGER { other(1),
reset(2), reset(2),
initializing(3), initializing(3),
running(4)} running(4)}
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 5, line 35 skipping to change at page 6, line 4
server state (such as a process) is reinitialized as if server state (such as a process) is reinitialized as if
the server had just been started. This value will the server had just been started. This value will
never be returned by a read operation. When read, one of never be returned by a read operation. When read, one of
the following values will be returned: the following values will be returned:
other(1) - server in some unknown state; other(1) - server in some unknown state;
initializing(3) - server (re)initializing; initializing(3) - server (re)initializing;
running(4) - server currently running." running(4) - server currently running."
::= {radiusAuthServ 4} ::= {radiusAuthServ 4}
-- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com) -- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)
radiusAuthServTotalAccessRequests OBJECT-TYPE radiusAuthServTotalAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of packets received on the "The number of packets received on the
authentication port since server start-up." authentication port."
::= { radiusAuthServ 5} ::= { radiusAuthServ 5}
radiusAuthServTotalInvalidRequests OBJECT-TYPE radiusAuthServTotalInvalidRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Request packets "The number of RADIUS Access-Request packets
received from unknown addresses since server start-up." received from unknown addresses."
::= { radiusAuthServ 6 } ::= { radiusAuthServ 6 }
radiusAuthServTotalDupAccessRequests OBJECT-TYPE radiusAuthServTotalDupAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of duplicate RADIUS Access-Request "The number of duplicate RADIUS Access-Request
packets received since server start-up." packets received."
::= { radiusAuthServ 7 } ::= { radiusAuthServ 7 }
radiusAuthServTotalAccessAccepts OBJECT-TYPE radiusAuthServTotalAccessAccepts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Accept packets "The number of RADIUS Access-Accept packets sent."
sent since server start-up."
::= { radiusAuthServ 8 } ::= { radiusAuthServ 8 }
radiusAuthServTotalAccessRejects OBJECT-TYPE radiusAuthServTotalAccessRejects OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Reject packets "The number of RADIUS Access-Reject packets sent."
sent since server start-up."
::= { radiusAuthServ 9 } ::= { radiusAuthServ 9 }
radiusAuthServTotalAccessChallenges OBJECT-TYPE radiusAuthServTotalAccessChallenges OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Challenge packets "The number of RADIUS Access-Challenge packets sent."
sent since server start-up."
::= { radiusAuthServ 10 } ::= { radiusAuthServ 10 }
radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of malformed RADIUS Access-Request "The number of malformed RADIUS Access-Request
packets received since server start-up. Bad authenticators packets received. Bad authenticators
and unknown types are not included as and unknown types are not included as
malformed Access-Requests." malformed Access-Requests."
::= { radiusAuthServ 11 } ::= { radiusAuthServ 11 }
radiusAuthServTotalBadAuthenticators OBJECT-TYPE radiusAuthServTotalBadAuthenticators OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Authentication-Request packets "The number of RADIUS Authentication-Request packets
which contained invalid Signature attributes received which contained invalid Signature attributes received."
since server start-up."
::= { radiusAuthServ 12 } ::= { radiusAuthServ 12 }
radiusAuthServTotalPacketsDropped OBJECT-TYPE radiusAuthServTotalPacketsDropped OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of incoming packets "The number of incoming packets
silently discarded for some reason other silently discarded for some reason other
than malformed, bad authenticators or than malformed, bad authenticators or
unknown types." unknown types."
::= { radiusAuthServ 13 } ::= { radiusAuthServ 13 }
radiusAuthServTotalUnknownTypes OBJECT-TYPE radiusAuthServTotalUnknownTypes OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS packets of unknown type which "The number of RADIUS packets of unknown type which
were received since server start-up." were received."
::= { radiusAuthServ 14 } ::= { radiusAuthServ 14 }
-- End of new -- End of new
radiusAuthClientTable OBJECT-TYPE radiusAuthClientTable OBJECT-TYPE
SYNTAX SEQUENCE OF RadiusAuthClientEntry SYNTAX SEQUENCE OF RadiusAuthClientEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The (conceptual) table listing the RADIUS authentication "The (conceptual) table listing the RADIUS authentication
skipping to change at page 7, line 48 skipping to change at page 8, line 24
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (conceptual row) representing a RADIUS "An entry (conceptual row) representing a RADIUS
authentication client with which the server shares a secret." authentication client with which the server shares a secret."
INDEX { radiusAuthClientIndex } INDEX { radiusAuthClientIndex }
::= { radiusAuthClientTable 1 } ::= { radiusAuthClientTable 1 }
RadiusAuthClientEntry ::= SEQUENCE { RadiusAuthClientEntry ::= SEQUENCE {
radiusAuthClientIndex Integer32, radiusAuthClientIndex Integer32,
radiusAuthClientAddress IpAddress, radiusAuthClientAddress IpAddress,
radiusAuthClientID DisplayString, radiusAuthClientID SnmpAdminString,
radiusAuthServAccessRequests Counter32, radiusAuthServAccessRequests Counter32,
radiusAuthServDupAccessRequests Counter32, radiusAuthServDupAccessRequests Counter32,
radiusAuthServAccessAccepts Counter32, radiusAuthServAccessAccepts Counter32,
radiusAuthServAccessRejects Counter32, radiusAuthServAccessRejects Counter32,
radiusAuthServAccessChallenges Counter32, radiusAuthServAccessChallenges Counter32,
radiusAuthServMalformedAccessRequests Counter32, radiusAuthServMalformedAccessRequests Counter32,
radiusAuthServBadAuthenticators Counter32, radiusAuthServBadAuthenticators Counter32,
radiusAuthServPacketsDropped Counter32, radiusAuthServPacketsDropped Counter32,
radiusAuthServUnknownTypes Counter32 radiusAuthServUnknownTypes Counter32
} }
radiusAuthClientIndex OBJECT-TYPE radiusAuthClientIndex OBJECT-TYPE
SYNTAX Integer32 (0..MAX) SYNTAX Integer32 (1..MAX)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A number uniquely identifying each RADIUS "A number uniquely identifying each RADIUS
authentication client with which this server authentication client with which this server
communicates." communicates."
::= { radiusAuthClientEntry 1 } ::= { radiusAuthClientEntry 1 }
radiusAuthClientAddress OBJECT-TYPE radiusAuthClientAddress OBJECT-TYPE
SYNTAX IpAddress SYNTAX IpAddress
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The NAS-IP-Address of the RADIUS authentication client "The NAS-IP-Address of the RADIUS authentication client
referred to in this table entry." referred to in this table entry."
::= { radiusAuthClientEntry 2 } ::= { radiusAuthClientEntry 2 }
radiusAuthClientID OBJECT-TYPE radiusAuthClientID OBJECT-TYPE
SYNTAX DisplayString SYNTAX SnmpAdminString
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The NAS-Identifier of the RADIUS authentication client "The NAS-Identifier of the RADIUS authentication client
referred to in this table entry. This is not necessarily referred to in this table entry. This is not necessarily
the same as sysName in MIB II." the same as sysName in MIB II."
::= { radiusAuthClientEntry 3 } ::= { radiusAuthClientEntry 3 }
-- Server Counters -- Server Counters
-- --
skipping to change at page 8, line 50 skipping to change at page 9, line 32
-- UnknownTypes - PacketsDropped - Responses = Pending -- UnknownTypes - PacketsDropped - Responses = Pending
-- --
-- Requests - DupRequests - BadAuthenticators - MalformedRequests - -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped = entries logged -- UnknownTypes - PacketsDropped = entries logged
radiusAuthServAccessRequests OBJECT-TYPE radiusAuthServAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of packets received on the authentication "The number of packets received on the authentication
port from this client since server start-up." port from this client."
::= { radiusAuthClientEntry 4 } ::= { radiusAuthClientEntry 4 }
radiusAuthServDupAccessRequests OBJECT-TYPE radiusAuthServDupAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of duplicate RADIUS Access-Request "The number of duplicate RADIUS Access-Request
packets received from this client since server start-up." packets received from this client."
::= { radiusAuthClientEntry 5 } ::= { radiusAuthClientEntry 5 }
radiusAuthServAccessAccepts OBJECT-TYPE radiusAuthServAccessAccepts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Accept packets "The number of RADIUS Access-Accept packets
sent to this client since server start-up." sent to this client."
::= { radiusAuthClientEntry 6 } ::= { radiusAuthClientEntry 6 }
radiusAuthServAccessRejects OBJECT-TYPE radiusAuthServAccessRejects OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Reject packets "The number of RADIUS Access-Reject packets
sent to this client since server start-up." sent to this client."
::= { radiusAuthClientEntry 7 } ::= { radiusAuthClientEntry 7 }
radiusAuthServAccessChallenges OBJECT-TYPE radiusAuthServAccessChallenges OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Access-Challenge packets "The number of RADIUS Access-Challenge packets
sent to this client since server start-up." sent to this client."
::= { radiusAuthClientEntry 8 } ::= { radiusAuthClientEntry 8 }
radiusAuthServMalformedAccessRequests OBJECT-TYPE radiusAuthServMalformedAccessRequests OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of malformed RADIUS Access-Request "The number of malformed RADIUS Access-Request
packets received from this client since server start-up. packets received from this client.
Bad authenticators and unknown types are not included as Bad authenticators and unknown types are not included as
malformed Access-Requests." malformed Access-Requests."
::= { radiusAuthClientEntry 9 } ::= { radiusAuthClientEntry 9 }
radiusAuthServBadAuthenticators OBJECT-TYPE radiusAuthServBadAuthenticators OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS Authentication-Request packets "The number of RADIUS Authentication-Request packets
which contained invalid Signature attributes received which contained invalid Signature attributes received
from this client since server start-up." from this client."
::= { radiusAuthClientEntry 10 } ::= { radiusAuthClientEntry 10 }
radiusAuthServPacketsDropped OBJECT-TYPE radiusAuthServPacketsDropped OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of incoming packets from this "The number of incoming packets from this
client silently discarded for some reason other client silently discarded for some reason other
than malformed, bad authenticators or than malformed, bad authenticators or
unknown types." unknown types."
::= { radiusAuthClientEntry 11 } ::= { radiusAuthClientEntry 11 }
radiusAuthServUnknownTypes OBJECT-TYPE radiusAuthServUnknownTypes OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The total number of RADIUS packets of unknown type which "The number of RADIUS packets of unknown type which
were received from this client since authentication server were received from this client."
start-up."
::= { radiusAuthClientEntry 12 } ::= { radiusAuthClientEntry 12 }
-- conformance information -- conformance information
radiusAuthServMIBConformance radiusAuthServMIBConformance
OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 } OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
radiusAuthServMIBCompliances radiusAuthServMIBCompliances
OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 } OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
radiusAuthServMIBGroups radiusAuthServMIBGroups
OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 } OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }
skipping to change at page 10, line 43 skipping to change at page 11, line 36
-- compliance statements -- compliance statements
radiusAuthServMIBCompliance MODULE-COMPLIANCE radiusAuthServMIBCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for authentication servers "The compliance statement for authentication servers
implementing the RADIUS Authentication Server MIB." implementing the RADIUS Authentication Server MIB."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { radiusAuthServMIBGroup } MANDATORY-GROUPS { radiusAuthServMIBGroup }
OBJECT radiusAuthServConfigReset
WRITE-SYNTAX INTEGER { reset(2) }
DESCRIPTION "The only SETable value is 'reset' (2)."
::= { radiusAuthServMIBCompliances 1 } ::= { radiusAuthServMIBCompliances 1 }
-- units of conformance -- units of conformance
radiusAuthServMIBGroup OBJECT-GROUP radiusAuthServMIBGroup OBJECT-GROUP
OBJECTS {radiusAuthServIdent, OBJECTS {radiusAuthServIdent,
radiusAuthServUpTime, radiusAuthServUpTime,
radiusAuthServResetTime, radiusAuthServResetTime,
radiusAuthServConfigReset, radiusAuthServConfigReset,
radiusAuthServTotalAccessRequests, radiusAuthServTotalAccessRequests,
skipping to change at page 11, line 34 skipping to change at page 12, line 38
DESCRIPTION DESCRIPTION
"The collection of objects providing management of "The collection of objects providing management of
a RADIUS Authentication Server." a RADIUS Authentication Server."
::= { radiusAuthServMIBGroups 1 } ::= { radiusAuthServMIBGroups 1 }
END END
8. References 8. References
[1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
Describing SNMP Management Frameworks", RFC 2271, Cabletron Sys- Describing SNMP Management Frameworks", RFC 2271, Cabletron
tems, Inc., BMC Software, Inc., IBM T. J. Watson Research, Jan- Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
uary 1998. January 1998.
[2] Rose, M., and K. McCloghrie, "Structure and Identification of [2] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", RFC 1155, Management Information for TCP/IP-based Internets", RFC 1155,
Performance Systems International, Hughes LAN Systems, May 1990. Performance Systems International, Hughes LAN Systems, May 1990.
[3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, [3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
Performance Systems International, Hughes LAN Systems, March Performance Systems International, Hughes LAN Systems, March 1991.
1991.
[4] M. Rose, "A Convention for Defining Traps for use with the SNMP", [4] M. Rose, "A Convention for Defining Traps for use with the SNMP",
RFC 1215, Performance Systems International, March 1991. RFC 1215, Performance Systems International, March 1991.
[5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
of Management Information for Version 2 of the Simple Network of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Cisco
Cisco Systems, Inc., Dover Beach Consulting, Inc., International Systems, Inc., Dover Beach Consulting, Inc., International Network
Network Services, January 1996. Services, January 1996.
[6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual [6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
Conventions for Version 2 of the Simple Network Management Proto- Conventions for Version 2 of the Simple Network Management Protocol
col (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 1996. January 1996.
[7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Confor- [7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance
mance Statements for Version 2 of the Simple Network Management Statements for Version 2 of the Simple Network Management Protocol
Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 1996. January 1996.
[8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Net- [8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
work Management Protocol", RFC 1157, SNMP Research, Performance Management Protocol", RFC 1157, SNMP Research, Performance Systems
Systems International, Performance Systems International, MIT International, Performance Systems International, MIT Laboratory
Laboratory for Computer Science, May 1990. for Computer Science, May 1990.
[9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc- [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
tion to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research,
Cisco Systems, Inc., Dover Beach Consulting, Inc., International Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
Network Services, January 1996. International Network Services, January 1996.
[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
Mappings for Version 2 of the Simple Network Management Protocol Mappings for Version 2 of the Simple Network Management Protocol
(SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc.,
Dover Beach Consulting, Inc., International Network Services, Dover Beach Consulting, Inc., International Network Services,
January 1996. January 1996.
[11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Pro- [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
cessing and Dispatching for the Simple Network Management Proto- Processing and Dispatching for the Simple Network Management
col (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems,
Inc., BMC Software, Inc., IBM T. J. Watson Research, January Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.
1998.
[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) [12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for
for version 3 of the Simple Network Management Protocol version 3 of the Simple Network Management Protocol (SNMPv3)", RFC
(SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998. 2274, IBM T. J. Watson Research, January 1998.
[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
Operations for Version 2 of the Simple Network Management Proto- Operations for Version 2 of the Simple Network Management Protocol
col (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc.,
Inc., Dover Beach Consulting, Inc., International Network Ser- Dover Beach Consulting, Inc., International Network Services,
vices, January 196. January 196.
[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
2273, SNMP Research, Inc., Secure Computing Corporation, Cisco 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco
Systems, January 1998 Systems, January 1998
[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management Protocol Control Model (VACM) for the Simple Network Management Protocol
(SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
Cisco Systems, Inc., January 1998 Cisco Systems, Inc., January 1998
[16] Rigney, C., Rubens, A., Simpson W., and S. Willens, "Remote [16] Rigney, C., Rubens, A., Simpson W., and S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2138, April Authentication Dial In User Service (RADIUS)", RFC 2138, April
1997. 1997.
[17] "Information processing systems - Open Systems Interconnection -
Specification of Abstract Syntax Notation One (ASN.1)", Interna-
tional Organization for Standardization, International Standard
8824, December 1987.
9. Security considerations 9. Security considerations
There are a number of management objects defined in this MIB that have There are a number of management objects defined in this MIB that have a
a MAX-ACCESS clause of read-write and/or read-create. Such objects MAX-ACCESS clause of read-write and/or read-create. Such objects may be
may be considered sensitive or vulnerable in some network environ- considered sensitive or vulnerable in some network environments. The
ments. The support for SET operations in a non-secure environment support for SET operations in a non-secure environment without proper
without proper protection can have a negative effect on network opera- protection can have a negative effect on network operations.
tions.
There are a number of managed objects in this MIB that may contain There are a number of managed objects in this MIB that may contain
sensitive information. These are: sensitive information. These are:
radiusAuthClientAddress radiusAuthClientAddress
This can be used to determine the address of the RADIUS This can be used to determine the address of the RADIUS
authentication client with which the server is communicat- authentication client with which the server is communicating.
ing. This information could be useful in impersonating the This information could be useful in impersonating the client.
client.
radiusAuthClientID radiusAuthClientID
This can be used to determine the client ID of the authenti- This can be used to determine the client ID of the
cation client with which the server is communicating. This authentication client with which the server is communicating.
information could be useful in impersonating the client. This information could be useful in impersonating the client.
It is thus important to control even GET access to these objects and It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these object when sending them possibly to even encrypt the values of these object when sending them
over the network via SNMP. Not all versions of SNMP provide features over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment. for such a secure environment.
SNMPv1 by itself is not a secure environment. Even if the network SNMPv1 by itself is not a secure environment. Even if the network itself
itself is secure (for example by using IPSec), there is no control as is secure (for example by using IPSec), there is no control as to who on
to who on the secure network is allowed to access and GET/SET the secure network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB. (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security features It is recommended that the implementers consider the security features
as provided by the SNMPv3 framework. Specifically, the use of the as provided by the SNMPv3 framework. Specifically, the use of the User-
User-based Security Model RFC 2274 [12] and the View-based Access Con- based Security Model RFC 2274 [12] and the View-based Access Control
trol Model RFC 2275 [15] is recommended. Using these security fea- Model RFC 2275 [15] is recommended. Using these security features,
tures, customer/users can give access to the objects only to those customer/users can give access to the objects only to those principals
principals (users) that have legitimate rights to GET or SET (users) that have legitimate rights to GET or SET (change/create/delete)
(change/create/delete) them. them.
10. Acknowledgments 10. Acknowledgments
Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl
Carl Rigney of Livingston and Peter Heitman of American Internet Cor- Rigney of Livingston and Peter Heitman of American Internet Corporation
poration for useful discussions of this problem space. for useful discussions of this problem space.
11. Authors' Addresses 11. Authors' Addresses
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
Phone: 425-936-6605 Phone: 425-936-6605
EMail: bernarda@microsoft.com EMail: bernarda@microsoft.com
Glen Zorn Glen Zorn
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
Phone: 425-703-1559 Phone: 425-703-1559
EMail: glennz@microsoft.com EMail: glennz@microsoft.com
12. Full Copyright Statement 12. Intellectural Property Statement
Copyright (C) The Internet Society (1997). All Rights Reserved. The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses to
be made available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive
Director.
13. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it or
or assist in its implmentation may be prepared, copied, published and assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are provided that the above copyright notice and this paragraph are included
included on all such copies and derivative works. However, this docu- on all such copies and derivative works. However, this document itself
ment itself may not be modified in any way, such as by removing the may not be modified in any way, such as by removing the copyright notice
copyright notice or references to the Internet Society or other Inter- or references to the Internet Society or other Internet organizations,
net organizations, except as needed for the purpose of developing except as needed for the purpose of developing Internet standards in
Internet standards in which case the procedures for copyrights defined which case the procedures for copyrights defined in the Internet
in the Internet Standards process must be followed, or as required to Standards process must be followed, or as required to translate it into
translate it into languages other than English. The limited permis- languages other than English. The limited permissions granted above are
sions granted above are perpetual and will not be revoked by the perpetual and will not be revoked by the Internet Society or its
Internet Society or its successors or assigns. This document and the successors or assigns. This document and the information contained
information contained herein is provided on an "AS IS" basis and THE herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
RANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
PARTICULAR PURPOSE."
13. Expiration Date
This memo is filed as <draft-ietf-radius-auth-servermib-02.txt>, and 14. Expiration Date
expires May 1, 1999.
This memo is filed as <draft-ietf-radius-auth-servermib-03.txt>, and
expires August 1, 1999.
 End of changes. 80 change blocks. 
234 lines changed or deleted 237 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/