Network Working Group                                          D. Nelson
Request for Comments: 4668                            Enterasys Networks
Obsoletes: 2618                                              August 2006
Category: Standards Track

RADIUS Authentication Client MIB for IPv6

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright (C) The Internet Society (2006).

This memo defines a set of extensions that instrument RADIUS
authentication client functions. These extensions represent a
portion of the Management Information Base (MIB) for use with network
management protocols in the Internet community. Using these
extensions, IP-based management stations can manage RADIUS
authentication clients.

This memo obsoletes RFC 2618 by deprecating the MIB table containing
IPv4-only address formats and defining a new table to add support for
version-neutral IP address formats. The remaining MIB objects from
RFC 2618 are carried forward into this document. The memo also adds
UNITS and REFERENCE clauses to selected objects.

Nelson Standards Track [Page 1]

RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006

   1. Introduction
   2. Terminology
   3. The Internet-Standard Management Framework
   4. Scope of Changes
   5. Structure of the MIB Module
   6. Deprecated Objects
   7. Definitions
   8. Security Considerations
   9. References
      9.1. Normative References
      9.2. Informative References
   Appendix A. Acknowledgements

1. Introduction

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
The objects defined within this memo relate to the Remote
Authentication Dial-In User Service (RADIUS) Authentication Client as
defined in RFC 2865 [RFC2865].

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses terminology from RFC 2865 [RFC2865].

This document uses the word "malformed" with respect to RADIUS
packets, particularly in the context of counters of "malformed
packets". While RFC 2865 does not provide an explicit definition of
"malformed", malformed generally means that the implementation has
determined the packet does not match the format defined in RFC 2865.
Some implementations may determine that packets are malformed when
the Vendor Specific Attribute (VSA) format does not follow the RFC
2865 recommendations for VSAs. Those implementations are used in
deployments today, and thus set the de facto definition of

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580

4. Scope of Changes

This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
Client MIB, by deprecating the radiusAuthServerTable table and adding
a new table, radiusAuthServerExtTable, containing
radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
radiusAuthClientServerInetPortNumber. The purpose of these added MIB
objects is to support version-neutral IP addressing formats. The
existing table containing radiusAuthServerAddress and
radiusAuthClientServerPortNumber is deprecated. The remaining MIB
objects are carried forward from RFC 2618 into this document. This
memo also adds UNITS and REFERENCE clauses to selected objects.

RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
IPv6 addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP. The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated". The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5. Structure of the MIB Module

The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
distinguishes between the client function and the server function.
In RADIUS authentication, clients send Access-Requests, and servers
reply with Access-Accepts, Access-Rejects, and Access-Challenges.
Typically, Network Access Server (NAS) devices implement the client
function, and thus would be expected to implement the RADIUS
authentication client MIB, while RADIUS authentication servers
implement the server function, and thus would be expected to
implement the RADIUS authentication server MIB.

However, it is possible for a RADIUS authentication entity to perform
both client and server functions. For example, a RADIUS proxy may
act as a server to one or more RADIUS authentication clients, while
simultaneously acting as an authentication client to one or more
authentication servers. In such situations, it is expected that
RADIUS entities combining client and server functionality will
support both the client and server MIBs. The client MIB is defined
in this document, and the server MIB is defined in [RFC4669].

This MIB module contains two scalars as well as a single table, the
RADIUS Authentication Server Table, which contains one row for each
RADIUS authentication server with which the client shares a secret.
Each entry in the RADIUS Authentication Server Table includes sixteen
columns presenting a view of the activity of the RADIUS
authentication client.

This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].

6. Deprecated Objects

The deprecated table in this MIB is carried forward from RFC 2618
[RFC2618]. There are two conditions under which it MAY be desirable
for managed entities to continue to support the deprecated table:

1. The managed entity only supports IPv4 address formats.

2. The managed entity supports both IPv4 and IPv6 address formats,
   and the deprecated table is supported for backwards compatibility
   with older management stations. This option SHOULD only be used
   when the IP addresses in the new table are in IPv4 format and can
   accurately be represented in both the new table and the

Managed entities SHOULD NOT instantiate row entries in the deprecated
table, containing IPv4-only address objects, when the RADIUS server
address represented in such a table row is not an IPv4 address.
Managed entities SHOULD NOT return inaccurate values of IP address or
SNMP object access errors for IPv4-only address objects in otherwise
populated tables. When row entries exist in both the deprecated
IPv4-only table and the new IP-version-neutral table that describe
the same RADIUS server, the row indexes SHOULD be the same for the
corresponding rows in each table, to facilitate correlation of these
related rows by management applications.

7. Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

      MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
      Counter32, Integer32, Gauge32,
      IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
      SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
      InetAddressType, InetAddress,
      InetPortNumber                   FROM INET-ADDRESS-MIB
      MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
      LAST-UPDATED "200608210000Z" -- 21 August 2006
      ORGANIZATION "IETF RADIUS Extensions Working Group."
             Phone: +1 425 936 6605
             EMail: bernarda@microsoft.com"
            "The MIB module for entities implementing the client
             side of the Remote Authentication Dial-In User Service
             (RADIUS) authentication protocol. Copyright (C) The
             Internet Society (2006). This version of this MIB
             module is part of RFC 4668; see the RFC itself for
      REVISION "200608210000Z" -- 21 August 2006
            "Revised version as published in RFC 4668. This
             version obsoletes that of RFC 2618 by deprecating
             the MIB table containing IPv4-only address formats
             and defining a new table to add support for version
             neutral IP address formats. The remaining MIB objects
             from RFC 2618 are carried forward into this version."
      REVISION "199906110000Z" -- 11 Jun 1999
      DESCRIPTION "Initial version as published in RFC 2618."
      ::= { radiusAuthentication 2 }

radiusMIB OBJECT-IDENTITY
            "The OID assigned to RADIUS MIB work by the IANA."

radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}

radiusAuthClientMIBObjects OBJECT IDENTIFIER
      ::= { radiusAuthClientMIB 1 }

radiusAuthClient OBJECT IDENTIFIER
      ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
            "The number of RADIUS Access-Response packets
             received from unknown addresses."
      ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
            "The NAS-Identifier of the RADIUS authentication client.
             This is not necessarily the same as sysName in MIB II."
      REFERENCE "RFC 2865 section 5.32"
      ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAuthServerEntry
      MAX-ACCESS not-accessible
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
      SYNTAX RadiusAuthServerEntry
      MAX-ACCESS not-accessible
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares
      INDEX { radiusAuthServerIndex }
      ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
      radiusAuthServerIndex                     Integer32,
      radiusAuthServerAddress                   IpAddress,
      radiusAuthClientServerPortNumber          Integer32,
      radiusAuthClientRoundTripTime             TimeTicks,
      radiusAuthClientAccessRequests            Counter32,
      radiusAuthClientAccessRetransmissions     Counter32,
      radiusAuthClientAccessAccepts             Counter32,
      radiusAuthClientAccessRejects             Counter32,
      radiusAuthClientAccessChallenges          Counter32,
      radiusAuthClientMalformedAccessResponses  Counter32,
      radiusAuthClientBadAuthenticators         Counter32,
      radiusAuthClientPendingRequests           Gauge32,
      radiusAuthClientTimeouts                  Counter32,
      radiusAuthClientUnknownTypes              Counter32,
      radiusAuthClientPacketsDropped            Counter32

radiusAuthServerIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
      ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
            "The IP address of the RADIUS authentication server
             referred to in this table entry."
      ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber OBJECT-TYPE
      SYNTAX Integer32 (0..65535)
            "The UDP port the client is using to send requests to
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime OBJECT-TYPE
            "The time interval (in hundredths of a second) between
             the most recent Access-Reply/Access-Challenge and the
             Access-Request that matched it from this RADIUS
             authentication server."
      ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics

-- TotalIncomingPackets = Accepts + Rejects + Challenges +

-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received

-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received

radiusAuthClientAccessRequests OBJECT-TYPE
            "The number of RADIUS Access-Request packets sent
             to this server. This does not include retransmissions."
      REFERENCE "RFC 2865 section 4.1"
      ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.2"
      ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.3"
      ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.4"
      ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge

radiusAuthClientMalformedAccessResponses OBJECT-TYPE
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length. Bad authenticators or
             Message Authenticator attributes or unknown types
             are not included as malformed access responses."
      ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Message
             Authenticator attributes received from this server."
      REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14"
      ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response. This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject,
             Access-Challenge, timeout, or retransmission."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts OBJECT-TYPE
            "The number of authentication timeouts to this server.
             After a timeout, the client may retry to the same
             server, send to a different server, or
             give up. A retry to the same server is counted as a
             retransmit as well as a timeout. A send to a different
             server is counted as a Request as well as a timeout."
      REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2"
      ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
            "The number of RADIUS packets of unknown type that
             were received from this server on the authentication
      ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
            "The number of RADIUS packets that were
             received from this server on the authentication port
             and dropped for some other reason."
      ::= { radiusAuthServerEntry 15 }

-- New MIB Objects in this revision

radiusAuthServerExtTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
      MAX-ACCESS not-accessible
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 4 }

radiusAuthServerExtEntry OBJECT-TYPE
      SYNTAX RadiusAuthServerExtEntry
      MAX-ACCESS not-accessible
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares
      INDEX { radiusAuthServerExtIndex }
      ::= { radiusAuthServerExtTable 1 }

RadiusAuthServerExtEntry ::= SEQUENCE {
      radiusAuthServerExtIndex                     Integer32,
      radiusAuthServerInetAddressType              InetAddressType,
      radiusAuthServerInetAddress                  InetAddress,
      radiusAuthClientServerInetPortNumber         InetPortNumber,
      radiusAuthClientExtRoundTripTime             TimeTicks,
      radiusAuthClientExtAccessRequests            Counter32,
      radiusAuthClientExtAccessRetransmissions     Counter32,
      radiusAuthClientExtAccessAccepts             Counter32,
      radiusAuthClientExtAccessRejects             Counter32,
      radiusAuthClientExtAccessChallenges          Counter32,
      radiusAuthClientExtMalformedAccessResponses  Counter32,
      radiusAuthClientExtBadAuthenticators         Counter32,
      radiusAuthClientExtPendingRequests           Gauge32,
      radiusAuthClientExtTimeouts                  Counter32,
      radiusAuthClientExtUnknownTypes              Counter32,
      radiusAuthClientExtPacketsDropped            Counter32,
      radiusAuthClientCounterDiscontinuity         TimeTicks

radiusAuthServerExtIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
      ::= { radiusAuthServerExtEntry 1 }

radiusAuthServerInetAddressType OBJECT-TYPE
      SYNTAX InetAddressType
            "The type of address format used for the
             radiusAuthServerInetAddress object."
      ::= { radiusAuthServerExtEntry 2 }

radiusAuthServerInetAddress OBJECT-TYPE
            "The IP address of the RADIUS authentication
             server referred to in this table entry, using
             the version-neutral IP address format."
      ::= { radiusAuthServerExtEntry 3 }

radiusAuthClientServerInetPortNumber OBJECT-TYPE
      SYNTAX InetPortNumber ( 1..65535 )
            "The UDP port the client is using to send requests
             to this server. The value of zero (0) is invalid."
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerExtEntry 4 }

radiusAuthClientExtRoundTripTime OBJECT-TYPE
            "The time interval (in hundredths of a second) between
             the most recent Access-Reply/Access-Challenge and the
             Access-Request that matched it from this RADIUS
             authentication server."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerExtEntry 5 }

-- Request/Response statistics

-- TotalIncomingPackets = Accepts + Rejects + Challenges +

-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received

-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received

radiusAuthClientExtAccessRequests OBJECT-TYPE
            "The number of RADIUS Access-Request packets sent
             to this server. This does not include retransmissions.
             This counter may experience a discontinuity when the
             RADIUS Client module within the managed entity is
             reinitialized, as indicated by the current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.1"
      ::= { radiusAuthServerExtEntry 6 }

radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerExtEntry 7 }

radiusAuthClientExtAccessAccepts OBJECT-TYPE
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.2"
      ::= { radiusAuthServerExtEntry 8 }

radiusAuthClientExtAccessRejects OBJECT-TYPE
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.3"
      ::= { radiusAuthServerExtEntry 9 }

radiusAuthClientExtAccessChallenges OBJECT-TYPE
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.4"
      ::= { radiusAuthServerExtEntry 10 }

-- "Access-Response" includes an Access-Accept, Access-Challenge,

radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length. Bad authenticators or
             Message Authenticator attributes or unknown types
             are not included as malformed access responses.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 3, 4"
      ::= { radiusAuthServerExtEntry 11 }

radiusAuthClientExtBadAuthenticators OBJECT-TYPE
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Message
             Authenticator attributes received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerExtEntry 12 }

radiusAuthClientExtPendingRequests OBJECT-TYPE
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response. This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject,
             Access-Challenge, timeout, or retransmission."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerExtEntry 13 }

radiusAuthClientExtTimeouts OBJECT-TYPE
            "The number of authentication timeouts to this server.
             After a timeout, the client may retry to the same
             server, send to a different server, or
             give up. A retry to the same server is counted as a
             retransmit as well as a timeout. A send to a different
             server is counted as a Request as well as a timeout.
             This counter may experience a discontinuity when the
             RADIUS Client module within the managed entity is
             reinitialized, as indicated by the current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerExtEntry 14 }

radiusAuthClientExtUnknownTypes OBJECT-TYPE
            "The number of RADIUS packets of unknown type that
             were received from this server on the authentication
             port. This counter may experience a discontinuity
             when the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the current
             value of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4"
      ::= { radiusAuthServerExtEntry 15 }

radiusAuthClientExtPacketsDropped OBJECT-TYPE
            "The number of RADIUS packets that were
             received from this server on the authentication port
             and dropped for some other reason. This counter may
             experience a discontinuity when the RADIUS Client
             module within the managed entity is reinitialized,
             as indicated by the current value of
             radiusAuthClientCounterDiscontinuity."
      ::= { radiusAuthServerExtEntry 16 }

radiusAuthClientCounterDiscontinuity OBJECT-TYPE
            "The number of centiseconds since the last discontinuity
             in the RADIUS Client counters. A discontinuity may
             be the result of a reinitialization of the RADIUS
             Client module within the managed entity."
      ::= { radiusAuthServerExtEntry 17 }

-- conformance information

radiusAuthClientMIBConformance OBJECT IDENTIFIER
      ::= { radiusAuthClientMIB 2 }

radiusAuthClientMIBCompliances OBJECT IDENTIFIER
      ::= { radiusAuthClientMIBConformance 1 }

radiusAuthClientMIBGroups OBJECT IDENTIFIER
      ::= { radiusAuthClientMIBConformance 2 }

-- compliance statements

radiusAuthClientMIBCompliance MODULE-COMPLIANCE
            "The compliance statement for authentication clients
             implementing the RADIUS Authentication Client MIB.
             Implementation of this module is for IPv4-only
             entities, or for backwards compatibility use with
             entities that support both IPv4 and IPv6."
      MODULE -- this module
            MANDATORY-GROUPS { radiusAuthClientMIBGroup }
      ::= { radiusAuthClientMIBCompliances 1 }

radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
            "The compliance statement for authentication
             clients implementing the RADIUS Authentication
             Client IPv6 Extensions MIB. Implementation of
             this module is for entities that support IPv6,
             or support IPv4 and IPv6."
      MODULE -- this module
            MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

      OBJECT radiusAuthServerInetAddressType
      SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."

      OBJECT radiusAuthServerInetAddress
      SYNTAX InetAddress ( SIZE (4|16) )
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."
      ::= { radiusAuthClientMIBCompliances 2 }

-- units of conformance

radiusAuthClientMIBGroup OBJECT-GROUP
      OBJECTS { radiusAuthClientIdentifier,
                radiusAuthClientInvalidServerAddresses,
                radiusAuthServerAddress,
                radiusAuthClientServerPortNumber,
                radiusAuthClientRoundTripTime,
                radiusAuthClientAccessRequests,
                radiusAuthClientAccessRetransmissions,
                radiusAuthClientAccessAccepts,
                radiusAuthClientAccessRejects,
                radiusAuthClientAccessChallenges,
                radiusAuthClientMalformedAccessResponses,
                radiusAuthClientBadAuthenticators,
                radiusAuthClientPendingRequests,
                radiusAuthClientTimeouts,
                radiusAuthClientUnknownTypes,
                radiusAuthClientPacketsDropped
            "The basic collection of objects providing management of
             RADIUS Authentication Clients."
      ::= { radiusAuthClientMIBGroups 1 }

radiusAuthClientExtMIBGroup OBJECT-GROUP
      OBJECTS { radiusAuthClientIdentifier,
                radiusAuthClientInvalidServerAddresses,
                radiusAuthServerInetAddressType,
                radiusAuthServerInetAddress,
                radiusAuthClientServerInetPortNumber,
                radiusAuthClientExtRoundTripTime,
                radiusAuthClientExtAccessRequests,
                radiusAuthClientExtAccessRetransmissions,
                radiusAuthClientExtAccessAccepts,
                radiusAuthClientExtAccessRejects,
                radiusAuthClientExtAccessChallenges,
                radiusAuthClientExtMalformedAccessResponses,
                radiusAuthClientExtBadAuthenticators,
                radiusAuthClientExtPendingRequests,
                radiusAuthClientExtTimeouts,
                radiusAuthClientExtUnknownTypes,
                radiusAuthClientExtPacketsDropped,
                radiusAuthClientCounterDiscontinuity
            "The collection of extended objects providing
             management of RADIUS Authentication Clients
             using version-neutral IP address format."
      ::= { radiusAuthClientMIBGroups 2 }

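Added example (not part of RFC 4668): one way a management station can evaluate successive polls of radiusAuthServerExtTable, allowing for Counter32 wrap-around and radiusAuthClientCounterDiscontinuity and checking the address columns against the compliance statement. Rows are assumed to have been fetched already as dictionaries keyed by object name; the function names, the sample values and the timeout threshold are constructed for illustration.

```python
import ipaddress

COUNTER32_MOD = 2 ** 32
PREFIX = "radiusAuthClientExt"
DISCONTINUITY = "radiusAuthClientCounterDiscontinuity"
# Counter32 columns of RadiusAuthServerExtEntry, without the common prefix.
COUNTERS = ("AccessRequests", "AccessRetransmissions", "AccessAccepts",
            "AccessRejects", "AccessChallenges", "MalformedAccessResponses",
            "BadAuthenticators", "Timeouts", "UnknownTypes", "PacketsDropped")
# InetAddressType values named in the compliance statement, with the
# InetAddress sizes it allows: ipv4(1) -> 4 octets, ipv6(2) -> 16 octets.
ADDR_SIZES = {1: 4, 2: 16}


def server_label(addr_type, addr, port):
    """Render the address columns of one row, rejecting values the MIB disallows."""
    if ADDR_SIZES.get(addr_type) != len(addr):
        raise ValueError(f"type {addr_type} does not fit a {len(addr)}-octet address")
    if not 1 <= port <= 65535:  # InetPortNumber (1..65535): zero is invalid
        raise ValueError(f"invalid port {port}")
    ip = ipaddress.ip_address(addr)
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def counter_deltas(prev, curr, elapsed_cs):
    """Increase of each counter between two polls of the same row.

    elapsed_cs is the poller's own measure of the interval in centiseconds.
    Returns None when radiusAuthClientCounterDiscontinuity shows that the
    counters were reset inside the interval, so the caller re-baselines.
    """
    since_reset = curr[DISCONTINUITY]
    if since_reset < elapsed_cs or since_reset < prev[DISCONTINUITY]:
        return None
    # Counter32 wraps at 2**32; modular subtraction recovers the increase.
    return {c: (curr[PREFIX + c] - prev[PREFIX + c]) % COUNTER32_MOD
            for c in COUNTERS}


def assess(deltas, timeout_ratio=0.2):
    """Turn one interval's deltas into findings; the threshold is an assumption."""
    findings = []
    if deltas["BadAuthenticators"]:
        findings.append(f"{deltas['BadAuthenticators']} responses failed "
                        "authenticator checks (secret mismatch or forged reply)")
    junk = deltas["MalformedAccessResponses"] + deltas["UnknownTypes"]
    if junk:
        findings.append(f"{junk} malformed or unknown-type packets")
    sent = deltas["AccessRequests"] + deltas["AccessRetransmissions"]
    if sent and deltas["Timeouts"] / sent > timeout_ratio:
        findings.append(f"{deltas['Timeouts']} timeouts for {sent} packets sent")
    return findings


def make_row(since_reset, **counters):
    """Build a constructed sample row; counters not given are zero."""
    row = {PREFIX + c: 0 for c in COUNTERS}
    row[DISCONTINUITY] = since_reset
    row.update({PREFIX + c: v for c, v in counters.items()})
    return row


# Constructed sample polls, 60 s (6000 centiseconds) apart.
POLL_1 = make_row(500000, AccessRequests=4294967290, AccessAccepts=1000,
                  BadAuthenticators=3, Timeouts=10)
POLL_2 = make_row(506000, AccessRequests=14, AccessAccepts=1015,
                  BadAuthenticators=5, Timeouts=12)
POLL_3 = make_row(1200, AccessRequests=3)  # client module reinitialized

if __name__ == "__main__":
    print(server_label(2, bytes.fromhex("20010db8000000000000000000000001"), 1812))
    for prev, curr in ((POLL_1, POLL_2), (POLL_2, POLL_3)):
        deltas = counter_deltas(prev, curr, 6000)
        print("re-baseline" if deltas is None else assess(deltas))
```
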
1090 8. Security Considerations
1092 There are no management objects defined in this MIB that have a MAX-
1093 ACCESS clause of read-write and/or read-create. So, if this MIB is
1094 implemented correctly, then there is no risk that an intruder can
1095 alter or create any management objects of this MIB via direct SNMP
1098 Some of the readable objects in this MIB module (i.e., objects with a
1099 MAX-ACCESS other than not-accessible) may be considered sensitive or
1100 vulnerable in some network environments. It is thus important to
1101 control even GET and/or NOTIFY access to these objects and possibly
1102 to even encrypt the values of these objects when sending them over
1103 the network via SNMP. These are the tables and objects and their
1104 sensitivity/vulnerability:
1106 radiusAuthServerIPAddress
1107 This can be used to determine the address of the RADIUS
1108 authentication server with which the client is communicating.
1109 This information could be useful in mounting an attack on the
1110 authentication server.
1112 radiusAuthClientServerPortNumber
1113 This can be used to determine the port number on which the RADIUS
1114 authentication client is sending. This information could be
1115 useful in impersonating the client in order to send data to the
1116 authentication server.
1122 Nelson Standards Track [Page 20]
1124 RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006

radiusAuthServerInetAddress
   This can be used to determine the address of the RADIUS
   authentication server with which the client is communicating.
   This information could be useful in mounting an attack on the
   authentication server.

radiusAuthClientServerInetPortNumber
   This can be used to determine the port number on which the RADIUS
   authentication client is sending. This information could be
   useful in impersonating the client in order to send data to the
   authentication server.

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
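
Added example (not part of RFC 4668): a Python check over Net-SNMP-style
snmpd.conf text that flags directives giving pre-SNMPv3 community access, or
SNMPv3 access without privacy, to the radiusAuthClientMIB subtree
(1.3.6.1.2.1.67.1.2). The directive syntax handled (rocommunity, rouser, view),
the function names, and the sample configuration are assumptions of this
example; only numeric OIDs are handled.

```python
ROOT = (1, 3, 6, 1, 2, 1, 67, 1, 2)  # radiusAuthClientMIB, { mib-2 67 1 2 }
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER = {"rouser", "rwuser"}
SAMPLE = """\
# constructed sample configuration, not taken from a real device
view  radonly  included  .1.3.6.1.2.1.67.1.2
view  sysonly  included  .1.3.6.1.2.1.1
rocommunity  public   default
rocommunity  monitor  192.0.2.0/24  -V sysonly
rouser  nocrypt   auth  -V radonly
rouser  nmsadmin  priv  -V radonly
"""

def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1); symbolic names raise ValueError."""
    return tuple(int(p) for p in text.strip(".").split("."))

def overlaps(subtree, target=ROOT):
    """True if one OID is a prefix of the other, i.e. the subtrees intersect."""
    n = min(len(subtree), len(target))
    return subtree[:n] == target[:n]

def reaches_mib(scope, views):
    """scope is [] (whole tree), [OID, ...] or ['-V', VIEW, ...]."""
    if not scope:
        return True
    if scope[0] != "-V":
        return overlaps(parse_oid(scope[0]))
    rules = views.get(scope[1], []) if len(scope) > 1 else []
    if any(k == "excluded" and oid == ROOT[:len(oid)] for k, oid in rules):
        return False  # the whole module is excluded from this view
    return any(k == "included" and overlaps(oid) for k, oid in rules)

def audit(conf):
    """Return (line number, reason) for each directive that exposes the MIB."""
    lines = [l.split("#", 1)[0].split() for l in conf.splitlines()]
    views, findings = {}, []
    for t in lines:
        if len(t) >= 4 and t[0] == "view":
            views.setdefault(t[1], []).append((t[2], parse_oid(t[3])))
    for no, t in enumerate(lines, 1):
        if t and t[0] in COMMUNITY and reaches_mib(t[3:], views):
            findings.append((no, "pre-SNMPv3 community access"))
        elif len(t) > 1 and t[0] in USER:
            args = t[3:] if t[1] == "-s" else t[1:]  # drop "-s SECMODEL"
            level = args[1] if len(args) > 1 else "auth"
            if level != "priv" and reaches_mib(args[2:], views):
                findings.append((no, f"SNMPv3 level {level!r}: no privacy"))
    return findings
```

Partial exclusions below the module root are deliberately still reported, so a
view that hides only one table is flagged for manual review.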

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Structure of Management Information
          Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Textual Conventions for SMIv2",
          STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Conformance Statements for SMIv2", STD 58, RFC 2580,

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
          "Remote Authentication Dial In User Service (RADIUS)",
          RFC 2865, June 2000.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
          Architecture for Describing Simple Network Management
          Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
          Schoenwaelder, "Textual Conventions for Internet Network
          Addresses", RFC 4001, February 2005.

9.2. Informative References

[RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
          RFC 2618, June 1999.

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
          "Introduction and Applicability Statements for Internet-
          Standard Management Framework", RFC 3410, December 2002.

[RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
          RFC 4669, August 2006.

Appendix A. Acknowledgements

The authors of the original MIB are Bernard Aboba and Glen Zorn.

Many thanks to all reviewers, especially to Dave Harrington, Dan
Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.

EMail: dnelson@enterasys.com

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).