Network Working Group                                          D. Nelson
Request for Comments: 4671                            Enterasys Networks
Obsoletes: 2621                                              August 2006
Category: Informational

RADIUS Accounting Server MIB for IPv6

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this

Copyright (C) The Internet Society (2006).

This memo defines a set of extensions that instrument RADIUS
accounting server functions. These extensions represent a portion of
the Management Information Base (MIB) for use with network management
protocols in the Internet community. Using these extensions,
IP-based management stations can manage RADIUS accounting servers.

This memo obsoletes RFC 2621 by deprecating the MIB table containing
IPv4-only address formats and defining a new table to add support for
version-neutral IP address formats. The remaining MIB objects from
RFC 2621 are carried forward into this document. This memo also adds
UNITS and REFERENCE clauses to selected objects.

Nelson                       Informational                      [Page 1]

RFC 4671            RADIUS Acct Server MIB (IPv6)            August 2006

1. Introduction
2. Terminology
3. The Internet-Standard Management Framework
4. Scope of Changes
5. Structure of the MIB Module
6. Deprecated Objects
7. Definitions
8. Security Considerations
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Acknowledgements

1. Introduction

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
The objects defined within this memo relate to the Remote
Authentication Dial-In User Service (RADIUS) Accounting Server as
defined in RFC 2866 [RFC2866].

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses terminology from RFC 2865 [RFC2865] and RFC 2866

This document uses the word "malformed" with respect to RADIUS
packets, particularly in the context of counters of "malformed
packets". While RFC 2866 does not provide an explicit definition of
"malformed", malformed generally means that the implementation has
determined the packet does not match the format defined in RFC 2866.
Those implementations are used in deployments today, and thus set the
de facto definition of "malformed".

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580

4. Scope of Changes

This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
MIB, by deprecating the radiusAccClientTable table and adding a new
table, radiusAccClientExtTable, containing
radiusAccClientInetAddressType and radiusAccClientInetAddress. The
purpose of these added MIB objects is to support version-neutral IP
addressing formats. The existing table containing
radiusAccClientAddress is deprecated. The remaining MIB objects from
RFC 2621 are carried forward into this document. This memo also adds
UNITS and REFERENCE clauses to selected objects.

RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
version-neutral IP addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP. The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated". The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5. Structure of the MIB Module

The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
distinguishes between the client function and the server function.
In RADIUS accounting, clients send Accounting-Requests, and servers
reply with Accounting-Responses. Typically, Network Access Server
(NAS) devices implement the client function, and thus would be
expected to implement the RADIUS accounting client MIB, while RADIUS
accounting servers implement the server function, and thus would be
expected to implement the RADIUS accounting server MIB.

However, it is possible for a RADIUS accounting entity to perform
both client and server functions. For example, a RADIUS proxy may
act as a server to one or more RADIUS accounting clients, while
simultaneously acting as an accounting client to one or more
accounting servers. In such situations, it is expected that RADIUS
entities combining client and server functionality will support both
the client and server MIBs. The server MIB is defined in this
document, and the client MIB is defined in [RFC4670].

This MIB module contains thirteen scalars as well as a single table,
the RADIUS Accounting Client Table, which contains one row for each
RADIUS accounting client with which the server shares a secret. Each
entry in the RADIUS Accounting Client Table includes twelve columns
presenting a view of the activity of the RADIUS accounting server.

This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].

6. Deprecated Objects

The deprecated table in this MIB is carried forward from RFC 2621
[RFC2621]. There are two conditions under which it MAY be desirable
for managed entities to continue to support the deprecated table:

1. The managed entity only supports IPv4 address formats.

2. The managed entity supports both IPv4 and IPv6 address formats,
   and the deprecated table is supported for backwards compatibility
   with older management stations. This option SHOULD only be used
   when the IP addresses in the new table are in IPv4 format and can
   accurately be represented in both the new table and the

Managed entities SHOULD NOT instantiate row entries in the deprecated
table, containing IPv4-only address objects, when the RADIUS
accounting client address represented in such a table row is not an
IPv4 address. Managed entities SHOULD NOT return inaccurate values
of IP address or SNMP object access errors for IPv4-only address
objects in otherwise populated tables. When row entries exist in
both the deprecated IPv4-only table and the new IP-version-neutral
table that describe the same RADIUS accounting client, the row
indexes SHOULD be the same for the corresponding rows in each table,
to facilitate correlation of these related rows by management

7. Definitions

RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN

      MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
      Counter32, Integer32,
      IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
      SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
      InetAddressType, InetAddress     FROM INET-ADDRESS-MIB
      MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAccServMIB MODULE-IDENTITY
      LAST-UPDATED "200608210000Z" -- 21 August 2006
      ORGANIZATION "IETF RADIUS Extensions Working Group."
             Phone: +1 425 936 6605
             EMail: bernarda@microsoft.com"
            "The MIB module for entities implementing the server
             side of the Remote Authentication Dial-In User
             Service (RADIUS) accounting protocol. Copyright (C)
             The Internet Society (2006). This version of this
             MIB module is part of RFC 4671; see the RFC itself
             for full legal notices."
      REVISION "200608210000Z" -- 21 August 2006
            "Revised version as published in RFC 4671. This
             version obsoletes that of RFC 2621 by deprecating
             the MIB table containing IPv4-only address formats
             and defining a new table to add support for
             version-neutral IP address formats. The remaining
             MIB objects from RFC 2621 are carried forward into
             this version."
      REVISION "199906110000Z" -- 11 Jun 1999
      DESCRIPTION "Initial version as published in RFC 2621."
      ::= { radiusAccounting 1 }

radiusMIB OBJECT-IDENTITY
            "The OID assigned to RADIUS MIB work by the IANA."

radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

radiusAccServMIBObjects OBJECT IDENTIFIER
      ::= { radiusAccServMIB 1 }

radiusAccServ OBJECT IDENTIFIER
      ::= { radiusAccServMIBObjects 1 }

radiusAccServIdent OBJECT-TYPE
      SYNTAX SnmpAdminString
            "The implementation identification string for the
             RADIUS accounting server software in use on the
             system, for example, 'FNS-2.1'."
      ::= {radiusAccServ 1}

radiusAccServUpTime OBJECT-TYPE
            "If the server has a persistent state (e.g., a
             process), this value will be the time elapsed (in
             hundredths of a second) since the server process was
             started. For software without persistent state, this
      ::= {radiusAccServ 2}

radiusAccServResetTime OBJECT-TYPE
            "If the server has a persistent state (e.g., a process)
             and supports a 'reset' operation (e.g., can be told to
             re-read configuration files), this value will be the
             time elapsed (in hundredths of a second) since the
             server was 'reset.' For software that does not
             have persistence or does not support a 'reset'
             operation, this value will be zero."
      ::= {radiusAccServ 3}

radiusAccServConfigReset OBJECT-TYPE
      SYNTAX INTEGER { other(1),
      MAX-ACCESS read-write
            "Status/action object to reinitialize any persistent
             server state. When set to reset(2), any persistent
             server state (such as a process) is reinitialized as
             if the server had just been started. This value will
             never be returned by a read operation. When read,
             one of the following values will be returned:
                 other(1) - server in some unknown state;
                 initializing(3) - server (re)initializing;
                 running(4) - server currently running."
      ::= {radiusAccServ 4}

radiusAccServTotalRequests OBJECT-TYPE
            "The number of packets received on the
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccServ 5 }

radiusAccServTotalInvalidRequests OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             received from unknown addresses."
      REFERENCE "RFC 2866 sections 2, 4.1"
      ::= { radiusAccServ 6 }

radiusAccServTotalDupRequests OBJECT-TYPE
            "The number of duplicate RADIUS Accounting-Request
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccServ 7 }

radiusAccServTotalResponses OBJECT-TYPE
            "The number of RADIUS Accounting-Response packets
      REFERENCE "RFC 2866 section 4.2"
      ::= { radiusAccServ 8 }

radiusAccServTotalMalformedRequests OBJECT-TYPE
            "The number of malformed RADIUS Accounting-Request
             packets received. Bad authenticators or unknown
             types are not included as malformed Access-Requests."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccServ 9 }

radiusAccServTotalBadAuthenticators OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that contained an invalid authenticator."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccServ 10 }

radiusAccServTotalPacketsDropped OBJECT-TYPE
            "The number of incoming packets silently discarded
             for a reason other than malformed, bad authenticators,
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccServ 11 }

radiusAccServTotalNoRecords OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that were received and responded to but not
      ::= { radiusAccServ 12 }

radiusAccServTotalUnknownTypes OBJECT-TYPE
            "The number of RADIUS packets of unknown type that
      REFERENCE "RFC 2866 section 4"
      ::= { radiusAccServ 13 }

radiusAccClientTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAccClientEntry
      MAX-ACCESS not-accessible
            "The (conceptual) table listing the RADIUS accounting
             clients with which the server shares a secret."
      ::= { radiusAccServ 14 }

radiusAccClientEntry OBJECT-TYPE
      SYNTAX RadiusAccClientEntry
      MAX-ACCESS not-accessible
            "An entry (conceptual row) representing a RADIUS
             accounting client with which the server shares a
      INDEX { radiusAccClientIndex }
      ::= { radiusAccClientTable 1 }

RadiusAccClientEntry ::= SEQUENCE {
      radiusAccClientIndex             Integer32,
      radiusAccClientAddress           IpAddress,
      radiusAccClientID                SnmpAdminString,
      radiusAccServPacketsDropped      Counter32,
      radiusAccServRequests            Counter32,
      radiusAccServDupRequests         Counter32,
      radiusAccServResponses           Counter32,
      radiusAccServBadAuthenticators   Counter32,
      radiusAccServMalformedRequests   Counter32,
      radiusAccServNoRecords           Counter32,
      radiusAccServUnknownTypes        Counter32

radiusAccClientIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
            "A number uniquely identifying each RADIUS accounting
             client with which this server communicates."
      ::= { radiusAccClientEntry 1 }

radiusAccClientAddress OBJECT-TYPE
            "The NAS-IP-Address of the RADIUS accounting client
             referred to in this table entry."
      ::= { radiusAccClientEntry 2 }

radiusAccClientID OBJECT-TYPE
      SYNTAX SnmpAdminString
            "The NAS-Identifier of the RADIUS accounting client
             referred to in this table entry. This is not
             necessarily the same as sysName in MIB II."
      REFERENCE "RFC 2865 section 5.32"
      ::= { radiusAccClientEntry 3 }

-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending

-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - NoRecords = entries logged

radiusAccServPacketsDropped OBJECT-TYPE
            "The number of incoming packets received
             from this client and silently discarded
             for a reason other than malformed, bad
             authenticators, or unknown types."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientEntry 4 }

radiusAccServRequests OBJECT-TYPE
            "The number of packets received from this
             client on the accounting port."
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccClientEntry 5 }

radiusAccServDupRequests OBJECT-TYPE
            "The number of duplicate RADIUS Accounting-Request
             packets received from this client."
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccClientEntry 6 }

radiusAccServResponses OBJECT-TYPE
            "The number of RADIUS Accounting-Response packets
             sent to this client."
      REFERENCE "RFC 2866 section 4.2"
      ::= { radiusAccClientEntry 7 }

radiusAccServBadAuthenticators OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that contained invalid authenticators received
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientEntry 8 }

radiusAccServMalformedRequests OBJECT-TYPE
            "The number of malformed RADIUS Accounting-Request
             packets that were received from this client.
             Bad authenticators and unknown types
             are not included as malformed Accounting-Requests."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientEntry 9 }

radiusAccServNoRecords OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that were received and responded to but not
      ::= { radiusAccClientEntry 10 }

radiusAccServUnknownTypes OBJECT-TYPE
            "The number of RADIUS packets of unknown type that
             were received from this client."
      REFERENCE "RFC 2866 section 4"
      ::= { radiusAccClientEntry 11 }

-- New MIB objects added in this revision

radiusAccClientExtTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAccClientExtEntry
      MAX-ACCESS not-accessible
            "The (conceptual) table listing the RADIUS accounting
             clients with which the server shares a secret."
      ::= { radiusAccServ 15 }

radiusAccClientExtEntry OBJECT-TYPE
      SYNTAX RadiusAccClientExtEntry
      MAX-ACCESS not-accessible
            "An entry (conceptual row) representing a RADIUS
             accounting client with which the server shares a
      INDEX { radiusAccClientExtIndex }
      ::= { radiusAccClientExtTable 1 }

RadiusAccClientExtEntry ::= SEQUENCE {
      radiusAccClientExtIndex                Integer32,
      radiusAccClientInetAddressType         InetAddressType,
      radiusAccClientInetAddress             InetAddress,
      radiusAccClientExtID                   SnmpAdminString,
      radiusAccServExtPacketsDropped         Counter32,
      radiusAccServExtRequests               Counter32,
      radiusAccServExtDupRequests            Counter32,
      radiusAccServExtResponses              Counter32,
      radiusAccServExtBadAuthenticators      Counter32,
      radiusAccServExtMalformedRequests      Counter32,
      radiusAccServExtNoRecords              Counter32,
      radiusAccServExtUnknownTypes           Counter32,
      radiusAccServerCounterDiscontinuity    TimeTicks

radiusAccClientExtIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
            "A number uniquely identifying each RADIUS accounting
             client with which this server communicates."
      ::= { radiusAccClientExtEntry 1 }

radiusAccClientInetAddressType OBJECT-TYPE
      SYNTAX InetAddressType
            "The type of address format used for the
             radiusAccClientInetAddress object."
      ::= { radiusAccClientExtEntry 2 }

radiusAccClientInetAddress OBJECT-TYPE
            "The IP address of the RADIUS accounting
             client referred to in this table entry, using
             the IPv6 address format."
      ::= { radiusAccClientExtEntry 3 }

radiusAccClientExtID OBJECT-TYPE
      SYNTAX SnmpAdminString
            "The NAS-Identifier of the RADIUS accounting client
             referred to in this table entry. This is not
             necessarily the same as sysName in MIB II."
      REFERENCE "RFC 2865 section 5.32"
      ::= { radiusAccClientExtEntry 4 }

-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending

-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - NoRecords = entries logged

radiusAccServExtPacketsDropped OBJECT-TYPE
            "The number of incoming packets received from this
             client and silently discarded for a reason other
             than malformed, bad authenticators, or unknown types.
             This counter may experience a discontinuity when the
             RADIUS Accounting Server module within the managed
             entity is reinitialized, as indicated by the current
             value of radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientExtEntry 5 }

radiusAccServExtRequests OBJECT-TYPE
            "The number of packets received from this
             client on the accounting port. This counter
             may experience a discontinuity when the
             RADIUS Accounting Server module within the
             managed entity is reinitialized, as indicated by
             radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccClientExtEntry 6 }

radiusAccServExtDupRequests OBJECT-TYPE
            "The number of duplicate RADIUS Accounting-Request
             packets received from this client. This counter
             may experience a discontinuity when the RADIUS
             Accounting Server module within the managed
             entity is reinitialized, as indicated by the
             radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 4.1"
      ::= { radiusAccClientExtEntry 7 }

radiusAccServExtResponses OBJECT-TYPE
            "The number of RADIUS Accounting-Response packets
             sent to this client. This counter may experience
             a discontinuity when the RADIUS Accounting Server
             module within the managed entity is reinitialized,
             as indicated by the current value of
             radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 4.2"
      ::= { radiusAccClientExtEntry 8 }

radiusAccServExtBadAuthenticators OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that contained invalid authenticators received
             from this client. This counter may experience a
             discontinuity when the RADIUS Accounting Server
             module within the managed entity is reinitialized,
             as indicated by the current value of
             radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientExtEntry 9 }

radiusAccServExtMalformedRequests OBJECT-TYPE
            "The number of malformed RADIUS Accounting-Request
             packets that were received from this client.
             Bad authenticators and unknown types are not
             included as malformed Accounting-Requests. This
             counter may experience a discontinuity when the
             RADIUS Accounting Server module within the managed
             entity is reinitialized, as indicated by the current
             value of radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 3"
      ::= { radiusAccClientExtEntry 10 }

radiusAccServExtNoRecords OBJECT-TYPE
            "The number of RADIUS Accounting-Request packets
             that were received and responded to but not
             recorded. This counter may experience a
             discontinuity when the RADIUS Accounting Server
             module within the managed entity is reinitialized,
             as indicated by the current value of
             radiusAccServerCounterDiscontinuity."
      ::= { radiusAccClientExtEntry 11 }

radiusAccServExtUnknownTypes OBJECT-TYPE
            "The number of RADIUS packets of unknown type that
             were received from this client. This counter may
             experience a discontinuity when the RADIUS Accounting
             Server module within the managed entity is
             reinitialized, as indicated by the current value of
             radiusAccServerCounterDiscontinuity."
      REFERENCE "RFC 2866 section 4"
      ::= { radiusAccClientExtEntry 12 }

radiusAccServerCounterDiscontinuity OBJECT-TYPE
            "The number of centiseconds since the last
             discontinuity in the RADIUS Accounting Server
             counters. A discontinuity may be the result of
             a reinitialization of the RADIUS Accounting Server
             module within the managed entity."
      ::= { radiusAccClientExtEntry 13 }

-- conformance information

radiusAccServMIBConformance OBJECT IDENTIFIER
      ::= { radiusAccServMIB 2 }

radiusAccServMIBCompliances OBJECT IDENTIFIER
      ::= { radiusAccServMIBConformance 1 }

radiusAccServMIBGroups OBJECT IDENTIFIER
      ::= { radiusAccServMIBConformance 2 }

-- compliance statements

radiusAccServMIBCompliance MODULE-COMPLIANCE
            "The compliance statement for accounting servers
             implementing the RADIUS Accounting Server MIB.
             Implementation of this module is for IPv4-only
             entities, or for backwards compatibility use with
             entities that support both IPv4 and IPv6."
      MODULE -- this module
      MANDATORY-GROUPS { radiusAccServMIBGroup }

      OBJECT radiusAccServConfigReset
      WRITE-SYNTAX INTEGER { reset(2) }
      DESCRIPTION "The only SETable value is 'reset' (2)."

      ::= { radiusAccServMIBCompliances 1 }

radiusAccServExtMIBCompliance MODULE-COMPLIANCE
            "The compliance statement for accounting
             servers implementing the RADIUS Accounting
             Server IPv6 Extensions MIB. Implementation of
             this module is for entities that support IPv6,
             or support IPv4 and IPv6."
      MODULE -- this module
      MANDATORY-GROUPS { radiusAccServExtMIBGroup }

      OBJECT radiusAccServConfigReset
      WRITE-SYNTAX INTEGER { reset(2) }
      DESCRIPTION "The only SETable value is 'reset' (2)."

      OBJECT radiusAccClientInetAddressType
      SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."

      OBJECT radiusAccClientInetAddress
      SYNTAX InetAddress ( SIZE (4|16) )
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."

      ::= { radiusAccServMIBCompliances 2 }

-- units of conformance

radiusAccServMIBGroup OBJECT-GROUP
      OBJECTS {radiusAccServIdent,
               radiusAccServUpTime,
               radiusAccServResetTime,
               radiusAccServConfigReset,
               radiusAccServTotalRequests,
               radiusAccServTotalInvalidRequests,
               radiusAccServTotalDupRequests,
               radiusAccServTotalResponses,
               radiusAccServTotalMalformedRequests,
               radiusAccServTotalBadAuthenticators,
               radiusAccServTotalPacketsDropped,
               radiusAccServTotalNoRecords,
               radiusAccServTotalUnknownTypes,
               radiusAccClientAddress,
               radiusAccServPacketsDropped,
               radiusAccServRequests,
               radiusAccServDupRequests,
               radiusAccServResponses,
               radiusAccServBadAuthenticators,
               radiusAccServMalformedRequests,
               radiusAccServNoRecords,
               radiusAccServUnknownTypes
            "The collection of objects providing management of
             a RADIUS Accounting Server."
      ::= { radiusAccServMIBGroups 1 }

radiusAccServExtMIBGroup OBJECT-GROUP
      OBJECTS {radiusAccServIdent,
               radiusAccServUpTime,
               radiusAccServResetTime,
               radiusAccServConfigReset,
               radiusAccServTotalRequests,
               radiusAccServTotalInvalidRequests,
               radiusAccServTotalDupRequests,
               radiusAccServTotalResponses,
               radiusAccServTotalMalformedRequests,
               radiusAccServTotalBadAuthenticators,
               radiusAccServTotalPacketsDropped,
               radiusAccServTotalNoRecords,
               radiusAccServTotalUnknownTypes,
               radiusAccClientInetAddressType,
               radiusAccClientInetAddress,
               radiusAccClientExtID,
               radiusAccServExtPacketsDropped,
               radiusAccServExtRequests,
               radiusAccServExtDupRequests,
               radiusAccServExtResponses,
               radiusAccServExtBadAuthenticators,
               radiusAccServExtMalformedRequests,
               radiusAccServExtNoRecords,
               radiusAccServExtUnknownTypes,
               radiusAccServerCounterDiscontinuity
            "The collection of objects providing management of
             a RADIUS Accounting Server."
      ::= { radiusAccServMIBGroups 2 }
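
The two counter identities given in the MIB comments above (Pending and entries logged) can be evaluated by a management station from two successive polls of one radiusAccClientExtTable row. The following Python sketch is an added example, not part of RFC 4671; it assumes the row has already been fetched over SNMP into a dict, uses shortened column names as keys, and its sample values are constructed.

```python
# Added example (not part of RFC 4671): evaluate the two counter identities
# from the MIB comments for one radiusAccClientExtTable row.
# Dict keys are shortened column names chosen for this example, e.g.
# "Requests" stands for radiusAccServExtRequests.

COUNTER32_MOD = 2 ** 32  # Counter32 wraps to 0 after 2^32 - 1

RECEIVED = "Requests"
# Requests that never produce a response or a record.
REJECTED = ("DupRequests", "BadAuthenticators", "MalformedRequests",
            "UnknownTypes", "PacketsDropped")
DISCONTINUITY = "CounterDiscontinuity"  # radiusAccServerCounterDiscontinuity


def counter_delta(old, new):
    """Increase of a Counter32 between two polls, tolerating one wrap."""
    return (new - old) % COUNTER32_MOD


def pending(row):
    """Requests - DupRequests - BadAuthenticators - MalformedRequests -
    UnknownTypes - PacketsDropped - Responses = Pending.

    The true result is a small non-negative number, so reducing modulo 2^32
    gives the right answer even when some of the counters have wrapped.
    """
    total = row[RECEIVED] - sum(row[c] for c in REJECTED) - row["Responses"]
    return total % COUNTER32_MOD


def interval_report(prev, curr, elapsed_cs):
    """Compare two polls of one row taken elapsed_cs centiseconds apart."""
    # The discontinuity object counts centiseconds since the counters were
    # last reset. A value smaller than the polling interval means the reset
    # happened between the polls, so the deltas are meaningless.
    if curr[DISCONTINUITY] < elapsed_cs:
        return {"discontinuity": True}

    columns = (RECEIVED, "Responses", "NoRecords") + REJECTED
    deltas = {c: counter_delta(prev[c], curr[c]) for c in columns}
    # Requests - ... - PacketsDropped - NoRecords = entries logged,
    # applied here to the per-interval increases.
    logged = (deltas[RECEIVED] - sum(deltas[c] for c in REJECTED)
              - deltas["NoRecords"])
    return {"discontinuity": False, "deltas": deltas,
            "entries_logged": logged, "pending_now": pending(curr)}


# Constructed sample polls, 60 s (6000 centiseconds) apart. The Requests and
# Responses counters are close to the Counter32 limit; Requests wraps.
PREV = {"Requests": 4294967290, "Responses": 4294967270, "NoRecords": 5,
        "DupRequests": 10, "BadAuthenticators": 2, "MalformedRequests": 1,
        "UnknownTypes": 0, "PacketsDropped": 3,
        "CounterDiscontinuity": 90000000}
CURR = {"Requests": 14, "Responses": 4294967284, "NoRecords": 6,
        "DupRequests": 11, "BadAuthenticators": 9, "MalformedRequests": 1,
        "UnknownTypes": 0, "PacketsDropped": 3,
        "CounterDiscontinuity": 90006000}
# Same poll, but the server module was reinitialized 15 s before it.
RESTARTED = dict(CURR, CounterDiscontinuity=1500)

if __name__ == "__main__":
    print(interval_report(PREV, CURR, 6000))
    print(interval_report(PREV, RESTARTED, 6000))
```

The per-client BadAuthenticators delta in the report is a natural value for a management station to threshold on, since it isolates requests from a known client address that failed the shared-secret check.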

8. Security Considerations

There are management objects (radiusAccServConfigReset) defined in
this MIB that have a MAX-ACCESS clause of read-write and/or
read-create. Such objects may be considered sensitive or vulnerable in
some network environments. The support for SET operations in a
non-secure environment without proper protection can have a negative
effect on network operations. These are:

radiusAccServConfigReset
   This object can be used to reinitialize the persistent state of
   any server. When set to reset(2), any persistent server state
   (such as a process) is reinitialized as if the server had just
   been started. Depending on the server implementation details,
   this action may or may not interrupt the processing of pending
   requests in the server. Abuse of this object may lead to a Denial
   of Service attack on the server.

There are a number of managed objects in this MIB that may contain
sensitive information. These are:

radiusAccClientIPAddress
   This can be used to determine the address of the RADIUS accounting
   client with which the server is communicating. This information
   could be useful in mounting an attack on the accounting client.

radiusAccClientInetAddress
   This can be used to determine the address of the RADIUS accounting
   client with which the server is communicating. This information
   could be useful in mounting an attack on the accounting client.

It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending them
over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment.

SNMP versions prior to SNMPv3 do not provide a secure environment.
Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Structure of Management Information
          Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Textual Conventions for SMIv2",
          STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Conformance Statements for SMIv2", STD 58, RFC 2580,

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
          Architecture for Describing Simple Network Management
          Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
          Schoenwaelder, "Textual Conventions for Internet Network
          Addresses", RFC 4001, February 2005.

9.2. Informative References

[RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
          RFC 2621, June 1999.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
          "Remote Authentication Dial In User Service (RADIUS)",
          RFC 2865, June 2000.

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
          "Introduction and Applicability Statements for Internet-
          Standard Management Framework", RFC 3410, December 2002.

[RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC

Appendix A. Acknowledgements

The authors of the original MIB are Bernard Aboba and Glen Zorn.

Many thanks to all reviewers, especially to Dave Harrington, Dan
Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.

EMail: dnelson@enterasys.com

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).