Network Working Group                                      S. De Cnodder
Request for Comments: 4672                                       Alcatel
Category: Informational                                       N. Jonnala

                RADIUS Dynamic Authorization Client MIB

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this

Copyright (C) The Internet Society (2006).

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes the Remote Authentication Dial-In User
Service (RADIUS) (RFC2865) Dynamic Authorization Client (DAC)
functions that support the dynamic authorization extensions as

1. Introduction
   1.1. Requirements Notation
   1.2. Terminology
2. The Internet-Standard Management Framework
3. Overview
4. RADIUS Dynamic Authorization Client MIB Definitions
5. Security Considerations
6. IANA Considerations
7. Acknowledgements
8. References
   8.1. Normative References
   8.2. Informative References

De Cnodder, et al.           Informational                      [Page 1]

RFC 4672        RADIUS Dynamic Authorization Client MIB   September 2006

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes the Remote Authentication Dial-In User
Service (RADIUS) [RFC2865] Dynamic Authorization Client (DAC)
functions that support the dynamic authorization extensions as

It is becoming increasingly important to support Dynamic
Authorization extensions on the network access server (NAS) devices
to handle the Disconnect and Change-of-Authorization (CoA) messages,
as described in [RFC3576]. As a result, the effective management of
RADIUS Dynamic Authorization entities is of considerable importance.
This RADIUS Dynamic Authorization Client MIB complements the managed
objects used for managing RADIUS authentication and accounting
servers, as described in [RFC4669] and [RFC4671], respectively.

1.1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

Dynamic Authorization Server (DAS)

   The component that resides on the NAS that processes the Disconnect
   and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
   the Dynamic Authorization Client.

Dynamic Authorization Client (DAC)

   The component that sends Disconnect and CoA-Request packets to the
   Dynamic Authorization Server. Although this component often resides
   on the RADIUS server, it is also possible for this component to be
   located on a separate host, such as a Rating Engine.

Dynamic Authorization Server Port

   The UDP port on which the Dynamic Authorization Server listens for
   the Disconnect and CoA requests sent by the Dynamic Authorization

2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580

"Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
CoA-Request, CoA-ACK, and CoA-NAK packets. [RFC4673] defines the
Dynamic Authorization Server MIB and the relationship with other MIB
modules. This MIB module for the Dynamic Authorization Client
contains the following:

1. Two scalar objects

2. One Dynamic Authorization Server table. This table contains one
   row for each DAS with which the DAC shares a secret.

4. RADIUS Dynamic Authorization Client MIB Definitions

RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

    MODULE-IDENTITY, OBJECT-TYPE,
    Counter32, Gauge32, Integer32,
    mib-2, TimeTicks FROM SNMPv2-SMI -- [RFC2578]
    SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
    InetAddressType, InetAddress,
    InetPortNumber FROM INET-ADDRESS-MIB -- [RFC4001]
    OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580]

radiusDynAuthClientMIB MODULE-IDENTITY
    LAST-UPDATED "200608290000Z" -- 29 August 2006
    ORGANIZATION "IETF RADEXT Working Group"
        Francis Wellesplein 1
        Phone: +32 3 240 85 15
        EMail: stefaan.de_cnodder@alcatel.be

        Divyasree Chambers, B Wing,
        Bangalore-560027, India.
        Phone: +91 94487 60828
        EMail: njonnala@cisco.com

        Phone: +1 408 525 7198
        EMail: mchiba@cisco.com "
        "The MIB module for entities implementing the client
        side of the Dynamic Authorization Extensions to the
        Remote Authentication Dial-In User Service (RADIUS)
        protocol. Copyright (C) The Internet Society (2006).
        Initial version as published in RFC 4672;
        for full legal notices see the RFC itself."

    REVISION "200608290000Z" -- 29 August 2006
    DESCRIPTION "Initial version as published in RFC 4672"

radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
    { radiusDynAuthClientMIB 1 }

radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
    { radiusDynAuthClientMIBObjects 1 }

radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
        "The number of Disconnect-Ack and Disconnect-NAK packets
        received from unknown addresses. This counter may
        experience a discontinuity when the DAC module
        (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
    ::= { radiusDynAuthClientScalars 1 }

radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
        "The number of CoA-Ack and CoA-NAK packets received from
        unknown addresses. Disconnect-NAK packets received
        from unknown addresses. This counter may experience a
        discontinuity when the DAC module (re)starts, as
        indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
    ::= { radiusDynAuthClientScalars 2 }

radiusDynAuthServerTable OBJECT-TYPE
    SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
    MAX-ACCESS not-accessible
        "The (conceptual) table listing the RADIUS Dynamic
        Authorization Servers with which the client shares a
    ::= { radiusDynAuthClientMIBObjects 2 }

radiusDynAuthServerEntry OBJECT-TYPE
    SYNTAX RadiusDynAuthServerEntry
    MAX-ACCESS not-accessible
        "An entry (conceptual row) representing one Dynamic
        Authorization Server with which the client shares a
    INDEX { radiusDynAuthServerIndex }
    ::= { radiusDynAuthServerTable 1 }

RadiusDynAuthServerEntry ::= SEQUENCE {
    radiusDynAuthServerIndex Integer32,
    radiusDynAuthServerAddressType InetAddressType,
    radiusDynAuthServerAddress InetAddress,
    radiusDynAuthServerClientPortNumber InetPortNumber,
    radiusDynAuthServerID SnmpAdminString,
    radiusDynAuthClientRoundTripTime TimeTicks,
    radiusDynAuthClientDisconRequests Counter32,
    radiusDynAuthClientDisconAuthOnlyRequests Counter32,
    radiusDynAuthClientDisconRetransmissions Counter32,
    radiusDynAuthClientDisconAcks Counter32,
    radiusDynAuthClientDisconNaks Counter32,
    radiusDynAuthClientDisconNakAuthOnlyRequest Counter32,
    radiusDynAuthClientDisconNakSessNoContext Counter32,
    radiusDynAuthClientMalformedDisconResponses Counter32,
    radiusDynAuthClientDisconBadAuthenticators Counter32,
    radiusDynAuthClientDisconPendingRequests Gauge32,
    radiusDynAuthClientDisconTimeouts Counter32,
    radiusDynAuthClientDisconPacketsDropped Counter32,
    radiusDynAuthClientCoARequests Counter32,
    radiusDynAuthClientCoAAuthOnlyRequest Counter32,
    radiusDynAuthClientCoARetransmissions Counter32,
    radiusDynAuthClientCoAAcks Counter32,
    radiusDynAuthClientCoANaks Counter32,
    radiusDynAuthClientCoANakAuthOnlyRequest Counter32,
    radiusDynAuthClientCoANakSessNoContext Counter32,
    radiusDynAuthClientMalformedCoAResponses Counter32,
    radiusDynAuthClientCoABadAuthenticators Counter32,
    radiusDynAuthClientCoAPendingRequests Gauge32,
    radiusDynAuthClientCoATimeouts Counter32,
    radiusDynAuthClientCoAPacketsDropped Counter32,
    radiusDynAuthClientUnknownTypes Counter32,
    radiusDynAuthClientCounterDiscontinuity TimeTicks

radiusDynAuthServerIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
        "A number uniquely identifying each RADIUS Dynamic
        Authorization Server with which this Dynamic
        Authorization Client communicates. This number is
        allocated by the agent implementing this MIB module
        and is unique in this context."
    ::= { radiusDynAuthServerEntry 1 }

radiusDynAuthServerAddressType OBJECT-TYPE
    SYNTAX InetAddressType
        "The type of IP address of the RADIUS Dynamic
        Authorization Server referred to in this table entry."
    ::= { radiusDynAuthServerEntry 2 }

radiusDynAuthServerAddress OBJECT-TYPE
        "The IP address value of the RADIUS Dynamic
        Authorization Server referred to in this table entry
        using the version neutral IP address format. The type
        of this address is determined by the value of the
        radiusDynAuthServerAddressType object."
    ::= { radiusDynAuthServerEntry 3 }

radiusDynAuthServerClientPortNumber OBJECT-TYPE
    SYNTAX InetPortNumber (1..65535)
        "The UDP destination port that the RADIUS Dynamic
        Authorization Client is using to send requests to this
        server. The value zero is invalid."
    ::= { radiusDynAuthServerEntry 4 }

radiusDynAuthServerID OBJECT-TYPE
    SYNTAX SnmpAdminString
        "The NAS-Identifier of the RADIUS Dynamic Authorization
        Server referred to in this table entry. This is not
        necessarily the same as sysName in MIB II."
        "RFC 2865, Section 5.32, NAS-Identifier."
    ::= { radiusDynAuthServerEntry 5 }

radiusDynAuthClientRoundTripTime OBJECT-TYPE
    UNITS "hundredths of a second"
        "The time interval (in hundredths of a second) between
        the most recent Disconnect or CoA request and the
        receipt of the corresponding Disconnect or CoA reply.
        A value of zero is returned if no reply has been
        received yet from this server."
    ::= { radiusDynAuthServerEntry 6 }

radiusDynAuthClientDisconRequests OBJECT-TYPE
        "The number of RADIUS Disconnect-Requests sent
        to this Dynamic Authorization Server. This also
        includes the RADIUS Disconnect-Requests that have a
        Service-Type attribute with value 'Authorize Only'.
        Disconnect-NAK packets received from unknown addresses.
        This counter may experience a discontinuity when the
        DAC module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 7 }

radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
        "The number of RADIUS Disconnect-Requests that include a
        Service-Type attribute with value 'Authorize Only'
        sent to this Dynamic Authorization Server.
        Disconnect-NAK packets received from unknown addresses.
        This counter may experience a discontinuity when the
        DAC module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 8 }

radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
    UNITS "retransmissions"
        "The number of RADIUS Disconnect-request packets
        retransmitted to this RADIUS Dynamic Authorization
        Server. Disconnect-NAK packets received from unknown
        addresses. This counter may experience a discontinuity
        when the DAC module (re)starts, as indicated by the
        value of radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 9 }

radiusDynAuthClientDisconAcks OBJECT-TYPE
        "The number of RADIUS Disconnect-ACK packets
        received from this Dynamic Authorization Server. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 10 }

radiusDynAuthClientDisconNaks OBJECT-TYPE
        "The number of RADIUS Disconnect-NAK packets
        received from this Dynamic Authorization Server.
        This includes the RADIUS Disconnect-NAK packets
        received with a Service-Type attribute with value
        'Authorize Only' and the RADIUS Disconnect-NAK
        packets received if no session context was found. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 11 }

radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
        "The number of RADIUS Disconnect-NAK packets
        that include a Service-Type attribute with value
        'Authorize Only' received from this Dynamic
        Authorization Server. This counter may experience a
        discontinuity when the DAC module (re)starts, as
        indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 12 }

radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
        "The number of RADIUS Disconnect-NAK packets
        received from this Dynamic Authorization Server
        because no session context was found; i.e., it
        includes an Error-Cause attribute with value 503
        ('Session Context Not Found'). This counter may
        experience a discontinuity when the DAC module
        (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 13 }

radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
        "The number of malformed RADIUS Disconnect-Ack and
        Disconnect-NAK packets received from this Dynamic
        Authorization Server. Bad authenticators and unknown
        types are not included as malformed Disconnect-Ack and
        Disconnect-NAK packets. This counter may experience a
        discontinuity when the DAC module (re)starts, as
        indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM), and
        Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 14 }

radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
        "The number of RADIUS Disconnect-Ack and Disconnect-NAK
        packets that contained invalid Authenticator field
        received from this Dynamic Authorization Server. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM), and
        Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 15 }

radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
        "The number of RADIUS Disconnect-request packets
        destined for this server that have not yet timed out
        or received a response. This variable is incremented
        when a Disconnect-Request is sent and decremented
        due to receipt of a Disconnect-Ack, a Disconnect-NAK,
        a timeout, or a retransmission."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 16 }

radiusDynAuthClientDisconTimeouts OBJECT-TYPE
        "The number of Disconnect request timeouts to this
        server. After a timeout, the client may retry to the
        same server or give up. A retry to the same server is
        counted as a retransmit and as a timeout. A send
        to a different server is counted as a
        Disconnect-Request and as a timeout. This counter
        may experience a discontinuity when the DAC module
        (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM)."
    ::= { radiusDynAuthServerEntry 17 }

radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
        "The number of incoming Disconnect-Ack and
        Disconnect-NAK packets from this Dynamic Authorization
        Server silently discarded by the client application for
        some reason other than malformed, bad authenticators,
        or unknown types. This counter may experience a
        discontinuity when the DAC module (re)starts, as
        indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.1, Disconnect Messages (DM), and
        Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 18 }

radiusDynAuthClientCoARequests OBJECT-TYPE
        "The number of RADIUS CoA-Requests sent to this
        Dynamic Authorization Server. This also includes
        CoA requests that have a Service-Type attribute
        with value 'Authorize Only'. This counter may
        experience a discontinuity when the DAC module
        (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 19 }

radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
        "The number of RADIUS CoA-requests that include a
        Service-Type attribute with value 'Authorize Only'
        sent to this Dynamic Authorization Client. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 20 }

radiusDynAuthClientCoARetransmissions OBJECT-TYPE
    UNITS "retransmissions"
        "The number of RADIUS CoA-request packets
        retransmitted to this RADIUS Dynamic Authorization
        Server. This counter may experience a discontinuity
        when the DAC module (re)starts, as indicated by the
        value of radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 21 }

radiusDynAuthClientCoAAcks OBJECT-TYPE
        "The number of RADIUS CoA-ACK packets received from
        this Dynamic Authorization Server. This counter may
        experience a discontinuity when the DAC module
        (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 22 }

radiusDynAuthClientCoANaks OBJECT-TYPE
        "The number of RADIUS CoA-NAK packets received from
        this Dynamic Authorization Server. This includes the
        RADIUS CoA-NAK packets received with a Service-Type
        attribute with value 'Authorize Only' and the RADIUS
        CoA-NAK packets received because no session context
        was found. This counter may experience a discontinuity
        when the DAC module (re)starts, as indicated by the
        value of radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 23 }

radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
        "The number of RADIUS CoA-NAK packets that include a
        Service-Type attribute with value 'Authorize Only'
        received from this Dynamic Authorization Server. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 24 }

radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
        "The number of RADIUS CoA-NAK packets received from
        this Dynamic Authorization Server because no session
        context was found; i.e., it includes an Error-Cause
        attribute with value 503 ('Session Context Not Found').
        This counter may experience a discontinuity when the
        DAC module (re)starts as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 25 }

radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
        "The number of malformed RADIUS CoA-Ack and CoA-NAK
        packets received from this Dynamic Authorization
        Server. Bad authenticators and unknown types are
        not included as malformed CoA-Ack and CoA-NAK packets.
        This counter may experience a discontinuity when the
        DAC module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
        Messages (CoA), and Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 26 }

radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
        "The number of RADIUS CoA-Ack and CoA-NAK packets
        that contained invalid Authenticator field
        received from this Dynamic Authorization Server.
        This counter may experience a discontinuity when the
        DAC module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
        Messages (CoA), and Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 27 }

radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
        "The number of RADIUS CoA-request packets destined for
        this server that have not yet timed out or received a
        response. This variable is incremented when a
        CoA-Request is sent and decremented due to receipt of
        a CoA-Ack, a CoA-NAK, or a timeout, or a
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 28 }

radiusDynAuthClientCoATimeouts OBJECT-TYPE
        "The number of CoA request timeouts to this server.
        After a timeout, the client may retry to the same
        server or give up. A retry to the same server is
        counted as a retransmit and as a timeout. A send to
        a different server is counted as a CoA-Request and
        as a timeout. This counter may experience a
        discontinuity when the DAC module (re)starts, as
        indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
    ::= { radiusDynAuthServerEntry 29 }

radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
        "The number of incoming CoA-Ack and CoA-NAK from this
        Dynamic Authorization Server silently discarded by the
        client application for some reason other than
        malformed, bad authenticators, or unknown types. This
        counter may experience a discontinuity when the DAC
        module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.2, Change-of-Authorization
        Messages (CoA), and Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 30 }

radiusDynAuthClientUnknownTypes OBJECT-TYPE
        "The number of incoming packets of unknown types
        that were received on the Dynamic Authorization port.
        This counter may experience a discontinuity when the
        DAC module (re)starts, as indicated by the value of
        radiusDynAuthClientCounterDiscontinuity."
        "RFC 3576, Section 2.3, Packet Format."
    ::= { radiusDynAuthServerEntry 31 }

radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
    UNITS "hundredths of a second"
        "The time (in hundredths of a second) since the
        last counter discontinuity. A discontinuity may
        be the result of a reinitialization of the DAC
        module within the managed entity."
    ::= { radiusDynAuthServerEntry 32 }

-- conformance information

radiusDynAuthClientMIBConformance
    OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
radiusDynAuthClientMIBCompliances
    OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
radiusDynAuthClientMIBGroups
    OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

-- compliance statements

radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
        "The compliance statement for entities implementing
        the RADIUS Dynamic Authorization Client.
        Implementation of this module is for entities that
        support IPv4 and/or IPv6."
    MODULE -- this module
    MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }

    OBJECT radiusDynAuthServerAddressType
    SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        "An implementation is only required to support IPv4 and
        globally unique IPv6 addresses."

    OBJECT radiusDynAuthServerAddress
    SYNTAX InetAddress (SIZE(4|16))
        "An implementation is only required to support IPv4 and
        globally unique IPv6 addresses."

    GROUP radiusDynAuthClientAuthOnlyGroup
        "Only required for Dynamic Authorization Clients that
        are supporting Service-Type attributes with value

    GROUP radiusDynAuthClientNoSessGroup
        "This group is not required if the Dynamic
        Authorization Server cannot easily determine whether
        a session exists (e.g., in case of a RADIUS
    ::= { radiusDynAuthClientMIBCompliances 1 }

-- units of conformance

radiusDynAuthClientMIBGroup OBJECT-GROUP
    OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
              radiusDynAuthClientCoAInvalidServerAddresses,
              radiusDynAuthServerAddressType,
              radiusDynAuthServerAddress,
              radiusDynAuthServerClientPortNumber,
              radiusDynAuthServerID,
              radiusDynAuthClientRoundTripTime,
              radiusDynAuthClientDisconRequests,
              radiusDynAuthClientDisconRetransmissions,
              radiusDynAuthClientDisconAcks,
              radiusDynAuthClientDisconNaks,
              radiusDynAuthClientMalformedDisconResponses,
              radiusDynAuthClientDisconBadAuthenticators,
              radiusDynAuthClientDisconPendingRequests,
              radiusDynAuthClientDisconTimeouts,
              radiusDynAuthClientDisconPacketsDropped,
              radiusDynAuthClientCoARequests,
              radiusDynAuthClientCoARetransmissions,
              radiusDynAuthClientCoAAcks,
              radiusDynAuthClientCoANaks,
              radiusDynAuthClientMalformedCoAResponses,
              radiusDynAuthClientCoABadAuthenticators,
              radiusDynAuthClientCoAPendingRequests,
              radiusDynAuthClientCoATimeouts,
              radiusDynAuthClientCoAPacketsDropped,
              radiusDynAuthClientUnknownTypes,
              radiusDynAuthClientCounterDiscontinuity
        "The collection of objects providing management of
        a RADIUS Dynamic Authorization Client."
    ::= { radiusDynAuthClientMIBGroups 1 }

radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
    OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
              radiusDynAuthClientDisconNakAuthOnlyRequest,
              radiusDynAuthClientCoAAuthOnlyRequest,
              radiusDynAuthClientCoANakAuthOnlyRequest
        "The collection of objects supporting the RADIUS
        messages including Service-Type attribute with
        value 'Authorize Only'."
    ::= { radiusDynAuthClientMIBGroups 2 }

radiusDynAuthClientNoSessGroup OBJECT-GROUP
    OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
              radiusDynAuthClientCoANakSessNoContext
        "The collection of objects supporting the RADIUS
        messages that are referring to non-existing sessions."
    ::= { radiusDynAuthClientMIBGroups 3 }
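
The counters in radiusDynAuthServerTable can only be compared between two polls when radiusDynAuthClientCounterDiscontinuity shows that the DAC module did not (re)start in between. The following Python code is an added example, not part of RFC 4672: it computes per-DAS deltas for the response-validation counters, tolerates one Counter32 wrap, and skips rows with a discontinuity. The polled values, alert thresholds, slack and helper names are assumptions constructed for the illustration.

```python
# Added example: per-DAS counter deltas from two polls of
# radiusDynAuthServerTable. Column names come from the MIB above; the polled
# values, thresholds and slack are constructed for this illustration.

COUNTER32_MOD = 2 ** 32
DISCONTINUITY = "radiusDynAuthClientCounterDiscontinuity"

# Response-validation counters a DAC operator would watch, with the growth
# per polling interval (assumed values) that raises an alert.
WATCHED = {
    "radiusDynAuthClientDisconBadAuthenticators": 1,
    "radiusDynAuthClientCoABadAuthenticators": 1,
    "radiusDynAuthClientMalformedDisconResponses": 5,
    "radiusDynAuthClientMalformedCoAResponses": 5,
    "radiusDynAuthClientUnknownTypes": 5,
}


def counter_delta(prev, curr):
    """Growth of a Counter32 between two samples, allowing one wrap."""
    return (curr - prev) % COUNTER32_MOD


def discontinuity_between(prev_row, curr_row, elapsed_ticks, slack_ticks):
    """True when the DAC module (re)started between the two polls.

    The discontinuity object holds the time since the last discontinuity in
    hundredths of a second, so without a restart it advances by roughly the
    polling interval. A value that fell behind that means the counters in
    this row were reset and their deltas are meaningless.
    """
    expected = prev_row[DISCONTINUITY] + elapsed_ticks
    return curr_row[DISCONTINUITY] + slack_ticks < expected


def analyse(prev_poll, curr_poll, elapsed_ticks, slack_ticks=200):
    """Compare two polls keyed by radiusDynAuthServerIndex.

    Returns (alerts, skipped): alerts are (index, column, delta) tuples,
    skipped are (index, reason) tuples for rows that cannot be compared.
    """
    alerts, skipped = [], []
    for index in sorted(curr_poll):
        curr = curr_poll[index]
        prev = prev_poll.get(index)
        if prev is None:
            skipped.append((index, "new row"))
        elif discontinuity_between(prev, curr, elapsed_ticks, slack_ticks):
            skipped.append((index, "counter discontinuity"))
        else:
            for column, threshold in WATCHED.items():
                delta = counter_delta(prev[column], curr[column])
                if delta >= threshold:
                    alerts.append((index, column, delta))
    return alerts, skipped


def make_row(discontinuity, **counters):
    """Build one constructed table row; unspecified counters are zero."""
    row = {column: 0 for column in WATCHED}
    row[DISCONTINUITY] = discontinuity
    for short_name, value in counters.items():
        row["radiusDynAuthClient" + short_name] = value
    return row


# Constructed samples, polled 60 s (6000 ticks) apart.
PREV_POLL = {
    1: make_row(100000, DisconBadAuthenticators=7),
    2: make_row(500000, DisconBadAuthenticators=40),
    3: make_row(250000, MalformedCoAResponses=4294967290),
}
CURR_POLL = {
    1: make_row(106000, DisconBadAuthenticators=10),   # 3 bad authenticators
    2: make_row(1500, DisconBadAuthenticators=2),      # DAC restarted 15 s ago
    3: make_row(256010, MalformedCoAResponses=4),      # Counter32 wrapped
}

if __name__ == "__main__":
    alerts, skipped = analyse(PREV_POLL, CURR_POLL, elapsed_ticks=6000)
    for index, column, delta in alerts:
        print(f"DAS {index}: {column} grew by {delta}")
    for index, reason in skipped:
        print(f"DAS {index}: skipped ({reason})")
```

Without the discontinuity check, row 2 would be read as a wrap and reported as billions of bad authenticators.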

5. Security Considerations

There are no management objects defined in this MIB module that have
a MAX-ACCESS clause of read-write and/or read-create. So, if this
MIB module is implemented correctly, then there is no risk that an
intruder can alter or create any management objects of this MIB
module via direct SNMP SET operations.

Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
1071 radiusDynAuthServerAddress and radiusDynAuthServerAddressType
1073 These can be used to determine the address of the DAS with which
1074 the DAC is communicating. This information could be useful in
1075 mounting an attack on the DAS.
1077 radiusDynAuthServerID
1079 This can be used to determine the Identifier of the DAS. This
1080 information could be useful in impersonating the DAS.
1082 radiusDynAuthServerClientPortNumber
1084 This can be used to determine the destination port number to which
1085 the DAC is sending. This information could be useful in mounting
1086 an attack on the DAS.
1088 SNMP versions prior to SNMPv3 did not include adequate security.
1089 Even if the network itself is secure (for example by using IPsec),
1090 even then, there is no control as to who on the secure network is
1091 allowed to access and GET/SET (read/change/create/delete) the objects
1094 It is RECOMMENDED that implementers consider the security features as
1095 provided by the SNMPv3 framework (see [RFC3410], section 8),
1096 including full support for the SNMPv3 cryptographic mechanisms (for
1097 authentication and privacy).
1099 Further, deployment of SNMP versions prior to SNMPv3 is NOT
1100 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
1101 enable cryptographic security. It is then a customer/operator
1102 responsibility to ensure that the SNMP entity giving access to an
1103 instance of this MIB module is properly configured to give access to
1104 the objects only to those principals (users) that have legitimate
1105 rights to indeed GET or SET (change/create/delete) them.
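An added example (not part of RFC 4672): a small audit of SNMP agent access directives that flags every SNMPv1/v2c community, and every SNMPv3 user whose minimum level is below priv, when its scope reaches this MIB module at 1.3.6.1.2.1.145 (mib-2 plus the IANA-assigned 145). The use of Net-SNMP snmpd.conf syntax, the function names and the sample configuration are assumptions made for illustration.

```python
# Added example, not from RFC 4672. Assumes Net-SNMP snmpd.conf syntax.
DAC_MIB = (1, 3, 6, 1, 2, 1, 145)  # mib-2 (1.3.6.1.2.1) plus IANA-assigned 145

SAMPLE = """\
# constructed snmpd.conf lines, not taken from RFC 4672
rocommunity public 10.0.0.0/8
rocommunity monitor 192.0.2.10 .1.3.6.1.2.1.2
rwcommunity private 192.0.2.10 .1.3.6.1.2.1.145
rouser nocuser noauth .1.3.6.1.2.1.145.1
rouser opsuser
rouser secuser priv .1.3.6.1.2.1.145
"""

def reaches_dac_mib(oid_text):
    """True if access granted at oid_text exposes any RFC 4672 object."""
    try:
        subtree = tuple(int(p) for p in oid_text.strip(".").split("."))
    except ValueError:
        return True  # symbolic name: not resolvable here, report for review
    n = min(len(subtree), len(DAC_MIB))
    return subtree[:n] == DAC_MIB[:n]  # contains the module, or lies inside it

def audit(conf_text):
    """Return (line number, directive, reason) for each risky access line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        kind = tok[0]
        if kind in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            scope = tok[3:]  # whatever follows COMMUNITY and SOURCE
            reason = "SNMPv1/v2c community: no cryptographic security"
        elif kind in ("rouser", "rwuser"):
            args = tok[3:] if tok[1:2] == ["-s"] else tok[1:]  # skip -s SECMODEL
            level = args[1] if len(args) > 1 else "auth"  # Net-SNMP default
            if level == "priv":
                continue  # authentication and privacy both required
            scope = args[2:]
            reason = "SNMPv3 minimum level '%s': unencrypted access allowed" % level
        else:
            continue
        # No OID means the whole tree; "-V VIEW" is reported for manual review.
        if scope and scope[0] != "-V" and not reaches_dac_mib(scope[0]):
            continue
        findings.append((lineno, kind, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```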
1107 6. IANA Considerations
1109 The IANA has assigned OID number 145 under mib-2.
1113 The authors would also like to acknowledge the following people for
1114 their comments on this document: Bernard Aboba, Alan DeKok, David
1115 Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
1116 Weber, Bert Wijnen, and Glen Zorn.
1129 8.1. Normative References
1131 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1132 Requirement Levels", BCP 14, RFC 2119, March 1997.
1134 [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
1135 "Structure of Management Information Version 2 (SMIv2)",
1136 STD 58, RFC 2578, April 1999.
1138 [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
1139 "Textual Conventions for SMIv2", STD 58, RFC 2579, April
1142 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
1143 "Conformance Statements for SMIv2", STD 58, RFC 2580,
1146 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
1147 Architecture for Describing Simple Network Management
1148 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
1151 [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
1152 Aboba, "Dynamic Authorization Extensions to Remote
1153 Authentication Dial In User Service (RADIUS)", RFC 3576,
1156 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
1157 Schoenwaelder, "Textual Conventions for Internet Network
1158 Addresses", RFC 4001, February 2005.
1160 8.2. Informative References
1162 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
1163 "Remote Authentication Dial In User Service (RADIUS)", RFC
1166 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
1167 "Introduction and Applicability Statements for Internet-
1168 Standard Management Framework", RFC 3410, December 2002.
1170 [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
1171 RFC 4669, August 2006.
1173 [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
1183 [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
1184 Authorization Server MIB", RFC 4673, September 2006.
1190 Francis Wellesplein 1
1194 Phone: +32 3 240 85 15
1195 EMail: stefaan.de_cnodder@alcatel.be
1200 Divyasree Chambers, B Wing, O'Shaugnessy Road
1201 Bangalore-560027, India
1203 Phone: +91 94487 60828
1204 EMail: njonnala@cisco.com
1212 Phone: +1 408 525 7198
1213 EMail: mchiba@cisco.com
1239 Full Copyright Statement
1241 Copyright (C) The Internet Society (2006).
1243 This document is subject to the rights, licenses and restrictions
1244 contained in BCP 78, and except as set forth therein, the authors
1245 retain all their rights.
1247 This document and the information contained herein are provided on an
1248 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1249 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1250 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1251 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1252 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1253 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1255 Intellectual Property
1257 The IETF takes no position regarding the validity or scope of any
1258 Intellectual Property Rights or other rights that might be claimed to
1259 pertain to the implementation or use of the technology described in
1260 this document or the extent to which any license under such rights
1261 might or might not be available; nor does it represent that it has
1262 made any independent effort to identify any such rights. Information
1263 on the procedures with respect to rights in RFC documents can be
1264 found in BCP 78 and BCP 79.
1266 Copies of IPR disclosures made to the IETF Secretariat and any
1267 assurances of licenses to be made available, or the result of an
1268 attempt made to obtain a general license or permission for the use of
1269 such proprietary rights by implementers or users of this
1270 specification can be obtained from the IETF on-line IPR repository at
1271 http://www.ietf.org/ipr.
1273 The IETF invites any interested party to bring to its attention any
1274 copyrights, patents or patent applications, or other proprietary
1275 rights that may cover technology that may be required to implement
1276 this standard. Please address the information to the IETF at
1281 Funding for the RFC Editor function is provided by the IETF
1282 Administrative Support Activity (IASA).