Network Working Group                                       S. De Cnodder
Request for Comments: 4673                                        Alcatel
Category: Informational                                        N. Jonnala
                                                                 M. Chiba
                                                      Cisco Systems, Inc.
                                                           September 2006


                RADIUS Dynamic Authorization Server MIB

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial-In User
   Service (RADIUS) (RFC 2865) Dynamic Authorization Server (DAS)
   functions that support the dynamic authorization extensions as

Table of Contents

   1. Introduction
      1.1. Requirements Notation
      1.2. Terminology
   2. The Internet-Standard Management Framework
   3. Overview
   4. RADIUS Dynamic Authorization Server MIB Definitions
   5. Security Considerations
   6. IANA Considerations
   7. Acknowledgements
   8. References
      8.1. Normative References
      8.2. Informative References
De Cnodder, et al.           Informational                      [Page 1]

RFC 4673        RADIUS Dynamic Authorization Server MIB    September 2006
1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on the network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages
   as described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Server (DAS) MIB complements the
   managed objects used for managing RADIUS authentication and
   accounting clients as described in [RFC4668] and [RFC4670],

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS that processes the Disconnect
      and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
      the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component that sends Disconnect and CoA-Request packets to the
      Dynamic Authorization Server.  Although this component often resides
      on the RADIUS server, it is also possible for it to be located on a
      separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   Managed objects are accessed via a virtual information store, termed
   the Management Information Base, or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
   CoA-Request, CoA-ACK, and CoA-NAK packets.  Typically, NAS devices
   implement the DAS function, and thus would be expected to implement
   the RADIUS Dynamic Authorization Server MIB, whereas DACs implement
   the client function and thus would be expected to implement the
   RADIUS Dynamic Authorization Client MIB.

   However, it is possible for a RADIUS Dynamic Authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for Dynamic Authorization Servers and
   relates to the following documents:

   [RFC4668] describes the RADIUS Authentication Client MIB.

   [RFC4669] describes the RADIUS Authentication Server MIB.

   [RFC4670] describes the RADIUS Accounting Client MIB.

   [RFC4671] describes the RADIUS Accounting Server MIB.

   [RFC4672] describes the RADIUS Dynamic Authorization Client MIB.

   A NAS typically implements the MIBs for a RADIUS Authentication
   Client, a RADIUS Accounting Client, and a RADIUS Dynamic
   Authorization Server.  However, any one MIB can be implemented
   without implementing any of the other MIBs; i.e., the MIBs have no
   dependencies on each other.  A typical case would be for a device to
   implement the MIBs for a RADIUS Authentication Server, a RADIUS
   Accounting Server, and a RADIUS Dynamic Authorization Client.  A
   RADIUS proxy might implement any, all, or a subset of the MIBs listed
   above and the MIB as defined in this document.
             +---------------+                      +---------------+
   User 1----|               |  Disconnect-Request  |               |
             |    Dynamic    |      CoA-Request     |    Dynamic    |
   User 2----| Authorization |<---------------------| Authorization |
             |    Server     |--------------------->|    Client     |
   User 3----|     (DAS)     |    Disconnect-Ack    |     (DAC)     |
             |               |    Disconnect-NAK    |               |
             +---------------+   CoA-Ack/CoA-NAK    +---------------+

                  Figure 1.  Mapping of clients and servers

   This MIB module for the Dynamic Authorization Server contains the

   1. Three scalar objects.

   2. One Dynamic Authorization Client Table.  This table contains one
      row for each DAC with which the DAS shares a secret.
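   The exchange in Figure 1, worked through as an added example that is
   not part of RFC 4673 or of any RADIUS implementation: a small Dynamic
   Authorization Server receive path in Python that parses
   Disconnect-Request and CoA-Request datagrams, verifies the Request
   Authenticator against the shared secret, answers with an ACK or NAK
   carrying a correct Response Authenticator, and counts each outcome
   under the object names that the MIB module in Section 4 defines
   (unknown client address, unknown type, malformed, bad authenticator,
   duplicate, no session context).  The packet codes 40 to 45, the
   authenticator construction and Error-Cause 503 are taken from
   RFC 3576 and RFC 2865; the addresses 192.0.2.10 and 198.51.100.7, the
   shared secret and the session identifiers are constructed for the
   example, the socket layer is left out, and the Authorize Only path is
   omitted.

```python
# Added example, not code from RFC 4673 or any RADIUS product: a DAS receive path whose
# bookkeeping mirrors RADIUS-DYNAUTH-SERVER-MIB.  Codes, authenticators and Error-Cause 503
# follow RFC 3576 / RFC 2865; addresses, secret and session ids are constructed test data.
import hashlib
import hmac
import struct
from collections import Counter

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND = 44, 101, 503
HEADER = struct.Struct("!BBH16s")        # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    return b"".join(bytes((t, 2 + len(v))) + v for t, v in attrs)

def parse_attrs(data):  # -> [(type, value)]; ValueError on a malformed TLV stream
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def request_auth(code, ident, attrs_bytes, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, ident, length, bytes(16)) + attrs_bytes + secret).digest()

def build_request(code, ident, attrs, secret):
    a = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(a), request_auth(code, ident, a, secret)) + a

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5 over the reply header carrying the request's Authenticator."""
    a = encode_attrs(attrs)
    digest = hashlib.md5(HEADER.pack(code, ident, HEADER.size + len(a), req_auth) + a + secret).digest()
    return HEADER.pack(code, ident, HEADER.size + len(a), digest) + a

class DynAuthServer:
    def __init__(self, clients, sessions):
        self.clients = clients                      # DAC address -> shared secret (the client table)
        self.sessions = set(sessions)               # Acct-Session-Ids of sessions live on this NAS
        self.scalars, self.seen = Counter(), {}     # radiusDynAuthServer* scalars; cached replies
        self.rows = {addr: Counter() for addr in clients}     # one conceptual row per DAC

    def handle(self, src, pkt):
        """Process one datagram from src; return the reply, or None when it is silently dropped."""
        code = pkt[0] if pkt else -1
        kind = "Discon" if code == DISCONNECT_REQUEST else "CoA"
        if src not in self.clients:                 # unknown DAC: no secret to check, never answered
            if code in (DISCONNECT_REQUEST, COA_REQUEST):
                self.scalars[f"radiusDynAuthServer{kind}InvalidClientAddresses"] += 1
            return None
        row, secret = self.rows[src], self.clients[src]
        if code not in (DISCONNECT_REQUEST, COA_REQUEST):
            row["radiusDynAuthServUnknownTypes"] += 1           # e.g. an ACK/NAK aimed at the DAS port
            return None
        try:
            _, ident, length, auth = HEADER.unpack_from(pkt)    # struct.error if under 20 octets
            if length != len(pkt): raise ValueError("length field does not match datagram")
            attrs = dict(parse_attrs(pkt[HEADER.size:]))
        except (struct.error, ValueError):
            row[f"radiusDynAuthServMalformed{kind}Requests"] += 1   # excludes bad authenticators
            return None
        if not hmac.compare_digest(auth, request_auth(code, ident, pkt[HEADER.size:], secret)):
            row[f"radiusDynAuthServ{kind}BadAuthenticators"] += 1   # wrong secret or tampered packet
            return None
        key = (src, ident, auth)
        if key in self.seen:                        # retransmission: count it, resend the cached reply
            row[f"radiusDynAuthServDup{kind}Requests"] += 1
            return self.seen[key]
        row[f"radiusDynAuthServ{kind}Requests"] += 1
        ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if kind == "Discon" else (COA_ACK, COA_NAK)
        session = attrs.get(ATTR_ACCT_SESSION_ID)   # a missing id is treated as no session context
        if session not in self.sessions:
            row[f"radiusDynAuthServ{kind}NakSessNoContext"] += 1
            row[f"radiusDynAuthServ{kind}Naks"] += 1
            cause = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))]
            reply = build_response(nak, ident, auth, cause, secret)
        else:
            if kind == "Discon":
                self.sessions.discard(session)
                row["radiusDynAuthServDisconUserSessRemoved"] += 1
            else:
                row["radiusDynAuthServCoAUserSessChanged"] += 1  # new authorization applied here
            row[f"radiusDynAuthServ{kind}Acks"] += 1
            reply = build_response(ack, ident, auth, [], secret)
        self.seen[key] = reply
        return reply

def demo():
    """Drive the DAS with constructed traffic; return (scalars, the client-table row for the DAC)."""
    secret, dac, rogue = b"constructed-secret", "192.0.2.10", "198.51.100.7"
    das = DynAuthServer({dac: secret}, [b"sess-0001", b"sess-0002"])
    good = build_request(DISCONNECT_REQUEST, 1, [(ATTR_ACCT_SESSION_ID, b"sess-0001")], secret)
    traffic = [(dac, good), (dac, good),                                        # ACK, then duplicate
               (dac, build_request(COA_REQUEST, 2, [(ATTR_ACCT_SESSION_ID, b"sess-0002")], secret)),
               (dac, build_request(COA_REQUEST, 3, [(ATTR_ACCT_SESSION_ID, b"gone")], secret)),  # NAK 503
               (dac, build_request(DISCONNECT_REQUEST, 4, [], b"wrong-secret")),  # bad authenticator
               (dac, good[:10]), (dac, build_request(COA_ACK, 5, [], secret)),  # malformed, unknown type
               (rogue, good)]                                                   # unknown DAC address
    for src, pkt in traffic:
        das.handle(src, pkt)
    return das.scalars, das.rows[dac]
```

   The ordering of the checks is the point: the source address is tested
   before anything is parsed, because a packet from an address that is
   not in the client table has no shared secret to validate against and
   is counted only in the two scalars; a bad Authenticator is counted
   separately from a malformed packet, as the object descriptions in
   Section 4 require; and a retransmission is answered from the cache so
   that a DAC retrying an already-honoured Disconnect-Request gets the
   ACK again instead of a misleading Session-Context-Not-Found NAK.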
4.  RADIUS Dynamic Authorization Server MIB Definitions

RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, Integer32, mib-2,
       TimeTicks              FROM SNMPv2-SMI         -- [RFC2578]
       SnmpAdminString        FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
       InetAddress            FROM INET-ADDRESS-MIB   -- [RFC4001]
       OBJECT-GROUP           FROM SNMPv2-CONF;       -- [RFC2580]

radiusDynAuthServerMIB MODULE-IDENTITY
       LAST-UPDATED "200608290000Z" -- 29 August 2006
       ORGANIZATION "IETF RADEXT Working Group"
                     Francis Wellesplein 1
                     Phone:  +32 3 240 85 15
                     EMail:  stefaan.de_cnodder@alcatel.be
                     Divyasree Chambers, B Wing,
                     Bangalore-560027, India.
                     Phone:  +91 94487 60828
                     EMail:  njonnala@cisco.com
                     Phone:  +1 408 525 7198
                     EMail:  mchiba@cisco.com "
             "The MIB module for entities implementing the server
              side of the Dynamic Authorization Extensions to the
              Remote Authentication Dial-In User Service (RADIUS)
              protocol.  Copyright (C) The Internet Society (2006).
              Initial version as published in RFC 4673; for full
              legal notices see the RFC itself."
       REVISION    "200608290000Z" -- 29 August 2006
       DESCRIPTION "Initial version as published in RFC 4673."

radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                  { radiusDynAuthServerMIB 1 }

radiusDynAuthServerScalars OBJECT IDENTIFIER ::=
                                  { radiusDynAuthServerMIBObjects 1 }

radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
             "The number of Disconnect-Request packets received from
              unknown addresses.  This counter may experience a
              discontinuity when the DAS module (re)starts, as
              indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
       ::= { radiusDynAuthServerScalars 1 }

radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
             "The number of CoA-Request packets received from unknown
              addresses.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
       ::= { radiusDynAuthServerScalars 2 }

radiusDynAuthServerIdentifier OBJECT-TYPE
       SYNTAX     SnmpAdminString
             "The NAS-Identifier of the RADIUS Dynamic Authorization
              Server.  This is not necessarily the same as sysName in
             "RFC 2865, Section 5.32, NAS-Identifier."
       ::= { radiusDynAuthServerScalars 3 }
radiusDynAuthClientTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusDynAuthClientEntry
       MAX-ACCESS not-accessible
             "The (conceptual) table listing the RADIUS Dynamic
              Authorization Clients with which the server shares a
              secret."
       ::= { radiusDynAuthServerMIBObjects 2 }

radiusDynAuthClientEntry OBJECT-TYPE
       SYNTAX     RadiusDynAuthClientEntry
       MAX-ACCESS not-accessible
             "An entry (conceptual row) representing one Dynamic
              Authorization Client with which the server shares a
              secret."
       INDEX      { radiusDynAuthClientIndex }
       ::= { radiusDynAuthClientTable 1 }

RadiusDynAuthClientEntry ::= SEQUENCE {
       radiusDynAuthClientIndex                     Integer32,
       radiusDynAuthClientAddressType               InetAddressType,
       radiusDynAuthClientAddress                   InetAddress,
       radiusDynAuthServDisconRequests              Counter32,
       radiusDynAuthServDisconAuthOnlyRequests      Counter32,
       radiusDynAuthServDupDisconRequests           Counter32,
       radiusDynAuthServDisconAcks                  Counter32,
       radiusDynAuthServDisconNaks                  Counter32,
       radiusDynAuthServDisconNakAuthOnlyRequests   Counter32,
       radiusDynAuthServDisconNakSessNoContext      Counter32,
       radiusDynAuthServDisconUserSessRemoved       Counter32,
       radiusDynAuthServMalformedDisconRequests     Counter32,
       radiusDynAuthServDisconBadAuthenticators     Counter32,
       radiusDynAuthServDisconPacketsDropped        Counter32,
       radiusDynAuthServCoARequests                 Counter32,
       radiusDynAuthServCoAAuthOnlyRequests         Counter32,
       radiusDynAuthServDupCoARequests              Counter32,
       radiusDynAuthServCoAAcks                     Counter32,
       radiusDynAuthServCoANaks                     Counter32,
       radiusDynAuthServCoANakAuthOnlyRequests      Counter32,
       radiusDynAuthServCoANakSessNoContext         Counter32,
       radiusDynAuthServCoAUserSessChanged          Counter32,
       radiusDynAuthServMalformedCoARequests        Counter32,
       radiusDynAuthServCoABadAuthenticators        Counter32,
       radiusDynAuthServCoAPacketsDropped           Counter32,
       radiusDynAuthServUnknownTypes                Counter32,
       radiusDynAuthServerCounterDiscontinuity      TimeTicks
}

radiusDynAuthClientIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
             "A number uniquely identifying each RADIUS Dynamic
              Authorization Client with which this Dynamic
              Authorization Server communicates.  This number is
              allocated by the agent implementing this MIB module
              and is unique in this context."
       ::= { radiusDynAuthClientEntry 1 }

radiusDynAuthClientAddressType OBJECT-TYPE
       SYNTAX     InetAddressType
             "The type of IP address of the RADIUS Dynamic
              Authorization Client referred to in this table entry."
       ::= { radiusDynAuthClientEntry 2 }

radiusDynAuthClientAddress OBJECT-TYPE
             "The IP address value of the RADIUS Dynamic
              Authorization Client referred to in this table entry,
              using the version neutral IP address format.  The type
              of this address is determined by the value of
              the radiusDynAuthClientAddressType object."
       ::= { radiusDynAuthClientEntry 3 }

radiusDynAuthServDisconRequests OBJECT-TYPE
             "The number of RADIUS Disconnect-Requests received
              from this Dynamic Authorization Client.  This also
              includes the RADIUS Disconnect-Requests that have a
              Service-Type attribute with value 'Authorize Only'.
              This counter may experience a discontinuity when the
              DAS module (re)starts as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 4 }

radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE
             "The number of RADIUS Disconnect-Requests that include
              a Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Client.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 5 }

radiusDynAuthServDupDisconRequests OBJECT-TYPE
             "The number of duplicate RADIUS Disconnect-Request
              packets received from this Dynamic Authorization
              Client.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 6 }

radiusDynAuthServDisconAcks OBJECT-TYPE
             "The number of RADIUS Disconnect-ACK packets sent to
              this Dynamic Authorization Client.  This counter may
              experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 7 }

radiusDynAuthServDisconNaks OBJECT-TYPE
             "The number of RADIUS Disconnect-NAK packets
              sent to this Dynamic Authorization Client.  This
              includes the RADIUS Disconnect-NAK packets sent
              with a Service-Type attribute with value 'Authorize
              Only' and the RADIUS Disconnect-NAK packets sent
              because no session context was found.  This counter
              may experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 8 }

radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE
             "The number of RADIUS Disconnect-NAK packets that
              include a Service-Type attribute with value
              'Authorize Only' sent to this Dynamic Authorization
              Client.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 9 }

radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE
             "The number of RADIUS Disconnect-NAK packets
              sent to this Dynamic Authorization Client
              because no session context was found.  This counter may
              experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 10 }

radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
             "The number of user sessions removed for the
              Disconnect-Requests received from this
              Dynamic Authorization Client.  Depending on site-
              specific policies, a single Disconnect request
              can remove multiple user sessions.  In cases where
              this Dynamic Authorization Server has no
              knowledge of the number of user sessions that
              are affected by a single request, each such
              Disconnect-Request will count as a single
              affected user session only.  This counter may experience
              a discontinuity when the DAS module (re)starts, as
              indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 11 }

radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
             "The number of malformed RADIUS Disconnect-Request
              packets received from this Dynamic Authorization
              Client.  Bad authenticators and unknown types are not
              included as malformed Disconnect-Requests.  This counter
              may experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 12 }
radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
             "The number of RADIUS Disconnect-Request packets
              that contained an invalid Authenticator field
              received from this Dynamic Authorization Client.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 13 }

radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
             "The number of incoming Disconnect-Requests
              from this Dynamic Authorization Client silently
              discarded by the server application for some reason
              other than malformed, bad authenticators, or unknown
              types.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 14 }

radiusDynAuthServCoARequests OBJECT-TYPE
             "The number of RADIUS CoA-requests received from this
              Dynamic Authorization Client.  This also includes
              the CoA requests that have a Service-Type attribute
              with value 'Authorize Only'.  This counter may
              experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 15 }

radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE
             "The number of RADIUS CoA-requests that include a
              Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Client.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 16 }

radiusDynAuthServDupCoARequests OBJECT-TYPE
             "The number of duplicate RADIUS CoA-Request packets
              received from this Dynamic Authorization Client.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 17 }

radiusDynAuthServCoAAcks OBJECT-TYPE
             "The number of RADIUS CoA-ACK packets sent to this
              Dynamic Authorization Client.  This counter may
              experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 18 }

radiusDynAuthServCoANaks OBJECT-TYPE
             "The number of RADIUS CoA-NAK packets sent to
              this Dynamic Authorization Client.  This includes
              the RADIUS CoA-NAK packets sent with a Service-Type
              attribute with value 'Authorize Only' and the RADIUS
              CoA-NAK packets sent because no session context was
              found.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 19 }

radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE
             "The number of RADIUS CoA-NAK packets that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Client.  This counter
              may experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 20 }

radiusDynAuthServCoANakSessNoContext OBJECT-TYPE
             "The number of RADIUS CoA-NAK packets sent to this
              Dynamic Authorization Client because no session context
              was found.  This counter may experience a discontinuity
              when the DAS module (re)starts, as indicated by the
              value of radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 21 }

radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
             "The number of user sessions authorization
              changed for the CoA-Requests received from this
              Dynamic Authorization Client.  Depending on site-
              specific policies, a single CoA request can change
              multiple user sessions' authorization.  In cases where
              this Dynamic Authorization Server has no knowledge of
              the number of user sessions that are affected by a
              single request, each such CoA-Request will
              count as a single affected user session only.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 22 }

radiusDynAuthServMalformedCoARequests OBJECT-TYPE
             "The number of malformed RADIUS CoA-Request packets
              received from this Dynamic Authorization Client.  Bad
              authenticators and unknown types are not included as
              malformed CoA-Requests.  This counter may experience a
              discontinuity when the DAS module (re)starts, as
              indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 23 }

radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
             "The number of RADIUS CoA-Request packets that
              contained an invalid Authenticator field received
              from this Dynamic Authorization Client.  This counter
              may experience a discontinuity when the DAS module
              (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 24 }

radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
             "The number of incoming CoA packets from this
              Dynamic Authorization Client silently discarded
              by the server application for some reason other than
              malformed, bad authenticators, or unknown types.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 25 }

radiusDynAuthServUnknownTypes OBJECT-TYPE
             "The number of incoming packets of unknown types that
              were received on the Dynamic Authorization port.  This
              counter may experience a discontinuity when the DAS
              module (re)starts, as indicated by the value of
              radiusDynAuthServerCounterDiscontinuity."
             "RFC 3576, Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 26 }

radiusDynAuthServerCounterDiscontinuity OBJECT-TYPE
       UNITS      "hundredths of a second"
             "The time (in hundredths of a second) since the
              last counter discontinuity.  A discontinuity may
              be the result of a reinitialization of the DAS
              module within the managed entity."
       ::= { radiusDynAuthClientEntry 27 }

-- conformance information

radiusDynAuthServerMIBConformance
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
radiusDynAuthServerMIBCompliances
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
radiusDynAuthServerMIBGroups
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

-- compliance statements

radiusAuthServerMIBCompliance MODULE-COMPLIANCE
             "The compliance statement for entities implementing
              the RADIUS Dynamic Authorization Server.  Implementation
              of this module is for entities that support IPv4 and/or
       MODULE -- this module
       MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }

       OBJECT radiusDynAuthClientAddressType
       SYNTAX InetAddressType { ipv4(1), ipv6(2) }
             "An implementation is only required to support IPv4 and
              globally unique IPv6 addresses."

       OBJECT radiusDynAuthClientAddress
       SYNTAX InetAddress (SIZE(4|16))
             "An implementation is only required to support IPv4 and
              globally unique IPv6 addresses."

       GROUP radiusDynAuthServerAuthOnlyGroup
             "Only required for Dynamic Authorization Clients that
              are supporting Service-Type attributes with value
              'Authorize Only'."

       GROUP radiusDynAuthServerNoSessGroup
             "This group is not required if the Dynamic
              Authorization Server cannot easily determine whether
              a session exists (e.g., in case of a RADIUS
       ::= { radiusDynAuthServerMIBCompliances 1 }

-- units of conformance

radiusDynAuthServerMIBGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                 radiusDynAuthServerCoAInvalidClientAddresses,
                 radiusDynAuthServerIdentifier,
                 radiusDynAuthClientAddressType,
                 radiusDynAuthClientAddress,
                 radiusDynAuthServDisconRequests,
                 radiusDynAuthServDupDisconRequests,
                 radiusDynAuthServDisconAcks,
                 radiusDynAuthServDisconNaks,
                 radiusDynAuthServDisconUserSessRemoved,
                 radiusDynAuthServMalformedDisconRequests,
                 radiusDynAuthServDisconBadAuthenticators,
                 radiusDynAuthServDisconPacketsDropped,
                 radiusDynAuthServCoARequests,
                 radiusDynAuthServDupCoARequests,
                 radiusDynAuthServCoAAcks,
                 radiusDynAuthServCoANaks,
                 radiusDynAuthServCoAUserSessChanged,
                 radiusDynAuthServMalformedCoARequests,
                 radiusDynAuthServCoABadAuthenticators,
                 radiusDynAuthServCoAPacketsDropped,
                 radiusDynAuthServUnknownTypes,
                 radiusDynAuthServerCounterDiscontinuity
               }
             "The collection of objects providing management of
              a RADIUS Dynamic Authorization Server."
       ::= { radiusDynAuthServerMIBGroups 1 }

radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
                 radiusDynAuthServDisconNakAuthOnlyRequests,
                 radiusDynAuthServCoAAuthOnlyRequests,
                 radiusDynAuthServCoANakAuthOnlyRequests
               }
             "The collection of objects supporting the RADIUS
              messages including Service-Type attribute with
              value 'Authorize Only'."
       ::= { radiusDynAuthServerMIBGroups 2 }

radiusDynAuthServerNoSessGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServDisconNakSessNoContext,
                 radiusDynAuthServCoANakSessNoContext
               }
             "The collection of objects supporting the RADIUS
              messages that are referring to non-existing sessions."
       ::= { radiusDynAuthServerMIBGroups 3 }

END
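   Consuming these counters from a poller, as an added example that is
   not part of RFC 4673: every Counter32 delta is taken modulo 2^32 so
   that a wrap does not appear as a huge negative step, and an interval
   is discarded when radiusDynAuthServerCounterDiscontinuity (in
   hundredths of a second) reports less time since the last
   discontinuity than has elapsed since the previous poll, which is how
   a DAS restart between two polls shows up.  On top of the deltas sits
   a simple detection rule: a burst of bad authenticators, or any packet
   from an address outside the client table, is what probing of the
   Dynamic Authorization port looks like from the agent.  The poll
   samples are constructed (they stand for what an SNMP GET of the two
   scalars and of one client-table row would return); the rule names and
   thresholds are assumptions, not values from this document.

```python
"""Added example (not from RFC 4673): rates from RADIUS-DYNAUTH-SERVER-MIB Counter32 objects
with discontinuity handling, plus an alert rule over the deltas.  Polls are constructed."""
COUNTER32_MOD = 2 ** 32
TICKS_PER_SECOND = 100          # TimeTicks are hundredths of a second

BAD_AUTH = ("radiusDynAuthServDisconBadAuthenticators",
            "radiusDynAuthServCoABadAuthenticators")
UNKNOWN_DAC = ("radiusDynAuthServerDisconInvalidClientAddresses",
               "radiusDynAuthServerCoAInvalidClientAddresses")
# rule name -> (objects summed over the interval, threshold); names and thresholds are assumptions
ALERT_RULES = {"bad-authenticators": (BAD_AUTH, 5), "unknown-dac-address": (UNKNOWN_DAC, 1)}


class CounterTracker:
    """Remembers the previous poll of one DAS and turns the next poll into deltas."""

    def __init__(self):
        self.prev = None        # (poll time in seconds, discontinuity ticks, counters)

    def update(self, now, discontinuity_ticks, counters):
        """Return {object: delta} for the interval, or None when no delta is valid."""
        prev, self.prev = self.prev, (now, discontinuity_ticks, dict(counters))
        if prev is None:
            return None                                  # first poll: nothing to diff against
        elapsed_ticks = (now - prev[0]) * TICKS_PER_SECOND
        # Without a restart the reported time since the last discontinuity keeps growing,
        # so it can only be smaller than the polling interval if the counters were reset.
        if discontinuity_ticks < elapsed_ticks:
            return None
        return {k: (counters[k] - prev[2][k]) % COUNTER32_MOD for k in counters}


def evaluate(deltas):
    """Names of the rules whose summed delta reaches the threshold."""
    return [name for name, (objects, threshold) in ALERT_RULES.items()
            if sum(deltas.get(o, 0) for o in objects) >= threshold]


def demo():
    """Five constructed polls 60 s apart (a wrap, a restart, a rogue DAC); alerts per poll."""
    bd, bc, ud, uc = BAD_AUTH + UNKNOWN_DAC
    polls = [
        (0,   500_000, {bd: 4_294_967_290, bc: 0, ud: 3, uc: 0}),
        (60,  506_000, {bd: 4_294_967_292, bc: 0, ud: 3, uc: 0}),   # +2 bad authenticators: quiet
        (120, 512_000, {bd: 4,             bc: 2, ud: 3, uc: 0}),   # Counter32 wrapped: +8 and +2
        (180, 300,     {bd: 0,             bc: 0, ud: 0, uc: 0}),   # DAS restarted 3 s ago: skip
        (240, 6_300,   {bd: 0,             bc: 0, ud: 1, uc: 0}),   # one packet from an unknown DAC
    ]
    tracker, results = CounterTracker(), []
    for now, ticks, counters in polls:
        deltas = tracker.update(now, ticks, counters)
        results.append(None if deltas is None else evaluate(deltas))
    return results
```

   The restart poll is not simply dropped: the tracker still stores it
   as the new baseline, so the following interval is measured from the
   post-restart values rather than being lost as well.  TimeTicks itself
   wraps after about 497 days; a production poller would also compare
   the absolute discontinuity times of consecutive polls rather than
   rely on the single comparison used here.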
5.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.
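   How this advice looks on the net-snmp agent, as an added example that
   is not part of RFC 4673: the first fragment is the weak configuration
   the text warns against, the second an SNMPv3 user with authentication
   and privacy whose read access is confined to this MIB module (mib-2
   is 1.3.6.1.2.1, so the assignment in Section 6 places
   radiusDynAuthServerMIB at 1.3.6.1.2.1.146).  The user name, the
   passphrases and the view name are placeholders.

```conf
# Added example, not from RFC 4673: net-snmp snmpd.conf fragments.
# User name, passphrases and view name are placeholders; 1.3.6.1.2.1.146
# is radiusDynAuthServerMIB (mib-2 = 1.3.6.1.2.1, assignment 146).

# --- Weak: SNMPv1/v2c community string, sent in clear, no user identity,
#     and the whole MIB tree (including the DAC address table) is readable.
rocommunity public

# --- Hardened: an SNMPv3 USM user with authentication and privacy,
#     confined to this MIB module through a view.
createUser dasmon SHA "replace-with-auth-passphrase" AES "replace-with-priv-passphrase"
view dasview included .1.3.6.1.2.1.146
rouser dasmon priv -V dasview
```

   The createUser line is consumed at start-up: the agent hashes the
   passphrases into localized keys in its persistent configuration and
   removes the clear-text line, so it is normally placed in the
   persistent snmpd.conf rather than the one under version control.
   Requiring the priv security level rejects authNoPriv requests from the
   same user, which matters here because the client addresses in
   radiusDynAuthClientTable are exactly the objects the text says should
   not travel in clear.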
6.  IANA Considerations

   The IANA has assigned OID number 146 under mib-2.

7.  Acknowledgements

   The authors would like to acknowledge the following people for their
   comments on this document: Bernard Aboba, Alan DeKok, David Nelson,
   Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg Weber,
   Bert Wijnen, and Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579, April

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.
8.2. Informative References

[RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
           "Remote Authentication Dial In User Service (RADIUS)", RFC

[RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
           "Introduction and Applicability Statements for Internet-
           Standard Management Framework", RFC 3410, December 2002.

[RFC4668]  Nelson, D., "RADIUS Authentication Client MIB for IPv6",
           RFC 4668, August 2006.

[RFC4669]  Nelson, D., "RADIUS Authentication Server MIB for IPv6",
           RFC 4669, August 2006.

[RFC4670]  Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC

[RFC4671]  Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC

[RFC4672]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
           Authorization Client MIB", RFC 4672, September 2006.
Authors' Addresses

Francis Wellesplein 1

Phone: +32 3 240 85 15
EMail: stefaan.de_cnodder@alcatel.be

Divyasree Chambers, B Wing, O'Shaugnessy Road
Bangalore-560027, India

Phone: +91 94487 60828
EMail: njonnala@cisco.com

Phone: +1 408 525 7198
EMail: mchiba@cisco.com
Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).