Network Working Group                                          D. Nelson
Request for Comments: 4670                            Enterasys Networks
Obsoletes: 2620                                              August 2006
Category: Informational

RADIUS Accounting Client MIB for IPv6

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this

Copyright (C) The Internet Society (2006).

This memo defines a set of extensions that instrument RADIUS
accounting client functions. These extensions represent a portion of
the Management Information Base (MIB) for use with network management
protocols in the Internet community. Using these extensions,
IP-based management stations can manage RADIUS accounting clients.

This memo obsoletes RFC 2620 by deprecating the MIB table containing
IPv4-only address formats and defining a new table to add support for
version-neutral IP address formats. The remaining MIB objects from
RFC 2620 are carried forward into this document. This memo also adds
UNITS and REFERENCE clauses to selected objects.

Nelson                       Informational                      [Page 1]

RFC 4670          RADIUS Acct Client MIB (IPv6)             August 2006

1. Introduction
2. Terminology
3. The Internet-Standard Management Framework
4. Scope of Changes
5. Structure of the MIB Module
6. Deprecated Objects
7. Definitions
8. Security Considerations
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Acknowledgements

1. Introduction

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
The objects defined within this memo relate to the Remote
Authentication Dial-In User Service (RADIUS) Accounting Client as
defined in RFC 2866 [RFC2866].

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses terminology from RFC 2865 [RFC2865] and RFC 2866

This document uses the word "malformed" with respect to RADIUS
packets, particularly in the context of counters of "malformed
packets". While RFC 2866 does not provide an explicit definition of
"malformed", malformed generally means that the implementation has
determined the packet does not match the format defined in RFC 2866.
Those implementations are used in deployments today, and thus set the
de facto definition of "malformed".

3. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580

4. Scope of Changes

This document obsoletes RFC 2620 [RFC2620], RADIUS Accounting Client
MIB, by deprecating the radiusAccServerTable table and adding a new
table, radiusAccServerExtTable, containing
radiusAccServerInetAddressType, radiusAccServerInetAddress, and
radiusAccClientServerInetPortNumber. The purpose of these added MIB
objects is to support version-neutral IP addressing formats. The
existing table containing radiusAuthServerAddress and
radiusAuthClientServerPortNumber is deprecated. The remaining MIB
objects from RFC 2620 are carried forward into this document.

RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
IPv6 addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP. The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated". The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5. Structure of the MIB Module

The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
distinguishes between the client function and the server function.
In RADIUS accounting, clients send Accounting-Requests, and servers
reply with Accounting-Responses. Typically, Network Access Server
(NAS) devices implement the client function, and thus would be
expected to implement the RADIUS accounting client MIB, while RADIUS
accounting servers implement the server function, and thus would be
expected to implement the RADIUS accounting server MIB.

However, it is possible for a RADIUS accounting entity to perform
both client and server functions. For example, a RADIUS proxy may
act as a server to one or more RADIUS accounting clients, while
simultaneously acting as an accounting client to one or more
accounting servers. In such situations, it is expected that RADIUS
entities combining client and server functionality will support both
the client and server MIBs. The client MIB is defined in this
document, and the server MIB is defined in [RFC4671].

This MIB module contains two scalars as well as a single table, the
RADIUS Accounting Server Table, which contains one row for each
RADIUS server with which the client shares a secret. Each entry in
the RADIUS Accounting Server Table includes fifteen columns
presenting a view of the activity of the RADIUS client.

This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].

6. Deprecated Objects

The deprecated table in this MIB is carried forward from RFC 2620
[RFC2620]. There are two conditions under which it MAY be desirable
for managed entities to continue to support the deprecated table:

1. The managed entity only supports IPv4 address formats.

2. The managed entity supports both IPv4 and IPv6 address formats,
   and the deprecated table is supported for backwards compatibility
   with older management stations. This option SHOULD only be used
   when the IP addresses in the new table are in IPv4 format and can
   accurately be represented in both the new table and the

Managed entities SHOULD NOT instantiate row entries in the deprecated
table, containing IPv4-only address objects, when the RADIUS
accounting server address represented in such a table row is not an
IPv4 address. Managed entities SHOULD NOT return inaccurate values
of IP address or SNMP object access errors for IPv4-only address
objects in otherwise populated tables. When row entries exist in
both the deprecated IPv4-only table and the new IP-version-neutral
table that describe the same RADIUS accounting server, the row
indexes SHOULD be the same for the corresponding rows in each table,
to facilitate correlation of these related rows by management

7. Definitions

RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN

    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    Counter32, Integer32, Gauge32,
    IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
    SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
    InetAddressType, InetAddress,
    InetPortNumber                   FROM INET-ADDRESS-MIB
    MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAccClientMIB MODULE-IDENTITY
    LAST-UPDATED "200608210000Z" -- 21 August 2006
    ORGANIZATION "IETF RADIUS Extensions Working Group."
        Phone: +1 425 936 6605
        EMail: bernarda@microsoft.com"
        "The MIB module for entities implementing the client
        side of the Remote Authentication Dial-In User Service
        (RADIUS) accounting protocol. Copyright (C) The
        Internet Society (2006). This version of this MIB
        module is part of RFC 4670; see the RFC itself for
    REVISION "200608210000Z" -- 21 August 2006
        "Revised version as published in RFC 4670.
        This version obsoletes that of RFC 2620 by
        deprecating the MIB table containing IPv4-only
        address formats and defining a new table to add support
        for version-neutral IP address formats. The remaining
        MIB objects from RFC 2620 are carried forward into this
    REVISION "199906110000Z" -- 11 Jun 1999
    DESCRIPTION "Initial version as published in RFC 2620."
    ::= { radiusAccounting 2 }

radiusMIB OBJECT-IDENTITY
        "The OID assigned to RADIUS MIB work by the IANA."

radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

radiusAccClientMIBObjects OBJECT IDENTIFIER
    ::= { radiusAccClientMIB 1 }

radiusAccClient OBJECT IDENTIFIER
    ::= { radiusAccClientMIBObjects 1 }

radiusAccClientInvalidServerAddresses OBJECT-TYPE
        "The number of RADIUS Accounting-Response packets
        received from unknown addresses."
    ::= { radiusAccClient 1 }

radiusAccClientIdentifier OBJECT-TYPE
    SYNTAX SnmpAdminString
        "The NAS-Identifier of the RADIUS accounting client.
        This is not necessarily the same as sysName in MIB
    REFERENCE "RFC 2865 section 5.32"
    ::= { radiusAccClient 2 }

radiusAccServerTable OBJECT-TYPE
    SYNTAX SEQUENCE OF RadiusAccServerEntry
    MAX-ACCESS not-accessible
        "The (conceptual) table listing the RADIUS accounting
        servers with which the client shares a secret."
    ::= { radiusAccClient 3 }

radiusAccServerEntry OBJECT-TYPE
    SYNTAX RadiusAccServerEntry
    MAX-ACCESS not-accessible
        "An entry (conceptual row) representing a RADIUS
        accounting server with which the client shares a
    INDEX { radiusAccServerIndex }
    ::= { radiusAccServerTable 1 }

RadiusAccServerEntry ::= SEQUENCE {
    radiusAccServerIndex               Integer32,
    radiusAccServerAddress             IpAddress,
    radiusAccClientServerPortNumber    Integer32,
    radiusAccClientRoundTripTime       TimeTicks,
    radiusAccClientRequests            Counter32,
    radiusAccClientRetransmissions     Counter32,
    radiusAccClientResponses           Counter32,
    radiusAccClientMalformedResponses  Counter32,
    radiusAccClientBadAuthenticators   Counter32,
    radiusAccClientPendingRequests     Gauge32,
    radiusAccClientTimeouts            Counter32,
    radiusAccClientUnknownTypes        Counter32,
    radiusAccClientPacketsDropped      Counter32

radiusAccServerIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
        "A number uniquely identifying each RADIUS
        Accounting server with which this client
    ::= { radiusAccServerEntry 1 }

radiusAccServerAddress OBJECT-TYPE
        "The IP address of the RADIUS accounting server
        referred to in this table entry."
    ::= { radiusAccServerEntry 2 }

radiusAccClientServerPortNumber OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
        "The UDP port the client is using to send requests to
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerEntry 3 }

radiusAccClientRoundTripTime OBJECT-TYPE
        "The time interval between the most recent
        Accounting-Response and the Accounting-Request that
        matched it from this RADIUS accounting server."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerEntry 4 }

-- Request/Response statistics

-- Requests = Responses + PendingRequests + ClientTimeouts

-- Responses - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received

radiusAccClientRequests OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        sent. This does not include retransmissions."
    REFERENCE "RFC 2866 section 4.1"
    ::= { radiusAccServerEntry 5 }

radiusAccClientRetransmissions OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        retransmitted to this RADIUS accounting server.
        Retransmissions include retries where the
        Identifier and Acct-Delay have been updated, as
        well as those in which they remain the same."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerEntry 6 }

radiusAccClientResponses OBJECT-TYPE
        "The number of RADIUS packets received on the
        accounting port from this server."
    REFERENCE "RFC 2866 section 4.2"
    ::= { radiusAccServerEntry 7 }

radiusAccClientMalformedResponses OBJECT-TYPE
        "The number of malformed RADIUS Accounting-Response
        packets received from this server. Malformed packets
        include packets with an invalid length. Bad
        authenticators and unknown types are not included as
        malformed accounting responses."
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerEntry 8 }

radiusAccClientBadAuthenticators OBJECT-TYPE
        "The number of RADIUS Accounting-Response
        packets that contained invalid authenticators
        received from this server."
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerEntry 9 }

radiusAccClientPendingRequests OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        sent to this server that have not yet timed out or
        received a response. This variable is incremented
        when an Accounting-Request is sent and decremented
        due to receipt of an Accounting-Response, a timeout,
        or a retransmission."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerEntry 10 }

radiusAccClientTimeouts OBJECT-TYPE
        "The number of accounting timeouts to this server.
        After a timeout, the client may retry to the same
        server, send to a different server, or give up.
        A retry to the same server is counted as a
        retransmit as well as a timeout. A send to a different
        server is counted as an Accounting-Request as well as
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerEntry 11 }

radiusAccClientUnknownTypes OBJECT-TYPE
        "The number of RADIUS packets of unknown type that
        were received from this server on the accounting port."
    REFERENCE "RFC 2866 section 4"
    ::= { radiusAccServerEntry 12 }

radiusAccClientPacketsDropped OBJECT-TYPE
        "The number of RADIUS packets that were received from
        this server on the accounting port and dropped for some
    ::= { radiusAccServerEntry 13 }

-- New MIB objects added in this revision

radiusAccServerExtTable OBJECT-TYPE
    SYNTAX SEQUENCE OF RadiusAccServerExtEntry
    MAX-ACCESS not-accessible
        "The (conceptual) table listing the RADIUS accounting
        servers with which the client shares a secret."
    ::= { radiusAccClient 4 }

radiusAccServerExtEntry OBJECT-TYPE
    SYNTAX RadiusAccServerExtEntry
    MAX-ACCESS not-accessible
        "An entry (conceptual row) representing a RADIUS
        accounting server with which the client shares a
    INDEX { radiusAccServerExtIndex }
    ::= { radiusAccServerExtTable 1 }

RadiusAccServerExtEntry ::= SEQUENCE {
    radiusAccServerExtIndex               Integer32,
    radiusAccServerInetAddressType        InetAddressType,
    radiusAccServerInetAddress            InetAddress,
    radiusAccClientServerInetPortNumber   InetPortNumber,
    radiusAccClientExtRoundTripTime       TimeTicks,
    radiusAccClientExtRequests            Counter32,
    radiusAccClientExtRetransmissions     Counter32,
    radiusAccClientExtResponses           Counter32,
    radiusAccClientExtMalformedResponses  Counter32,
    radiusAccClientExtBadAuthenticators   Counter32,
    radiusAccClientExtPendingRequests     Gauge32,
    radiusAccClientExtTimeouts            Counter32,
    radiusAccClientExtUnknownTypes        Counter32,
    radiusAccClientExtPacketsDropped      Counter32,
    radiusAccClientCounterDiscontinuity   TimeTicks

radiusAccServerExtIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
        "A number uniquely identifying each RADIUS
        Accounting server with which this client
    ::= { radiusAccServerExtEntry 1 }

radiusAccServerInetAddressType OBJECT-TYPE
    SYNTAX InetAddressType
        "The type of address format used for the
        radiusAccServerInetAddress object."
    ::= { radiusAccServerExtEntry 2 }

radiusAccServerInetAddress OBJECT-TYPE
        "The IP address of the RADIUS accounting
        server referred to in this table entry, using
        the version-neutral IP address format."
    ::= { radiusAccServerExtEntry 3 }

radiusAccClientServerInetPortNumber OBJECT-TYPE
    SYNTAX InetPortNumber ( 1..65535 )
        "The UDP port the client is using to send requests
        to this accounting server. The value zero (0) is
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerExtEntry 4 }

radiusAccClientExtRoundTripTime OBJECT-TYPE
        "The time interval between the most recent
        Accounting-Response and the Accounting-Request that
        matched it from this RADIUS accounting server."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerExtEntry 5 }

-- Request/Response statistics

-- Requests = Responses + PendingRequests + ClientTimeouts

-- Responses - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received

radiusAccClientExtRequests OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        sent. This does not include retransmissions.
        This counter may experience a discontinuity when the
        RADIUS Accounting Client module within the managed
        entity is reinitialized, as indicated by the current
        value of radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 4.1"
    ::= { radiusAccServerExtEntry 6 }

radiusAccClientExtRetransmissions OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        retransmitted to this RADIUS accounting server.
        Retransmissions include retries where the
        Identifier and Acct-Delay have been updated, as
        well as those in which they remain the same.
        This counter may experience a discontinuity when the
        RADIUS Accounting Client module within the managed
        entity is reinitialized, as indicated by the current
        value of radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerExtEntry 7 }

radiusAccClientExtResponses OBJECT-TYPE
        "The number of RADIUS packets received on the
        accounting port from this server. This counter
        may experience a discontinuity when the RADIUS
        Accounting Client module within the managed entity is
        reinitialized, as indicated by the current value of
        radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 4.2"
    ::= { radiusAccServerExtEntry 8 }

radiusAccClientExtMalformedResponses OBJECT-TYPE
        "The number of malformed RADIUS Accounting-Response
        packets received from this server. Malformed packets
        include packets with an invalid length. Bad
        authenticators and unknown types are not included as
        malformed accounting responses. This counter may
        experience a discontinuity when the RADIUS Accounting
        Client module within the managed entity is
        reinitialized, as indicated by the current
        value of radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerExtEntry 9 }

radiusAccClientExtBadAuthenticators OBJECT-TYPE
        "The number of RADIUS Accounting-Response
        packets that contained invalid authenticators
        received from this server. This counter may
        experience a discontinuity when the RADIUS
        Accounting Client module within the managed
        entity is reinitialized, as indicated by the
        radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 3"
    ::= { radiusAccServerExtEntry 10 }

radiusAccClientExtPendingRequests OBJECT-TYPE
        "The number of RADIUS Accounting-Request packets
        sent to this server that have not yet timed out or
        received a response. This variable is incremented
        when an Accounting-Request is sent and decremented
        due to receipt of an Accounting-Response, a timeout,
        or a retransmission. This counter may experience a
        discontinuity when the RADIUS Accounting Client module
        within the managed entity is reinitialized, as
        indicated by the current value of
        radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerExtEntry 11 }

radiusAccClientExtTimeouts OBJECT-TYPE
        "The number of accounting timeouts to this server.
        After a timeout, the client may retry to the same
        server, send to a different server, or give up.
        A retry to the same server is counted as a
        retransmit as well as a timeout. A send to a different
        server is counted as an Accounting-Request as well as
        a timeout. This counter may experience a discontinuity
        when the RADIUS Accounting Client module within the
        managed entity is reinitialized, as indicated by the
        current value of radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 2"
    ::= { radiusAccServerExtEntry 12 }

radiusAccClientExtUnknownTypes OBJECT-TYPE
        "The number of RADIUS packets of unknown type that
        were received from this server on the accounting port.
        This counter may experience a discontinuity when the
        RADIUS Accounting Client module within the managed
        entity is reinitialized, as indicated by the current
        value of radiusAccClientCounterDiscontinuity."
    REFERENCE "RFC 2866 section 4"
    ::= { radiusAccServerExtEntry 13 }

radiusAccClientExtPacketsDropped OBJECT-TYPE
        "The number of RADIUS packets that were received from
        this server on the accounting port and dropped for some
        other reason. This counter may experience a
        discontinuity when the RADIUS Accounting Client module
        within the managed entity is reinitialized, as indicated
        by the current value of
        radiusAccClientCounterDiscontinuity."
    ::= { radiusAccServerExtEntry 14 }

radiusAccClientCounterDiscontinuity OBJECT-TYPE
        "The number of centiseconds since the last
        discontinuity in the RADIUS Accounting Client
        counters. A discontinuity may be the result of a
        reinitialization of the RADIUS Accounting Client
        module within the managed entity."
    ::= { radiusAccServerExtEntry 15 }

-- conformance information

radiusAccClientMIBConformance OBJECT IDENTIFIER
    ::= { radiusAccClientMIB 2 }

radiusAccClientMIBCompliances OBJECT IDENTIFIER
    ::= { radiusAccClientMIBConformance 1 }

radiusAccClientMIBGroups OBJECT IDENTIFIER
    ::= { radiusAccClientMIBConformance 2 }

-- units of conformance

radiusAccClientMIBCompliance MODULE-COMPLIANCE
        "The compliance statement for accounting clients
        implementing the RADIUS Accounting Client MIB.
        Implementation of this module is for IPv4-only
        entities, or for backwards compatibility use with
        entities that support both IPv4 and IPv6."
    MODULE -- this module
    MANDATORY-GROUPS { radiusAccClientMIBGroup }
    ::= { radiusAccClientMIBCompliances 1 }

radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
        "The compliance statement for accounting
        clients implementing the RADIUS Accounting
        Client IPv6 Extensions MIB. Implementation of
        this module is for entities that support IPv6,
        or support IPv4 and IPv6."
    MODULE -- this module
    MANDATORY-GROUPS { radiusAccClientExtMIBGroup }

    OBJECT radiusAccServerInetAddressType
    SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        "An implementation is only required to support
        IPv4 and globally unique IPv6 addresses."

    OBJECT radiusAccServerInetAddress
    SYNTAX InetAddress ( SIZE (4|16) )
        "An implementation is only required to support
        IPv4 and globally unique IPv6 addresses."
    ::= { radiusAccClientMIBCompliances 2 }

-- units of conformance

radiusAccClientMIBGroup OBJECT-GROUP
    OBJECTS { radiusAccClientIdentifier,
              radiusAccClientInvalidServerAddresses,
              radiusAccServerAddress,
              radiusAccClientServerPortNumber,
              radiusAccClientRoundTripTime,
              radiusAccClientRequests,
              radiusAccClientRetransmissions,
              radiusAccClientResponses,
              radiusAccClientMalformedResponses,
              radiusAccClientBadAuthenticators,
              radiusAccClientPendingRequests,
              radiusAccClientTimeouts,
              radiusAccClientUnknownTypes,
              radiusAccClientPacketsDropped
        "The basic collection of objects providing management of
        RADIUS Accounting Clients."
    ::= { radiusAccClientMIBGroups 1 }

radiusAccClientExtMIBGroup OBJECT-GROUP
    OBJECTS { radiusAccClientIdentifier,
              radiusAccClientInvalidServerAddresses,
              radiusAccServerInetAddressType,
              radiusAccServerInetAddress,
              radiusAccClientServerInetPortNumber,
              radiusAccClientExtRoundTripTime,
              radiusAccClientExtRequests,
              radiusAccClientExtRetransmissions,
              radiusAccClientExtResponses,
              radiusAccClientExtMalformedResponses,
              radiusAccClientExtBadAuthenticators,
              radiusAccClientExtPendingRequests,
              radiusAccClientExtTimeouts,
              radiusAccClientExtUnknownTypes,
              radiusAccClientExtPacketsDropped,
              radiusAccClientCounterDiscontinuity
        "The basic collection of objects providing management of
        RADIUS Accounting Clients."
    ::= { radiusAccClientMIBGroups 2 }
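
The following is an added example, not part of the RFC or of any
implementation of it. It applies the two "Request/Response statistics"
relations and the radiusAccClientCounterDiscontinuity object to two
polls of one radiusAccServerExtTable row. Function names, thresholds
(slack_cs, timeout_ratio_limit) and the sample values are assumptions
made for the example.

```python
"""Added example: per-interval health signals from two polls of one
radiusAccServerExtTable row (all sample values are constructed)."""
from dataclasses import dataclass, field

COUNTER32_MOD = 2 ** 32
PREFIX = "radiusAccClientExt"
# Counter32 columns of radiusAccServerExtEntry, without the common prefix.
COUNTER_COLUMNS = (
    "Requests", "Retransmissions", "Responses", "MalformedResponses",
    "BadAuthenticators", "Timeouts", "UnknownTypes", "PacketsDropped",
)
PENDING = PREFIX + "PendingRequests"                   # Gauge32, not a counter
DISCONTINUITY = "radiusAccClientCounterDiscontinuity"  # TimeTicks, centiseconds


@dataclass
class IntervalReport:
    usable: bool
    deltas: dict = field(default_factory=dict)
    valid_responses: int = 0
    identity_residual: int = 0
    findings: list = field(default_factory=list)


def counter32_delta(old, new):
    """Increase between two Counter32 samples, allowing one wrap at 2**32."""
    return (new - old) % COUNTER32_MOD


def discontinuity_seen(prev, curr, elapsed_cs, slack_cs=100):
    """True if the counters were reset between the two polls.

    Without a reset the discontinuity timer advances by about elapsed_cs.
    A smaller value means a reset (or a TimeTicks wrap, treated the same).
    slack_cs absorbs polling jitter and is an assumption of this example.
    """
    return curr[DISCONTINUITY] + slack_cs < prev[DISCONTINUITY] + elapsed_cs


def analyse_interval(prev, curr, elapsed_cs, timeout_ratio_limit=0.2):
    """Compare two polls of the same row taken elapsed_cs centiseconds apart."""
    if discontinuity_seen(prev, curr, elapsed_cs):
        # Deltas across a reset are meaningless; discard the interval.
        return IntervalReport(usable=False, findings=["counter-discontinuity"])

    d = {c: counter32_delta(prev[PREFIX + c], curr[PREFIX + c])
         for c in COUNTER_COLUMNS}

    # Responses - MalformedResponses - BadAuthenticators -
    # UnknownTypes - PacketsDropped = Successfully received
    valid = (d["Responses"] - d["MalformedResponses"] - d["BadAuthenticators"]
             - d["UnknownTypes"] - d["PacketsDropped"])

    # Requests = Responses + PendingRequests + ClientTimeouts, applied to the
    # interval; a non-zero residual means the agent's counters disagree.
    pending_change = curr[PENDING] - prev[PENDING]
    residual = d["Requests"] - (d["Responses"] + pending_change + d["Timeouts"])

    findings = []
    if d["BadAuthenticators"]:
        # Response Authenticator check failed: shared-secret mismatch, or
        # responses not produced by a holder of the secret.
        findings.append("bad-authenticators")
    if d["MalformedResponses"] or d["UnknownTypes"]:
        findings.append("unparseable-responses")
    if d["Requests"] and d["Timeouts"] / d["Requests"] > timeout_ratio_limit:
        findings.append("timeout-ratio")
    if valid < 0:
        findings.append("inconsistent-counters")
    return IntervalReport(True, d, valid, residual, findings)


def make_row(discontinuity, pending, **counters):
    """Build a constructed poll result keyed by the MIB object names."""
    row = {PREFIX + name: value for name, value in counters.items()}
    row[PENDING] = pending
    row[DISCONTINUITY] = discontinuity
    return row


# Constructed polls, 60 s (6000 centiseconds) apart. Requests wraps past 2**32.
PREV_POLL = make_row(500000, 1, Requests=4294967290, Retransmissions=10,
                     Responses=1000, MalformedResponses=0, BadAuthenticators=5,
                     Timeouts=10, UnknownTypes=0, PacketsDropped=0)
CURR_POLL = make_row(506000, 1, Requests=14, Retransmissions=12,
                     Responses=1018, MalformedResponses=1, BadAuthenticators=8,
                     Timeouts=12, UnknownTypes=0, PacketsDropped=0)
# Same row after the client module was reinitialized 12 s before the poll.
RESET_POLL = make_row(1200, 0, Requests=3, Retransmissions=0, Responses=3,
                      MalformedResponses=0, BadAuthenticators=0, Timeouts=0,
                      UnknownTypes=0, PacketsDropped=0)

if __name__ == "__main__":
    for label, poll in (("normal", CURR_POLL), ("after reset", RESET_POLL)):
        print(label, analyse_interval(PREV_POLL, poll, elapsed_cs=6000))
```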

8. Security Considerations

There are no management objects defined in this MIB that have a
MAX-ACCESS clause of read-write and/or read-create. So, if this MIB is
implemented correctly, then there is no risk that an intruder can
alter or create any management objects of this MIB via direct SNMP

There are a number of managed objects in this MIB that may contain
sensitive information. These are:

radiusAcctServerIPAddress
   This can be used to determine the address of the RADIUS accounting
   server with which the client is communicating. This information
   could be useful in mounting an attack on the accounting server.

radiusAcctServerInetAddress
   This can be used to determine the address of the RADIUS accounting
   server with which the client is communicating. This information
   could be useful in mounting an attack on the accounting server.

radiusAcctClientServerPortNumber
   This can be used to determine the port number on which the RADIUS
   accounting client is sending. This information could be useful in
   impersonating the client in order to send data to the accounting

radiusAcctClientServerInetPortNumber
   This can be used to determine the port number on which the RADIUS
   accounting client is sending. This information could be useful in
   impersonating the client in order to send data to the accounting

It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending them
over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment.

SNMP versions prior to SNMPv3 do not provide a secure environment.
Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Structure of Management Information
          Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
          Schoenwaelder, Ed., "Textual Conventions for SMIv2",
          STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Conformance Statements for SMIv2", STD 58, RFC 2580,

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
          Architecture for Describing Simple Network Management
          Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
          Schoenwaelder, "Textual Conventions for Internet Network
          Addresses", RFC 4001, February 2005.

9.2. Informative References

[RFC2620] Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
          RFC 2620, June 1999.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
          "Remote Authentication Dial In User Service (RADIUS)", RFC

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
          "Introduction and Applicability Statements for
          Internet-Standard Management Framework", RFC 3410,
          December 2002.

[RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC

Appendix A. Acknowledgements

The authors of the original MIB are Bernard Aboba and Glen Zorn.

Many thanks to all reviewers, especially to Dave Harrington, Dan
Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.

EMail: dnelson@enterasys.com

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).