--- /dev/null
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4668 Enterasys Networks
+Obsoletes: 2618 August 2006
+Category: Standards Track
+
+
+ RADIUS Authentication Client MIB for IPv6
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ authentication client functions. These extensions represent a
+ portion of the Management Information Base (MIB) for use with network
+ management protocols in the Internet community. Using these
+ extensions, IP-based management stations can manage RADIUS
+ authentication clients.
+
+ This memo obsoletes RFC 2618 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2618 are carried forward into this document. The memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 1]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................20
+ 9. References .....................................................22
+ 9.1. Normative References ......................................22
+ 9.2. Informative References ....................................22
+ Appendix A. Acknowledgements ......................................23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 2]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Authentication Client as
+ defined in RFC 2865 [RFC2865].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2865 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2865.
+ Some implementations may determine that packets are malformed when
+ the Vendor Specific Attribute (VSA) format does not follow the RFC
+ 2865 recommendations for VSAs. Those implementations are used in
+ deployments today, and thus set the de facto definition of
+ "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
+ Client MIB, by deprecating the radiusAuthServerTable table and adding
+ a new table, radiusAuthServerExtTable, containing
+ radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
+
+
+
+Nelson Standards Track [Page 3]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ radiusAuthClientServerInetPortNumber. The purpose of these added MIB
+ objects is to support version-neutral IP addressing formats. The
+ existing table containing radiusAuthServerAddress and
+ radiusAuthClientServerPortNumber is deprecated. The remaining MIB
+ objects are carried forward from RFC 2618 into this document. This
+ memo also adds UNITS and REFERENCE clauses to selected objects.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ IPv6 addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
+ distinguishes between the client function and the server function.
+ In RADIUS authentication, clients send Access-Requests, and servers
+ reply with Access-Accepts, Access-Rejects, and Access-Challenges.
+ Typically, Network Access Server (NAS) devices implement the client
+ function, and thus would be expected to implement the RADIUS
+ authentication client MIB, while RADIUS authentication servers
+ implement the server function, and thus would be expected to
+ implement the RADIUS authentication server MIB.
+
+ However, it is possible for a RADIUS authentication entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS authentication clients, while
+ simultaneously acting as an authentication client to one or more
+ authentication servers. In such situations, it is expected that
+ RADIUS entities combining client and server functionality will
+ support both the client and server MIBs. The client MIB is defined
+ in this document, and the server MIB is defined in [RFC4669].
+
+ This MIB module contains two scalars as well as a single table, the
+ RADIUS Authentication Server Table, which contains one row for each
+ RADIUS authentication server with which the client shares a secret.
+ Each entry in the RADIUS Authentication Server Table includes sixteen
+ columns presenting a view of the activity of the RADIUS
+ authentication client.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+Nelson Standards Track [Page 4]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2618
+ [RFC2618]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS server
+ address represented in such a table row is not an IPv4 address.
+ Managed entities SHOULD NOT return inaccurate values of IP address or
+ SNMP object access errors for IPv4-only address objects in otherwise
+ populated tables. When row entries exist in both the deprecated
+ IPv4-only table and the new IP-version-neutral table that describe
+ the same RADIUS server, the row indexes SHOULD be the same for the
+ corresponding rows in each table, to facilitate correlation of these
+ related rows by management applications.
+
+7. Definitions
+
+ RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32, Gauge32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress,
+ InetPortNumber FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+
+ radiusAuthClientMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+ Redmond, WA 98052
+
+
+
+Nelson Standards Track [Page 5]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ US
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the client
+ side of the Remote Authentication Dial-In User Service
+ (RADIUS) authentication protocol. Copyright (C) The
+ Internet Society (2006). This version of this MIB
+ module is part of RFC 4668; see the RFC itself for
+ full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4668. This
+ version obsoletes that of RFC 2618 by deprecating
+ the MIB table containing IPv4-only address formats
+ and defining a new table to add support for version
+ neutral IP address formats. The remaining MIB objects
+ from RFC 2618 are carried forward into this version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2618."
+ ::= { radiusAuthentication 2 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
+
+ radiusAuthClientMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAuthClientMIB 1 }
+
+ radiusAuthClient OBJECT IDENTIFIER
+ ::= { radiusAuthClientMIBObjects 1 }
+
+ radiusAuthClientInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Response packets
+ received from unknown addresses."
+ ::= { radiusAuthClient 1 }
+
+ radiusAuthClientIdentifier OBJECT-TYPE
+ SYNTAX SnmpAdminString
+
+
+
+Nelson Standards Track [Page 6]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client.
+ This is not necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAuthClient 2 }
+
+ radiusAuthServerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS authentication
+ servers with which the client shares a secret."
+ ::= { radiusAuthClient 3 }
+
+ radiusAuthServerEntry OBJECT-TYPE
+ SYNTAX RadiusAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication server with which the client shares
+ a secret."
+ INDEX { radiusAuthServerIndex }
+ ::= { radiusAuthServerTable 1 }
+
+ RadiusAuthServerEntry ::= SEQUENCE {
+ radiusAuthServerIndex Integer32,
+ radiusAuthServerAddress IpAddress,
+ radiusAuthClientServerPortNumber Integer32,
+ radiusAuthClientRoundTripTime TimeTicks,
+ radiusAuthClientAccessRequests Counter32,
+ radiusAuthClientAccessRetransmissions Counter32,
+ radiusAuthClientAccessAccepts Counter32,
+ radiusAuthClientAccessRejects Counter32,
+ radiusAuthClientAccessChallenges Counter32,
+ radiusAuthClientMalformedAccessResponses Counter32,
+ radiusAuthClientBadAuthenticators Counter32,
+ radiusAuthClientPendingRequests Gauge32,
+ radiusAuthClientTimeouts Counter32,
+ radiusAuthClientUnknownTypes Counter32,
+ radiusAuthClientPacketsDropped Counter32
+ }
+
+ radiusAuthServerIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+
+
+
+Nelson Standards Track [Page 7]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ Authentication server with which this client
+ communicates."
+ ::= { radiusAuthServerEntry 1 }
+
+ radiusAuthServerAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The IP address of the RADIUS authentication server
+ referred to in this table entry."
+ ::= { radiusAuthServerEntry 2 }
+
+ radiusAuthClientServerPortNumber OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The UDP port the client is using to send requests to
+ this server."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServerEntry 3 }
+
+ radiusAuthClientRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The time interval (in hundredths of a second) between
+ the most recent Access-Reply/Access-Challenge and the
+ Access-Request that matched it from this RADIUS
+ authentication server."
+ ::= { radiusAuthServerEntry 4 }
+
+ -- Request/Response statistics
+ --
+ -- TotalIncomingPackets = Accepts + Rejects + Challenges +
+ -- UnknownTypes
+ --
+ -- TotalIncomingPackets - MalformedResponses -
+ -- BadAuthenticators - UnknownTypes - PacketsDropped =
+ -- Successfully received
+ --
+ -- AccessRequests + PendingRequests + ClientTimeouts =
+
+
+
+Nelson Standards Track [Page 8]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ -- Successfully received
+ --
+ --
+
+ radiusAuthClientAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets sent
+ to this server. This does not include retransmissions."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServerEntry 5 }
+
+ radiusAuthClientAccessRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ retransmitted to this RADIUS authentication server."
+ REFERENCE "RFC 2865 sections 2.5, 4.1"
+ ::= { radiusAuthServerEntry 6 }
+
+ radiusAuthClientAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ (valid or invalid) received from this server."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthServerEntry 7 }
+
+ radiusAuthClientAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ (valid or invalid) received from this server."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthServerEntry 8 }
+
+
+
+
+Nelson Standards Track [Page 9]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ radiusAuthClientAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ (valid or invalid) received from this server."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthServerEntry 9 }
+
+ -- "Access-Response" includes an Access-Accept, Access-Challenge
+ -- or Access-Reject
+
+ radiusAuthClientMalformedAccessResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Response
+ packets received from this server.
+ Malformed packets include packets with
+ an invalid length. Bad authenticators or
+ Message Authenticator attributes or unknown types
+ are not included as malformed access responses."
+ ::= { radiusAuthServerEntry 10 }
+
+ radiusAuthClientBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Response packets
+ containing invalid authenticators or Message
+ Authenticator attributes received from this server."
+ REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14"
+ ::= { radiusAuthServerEntry 11 }
+
+ radiusAuthClientPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ destined for this server that have not yet timed out
+ or received a response. This variable is incremented
+
+
+
+Nelson Standards Track [Page 10]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ when an Access-Request is sent and decremented due to
+ receipt of an Access-Accept, Access-Reject,
+ Access-Challenge, timeout, or retransmission."
+ REFERENCE "RFC 2865 section 2"
+ ::= { radiusAuthServerEntry 12 }
+
+ radiusAuthClientTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of authentication timeouts to this server.
+ After a timeout, the client may retry to the same
+ server, send to a different server, or
+ give up. A retry to the same server is counted as a
+ retransmit as well as a timeout. A send to a different
+ server is counted as a Request as well as a timeout."
+ REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2"
+ ::= { radiusAuthServerEntry 13 }
+
+ radiusAuthClientUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this server on the authentication
+ port."
+ ::= { radiusAuthServerEntry 14 }
+
+ radiusAuthClientPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets that were
+ received from this server on the authentication port
+ and dropped for some other reason."
+ ::= { radiusAuthServerEntry 15 }
+
+
+ -- New MIB Objects in this revision
+
+ radiusAuthServerExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
+
+
+
+Nelson Standards Track [Page 11]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS authentication
+ servers with which the client shares a secret."
+ ::= { radiusAuthClient 4 }
+
+ radiusAuthServerExtEntry OBJECT-TYPE
+ SYNTAX RadiusAuthServerExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication server with which the client shares
+ a secret."
+ INDEX { radiusAuthServerExtIndex }
+ ::= { radiusAuthServerExtTable 1 }
+
+ RadiusAuthServerExtEntry ::= SEQUENCE {
+ radiusAuthServerExtIndex Integer32,
+ radiusAuthServerInetAddressType InetAddressType,
+ radiusAuthServerInetAddress InetAddress,
+ radiusAuthClientServerInetPortNumber InetPortNumber,
+ radiusAuthClientExtRoundTripTime TimeTicks,
+ radiusAuthClientExtAccessRequests Counter32,
+ radiusAuthClientExtAccessRetransmissions Counter32,
+ radiusAuthClientExtAccessAccepts Counter32,
+ radiusAuthClientExtAccessRejects Counter32,
+ radiusAuthClientExtAccessChallenges Counter32,
+ radiusAuthClientExtMalformedAccessResponses Counter32,
+ radiusAuthClientExtBadAuthenticators Counter32,
+ radiusAuthClientExtPendingRequests Gauge32,
+ radiusAuthClientExtTimeouts Counter32,
+ radiusAuthClientExtUnknownTypes Counter32,
+ radiusAuthClientExtPacketsDropped Counter32,
+ radiusAuthClientCounterDiscontinuity TimeTicks
+ }
+
+ radiusAuthServerExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ Authentication server with which this client
+ communicates."
+ ::= { radiusAuthServerExtEntry 1 }
+
+
+
+
+Nelson Standards Track [Page 12]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ radiusAuthServerInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAuthServerInetAddress object."
+ ::= { radiusAuthServerExtEntry 2 }
+
+ radiusAuthServerInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS authentication
+ server referred to in this table entry, using
+ the version-neutral IP address format."
+ ::= { radiusAuthServerExtEntry 3 }
+
+ radiusAuthClientServerInetPortNumber OBJECT-TYPE
+ SYNTAX InetPortNumber ( 1..65535 )
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The UDP port the client is using to send requests
+ to this server. The value of zero (0) is invalid."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServerExtEntry 4 }
+
+ radiusAuthClientExtRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time interval (in hundredths of a second) between
+ the most recent Access-Reply/Access-Challenge and the
+ Access-Request that matched it from this RADIUS
+ authentication server."
+ REFERENCE "RFC 2865 section 2"
+ ::= { radiusAuthServerExtEntry 5 }
+
+ -- Request/Response statistics
+ --
+ -- TotalIncomingPackets = Accepts + Rejects + Challenges +
+ -- UnknownTypes
+ --
+ -- TotalIncomingPackets - MalformedResponses -
+ -- BadAuthenticators - UnknownTypes - PacketsDropped =
+
+
+
+Nelson Standards Track [Page 13]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ -- Successfully received
+ --
+ -- AccessRequests + PendingRequests + ClientTimeouts =
+ -- Successfully received
+ --
+ --
+
+ radiusAuthClientExtAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets sent
+ to this server. This does not include retransmissions.
+ This counter may experience a discontinuity when the
+ RADIUS Client module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServerExtEntry 6 }
+
+ radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ retransmitted to this RADIUS authentication server.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed entity
+ is reinitialized, as indicated by the current value
+ of radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 sections 2.5, 4.1"
+ ::= { radiusAuthServerExtEntry 7 }
+
+ radiusAuthClientExtAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ (valid or invalid) received from this server.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed entity
+ is reinitialized, as indicated by the current value
+
+
+
+Nelson Standards Track [Page 14]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ of radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthServerExtEntry 8 }
+
+ radiusAuthClientExtAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ (valid or invalid) received from this server.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed
+ entity is reinitialized, as indicated by the
+ current value of
+ radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthServerExtEntry 9 }
+
+ radiusAuthClientExtAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ (valid or invalid) received from this server.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed
+ entity is reinitialized, as indicated by the
+ current value of
+ radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthServerExtEntry 10 }
+
+ -- "Access-Response" includes an Access-Accept, Access-Challenge,
+ -- or Access-Reject
+
+ radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Response
+ packets received from this server.
+ Malformed packets include packets with
+
+
+
+Nelson Standards Track [Page 15]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ an invalid length. Bad authenticators or
+ Message Authenticator attributes or unknown types
+ are not included as malformed access responses.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed entity
+ is reinitialized, as indicated by the current value
+ of radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 sections 3, 4"
+ ::= { radiusAuthServerExtEntry 11 }
+
+ radiusAuthClientExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Response packets
+ containing invalid authenticators or Message
+ Authenticator attributes received from this server.
+ This counter may experience a discontinuity when
+ the RADIUS Client module within the managed entity
+ is reinitialized, as indicated by the current value
+ of radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServerExtEntry 12 }
+
+ radiusAuthClientExtPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ destined for this server that have not yet timed out
+ or received a response. This variable is incremented
+ when an Access-Request is sent and decremented due to
+ receipt of an Access-Accept, Access-Reject,
+ Access-Challenge, timeout, or retransmission."
+ REFERENCE "RFC 2865 section 2"
+ ::= { radiusAuthServerExtEntry 13 }
+
+ radiusAuthClientExtTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of authentication timeouts to this server.
+
+
+
+Nelson Standards Track [Page 16]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ After a timeout, the client may retry to the same
+ server, send to a different server, or
+ give up. A retry to the same server is counted as a
+ retransmit as well as a timeout. A send to a different
+ server is counted as a Request as well as a timeout.
+ This counter may experience a discontinuity when the
+ RADIUS Client module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 sections 2.5, 4.1"
+ ::= { radiusAuthServerExtEntry 14 }
+
+ radiusAuthClientExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this server on the authentication
+ port. This counter may experience a discontinuity
+ when the RADIUS Client module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAuthClientCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthServerExtEntry 15 }
+
+ radiusAuthClientExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets that were
+ received from this server on the authentication port
+ and dropped for some other reason. This counter may
+ experience a discontinuity when the RADIUS Client
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAuthClientCounterDiscontinuity."
+ ::= { radiusAuthServerExtEntry 16 }
+
+ radiusAuthClientCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+
+
+
+Nelson Standards Track [Page 17]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ "The number of centiseconds since the last discontinuity
+ in the RADIUS Client counters. A discontinuity may
+ be the result of a reinitialization of the RADIUS
+ Client module within the managed entity."
+ ::= { radiusAuthServerExtEntry 17 }
+
+
+ -- conformance information
+
+ radiusAuthClientMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAuthClientMIB 2 }
+
+ radiusAuthClientMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAuthClientMIBConformance 1 }
+
+ radiusAuthClientMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAuthClientMIBConformance 2 }
+
+
+ -- compliance statements
+
+ radiusAuthClientMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for authentication clients
+ implementing the RADIUS Authentication Client MIB.
+ Implementation of this module is for IPv4-only
+ entities, or for backwards compatibility use with
+ entities that support both IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthClientMIBGroup }
+
+ ::= { radiusAuthClientMIBCompliances 1 }
+
+ radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for authentication
+ clients implementing the RADIUS Authentication
+ Client IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }
+
+ OBJECT radiusAuthServerInetAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+
+
+
+Nelson Standards Track [Page 18]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAuthServerInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+ ::= { radiusAuthClientMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAuthClientMIBGroup OBJECT-GROUP
+ OBJECTS { radiusAuthClientIdentifier,
+ radiusAuthClientInvalidServerAddresses,
+ radiusAuthServerAddress,
+ radiusAuthClientServerPortNumber,
+ radiusAuthClientRoundTripTime,
+ radiusAuthClientAccessRequests,
+ radiusAuthClientAccessRetransmissions,
+ radiusAuthClientAccessAccepts,
+ radiusAuthClientAccessRejects,
+ radiusAuthClientAccessChallenges,
+ radiusAuthClientMalformedAccessResponses,
+ radiusAuthClientBadAuthenticators,
+ radiusAuthClientPendingRequests,
+ radiusAuthClientTimeouts,
+ radiusAuthClientUnknownTypes,
+ radiusAuthClientPacketsDropped
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The basic collection of objects providing management of
+ RADIUS Authentication Clients."
+ ::= { radiusAuthClientMIBGroups 1 }
+
+
+ radiusAuthClientExtMIBGroup OBJECT-GROUP
+ OBJECTS { radiusAuthClientIdentifier,
+ radiusAuthClientInvalidServerAddresses,
+ radiusAuthServerInetAddressType,
+ radiusAuthServerInetAddress,
+ radiusAuthClientServerInetPortNumber,
+ radiusAuthClientExtRoundTripTime,
+ radiusAuthClientExtAccessRequests,
+ radiusAuthClientExtAccessRetransmissions,
+ radiusAuthClientExtAccessAccepts,
+
+
+
+Nelson Standards Track [Page 19]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ radiusAuthClientExtAccessRejects,
+ radiusAuthClientExtAccessChallenges,
+ radiusAuthClientExtMalformedAccessResponses,
+ radiusAuthClientExtBadAuthenticators,
+ radiusAuthClientExtPendingRequests,
+ radiusAuthClientExtTimeouts,
+ radiusAuthClientExtUnknownTypes,
+ radiusAuthClientExtPacketsDropped,
+ radiusAuthClientCounterDiscontinuity
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of extended objects providing
+ management of RADIUS Authentication Clients
+ using version-neutral IP address format."
+ ::= { radiusAuthClientMIBGroups 2 }
+
+ END
+
+8. Security Considerations
+
+ There are no management objects defined in this MIB that have a MAX-
+ ACCESS clause of read-write and/or read-create. So, if this MIB is
+ implemented correctly, then there is no risk that an intruder can
+ alter or create any management objects of this MIB via direct SNMP
+ SET operations.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+ radiusAuthServerIPAddress
+ This can be used to determine the address of the RADIUS
+ authentication server with which the client is communicating.
+ This information could be useful in mounting an attack on the
+ authentication server.
+
+ radiusAuthClientServerPortNumber
+ This can be used to determine the port number on which the RADIUS
+ authentication client is sending. This information could be
+ useful in impersonating the client in order to send data to the
+ authentication server.
+
+
+
+
+
+Nelson Standards Track [Page 20]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+ radiusAuthServerInetAddress
+ This can be used to determine the address of the RADIUS
+ authentication server with which the client is communicating.
+ This information could be useful in mounting an attack on the
+ authentication server.
+
+ radiusAuthClientServerInetPortNumber
+ This can be used to determine the port number on which the RADIUS
+ authentication client is sending. This information could be
+ useful in impersonating the client in order to send data to the
+ authentication server.
+
+ SNMP versions prior to SNMPv3 did not include adequate security.
+ Even if the network itself is secure (for example by using IPsec),
+ even then, there is no control as to who on the secure network is
+ allowed to access and GET/SET (read/change/create/delete) the objects
+ in this MIB module.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 21]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+9.2. Informative References
+
+ [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
+ RFC 2618, June 1999.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
+ RFC 4669, August 2006.
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 22]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to Dave Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 23]
+\f
+RFC 4668 RADIUS Auth Client MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Standards Track [Page 24]
+\f
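Review bot: The Security Considerations section of the added RFC 4668 text names radiusAuthServerIPAddress as a sensitive object, but no object of that name appears in either conformance group earlier in the same file. The deprecated radiusAuthClientMIBGroup lists radiusAuthServerAddress, and the current radiusAuthClientExtMIBGroup lists radiusAuthServerInetAddress. If this file is meant to be a verbatim copy of the published RFC, keep the text as is and record the mismatch in the commit message or an accompanying note, so that anyone deriving SNMP view or access-control entries from the sensitivity list keys on radiusAuthServerAddress rather than on a name the MIB does not define. Separately, the file is added with its form feeds, page footers and long runs of blank lines intact. That is fine for a verbatim copy, but the commit should say so, so the whitespace is not taken for an accident in later cleanups.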
--- /dev/null
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4669 Enterasys Networks
+Obsoletes: 2619 August 2006
+Category: Standards Track
+
+
+ RADIUS Authentication Server MIB for IPv6
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ authentication server functions. These extensions represent a
+ portion of the Management Information Base (MIB) for use with network
+ management protocols in the Internet community. Using these
+ extensions, IP-based management stations can manage RADIUS
+ authentication servers.
+
+ This memo obsoletes RFC 2619 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2619 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 1]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................21
+ 9. References .....................................................23
+ 9.1. Normative References ......................................23
+ 9.2. Informative References ....................................23
+ Appendix A. Acknowledgements ......................................24
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 2]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Authentication Server as
+ defined in RFC 2865 [RFC2865].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2865 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2865.
+ Some implementations may determine that packets are malformed when
+ the Vendor Specific Attribute (VSA) format does not follow the RFC
+ 2865 recommendations for VSAs. Those implementations are used in
+ deployments today, and thus set the de facto definition of
+ "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication
+ Server MIB, by deprecating the radiusAuthClientTable table and adding
+ a new table, radiusAuthClientExtTable, containing
+ radiusAuthClientInetAddressType and radiusAuthClientInetAddress. The
+
+
+
+Nelson Standards Track [Page 3]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ purpose of these added MIB objects is to support version-neutral IP
+ addressing formats. The existing table containing
+ radiusAuthClientAddress is deprecated. The remaining MIB objects
+ from RFC 2619 are carried forward into this document. This memo also
+ adds UNITS and REFERENCE clauses to selected objects.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ version-neutral IP addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
+ distinguishes between the client function and the server function.
+ In RADIUS authentication, clients send Access-Requests, and servers
+ reply with Access-Accepts, Access-Rejects, and Access-Challenges.
+ Typically, NAS devices implement the client function, and thus would
+ be expected to implement the RADIUS authentication client MIB, while
+ RADIUS authentication servers implement the server function, and thus
+ would be expected to implement the RADIUS authentication server MIB.
+
+ However, it is possible for a RADIUS authentication entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS authentication clients, while
+ simultaneously acting as an authentication client to one or more
+ authentication servers. In such situations, it is expected that
+ RADIUS entities combining client and server functionality will
+ support both the client and server MIBs. The server MIB is defined
+ in this document, and the client MIB is defined in [RFC4668].
+
+ This MIB module contains fourteen scalars as well as a single table,
+ the RADIUS Authentication Client Table, which contains one row for
+ each RADIUS authentication client with which the server shares a
+ secret. Each entry in the RADIUS Authentication Client Table
+ includes thirteen columns presenting a view of the activity of the
+ RADIUS authentication server.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+
+
+Nelson Standards Track [Page 4]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2619
+ [RFC2619]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS client
+ address represented in such a table row is not an IPv4 address.
+ Managed entities SHOULD NOT return inaccurate values of IP address or
+ SNMP object access errors for IPv4-only address objects in otherwise
+ populated tables. When row entries exist in both the deprecated
+ IPv4-only table and the new IP-version-neutral table that describe
+ the same RADIUS client, the row indexes SHOULD be the same for the
+ corresponding rows in each table, to facilitate correlation of these
+ related rows by management applications.
+
+7. Definitions
+
+ RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+ radiusAuthServMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+ Phone: +1 425 936 6605
+
+
+
+Nelson Standards Track [Page 5]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Remote Authentication Dial-In User
+ Service (RADIUS) authentication protocol. Copyright
+ (C) The Internet Society (2006). This version of this
+ MIB module is part of RFC 4669; see the RFC itself for
+ full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4669. This
+ version obsoletes that of RFC 2619 by deprecating the
+ MIB table containing IPv4-only address formats and
+ defining a new table to add support for version-neutral
+ IP address formats. The remaining MIB objects from RFC
+ 2619 are carried forward into this version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2619."
+ ::= { radiusAuthentication 1 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}
+
+ radiusAuthServMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAuthServMIB 1 }
+
+ radiusAuthServ OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBObjects 1 }
+
+ radiusAuthServIdent OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ RADIUS authentication server software in use on the
+ system, for example, 'FNS-2.1'."
+ ::= {radiusAuthServ 1}
+
+ radiusAuthServUpTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Nelson Standards Track [Page 6]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a
+ process), this value will be the time elapsed (in
+ hundredths of a second) since the server process
+ was started. For software without persistent state,
+ this value will be zero."
+ ::= {radiusAuthServ 2}
+
+ radiusAuthServResetTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a 'reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed (in hundredths of a second) since the
+ server was 'reset.' For software that does not
+ have persistence or does not support a 'reset'
+ operation, this value will be zero."
+ ::= {radiusAuthServ 3}
+
+ radiusAuthServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistent
+ server state. When set to reset(2), any persistent
+ server state (such as a process) is reinitialized as
+ if the server had just been started. This value will
+ never be returned by a read operation. When read,
+ one of the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= {radiusAuthServ 4}
+
+ radiusAuthServTotalAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the
+
+
+
+Nelson Standards Track [Page 7]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ authentication port."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 5}
+
+ radiusAuthServTotalInvalidRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Request packets
+ received from unknown addresses."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 6 }
+
+ radiusAuthServTotalDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 7 }
+
+ radiusAuthServTotalAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets sent."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthServ 8 }
+
+ radiusAuthServTotalAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets sent."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthServ 9 }
+
+ radiusAuthServTotalAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Standards Track [Page 8]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets sent."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthServ 10 }
+
+ radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received. Bad authenticators
+ and unknown types are not included as
+ malformed Access-Requests."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthServ 11 }
+
+ radiusAuthServTotalBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServ 12 }
+
+ radiusAuthServTotalPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets
+ silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthServ 13 }
+
+ radiusAuthServTotalUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Standards Track [Page 9]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthServ 14 }
+
+
+ radiusAuthClientTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS
+ authentication clients with which the server shares
+ a secret."
+ ::= { radiusAuthServ 15 }
+
+
+ radiusAuthClientEntry OBJECT-TYPE
+ SYNTAX RadiusAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication client with which the server shares a
+ secret."
+ INDEX { radiusAuthClientIndex }
+ ::= { radiusAuthClientTable 1 }
+
+ RadiusAuthClientEntry ::= SEQUENCE {
+ radiusAuthClientIndex Integer32,
+ radiusAuthClientAddress IpAddress,
+ radiusAuthClientID SnmpAdminString,
+ radiusAuthServAccessRequests Counter32,
+ radiusAuthServDupAccessRequests Counter32,
+ radiusAuthServAccessAccepts Counter32,
+ radiusAuthServAccessRejects Counter32,
+ radiusAuthServAccessChallenges Counter32,
+ radiusAuthServMalformedAccessRequests Counter32,
+ radiusAuthServBadAuthenticators Counter32,
+ radiusAuthServPacketsDropped Counter32,
+ radiusAuthServUnknownTypes Counter32
+ }
+
+ radiusAuthClientIndex OBJECT-TYPE
+
+
+
+Nelson Standards Track [Page 10]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ authentication client with which this server
+ communicates."
+ ::= { radiusAuthClientEntry 1 }
+
+ radiusAuthClientAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-IP-Address of the RADIUS authentication client
+ referred to in this table entry."
+ REFERENCE "RFC 2865 section 2"
+ ::= { radiusAuthClientEntry 2 }
+
+ radiusAuthClientID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAuthClientEntry 3 }
+
+ -- Server Counters
+
+ --
+ -- Responses = AccessAccepts + AccessRejects + AccessChallenges
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped = entries logged
+
+ radiusAuthServAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of packets received on the authentication
+
+
+
+Nelson Standards Track [Page 11]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ port from this client."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientEntry 4 }
+
+ radiusAuthServDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received from this client."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientEntry 5 }
+
+ radiusAuthServAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthClientEntry 6 }
+
+ radiusAuthServAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthClientEntry 7 }
+
+ radiusAuthServAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ sent to this client."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthClientEntry 8 }
+
+
+
+
+Nelson Standards Track [Page 12]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received from this client.
+ Bad authenticators and unknown types are not included
+ as malformed Access-Requests."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 9 }
+
+ radiusAuthServBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received from this client."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 10 }
+
+ radiusAuthServPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of incoming packets from this
+ client silently discarded for some reason other
+ than malformed, bad authenticators or
+ unknown types."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientEntry 11 }
+
+ radiusAuthServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthClientEntry 12 }
+
+
+
+Nelson Standards Track [Page 13]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ -- New MIB objects added in this revision
+
+ radiusAuthClientExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAuthClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS
+ authentication clients with which the server shares
+ a secret."
+ ::= { radiusAuthServ 16 }
+
+ radiusAuthClientExtEntry OBJECT-TYPE
+ SYNTAX RadiusAuthClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ authentication client with which the server shares a
+ secret."
+ INDEX { radiusAuthClientExtIndex }
+ ::= { radiusAuthClientExtTable 1 }
+
+ RadiusAuthClientExtEntry ::= SEQUENCE {
+ radiusAuthClientExtIndex Integer32,
+ radiusAuthClientInetAddressType InetAddressType,
+ radiusAuthClientInetAddress InetAddress,
+ radiusAuthClientExtID SnmpAdminString,
+ radiusAuthServExtAccessRequests Counter32,
+ radiusAuthServExtDupAccessRequests Counter32,
+ radiusAuthServExtAccessAccepts Counter32,
+ radiusAuthServExtAccessRejects Counter32,
+ radiusAuthServExtAccessChallenges Counter32,
+ radiusAuthServExtMalformedAccessRequests Counter32,
+ radiusAuthServExtBadAuthenticators Counter32,
+ radiusAuthServExtPacketsDropped Counter32,
+ radiusAuthServExtUnknownTypes Counter32,
+ radiusAuthServCounterDiscontinuity TimeTicks
+ }
+
+ radiusAuthClientExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ authentication client with which this server
+ communicates."
+
+
+
+Nelson Standards Track [Page 14]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAuthClientExtEntry 1 }
+
+ radiusAuthClientInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAuthClientInetAddress object."
+ ::= { radiusAuthClientExtEntry 2 }
+
+ radiusAuthClientInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS authentication
+ client referred to in this table entry, using
+ the version-neutral IP address format."
+ ::= { radiusAuthClientExtEntry 3 }
+
+
+ radiusAuthClientExtID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS authentication client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAuthClientExtEntry 4 }
+
+ -- Server Counters
+
+ --
+ -- Responses = AccessAccepts + AccessRejects + AccessChallenges
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped = entries logged
+
+ radiusAuthServExtAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+
+
+
+Nelson Standards Track [Page 15]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ STATUS current
+ DESCRIPTION
+ "The number of packets received on the authentication
+ port from this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientExtEntry 5 }
+
+ radiusAuthServExtDupAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Access-Request
+ packets received from this client. This counter may
+ experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.1"
+ ::= { radiusAuthClientExtEntry 6 }
+
+ radiusAuthServExtAccessAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Accept packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.2"
+ ::= { radiusAuthClientExtEntry 7 }
+
+ radiusAuthServExtAccessRejects OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Reject packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+
+
+
+Nelson Standards Track [Page 16]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.3"
+ ::= { radiusAuthClientExtEntry 8 }
+
+ radiusAuthServExtAccessChallenges OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Access-Challenge packets
+ sent to this client. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4.4"
+ ::= { radiusAuthClientExtEntry 9 }
+
+ radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Access-Request
+ packets received from this client. Bad authenticators
+ and unknown types are not included as malformed
+ Access-Requests. This counter may experience a
+ discontinuity when the RADIUS Server module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 sections 3, 4.1"
+ ::= { radiusAuthClientExtEntry 10 }
+
+ radiusAuthServExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Authentication-Request packets
+ that contained invalid Message Authenticator
+ attributes received from this client. This counter
+ may experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+
+
+
+Nelson Standards Track [Page 17]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientExtEntry 11 }
+
+ radiusAuthServExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets from this client
+ silently discarded for some reason other than
+ malformed, bad authenticators or unknown types.
+ This counter may experience a discontinuity when the
+ RADIUS Server module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 3"
+ ::= { radiusAuthClientExtEntry 12 }
+
+ radiusAuthServExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client. This counter may
+ experience a discontinuity when the RADIUS Server
+ module within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAuthServCounterDiscontinuity."
+ REFERENCE "RFC 2865 section 4"
+ ::= { radiusAuthClientExtEntry 13 }
+
+ radiusAuthServCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centiseconds since the last
+ discontinuity in the RADIUS Server counters.
+ A discontinuity may be the result of a
+ reinitialization of the RADIUS Server module
+ within the managed entity."
+ ::= { radiusAuthClientExtEntry 14 }
+
+
+
+
+
+Nelson Standards Track [Page 18]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ -- conformance information
+
+ radiusAuthServMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAuthServMIB 2 }
+
+ radiusAuthServMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBConformance 1 }
+
+ radiusAuthServMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAuthServMIBConformance 2 }
+
+ -- compliance statements
+
+ radiusAuthServMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for authentication
+ servers implementing the RADIUS Authentication
+ Server MIB. Implementation of this module is for
+ IPv4-only entities, or for backwards compatibility
+ use with entities that support both IPv4 and
+ IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthServMIBGroup }
+
+ OBJECT radiusAuthServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ ::= { radiusAuthServMIBCompliances 1 }
+
+
+ radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for authentication
+ servers implementing the RADIUS Authentication
+ Server IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAuthServExtMIBGroup }
+
+ OBJECT radiusAuthServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ OBJECT radiusAuthClientInetAddressType
+
+
+
+Nelson Standards Track [Page 19]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAuthClientInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ ::= { radiusAuthServMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAuthServMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAuthServIdent,
+ radiusAuthServUpTime,
+ radiusAuthServResetTime,
+ radiusAuthServConfigReset,
+ radiusAuthServTotalAccessRequests,
+ radiusAuthServTotalInvalidRequests,
+ radiusAuthServTotalDupAccessRequests,
+ radiusAuthServTotalAccessAccepts,
+ radiusAuthServTotalAccessRejects,
+ radiusAuthServTotalAccessChallenges,
+ radiusAuthServTotalMalformedAccessRequests,
+ radiusAuthServTotalBadAuthenticators,
+ radiusAuthServTotalPacketsDropped,
+ radiusAuthServTotalUnknownTypes,
+ radiusAuthClientAddress,
+ radiusAuthClientID,
+ radiusAuthServAccessRequests,
+ radiusAuthServDupAccessRequests,
+ radiusAuthServAccessAccepts,
+ radiusAuthServAccessRejects,
+ radiusAuthServAccessChallenges,
+ radiusAuthServMalformedAccessRequests,
+ radiusAuthServBadAuthenticators,
+ radiusAuthServPacketsDropped,
+ radiusAuthServUnknownTypes
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Authentication Server."
+ ::= { radiusAuthServMIBGroups 1 }
+
+
+
+Nelson Standards Track [Page 20]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServExtMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAuthServIdent,
+ radiusAuthServUpTime,
+ radiusAuthServResetTime,
+ radiusAuthServConfigReset,
+ radiusAuthServTotalAccessRequests,
+ radiusAuthServTotalInvalidRequests,
+ radiusAuthServTotalDupAccessRequests,
+ radiusAuthServTotalAccessAccepts,
+ radiusAuthServTotalAccessRejects,
+ radiusAuthServTotalAccessChallenges,
+ radiusAuthServTotalMalformedAccessRequests,
+ radiusAuthServTotalBadAuthenticators,
+ radiusAuthServTotalPacketsDropped,
+ radiusAuthServTotalUnknownTypes,
+ radiusAuthClientInetAddressType,
+ radiusAuthClientInetAddress,
+ radiusAuthClientExtID,
+ radiusAuthServExtAccessRequests,
+ radiusAuthServExtDupAccessRequests,
+ radiusAuthServExtAccessAccepts,
+ radiusAuthServExtAccessRejects,
+ radiusAuthServExtAccessChallenges,
+ radiusAuthServExtMalformedAccessRequests,
+ radiusAuthServExtBadAuthenticators,
+ radiusAuthServExtPacketsDropped,
+ radiusAuthServExtUnknownTypes,
+ radiusAuthServCounterDiscontinuity
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Authentication Server."
+ ::= { radiusAuthServMIBGroups 2 }
+
+ END
+
+8. Security Considerations
+
+ There are a number of management objects defined in this MIB that
+ have a MAX-ACCESS clause of read-write and/or read-create. Such
+ objects may be considered sensitive or vulnerable in some network
+ environments. The support for SET operations in a non-secure
+ environment without proper protection can have a negative effect on
+ network operations. These are:
+
+
+
+
+
+
+Nelson Standards Track [Page 21]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+ radiusAuthServConfigReset
+ This object can be used to reinitialize the persistent state of
+ any server. When set to reset(2), any persistent server state
+ (such as a process) is reinitialized as if the server had just
+ been started. Depending on the server implementation details,
+ this action may or may not interrupt the processing of pending
+ request in the server. Abuse of this object may lead to a Denial
+ of Service attack on the server.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAuthClientIPAddress
+ This can be used to determine the address of the RADIUS
+ authentication client with which the server is communicating.
+ This information could be useful in mounting an attack on the
+ authentication client.
+
+ radiusAuthClientInetAddress
+ This can be used to determine the address of the RADIUS
+ authentication client with which the server is communicating.
+ This information could be useful in mounting an attack on the
+ authentication client.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+ SNMP versions prior to SNMPv3 do not provide a secure environment.
+ Even if the network itself is secure (for example by using IPsec),
+ there is no control as to who on the secure network is allowed to
+ access and GET/SET (read/change/create/delete) the objects in this
+ MIB.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+Nelson Standards Track [Page 22]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+9.2. Informative References
+
+ [RFC2619] Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
+ RFC 2619, June 1999.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
+ RFC 4668, August 2006.
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 23]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to David Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Standards Track [Page 24]
+\f
+RFC 4669 RADIUS Auth Server MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Standards Track [Page 25]
+\f
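Review bot: the Security Considerations section of this added file lists radiusAuthClientIPAddress as a sensitive object, but neither OBJECT-GROUP in the module contains an object of that name. The deprecated group lists radiusAuthClientAddress and the current group lists radiusAuthClientInetAddress. Record the mismatch next to the imported text or correct the name, otherwise anyone deriving an SNMP access-control view from this section will try to restrict an object that is not defined here while the deprecated IPv4 address column stays readable. A smaller wording point in the same file: the DESCRIPTION of radiusAuthServExtBadAuthenticators counts "RADIUS Authentication-Request packets", whereas the neighbouring counters (radiusAuthServExtDupAccessRequests, radiusAuthServExtMalformedAccessRequests) say Access-Request, so it is worth noting that the same packet type is meant. Finally, radiusAuthServConfigReset is the only writable object the section calls out, with reset(2) as its only SETable value and a stated Denial of Service risk, so whatever agent configuration accompanies this MIB should limit SET on it to authenticated SNMPv3 principals, as the section itself recommends.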
--- /dev/null
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4670 Enterasys Networks
+Obsoletes: 2620 August 2006
+Category: Informational
+
+
+ RADIUS Accounting Client MIB for IPv6
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ accounting client functions. These extensions represent a portion of
+ the Management Information Base (MIB) for use with network management
+ protocols in the Internet community. Using these extensions,
+ IP-based management stations can manage RADIUS accounting clients.
+
+ This memo obsoletes RFC 2620 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2620 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 1]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................19
+ 9. References .....................................................20
+ 9.1. Normative References ......................................20
+ 9.2. Informative References ....................................21
+ Appendix A. Acknowledgements ......................................22
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 2]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Accounting Client as
+ defined in RFC 2866 [RFC2866].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
+ [RFC2866].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2866 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2866.
+ Those implementations are used in deployments today, and thus set the
+ de facto definition of "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2620 [RFC2620], RADIUS Accounting Client
+ MIB, by deprecating the radiusAccServerTable table and adding a new
+ table, radiusAccServerExtTable, containing
+ radiusAccServerInetAddressType, radiusAccServerInetAddress, and
+ radiusAccClientServerInetPortNumber. The purpose of these added MIB
+ objects is to support version-neutral IP addressing formats. The
+
+
+
+Nelson Informational [Page 3]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ existing table containing radiusAuthServerAddress and
+ radiusAuthClientServerPortNumber is deprecated. The remaining MIB
+ objects from RFC 2620 are carried forward into this document.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ IPv6 addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
+ distinguishes between the client function and the server function.
+ In RADIUS accounting, clients send Accounting-Requests, and servers
+ reply with Accounting-Responses. Typically, Network Access Server
+ (NAS) devices implement the client function, and thus would be
+ expected to implement the RADIUS accounting client MIB, while RADIUS
+ accounting servers implement the server function, and thus would be
+ expected to implement the RADIUS accounting server MIB.
+
+ However, it is possible for a RADIUS accounting entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS accounting clients, while
+ simultaneously acting as an accounting client to one or more
+ accounting servers. In such situations, it is expected that RADIUS
+ entities combining client and server functionality will support both
+ the client and server MIBs. The client MIB is defined in this
+ document, and the server MIB is defined in [RFC4671].
+
+ This MIB module contains two scalars as well as a single table, the
+ RADIUS Accounting Server Table, which contains one row for each
+ RADIUS server with which the client shares a secret. Each entry in
+ the RADIUS Accounting Server Table includes fifteen columns
+ presenting a view of the activity of the RADIUS client.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 4]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2620
+ [RFC2620]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS
+ accounting server address represented in such a table row is not an
+ IPv4 address. Managed entities SHOULD NOT return inaccurate values
+ of IP address or SNMP object access errors for IPv4-only address
+ objects in otherwise populated tables. When row entries exist in
+ both the deprecated IPv4-only table and the new IP-version-neutral
+ table that describe the same RADIUS accounting server, the row
+ indexes SHOULD be the same for the corresponding rows in each table,
+ to facilitate correlation of these related rows by management
+ applications.
+
+7. Definitions
+
+ RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32, Gauge32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress,
+ InetPortNumber FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+
+ radiusAccClientMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+
+
+
+Nelson Informational [Page 5]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ Redmond, WA 98052
+ US
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the client
+ side of the Remote Authentication Dial-In User Service
+ (RADIUS) accounting protocol. Copyright (C) The
+ Internet Society (2006). This version of this MIB
+ module is part of RFC 4670; see the RFC itself for
+ full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4670.
+ This version obsoletes that of RFC 2620 by
+ deprecating the MIB table containing IPv4-only
+ address formats and defining a new table to add support
+ for version-neutral IP address formats. The remaining
+ MIB objects from RFC 2620 are carried forward into this
+ version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2620."
+ ::= { radiusAccounting 2 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}
+
+ radiusAccClientMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAccClientMIB 1 }
+
+ radiusAccClient OBJECT IDENTIFIER
+ ::= { radiusAccClientMIBObjects 1 }
+
+ radiusAccClientInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ received from unknown addresses."
+ ::= { radiusAccClient 1 }
+
+
+
+
+Nelson Informational [Page 6]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ radiusAccClientIdentifier OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS accounting client.
+ This is not necessarily the same as sysName in MIB
+ II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAccClient 2 }
+
+ radiusAccServerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAccServerEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ servers with which the client shares a secret."
+ ::= { radiusAccClient 3 }
+
+ radiusAccServerEntry OBJECT-TYPE
+ SYNTAX RadiusAccServerEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting server with which the client shares a
+ secret."
+ INDEX { radiusAccServerIndex }
+ ::= { radiusAccServerTable 1 }
+
+ RadiusAccServerEntry ::= SEQUENCE {
+ radiusAccServerIndex Integer32,
+ radiusAccServerAddress IpAddress,
+ radiusAccClientServerPortNumber Integer32,
+ radiusAccClientRoundTripTime TimeTicks,
+ radiusAccClientRequests Counter32,
+ radiusAccClientRetransmissions Counter32,
+ radiusAccClientResponses Counter32,
+ radiusAccClientMalformedResponses Counter32,
+ radiusAccClientBadAuthenticators Counter32,
+ radiusAccClientPendingRequests Gauge32,
+ radiusAccClientTimeouts Counter32,
+ radiusAccClientUnknownTypes Counter32,
+ radiusAccClientPacketsDropped Counter32
+ }
+
+
+
+
+
+Nelson Informational [Page 7]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ radiusAccServerIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ Accounting server with which this client
+ communicates."
+ ::= { radiusAccServerEntry 1 }
+
+ radiusAccServerAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The IP address of the RADIUS accounting server
+ referred to in this table entry."
+ ::= { radiusAccServerEntry 2 }
+
+ radiusAccClientServerPortNumber OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The UDP port the client is using to send requests to
+ this server."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServerEntry 3 }
+
+ radiusAccClientRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The time interval between the most recent
+ Accounting-Response and the Accounting-Request that
+ matched it from this RADIUS accounting server."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerEntry 4 }
+
+ -- Request/Response statistics
+ --
+ -- Requests = Responses + PendingRequests + ClientTimeouts
+ --
+ -- Responses - MalformedResponses - BadAuthenticators -
+ -- UnknownTypes - PacketsDropped = Successfully received
+
+
+
+
+
+Nelson Informational [Page 8]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ radiusAccClientRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ sent. This does not include retransmissions."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServerEntry 5 }
+
+ radiusAccClientRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ retransmitted to this RADIUS accounting server.
+ Retransmissions include retries where the
+ Identifier and Acct-Delay have been updated, as
+ well as those in which they remain the same."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerEntry 6 }
+
+ radiusAccClientResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets received on the
+ accounting port from this server."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccServerEntry 7 }
+
+ radiusAccClientMalformedResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Response
+ packets received from this server. Malformed packets
+ include packets with an invalid length. Bad
+ authenticators and unknown types are not included as
+ malformed accounting responses."
+ REFERENCE "RFC 2866 section 3"
+
+
+
+Nelson Informational [Page 9]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServerEntry 8 }
+
+ radiusAccClientBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response
+ packets that contained invalid authenticators
+ received from this server."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServerEntry 9 }
+
+ radiusAccClientPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ sent to this server that have not yet timed out or
+ received a response. This variable is incremented
+ when an Accounting-Request is sent and decremented
+ due to receipt of an Accounting-Response, a timeout,
+ or a retransmission."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerEntry 10 }
+
+ radiusAccClientTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of accounting timeouts to this server.
+ After a timeout, the client may retry to the same
+ server, send to a different server, or give up.
+ A retry to the same server is counted as a
+ retransmit as well as a timeout. A send to a different
+ server is counted as an Accounting-Request as well as
+ a timeout."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerEntry 11 }
+
+ radiusAccClientUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+
+
+
+Nelson Informational [Page 10]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this server on the accounting port."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccServerEntry 12 }
+
+ radiusAccClientPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets that were received from
+ this server on the accounting port and dropped for some
+ other reason."
+ ::= { radiusAccServerEntry 13 }
+
+
+ -- New MIB objects added in this revision
+
+ radiusAccServerExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAccServerExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ servers with which the client shares a secret."
+ ::= { radiusAccClient 4 }
+
+ radiusAccServerExtEntry OBJECT-TYPE
+ SYNTAX RadiusAccServerExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting server with which the client shares a
+ secret."
+ INDEX { radiusAccServerExtIndex }
+ ::= { radiusAccServerExtTable 1 }
+
+ RadiusAccServerExtEntry ::= SEQUENCE {
+ radiusAccServerExtIndex Integer32,
+ radiusAccServerInetAddressType InetAddressType,
+ radiusAccServerInetAddress InetAddress,
+ radiusAccClientServerInetPortNumber InetPortNumber,
+ radiusAccClientExtRoundTripTime TimeTicks,
+
+
+
+Nelson Informational [Page 11]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ radiusAccClientExtRequests Counter32,
+ radiusAccClientExtRetransmissions Counter32,
+ radiusAccClientExtResponses Counter32,
+ radiusAccClientExtMalformedResponses Counter32,
+ radiusAccClientExtBadAuthenticators Counter32,
+ radiusAccClientExtPendingRequests Gauge32,
+ radiusAccClientExtTimeouts Counter32,
+ radiusAccClientExtUnknownTypes Counter32,
+ radiusAccClientExtPacketsDropped Counter32,
+ radiusAccClientCounterDiscontinuity TimeTicks
+ }
+
+ radiusAccServerExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS
+ Accounting server with which this client
+ communicates."
+ ::= { radiusAccServerExtEntry 1 }
+
+
+ radiusAccServerInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAccServerInetAddress object."
+ ::= { radiusAccServerExtEntry 2 }
+
+
+ radiusAccServerInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS accounting
+ server referred to in this table entry, using
+ the version-neutral IP address format."
+ ::= { radiusAccServerExtEntry 3 }
+
+ radiusAccClientServerInetPortNumber OBJECT-TYPE
+ SYNTAX InetPortNumber ( 1..65535 )
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+
+
+
+Nelson Informational [Page 12]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ "The UDP port the client is using to send requests
+ to this accounting server. The value zero (0) is
+ invalid."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServerExtEntry 4 }
+
+
+ radiusAccClientExtRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time interval between the most recent
+ Accounting-Response and the Accounting-Request that
+ matched it from this RADIUS accounting server."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerExtEntry 5 }
+
+ -- Request/Response statistics
+ --
+ -- Requests = Responses + PendingRequests + ClientTimeouts
+ --
+ -- Responses - MalformedResponses - BadAuthenticators -
+ -- UnknownTypes - PacketsDropped = Successfully received
+
+ radiusAccClientExtRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ sent. This does not include retransmissions.
+ This counter may experience a discontinuity when the
+ RADIUS Accounting Client module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServerExtEntry 6 }
+
+ radiusAccClientExtRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ retransmitted to this RADIUS accounting server.
+
+
+
+Nelson Informational [Page 13]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ Retransmissions include retries where the
+ Identifier and Acct-Delay have been updated, as
+ well as those in which they remain the same.
+ This counter may experience a discontinuity when the
+ RADIUS Accounting Client module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerExtEntry 7 }
+
+ radiusAccClientExtResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets received on the
+ accounting port from this server. This counter
+ may experience a discontinuity when the RADIUS
+ Accounting Client module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccServerExtEntry 8 }
+
+ radiusAccClientExtMalformedResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Response
+ packets received from this server. Malformed packets
+ include packets with an invalid length. Bad
+ authenticators and unknown types are not included as
+ malformed accounting responses. This counter may
+ experience a discontinuity when the RADIUS Accounting
+ Client module within the managed entity is
+ reinitialized, as indicated by the current
+ value of radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServerExtEntry 9 }
+
+ radiusAccClientExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Nelson Informational [Page 14]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response
+ packets that contained invalid authenticators
+ received from this server. This counter may
+ experience a discontinuity when the RADIUS
+ Accounting Client module within the managed
+ entity is reinitialized, as indicated by the
+ current value of
+ radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServerExtEntry 10 }
+
+ radiusAccClientExtPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ sent to this server that have not yet timed out or
+ received a response. This variable is incremented
+ when an Accounting-Request is sent and decremented
+ due to receipt of an Accounting-Response, a timeout,
+ or a retransmission. This counter may experience a
+ discontinuity when the RADIUS Accounting Client module
+ within the managed entity is reinitialized, as
+ indicated by the current value of
+ radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 2"
+ ::= { radiusAccServerExtEntry 11 }
+
+ radiusAccClientExtTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of accounting timeouts to this server.
+ After a timeout, the client may retry to the same
+ server, send to a different server, or give up.
+ A retry to the same server is counted as a
+ retransmit as well as a timeout. A send to a different
+ server is counted as an Accounting-Request as well as
+ a timeout. This counter may experience a discontinuity
+ when the RADIUS Accounting Client module within the
+ managed entity is reinitialized, as indicated by the
+ current value of radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 2"
+
+
+
+Nelson Informational [Page 15]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServerExtEntry 12 }
+
+ radiusAccClientExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this server on the accounting port.
+ This counter may experience a discontinuity when the
+ RADIUS Accounting Client module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccClientCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccServerExtEntry 13 }
+
+ radiusAccClientExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets that were received from
+ this server on the accounting port and dropped for some
+ other reason. This counter may experience a
+ discontinuity when the RADIUS Accounting Client module
+ within the managed entity is reinitialized, as indicated
+ by the current value of
+ radiusAccClientCounterDiscontinuity."
+ ::= { radiusAccServerExtEntry 14 }
+
+ radiusAccClientCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centiseconds since the last
+ discontinuity in the RADIUS Accounting Client
+ counters. A discontinuity may be the result of a
+ reinitialization of the RADIUS Accounting Client
+ module within the managed entity."
+ ::= { radiusAccServerExtEntry 15 }
+
+
+
+
+
+
+
+Nelson Informational [Page 16]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ -- conformance information
+
+ radiusAccClientMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAccClientMIB 2 }
+
+ radiusAccClientMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAccClientMIBConformance 1 }
+
+ radiusAccClientMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAccClientMIBConformance 2 }
+
+
+ -- units of conformance
+
+ radiusAccClientMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for accounting clients
+ implementing the RADIUS Accounting Client MIB.
+ Implementation of this module is for IPv4-only
+ entities, or for backwards compatibility use with
+ entities that support both IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccClientMIBGroup }
+
+ ::= { radiusAccClientMIBCompliances 1 }
+
+
+ radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for accounting
+ clients implementing the RADIUS Accounting
+ Client IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccClientExtMIBGroup }
+
+ OBJECT radiusAccServerInetAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAccServerInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+
+
+
+Nelson Informational [Page 17]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ ::= { radiusAccClientMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAccClientMIBGroup OBJECT-GROUP
+ OBJECTS { radiusAccClientIdentifier,
+ radiusAccClientInvalidServerAddresses,
+ radiusAccServerAddress,
+ radiusAccClientServerPortNumber,
+ radiusAccClientRoundTripTime,
+ radiusAccClientRequests,
+ radiusAccClientRetransmissions,
+ radiusAccClientResponses,
+ radiusAccClientMalformedResponses,
+ radiusAccClientBadAuthenticators,
+ radiusAccClientPendingRequests,
+ radiusAccClientTimeouts,
+ radiusAccClientUnknownTypes,
+ radiusAccClientPacketsDropped
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The basic collection of objects providing management of
+ RADIUS Accounting Clients."
+ ::= { radiusAccClientMIBGroups 1 }
+
+
+ radiusAccClientExtMIBGroup OBJECT-GROUP
+ OBJECTS { radiusAccClientIdentifier,
+ radiusAccClientInvalidServerAddresses,
+ radiusAccServerInetAddressType,
+ radiusAccServerInetAddress,
+ radiusAccClientServerInetPortNumber,
+ radiusAccClientExtRoundTripTime,
+ radiusAccClientExtRequests,
+ radiusAccClientExtRetransmissions,
+ radiusAccClientExtResponses,
+ radiusAccClientExtMalformedResponses,
+ radiusAccClientExtBadAuthenticators,
+ radiusAccClientExtPendingRequests,
+ radiusAccClientExtTimeouts,
+ radiusAccClientExtUnknownTypes,
+ radiusAccClientExtPacketsDropped,
+ radiusAccClientCounterDiscontinuity
+
+
+
+Nelson Informational [Page 18]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ }
+ STATUS current
+ DESCRIPTION
+ "The basic collection of objects providing management of
+ RADIUS Accounting Clients."
+ ::= { radiusAccClientMIBGroups 2 }
+
+
+ END
+
+8. Security Considerations
+
+ There are no management objects defined in this MIB that have a MAX-
+ ACCESS clause of read-write and/or read-create. So, if this MIB is
+ implemented correctly, then there is no risk that an intruder can
+ alter or create any management objects of this MIB via direct SNMP
+ SET operations.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAcctServerIPAddress
+ This can be used to determine the address of the RADIUS accounting
+ server with which the client is communicating. This information
+ could be useful in mounting an attack on the accounting server.
+
+ radiusAcctServerInetAddress
+ This can be used to determine the address of the RADIUS accounting
+ server with which the client is communicating. This information
+ could be useful in mounting an attack on the accounting server.
+
+ radiusAcctClientServerPortNumber
+ This can be used to determine the port number on which the RADIUS
+ accounting client is sending. This information could be useful in
+ impersonating the client in order to send data to the accounting
+ server.
+
+ radiusAcctClientServerInetPortNumber
+ This can be used to determine the port number on which the RADIUS
+ accounting client is sending. This information could be useful in
+ impersonating the client in order to send data to the accounting
+ server.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+
+
+
+Nelson Informational [Page 19]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+ SNMP versions prior to SNMPv3 do not provide a secure environment.
+ Even if the network itself is secure (for example by using IPsec),
+ there is no control as to who on the secure network is allowed to
+ access and GET/SET (read/change/create/delete) the objects in this
+ MIB.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+
+
+Nelson Informational [Page 20]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+9.2. Informative References
+
+ [RFC2620] Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
+ RFC 2620, June 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)", RFC
+ 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
+ 4671, August 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 21]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to Dave Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 22]
+\f
+RFC 4670 RADIUS Acct Client MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Informational [Page 23]
+\f
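Review bot: The four object names listed as sensitive in Section 8 (Security Considerations) do not match any descriptor defined in the MIB module in Section 7. The text names radiusAcctServerIPAddress, radiusAcctServerInetAddress, radiusAcctClientServerPortNumber and radiusAcctClientServerInetPortNumber, while the module defines radiusAccServerAddress, radiusAccServerInetAddress, radiusAccClientServerPortNumber and radiusAccClientServerInetPortNumber (prefix radiusAcc, not radiusAcct, and no "IP" in the deprecated address object). Anyone restricting GET access from this list, as the section recommends, would be filtering on names that do not exist in the module, so the list should use the defined descriptors, or, if this file must stay a verbatim copy of the published text, the mismatch should be recorded wherever access rules are derived from it. A smaller point in the same hunk: radiusAccClientExtPendingRequests has SYNTAX Gauge32, but its DESCRIPTION says "This counter may experience a discontinuity", which is worth rewording since a gauge is not a counter.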
--- /dev/null
+
+
+
+
+
+
+Network Working Group D. Nelson
+Request for Comments: 4671 Enterasys Networks
+Obsoletes: 2621 August 2006
+Category: Informational
+
+
+ RADIUS Accounting Server MIB for IPv6
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a set of extensions that instrument RADIUS
+ accounting server functions. These extensions represent a portion of
+ the Management Information Base (MIB) for use with network management
+ protocols in the Internet community. Using these extensions,
+ IP-based management stations can manage RADIUS accounting servers.
+
+ This memo obsoletes RFC 2621 by deprecating the MIB table containing
+ IPv4-only address formats and defining a new table to add support for
+ version-neutral IP address formats. The remaining MIB objects from
+ RFC 2621 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 1]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................3
+ 3. The Internet-Standard Management Framework ......................3
+ 4. Scope of Changes ................................................3
+ 5. Structure of the MIB Module .....................................4
+ 6. Deprecated Objects ..............................................5
+ 7. Definitions .....................................................5
+ 8. Security Considerations ........................................20
+ 9. References .....................................................22
+ 9.1. Normative References ......................................22
+ 9.2. Informative References ....................................22
+ Appendix A. Acknowledgements ......................................23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 2]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ The objects defined within this memo relate to the Remote
+ Authentication Dial-In User Service (RADIUS) Accounting Server as
+ defined in RFC 2866 [RFC2866].
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+ This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
+ [RFC2866].
+
+ This document uses the word "malformed" with respect to RADIUS
+ packets, particularly in the context of counters of "malformed
+ packets". While RFC 2866 does not provide an explicit definition of
+ "malformed", malformed generally means that the implementation has
+ determined the packet does not match the format defined in RFC 2866.
+ Those implementations are used in deployments today, and thus set the
+ de facto definition of "malformed".
+
+3. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ RFC 3410 [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
+ [RFC2580].
+
+4. Scope of Changes
+
+ This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
+ MIB, by deprecating the radiusAccClientTable table and adding a new
+ table, radiusAccClientExtTable, containing
+ radiusAccClientInetAddressType and radiusAccClientInetAddress. The
+ purpose of these added MIB objects is to support version-neutral IP
+ addressing formats. The existing table containing
+
+
+
+Nelson Informational [Page 3]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccClientAddress is deprecated. The remaining MIB objects from
+ RFC 2621 are carried forward into this document. This memo also adds
+ UNITS and REFERENCE clauses to selected objects.
+
+ RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
+ version-neutral IP addresses, contains the following recommendation.
+
+ 'In particular, when revising a MIB module that contains IPv4
+ specific tables, it is suggested to define new tables using the
+ textual conventions defined in this memo [RFC4001] that support all
+ versions of IP. The status of the new tables SHOULD be "current",
+ whereas the status of the old IP version specific tables SHOULD be
+ changed to "deprecated". The other approach, of having multiple
+ similar tables for different IP versions, is strongly discouraged.'
+
+5. Structure of the MIB Module
+
+ The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
+ distinguishes between the client function and the server function.
+ In RADIUS accounting, clients send Accounting-Requests, and servers
+ reply with Accounting-Responses. Typically, Network Access Server
+ (NAS) devices implement the client function, and thus would be
+ expected to implement the RADIUS accounting client MIB, while RADIUS
+ accounting servers implement the server function, and thus would be
+ expected to implement the RADIUS accounting server MIB.
+
+ However, it is possible for a RADIUS accounting entity to perform
+ both client and server functions. For example, a RADIUS proxy may
+ act as a server to one or more RADIUS accounting clients, while
+ simultaneously acting as an accounting client to one or more
+ accounting servers. In such situations, it is expected that RADIUS
+ entities combining client and server functionality will support both
+ the client and server MIBs. The server MIB is defined in this
+ document, and the client MIB is defined in [RFC4670].
+
+ This MIB module contains thirteen scalars as well as a single table,
+ the RADIUS Accounting Client Table, which contains one row for each
+ RADIUS accounting client with which the server shares a secret. Each
+ entry in the RADIUS Accounting Client Table includes twelve columns
+ presenting a view of the activity of the RADIUS accounting server.
+
+ This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 4]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+6. Deprecated Objects
+
+ The deprecated table in this MIB is carried forward from RFC 2621
+ [RFC2621]. There are two conditions under which it MAY be desirable
+ for managed entities to continue to support the deprecated table:
+
+ 1. The managed entity only supports IPv4 address formats.
+
+ 2. The managed entity supports both IPv4 and IPv6 address formats,
+ and the deprecated table is supported for backwards compatibility
+ with older management stations. This option SHOULD only be used
+ when the IP addresses in the new table are in IPv4 format and can
+ accurately be represented in both the new table and the
+ deprecated table.
+
+ Managed entities SHOULD NOT instantiate row entries in the deprecated
+ table, containing IPv4-only address objects, when the RADIUS
+ accounting client address represented in such a table row is not an
+ IPv4 address. Managed entities SHOULD NOT return inaccurate values
+ of IP address or SNMP object access errors for IPv4-only address
+ objects in otherwise populated tables. When row entries exist in
+ both the deprecated IPv4-only table and the new IP-version-neutral
+ table that describe the same RADIUS accounting client, the row
+ indexes SHOULD be the same for the corresponding rows in each table,
+ to facilitate correlation of these related rows by management
+ applications.
+
+7. Definitions
+
+ RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ Counter32, Integer32,
+ IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ InetAddressType, InetAddress FROM INET-ADDRESS-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+ radiusAccServMIB MODULE-IDENTITY
+ LAST-UPDATED "200608210000Z" -- 21 August 2006
+ ORGANIZATION "IETF RADIUS Extensions Working Group."
+ CONTACT-INFO
+ " Bernard Aboba
+ Microsoft
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+
+
+Nelson Informational [Page 5]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Remote Authentication Dial-In User
+ Service (RADIUS) accounting protocol. Copyright (C)
+ The Internet Society (2006). This version of this
+ MIB module is part of RFC 4671; see the RFC itself
+ for full legal notices."
+ REVISION "200608210000Z" -- 21 August 2006
+ DESCRIPTION
+ "Revised version as published in RFC 4671. This
+ version obsoletes that of RFC 2621 by deprecating
+ the MIB table containing IPv4-only address formats
+ and defining a new table to add support for version-
+ neutral IP address formats. The remaining MIB objects
+ from RFC 2621 are carried forward into this version."
+ REVISION "199906110000Z" -- 11 Jun 1999
+ DESCRIPTION "Initial version as published in RFC 2621."
+ ::= { radiusAccounting 1 }
+
+ radiusMIB OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to RADIUS MIB work by the IANA."
+ ::= { mib-2 67 }
+
+ radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}
+
+ radiusAccServMIBObjects OBJECT IDENTIFIER
+ ::= { radiusAccServMIB 1 }
+
+ radiusAccServ OBJECT IDENTIFIER
+ ::= { radiusAccServMIBObjects 1 }
+
+ radiusAccServIdent OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ RADIUS accounting server software in use on the
+ system, for example, 'FNS-2.1'."
+ ::= {radiusAccServ 1}
+
+ radiusAccServUpTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+
+
+
+Nelson Informational [Page 6]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a
+ process), this value will be the time elapsed (in
+ hundredths of a second) since the server process was
+ started. For software without persistent state, this
+ value will be zero."
+ ::= {radiusAccServ 2}
+
+ radiusAccServResetTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a 'reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed (in hundredths of a second) since the
+ server was 'reset.' For software that does not
+ have persistence or does not support a 'reset'
+ operation, this value will be zero."
+ ::= {radiusAccServ 3}
+
+ radiusAccServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4)}
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistent
+ server state. When set to reset(2), any persistent
+ server state (such as a process) is reinitialized as
+ if the server had just been started. This value will
+ never be returned by a read operation. When read,
+ one of the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= {radiusAccServ 4}
+
+ radiusAccServTotalRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+
+
+
+Nelson Informational [Page 7]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ "The number of packets received on the
+ accounting port."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServ 5 }
+
+ radiusAccServTotalInvalidRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ received from unknown addresses."
+ REFERENCE "RFC 2866 sections 2, 4.1"
+ ::= { radiusAccServ 6 }
+
+ radiusAccServTotalDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccServ 7 }
+
+ radiusAccServTotalResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccServ 8 }
+
+ radiusAccServTotalMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets received. Bad authenticators or unknown
+ types are not included as malformed Access-Requests."
+ REFERENCE "RFC 2866 section 3"
+
+
+
+Nelson Informational [Page 8]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServ 9 }
+
+ radiusAccServTotalBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained an invalid authenticator."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServ 10 }
+
+ radiusAccServTotalPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets silently discarded
+ for a reason other than malformed, bad authenticators,
+ or unknown types."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccServ 11 }
+
+ radiusAccServTotalNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded."
+ ::= { radiusAccServ 12 }
+
+ radiusAccServTotalUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccServ 13 }
+
+ radiusAccClientTable OBJECT-TYPE
+
+
+
+Nelson Informational [Page 9]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ SYNTAX SEQUENCE OF RadiusAccClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ clients with which the server shares a secret."
+ ::= { radiusAccServ 14 }
+
+ radiusAccClientEntry OBJECT-TYPE
+ SYNTAX RadiusAccClientEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting client with which the server shares a
+ secret."
+ INDEX { radiusAccClientIndex }
+ ::= { radiusAccClientTable 1 }
+
+ RadiusAccClientEntry ::= SEQUENCE {
+ radiusAccClientIndex Integer32,
+ radiusAccClientAddress IpAddress,
+ radiusAccClientID SnmpAdminString,
+ radiusAccServPacketsDropped Counter32,
+ radiusAccServRequests Counter32,
+ radiusAccServDupRequests Counter32,
+ radiusAccServResponses Counter32,
+ radiusAccServBadAuthenticators Counter32,
+ radiusAccServMalformedRequests Counter32,
+ radiusAccServNoRecords Counter32,
+ radiusAccServUnknownTypes Counter32
+ }
+
+ radiusAccClientIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS accounting
+ client with which this server communicates."
+ ::= { radiusAccClientEntry 1 }
+
+ radiusAccClientAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-IP-Address of the RADIUS accounting client
+
+
+
+Nelson Informational [Page 10]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ referred to in this table entry."
+ ::= { radiusAccClientEntry 2 }
+
+ radiusAccClientID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS accounting client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAccClientEntry 3 }
+
+ -- Server Counters
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - NoRecords = entries logged
+
+ radiusAccServPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of incoming packets received
+ from this client and silently discarded
+ for a reason other than malformed, bad
+ authenticators, or unknown types."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 4 }
+
+ radiusAccServRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of packets received from this
+ client on the accounting port."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientEntry 5 }
+
+ radiusAccServDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Nelson Informational [Page 11]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received from this client."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientEntry 6 }
+
+ radiusAccServResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent to this client."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccClientEntry 7 }
+
+ radiusAccServBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained invalid authenticators received
+ from this client."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 8 }
+
+ radiusAccServMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets that were received from this client.
+ Bad authenticators and unknown types
+ are not included as malformed Accounting-Requests."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientEntry 9 }
+
+ radiusAccServNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+
+
+
+Nelson Informational [Page 12]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded."
+ ::= { radiusAccClientEntry 10 }
+
+ radiusAccServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccClientEntry 11 }
+
+
+ -- New MIB objects added in this revision
+
+ radiusAccClientExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusAccClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS accounting
+ clients with which the server shares a secret."
+ ::= { radiusAccServ 15 }
+
+ radiusAccClientExtEntry OBJECT-TYPE
+ SYNTAX RadiusAccClientExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing a RADIUS
+ accounting client with which the server shares a
+ secret."
+ INDEX { radiusAccClientExtIndex }
+ ::= { radiusAccClientExtTable 1 }
+
+ RadiusAccClientExtEntry ::= SEQUENCE {
+ radiusAccClientExtIndex Integer32,
+ radiusAccClientInetAddressType InetAddressType,
+ radiusAccClientInetAddress InetAddress,
+ radiusAccClientExtID SnmpAdminString,
+ radiusAccServExtPacketsDropped Counter32,
+
+
+
+Nelson Informational [Page 13]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccServExtRequests Counter32,
+ radiusAccServExtDupRequests Counter32,
+ radiusAccServExtResponses Counter32,
+ radiusAccServExtBadAuthenticators Counter32,
+ radiusAccServExtMalformedRequests Counter32,
+ radiusAccServExtNoRecords Counter32,
+ radiusAccServExtUnknownTypes Counter32,
+ radiusAccServerCounterDiscontinuity TimeTicks
+ }
+
+ radiusAccClientExtIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS accounting
+ client with which this server communicates."
+ ::= { radiusAccClientExtEntry 1 }
+
+ radiusAccClientInetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of address format used for the
+ radiusAccClientInetAddress object."
+ ::= { radiusAccClientExtEntry 2 }
+
+ radiusAccClientInetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the RADIUS accounting
+ client referred to in this table entry, using
+ the IPv6 address format."
+ ::= { radiusAccClientExtEntry 3 }
+
+ radiusAccClientExtID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS accounting client
+ referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE "RFC 2865 section 5.32"
+ ::= { radiusAccClientExtEntry 4 }
+
+
+
+Nelson Informational [Page 14]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ -- Server Counters
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - Responses = Pending
+ --
+ -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
+ -- UnknownTypes - PacketsDropped - NoRecords = entries logged
+
+ radiusAccServExtPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets received from this
+ client and silently discarded for a reason other
+ than malformed, bad authenticators, or unknown types.
+ This counter may experience a discontinuity when the
+ RADIUS Accounting Server module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 5 }
+
+ radiusAccServExtRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets received from this
+ client on the accounting port. This counter
+ may experience a discontinuity when the
+ RADIUS Accounting Server module within the
+ managed entity is reinitialized, as indicated by
+ the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientExtEntry 6 }
+
+ radiusAccServExtDupRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Accounting-Request
+ packets received from this client. This counter
+
+
+
+Nelson Informational [Page 15]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ may experience a discontinuity when the RADIUS
+ Accounting Server module within the managed
+ entity is reinitialized, as indicated by the
+ current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.1"
+ ::= { radiusAccClientExtEntry 7 }
+
+ radiusAccServExtResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Response packets
+ sent to this client. This counter may experience
+ a discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4.2"
+ ::= { radiusAccClientExtEntry 8 }
+
+ radiusAccServExtBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that contained invalid authenticators received
+ from this client. This counter may experience a
+ discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 9 }
+
+ radiusAccServExtMalformedRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Accounting-Request
+ packets that were received from this client.
+ Bad authenticators and unknown types are not
+
+
+
+Nelson Informational [Page 16]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ included as malformed Accounting-Requests. This
+ counter may experience a discontinuity when the
+ RADIUS Accounting Server module within the managed
+ entity is reinitialized, as indicated by the current
+ value of radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 3"
+ ::= { radiusAccClientExtEntry 10 }
+
+ radiusAccServExtNoRecords OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Accounting-Request packets
+ that were received and responded to but not
+ recorded. This counter may experience a
+ discontinuity when the RADIUS Accounting Server
+ module within the managed entity is reinitialized,
+ as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ ::= { radiusAccClientExtEntry 11 }
+
+ radiusAccServExtUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS packets of unknown type that
+ were received from this client. This counter may
+ experience a discontinuity when the RADIUS Accounting
+ Server module within the managed entity is
+ reinitialized, as indicated by the current value of
+ radiusAccServerCounterDiscontinuity."
+ REFERENCE "RFC 2866 section 4"
+ ::= { radiusAccClientExtEntry 12 }
+
+ radiusAccServerCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centiseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centiseconds since the last
+ discontinuity in the RADIUS Accounting Server
+ counters. A discontinuity may be the result of
+ a reinitialization of the RADIUS Accounting Server
+
+
+
+Nelson Informational [Page 17]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ module within the managed entity."
+ ::= { radiusAccClientExtEntry 13 }
+
+
+ -- conformance information
+
+ radiusAccServMIBConformance OBJECT IDENTIFIER
+ ::= { radiusAccServMIB 2 }
+
+ radiusAccServMIBCompliances OBJECT IDENTIFIER
+ ::= { radiusAccServMIBConformance 1 }
+
+ radiusAccServMIBGroups OBJECT IDENTIFIER
+ ::= { radiusAccServMIBConformance 2 }
+
+
+ -- compliance statements
+
+ radiusAccServMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for accounting servers
+ implementing the RADIUS Accounting Server MIB.
+ Implementation of this module is for IPv4-only
+ entities, or for backwards compatibility use with
+ entities that support both IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccServMIBGroup }
+
+ OBJECT radiusAccServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ ::= { radiusAccServMIBCompliances 1 }
+
+ radiusAccServExtMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for accounting
+ servers implementing the RADIUS Accounting
+ Server IPv6 Extensions MIB. Implementation of
+ this module is for entities that support IPv6,
+ or support IPv4 and IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusAccServExtMIBGroup }
+
+ OBJECT radiusAccServConfigReset
+ WRITE-SYNTAX INTEGER { reset(2) }
+
+
+
+Nelson Informational [Page 18]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ DESCRIPTION "The only SETable value is 'reset' (2)."
+
+ OBJECT radiusAccClientInetAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ OBJECT radiusAccClientInetAddress
+ SYNTAX InetAddress ( SIZE (4|16) )
+ DESCRIPTION
+ "An implementation is only required to support
+ IPv4 and globally unique IPv6 addresses."
+
+ ::= { radiusAccServMIBCompliances 2 }
+
+
+ -- units of conformance
+
+ radiusAccServMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAccServIdent,
+ radiusAccServUpTime,
+ radiusAccServResetTime,
+ radiusAccServConfigReset,
+ radiusAccServTotalRequests,
+ radiusAccServTotalInvalidRequests,
+ radiusAccServTotalDupRequests,
+ radiusAccServTotalResponses,
+ radiusAccServTotalMalformedRequests,
+ radiusAccServTotalBadAuthenticators,
+ radiusAccServTotalPacketsDropped,
+ radiusAccServTotalNoRecords,
+ radiusAccServTotalUnknownTypes,
+ radiusAccClientAddress,
+ radiusAccClientID,
+ radiusAccServPacketsDropped,
+ radiusAccServRequests,
+ radiusAccServDupRequests,
+ radiusAccServResponses,
+ radiusAccServBadAuthenticators,
+ radiusAccServMalformedRequests,
+ radiusAccServNoRecords,
+ radiusAccServUnknownTypes
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Accounting Server."
+
+
+
+Nelson Informational [Page 19]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ ::= { radiusAccServMIBGroups 1 }
+
+ radiusAccServExtMIBGroup OBJECT-GROUP
+ OBJECTS {radiusAccServIdent,
+ radiusAccServUpTime,
+ radiusAccServResetTime,
+ radiusAccServConfigReset,
+ radiusAccServTotalRequests,
+ radiusAccServTotalInvalidRequests,
+ radiusAccServTotalDupRequests,
+ radiusAccServTotalResponses,
+ radiusAccServTotalMalformedRequests,
+ radiusAccServTotalBadAuthenticators,
+ radiusAccServTotalPacketsDropped,
+ radiusAccServTotalNoRecords,
+ radiusAccServTotalUnknownTypes,
+ radiusAccClientInetAddressType,
+ radiusAccClientInetAddress,
+ radiusAccClientExtID,
+ radiusAccServExtPacketsDropped,
+ radiusAccServExtRequests,
+ radiusAccServExtDupRequests,
+ radiusAccServExtResponses,
+ radiusAccServExtBadAuthenticators,
+ radiusAccServExtMalformedRequests,
+ radiusAccServExtNoRecords,
+ radiusAccServExtUnknownTypes,
+ radiusAccServerCounterDiscontinuity
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Accounting Server."
+ ::= { radiusAccServMIBGroups 2 }
+
+ END
+
+8. Security Considerations
+
+ There are management objects (radiusAccServConfigReset) defined in
+ this MIB that have a MAX-ACCESS clause of read-write and/or read-
+ create. Such objects may be considered sensitive or vulnerable in
+ some network environments. The support for SET operations in a non-
+ secure environment without proper protection can have a negative
+ effect on network operations. These are:
+
+
+
+
+
+
+Nelson Informational [Page 20]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+ radiusAccServConfigReset
+ This object can be used to reinitialize the persistent state of
+ any server. When set to reset(2), any persistent server state
+ (such as a process) is reinitialized as if the server had just
+ been started. Depending on the server implementation details,
+ this action may or may not interrupt the processing of pending
+ request in the server. Abuse of this object may lead to a Denial
+ of Service attack on the server.
+
+ There are a number of managed objects in this MIB that may contain
+ sensitive information. These are:
+
+ radiusAccClientIPAddress
+ This can be used to determine the address of the RADIUS accounting
+ client with which the server is communicating. This information
+ could be useful in mounting an attack on the accounting client.
+
+ radiusAccClientInetAddress
+ This can be used to determine the address of the RADIUS accounting
+ client with which the server is communicating. This information
+ could be useful in mounting an attack on the accounting client.
+
+ It is thus important to control even GET access to these objects and
+ possibly to even encrypt the values of these object when sending them
+ over the network via SNMP. Not all versions of SNMP provide features
+ for such a secure environment.
+
+ SNMP versions prior to SNMPv3 do not provide a secure environment.
+ Even if the network itself is secure (for example by using IPsec),
+ there is no control as to who on the secure network is allowed to
+ access and GET/SET (read/change/create/delete) the objects in this
+ MIB.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+
+
+Nelson Informational [Page 21]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Structure of Management Information
+ Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
+ Schoenwaelder, Ed., "Textual Conventions for SMIv2",
+ STD 58, RFC 2579, April 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+9.2. Informative References
+
+ [RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
+ RFC 2621, June 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC
+ 4670, August 2006.
+
+
+
+
+
+
+Nelson Informational [Page 22]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Appendix A. Acknowledgements
+
+ The authors of the original MIB are Bernard Aboba and Glen Zorn.
+
+ Many thanks to all reviewers, especially to Dave Harrington, Dan
+ Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
+
+Author's Address
+
+ David B. Nelson
+ Enterasys Networks
+ 50 Minuteman Road
+ Andover, MA 01810
+ USA
+
+ EMail: dnelson@enterasys.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nelson Informational [Page 23]
+\f
+RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Nelson Informational [Page 24]
+\f
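Review bot: Section 8 of the RFC 4671 text lists radiusAccClientIPAddress as a sensitive object, but the module in section 7 defines no object of that name; the deprecated table's address column is radiusAccClientAddress ({ radiusAccClientEntry 2 }). Anyone deriving SNMP view restrictions from the section 8 list could miss the IPv4 address column, so the name should be corrected, or, if this file must stay a verbatim copy of the RFC, the mismatch should be recorded in a note beside it. Two DESCRIPTION clauses in the same module have similar slips: radiusAccClientInetAddress says "using the IPv6 address format" although the compliance statement allows ipv4(1) and ipv6(2) with SIZE (4|16), and radiusAccServTotalMalformedRequests says "malformed Access-Requests" where the per-client objects say "Accounting-Requests".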
--- /dev/null
+
+
+
+
+
+
+Network Working Group S. De Cnodder
+Request for Comments: 4672 Alcatel
+Category: Informational N. Jonnala
+ M. Chiba
+ Cisco Systems, Inc.
+ September 2006
+
+
+ RADIUS Dynamic Authorization Client MIB
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes the Remote Authentication Dial-In User
+ Service (RADIUS) (RFC2865) Dynamic Authorization Client (DAC)
+ functions that support the dynamic authorization extensions as
+ defined in RFC 3576.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 1.1. Requirements Notation ......................................2
+ 1.2. Terminology ................................................2
+ 2. The Internet-Standard Management Framework ......................3
+ 3. Overview ........................................................3
+ 4. RADIUS Dynamic Authorization Client MIB Definitions .............3
+ 5. Security Considerations ........................................19
+ 6. IANA Considerations ............................................20
+ 7. Acknowledgements ...............................................20
+ 8. References .....................................................21
+ 8.1. Normative References ......................................21
+ 8.2. Informative References ....................................21
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 1]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes the Remote Authentication Dial-In User
+ Service (RADIUS) [RFC2865] Dynamic Authorization Client (DAC)
+ functions that support the dynamic authorization extensions as
+ defined in RFC 3576.
+
+ It is becoming increasingly important to support Dynamic
+ Authorization extensions on the network access server (NAS) devices
+ to handle the Disconnect and Change-of-Authorization (CoA) messages,
+ as described in [RFC3576]. As a result, the effective management of
+ RADIUS Dynamic Authorization entities is of considerable importance.
+ This RADIUS Dynamic Authorization Client MIB complements the managed
+ objects used for managing RADIUS authentication and accounting
+ servers, as described in [RFC4669] and [RFC4671], respectively.
+
+1.1. Requirements Notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Terminology
+
+ Dynamic Authorization Server (DAS)
+
+ The component that resides on the NAS that processes the Disconnect
+ and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
+ the Dynamic Authorization Client.
+
+ Dynamic Authorization Client (DAC)
+
+ The component that sends Disconnect and CoA-Request packets to the
+ Dynamic Authorization Server. Although this component often resides
+ on the RADIUS server, it is also possible for this component to be
+ located on a separate host, such as a Rating Engine.
+
+ Dynamic Authorization Server Port
+
+ The UDP port on which the Dynamic Authorization Server listens for
+ the Disconnect and CoA requests sent by the Dynamic Authorization
+ Client.
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 2]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+2. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
+ [RFC2580].
+
+3. Overview
+
+ "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
+ operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
+ CoA-Request, CoA-ACK, and CoA-NAK packets. [RFC4673] defines the
+ Dynamic Authorization Server MIB and the relationship with other MIB
+ modules. This MIB module for the Dynamic Authorization Client
+ contains the following:
+
+ 1. Two scalar objects
+
+ 2. One Dynamic Authorization Server table. This table contains one
+ row for each DAS with which the DAC shares a secret.
+
+4. RADIUS Dynamic Authorization Client MIB Definitions
+
+ RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Counter32, Gauge32, Integer32,
+ mib-2, TimeTicks FROM SNMPv2-SMI -- [RFC2578]
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
+ InetAddressType, InetAddress,
+ InetPortNumber FROM INET-ADDRESS-MIB -- [RFC4001]
+ MODULE-COMPLIANCE,
+ OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580]
+
+ radiusDynAuthClientMIB MODULE-IDENTITY
+ LAST-UPDATED "200608290000Z" -- 29 August 2006
+ ORGANIZATION "IETF RADEXT Working Group"
+ CONTACT-INFO
+ " Stefaan De Cnodder
+
+
+
+De Cnodder, et al. Informational [Page 3]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing,
+ O'Shaugnessy Road,
+ Bangalore-560027, India.
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com "
+ DESCRIPTION
+ "The MIB module for entities implementing the client
+ side of the Dynamic Authorization Extensions to the
+ Remote Authentication Dial-In User Service (RADIUS)
+ protocol. Copyright (C) The Internet Society (2006).
+ Initial version as published in RFC 4672;
+ for full legal notices see the RFC itself."
+
+ REVISION "200609290000Z" -- 29 August 2006
+ DESCRIPTION "Initial version as published in RFC 4672"
+ ::= { mib-2 145 }
+
+ radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
+ { radiusDynAuthClientMIB 1 }
+
+ radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
+ { radiusDynAuthClientMIBObjects 1 }
+
+ radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Disconnect-Ack and Disconnect-NAK packets
+
+
+
+De Cnodder, et al. Informational [Page 4]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ received from unknown addresses. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ ::= { radiusDynAuthClientScalars 1 }
+
+ radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of CoA-Ack and CoA-NAK packets received from
+ unknown addresses. Disconnect-NAK packets received
+ from unknown addresses. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ ::= { radiusDynAuthClientScalars 2 }
+
+ radiusDynAuthServerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS Dynamic
+ Authorization Servers with which the client shares a
+ secret."
+ ::= { radiusDynAuthClientMIBObjects 2 }
+
+ radiusDynAuthServerEntry OBJECT-TYPE
+ SYNTAX RadiusDynAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing one Dynamic
+ Authorization Server with which the client shares a
+ secret."
+ INDEX { radiusDynAuthServerIndex }
+ ::= { radiusDynAuthServerTable 1 }
+
+ RadiusDynAuthServerEntry ::= SEQUENCE {
+ radiusDynAuthServerIndex Integer32,
+ radiusDynAuthServerAddressType InetAddressType,
+ radiusDynAuthServerAddress InetAddress,
+ radiusDynAuthServerClientPortNumber InetPortNumber,
+ radiusDynAuthServerID SnmpAdminString,
+ radiusDynAuthClientRoundTripTime TimeTicks,
+ radiusDynAuthClientDisconRequests Counter32,
+
+
+
+De Cnodder, et al. Informational [Page 5]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthClientDisconAuthOnlyRequests Counter32,
+ radiusDynAuthClientDisconRetransmissions Counter32,
+ radiusDynAuthClientDisconAcks Counter32,
+ radiusDynAuthClientDisconNaks Counter32,
+ radiusDynAuthClientDisconNakAuthOnlyRequest Counter32,
+ radiusDynAuthClientDisconNakSessNoContext Counter32,
+ radiusDynAuthClientMalformedDisconResponses Counter32,
+ radiusDynAuthClientDisconBadAuthenticators Counter32,
+ radiusDynAuthClientDisconPendingRequests Gauge32,
+ radiusDynAuthClientDisconTimeouts Counter32,
+ radiusDynAuthClientDisconPacketsDropped Counter32,
+ radiusDynAuthClientCoARequests Counter32,
+ radiusDynAuthClientCoAAuthOnlyRequest Counter32,
+ radiusDynAuthClientCoARetransmissions Counter32,
+ radiusDynAuthClientCoAAcks Counter32,
+ radiusDynAuthClientCoANaks Counter32,
+ radiusDynAuthClientCoANakAuthOnlyRequest Counter32,
+ radiusDynAuthClientCoANakSessNoContext Counter32,
+ radiusDynAuthClientMalformedCoAResponses Counter32,
+ radiusDynAuthClientCoABadAuthenticators Counter32,
+ radiusDynAuthClientCoAPendingRequests Gauge32,
+ radiusDynAuthClientCoATimeouts Counter32,
+ radiusDynAuthClientCoAPacketsDropped Counter32,
+ radiusDynAuthClientUnknownTypes Counter32,
+ radiusDynAuthClientCounterDiscontinuity TimeTicks
+ }
+
+
+ radiusDynAuthServerIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS Dynamic
+ Authorization Server with which this Dynamic
+ Authorization Client communicates. This number is
+ allocated by the agent implementing this MIB module
+ and is unique in this context."
+ ::= { radiusDynAuthServerEntry 1 }
+
+ radiusDynAuthServerAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of IP address of the RADIUS Dynamic
+ Authorization Server referred to in this table entry."
+ ::= { radiusDynAuthServerEntry 2 }
+
+
+
+De Cnodder, et al. Informational [Page 6]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthServerAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address value of the RADIUS Dynamic
+ Authorization Server referred to in this table entry
+ using the version neutral IP address format. The type
+ of this address is determined by the value of the
+ radiusDynAuthServerAddressType object."
+ ::= { radiusDynAuthServerEntry 3 }
+
+ radiusDynAuthServerClientPortNumber OBJECT-TYPE
+ SYNTAX InetPortNumber (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The UDP destination port that the RADIUS Dynamic
+ Authorization Client is using to send requests to this
+ server. The value zero is invalid."
+ ::= { radiusDynAuthServerEntry 4 }
+
+
+ radiusDynAuthServerID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS Dynamic Authorization
+ Server referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE
+ "RFC 2865, Section 5.32, NAS-Identifier."
+ ::= { radiusDynAuthServerEntry 5 }
+
+ radiusDynAuthClientRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "hundredths of a second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time interval (in hundredths of a second) between
+ the most recent Disconnect or CoA request and the
+ receipt of the corresponding Disconnect or CoA reply.
+ A value of zero is returned if no reply has been
+ received yet from this server."
+ ::= { radiusDynAuthServerEntry 6 }
+
+
+
+
+De Cnodder, et al. Informational [Page 7]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthClientDisconRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests sent
+ to this Dynamic Authorization Server. This also
+ includes the RADIUS Disconnect-Requests that have a
+ Service-Type attribute with value 'Authorize Only'.
+ Disconnect-NAK packets received from unknown addresses.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 7 }
+
+ radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests that include a
+ Service-Type attribute with value 'Authorize Only'
+ sent to this Dynamic Authorization Server.
+ Disconnect-NAK packets received from unknown addresses.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 8 }
+
+ radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "retransmissions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-request packets
+ retransmitted to this RADIUS Dynamic Authorization
+ Server. Disconnect-NAK packets received from unknown
+ addresses. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+
+
+
+De Cnodder, et al. Informational [Page 8]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 9 }
+
+ radiusDynAuthClientDisconAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-ACK packets
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 10 }
+
+ radiusDynAuthClientDisconNaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ received from this Dynamic Authorization Server.
+ This includes the RADIUS Disconnect-NAK packets
+ received with a Service-Type attribute with value
+ 'Authorize Only' and the RADIUS Disconnect-NAK
+ packets received if no session context was found. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 11 }
+
+ radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ that include a Service-Type attribute with value
+ 'Authorize Only' received from this Dynamic
+ Authorization Server. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+
+
+
+De Cnodder, et al. Informational [Page 9]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 12 }
+
+ radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ received from this Dynamic Authorization Server
+ because no session context was found; i.e., it
+ includes an Error-Cause attribute with value 503
+ ('Session Context Not Found'). This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 13 }
+
+ radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Disconnect-Ack and
+ Disconnect-NAK packets received from this Dynamic
+ Authorization Server. Bad authenticators and unknown
+ types are not included as malformed Disconnect-Ack and
+ Disconnect-NAK packets. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 14 }
+
+ radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 10]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Ack and Disconnect-NAK
+ packets that contained invalid Authenticator field
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 15 }
+
+ radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-request packets
+ destined for this server that have not yet timed out
+ or received a response. This variable is incremented
+ when an Disconnect-Request is sent and decremented
+ due to receipt of a Disconnect-Ack, a Disconnect-NAK,
+ a timeout, or a retransmission."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 16 }
+
+ radiusDynAuthClientDisconTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Disconnect request timeouts to this
+ server. After a timeout, the client may retry to the
+ same server or give up. A retry to the same server is
+ counted as a retransmit and as a timeout. A send
+ to a different server is counted as a
+ Disconnect-Request and as a timeout. This counter
+ may experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 17 }
+
+ radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
+
+
+
+De Cnodder, et al. Informational [Page 11]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming Disconnect-Ack and
+ Disconnect-NAK packets from this Dynamic Authorization
+ Server silently discarded by the client application for
+ some reason other than malformed, bad authenticators,
+ or unknown types. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 18 }
+
+ radiusDynAuthClientCoARequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-Requests sent to this
+ Dynamic Authorization Server. This also includes
+ CoA requests that have a Service-Type attribute
+ with value 'Authorize Only'. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 19 }
+
+ radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-requests that include a
+ Service-Type attribute with value 'Authorize Only'
+ sent to this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 12]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 20 }
+
+ radiusDynAuthClientCoARetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "retransmissions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-request packets
+ retransmitted to this RADIUS Dynamic Authorization
+ Server. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 21 }
+
+ radiusDynAuthClientCoAAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-ACK packets received from
+ this Dynamic Authorization Server. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 22 }
+
+ radiusDynAuthClientCoANaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets received from
+ this Dynamic Authorization Server. This includes the
+ RADIUS CoA-NAK packets received with a Service-Type
+ attribute with value 'Authorize Only' and the RADIUS
+ CoA-NAK packets received because no session context
+
+
+
+De Cnodder, et al. Informational [Page 13]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ was found. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 23 }
+
+ radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets that include a
+ Service-Type attribute with value 'Authorize Only'
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 24 }
+
+ radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets received from
+ this Dynamic Authorization Server because no session
+ context was found; i.e., it includes an Error-Cause
+ attribute with value 503 ('Session Context Not Found').
+ This counter may experience a discontinuity when the
+ DAC module (re)starts as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 25 }
+
+ radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 14]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The number of malformed RADIUS CoA-Ack and CoA-NAK
+ packets received from this Dynamic Authorization
+ Server. Bad authenticators and unknown types are
+ not included as malformed CoA-Ack and CoA-NAK packets.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 26 }
+
+ radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-Ack and CoA-NAK packets
+ that contained invalid Authenticator field
+ received from this Dynamic Authorization Server.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 27 }
+
+ radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-request packets destined for
+ this server that have not yet timed out or received a
+ response. This variable is incremented when an
+ CoA-Request is sent and decremented due to receipt of
+ a CoA-Ack, a CoA-NAK, or a timeout, or a
+ retransmission."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 28 }
+
+ radiusDynAuthClientCoATimeouts OBJECT-TYPE
+
+
+
+De Cnodder, et al. Informational [Page 15]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of CoA request timeouts to this server.
+ After a timeout, the client may retry to the same
+ server or give up. A retry to the same server is
+ counted as a retransmit and as a timeout. A send to
+ a different server is counted as a CoA-Request and
+ as a timeout. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 29 }
+
+ radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming CoA-Ack and CoA-NAK from this
+ Dynamic Authorization Server silently discarded by the
+ client application for some reason other than
+ malformed, bad authenticators, or unknown types. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 30 }
+
+ radiusDynAuthClientUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets of unknown types
+ that were received on the Dynamic Authorization port.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 16]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 31 }
+
+ radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "hundredths of a second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time (in hundredths of a second) since the
+ last counter discontinuity. A discontinuity may
+ be the result of a reinitialization of the DAC
+ module within the managed entity."
+ ::= { radiusDynAuthServerEntry 32 }
+
+
+ -- conformance information
+
+ radiusDynAuthClientMIBConformance
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
+ radiusDynAuthClientMIBCompliances
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
+ radiusDynAuthClientMIBGroups
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }
+ -- compliance statements
+
+ radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities implementing
+ the RADIUS Dynamic Authorization Client.
+ Implementation of this module is for entities that
+ support IPv4 and/or IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }
+
+ OBJECT radiusDynAuthServerAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+ OBJECT radiusDynAuthServerAddress
+ SYNTAX InetAddress (SIZE(4|16))
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+
+
+De Cnodder, et al. Informational [Page 17]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ GROUP radiusDynAuthClientAuthOnlyGroup
+ DESCRIPTION
+ "Only required for Dynamic Authorization Clients that
+ are supporting Service-Type attributes with value
+ 'Authorize-Only'."
+
+
+ GROUP radiusDynAuthClientNoSessGroup
+ DESCRIPTION
+ "This group is not required if the Dynamic
+ Authorization Server cannot easily determine whether
+ a session exists (e.g., in case of a RADIUS
+ proxy)."
+
+ ::= { radiusDynAuthClientMIBCompliances 1 }
+
+ -- units of conformance
+
+ radiusDynAuthClientMIBGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
+ radiusDynAuthClientCoAInvalidServerAddresses,
+ radiusDynAuthServerAddressType,
+ radiusDynAuthServerAddress,
+ radiusDynAuthServerClientPortNumber,
+ radiusDynAuthServerID,
+ radiusDynAuthClientRoundTripTime,
+ radiusDynAuthClientDisconRequests,
+ radiusDynAuthClientDisconRetransmissions,
+ radiusDynAuthClientDisconAcks,
+ radiusDynAuthClientDisconNaks,
+ radiusDynAuthClientMalformedDisconResponses,
+ radiusDynAuthClientDisconBadAuthenticators,
+ radiusDynAuthClientDisconPendingRequests,
+ radiusDynAuthClientDisconTimeouts,
+ radiusDynAuthClientDisconPacketsDropped,
+ radiusDynAuthClientCoARequests,
+ radiusDynAuthClientCoARetransmissions,
+ radiusDynAuthClientCoAAcks,
+ radiusDynAuthClientCoANaks,
+ radiusDynAuthClientMalformedCoAResponses,
+ radiusDynAuthClientCoABadAuthenticators,
+ radiusDynAuthClientCoAPendingRequests,
+ radiusDynAuthClientCoATimeouts,
+ radiusDynAuthClientCoAPacketsDropped,
+ radiusDynAuthClientUnknownTypes,
+ radiusDynAuthClientCounterDiscontinuity
+ }
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 18]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Dynamic Authorization Client."
+ ::= { radiusDynAuthClientMIBGroups 1 }
+
+ radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
+ radiusDynAuthClientDisconNakAuthOnlyRequest,
+ radiusDynAuthClientCoAAuthOnlyRequest,
+ radiusDynAuthClientCoANakAuthOnlyRequest
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages including Service-Type attribute with
+ value 'Authorize Only'."
+ ::= { radiusDynAuthClientMIBGroups 2 }
+
+ radiusDynAuthClientNoSessGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
+ radiusDynAuthClientCoANakSessNoContext
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages that are referring to non-existing sessions."
+ ::= { radiusDynAuthClientMIBGroups 3 }
+
+
+
+ END
+
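Review bot: In the MODULE-IDENTITY of RADIUS-DYNAUTH-CLIENT-MIB, the REVISION timestamp "200609290000Z" disagrees with both its own comment ("29 August 2006") and LAST-UPDATED "200608290000Z". The latest REVISION should carry the same timestamp as LAST-UPDATED, so if this file is meant to be fed to MIB tooling rather than kept as a verbatim copy of the RFC, change the REVISION to "200608290000Z"; MIB checkers that compare the two will otherwise flag it. Several DESCRIPTION clauses also need a second look before anyone builds monitoring on them. The fragment "Disconnect-NAK packets received from unknown addresses." appears to be pasted by mistake into radiusDynAuthClientCoAInvalidServerAddresses, radiusDynAuthClientDisconRequests, radiusDynAuthClientDisconAuthOnlyRequests and radiusDynAuthClientDisconRetransmissions. radiusDynAuthClientCoAAuthOnlyRequest says the requests are "sent to this Dynamic Authorization Client" although every other column in the row counts traffic to or from the server. radiusDynAuthServerClientPortNumber states "The value zero is invalid" while its SYNTAX (1..65535) already excludes zero. Finally, the page footers, form feeds and running headers fall inside the module text, including inside the CONTACT-INFO string, so the module cannot be extracted from this file without stripping them first; consider adding the bare MIB module as a separate file or documenting the extraction step.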
+5. Security Considerations
+
+ There are no management objects defined in this MIB module that have
+ a MAX-ACCESS clause of read-write and/or read-create. So, if this
+ MIB module is implemented correctly, then there is no risk that an
+ intruder can alter or create any management objects of this MIB
+ module via direct SNMP SET operations.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+
+
+
+De Cnodder, et al. Informational [Page 19]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthServerAddress and radiusDynAuthServerAddressType
+
+ These can be used to determine the address of the DAS with which
+ the DAC is communicating. This information could be useful in
+ mounting an attack on the DAS.
+
+ radiusDynAuthServerID
+
+ This can be used to determine the Identifier of the DAS. This
+ information could be useful in impersonating the DAS.
+
+ radiusDynAuthServerClientPortNumber
+
+ This can be used to determine the destination port number to which
+ the DAC is sending. This information could be useful in mounting
+ an attack on the DAS.
+
+ SNMP versions prior to SNMPv3 did not include adequate security.
+ Even if the network itself is secure (for example by using IPsec),
+ even then, there is no control as to who on the secure network is
+ allowed to access and GET/SET (read/change/create/delete) the objects
+ in this MIB module.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+6. IANA Considerations
+
+ The IANA has assigned OID number 145 under mib-2.
+
+7. Acknowledgements
+
+ The authors would also like to acknowledge the following people for
+ their comments on this document: Bernard Aboba, Alan DeKok, David
+ Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
+ Weber, Bert Wijnen, and Glen Zorn.
+
+
+
+
+
+De Cnodder, et al. Informational [Page 20]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Structure of Management Information Version 2 (SMIv2)",
+ STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Textual Conventions for SMIv2", STD 58, RFC 2579, April
+ 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
+ Aboba, "Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)", RFC 3576,
+ July 2003.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+8.2. Informative References
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)", RFC
+ 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
+ RFC 4669, August 2006.
+
+ [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
+ 4671, August 2006.
+
+
+
+De Cnodder, et al. Informational [Page 21]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
+ Authorization Server MIB", RFC 4673, September 2006.
+
+Authors' Addresses
+
+ Stefaan De Cnodder
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing, O'Shaugnessy Road
+ Bangalore-560027, India
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 22]
+\f
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 23]
+\f
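Review bot: the MIB module in this file cannot be loaded by a MIB compiler as committed, because the RFC pagination is left inside the module body. The page footer "De Cnodder, et al. Informational [Page 18]", the form feed and the running header "RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006" fall in the middle of the definition that closes with "::= { radiusDynAuthClientMIBGroups 1 }", ahead of the module's END. If the file is meant for SNMP tooling, commit the extracted module text (up to and including END, with the page breaks removed) as its own file; if it is reference text only, say so in the commit message. The Security Considerations section after END names radiusDynAuthServerAddress, radiusDynAuthServerAddressType, radiusDynAuthServerID and radiusDynAuthServerClientPortNumber as objects whose GET and NOTIFY access should be controlled, so any agent view or access configuration added alongside this MIB should be checked against that list.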
--- /dev/null
+
+
+
+
+
+
+Network Working Group S. De Cnodder
+Request for Comments: 4673 Alcatel
+Category: Informational N. Jonnala
+ M. Chiba
+ Cisco Systems, Inc.
+ September 2006
+
+
+ RADIUS Dynamic Authorization Server MIB
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes the Remote Authentication Dial-In User
+ Service (RADIUS) (RFC 2865) Dynamic Authorization Server (DAS)
+ functions that support the dynamic authorization extensions as
+ defined in RFC 3576.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 1.1. Requirements Notation ......................................2
+ 1.2. Terminology ................................................2
+ 2. The Internet-Standard Management Framework ......................2
+ 3. Overview ........................................................3
+ 4. RADIUS Dynamic Authorization Server MIB Definitions .............5
+ 5. Security Considerations ........................................20
+ 6. IANA Considerations ............................................21
+ 7. Acknowledgements ...............................................21
+ 8. References .....................................................21
+ 8.1. Normative References ......................................21
+ 8.2. Informative References ....................................22
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 1]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ It is becoming increasingly important to support Dynamic
+ Authorization extensions on the network access server (NAS) devices
+ to handle the Disconnect and Change-of-Authorization (CoA) messages
+ as described in [RFC3576]. As a result, the effective management of
+ RADIUS Dynamic Authorization entities is of considerable importance.
+ This RADIUS Dynamic Authorization Server (DAS) MIB complements the
+ managed objects used for managing RADIUS authentication and
+ accounting clients as described in [RFC4668] and [RFC4670],
+ respectively.
+
+1.1. Requirements Notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Terminology
+
+ Dynamic Authorization Server (DAS)
+
+ The component that resides on the NAS that processes the Disconnect
+ and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
+ the Dynamic Authorization Client.
+
+ Dynamic Authorization Client (DAC)
+
+ The component that sends Disconnect and CoA-Request packets to the
+ Dynamic Authorization Server. Although this component often resides
+ on the RADIUS server, it is also possible for it to be located on a
+ separate host, such as a Rating Engine.
+
+ Dynamic Authorization Server Port
+
+ The UDP port on which the Dynamic Authorization Server listens for
+ the Disconnect and CoA requests sent by the Dynamic Authorization
+ Client.
+
+2. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ [RFC3410].
+
+
+
+
+
+De Cnodder, et al. Informational [Page 2]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base, or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
+ [RFC2580].
+
+3. Overview
+
+ "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
+ operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
+ CoA-Request, CoA-ACK, and CoA-NAK packets. Typically, NAS devices
+ implement the DAS function, and thus would be expected to implement
+ the RADIUS Dynamic Authorization Server MIB, whereas DACs implement
+ the client function and thus would be expected to implement the
+ RADIUS Dynamic Authorization Client MIB.
+
+ However, it is possible for a RADIUS Dynamic Authorization entity to
+ perform both client and server functions. For example, a RADIUS
+ proxy may act as a DAS to one or more DACs while simultaneously
+ acting as a DAC to one or more DASs. In such situations, it is
+ expected that RADIUS entities combining client and server
+ functionality will support both the client and server MIBs.
+
+ This memo describes the MIB for Dynamic Authorization Servers and
+ relates to the following documents as follows:
+
+ [RFC4668] describes the MIB for a RADIUS Auth Client MIB.
+
+ [RFC4669] describes the MIB for a RADIUS Auth Server MIB.
+
+ [RFC4670] describes the MIB for a RADIUS Acct Client MIB.
+
+ [RFC4671] describes the MIB for a RADIUS Acct Server MIB.
+
+ [RFC4672] describes the MIB for a RADIUS Dynamic Auth Client.
+
+ A NAS typically implements the MIBs for a RADIUS Authentication
+ Client, a RADIUS accounting client, and a RADIUS Dynamic
+ Authorization Server. However, any one MIB can be implemented
+ without implementing any of the other MIBs; i.e., the MIBs have no
+ dependencies on each other. A typical case would be for a device to
+ implement the MIBs RADIUS authentication server, RADIUS accounting
+ server, and RADIUS Dynamic Authorization Client. A RADIUS proxy
+ might implement any, all, or a subset of the MIBs listed above and
+ the MIB as defined in this document.
+
+
+
+De Cnodder, et al. Informational [Page 3]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ +---------------+ +---------------+
+ User 1----| | Disconnect-Request | |
+ | Dynamic | CoA-Request | Dynamic |
+ User 2----| Authorization |<---------------------| Authorization |
+ | Server |--------------------->| Client |
+ User 3----| (DAS) | Disconnect-Ack | (DAC) |
+ | | Disconnect-NAK | |
+ +---------------+ CoA-Ack/CoA-NAK +---------------+
+
+ Figure 1. Mapping of clients and servers
+
+ This MIB module for the Dynamic Authorization Server contains the
+ following:
+
+ 1. Three scalar objects.
+
+ 2. One Dynamic Authorization Client Table. This table contains one
+ row for each DAC with which the DAS shares a secret.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 4]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+4. RADIUS Dynamic Authorization Server MIB Definitions
+
+RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Counter32, Integer32, mib-2,
+ TimeTicks FROM SNMPv2-SMI -- [RFC2578]
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
+ InetAddressType,
+ InetAddress FROM INET-ADDRESS-MIB -- [RFC4001]
+ MODULE-COMPLIANCE,
+ OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580]
+
+radiusDynAuthServerMIB MODULE-IDENTITY
+ LAST-UPDATED "200608290000Z" -- 29 August 2006
+ ORGANIZATION "IETF RADEXT Working Group"
+ CONTACT-INFO
+ " Stefaan De Cnodder
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing,
+ O'Shaugnessy Road,
+ Bangalore-560027, India.
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com "
+ DESCRIPTION
+ "The MIB module for entities implementing the server
+ side of the Dynamic Authorization Extensions to the
+ Remote Authentication Dial-In User Service (RADIUS)
+ protocol. Copyright (C) The Internet Society (2006).
+
+
+
+De Cnodder, et al. Informational [Page 5]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ Initial version as published in RFC 4673; for full
+ legal notices see the RFC itself."
+
+ REVISION "200608290000Z" -- 29 August 2006
+ DESCRIPTION "Initial version as published in RFC 4673."
+ ::= { mib-2 146 }
+
+radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
+ { radiusDynAuthServerMIB 1 }
+
+radiusDynAuthServerScalars OBJECT IDENTIFIER ::=
+ { radiusDynAuthServerMIBObjects 1 }
+
+radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Disconnect-Request packets received from
+ unknown addresses. This counter may experience a
+ discontinuity when the DAS module (re)starts, as
+ indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ ::= { radiusDynAuthServerScalars 1 }
+
+radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of CoA-Request packets received from unknown
+ addresses. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ ::= { radiusDynAuthServerScalars 2 }
+
+radiusDynAuthServerIdentifier OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS Dynamic Authorization
+ Server. This is not necessarily the same as sysName in
+ MIB II."
+ REFERENCE
+ "RFC 2865, Section 5.32, NAS-Identifier."
+ ::= { radiusDynAuthServerScalars 3 }
+
+
+
+
+De Cnodder, et al. Informational [Page 6]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+radiusDynAuthClientTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusDynAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS Dynamic
+ Authorization Clients with which the server shares a
+ secret."
+ ::= { radiusDynAuthServerMIBObjects 2 }
+
+radiusDynAuthClientEntry OBJECT-TYPE
+ SYNTAX RadiusDynAuthClientEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing one Dynamic
+ Authorization Client with which the server shares a
+ secret."
+ INDEX { radiusDynAuthClientIndex }
+ ::= { radiusDynAuthClientTable 1 }
+
+RadiusDynAuthClientEntry ::= SEQUENCE {
+ radiusDynAuthClientIndex Integer32,
+ radiusDynAuthClientAddressType InetAddressType,
+ radiusDynAuthClientAddress InetAddress,
+ radiusDynAuthServDisconRequests Counter32,
+ radiusDynAuthServDisconAuthOnlyRequests Counter32,
+ radiusDynAuthServDupDisconRequests Counter32,
+ radiusDynAuthServDisconAcks Counter32,
+ radiusDynAuthServDisconNaks Counter32,
+ radiusDynAuthServDisconNakAuthOnlyRequests Counter32,
+ radiusDynAuthServDisconNakSessNoContext Counter32,
+ radiusDynAuthServDisconUserSessRemoved Counter32,
+ radiusDynAuthServMalformedDisconRequests Counter32,
+ radiusDynAuthServDisconBadAuthenticators Counter32,
+ radiusDynAuthServDisconPacketsDropped Counter32,
+ radiusDynAuthServCoARequests Counter32,
+ radiusDynAuthServCoAAuthOnlyRequests Counter32,
+ radiusDynAuthServDupCoARequests Counter32,
+ radiusDynAuthServCoAAcks Counter32,
+ radiusDynAuthServCoANaks Counter32,
+ radiusDynAuthServCoANakAuthOnlyRequests Counter32,
+ radiusDynAuthServCoANakSessNoContext Counter32,
+ radiusDynAuthServCoAUserSessChanged Counter32,
+ radiusDynAuthServMalformedCoARequests Counter32,
+ radiusDynAuthServCoABadAuthenticators Counter32,
+ radiusDynAuthServCoAPacketsDropped Counter32,
+ radiusDynAuthServUnknownTypes Counter32,
+
+
+
+De Cnodder, et al. Informational [Page 7]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ radiusDynAuthServerCounterDiscontinuity TimeTicks
+}
+
+
+radiusDynAuthClientIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS Dynamic
+ Authorization Client with which this Dynamic
+ Authorization Server communicates. This number is
+ allocated by the agent implementing this MIB module
+ and is unique in this context."
+ ::= { radiusDynAuthClientEntry 1 }
+
+radiusDynAuthClientAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of IP address of the RADIUS Dynamic
+ Authorization Client referred to in this table entry."
+ ::= { radiusDynAuthClientEntry 2 }
+
+radiusDynAuthClientAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address value of the RADIUS Dynamic
+ Authorization Client referred to in this table entry,
+ using the version neutral IP address format. The type
+ of this address is determined by the value of
+ the radiusDynAuthClientAddressType object."
+ ::= { radiusDynAuthClientEntry 3 }
+
+radiusDynAuthServDisconRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests received
+ from this Dynamic Authorization Client. This also
+ includes the RADIUS Disconnect-Requests that have a
+ Service-Type attribute with value 'Authorize Only'.
+ This counter may experience a discontinuity when the
+
+
+
+De Cnodder, et al. Informational [Page 8]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ DAS module (re)starts as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 4 }
+
+radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests that include
+ a Service-Type attribute with value 'Authorize Only'
+ received from this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 5 }
+
+radiusDynAuthServDupDisconRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS Disconnect-Request
+ packets received from this Dynamic Authorization
+ Client. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 6 }
+
+radiusDynAuthServDisconAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-ACK packets sent to
+ this Dynamic Authorization Client. This counter may
+ experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 9]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 7 }
+
+radiusDynAuthServDisconNaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ sent to this Dynamic Authorization Client. This
+ includes the RADIUS Disconnect-NAK packets sent
+ with a Service-Type attribute with value 'Authorize
+ Only' and the RADIUS Disconnect-NAK packets sent
+ because no session context was found. This counter
+ may experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 8 }
+
+radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets that
+ include a Service-Type attribute with value
+ 'Authorize Only' sent to this Dynamic Authorization
+ Client. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 9 }
+
+radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ sent to this Dynamic Authorization Client
+ because no session context was found. This counter may
+
+
+
+De Cnodder, et al. Informational [Page 10]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 10 }
+
+radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "sessions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of user sessions removed for the
+ Disconnect-Requests received from this
+ Dynamic Authorization Client. Depending on site-
+ specific policies, a single Disconnect request
+ can remove multiple user sessions. In cases where
+ this Dynamic Authorization Server has no
+ knowledge of the number of user sessions that
+ are affected by a single request, each such
+ Disconnect-Request will count as a single
+ affected user session only. This counter may experience
+ a discontinuity when the DAS module (re)starts, as
+ indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthClientEntry 11 }
+
+radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Disconnect-Request
+ packets received from this Dynamic Authorization
+ Client. Bad authenticators and unknown types are not
+ included as malformed Disconnect-Requests. This counter
+ may experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 12 }
+
+
+
+
+De Cnodder, et al. Informational [Page 11]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Request packets
+ that contained an invalid Authenticator field
+ received from this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 13 }
+
+radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming Disconnect-Requests
+ from this Dynamic Authorization Client silently
+ discarded by the server application for some reason
+ other than malformed, bad authenticators, or unknown
+ types. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 14 }
+
+radiusDynAuthServCoARequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-requests received from this
+ Dynamic Authorization Client. This also includes
+ the CoA requests that have a Service-Type attribute
+ with value 'Authorize Only'. This counter may
+ experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 12]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 15 }
+
+radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-requests that include a
+ Service-Type attribute with value 'Authorize Only'
+ received from this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 16 }
+
+
+radiusDynAuthServDupCoARequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of duplicate RADIUS CoA-Request packets
+ received from this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 17 }
+
+radiusDynAuthServCoAAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-ACK packets sent to this
+ Dynamic Authorization Client. This counter may
+ experience a discontinuity when the DAS module
+
+
+
+De Cnodder, et al. Informational [Page 13]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 18 }
+
+radiusDynAuthServCoANaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets sent to
+ this Dynamic Authorization Client. This includes
+ the RADIUS CoA-NAK packets sent with a Service-Type
+ attribute with value 'Authorize Only' and the RADIUS
+ CoA-NAK packets sent because no session context was
+ found. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 19 }
+
+radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets that include a
+ Service-Type attribute with value 'Authorize Only'
+ sent to this Dynamic Authorization Client. This counter
+ may experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 20 }
+
+radiusDynAuthServCoANakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 14]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets sent to this
+ Dynamic Authorization Client because no session context
+ was found. This counter may experience a discontinuity
+ when the DAS module (re)starts, as indicated by the
+ value of radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 21 }
+
+radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "sessions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of user sessions authorization
+ changed for the CoA-Requests received from this
+ Dynamic Authorization Client. Depending on site-
+ specific policies, a single CoA request can change
+ multiple user sessions' authorization. In cases where
+ this Dynamic Authorization Server has no knowledge of
+ the number of user sessions that are affected by a
+ single request, each such CoA-Request will
+ count as a single affected user session only. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthClientEntry 22 }
+
+radiusDynAuthServMalformedCoARequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS CoA-Request packets
+ received from this Dynamic Authorization Client. Bad
+ authenticators and unknown types are not included as
+ malformed CoA-Requests. This counter may experience a
+ discontinuity when the DAS module (re)starts, as
+ indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+
+
+
+De Cnodder, et al. Informational [Page 15]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 23 }
+
+radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-Request packets that
+ contained an invalid Authenticator field received
+ from this Dynamic Authorization Client. This counter
+ may experience a discontinuity when the DAS module
+ (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 24 }
+
+radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming CoA packets from this
+ Dynamic Authorization Client silently discarded
+ by the server application for some reason other than
+ malformed, bad authenticators, or unknown types. This
+ counter may experience a discontinuity when the DAS
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 25 }
+
+radiusDynAuthServUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets of unknown types that
+ were received on the Dynamic Authorization port. This
+ counter may experience a discontinuity when the DAS
+
+
+
+De Cnodder, et al. Informational [Page 16]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ module (re)starts, as indicated by the value of
+ radiusDynAuthServerCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.3, Packet Format."
+ ::= { radiusDynAuthClientEntry 26 }
+
+radiusDynAuthServerCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "hundredths of a second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time (in hundredths of a second) since the
+ last counter discontinuity. A discontinuity may
+ be the result of a reinitialization of the DAS
+ module within the managed entity."
+ ::= { radiusDynAuthClientEntry 27 }
+
+
+-- conformance information
+
+radiusDynAuthServerMIBConformance
+ OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
+radiusDynAuthServerMIBCompliances
+ OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
+radiusDynAuthServerMIBGroups
+ OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }
+
+-- compliance statements
+
+radiusAuthServerMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities implementing
+ the RADIUS Dynamic Authorization Server. Implementation
+ of this module is for entities that support IPv4 and/or
+ IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }
+
+ OBJECT radiusDynAuthClientAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+ OBJECT radiusDynAuthClientAddress
+ SYNTAX InetAddress (SIZE(4|16))
+
+
+
+De Cnodder, et al. Informational [Page 17]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+ GROUP radiusDynAuthServerAuthOnlyGroup
+ DESCRIPTION
+ "Only required for Dynamic Authorization Clients that
+ are supporting Service-Type attributes with value
+ 'Authorize-Only'."
+
+
+ GROUP radiusDynAuthServerNoSessGroup
+ DESCRIPTION
+ "This group is not required if the Dynamic
+ Authorization Server cannot easily determine whether
+ a session exists (e.g., in case of a RADIUS
+ proxy)."
+
+ ::= { radiusDynAuthServerMIBCompliances 1 }
+
+-- units of conformance
+
+radiusDynAuthServerMIBGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
+ radiusDynAuthServerCoAInvalidClientAddresses,
+ radiusDynAuthServerIdentifier,
+ radiusDynAuthClientAddressType,
+ radiusDynAuthClientAddress,
+ radiusDynAuthServDisconRequests,
+ radiusDynAuthServDupDisconRequests,
+ radiusDynAuthServDisconAcks,
+ radiusDynAuthServDisconNaks,
+ radiusDynAuthServDisconUserSessRemoved,
+ radiusDynAuthServMalformedDisconRequests,
+ radiusDynAuthServDisconBadAuthenticators,
+ radiusDynAuthServDisconPacketsDropped,
+ radiusDynAuthServCoARequests,
+ radiusDynAuthServDupCoARequests,
+ radiusDynAuthServCoAAcks,
+ radiusDynAuthServCoANaks,
+ radiusDynAuthServCoAUserSessChanged,
+ radiusDynAuthServMalformedCoARequests,
+ radiusDynAuthServCoABadAuthenticators,
+ radiusDynAuthServCoAPacketsDropped,
+ radiusDynAuthServUnknownTypes,
+ radiusDynAuthServerCounterDiscontinuity
+ }
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 18]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Dynamic Authorization Server."
+ ::= { radiusDynAuthServerMIBGroups 1 }
+
+radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
+ radiusDynAuthServDisconNakAuthOnlyRequests,
+ radiusDynAuthServCoAAuthOnlyRequests,
+ radiusDynAuthServCoANakAuthOnlyRequests
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages including Service-Type attribute with
+ value 'Authorize Only'."
+ ::= { radiusDynAuthServerMIBGroups 2 }
+
+radiusDynAuthServerNoSessGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthServDisconNakSessNoContext,
+ radiusDynAuthServCoANakSessNoContext
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages that are referring to non-existing sessions."
+ ::= { radiusDynAuthServerMIBGroups 3 }
+
+
+END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 19]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+5. Security Considerations
+
+ There are no management objects defined in this MIB module that have
+ a MAX-ACCESS clause of read-write and/or read-create. So, if this
+ MIB module is implemented correctly, then there is no risk that an
+ intruder can alter or create any management objects of this MIB
+ module via direct SNMP SET operations.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+ radiusDynAuthClientAddress and radiusDynAuthClientAddressType
+
+ These can be used to determine the address of the DAC with which
+ the DAS is communicating. This information could be useful in
+ mounting an attack on the DAC.
+
+ radiusDynAuthServerIdentifier
+
+ This can be used to determine the Identifier of the DAS. This
+ information could be useful in impersonating the DAS.
+
+ SNMP versions prior to SNMPv3 did not include adequate security.
+ Even if the network itself is secure (for example by using IPsec),
+ even then, there is no control as to who on the secure network is
+ allowed to access and GET/SET (read/change/create/delete) the objects
+ in this MIB module.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 20]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+6. IANA Considerations
+
+ The IANA has assigned OID number 146 under mib-2.
+
+7. Acknowledgements
+
+ The authors would like to acknowledge the following people for their
+ comments on this document: Bernard Aboba, Alan DeKok, David Nelson,
+ Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg Weber,
+ Bert Wijnen, and Glen Zorn.
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Structure of Management Information Version 2 (SMIv2)",
+ STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Textual Conventions for SMIv2", STD 58, RFC 2579, April
+ 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
+ Aboba, "Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)", RFC 3576,
+ July 2003.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 21]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+8.2. Informative References
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)", RFC
+ 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
+ RFC 4668, August 2006.
+
+ [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
+ RFC 4669, August 2006.
+
+ [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC
+ 4670, August 2006.
+
+ [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
+ 4671, August 2006.
+
+ [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
+ Authorization Client MIB", RFC 4672, September 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 22]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+Authors' Addresses
+
+ Stefaan De Cnodder
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing, O'Shaugnessy Road
+ Bangalore-560027, India
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 23]
+\f
+RFC 4673 RADIUS Dynamic Authorization Server MIB September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 24]
+\f
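Review bot: the compliance statement in the conformance section is declared as `radiusAuthServerMIBCompliance MODULE-COMPLIANCE`, without the `DynAuth` infix that every other descriptor visible in this module carries (`radiusDynAuthServerMIBConformance`, `radiusDynAuthServerMIBCompliances`, `radiusDynAuthServerMIBGroups`, and all three OBJECT-GROUPs). The name reads as if it belonged to the RADIUS Authentication Server MIB cited in 8.2 as [RFC4669], although it is registered under `{ radiusDynAuthServerMIBCompliances 1 }`. If this file is meant to be a verbatim copy of the published text, keep the spelling as is, but document the discrepancy wherever the MIB module is extracted or compiled from it, so that name-based lookups and monitoring rules resolve the descriptor to this module and not to the authentication server one. Two smaller wording inconsistencies in the same section are worth recording alongside it: the GROUP clause for `radiusDynAuthServerAuthOnlyGroup` says "Only required for Dynamic Authorization Clients" in a module that instruments the server, and the Service-Type value is spelled 'Authorize-Only' there but 'Authorize Only' in the counter and OBJECT-GROUP descriptions. Finally, Section 5 singles out `radiusDynAuthClientAddress`, `radiusDynAuthClientAddressType` and `radiusDynAuthServerIdentifier` as sensitive even for GET; any agent configuration shipped with this module should state which SNMPv3 view exposes them, since the patch adds the definitions with no accompanying access guidance.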