Network Working Group                                    S. De Cnodder
Request for Comments: 4672                                     Alcatel
Category: Informational                                     N. Jonnala

                RADIUS Dynamic Authorization Client MIB

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial-In User
   Service (RADIUS) (RFC2865) Dynamic Authorization Client (DAC)
   functions that support the dynamic authorization extensions as

Table of Contents

   1. Introduction ....................................................2
      1.1. Requirements Notation ......................................2
      1.2. Terminology ................................................2
   2. The Internet-Standard Management Framework ......................3
   3. Overview ........................................................3
   4. RADIUS Dynamic Authorization Client MIB Definitions .............3
   5. Security Considerations ........................................19
   6. IANA Considerations ............................................20
   7. Acknowledgements ...............................................20
   8. References .....................................................21
      8.1. Normative References ......................................21
      8.2. Informative References ....................................21

De Cnodder, et al. Informational [Page 1]

RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006

1. Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial-In User
   Service (RADIUS) [RFC2865] Dynamic Authorization Client (DAC)
   functions that support the dynamic authorization extensions as

   It is becoming increasingly important to support Dynamic
   Authorization extensions on the network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages,
   as described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Client MIB complements the managed
   objects used for managing RADIUS authentication and accounting
   servers, as described in [RFC4669] and [RFC4671], respectively.

1.1. Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS that processes the Disconnect
      and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
      the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component that sends Disconnect and CoA-Request packets to the
      Dynamic Authorization Server.  Although this component often resides
      on the RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
   [RFC2580].

3. Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
   CoA-Request, CoA-ACK, and CoA-NAK packets.  [RFC4673] defines the
   Dynamic Authorization Server MIB and the relationship with other MIB
   modules.  This MIB module for the Dynamic Authorization Client
   contains the following:

   1. Two scalar objects

   2. One Dynamic Authorization Server table.  This table contains one
      row for each DAS with which the DAC shares a secret.

4. RADIUS Dynamic Authorization Client MIB Definitions

   RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Gauge32, Integer32,
          mib-2, TimeTicks            FROM SNMPv2-SMI         -- [RFC2578]
          SnmpAdminString             FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
          InetAddressType, InetAddress,
          InetPortNumber              FROM INET-ADDRESS-MIB   -- [RFC4001]
          MODULE-COMPLIANCE,
          OBJECT-GROUP                FROM SNMPv2-CONF;       -- [RFC2580]

   radiusDynAuthClientMIB MODULE-IDENTITY
          LAST-UPDATED "200608290000Z" -- 29 August 2006
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Francis Wellesplein 1

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Divyasree Chambers, B Wing,
                   Bangalore-560027, India.

                   Phone: +91 94487 60828
                   EMail: njonnala@cisco.com

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the client
                 side of the Dynamic Authorization Extensions to the
                 Remote Authentication Dial-In User Service (RADIUS)
                 protocol.  Copyright (C) The Internet Society (2006).
                 Initial version as published in RFC 4672;
                 for full legal notices see the RFC itself."

          -- the REVISION date must equal LAST-UPDATED for a single revision
          REVISION "200608290000Z" -- 29 August 2006
          DESCRIPTION "Initial version as published in RFC 4672"
          ::= { mib-2 145 }

   radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                      { radiusDynAuthClientMIB 1 }

   radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
                                      { radiusDynAuthClientMIBObjects 1 }

   radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of Disconnect-Ack and Disconnect-NAK packets
                 received from unknown addresses.  This counter may
                 experience a discontinuity when the DAC module
                 (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          ::= { radiusDynAuthClientScalars 1 }

   radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA-Ack and CoA-NAK packets received from
                 unknown addresses.  This counter may experience a
                 discontinuity when the DAC module (re)starts, as
                 indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          ::= { radiusDynAuthClientScalars 2 }

   radiusDynAuthServerTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS Dynamic
                 Authorization Servers with which the client shares a
                 secret."
          ::= { radiusDynAuthClientMIBObjects 2 }

   radiusDynAuthServerEntry OBJECT-TYPE
          SYNTAX RadiusDynAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "An entry (conceptual row) representing one Dynamic
                 Authorization Server with which the client shares a
                 secret."
          INDEX { radiusDynAuthServerIndex }
          ::= { radiusDynAuthServerTable 1 }

   RadiusDynAuthServerEntry ::= SEQUENCE {
          radiusDynAuthServerIndex                    Integer32,
          radiusDynAuthServerAddressType              InetAddressType,
          radiusDynAuthServerAddress                  InetAddress,
          radiusDynAuthServerClientPortNumber         InetPortNumber,
          radiusDynAuthServerID                       SnmpAdminString,
          radiusDynAuthClientRoundTripTime            TimeTicks,
          radiusDynAuthClientDisconRequests           Counter32,
          radiusDynAuthClientDisconAuthOnlyRequests   Counter32,
          radiusDynAuthClientDisconRetransmissions    Counter32,
          radiusDynAuthClientDisconAcks               Counter32,
          radiusDynAuthClientDisconNaks               Counter32,
          radiusDynAuthClientDisconNakAuthOnlyRequest Counter32,
          radiusDynAuthClientDisconNakSessNoContext   Counter32,
          radiusDynAuthClientMalformedDisconResponses Counter32,
          radiusDynAuthClientDisconBadAuthenticators  Counter32,
          radiusDynAuthClientDisconPendingRequests    Gauge32,
          radiusDynAuthClientDisconTimeouts           Counter32,
          radiusDynAuthClientDisconPacketsDropped     Counter32,
          radiusDynAuthClientCoARequests              Counter32,
          radiusDynAuthClientCoAAuthOnlyRequest       Counter32,
          radiusDynAuthClientCoARetransmissions       Counter32,
          radiusDynAuthClientCoAAcks                  Counter32,
          radiusDynAuthClientCoANaks                  Counter32,
          radiusDynAuthClientCoANakAuthOnlyRequest    Counter32,
          radiusDynAuthClientCoANakSessNoContext      Counter32,
          radiusDynAuthClientMalformedCoAResponses    Counter32,
          radiusDynAuthClientCoABadAuthenticators     Counter32,
          radiusDynAuthClientCoAPendingRequests       Gauge32,
          radiusDynAuthClientCoATimeouts              Counter32,
          radiusDynAuthClientCoAPacketsDropped        Counter32,
          radiusDynAuthClientUnknownTypes             Counter32,
          radiusDynAuthClientCounterDiscontinuity     TimeTicks
   }

   radiusDynAuthServerIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "A number uniquely identifying each RADIUS Dynamic
                 Authorization Server with which this Dynamic
                 Authorization Client communicates.  This number is
                 allocated by the agent implementing this MIB module
                 and is unique in this context."
          ::= { radiusDynAuthServerEntry 1 }

   radiusDynAuthServerAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The type of IP address of the RADIUS Dynamic
                 Authorization Server referred to in this table entry."
          ::= { radiusDynAuthServerEntry 2 }

   radiusDynAuthServerAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The IP address value of the RADIUS Dynamic
                 Authorization Server referred to in this table entry
                 using the version neutral IP address format.  The type
                 of this address is determined by the value of the
                 radiusDynAuthServerAddressType object."
          ::= { radiusDynAuthServerEntry 3 }

   radiusDynAuthServerClientPortNumber OBJECT-TYPE
          SYNTAX InetPortNumber (1..65535)
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The UDP destination port that the RADIUS Dynamic
                 Authorization Client is using to send requests to this
                 server.  The value zero is invalid."
          ::= { radiusDynAuthServerEntry 4 }

   radiusDynAuthServerID OBJECT-TYPE
          SYNTAX SnmpAdminString
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS Dynamic Authorization
                 Server referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          REFERENCE
                "RFC 2865, Section 5.32, NAS-Identifier."
          ::= { radiusDynAuthServerEntry 5 }

   radiusDynAuthClientRoundTripTime OBJECT-TYPE
          SYNTAX TimeTicks
          UNITS "hundredths of a second"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The time interval (in hundredths of a second) between
                 the most recent Disconnect or CoA request and the
                 receipt of the corresponding Disconnect or CoA reply.
                 A value of zero is returned if no reply has been
                 received yet from this server."
          ::= { radiusDynAuthServerEntry 6 }

   radiusDynAuthClientDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Requests sent
                 to this Dynamic Authorization Server.  This also
                 includes the RADIUS Disconnect-Requests that have a
                 Service-Type attribute with value 'Authorize Only'.
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 7 }

   radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Requests that include a
                 Service-Type attribute with value 'Authorize Only'
                 sent to this Dynamic Authorization Server.
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 8 }

   radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "retransmissions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-request packets
                 retransmitted to this RADIUS Dynamic Authorization
                 Server.  This counter may experience a discontinuity
                 when the DAC module (re)starts, as indicated by the
                 value of radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 9 }

   radiusDynAuthClientDisconAcks OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-ACK packets
                 received from this Dynamic Authorization Server.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 10 }

   radiusDynAuthClientDisconNaks OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 received from this Dynamic Authorization Server.
                 This includes the RADIUS Disconnect-NAK packets
                 received with a Service-Type attribute with value
                 'Authorize Only' and the RADIUS Disconnect-NAK
                 packets received if no session context was found.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 11 }

   radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 that include a Service-Type attribute with value
                 'Authorize Only' received from this Dynamic
                 Authorization Server.  This counter may experience a
                 discontinuity when the DAC module (re)starts, as
                 indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 12 }

   radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 received from this Dynamic Authorization Server
                 because no session context was found; i.e., it
                 includes an Error-Cause attribute with value 503
                 ('Session Context Not Found').  This counter may
                 experience a discontinuity when the DAC module
                 (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 13 }

   radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS Disconnect-Ack and
                 Disconnect-NAK packets received from this Dynamic
                 Authorization Server.  Bad authenticators and unknown
                 types are not included as malformed Disconnect-Ack and
                 Disconnect-NAK packets.  This counter may experience a
                 discontinuity when the DAC module (re)starts, as
                 indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 14 }

   radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Ack and Disconnect-NAK
                 packets that contained invalid Authenticator field
                 received from this Dynamic Authorization Server.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 15 }

   radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-request packets
                 destined for this server that have not yet timed out
                 or received a response.  This variable is incremented
                 when a Disconnect-Request is sent and decremented
                 due to receipt of a Disconnect-Ack, a Disconnect-NAK,
                 a timeout, or a retransmission."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 16 }

   radiusDynAuthClientDisconTimeouts OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of Disconnect request timeouts to this
                 server.  After a timeout, the client may retry to the
                 same server or give up.  A retry to the same server is
                 counted as a retransmit and as a timeout.  A send
                 to a different server is counted as a
                 Disconnect-Request and as a timeout.  This counter
                 may experience a discontinuity when the DAC module
                 (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 17 }

   radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming Disconnect-Ack and
                 Disconnect-NAK packets from this Dynamic Authorization
                 Server silently discarded by the client application for
                 some reason other than malformed, bad authenticators,
                 or unknown types.  This counter may experience a
                 discontinuity when the DAC module (re)starts, as
                 indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 18 }

   radiusDynAuthClientCoARequests OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Requests sent to this
                 Dynamic Authorization Server.  This also includes
                 CoA requests that have a Service-Type attribute
                 with value 'Authorize Only'.  This counter may
                 experience a discontinuity when the DAC module
                 (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 19 }

   radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-requests that include a
                 Service-Type attribute with value 'Authorize Only'
                 sent to this Dynamic Authorization Server.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 20 }

   radiusDynAuthClientCoARetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "retransmissions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-request packets
                 retransmitted to this RADIUS Dynamic Authorization
                 Server.  This counter may experience a discontinuity
                 when the DAC module (re)starts, as indicated by the
                 value of radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 21 }

   radiusDynAuthClientCoAAcks OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-ACK packets received from
                 this Dynamic Authorization Server.  This counter may
                 experience a discontinuity when the DAC module
                 (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 22 }

   radiusDynAuthClientCoANaks OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets received from
                 this Dynamic Authorization Server.  This includes the
                 RADIUS CoA-NAK packets received with a Service-Type
                 attribute with value 'Authorize Only' and the RADIUS
                 CoA-NAK packets received because no session context
                 was found.  This counter may experience a discontinuity
                 when the DAC module (re)starts, as indicated by the
                 value of radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 23 }

   radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets that include a
                 Service-Type attribute with value 'Authorize Only'
                 received from this Dynamic Authorization Server.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 24 }

   radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets received from
                 this Dynamic Authorization Server because no session
                 context was found; i.e., it includes an Error-Cause
                 attribute with value 503 ('Session Context Not Found').
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 25 }

   radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS CoA-Ack and CoA-NAK
                 packets received from this Dynamic Authorization
                 Server.  Bad authenticators and unknown types are
                 not included as malformed CoA-Ack and CoA-NAK packets.
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 26 }

   radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Ack and CoA-NAK packets
                 that contained invalid Authenticator field
                 received from this Dynamic Authorization Server.
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 27 }

   radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-request packets destined for
                 this server that have not yet timed out or received a
                 response.  This variable is incremented when a
                 CoA-Request is sent and decremented due to receipt of
                 a CoA-Ack, a CoA-NAK, a timeout, or a
                 retransmission."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 28 }

   radiusDynAuthClientCoATimeouts OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA request timeouts to this server.
                 After a timeout, the client may retry to the same
                 server or give up.  A retry to the same server is
                 counted as a retransmit and as a timeout.  A send to
                 a different server is counted as a CoA-Request and
                 as a timeout.  This counter may experience a
                 discontinuity when the DAC module (re)starts, as
                 indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 29 }

   radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming CoA-Ack and CoA-NAK packets from
                 this Dynamic Authorization Server silently discarded by
                 the client application for some reason other than
                 malformed, bad authenticators, or unknown types.  This
                 counter may experience a discontinuity when the DAC
                 module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 30 }

   radiusDynAuthClientUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming packets of unknown types
                 that were received on the Dynamic Authorization port.
                 This counter may experience a discontinuity when the
                 DAC module (re)starts, as indicated by the value of
                 radiusDynAuthClientCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 31 }

   radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
          SYNTAX TimeTicks
          UNITS "hundredths of a second"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The time (in hundredths of a second) since the
                 last counter discontinuity.  A discontinuity may
                 be the result of a reinitialization of the DAC
                 module within the managed entity."
          ::= { radiusDynAuthServerEntry 32 }

   -- conformance information

   radiusDynAuthClientMIBConformance
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
   radiusDynAuthClientMIBCompliances
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
   radiusDynAuthClientMIBGroups
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

   -- compliance statements

   radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for entities implementing
                 the RADIUS Dynamic Authorization Client.
                 Implementation of this module is for entities that
                 support IPv4 and/or IPv6."
          MODULE -- this module
          MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }

          OBJECT radiusDynAuthServerAddressType
          SYNTAX InetAddressType { ipv4(1), ipv6(2) }
          DESCRIPTION
                "An implementation is only required to support IPv4 and
                 globally unique IPv6 addresses."

          OBJECT radiusDynAuthServerAddress
          SYNTAX InetAddress (SIZE(4|16))
          DESCRIPTION
                "An implementation is only required to support IPv4 and
                 globally unique IPv6 addresses."

          GROUP radiusDynAuthClientAuthOnlyGroup
          DESCRIPTION
                "Only required for Dynamic Authorization Clients that
                 are supporting Service-Type attributes with value
                 'Authorize Only'."

          GROUP radiusDynAuthClientNoSessGroup
          DESCRIPTION
                "This group is not required if the Dynamic
                 Authorization Server cannot easily determine whether
                 a session exists (e.g., in case of a RADIUS
                 proxy)."

          ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
                    radiusDynAuthClientCoAInvalidServerAddresses,
                    radiusDynAuthServerAddressType,
                    radiusDynAuthServerAddress,
                    radiusDynAuthServerClientPortNumber,
                    radiusDynAuthServerID,
                    radiusDynAuthClientRoundTripTime,
                    radiusDynAuthClientDisconRequests,
                    radiusDynAuthClientDisconRetransmissions,
                    radiusDynAuthClientDisconAcks,
                    radiusDynAuthClientDisconNaks,
                    radiusDynAuthClientMalformedDisconResponses,
                    radiusDynAuthClientDisconBadAuthenticators,
                    radiusDynAuthClientDisconPendingRequests,
                    radiusDynAuthClientDisconTimeouts,
                    radiusDynAuthClientDisconPacketsDropped,
                    radiusDynAuthClientCoARequests,
                    radiusDynAuthClientCoARetransmissions,
                    radiusDynAuthClientCoAAcks,
                    radiusDynAuthClientCoANaks,
                    radiusDynAuthClientMalformedCoAResponses,
                    radiusDynAuthClientCoABadAuthenticators,
                    radiusDynAuthClientCoAPendingRequests,
                    radiusDynAuthClientCoATimeouts,
                    radiusDynAuthClientCoAPacketsDropped,
                    radiusDynAuthClientUnknownTypes,
                    radiusDynAuthClientCounterDiscontinuity
          }
          STATUS current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Dynamic Authorization Client."
          ::= { radiusDynAuthClientMIBGroups 1 }

   radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
                    radiusDynAuthClientDisconNakAuthOnlyRequest,
                    radiusDynAuthClientCoAAuthOnlyRequest,
                    radiusDynAuthClientCoANakAuthOnlyRequest
          }
          STATUS current
          DESCRIPTION
                "The collection of objects supporting the RADIUS
                 messages including Service-Type attribute with
                 value 'Authorize Only'."
          ::= { radiusDynAuthClientMIBGroups 2 }

   radiusDynAuthClientNoSessGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
                    radiusDynAuthClientCoANakSessNoContext
          }
          STATUS current
          DESCRIPTION
                "The collection of objects supporting the RADIUS
                 messages that are referring to non-existing sessions."
          ::= { radiusDynAuthClientMIBGroups 3 }

   END

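The following added example (not part of RFC 4672, nor code from any DAC implementation) shows how a monitoring script would consume the table defined above: it resolves numeric column OIDs under { mib-2 145 } to the object names, differences Counter32 values with wrap handling, reports the Gauge32 pending-request level rather than a delta, and refuses to difference a row whose radiusDynAuthClientCounterDiscontinuity is younger than the poll interval. The snmpwalk-style input lines, the DAS indices, the counter values and the poll interval are all constructed.

```python
"""Added example (not RFC 4672 code): poll-to-poll analysis of the
radiusDynAuthServerTable counters.  Two constructed snmpwalk-style samples
taken one poll interval apart are compared per DAS row."""
import re

# radiusDynAuthClientMIB ::= { mib-2 145 }; entry = MIBObjects(1).Table(2).Entry(1)
ENTRY_OID = "1.3.6.1.2.1.145.1.2.1"
# column number -> object name, as assigned in radiusDynAuthServerEntry
COLUMNS = {
    7: "radiusDynAuthClientDisconRequests",
    15: "radiusDynAuthClientDisconBadAuthenticators",
    16: "radiusDynAuthClientDisconPendingRequests",
    32: "radiusDynAuthClientCounterDiscontinuity",
}
GAUGES = {"radiusDynAuthClientDisconPendingRequests"}   # a level, not a delta
DISCONTINUITY = "radiusDynAuthClientCounterDiscontinuity"  # TimeTicks since reset
# Growth of this counter between polls deserves an alert: a reply with a bad
# Authenticator means either a misconfigured shared secret or a forged reply.
WATCH = ("radiusDynAuthClientDisconBadAuthenticators",)

LINE_RE = re.compile(
    r"^(?P<oid>[\d.]+) = (?P<type>Counter32|Gauge32|Timeticks): \(?(?P<val>\d+)")


def parse_walk(text):
    """Return {dasIndex: {objectName: int}} from numeric-OID snmpwalk lines.
    Lines outside radiusDynAuthServerEntry (e.g. the scalars) are ignored."""
    table = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(ENTRY_OID + "."):
            continue
        column, index = m.group("oid")[len(ENTRY_OID) + 1:].split(".")
        name = COLUMNS.get(int(column))
        if name is not None:
            table.setdefault(int(index), {})[name] = int(m.group("val"))
    return table


def counter_delta(old, new):
    """Counter32 increase between two polls, tolerating one 32-bit wrap."""
    return (new - old) % (1 << 32)


def analyse(prev, curr, interval_ticks):
    """Per-DAS report.  A row whose discontinuity timer (hundredths of a
    second since the DAC module last (re)started) is younger than the poll
    interval is flagged rather than differenced: its counters may have reset."""
    report = {}
    for index, now in curr.items():
        entry = {"alerts": []}
        before = prev.get(index)
        disc = now.get(DISCONTINUITY)
        if before is None:
            entry["status"] = "new"
        elif disc is not None and disc < interval_ticks:
            entry["status"] = "discontinuity"
        else:
            entry["status"] = "ok"
            for name, value in now.items():
                if name == DISCONTINUITY:
                    continue
                if name in GAUGES:
                    entry[name] = value
                elif name in before:
                    entry[name] = counter_delta(before[name], value)
            entry["alerts"] = [n for n in WATCH if entry.get(n, 0) > 0]
        report[index] = entry
    return report


# Constructed samples: DAS 1 wraps its request counter and starts seeing bad
# Authenticators; DAS 2's DAC module restarted 12 seconds before poll 2.
POLL_1 = """
1.3.6.1.2.1.145.1.1.1.0 = Counter32: 2
1.3.6.1.2.1.145.1.2.1.7.1 = Counter32: 4294967290
1.3.6.1.2.1.145.1.2.1.15.1 = Counter32: 0
1.3.6.1.2.1.145.1.2.1.16.1 = Gauge32: 1
1.3.6.1.2.1.145.1.2.1.32.1 = Timeticks: (864000) 2:24:00.00
1.3.6.1.2.1.145.1.2.1.7.2 = Counter32: 500
1.3.6.1.2.1.145.1.2.1.15.2 = Counter32: 0
1.3.6.1.2.1.145.1.2.1.16.2 = Gauge32: 0
1.3.6.1.2.1.145.1.2.1.32.2 = Timeticks: (864000) 2:24:00.00
"""
POLL_2 = """
1.3.6.1.2.1.145.1.1.1.0 = Counter32: 2
1.3.6.1.2.1.145.1.2.1.7.1 = Counter32: 10
1.3.6.1.2.1.145.1.2.1.15.1 = Counter32: 4
1.3.6.1.2.1.145.1.2.1.16.1 = Gauge32: 2
1.3.6.1.2.1.145.1.2.1.32.1 = Timeticks: (894000) 2:29:00.00
1.3.6.1.2.1.145.1.2.1.7.2 = Counter32: 3
1.3.6.1.2.1.145.1.2.1.15.2 = Counter32: 0
1.3.6.1.2.1.145.1.2.1.16.2 = Gauge32: 0
1.3.6.1.2.1.145.1.2.1.32.2 = Timeticks: (1200) 0:00:12.00
"""
POLL_INTERVAL_TICKS = 30000  # 5 minutes, in hundredths of a second

if __name__ == "__main__":
    report = analyse(parse_walk(POLL_1), parse_walk(POLL_2), POLL_INTERVAL_TICKS)
    for index, row in report.items():
        print(index, row)
```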
5. Security Considerations
1049
There are no management objects defined in this MIB module that have
1050
a MAX-ACCESS clause of read-write and/or read-create. So, if this
1051
MIB module is implemented correctly, then there is no risk that an
intruder can alter or create any management objects of this MIB
module via direct SNMP SET operations.

Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:

radiusDynAuthServerAddress and radiusDynAuthServerAddressType

   These can be used to determine the address of the DAS with which
   the DAC is communicating. This information could be useful in
   mounting an attack on the DAS.

radiusDynAuthServerID

   This can be used to determine the Identifier of the DAS. This
   information could be useful in impersonating the DAS.

radiusDynAuthServerClientPortNumber

   This can be used to determine the destination port number to which
   the DAC is sending. This information could be useful in mounting
   an attack on the DAS.

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
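The access-control recommendation above, as an added example that is not part of RFC 4672: a net-snmp snmpd.conf fragment contrasting a weak SNMPv1/v2c community configuration with SNMPv3 authPriv users whose views either exclude or include the RADIUS Dynamic Authorization Client MIB subtree (mib-2 145, i.e. 1.3.6.1.2.1.145). The user names, passphrases and view names are assumptions.

```conf
# Added example (not from RFC 4672): net-snmp snmpd.conf fragments.
# User names, passphrases and view names are assumptions; adjust locally.

### Weak: SNMPv1/v2c community string, no authentication or privacy.
### Anyone who can reach UDP/161 and knows "public" can GET the DAS
### address, port and identifier objects of this MIB in clear text.
# rocommunity public

### Corrected: SNMPv3 only, with authentication and encryption.
# createUser lines are consumed once at startup; keep them in the
# persistent configuration file rather than a world-readable snmpd.conf.
createUser monitor   SHA "monitor-auth-passphrase"   AES "monitor-priv-passphrase"
createUser radiusops SHA "radiusops-auth-passphrase" AES "radiusops-priv-passphrase"

# View for general monitoring: the whole internet subtree except the
# RADIUS Dynamic Authorization Client MIB (mib-2 145).
view generalView included .1.3.6.1
view generalView excluded .1.3.6.1.2.1.145

# View for the operators who legitimately need the DAC objects.
view radiusView included .1.3.6.1.2.1.145

# Bind users to views. "priv" requires authPriv (authenticated and
# encrypted) requests, so the sensitive values are never sent in clear.
rouser monitor   priv -V generalView
rouser radiusops priv -V radiusView
```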
6. IANA Considerations

The IANA has assigned OID number 145 under mib-2.

The authors would also like to acknowledge the following people for
their comments on this document: Bernard Aboba, Alan DeKok, David
Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
Weber, Bert Wijnen, and Glen Zorn.
8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Structure of Management Information Version 2 (SMIv2)",
          STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Textual Conventions for SMIv2", STD 58, RFC 2579, April

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
          "Conformance Statements for SMIv2", STD 58, RFC 2580,

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
          Architecture for Describing Simple Network Management
          Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,

[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
          Aboba, "Dynamic Authorization Extensions to Remote
          Authentication Dial In User Service (RADIUS)", RFC 3576,

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
          Schoenwaelder, "Textual Conventions for Internet Network
          Addresses", RFC 4001, February 2005.

8.2. Informative References

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
          "Remote Authentication Dial In User Service (RADIUS)", RFC

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
          "Introduction and Applicability Statements for Internet-
          Standard Management Framework", RFC 3410, December 2002.

[RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
          RFC 4669, August 2006.

[RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC

[RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
          Authorization Server MIB", RFC 4673, September 2006.
Francis Wellesplein 1

Phone: +32 3 240 85 15
EMail: stefaan.de_cnodder@alcatel.be

Divyasree Chambers, B Wing, O'Shaugnessy Road
Bangalore-560027, India

Phone: +91 94487 60828
EMail: njonnala@cisco.com

Phone: +1 408 525 7198
EMail: mchiba@cisco.com
Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).