RADIUS Working Group                                          Glen Zorn
INTERNET-DRAFT                                                Microsoft
Category: Standards Track                                 Bernard Aboba
                                                              Microsoft
                                                          31 March 1999

                   RADIUS Authentication Server MIB

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

The distribution of this memo is unlimited. It is filed as , and expires October 1, 1999. Please send comments to the authors.

2. Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

3. Abstract

This memo defines a set of extensions which instrument RADIUS authentication server functions. These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions IP-based management stations can manage RADIUS authentication servers.

4. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community.
In particular, it describes managed objects used for managing RADIUS authentication servers.

RADIUS authentication servers are today widely deployed by dialup Internet Service Providers, in order to provide authentication services. As a result, the effective management of RADIUS authentication servers is of considerable importance.

5. The SNMP Management Framework

The SNMP Management Framework presently consists of five major components:

   o  An overall architecture, described in RFC 2271 [1].

   o  Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC 1904 [7].

   o  Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and the view-based access control mechanism described in RFC 2275 [15].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

6. Overview

The RADIUS authentication protocol, described in [16], distinguishes between the client function and the server function. In RADIUS authentication, clients send Access-Requests, and servers reply with Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices implement the client function, and thus would be expected to implement the RADIUS authentication client MIB, while RADIUS authentication servers implement the server function, and thus would be expected to implement the RADIUS authentication server MIB.

However, it is possible for a RADIUS authentication entity to perform both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs.

6.1. Selected objects

This MIB module contains fourteen scalars as well as a single table:

   (1)  the RADIUS Authentication Client Table contains one row for each RADIUS authentication client that the server shares a secret with.
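What a management station does with the server-wide scalars once it has polled them is not spelled out in the draft. The following Python is an added example, not part of the draft and not code from any RADIUS implementation. It applies the counter relationships that the Definitions section records as comments (Responses = Accepts + Rejects + Challenges; Requests minus duplicates, bad authenticators, malformed packets, unknown types, drops and Responses = Pending) to two constructed snapshots of the radiusAuthServ counters, allows for Counter32 wrap between polls, and flags a bad-authenticator spike, which on a server usually means a client with a mismatched shared secret or packets that did not come from the configured clients. The object names are the draft's; the snapshot text, the 5% threshold and the function names are assumptions.

```python
import re

# The nine server-wide counters used by the draft's "Server Counters" relation,
# named as in the Definitions section. radiusAuthServTotalInvalidRequests
# (requests from unknown addresses) is not part of that relation and is omitted.
COUNTERS = (
    "radiusAuthServTotalAccessRequests",
    "radiusAuthServTotalDupAccessRequests",
    "radiusAuthServTotalAccessAccepts",
    "radiusAuthServTotalAccessRejects",
    "radiusAuthServTotalAccessChallenges",
    "radiusAuthServTotalMalformedAccessRequests",
    "radiusAuthServTotalBadAuthenticators",
    "radiusAuthServTotalPacketsDropped",
    "radiusAuthServTotalUnknownTypes",
)

# Constructed sample: two polls of one server, "name = value" per line as a
# dump of the scalars might print them. The values are made up for this example.
SNAPSHOT_T0 = """
radiusAuthServTotalAccessRequests = 10000
radiusAuthServTotalDupAccessRequests = 40
radiusAuthServTotalAccessAccepts = 9000
radiusAuthServTotalAccessRejects = 800
radiusAuthServTotalAccessChallenges = 100
radiusAuthServTotalMalformedAccessRequests = 5
radiusAuthServTotalBadAuthenticators = 10
radiusAuthServTotalPacketsDropped = 15
radiusAuthServTotalUnknownTypes = 3
"""

SNAPSHOT_T1 = """
radiusAuthServTotalAccessRequests = 10600
radiusAuthServTotalDupAccessRequests = 45
radiusAuthServTotalAccessAccepts = 9050
radiusAuthServTotalAccessRejects = 820
radiusAuthServTotalAccessChallenges = 105
radiusAuthServTotalMalformedAccessRequests = 5
radiusAuthServTotalBadAuthenticators = 510
radiusAuthServTotalPacketsDropped = 15
radiusAuthServTotalUnknownTypes = 3
"""


def parse_snapshot(text):
    """Parse 'name = value' lines into {name: int}; every relation counter must be present."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(radiusAuthServ\w+)\s*=\s*(\d+)\s*$", line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    missing = [c for c in COUNTERS if c not in counts]
    if missing:
        raise ValueError("snapshot lacks counters: " + ", ".join(missing))
    return counts


def derived(counts):
    """Apply the relations from the MIB's 'Server Counters' comment to one snapshot."""
    responses = (counts["radiusAuthServTotalAccessAccepts"]
                 + counts["radiusAuthServTotalAccessRejects"]
                 + counts["radiusAuthServTotalAccessChallenges"])
    discarded = (counts["radiusAuthServTotalDupAccessRequests"]
                 + counts["radiusAuthServTotalBadAuthenticators"]
                 + counts["radiusAuthServTotalMalformedAccessRequests"]
                 + counts["radiusAuthServTotalUnknownTypes"]
                 + counts["radiusAuthServTotalPacketsDropped"])
    logged = counts["radiusAuthServTotalAccessRequests"] - discarded   # "entries logged"
    return {"responses": responses, "logged": logged, "pending": logged - responses}


def counter_delta(old, new):
    """Difference of two Counter32 readings, allowing for one wrap at 2^32 between polls."""
    return (new - old) % (1 << 32)


def bad_authenticator_rate(t0, t1):
    """Fraction of packets received between the polls that failed the authenticator check."""
    requests = counter_delta(t0["radiusAuthServTotalAccessRequests"],
                             t1["radiusAuthServTotalAccessRequests"])
    bad = counter_delta(t0["radiusAuthServTotalBadAuthenticators"],
                        t1["radiusAuthServTotalBadAuthenticators"])
    return bad / requests if requests else 0.0


def assess(t0, t1, bad_auth_threshold=0.05):
    """Return findings: a snapshot that violates the relation, or a bad-authenticator spike."""
    findings = []
    for label, snap in (("t0", t0), ("t1", t1)):
        d = derived(snap)
        if d["pending"] < 0:
            findings.append(f"{label}: pending={d['pending']} is negative; Requests minus "
                            "discards minus Responses must not fall below zero")
    rate = bad_authenticator_rate(t0, t1)
    if rate > bad_auth_threshold:
        findings.append(f"bad-authenticator rate {rate:.1%} over the interval exceeds "
                        f"{bad_auth_threshold:.0%}; check for a shared-secret mismatch or "
                        "packets not sent by the configured clients")
    return findings


if __name__ == "__main__":
    t0, t1 = parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1)
    print(derived(t1))
    for finding in assess(t0, t1):
        print("FINDING:", finding)
```

A negative pending count cannot occur on a correctly instrumented server, so it points at a counter that is not maintained as the comment in the Definitions describes (for instance responses counted for requests that were never counted as received); the rate check is deliberately computed from deltas rather than totals so that a long-running server's history does not mask a recent burst.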
Each entry in the RADIUS Authentication Client Table includes twelve columns presenting a view of the activity of the RADIUS authentication server.

7. Definitions

RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32,
       IpAddress, TimeTicks              FROM SNMPv2-SMI
       SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF
       mib-2                             FROM RFC1213-MIB;

radiusAuthServMIB MODULE-IDENTITY
       LAST-UPDATED "9901290000Z"
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US

                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Remote Access Dialin User Service (RADIUS)
              authentication protocol."
       REVISION "9903290000Z"    -- 29 Mar 1999
       DESCRIPTION "Initial version as published in RFC xxxx"
                   -- RFC xxxx to be assigned by IANA
       ::= { radiusAuthentication 1 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 xxx }  -- To be assigned by IANA

radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}

radiusAuthServMIBObjects OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }

radiusAuthServ OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }

radiusAuthServIdent OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The implementation identification string for the
              RADIUS authentication server software in use on the
              system, for example; `FNS-2.1'"
       ::= {radiusAuthServ 1}

radiusAuthServUpTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process),
              this value will be the time elapsed (in hundredths of a
              second) since the server process was started.
              For software without persistent state, this value will
              be zero."
       ::= {radiusAuthServ 2}

radiusAuthServResetTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process)
              and supports a `reset' operation (e.g., can be told to
              re-read configuration files), this value will be the
              time elapsed (in hundredths of a second) since the
              server was `reset.'  For software that does not
              have persistence or does not support a `reset' operation,
              this value will be zero."
       ::= {radiusAuthServ 3}

radiusAuthServConfigReset OBJECT-TYPE
       SYNTAX INTEGER { other(1),
                        reset(2),
                        initializing(3),
                        running(4)}
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
             "Status/action object to reinitialize any persistent
              server state.  When set to reset(2), any persistent
              server state (such as a process) is reinitialized as if
              the server had just been started.  This value will
              never be returned by a read operation.
              When read, one of
              the following values will be returned:
                    other(1) - server in some unknown state;
                    initializing(3) - server (re)initializing;
                    running(4) - server currently running."
       ::= {radiusAuthServ 4}

-- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)

radiusAuthServTotalAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of packets received on the
              authentication port."
       ::= { radiusAuthServ 5}

radiusAuthServTotalInvalidRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              received from unknown addresses."
       ::= { radiusAuthServ 6 }

radiusAuthServTotalDupAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of duplicate RADIUS Access-Request
              packets received."
       ::= { radiusAuthServ 7 }

radiusAuthServTotalAccessAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Accept packets sent."
       ::= { radiusAuthServ 8 }

radiusAuthServTotalAccessRejects OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Reject packets sent."
       ::= { radiusAuthServ 9 }

radiusAuthServTotalAccessChallenges OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets sent."
       ::= { radiusAuthServ 10 }

radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of malformed RADIUS Access-Request
              packets received.  Bad authenticators
              and unknown types are not included as
              malformed Access-Requests."
       ::= { radiusAuthServ 11 }

radiusAuthServTotalBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Authentication-Request packets
              which contained invalid Signature attributes received."
       ::= { radiusAuthServ 12 }

radiusAuthServTotalPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of incoming packets
              silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthServ 13 }

radiusAuthServTotalUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received."
       ::= { radiusAuthServ 14 }

-- End of new

radiusAuthClientTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF RadiusAuthClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS authentication
              clients with which the server shares a secret."
       ::= { radiusAuthServ 15 }

radiusAuthClientEntry OBJECT-TYPE
       SYNTAX      RadiusAuthClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication client with which the server shares a secret."
       INDEX       { radiusAuthClientIndex }
       ::= { radiusAuthClientTable 1 }

RadiusAuthClientEntry ::= SEQUENCE {
       radiusAuthClientIndex                     Integer32,
       radiusAuthClientAddress                   IpAddress,
       radiusAuthClientID                        SnmpAdminString,
       radiusAuthServAccessRequests              Counter32,
       radiusAuthServDupAccessRequests           Counter32,
       radiusAuthServAccessAccepts               Counter32,
       radiusAuthServAccessRejects               Counter32,
       radiusAuthServAccessChallenges            Counter32,
       radiusAuthServMalformedAccessRequests     Counter32,
       radiusAuthServBadAuthenticators           Counter32,
       radiusAuthServPacketsDropped              Counter32,
       radiusAuthServUnknownTypes                Counter32
}

radiusAuthClientIndex OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              authentication client with which this server
              communicates."
       ::= { radiusAuthClientEntry 1 }

radiusAuthClientAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-IP-Address of the RADIUS authentication client
              referred to in this table entry."
       ::= { radiusAuthClientEntry 2 }

radiusAuthClientID OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS authentication client
              referred to in this table entry.  This is not necessarily
              the same as sysName in MIB II."
       ::= { radiusAuthClientEntry 3 }

-- Server Counters
--
-- Responses = AccessAccepts + AccessRejects + AccessChallenges
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped = entries logged

radiusAuthServAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of packets received on the authentication
              port from this client."
       ::= { radiusAuthClientEntry 4 }

radiusAuthServDupAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of duplicate RADIUS Access-Request
              packets received from this client."
       ::= { radiusAuthClientEntry 5 }

radiusAuthServAccessAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Accept packets
              sent to this client."
       ::= { radiusAuthClientEntry 6 }

radiusAuthServAccessRejects OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Reject packets
              sent to this client."
       ::= { radiusAuthClientEntry 7 }

radiusAuthServAccessChallenges OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets
              sent to this client."
       ::= { radiusAuthClientEntry 8 }

radiusAuthServMalformedAccessRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of malformed RADIUS Access-Request
              packets received from this client.
              Bad authenticators and unknown types are not included as
              malformed Access-Requests."
       ::= { radiusAuthClientEntry 9 }

radiusAuthServBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Authentication-Request packets
              which contained invalid Signature attributes received
              from this client."
       ::= { radiusAuthClientEntry 10 }

radiusAuthServPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of incoming packets from this
              client silently discarded for some reason other
              than malformed, bad authenticators or
              unknown types."
       ::= { radiusAuthClientEntry 11 }

radiusAuthServUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this client."
       ::= { radiusAuthClientEntry 12 }

-- conformance information

radiusAuthServMIBConformance
       OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
radiusAuthServMIBCompliances
       OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
radiusAuthServMIBGroups
       OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }

-- compliance statements

radiusAuthServMIBCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for authentication servers
              implementing the RADIUS Authentication Server MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthServMIBGroup }

       OBJECT        radiusAuthServConfigReset
       WRITE-SYNTAX  INTEGER { reset(2) }
       DESCRIPTION  "The only SETable value is 'reset' (2)."
       ::= { radiusAuthServMIBCompliances 1 }

-- units of conformance

radiusAuthServMIBGroup OBJECT-GROUP
       OBJECTS {radiusAuthServIdent,
                radiusAuthServUpTime,
                radiusAuthServResetTime,
                radiusAuthServConfigReset,
                radiusAuthServTotalAccessRequests,
                radiusAuthServTotalInvalidRequests,
                radiusAuthServTotalDupAccessRequests,
                radiusAuthServTotalAccessAccepts,
                radiusAuthServTotalAccessRejects,
                radiusAuthServTotalAccessChallenges,
                radiusAuthServTotalMalformedAccessRequests,
                radiusAuthServTotalBadAuthenticators,
                radiusAuthServTotalPacketsDropped,
                radiusAuthServTotalUnknownTypes,
                radiusAuthClientAddress,
                radiusAuthClientID,
                radiusAuthServAccessRequests,
                radiusAuthServDupAccessRequests,
                radiusAuthServAccessAccepts,
                radiusAuthServAccessRejects,
                radiusAuthServAccessChallenges,
                radiusAuthServMalformedAccessRequests,
                radiusAuthServBadAuthenticators,
                radiusAuthServPacketsDropped,
                radiusAuthServUnknownTypes
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects providing management of
              a RADIUS Authentication Server."
       ::= { radiusAuthServMIBGroups 1 }

END

8. References

[1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[2]  Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990.

[3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991.

[4]  Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, Performance Systems International, March 1991.

[5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, SNMP Research, Performance Systems International, Performance Systems International, MIT Laboratory for Computer Science, May 1990.

[9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.

[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco Systems, January 1998.

[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., Cisco Systems, Inc., January 1998.

[16] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

9. Security considerations

There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.

There are a number of managed objects in this MIB that may contain sensitive information. These are:

   radiusAuthClientAddress
        This can be used to determine the address of the RADIUS authentication client with which the server is communicating. This information could be useful in impersonating the client.

   radiusAuthClientID
        This can be used to determine the client ID of the authentication client with which the server is communicating. This information could be useful in impersonating the client.
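The two objects just listed, together with the one read-write object, radiusAuthServConfigReset, which the compliance statement limits to WRITE-SYNTAX INTEGER { reset(2) }, are where an agent's access policy matters. The following Python is an added example, not the draft's code and not any SNMP agent's implementation: a toy agent that enforces the WRITE-SYNTAX restriction, never returns reset(2) on a read (as the object's DESCRIPTION requires), and gates GET and SET by SNMPv3 security level in the spirit of a VACM view. The policy (nothing without authentication, sensitive columns and all SETs only with privacy), the class and function names, and the sample client rows are assumptions.

```python
from enum import IntEnum


class ConfigReset(IntEnum):
    """Values of radiusAuthServConfigReset as enumerated in the draft."""
    other = 1
    reset = 2
    initializing = 3
    running = 4


# SNMPv3 security levels; an SNMPv1/v2c community request is treated as noAuthNoPriv.
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3

# Objects the draft's Security Considerations call sensitive, and the one writable object.
SENSITIVE_READ = {"radiusAuthClientAddress", "radiusAuthClientID"}
WRITABLE = {"radiusAuthServConfigReset"}


class AccessDenied(Exception):
    """VACM-style refusal (SNMP reports this as noAccess / authorizationError)."""


class WrongValue(Exception):
    """SET of a value outside the WRITE-SYNTAX (SNMP reports this as wrongValue)."""


class AuthServerAgent:
    """Hypothetical instrumentation of a RADIUS authentication server (assumed, not the draft's)."""

    def __init__(self):
        self.state = ConfigReset.running
        self.reset_count = 0
        # Constructed sample data: one scalar counter and two client-table rows.
        self.scalars = {"radiusAuthServTotalAccessRequests": 1234}
        self.clients = {1: ("192.0.2.10", "nas-a.example"),
                        2: ("192.0.2.11", "nas-b.example")}

    def _authorize(self, obj, op, level):
        # Assumed policy: nothing is reachable without authentication; the sensitive
        # columns and every SET additionally require privacy (authPriv).
        if level < AUTH_NOPRIV:
            raise AccessDenied(f"{op} {obj}: unauthenticated (SNMPv1/v2c or noAuthNoPriv) request")
        if (obj in SENSITIVE_READ or op == "SET") and level < AUTH_PRIV:
            raise AccessDenied(f"{op} {obj}: authPriv required")

    def get(self, obj, level, index=None):
        self._authorize(obj, "GET", level)
        if obj == "radiusAuthServConfigReset":
            return int(self.state)          # other/initializing/running, never reset(2)
        if obj == "radiusAuthClientAddress":
            return self.clients[index][0]
        if obj == "radiusAuthClientID":
            return self.clients[index][1]
        return self.scalars[obj]

    def set(self, obj, value, level):
        # Access control runs before the value is examined, as VACM does in a real agent.
        self._authorize(obj, "SET", level)
        if obj not in WRITABLE:
            raise AccessDenied(f"SET {obj}: object is read-only")
        if value != ConfigReset.reset:
            raise WrongValue("WRITE-SYNTAX INTEGER { reset(2) }: only reset(2) is SETable")
        self.state = ConfigReset.initializing   # re-read configuration, restart process, ...
        self.reset_count += 1
        self.state = ConfigReset.running
        return int(self.state)                  # what a following GET would return


if __name__ == "__main__":
    agent = AuthServerAgent()
    print(agent.set("radiusAuthServConfigReset", ConfigReset.reset, AUTH_PRIV))
    try:
        agent.get("radiusAuthClientAddress", AUTH_NOPRIV, index=1)
    except AccessDenied as e:
        print("denied:", e)
```

The ordering inside set() is the point worth copying: an unauthorised SET is refused before its value is looked at, so a community-string request cannot even probe which values the object accepts, and a reset can only be triggered by a principal whose view includes the object.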
It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment.

SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPSec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2274 [12] and the View-based Access Control Model RFC 2275 [15] is recommended. Using these security features, customer/users can give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them.

10. Acknowledgments

The authors acknowledge the contributions of the RADIUS Working Group in the development of this MIB. Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl Rigney of Livingston and Peter Heitman of American Internet Corporation for useful discussions of this problem space.

11. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com

Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-703-1559
EMail: glennz@microsoft.com

12. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

13. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

14. Expiration Date

This memo is filed as , and expires October 1, 1999.