Network Working Group                                          K. Narayan
Internet-Draft                                        Cisco Systems, Inc.
Intended status: Standards Track                                D. Nelson
Expires: May 24, 2010                               Elbrys Networks, Inc.
                                                        November 20, 2009


     Extensions to View-based Access Control Model for use with RADIUS
                    draft-nelson-isms-extended-vacm-01.txt

Abstract

   This memo describes a backward compatible extension to the View-based
   Access Control Model for SNMPv3 for use with RADIUS and other AAA
   services to provide authorization of MIB database access.  This
   extension is intended to be used in conjunction with secure SNMP
   Transport Models that facilitate RADIUS authentication, such as the
   Secure Shell Transport Model.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 24, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.
   All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Table of Contents

   1.  Introduction
     1.1.  General
     1.2.  System Block Diagram
     1.3.  Using RADIUS with SNMP
   2.  Extended VACM for RADIUS Authorization
   3.  VACM Extension for RADIUS Authorization
     3.1.  Dynamic Update of VACM and Extended VACM MIB Module Objects
     3.2.  Purging Volatile Entries in the Extended VACM MIB Module
   4.  Elements of Procedure for Extended VACM
   5.  MIB Module Definition
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  General

   The Simple Network Management Protocol version 3 (SNMPv3) provides
   message security services through the Security Subsystem.
   Transport Subsystem for the Simple Network Management Protocol
   [RFC5590] defines a Transport Subsystem; Transport Security Model for
   SNMP [RFC5591] defines a new Transport Security Model; Secure Shell
   Transport Model for SNMP [RFC5592] defines a Secure Shell Transport
   Model; and Remote Authentication Dial-In User Service (RADIUS) Usage
   for Simple Network Management Protocol (SNMP) Transport Models
   [RFC5608] defines a method for authenticating SNMPv3 users via the
   Remote Authentication Dial-In User Service (RADIUS).

   It is now possible to authenticate SNMPv3 messages via RADIUS when
   those messages are sent over the SSH transport.  This document builds
   on that work and describes a means to centrally authorize a given
   SNMP transaction using on-device, pre-existing authorization
   configuration.  In order to leverage a centralized RADIUS service to
   its full extent, the access control decision in the Access Control
   Subsystem needs to be based on authorization information received
   from RADIUS as well.  This document defines an extension to the View-
   based Access Control Model to obtain authorization information for an
   authenticated principal from RADIUS.

   Additional introductory material on the RADIUS operational model and
   RADIUS usage with SNMP may be found in Sections 1.3 and 1.5 of
   [RFC5608].

   It is important to understand the SNMP architecture and the
   terminology of the architecture to understand where the Extended
   View-based Access Control Model described in this memo fits into the
   architecture and interacts with other subsystems and models within
   the architecture.  It is expected that the reader will also have read
   and understood RFC3411 [RFC3411], RFC3412 [RFC3412], RFC3413
   [RFC3413], RFC3415 [RFC3415] and RFC3418 [RFC3418].  As this document
   describes an extension to VACM, it relies on much of the material in
   RFC3415 [RFC3415].

1.2.  System Block Diagram

   A block diagram of the major system components referenced in this
   document may be useful in understanding the text that follows.

                                      +--------+
            +.........................|RADIUS  |....+
            .                         |Server  |    .
         Shared                       +--------+    .
          User                            |         .
       Credentials                 RADIUS |         Shared
            .                             |         RADIUS
            .                             |         Secret
            .                             |         .
      +-------------+             +-----------------+
      |  Network    |             | RADIUS Client / |
      | Management  |    SNMP     |  SNMP Engine /  |
      | Application |-------------| Network Device  |
      +-------------+    SSH      +-----------------+

                             Block Diagram

   This diagram illustrates that a network management application
   communicates with a network device, the managed entity, using SNMP
   over SSH.  The network device uses RADIUS to communicate with a
   RADIUS Server to authenticate the network management application (or
   the user whose credentials that application provides) and to obtain
   authorization information related to access via SNMP for the purpose
   of device management.  Other secure transport protocols might be used
   instead of SSH.

1.3.  Using RADIUS with SNMP

   There are two use cases for RADIUS support of management access via
   SNMP.  These are (a) service authorization and (b) access control
   authorization.  RADIUS almost always involves user authentication as
   a prerequisite to authorization, and there is a user authentication
   phase for each of these two use cases.  The first use case is
   discussed in detail in [RFC5608].  The second use case is the subject
   of this document.  This document describes how RADIUS attributes and
   messages are applied to the specific application area of SNMP Access
   Control Models, and VACM in particular.

   This document assumes that Extended VACM will be used in conjunction
   with an SNMP secure Transport Model and the SNMP Transport Security
   Model.  The rationale for this assumption is as follows.
   The RFC 3411 SNMP architecture maintains strong modularity and
   separation of concerns, extending to separating user identity
   (authentication) from user database access rights (authorization).
   The former is the business of the Security Subsystem and the latter
   is the business of the Access Control Subsystem.  RADIUS, on the
   other hand, allows for no such separation of authorization from
   authentication.  In order to use RADIUS with SNMP, binding of user
   authentication to user authorization must be achieved without
   violating the modularity of the RFC 3411 SNMP architecture.

   RADIUS does support a limited form of Authorize-Only operations.  The
   RADIUS "Authorize Only" Service-Type Attribute can be specified in an
   Access-Request message, but only when accompanied by a RADIUS State
   Attribute, which contains an implementation-specific "cookie"
   representing the successful outcome of a previous authentication
   transaction.  For that reason, it is not possible to completely
   separate the use of RADIUS by the Access Control Subsystem from the
   use of RADIUS by other subsystems.  This suggests that the most
   straightforward approach is to leverage the existing RADIUS usage, as
   documented in [RFC5608], and the tmStateReference cache, as
   documented in Section 5.2 of [RFC5590].

   This document also assumes that the detailed access control rules are
   pre-configured in the NAS.  Dynamic user authorization for MIB
   database access control, as defined herein, is limited to mapping the
   authenticated user to a pre-existing group, which in turn is mapped
   to the pre-existing rules.  The operative use case assumption is that
   roles within an organization (i.e., groups and rules) change
   infrequently while the users assigned to those roles change much more
   frequently.  It is the user-to-role mapping that is outsourced to the
   RADIUS server.

2.  Extended VACM for RADIUS Authorization

   This document relies on implementation-specific integration of the
   RADIUS client for user authentication and authorization.  Further, it
   relies on implementation-specific caching of MIB database access
   policy information, in the form of the RADIUS Management-Policy-Id
   Attribute, such that it will be available to Extended VACM.

   A NAS that is compliant with this specification MUST treat any RADIUS
   Access-Accept message that provisions a specific policy for MIB
   database access control that cannot be provided as if an Access-
   Reject message had been received instead.

   The RADIUS Management-Policy-Id Attribute MUST be used in an Access-
   Accept message to provision a user-specific access control policy for
   use in conjunction with Extended VACM.  The syntax and semantics of
   the Management-Policy-Id attribute are described in Section 6.3 of
   [RFC5607].

   The intended use of the content of the Management-Policy-Id attribute
   is to provision a mapping between the authenticated user, associated
   with the secure transport session, and an access control group pre-
   provisioned in the VACM MIB module.  Details of this mapping are
   described in the following sections.

3.  VACM Extension for RADIUS Authorization

   The extension to VACM [RFC3415] described in this document is a
   method for one or more of its MIB module objects to be dynamically
   provisioned based on information received from RADIUS, or some
   similar AAA service.  This extension requires no changes to the
   Abstract Service Interface (ASI) for the Access Control Subsystem,
   nor any changes in the Elements of Procedure (EOP) for VACM.  A new
   MIB module that augments the vacmSecurityToGroupTable is defined in
   this document, as well as supplemental EOP for Extended VACM to
   follow.
   It does require that a module of code somewhere in the NAS be able to
   write to the VACM MIB module and Extended VACM MIB Module, and that
   it reliably and consistently do so in immediate response to access
   control policy information received from RADIUS.

3.1.  Dynamic Update of VACM and Extended VACM MIB Module Objects

   The implementation-dependent interface between the RADIUS Client
   function in the NAS and the SNMP Engine in the NAS is responsible for
   updating the vacmSecurityToGroupTable within the VACM MIB Module
   [RFC3415] and the corresponding rows of the
   extendedVacmSecurityToGroupTable.  These row objects are dynamically
   updated from RADIUS authorization data.  Specifically, the RADIUS
   User-Name Attribute is used as the vacmSecurityName and the RADIUS
   Management-Policy-Id Attribute is used as the vacmGroupName.  The
   vacmSecurityModel is the encoding for the Transport Security Model.
   The vacmSecurityToGroupStorageType should be (2) volatile.

   In creating a row entry in the vacmSecurityToGroupTable, there are
   three cases to consider:

   o  No existing row has a matching vacmSecurityName.
   o  An existing row has a matching vacmSecurityName.
   o  No additional rows can be created, e.g., because of resource
      constraints.

   The second and third cases require special consideration.  The second
   case may represent a conflict between dynamic access control
   authorization from RADIUS and local access control configuration by a
   security administrator, e.g., via remote or local SNMP MIB module
   updates.  If one assumes that the security administrator
   intentionally configured a table entry for the "conflicting"
   vacmSecurityName, with full knowledge that it might override dynamic
   authorization information from RADIUS, the right thing to do would be
   nothing.  That is to say, do not update the table based on RADIUS
   authorization information.
   On the other hand, it is possible that the "name collision" is the
   result of a mistake, or the result of stale configuration
   information.

   The behavior specified for Extended VACM is to make no update to the
   vacmSecurityToGroupTable, and to increment the
   extVacmSecurityNameConflict counter.

   The third case is likely to be rare, and SHOULD result in a
   notification of some sort being logged for action by the system
   administrator.

   It is expected that the value of the RADIUS Management-Policy-Id
   Attribute match an existing vacmGroupName that can be successfully
   used as an index to the vacmAccessTable.  If no matching
   vacmGroupName exists, the access control decision will fall through
   to the default access rights of "no access", which is the desired
   result.  The NAS should increment the extVacmMissingGroupName
   counter, for troubleshooting purposes, as this most likely indicates
   an administrative misconfiguration.

   In addition to creating a new row in the vacmSecurityToGroupTable,
   the NAS creates a corresponding new row in the
   extVacmSecurityToGroupTable, using the same values for index as were
   used to create the row in the vacmSecurityToGroupTable.  The value of
   the rowCreatedBy object is set to RADIUS (1), and the value of
   rowLifetime is set to the value of the RADIUS Session-Timeout
   Attribute, if one was received by the RADIUS Client for this session,
   or to zero (0) otherwise.

3.2.  Purging Volatile Entries in the Extended VACM MIB Module

   When the secure transport session is torn down, disconnected or
   times out, any volatile table rows created in the vacmSecurityToGroup
   table by the Extended VACM function MUST be removed.  The mechanism
   to accomplish this task is implementation specific.

4.  Elements of Procedure for Extended VACM

   This section describes the Elements of Procedure for Extended VACM.
   The function of the VACM extension is to manage the creation and
   deletion of rows in the vacmSecurityToGroupTable, based on the
   outcome of RADIUS authorization.  All access control decisions are
   taken by VACM, as defined in [RFC3415].  The EOP for VACM remains as
   listed in Section 3 of that document.

   When a RADIUS (or other AAA service) authorizes SNMP data access
   control for a user-authenticated secure transport session, the NAS
   causes the RADIUS provisioning information to be made available to
   the Extended VACM facility, which populates the
   vacmSecurityToGroupTable, as follows:

   1.  If the RADIUS Management-Policy-Id Attribute is not available,
       increment the extVacmNoPolicy counter.  Do not create a table
       row.

   2.  If the RADIUS Management-Policy-Id Attribute is available, and if
       no existing row has a vacmSecurityName matching the RADIUS
       User-Name Attribute, create a new row with the columns populated
       as follows:

       A.  vacmSecurityModel = (x) secureTransportSecurityModel
       B.  vacmSecurityName = RADIUS User-Name Attribute
       C.  vacmGroupName = RADIUS Management-Policy-Id Attribute
       D.  vacmSecurityToGroupStorageType = (2) volatile
       E.  vacmSecurityToGroupStatus = createAndGo ???
       F.  extVacmRowCreatedBy = (1) radius
       G.  extVacmRowLifetime = RADIUS Session-Timeout Attribute |
           zero (0)
       H.  extVacmTransportSessionID = ID provided by the Secure
           Transport Model

   3.  If an existing table row has a matching vacmSecurityName,
       increment the extVacmSecurityNameConflict counter.  Do not create
       a table row.

   4.  If no additional table rows can be created, e.g., because of
       resource constraints, increment the extVacmResourceError counter.

   When a RADIUS-authenticated secure transport session is disconnected
   by the remote peer, the NAS causes the Extended VACM to remove the
   corresponding table row from the vacmSecurityToGroupTable.
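   As an added illustration, not part of this draft or of any NAS
   implementation, the following Python model applies the row-creation
   steps above (and the Section 3.1 missing-group check) to constructed
   RADIUS Access-Accept attribute sets, and then applies the session-
   teardown removal that Sections 3.2 and 4 describe.  It assumes the
   value 4 for "(x) secureTransportSecurityModel", which the draft
   leaves open (4 is the Transport Security Model number registered by
   RFC 5591); the extVacmMissingGroupName counter is the one Section 3.1
   names but the MIB module in Section 5 does not define; and the class,
   function and attribute-dictionary names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed value for "(x) secureTransportSecurityModel" in Section 4; the draft
# leaves the number open.  4 is the Transport Security Model number from RFC 5591.
TSM_SECURITY_MODEL = 4
STORAGE_VOLATILE = 2       # vacmSecurityToGroupStorageType volatile(2)
STORAGE_NONVOLATILE = 3    # vacmSecurityToGroupStorageType nonVolatile(3), for static rows
CREATED_BY_RADIUS = 1      # extVacmRowCreatedBy radius(1)
CREATED_BY_OTHER = 2       # extVacmRowCreatedBy other(2)


@dataclass
class GroupRow:
    """One conceptual row of vacmSecurityToGroupTable plus the extension columns."""
    security_model: int
    security_name: str
    group_name: str
    storage_type: int
    created_by: int
    lifetime: int                         # extVacmRowLifetime, seconds; 0 if no Session-Timeout
    transport_session_id: Optional[int]   # extVacmTransportSessionID; None for static rows


@dataclass
class ExtendedVacm:
    # indexed by (vacmSecurityModel, vacmSecurityName), as in RFC 3415
    rows: Dict[Tuple[int, str], GroupRow] = field(default_factory=dict)
    access_groups: Set[str] = field(default_factory=set)   # vacmGroupNames in vacmAccessTable
    max_rows: int = 4                                        # constructed resource limit
    counters: Dict[str, int] = field(default_factory=lambda: {
        "extVacmNoPolicy": 0,
        "extVacmSecurityNameConflict": 0,
        "extVacmResourceError": 0,
        "extVacmMissingGroupName": 0,   # named in Section 3.1, absent from the MIB module
    })

    def add_static_row(self, name: str, group: str, session_id: Optional[int] = None) -> None:
        """Row configured by the security administrator, not created by RADIUS."""
        self.rows[(TSM_SECURITY_MODEL, name)] = GroupRow(
            TSM_SECURITY_MODEL, name, group, STORAGE_NONVOLATILE, CREATED_BY_OTHER, 0, session_id)

    def on_access_accept(self, session_id: int, attrs: Dict[str, object]) -> str:
        """Section 4 row-creation steps for one RADIUS-authorized session.

        attrs holds the Access-Accept attributes the RADIUS client retained
        (User-Name, Management-Policy-Id, Session-Timeout).  Returns "created"
        or the name of the counter incremented instead of creating a row."""
        policy = attrs.get("Management-Policy-Id")
        if policy is None:                                   # step 1
            self.counters["extVacmNoPolicy"] += 1
            return "extVacmNoPolicy"
        key = (TSM_SECURITY_MODEL, str(attrs["User-Name"]))
        if key in self.rows:                                 # step 3: never overwrite a row
            self.counters["extVacmSecurityNameConflict"] += 1
            return "extVacmSecurityNameConflict"
        if len(self.rows) >= self.max_rows:                  # step 4
            self.counters["extVacmResourceError"] += 1
            return "extVacmResourceError"
        if policy not in self.access_groups:                 # Section 3.1: row is still created;
            self.counters["extVacmMissingGroupName"] += 1    # VACM then yields "no access"
        self.rows[key] = GroupRow(                           # step 2, columns A to H
            TSM_SECURITY_MODEL, key[1], str(policy), STORAGE_VOLATILE,
            CREATED_BY_RADIUS, int(attrs.get("Session-Timeout", 0)), session_id)
        return "created"

    def on_session_closed(self, session_id: int) -> bool:
        """Sections 3.2 and 4 teardown: delete the row bound to a closed session.

        Only rows with extVacmRowCreatedBy = radius(1) are deleted; a matching
        row created by other means is ignored and False is returned."""
        for key, row in list(self.rows.items()):
            if row.transport_session_id == session_id:
                if row.created_by != CREATED_BY_RADIUS:
                    return False
                del self.rows[key]
                return True
        return False

    def group_for(self, name: str) -> Optional[str]:
        """The vacmGroupName VACM would index vacmAccessTable with; None means "no access"."""
        row = self.rows.get((TSM_SECURITY_MODEL, name))
        if row is None or row.group_name not in self.access_groups:
            return None
        return row.group_name


def run_demo() -> dict:
    """Drive the procedure with constructed RADIUS results and report what happened."""
    vacm = ExtendedVacm(access_groups={"operators", "admins", "readonly"})
    vacm.add_static_row("alice", "readonly")                       # administrator-configured
    vacm.add_static_row("svc-local", "operators", session_id=55)   # local row bound to a session
    accepts = [   # constructed Access-Accept attribute sets, one per secure transport session
        (101, {"User-Name": "bob", "Management-Policy-Id": "operators", "Session-Timeout": 600}),
        (102, {"User-Name": "alice", "Management-Policy-Id": "admins"}),     # name collision
        (103, {"User-Name": "carol"}),                                        # no policy attribute
        (104, {"User-Name": "dave", "Management-Policy-Id": "nosuchgroup"}),  # unknown group
        (105, {"User-Name": "erin", "Management-Policy-Id": "operators"}),   # table full
    ]
    outcomes = [vacm.on_access_accept(sid, attrs) for sid, attrs in accepts]
    return {
        "outcomes": outcomes,
        "bob_group": vacm.group_for("bob"),
        "alice_group": vacm.group_for("alice"),    # static row untouched by the RADIUS policy
        "dave_group": vacm.group_for("dave"),      # row exists, but VACM finds no access policy
        "bob_lifetime": vacm.rows[(TSM_SECURITY_MODEL, "bob")].lifetime,
        "closed_101": vacm.on_session_closed(101),
        "closed_55": vacm.on_session_closed(55),   # not created by RADIUS: ignored
        "closed_999": vacm.on_session_closed(999), # unknown session
        "rows_after": len(vacm.rows),
        "counters": dict(vacm.counters),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

   The two fail-closed outcomes are the ones worth checking in a real
   implementation: a name collision leaves the administrator's row in
   place and only bumps a counter, and a Management-Policy-Id that names
   no vacmAccessTable group still produces a row, but one that VACM
   resolves to "no access" rather than to any broader policy.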
   The NAS provides an implementation-dependent identifier of the
   session in question to Extended VACM.

   1.  Search for a row with a matching extVacmTransportSessionID.

   2.  If found, check to see that the extVacmRowCreatedBy value is (1)
       radius.  If not, ignore the request.

   3.  If a table row exists with a matching value of
       extVacmTransportSessionID, that row is deleted.

5.  MIB Module Definition

   SNMP-EXT-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE, OBJECT-GROUP     FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, snmpModules              FROM SNMPv2-SMI
       TestAndIncr,
       RowStatus, StorageType              FROM SNMPv2-TC
       SnmpAdminString,
       SnmpSecurityLevel,
       SnmpSecurityModel                   FROM SNMP-FRAMEWORK-MIB
       -- registration point of the table defined below
       vacmMIBObjects                      FROM SNMP-VIEW-BASED-ACM-MIB;

   snmpExtVacmMIB MODULE-IDENTITY
       LAST-UPDATED "200910260000Z"   -- 26 Oct 2009, midnight
       ORGANIZATION "ISMS Working Group"
       CONTACT-INFO "WG-email: isms@ietf.org"

       DESCRIPTION  "The management and local datastore information
                     definitions for the Extended View-based Access
                     Control Model for SNMP.

                     Copyright (C) The Internet Society (2009)."
       ::= { TBD }

   extVacmMIBObjects     OBJECT IDENTIFIER ::= { snmpExtVacmMIB 1 }

   extVacmMIBConformance OBJECT IDENTIFIER ::= { snmpExtVacmMIB 2 }

   extVacmCounters       OBJECT IDENTIFIER ::= { extVacmMIBObjects 1 }

   extVacmResourceError OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because of insufficient resources."
       ::= { extVacmCounters 1 }

   extVacmNoPolicy OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because the AAA-provisioned
            group policy did not match an existing row in
            the VACM access table."
       ::= { extVacmCounters 2 }

   extVacmSecurityNameConflict OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because the AAA-provisioned
            security name (user name) conflicted with an
            existing row in the table."
       ::= { extVacmCounters 3 }

   vacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF VacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "This table maps a combination of securityModel and
                    securityName into a groupName which is used to define
                    an access control policy for a group of principals."
       ::= { vacmMIBObjects 2 }

   vacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       VacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An entry in this table maps the combination of a
                    securityModel and securityName into a groupName."
       INDEX {
           vacmSecurityModel,
           vacmSecurityName
       }
       ::= { vacmSecurityToGroupTable 1 }

   VacmSecurityToGroupEntry ::= SEQUENCE
   {
       vacmSecurityModel               SnmpSecurityModel,
       vacmSecurityName                SnmpAdminString,
       vacmGroupName                   SnmpAdminString,
       vacmSecurityToGroupStorageType  StorageType,
       vacmSecurityToGroupStatus       RowStatus,
       -- columns added by Extended VACM
       extVacmRowCreatedBy             INTEGER,
       extVacmRowLifetime              INTEGER,
       extVacmTransportSessionID       INTEGER
   }

   vacmSecurityModel OBJECT-TYPE
       SYNTAX       SnmpSecurityModel(1..2147483647)
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The Security Model, by which the vacmSecurityName
                    referenced by this entry is provided.
                    Note, this object may not take the 'any' (0) value."
       ::= { vacmSecurityToGroupEntry 1 }

   vacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The securityName for the principal, represented in a
                    Security Model independent format, which is mapped by
                    this entry to a groupName."
       ::= { vacmSecurityToGroupEntry 2 }

   vacmGroupName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The name of the group to which this entry (e.g., the
                    combination of securityModel and securityName)
                    belongs.

                    This groupName is used as index into the
                    vacmAccessTable to select an access control policy.
                    A value in this table does not imply that an instance
                    with the value exists in table vacmAccessTable."
       ::= { vacmSecurityToGroupEntry 3 }

   vacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need not
                    allow write-access to any columnar objects in the row."
       DEFVAL      { nonVolatile }
       ::= { vacmSecurityToGroupEntry 4 }

   vacmSecurityToGroupStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    Until instances of all corresponding columns are
                    appropriately configured, the value of the
                    corresponding instance of the vacmSecurityToGroupStatus
                    column is 'notReady'.

                    In particular, a newly created row cannot be made
                    active until a value has been set for vacmGroupName.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be modified."
       ::= { vacmSecurityToGroupEntry 5 }

   extVacmRowCreatedBy OBJECT-TYPE
       SYNTAX       INTEGER {
                        radius (1),   -- Row created by Extended VACM
                        other (2)     -- ???
                    }
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The source of the information in this row
                    is indicated by the value of this object.
                    In the case of VACM this column probably won't
                    exist."
       ::= { vacmSecurityToGroupEntry 6 }

   extVacmRowLifetime OBJECT-TYPE
       SYNTAX       INTEGER
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The number of seconds for which this row
                    is valid.  Extended VACM SHOULD delete the
                    row after this lifetime expires."
       ::= { vacmSecurityToGroupEntry 7 }

   extVacmTransportSessionID OBJECT-TYPE
       SYNTAX       INTEGER
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "An identifier of the secure transport
                    model's session associated with this
                    authenticated user.  The identifier
                    MUST be unique within the scope of the NAS.
                    Its content is implementation dependent
                    and it SHOULD be used merely as an index."
       ::= { vacmSecurityToGroupEntry 8 }

   END

6.  IANA Considerations

   TO DO.

7.  Security Considerations

   TO DO.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", RFC 3579, September 2003.

   [RFC5590]  Harrington, D. and J. Schoenwaelder, "Transport Subsystem
              for the Simple Network Management Protocol (SNMP)",
              RFC 5590, June 2009.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC5607]  Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management", RFC 5607, July 2009.

   [RFC5608]  Narayan, K. and D. Nelson, "Remote Authentication Dial-In
              User Service (RADIUS) Usage for Simple Network Management
              Protocol (SNMP) Transport Models", RFC 5608, August 2009.

8.2.  Informative References

   [RFC2607]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
              Implementation in Roaming", RFC 2607, June 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.
   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580, September 2003.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

Authors' Addresses

   Kaushik Narayan
   Cisco Systems, Inc.
   10 West Tasman Drive
   San Jose, CA 95134
   USA

   Phone: +1.408.526.8168
   Email: kaushik_narayan@yahoo.com


   David Nelson
   Elbrys Networks, Inc.
   282 Corporate Drive, Unit #1,
   Portsmouth, NH 03801
   USA

   Phone: +1.603.570.2636
   Email: d.b.nelson@comcast.net