draft-ietf-radext-rfc2620bis-04.txt   rfc4670.txt 
Network Working Group D. Nelson Network Working Group D. Nelson
Internet-Draft Enterasys Networks Request for Comments: 4670 Enterasys Networks
Obsoletes: RFC 2620 (if approved) June 26, 2006 Obsoletes: 2620 August 2006
Expires: December 28, 2006 Category: Informational
RADIUS Accounting Client MIB for IPv6 RADIUS Accounting Client MIB for IPv6
draft-ietf-radext-rfc2620bis-04.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any Status of This Memo
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 28, 2006. This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This memo defines a set of extensions, which instrument RADIUS This memo defines a set of extensions that instrument RADIUS
accounting client functions. These extensions represent a portion of accounting client functions. These extensions represent a portion of
the Management Information Base (MIB) for use with network management the Management Information Base (MIB) for use with network management
protocols in the Internet community. Using these extensions IP-based protocols in the Internet community. Using these extensions,
management stations can manage RADIUS accounting clients. IP-based management stations can manage RADIUS accounting clients.
This memo obsoletes RFC 2620 by deprecating the MIB table containing This memo obsoletes RFC 2620 by deprecating the MIB table containing
IPv4-only address formats and defining a new table to add support for IPv4-only address formats and defining a new table to add support for
version neutral IP address formats. The remaining MIB objects from version-neutral IP address formats. The remaining MIB objects from
RFC 2620 are carried forward into this document. This memo also adds RFC 2620 are carried forward into this document. This memo also adds
UNITS and REFERENCE clauses to selected objects. UNITS and REFERENCE clauses to selected objects.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology .....................................................3
3. The Internet-Standard Management Framework . . . . . . . . . . 3 3. The Internet-Standard Management Framework ......................3
4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 4. Scope of Changes ................................................3
5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 5. Structure of the MIB Module .....................................4
6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 6. Deprecated Objects ..............................................5
7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Definitions .....................................................5
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 8. Security Considerations ........................................19
9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 9. References .....................................................20
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 9.1. Normative References ......................................20
10.1. Normative References . . . . . . . . . . . . . . . . . . 20 9.2. Informative References ....................................21
10.2. Informative References . . . . . . . . . . . . . . . . . 21 Appendix A. Acknowledgements ......................................22
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 21
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property and Copyright Statements . . . . . . . . . . 23
1. Terminology 1. Introduction
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
The objects defined within this memo relate to the Remote
Authentication Dial-In User Service (RADIUS) Accounting Client as
defined in RFC 2866 [RFC2866].
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology from RFC 2866 [RFC2866]. This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
[RFC2866].
This document uses the word "malformed" with respect to RADIUS This document uses the word "malformed" with respect to RADIUS
packets, particularly in the context of counters of "malformed packets, particularly in the context of counters of "malformed
packets". While RFC 2866 does not provide an explicit definition of packets". While RFC 2866 does not provide an explicit definition of
"malformed", malformed generally means that the implementation has "malformed", malformed generally means that the implementation has
determined the packet does not match the format defined in RFC 2866. determined the packet does not match the format defined in RFC 2866.
Those implementations are used in deployments today, and thus set the Those implementations are used in deployments today, and thus set the
de-facto definition of "malformed". de facto definition of "malformed".
2. Introduction
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
The objects defined within this memo relate to the Remote
Authentication Dial-In User Service (RADIUS) Accounting Client as
defined in RFC 2866 [RFC2866].
3. The Internet-Standard Management Framework 3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]. RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58, module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580]. [RFC2580].
4. Scope of Changes 4. Scope of Changes
This document obsoletes RFC 2620 [RFC2620], RADIUS Authentication This document obsoletes RFC 2620 [RFC2620], RADIUS Accounting Client
Client MIB, by deprecating the radiusAuthServerTable table and adding MIB, by deprecating the radiusAccServerTable table and adding a new
a new table, radiusAuthServerExtTable, containing table, radiusAccServerExtTable, containing
radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and radiusAccServerInetAddressType, radiusAccServerInetAddress, and
radiusAuthClientServerInetPortNumber. The purpose of these added MIB radiusAccClientServerInetPortNumber. The purpose of these added MIB
objects is to support version neutral IP addressing formats. The objects is to support version-neutral IP addressing formats. The
existing table containing radiusAuthServerAddress and existing table containing radiusAuthServerAddress and
radiusAuthClientServerPortNumber is deprecated. The remaining MIB radiusAuthClientServerPortNumber is deprecated. The remaining MIB
objects from RFC 2620 are carried forward into this document. objects from RFC 2620 are carried forward into this document.
RFC 4001 [RFC4001], which defines the SMI Textual Conventions for RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
IPv6 addresses, contains the following recommendation. IPv6 addresses, contains the following recommendation.
'In particular, when revising a MIB module that contains IPv4 'In particular, when revising a MIB module that contains IPv4
specific tables, it is suggested to define new tables using the specific tables, it is suggested to define new tables using the
textual conventions defined in this memo [RFC4001] that support all textual conventions defined in this memo [RFC4001] that support all
versions of IP. The status of the new tables SHOULD be "current", versions of IP. The status of the new tables SHOULD be "current",
whereas the status of the old IP version specific tables SHOULD be whereas the status of the old IP version specific tables SHOULD be
changed to "deprecated". The other approach, of having multiple changed to "deprecated". The other approach, of having multiple
similar tables for different IP versions, is strongly discouraged.' similar tables for different IP versions, is strongly discouraged.'
5. Structure of the MIB Module 5. Structure of the MIB Module
The RADIUS accounting protocol, described in RFC 2866 [RFC2866], The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
distinguishes between the client function and the server function. distinguishes between the client function and the server function.
In RADIUS accounting, clients send Accounting-Requests, and servers In RADIUS accounting, clients send Accounting-Requests, and servers
reply with Accounting-Responses. Typically Network Access Server reply with Accounting-Responses. Typically, Network Access Server
(NAS) devices implement the client function, and thus would be (NAS) devices implement the client function, and thus would be
expected to implement the RADIUS accounting client MIB, while RADIUS expected to implement the RADIUS accounting client MIB, while RADIUS
accounting servers implement the server function, and thus would be accounting servers implement the server function, and thus would be
expected to implement the RADIUS accounting server MIB. expected to implement the RADIUS accounting server MIB.
However, it is possible for a RADIUS accounting entity to perform However, it is possible for a RADIUS accounting entity to perform
both client and server functions. For example, a RADIUS proxy may both client and server functions. For example, a RADIUS proxy may
act as a server to one or more RADIUS accounting clients, while act as a server to one or more RADIUS accounting clients, while
simultaneously acting as an accounting client to one or more simultaneously acting as an accounting client to one or more
accounting servers. In such situations, it is expected that RADIUS accounting servers. In such situations, it is expected that RADIUS
entities combining client and server functionality will support both entities combining client and server functionality will support both
the client and server MIBs. The client MIB is defined in this the client and server MIBs. The client MIB is defined in this
document, and the server MIB is defined in [2621bis]. document, and the server MIB is defined in [RFC4671].
RFC Editor: Replace the above I-D reference with the assigned RFC
number at the time of publication and delete this note.
This MIB module contains two scalars as well as a single table, the This MIB module contains two scalars as well as a single table, the
RADIUS Accounting Server Table, which contains one row for each RADIUS Accounting Server Table, which contains one row for each
RADIUS server with which the client shares a secret. Each entry in RADIUS server with which the client shares a secret. Each entry in
the RADIUS Accounting Server Table includes fifteen columns the RADIUS Accounting Server Table includes fifteen columns
presenting a view of the activity of the RADIUS client. presenting a view of the activity of the RADIUS client.
This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].
6. Deprecated Objects 6. Deprecated Objects
The deprecated table in this MIB is carried forward from RFC 2620 The deprecated table in this MIB is carried forward from RFC 2620
[RFC2620]. There are two conditions under which it MAY be desirable [RFC2620]. There are two conditions under which it MAY be desirable
for managed entities to continue to support the deprecated table: for managed entities to continue to support the deprecated table:
1. The managed entity only supports IPv4 address formats. 1. The managed entity only supports IPv4 address formats.
2. The managed entity supports both IPv4 and IPv6 address formats, 2. The managed entity supports both IPv4 and IPv6 address formats,
and the deprecated table is supported for backwards compatibility and the deprecated table is supported for backwards compatibility
with older management stations. This option SHOULD only be used with older management stations. This option SHOULD only be used
when the IP addresses in the new table are in IPv4 format and can when the IP addresses in the new table are in IPv4 format and can
accurately be represented in both the new table and the accurately be represented in both the new table and the
deprecated table. deprecated table.
Managed entities SHOULD NOT instantiate row entries in the deprecated Managed entities SHOULD NOT instantiate row entries in the deprecated
table, containing IPv4-only address objects, when the RADIUS table, containing IPv4-only address objects, when the RADIUS
accounting server address represented in such a table row is not an accounting server address represented in such a table row is not an
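Review bot: In Section 4 (Scope of Changes) the Auth-to-Acc rename stops one sentence short. The right-hand text now names radiusAccServerTable and radiusAccServerExtTable, but the following sentence still reads "existing table containing radiusAuthServerAddress and radiusAuthClientServerPortNumber is deprecated" on both sides. Those are authentication-client names; in this accounting-client MIB the sentence should name the accounting table's own address and port objects, so that anyone checking which objects are deprecated is pointed at the right module.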
skipping to change at page 5, line 25 skipping to change at page 5, line 26
when the IP addresses in the new table are in IPv4 format and can when the IP addresses in the new table are in IPv4 format and can
accurately be represented in both the new table and the accurately be represented in both the new table and the
deprecated table. deprecated table.
Managed entities SHOULD NOT instantiate row entries in the deprecated Managed entities SHOULD NOT instantiate row entries in the deprecated
table, containing IPv4-only address objects, when the RADIUS table, containing IPv4-only address objects, when the RADIUS
accounting server address represented in such a table row is not an accounting server address represented in such a table row is not an
IPv4 address. Managed entities SHOULD NOT return inaccurate values IPv4 address. Managed entities SHOULD NOT return inaccurate values
of IP address or SNMP object access errors for IPv4-only address of IP address or SNMP object access errors for IPv4-only address
objects in otherwise populated tables. When row entries exist in objects in otherwise populated tables. When row entries exist in
both the deprecated IPv4-only table and the new IP version neutral both the deprecated IPv4-only table and the new IP-version-neutral
table that describe the same RADIUS accounting server, the row table that describe the same RADIUS accounting server, the row
indexes SHOULD be the same for the corresponding rows in each table, indexes SHOULD be the same for the corresponding rows in each table,
to facilitate correlation of these related rows by management to facilitate correlation of these related rows by management
applications. applications.
7. Definitions 7. Definitions
RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
Counter32, Integer32, Gauge32, Counter32, Integer32, Gauge32,
IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
SnmpAdminString FROM SNMP-FRAMEWORK-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddress, InetAddressType, InetAddress,
InetPortNumber FROM INET-ADDRESS-MIB InetPortNumber FROM INET-ADDRESS-MIB
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
radiusAccClientMIB MODULE-IDENTITY radiusAccClientMIB MODULE-IDENTITY
LAST-UPDATED "200608210000Z" -- 21 August 2006
ORGANIZATION "IETF RADIUS Extensions Working Group." ORGANIZATION "IETF RADIUS Extensions Working Group."
CONTACT-INFO CONTACT-INFO
" Bernard Aboba " Bernard Aboba
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
US US
Phone: +1 425 936 6605 Phone: +1 425 936 6605
EMail: bernarda@microsoft.com" EMail: bernarda@microsoft.com"
DESCRIPTION DESCRIPTION
"The MIB module for entities implementing the client "The MIB module for entities implementing the client
side of the Remote Authentication Dial-In User Service side of the Remote Authentication Dial-In User Service
(RADIUS) accounting protocol.Copyright (C) The (RADIUS) accounting protocol.Copyright (C) The
Internet Society (2006). This version of this MIB Internet Society (2006). This version of this MIB
module is part of RFC xxxx; see the RFC itself for module is part of RFC 4670; see the RFC itself for
full legal notices." full legal notices."
REVISION "200608210000Z" -- 21 August 2006
-- RFC Editor: replace xxxx with actual RFC number at the time of
-- publication, and remove this note.
DESCRIPTION DESCRIPTION
"Revised version as published in RFC xxxx. "Revised version as published in RFC 4670.
This version obsoletes that of RFC 2620 by This version obsoletes that of RFC 2620 by
deprecating the MIB table containing IPv4-only deprecating the MIB table containing IPv4-only
address formats and defining a new table to add support address formats and defining a new table to add support
for version neutral IP address formats. The remaining for version-neutral IP address formats. The remaining
MIB objects from RFC 2620 are carried forward into this MIB objects from RFC 2620 are carried forward into this
version." version."
-- RFC Editor: replace xxxx with actual RFC number at the time of
-- publication, and remove this note.
DESCRIPTION "Initial version as published in RFC 2620." DESCRIPTION "Initial version as published in RFC 2620."
::= { radiusAccounting 2 } ::= { radiusAccounting 2 }
radiusMIB OBJECT-IDENTITY radiusMIB OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The OID assigned to RADIUS MIB work by the IANA." "The OID assigned to RADIUS MIB work by the IANA."
::= { mib-2 67 } ::= { mib-2 67 }
radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2} radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}
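Review bot: The MODULE-IDENTITY DESCRIPTION still runs two sentences together at "(RADIUS) accounting protocol.Copyright (C) The", unchanged on both sides. Add a space or a line break after "protocol." so the copyright statement reads as its own sentence when the module is extracted and loaded into a MIB browser.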
skipping to change at page 10, line 20 skipping to change at page 10, line 13
REFERENCE "RFC 2866 section 3" REFERENCE "RFC 2866 section 3"
::= { radiusAccServerEntry 8 } ::= { radiusAccServerEntry 8 }
radiusAccClientBadAuthenticators OBJECT-TYPE radiusAccClientBadAuthenticators OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"The number of RADIUS Accounting-Response "The number of RADIUS Accounting-Response
packets which contained invalid authenticators packets that contained invalid authenticators
received from this server." received from this server."
REFERENCE "RFC 2866 section 3" REFERENCE "RFC 2866 section 3"
::= { radiusAccServerEntry 9 } ::= { radiusAccServerEntry 9 }
radiusAccClientPendingRequests OBJECT-TYPE radiusAccClientPendingRequests OBJECT-TYPE
SYNTAX Gauge32 SYNTAX Gauge32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"The number of RADIUS Accounting-Request packets "The number of RADIUS Accounting-Request packets
sent to this server that have not yet timed out or sent to this server that have not yet timed out or
received a response. This variable is incremented received a response. This variable is incremented
when an Accounting-Request is sent and decremented when an Accounting-Request is sent and decremented
due to receipt of an Accounting-Response, a timeout due to receipt of an Accounting-Response, a timeout,
or a retransmission." or a retransmission."
REFERENCE "RFC 2866 section 2" REFERENCE "RFC 2866 section 2"
::= { radiusAccServerEntry 10 } ::= { radiusAccServerEntry 10 }
radiusAccClientTimeouts OBJECT-TYPE radiusAccClientTimeouts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "timeouts" UNITS "timeouts"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"The number of accounting timeouts to this server. "The number of accounting timeouts to this server.
After a timeout the client may retry to the same After a timeout, the client may retry to the same
server, send to a different server, or give up. server, send to a different server, or give up.
A retry to the same server is counted as a A retry to the same server is counted as a
retransmit as well as a timeout. A send to a different retransmit as well as a timeout. A send to a different
server is counted as an Accounting-Request as well as server is counted as an Accounting-Request as well as
a timeout." a timeout."
REFERENCE "RFC 2866 section 2" REFERENCE "RFC 2866 section 2"
::= { radiusAccServerEntry 11 } ::= { radiusAccServerEntry 11 }
radiusAccClientUnknownTypes OBJECT-TYPE radiusAccClientUnknownTypes OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"The number of RADIUS packets of unknown type which "The number of RADIUS packets of unknown type that
were received from this server on the accounting port." were received from this server on the accounting port."
REFERENCE "RFC 2866 section 4" REFERENCE "RFC 2866 section 4"
::= { radiusAccServerEntry 12 } ::= { radiusAccServerEntry 12 }
radiusAccClientPacketsDropped OBJECT-TYPE radiusAccClientPacketsDropped OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS deprecated STATUS deprecated
DESCRIPTION DESCRIPTION
"The number of RADIUS packets which were received from "The number of RADIUS packets that were received from
this server on the accounting port and dropped for some this server on the accounting port and dropped for some
other reason." other reason."
::= { radiusAccServerEntry 13 } ::= { radiusAccServerEntry 13 }
-- New MIB objects added in this revision -- New MIB objects added in this revision
radiusAccServerExtTable OBJECT-TYPE radiusAccServerExtTable OBJECT-TYPE
SYNTAX SEQUENCE OF RadiusAccServerExtEntry SYNTAX SEQUENCE OF RadiusAccServerExtEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
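Review bot: radiusAccClientPacketsDropped is the only counter in this run without a REFERENCE clause, and "dropped for some other reason" does not say what it is other than. The BadAuthenticators, PendingRequests, Timeouts and UnknownTypes objects just above each cite an RFC 2866 section. Suggest stating in the DESCRIPTION which conditions are excluded (for example, packets already counted as bad authenticators or unknown types), so that an operator alerting on drops can tell these counters apart.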
skipping to change at page 12, line 48 skipping to change at page 12, line 42
radiusAccServerInetAddress object." radiusAccServerInetAddress object."
::= { radiusAccServerExtEntry 2 } ::= { radiusAccServerExtEntry 2 }
radiusAccServerInetAddress OBJECT-TYPE radiusAccServerInetAddress OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP address of the RADIUS accounting "The IP address of the RADIUS accounting
server referred to in this table entry, using server referred to in this table entry, using
the version neutral IP address format." the version-neutral IP address format."
::= { radiusAccServerExtEntry 3 } ::= { radiusAccServerExtEntry 3 }
radiusAccClientServerInetPortNumber OBJECT-TYPE radiusAccClientServerInetPortNumber OBJECT-TYPE
SYNTAX InetPortNumber ( 1..65535 ) SYNTAX InetPortNumber ( 1..65535 )
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The UDP port the client is using to send requests "The UDP port the client is using to send requests
to this accounting server. The value zero (0) is to this accounting server. The value zero (0) is
invalid." invalid."
REFERENCE "RFC 2866 section 3" REFERENCE "RFC 2866 section 3"
::= { radiusAccServerExtEntry 4 } ::= { radiusAccServerExtEntry 4 }
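Review bot: The DESCRIPTION of radiusAccServerInetAddress says only that it uses "the version-neutral IP address format" and does not name the object that supplies its type. RFC 4001 requires every use of InetAddress to specify the InetAddressType object that provides the context; add a sentence naming radiusAccServerInetAddressType here. Separately, in radiusAccClientServerInetPortNumber the sentence "The value zero (0) is invalid." is redundant with the ( 1..65535 ) range and could be dropped.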
skipping to change at page 15, line 4 skipping to change at page 14, line 47
packets received from this server. Malformed packets packets received from this server. Malformed packets
include packets with an invalid length. Bad include packets with an invalid length. Bad
authenticators and unknown types are not included as authenticators and unknown types are not included as
malformed accounting responses. This counter may malformed accounting responses. This counter may
experience a discontinuity when the RADIUS Accounting experience a discontinuity when the RADIUS Accounting
Client module within the managed entity is Client module within the managed entity is
reinitialized, as indicated by the current reinitialized, as indicated by the current
value of radiusAccClientCounterDiscontinuity." value of radiusAccClientCounterDiscontinuity."
REFERENCE "RFC 2866 section 3" REFERENCE "RFC 2866 section 3"
::= { radiusAccServerExtEntry 9 } ::= { radiusAccServerExtEntry 9 }
radiusAccClientExtBadAuthenticators OBJECT-TYPE radiusAccClientExtBadAuthenticators OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of RADIUS Accounting-Response "The number of RADIUS Accounting-Response
packets which contained invalid authenticators packets that contained invalid authenticators
received from this server. This counter may received from this server. This counter may
experience a discontinuity when the RADIUS experience a discontinuity when the RADIUS
Accounting Client module within the managed Accounting Client module within the managed
entity is reinitialized, as indicated by the entity is reinitialized, as indicated by the
current value of current value of
radiusAccClientCounterDiscontinuity." radiusAccClientCounterDiscontinuity."
REFERENCE "RFC 2866 section 3" REFERENCE "RFC 2866 section 3"
::= { radiusAccServerExtEntry 10 } ::= { radiusAccServerExtEntry 10 }
radiusAccClientExtPendingRequests OBJECT-TYPE radiusAccClientExtPendingRequests OBJECT-TYPE
SYNTAX Gauge32 SYNTAX Gauge32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of RADIUS Accounting-Request packets "The number of RADIUS Accounting-Request packets
sent to this server that have not yet timed out or sent to this server that have not yet timed out or
received a response. This variable is incremented received a response. This variable is incremented
when an Accounting-Request is sent and decremented when an Accounting-Request is sent and decremented
due to receipt of an Accounting-Response, a timeout due to receipt of an Accounting-Response, a timeout,
or a retransmission. This counter may experience a or a retransmission. This counter may experience a
discontinuity when the RADIUS Accounting Client module discontinuity when the RADIUS Accounting Client module
within the managed entity is reinitialized, as within the managed entity is reinitialized, as
indicated by the current value of indicated by the current value of
radiusAccClientCounterDiscontinuity." radiusAccClientCounterDiscontinuity."
REFERENCE "RFC 2866 section 2" REFERENCE "RFC 2866 section 2"
::= { radiusAccServerExtEntry 11 } ::= { radiusAccServerExtEntry 11 }
radiusAccClientExtTimeouts OBJECT-TYPE radiusAccClientExtTimeouts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "timeouts" UNITS "timeouts"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of accounting timeouts to this server. "The number of accounting timeouts to this server.
After a timeout the client may retry to the same After a timeout, the client may retry to the same
server, send to a different server, or give up. server, send to a different server, or give up.
A retry to the same server is counted as a A retry to the same server is counted as a
retransmit as well as a timeout. A send to a different retransmit as well as a timeout. A send to a different
server is counted as an Accounting-Request as well as server is counted as an Accounting-Request as well as
a timeout. This counter may experience a discontinuity a timeout. This counter may experience a discontinuity
when the RADIUS Accounting Client module within the when the RADIUS Accounting Client module within the
managed entity is reinitialized, as indicated by the managed entity is reinitialized, as indicated by the
current value of radiusAccClientCounterDiscontinuity." current value of radiusAccClientCounterDiscontinuity."
REFERENCE "RFC 2866 section 2" REFERENCE "RFC 2866 section 2"
::= { radiusAccServerExtEntry 12 } ::= { radiusAccServerExtEntry 12 }
radiusAccClientExtUnknownTypes OBJECT-TYPE radiusAccClientExtUnknownTypes OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of RADIUS packets of unknown type which "The number of RADIUS packets of unknown type that
were received from this server on the accounting port. were received from this server on the accounting port.
This counter may experience a discontinuity when the This counter may experience a discontinuity when the
RADIUS Accounting Client module within the managed RADIUS Accounting Client module within the managed
entity is reinitialized, as indicated by the current entity is reinitialized, as indicated by the current
value of radiusAccClientCounterDiscontinuity." value of radiusAccClientCounterDiscontinuity."
REFERENCE "RFC 2866 section 4" REFERENCE "RFC 2866 section 4"
::= { radiusAccServerExtEntry 13 } ::= { radiusAccServerExtEntry 13 }
radiusAccClientExtPacketsDropped OBJECT-TYPE radiusAccClientExtPacketsDropped OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
UNITS "packets" UNITS "packets"
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of RADIUS packets which were received from "The number of RADIUS packets that were received from
this server on the accounting port and dropped for some this server on the accounting port and dropped for some
other reason. This counter may experience a other reason. This counter may experience a
discontinuity when the RADIUS Accounting Client module discontinuity when the RADIUS Accounting Client module
within the managed entity is reinitialized, as indicated within the managed entity is reinitialized, as indicated
by the current value of by the current value of
radiusAccClientCounterDiscontinuity." radiusAccClientCounterDiscontinuity."
::= { radiusAccServerExtEntry 14 } ::= { radiusAccServerExtEntry 14 }
radiusAccClientCounterDiscontinuity OBJECT-TYPE radiusAccClientCounterDiscontinuity OBJECT-TYPE
SYNTAX TimeTicks SYNTAX TimeTicks
skipping to change at page 19, line 16 skipping to change at page 19, line 13
radiusAccClientCounterDiscontinuity radiusAccClientCounterDiscontinuity
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The basic collection of objects providing management of "The basic collection of objects providing management of
RADIUS Accounting Clients." RADIUS Accounting Clients."
::= { radiusAccClientMIBGroups 2 } ::= { radiusAccClientMIBGroups 2 }
END END
8. IANA Considerations 8. Security Considerations
This document requires no new IANA assignments.
9. Security Considerations
There are no management objects defined in this MIB that have a MAX- There are no management objects defined in this MIB that have a MAX-
ACCESS clause of read-write and/or read-create. So, if this MIB is ACCESS clause of read-write and/or read-create. So, if this MIB is
implemented correctly, then there is no risk that an intruder can implemented correctly, then there is no risk that an intruder can
alter or create any management objects of this MIB via direct SNMP alter or create any management objects of this MIB via direct SNMP
SET operations. SET operations.
There are a number of managed objects in this MIB that may contain There are a number of managed objects in this MIB that may contain
sensitive information. These are: sensitive information. These are:
radiusAcctServerIPAddress This can be used to determine the address radiusAcctServerIPAddress
of the RADIUS accounting server with which the client is This can be used to determine the address of the RADIUS accounting
communicating. This information could be useful in mounting an server with which the client is communicating. This information
attack on the accounting server. could be useful in mounting an attack on the accounting server.
radiusAcctServerInetAddress This can be used to determine the address radiusAcctServerInetAddress
of the RADIUS accounting server with which the client is This can be used to determine the address of the RADIUS accounting
communicating. This information could be useful in mounting an server with which the client is communicating. This information
attack on the accounting server. could be useful in mounting an attack on the accounting server.
radiusAcctClientServerPortNumber This can be used to determine the radiusAcctClientServerPortNumber
port number on which the RADIUS accounting client is sending. This can be used to determine the port number on which the RADIUS
This information could be useful in impersonating the client in accounting client is sending. This information could be useful in
order to send data to the accounting server. impersonating the client in order to send data to the accounting
server.
radiusAcctClientServerInetPortNumber This can be used to determine radiusAcctClientServerInetPortNumber
the port number on which the RADIUS accounting client is sending. This can be used to determine the port number on which the RADIUS
This information could be useful in impersonating the client in accounting client is sending. This information could be useful in
order to send data to the accounting server. impersonating the client in order to send data to the accounting
server.
It is thus important to control even GET access to these objects and It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these object when sending them possibly to even encrypt the values of these object when sending them
over the network via SNMP. Not all versions of SNMP provide features over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment. for such a secure environment.
SNMP versions prior to SNMPv3 do not provide a secure environment. SNMP versions prior to SNMPv3 do not provide a secure environment.
Even if the network itself is secure (for example by using IPsec), Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this access and GET/SET (read/change/create/delete) the objects in this
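Review bot: In the Security Considerations list, the four sensitive objects are named with a radiusAcct prefix (radiusAcctServerIPAddress, radiusAcctServerInetAddress, radiusAcctClientServerPortNumber, radiusAcctClientServerInetPortNumber), but the object definitions visible earlier in this diff use radiusAcc (radiusAccClientExtUnknownTypes, radiusAccServerExtEntry, radiusAccClientCounterDiscontinuity). Both columns carry the same spelling, so the revision left it untouched. Check each name against the OBJECT-TYPE definitions in the module, so that an operator building an access-control view to restrict GET access can match the names exactly. The same section keeps "the values of these object" in both versions; it should read "these objects".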
skipping to change at page 20, line 34 skipping to change at page 20, line 24
authentication and privacy). authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
10. References 9. References
10.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2", Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999. STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580, "Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999. April 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
10.2. Informative References 9.2. Informative References
[2621bis] Nelson, D., "RADIUS Accounting Server MIB for IPv6",
draft-ietf-radext-rfc2621bis-04.txt (work in progress),
June 2006.
[RFC2620] Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB", [RFC2620] Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
RFC 2620, June 1999. RFC 2620, June 1999.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC
2865, June 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
Appendix A. Acknowledgments [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
4671, August 2006.
Appendix A. Acknowledgements
The authors of the original MIB are Bernard Aboba and Glen Zorn. The authors of the original MIB are Bernard Aboba and Glen Zorn.
Many thanks to all reviewers, especially to Dave Harrington, Dan Many thanks to all reviewers, especially to Dave Harrington, Dan
Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. Romascanu, C.M. Heard, Bruno Pape, Greg Weber, and Bert Wijnen.
Author's Address Author's Address
David B. Nelson David B. Nelson
Enterasys Networks Enterasys Networks
50 Minuteman Road 50 Minuteman Road
Andover, MA 01810 Andover, MA 01810
USA USA
Email: dnelson@enterasys.com EMail: dnelson@enterasys.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
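Review bot: In the reference lists of this hunk, [RFC3411] is dropped from the Normative References and [RFC2865] from the Informative References, while the Security Considerations text still recommends deploying SNMPv3 with cryptographic security. Confirm that no citation of either tag remains in the body, and that the SNMPv3 recommendation is still backed by a listed reference such as [RFC3410].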
skipping to change at page 23, line 29 skipping to change at page 23, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity Acknowledgement
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 53 change blocks. 
141 lines changed or deleted 120 lines changed or added
