[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 05 rfc2619                                     
     RADIUS Working Group                                         Glen Zorn
     INTERNET-DRAFT                                               Microsoft
     Category: Standards Track                                Bernard Aboba
     <draft-ietf-radius-auth-servmib-00.txt>                      Microsoft
     9 August 1997
     
     
                        RADIUS Authentication Server MIB
     
     
     1.  Status of this Memo
     
     This document is an Internet-Draft.  Internet-Drafts are working docu-
     ments of the Internet Engineering Task Force (IETF),  its  areas,  and
     its  working groups.  Note that other groups may also distribute work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts are draft documents valid for a maximum of six  months
     and  may  be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as  reference  mate-
     rial or to cite them other than as ``work in progress.''
     
     To  learn  the  current status of any Internet-Draft, please check the
     ``1id-abstracts.txt'' listing contained in the Internet-Drafts  Shadow
     Directories   on   ds.internic.net   (US  East  Coast),  nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
     
     The  distribution  of  this memo is unlimited.  It is filed as <draft-
     ietf-radius-auth-servmib-00.txt>,  and   expires  February  1,   1998.
     Please send comments to the authors.
     
     
     2.  Abstract
     
     This  memo defines a set of extensions which instrument RADIUS authen-
     tication server functions. These extensions represent a portion of the
     Management Information Base (MIB) for use with network management pro-
     tocols in the Internet community.   Using  these  extensions  IP-based
     management stations can manage RADIUS authentication servers.
     
     
     3.  Introduction
     
     This  memo  defines a portion of the Management Information Base (MIB)
     for use with network management protocols in the  Internet  community.
     In  particular,  it describes managed objects used for managing RADIUS
     authentication servers.
     
     RADIUS authentication servers are  today  widely  deployed  by  dialup
     Internet  Service  Providers,  in order to provide authentication ser-
     vices. As a result, the effective management of RADIUS  authentication
     servers is of considerable importance.
     
     
     
     
     
     Zorn & Aboba                                                  [Page 1]


     INTERNET-DRAFT                                           9 August 1997
     
     
     4.  The SNMPv2 Network Management Framework
     
     The  SNMPv2 Network Management Framework consists of four major compo-
     nents.  They are:
     
           o  RFC 1902 which defines the SMI, the mechanisms used for
              describing and naming objects for the purpose of management.
     
           o  RFC 1905 which defines the protocol used for network access to
              managed objects.
     
           o  RFC 1907 defines the core set of managed objects for the
              Internet suite of protocols.
     
           o  RFC 1909 which defines the administrative aspects of the
              framework.
     
     The Framework permits new objects to be defined  for  the  purpose  of
     experimentation and evaluation.
     
     
     4.1.  Object Definitions
     
     Managed  objects  are accessed via a virtual information store, termed
     the Management Information Base or MIB. Objects in the MIB are defined
     using  the  subset  of Abstract Syntax Notation One (ASN.1) defined in
     the SMI. In particular, each object object type is named by an  OBJECT
     IDENTIFIER,  an  administratively  assigned  name.   The  object  type
     together with an object instance serves to uniquely  identify  a  spe-
     cific instantiation of the object. For human convenience, we often use
     a textual string, termed the descriptor, to refer to the object  type.
     
     
     5.  Overview
     
     The  RADIUS  authentication  protocol, described in [1], distinguishes
     between the client function and the server function. In RADIUS authen-
     tication, clients send Access-Requests, and servers reply with Access-
     Accepts, Access-Rejects, and Access-Challenges. Typically NAS  devices
     implement the client function, and thus would be expected to implement
     the RADIUS authentication  client  MIB,  while  RADIUS  authentication
     servers  implement  the server function, and thus would be expected to
     implement the RADIUS authentication server MIB.
     
     However, it is possible for a RADIUS authentication entity to  perform
     both  client and server functions. For example, a RADIUS proxy may act
     as a server to one or more RADIUS authentication clients, while simul-
     taneously  acting as an authentication client to one or more authenti-
     cation servers. In such situations, it is expected that  RADIUS  enti-
     ties  combining  client and server functionality will support both the
     client and server MIBs.
     
     
     
     
     
     
     Zorn & Aboba                                                  [Page 2]


     INTERNET-DRAFT                                           9 August 1997
     
     
     5.1.  Selected objects
     
     This MIB module contains five scalars as well as a single table:
     
     (1)  the RADIUS Authentication Client Table contains one row for each
          RADIUS authentication client that the server shares a secret with.
     
     Each entry in the RADIUS Authentication Client Table  includes  twelve
     entries presenting a view of the activity of the RADIUS authentication
     server.
     
     
     6.  Definitions
     
     RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
     
     IMPORTS
            MODULE-IDENTITY, OBJECT-TYPE,
            OBJECT-IDENTITY, experimental,
            Counter32, Gauge32, Integer32,
            IpAddress, TimeTicks             FROM SNMPv2-SMI
            TEXTUAL-CONVENTION, RowStatus,
            TruthValue, DisplayString        FROM SNMPv2-TC
            MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;
     
     
     radius OBJECT-IDENTITY
            STATUS  current
            DESCRIPTION
                  "The OID assigned to RADIUS MIB work by the IANA."
            ::= { experimental 79 }
     
     radiusAuthentication  OBJECT-IDENTIFIER ::= {radius 1}
     
     radiusAuthServMIB MODULE-IDENTITY
            LAST-UPDATED "9708211659Z"
            ORGANIZATION "IETF RADIUS Working Group."
            CONTACT-INFO
                   " Glen Zorn
                     Microsoft
                     One Microsoft Way
                     Redmond, WA  98052
                     US
     
                     Phone: +1 425 703 1559
                     EMail: glennz@microsoft.com"
            DESCRIPTION
                  "The MIB module for entities implementing the server
                   side of the Remote Access Dialin User Service (RADIUS)
                   authentication protocol."
            ::= { radiusAuthentication 1 }
     
     radiusAuthServMIBObjects     OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }
     
     
     
     
     Zorn & Aboba                                                  [Page 3]


     INTERNET-DRAFT                                           9 August 1997
     
     
     radiusAuthServ      OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }
     
     -- Textual conventions
     
     RadiusTime ::= TEXTUAL-CONVENTION
            DISPLAY-HINT "4d"
            STATUS  current
            DESCRIPTION
                 "RadiusTime values are 32-bit unsigned integers which
                  measure time in seconds."
            SYNTAX  Gauge32
     
     radiusAuthServIdent OBJECT-TYPE
            SYNTAX      DisplayString
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "The implementation identification string for the
                   RADIUS authentication server software in use on the
                   system, for example; `FNS-2.1'"
            ::= {radiusAuthServ 1}
     
     radiusAuthServUpTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process),
                   this value will be the time elapsed since it started.
                   For software without persistent state, this value will
                   be zero."
            ::= {radiusAuthServ 2}
     
     radiusAuthServResetTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process)
                   and supports a `reset' operation (e.g., can be told to
                   re-read configuration files), this value will be the
                   time elapsed since the last time the name server was
                   `reset.'  For software that does not have persistence or
                   does not support a `reset' operation, this value will be
                   zero."
            ::= {radiusAuthServ 3}
     
     radiusAuthServConfigReset OBJECT-TYPE
            SYNTAX INTEGER { other(1),
                             reset(2),
                             initializing(3),
                             running(4)}
            MAX-ACCESS  read-write
            STATUS      current
     
     
     
     Zorn & Aboba                                                  [Page 4]


     INTERNET-DRAFT                                           9 August 1997
     
     
            DESCRIPTION
                   "Status/action object to reinitialize any persistent
                    server state.  When set to reset(2), any persistent
                    server state (such as a process) is reinitialized as if
                    the server had just been started.  This value will
                    never be returned by a read operation.  When read, one of
                    the following values will be returned:
                        other(1) - server in some unknown state;
                        initializing(3) - server (re)initializing;
                        running(4) - server currently running."
            ::= {radiusAuthServ 4}
     
     radiusAuthServInvalidClientAddresses OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Request packets
                   received from unknown addresses since server start-up."
            ::= {radiusAuthServ 5}
     
     radiusAuthClientTable OBJECT-TYPE
            SYNTAX     SEQUENCE OF RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "The (conceptual) table listing the RADIUS authentication
                   clients with which the server shares a secret."
            ::= { radiusAuthServ 6 }
     
     radiusAuthClientEntry OBJECT-TYPE
            SYNTAX     RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "An entry (conceptual row) representing a RADIUS
                   authentication client with which the server shares a secret."
            INDEX      { radiusAuthClientIndex }
            ::= { radiusAuthClientTable 1 }
     
     RadiusAuthClientEntry ::= SEQUENCE {
            radiusAuthClientIndex                           Integer32,
            radiusAuthClientAddress                         IpAddress,
            radiusAuthClientID                              DisplayString,
            radiusAuthServAccessRequests                    Counter32,
            radiusAuthServDupAccessRequests                 Counter32,
            radiusAuthServAccessAccepts                     Counter32,
            radiusAuthServAccessRejects                     Counter32,
            radiusAuthServAccessChallenges                  Counter32,
            radiusAuthServMalformedAccessRequests           Counter32,
            radiusAuthServAuthenticationBadAuthenticators   Counter32,
            radiusAuthServPacketsDropped                    Counter32,
            radiusAuthServUnknownType                       Counter32
     }
     
     
     
     Zorn & Aboba                                                  [Page 5]


     INTERNET-DRAFT                                           9 August 1997
     
     
     radiusAuthClientIndex OBJECT-TYPE
            SYNTAX     Integer32
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "The RADIUS authentication client referred to in this
                   table entry."
            ::= { radiusAuthClientEntry 1 }
     
     radiusAuthClientAddress OBJECT-TYPE
            SYNTAX     IpAddress
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-IP-Address of the RADIUS authentication client
                   referred to in this table entry."
            ::= { radiusAuthClientEntry 2 }
     
     radiusAuthClientID OBJECT-TYPE
            SYNTAX     DisplayString
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-Identifier of the RADIUS authentication client
                   referred to in this table entry."
            ::= { radiusAuthClientEntry 3 }
     
     -- Server Counters
     
     radiusAuthServAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Request packets
                   received from this client since server start-up."
            ::= { radiusAuthClientEntry  4 }
     
     radiusAuthServDupAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of duplicate RADIUS Access-Request
                   packets received from this client since server start-up."
            ::= { radiusAuthClientEntry  5 }
     
     radiusAuthServAccessAccepts OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Accept packets
                   sent to this client since server start-up."
     
     
     
     Zorn & Aboba                                                  [Page 6]


     INTERNET-DRAFT                                           9 August 1997
     
     
            ::= { radiusAuthClientEntry  6 }
     
     radiusAuthServAccessRejects OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                  "The total number of RADIUS Access-Reject packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  7 }
     
     radiusAuthServAccessChallenges OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Challenge packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  8 }
     
     radiusAuthServMalformedAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of malformed RADIUS Access-Request
                   packets received from this client since server start-up.
                   Bad authenticators are not included as
                   malformed Access-Requests."
            ::= { radiusAuthClientEntry  9 }
     
     radiusAuthServAuthenticationBadAuthenticators OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Authentication-Request packets
                   which contained invalid Signature attributes received
                   from this client since server start-up."
            ::= { radiusAuthClientEntry  10 }
     
     radiusAuthServPacketsDropped OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                  "The total number of packets dropped from this client,
                   with no reply sent."
            ::= { radiusAuthClientEntry  11 }
     
     radiusAuthServUnknownType OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
     
     
     
     Zorn & Aboba                                                  [Page 7]


     INTERNET-DRAFT                                           9 August 1997
     
     
            DESCRIPTION
                  "The total number of RADIUS packets of unknown type which
                   were received from this client since authentication server
                   start-up."
            ::= { radiusAuthClientEntry  12 }
     
     
     -- conformance information
     
     radiusAuthServMIBConformance
                   OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
     radiusAuthServMIBCompliances
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
     radiusAuthServMIBGroups
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }
     
     
     -- compliance statements
     
     radiusAuthServMIBCompliance MODULE-COMPLIANCE
            STATUS  current
            DESCRIPTION
                  "The compliance statement for authentication servers
                   implementing the RADIUS Authentication Server MIB."
            MODULE  -- this module
            MANDATORY-GROUPS { radiusAuthServMIBGroup }
     
            ::= { radiusAuthServMIBCompliances 1 }
     
     
     -- units of conformance
     
     radiusAuthServMIBGroup OBJECT-GROUP
           OBJECTS {radiusAuthServIdent,
                    radiusAuthServUpTime,
                    radiusAuthServResetTime,
                    radiusAuthServConfigReset,
                    radiusAuthServInvalidClientAddresses,
                    radiusAuthClientAddress,
                    radiusAuthClientID,
                    radiusAuthServAccessRequests,
                    radiusAuthServDupAccessRequests,
                    radiusAuthServAccessAccepts,
                    radiusAuthServAccessRejects,
                    radiusAuthServAccessChallenges,
                    radiusAuthServMalformedAccessRequests,
                    radiusAuthServAuthenticationBadAuthenticators,
                    radiusAuthServPacketsDropped,
                    radiusAuthServUnknownType
                   }
           STATUS  current
           DESCRIPTION
                 "The collection of objects providing management of
                  a RADIUS Authentication Server."
     
     
     
     Zorn & Aboba                                                  [Page 8]


     INTERNET-DRAFT                                           9 August 1997
     
     
           ::= { radiusAuthServMIBGroups 1 }
     
     END
     
     
     7.  Security considerations
     
     All MIB variables described in this document are read-only,  with  the
     exception of radiusAuthServConfigReset.
     
     
     8.  Acknowledgments
     
     Thanks  to  Narendra  Gidwani  of Microsoft, Allan C. Rubens of MERIT,
     Carl Rigney of Livingston, and Peter Heitman of American Internet Cor-
     poration for useful discussions of this problem space.
     
     
     9.  References
     
     [1]   C. Rigney, A. Rubens, W. Simpson, S. Willens.  "Remote Authenti-
     cation Dial In User Service (RADIUS)." RFC  2138,  Livingston,  Merit,
     Daydreamer, April, 1997.
     
     [2]  C. Rigney.  "RADIUS Authentication." RFC 2139, Livingston, April,
     1997.
     
     [3] C. Rigney, W. Willats.   "RADIUS  Extensions."  draft-ietf-radius-
     ext-00.txt, Livingston, January, 1997.
     
     [4]  "Information  processing systems - Open Systems Interconnection -
     Specification of Abstract Syntax Notation One (ASN.1)",  International
     Organization  for Standardization, International Standard 8824, Decem-
     ber 1987.
     
     [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,  "Introduc-
     tion  to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., Cisco
     Systems, Dover Beach Consulting, Inc., International Network Services,
     January, 1996.
     
     [6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
     of Management Information for Version 2 of the Simple Network  Manage-
     ment Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco Systems,
     Dover Beach Consulting, Inc., International Network Services, January,
     1996.
     
     [7]  Case,  J.,  McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
     Conventions for version 2 of the the Simple Network Management  Proto-
     col  (SNMPv2)",  RFC  1903,  SNMP Research, Inc., Cisco Systems, Dover
     Beach Consulting, Inc., International Network Services, January, 1996.
     
     [8]  Case,  J.,  McCloghrie, K., Rose, M., and S. Waldbusser, "Confor-
     mance Statements for version 2 of the the  Simple  Network  Management
     Protocol  (SNMPv2)",  RFC  1904,  SNMP  Research, Inc., Cisco Systems,
     
     
     
     Zorn & Aboba                                                  [Page 9]


     INTERNET-DRAFT                                           9 August 1997
     
     
     Dover Beach Consulting, Inc., International Network Services, January,
     1996.
     
     [9]  Case,  J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
     Operations for Version 2 of the  Simple  Network  Management  Protocol
     (SNMPv2)",  RFC  1905, SNMP Research, Inc., Cisco Systems, Dover Beach
     Consulting, Inc., International Network Services, January, 1996.
     
     [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
     Mappings  for  Version  2  of  the  Simple Network Management Protocol
     (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems,  Dover  Beach
     Consulting, Inc., International Network Services, January, 1996.
     
     [11]  Case,  J., McCloghrie, K., Rose, M., and S. Waldbusser, "Manage-
     ment Information Base for Version 2 of the Simple  Network  Management
     Protocol (SNMPv2)", RFC 1907, SNMP Research, nc., Cisco Systems, Dover
     Beach Consulting, Inc., International Network Services, January, 1996.
     
     [12]  Case,  J., McCloghrie, K., Rose, M., and S. Waldbusser, "Coexis-
     tence between Version 1 and Version 2 of the Internet-standard Network
     Management  Framework",  RFC 1908, SNMP Research, Inc., Cisco Systems,
     Dover Beach Consulting, Inc., International Network Services, January,
     1996.
     
     [13]  McCloghrie,  K.,  "An Administrative Infrastructure for SNMPv2",
     RFC 1909, Cisco Systems, February, 1996.
     
     
     
     
     10.  Authors' Addresses
     
     Glen Zorn
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-703-1559
     EMail: glennz@microsoft.com
     
     Bernard Aboba
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-936-6605
     EMail: bernarda@microsoft.com
     
     
     
     
     
     
     
     
     
     
     Zorn & Aboba                                                 [Page 10]