[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 rfc2619                                     
     RADIUS Working Group                                         Glen Zorn
     INTERNET-DRAFT                                               Microsoft
     Category: Standards Track                                Bernard Aboba
     <draft-ietf-radius-auth-servmib-02.txt>                      Microsoft
     11 November 1998
     
     
                        RADIUS Authentication Server MIB
     
     
     1.  Status of this Memo
     
     This document is an Internet-Draft.  Internet-Drafts are working docu-
     ments of the Internet Engineering Task Force (IETF),  its  areas,  and
     its  working groups.  Note that other groups may also distribute work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts are draft documents valid for a maximum of six  months
     and  may  be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as  reference  mate-
     rial or to cite them other than as ``work in progress.''
     
     To  learn  the  current status of any Internet-Draft, please check the
     ``1id-abstracts.txt'' listing contained in the Internet-Drafts  Shadow
     Directories   on   ftp.ietf.org   (US  East  Coast),  nic.nordu.net
     (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
     
     The  distribution  of  this memo is unlimited.  It is filed as <draft-
     ietf-radius-auth-servmib-02.txt>, and  expires  May  1,  1999.  Please
     send comments to the authors.
     
     
     2.  Copyright Notice
     
     Copyright (C) The Internet Society (1998).  All Rights Reserved.
     
     
     3.  Abstract
     
     This  memo defines a set of extensions which instrument RADIUS authen-
     tication server functions. These extensions represent a portion of the
     Management Information Base (MIB) for use with network management pro-
     tocols in the Internet community.   Using  these  extensions  IP-based
     management stations can manage RADIUS authentication servers.
     
     
     4.  Introduction
     
     This  memo  defines a portion of the Management Information Base (MIB)
     for use with network management protocols in the  Internet  community.
     In  particular,  it describes managed objects used for managing RADIUS
     authentication servers.
     
     
     
     
     
     Zorn & Aboba                Standards Track                   [Page 1]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     RADIUS authentication servers are  today  widely  deployed  by  dialup
     Internet  Service  Providers,  in order to provide authentication ser-
     vices. As a result, the effective management of RADIUS  authentication
     servers is of considerable importance.
     
     
     5.  The SNMP Management Framework
     
     The  SNMP Management Framework presently consists of five major compo-
     nents:
     
         o   An overall architecture, described in RFC 2271 [1].
     
         o   Mechanisms for describing and naming objects  and  events  for
             the purpose of management. The first version of this Structure
             of Management Information (SMI) is called SMIv1 and  described
             in  RFC  1155  [2],  RFC 1212 [3] and RFC 1215 [4]. The second
             version, called SMIv2, is described in RFC 1902 [5], RFC  1903
             [6] and RFC 1904 [7].
     
         o   Message protocols for transferring management information. The
             first version of the SNMP message protocol  is  called  SNMPv1
             and  described  in  RFC 1157 [8]. A second version of the SNMP
             message protocol, which is not  an  Internet  standards  track
             protocol,  is called SNMPv2c and described in RFC 1901 [9] and
             RFC 1906 [10]. The third version of the  message  protocol  is
             called  SNMPv3  and  described in RFC 1906 [10], RFC 2272 [11]
             and RFC 2274 [12].
     
         o   Protocol operations for accessing management information.  The
             first set of protocol operations and associated PDU formats is
             described in RFC 1157 [8]. A second set of protocol operations
             and associated PDU formats is described in RFC 1905 [13].
     
         o   A  set  of fundamental applications described in RFC 2273 [14]
             and the view-based access control mechanism described  in  RFC
             2275 [15].
     
     Managed  objects  are accessed via a virtual information store, termed
     the Management Information Base  or  MIB.   Objects  in  the  MIB  are
     defined using the mechanisms defined in the SMI.
     
     This memo specifies a MIB module that is compliant to the SMIv2. A MIB
     conforming to the SMIv1 can be produced through the appropriate trans-
     lations. The resulting translated MIB must be semantically equivalent,
     except where objects or events are omitted because no  translation  is
     possible  (use  of  Counter64).  Some  machine readable information in
     SMIv2 will be converted into textual descriptions in SMIv1 during  the
     translation  process.  However, this loss of machine readable informa-
     tion is not considered to change the semantics of the MIB.
     
     
     
     
     
     
     
     Zorn & Aboba                Standards Track                   [Page 2]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     6.  Overview
     
     The RADIUS authentication protocol, described in  [16],  distinguishes
     between the client function and the server function. In RADIUS authen-
     tication, clients send Access-Requests, and servers reply with Access-
     Accepts, Access-Rejects, and Access-Challenges.  Typically NAS devices
     implement the client function, and thus would be expected to implement
     the  RADIUS  authentication  client  MIB,  while RADIUS authentication
     servers implement the server function, and thus would be  expected  to
     implement the RADIUS authentication server MIB.
     
     However,  it is possible for a RADIUS authentication entity to perform
     both client and server functions. For example, a RADIUS proxy may  act
     as a server to one or more RADIUS authentication clients, while simul-
     taneously acting as an authentication client to one or more  authenti-
     cation  servers.  In such situations, it is expected that RADIUS enti-
     ties combining client and server functionality will support  both  the
     client and server MIBs.
     
     
     6.1.  Selected objects
     
     This MIB module contains fourteen scalars as well as a single table:
     
     (1)  the RADIUS Authentication Client Table contains one row for each
          RADIUS authentication client that the server shares a secret with.
     
     Each  entry  in the RADIUS Authentication Client Table includes twelve
     columns presenting a view of the activity of the RADIUS authentication
     server.
     
     
     7.  Definitions
     
     RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN
     
     IMPORTS
            MODULE-IDENTITY, OBJECT-TYPE,
            OBJECT-IDENTITY, experimental,
            Counter32, Gauge32, Integer32,
            IpAddress                          FROM SNMPv2-SMI
            TEXTUAL-CONVENTION, DisplayString  FROM SNMPv2-TC
            MODULE-COMPLIANCE, OBJECT-GROUP    FROM SNMPv2-CONF;
     
     radius OBJECT-IDENTITY
            STATUS  current
            DESCRIPTION
                  "The OID assigned to RADIUS MIB work by the IANA."
            ::= { experimental 79 }
     
     radiusAuthentication  OBJECT IDENTIFIER ::= {radius 1}
     
     radiusAuthServMIB MODULE-IDENTITY
            LAST-UPDATED "9811161659Z"
     
     
     
     Zorn & Aboba                Standards Track                   [Page 3]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
            ORGANIZATION "IETF RADIUS Working Group."
            CONTACT-INFO
                   " Glen Zorn
                     Microsoft
                     One Microsoft Way
                     Redmond, WA  98052
                     US
     
                     Phone: +1 425 703 1559
                     EMail: glennz@microsoft.com"
            DESCRIPTION
                  "The MIB module for entities impleenting the server
                   side of the Remote Access Dialin User Service (RADIUS)
                   authentication protocol."
            ::= { radiusAuthentication 1 }
     
     radiusAuthServMIBObjects     OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 }
     
     radiusAuthServ      OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 }
     
     -- Textual conventions
     
     RadiusTime ::= TEXTUAL-CONVENTION
            DISPLAY-HINT "4d"
            STATUS  current
            DESCRIPTION
                 "RadiusTime values are 32-bit unsigned integers which
                  measure time in seconds."
            SYNTAX  Gauge32
     
     radiusAuthServIdent OBJECT-TYPE
            SYNTAX      DisplayString
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "The implementation identification string for the
                   RADIUS authentication server software in use on the
                   system, for example; `FNS-2.1'"
            ::= {radiusAuthServ 1}
     
     radiusAuthServUpTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process),
                   this value will be the time elapsed since it started.
                   For software without persistent state, this value will
                   be zero."
            ::= {radiusAuthServ 2}
     
     radiusAuthServResetTime OBJECT-TYPE
            SYNTAX      RadiusTime
            MAX-ACCESS  read-only
     
     
     
     Zorn & Aboba                Standards Track                   [Page 4]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
            STATUS      current
            DESCRIPTION
                  "If the server has a persistent state (e.g., a process)
                   and supports a `reset' operation (e.g., can be told to
                   re-read configuration files), this value will be the
                   time elapsed since the last time the name server was
                   `reset.'  For software that does not have persistence or
                   does not support a `reset' operation, this value will be
                   zero."
            ::= {radiusAuthServ 3}
     
     radiusAuthServConfigReset OBJECT-TYPE
            SYNTAX INTEGER { other(1),
                             reset(2),
                             initializing(3),
                             running(4)}
            MAX-ACCESS  read-write
            STATUS      current
            DESCRIPTION
                   "Status/action object to reinitialize any persistent
                    server state.  When set to reset(2), any persistent
                    server state (such as a process) is reinitialized as if
                    the server had just been started.  This value will
                    never be returned by a read operation.  When read, one of
                    the following values will be returned:
                        other(1) - server in some unknown state;
                        initializing(3) - server (re)initializing;
                        running(4) - server currently running."
            ::= {radiusAuthServ 4}
     
     -- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com)
     
         radiusAuthServTotalAccessRequests OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of packets received on the
                        authentication port since server start-up."
                 ::= { radiusAuthServ 5}
     
          radiusAuthServTotalInvalidRequests OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of RADIUS Access-Request packets
                        received from unknown addresses since server start-up."
                 ::= { radiusAuthServ 6 }
     
          radiusAuthServTotalDupAccessRequests OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
     
     
     
     Zorn & Aboba                Standards Track                   [Page 5]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
                 DESCRIPTION
                       "The total number of duplicate RADIUS Access-Request
                        packets received since server start-up."
                 ::= { radiusAuthServ 7 }
     
          radiusAuthServTotalAccessAccepts OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of RADIUS Access-Accept packets
                        sent since server start-up."
                 ::= { radiusAuthServ 8 }
     
          radiusAuthServTotalAccessRejects OBJECT-TYPE
                SYNTAX Counter32
                MAX-ACCESS read-only
                STATUS current
                DESCRIPTION
                       "The total number of RADIUS Access-Reject packets
                        sent since server start-up."
                 ::= { radiusAuthServ 9 }
     
          radiusAuthServTotalAccessChallenges OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of RADIUS Access-Challenge packets
                        sent since server start-up."
                 ::= { radiusAuthServ 10 }
     
          radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of malformed RADIUS Access-Request
                        packets received since server start-up. Bad authenticators
                        and unknown types are not included as
                        malformed Access-Requests."
                 ::= { radiusAuthServ 11 }
     
          radiusAuthServTotalBadAuthenticators OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
                 DESCRIPTION
                       "The total number of RADIUS Authentication-Request packets
                        which contained invalid Signature attributes received
                        since server start-up."
                 ::= { radiusAuthServ 12 }
     
          radiusAuthServTotalPacketsDropped OBJECT-TYPE
     
     
     
     Zorn & Aboba                Standards Track                   [Page 6]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
                SYNTAX Counter32
                MAX-ACCESS read-only
                STATUS current
                DESCRIPTION
                       "The total number of incoming packets
                        silently discarded for some reason other
                        than malformed, bad authenticators or
                        unknown types."
                 ::= { radiusAuthServ 13 }
     
          radiusAuthServTotalUnknownTypes OBJECT-TYPE
                 SYNTAX Counter32
                 MAX-ACCESS read-only
                 STATUS current
     
                 DESCRIPTION
                       "The total number of RADIUS packets of unknown type which
                        were received since server start-up."
                 ::= { radiusAuthServ 14 }
     
     -- End of new
     
     radiusAuthClientTable OBJECT-TYPE
            SYNTAX     SEQUENCE OF RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "The (conceptual) table listing the RADIUS authentication
                   clients with which the server shares a secret."
            ::= { radiusAuthServ 15 }
     
     radiusAuthClientEntry OBJECT-TYPE
            SYNTAX     RadiusAuthClientEntry
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                  "An entry (conceptual row) representing a RADIUS
                   authentication client with which the server shares a secret."
            INDEX      { radiusAuthClientIndex }
            ::= { radiusAuthClientTable 1 }
     
     RadiusAuthClientEntry ::= SEQUENCE {
            radiusAuthClientIndex                           Integer32,
            radiusAuthClientAddress                         IpAddress,
            radiusAuthClientID                              DisplayString,
            radiusAuthServAccessRequests                    Counter32,
            radiusAuthServDupAccessRequests                 Counter32,
            radiusAuthServAccessAccepts                     Counter32,
            radiusAuthServAccessRejects                     Counter32,
            radiusAuthServAccessChallenges                  Counter32,
            radiusAuthServMalformedAccessRequests           Counter32,
            radiusAuthServBadAuthenticators                 Counter32,
            radiusAuthServPacketsDropped                    Counter32,
            radiusAuthServUnknownTypes                      Counter32
     
     
     
     Zorn & Aboba                Standards Track                   [Page 7]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     }
     
     radiusAuthClientIndex OBJECT-TYPE
            SYNTAX     Integer32 (0..MAX)
            MAX-ACCESS not-accessible
            STATUS     current
            DESCRIPTION
                   "A number uniquely identifying each RADIUS
                   authentication client with which this server
                   communicates."
            ::= { radiusAuthClientEntry 1 }
     
     radiusAuthClientAddress OBJECT-TYPE
            SYNTAX     IpAddress
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-IP-Address of the RADIUS authentication client
                   referred to in this table entry."
            ::= { radiusAuthClientEntry 2 }
     
     radiusAuthClientID OBJECT-TYPE
            SYNTAX     DisplayString
            MAX-ACCESS read-only
            STATUS     current
            DESCRIPTION
                  "The NAS-Identifier of the RADIUS authentication client
                   referred to in this table entry. This is not necessarily
                   the same as sysName in MIB II."
            ::= { radiusAuthClientEntry 3 }
     
     -- Server Counters
     --
     -- Responses = AccessAccepts + AccessRejects + AccessChallenges
     --
     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
     -- UnknownTypes -  PacketsDropped - Responses = Pending
     --
     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
     -- UnknownTypes - PacketsDropped = entries logged
     
     radiusAuthServAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of packets received on the authentication
                   port from this client since server start-up."
            ::= { radiusAuthClientEntry  4 }
     
     radiusAuthServDupAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
     
     
     
     Zorn & Aboba                Standards Track                   [Page 8]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
            DESCRIPTION
                  "The total number of duplicate RADIUS Access-Request
                   packets received from this client since server start-up."
            ::= { radiusAuthClientEntry  5 }
     
     radiusAuthServAccessAccepts OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Accept packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  6 }
     
     radiusAuthServAccessRejects OBJECT-TYPE
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                  "The total number of RADIUS Access-Reject packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  7 }
     
     radiusAuthServAccessChallenges OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Access-Challenge packets
                   sent to this client since server start-up."
            ::= { radiusAuthClientEntry  8 }
     
     radiusAuthServMalformedAccessRequests OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of malformed RADIUS Access-Request
                   packets received from this client since server start-up.
                   Bad authenticators and unknown types are not included as
                   malformed Access-Requests."
            ::= { radiusAuthClientEntry  9 }
     
     radiusAuthServBadAuthenticators OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS Authentication-Request packets
                   which contained invalid Signature attributes received
                   from this client since server start-up."
            ::= { radiusAuthClientEntry  10 }
     
     radiusAuthServPacketsDropped OBJECT-TYPE
     
     
     
     Zorn & Aboba                Standards Track                   [Page 9]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
           SYNTAX Counter32
           MAX-ACCESS read-only
           STATUS current
           DESCRIPTION
                   "The total number of incoming packets from this
                    client silently discarded for some reason other
                    than malformed, bad authenticators or
                    unknown types."
            ::= { radiusAuthClientEntry  11 }
     
     radiusAuthServUnknownTypes OBJECT-TYPE
            SYNTAX Counter32
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The total number of RADIUS packets of unknown type which
                   were received from this client since authentication server
                   start-up."
            ::= { radiusAuthClientEntry  12 }
     
     
     -- conformance information
     
     radiusAuthServMIBConformance
                   OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 }
     radiusAuthServMIBCompliances
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 }
     radiusAuthServMIBGroups
                   OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 }
     
     
     -- compliance statements
     
     radiusAuthServMIBCompliance MODULE-COMPLIANCE
            STATUS  current
            DESCRIPTION
                  "The compliance statement for authentication servers
                   implementing the RADIUS Authentication Server MIB."
            MODULE  -- this module
            MANDATORY-GROUPS { radiusAuthServMIBGroup }
     
            ::= { radiusAuthServMIBCompliances 1 }
     
     
     -- units of conformance
     
     radiusAuthServMIBGroup OBJECT-GROUP
           OBJECTS {radiusAuthServIdent,
                    radiusAuthServUpTime,
                    radiusAuthServResetTime,
                    radiusAuthServConfigReset,
                    radiusAuthServTotalAccessRequests,
                    radiusAuthServTotalInvalidRequests,
                    radiusAuthServTotalDupAccessRequests,
     
     
     
     Zorn & Aboba                Standards Track                  [Page 10]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
                    radiusAuthServTotalAccessAccepts,
                    radiusAuthServTotalAccessRejects,
                    radiusAuthServTotalAccessChallenges,
                    radiusAuthServTotalMalformedAccessRequests,
                    radiusAuthServTotalBadAuthenticators,
                    radiusAuthServTotalPacketsDropped,
                    radiusAuthServTotalUnknownTypes,
                    radiusAuthClientAddress,
                    radiusAuthClientID,
                    radiusAuthServAccessRequests,
                    radiusAuthServDupAccessRequests,
                    radiusAuthServAccessAccepts,
                    radiusAuthServAccessRejects,
                    radiusAuthServAccessChallenges,
                    radiusAuthServMalformedAccessRequests,
                    radiusAuthServBadAuthenticators,
                    radiusAuthServPacketsDropped,
                    radiusAuthServUnknownTypes
                   }
           STATUS  current
           DESCRIPTION
                 "The collection of objects providing management of
                  a RADIUS Authentication Server."
           ::= { radiusAuthServMIBGroups 1 }
     
     END
     
     
     8.  References
     
     
     [1]  Harrington,  D., Presuhn, R., and B. Wijnen, "An Architecture for
          Describing SNMP Management Frameworks", RFC 2271, Cabletron  Sys-
          tems,  Inc.,  BMC Software, Inc., IBM T. J. Watson Research, Jan-
          uary 1998.
     
     [2]  Rose, M., and K. McCloghrie,  "Structure  and  Identification  of
          Management  Information  for  TCP/IP-based  Internets", RFC 1155,
          Performance Systems International, Hughes LAN Systems, May  1990.
     
     [3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
          Performance Systems  International,  Hughes  LAN  Systems,  March
          1991.
     
     [4]  M. Rose, "A Convention for Defining Traps for use with the SNMP",
          RFC 1215, Performance Systems International, March 1991.
     
     [5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
          of  Management  Information  for  Version 2 of the Simple Network
          Management Protocol  (SNMPv2)",  RFC  1902,  SNMP  Research,Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.
     
     
     
     
     
     Zorn & Aboba                Standards Track                  [Page 11]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     [6]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Textual
          Conventions for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1903,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.
     
     [7]  Case, J., McCloghrie, K., Rose, M., and S.  Waldbusser,  "Confor-
          mance  Statements  for Version 2 of the Simple Network Management
          Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 1996.
     
     [8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple  Net-
          work  Management  Protocol", RFC 1157, SNMP Research, Performance
          Systems International,  Performance  Systems  International,  MIT
          Laboratory for Computer Science, May 1990.
     
     [9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduc-
          tion to Community-based SNMPv2", RFC 1901, SNMP  Research,  Inc.,
          Cisco  Systems, Inc., Dover Beach Consulting, Inc., International
          Network Services, January 1996.
     
     [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
          Mappings  for Version 2 of the Simple Network Management Protocol
          (SNMPv2)", RFC 1906, SNMP Research, Inc.,  Cisco  Systems,  Inc.,
          Dover  Beach  Consulting,  Inc.,  International Network Services,
          January 1996.
     
     [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message Pro-
          cessing  and Dispatching for the Simple Network Management Proto-
          col (SNMP)", RFC 2272, SNMP Research,  Inc.,  Cabletron  Systems,
          Inc.,  BMC  Software,  Inc.,  IBM  T. J. Watson Research, January
          1998.
     
     [12] Blumenthal, U., and B. Wijnen, "User-based Security  Model  (USM)
          for   version   3  of  the  Simple  Network  Management  Protocol
          (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.
     
     [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,  "Protocol
          Operations  for Version 2 of the Simple Network Management Proto-
          col (SNMPv2)", RFC 1905,  SNMP  Research,  Inc.,  Cisco  Systems,
          Inc.,  Dover  Beach  Consulting, Inc., International Network Ser-
          vices, January 196.
     
     [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3  Applications",  RFC
          2273,  SNMP  Research,  Inc., Secure Computing Corporation, Cisco
          Systems, January 1998
     
     [15] Wijnen, B., Presuhn, R., and K.  McCloghrie,  "View-based  Access
          Control  Model  (VACM) for the Simple Network Management Protocol
          (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
          Cisco Systems, Inc., January 1998
     
     
     
     
     
     Zorn & Aboba                Standards Track                  [Page 12]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     [16] Rigney,  C.,  Rubens,  A.,  Simpson  W.,  and S. Willens, "Remote
          Authentication Dial In User Service (RADIUS)",  RFC  2138,  April
          1997.
     
     [17] "Information  processing systems - Open Systems Interconnection -
          Specification of Abstract Syntax Notation One (ASN.1)",  Interna-
          tional  Organization  for Standardization, International Standard
          8824, December 1987.
     
     
     9.  Security considerations
     
     There are a number of management objects defined in this MIB that have
     a  MAX-ACCESS  clause  of read-write and/or read-create.  Such objects
     may be considered sensitive or vulnerable  in  some  network  environ-
     ments.   The  support  for  SET operations in a non-secure environment
     without proper protection can have a negative effect on network opera-
     tions.
     
     There  are  a  number  of managed objects in this MIB that may contain
     sensitive information. These are:
     
     radiusAuthClientAddress
               This can be used to determine  the  address  of  the  RADIUS
               authentication  client  with which the server is communicat-
               ing. This information could be useful in  impersonating  the
               client.
     
     radiusAuthClientID
               This can be used to determine the client ID of the authenti-
               cation client with which the server is  communicating.  This
               information could be useful in impersonating the client.
     
     It  is  thus important to control even GET access to these objects and
     possibly to even encrypt the values of these object when sending  them
     over  the network via SNMP.  Not all versions of SNMP provide features
     for such a secure environment.
     
     SNMPv1 by itself is not a secure  environment.  Even  if  the  network
     itself  is secure (for example by using IPSec), there is no control as
     to who on  the  secure  network  is  allowed  to  access  and  GET/SET
     (read/change/create/delete) the objects in this MIB.
     
     It is recommended that the implementers consider the security features
     as provided by the SNMPv3 framework.  Specifically,  the  use  of  the
     User-based Security Model RFC 2274 [12] and the View-based Access Con-
     trol Model RFC 2275 [15] is recommended.  Using  these  security  fea-
     tures,   customer/users  can  give access to the objects only to those
     principals  (users)  that  have  legitimate  rights  to  GET  or   SET
     (change/create/delete) them.
     
     
     
     
     
     
     
     Zorn & Aboba                Standards Track                  [Page 13]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     10.  Acknowledgments
     
     Thanks  to  Narendra  Gidwani  of Microsoft, Allan C. Rubens of MERIT,
     Carl Rigney of Livingston and Peter Heitman of American Internet  Cor-
     poration for useful discussions of this problem space.
     
     
     11.  Authors' Addresses
     
     Bernard Aboba
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-936-6605
     EMail: bernarda@microsoft.com
     
     Glen Zorn
     Microsoft Corporation
     One Microsoft Way
     Redmond, WA 98052
     
     Phone: 425-703-1559
     EMail: glennz@microsoft.com
     
     
     12.  Full Copyright Statement
     
     Copyright (C) The Internet Society (1997).  All Rights Reserved.
     This  document  and  translations of it may be copied and furnished to
     others, and derivative works that comment on or otherwise  explain  it
     or  assist in its implmentation may be prepared, copied, published and
     distributed, in whole or in part, without  restriction  of  any  kind,
     provided  that  the  above  copyright  notice  and  this paragraph are
     included on all such copies and derivative works.  However, this docu-
     ment  itself  may  not be modified in any way, such as by removing the
     copyright notice or references to the Internet Society or other Inter-
     net  organizations,  except  as  needed  for the purpose of developing
     Internet standards in which case the procedures for copyrights defined
     in  the Internet Standards process must be followed, or as required to
     translate it into languages other than English.  The  limited  permis-
     sions  granted  above  are  perpetual  and  will not be revoked by the
     Internet Society or its successors or assigns.  This document and  the
     information  contained  herein is provided on an "AS IS" basis and THE
     INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
     WARRANTIES,  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR-
     RANTY THAT THE USE OF THE INFORMATION HEREIN  WILL  NOT  INFRINGE  ANY
     RIGHTS  OR  ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
     PARTICULAR PURPOSE."
     
     
     
     
     
     
     
     
     Zorn & Aboba                Standards Track                  [Page 14]


     INTERNET-DRAFT     RADIUS Authentication Server MIB   11 November 1998
     
     
     13.  Expiration Date
     
     This memo is filed as  <draft-ietf-radius-auth-servermib-02.txt>,  and
     expires May 1, 1999.
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     Zorn & Aboba                Standards Track                  [Page 15]