RADIUS Accounting Client MIB
RFC 2620
| Document | Type |
RFC
- Informational
(June 1999)
Obsoleted by RFC 4670
|
|
|---|---|---|---|
| Authors | Glen Zorn , Dr. Bernard D. Aboba | ||
| Last updated | 2013-03-02 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | (None) | |
| Send notices to | (None) |
RFC 2620
quot;
::= { radiusAccClient 2 }
radiusAccServerTable OBJECT-TYPE
SYNTAX SEQUENCE OF RadiusAccServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The (conceptual) table listing the RADIUS accounting
servers with which the client shares a secret."
::= { radiusAccClient 3 }
radiusAccServerEntry OBJECT-TYPE
SYNTAX RadiusAccServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (conceptual row) representing a RADIUS
accounting server with which the client shares a secret."
INDEX { radiusAccServerIndex }
Aboba & Zorn Informational [Page 4]
RFC 2620 RADIUS Accounting Client MIB June 1999
::= { radiusAccServerTable 1 }
RadiusAccServerEntry ::= SEQUENCE {
radiusAccServerIndex Integer32,
radiusAccServerAddress IpAddress,
radiusAccClientServerPortNumber Integer32,
radiusAccClientRoundTripTime TimeTicks,
radiusAccClientRequests Counter32,
radiusAccClientRetransmissions Counter32,
radiusAccClientResponses Counter32,
radiusAccClientMalformedResponses Counter32,
radiusAccClientBadAuthenticators Counter32,
radiusAccClientPendingRequests Gauge32,
radiusAccClientTimeouts Counter32,
radiusAccClientUnknownTypes Counter32,
radiusAccClientPacketsDropped Counter32
}
radiusAccServerIndex OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A number uniquely identifying each RADIUS
Accounting server with which this client
communicates."
::= { radiusAccServerEntry 1 }
radiusAccServerAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP address of the RADIUS accounting server
referred to in this table entry."
::= { radiusAccServerEntry 2 }
radiusAccClientServerPortNumber OBJECT-TYPE
SYNTAX Integer32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The UDP port the client is using to send requests to
this server."
::= { radiusAccServerEntry 3 }
radiusAccClientRoundTripTime OBJECT-TYPE
SYNTAX TimeTicks
Aboba & Zorn Informational [Page 5]
RFC 2620 RADIUS Accounting Client MIB June 1999
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time interval between the most recent
Accounting-Response and the Accounting-Request that
matched it from this RADIUS accounting server."
::= { radiusAccServerEntry 4 }
-- Request/Response statistics
--
-- Requests = Responses + PendingRequests + ClientTimeouts
--
-- Responses - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received
radiusAccClientRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS Accounting-Request packets
sent. This does not include retransmissions."
::= { radiusAccServerEntry 5 }
radiusAccClientRetransmissions OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS Accounting-Request packets
retransmitted to this RADIUS accounting server.
Retransmissions include retries where the
Identifier and Acct-Delay have been updated, as
well as those in which they remain the same."
::= { radiusAccServerEntry 6 }
radiusAccClientResponses OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS packets received on the
accounting port from this server."
::= { radiusAccServerEntry 7 }
radiusAccClientMalformedResponses OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
Aboba & Zorn Informational [Page 6]
RFC 2620 RADIUS Accounting Client MIB June 1999
STATUS current
DESCRIPTION
"The number of malformed RADIUS Accounting-Response
packets received from this server. Malformed packets
include packets with an invalid length. Bad
authenticators and unknown types are not included as
malformed accounting responses."
::= { radiusAccServerEntry 8 }
radiusAccClientBadAuthenticators OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS Accounting-Response
packets which contained invalid authenticators
received from this server."
::= { radiusAccServerEntry 9 }
radiusAccClientPendingRequests OBJECT-TYPE
SYNTAX Gauge32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS Accounting-Request packets
sent to this server that have not yet timed out or
received a response. This variable is incremented when an
Accounting-Request is sent and decremented due to
receipt of an Accounting-Response, a timeout or
a retransmission."
::= { radiusAccServerEntry 10 }
radiusAccClientTimeouts OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of accounting timeouts to this server.
After a timeout the client may retry to the same
server, send to a different server, or give up.
A retry to the same server is counted as a
retransmit as well as a timeout. A send to a different
server is counted as an Accounting-Request as well as
a timeout."
::= { radiusAccServerEntry 11 }
radiusAccClientUnknownTypes OBJECT-TYPE
SYNTAX Counter32
Aboba & Zorn Informational [Page 7]
RFC 2620 RADIUS Accounting Client MIB June 1999
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS packets of unknown type which
were received from this server on the accounting port."
::= { radiusAccServerEntry 12 }
radiusAccClientPacketsDropped OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of RADIUS packets which were received from
this server on the accounting port and dropped for some
other reason."
::= { radiusAccServerEntry 13 }
-- conformance information
radiusAccClientMIBConformance
OBJECT IDENTIFIER ::= { radiusAccClientMIB 2 }
radiusAccClientMIBCompliances
OBJECT IDENTIFIER ::= { radiusAccClientMIBConformance 1 }
radiusAccClientMIBGroups
OBJECT IDENTIFIER ::= { radiusAccClientMIBConformance 2 }
-- compliance statements
radiusAccClientMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for accounting clients
implementing the RADIUS Accounting Client MIB."
MODULE -- this module
MANDATORY-GROUPS { radiusAccClientMIBGroup }
::= { radiusAccClientMIBCompliances 1 }
-- units of conformance
radiusAccClientMIBGroup OBJECT-GROUP
OBJECTS { radiusAccClientIdentifier,
radiusAccClientInvalidServerAddresses,
radiusAccServerAddress,
radiusAccClientServerPortNumber,
radiusAccClientRoundTripTime,
radiusAccClientRequests,
Aboba & Zorn Informational [Page 8]
RFC 2620 RADIUS Accounting Client MIB June 1999
radiusAccClientRetransmissions,
radiusAccClientResponses,
radiusAccClientMalformedResponses,
radiusAccClientBadAuthenticators,
radiusAccClientPendingRequests,
radiusAccClientTimeouts,
radiusAccClientUnknownTypes,
radiusAccClientPacketsDropped
}
STATUS current
DESCRIPTION
"The basic collection of objects providing management of
RADIUS Accounting Clients."
::= { radiusAccClientMIBGroups 1 }
END
5. References
[1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, April
1999.
[2] Rose, M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", STD 16, RFC
1155, May 1990.
[3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16,
RFC 1212, March 1991.
[4] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, Performance Systems International, March 1991.
[5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
RFC 2579, April 1999.
[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
58, RFC 2580, April 1999.
[8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, May 1990.
Aboba & Zorn Informational [Page 9]
RFC 2620 RADIUS Accounting Client MIB June 1999
[9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
[11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2572, April 1999.
[12] Blumenthal, U., and B. Wijnen, "User-based Security Model for
Version 3 of the Simple Network Management Protocol (SNMPv3)",
RFC 2574, April 1999.
[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
Operations for Version 2 of the Simple Network Management
Protocol (SNMPv2)", RFC 1905, January 1996.
[14] Levi, D., Meyer, P., and B. Stewart, "SNMP Applications", RFC
2573, April 1999.
[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
Control Model for the Simple Network Management Protocol
(SNMP)", RFC 2575, April 1999.
[16] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
6. Security Considerations
There are no management objects defined in this MIB that have a MAX-
ACCESS clause of read-write and/or read-create. So, if this MIB is
implemented correctly, then there is no risk that an intruder can
alter or create any management objects of this MIB via direct SNMP
SET opertions.
There are a number of managed objects in this MIB that may contain
sensitive information. These are:
Aboba & Zorn Informational [Page 10]
RFC 2620 RADIUS Accounting Client MIB June 1999
radiusAccServerAddress
This can be used to determine the address of the RADIUS
accounting server with which the client is communicating.
This information could be useful in mounting an attack on
the acounting server, which may contain sensitive financial
data.
radiusAccClientServerPortNumber This can be used to determine the
port number on which the RADIUS accounting client is
sending. This information could be useful in impersonating
the client in order to send fraudulent data to the
accounting server.
It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these object when sending them
over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment.
SNMPv1 by itself is not a secure environment. Even if the network
itself is secure (for example by using IPSec), there is no control as
to who on the secure network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security
features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2574 [12] and the View-based
Access Control Model RFC 2575 [15] is recommended. Using these
security features, customer/users can give access to the objects only
to those principals (users) that have legitimate rights to GET or SET
(change/create/delete) them.
7. Acknowledgments
The authors acknowledge the contributions of the RADIUS Working Group
in the development of this MIB. Thanks to Narendra Gidwani of
Microsoft, Allan C. Rubens of MERIT, Carl Rigney of Livingston and
Peter Heitman of American Internet Corporation for useful discussions
of this problem space.
Aboba & Zorn Informational [Page 11]
RFC 2620 RADIUS Accounting Client MIB June 1999
8. Authors' Addresses
Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
Phone: 425-936-6605
EMail: bernarda@microsoft.com
Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
Phone: 425-703-1559
EMail: glennz@microsoft.com
Aboba & Zorn Informational [Page 12]
RFC 2620 RADIUS Accounting Client MIB June 1999
9. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Aboba & Zorn Informational [Page 13]