Network Working Group D. Satyanarayana
Internet-Draft V. Prakash
Intended status: Standards Track Cisco Systems
Expires: April 13, 2014 October 10, 2013
Local Auth MIB
draft-sdanda-localauth-mib-01
Abstract
This draft defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes managed objects for managing locally
authenticated users.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 13, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Satyanarayana & Prakash Expires April 13, 2014 [Page 1]
Internet-Draft LOCAL-AUTH-STD-MIB October 2013
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. The Internet-Standard Management Framework . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Brief Description of MIB Objects . . . . . . . . . . . . . . 3
4.1. Local Auth User Table (localAuthUserTable) . . . . . . . 3
5. Local Auth User MIB Module Definitions . . . . . . . . . . . 3
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 13
1. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410.
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578, STD 58, RFC 2579 and STD 58, RFC 2580.
2. Introduction
Authentication, Authorization and Accounting (AAA) enables an operator
to control access to system resources. Dedicated AAA servers cannot be
used in small enterprise network deployments that provide network
access to hundreds of users. In such scenarios, the user information
or profiles can be stored locally at the network element.
This MIB can be used by a central controller to manage local
authentication information. One use case is monitoring user access on
devices from multiple vendors, for example:
- user login/logout notifications
- user account lifetime expiry notifications
- user account creation/deletion notifications
This draft defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes managed objects to monitor locally
authenticated users.
Comments should be sent directly to the opsawg@ietf.org mailing
list.
3. Terminology
This document adopts the definitions, acronyms and mechanisms
described in [RFC2903]. Unless otherwise stated, the mechanisms
described therein will not be re-described here.
4. Brief Description of MIB Objects
This section describes the objects pertaining to locally authenticated
users, with specific information related to the MIB module specified
in this document.
The Local Authenticated MIB has one module, named LocalAuthMIB, which
is focussed on describing users authenticated locally by a Network
Access Server (NAS).
4.1. Local Auth User Table (localAuthUserTable)
The localAuthUserTable lists the currently configured local users.
For each user, it provides identifying information (name, type,
creation time, lifetime) and login statistics.
5. Local Auth User MIB Module Definitions
LOCAL-AUTH-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
NOTIFICATION-TYPE,
Counter32,
Unsigned32,
mib-2
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
NOTIFICATION-GROUP,
OBJECT-GROUP
FROM SNMPv2-CONF
TruthValue,
DateAndTime
FROM SNMPv2-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
localAuthMIB MODULE-IDENTITY
LAST-UPDATED "201305100000Z" -- must match the latest REVISION clause
ORGANIZATION "Operations and Management Area
Working Group"
CONTACT-INFO
"Satyanarayana Danda,
Cisco Systems, Inc
Email: sdanda@cisco.com
Prakash Vijayaragavan
Cisco Systems, Inc
Email: pravijay@cisco.com"
DESCRIPTION
"This MIB module defines objects describing users
authenticated locally by a Network Access Server (NAS).
    +--------+      +--------+        +---------+
    |        |      |        |        |         |
    | Client |<---->| Server |<------>| Network |
    |        |      | (NAS)  |        |         |
    +--------+      +--------+        +---------+
A client is a telnet or SSH user that needs access to the NAS
itself. A network user, such as a PPP or dot1x client, requests
authentication from the NAS in order to access the network.
The NAS authenticates the user against the local user
database.
GLOSSARY
Network Access Server (NAS)
A single point of access to a remote resource; it is used
exclusively with Authentication, Authorization and
Accounting.
Point-to-Point Protocol (PPP)
A data link protocol commonly used in establishing a
direct connection between two networking nodes.
Secure Shell (SSH)
A cryptographic network protocol for secure data
communication.
dot1x
dot1x also known as IEEE 802.1X is an IEEE Standard
for Port-based Network Access Control."
REVISION "201305100000Z"
DESCRIPTION
"Initial version of this MIB module."
::= { mib-2 999 } -- placeholder; to be replaced by the IANA-assigned value
-- Default Notification Type
localAuthMIBNotifs OBJECT IDENTIFIER
::= { localAuthMIB 0 }
-- Local authenticated user MIB object definition
localAuthMIBObjects OBJECT IDENTIFIER
::= { localAuthMIB 1 }
localAuthMIBConform OBJECT IDENTIFIER
::= { localAuthMIB 2 }
-- Notification Configuration
localAuthNotifEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object specifies whether the system generates
localAuthUserAdded, localAuthUserDeleted,
localAuthUserLoggedIn and localAuthUserLoggedOut
notifications."
DEFVAL { false }
::= { localAuthMIBObjects 1 }
localAuthUserTable OBJECT-TYPE
SYNTAX SEQUENCE OF LocalAuthUserEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table lists the currently configured local users."
::= { localAuthMIBObjects 2 }
localAuthUserEntry OBJECT-TYPE
SYNTAX LocalAuthUserEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describes a local user identified by its index.
An entry is created or modified when a user is defined in
the system through configuration. An entry is removed when
the user is removed with configuration commands via the CLI,
or automatically when the lifetime of the user has
expired."
INDEX { localAuthUserIndex }
::= { localAuthUserTable 1 }
LocalAuthUserEntry ::= SEQUENCE {
localAuthUserIndex Unsigned32,
localAuthUserName SnmpAdminString,
localAuthUserType INTEGER,
localAuthUserCreationTime DateAndTime,
localAuthUserLifetime Unsigned32,
localAuthUserLoginSuccessCount Counter32,
localAuthUserLoginFailureCount Counter32,
localAuthUserLastLoginTime DateAndTime,
localAuthUserOTPEnabled TruthValue,
localAuthUserPrivelegeLevel Unsigned32,
localAuthUserLoginStatus TruthValue,
localAuthUserPasswordLifetime Unsigned32
}
localAuthUserIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indicates an integer value that uniquely
identifies a local user."
::= { localAuthUserEntry 1 }
localAuthUserName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A textual string containing the name of the locally
authenticated user."
::= { localAuthUserEntry 2 }
localAuthUserType OBJECT-TYPE
SYNTAX INTEGER {
defaultUser(1),
lobbyUser(2),
managementUser(3),
networkUser(4),
guestUser(5)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the type of local user:
defaultUser - Default user account type.
lobbyUser - Management user with lobby admin
privileges; can create and manage
guestUser accounts.
managementUser - Management user account type.
networkUser - User that requires access to the network.
guestUser - A networkUser with a configured lifetime;
the account remains valid for the given
time period and expires thereafter."
::= { localAuthUserEntry 3 }
localAuthUserCreationTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the time the local user was created."
::= { localAuthUserEntry 4 }
localAuthUserLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the expiry duration of the local user;
that is, the duration the local user is valid from the
creation time."
::= { localAuthUserEntry 5 }
localAuthUserLoginSuccessCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the number of times the user has
logged in successfully."
::= { localAuthUserEntry 6 }
localAuthUserLoginFailureCount OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the number of times the user has
failed to authenticate."
::= { localAuthUserEntry 7 }
localAuthUserLastLoginTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the last time the local user was
logged in successfully."
::= { localAuthUserEntry 8 }
localAuthUserOTPEnabled OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object specifies whether a One Time Password (OTP) is
enabled for the user."
::= { localAuthUserEntry 9 }
localAuthUserPrivelegeLevel OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the privilege level of the
local user."
::= { localAuthUserEntry 10 }
localAuthUserLoginStatus OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the current login status of
the local user."
::= { localAuthUserEntry 11 }
localAuthUserPasswordLifetime OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object indicates the expiry duration of the
password of the local user."
::= { localAuthUserEntry 12 }
localAuthMIBCompliances OBJECT IDENTIFIER
::= { localAuthMIBConform 1 }
localAuthUserAdded NOTIFICATION-TYPE
OBJECTS {
localAuthUserName,
localAuthUserType,
localAuthUserLifetime
}
STATUS current
DESCRIPTION
"This notification indicates when the system has added a
user."
::= { localAuthMIBNotifs 1 }
localAuthUserDeleted NOTIFICATION-TYPE
OBJECTS {
localAuthUserName,
localAuthUserType
}
STATUS current
DESCRIPTION
"This notification indicates when the system has deleted a
user."
::= { localAuthMIBNotifs 2 }
localAuthUserLoggedIn NOTIFICATION-TYPE
OBJECTS {
localAuthUserName,
localAuthUserType
}
STATUS current
DESCRIPTION
"This notification indicates when the user has logged
into the system."
::= { localAuthMIBNotifs 3 }
localAuthUserLoggedOut NOTIFICATION-TYPE
OBJECTS {
localAuthUserName,
localAuthUserType
}
STATUS current
DESCRIPTION
"This notification indicates when the user has logged
out of the system."
::= { localAuthMIBNotifs 4 }
localAuthUserPasswordExpired NOTIFICATION-TYPE
OBJECTS {
localAuthUserName,
localAuthUserType
}
STATUS current
DESCRIPTION
"This notification indicates that the user's password
has expired."
::= { localAuthMIBNotifs 5 }
localAuthMIBGroups OBJECT IDENTIFIER
::= { localAuthMIBConform 2 }
localAuthMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities that
implement the LOCAL-AUTH-MIB module."
MODULE -- this module
MANDATORY-GROUPS {
localAuthMIBMainObjectGroup,
localAuthMIBNotificationGroup
}
::= { localAuthMIBCompliances 1 }
-- Units of Conformance
localAuthMIBMainObjectGroup OBJECT-GROUP
OBJECTS {
localAuthNotifEnable,
localAuthUserType,
localAuthUserCreationTime,
localAuthUserLifetime,
localAuthUserName,
localAuthUserLoginSuccessCount,
localAuthUserLoginFailureCount,
localAuthUserLastLoginTime,
localAuthUserOTPEnabled,
localAuthUserPrivelegeLevel,
localAuthUserLoginStatus,
localAuthUserPasswordLifetime
}
STATUS current
DESCRIPTION
"This is the Local Authenticated User MIB main object group."
::= { localAuthMIBGroups 1 }
localAuthMIBNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
localAuthUserAdded,
localAuthUserDeleted,
localAuthUserLoggedIn,
localAuthUserLoggedOut,
localAuthUserPasswordExpired
}
STATUS current
DESCRIPTION
"This is the Local Authenticated User MIB
notification group."
::= { localAuthMIBGroups 2 }
END
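As an added example that is not part of the draft, the following Python decodes a walk of localAuthUserTable into per-user rows and applies the expiry rule given for localAuthUserLifetime (valid for that many seconds from localAuthUserCreationTime), which is how a controller would detect the account-expiry condition the Introduction lists. It assumes the draft's { mib-2 999 } placeholder arc, treats a lifetime of 0 as "no expiry" (the draft does not define that value), and uses constructed varbinds rather than data from a real device.

```python
# Added example (not from the draft): decode localAuthUserTable rows and flag expired accounts.
from datetime import datetime, timedelta, timezone

# localAuthMIB(999 placeholder).localAuthMIBObjects(1).localAuthUserTable(2).localAuthUserEntry(1)
ENTRY_OID = "1.3.6.1.2.1.999.1.2.1"
# Column sub-identifiers from the LocalAuthUserEntry SEQUENCE.
COLUMNS = {2: "localAuthUserName", 3: "localAuthUserType",
           4: "localAuthUserCreationTime", 5: "localAuthUserLifetime"}

def decode_date_and_time(octets: bytes) -> datetime:
    """Decode an SNMPv2-TC DateAndTime value (8 octets, or 11 with a UTC offset)."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = int.from_bytes(octets[0:2], "big")
    month, day, hour, minute, second, decisec = octets[2:8]
    tz = timezone.utc
    if len(octets) == 11:  # direction ('+'/'-'), then hours and minutes from UTC
        sign = -1 if octets[8:9] == b"-" else 1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    return datetime(year, month, day, hour, minute, second, decisec * 100_000, tz)

def rows_from_varbinds(varbinds):
    """Group (oid, value) pairs from a table walk into rows keyed by localAuthUserIndex."""
    rows = {}
    for oid, value in varbinds:
        if oid.startswith(ENTRY_OID + "."):
            column, index = (int(x) for x in oid[len(ENTRY_OID) + 1:].split("."))
            if column in COLUMNS:
                rows.setdefault(index, {})[COLUMNS[column]] = value
    return rows

def expired_users(rows, now):
    """Users whose localAuthUserCreationTime + localAuthUserLifetime (seconds) is before now.
    A lifetime of 0 is taken as 'no expiry' (an assumption; the draft does not define it)."""
    expired = []
    for row in rows.values():
        lifetime = row.get("localAuthUserLifetime", 0)
        if not lifetime:
            continue
        created = decode_date_and_time(row["localAuthUserCreationTime"])
        if created + timedelta(seconds=lifetime) < now:
            expired.append(row["localAuthUserName"])
    return sorted(expired)

# Constructed walk: index 1 is a guestUser(5) with a one-day lifetime, index 2 a managementUser(3).
SAMPLE_VARBINDS = [
    (ENTRY_OID + ".2.1", "guest17"), (ENTRY_OID + ".3.1", 5), (ENTRY_OID + ".5.1", 86400),
    (ENTRY_OID + ".4.1", bytes([0x07, 0xDD, 10, 1, 9, 0, 0, 0])),  # 2013-10-01 09:00:00 UTC
    (ENTRY_OID + ".2.2", "admin"), (ENTRY_OID + ".3.2", 3), (ENTRY_OID + ".5.2", 0),
    (ENTRY_OID + ".4.2", bytes([0x07, 0xDD, 1, 15, 12, 0, 0, 0, ord("+"), 5, 30])),  # +05:30
]

if __name__ == "__main__":
    rows = rows_from_varbinds(SAMPLE_VARBINDS)
    print(expired_users(rows, datetime(2013, 10, 10, tzinfo=timezone.utc)))  # ['guest17']
```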
6. Security Considerations
There are a few management objects defined in this MIB module with a
MAX-ACCESS clause of read-write and/or read-create. Such objects may
be considered sensitive or vulnerable in some network environments.
The support for SET operations in a non-secure environment without
proper protection can have a negative effect on network operations.
These are the tables and objects and their sensitivity/vulnerability:
The management object localAuthNotifEnable can be modified by a
network operator, which can result in a large number of notifications
being generated by the NAS.
The localAuthUserName object exposed via this MIB may not be
considered a risk with respect to an attacker. A username used as an
identity in the network transport would mostly be carried in clear
text. If this object were not exposed via the MIB, an intruder could
obtain this information via packet capture or by other means. Even
when the username is known, the risk can be mitigated by enforcing
strong password encryption schemes.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this
MIB module.
Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS [RFC6353].
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
7. IANA Considerations
The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER values recorded in the SMI Numbers registry:
Descriptor        OBJECT IDENTIFIER value
----------        -----------------------
localAuthMIB      { mib-2 XXX }
[Editor's Note (to be removed prior to publication): the IANA is
requested to assign a value for "XXX" under the 'mib-2' subtree and
to record the assignment in the SMI Numbers registry. When the
assignment has been made, the RFC Editor is asked to replace "XXX"
(here and in the MIB module) with the assigned value and to remove
this note.]
8. References
8.1. Normative References
[RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and
D. Spence, "Generic AAA Architecture", RFC 2903, August
2000.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826, June 2004.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)",
STD 78, RFC 5591, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)",
STD 78, RFC 6353, July 2011.
8.2. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, RFC
3413, December 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
Appendix A. Acknowledgments
Authors would like to thank Mouli Chandramouli, Peddareddappa
Gonichettipalli, Arun Kudur, Naresh Sunkara and Biju Raju for their
comments and suggestions.
Authors' Addresses
Satyanarayana Danda
Cisco Systems
EMail: sdanda@cisco.com
Prakash Vijayaragavan
Cisco Systems
EMail: pravijay@cisco.com