Network Working Group D. Satyanarayana Internet-Draft V. Prakash Intended status: Standards Track Cisco Systems Expires: March 29, 2014 September 25, 2013 Local Auth User MIB draft-sdanda-localauth-mib-00 Abstract This draft defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for managing Locally authenticated users. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 29, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Satyanarayana & Prakash Expires March 29, 2014 [Page 1] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. The Internet-Standard Management Framework . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Brief Description of MIB Objects . . . . . . . . . . . . . . 3 4.1. Local Auth User Table (lauUserTable) . . . . . . . . . . 3 5. LAU MIB Module Definitions . . . . . . . . . . . . . . . . . 3 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 8.2. Informative References . . . . . . . . . . . . . . . . . 12 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 12 1. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578, STD 58, RFC 2579 and STD 58, RFC 2580. 2. Introduction Authentication, Authorization and Accounting enables the user to allow the control access to system resources. For small enterprise network deployments that provide network access to hundreds of users, one may not need to have dedicated AAA servers for authenticating the users. For such scenarios, the user information or profiles can be stored locally at the network element. Thus, in that network deployment context, it is useful collect Authentication logs at the network element. This draft defines an portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects to monitor Local authenticated users. Satyanarayana & Prakash Expires March 29, 2014 [Page 2] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 Comments should be made directly to the WSPA mailing list at opsawg@ietf.org. 3. Terminology This document adopts the definitions, acronyms and mechanisms described in [RFC2903]. Unless otherwise stated, the mechanisms described therein will not be re-described here. 4. Brief Description of MIB Objects This section describes objects pertaining to Local Authenticated users with specific information related to the MIB module specified in this document. The Local Authenticated MIB has one module named LocalAuthUserMIB which is focussed on describing users authenticated locally by Network Access Server. 4.1. Local Auth User Table (lauUserTable) The lauUserTable lists the currently configured local users. For each user object, it provides information and statistics about the local users. 5. LAU MIB Module Definitions LOCAL-AUTH-USER-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32 FROM SNMPv2-SMI MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP FROM SNMPv2-CONF TruthValue, DateAndTime FROM SNMPv2-TC SnmpAdminString FROM SNMP-FRAMEWORK-MIB; localAuthUserMIB MODULE-IDENTITY LAST-UPDATED "201305090000Z" Satyanarayana & Prakash Expires March 29, 2014 [Page 3] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 ORGANIZATION "Operations and Management Area Working Group" CONTACT-INFO "Satyanarayana Danda, Cisco Systems, Inc Email: sdanda@cisco.com Prakash Vijayaragavan Cisco Systems, Inc Email: pravijay@cisco.com" DESCRIPTION "This MIB module defines objects describing users authenticated locally by a Network Access Server (NAS). +--------+ +--------+ +---------+ | | | | | | | Client |<---->| Server |<------>| Network | | | | (NAS) | | | +--------+ +--------+ +---------+ A client is a telnet or SSH user needing access to the NAS box directly. Network user like PPP or dot1x will request NAS box for authentication to access the network. NAS box authenticates user present in the local user database. GLOSSARY Network Access Server ( NAS ) A single point of access to a remote resource and is exclusively used with Authentication, Authorization and Accounting. Point-to-Point Protocol (PPP) A data link protocol commonly used in establishing a direct connection between two networking nodes." REVISION "201305090000Z" DESCRIPTION "Initial version of MIB" ::= { mib-2 XXX } -- Default Notification Type localAuthUserMIBNotifs OBJECT IDENTIFIER Satyanarayana & Prakash Expires March 29, 2014 [Page 4] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 ::= { localAuthUserMIB 0 } -- Local authenticated user MIB object definition localAuthUserMIBObjects OBJECT IDENTIFIER ::= { localAuthUserMIB 1 } localAuthUserMIBConform OBJECT IDENTIFIER ::= { localAuthUserMIB 2 } -- Notification Configuration lauNotifEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies whether the system generates lauUserAdded, lauUserDeleted, lauUserLoggedIn and lauUserLoggedOut notifications." DEFVAL { false } ::= { localAuthUserMIBObjects 1 } lauUserTable OBJECT-TYPE SYNTAX SEQUENCE OF LauEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists the currently configured local users." ::= { localAuthUserMIBObjects 2 } lauUserEntry OBJECT-TYPE SYNTAX LauEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry describes a local user identified by its index. An entry is created or modified when a user is defined in system through configuration. An entry is removed when a user is undefined with configuration commands via CLI or by automatic expiry of users when lifetime of the user is expired." INDEX { lauUserIndex } ::= { lauUserTable 1 } Satyanarayana & Prakash Expires March 29, 2014 [Page 5] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 LauEntry ::= SEQUENCE { lauUserIndex Unsigned32, lauUserName SnmpAdminString, lauUserType INTEGER, lauUserCreationTime DateAndTime, lauUserLifetime Unsigned32, lauUserLoginSuccessCount Unsigned32, lauUserLoginFailureCount Unsigned32, lauUserLastLoginTime DateAndTime, lauUserOTPEnabled TruthValue, lauUserPrivelegeLevel Unsigned32, lauUserLoginStatus TruthValue, lauUserDescription OCTET STRING, lauUserPasswordLifetime Unsigned32 } lauUserIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates an integer-value that uniquely identifies a local user." ::= { lauUserEntry 1 } lauUserName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "A textual string containing the name of the locally authenticated user." ::= { lauUserEntry 2 } lauUserType OBJECT-TYPE SYNTAX INTEGER { defaultUser(1), lobbyUser(2), managementUser(3), networkUser(4), guestUser(5) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the type of local user: defaultUser - Default user account type. Satyanarayana & Prakash Expires March 29, 2014 [Page 6] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 lobbyUser - Management user with lobby admin privileges, can create and manage guest user account type. managementUser - Management user account type. networkUser - User requires accessing the network. guestUser - Type of networkUser with lifetime configured such that they can stay alive for a given time period and will expire therafter." ::= { lauUserEntry 3 } lauUserCreationTime OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the time the local user was created." ::= { lauUserEntry 4 } lauUserLifetime OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the expiry duration of the local user; that is, the duration the local user is valid from the creation time." ::= { lauUserEntry 5 } lauUserLoginSuccessCount OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the number of times, the user logged-in successfully." ::= { lauUserEntry 6 } lauUserLoginFailureCount OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the number of times, the user failed to authenticate successfully." ::= { lauUserEntry 7 } lauUserLastLoginTime OBJECT-TYPE Satyanarayana & Prakash Expires March 29, 2014 [Page 7] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the last time the local user was logged in successfully." ::= { lauUserEntry 8 } lauUserOTPEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This object specifies whether One Time Password is enabled for the user." ::= { lauUserEntry 9 } lauUserPrivelegeLevel OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the privelege level of the local user." ::= { lauUserEntry 10 } lauUserLoginStatus OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the current login status of the local user." ::= { lauUserEntry 11 } lauUserDescription OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "This object indicates the description of the local user." ::= { lauUserEntry 12 } lauUserPasswordLifetime OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION Satyanarayana & Prakash Expires March 29, 2014 [Page 8] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 "This object indicates the expiry duration of the password of the local user." ::= { lauUserEntry 13 } lauMIBCompliances OBJECT IDENTIFIER ::= { localAuthUserMIBConform 1 } lauUserAdded NOTIFICATION-TYPE OBJECTS { lauUserName, lauUserType, lauUserLifetime } STATUS current DESCRIPTION "This notification indicates when the system has added a user." ::= { localAuthUserMIBNotifs 1 } lauUserDeleted NOTIFICATION-TYPE OBJECTS { lauUserName, lauUserType } STATUS current DESCRIPTION "This notification indicates when the system has deleted a user." ::= { localAuthUserMIBNotifs 2 } lauUserLoggedIn NOTIFICATION-TYPE OBJECTS { lauUserName, lauUserType } STATUS current DESCRIPTION "This notification indicates when the user has logged into the system." ::= { localAuthUserMIBNotifs 3 } lauUserLoggedOut NOTIFICATION-TYPE OBJECTS { lauUserName, lauUserType } Satyanarayana & Prakash Expires March 29, 2014 [Page 9] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 STATUS current DESCRIPTION "This notification indicates when the user has logged out of the system" ::= { localAuthUserMIBNotifs 4 } lauUserPasswordExpired NOTIFICATION-TYPE OBJECTS { lauUserName, lauUserType } STATUS current DESCRIPTION "This notification indicates when the user password is expired." ::= { localAuthUserMIBNotifs 5 } lauMIBGroups OBJECT IDENTIFIER ::= { localAuthUserMIBConform 2 } lauMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "This is a default module-compliance containing default object groups." MODULE -- this module MANDATORY-GROUPS { lauMIBMainObjectGroup, lauMIBNotificationGroup } ::= { lauMIBCompliances 1 } -- Units of Conformance lauMIBMainObjectGroup OBJECT-GROUP OBJECTS { lauNotifEnable, lauUserType, lauUserCreationTime, lauUserLifetime, lauUserName, lauUserLoginSuccessCount, lauUserLoginFailureCount, lauUserLastLoginTime, lauUserOTPEnabled, Satyanarayana & Prakash Expires March 29, 2014 [Page 10] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 lauUserPrivelegeLevel, lauUserLoginStatus, lauUserDescription, lauUserPasswordLifetime } STATUS current DESCRIPTION "The is a local Authenticated User MIB Main Object group." ::= { lauMIBGroups 1 } lauMIBNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { lauUserAdded, lauUserDeleted, lauUserLoggedIn, lauUserLoggedOut, lauUserPasswordExpired } STATUS current DESCRIPTION "The is a local Authenticated User MIB Notification group." ::= { lauMIBGroups 2 } END 6. Security Considerations It is important to control GET access to these objects and possibly to even encrypt the values of these object when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure "for example by using IPSec", even then, there is no control as to who on the secure network is allowed to access and GET/SET "read/change/create/delete" the objects in these MIB modules. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see RFC3410, section 8), including full support for the SNMPv3 cryptographic mechanisms "for authentication and privacy". Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to Satyanarayana & Prakash Expires March 29, 2014 [Page 11] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module, is properly configured to give access to the objects only to those principals "users" that have legitimate rights to indeed GET or SET "change/create/delete" them. 7. IANA Considerations The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry: Descriptor OBJECT IDENTIFIER value ---------- ----------------------- localAuthUserMIB { mib-2 XXX } [Editor's Note (to be removed prior to publication): the IANA is requested to assign a value for "XXX" under the 'mib-2' subtree and to record the assignment in the SMI Numbers registry. When the assignment has been made, the RFC Editor is asked to replace "XXX" (here and in the MIB module) with the assigned value and to remove this note.] 8. References 8.1. Normative References [RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and D. Spence, "Generic AAA Architecture", RFC 2903, August 2000. 8.2. Informative References [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002. Appendix A. Acknowledgments Authors would like to thank Mouli Chandramouli, Peddareddappa Gonichettipalli, Arun Kudur, Naresh Sunkara and Biju Raju for their comments and suggestions. Satyanarayana & Prakash Expires March 29, 2014 [Page 12] Internet-Draft LOCAL-AUTH-USER-STD-MIB September 2013 Authors' Addresses Satyanarayana Danda Cisco Systems EMail: sdanda@cisco.com Prakash Vijayaragavan Cisco Systems EMail: pravijay@cisco.com Satyanarayana & Prakash Expires March 29, 2014 [Page 13]