Network Working Group                                   D. Satyanarayana
Internet-Draft                                                V. Prakash
Intended status: Standards Track                           Cisco Systems
Expires: April 13, 2014                                 October 10, 2013

                             Local Auth MIB
                     draft-sdanda-localauth-mib-01

Abstract

   This draft defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes managed objects for managing locally
   authenticated users.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 13, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Satyanarayana & Prakash      Expires April 13, 2014             [Page 1]
Internet-Draft             LOCAL-AUTH-STD-MIB               October 2013
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  The Internet-Standard Management Framework
   2.  Introduction
   3.  Terminology
   4.  Brief Description of MIB Objects
     4.1.  Local Auth User Table (localAuthUserTable)
   5.  Local Auth User MIB Module Definitions
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Acknowledgments

1.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410.

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC 2578, STD 58, RFC 2579 and STD 58, RFC 2580.

2.  Introduction

   Authentication, Authorization and Accounting (AAA) enables control
   over access to system resources.  Dedicated AAA servers cannot be
   used in small enterprise network deployments that provide network
   access to hundreds of users.
   For such scenarios, the user information or profiles can be stored
   locally at the network element.  This MIB can be used by the central
   controller to manage local authentication information on the central
   controller.  One of the use cases would be to monitor user access on
   devices from multiple vendors, for example:

   -  user login/logout notifications

   -  user account lifetime expiry notifications

   -  user account creation/deletion notifications

   This draft defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes managed objects to monitor locally
   authenticated users.

   Comments should be made directly to the opsawg@ietf.org mailing
   alias.

3.  Terminology

   This document adopts the definitions, acronyms and mechanisms
   described in [RFC2903].  Unless otherwise stated, the mechanisms
   described therein will not be re-described here.

4.  Brief Description of MIB Objects

   This section describes objects pertaining to locally authenticated
   users, with specific information related to the MIB module specified
   in this document.  The MIB has one module, localAuthMIB, which is
   focused on describing users authenticated locally by a Network Access
   Server.

4.1.  Local Auth User Table (localAuthUserTable)

   The localAuthUserTable lists the currently configured local users.
   For each user entry, it provides information and statistics about the
   local user.

5.  Local Auth User MIB Module Definitions

   LOCAL-AUTH-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
       Counter32, Unsigned32, mib-2
           FROM SNMPv2-SMI
       MODULE-COMPLIANCE, NOTIFICATION-GROUP, OBJECT-GROUP
           FROM SNMPv2-CONF
       TruthValue, DateAndTime
           FROM SNMPv2-TC
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB;

   localAuthMIB MODULE-IDENTITY
       -- SMIv2 requires LAST-UPDATED to equal the most recent REVISION
       LAST-UPDATED "201305100000Z"
       ORGANIZATION "Operations and Management Area Working Group"
       CONTACT-INFO
           "Satyanarayana Danda
            Cisco Systems, Inc
            Email: sdanda@cisco.com

            Prakash Vijayaragavan
            Cisco Systems, Inc
            Email: pravijay@cisco.com"
       DESCRIPTION
           "This MIB module defines objects describing users
            authenticated locally by a Network Access Server (NAS).

            +--------+      +--------+        +---------+
            |        |      |        |        |         |
            | Client |<---->| Server |<------>| Network |
            |        |      | (NAS)  |        |         |
            +--------+      +--------+        +---------+

            A client is a telnet or SSH user needing access to the
            NAS box directly.  A network user, such as a PPP or dot1x
            user, requests authentication from the NAS box in order
            to access the network.  The NAS box authenticates the
            user against the local user database.

            GLOSSARY

            Network Access Server (NAS)
                A single point of access to a remote resource, used
                exclusively with Authentication, Authorization and
                Accounting.

            Point-to-Point Protocol (PPP)
                A data link protocol commonly used to establish a
                direct connection between two networking nodes.

            Secure Shell (SSH)
                A cryptographic network protocol for secure data
                communication.

            dot1x
                dot1x, also known as IEEE 802.1X, is an IEEE standard
                for port-based Network Access Control."
       REVISION "201305100000Z"
       DESCRIPTION
           "Initial version of MIB"
       ::= { mib-2 999 }

   -- Default Notification Type
   localAuthMIBNotifs OBJECT IDENTIFIER ::= { localAuthMIB 0 }

   -- Local authenticated user MIB object definition
   localAuthMIBObjects OBJECT IDENTIFIER ::= { localAuthMIB 1 }
   localAuthMIBConform OBJECT IDENTIFIER ::= { localAuthMIB 2 }

   -- Notification Configuration
   localAuthNotifEnable OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object specifies whether the system generates
            localAuthUserAdded, localAuthUserDeleted,
            localAuthUserLoggedIn and localAuthUserLoggedOut
            notifications."
       DEFVAL { false }
       ::= { localAuthMIBObjects 1 }

   localAuthUserTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF LocalAuthUserEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table lists the currently configured local users."
       ::= { localAuthMIBObjects 2 }

   localAuthUserEntry OBJECT-TYPE
       SYNTAX      LocalAuthUserEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry describes a local user identified by its index.
            An entry is created or modified when a user is defined in
            the system through configuration.  An entry is removed when
            a user is undefined with configuration commands via the
            CLI, or automatically when the lifetime of the user
            expires."
       INDEX { localAuthUserIndex }
       ::= { localAuthUserTable 1 }

   LocalAuthUserEntry ::= SEQUENCE {
       localAuthUserIndex              Unsigned32,
       localAuthUserName               SnmpAdminString,
       localAuthUserType               INTEGER,
       localAuthUserCreationTime       DateAndTime,
       localAuthUserLifetime           Unsigned32,
       localAuthUserLoginSuccessCount  Counter32,
       localAuthUserLoginFailureCount  Counter32,
       localAuthUserLastLoginTime      DateAndTime,
       localAuthUserOTPEnabled         TruthValue,
       localAuthUserPrivelegeLevel     Unsigned32,
       localAuthUserLoginStatus        TruthValue,
       localAuthUserPasswordLifetime   Unsigned32
   }

   localAuthUserIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object indicates an integer value that uniquely
            identifies a local user."
       ::= { localAuthUserEntry 1 }

   localAuthUserName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A textual string containing the name of the locally
            authenticated user."
       ::= { localAuthUserEntry 2 }

   localAuthUserType OBJECT-TYPE
       SYNTAX      INTEGER {
                       defaultUser(1),
                       lobbyUser(2),
                       managementUser(3),
                       networkUser(4),
                       guestUser(5)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the type of local user:

            defaultUser    - Default user account type.
            lobbyUser      - Management user with lobby admin
                             privileges; can create and manage guest
                             user accounts.
            managementUser - Management user account type.
            networkUser    - User that requires access to the network.
            guestUser      - A networkUser with a configured lifetime,
                             valid for the given time period and
                             expiring thereafter."
       ::= { localAuthUserEntry 3 }

   localAuthUserCreationTime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the time the local user was
            created."
       ::= { localAuthUserEntry 4 }

   localAuthUserLifetime OBJECT-TYPE
       SYNTAX      Unsigned32
       UNITS       "seconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the expiry duration of the local
            user; that is, the duration for which the local user is
            valid, counted from the creation time."
       ::= { localAuthUserEntry 5 }

   localAuthUserLoginSuccessCount OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of times the user has
            logged in successfully."
       ::= { localAuthUserEntry 6 }

   localAuthUserLoginFailureCount OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the number of times the user has
            failed to authenticate."
       ::= { localAuthUserEntry 7 }

   localAuthUserLastLoginTime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the last time the local user logged
            in successfully."
       ::= { localAuthUserEntry 8 }

   localAuthUserOTPEnabled OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object specifies whether One Time Password is enabled
            for the user."
       ::= { localAuthUserEntry 9 }

   localAuthUserPrivelegeLevel OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the privilege level of the local
            user."
       ::= { localAuthUserEntry 10 }

   localAuthUserLoginStatus OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the current login status of the
            local user."
       ::= { localAuthUserEntry 11 }

   localAuthUserPasswordLifetime OBJECT-TYPE
       SYNTAX      Unsigned32
       UNITS       "seconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object indicates the expiry duration of the password
            of the local user."
       ::= { localAuthUserEntry 12 }

   localAuthMIBCompliances OBJECT IDENTIFIER ::= { localAuthMIBConform 1 }

   localAuthUserAdded NOTIFICATION-TYPE
       OBJECTS { localAuthUserName, localAuthUserType,
                 localAuthUserLifetime }
       STATUS      current
       DESCRIPTION
           "This notification indicates that the system has added a
            user."
       ::= { localAuthMIBNotifs 1 }

   localAuthUserDeleted NOTIFICATION-TYPE
       OBJECTS { localAuthUserName, localAuthUserType }
       STATUS      current
       DESCRIPTION
           "This notification indicates that the system has deleted a
            user."
       ::= { localAuthMIBNotifs 2 }

   localAuthUserLoggedIn NOTIFICATION-TYPE
       OBJECTS { localAuthUserName, localAuthUserType }
       STATUS      current
       DESCRIPTION
           "This notification indicates that the user has logged into
            the system."
       ::= { localAuthMIBNotifs 3 }

   localAuthUserLoggedOut NOTIFICATION-TYPE
       OBJECTS { localAuthUserName, localAuthUserType }
       STATUS      current
       DESCRIPTION
           "This notification indicates that the user has logged out
            of the system."
       ::= { localAuthMIBNotifs 4 }

   localAuthUserPasswordExpired NOTIFICATION-TYPE
       OBJECTS { localAuthUserName, localAuthUserType }
       STATUS      current
       DESCRIPTION
           "This notification indicates that the user's password has
            expired."
       ::= { localAuthMIBNotifs 5 }

   localAuthMIBGroups OBJECT IDENTIFIER ::= { localAuthMIBConform 2 }

   localAuthMIBCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "This is the default module compliance, containing the
            default object groups."
       MODULE -- this module
           MANDATORY-GROUPS { localAuthMIBMainObjectGroup,
                              localAuthMIBNotificationGroup }
       ::= { localAuthMIBCompliances 1 }

   -- Units of Conformance
   localAuthMIBMainObjectGroup OBJECT-GROUP
       OBJECTS {
           localAuthNotifEnable,
           localAuthUserType,
           localAuthUserCreationTime,
           localAuthUserLifetime,
           localAuthUserName,
           localAuthUserLoginSuccessCount,
           localAuthUserLoginFailureCount,
           localAuthUserLastLoginTime,
           localAuthUserOTPEnabled,
           localAuthUserPrivelegeLevel,
           localAuthUserLoginStatus,
           localAuthUserPasswordLifetime
       }
       STATUS      current
       DESCRIPTION
           "This is the Local Authenticated User MIB main object
            group."
       ::= { localAuthMIBGroups 1 }

   localAuthMIBNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           localAuthUserAdded,
           localAuthUserDeleted,
           localAuthUserLoggedIn,
           localAuthUserLoggedOut,
           localAuthUserPasswordExpired
       }
       STATUS      current
       DESCRIPTION
           "This is the Local Authenticated User MIB notification
            group."
       ::= { localAuthMIBGroups 2 }

   END

6.  Security Considerations

   There are a few management objects defined in this MIB module with a
   MAX-ACCESS clause of read-write and/or read-create.  Such objects may
   be considered sensitive or vulnerable in some network environments.
   Support for SET operations in a non-secure environment without proper
   protection can have a negative effect on network operations.  These
   are the tables and objects and their sensitivity/vulnerability:

   The management object localAuthNotifEnable can be modified by network
   operators, which can result in a large number of notifications being
   generated by the NAS.

   The localAuthUserName object exposed via this MIB may not be
   considered a risk with respect to an attacker.  A username, as an
   identity in the network transport, would mostly be clear text.
   If this object is not exposed via the MIB, an intruder can obtain this
   information via packet capture or by other means.  Even when the
   username is known, the risk can be mitigated by enforcing strong
   password encryption schemes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

7.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------
   localAuthUserMIB  { mib-2 XXX }

   [Editor's Note (to be removed prior to publication): the IANA is
   requested to assign a value for "XXX" under the 'mib-2' subtree and
   to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to replace
   "XXX" (here and in the MIB module) with the assigned value and to
   remove this note.]

8.  References

8.1.  Normative References

   [RFC2903]  de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and
              D. Spence, "Generic AAA Architecture", RFC 2903,
              August 2000.

8.2.  Informative References

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and
              J. Schoenwaelder, "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

Appendix A.  Acknowledgments

   The authors would like to thank Mouli Chandramouli, Peddareddappa
   Gonichettipalli, Arun Kudur, Naresh Sunkara and Biju Raju for their
   comments and suggestions.

Authors' Addresses

   Satyanarayana Danda
   Cisco Systems

   EMail: sdanda@cisco.com


   Prakash Vijayaragavan
   Cisco Systems

   EMail: pravijay@cisco.com
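The following Python model is an added example, not code from the draft or its authors: it exercises the row and notification semantics that the localAuthUserTable, localAuthNotifEnable and NOTIFICATION-TYPE definitions in Section 5 describe (creation with a lifetime, success/failure login counters, automatic row removal on expiry, and suppression of every notification while localAuthNotifEnable keeps its DEFVAL of false). The OID arcs are derived from the draft's placeholder { mib-2 999 }; the class and method names, the epoch-second timestamps and the rule that a lifetime of 0 means "never expires" are assumptions of this example, since the draft defines no such value.

```python
from dataclasses import dataclass
MIB = "1.3.6.1.2.1.999"      # { mib-2 999 }, the draft's placeholder arc under mib-2
NOTIF = MIB + ".0"           # localAuthMIBNotifs
ENTRY = MIB + ".1.2.1"       # localAuthMIBObjects(1).localAuthUserTable(2).localAuthUserEntry(1)
USER_TYPE = {"defaultUser": 1, "lobbyUser": 2, "managementUser": 3, "networkUser": 4, "guestUser": 5}

@dataclass
class Row:                   # one localAuthUserEntry, keyed by localAuthUserIndex
    name: str                # localAuthUserName
    utype: int               # localAuthUserType
    created: int             # localAuthUserCreationTime, epoch seconds (assumption; MIB uses DateAndTime)
    lifetime: int            # localAuthUserLifetime in seconds; 0 = never expires (assumption)
    login_ok: int = 0        # localAuthUserLoginSuccessCount
    login_fail: int = 0      # localAuthUserLoginFailureCount
    last_login: int = 0      # localAuthUserLastLoginTime
    logged_in: bool = False  # localAuthUserLoginStatus

class LocalAuthAgent:        # hypothetical NAS-side instrumentation of the table
    def __init__(self):
        self.notif_enable = False                  # localAuthNotifEnable DEFVAL { false }
        self.rows, self.next_index, self.sent = {}, 1, []

    def _notify(self, n, row, extra=()):
        if self.notif_enable:                      # nothing is emitted while NotifEnable is false
            self.sent.append((f"{NOTIF}.{n}", [row.name, row.utype, *extra]))

    def add_user(self, name, utype, lifetime, now):
        idx, self.next_index = self.next_index, self.next_index + 1
        self.rows[idx] = Row(name, USER_TYPE[utype], now, lifetime)
        self._notify(1, self.rows[idx], (lifetime,))   # localAuthUserAdded carries the lifetime
        return idx

    def delete_user(self, idx):
        self._notify(2, self.rows.pop(idx))            # localAuthUserDeleted

    def record_login(self, name, ok, now):
        row = next(r for r in self.rows.values() if r.name == name)
        if ok:
            row.login_ok, row.last_login, row.logged_in = row.login_ok + 1, now, True
            self._notify(3, row)                       # localAuthUserLoggedIn
        else:
            row.login_fail += 1                        # counted, but no notification is defined

    def expire(self, now):
        # Entry DESCRIPTION: a row is removed automatically once its lifetime has elapsed.
        for idx, r in list(self.rows.items()):
            if r.lifetime and r.created + r.lifetime <= now:
                self.delete_user(idx)

    def get(self, column, idx):
        # GET on localAuthUserEntry.<column>.<localAuthUserIndex>; returns (oid, value).
        r = self.rows[idx]
        cols = {2: r.name, 3: r.utype, 4: r.created, 5: r.lifetime, 6: r.login_ok,
                7: r.login_fail, 8: r.last_login, 11: r.logged_in}
        return f"{ENTRY}.{column}.{idx}", cols[column]
```

A manager polling localAuthUserLoginFailureCount sees failures accumulate even though the draft defines no notification for them, which is why the counter, not the trap stream, is the place to watch for password guessing against local accounts.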