ENTERASYS-RADIUS-AUTH-CLIENT-ENCRYPT-MIB
The Enterasys Networks Proprietary MIB module for entities implementing the client side of the Remote Access Dialin User Service (RADIUS) authentication protocol (RFC2865).

N O T I C E

Use of this MIB in any product requires the approval of the Office of the CTO, Enterasys Networks, Inc. Permission to use this MIB will not be granted for products in which SNMPv3 is now, or will soon be, implemented. Permission to use this MIB in products that are never scheduled to implement SNMPv3 will be granted on a case-by-case basis, depending on what other suitable, secure means of RADIUS client configuration are available in the product.

------------------

The standard RADIUS Authentication Client MIB (RFC2618) does not have any writable objects, and is missing key objects needed for configuration. Use of this MIB requires encryption/decryption for security during transmission, using SNMPv1. Therefore, there are two separate processes needed to use this MIB.

1) The standard processes for SNMP gets and sets.
2) The encoding/encryption or decryption/decoding of objects.

The encryption/decryption algorithm, as presented herein, is taken from the RADIUS protocol, and is the method specified for encryption of Tunnel-Password Attributes in RFC 2868. For a detailed discussion of the encoding/decoding and encryption/decryption of applicable objects, refer to the definition of RadiusEncryptionString defined in the Textual Conventions section of this MIB.

Note that the encryption/decryption method makes use of an agreed-upon Secret and an Authenticator which are shared between the RADIUS Client SNMP interface and the management entity implementing the MIB. The reason that the shared secret and authenticator are algorithmically derived in the RADIUS Client / SNMP Agent and in the SNMP Management Station is to permit plug-'n-play remote installation, configuration and management of the device.
An object is included to allow remote management of the Authenticator portion of the encryption key. It is suggested that this value be changed by the network administrator after initial configuration of the system.

On receipt, the process is reversed to yield the plain-text String.
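The RFC 2868 Tunnel-Password scheme that the description names, written out as an added example (not code from the MIB or from Enterasys). The secret and authenticator values are constructed samples, and the MIB-specific encoding of RadiusEncryptionString objects, which this page does not reproduce, is not modelled.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; plaintext is processed in 16-octet blocks

# Constructed sample values, not taken from any device or from the MIB.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))


def _xor_blocks(data, secret, authenticator, salt, decrypting):
    out = b""
    prev = authenticator + salt  # b(1) = MD5(S + R + A)
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(x ^ k for x, k in zip(chunk, pad))
        out += mixed
        # b(i) = MD5(S + c(i-1)): chaining always uses the ciphertext block
        prev = chunk if decrypting else mixed
    return out


def encrypt(plaintext, secret, authenticator, salt=None):
    if len(plaintext) > 255:
        raise ValueError("Data-Length is a single octet")
    if len(authenticator) != BLOCK:
        raise ValueError("authenticator must be 16 octets")
    if salt is None:
        raw = os.urandom(2)
        salt = bytes([raw[0] | 0x80, raw[1]])  # high bit of Salt must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    body = bytes([len(plaintext)]) + plaintext
    body += b"\x00" * (-len(body) % BLOCK)  # pad to a multiple of 16
    return salt + _xor_blocks(body, secret, authenticator, salt, False)


def decrypt(blob, secret, authenticator):
    salt, ct = blob[:2], blob[2:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext must be a non-empty multiple of 16")
    body = _xor_blocks(ct, secret, authenticator, salt, True)
    length = body[0]
    if length > len(body) - 1:
        raise ValueError("length octet exceeds data: wrong key or corruption")
    return body[1:1 + length]
```

The construction is an MD5-derived XOR keystream with no integrity check, so `decrypt` can only notice a wrong secret or authenticator through an implausible length octet.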