-- ***************************************************************** -- CISCO-PAE-MIB: CISCO private MIB for IEEE 802.1x -- -- September 2001, Binh P Le -- -- Copyright (c) 2001, 2002, 2003, 2004, 2005 by cisco Systems, Inc. -- All rights reserved. -- ***************************************************************** CISCO-PAE-MIB DEFINITIONS ::= BEGIN IMPORTS OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE, Unsigned32 FROM SNMPv2-SMI TruthValue, MacAddress, TEXTUAL-CONVENTION FROM SNMPv2-TC OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddress, InetAddressType FROM INET-ADDRESS-MIB dot1xPaePortEntry, dot1xPaePortNumber, dot1xAuthPaeState, dot1xAuthConfigEntry FROM IEEE8021-PAE-MIB InterfaceIndex FROM IF-MIB VlanIndex FROM CISCO-VTP-MIB CiscoURLString FROM CISCO-TC CnnEouPostureToken FROM CISCO-NAC-NAD-MIB ciscoMgmt FROM CISCO-SMI; ciscoPaeMIB MODULE-IDENTITY LAST-UPDATED "200509220000Z" ORGANIZATION "Cisco System, Inc." CONTACT-INFO " Cisco Systems Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS E-mail: cs-lan-switch-snmp@cisco.com" DESCRIPTION "Cisco Port Access Entity (PAE) module for managing IEEE Std 802.1x. This MIB provides Port Access Entity information that are either excluded by IEEE8021-PAE-MIB or specific to Cisco products." REVISION "200509220000Z" DESCRIPTION "Added cpaeGuestVlanGroup3, cpaePortAuthFailVlanGroup, cpaePortOperVlanGroup, cpaeNoGuestVlanNotifEnableGrp, cpaeNoAuthFailVlanNotifEnableGrp, cpaeNoGuestVlanNotifGroup, cpaeNoAuthFailVlanNotifGroup, cpaeMacAuthBypassGroup, cpaeWebAuthGroup, cpaeAuthConfigGroup and cpaeHostInfoGroup. Deprecated cpaeInGuestVlan, cpaeGuestVlanGroup2." REVISION "200404230000Z" DESCRIPTION "Modified the DESCRIPTION clauses of cpaeGuestVlanNumber and cpaeGuestVlanId." REVISION "200404010000Z" DESCRIPTION "Added cpaeUserGroupGroup and cpaeRadiusConfigGroup." 
REVISION "200304080000Z" DESCRIPTION "Added cpaeGuestVlanGroup2 and cpaeShutdownTimeoutGroup. Deprecated cpaeGuestVlanGroup." REVISION "200210160000Z" DESCRIPTION "Added cpaePortEntryGroup and cpaeGuestVlanGroup. Deprecated cpaeMultipleHostGroup." REVISION "200105241016Z" DESCRIPTION "Initial version of this MIB module." ::= { ciscoMgmt 220 } cpaeMIBNotification OBJECT IDENTIFIER ::= { ciscoPaeMIB 0 } cpaeMIBObject OBJECT IDENTIFIER ::= { ciscoPaeMIB 1 } cpaeMIBConformance OBJECT IDENTIFIER ::= { ciscoPaeMIB 2 } --- Textual Conventions ReAuthPeriodSource ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Source of the reAuthPeriod constant, used by the 802.1x Reauthentication Timer state machine. local : local configured reauthentication period specified by the object dot1xAuthReAuthPeriod will be used. server: the reauthentication period will be received from the Authentication server. auto : source of reauthentication period will be decided by the system." SYNTAX INTEGER { local(1), server(2), auto(3) } cpaePortTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaePortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of system level information for each port supported by the Port Access Entity. An entry appears in this table for each PAE port of this system. This table contains additional objects for the dot1xPaePortTable." REFERENCE "IEEE 802.1x Subclause 9.6.1" ::= { cpaeMIBObject 1 } cpaePortEntry OBJECT-TYPE SYNTAX CpaePortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing additional management information applicable to a particular PAE port." 
AUGMENTS { dot1xPaePortEntry } ::= { cpaePortTable 1 } CpaePortEntry ::= SEQUENCE { cpaeMultipleHost TruthValue, cpaePortMode INTEGER, cpaeGuestVlanNumber VlanIndex, cpaeInGuestVlan TruthValue, cpaeShutdownTimeoutEnabled TruthValue, cpaePortAuthFailVlan VlanIndex, cpaePortOperVlan VlanIndex, cpaePortOperVlanType INTEGER } cpaeMultipleHost OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS deprecated DESCRIPTION "Specifies whether the port allows multiple-host connection or not." ::= { cpaePortEntry 1 } cpaePortMode OBJECT-TYPE SYNTAX INTEGER { singleHost(1), multiHost(2), multiAuth(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the current mode of dot1x operation on the port. singleHost(1): port allows one host to connect and authenticate. multiHost(2) : port allows multiple hosts to connect. Once a host is authenticated, all remaining hosts are also authorized. multiAuth(3) : port allows multiple hosts to connect and each host is authenticated. If the port security feature is enabled on the interface, the configuration of the port security (such as the number of the hosts allowed, the security violation action, etc) will apply to the interface." ::= { cpaePortEntry 2 } cpaeGuestVlanNumber OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the Guest Vlan of the interface. An interface with cpaePortMode value of 'singleHost' will be moved to its Guest Vlan if the supplicant on the interface is not capable of IEEE-802.1x authentication. A value of zero for this object indicates no Guest Vlan configured for the interface." ::= { cpaePortEntry 3 } cpaeInGuestVlan OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS deprecated DESCRIPTION "Indicates whether the interface is in its Guest Vlan or not. The object is deprecated in favor of newly added object cpaePortOperVlanType." 
::= { cpaePortEntry 4 } cpaeShutdownTimeoutEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies whether shutdown timeout feature is enabled on the interface." ::= { cpaePortEntry 5 } cpaePortAuthFailVlan OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the Auth-Fail (Authentication Fail) Vlan of the port. A port with cpaePortMode value of 'singleHost' will be moved to its Auth-Fail Vlan if the supplicant supports IEEE-802.1x authentication but is unsuccessfully authenticated. A value of zero for this object indicates no Auth-Fail Vlan configured for the port." ::= { cpaePortEntry 6 } cpaePortOperVlan OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS read-only STATUS current DESCRIPTION "The VlanIndex of the Vlan which is assigned to this port via IEEE-802.1x and related methods of authentication supported by the system. A value of zero for this object indicates that no Vlan is assigned to this port via IEEE-802.1x authentication." ::= { cpaePortEntry 7 } cpaePortOperVlanType OBJECT-TYPE SYNTAX INTEGER { other(1), none(2), guest(3), authFail(4) } MAX-ACCESS read-only STATUS current DESCRIPTION "The type of the Vlan which is assigned to this port via IEEE-802.1x and related methods of authentication supported by the system. A value of 'other' for this object indicates type of Vlan assigned to this port; via IEEE-802.1x authentication; is other than the ones specified by listed enumerations for this object. A value of 'none' for this object indicates that there is no Vlan assigned to this port via IEEE-802.1x authentication. For such a case, corresponding value of cpaePortOperVlan object will be zero. A value of 'guest' for this object indicates that Vlan assigned to this port; via IEEE-802.1x authentication; is of type Guest Vlan and specified by the object cpaeGuestVlanNumber for this entry. 
A value of 'authFail' for this object indicates that Vlan assigned to this port; via IEEE-802.1x authentication; is of type Auth-Fail Vlan and specified by the object cpaePortAuthFailVlan for this entry." ::= { cpaePortEntry 8 } cpaeGuestVlanId OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS read-write STATUS deprecated DESCRIPTION "Specifies the Guest Vlan of the system. An interface with cpaePortMode value of 'singleHost' will be moved to Guest Vlan if the supplicant on the interface is not IEEE-802.1x capable. A value of zero indicates no Guest Vlan configured in the system. If the platform supports per-port guest Vlan ID configuration, this object is not instantiated." ::= { cpaeMIBObject 2 } cpaeShutdownTimeout OBJECT-TYPE SYNTAX Unsigned32 (0..65535) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the shutdown timeout interval to enable the interface automatically in case it is shut down due to security violation. If the value of this object is 0, the interfaces shut down due to the security violation will not be enabled automatically. The value of this object is applicable to the interface only when cpaeShutdownTimeoutEnabled is 'true', and port security feature is disabled on the interface." ::= { cpaeMIBObject 3 } cpaeRadiusAccountingEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies if RADIUS accounting is enabled for 802.1x on this device." ::= { cpaeMIBObject 4 } cpaeUserGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeUserGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of Group Manager and authenticated users information on the device." ::= { cpaeMIBObject 5 } cpaeUserGroupEntry OBJECT-TYPE SYNTAX CpaeUserGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Information about an 802.1x authenticated user on the device."
INDEX { cpaeUserGroupName, cpaeUserGroupUserIndex } ::= { cpaeUserGroupTable 1 } CpaeUserGroupEntry ::= SEQUENCE { cpaeUserGroupName SnmpAdminString, cpaeUserGroupUserIndex Unsigned32, cpaeUserGroupUserName SnmpAdminString, cpaeUserGroupUserAddrType InetAddressType, cpaeUserGroupUserAddr InetAddress, cpaeUserGroupUserInterface InterfaceIndex, cpaeUserGroupUserVlan VlanIndex } cpaeUserGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..100)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Specifies the name of the group that the user belongs to." ::= { cpaeUserGroupEntry 1 } cpaeUserGroupUserIndex OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index of a user within a group." ::= { cpaeUserGroupEntry 2 } cpaeUserGroupUserName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Specifies the name of the user authenticated on a port of the device." ::= { cpaeUserGroupEntry 3 } cpaeUserGroupUserAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "Specifies the type of address used to determine the address of the user." ::= { cpaeUserGroupEntry 4 } cpaeUserGroupUserAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Specifies the address of the host that the user is logging in from." ::= { cpaeUserGroupEntry 5 } cpaeUserGroupUserInterface OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS read-only STATUS current DESCRIPTION "Specifies the interface index that the user is authenticated on." ::= { cpaeUserGroupEntry 6 } cpaeUserGroupUserVlan OBJECT-TYPE SYNTAX VlanIndex MAX-ACCESS read-only STATUS current DESCRIPTION "Specifies the vlan that the user belongs to."
::= { cpaeUserGroupEntry 7 } cpaeAuthFailUserTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeAuthFailUserEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table to list user information for each port on the system supported by the Port Access Entity and assigned to Auth-Fail Vlan." ::= { cpaeMIBObject 6 } cpaeAuthFailUserEntry OBJECT-TYPE SYNTAX CpaeAuthFailUserEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry appears in this table for each PAE port on the system which is assigned to Vlan of type 'authFail' via IEEE-802.1x authentication." INDEX { dot1xPaePortNumber } ::= { cpaeAuthFailUserTable 1 } CpaeAuthFailUserEntry ::= SEQUENCE { cpaeAuthFailUserName SnmpAdminString } cpaeAuthFailUserName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the name of the user who failed IEEE-802.1x authentication and is hence now assigned to Auth-Fail Vlan. The Auth-Fail Vlan to which the user belongs is determined by the value of object cpaePortAuthFailVlan for this port." ::= { cpaeAuthFailUserEntry 1 } -- Notifications Control cpaeNotificationControl OBJECT IDENTIFIER ::= { cpaeMIBObject 7 } cpaeNoGuestVlanNotifEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This variable indicates whether the system produces the cpaeNoGuestVlanNotif. A 'false' value will prevent cpaeNoGuestVlanNotif from being generated by this system." ::= { cpaeNotificationControl 1 } cpaeNoAuthFailVlanNotifEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This variable indicates whether the system produces the cpaeNoAuthFailVlanNotif. A 'false' value will prevent cpaeNoAuthFailVlanNotif from being generated by this system."
::= { cpaeNotificationControl 2 } -- MAC Authentication Bypass feature cpaeMacAuthBypass OBJECT IDENTIFIER ::= { cpaeMIBObject 8 } cpaeMacAuthBypassReAuthTimeout OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the waiting time before reauthentication is triggered on all MAC Auth-bypass authenticated ports." ::= { cpaeMacAuthBypass 1 } cpaeMacAuthBypassReAuthEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The reauthentication control for all MAC Auth-bypass ports. Setting this object to 'true' causes every MAC Auth-Bypass authenticated port to reauthenticate the device connecting to the port, after every period of time specified by the object cpaeMacAuthBypassReAuthTimeout. Setting this object to 'false' will disable the MAC Auth-Bypass global reauthentication." ::= { cpaeMacAuthBypass 2 } cpaeMacAuthBypassViolation OBJECT-TYPE SYNTAX INTEGER { restrict(1), shutdown(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the action upon reception of a security violation event. restrict(1): Packets from MAC address of the device causing security violation will be dropped. shutdown(2): The port that causes security violation will be shutdown." ::= { cpaeMacAuthBypass 3 } cpaeMacAuthBypassShutdownTimeout OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies time before a port is auto-enabled after being shutdown due to a MAC Auth-bypass security violation." ::= { cpaeMacAuthBypass 4 } cpaeMacAuthBypassAuthFailTimeout OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the time a MAC Auth-bypass unauthenticated port waits before trying the authentication process again." 
::= { cpaeMacAuthBypass 5 } cpaeMacAuthBypassPortTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeMacAuthBypassPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of MAC Authentication Bypass (MAC Auth-Bypass) configuration and information for ports in the device." ::= { cpaeMacAuthBypass 6 } cpaeMacAuthBypassPortEntry OBJECT-TYPE SYNTAX CpaeMacAuthBypassPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing management information for MAC Auth-Bypass feature on a port." INDEX { dot1xPaePortNumber } ::= { cpaeMacAuthBypassPortTable 1 } CpaeMacAuthBypassPortEntry ::= SEQUENCE { cpaeMacAuthBypassPortEnabled TruthValue, cpaeMacAuthBypassPortInitialize TruthValue, cpaeMacAuthBypassPortReAuth TruthValue, cpaeMacAuthBypassPortMacAddress MacAddress, cpaeMacAuthBypassPortAuthState INTEGER } cpaeMacAuthBypassPortEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies whether MAC Auth-Bypass is enabled on the port." ::= { cpaeMacAuthBypassPortEntry 1 } cpaeMacAuthBypassPortInitialize OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The initialization control for this port. Setting this object to 'true' causes the MAC Auth-bypass state machine to be initialized on the port. Setting this object to 'false' has no effect. This object always returns 'false' when it is read." ::= { cpaeMacAuthBypassPortEntry 2 } cpaeMacAuthBypassPortReAuth OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The reauthentication control for this port. Setting this object to 'true' causes the MAC address of the device connecting to the port to be reauthenticated. Setting this object to 'false' has no effect. This object always returns 'false' when it is read." 
::= { cpaeMacAuthBypassPortEntry 3 } cpaeMacAuthBypassPortMacAddress OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the MAC address of the device connecting to the port." ::= { cpaeMacAuthBypassPortEntry 4 } cpaeMacAuthBypassPortAuthState OBJECT-TYPE SYNTAX INTEGER { other(1), waiting(2), authenticating(3), authenticated(4), fail(5), finished(6) } MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the current state of the MAC Auth-Bypass state machine. other(1) : An unknown state. waiting(2) : Waiting to receive the MAC address that needs to be authenticated. authenticating(3): In authentication process. authenticated(4) : MAC address of the device connecting to the port is authenticated. fail(5) : MAC Auth-bypass authentication failed. Port waits for a period of time before moving to the 'waiting' state, if there is no other authentication features available in the system. finished(6) : MAC Auth-bypass authentication failed. Port is authenticated by another authentication feature." ::= { cpaeMacAuthBypassPortEntry 5 } cpaeMacAuthBypassAcctEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies if accounting is enabled for Mac Authentication Bypass feature on this device." ::= { cpaeMacAuthBypass 7 } -- Web Based Proxy Authentication feature cpaeWebAuth OBJECT IDENTIFIER ::= { cpaeMIBObject 9 } cpaeWebAuthEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies whether Web Proxy Authentication is enabled in the system." ::= { cpaeWebAuth 1 } cpaeWebAuthSessionPeriod OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the Web Proxy Authentication session period for the system. Session period is the time after which an Web Proxy Authenticated session is terminated." 
::= { cpaeWebAuth 2 } cpaeWebAuthLoginPage OBJECT-TYPE SYNTAX CiscoURLString MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the customized login page for Web Proxy Authentication, in the format of an URL. A customized login page is required to support the same input fields as the default login page for users to input credentials. If this object contains a zero length string, the default login page will be used." ::= { cpaeWebAuth 3 } cpaeWebAuthLoginFailedPage OBJECT-TYPE SYNTAX CiscoURLString MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the customized login-failed page for Web Proxy Authentication, in the format of an URL. Login-failed page is sent back to the client upon an authentication failure. A login-failed page requires to have all the input fields of the login page, in addition to the authentication failure information. If this object contains a zero length string, the default login-failed page will be used." ::= { cpaeWebAuth 4 } cpaeWebAuthQuietPeriod OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the time a Web Proxy Authentication state machine will be held in 'blackListed' state after maximum authentication attempts." ::= { cpaeWebAuth 5 } cpaeWebAuthMaxRetries OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the maximum number of unsuccessful login attempts a user is allowed to make." ::= { cpaeWebAuth 6 } cpaeWebAuthPortTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeWebAuthPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of Web Proxy Authentication configuration and information for the feature capable ports in the device." ::= { cpaeWebAuth 7 } cpaeWebAuthPortEntry OBJECT-TYPE SYNTAX CpaeWebAuthPortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing management information for Web Proxy Authentication feature on a port." 
INDEX { dot1xPaePortNumber } ::= { cpaeWebAuthPortTable 1 } CpaeWebAuthPortEntry ::= SEQUENCE { cpaeWebAuthPortEnabled TruthValue, cpaeWebAuthPortInitialize TruthValue } cpaeWebAuthPortEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies whether Web Proxy Authentication is enabled on the port." ::= { cpaeWebAuthPortEntry 1 } cpaeWebAuthPortInitialize OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The initialization control for this port. Setting this object to 'true' causes Web Proxy Authentication state machine to be initialized for all the hosts connecting to the port. Setting this object to 'false' has no effect. This object always returns 'false' when it is read." ::= { cpaeWebAuthPortEntry 2 } cpaeWebAuthHostTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeWebAuthHostEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of Web Proxy Authentication information for hosts currently managed by the feature. An entry is added to the table when a host is detected and Web Proxy Authentication state machine is initiated for the host." ::= { cpaeWebAuth 8 } cpaeWebAuthHostEntry OBJECT-TYPE SYNTAX CpaeWebAuthHostEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing management information for Web Proxy Authentication feature on a host." INDEX { dot1xPaePortNumber, cpaeWebAuthHostAddrType, cpaeWebAuthHostAddress } ::= { cpaeWebAuthHostTable 1 } CpaeWebAuthHostEntry ::= SEQUENCE { cpaeWebAuthHostAddrType InetAddressType, cpaeWebAuthHostAddress InetAddress, cpaeWebAuthAaaSessionPeriod Unsigned32, cpaeWebAuthHostSessionTimeLeft Unsigned32, cpaeWebAuthHostState INTEGER, cpaeWebAuthHostInitialize TruthValue } cpaeWebAuthHostAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS current DESCRIPTION "Indicates the Internet address type for the host." 
::= { cpaeWebAuthHostEntry 1 } cpaeWebAuthHostAddress OBJECT-TYPE SYNTAX InetAddress (SIZE (0..64)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Indicates the Internet address for the host. The type of this address is determined by the value of cpaeWebAuthHostAddrType." ::= { cpaeWebAuthHostEntry 2 } cpaeWebAuthAaaSessionPeriod OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the session period for a Web Proxy Authenticated session on this host, supplied by the AAA server. If value of this object is non-zero, it will take precedence over the period specified by cpaeWebAuthSessionPeriod." ::= { cpaeWebAuthHostEntry 3 } cpaeWebAuthHostSessionTimeLeft OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the leftover time of the current Web Proxy Authenticated session for this host." ::= { cpaeWebAuthHostEntry 4 } cpaeWebAuthHostState OBJECT-TYPE SYNTAX INTEGER { initialize(1), connecting(2), authenticating(3), authenticated(4), authFailed(5), parseError(6), sessionTimeout(7), blackListed(8) } MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the current state of the Web Proxy Authentication state machine. initialize : Initial state of the Web Proxy Authentication state machine. connecting : Login page is sent to the client, waiting for response from the client. authenticating: Credentials are extracted from client's response and authenticating with the AAA server. authenticated : Web Proxy Authentication succeeded. Session timer is started, policies are applied, and success page is sent back to client. authFailed : Web Proxy Authentication failed. Login page is resent with authentication failure information embedded, if retry count has not exceeded the maximum number of retry attempts. Otherwise, move to 'blackListed' state. parseError : Failed to extract user's credentials from the client's response.
sessionTimeout: Session timer expired, user's policies are removed, state machine will move to 'initialize' state after that. blackListed : Web Proxy Authentication retry count has exceeded the maximum number of retry attempts. Only setting the state machine to 'initialize' will take it out of this state." ::= { cpaeWebAuthHostEntry 5 } cpaeWebAuthHostInitialize OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The initialization control for this host. Setting this object to 'true' causes Web Proxy Authentication state machine to be initialized for the host. Setting this object to 'false' has no effect. This object always returns 'false' when it is read." ::= { cpaeWebAuthHostEntry 6 } -- LAN Port 802.1x cpaeAuthConfigTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeAuthConfigEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table containing the configuration objects for the Authenticator PAE associated with each port. An entry appears in this table for each PAE port that may authenticate access to itself. This table contains additional objects for the dot1xAuthConfigTable." ::= { cpaeMIBObject 10 } cpaeAuthConfigEntry OBJECT-TYPE SYNTAX CpaeAuthConfigEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing additional management information applicable to a particular Authenticator PAE." AUGMENTS { dot1xAuthConfigEntry } ::= { cpaeAuthConfigTable 1 } CpaeAuthConfigEntry ::= SEQUENCE { cpaeAuthReAuthPeriodSrcAdmin ReAuthPeriodSource, cpaeAuthReAuthPeriodSrcOper ReAuthPeriodSource, cpaeAuthReAuthPeriodOper Unsigned32, cpaeAuthTimeToNextReAuth Unsigned32, cpaeAuthReAuthAction INTEGER, cpaeAuthReAuthMax Unsigned32, cpaeAuthIabEnabled TruthValue } cpaeAuthReAuthPeriodSrcAdmin OBJECT-TYPE SYNTAX ReAuthPeriodSource MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the source of the reAuthPeriod constant to be used by the Reauthentication Timer state machine."
::= { cpaeAuthConfigEntry 1 } cpaeAuthReAuthPeriodSrcOper OBJECT-TYPE SYNTAX ReAuthPeriodSource MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the source of the reAuthPeriod constant currently in use by the Reauthentication Timer state machine." ::= { cpaeAuthConfigEntry 2 } cpaeAuthReAuthPeriodOper OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the operational reauthentication period for this port." ::= { cpaeAuthConfigEntry 3 } cpaeAuthTimeToNextReAuth OBJECT-TYPE SYNTAX Unsigned32 UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the leftover time of the current session for this port." ::= { cpaeAuthConfigEntry 4 } cpaeAuthReAuthAction OBJECT-TYPE SYNTAX INTEGER { terminate(1), reAuth(2), noReAuth(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the reauthentication action for this port. terminate: Session will be terminated, with the corresponding Authenticator PAE state machine transits to 'disconnected'. reAuth : The port will be reauthenticated. noReAuth : The port will not be reauthenticated." ::= { cpaeAuthConfigEntry 5 } cpaeAuthReAuthMax OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "The value of the reAuthMax constant currently in use by the Authenticator PAE state machine." REFERENCE "8.5.4.1.2, reAuthMax" ::= { cpaeAuthConfigEntry 6 } cpaeAuthIabEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies whether the PAE port is declared as Inaccessible Authentication Bypass (IAB). IAB ports will be granted network access via the administrative configured VLAN if it failed to connect to the Authentication server. The only way to bring an IAB port back to the Backend Authentication state machine is through setting dot1xPaePortInitialize in the corresponding entry in dot1xPaePortTable to 'true'. 
802.1x reauthentication will be temporarily disabled on an authenticated IAB port if the connection to the Authentication server is broken, and enabled again when the connection is resumed." ::= { cpaeAuthConfigEntry 7 } cpaeHostInfoTable OBJECT-TYPE SYNTAX SEQUENCE OF CpaeHostInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table containing 802.1x authentication information for hosts connecting to PAE ports in the system." ::= { cpaeMIBObject 11 } cpaeHostInfoEntry OBJECT-TYPE SYNTAX CpaeHostInfoEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry appears in the table for each 802.1x capable host connecting to a PAE port, providing its authentication information." INDEX { dot1xPaePortNumber, cpaeHostInfoHostIndex } ::= { cpaeHostInfoTable 1 } CpaeHostInfoEntry ::= SEQUENCE { cpaeHostInfoHostIndex Unsigned32, cpaeHostInfoMacAddress MacAddress, cpaeHostInfoPostureToken CnnEouPostureToken } cpaeHostInfoHostIndex OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS not-accessible STATUS current DESCRIPTION "An arbitrary index assigned by the agent to identify the host." ::= { cpaeHostInfoEntry 1 } cpaeHostInfoMacAddress OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the Mac Address of the host." ::= { cpaeHostInfoEntry 2 } cpaeHostInfoPostureToken OBJECT-TYPE SYNTAX CnnEouPostureToken MAX-ACCESS read-only STATUS current DESCRIPTION "Indicates the posture token assigned to the host." ::= { cpaeHostInfoEntry 3 } -- Notifications cpaeNoGuestVlanNotif NOTIFICATION-TYPE OBJECTS { dot1xAuthPaeState } STATUS current DESCRIPTION "A cpaeNoGuestVlanNotif is sent if a non-802.1x supplicant is detected on a PAE port for which the value of corresponding instance of dot1xAuthAuthControlledPortControl is 'auto' and the value of corresponding instance of cpaeGuestVlanNumber is zero."
::= { cpaeMIBNotification 1 }

-- Notification raised when a supplicant fails 802.1x authentication on a port
-- whose port control is 'auto' and whose cpaePortAuthFailVlan is zero.
-- The only varbind is dot1xAuthPaeState; the affected port is presumably
-- identified by that varbind's instance index (dot1xPaePortNumber in
-- IEEE8021-PAE-MIB), to be confirmed against that MIB.
-- NOTE(review): cpaeNoAuthFailVlanNotifEnable is grouped below as the control
-- for Auth-Fail related notifications; its definition is outside this section,
-- so confirm its default before relying on this trap to monitor failed
-- authentications.
cpaeNoAuthFailVlanNotif NOTIFICATION-TYPE
    OBJECTS { dot1xAuthPaeState }
    STATUS current
    DESCRIPTION "A cpaeNoAuthFailVlanNotif is sent if a 802.1x supplicant fails to authenticate on a PAE port for which the value of corresponding instance of dot1xAuthAuthControlledPortControl is 'auto' and the value of corresponding instance of cpaePortAuthFailVlan is zero."
    ::= { cpaeMIBNotification 2 }

-- Conformance

-- Sub-trees of cpaeMIBConformance: compliance statements under 1,
-- object and notification groups under 2.
cpaeMIBCompliances OBJECT IDENTIFIER ::= { cpaeMIBConformance 1 }
cpaeMIBGroups OBJECT IDENTIFIER ::= { cpaeMIBConformance 2 }

-- Compliance statement 1 (deprecated): cpaeMultipleHostGroup is the only
-- mandatory group.
cpaeCompliance MODULE-COMPLIANCE
    STATUS deprecated
    DESCRIPTION "The compliance statement for devices that implement the CISCO-PAE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { cpaeMultipleHostGroup }
    ::= { cpaeMIBCompliances 1 }

-- Compliance statement 2 (deprecated): cpaePortEntryGroup is mandatory and
-- the system-wide Guest Vlan group is required where that feature exists.
cpaeCompliance2 MODULE-COMPLIANCE
    STATUS deprecated
    DESCRIPTION "The compliance statement for devices that implement the CISCO-PAE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { cpaePortEntryGroup }

        GROUP cpaeGuestVlanGroup
        DESCRIPTION "This group is mandatory in devices running software which supports Guest Vlan feature."
    ::= { cpaeMIBCompliances 2 }

-- Compliance statement 3 (deprecated): switches to the per-interface Guest
-- Vlan group and adds the Shutdown Timeout group.
cpaeCompliance3 MODULE-COMPLIANCE
    STATUS deprecated
    DESCRIPTION "The compliance statement for devices that implement the CISCO-PAE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { cpaePortEntryGroup }

        GROUP cpaeGuestVlanGroup2
        DESCRIPTION "This group is mandatory in devices running software which supports per-interface Guest Vlan feature."

        GROUP cpaeShutdownTimeoutGroup
        DESCRIPTION "This group is mandatory in devices running software which support Shutdown Timeout feature."
    ::= { cpaeMIBCompliances 3 }

-- Compliance statement 4 (deprecated): statement 3 plus the RADIUS
-- configuration and user group (Group Manager) groups.
cpaeCompliance4 MODULE-COMPLIANCE
    STATUS deprecated
    DESCRIPTION "The compliance statement for devices that implement the CISCO-PAE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { cpaePortEntryGroup }

        GROUP cpaeGuestVlanGroup2
        DESCRIPTION "This group is mandatory in devices running software which supports per-interface Guest Vlan feature."

        GROUP cpaeShutdownTimeoutGroup
        DESCRIPTION "This group is mandatory in devices running software which support Shutdown Timeout feature."

        GROUP cpaeRadiusConfigGroup
        DESCRIPTION "This group is mandatory in devices running software which support RADIUS configuration for 802.1x feature."

        GROUP cpaeUserGroupGroup
        DESCRIPTION "This group is mandatory in devices running software which support Group Manager for 802.1x feature."
    ::= { cpaeMIBCompliances 4 }

-- Compliance statement 5, the only one with STATUS current.
-- Only cpaePortEntryGroup is unconditionally mandatory; every other group is
-- either tied to a feature or declared optional.
-- Both notification groups are optional, so an agent can claim compliance
-- without ever sending cpaeNoGuestVlanNotif or cpaeNoAuthFailVlanNotif;
-- absence of these traps is not evidence that no such event occurred.
cpaeCompliance5 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION "The compliance statement for devices that implement the CISCO-PAE-MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { cpaePortEntryGroup }

        GROUP cpaeGuestVlanGroup3
        DESCRIPTION "This group is mandatory in devices running software which supports per-interface Guest Vlan feature."

        GROUP cpaeShutdownTimeoutGroup
        DESCRIPTION "This group is mandatory in devices running software which support Shutdown Timeout feature."

        GROUP cpaeRadiusConfigGroup
        DESCRIPTION "This group is mandatory in devices running software which support RADIUS configuration for 802.1x feature."

        GROUP cpaeUserGroupGroup
        DESCRIPTION "This group is mandatory in devices running software which support Group Manager for 802.1x feature."

        GROUP cpaePortOperVlanGroup
        DESCRIPTION "Implementation of this group is optional."

        GROUP cpaePortAuthFailVlanGroup
        DESCRIPTION "This group is mandatory in devices running software which support Auth-Fail Vlan configuration for 802.1x feature."

        GROUP cpaeNoGuestVlanNotifEnableGrp
        DESCRIPTION "This group is mandatory in devices running software which supports per-interface Guest Vlan feature."

        GROUP cpaeNoAuthFailVlanNotifEnableGrp
        DESCRIPTION "This group is mandatory in devices running software which supports Auth-Fail Vlan configuration for 802.1x feature."

        GROUP cpaeNoGuestVlanNotifGroup
        DESCRIPTION "Implementation of this group is optional."

        GROUP cpaeNoAuthFailVlanNotifGroup
        DESCRIPTION "Implementation of this group is optional."

        GROUP cpaeMacAuthBypassGroup
        DESCRIPTION "This group is mandatory in devices running software which support MAC Authentication Bypass feature."

        GROUP cpaeWebAuthGroup
        DESCRIPTION "This group is mandatory in devices running software which support Web Proxy Authentication feature."

        GROUP cpaeAuthConfigGroup
        DESCRIPTION "This group is mandatory in devices running software which support remote reauthentication timer."

        GROUP cpaeHostInfoGroup
        DESCRIPTION "Implementation of this group is optional."
    ::= { cpaeMIBCompliances 5 }

-- Units of Conformance

-- NOTE(review): several groups below collect objects whose names indicate
-- that they switch port access-control features on or off (for example
-- cpaeMacAuthBypassPortEnabled, cpaeWebAuthEnabled, cpaeGuestVlanNumber,
-- cpaePortAuthFailVlan). Their MAX-ACCESS clauses are outside this section;
-- if any are writable, limit SNMP write access to them (SNMPv3 with
-- authentication and privacy, restrictive VACM views).

-- Deprecated group holding the single multiple-host object; referenced only
-- by the deprecated cpaeCompliance.
cpaeMultipleHostGroup OBJECT-GROUP
    OBJECTS { cpaeMultipleHost }
    STATUS deprecated
    DESCRIPTION "A collection of objects that provide the multiple host configuration information for a PAE port. These are additional to the IEEE Std 802.1x PAE MIB."
    ::= { cpaeMIBGroups 1 }

-- Port-mode configuration; the mandatory group of compliance statements 2 to 5.
cpaePortEntryGroup OBJECT-GROUP
    OBJECTS { cpaePortMode }
    STATUS current
    DESCRIPTION "A collection of objects that provides the port-mode configuration for a PAE port."
    ::= { cpaeMIBGroups 2 }

-- Deprecated system-wide Guest Vlan group (cpaeGuestVlanId).
cpaeGuestVlanGroup OBJECT-GROUP
    OBJECTS { cpaeGuestVlanId }
    STATUS deprecated
    DESCRIPTION "A collection of objects that provides the Guest Vlan configuration information for the system."
    ::= { cpaeMIBGroups 3 }

-- Deprecated per-interface Guest Vlan group. It includes cpaeInGuestVlan,
-- which the 200509220000Z revision lists as deprecated; cpaeGuestVlanGroup3
-- below carries the same description with cpaeGuestVlanNumber only.
cpaeGuestVlanGroup2 OBJECT-GROUP
    OBJECTS {
        cpaeGuestVlanNumber,
        cpaeInGuestVlan
    }
    STATUS deprecated
    DESCRIPTION "A collection of objects that provides the per-interface Guest Vlan configuration information for the system."
    ::= { cpaeMIBGroups 4 }

-- dot1x shutdown timeout value and its enable flag.
cpaeShutdownTimeoutGroup OBJECT-GROUP
    OBJECTS {
        cpaeShutdownTimeout,
        cpaeShutdownTimeoutEnabled
    }
    STATUS current
    DESCRIPTION "A collection of objects that provides the dot1x shutdown timeout configuration information for the system."
    ::= { cpaeMIBGroups 5 }

-- RADIUS configuration; the only member is the accounting enable object.
cpaeRadiusConfigGroup OBJECT-GROUP
    OBJECTS { cpaeRadiusAccountingEnabled }
    STATUS current
    DESCRIPTION "A collection of objects that provides the RADIUS configuration information for the system."
    ::= { cpaeMIBGroups 6 }

-- Group manager information about authenticated users. Judging by the object
-- names, this exposes user names, addresses, interfaces and VLANs; treat read
-- access as disclosure of user identity data when defining SNMP views.
cpaeUserGroupGroup OBJECT-GROUP
    OBJECTS {
        cpaeUserGroupUserName,
        cpaeUserGroupUserAddrType,
        cpaeUserGroupUserAddr,
        cpaeUserGroupUserInterface,
        cpaeUserGroupUserVlan
    }
    STATUS current
    DESCRIPTION "A collection of objects that provides the group manager information of authenticated users in the system."
    ::= { cpaeMIBGroups 7 }

-- Current per-interface Guest Vlan group, used by cpaeCompliance5.
cpaeGuestVlanGroup3 OBJECT-GROUP
    OBJECTS { cpaeGuestVlanNumber }
    STATUS current
    DESCRIPTION "A collection of objects that provides the per-interface Guest Vlan configuration information for the system."
    ::= { cpaeMIBGroups 8 }

-- Operational Vlan and its type for each PAE port.
cpaePortOperVlanGroup OBJECT-GROUP
    OBJECTS {
        cpaePortOperVlan,
        cpaePortOperVlanType
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides the information about Operational Vlan for each PAE port."
    ::= { cpaeMIBGroups 9 }

-- Auth-Fail Vlan configuration plus the Auth-Fail user name.
-- cpaePortAuthFailVlan is the object whose zero value is a precondition of
-- cpaeNoAuthFailVlanNotif.
cpaePortAuthFailVlanGroup OBJECT-GROUP
    OBJECTS {
        cpaePortAuthFailVlan,
        cpaeAuthFailUserName
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides the Auth-Fail (Authentication Fail) Vlan configuration and Auth-Fail user information for the system."
    ::= { cpaeMIBGroups 10 }

-- Control object for the Guest Vlan related notification(s).
cpaeNoGuestVlanNotifEnableGrp OBJECT-GROUP
    OBJECTS { cpaeNoGuestVlanNotifEnable }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides control over Guest Vlan related notification(s)."
    ::= { cpaeMIBGroups 11 }

-- Control object for the Auth-Fail related notification(s).
cpaeNoAuthFailVlanNotifEnableGrp OBJECT-GROUP
    OBJECTS { cpaeNoAuthFailVlanNotifEnable }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides control over Auth-Fail related notification(s)."
    ::= { cpaeMIBGroups 12 }

-- Notification group for cpaeNoGuestVlanNotif; optional in cpaeCompliance5.
cpaeNoGuestVlanNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS { cpaeNoGuestVlanNotif }
    STATUS current
    DESCRIPTION "A collection of notification(s) providing the information for unconfigured Guest Vlan."
    ::= { cpaeMIBGroups 13 }

-- Notification group for cpaeNoAuthFailVlanNotif; optional in cpaeCompliance5.
cpaeNoAuthFailVlanNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS { cpaeNoAuthFailVlanNotif }
    STATUS current
    DESCRIPTION "A collection of notifications providing the information for unconfigured Auth-Fail Vlan."
    ::= { cpaeMIBGroups 14 }

-- MAC Auth-Bypass configuration and state. The object names cover global
-- timers and violation handling, per-port enable, initialize and reauth
-- controls, the port MAC address and auth state, and an accounting enable.
cpaeMacAuthBypassGroup OBJECT-GROUP
    OBJECTS {
        cpaeMacAuthBypassReAuthTimeout,
        cpaeMacAuthBypassReAuthEnabled,
        cpaeMacAuthBypassViolation,
        cpaeMacAuthBypassShutdownTimeout,
        cpaeMacAuthBypassAuthFailTimeout,
        cpaeMacAuthBypassPortEnabled,
        cpaeMacAuthBypassPortInitialize,
        cpaeMacAuthBypassPortReAuth,
        cpaeMacAuthBypassPortMacAddress,
        cpaeMacAuthBypassPortAuthState,
        cpaeMacAuthBypassAcctEnable
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides the MAC Auth-Bypass configuration and information for the system."
    ::= { cpaeMIBGroups 15 }

-- Web Proxy Authentication configuration and state: global settings
-- (enable, session and quiet periods, login pages, retries), per-port
-- controls and per-host session state, judging by the object names.
cpaeWebAuthGroup OBJECT-GROUP
    OBJECTS {
        cpaeWebAuthEnabled,
        cpaeWebAuthSessionPeriod,
        cpaeWebAuthLoginPage,
        cpaeWebAuthLoginFailedPage,
        cpaeWebAuthQuietPeriod,
        cpaeWebAuthMaxRetries,
        cpaeWebAuthPortEnabled,
        cpaeWebAuthPortInitialize,
        cpaeWebAuthAaaSessionPeriod,
        cpaeWebAuthHostSessionTimeLeft,
        cpaeWebAuthHostState,
        cpaeWebAuthHostInitialize
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides the Web Proxy Authentication configuration and information for the system."
    ::= { cpaeMIBGroups 16 }

-- Additional Authenticator PAE configuration, mostly reauthentication
-- settings. The reauthentication period source objects presumably use the
-- ReAuthPeriodSource textual convention (local, server, auto) defined at the
-- top of this module; confirm against their SYNTAX clauses.
cpaeAuthConfigGroup OBJECT-GROUP
    OBJECTS {
        cpaeAuthReAuthPeriodSrcAdmin,
        cpaeAuthReAuthPeriodSrcOper,
        cpaeAuthReAuthPeriodOper,
        cpaeAuthTimeToNextReAuth,
        cpaeAuthReAuthAction,
        cpaeAuthReAuthMax,
        cpaeAuthIabEnabled
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides additional configuration information about an Authenticator PAE."
    ::= { cpaeMIBGroups 17 }

-- Per-host information for hosts connecting to a PAE port: MAC address and
-- posture token. Read access reveals which hosts are attached, so scope SNMP
-- read views accordingly.
cpaeHostInfoGroup OBJECT-GROUP
    OBJECTS {
        cpaeHostInfoMacAddress,
        cpaeHostInfoPostureToken
    }
    STATUS current
    DESCRIPTION "A collection of object(s) that provides information about an host connecting to a PAE port."
    ::= { cpaeMIBGroups 18 }

END