6b9d05653c
git-svn-id: http://www.observium.org/svn/observer/trunk@1569 61d68cd4-352d-0410-923a-c4978735b2b8
ENTERASYS-ENCR-8021X-CONFIG-MIB DEFINITIONS ::= BEGIN
|
|
|
|
-- enterasys-encr-8021x-config-mib.txt
|
|
--
|
|
-- Part Number: <TBD>
|
|
--
|
|
--
|
|
|
|
-- This module provides authoritative definitions for Enterasys
|
|
-- Networks' encrypted IEEE 802.1x configuration MIB.
|
|
|
|
--
|
|
-- This module will be extended, as needed.
|
|
|
|
-- Enterasys Networks reserves the right to make changes in this
|
|
-- specification and other information contained in this document
|
|
-- without prior notice. The reader should consult Enterasys Networks
|
|
-- to determine whether any such changes have been made.
|
|
--
|
|
-- In no event shall Enterasys Networks be liable for any incidental,
|
|
-- indirect, special, or consequential damages whatsoever (including
|
|
-- but not limited to lost profits) arising out of or related to this
|
|
-- document or the information contained in it, even if Enterasys
|
|
-- Networks has been advised of, known, or should have known, the
|
|
-- possibility of such damages.
|
|
--
|
|
-- Enterasys Networks grants vendors, end-users, and other interested
|
|
-- parties a non-exclusive license to use this Specification in
|
|
-- connection with the management of Enterasys Networks products.
|
|
|
|
-- Copyright March, 2002 Enterasys Networks, Inc.
|
|
|
|
IMPORTS
|
|
MODULE-IDENTITY, OBJECT-TYPE
|
|
FROM SNMPv2-SMI
|
|
MODULE-COMPLIANCE, OBJECT-GROUP
|
|
FROM SNMPv2-CONF
|
|
-- TruthValue
|
|
-- FROM SNMPv2-TC
|
|
-- PaeControlledDirections,
|
|
-- PaeControlledPortStatus, PaeControlledPortControl
|
|
-- FROM IEEE8021-PAE-MIB
|
|
dot1xPaePortNumber
|
|
FROM IEEE8021-PAE-MIB
|
|
etsysDot1xAuthStationAddress
|
|
FROM ENTERASYS-8021X-EXTENSIONS-MIB
|
|
etsysModules
|
|
FROM ENTERASYS-MIB-NAMES;
|
|
|
|
|
|
etsysEncr8021xConfigMIB MODULE-IDENTITY
|
|
LAST-UPDATED "200203142045Z" -- Thu Mar 14 20:45 GMT 2002
|
|
ORGANIZATION "Enterasys Networks, Inc"
|
|
CONTACT-INFO
|
|
"Postal: Enterasys Networks
|
|
35 Industrial Way, P.O. Box 5005
|
|
Rochester, NH 03867-0505
|
|
|
|
Phone: +1 603 332 9400
|
|
E-mail: support@enterasys.com
|
|
WWW: http://www.enterasys.com"
|
|
|
|
-- This is the overall description of this MIB module
|
|
DESCRIPTION
|
|
"The Enterasys Networks MIB module for configuring IEEE
|
|
802.1x implementations on SNMPv1-only platforms.
|
|
|
|
This MIB includes encrypted variants of selected objects
|
|
from the IEEE 802.1x MIB and the Enterasys 802.1x
|
|
Extensions MIB.
|
|
|
|
------------------
|
|
|
|
N O T I C E
|
|
|
|
Use of this MIB in any product requires the approval
|
|
of the Office of the CTO, Enterasys Networks, Inc.
|
|
Permission to use this MIB will not be granted for
|
|
products in which SNMPv3 is now, or will soon be,
|
|
implemented. Permission to use this MIB in products
|
|
that are never scheduled to implement SNMPv3 will be
|
|
granted on a case-by-case basis, depending on what
|
|
other suitable, secure means of configuration are
|
|
available in the product.
|
|
|
|
------------------
|
|
|
|
The following is a discussion of the encoding/decoding and
|
|
encryption/decryption methods that must be used to extract
|
|
data from an encrypted OCTET STRING. (These methods are the
|
|
same as for the Enterasys Networks encrypted RADIUS Client
|
|
MIB.)
|
|
|
|
The encryption/decryption methods make use of an agreed-upon
|
|
Secret and an Authenticator shared between the SNMP network
|
|
management system and the entity that implements the MIB.
|
|
|
|
The encryption/decryption algorithm, as presented herein, is
|
|
taken from the RADIUS protocol, and is the method specified
|
|
for encryption of Tunnel-Password Attributes in RFC 2868.
|
|
|
|
To permit plug-and-play remote installation, configuration,
|
|
and management of the device, the device will algorithmically
|
|
derive the initial shared secret and the initial authenticator.
|
|
|
|
For security reasons, the network manager should change the
|
|
authenticator portion of the management encryption key after
|
|
initial configuration. The methods available for doing this
|
|
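are implementation-specific and subject to change. Until it is
changed, the key depends only on the MAC-derived shared secret
and the pre-defined default authenticator described below.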
|
|
|
|
All read-write and write-only access objects except the table
|
|
index are encoded into fields in an OCTET STRING.
|
|
|
|
Octet String
|
|
|
|
Before encryption, a 'native' object must be encoded into
|
|
a formatted Octet String. After decryption, the Octet String
|
|
must be decoded to obtain the 'native' object.
|
|
|
|
0 1 2 3
|
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Type | Length | Salt |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| String ...
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
Type
|
|
|
|
The data type of the non-encrypted 'native' data:
|
|
|
|
1 = Integer32
|
|
2 = OCTET STRING
|
|
|
|
Length
|
|
|
|
The length in octets of the native object sub-field of
|
|
the Octet String, exclusive of any optional padding.
|
|
Note that the Integrity Check sub-fields (CRC, OID-tail,
|
|
Time Stamp, Source IP Address) are not included in this
|
|
length value, but since the IC sub-fields are always
|
|
present and are of fixed length, there is no impediment
|
|
to proper packet parsing.
|
|
|
|
Salt
|
|
|
|
The Salt field is two octets in length and is used to
|
|
ensure the uniqueness of the encryption key used to
|
|
encrypt each object.
|
|
|
|
The most significant bit (leftmost) of the Salt field
|
|
MUST be set (1). The contents of each Salt field in a
|
|
given SNMP packet must be unique.
|
|
|
|
String
|
|
|
|
0 1 2 3
|
|
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| CRC (4 bytes) |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| OID-tail (4 bytes) |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Time Stamp (4 bytes) |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Source IP Address (4 bytes) |
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
| Object/Padding ...
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
The plain-text String field consists of six logical
|
|
sub-fields: the CRC, OID-tail, Time Stamp, Source IP
|
|
address and native Object sub-fields (all of which are
|
|
required), and the optional Padding sub-field. The
|
|
String field MUST be treated as a counted-string of
|
|
undistinguished octets, and not as a standard
|
|
C/UNIX-style null-terminated, printable ASCII string.
|
|
|
|
CRC Sub-field
|
|
|
|
The CRC sub-field contains a 32-bit CRC (CRC-32)
|
|
calculated over the following concatenated sub-fields
|
|
of the String: the OID-tail, Time Stamp, Source IP
|
|
Address and unpadded native Object fields. The CRC
|
|
sub-field acts as an integrity check on the decrypted
|
|
data.
|
|
|
|
OID-tail Sub-field
|
|
|
|
The OID-tail sub-field contains the least significant
|
|
four octets of the Object ID of the varbind. This
|
|
field is included as an integrity check on the OID of
|
|
the varbind.
|
|
|
|
Time Stamp Sub-field
|
|
|
|
The Time Stamp sub-field contains a 32-bit unsigned
|
|
integer value representing the time the encrypted
|
|
message was assembled. This field acts as an
|
|
integrity check by facilitating the disposal of stale
|
|
or replayed messages. The time window of acceptance is
|
|
implementation dependent, and may be the subject of
|
|
local (i.e. managed entity) policy configuration. The
|
|
Time Stamp is relative time, in units of seconds,
|
|
referenced to the sysUpTime object of the managed
|
|
entity.
|
|
|
|
Source IP Address Sub-field
|
|
|
|
The Source IP Address sub-field contains an unsigned
|
|
32-bit representation of the IPv4 address of the
|
|
source of the encrypted message. This is an added
|
|
check to allow verification of the source of the
|
|
varbind.
|
|
|
|
The CRC, OID-tail, Time Stamp, and Source IP Address
|
|
sub-fields are collectively hereinafter referred to as
|
|
the Integrity Check (IC) sub-fields.
|
|
|
|
Object/Padding Sub-field
|
|
|
|
Object
|
|
The Object sub-field contains the actual or native
|
|
object data followed by padding, if necessary.
|
|
|
|
Padding
|
|
If the combined length (in octets) of the
|
|
non-encrypted CRC, OID-tail, Time Stamp, Source IP
|
|
Address, and native Object sub-fields is not an even
|
|
multiple of 16, then the Padding sub-field MUST be
|
|
present. If it is present, the length of the
|
|
Padding sub-field is variable, between 1 and 15
|
|
octets. The value of the pad octets SHOULD be zero.
|
|
|
|
Encrypting/Decrypting the String Field
|
|
|
|
The entire String field MUST be encrypted as follows,
|
|
prior to transmission:
|
|
|
|
Construct a plain-text version of the String field by
|
|
concatenating the CRC, OID-tail, Time Stamp, Source IP
|
|
address, and native Object sub-fields. If necessary,
|
|
pad the resulting string until its length (in octets)
|
|
is an even multiple of 16. It is recommended that zero
|
|
octets (0x00) be used for padding. Call this plain-text
|
|
P.
|
|
|
|
Shared Secret
|
|
|
|
The shared secret is formed from the MAC
|
|
(hardware) address of the primary management
|
|
interface of the managed device (containing the
|
|
RADIUS Client). The MAC address is represented
|
|
as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33.
|
|
|
|
Authenticator
|
|
|
|
The 128-bit authenticator is a pre-defined
|
|
constant. The default value of the authenticator
|
|
is an Enterasys Networks trade secret. This value
|
|
is settable and the user is advised to change it
|
|
from the default value after initial configuration
|
|
of the system. Contact the MIB author for
|
|
additional information on the default value.
|
|
|
|
Call the shared secret S, the [pseudo-random] 128-bit
|
|
Authenticator R, and the contents of the Salt field A.
|
|
Break P into 16 octet chunks p(1), p(2)...p(i),
|
|
where i = len(P)/16. Call the cipher-text blocks
|
|
c(1), c(2)...c(i) and the final cipher-text C.
|
|
Intermediate values b(1), b(2)...b(i) are required.
|
|
Encryption is performed in the following manner ('+'
|
|
indicates concatenation):
|
|
|
|
b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
|
|
b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2)
|
|
. .
|
|
. .
|
|
. .
|
|
b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)
|
|
|
|
The resulting encrypted String field will contain
|
|
c(1)+c(2)+...+c(i).
|
|
|
|
On receipt, the process is reversed to yield the
|
|
plain-text String."
|
|
|
|
|
|
REVISION "200203142045Z" -- Thu Mar 14 20:45 GMT 2002
|
|
DESCRIPTION
|
|
"The initial version of this MIB module."
|
|
|
|
::= { etsysModules 19 }
|
|
|
|
|
|
etsysEncrDot1xConfigObjects
|
|
OBJECT IDENTIFIER ::= { etsysEncr8021xConfigMIB 1 }
|
|
|
|
-- ----------------------------------------------------------------- --
|
|
-- Textual Conventions
|
|
-- ----------------------------------------------------------------- --
|
|
|
|
-- ----------------------------------------------------------------- --
|
|
-- Branches of the Enterasys Encrypted IEEE 802.1x Configuration MIB
|
|
-- ----------------------------------------------------------------- --
|
|
|
|
-- Encrypted configuration objects for Authenticator PAEs.
|
|
etsysEncrDot1xAuthConfigBranch
|
|
OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigObjects 1 }
|
|
|
|
-- ----------------------------------------------------------------- --
|
|
-- The Encrypted Configuration Table for Port-Based PAEs
|
|
-- ----------------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xAuthPortConfigTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF EtsysEncrDot1xAuthPortConfigEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A table that contains encrypted configuration objects for
|
|
ports that support Authenticator PAEs."
|
|
::= { etsysEncrDot1xAuthConfigBranch 1 }
|
|
|
|
etsysEncrDot1xAuthPortConfigEntry OBJECT-TYPE
|
|
SYNTAX EtsysEncrDot1xAuthPortConfigEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Each conceptual row holds configuration information for
|
|
the Authenticator PAE(s) associated with one port."
|
|
INDEX { dot1xPaePortNumber }
|
|
::= { etsysEncrDot1xAuthPortConfigTable 1 }
|
|
|
|
EtsysEncrDot1xAuthPortConfigEntry ::=
|
|
SEQUENCE {
|
|
etsysEncrDot1xAuthAdminControlledDirections
|
|
OCTET STRING, -- encrypted enumeration
|
|
etsysEncrDot1xAuthControlledPortControl
|
|
OCTET STRING, -- encrypted enumeration
|
|
etsysEncrDot1xAuthQuietPeriod
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthTxPeriod
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthSuppTimeout
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthServerTimeout
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthMaxReq
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthReAuthPeriod
|
|
OCTET STRING, -- encrypted INTEGER
|
|
etsysEncrDot1xAuthReAuthEnabled
|
|
OCTET STRING, -- encrypted TruthValue
|
|
etsysEncrDot1xAuthKeyTxEnabled
|
|
OCTET STRING -- encrypted TruthValue
|
|
}
|
|
|
|
etsysEncrDot1xAuthAdminControlledDirections OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted enumeration
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The current value of the administrative controlled
|
|
directions parameter for the Port.
|
|
|
|
SYNTAX PaeControlledDirections
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.4.1, Admin Control Mode"
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 1 }
|
|
|
|
etsysEncrDot1xAuthControlledPortControl OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted enumeration
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The current value of the controlled Port
|
|
control parameter for the Port.
|
|
|
|
SYNTAX INTEGER {
|
|
forceUnauthorized(1),
|
|
auto(2),
|
|
forceAuthorized(3)
|
|
}
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, AuthControlledPortControl"
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 2 }
|
|
|
|
etsysEncrDot1xAuthQuietPeriod OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value, in seconds, of the quietPeriod constant
|
|
currently in use by the Authenticator PAE state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, quietPeriod"
|
|
-- DEFVAL { encrypt(60) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 3 }
|
|
|
|
etsysEncrDot1xAuthTxPeriod OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value, in seconds, of the txPeriod constant
|
|
currently in use by the Authenticator PAE state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, txPeriod"
|
|
-- DEFVAL { encrypt(30) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 4 }
|
|
|
|
etsysEncrDot1xAuthSuppTimeout OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value, in seconds, of the suppTimeout constant
|
|
currently in use by the Backend Authentication state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, suppTimeout"
|
|
-- DEFVAL { encrypt(30) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 5 }
|
|
|
|
etsysEncrDot1xAuthServerTimeout OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value, in seconds, of the serverTimeout constant
|
|
currently in use by the Backend Authentication state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, serverTimeout"
|
|
-- DEFVAL { encrypt(30) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 6 }
|
|
|
|
etsysEncrDot1xAuthMaxReq OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value of the maxReq constant currently in use by
|
|
the Backend Authentication state machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, maxReq"
|
|
-- DEFVAL { encrypt(2) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 7 }
|
|
|
|
etsysEncrDot1xAuthReAuthPeriod OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted INTEGER
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value, in seconds, of the reAuthPeriod constant
|
|
currently in use by the Reauthentication Timer state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, reAuthPeriod"
|
|
-- DEFVAL { encrypt(60) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 8 }
|
|
|
|
etsysEncrDot1xAuthReAuthEnabled OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The enable/disable control used by the Reauthentication
|
|
Timer state machine (8.5.5.1).
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, reAuthEnabled"
|
|
-- DEFVAL { encrypt(false) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 9 }
|
|
|
|
etsysEncrDot1xAuthKeyTxEnabled OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The value of the keyTransmissionEnabled constant
|
|
currently in use by the Authenticator PAE state
|
|
machine.
|
|
|
|
Alternately, the default value (for ports that use
|
|
station-based access control, and that therefore may
|
|
support many virtual PAEs).
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1, keyTransmissionEnabled"
|
|
-- DEFVAL { encrypt(false) }
|
|
::= { etsysEncrDot1xAuthPortConfigEntry 10 }
|
|
|
|
|
|
-- ----------------------------------------------------------------- --
|
|
-- The Encrypted Initialization Table for Port-Based PAEs
|
|
-- ----------------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xAuthPortInitTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF EtsysEncrDot1xAuthPortInitEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A table that contains encrypted initialization objects for
|
|
port-based Authenticator PAEs."
|
|
::= { etsysEncrDot1xAuthConfigBranch 2 }
|
|
|
|
etsysEncrDot1xAuthPortInitEntry OBJECT-TYPE
|
|
SYNTAX EtsysEncrDot1xAuthPortInitEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Each conceptual row holds initialization objects for one
|
|
port-based Authenticator PAE."
|
|
INDEX { dot1xPaePortNumber }
|
|
::= { etsysEncrDot1xAuthPortInitTable 1 }
|
|
|
|
EtsysEncrDot1xAuthPortInitEntry ::=
|
|
SEQUENCE {
|
|
etsysEncrDot1xAuthInitialize
|
|
OCTET STRING, -- encrypted TruthValue
|
|
etsysEncrDot1xAuthReauthenticate
|
|
OCTET STRING -- encrypted TruthValue
|
|
}
|
|
|
|
etsysEncrDot1xAuthInitialize OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The initialization control for this Port. Setting this
|
|
attribute to TRUE causes the Port to be initialized.
|
|
The attribute value reverts to FALSE once initialization
|
|
has been completed.
|
|
|
|
Setting this attribute to TRUE for a Port that uses
|
|
station-based access control causes all of the virtual
|
|
PAEs associated with the Port to be initialized.
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.1.2, Initialize Port"
|
|
::= { etsysEncrDot1xAuthPortInitEntry 1 }
|
|
|
|
etsysEncrDot1xAuthReauthenticate OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The reauthentication control for this Port. Setting this
|
|
attribute to TRUE causes the Authenticator PAE state
|
|
machine for the Port to reauthenticate the Supplicant.
|
|
Setting this attribute to FALSE has no effect.
|
|
This attribute always returns FALSE when it is read.
|
|
|
|
Setting this attribute to TRUE for a Port that uses
|
|
station-based access control causes all of the virtual
|
|
PAEs associated with the Port to reauthenticate their
|
|
Supplicants.
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE
|
|
"IEEE P802.1x Section 9.6.4.1.3 Reauthenticate"
|
|
::= { etsysEncrDot1xAuthPortInitEntry 2 }
|
|
|
|
|
|
-- ----------------------------------------------------------------- --
|
|
-- The Encrypted Initialization Table for Station-Based PAEs
|
|
-- ----------------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xAuthStationInitTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF EtsysEncrDot1xAuthStationInitEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A table that contains encrypted configuration objects for
|
|
station-based Authenticator PAEs."
|
|
::= { etsysEncrDot1xAuthConfigBranch 3 }
|
|
|
|
etsysEncrDot1xAuthStationInitEntry OBJECT-TYPE
|
|
SYNTAX EtsysEncrDot1xAuthStationInitEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Configuration objects for one station-based Authenticator
|
|
PAE."
|
|
INDEX { etsysDot1xAuthStationAddress }
|
|
::= { etsysEncrDot1xAuthStationInitTable 1 }
|
|
|
|
EtsysEncrDot1xAuthStationInitEntry ::=
|
|
SEQUENCE {
|
|
etsysEncrDot1xAuthStationInitialize
|
|
OCTET STRING, -- encrypted TruthValue
|
|
etsysEncrDot1xAuthStationReauthenticate
|
|
OCTET STRING -- encrypted TruthValue
|
|
}
|
|
|
|
etsysEncrDot1xAuthStationInitialize OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The initialization control for this Authenticator PAE.
|
|
Setting this attribute to TRUE causes the PAE to be
|
|
initialized. The attribute value reverts to FALSE
|
|
once initialization has completed.
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE "IEEE P802.1x Section 9.6.1.2, Initialize Port"
|
|
::= { etsysEncrDot1xAuthStationInitEntry 1 }
|
|
|
|
etsysEncrDot1xAuthStationReauthenticate OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255)) -- encrypted TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An encrypted octet string containing
|
|
|
|
The reauthentication control for this Authenticator
|
|
PAE. Setting this attribute to TRUE causes the
|
|
Authenticator PAE state machine to reauthenticate the
|
|
Supplicant. Setting this attribute to FALSE has no
|
|
effect. This attribute always returns FALSE when it
|
|
is read.
|
|
|
|
SYNTAX INTEGER { true(1), false(2) }
|
|
|
|
The data type is 1, Integer32."
|
|
REFERENCE "IEEE P802.1x Section 9.4.1.3 Reauthenticate"
|
|
::= { etsysEncrDot1xAuthStationInitEntry 2 }
|
|
|
|
|
|
-- ---------------------------------------------------------- --
|
|
-- Enterasys 802.1X Configuration MIB - Conformance Information
|
|
-- ---------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xConfigConformance
|
|
OBJECT IDENTIFIER ::= { etsysEncr8021xConfigMIB 2 }
|
|
|
|
etsysEncrDot1xConfigGroups
|
|
OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigConformance 1 }
|
|
|
|
etsysEncrDot1xConfigCompliances
|
|
OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigConformance 2 }
|
|
|
|
-- ---------------------------------------------------------- --
|
|
-- Units of conformance
|
|
-- ---------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xAuthConfigGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
etsysEncrDot1xAuthAdminControlledDirections,
|
|
etsysEncrDot1xAuthControlledPortControl,
|
|
etsysEncrDot1xAuthQuietPeriod,
|
|
etsysEncrDot1xAuthTxPeriod,
|
|
etsysEncrDot1xAuthSuppTimeout,
|
|
etsysEncrDot1xAuthServerTimeout,
|
|
etsysEncrDot1xAuthMaxReq,
|
|
etsysEncrDot1xAuthReAuthPeriod,
|
|
etsysEncrDot1xAuthReAuthEnabled,
|
|
etsysEncrDot1xAuthKeyTxEnabled
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects for configuring IEEE 802.1x
|
|
authentication at the port level. Objects belonging
|
|
to this group typically have durable values."
|
|
::= { etsysEncrDot1xConfigGroups 1 }
|
|
|
|
etsysEncrDot1xAuthInitGroup OBJECT-GROUP
|
|
OBJECTS {
|
|
etsysEncrDot1xAuthInitialize,
|
|
etsysEncrDot1xAuthReauthenticate,
|
|
etsysEncrDot1xAuthStationInitialize,
|
|
etsysEncrDot1xAuthStationReauthenticate
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A collection of objects for making Authenticator PAEs
|
|
initialize and reauthenticate Supplicants. Writes
|
|
to objects in this group trigger actions, rather than
|
|
changes to durable configuration values."
|
|
::= { etsysEncrDot1xConfigGroups 2 }
|
|
|
|
|
|
|
|
-- ---------------------------------------------------------- --
|
|
-- Compliance statements
|
|
-- ---------------------------------------------------------- --
|
|
|
|
etsysEncrDot1xConfigCompliance MODULE-COMPLIANCE
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The compliance statement for devices that support the
|
|
Enterasys encrypted IEEE 802.1x configuration MIB."
|
|
|
|
MODULE
|
|
|
|
MANDATORY-GROUPS { etsysEncrDot1xAuthConfigGroup }
|
|
|
|
OBJECT etsysEncrDot1xAuthAdminControlledDirections
|
|
MIN-ACCESS read-only
|
|
DESCRIPTION "Support for encrypt(in(1)) is optional."
|
|
|
|
OBJECT etsysEncrDot1xAuthKeyTxEnabled
|
|
MIN-ACCESS read-only
|
|
DESCRIPTION "An Authenticator PAE that does not support
|
|
EAPOL-Key frames may implement this object as
|
|
read-only, returning a value of encrypt(FALSE)."
|
|
|
|
GROUP etsysEncrDot1xAuthInitGroup
|
|
DESCRIPTION "This group is optional."
|
|
|
|
|
|
::= { etsysEncrDot1xConfigCompliances 1 }
|
|
|
|
END
|