-- *****************************************************************
-- CISCO-AAA-CLIENT-MIB.my: Cisco AAA Client MIB
--
-- February 2000, Edward Pham
-- May 2001, Liwei Lue
-- October 2001, Jayakumar Kadirvelu
--
-- Copyright (c) 2000-2001 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--

CISCO-AAA-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;

ciscoAAAClientMIB MODULE-IDENTITY
    LAST-UPDATED    "200111190000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
        "        Cisco Systems
                 Customer Service
         Postal: 170 W. Tasman Drive
                 San Jose, CA 95134
                 USA
            Tel: +1 800 553-NETS
         E-mail: cs-aaa@cisco.com"
    DESCRIPTION
        "This MIB module provides data for authentication method
        priority based on Authentication, Authorization,
        Accounting (AAA) protocols.

        References:
        The TACACS+ Protocol Version 1.78, Internet Draft
        RFC 1411 Telnet Authentication: Kerberos Version 4.
        RFC 1964 The Kerberos Version 5 GSS-API Mechanism.
        "
    REVISION        "200111190000Z"
    DESCRIPTION
        "Deprecate object cacLockoutPeriod and add a new object
        cacLockoutPeriodExt.
        "
    REVISION        "200105100000Z"
    DESCRIPTION
        "Initial version
        "
    ::= { ciscoMgmt 158 }

--
-- Textual Conventions
--

--
-- Session Type textual convention
--
SessionType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Represents a session type.
        telnet(1) indicates telnet session.
        console(2) indicates console session.
        http(3) indicates http session.
        "
    SYNTAX          INTEGER {
                        telnet(1),
                        console(2),
                        http(3)
                    }

--
-- Authentication method textual convention
--
AuthenMethod ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Represents authentication method.
        tacacs(1) indicates that TACACS method is used for
        authentication.
        radius(2) indicates that RADIUS method is used for
        authentication.
        kerberos(3) indicates that KERBEROS method is used
        for authentication.
        local(4) indicates that local password is used
        for authentication. Which password is used depend
        on what login mode users specified.
        "
    SYNTAX          INTEGER {
                        tacacs(1),
                        radius(2),
                        kerberos(3),
                        local(4)
                    }

--
-- Login Mode textual convention
--
LoginMode ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Represents login mode.
        login(1) indicates the normal mode.
        enable(2) indicates the privileged mode.
        "
    SYNTAX          INTEGER {
                        login(1),
                        enable(2)
                    }

-- AAA Client MIB objects definitions
cacMIBObjects       OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 1 }

-- The AAA Client MIB consists of the following groups
-- [1] AAA Client Priority Group (cacPriority)
-- [2] AAA Client Login Config Group (cacLoginConfig)
cacPriority         OBJECT IDENTIFIER ::= { cacMIBObjects 1 }
cacLoginConfig      OBJECT IDENTIFIER ::= { cacMIBObjects 2 }

--****************************************************************************
-- AAA Client Priority Group
--****************************************************************************
--
--

--
-- Priority Table
--
cacPriorityTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CacPriorityEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This table contains entries for AAA authentication
        methods configured in the system. At startup, agent
        set up all the entries of the table. All authentication
        methods will be disabled except local authentication will
        be enabled for each session type and login mode. Users
        later can enable/disable a specific authentication method
        through cacEnable object.

        The following table describes the startup state of each
        authentication method and session type in normal login
        mode and enable login mode.

        AuthenMethod  Console Session   Telnet Session    Http Session
        ------------  ----------------  ----------------  ------------
        tacacs        disabled          disabled          disabled
        radius        disabled          disabled          disabled
        kerberos      disabled          disabled          disabled
        local         enabled(*)        enabled(*)        enabled(*)

        (*) denotes primary method.
        "
    ::= { cacPriority 1 }

cacPriorityEntry OBJECT-TYPE
    SYNTAX          CacPriorityEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the priority number of an authentication
        method used in a session.
        "
    INDEX           { cacSession, cacAuthen, cacLoginMode }
    ::= { cacPriorityTable 1 }

CacPriorityEntry ::= SEQUENCE {
    cacSession          SessionType,
    cacAuthen           AuthenMethod,
    cacLoginMode        LoginMode,
    cacEnable           TruthValue,
    cacPriorityNumber   Integer32,
    cacPrimaryMethod    TruthValue
}

cacSession OBJECT-TYPE
    SYNTAX          SessionType
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This is the session type used to connect to the network
        device.
        "
    ::= { cacPriorityEntry 1 }

cacAuthen OBJECT-TYPE
    SYNTAX          AuthenMethod
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This is the authentication method used to authenticate
        users.
        "
    ::= { cacPriorityEntry 2 }

cacLoginMode OBJECT-TYPE
    SYNTAX          LoginMode
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "This is the login mode user used to login to the network
        device.
        "
    ::= { cacPriorityEntry 3 }

cacEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "It indicates whether the authentication method denoted by
        cacAuthen is enabled or not.
        When this object is true(1), the authentication method denoted
        by cacAuthen is enabled.
        When this object is false(2), the authentication method denoted
        by cacAuthen is disabled.
        If the value of cacAuthen is local, the value of this
        object cannot be set to false(2).
        "
    ::= { cacPriorityEntry 4 }

cacPriorityNumber OBJECT-TYPE
    SYNTAX          Integer32 (0..4)
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This is the priority number of an authentication method to
        be used in user authentication for a session. This value is
        automatically assigned and reflects the relative priority
        of the authentication method denoted by cacAuthen with
        respected to already configured authentication methods.
        It is assigned in the order in which the authentication
        method is enabled by the user through cacEnable.
        The higher value has the higher priority. This object
        is used to determine the fallback order in case the
        primary authentication method indicated by cacPrimaryMethod
        failed.
        If the authentication method denoted by cacAuthen is disabled
        for the type of session denoted by cacSession, the value
        of this object is equal to 0.
        "
    ::= { cacPriorityEntry 5 }

cacPrimaryMethod OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "It indicates whether the authentication method denoted by
        cacAuthen is the primary (first one to be tried) method
        when there are multiple authentication method configured.
        Setting this object to true(1) will make the authentication
        method denoted by cacAuthen to be the primary authentication
        method for the session denoted by cacSession. The previously
        configured primary method will be changed to false(2).
        Setting this object to false(2) is not allowed.
        "
    ::= { cacPriorityEntry 6 }

-- -------------------------------------------------------------
-- AAA Client Login Config Group
-- -------------------------------------------------------------

cacLoginConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CacLoginConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A table that contains login configuration
        which is associated with this system.
        "
    ::= { cacLoginConfig 1 }

cacLoginConfigEntry OBJECT-TYPE
    SYNTAX          CacLoginConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing the configuration of the login.
        "
    INDEX           { cacLoginMode, cacSession }
    ::= { cacLoginConfigTable 1 }

CacLoginConfigEntry ::= SEQUENCE {
    cacMaxLoginAttempt      Integer32,
    cacLockoutPeriod        Integer32,
    cacLockoutPeriodExt     Integer32
}

cacMaxLoginAttempt OBJECT-TYPE
    SYNTAX          Integer32 (0 | 3..10)
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Indicates the maximum number of login attempts allowed.
        Setting this variable to 0 will disable the attempt
        limit checking.
        If the login session type does not support this attempt
        limit checking, the value of this object can only be set
        to 0.
        "
    DEFVAL          { 3 }
    ::= { cacLoginConfigEntry 1 }

cacLockoutPeriod OBJECT-TYPE
    SYNTAX          Integer32 (0 | 30..600)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          deprecated
    DESCRIPTION
        "Indicates the lockout period after the maximum number
        of login attempt is met. For console, the console input
        will be frozen during this period. For remote logins, the
        connection will be closed and any subsequent access
        from that station will be closed during the lockout time.
        Setting this variable to 0 will disable the lockout.
        If the login session type does not support this lockout
        period, the value of this object can only be set to 0.
        If the lockout period is greater than the maximum value
        reportable by this object then this object should report
        its maximum value (600) and cacLockoutPeriodExt must be
        used to report the lockout period.
        "
    DEFVAL          { 30 }
    ::= { cacLoginConfigEntry 2 }

cacLockoutPeriodExt OBJECT-TYPE
    SYNTAX          Integer32 (0 | 30..43200)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the lockout period after the maximum number
        of login attempt is met. For console, the console input
        will be frozen during this period. For remote logins, the
        connection will be closed and any subsequent access
        from that station will be closed during the lockout time.
        Setting this variable to 0 will disable the lockout.
        If the login session type does not support this lockout
        period, the value of this object can only be set to 0.
        "
    DEFVAL          { 30 }
    ::= { cacLoginConfigEntry 3 }

--****************************************************************************
-- Notifications
--****************************************************************************
cacMIBNotifications OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 2 }

cacMIBConformance   OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 3 }
cacMIBCompliances   OBJECT IDENTIFIER ::= { cacMIBConformance 1 }
cacMIBGroups        OBJECT IDENTIFIER ::= { cacMIBConformance 2 }

-- compliance statements
cacMIBCompliance MODULE-COMPLIANCE
    STATUS          deprecated
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO AAA Client MIB"
    MODULE          -- this module
    MANDATORY-GROUPS {
        cacPriorityGroup,
        cacLoginConfigGroup
    }
    ::= { cacMIBCompliances 1 }

cacMIBCompliance2 MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities which
        implement the CISCO AAA Client MIB"
    MODULE          -- this module
    MANDATORY-GROUPS {
        cacPriorityGroup,
        cacLoginConfigGroupRev1
    }
    ::= { cacMIBCompliances 2 }

-- units of conformance
cacPriorityGroup OBJECT-GROUP
    OBJECTS {
        cacEnable,
        cacPriorityNumber,
        cacPrimaryMethod
    }
    STATUS          current
    DESCRIPTION
        "A collection of objects providing the
        AAA client priority information.
        "
    ::= { cacMIBGroups 1 }

cacLoginConfigGroup OBJECT-GROUP
    OBJECTS {
        cacMaxLoginAttempt,
        cacLockoutPeriod
    }
    STATUS          deprecated
    DESCRIPTION
        "A collection of objects providing the
        AAA client login configuration.
        "
    ::= { cacMIBGroups 2 }

cacLoginConfigGroupRev1 OBJECT-GROUP
    OBJECTS {
        cacMaxLoginAttempt,
        cacLockoutPeriodExt
    }
    STATUS          current
    DESCRIPTION
        "A collection of objects providing the
        AAA client login configuration.
        "
    ::= { cacMIBGroups 3 }

END
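
-- Added example, not part of the Cisco MIB: a Python sketch that derives the
-- authentication fallback order from polled cacPriorityTable rows and flags
-- cacLoginConfigTable values that disable attempt limiting or lockout.
-- Assumptions: the dict row layout and the function names are hypothetical, and
-- "primary first, then descending cacPriorityNumber" is a reading of the
-- DESCRIPTION clauses above.

```python
# Added example, not Cisco code. Rows are constructed sample values shaped like
# cacPriorityTable / cacLoginConfigTable rows; no SNMP library is involved.
TRUE, FALSE = 1, 2  # TruthValue (SNMPv2-TC)

def fallback_order(rows):
    """Methods in the order they are tried for one (cacSession, cacLoginMode).

    Assumed reading of the DESCRIPTIONs: primary method first, then the other
    enabled methods by descending cacPriorityNumber; 0 means disabled.
    """
    enabled = [r for r in rows
               if r["cacEnable"] == TRUE and r["cacPriorityNumber"] > 0]
    # False sorts before True, so the row flagged as primary leads the list.
    ordered = sorted(enabled, key=lambda r: (r["cacPrimaryMethod"] != TRUE,
                                             -r["cacPriorityNumber"]))
    return [r["cacAuthen"] for r in ordered]

def audit_login_config(entry):
    """Return findings for one cacLoginConfigEntry given as a dict."""
    findings = []
    attempts = entry["cacMaxLoginAttempt"]
    lockout = entry["cacLockoutPeriodExt"]
    if attempts != 0 and not 3 <= attempts <= 10:
        findings.append("cacMaxLoginAttempt outside SYNTAX (0 | 3..10)")
    if lockout != 0 and not 30 <= lockout <= 43200:
        findings.append("cacLockoutPeriodExt outside SYNTAX (0 | 30..43200)")
    if attempts == 0:
        findings.append("attempt limit checking disabled")
    if lockout == 0:
        findings.append("lockout disabled")
    return findings

# Constructed sample for telnet/login: local was enabled at startup (1),
# TACACS was enabled next (2) and made primary, RADIUS was enabled last (3).
SAMPLE_ROWS = [
    {"cacAuthen": "tacacs", "cacEnable": TRUE, "cacPriorityNumber": 2,
     "cacPrimaryMethod": TRUE},
    {"cacAuthen": "radius", "cacEnable": TRUE, "cacPriorityNumber": 3,
     "cacPrimaryMethod": FALSE},
    {"cacAuthen": "kerberos", "cacEnable": FALSE, "cacPriorityNumber": 0,
     "cacPrimaryMethod": FALSE},
    {"cacAuthen": "local", "cacEnable": TRUE, "cacPriorityNumber": 1,
     "cacPrimaryMethod": FALSE},
]

if __name__ == "__main__":
    print(fallback_order(SAMPLE_ROWS))
    print(audit_login_config({"cacMaxLoginAttempt": 0, "cacLockoutPeriodExt": 0}))
```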