-- ********************************************************************* 
-- CISCO-AAA-SERVER-EXT-MIB.my: AAA Server Extension MIB
--
-- November 2003, Sanjeev C Joshi
-- July 2004, Charuhas Ghatge
-- May 2005, Vijay J.
-- Copyright (c) 2003,2004,2005 by cisco Systems, Inc.
-- All rights reserved.
-- 
-- *********************************************************************

CISCO-AAA-SERVER-EXT-MIB DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Unsigned32
                FROM SNMPv2-SMI
        InetAddressType,
        InetAddress
                FROM INET-ADDRESS-MIB   
        MODULE-COMPLIANCE, OBJECT-GROUP
                FROM SNMPv2-CONF
        RowStatus,
        TruthValue,
        TEXTUAL-CONVENTION,
        DisplayString
                FROM SNMPv2-TC
        SnmpAdminString 
                FROM SNMP-FRAMEWORK-MIB
        ciscoMgmt
                FROM CISCO-SMI
        casConfigEntry,
        CiscoAAAProtocol
                FROM CISCO-AAA-SERVER-MIB
        TimeIntervalMin,
        TimeIntervalSec       
                FROM CISCO-TC;

ciscoAAAServerExtMIB MODULE-IDENTITY
        LAST-UPDATED        "200505230000Z"
        ORGANIZATION        "Cisco Systems, Inc."
        CONTACT-INFO
                "       Cisco Systems
                        Customer Service
                        
                Postal: 170 W Tasman Drive
                        San Jose, CA  95134
                        USA
                        
                   Tel: +1 800 553-NETS
                   
                E-mail:  cs-aaa@cisco.com"
        DESCRIPTION
                "This MIB is an extension to the CISCO-AAA-SERVER-MIB.
                 This MIB module enhances the 'casConfigTable' to 
                 include other types of Server addresses.
                 This also provides management of :
                  - Generic configurations as applied on the AAA 
                    module.
                  - Global configuration settings, i.e., settings for
                    all the AAA Servers instrumented in one instance
                    of this MIB.
                  - Server Group configuration
                  - Application-to-AAA Function-to-Server Group
                    mapping configuration."
        REVISION  "200505230000Z"
        DESCRIPTION
                " - Added notConfigured(3) enumeration
                    to CiscoAAAServerKeyEncrType TC.
                  - Added cAAALoginAuthTypeMSCHAP
                    under cAAASvrExtGenericConfig.
                  - Added  cAAAServerProtoDirectedReq in 
                    cAAASvrExtProtocolParamTable.
                  - Added  cAAASvrGrpConfigDeadTime in
                    cAAASvrExtSvrGrpConfigTable.
                  - Added following objects in cAAASvrExtConfigTable.
                    cAAAServerRootDN
                    cAAAServerIdleTime
                    cAAAServerTestUser
                    cAAAServerTestPassword
                 - Added cAAASvrExtSvrGrpLDAPConfigTable."
        REVISION  "200505090000Z"
        DESCRIPTION
                "Added cAAASvrExtClearAccLog."
        REVISION  "200311140000Z"
        DESCRIPTION
                "Initial version of this MIB."
        ::= { ciscoMgmt 367 }

--
-- AAA Server MIB object definitions
--

ciscoAAASvrExtMIBObjects        OBJECT IDENTIFIER     
                                ::= { ciscoAAAServerExtMIB 1 }
ciscoAAASvrExtMIBConformance    OBJECT IDENTIFIER     
                                ::= { ciscoAAAServerExtMIB 2 }

cAAASvrExtGenericConfig         OBJECT IDENTIFIER 
                                ::= { ciscoAAASvrExtMIBObjects 1 }
cAAASvrExtSvrTableConfig        OBJECT IDENTIFIER 
                                ::= { ciscoAAASvrExtMIBObjects 2 }
cAAASvrExtProtoParamConfig          OBJECT IDENTIFIER 
                                ::= { ciscoAAASvrExtMIBObjects 3 }
cAAASvrExtSvrGrpConfig          OBJECT IDENTIFIER 
                                ::= { ciscoAAASvrExtMIBObjects 4 } 
cAAASvrExtAppSvrGrpMapConfig    OBJECT IDENTIFIER 
                                ::= { ciscoAAASvrExtMIBObjects 5 } 

--
-- Textual Conventions
--

-- Form in which a AAA server key is held. In this module the convention
-- is used by cAAAServerKeyEncrType (for 'casKey') and by
-- cAAAServerProtoKeyEncrType (for 'cAAAServerProtoAuthKey').
-- NOTE(review): the module does not say which algorithm encrypted(2)
-- implies or whether it is reversible; confirm against the platform
-- documentation before relying on it to protect stored keys.
-- The value describes the key only, not the SNMP transport: a key written
-- in either form is confidential in transit only when the SNMP session
-- itself provides privacy.
CiscoAAAServerKeyEncrType ::= TEXTUAL-CONVENTION
        STATUS         current
        DESCRIPTION
           "Encryption type used for the AAA Server auth key.

                 plain(1) - Key is in Plain Text.
                 encrypted(2) - Key is Encrypted.
                 notConfigured(3) - Key is not configured.
            ."
        SYNTAX         INTEGER {
                            plain(1),
                            encrypted(2),
                            notConfigured(3)
                       }
                     
--
-- Generic configurations for AAA module - cAAASvrExtGenericConfig
--
                       
-- Upper bound, in bytes, on the locally stored accounting log.
-- Audit relevance: the object is read-write, and per the DESCRIPTION a
-- smaller value leaves a smaller log available for viewing, so a SET that
-- lowers it reduces the retained accounting history. Restrict write access
-- to this object and record SETs against it.
-- NOTE(review): the range starts at 0; the DESCRIPTION does not say what a
-- size of 0 means for logging - confirm against the agent.
cAAASvrExtLocalAccLogMaxSize  OBJECT-TYPE
        SYNTAX         Unsigned32 (0..100000000)
        UNITS          "bytes"
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION   
           "The maximum size of the accounting log file in bytes. 
            The log file is stored on local persistent storage at the
            device. If the size is set to a smaller value than the 
            existing one, then smaller log will be available for view 
            by the user."
        ::= { cAAASvrExtGenericConfig 1 }
 
cAAASvrExtSvrGrpSvrListMaxEnt OBJECT-TYPE
        SYNTAX         Unsigned32 (1..64)
        MAX-ACCESS     read-only 
        STATUS         current
        DESCRIPTION   
           "The maximum number of AAA Server entries that 
            the agent supports within a Server Group. 
            This restricts the number of AAA Servers
            in the 'cAAAServerList' of
            'cAAASvrExtSvrGrpConfigTable'."
        ::= { cAAASvrExtGenericConfig 2 }        
         
cAAASvrExtAppToSvrGrpMaxEnt OBJECT-TYPE
        SYNTAX         Unsigned32 (0..64)
        MAX-ACCESS     read-only 
        STATUS         current
        DESCRIPTION   
           "The maximum number of Server Group entries that 
            the agent supports for an application type on a per
            AAA operation basis, excluding the 'Local' and 'Trivial'
            modes. 
            This restricts the number of Server Groups 
            in the 'cAAASvrGrpList' of 
            'cAAASvrExtAppSvrGrpConfigTable'."
        ::= { cAAASvrExtGenericConfig 3 }        
                      
-- Action object: writing clear(1) erases the accounting log.
-- Audit relevance: a single SET removes the accounting trail, and a read
-- always returns noOp(2), so polling this object cannot reveal that a
-- clear took place. Limit write access to it in the agent's access-control
-- (view) configuration, and capture SETs to it in a log that is kept
-- outside the accounting log itself.
cAAASvrExtClearAccLog  OBJECT-TYPE
        SYNTAX         INTEGER {
                                clear(1),
                                noOp(2)  
                       }
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION   
           "This object clears the accounting log, when set
            to 'clear'. 
            No action is taken if this object is set to 'noOp'.
            When read, the value 'noOp' is returned."

        ::= { cAAASvrExtGenericConfig 4 }

-- Selects MSCHAP for login authentication through a remote AAA server;
-- the default, false(2), keeps the default authentication mechanism.
-- NOTE(review): the DESCRIPTION does not say which MS-CHAP version is
-- meant or what the "default authentication mechanism" is. MS-CHAP (v1 and
-- v2) has well-documented cryptographic weaknesses, so treat a change of
-- this object to true(1) as a deliberate security decision and review it.
cAAALoginAuthTypeMSCHAP OBJECT-TYPE
        SYNTAX             TruthValue
        MAX-ACCESS         read-write
        STATUS             current
        DESCRIPTION
           "This indicates whether the MSCHAP authentication mechanism
            should be used for authenticating the user through remote
            AAA Server during login.

            The value 'true(1)' indicates MSCHAP authentication
            should be used.

            The value 'false(2)' indicates that the default
            authentication mechanism should be used.

            The value of this object is used for authentication during
            user's login only."
        DEFVAL         { false }
        ::= { cAAASvrExtGenericConfig 5 }

--
-- Server Configuration Table  cAAASvrExtSvrTableConfig
--

cAAASvrExtConfigTable OBJECT-TYPE
        SYNTAX         SEQUENCE OF AAASvrExtEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "This table extends the 'casConfigTable'  from 
            CISCO-AAA-SERVER-MIB to provide configuration 
            flexibility.
            An entry cannot be created until at least one of the
            following objects/object-set are instantiated :
            - cAAAServerAddrType and cAAAServerAddr set
                      Or 
            - casAddress of casConfigTable
            If both 'casAddress' and 'cAAAServerAddr'(along with
            'cAAAServerAddrType') are set during the row creation,
            the values need to be consistent. Else it results in
            an error."
        ::= { cAAASvrExtSvrTableConfig 1 }

cAAASvrExtConfigEntry OBJECT-TYPE
        SYNTAX         AAASvrExtEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "An entry (conceptual row) in cAAASvrExtConfigTable." 
        AUGMENTS       { casConfigEntry }
        ::= { cAAASvrExtConfigTable 1}

AAASvrExtEntry ::=
        SEQUENCE {
            cAAAServerAddrType             InetAddressType,
            cAAAServerAddr                 InetAddress,
            cAAAServerKeyEncrType          CiscoAAAServerKeyEncrType,
            cAAAServerDeadTime             TimeIntervalMin,
            cAAAServerTimeOut              TimeIntervalSec,
            cAAAServerRetransmits          Unsigned32,
            cAAAServerRootDN               SnmpAdminString,
            cAAAServerIdleTime             TimeIntervalMin,
            cAAAServerTestUser             SnmpAdminString,
            cAAAServerTestPassword         SnmpAdminString
}

cAAAServerAddrType OBJECT-TYPE
    SYNTAX             InetAddressType
    MAX-ACCESS         read-create
    STATUS             current
    DESCRIPTION   
           "The type of address of the AAA Server as specified
            by object 'cAAAServerAddr'. 
            If the user sets  'casAddress' column of the
            'casConfigTable', then 'cAAAServerAddrType' is 
            appropriately filled by the agent.
            If  the user specifies a value other than  'ipv4', 
            then the 'casAddress' is set to zero-length string."
    DEFVAL             { ipv4 }
    ::= { cAAASvrExtConfigEntry 1 }

cAAAServerAddr   OBJECT-TYPE
    SYNTAX             InetAddress
    MAX-ACCESS         read-create
    STATUS             current
    DESCRIPTION   
           "The address of the AAA Server. 
            If the user sets the 'casAddress' column of the
            'casConfigTable', then 'cAAAServerAddr' is 
            appropriately filled by the agent."
    ::= { cAAASvrExtConfigEntry 2 }

-- Per-server companion to 'casKey' in the augmented casConfigTable row:
-- states whether that key is in plain or encrypted form.
-- The default is plain(1), so a row created without this column declares
-- its key as plain text. Whichever form is used, the SET that carries the
-- key is protected in transit only if the SNMP session provides privacy
-- (for example SNMPv3 with authentication and privacy).
cAAAServerKeyEncrType  OBJECT-TYPE
        SYNTAX         CiscoAAAServerKeyEncrType
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "The encryption type of the corresponding instance
            of the server key 'casKey' in the augmented row of
            the 'casConfigTable'."
        DEFVAL         { plain }
        ::= { cAAASvrExtConfigEntry 3 }
        
cAAAServerDeadTime OBJECT-TYPE
        SYNTAX         TimeIntervalMin (0..1440)
        UNITS          "minutes"
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION   
           "This indicates the length of time in minutes that the
            system will mark the server dead when a AAA server does
            not respond to an authentication request. During the
            interval of the dead time, any authentication request 
            that comes up would not be sent to that AAA server that
            was marked as dead. 
            This value overrides value set in the 
            'cAAAServerProtoDeadTime' of the 
            'cAAASvrExtProtocolParamTable' for this server.
            If this value is zero, then the value set in the
            'cAAAServerProtoDeadTime' is used."
        DEFVAL         { 0 }
        ::= { cAAASvrExtConfigEntry 4 }

cAAAServerTimeOut OBJECT-TYPE
        SYNTAX         TimeIntervalSec (0..1000)
        UNITS          "seconds"
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION   
           "The time in seconds between retransmissions to
            the AAA server. This value overrides the value set in the 
            'cAAAServerProtoTimeOut' of the 
            'cAAASvrExtProtocolParamTable' for this server. 
            If this value is zero, then the value set in the
            'cAAAServerProtoTimeOut' is used."
        DEFVAL         { 0 }
        ::= { cAAASvrExtConfigEntry 5 }  
    
-- Per-server retransmit count; 0 (the default) defers to the per-protocol
-- setting.
-- NOTE(review): the DESCRIPTION names 'cAAAServerProtoTimeOut' as the
-- object this value overrides, but its own fallback sentence, and the
-- DESCRIPTION of 'cAAAServerProtoRetransmits', both pair this object with
-- 'cAAAServerProtoRetransmits'. The first reference looks like a copy from
-- cAAAServerTimeOut; read it as 'cAAAServerProtoRetransmits'.
cAAAServerRetransmits OBJECT-TYPE
        SYNTAX         Unsigned32 (0..100)
        UNITS          "retransmits"
        MAX-ACCESS     read-create
        STATUS         current                     
        DESCRIPTION   
           "The additional number of times the AAA server should be 
            tried by the AAA client before giving up on the server.
            This value overrides value set in the 
            'cAAAServerProtoTimeOut' of the 
            'cAAASvrExtProtocolParamTable' for this server.
            If this value is zero, then the value set in the 
            'cAAAServerProtoRetransmits' is used."
        DEFVAL         { 0 }
        ::= { cAAASvrExtConfigEntry 6 }               

cAAAServerRootDN OBJECT-TYPE
        SYNTAX         SnmpAdminString (SIZE(0..64))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This object specifies the root Distinguished Name
           to be used in authenticating the access to LDAP
           server database."
        DEFVAL         { "" }
        ::= { cAAASvrExtConfigEntry 7 }

cAAAServerIdleTime OBJECT-TYPE
        SYNTAX         TimeIntervalMin (0..1440)
        UNITS          "minutes"
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This indicates the time interval in minutes, at which the
            system will periodically test the AAA Server by
            sending test packets to the server. The default value
            of 0 means that the AAA server will not be tested
            periodically."
        DEFVAL         { 0 }
        ::= { cAAASvrExtConfigEntry 8 }

cAAAServerTestUser OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE (1..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
               "The username to be used in the test packets sent
                to AAA Server to test if the Server responds to the
                requests or not."
        ::= { cAAASvrExtConfigEntry 9 }

-- Password placed in the periodic test packets sent to the AAA server
-- (see cAAAServerIdleTime / cAAAServerTestUser). Effectively write-only:
-- a read always returns a zero-length string.
-- NOTE(review): SYNTAX is SIZE (1..32), yet the value returned on read is
-- zero-length, which falls outside the declared range; managers that
-- validate responses against the SYNTAX need to allow for this.
-- The password is carried in the SET PDU, so write it only over an SNMP
-- session that provides privacy, and prefer a dedicated test account with
-- no other privileges on the AAA server.
cAAAServerTestPassword OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE (1..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
               "The password to be used in test packets sent to AAA
                Server to test if the Server responds to the
                requests or not.

                A zero-length string is always returned when this
                object is read."
        ::= { cAAASvrExtConfigEntry 10 }

--
-- AAA protocol parameter configuration - cAAASvrExtProtoParamConfig
--

cAAASvrExtProtocolParamTable OBJECT-TYPE
        SYNTAX         SEQUENCE OF ProtocolParamEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "This table contains the per-protocol parameters for use by
            all AAA Servers instrumented in one instance of this MIB."
        ::= { cAAASvrExtProtoParamConfig 1 }


cAAASvrExtProtocolParamEntry OBJECT-TYPE
        SYNTAX         ProtocolParamEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "An entry (conceptual row) in 
            'cAAASvrExtProtocolParamTable'. Each row of the
            table indicates the protocol parameters setting
            for a  particular AAA protocol. New entries can 
            not be created. The existing rows  can only be 
            modified." 
        INDEX          { cAAAServerProtocol }
        ::= { cAAASvrExtProtocolParamTable 1 }

ProtocolParamEntry ::=
        SEQUENCE {
            cAAAServerProtocol              CiscoAAAProtocol,
            cAAAServerProtoAuthKey          DisplayString,
            cAAAServerProtoKeyEncrType      CiscoAAAServerKeyEncrType,
            cAAAServerProtoDeadTime         TimeIntervalMin,
            cAAAServerProtoTimeOut          TimeIntervalSec,
            cAAAServerProtoRetransmits      Unsigned32,
            cAAAServerProtoSvrTableMaxEnt   Unsigned32,
            cAAAServerProtoDirectedReq      TruthValue

}

cAAAServerProtocol OBJECT-TYPE
        SYNTAX         CiscoAAAProtocol
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "The AAA Protocol for which these settings are
            being applied."
       ::= { cAAASvrExtProtocolParamEntry 1 }

-- Per-protocol shared key, used when a server's own 'casKey' (written
-- 'caskey' in the DESCRIPTION below) is administratively set to a
-- zero-length string. Effectively write-only: a read always returns an
-- empty string.
-- Because one value here backs every server of the protocol that has no
-- key of its own, its disclosure affects all of those servers. The key
-- travels in the SET PDU, so write it only over an SNMP session that
-- provides privacy, and restrict write access to this column.
-- SYNTAX is an unconstrained DisplayString, i.e. up to 255 octets as
-- defined in SNMPv2-TC. NOTE(review): any shorter limit imposed by the
-- agent or by the AAA protocol is not stated here.
cAAAServerProtoAuthKey OBJECT-TYPE
        SYNTAX         DisplayString
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION
                "The key used in encrypting the packets passed
                 between the AAA server and the client.This key
                 must match the one configured on the server.
                 This Object is similar to the 'caskey'.
                 If the 'caskey' of the 'casConfigTable' is
                 administratively set to zero length string,
                 then this key used.
                 Retrieving the value of this object via SNMP will 
                 always return an empty string for security reasons."
        DEFVAL         { "" }
        ::= { cAAASvrExtProtocolParamEntry 2 }
        
cAAAServerProtoKeyEncrType  OBJECT-TYPE
        SYNTAX         CiscoAAAServerKeyEncrType
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION
           "The encryption type of the server key
           'cAAAServerProtoAuthKey'."
        DEFVAL         { plain }
        ::= { cAAASvrExtProtocolParamEntry 3 }

cAAAServerProtoDeadTime OBJECT-TYPE
        SYNTAX         TimeIntervalMin (0..1440)
        UNITS          "minutes"
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION   
           "The DeadTime setting for AAA Servers.
            If 'cAAAServerDeadTime' of 'cAAASvrExtConfigTable' is zero,
            this value is used.
            This indicates the length of time in minutes that the 
            system will mark the server dead when a AAA server does
            not respond to an authentication request. During the
            interval of the dead time, any authentication request
            that comes up would not be sent to that AAA server 
            that was marked as dead. The default value of 0 means
            that the AAA servers will not be marked dead if they
            do not respond."
        DEFVAL         { 0 }
        ::= { cAAASvrExtProtocolParamEntry 4 }

cAAAServerProtoTimeOut OBJECT-TYPE
        SYNTAX         TimeIntervalSec (1..1000)
        UNITS          "seconds"
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION   
           "The time in seconds between retransmissions to
            the AAA server.
            If 'cAAAServerTimeOut' of 'cAAASvrExtConfigTable' is
            zero, this value is used."
        DEFVAL         { 1 }
        ::= { cAAASvrExtProtocolParamEntry 5 }  
    
cAAAServerProtoRetransmits OBJECT-TYPE
        SYNTAX         Unsigned32 (0..100)
        UNITS          "retransmits"
        MAX-ACCESS     read-write
        STATUS         current                     
        DESCRIPTION   
           "The additional number of times the AAA server should be 
            tried by the AAA client before giving up on the server.
            If 'cAAAServerRetransmits' of 'cAAASvrExtConfigTable' is
            zero, this value is used."      
        DEFVAL         { 1 }
        ::= { cAAASvrExtProtocolParamEntry 6 }       

cAAAServerProtoSvrTableMaxEnt OBJECT-TYPE
        SYNTAX         Unsigned32 (0..65536)
        MAX-ACCESS     read-only
        STATUS         current
        DESCRIPTION   
           "Each instance of this object specifies the maximum
            number of AAA server entries in the 'casConfigTable',
            for a particular protocol."
        ::= { cAAASvrExtProtocolParamEntry 7 }

-- Controls whether the login name may select the AAA server.
-- true(1):  'username@hostname' sends the request to 'hostname', which
--           must already exist as a 'cAAAServerAddr' entry in
--           cAAASvrExtConfigTable; if that server does not respond, the
--           mapping in cAAASvrExtAppSvrGrpConfigTable is not used.
-- false(2): the whole string is the username and the configured mapping
--           in cAAASvrExtAppSvrGrpConfigTable applies (the default).
-- Security relevance: with true(1) the person logging in, not the
-- administrator's group ordering, decides which configured server
-- authenticates the session, so every server in cAAASvrExtConfigTable for
-- this protocol must be one that is acceptable for login authentication.
cAAAServerProtoDirectedReq OBJECT-TYPE
        SYNTAX             TruthValue
        MAX-ACCESS         read-write
        STATUS             current
        DESCRIPTION
            "This object is to specify whether a user could choose 
             a AAA server for authentication during login.
 
             The value 'true(1)' indicates that a user can specify
             the remote AAA server for authentication during login.
             If the user specifies the login name as 
             'username@hostname', then the authentication request
             will be sent to remote AAA server 'hostname' with
             username as 'username'. An entry should exist in
             cAAASvrExtConfigTable  with 'cAAAServerAddr' value
             'hostname'. The configuration in
             cAAASvrExtAppSvrGrpConfigTable is not used, if the
             specified remote AAA server fails to respond.

             The value 'false(2)' indicates user cannot specify the
             remote AAA server for authentication during login.
             If user specifies the login name as 'username@hostname',
             then the complete string will be treated as username and
             the user will be authenticated as per configuration in
             cAAASvrExtAppSvrGrpConfigTable."
        DEFVAL         { false }
        ::= { cAAASvrExtProtocolParamEntry 8 }

--
-- Server Group  Configuration Table - cAAASvrExtSvrGrpConfig
--

cAAASvrExtSvrGrpConfigTable OBJECT-TYPE
        SYNTAX         SEQUENCE OF ServerGroupEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "A table consisting of entries for Server Groups. 
            A server group consists of a number of AAA servers
            implementing the same AAA protocol. Multiple server
            groups (usually one group for TACACS+ and one group
            for RADIUS) can be used for the same service for
            authentication, authorization and accounting purpose.
            An entry cannot be created until following objects are 
            instantiated
            - cAAASvrGrpName
            - cAAASvrGrpProtocol
            - cAAAServerList with at least one member
            Note that an implementation may support any number of
            permanent rows which cannot be deleted. These permanent
            groups are system defined groups and not created by the
            user."
        ::= { cAAASvrExtSvrGrpConfig 1 }

cAAASvrExtSvrGrpConfigEntry OBJECT-TYPE
        SYNTAX         ServerGroupEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "An entry (conceptual row) in the
            cAAASvrExtSvrGrpConfigTable. " 
        INDEX          { cAAASvrGrpIndex }
        ::= { cAAASvrExtSvrGrpConfigTable 1}

ServerGroupEntry ::=
        SEQUENCE {
            cAAASvrGrpIndex                  Unsigned32,
            cAAASvrGrpName                   SnmpAdminString,
            cAAASvrGrpProtocol               CiscoAAAProtocol,
            cAAAServerList                   OCTET STRING,
            cAAASvrGrpConfigRowStatus        RowStatus,
            cAAASvrGrpConfigDeadTime         TimeIntervalMin

}

cAAASvrGrpIndex OBJECT-TYPE
        SYNTAX         Unsigned32 (1..100)
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "The index for each of the Server Group entries."
        ::= { cAAASvrExtSvrGrpConfigEntry 1 }

cAAASvrGrpName OBJECT-TYPE
        SYNTAX         SnmpAdminString (SIZE (1..64))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "The name of the Server Group. The 'cAAASvrGrpName'
            has to be specified by the user during the creation
            of this row entry. 
            The cAAASvrGrpName can not be  modified when
            cAAASvrGrpConfigRowStatus is  'active'."
        ::= { cAAASvrExtSvrGrpConfigEntry 2 }

cAAASvrGrpProtocol OBJECT-TYPE
        SYNTAX         CiscoAAAProtocol
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "The AAA Protocol to which this Server Group belongs to.
            The cAAASvrGrpProtocol can not be  modified when
            cAAASvrGrpConfigRowStatus is  'active'."
        DEFVAL         {tacacsplus}
        ::= { cAAASvrExtSvrGrpConfigEntry 3 }
      
-- Ordered membership of the server group, encoded as concatenated 4-octet
-- 'casIndex' values in network byte order; the first entry is the primary
-- server.
-- SIZE(4..256) allows at most 64 entries, which matches the upper bound
-- of 'cAAASvrExtSvrGrpSvrListMaxEnt' (1..64), but the SYNTAX alone also
-- admits lengths that are not a multiple of 4.
-- NOTE(review): the DESCRIPTION does not say how an agent treats such a
-- value, or an index with no matching casConfigTable row for the row's
-- 'cAAASvrGrpProtocol'; an agent should reject both rather than truncate
-- or skip entries, since the order decides which server is tried first.
cAAAServerList OBJECT-TYPE
        SYNTAX         OCTET STRING (SIZE(4..256))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This represents ordered list of AAA Servers which form
            this Server Group.
            This object contains list of the AAA Servers as defined
            in the 'casConfigTable'.  
            The value of this object is a concatenation of one or
            more 4-octet strings, where each 4-octet string represents
            a 32-bit 'casIndex' value of 'casConfigTable' in network 
            byte order. This Index along with the 'cAAASvrGrpProtocol'
            that is set in the same row form the composite index in 
            the 'casConfigTable'.
            The order in which servers occur within the value of this
            object determines the Server priority  in that group. The
            first one will be 'Primary'  and the rest are 'secondary'
            ( others).
            At least one index has to be provided when creating  this
            row. A Server Group can not exist without any members.
            The maximum AAA Servers that can be specified  is limited
            by 'cAAASvrExtSvrGrpSvrListMaxEnt' value."
        ::= { cAAASvrExtSvrGrpConfigEntry 4 }

cAAASvrGrpConfigRowStatus OBJECT-TYPE
        SYNTAX         RowStatus
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "The status of this conceptual row. This object can not
            be set to 'active' unless the corresponding value of 
            'cAAASvrGrpName' is unique. Once the value of this object
            is set to 'active', the associated entry can not be 
            modified, only destroyed by setting this object to 
            destroy(6)."
        ::= { cAAASvrExtSvrGrpConfigEntry 5 }

cAAASvrGrpConfigDeadTime OBJECT-TYPE
        SYNTAX         TimeIntervalMin (0..1440)
        UNITS          "minutes"
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "The DeadTime setting for AAA Server Group.
            This indicates the length of time in minutes that the
            system will mark the server dead when a AAA server does
            not respond to an authentication request. During the
            interval of the dead time, any authentication request
            that comes up would not be sent to that AAA server
            that was marked as dead. The default value of 0 means
            that the AAA servers will not be marked dead if they
            do not respond."
        DEFVAL         { 0 }
        ::= { cAAASvrExtSvrGrpConfigEntry 6 }

--
-- AAA Server Group Configuration for LDAP Protocol.
--
cAAASvrExtSvrGrpLDAPConfigTable OBJECT-TYPE
        SYNTAX         SEQUENCE OF CAAASvrExtSvrGrpLDAPConfigEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "This table is extension to cAAASvrExtSvrGrpConfigTable.

           An entry will be created in this table
           by the agent whenever an entry is created
           in cAAASvrExtSvrGrpConfigTable with 
           cAAASvrGrpProtocol set to 'ldap'.
          
           An entry will get destroyed by the agent
           whenever corresponding entry in
           cAAASvrExtSvrGrpConfigTable identified
           by cAAASvrGrpIndex is destroyed.
 
           The SNMP Manager can not create
           or destroy entries in this table.
           The SNMP Manager can modify columnar
           objects in this table."
        ::= { cAAASvrExtSvrGrpConfig 2 }

cAAASvrExtSvrGrpLDAPConfigEntry OBJECT-TYPE
        SYNTAX         CAAASvrExtSvrGrpLDAPConfigEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "An entry in the table. Each entry corresponds
           to  LDAP server group identified by
           a corresponding entry in cAAASvrExtSvrGrpConfigTable
           with cAAASvrGrpProtocol value of 'ldap'.
           Each entry contains information on LDAP Base
           Distinguished Name,  Filter and user profile."
        INDEX          { cAAASvrGrpIndex }
        ::= { cAAASvrExtSvrGrpLDAPConfigTable 1}

CAAASvrExtSvrGrpLDAPConfigEntry ::=
        SEQUENCE {
            cAAASvrGrpLDAPBaseDN        SnmpAdminString,
            cAAASvrGrpLDAPFilterUser    SnmpAdminString,
            cAAASvrGrpLDAPUserProfile   SnmpAdminString
}

cAAASvrGrpLDAPBaseDN OBJECT-TYPE
        SYNTAX         SnmpAdminString (SIZE (0..64))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This object specifies the base entry in the
           LDAP hierarchy where the LDAP server should begin 
           searching when it receives an authorization request."
        DEFVAL { "" }
        ::= { cAAASvrExtSvrGrpLDAPConfigEntry 1 }

-- LDAP search filter used to locate the user entry for this server group.
-- The REFERENCE cites RFC 2254, which has since been obsoleted by
-- RFC 4515 (LDAP: String Representation of Search Filters).
-- NOTE(review): the DESCRIPTION does not say whether, or how, the login
-- name is substituted into this filter. If the agent interpolates it,
-- the name must be escaped per the filter grammar before substitution so
-- that characters such as '*', '(' and ')' cannot alter the search.
-- The default is an empty string; the behaviour with an empty filter is
-- not stated here - confirm against the agent.
cAAASvrGrpLDAPFilterUser OBJECT-TYPE
        SYNTAX         SnmpAdminString (SIZE (0..128))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This object specifies the filter to be
           used to search user entry in LDAP server 
           database."
        REFERENCE
            "RFC2254 - Section 3. LDAP Search Filter Definition."
        DEFVAL { "" }
        ::= { cAAASvrExtSvrGrpLDAPConfigEntry 2 }

cAAASvrGrpLDAPUserProfile OBJECT-TYPE
        SYNTAX         SnmpAdminString (SIZE (0..64))
        MAX-ACCESS     read-create
        STATUS         current
        DESCRIPTION
           "This object specifies the attribute type for
           user profile private attribute.  This attribute  
           is requested in search request to the LDAP server."
        DEFVAL { "" }
        ::= { cAAASvrExtSvrGrpLDAPConfigEntry 3 }
--
-- Application-Server Group  mapping configuration
-- cAAASvrExtAppSvrGrpMapConfig
--

-- Maps (application, application sub-type, AAA function) to an ordered
-- list of server groups plus the optional 'Local' and 'Trivial' fallbacks.
-- Fallback semantics as described below: SUCCESS or FAIL from any server
-- is final; only ERROR moves on to the next server or group. When every
-- group returns ERROR, 'Local' and then 'Trivial' are tried if the
-- 'cAAASvrGrpLocal' / 'cAAASvrGrpTrivial' columns enable them.
-- Security relevance: the fallbacks are reached when all of the remote
-- servers answer ERROR, so their settings decide what happens during an
-- AAA outage. NOTE(review): what the 'Trivial' mechanism accepts is not
-- defined in this part of the module; confirm it before enabling
-- 'cAAASvrGrpTrivial' for any authentication function.
cAAASvrExtAppSvrGrpConfigTable OBJECT-TYPE
        SYNTAX         SEQUENCE OF AppSvrGrpEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "A table associating the AAA server groups for 
            specific  AAA function for a given  Application 
            and Application Sub-Type. If the device encounters
            ERRORs from server(s) in first group of 
            'cAAASvrGrpList',it will try servers in next 
            server group. The order in which Server Groups occur
            within the value of 'cAAASvrGrpList' decides the order
            of trial for AAA  function. 
            Similarly, within a server group, each server 
            in the group will be tried one by one until one
            of them responds with either SUCCESS or FAIL. 
            In case all the Server Groups return ERROR,
            'Local' mechanism ('cAAASvrGrpLocal') followed by 
            'Trivial' mechanism ('cAAASvrGrpTrivial') are tried,
            if so configured."
        ::= { cAAASvrExtAppSvrGrpMapConfig 1 }

cAAASvrExtAppSvrGrpConfigEntry OBJECT-TYPE
        SYNTAX         AppSvrGrpEntry
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "An entry (conceptual row) in the 
            cAAASvrExtAppSvrGrpConfigTable.
            New entries can not be created. Only the existing 
            rows can be modified." 
        INDEX          { cAAAApplicationType,
                         cAAAApplicationSubType,
                         cAAAFunction }
        ::= { cAAASvrExtAppSvrGrpConfigTable  1}

-- AppSvrGrpEntry: row layout of cAAASvrExtAppSvrGrpConfigTable.
-- The first three columns are the INDEX objects (not-accessible); the
-- last three are the read-write policy columns: two fallback switches
-- and the packed, ordered list of server-group indices.
AppSvrGrpEntry ::=
        SEQUENCE {
            cAAAApplicationType             INTEGER,
            cAAAApplicationSubType          INTEGER,
            cAAAFunction                    INTEGER,
            cAAASvrGrpLocal                 TruthValue,
            cAAASvrGrpTrivial               TruthValue,
            cAAASvrGrpList                  OCTET STRING
}

cAAAApplicationType OBJECT-TYPE
        SYNTAX         INTEGER {
                            default (1),
                            login (2),
                            dhchap (3),
                            iSCSI (4)
                       }
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "The Application type for which this AAA configuration
            is applied. 
            Each of these applications uses AAA services on the device.
            'login' application includes console, telnet and SSH based 
            login using the username and password.
            DHCHAP (Diffie Hellman Challenge Handshake Authentication
            Protocol) is a FC-SP compliant authentication protocol that
            can be used for switch-to-switch, host-to-switch and 
            host-to-host authentication. DHCHAP is one of the applications
            for AAA. DH-CHAP is basically a combination of bi-directional
            CHAP authentication ([4]) with a Diffie-Hellman exchange.
            iSCSI (Small Computer Systems Interface over IP) is an SCSI
            transport protocol for mapping of block-oriented storage 
            data over TCP/IP networks.
            The 'default' application type indicates the  default
            configurations which can be used by all the applications,
            unless overridden by specific application types."
        REFERENCE
           " - Fibre Channel Security Protocols (FC-SP) REV. 1.0,
               T11 FC-SP Working Document T11/03-149v0.pdf
             - Challenge Handshake Authentication Protocol (CHAP)
               RFC 1994
             - iSCSI Internet Draft
            ."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 1 }

-- cAAAApplicationSubType: second index of cAAASvrExtAppSvrGrpConfigEntry.
-- Only 'all' and 'console' exist. Per the DESCRIPTION, 'console' is valid
-- for 'login' rows and for 'default' rows whose cAAAFunction is
-- 'authorization'; 'dhchap' rows, 'iSCSI' rows and 'default' accounting
-- rows accept only 'all'. The DESCRIPTION does not state the allowed
-- values for 'default' rows whose cAAAFunction is 'authentication'.
cAAAApplicationSubType OBJECT-TYPE
        SYNTAX         INTEGER {
                            all (1),
                            console(2)
                       }
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION
           "The Application Sub-Type. This is very specific to 
            the  application attached and indicates the
            sub-application.
            For 'login' application:
              - If the 'cAAAApplicationSubType' is 'all', the
                configuration  appearing in the corresponding row 
                is used by all the 'login' applications. 
              - If the 'cAAAApplicationSubType' is 'console',
                console login uses this configuration instead
                of the 'all'.
            For the 'dhchap' application, the only allowed
            'cAAAApplicationSubType' is 'all'. This means, the 
            configuration appearing in the corresponding row is 
            used by all the 'dhchap' applications.
            For the 'iSCSI' application, the only allowed 
            'cAAAApplicationSubType' is 'all'. This means, the 
            configuration appearing in the corresponding row is 
            used by all the iSCSI applications.
            For the 'default' application, 
              - the allowed 'cAAAApplicationSubType' values are
                'all' and 'console', when 'cAAAFunction' is 
                'authorization'
              - the allowed 'cAAAApplicationSubType'  value is 
                'all', when 'cAAAFunction' is 'accounting'
            ."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 2 }

cAAAFunction OBJECT-TYPE
        SYNTAX        INTEGER {
                         authentication (1),
                         authorization (2),
                         accounting (3)
                       }
        MAX-ACCESS     not-accessible
        STATUS         current
        DESCRIPTION  
           "The AAA function to which this application 
            configuration row corresponds."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 3 }

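-- cAAASvrGrpLocal: enables the device-local AAA service as a fallback
-- for this row. It is used only after every server group in
-- cAAASvrGrpList has been tried.
-- Per the DESCRIPTION, 'false' is rejected when the row is a 'default'
-- authentication or accounting row and no other mechanism is configured
-- (cAAASvrGrpTrivial is 'false' and cAAASvrGrpList is empty); 'true' is
-- rejected for authorization rows.
-- NOTE(review): this object is read-write, so SNMP write access to it
-- amounts to control over the device's AAA policy. Limit SET access
-- (SNMPv3 authPriv with a restrictive VACM view) and audit changes.
cAAASvrGrpLocal OBJECT-TYPE
        SYNTAX         TruthValue
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION
           "The value 'true(1)'  indicates  'Local' AAA
            is allowed. 
            The value 'false(2)' indicates  'Local' AAA
            is not allowed.
            'Local' AAA is used only after trying all the Server
            Groups in the 'cAAASvrGrpList'.
            The 'Local' AAA means all the AAA functions
            are performed using the local AAA Service 
            provided in the Device.
            
            The value of this object can not be set to 'false'
            in the following conditions :
              - 'cAAAApplicationType' is 'default' and 'cAAAFunction'
                is 'authentication' or 'accounting'
                 
                 and 
                 
              - value of corresponding instance of 
                'cAAASvrGrpTrivial' is 'false' and  no server groups
                configured in the value of the corresponding instance
                of 'cAAASvrGrpList'
               
            The value of this object can not be set to 'true'
            if the 'cAAAFunction' value is 'authorization'."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 4 }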

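-- cAAASvrGrpTrivial: enables the 'Trivial' last-resort mechanism for this
-- row, tried after all server groups in cAAASvrGrpList and after 'Local'
-- AAA (if configured).
-- What 'Trivial' means depends on cAAAFunction: user name based
-- authentication, no authorization check, or no accounting.
-- NOTE(review): 'true' on an authentication row reduces the control to a
-- user-name based check once the earlier mechanisms are exhausted, which
-- reads as no password verification; confirm against the device
-- documentation. The DESCRIPTION forbids 'true' only for 'iSCSI' and
-- 'dhchap' authentication rows, so 'login' rows can enable it.
-- Keep it 'false' on login rows unless there is a documented reason,
-- restrict SNMP SET access to this read-write object (SNMPv3 authPriv
-- with a restrictive VACM view), and alert on changes.
cAAASvrGrpTrivial OBJECT-TYPE
        SYNTAX         TruthValue
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION
           "The value 'true(1)'  indicates  'Trivial' AAA
            is allowed. 
            The value 'false(2)' indicates  'Trivial' AAA 
            is not allowed. 
            'Trivial' AAA is used only after trying all the Server
            Groups in the 'cAAASvrGrpList' and 'Local' AAA 
            (if configured).
            Trivial AAA corresponds to one of the following
            based on the value of corresponding instance of
            'cAAAFunction':
              - User name based authentication, if 'cAAAFunction'
                value is 'authentication'
              - No Authorization check, if 'cAAAFunction' 
                value is 'authorization'
              - No accounting, if 'cAAAFunction'
                value is 'accounting'
                
            The value of this object can not be set to 'false'
            in the following conditions :
              - 'cAAAApplicationSubType' is 'all' and 'cAAAFunction'
                is 'authorization'
                 
                 and 
                 
              - value of corresponding instance of 'cAAASvrGrpLocal'
                is 'false' and  no server groups configured in the
                value of the corresponding instance of 'cAAASvrGrpList'
                
            The value of this object can not be set to 'true'
            in the following conditions :
              - when 'cAAAApplicationType' is 'iSCSI' , 
                'cAAAApplicationSubType' is 'all' and 
                'cAAAFunction' is 'authentication'
                 
              - when 'cAAAApplicationType' is 'dhchap' , 
                'cAAAApplicationSubType' is 'all' and 
                'cAAAFunction' is 'authentication'                 
            ."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 5 }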

-- cAAASvrGrpList: ordered, packed list of server-group indices for this
-- row. Each element is a 4-octet cAAASvrGrpIndex in network byte order;
-- position in the string is the priority. A zero-length value means no
-- server groups are configured.
-- NOTE(review): SIZE(0..256) permits at most 64 elements by length alone;
-- the DESCRIPTION says the effective limit is cAAASvrExtAppToSvrGrpMaxEnt.
-- SYNTAX cannot express "length is a multiple of 4" or "index exists in
-- cAAASvrExtSvrGrpConfigTable", so the agent presumably enforces both on
-- SET; confirm against the implementation.
cAAASvrGrpList    OBJECT-TYPE
        SYNTAX         OCTET STRING (SIZE(0..256))
        MAX-ACCESS     read-write
        STATUS         current
        DESCRIPTION
           "This represents ordered list of AAA Server Groups that are
            configured for this application to perform AAA functions.
            This object contains list of the AAA Server Groups as
            defined in the 'cAAASvrExtSvrGrpConfigTable'.
            The value of this object is a concatenation of zero or
            more 4-octet strings, where each 4-octet string represents
            a 32-bit 'cAAASvrGrpIndex' value of  server group
            ('cAAASvrExtSvrGrpConfigTable')  in network byte order.
            The order in which Server Groups occur within the value of
            this object determines the Server Group priority in the
            list.
            The maximum  number of Server Groups that can be
            specified in this row is limited by
            'cAAASvrExtAppToSvrGrpMaxEnt' value."
        ::= { cAAASvrExtAppSvrGrpConfigEntry 6 }
--
-- Conformance
--

-- Sub-tree 1 of the conformance branch: MODULE-COMPLIANCE statements.
ciscoAAASvrExtMIBCompliances  OBJECT IDENTIFIER
                              ::= { ciscoAAASvrExtMIBConformance 1 }
-- Sub-tree 2 of the conformance branch: OBJECT-GROUP definitions.
ciscoAAASvrExtMIBGroups       OBJECT IDENTIFIER
                              ::= { ciscoAAASvrExtMIBConformance 2 }

-- ciscoAAAServerMIBCompliance: first compliance statement, now
-- deprecated. Mandatory groups are the original generic, per-server
-- table and per-protocol parameter groups; the server-group and
-- application-mapping groups are conditional.
ciscoAAAServerMIBCompliance MODULE-COMPLIANCE
        STATUS         deprecated -- superseded by
                                  -- ciscoAAAServerMIBCompliance1
        DESCRIPTION
           "The compliance statement for entities which implement the 
            CISCO-AAA-SERVER-EXT-MIB."
        MODULE 
           MANDATORY-GROUPS { cAAASvrExtGenericConfGroup,
                              cAAASvrExtSvrTableConfGroup,
                              cAAASvrExtProtoParamConfigGroup }
           GROUP       cAAASvrExtSvrGroupConfGroup 
           DESCRIPTION 
              "This group is required only if the Server Group
               configuration is implemented by the agent."
           GROUP       cAAASvrExtAppSvrGroupConfGroup 
           DESCRIPTION 
              "This group is required only if the Server Group
               and application-to-server group mapping configuration
               is implemented by the agent."           
        ::= { ciscoAAASvrExtMIBCompliances 1 }

-- ciscoAAAServerMIBCompliance1: second compliance statement, now
-- deprecated. Differs from ciscoAAAServerMIBCompliance only in requiring
-- cAAASvrExtGenericConfGroup1 instead of cAAASvrExtGenericConfGroup.
ciscoAAAServerMIBCompliance1 MODULE-COMPLIANCE
        STATUS         deprecated -- superseded by
                                  -- ciscoAAAServerMIBCompliance2

        DESCRIPTION
           "The compliance statement for entities which implement the 
            CISCO-AAA-SERVER-EXT-MIB."
        MODULE 
           MANDATORY-GROUPS { cAAASvrExtGenericConfGroup1,
                              cAAASvrExtSvrTableConfGroup,
                              cAAASvrExtProtoParamConfigGroup }
           GROUP       cAAASvrExtSvrGroupConfGroup 
           DESCRIPTION 
              "This group is required only if the Server Group
               configuration is implemented by the agent."
           GROUP       cAAASvrExtAppSvrGroupConfGroup 
           DESCRIPTION 
              "This group is required only if the Server Group
               and application-to-server group mapping configuration
               is implemented by the agent."           
        ::= { ciscoAAASvrExtMIBCompliances 2 }

-- ciscoAAAServerMIBCompliance2: the current compliance statement.
-- Mandatory: generic configuration (group 1), per-server table
-- configuration and per-protocol parameters (group 1).
-- Conditional: server groups, application-to-server-group mapping, the
-- two LDAP groups, server monitoring and the MSCHAP switch, each
-- required only when the agent implements that feature.
ciscoAAAServerMIBCompliance2 MODULE-COMPLIANCE
        STATUS         current
        DESCRIPTION
           "The compliance statement for entities which implement the 
            CISCO-AAA-SERVER-EXT-MIB."
        MODULE 
           MANDATORY-GROUPS { cAAASvrExtGenericConfGroup1,
                              cAAASvrExtSvrTableConfGroup,
                              cAAASvrExtProtoParamConfigGroup1 }
           GROUP       cAAASvrExtSvrGroupConfGroup2 
           DESCRIPTION 
              "This group is required only if the Server Group
               configuration is implemented by the agent."
           GROUP       cAAASvrExtAppSvrGroupConfGroup 
           DESCRIPTION 
              "This group is required only if the Server Group
               and application-to-server group mapping configuration
               is implemented by the agent."           
           GROUP cAAASvrExtSvrTableLDAPConfGroup
           DESCRIPTION 
               "This group is required only if AAA is
               supported using LDAP protocol."
           GROUP       cAAASvrExtSvrGroupLDAPConfGroup 
           DESCRIPTION 
               "This group is required only if AAA is
               supported using LDAP protocol."
           GROUP       cAAASvrExtSvrMonitorConfGroup
           DESCRIPTION
              "This group is required only if the Server Monitoring
               configuration is implemented by the agent."
           GROUP       cAAASvrExtGenericConfGroup2
           DESCRIPTION
              "This group is required only if MSCHAP authentication
              can be enabled/disabled."
        ::= { ciscoAAASvrExtMIBCompliances 3 }
--
-- Units of Conformance
--

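-- cAAASvrExtGenericConfGroup: original generic-configuration group,
-- holding only cAAASvrExtLocalAccLogMaxSize. Deprecated in favour of
-- cAAASvrExtGenericConfGroup1, which adds cAAASvrExtClearAccLog.
cAAASvrExtGenericConfGroup  OBJECT-GROUP
        OBJECTS        { cAAASvrExtLocalAccLogMaxSize }
        STATUS         deprecated -- superseded by
                                  -- cAAASvrExtGenericConfGroup1
        DESCRIPTION
           "A collection of objects for Generic configuration."
        ::= { ciscoAAASvrExtMIBGroups 1 }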

-- cAAASvrExtSvrTableConfGroup: per-server configuration objects
-- (address type and address, key encryption type, dead time, timeout,
-- retransmits). Mandatory in every compliance statement of this module.
-- The objects themselves are defined outside this excerpt.
cAAASvrExtSvrTableConfGroup  OBJECT-GROUP
        OBJECTS        { cAAAServerAddrType,
                         cAAAServerAddr,
                         cAAAServerKeyEncrType,
                         cAAAServerDeadTime,
                         cAAAServerTimeOut,
                         cAAAServerRetransmits }
        STATUS         current
        DESCRIPTION
           "A collection of objects for AAA Server configuration."
        ::= { ciscoAAASvrExtMIBGroups 2 }

-- cAAASvrExtProtoParamConfigGroup: original per-protocol parameter
-- group, deprecated in favour of cAAASvrExtProtoParamConfigGroup1, which
-- adds cAAAServerProtoDirectedReq.
-- NOTE(review): the group includes cAAAServerProtoAuthKey, which is
-- defined outside this excerpt and by its name appears to hold the
-- protocol authentication key. Confirm its MAX-ACCESS and how a read
-- returns it, and keep it out of broadly readable SNMP views.
cAAASvrExtProtoParamConfigGroup  OBJECT-GROUP
        OBJECTS        { cAAAServerProtoAuthKey,
                         cAAAServerProtoKeyEncrType,
                         cAAAServerProtoDeadTime,
                         cAAAServerProtoTimeOut,
                         cAAAServerProtoRetransmits,
                         cAAAServerProtoSvrTableMaxEnt
                       }
        STATUS         deprecated -- replaced by 
                        -- cAAASvrExtProtoParamConfigGroup1
        DESCRIPTION
           "A collection of objects for AAA per-protocol parameter 
            configuration."
        ::= { ciscoAAASvrExtMIBGroups 3 }

-- cAAASvrExtSvrGroupConfGroup: original server-group configuration
-- group, deprecated. No replacement is named on the STATUS line;
-- presumably it is cAAASvrExtSvrGroupConfGroup2, which lists the same
-- objects plus cAAASvrGrpConfigDeadTime and is the one referenced by
-- ciscoAAAServerMIBCompliance2.
cAAASvrExtSvrGroupConfGroup  OBJECT-GROUP
        OBJECTS        { cAAASvrGrpName,
                         cAAASvrGrpProtocol,
                         cAAAServerList,
                         cAAASvrGrpConfigRowStatus,
                         cAAASvrExtSvrGrpSvrListMaxEnt }
        STATUS         deprecated
        DESCRIPTION
           "A collection of objects for AAA  Server Group 
            configuration."
        ::= { ciscoAAASvrExtMIBGroups 4 }

-- cAAASvrExtAppSvrGroupConfGroup: the accessible objects of the
-- application-to-server-group mapping. The three index objects of
-- cAAASvrExtAppSvrGrpConfigEntry are not-accessible and therefore not
-- listed. cAAASvrExtAppToSvrGrpMaxEnt is defined outside this excerpt.
-- NOTE(review): cAAASvrGrpLocal, cAAASvrGrpTrivial and cAAASvrGrpList
-- are read-write and together determine which mechanism decides AAA;
-- an agent implementing this group should expose them for writing only
-- to tightly scoped SNMP principals.
cAAASvrExtAppSvrGroupConfGroup  OBJECT-GROUP
        OBJECTS        { cAAASvrGrpLocal,
                         cAAASvrGrpTrivial,
                         cAAASvrGrpList,
                         cAAASvrExtAppToSvrGrpMaxEnt }
        STATUS         current
        DESCRIPTION
           "A collection of objects for Application-to-Server
            Group mapping configuration."
        ::= { ciscoAAASvrExtMIBGroups 5 }

cAAASvrExtGenericConfGroup1  OBJECT-GROUP
        OBJECTS        { cAAASvrExtLocalAccLogMaxSize,
                         cAAASvrExtClearAccLog }
        STATUS         current
        DESCRIPTION
           "A collection of objects for Generic configuration."
        ::= { ciscoAAASvrExtMIBGroups 6 }

cAAASvrExtGenericConfGroup2  OBJECT-GROUP
        OBJECTS        { cAAALoginAuthTypeMSCHAP }
        STATUS         current
        DESCRIPTION
           "A collection of objects for Generic configuration."
        ::= { ciscoAAASvrExtMIBGroups 7 }

-- cAAASvrExtSvrGroupConfGroup2: current server-group configuration
-- group. Lists the same objects as the deprecated
-- cAAASvrExtSvrGroupConfGroup plus cAAASvrGrpConfigDeadTime.
cAAASvrExtSvrGroupConfGroup2  OBJECT-GROUP
        OBJECTS        { cAAASvrGrpName,
                         cAAASvrGrpProtocol,
                         cAAAServerList,
                         cAAASvrGrpConfigRowStatus,
                         cAAASvrExtSvrGrpSvrListMaxEnt,
                         cAAASvrGrpConfigDeadTime
                       }
        STATUS         current
        DESCRIPTION
           "A collection of objects for AAA  Server Group 
            configuration."
        ::= { ciscoAAASvrExtMIBGroups 8 }

-- cAAASvrExtProtoParamConfigGroup1: current per-protocol parameter
-- group. Lists the same objects as the deprecated
-- cAAASvrExtProtoParamConfigGroup plus cAAAServerProtoDirectedReq.
-- NOTE(review): the group includes cAAAServerProtoAuthKey, which is
-- defined outside this excerpt and by its name appears to hold the
-- protocol authentication key. Confirm its MAX-ACCESS and how a read
-- returns it, and keep it out of broadly readable SNMP views.
cAAASvrExtProtoParamConfigGroup1  OBJECT-GROUP
        OBJECTS        { cAAAServerProtoAuthKey,
                         cAAAServerProtoKeyEncrType,
                         cAAAServerProtoDeadTime,
                         cAAAServerProtoTimeOut,
                         cAAAServerProtoRetransmits,
                         cAAAServerProtoSvrTableMaxEnt,
                         cAAAServerProtoDirectedReq
                        }
        STATUS         current
        DESCRIPTION
           "A collection of objects for AAA per-protocol parameter 
            configuration."
        ::= { ciscoAAASvrExtMIBGroups 9 }

-- cAAASvrExtSvrTableLDAPConfGroup: the single per-server LDAP object,
-- cAAAServerRootDN (defined outside this excerpt). Required by
-- ciscoAAAServerMIBCompliance2 only when AAA over LDAP is supported.
cAAASvrExtSvrTableLDAPConfGroup  OBJECT-GROUP
        OBJECTS        { 
                         cAAAServerRootDN
                       }
        STATUS         current
        DESCRIPTION
           "A collection of objects for AAA Server using
           LDAP protocol."
        ::= { ciscoAAASvrExtMIBGroups 10 }

-- cAAASvrExtSvrGroupLDAPConfGroup: the per-server-group LDAP search
-- parameters (base DN, user filter, user-profile attribute). Required
-- by ciscoAAAServerMIBCompliance2 only when AAA over LDAP is supported.
-- NOTE(review): these values shape the LDAP search the device issues
-- during AAA, so write access to them should be as restricted as write
-- access to the server list itself.
cAAASvrExtSvrGroupLDAPConfGroup  OBJECT-GROUP
        OBJECTS        { 
                           cAAASvrGrpLDAPBaseDN,
                           cAAASvrGrpLDAPFilterUser,
                           cAAASvrGrpLDAPUserProfile

                       }
        STATUS         current
        DESCRIPTION
           "A collection of objects for LDAP Server Group 
            configuration."
        ::= { ciscoAAASvrExtMIBGroups 11 }

-- cAAASvrExtSvrMonitorConfGroup: objects for AAA server monitoring
-- (idle time plus a test user name and test password). The objects are
-- defined outside this excerpt.
-- NOTE(review): cAAAServerTestPassword is a credential reachable over
-- SNMP. Confirm its MAX-ACCESS and what a read returns, use a dedicated
-- low-privilege test account for monitoring, and exclude the object
-- from read views that do not need it.
cAAASvrExtSvrMonitorConfGroup  OBJECT-GROUP
        OBJECTS        { 
                         cAAAServerIdleTime,
                         cAAAServerTestUser,
                         cAAAServerTestPassword
                       }
        STATUS         current
        DESCRIPTION
           "A collection of objects for configuring AAA Server
            monitoring."
        ::= { ciscoAAASvrExtMIBGroups 12 }

END