-- *********************************************************************
-- CISCO-AUTH-FRAMEWORK-MIB.my: Authentication Framework configuration
-- and information MIB
--
-- April 2008, Binh Phu Le
--
-- Copyright (c) 2008 by Cisco Systems Inc.
--
-- All rights reserved.
--
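-- *******************************************************************

-- Formatting note: the keywords of this module are separated again
-- (DEFINITIONS ::= BEGIN, OBJECT IDENTIFIER, one clause per line) so that
-- a MIB compiler can parse it. Names, OID assignments and the text of
-- the quoted strings are unchanged.
--
-- Review note: this module defines read-write objects that change how a
-- port is authorized (for example cafPortAuthorizeControl and
-- cafPortPreAuthOpenAccess) and read-only session objects that carry
-- client MAC/IP addresses and user names. Deployments normally expose
-- both only to authenticated, encrypted SNMPv3 users through a
-- restricted VACM view.

CISCO-AUTH-FRAMEWORK-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    NOTIFICATION-TYPE,
    Unsigned32,
    Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    NOTIFICATION-GROUP,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    MacAddress,
    TEXTUAL-CONVENTION,
    TruthValue
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddress,
    InetAddressType
        FROM INET-ADDRESS-MIB
    ifIndex,
    ifName
        FROM IF-MIB
    VlanIndexOrZero
        FROM CISCO-PRIVATE-VLAN-MIB
    CnnEouPostureTokenString
        FROM CISCO-NAC-TC-MIB
    ciscoMgmt
        FROM CISCO-SMI;

-- Module identity: registered as ciscoMgmt 656, single revision.
ciscoAuthFrameworkMIB MODULE-IDENTITY
    LAST-UPDATED    "200805210000Z"
    ORGANIZATION    "Cisco Systems Inc."
    CONTACT-INFO
        "Cisco Systems
        Customer Service
        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA
        Tel: +1 800 553 -NETS
        E-mail: cs-ibns@cisco.com,
        cs-lan-switch-snmp@cisco.com"
    DESCRIPTION
        "MIB module for Authentication Framework in the system.
        Authentication Framework provides generic configurations
        for authentication methods in the system and manage the
        failover sequence of these methods in a flexible manner."
    REVISION        "200805210000Z"
    DESCRIPTION
        "Initial version of this MIB module."
    ::= { ciscoMgmt 656 }

-- Top-level branches: notifications (0), objects (1), conformance (2).
ciscoAuthFrameworkMIBNotifs  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIB 0 }

ciscoAuthFrameworkMIBObjects  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIB 1 }

ciscoAuthFrameworkMIBConform  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIB 2 }

-- Object subtrees under ciscoAuthFrameworkMIBObjects.
ciscoAuthFrameworkSystem  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 1 }

ciscoAuthFrwkAuthenticator  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 2 }

ciscoAuthFrameworkEvent  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 3 }

ciscoAuthFrameworkSession  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 4 }

ciscoAuthFrwkNotifControl  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 5 }

ciscoAuthFrwkNotifInfo  OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBObjects 6 }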
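-- Textual Conventions

-- Traffic direction(s) that authentication control applies to on a port.
-- Review note: per the description, in(1) exerts control over incoming
-- traffic only; what happens to outgoing traffic on an unauthorized port
-- is not stated here and should be confirmed against the platform
-- documentation.
CiscoAuthControlledDirections ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The controlled direction values for capable ports in
        Authentication Framework.
        both: control is required to be exerted over both
        incoming and outgoing traffic through the
        controlled port.
        in : control is required to be exerted over the
        incoming traffic through the controlled port."
    SYNTAX          INTEGER {
                        both(0),
                        in(1)
                    }

-- Authorization control of a controlled port.
-- Review note: forceAuthorized(3) authorizes the port unconditionally,
-- i.e. without an authentication process; auto(2) is the only value that
-- makes the result depend on authentication.
CiscoAuthControlledPortControl ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The authorization control values of Authentication
        Framework on a controlled port.
        forceUnauthorized: the controlled port is forced to
        be unauthorized unconditionally.
        auto : authorization of the controlled
        port will be determined by an
        authentication process.
        forceAuthorized : The controlled port is forced to
        be authorized unconditionally."
    SYNTAX          INTEGER {
                        forceUnauthorized(1),
                        auto(2),
                        forceAuthorized(3)
                    }

-- Authentication methods known to the framework. other(1) can be read
-- but, per the description, cannot be used in a set operation.
CiscoAuthMethod ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The authentication methods and protocols supported in
        Authentication Framework.
        other : none of the below.
        dot1x : 802.1x Protocol.
        macAuthBypass: MAC Authentication Bypass.
        webAuth : Web-Proxy Authentication.
        'other' is a read only value which can not be used in
        set operation."
    SYNTAX          INTEGER {
                        other(1),
                        dot1x(2),
                        macAuthBypass(3),
                        webAuth(4)
                    }

-- Ordered list of methods, one CiscoAuthMethod value per octet.
-- Review note: the SYNTAX carries no SIZE constraint and cannot restrict
-- octet values, so an agent has to validate on SET that every octet is a
-- settable CiscoAuthMethod value; whether duplicates are rejected is not
-- stated here.
CiscoAuthMethodList ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The list of authentication methods provided within
        Authentication Framework.
        Each octet represents an authentication method which
        is defined in CiscoAuthMethod.
        The DESCRIPTION clause of CiscoAuthMethodList objects
        must fully describe the relationship between methods."
    SYNTAX          OCTET STRING

-- Host mode of a controlled port.
-- Review note: in multiHost(2) one successful authentication authorizes
-- every other host on the port (see the description), so hosts behind
-- the same port are not individually authenticated in that mode.
CiscoAuthHostMode ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The authentication mode of a controlled port.
        singleHost: port allows one host to connect and authenticate
        in a single domain.
        multiHost : port allows multiple hosts to connect. Once
        a host is authenticated, all remaining hosts are
        also authenticated in a single domain.
        multiAuth : port allows multiple hosts to connect. Each host
        is authenticated separately in a single domain.
        multiDomain: port allows multiple domains to be authenticated."
    SYNTAX          INTEGER {
                        singleHost(1),
                        multiHost(2),
                        multiAuth(3),
                        multiDomain(4)
                    }

-- ciscoAuthFrameworkSystem

-- System-wide, writable delay (milliseconds) applied when the AAA server
-- becomes active again; zero disables the delay.
cafAaaNoRespRecoveryDelay OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "milliseconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the AAA recovery delay for authentication methods
        registered in Authentication Framework when AAA server becomes
        active again after being inactive. A value of zero indicates
        that AAA recovery delay is disabled in the system."
    ::= { ciscoAuthFrameworkSystem 1 }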
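-- Table of authentication methods currently registered with the
-- framework. Rows are created and deleted by the agent only (on method
-- registration and de-registration); the table has no writable columns.
cafAuthMethodRegTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafAuthMethodRegEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of authentication methods which are currrently
        registered with Authentication Framework.
        An entry is created by the agent when an authentication method
        has successfully registered with Authentication Framework.
        An entry is deleted by the agent upon de-registration of the
        authentication method."
    ::= { ciscoAuthFrameworkSystem 2 }

-- One row per registered method, indexed by the method itself.
cafAuthMethodRegEntry OBJECT-TYPE
    SYNTAX          CafAuthMethodRegEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing registration information of a particular
        authentication method with Authentication Framework."
    INDEX           { cafAuthMethod }
    ::= { cafAuthMethodRegTable 1 }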
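-- Columns of cafAuthMethodRegTable.
CafAuthMethodRegEntry ::= SEQUENCE {
        cafAuthMethod                 CiscoAuthMethod,
        cafAuthMethodDefaultPriority  Unsigned32,
        cafAuthMethodDefaultExecOrder Unsigned32
}

-- Index column: the registered method. Not accessible on its own; the
-- value is carried in the instance identifier of the other columns.
cafAuthMethod OBJECT-TYPE
    SYNTAX          CiscoAuthMethod
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The authentication method registered with Authentication
        Framework."
    ::= { cafAuthMethodRegEntry 1 }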
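-- Default priority assigned by the framework at registration time.
-- Smaller value means higher priority. Read-only.
cafAuthMethodDefaultPriority OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "A unique number which indicates the default priority of a
        authentication method.
        The default priority is assigned by Authentication Framework
        during method registration. The method with smallest value
        has highest priority."
    ::= { cafAuthMethodRegEntry 2 }

-- Default execution order assigned by the framework at registration
-- time. Smaller value runs first. Read-only.
cafAuthMethodDefaultExecOrder OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "A unique number which indicates the default execution order
        of a authentication method.
        The default execution order is assigned by Authentication Framework
        during method registration. The method with smallest value
        will be execute first."
    ::= { cafAuthMethodRegEntry 3 }

-- ciscoAuthFrwkAuthenticator

-- Per-port configuration of the framework. Every column of this table
-- is read-write, so write access to it is equivalent to control over the
-- authentication behaviour of the port.
cafPortConfigTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafPortConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of port entries. An entry will exist for each
        interface which supports which support Authentication
        Framework feature."
    ::= { ciscoAuthFrwkAuthenticator 1 }

-- One row per capable interface, indexed by ifIndex from IF-MIB.
cafPortConfigEntry OBJECT-TYPE
    SYNTAX          CafPortConfigEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry containing management information of Authentication
        Framework applicable to a particular port."
    INDEX           { ifIndex }
    ::= { cafPortConfigTable 1 }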
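-- Columns of cafPortConfigTable (all read-write).
CafPortConfigEntry ::= SEQUENCE {
        cafPortControlledDirection CiscoAuthControlledDirections,
        cafPortFallBackProfile     SnmpAdminString,
        cafPortAuthHostMode        CiscoAuthHostMode,
        cafPortPreAuthOpenAccess   TruthValue,
        cafPortAuthorizeControl    CiscoAuthControlledPortControl,
        cafPortReauthEnabled       TruthValue,
        cafPortReauthInterval      Unsigned32,
        cafPortRestartInterval     Unsigned32,
        cafPortInactivityTimeout   Integer32,
        cafPortViolationAction     INTEGER
}

-- Which traffic direction(s) are controlled on this port.
cafPortControlledDirection OBJECT-TYPE
    SYNTAX          CiscoAuthControlledDirections
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the controlled direction of this port."
    ::= { cafPortConfigEntry 1 }

-- Name of the profile used when failing over to Web Proxy
-- Authentication; an empty string disables that fallback.
cafPortFallBackProfile OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the name of the fallback profile to be used when
        failing over to Web Proxy Authentication. A zero length
        string indicates that fallback mechanism to Web Proxy
        Authentication is disabled in Authentication Framework."
    ::= { cafPortConfigEntry 2 }

-- Host mode of the port (see CiscoAuthHostMode for what each mode
-- authenticates).
cafPortAuthHostMode OBJECT-TYPE
    SYNTAX          CiscoAuthHostMode
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the authentication host mode for this port."
    ::= { cafPortConfigEntry 3 }

-- Review note: 'true' lets a client reach the network before it has
-- authenticated. A change of this object is a security-relevant
-- configuration event and is worth auditing; what limits the
-- pre-authentication access is not defined in this module.
cafPortPreAuthOpenAccess OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies if the Pre-Authentication Open Access feature
        allows clients/devices to gain network access before
        authentication is performed.
        A value of 'true' for this object indicates that client/device
        is able to gain network access before authentication is
        performed."
    ::= { cafPortConfigEntry 4 }

-- Review note: setting forceAuthorized(3) authorizes the port without
-- authentication (see CiscoAuthControlledPortControl). Monitoring this
-- column for values other than auto(2) is a simple configuration-drift
-- check.
cafPortAuthorizeControl OBJECT-TYPE
    SYNTAX          CiscoAuthControlledPortControl
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the authorization control for this port."
    ::= { cafPortConfigEntry 5 }

-- Enables periodic reauthentication; the period is
-- cafPortReauthInterval.
cafPortReauthEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies if reauthentication is enabled for this port."
    ::= { cafPortConfigEntry 6 }

-- Reauthentication period in seconds. Zero does not mean "never": it
-- means the interval is taken from the AAA server. The SYNTAX sets no
-- upper bound.
cafPortReauthInterval OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the reauthentication interval, after which the port
        will be reauthenticated if value of the corresponding instance
        of cafPortReauthEnabled is 'true'.
        A value of zero indicates that the reauthentication interval
        is downloaded from AAA server when this port is authenticated."
    ::= { cafPortConfigEntry 7 }

-- Seconds before authentication is retried on an unauthorized port;
-- zero disables further attempts.
cafPortRestartInterval OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the interval after which a further authentication
        attempt should be made to this port if it is not authorized.
        A value of zero indicates that no further authentication attempt
        will be made if this port is unauthorized."
    ::= { cafPortConfigEntry 8 }

-- Inactivity timeout in seconds. Two sentinel values: 0 disables the
-- timeout, -1 takes it from the AAA server. With 0 an idle client is
-- never terminated for inactivity.
cafPortInactivityTimeout OBJECT-TYPE
    SYNTAX          Integer32 (-1 | 0 | 1..65535)
    UNITS           "seconds"
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the period of time that a client associating with this
        port is allowed to be inactive before being terminated.
        A value of zero indicates that inactivity timeout is disabled on
        this port.
        A value of -1 indicates that inactivity timeout is downloaded
        from the AAA server when this port is authenticated."
    ::= { cafPortConfigEntry 9 }

-- Reaction to a security violation on the port: restrict(1) drops the
-- offending host's packets, shutdown(2) shuts the port down from the
-- framework's perspective. What counts as a violation is not defined in
-- this module.
cafPortViolationAction OBJECT-TYPE
    SYNTAX          INTEGER {
                        restrict(1),
                        shutdown(2)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "Specifies the action to be taken due to a security violation
        occurs on this port.
        restrict: This port will be restricted, i.e. packets for the
        offending host will be dropped.
        shutdown: This port will be shutdown from Authentication
        Framework perspective."
    ::= { cafPortConfigEntry 10 }

-- Per-port method lists: administrative (writable) and operational
-- (read-only) execution order and priority.
cafPortMethodTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafPortMethodEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of port entries. An entry will exist
        for each port which supports Authentication Framework feature."
    ::= { ciscoAuthFrwkAuthenticator 2 }

-- One row per capable port, indexed by ifIndex.
cafPortMethodEntry OBJECT-TYPE
    SYNTAX          CafPortMethodEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing configuration and information of
        authentication methods for a particular port."
    INDEX           { ifIndex }
    ::= { cafPortMethodTable 1 }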
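-- Columns of cafPortMethodTable.
CafPortMethodEntry ::= SEQUENCE {
        cafPortMethodAdminExecOrder CiscoAuthMethodList,
        cafPortMethodAdminPriority  CiscoAuthMethodList,
        cafPortMethodAvailable      CiscoAuthMethodList,
        cafPortMethodOperExecOrder  CiscoAuthMethodList,
        cafPortMethodOperPriority   CiscoAuthMethodList
}

-- Configured execution order: first octet runs first. An empty string
-- means no per-port order is configured and the defaults from
-- cafAuthMethodRegTable apply.
-- Review note: writing this list decides which method gets to run first
-- on the port, so it deserves the same write protection as
-- cafPortAuthorizeControl.
cafPortMethodAdminExecOrder OBJECT-TYPE
    SYNTAX          CiscoAuthMethodList
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the administrative execution order of
        authentication methods on the port. Methods are executed in
        the order as specified in the method list.
        Method which is at the beginning of the method list will be
        executed first. Method which is at the end of method list
        will be executed last.
        A zero length string of this object indicates that no per
        port execution order configuration has been specified on
        this port. The actual execution order is based on the value
        of cafAuthMethodDefaultExecOrder in cafAuthMethodRegTable."
    ::= { cafPortMethodEntry 1 }

-- Configured priority: first octet has the highest priority.
-- NOTE(review): the last sentence of the description speaks of the
-- "execution order" and cafAuthMethodDefaultExecOrder, word for word as
-- in cafPortMethodAdminExecOrder. For a priority object one would expect
-- a reference to cafAuthMethodDefaultPriority; confirm against the
-- vendor's published module before relying on it.
cafPortMethodAdminPriority OBJECT-TYPE
    SYNTAX          CiscoAuthMethodList
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the administrative priority of
        authentication methods on the port. The priority of
        each method is assigned based on the method list.
        Method which is at the beginning of the method list has
        highest priority. Method which is at the end of method list
        has lowest priority.
        A zero length string of this object indicates that no per
        port method priority configuration has been specified on
        this port. The actual execution order is based on the value
        of cafAuthMethodDefaultExecOrder in cafAuthMethodRegTable."
    ::= { cafPortMethodEntry 2 }

-- Methods currently available on the port (read-only).
cafPortMethodAvailable OBJECT-TYPE
    SYNTAX          CiscoAuthMethodList
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the authentication methods currently
        available on this port."
    ::= { cafPortMethodEntry 3 }

-- Execution order actually in effect (read-only). Comparing it with
-- cafPortMethodAdminExecOrder shows whether the configured order is the
-- one being applied.
cafPortMethodOperExecOrder OBJECT-TYPE
    SYNTAX          CiscoAuthMethodList
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the operational execution order of
        authentication methods on this port. Methods are executed in
        the order as specified in the method list.
        Method which is at the beginning of the method list will be
        executed first. Method which is at the end of method list
        will be executed last."
    ::= { cafPortMethodEntry 4 }

-- Priority actually in effect (read-only).
cafPortMethodOperPriority OBJECT-TYPE
    SYNTAX          CiscoAuthMethodList
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object indicates the operational priority of
        authentication methods on this port. Methods have the
        priority as specified in the method list.
        Method which is at the beginning of the method list has
        highest priority. Method which is at the end of method list
        has lowest priority."
    ::= { cafPortMethodEntry 5 }

-- ciscoAuthFrameworkEvent

-- Per-port handling of the Authentication Fail event.
cafAuthFailedEventPortTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafAuthFailedEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of port entries.
        An entry will exist for each port which supports Authentication
        Fail event within the Authentication Framework."
    ::= { ciscoAuthFrameworkEvent 1 }

-- One row per port, indexed by ifIndex.
cafAuthFailedEventPortEntry OBJECT-TYPE
    SYNTAX          CafAuthFailedEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing management information of Authentication
        Fail event for a particular port."
    INDEX           { ifIndex }
    ::= { cafAuthFailedEventPortTable 1 }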
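-- Columns of cafAuthFailedEventPortTable.
-- The three outcome columns (NoActionEnabled, AuthorizedVlan,
-- NextMethodEnabled) each describe some values as "read-only" although
-- MAX-ACCESS is read-write: those values can be read back but not SET.
-- Presumably selecting one outcome resets the others; that coupling is
-- not stated in the descriptions and should be confirmed.
CafAuthFailedEventPortEntry ::= SEQUENCE {
        cafAuthFailedMaxRetry          Unsigned32,
        cafAuthFailedNoActionEnabled   TruthValue,
        cafAuthFailedAuthorizedVlan    Integer32,
        cafAuthFailedNextMethodEnabled TruthValue
}

-- Number of retries before the Authentication Fail event is raised;
-- zero raises it on the first failure. The SYNTAX sets no upper bound.
cafAuthFailedMaxRetry OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the maximum number of retry should be
        performed before generating Authentication Fail event.
        A value of zero indicates that Authentication Fail event will
        be generated upon authentication fail without any retry."
    ::= { cafAuthFailedEventPortEntry 1 }

-- 'true' selects "no action" on Authentication Fail; 'false' is only
-- ever read, never written.
cafAuthFailedNoActionEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether no action will be performed
        when an Authentication Fail event occurs.
        Setting 'true' on this object indicates that no action will
        be performed when Authentication Fail event occurs.
        The read-only value 'false' indicates that an action will
        be performed when an Authentication Fail event occurs."
    ::= { cafAuthFailedEventPortEntry 2 }

-- Review note: a non-zero value authorizes the port into that VLAN
-- after authentication has FAILED. The VLAN named here therefore
-- receives clients that could not authenticate and is normally one with
-- restricted reachability. -1 (not applicable) and 0 (no VLAN) are
-- read-only values.
cafAuthFailedAuthorizedVlan OBJECT-TYPE
    SYNTAX          Integer32 (-1 | 0 | 1..2147483647)
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the Authentication Failed VLAN number.
        The read-only value of -1 indicates that this object is not
        applicable on this port.
        The read-only value of zero indicates that this port will not be
        authorized to any VLAN when Authentication Failed event occurs.
        Setting a non-zero value on this object indicates that this port
        will be authorized to the VLAN as specified by this object
        value, when Authentication Fail event occurs."
    ::= { cafAuthFailedEventPortEntry 3 }

-- Review note: 'true' lets the next available method run after the
-- current one reported a failure, so the effective strength of the port
-- is that of the last method in the list, not the first.
cafAuthFailedNextMethodEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether the next authentication method
        will be used if an Authentication Fail event is generated by the
        current authentication method.
        Setting this object to 'true' indicates that the next available
        authentication method will be used when Authentication Fail
        event occurs.
        The read-only value 'false' indicates that the next available
        authentication method will not be used when Authentication Fail
        event occurs."
    ::= { cafAuthFailedEventPortEntry 4 }

-- Notification-only object (accessible-for-notify): MAC address of the
-- client that triggered the security violation notification. It cannot
-- be polled, so a receiver that drops the notification loses this value.
cafSecurityViolationClient OBJECT-TYPE
    SYNTAX          MacAddress
    MAX-ACCESS      accessible-for-notify
    STATUS          current
    DESCRIPTION
        "The MAC address included in the notification currently being
        sent, indicating the client who triggered the security violation
        notification."
    ::= { ciscoAuthFrwkNotifInfo 1 }

-- Per-port handling of the No Response event.
cafClientNoRespEventPortTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafClientNoRespEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of port entries.
        An entry exists for each port which supports No Response
        event within the Authentication Framework."
    ::= { ciscoAuthFrameworkEvent 2 }

-- One row per port, indexed by ifIndex.
cafClientNoRespEventPortEntry OBJECT-TYPE
    SYNTAX          CafClientNoRespEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing management information of No Response
        event for a particular port."
    INDEX           { ifIndex }
    ::= { cafClientNoRespEventPortTable 1 }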
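-- Columns of cafClientNoRespEventPortTable.
CafClientNoRespEventPortEntry ::= SEQUENCE {
        cafClientNoRespNoActionEnabled TruthValue,
        cafClientNoRespAuthorizedVlan  Integer32
}

-- 'true' selects "no action" on the No Response event; 'false' is a
-- read-only value.
cafClientNoRespNoActionEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies whether an action is performed when No
        Response event occurs.
        Setting 'true' on this object indicates that no action will
        be performed when No Response event occurs.
        The read-only value 'false' of this object indicates that an
        action will be performed when No Response event occurs."
    ::= { cafClientNoRespEventPortEntry 1 }

-- Review note: a non-zero value authorizes the port into that VLAN
-- when the client does not respond to authentication at all, i.e.
-- without any credential having been checked. The VLAN named here is
-- normally one with restricted reachability. -1 and 0 are read-only
-- values.
cafClientNoRespAuthorizedVlan OBJECT-TYPE
    SYNTAX          Integer32 (-1 | 0 | 1..2147483647)
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the No Response Authorized VLAN number.
        The read-only value of -1 indicates that this object is not
        applicable on this port.
        The read-only value of zero indicates that this port will not be
        authorized to any VLAN when No Response event occurs.
        Setting a non-zero value on this object indicates that this port
        will be authorized to the VLAN as specified by this object
        value, when No Response event occurs."
    ::= { cafClientNoRespEventPortEntry 2 }

-- Per-port handling of the AAA Server Reachability event.
cafServerEventPortTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafServerEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of port entries.
        An entry exists for each port which supports AAA Server
        Reachability event within the Authentication Framework."
    ::= { ciscoAuthFrameworkEvent 3 }

-- One row per port, indexed by ifIndex.
cafServerEventPortEntry OBJECT-TYPE
    SYNTAX          CafServerEventPortEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing management information of AAA Server
        Reachability event for a particular port."
    INDEX           { ifIndex }
    ::= { cafServerEventPortTable 1 }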
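-- Columns of cafServerEventPortTable.
-- Review note: the three cafServerDead* columns decide what a port does
-- while the AAA server cannot be reached. RemainAuthorized and a
-- non-zero AuthorizedVlan keep or grant access without a fresh AAA
-- decision, so together they are the fail-open / fail-closed setting of
-- the port and are worth including in configuration audits.
CafServerEventPortEntry ::= SEQUENCE {
        cafServerDeadNoActionEnabled  TruthValue,
        cafServerDeadRemainAuthorized TruthValue,
        cafServerDeadAuthorizedVlan   Integer32,
        cafServerAliveAction          INTEGER
}

-- 'true' selects "no action" on the AAA Server Reachability event;
-- 'false' is a read-only value.
cafServerDeadNoActionEnabled OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object indicates whether an action is performed if an
        AAA Server Reachability event occurs.
        Setting 'true' on this object indicates that no action
        will be performed when AAA Server Reachability event occurs.
        The read-only value 'false' indicates that an action will
        be performed when AAA Server Reachability event occurs."
    ::= { cafServerEventPortEntry 1 }

-- 'true' keeps the current authorization of the port unchanged when the
-- event occurs; 'false' is a read-only value.
cafServerDeadRemainAuthorized OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies if current authorization will remain
        unchanged for the port when AAA Server Reachability event
        occurs.
        Setting 'true' on this object indicates that current
        authorization will remain unchanged for the port when AAA
        Server Reachability event occurs.
        The read-only value 'false' indicates that the current
        authorization will not be retained for the port when
        AAA Server Reachability event occurs."
    ::= { cafServerEventPortEntry 2 }

-- A non-zero value authorizes the port into that VLAN when the event
-- occurs; -1 (not applicable) and 0 (no VLAN) are read-only values.
cafServerDeadAuthorizedVlan OBJECT-TYPE
    SYNTAX          Integer32 (-1 | 0 | 1..2147483647)
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the AAA Server Reachability
        Authorized VLAN number.
        The read-only value of -1 indicates that this object is not
        applicable on this port.
        The read-only value of zero indicates that this port will not
        be authorized to any VLAN when AAA Server Reachability event
        occurs.
        Setting a non-zero value on this object indicates that this port
        will be authorized to the VLAN as specified by this object
        value, when AAA Server Reachability event occurs."
    ::= { cafServerEventPortEntry 3 }

-- Action applied to the port once AAA has recovered.
-- Review note: with none(1) no action is applied on recovery, so any
-- authorization given while the server was unreachable is, as far as
-- this description says, not re-evaluated at that point; confirm the
-- resulting behaviour on the platform.
cafServerAliveAction OBJECT-TYPE
    SYNTAX          INTEGER {
                        none(1),
                        reinitialize(2)
                    }
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This object specifies the action applied to the port upon AAA
        recovery.
        none : no action will be applied.
        reinitialize: the port will be reinitialized with the current
        authentication method."
    ::= { cafServerEventPortEntry 4 }

-- ciscoAuthFrameworkSession

-- Table of authentication sessions; rows appear and disappear with the
-- sessions themselves.
cafSessionTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafSessionEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of authentication session.
        An entry is created when an authentication session has
        successfully created within Authentication Framework.
        An entry is deleted when an authentication session has been
        removed."
    ::= { ciscoAuthFrameworkSession 1 }

-- One row per session, indexed by port and session id. cafSessionId is
-- the last index and is declared IMPLIED, so its length is not encoded
-- in the instance identifier.
cafSessionEntry OBJECT-TYPE
    SYNTAX          CafSessionEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing management information for a particular
        authentication session."
    INDEX           {
                        ifIndex,
                        IMPLIED cafSessionId
                    }
    ::= { cafSessionTable 1 }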
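-- Columns of cafSessionTable.
-- Review note: the read-only columns of this table identify clients
-- (MAC address, IP address, user name, VLAN, posture token). Read access
-- to the table therefore discloses who is connected where; it is
-- normally limited to monitoring users in the SNMP view configuration.
-- The only writable columns are cafSessionReauth and
-- cafSessionTerminate.
CafSessionEntry ::= SEQUENCE {
        cafSessionId                  OCTET STRING,
        cafSessionClientMacAddress    MacAddress,
        cafSessionClientAddrType      InetAddressType,
        cafSessionClientAddress       InetAddress,
        cafSessionStatus              INTEGER,
        cafSessionDomain              INTEGER,
        cafSessionAuthHostMode        CiscoAuthHostMode,
        cafSessionControlledDirection CiscoAuthControlledDirections,
        cafSessionPostureToken        CnnEouPostureTokenString,
        cafSessionAuthUserName        SnmpAdminString,
        cafSessionClientFramedIpPool  SnmpAdminString,
        cafSessionAuthorizedBy        SnmpAdminString,
        cafSessionCriticalTimeLeft    Unsigned32,
        cafSessionAuthVlan            VlanIndexOrZero,
        cafSessionTimeout             Unsigned32,
        cafSessionTimeLeft            Unsigned32,
        cafSessionTimeoutAction       INTEGER,
        cafSessionInactivityTimeout   Unsigned32,
        cafSessionInactivityTimeLeft  Unsigned32,
        cafSessionReauth              TruthValue,
        cafSessionTerminate           TruthValue
}

-- Index column: session identifier, 1 to 64 octets.
cafSessionId OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A unique identifier of the authentication session."
    ::= { cafSessionEntry 1 }

-- MAC address of the device associated with the session.
cafSessionClientMacAddress OBJECT-TYPE
    SYNTAX          MacAddress
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the MAC address of the device associates with the
        authentication session."
    ::= { cafSessionEntry 2 }

-- Address family of cafSessionClientAddress.
cafSessionClientAddrType OBJECT-TYPE
    SYNTAX          InetAddressType
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the type of Internet address of the client
        associates with the authentication session."
    ::= { cafSessionEntry 3 }

-- Client address; must be interpreted together with
-- cafSessionClientAddrType.
cafSessionClientAddress OBJECT-TYPE
    SYNTAX          InetAddress
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the Internet address of the client associates with
        the authentication session. The type of this address is
        determined by the value of cafSessionClientAddrType object."
    ::= { cafSessionEntry 4 }

-- Session state. Authentication and authorization results are reported
-- as separate values (4/5 versus 6/7), so a monitoring rule that looks
-- for failures has to match both authenticationFailed(5) and
-- authorizationFailed(7).
cafSessionStatus OBJECT-TYPE
    SYNTAX          INTEGER {
                        idle(1),
                        running(2),
                        noMethod(3),
                        authenticationSuccess(4),
                        authenticationFailed(5),
                        authorizationSuccess(6),
                        authorizationFailed(7)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the current status of the authentication session.
        idle : the session has been initialized and no
        method has run yet.
        running : an authentication method is running for
        this session.
        noMethod : no authentication method has provided a
        result for this session.
        authenticationSuccess: an authentication method has resulted
        in authentication success for this session.
        authenticationFailed: an authentication method has resulted
        in authentication failed for this session.
        authorizationSuccess: authorization is successful for this session.
        authorizationFailed : authorization is failed for this session."
    ::= { cafSessionEntry 5 }

-- Domain the session belongs to (data or voice; other for anything
-- else).
cafSessionDomain OBJECT-TYPE
    SYNTAX          INTEGER {
                        other(1),
                        data(2),
                        voice(3)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the type of domain that the authentication session
        belongs to.
        other : none of the below.
        data : indicates the data domain.
        voice: indicates the voice domain."
    ::= { cafSessionEntry 6 }

-- Host mode of the port as seen by this session (read-only counterpart
-- of cafPortAuthHostMode).
cafSessionAuthHostMode OBJECT-TYPE
    SYNTAX          CiscoAuthHostMode
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the authentication host mode of the port in the
        authentication session."
    ::= { cafSessionEntry 7 }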
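-- Operational controlled direction for the port in this session
-- (read-only counterpart of cafPortControlledDirection).
cafSessionControlledDirection OBJECT-TYPE
    SYNTAX          CiscoAuthControlledDirections
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the operational controlled directions parameter
        for this port in the authentication session."
    ::= { cafSessionEntry 8 }

-- Posture token associated with the session; the type is imported from
-- CISCO-NAC-TC-MIB and its values are defined there.
cafSessionPostureToken OBJECT-TYPE
    SYNTAX          CnnEouPostureTokenString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the posture token associates with the authentication
        session."
    ::= { cafSessionEntry 9 }

-- Review note: exposes the authenticated user name to any SNMP reader
-- whose view includes this column; treat read access as access to
-- personal data.
cafSessionAuthUserName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the name of the authenticated user for the
        authentication session."
    ::= { cafSessionEntry 10 }

-- Name of the address pool the client's IP address was assigned from.
cafSessionClientFramedIpPool OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the name of the address pool from which the
        session's client IP address is assigned."
    ::= { cafSessionEntry 11 }

-- Name of the feature that authorized the session. Useful when
-- auditing: it shows which feature authorized the session; the possible
-- strings are not enumerated in this module.
cafSessionAuthorizedBy OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the name of the feature which authorizes the
        authentication session."
    ::= { cafSessionEntry 12 }

-- Seconds until the next authentication attempt after a Server
-- Reachability event. Zero is ambiguous by definition: it means either
-- "being authenticated now" or "not applicable".
cafSessionCriticalTimeLeft OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the leftover time before the next authentication
        attempt for the authentication session after Server Reachability
        event occurred. Value zero indicates that this session is
        currently being authenticated or it is not applicable."
    ::= { cafSessionEntry 13 }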
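-- VLAN applied to the session. Zero means either that no authorized
-- VLAN was applied or that the object is not applicable, so zero alone
-- does not tell the two cases apart.
cafSessionAuthVlan OBJECT-TYPE
    SYNTAX          VlanIndexOrZero
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the authorized VLAN applied to the authentication session.
        Value zero indicates that no authorized VLAN has been applied, or it
        is not applicable."
    ::= { cafSessionEntry 14 }

-- Session timeout in seconds as used by the framework for this session.
cafSessionTimeout OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the session timeout used by Authentication
        Framework in the authentication session."
    ::= { cafSessionEntry 15 }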
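-- Seconds left of the current session; cafSessionTimeoutAction says
-- what happens when it reaches zero.
cafSessionTimeLeft OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the leftover time of the current authentication
        session."
    ::= { cafSessionEntry 16 }

-- Action taken when cafSessionTimeLeft reaches zero.
cafSessionTimeoutAction OBJECT-TYPE
    SYNTAX          INTEGER {
                        unknown(1),
                        terminate(2),
                        reauthenticate(3)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the timeout action on the authentication session, when
        value of the corresponding instance of cafSessionTimeLeft reaches
        zero.
        unknown : None of the below.
        terminate : Session will be terminated.
        reauthenticate: Session will be reauthenticated."
    ::= { cafSessionEntry 17 }

-- Inactivity timeout in seconds in effect for this session.
cafSessionInactivityTimeout OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the inactivity timeout used by Authentication
        Framework in the authentication session."
    ::= { cafSessionEntry 18 }

-- Seconds left on the inactivity timer of this session.
cafSessionInactivityTimeLeft OBJECT-TYPE
    SYNTAX          Unsigned32
    UNITS           "seconds"
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the leftover time of the inactivity timer of
        the authentication session."
    ::= { cafSessionEntry 19 }

-- Write-only trigger in practice: setting 'true' forces the session to
-- reauthenticate, setting 'false' does nothing, reads always return
-- 'false'. Because the value never reads back as 'true', a use of this
-- control cannot be found by polling the object afterwards.
cafSessionReauth OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "The reauthentication control for the authentication session.
        Setting this object to 'true' cause the current authenticated
        session to reauthenticate the authenticated client. Setting
        this object to 'false' has no effect.
        This object always returns 'false' when being read."
    ::= { cafSessionEntry 20 }

-- Review note: setting 'true' terminates the session, so write access
-- to this column lets an SNMP user disconnect any authenticated client.
-- Reads always return 'false', so as with cafSessionReauth the action
-- leaves no trace in the object itself.
cafSessionTerminate OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "The termination request control for the authentication session.
        Setting this object to 'true' terminates the current session.
        Setting this object to 'false' has no effect.
        This object always returns 'false' when being read."
    ::= { cafSessionEntry 21 }

-- Per-session list of the methods that can authenticate the session.
cafSessionMethodsInfoTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CafSessionMethodsInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The table contains a list of authentication method for every
        authentication session.
        An entry exists for each authentication method that can
        authenticate an authentication session within
        Authentication Framework."
    ::= { ciscoAuthFrameworkSession 2 }

-- One row per (port, session, method). Here cafSessionId is not the
-- last index and carries no IMPLIED keyword, unlike in cafSessionEntry,
-- so the instance identifier encoding of the session id differs between
-- the two tables.
cafSessionMethodsInfoEntry OBJECT-TYPE
    SYNTAX          CafSessionMethodsInfoEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Entry containing method information for a particular runnable
        authentication methods which is associated with a session for
        an Authentication Framework managed port."
    INDEX           {
                        ifIndex,
                        cafSessionId,
                        cafSessionMethod
                    }
    ::= { cafSessionMethodsInfoTable 1 }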
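-- Row layout of cafSessionMethodsInfoTable. Keywords that had been
-- fused together in this listing (OBJECT-TYPE/SYNTAX, OBJECT IDENTIFIER,
-- MAX-ACCESS/STATUS/DESCRIPTION, ...) are separated again below so the
-- module parses as SMIv2; identifiers, OIDs and description text are
-- unchanged.
CafSessionMethodsInfoEntry ::= SEQUENCE {
        cafSessionMethod      CiscoAuthMethod,
        cafSessionMethodState INTEGER
}

-- Index column: the authentication method this row describes.
cafSessionMethod OBJECT-TYPE
    SYNTAX          CiscoAuthMethod
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "Indicates this authentication method."
    ::= { cafSessionMethodsInfoEntry 1 }

-- Monitoring note: 'failedOver' means this method failed and a later
-- method in the sequence is expected to decide the session, so the row
-- that ends in 'authcSuccess' names the method that actually authorized
-- the client. A poller that records only the final success loses the
-- fact that an earlier method failed for the same session.
cafSessionMethodState OBJECT-TYPE
    SYNTAX          INTEGER  {
                        notRun(1),
                        running(2),
                        failedOver(3),
                        authcSuccess(4),
                        authcFailed(5)
                    }
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "Indicates the state of this authentication method.
        notRun      : The method has not run for this session.
        running     : The method is running for this session.
        failedOver  : The method has failed and the next method is
                      expected to provide a result.
        authcSuccess: The method has provided a successful
                      authentication result for this session.
        authcFailed : The method has provided a failed authentication
                      result for this session."
    ::= { cafSessionMethodsInfoEntry 2 }

-- Notifications and notification controls

-- Security note: this object is read-write and a 'false' value stops
-- cafSecurityViolationNotif from being generated. Any manager with
-- write access to it can therefore silence security-violation
-- notifications. Keep it out of general write views (for example with
-- an SNMPv3 VACM view) and treat an unexpected 'false' as something to
-- investigate.
cafSecurityViolationNotifEnable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-write
    STATUS          current
    DESCRIPTION
        "This variable indicates whether the system produces
        the cafSecurityViolationNotif.
        A 'false' value will prevent cafSecurityViolationNotif
        from being generated by this system."
    ::= { ciscoAuthFrwkNotifControl 1 }

-- The varbinds identify the port (ifIndex, ifName) and carry
-- cafSecurityViolationClient, which the conformance section describes
-- as the MAC address of the offending client.
cafSecurityViolationNotif NOTIFICATION-TYPE
    OBJECTS         {
                        ifIndex,
                        ifName,
                        cafSecurityViolationClient
                    }
    STATUS          current
    DESCRIPTION
        "A cafSecurityViolationNotif is sent if a security violation
        is detected on a port, and the instance value of
        cafSecurityViolationNotifEnable is 'true'."
    ::= { ciscoAuthFrameworkMIBNotifs 1 }

-- Conformance

ciscoAuthFrameworkMIBCompliances OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBConform 1 }

ciscoAuthFrameworkMIBGroups OBJECT IDENTIFIER
    ::= { ciscoAuthFrameworkMIBConform 2 }

-- Every OBJECT clause below lowers the requirement to MIN-ACCESS
-- read-only, so a compliant agent does not have to accept SNMP sets for
-- any of these objects. Where an agent does accept sets, the objects
-- (judging by their names and group descriptions) change how ports are
-- authenticated, which VLAN is authorized after a failure or server
-- outage, and whether violation notifications are sent; restrict write
-- access to them accordingly.
ciscoAuthFrameworkMIBCompliance MODULE-COMPLIANCE
    STATUS          current
    DESCRIPTION
        "The compliance statement for entities which implement
        CISCO-AUTH-FRAMEWORK-MIB."
    MODULE          -- this module
    MANDATORY-GROUPS {
                        cafAuthMethodRegGroup,
                        cafAuthPortConfigGroup,
                        cafPortMethodGroup,
                        cafSessionGroup,
                        cafSessionMethodInfoGroup
                    }

    GROUP           cafAaaNoRespRecoveryDelayGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        provide AAA recovery delay configuration for Authentication
        Framework."

    GROUP           cafAuthFailedEventGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        provide configuration for Authentication Framework on its
        capable ports, when Authentication Fail event occurs."

    GROUP           cafClientNoRespEventGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        provide configuration for Authentication Framework to authorize
        ports in a special VLAN when non-capable clients are
        detected."

    GROUP           cafServerEventGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        provide configuration for Authentication Framework on
        authenticated ports when AAA Server Reachability event occurs."

    GROUP           cafSecViolationNotifEnableGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        support security violation notification for Authentication
        Framework."

    GROUP           cafSecurityViolationNotifGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        support security violation notification for Authentication
        Framework."

    GROUP           cafSecurityViolationClientGroup
    DESCRIPTION
        "This group is mandatory in devices running software which
        support security violation notification for Authentication
        Framework."

    OBJECT          cafAaaNoRespRecoveryDelay
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortControlledDirection
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortFallBackProfile
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortAuthHostMode
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortPreAuthOpenAccess
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortAuthorizeControl
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortReauthEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortReauthInterval
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortRestartInterval
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortInactivityTimeout
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortViolationAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortMethodAdminExecOrder
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafPortMethodAdminPriority
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafAuthFailedMaxRetry
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafAuthFailedNoActionEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafAuthFailedAuthorizedVlan
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafAuthFailedNextMethodEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafClientNoRespNoActionEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafClientNoRespAuthorizedVlan
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafServerDeadNoActionEnabled
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafServerDeadRemainAuthorized
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafServerDeadAuthorizedVlan
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafServerAliveAction
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafSessionReauth
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafSessionTerminate
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT          cafSecurityViolationNotifEnable
    MIN-ACCESS      read-only
    DESCRIPTION
        "Write access is not required."
    ::= { ciscoAuthFrameworkMIBCompliances 1 }

-- Units of Conformance

cafAuthMethodRegGroup OBJECT-GROUP
    OBJECTS         {
                        cafAuthMethodDefaultPriority,
                        cafAuthMethodDefaultExecOrder
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides registration
        information of authentication methods in Authentication
        Framework."
    ::= { ciscoAuthFrameworkMIBGroups 1 }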
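-- Conformance groups 2-5. Keywords that had been fused together in this
-- listing (OBJECT-GROUP/OBJECTS, STATUS/current/DESCRIPTION) are
-- separated again so the definitions parse as SMIv2; members, OIDs and
-- description text are unchanged.
cafAaaNoRespRecoveryDelayGroup OBJECT-GROUP
    OBJECTS         { cafAaaNoRespRecoveryDelay }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides AAA recovery delay
        configuration for Authentication Framework in the system."
    ::= { ciscoAuthFrameworkMIBGroups 2 }

-- Per-port authentication configuration. The compliance statement
-- allows all of these to be read-only; where they are writable they
-- belong in a restricted write view, since they configure how a port
-- is authenticated.
cafAuthPortConfigGroup OBJECT-GROUP
    OBJECTS         {
                        cafPortControlledDirection,
                        cafPortFallBackProfile,
                        cafPortAuthHostMode,
                        cafPortPreAuthOpenAccess,
                        cafPortAuthorizeControl,
                        cafPortReauthEnabled,
                        cafPortReauthInterval,
                        cafPortRestartInterval,
                        cafPortInactivityTimeout,
                        cafPortViolationAction
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides configuration of
        Authentication Framework for capable ports in the system."
    ::= { ciscoAuthFrameworkMIBGroups 3 }

-- Administrative and operational method order/priority per port.
-- Comparing the Admin and Oper objects is presumably how a manager
-- confirms that the configured method order is the one in effect --
-- verify against the object definitions earlier in the module.
cafPortMethodGroup OBJECT-GROUP
    OBJECTS         {
                        cafPortMethodAdminExecOrder,
                        cafPortMethodAdminPriority,
                        cafPortMethodAvailable,
                        cafPortMethodOperExecOrder,
                        cafPortMethodOperPriority
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides configuration and
        information of authentication methods within Authentication
        Framework for capable ports in the system."
    ::= { ciscoAuthFrameworkMIBGroups 4 }

-- Behaviour after a failed authentication. The object names indicate
-- that a port can be placed in an authorized VLAN after failure, so
-- these settings decide what access a failing client still receives.
cafAuthFailedEventGroup OBJECT-GROUP
    OBJECTS         {
                        cafAuthFailedMaxRetry,
                        cafAuthFailedNoActionEnabled,
                        cafAuthFailedAuthorizedVlan,
                        cafAuthFailedNextMethodEnabled
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides configuration of
        Auth-Failed behaviour of Authentication Framework for
        ports in the system."
    ::= { ciscoAuthFrameworkMIBGroups 5 }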
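-- Conformance groups 6-12 and end of module. Keywords that had been
-- fused together in this listing (OBJECT-GROUP/OBJECTS,
-- NOTIFICATION-GROUP/NOTIFICATIONS, STATUS/current/DESCRIPTION) are
-- separated again so the definitions parse as SMIv2; members, OIDs and
-- description text are unchanged.

-- Behaviour when a client does not respond. The compliance statement
-- describes this as authorizing ports in a special VLAN for
-- non-capable clients, so these settings define the access an
-- unauthenticated device can still obtain.
cafClientNoRespEventGroup OBJECT-GROUP
    OBJECTS         {
                        cafClientNoRespNoActionEnabled,
                        cafClientNoRespAuthorizedVlan
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides configuration of
        Authentication Framework when no-responsive client is detected
        on a port in the system."
    ::= { ciscoAuthFrameworkMIBGroups 6 }

-- Behaviour when the AAA server becomes unreachable or reachable
-- again. The object names indicate that ports may remain authorized or
-- be moved to an authorized VLAN while the server is dead; review
-- these values when assessing what a server outage permits.
cafServerEventGroup OBJECT-GROUP
    OBJECTS         {
                        cafServerDeadNoActionEnabled,
                        cafServerDeadRemainAuthorized,
                        cafServerDeadAuthorizedVlan,
                        cafServerAliveAction
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides configuration of
        Authentication Framework when AAA Server Reachability event
        occurs."
    ::= { ciscoAuthFrameworkMIBGroups 7 }

-- Per-session information. Object names indicate that read access
-- exposes client MAC address, network address, user name and VLAN, so
-- include this group only in views for managers that need session
-- detail. cafSessionReauth and cafSessionTerminate are the two members
-- the compliance statement lists with MIN-ACCESS read-only, i.e. they
-- may be writable on some agents; keep them out of general write views.
cafSessionGroup OBJECT-GROUP
    OBJECTS         {
                        cafSessionClientMacAddress,
                        cafSessionClientAddrType,
                        cafSessionClientAddress,
                        cafSessionDomain,
                        cafSessionStatus,
                        cafSessionAuthHostMode,
                        cafSessionControlledDirection,
                        cafSessionPostureToken,
                        cafSessionAuthUserName,
                        cafSessionClientFramedIpPool,
                        cafSessionAuthorizedBy,
                        cafSessionCriticalTimeLeft,
                        cafSessionAuthVlan,
                        cafSessionTimeout,
                        cafSessionTimeLeft,
                        cafSessionTimeoutAction,
                        cafSessionInactivityTimeout,
                        cafSessionInactivityTimeLeft,
                        cafSessionReauth,
                        cafSessionTerminate
                    }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides authentication session
        management information for Authentication Framework."
    ::= { ciscoAuthFrameworkMIBGroups 8 }

-- State of each authentication method per session.
cafSessionMethodInfoGroup OBJECT-GROUP
    OBJECTS         { cafSessionMethodState }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides information about
        authentication methods associate with Authentication Framework
        's authentication sessions in the system."
    ::= { ciscoAuthFrameworkMIBGroups 9 }

-- Control object for the security-violation notification. Where it is
-- writable, a set to 'false' stops the notification from being
-- generated; restrict write access and watch for unexpected changes.
cafSecViolationNotifEnableGroup OBJECT-GROUP
    OBJECTS         { cafSecurityViolationNotifEnable }
    STATUS          current
    DESCRIPTION
        "A collection of objects that provides control over
        security violation notification for Authentication
        Framework in the system."
    ::= { ciscoAuthFrameworkMIBGroups 10 }

-- The security-violation notification itself.
cafSecurityViolationNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS   { cafSecurityViolationNotif }
    STATUS          current
    DESCRIPTION
        "A collection of notification providing information
        about port's security violation in Authentication
        Framework."
    ::= { ciscoAuthFrameworkMIBGroups 11 }

-- Varbind carried in the notification: MAC address of the offending
-- client.
cafSecurityViolationClientGroup OBJECT-GROUP
    OBJECTS         { cafSecurityViolationClient }
    STATUS          current
    DESCRIPTION
        "A collection of objects providing MAC address of the offending
        client in the security violation notification."
    ::= { ciscoAuthFrameworkMIBGroups 12 }

END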