-- *******************************************************************
-- CISCO-LWAPP-WLAN-SECURITY-MIB.my
-- December 2005, Bharat Biswal, Prasanna Viswakumar
--
-- Copyright (c) 2005, 2006 by Cisco Systems, Inc.
-- All rights reserved.
-- *******************************************************************
--CISCO-LWAPP-WLAN-SECURITY-MIB DEFINITIONS::=BEGINIMPORTSMODULE-IDENTITY,OBJECT-TYPE,Unsigned32FROM SNMPv2-SMI
MODULE-COMPLIANCE,OBJECT-GROUPFROM SNMPv2-CONF
TruthValueFROM SNMPv2-TC
ciscoMgmt
FROM CISCO-SMI
CLSecEncryptType,
CLSecKeyFormat
FROM CISCO-LWAPP-TC-MIB
cLWlanIndex
FROM CISCO-LWAPP-WLAN-MIB;ciscoLwappWlanSecurityMIB MODULE-IDENTITYLAST-UPDATED"200604110000Z"ORGANIZATION"Cisco Systems, Inc."CONTACT-INFO" Cisco Systems,
Customer Service
Postal: 170 West Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
Email: cs-wnbu-snmp@cisco.com"DESCRIPTION"This MIB is intended to be implemented on all those
devices operating as Central controllers, that
terminate the Light Weight Access Point Protocol
tunnel from Cisco Light-weight LWAPP Access Points.
Information provided by this MIB is for WLAN security
related features as specified in the CCKM, CKIP
specifications.
The relationship between the controller and the
LWAPP APs is depicted as follows:
+......+ +......+ +......+
+ + + + + +
+ CC + + CC + + CC +
+ + + + + +
+......+ +......+ +......+
.. . .
.. . .
. . . .
. . . .
. . . .
. . . .
+......+ +......+ +......+ +......+
+ + + + + + + +
+ AP + + AP + + AP + + AP +
+ + + + + + + +
+......+ +......+ +......+ +......+
. . .
. . . .
. . . .
. . . .
. . . .
+......+ +......+ +......+ +......+
+ + + + + + + +
+ MN + + MN + + MN + + MN +
+ + + + + + + +
+......+ +......+ +......+ +......+
The LWAPP tunnel exists between the controller and
the APs. The MNs communicate with the APs through
the protocol defined by the 802.11 standard.
LWAPP APs, upon bootup, discover and join one of the
controllers and the controller pushes the configuration,
that includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.
GLOSSARY
802.1x
The IEEE ratified standard for enforcing port based
access control. This was originally intended for
use on wired LANs and later extended for use in
802.11 WLAN environments. This defines an
architecture with three main parts - a supplicant
(Ex. an 802.11 wireless client), an authenticator
(the AP) and an authentication server(a Radius
server). The authenticator passes messages back
and forth between the supplicant and the
authentication server to enable the supplicant
get authenticated to the network.
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and sends them to the controller to which
it is logically connected.
Advanced Encryption Standard ( AES )
In cryptography, the Advanced Encryption Standard
(AES), also known as Rijndael, is a block cipher
adopted as an encryption standard by the US
government. It is expected to be used worldwide
and analysed extensively, as was the case with its
predecessor, the Data Encryption Standard (DES).
AES was adopted by National Institute of Standards
and Technology (NIST) as US FIPS PUB 197 in
November 2001 after a 5-year standardisation
process.
Central Controller ( CC )
The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs. Throughout this MIB,
this entity also referred to as 'controller'.
Cisco Centralized Key Management ( CCKM )
Client and AP exchange several EAPOL packets in the
process of EAP authenticaton to determine dynamic
session key (NSK), which is used for encrypting
packets between them.
When client moves to new-AP, it has to mutually
authenticate with the new-AP and derive new NSK. This
is being done by using complete EAP authentication
(which is time consuming and causes noticeable delay
in the voice application). Till that time, no data
packets are being transmitted between new-AP and
client.
CCKM implementation in first controller caches
client's credentials like session, vlanid, ssid, etc.
and propagates the same to other controllers in
mobility group.
Currently a set of controller can be configured as
part of a mobility group. If client roams across
access points associated to this set of controllers,
then with CCKM implementation in place, the L2
authentication will not happen. To make this happen
a CCKM cache is maintained on each controller and the
first controller where client gets associated update
rest of the controllers in mobility group. On later
reassociations, controller validates the CCKM specific
IE present and allow associations.
Wireless LAN Access Points (APs) manufactured by Cisco
Systems have features and capabilities beyond those in
related standards (e.g., IEEE 802.11 suite of
standards, Wi-Fi recommendations by WECA, 802.1X
security suite, etc). A number of features provide
higher performance. For example, Cisco AP transmits a
specific Information Element, which the clients adapt
to for enhanced performance. Similarly, a number of
features are implemented by means of proprietary
Information Elements, which Cisco clients use in
specific ways to carry out tasks above and beyond the
standard.
Other examples of feature categories are roaming and
power saving.
Cisco Key Integrity Protocol ( CKIP )
A proprietary implementation similar to TKIP. CKIP
implements key permutation for protecting the CKIP
key against attacks. Other features of CKIP include
expansion of encryption key to 16 bytes of length for
key protection and MIC to ensure data integrity.
Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the
communication between the Access Points and the
Central Controller.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point. Mobile Node
and client are used interchangeably.
Multilinear Modular Hash ( MMH )
This is a message authentication code. The original
message is run through the hash (with a secret key),
and the code is the result. The code is sent along
with the original message. The receiver of the
message calculates the hash over the original message
(also with the secret key) and compares the final
message authentication code with the code sent with
the message. If the two codes match, the receiver can
be assured that the original message is authentic.
Pre-Shared Key ( PSK )
Pre-shared keys are normally used for
interoperability purposes. The basic idea is that
two parties sharing a common secret can communicate
securely. This idea has been used since cryptography
first sprung onto the scene.
Temporal Key Integrity Protocol ( TKIP )
A security protocol defined to enhance the limitations
of WEP. Message Integrity Check and per-packet keying
on all WEP-encrypted frames are two significant
enhancements provided by TKIP to WEP.
Wired Equivalent Privacy ( WEP )
A security method defined by 802.11. WEP uses a
symmetric key stream cipher called RC4 to encrypt the
data packets.
Wi-Fi Protected Access ( WPA )
Wi-Fi Protected Access (WPA and WPA2) are security
systems created in response to several serious
weaknesses found in Wired Equivalent Privacy (WEP).
WPA implements the majority of the IEEE 802.11i
standard, and was intended as an intermediate
measure to take the place of WEP while 802.11i was
prepared. WPA is designed to work with all wireless
network interface cards, but not necessarily with
first generation wireless access points.
REFERENCE
[1] Wireless LAN Medium Access Control ( MAC ) and
Physical Layer ( PHY ) Specifications,
Amendment 6, MAC Security Enhancements.
[2] draft-obara-capwap-lwapp-00.txt, IETF Light
Weight Access Point Protocol "REVISION"200604110000Z"DESCRIPTION"Initial version of this MIB module. "::={ ciscoMgmt 521}ciscoLwappWlanSecurityMIBNotifs OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIB 0}ciscoLwappWlanSecurityMIBObjects OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIB 1}ciscoLwappWlanSecurityMIBConform OBJECTIDENTIFIER
::={ ciscoLwappWlanSecurityMIB 2}clwsCckmConfig OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIBObjects 1}clwsCkipConfig OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIBObjects 2}--********************************************************************
-- Table to represent CISCO CCKM parameters
-- per each WLAN.
--********************************************************************cLWSecDot11EssCckmTable OBJECT-TYPESYNTAXSEQUENCEOF CLWSecDot11EssCckmEntry
MAX-ACCESSnot-accessibleSTATUScurrent
DESCRIPTION"This table represents the CCKM configuration
for the WLANs configured on this controller.
There exist a row in this table corresponding to each
row representing a WLAN in cLWlanConfigTable. The
controller adds or deletes a row to this table
whenever a WLAN is added or deleted. "::={ clwsCckmConfig 1}cLWSecDot11EssCckmEntry OBJECT-TYPESYNTAX CLWSecDot11EssCckmEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"Each entry represents a conceptual row in
cLWSecDot11EssCckmTable and uniquely identified
by cLWlanIndex. "INDEX{ cLWlanIndex }
::={ cLWSecDot11EssCckmTable 1}
CLWSecDot11EssCckmEntry ::=SEQUENCE{
cLWSecDot11EssCckmWpaSupport TruthValue,
cLWSecDot11EssCckmWpa1Security TruthValue,
cLWSecDot11EssCckmWpa1EncType CLSecEncryptType,
cLWSecDot11EssCckmWpa2Security TruthValue,
cLWSecDot11EssCckmWpa2EncType CLSecEncryptType,
cLWSecDot11EssCckmKeyMgmtMode BITS,
cLWSecDot11EssPskFmt CLSecKeyFormat,
cLWSecDot11EssPsk OCTETSTRING}
cLWSecDot11EssCckmWpaSupport OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object is used to enable or disable layer-2
security using WPA1 or WPA2. When this
object is set to 'true' layer-2 security is enabled.
When this object is set to 'false' layer-2 security
is disabled.
When layer-2 security is enabled, the following objects
are only applied to environment and can be set.
cLWSecDot11EssCckmWpa1Security
cLWSecDot11EssCckmWpa1EncType
cLWSecDot11EssCckmWpa2Security
cLWSecDot11EssCckmWpa2EncType
cLWSecDot11EssCckmKeyMgmtMode. "DEFVAL{ false }
::={ cLWSecDot11EssCckmEntry 1}cLWSecDot11EssCckmWpa1Security OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"A value of 'true' indicates that WPA1 security
is enabled on the controller. A value of 'false'
disables WPA1 security. "DEFVAL{ false }::={ cLWSecDot11EssCckmEntry 2}cLWSecDot11EssCckmWpa1EncType OBJECT-TYPESYNTAX CLSecEncryptType
MAX-ACCESSread-writeSTATUScurrent
DESCRIPTION"This object indicates the type of WPA1 encryption
configured on this WLAN.
The value populated by this object is applicable
only when cLWSecDot11EssCckmWpa1Security populates
a value of 'true'. "DEFVAL{{tkip}}::={ cLWSecDot11EssCckmEntry 3}cLWSecDot11EssCckmWpa2Security OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"A value of 'true' indicates that WPA2 security
is enabled on the controller. A value of 'false'
disables WPA2 security. "DEFVAL{ false }::={ cLWSecDot11EssCckmEntry 4}cLWSecDot11EssCckmWpa2EncType OBJECT-TYPESYNTAX CLSecEncryptType
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the type of WPA2 encryption
configured on this WLAN.
The value populated by this object is applicable
only when cLWSecDot11EssCckmWpa2Security populates
a value of 'true'. "DEFVAL{{aes}}::={ cLWSecDot11EssCckmEntry 5}
cLWSecDot11EssCckmKeyMgmtMode OBJECT-TYPESYNTAXBITS{dot1x(0),cckm(1),psk(2)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the type of authentication
key management that is applicable only when
cLWSecDot11EssCckmWpaSupport is set to a value of
'true'.
The following are the possible key management
configurations allowed and accepted by the system.
dot1x + CCKM
dot1x only
CCKM only
PSK only. "DEFVAL{{dot1x}}::={ cLWSecDot11EssCckmEntry 6}cLWSecDot11EssPskFmt OBJECT-TYPESYNTAX CLSecKeyFormat
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the type of the
authentication preshared key configured through
the object cLWSecDot11EssCckmPsk. Note
that the key configuration is applicable only
when psk is configured as the key management
mechanism through the
cLWSecDot11EssCckmKeyMgmtMode object. "
DEFVAL{ default }::={ cLWSecDot11EssCckmEntry 7}cLWSecDot11EssPsk OBJECT-TYPESYNTAXOCTETSTRING(SIZE(8..64))MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the authentication pre-shared
key in the hex format that is applicable only when
the 'psk' bit is specified in the
cLWSecDot11EssCckmKeyMgmtMode object.
The length of the key that can be specified for
the cLWSecDot11EssPsk object depends on the
value of the cLWSecDot11EssPskFmt object as
follows.
'ascii' 8-63 octets
'hex' 32 octets. "::={ cLWSecDot11EssCckmEntry 8}--********************************************************************
-- Table to represent CKIP parameters
-- per each WLAN.
--********************************************************************cLWSecDot11EssCkipTable OBJECT-TYPESYNTAXSEQUENCEOF CLWSecDot11EssCkipEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"This table represents the CKIP parameters of a
WLAN.
This is a new layer-2 security policy similar to
static WEP. User can select this policy on a WLAN.
This policy will be allowed to be configured only when
Aironet Extensions are enabled on the WLAN.
Once user has selected CKIP he will be given an option
to :
1> configure key
2> select MMH
There exist a row in this table corresponding to each
row representing a WLAN in cLWlanConfigTable. The
controller adds or deletes a row to this table
whenever a WLAN is added or deleted. "::={ clwsCckmConfig 2}cLWSecDot11EssCkipEntry OBJECT-TYPESYNTAX CLWSecDot11EssCkipEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"Each entry represents a conceptual row in
cLWSecDot11EssCkipTable and uniquely identified
by cLWlanIndex. "INDEX{ cLWlanIndex }::={ cLWSecDot11EssCkipTable 1}
CLWSecDot11EssCkipEntry ::=SEQUENCE{
cLWSecDot11EssCkipSecurity TruthValue,
cLWSecDot11EssCkipKeyIndex Unsigned32,
cLWSecDot11EssCkipKeyLength INTEGER,
cLWSecDot11EssCkipKeyFmt CLSecKeyFormat,
cLWSecDot11EssCkipKey OCTETSTRING,
cLWSecDot11EssCkipMMHMode TruthValue,
cLWSecDot11EssCkipKPEnable TruthValue
}cLWSecDot11EssCkipSecurity OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object is used to enable to disable layer-2
CKIP as security policy for this WLAN. When this
object is set to 'true', layer-2 CKIP security is
enabled. When this object is set to 'false',
layer-2 CKIP security is disabled. "DEFVAL{ false }::={ cLWSecDot11EssCkipEntry 1}cLWSecDot11EssCkipKeyIndex OBJECT-TYPESYNTAXUnsigned32(0..4)
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object represents the key index corresponding
to the key being configured. A value of 0 indicates
that the CKIP key hasn't been configured. "DEFVAL{0}::={ cLWSecDot11EssCkipEntry 2}cLWSecDot11EssCkipKeyLength OBJECT-TYPESYNTAXINTEGER{none (1),len40 (2),
len104 (3)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the length of CKIP key in bits
that is applicable only when cLWSecDot11EssCkipSecurity
is set as 'true'. "DEFVAL{ none }::={ cLWSecDot11EssCkipEntry 3}cLWSecDot11EssCkipKeyFmt OBJECT-TYPESYNTAX CLSecKeyFormat
MAX-ACCESSread-writeSTATUScurrent
DESCRIPTION"This object indicates the type of the key
configured through the object
cLWSecDot11EssCkipKey. "DEFVAL{ default }::={ cLWSecDot11EssCkipEntry 4}cLWSecDot11EssCkipKey OBJECT-TYPESYNTAXOCTETSTRING(SIZE(5..26))MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates the CKIP key that is
applicable only when cLWSecDot11EssCkipSecurity
is set as 'true'.
The number of characters to be configured depends
on the key length and the key type configured through
the objects cLWSecDot11EssCkipKeyLength and
cLWSecDot11EssCkipKeyFmt respectively.
The combinations are as follows.
Key Type Number of characters
hex 10/26 hex characters for 40/104 bits
ascii 5/13 ascii characters for 40/104 bits.
When cLWSecDot11EssCkipKeyFmt is set to 'hex',
cLWSecDot11EssCkipKey can only be set to
hexadecimal characters.
To ensure consistency the following objects must be
set together.
cLWSecDot11EssCkipKeyFmt
cLWSecDot11EssCkipKeyIndex
cLWSecDot11EssCkipKeyLength
cLWSecDot11EssCkipKey. "::={ cLWSecDot11EssCkipEntry 5}cLWSecDot11EssCkipMMHMode OBJECT-TYPE
SYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object is used to enable or disable MMH MIC
mode for the CKIP for this WLAN.
'true' - MMH MIC mode is enabled
'false' - MMH MIC mode is disabled. "DEFVAL{ false }::={ cLWSecDot11EssCkipEntry 6}cLWSecDot11EssCkipKPEnable OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION
"When the value is set to 'true', the encryption
keys will be generated by permuting the static CKIP
key configured through cLWSecDot11EssCkipKey. "DEFVAL{ false }::={ cLWSecDot11EssCkipEntry 7}--********************************************************************
--* Compliance statements
--********************************************************************ciscoLwappWlanSecurityMIBCompliances OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIBConform 1}ciscoLwappWlanSecurityMIBGroups OBJECTIDENTIFIER::={ ciscoLwappWlanSecurityMIBConform 2}
ciscoLwappWlanSecurityMIBCompliance MODULE-COMPLIANCESTATUScurrentDESCRIPTION"The compliance statement for the SNMP entities that
implement the ciscoLwappWlanSecurityMIB module. "MODULEMANDATORY-GROUPS{
ciscoLwappWlanSecurityCckmConfigGroup,
ciscoLwappWlanSecurityCkipConfigGroup
}::={ ciscoLwappWlanSecurityMIBCompliances 1}--********************************************************************
--* Units of conformance
--********************************************************************ciscoLwappWlanSecurityCckmConfigGroup OBJECT-GROUPOBJECTS{
cLWSecDot11EssCckmWpaSupport,
cLWSecDot11EssCckmWpa1Security,
cLWSecDot11EssCckmWpa1EncType,
cLWSecDot11EssCckmWpa2Security,
cLWSecDot11EssCckmWpa2EncType,
cLWSecDot11EssCckmKeyMgmtMode,
cLWSecDot11EssPskFmt,
cLWSecDot11EssPsk
}STATUScurrentDESCRIPTION"This collection of objects represents CCKM
related security parameters on a WLAN. The
collection also configures the pre-shared keys
when PSK is configured as the key management
type. "::={ ciscoLwappWlanSecurityMIBGroups 1}ciscoLwappWlanSecurityCkipConfigGroup OBJECT-GROUPOBJECTS{
cLWSecDot11EssCkipSecurity,
cLWSecDot11EssCkipKeyIndex,
cLWSecDot11EssCkipKeyLength,
cLWSecDot11EssCkipKeyFmt,
cLWSecDot11EssCkipKey,
cLWSecDot11EssCkipMMHMode,
cLWSecDot11EssCkipKPEnable
}STATUScurrentDESCRIPTION"This collection of objects represents CKIP
related security parameters on a WLAN. "::={ ciscoLwappWlanSecurityMIBGroups 2}END