-- *****************************************************************
-- Cisco NAC-NAD MIB
--
-- July, 2005 Liwei Lue
--
-- Copyright (c) 2005-2007 by Cisco Systems, Inc.
---- All rights reserved.
-- *****************************************************************CISCO-NAC-NAD-MIB DEFINITIONS::=BEGINIMPORTSMODULE-IDENTITY,OBJECT-TYPE,Unsigned32,Integer32FROM SNMPv2-SMI
MODULE-COMPLIANCE,OBJECT-GROUPFROM SNMPv2-CONF
StorageType,RowStatus,TruthValue,MacAddress,TimeStampFROM SNMPv2-TC
ifIndex,InterfaceIndex,InterfaceIndexOrZeroFROM IF-MIB
InetPortNumber,InetAddressType,InetAddressPrefixLength,InetAddressFROM INET-ADDRESS-MIB
SnmpAdminStringFROM SNMP-FRAMEWORK-MIB
CiscoURLString
FROM CISCO-TC
CpgPolicyNameOrEmpty
FROM CISCO-POLICY-GROUP-MIB
CnnEouPostureToken,
CnnEouPostureTokenString,
CnnEouState,
CnnEouAuthType,
CnnEouDeviceType
FROM CISCO-NAC-TC-MIB
ciscoMgmt
FROM CISCO-SMI;ciscoNacNadMIB MODULE-IDENTITYLAST-UPDATED"200711120000Z"ORGANIZATION"Cisco Systems, Inc."CONTACT-INFO"Cisco Systems
Customer Service
Postal: 170 W Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: cs-nac@cisco.com, cs-lan-switch-snmp@cisco.com"DESCRIPTION"This MIB module is for the configuration of a Network
Access Device (NAD) on the Cisco Network Admission
Control (NAC) system.
EndPoint -------------- NAD ------- AAA ------ PVS
(SecurApp) EAPoUDP/802.1x RADIUS HCAP
(Plugin)
(PA)
Cisco NAC system
The Cisco Network Admission Control (NAC) security
solution offers a systems approach to customers for
ensuring endpoint device compliancy and vulnerability
checks prior to production access to the network. Cisco
refers to these compliancy checks as posture
validations. The intent of this systems approach is to
prevent the spread of works, viruses, and rogue
applications across the network. This systems approach
requires integration with third party end point security
applications, as well as endpoint security servers.
The Network Access Device (NAD) enforces network access
control privileges by controlling which endpoint devices
have access to network destinations and services
reachable through that NAD. Endpoint devices that do
not have the PA installed, enabled, or cannot otherwise
respond to the NAD posture challenges are considered
non-responsive hosts. Upon recognition of an incoming
endpoint device at L2 or L3, the NAD issues a challenge
to the endpoint device for posture credentials. Endpoint
devices with a PA will recognize the challenge and
respond with the necessary posture credentials. The NAD
acts as a relay agent between the endpoint device and
AAA server for all messages in the posture validation
exchange. Once the validation is complete, the NAD
enforces the access policy profile downloaded from the
AAA Server, e.g. (i) provide full access (ii) deny all
access through the NAD restrict access (quarantine) or
(iii) some intermediate level of network access
restriction or quarantine. Between posture
revalidations, the NAD may issue periodic status queries
to determine that the each endpoint device using the NAD
is still the same device that was first postured, and
that the endpoint device's posture credentials have not
changed. This mechanism is a challenge response protocol
that does not involve the AAA Server nor does it require
the posture plugins to resend any credentials. It is
used to trigger a full posture revalidation with the AAA
Server when the endpoint device's credentials have
changed (e.g. to revalidate the host endpoint device
after remediation), or a new host endpoint device
connects with a previously authorized IP address. The
NAD supports a local exception list based on IP, MAC
address or device type so that certain endpoint devices
can bypass the posture validation process based on
system administrator configuration. Also, the NAD may be
configured to query the AAA server for access policies
associated with endpoint devices that do not have a
Posture Agent installed, clientless host endpoint
devices.
Posture Validation occurs when a NAC-enabled network
access device (NAC) detects an endpoint device
attempting to connect or use its network resources and
it issues the endpoint device a posture challenge. An
endpoint device with a resident posture agent will
respond to the challenge with sets of posture
credentials from one or more posture plugins which can
detail the state of the various hardware and software
components on the endpoint device. The posture agent
response is forwarded by the network access device to an
AAA server which may in turn delegate parts of the
decision to posture validation server. Evaluation of the
credentials against posture validation policies results
in an authorization decision or posture token,
representing the endpoint device's relative compliance
to the network compliance policy. The AAA server then
sends the respective network access profile to the
network access device for enforcement of the endpoint
device authorization.
The Cisco Technology consists of the following:
Endpoint Device - Any host attempting to connect or use
the resource of a network. - e.g., a personal computer,
personal data digital assistant, or data server, or
other network attached device.
NAD - Network Access Device that enforces network
access control policies through layer 2 or layer 3
challenge-responses with a network enabled Endpoint
device.
PC - Posture Credentials that describe the state of
an application and/or operating system that is running
on an endpoint device at the time a layer 2 or layer 3
challenge response is issued by a NAD.
PP - Posture Plugin. A module implemented by an
application or agent provider that is responsible for
supplying the relevant posture credentials for the
application or agent.
PA - Posture Agent. Host agent software that serves as
a broker on the host for aggregating credential from
potentially multiple posture plugins and communicating
with the network.
CTA - Cisco Trust Agent. Cisco's implementation of
the posture agent.
EAP - Extensible Authentication Protocol. An extension
to PPP.
EOU - Extensible Authentication Protocol over UDP.
ACS/AAA - Cisco Secure Access Control Server. The
primary authorization server that is the network policy
decision point and is extended to support posture
validation.
PVS - Posture Validation Server.
UCT - Un Conditional Transition.
Clientless - Client without Cisco Posture Agent."REVISION"200711120000Z"DESCRIPTION"Add cnnEouIfIpDevTrackConfigGrp MIB group."REVISION"200702230000Z"DESCRIPTION"Move all the TEXTUAL-CONVENTION to CISCO-NAC-TC-MIB;
Modify cnnEouHostValidateAction object to add
the following enum values:
initializePostureTokenStr(23),
revalidatePostureTokenStr(24),
noRevalidatePostureTokenStr(25)
to deprecate the following enum values:
initializePostureToken(8),
revalidatePostureToken(15),
noRevalidatePostureToken(22)
Modify cnnEouHostQueryMask object to add
postureTokenString(9) enum value to deprecate
postureToken(7) enum value
Add the following objects:
cnnEouHostValidatePostureTokenStr,
cnnEouHostQueryPostureTokenStr,
cnnEouHostResultPostureTokenStr,
to deprecate the following objects:
cnnEouHostValidatePostureToken,
cnnEouHostQueryPostureToken,
cnnEouHostResultPostureToken
Add ciscoNacNadEouHostGroup to deprecate
ciscoNacNadEouHostGrp
Add the following MIB groups:
ciscoNacNadEouIfAaaFailPolicyGrp
cnnIpDeviceTrackingConfigGrp
cnnEouCriticalRecoveryDelayGrp"REVISION"200506280000Z"DESCRIPTION"Initial version of this MIB module."::={ ciscoMgmt 484}ciscoNacNadMIBNotifs OBJECTIDENTIFIER::={ ciscoNacNadMIB 0}ciscoNacNadMIBObjects OBJECTIDENTIFIER::={ ciscoNacNadMIB 1}
ciscoNacNadMIBConformance OBJECTIDENTIFIER::={ ciscoNacNadMIB 2}cnnEouGlobalObjects OBJECTIDENTIFIER::={ ciscoNacNadMIBObjects 1}cnnEouAuthorizeLists OBJECTIDENTIFIER::={ ciscoNacNadMIBObjects 2}cnnEouIfMIBObjects OBJECTIDENTIFIER::={ ciscoNacNadMIBObjects 3}cnnEouHostMIBObjects OBJECTIDENTIFIER::={ ciscoNacNadMIBObjects 4}cnnIpDeviceTrackingObjects OBJECTIDENTIFIER::={ ciscoNacNadMIBObjects 5}-- The cnnEouGlobalObjects groupcnnEouVersion OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-onlySTATUScurrentDESCRIPTION
"The version of EOU in use on the local system.
Value zero indicates the version can not be determined."::={ cnnEouGlobalObjects 1}cnnEouEnabled OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Indicates whether the posture validation via EOU is globally
enabled or disabled in the device."::={ cnnEouGlobalObjects 2}cnnEouAllowClientless OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Indicates whether to allow authentication of clientless
hosts (system that does not run Cisco Trust Agent)."::={ cnnEouGlobalObjects 3}cnnEouAllowIpStationId OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION
"It indicates whether to send the host IP address in the
calling station ID field of Radius request."::={ cnnEouGlobalObjects 4}cnnEouLoggingEnabled OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"To enable or disable EOU system logging events.
Set to 'true' to enable syslog message at an informational level
(syslog level 6)."::={ cnnEouGlobalObjects 5}cnnEouMaxRetry OBJECT-TYPESYNTAXInteger32MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The number of maximum retry attempts for EOU."::={ cnnEouGlobalObjects 6}cnnEouPort OBJECT-TYPESYNTAXInetPortNumberMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The UDP port for EOU. The port cannot conflict with
other UDP application."::={ cnnEouGlobalObjects 7}cnnEouRateLimit OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The number of clients that can be simultaneously
validated.
Set the rate limit to 0 (zero), rate limiting will be
turned off.
If the rate limit is set to 100 and there are 101 clients,
validation will not occur until one drop off."::={ cnnEouGlobalObjects 8}cnnEouTimeoutAAA OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Timeout period used by NAD with AAA (Authentication,
Authorization and Accounting."::={ cnnEouGlobalObjects 9}cnnEouTimeoutHoldPeriod OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Length of time that can elapse before the client sessions
are purged from the system due to client inactivity."::={ cnnEouGlobalObjects 10}cnnEouTimeoutRetransmit OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the EOU message retransmitted."::={ cnnEouGlobalObjects 11}cnnEouTimeoutRevalidation OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the revalidation. Setting this object
to 0 will globally disable periodic revalidation on this
device."::={ cnnEouGlobalObjects 12}
cnnEouTimeoutStatusQuery OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the status query after revalidation."::={ cnnEouGlobalObjects 13}cnnEouCriticalRecoveryDelay OBJECT-TYPESYNTAXUnsigned32UNITS"milliseconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object specifies the EOU critical recovery delay time for
the device. A value of zero indicates that critical recovery
delay feature is disabled."::={ cnnEouGlobalObjects 14}-- The cnnIpDeviceTrackingObjects groupcnnIpDeviceTrackingEnabled OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION
"Specifies whether the IP device tracking feature is globally
enabled or disabled on this device."::={ cnnIpDeviceTrackingObjects 1}cnnIpDeviceTrackingProbeCount OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Specifies the number of times that this device sends the ARP
probe to an IP device before removing the IP device from the IP
device tracking table."::={ cnnIpDeviceTrackingObjects 2}cnnIpDeviceTrackingProbeInterval OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Specifies the number of the seconds that this device waits
before resending the ARP probe."::={ cnnIpDeviceTrackingObjects 3}cnnEouIfIpDevTrackConfigTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouIfIpDevTrackConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A table of IP Device Tracking configuration for EOU
interfaces in the system."::={ cnnIpDeviceTrackingObjects 4}cnnEouIfIpDevTrackConfigEntry OBJECT-TYPESYNTAX CnnEouIfIpDevTrackConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A set of EOU IP Device Tracking configuration information on
an EOU interface."INDEX{ ifIndex }::={ cnnEouIfIpDevTrackConfigTable 1}
CnnEouIfIpDevTrackConfigEntry ::=SEQUENCE{
cnnEouIfIpDevTrackEnabled TruthValue}cnnEouIfIpDevTrackEnabled OBJECT-TYPESYNTAXTruthValueMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Specifies if IP Device Tracking feature is enabled on this
interface."::={ cnnEouIfIpDevTrackConfigEntry 1}-- statically authorized devicecnnEouAuthIpTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouAuthIpEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A list of statically authorized IP devices in the system."::={ cnnEouAuthorizeLists 1}cnnEouAuthIpEntry OBJECT-TYPESYNTAX CnnEouAuthIpEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"An entry containing the associated policy information of
the statically authorized IP device. An entry can be created,
or deleted by using cnnEouAuthIpRowStatus.
Each statically authorized IP device is associated with a
policy. By creating, deleting or modifying an entry in this
table, users can add, delete or modify a policy for a particular
statically authorized IP device.
In order to add the statically authorized IP device into
exception-list and associate with the specific policy, user has
to create an entry for the device."INDEX{
cnnEouAuthIpAddrType,
cnnEouAuthIpAddr
}::={ cnnEouAuthIpTable 1}
CnnEouAuthIpEntry ::=SEQUENCE{
cnnEouAuthIpAddrType InetAddressType,
cnnEouAuthIpAddr InetAddress,
cnnEouAuthIpAddrMask InetAddressPrefixLength,
cnnEouAuthIpPolicy SnmpAdminString,
cnnEouAuthIpStorageType StorageType,
cnnEouAuthIpRowStatus RowStatus}cnnEouAuthIpAddrType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"The type of Internet address by which the statically
authorized IP device is reachable."::={ cnnEouAuthIpEntry 1}cnnEouAuthIpAddr OBJECT-TYPESYNTAXInetAddress(SIZE(1..64))
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"The Internet address for the statically authorized IP device.
The type of this address is determined by the value of the
cnnEouAuthIpAddrType object."::={ cnnEouAuthIpEntry 2}cnnEouAuthIpAddrMask OBJECT-TYPESYNTAXInetAddressPrefixLengthMAX-ACCESSread-createSTATUScurrentDESCRIPTION"Using 'inverse mask' to support IP wildcards. The mask used
with the source IP address will specify what traffic is exempted
from EAP validation.
e.g. cnnEouAuthIpAddr: 10.0.0.0
cnnEouAuthIpAddrMask: 0.255.255.255
This exempts any IP in the subnet at 10.x.x.x from posture
validation.
cnnEouAuthIpAddr: 10.1.2.1
cnnEouAuthIpAddrMask: 0.0.0.0
This exempts host IP 10.1.2.1 from posture validation.
cnnEouAuthIpAddr: 10.0.0.0
cnnEouAuthIpAddrMask: 255.255.255.255
Mask value of 255.255.255.255 will exempt ALL hosts from
posture validation."::={ cnnEouAuthIpEntry 3}cnnEouAuthIpPolicy OBJECT-TYPESYNTAXSnmpAdminString
MAX-ACCESSread-createSTATUScurrentDESCRIPTION"The policy associate with the statically authorized IP
device. The policy needs to be present in the policy-database
before an statically authorized IP device can be associated
to it."::={ cnnEouAuthIpEntry 4}cnnEouAuthIpStorageType OBJECT-TYPESYNTAXStorageTypeMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The storage type for this conceptual row."DEFVAL{ nonVolatile }::={ cnnEouAuthIpEntry 5}cnnEouAuthIpRowStatus OBJECT-TYPESYNTAXRowStatusMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The status of this conceptual row.
To create an entry, users set the value of this object to
'createAndGo'.
The transition from 'active' to 'notInService' may not be
supported.
A row may be deleted by setting the RowStatus to 'destroy'.
Once a row becomes active, values within the row cannot be
modified, except by deleting and re-creating the row."::={ cnnEouAuthIpEntry 6}-- Mac Exception listcnnEouAuthMacTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouAuthMacEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A list of static authorized devices identified by MAC address."::={ cnnEouAuthorizeLists 2}cnnEouAuthMacEntry OBJECT-TYPESYNTAX CnnEouAuthMacEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"An entry containing the associated policy information of
the statically authorized device identified by MAC address.
The entry is created, and deleted by using
cnnEouAuthMacRowStatus."INDEX{ cnnEouAuthMacAddr }::={ cnnEouAuthMacTable 1}
CnnEouAuthMacEntry ::=SEQUENCE{
cnnEouAuthMacAddr MacAddress,
cnnEouAuthMacAddrMask MacAddress,
cnnEouAuthMacPolicy SnmpAdminString,
cnnEouAuthMacStorageType StorageType,
cnnEouAuthMacRowStatus RowStatus}cnnEouAuthMacAddr OBJECT-TYPESYNTAXMacAddressMAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"The MAC address of the static authorized device."::={ cnnEouAuthMacEntry 1}cnnEouAuthMacAddrMask OBJECT-TYPESYNTAXMacAddressMAX-ACCESSread-createSTATUScurrentDESCRIPTION"Using 'inverse mask' support MAC wildcards. The mask used
with the source MAC address will specify what traffic is
exempted from EAP validation.
e.g. cnnEouAuthMacAddr: 00:0d:bc:ef:eb:bd
cnnEouAuthMacAddrMask: 00:00:ff:ff:ff:ff
This exempts any MAC in the range 00:0d:00:00:00:00 from
posture validation.
cnnEouAuthMacAddr: 00:0d:bc:ef:eb:bd
cnnEouAuthMacAddrMask: 00:00:00:00:00:00
This exempts specific MAC 00:0d:bc:ef:eb:bd from posture
validation.
cnnEouAuthMacAddr: 00:0d:bc:ef:eb:bd
cnnEouAuthMacAddrMask: ff:ff:ff:ff:ff:ff
This exempts all MAC address from posture validation."::={ cnnEouAuthMacEntry 2}cnnEouAuthMacPolicy OBJECT-TYPESYNTAXSnmpAdminStringMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The policy associate with the statically authorized device
identified by MAC address. The policy needs to be present
in the policy-database before an device can be associated to
it."::={ cnnEouAuthMacEntry 3}cnnEouAuthMacStorageType OBJECT-TYPESYNTAXStorageTypeMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The storage type for this conceptual row."DEFVAL{ nonVolatile }::={ cnnEouAuthMacEntry 4}
cnnEouAuthMacRowStatus OBJECT-TYPESYNTAXRowStatusMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The status of this conceptual row.
To create an entry, users set the value of this object to
'createAndGo'.
The transition from 'active' to 'notInService' may not be
supported.
A row may be deleted by setting the RowStatus to 'destroy'.
Once a row becomes active, values within the row cannot be
modified, except by deleting and re-creating the row."::={ cnnEouAuthMacEntry 5}-- DeviceType Exception listcnnEouAuthDeviceTypeTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouAuthDeviceTypeEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A list of static authorized devices indexed by device type."::={ cnnEouAuthorizeLists 3}cnnEouAuthDeviceTypeEntry OBJECT-TYPESYNTAX CnnEouAuthDeviceTypeEntry
MAX-ACCESSnot-accessible
STATUScurrentDESCRIPTION"An entry containing the information of the static authorized
device indexed by device type."INDEX{ cnnEouAuthDeviceType }::={ cnnEouAuthDeviceTypeTable 1}
CnnEouAuthDeviceTypeEntry ::=SEQUENCE{
cnnEouAuthDeviceType CnnEouDeviceType,
cnnEouAuthDeviceTypeStorageType StorageType,
cnnEouAuthDeviceTypeRowStatus RowStatus}cnnEouAuthDeviceType OBJECT-TYPESYNTAX CnnEouDeviceType
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"The static authorize device type."::={ cnnEouAuthDeviceTypeEntry 1}cnnEouAuthDeviceTypeStorageType OBJECT-TYPESYNTAXStorageTypeMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The storage type for this conceptual row."
DEFVAL{ nonVolatile }::={ cnnEouAuthDeviceTypeEntry 2}cnnEouAuthDeviceTypeRowStatus OBJECT-TYPESYNTAXRowStatusMAX-ACCESSread-createSTATUScurrentDESCRIPTION"This object is used to create or delete an entry in the
cnnEouAuthDeviceTypeTable.
A row may be created using the 'CreateAndGo' option.
A row may be deleted by setting the RowStatus to 'destroy'.
Once a row becomes active, values within the row cannot be
modified, except by deleting and re-creating the row."::={ cnnEouAuthDeviceTypeEntry 3}-- EAPoUDP Interface ConfigurationcnnEouIfConfigTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouIfConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A list of EOU configurations for the EOU capable interfaces."::={ cnnEouIfMIBObjects 1}cnnEouIfConfigEntry OBJECT-TYPE
SYNTAX CnnEouIfConfigEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"An entry containing the EOU configuration information for a
particular EOU capable interface."INDEX{ ifIndex }::={ cnnEouIfConfigTable 1}
CnnEouIfConfigEntry ::=SEQUENCE{
cnnEouIfAdminStatus INTEGER,
cnnEouIfMaxRetry Integer32,
cnnEouIfValidateAction INTEGER,
cnnEouIfTimeoutGlobalConfig BITS,
cnnEouIfTimeoutAAA Unsigned32,
cnnEouIfTimeoutHoldPeriod Unsigned32,
cnnEouIfTimeoutRetransmit Unsigned32,
cnnEouIfTimeoutRevalidation Unsigned32,
cnnEouIfTimeoutStatusQuery Unsigned32,
cnnEouIfAaaFailPolicy CpgPolicyNameOrEmpty
}cnnEouIfAdminStatus OBJECT-TYPESYNTAXINTEGER{auto(1),
disabled(2),bypass(3)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Setting this object to 'auto' means the Posture Validation via
EOU ability at this interface would be enabled if a end point
device is found.
If the value of this object is 'disabled' then the interface
will act as it would if it had no posture validation via EOU
ability.
Setting this object to 'bypass' allows the host connected
to this interface this interface to bypass the Posture
Validation and directly download the host network access policy
from AAA server."::={ cnnEouIfConfigEntry 1}cnnEouIfMaxRetry OBJECT-TYPESYNTAXInteger32MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The maximum number of retry by EOU for this interface."::={ cnnEouIfConfigEntry 2}
cnnEouIfValidateAction OBJECT-TYPESYNTAXINTEGER{none(1),initialize(2),revalidate(3),noRevalidate(4)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"An EOU validate action to the devices associated with the
interface.
This object always has the value 'none' when read.
none(1) no operation is performed.
initialize(2) Manually initiates reauthentication of all
the endpoint devices associated with the
interface.
revalidate(3) Revalidate EOU posture credentials of the
devices associated with a specify interface.
noRevalidate(4) Disable the revalidation of all the device
associated with the interface."::={ cnnEouIfConfigEntry 3}cnnEouIfTimeoutGlobalConfig OBJECT-TYPESYNTAXBITS{
aaa(0),holdPeriod(1),retransmit(2),revalidation(3),statusQuery(4)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"This object indicates whether the timeout configurations on
this interface are based on the corresponding global
timeout configurations or not.
aaa(0) If this bit is set, the value of
cnnEouIfTimeoutAAA is based on the
value of cnnEouTimeoutAAA.
holdPeriod(1) If this bit is set, the value of
cnnEouIfTimeoutHoldPeriod is based on the
value of cnnEouTimeoutHoldPeriod.
retransmit(2) If this bit is set, the value of
cnnEouIfTimeoutRetransmit is based on the
value of cnnEouTimeoutRetransmit.
revalidation(3) If this bit is set, the value of
cnnEouIfTimeoutRevalidation is based on the
value of cnnEouTimeoutRevalidation.
statusQuery(4) If this bit is set, the value of
cnnEouIfTimeoutStatusQuery is based on the
value of cnnEouTimeoutStatusQuery.
If a bit is not set, the value of the corresponding object
in the same conceptual row is not based on its corresponding
global object.
If users configure object which is covered by
cnnEouIfTimeoutGlobalConfig in the same conceptual row
while the corresponding bit is set, the corresponding bit will
be unset in order to reflect that such configuration is not
from its corresponding global object."::={ cnnEouIfConfigEntry 4}cnnEouIfTimeoutAAA OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period used by EOU for the AAA server
connection on this interface."::={ cnnEouIfConfigEntry 5}cnnEouIfTimeoutHoldPeriod OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The hold period of this interface. The hold period
is the length of the time that can elapse before the client
session entries are purged from the system due to client
inactivity."::={ cnnEouIfConfigEntry 6}cnnEouIfTimeoutRetransmit OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the EOU message retransmitted at this
interface."::={ cnnEouIfConfigEntry 7}cnnEouIfTimeoutRevalidation OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the revalidation at this interface.
Setting this object to 0 will disable periodic revalidation on
this device."::={ cnnEouIfConfigEntry 8}cnnEouIfTimeoutStatusQuery OBJECT-TYPESYNTAXUnsigned32
UNITS"seconds"MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The timeout period for the status query after revalidation at
this interface."::={ cnnEouIfConfigEntry 9}cnnEouIfAaaFailPolicy OBJECT-TYPESYNTAX CpgPolicyNameOrEmpty
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Specified the name of the policy template to be applied when
cnnEouHostResultState is 'aaaFail'. The specified policy name
must exist in cpgPolicyTable if it is not empty string."::={ cnnEouIfConfigEntry 10}-- Validation Action: Initialize, Revalidate, noRevalidatecnnEouHostValidateAction OBJECT-TYPESYNTAXINTEGER{none(1),initializeAll(2),initializeAuthClientless(3),
initializeAuthEap(4),initializeAuthStatic(5),initializeIp(6),initializeMac(7),initializePostureToken(8),revalidateAll(9),revalidateAuthClientless(10),revalidateAuthEap(11),revalidateAuthStatic(12),revalidateIp(13),revalidateMac(14),revalidatePostureToken(15),noRevalidateAll(16),noRevalidateAuthClientless(17),
noRevalidateAuthEap(18),noRevalidateAuthStatic(19),noRevalidateIp(20),noRevalidateMac(21),noRevalidatePostureToken(22),initializePostureTokenStr(23),revalidatePostureTokenStr(24),noRevalidatePostureTokenStr(25)}MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"An EOU validate action to the devices.
Initialize: When a device is initialized, all previous state
information about that host is deleted and the admission
control process for that host will start with no state.
Revalidate: When a host is revalidated, state information about
that host is retained so that the host still has its' normal
access during the revalidation process.
This object always has the value 'none' when read.
none(1) - no operation is performed.
initializeAll(2) - to manually initiates reauthentication of
all endpoint devices on the system.
initializeAuthClientless(3) - to manually initiates
reauthentication of all clientless endpoint devices.
initializeAuthEap(4) - to manually initiates reauthentication of
all the endpoint devices authorized by Extensive
Authentication Protocol.
initializeAuthStatic(5) - to manually initiates reauthentication
of all the statically authorized endpoint devices.
initializeIp(6) - to manually initiates reauthentication of a
specific IP device. The value in
cnnEouHostValidateIpAddrType and
cnnEouHostValidateIpAddr are used by this operation.
initializeMac(7) - to manually initiates reauthentication of the
endpoint device identified by MAC address. The value
in cnnEouHostValidateMacAddr is used by this
operation.
initializePostureToken(8) - to manually initiates
reauthentication of the endpoint device(s) with a
specify posture token assigned. The value in
cnnEouHostValidatePostureToken is used by this
operation.
This enumerated integer is deprecated and replaced by
initializePostureTokenStr(23).
revalidateAll(9) - to revalidate EOU posture credentials of all
devices on the system.
revalidateAuthClientless(10) - to revalidate EOU posture
credentials of all clientless devices on the system.
revalidateAuthEap(11) - to revalidate EOU posture credentials of
the devices authorized by EAP on the system.
revalidateAuthStatic(12) - to revalidate EOU posture credentials
of all statically authorized devices on the system.
revalidateIp(13) - to revalidates EOU posture credentials of a
specific IP device. The value in
cnnEouHostValidateIpAddrType and
cnnEouHostValidateIpAddr are used by this operation.
revalidateMac(14) - to revalidates EOU posture credentials of a
specific device identified by MAC address. The value
in cnnEouHostValidateMacAddr is used by this
operation.
revalidatePostureToken(15) - to enable revalidates EOU posture
credentials of the devices with the specific posture
token assigned. The value in
cnnEouHostValidatePostureToken is used by this
operation.
This enumerated integer is deprecated and replaced by
revalidatePostureTokenStr(24).
noRevalidateAll(16) - to disable revalidation of all devices on
the system.
noRevalidateAuthClientless(17) - to disable the revalidation of
all clientless devices on the system.
noRevalidateAuthEap(18) - to disable the revalidation of all
devices authorized by EAP on the system.
noRevalidateAuthStatic(19) - to disable the revalidation of all
statically authorized devices on the system.
noRevalidateIp(20) - to disable the revalidation of the specific
IP device. The value in cnnEouHostValidateIpAddrType
and cnnEouHostValidateIpAddr are used by this operation.
noRevalidateMac(21) - to disable the revalidation of the specific
device identified by MAC address. The value in
cnnEouHostValidateMacAddr is used by this operation.
noRevalidatePostureToken(22) - to disable the revalidation of all
device with the specific posture token assigned.
The value in cnnEouHostValidatePostureToken is used by
this operation.
This enumerated integer is deprecated and replaced by
noRevalidatePostureTokenStr(25).
initializePostureTokenStr(23) - to manually initiates
reauthentication of the endpoint device(s) with a
specify posture token assigned. The value in
cnnEouHostValidatePostureTokenStr is used by this
operation.
revalidatePostureTokenStr(24) - to enable revalidates EOU
posture credentials of the devices with the specific
posture token assigned. The value in
cnnEouHostValidatePostureTokenStr is used by this
operation.
noRevalidatePostureTokenStr(25) - to disable the revalidation
of all device with the specific posture token
assigned. The value in
cnnEouHostValidatePostureTokenStr is used by this
operation."::={ cnnEouHostMIBObjects 1}cnnEouHostValidateIpAddrType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSread-write
STATUScurrentDESCRIPTION"The type of Internet address for a detected host."::={ cnnEouHostMIBObjects 2}cnnEouHostValidateIpAddr OBJECT-TYPESYNTAXInetAddressMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The Internet address for a detected host. The type of this
address is determined by the value of the
cnnEouHostValidateIpAddrType."::={ cnnEouHostMIBObjects 3}cnnEouHostValidateMacAddr OBJECT-TYPESYNTAXMacAddressMAX-ACCESSread-writeSTATUScurrentDESCRIPTION"The Mac address for a detected host."::={ cnnEouHostMIBObjects 4}cnnEouHostValidatePostureToken OBJECT-TYPESYNTAX CnnEouPostureToken
MAX-ACCESSread-writeSTATUSdeprecated
DESCRIPTION"Type of posture token for a detected host.
This object is deprecated and replaced by
cnnEouHostValidatePostureTokenStr."::={ cnnEouHostMIBObjects 5}-- EOU endpoint device query tablecnnEouHostMaxQueries OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Maximum number of query entries allowed to be outstanding
at any time, in the cnnEouHostQueryTable."::={ cnnEouHostMIBObjects 6}cnnEouHostQueryTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouHostQueryEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A control table used to query the client host by
specifying retrieval criteria for the EOU information.
Each row instance in the table represents a query with
its parameters. The resulting data for each instance of
a query in this table is returned in the
cnnHostQueryResultTable.
The maximum number of entries (rows) in this table cannot
exceed the value of cnnEouHostMaxQueries object."
::={ cnnEouHostMIBObjects 7}cnnEouHostQueryEntry OBJECT-TYPESYNTAX CnnEouHostQueryEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A conceptual row of the cnnEouHostQueryTable used to setup
retrieval criteria to search for the EOU hosts on the system.
The actual search is started by setting the value of
cnnEouHostQueryStatus to 'active'. Once a row becomes active,
values within the row cannot be modified, except by deleting
and re-creating the row."INDEX{ cnnEouHostQueryIndex }::={ cnnEouHostQueryTable 1}
CnnEouHostQueryEntry ::=SEQUENCE{
cnnEouHostQueryIndex Unsigned32,
cnnEouHostQueryMask INTEGER,
cnnEouHostQueryInterface InterfaceIndexOrZero,
cnnEouHostQueryIpAddrType InetAddressType,
cnnEouHostQueryIpAddr InetAddress,
cnnEouHostQueryMacAddr MacAddress,
cnnEouHostQueryPostureToken CnnEouPostureToken,
cnnEouHostQuerySkipNHosts Unsigned32,
cnnEouHostQueryMaxResultRows Unsigned32,
cnnEouHostQueryTotalHosts Integer32,
cnnEouHostQueryRows Integer32,
cnnEouHostQueryCreateTime TimeStamp,
cnnEouHostQueryStatus RowStatus,
cnnEouHostQueryPostureTokenStr CnnEouPostureTokenString
}cnnEouHostQueryIndex OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"An arbitrary integer in the range of 1 to cnnEouHostMaxQueries
to identify this control query."::={ cnnEouHostQueryEntry 1}cnnEouHostQueryMask OBJECT-TYPESYNTAXINTEGER{authenClientless(1),authenEap(2),authenStatic(3),
interface(4),ip(5),mac(6),postureToken(7),all(8),postureTokenString(9)}MAX-ACCESSread-createSTATUScurrentDESCRIPTION"Setting each value causes the appropriate action:
authenClientless(1) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the clientless host(s) on the
system.
authenEap(2) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the hosts authorized by EAP on
the system.
authenStatic(3) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the statically authorized hosts
on the system.
interface(4) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the endpoint devices connected to
the interface specified in cnnEouHostQueryInterface.
ip(5) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the IP hosts specified in
cnnEouHostQueryIpAddrType and cnnEouHostQueryIpAddr.
mac(6) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the hosts matching the mac
address specified in cnnEouHostQueryMacAddr.
postureToken(7) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the hosts assigned posture token
specified in cnnEouHostQueryPostureToken.
This enumerated integer is deprecated and replaced by
postureTokenString.
all(8) - returns all rows corresponding to all the detected
hosts in the system.
postureTokenString(9) - causes the creation of row(s) in the
cnnHostQueryResultTable corresponding to the current
EOU information for the hosts assigned posture token
string specified in cnnEouHostQueryPostureTokenStr."DEFVAL{ all }::={ cnnEouHostQueryEntry 2}cnnEouHostQueryInterface OBJECT-TYPE
SYNTAXInterfaceIndexOrZeroMAX-ACCESSread-createSTATUScurrentDESCRIPTION"An index value that uniquely identifies an interface
where the end point device is connected.
The interface identified by a particular value of
this index is the same interface as identified
by the same value of ifIndex."REFERENCE"RFC 2863, ifIndex"DEFVAL{0}::={ cnnEouHostQueryEntry 3}cnnEouHostQueryIpAddrType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The internet address type for the queried host."DEFVAL{ ipv4 }::={ cnnEouHostQueryEntry 4}cnnEouHostQueryIpAddr OBJECT-TYPESYNTAXInetAddressMAX-ACCESSread-createSTATUScurrent
DESCRIPTION"The Internet address for the queried host. The type of this
address is determined by the value of the
cnnEouHostQueryIpAddrType.
If the 'ip' option of cnnEouHostQueryMask is selected, an
appropriate IP address type is assigned to
cnnEouHostQueryIpAddrType, and an appropriate IP address is
assigned to cnnEouHostQueryIpAddr then only the IP host with the
specified address will be containing in the result table."DEFVAL{ '00000000'H }::={ cnnEouHostQueryEntry 5}cnnEouHostQueryMacAddr OBJECT-TYPESYNTAXMacAddressMAX-ACCESSread-createSTATUScurrentDESCRIPTION"The Mac address for the queried host.
If the 'mac' option of cnnEouHostQueryMask is selected, an
appropriate MAC address is assigned to this object
then only the host with the specified MAC address will be
containing in the result table."DEFVAL{ '000000000000'H }::={ cnnEouHostQueryEntry 6}cnnEouHostQueryPostureToken OBJECT-TYPE
SYNTAX CnnEouPostureToken
MAX-ACCESSread-createSTATUSdeprecatedDESCRIPTION"The assigned posture token for the queried host.
If the 'postureToken' option of cnnEouHostQueryMask is selected,
an appropriate posture token is assigned to this object then
only the host with the specified posture token will be
containing in the result table.
This object is deprecated and replaced by
cnnEouHostQueryPostureTokenStr."DEFVAL{ healthy }::={ cnnEouHostQueryEntry 7}cnnEouHostQuerySkipNHosts OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-createSTATUScurrentDESCRIPTION"The number of searched detected hosts to be skipped before
storing any host in cnnEouHostResultTable.
This object can be used along with cnnEouHostQueryTotalHosts
object to skip previously found hosts by setting the variable
equal to the number of the associated rows in
cnnEouHostResultTable, and only query the remaining hosts
in the table.
Note that due to the dynamical nature of the EOU, the queried
hosts may be missed or repeated by setting this object."::={ cnnEouHostQueryEntry 8}cnnEouHostQueryMaxResultRows OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSread-createSTATUScurrentDESCRIPTION"This is the maximum number of rows in the
cnnEouHostResultTable, resulting from this query.
A value of zero (0) indicates no limit rows in
cnnEouHostResultTable, resulting from this query."::={ cnnEouHostQueryEntry 9}cnnEouHostQueryTotalHosts OBJECT-TYPESYNTAXInteger32(-1..2147483647)MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicating the total number of the hosts matching the query
criterion.
-1 - Either the query has not been started or the agent is
still processing this query instance. It is the default
value when the row is instantiated.
0..2147483647 - The search has ended and this is the number of
host matching the query criterion."::={ cnnEouHostQueryEntry 10}
cnnEouHostQueryRows OBJECT-TYPESYNTAXInteger32(-1..2147483647)MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicating the status of the query by following values:
-1 - Either the query has not been started or the agent is
still processing this query instance. It is the default
value when the row is instantiated.
0..2147483647 - The search has ended and this is the number of
rows in the cnnEouHostResultTable, resulting from this
query."::={ cnnEouHostQueryEntry 11}cnnEouHostQueryCreateTime OBJECT-TYPESYNTAXTimeStampMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Time when this query was last set to active."::={ cnnEouHostQueryEntry 12}cnnEouHostQueryStatus OBJECT-TYPESYNTAXRowStatusMAX-ACCESSread-create
STATUScurrentDESCRIPTION"The status object used to manage rows in this table.
When set to 'createAndGo', the query is initiated.
The completion of the query is indicated by the value of
cnnEouHostQueryRows as soon as it becomes greater than or equal
to 0.
Once a row becomes active, values within the row cannot
be modified, except by deleting and re-creating it."::={ cnnEouHostQueryEntry 13}cnnEouHostQueryPostureTokenStr OBJECT-TYPESYNTAX CnnEouPostureTokenString
MAX-ACCESSread-createSTATUScurrentDESCRIPTION"The assigned posture token string for the queried host. If the
'postureTokenString' option of cnnEouHostQueryMask is selected,
an appropriate posture token string is assigned to this object
then only the host with the specified posture token string will
be containing in the result table."::={ cnnEouHostQueryEntry 14}-- EAPoUDP Host Query ResultcnnEouHostResultTable OBJECT-TYPESYNTAXSEQUENCEOF CnnEouHostResultEntry
MAX-ACCESSnot-accessible
STATUScurrentDESCRIPTION"A table containing current detected host information
corresponding to all the completed queries set up in
the cnnEouHostQueryTable, that were detected in the device.
The query result will not become available until the current
search completes."::={ cnnEouHostMIBObjects 8}cnnEouHostResultEntry OBJECT-TYPESYNTAX CnnEouHostResultEntry
MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A conceptual row of cnnEouHostResultTable, containing
posture validation information of an detected host that
matches the search criteria set in the corresponding row of
cnnEouHostQueryTable."INDEX{
cnnEouHostQueryIndex,
cnnEouHostResultIndex
}::={ cnnEouHostResultTable 1}
CnnEouHostResultEntry ::=SEQUENCE{
cnnEouHostResultIndex Unsigned32,
cnnEouHostResultAssocIf InterfaceIndex,
cnnEouHostResultIpAddrType InetAddressType,
cnnEouHostResultIpAddr InetAddress,
cnnEouHostResultMacAddr MacAddress,
cnnEouHostResultAuthType CnnEouAuthType,
cnnEouHostResultPostureToken CnnEouPostureToken,
cnnEouHostResultAge Unsigned32,
cnnEouHostResultUrlRedir CiscoURLString,
cnnEouHostResultAclName SnmpAdminString,
cnnEouHostResultStatusQryPeriod Unsigned32,
cnnEouHostResultRevalidatePeriod Unsigned32,
cnnEouHostResultState CnnEouState,
cnnEouHostResultPostureTokenStr CnnEouPostureTokenString
}cnnEouHostResultIndex OBJECT-TYPESYNTAXUnsigned32MAX-ACCESSnot-accessibleSTATUScurrentDESCRIPTION"A number which uniquely identifies a result entry
matching a particular query."::={ cnnEouHostResultEntry 1}cnnEouHostResultAssocIf OBJECT-TYPESYNTAXInterfaceIndex
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"An index value that uniquely identifies an interface
where the end point device is currently connected.
The interface identified by a particular value of
this index is the same interface as identified
by the same value of ifIndex."REFERENCE"RFC 2863, ifIndex"::={ cnnEouHostResultEntry 2}cnnEouHostResultIpAddrType OBJECT-TYPESYNTAXInetAddressTypeMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The type of Internet address by which the detected host
is reachable."::={ cnnEouHostResultEntry 3}cnnEouHostResultIpAddr OBJECT-TYPESYNTAXInetAddressMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The internet address for the detected host. The type
of this address is determined by the value of the
cnnEouHostResultIpAddrType object."::={ cnnEouHostResultEntry 4}cnnEouHostResultMacAddr OBJECT-TYPESYNTAXMacAddressMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicates The MAC address of the detected host."::={ cnnEouHostResultEntry 5}cnnEouHostResultAuthType OBJECT-TYPESYNTAX CnnEouAuthType
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"This object indicates the authentication type used in
the posture validation process for this detected host."::={ cnnEouHostResultEntry 6}cnnEouHostResultPostureToken OBJECT-TYPESYNTAX CnnEouPostureToken
MAX-ACCESSread-onlySTATUSdeprecatedDESCRIPTION"Indicates the posture token of the detected host.
During the posture validation process, the host will be
placed into a particular category and have a token assigned to
it. This assignment will depend on the state of the software
that is resident on the host. The host will have specific
right to access network based on the token assigned.
This object is deprecated and replaced by
cnnEouHostResultPostureTokenStr"::={ cnnEouHostResultEntry 7}cnnEouHostResultAge OBJECT-TYPESYNTAXUnsigned32UNITS"minutes"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicates the length of time, in minutes, that host
has been connected."::={ cnnEouHostResultEntry 8}cnnEouHostResultUrlRedir OBJECT-TYPESYNTAX CiscoURLString
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"This object specifies the URL(Web page) where the latest
Anti-Virus file can be downloaded or upgraded, if the
detected host fails the credential validation then it
may require remediation."::={ cnnEouHostResultEntry 9}
cnnEouHostResultAclName OBJECT-TYPESYNTAXSnmpAdminStringMAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The mapped ACL to this detected host. A character string for
an ACL (Access Control List) name. Valid characters are a-z,
A-Z, 0-9, ,'#', '-', '_' and '.'. Some devices may require
that an ACL name contains at least one non-numeric character.
ACL name is case sensitive."::={ cnnEouHostResultEntry 10}cnnEouHostResultStatusQryPeriod OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"The timeout period, in seconds, for the status query after
revalidation at this interface."::={ cnnEouHostResultEntry 11}cnnEouHostResultRevalidatePeriod OBJECT-TYPESYNTAXUnsigned32UNITS"seconds"MAX-ACCESSread-onlySTATUScurrent
DESCRIPTION"The timeout period, in second, for the revalidation at this
interface."::={ cnnEouHostResultEntry 12}cnnEouHostResultState OBJECT-TYPESYNTAX CnnEouState
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicates the current EOU state of this detected host."::={ cnnEouHostResultEntry 13}cnnEouHostResultPostureTokenStr OBJECT-TYPESYNTAX CnnEouPostureTokenString
MAX-ACCESSread-onlySTATUScurrentDESCRIPTION"Indicates the posture token string of the detected host.
During the posture validation process, the host will be
placed into a particular category and have a token assigned to
it. This assignment will depend on the state of the software
that is resident on the host. The host will have specific
right to access network based on the token assigned."::={ cnnEouHostResultEntry 14}cnnEouHostValidatePostureTokenStr OBJECT-TYPE
SYNTAX CnnEouPostureTokenString
MAX-ACCESSread-writeSTATUScurrentDESCRIPTION"Posture token string for a detected host."::={ cnnEouHostMIBObjects 9}-- Notifications
--
-- no notifications defined
--
-- ConformanceciscoNacNadMIBCompliances OBJECTIDENTIFIER::={ ciscoNacNadMIBConformance 1}ciscoNacNadMIBGroups OBJECTIDENTIFIER::={ ciscoNacNadMIBConformance 2}ciscoNacNadMIBCompliance MODULE-COMPLIANCESTATUSdeprecatedDESCRIPTION"The compliance statement for the CISCO-NAC-NAD-MIB.
OBJECT cnnEouAuthIpAddrType
SYNTAX InetAddressType { ipv4(1) }
DESCRIPTION
An implementation is only required to support IPv4
addresses."MODULE-- this moduleMANDATORY-GROUPS{
ciscoNacNadEouGlobalGroup,
ciscoNacNadEouAuthIpGroup,
ciscoNacNadEouIfConfigGroup,
ciscoNacNadEouHostGroup
}GROUP ciscoNacNadEouIfTimeoutGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the timeout configuration on interface."GROUP ciscoNacNadEouIfMaxRetryGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the max-retry configuration on interface."GROUP ciscoNacNadEouRateLimitGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the rate-limit configuration."GROUP ciscoNacNadEouIfAdminGroup
DESCRIPTION"This group is mandatory only for the platforms which
support enabled/disabled/bypassed EOU feature on the
interface."GROUP ciscoNacNadEouAuthMacGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the exempted MAC device with a policy associated."GROUP ciscoNacNadEouAuthDeviceTypeGrp
DESCRIPTION"This group is mandatory only for the platforms which support
statically authorize device identified by device type."GROUP ciscoNacNadEouHostAgeGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the age information on the interface."GROUP ciscoNacNadEouHostUrlRedir
DESCRIPTION"This group is mandatory only for the platforms which
support the redirection URL information on the interface."GROUP ciscoNacNadEouHostAclGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the ACL(Access Control List) information on the
interface."OBJECT cnnEouEnabled
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAllowIpStationId
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouPort
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouHostResultIpAddrType
SYNTAXINTEGER{
ipv4(1)}DESCRIPTION"An implementation is only required to support IPv4
addresses."OBJECT cnnEouAuthIpStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAuthMacStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAuthDeviceTypeStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."::={ ciscoNacNadMIBCompliances 1}ciscoNacNadMIBCompliance2 MODULE-COMPLIANCESTATUSdeprecatedDESCRIPTION"The compliance statement for the CISCO-NAC-NAD-MIB.
OBJECT cnnEouAuthIpAddrType
SYNTAX InetAddressType { ipv4(1) }
DESCRIPTION
An implementation is only required to support IPv4
addresses."MODULE-- this moduleMANDATORY-GROUPS{
ciscoNacNadEouGlobalGroup,
ciscoNacNadEouAuthIpGroup,
ciscoNacNadEouIfConfigGroup,
ciscoNacNadEouHostGrp
}GROUP ciscoNacNadEouIfTimeoutGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the timeout configuration on interface."GROUP ciscoNacNadEouIfMaxRetryGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the max-retry configuration on interface."GROUP ciscoNacNadEouRateLimitGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the rate-limit configuration."GROUP ciscoNacNadEouIfAdminGroup
DESCRIPTION"This group is mandatory only for the platforms which
support enabled/disabled/bypassed EOU feature on the
interface."GROUP ciscoNacNadEouAuthMacGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the exempted MAC device with a policy associated."GROUP ciscoNacNadEouAuthDeviceTypeGrp
DESCRIPTION"This group is mandatory only for the platforms which support
statically authorize device identified by device type."GROUP ciscoNacNadEouHostAgeGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the age information on the interface."GROUP ciscoNacNadEouHostUrlRedir
DESCRIPTION"This group is mandatory only for the platforms which
support the redirection URL information on the interface."GROUP ciscoNacNadEouHostAclGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the ACL(Access Control List) information on the
interface."GROUP ciscoNacNadEouIfAaaFailPolicyGrp
DESCRIPTION"This group is mandatory only for the platforms which
support IAB(Inaccessible Authentication Bypass) feature
on the interface."GROUP cnnIpDeviceTrackingConfigGrp
DESCRIPTION"This group is mandatory only for the platforms which
support IP device tracking feature."GROUP cnnEouCriticalRecoveryDelayGrp
DESCRIPTION"This group is mandatory only for the platforms which
support critical recovery delay feature."OBJECT cnnEouEnabled
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAllowIpStationId
MIN-ACCESSread-onlyDESCRIPTION
"Write access is not required."OBJECT cnnEouPort
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouHostResultIpAddrType
SYNTAXINTEGER{
ipv4(1)}DESCRIPTION"An implementation is only required to support IPv4
addresses."OBJECT cnnEouAuthIpStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAuthMacStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAuthDeviceTypeStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."::={ ciscoNacNadMIBCompliances 2}ciscoNacNadMIBCompliance3 MODULE-COMPLIANCESTATUScurrentDESCRIPTION
"The compliance statement for the CISCO-NAC-NAD-MIB.
OBJECT cnnEouAuthIpAddrType
SYNTAX InetAddressType { ipv4(1) }
DESCRIPTION
An implementation is only required to support IPv4
addresses."MODULE-- this moduleMANDATORY-GROUPS{
ciscoNacNadEouGlobalGroup,
ciscoNacNadEouAuthIpGroup,
ciscoNacNadEouIfConfigGroup,
ciscoNacNadEouHostGrp
}GROUP ciscoNacNadEouIfTimeoutGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the timeout configuration on interface."GROUP ciscoNacNadEouIfMaxRetryGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the max-retry configuration on interface."GROUP ciscoNacNadEouRateLimitGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the rate-limit configuration."GROUP ciscoNacNadEouIfAdminGroup
DESCRIPTION"This group is mandatory only for the platforms which
support enabled/disabled/bypassed EOU feature on the
interface."GROUP ciscoNacNadEouAuthMacGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the exempted MAC device with a policy associated."GROUP ciscoNacNadEouAuthDeviceTypeGrp
DESCRIPTION"This group is mandatory only for the platforms which support
statically authorize device identified by device type."GROUP ciscoNacNadEouHostAgeGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the age information on the interface."GROUP ciscoNacNadEouHostUrlRedir
DESCRIPTION"This group is mandatory only for the platforms which
support the redirection URL information on the interface."GROUP ciscoNacNadEouHostAclGroup
DESCRIPTION"This group is mandatory only for the platforms which
support the ACL(Access Control List) information on the
interface."GROUP ciscoNacNadEouIfAaaFailPolicyGrp
DESCRIPTION"This group is mandatory only for the platforms which
support IAB(Inaccessible Authentication Bypass) feature
on the interface."GROUP cnnIpDeviceTrackingConfigGrp
DESCRIPTION"This group is mandatory only for the platforms which
support IP device tracking feature."GROUP cnnEouCriticalRecoveryDelayGrp
DESCRIPTION"This group is mandatory only for the platforms which
support critical recovery delay feature."GROUP cnnEouIfIpDevTrackConfigGrp
DESCRIPTION"This group is mandatory only for the platforms which
support EOU IP Device Tracking per interface in the device."OBJECT cnnEouEnabled
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAllowIpStationId
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouPort
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouHostResultIpAddrType
SYNTAXINTEGER{
ipv4(1)}DESCRIPTION"An implementation is only required to support IPv4
addresses."OBJECT cnnEouAuthIpStorageType
MIN-ACCESSread-only
DESCRIPTION"Write access is not required."OBJECT cnnEouAuthMacStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."OBJECT cnnEouAuthDeviceTypeStorageType
MIN-ACCESSread-onlyDESCRIPTION"Write access is not required."::={ ciscoNacNadMIBCompliances 3}-- Units of ConformanceciscoNacNadEouGlobalGroup OBJECT-GROUPOBJECTS{
cnnEouVersion,
cnnEouEnabled,
cnnEouAllowClientless,
cnnEouAllowIpStationId,
cnnEouLoggingEnabled,
cnnEouMaxRetry,
cnnEouPort,
cnnEouTimeoutAAA,
cnnEouTimeoutHoldPeriod,
cnnEouTimeoutRetransmit,
cnnEouTimeoutRevalidation,
cnnEouTimeoutStatusQuery
}STATUScurrent
DESCRIPTION"A collection of objects providing the global configuration on
the NAD."::={ ciscoNacNadMIBGroups 1}ciscoNacNadEouAuthIpGroup OBJECT-GROUPOBJECTS{
cnnEouAuthIpAddrMask,
cnnEouAuthIpPolicy,
cnnEouAuthIpStorageType,
cnnEouAuthIpRowStatus
}STATUScurrentDESCRIPTION"A collection of objects providing the configuration for
the static authorization IP device with policy associated."::={ ciscoNacNadMIBGroups 2}ciscoNacNadEouAuthMacGroup OBJECT-GROUPOBJECTS{
cnnEouAuthMacAddrMask,
cnnEouAuthMacPolicy,
cnnEouAuthMacStorageType,
cnnEouAuthMacRowStatus
}STATUScurrentDESCRIPTION"A collection of objects providing the configuration for
the static authorization MAC device with policy associated."
::={ ciscoNacNadMIBGroups 3}ciscoNacNadEouAuthDeviceTypeGrp OBJECT-GROUPOBJECTS{
cnnEouAuthDeviceTypeStorageType,
cnnEouAuthDeviceTypeRowStatus
}STATUScurrentDESCRIPTION"A collection of objects providing the configuration for
the static authorization device identified by device type."::={ ciscoNacNadMIBGroups 4}ciscoNacNadEouIfConfigGroup OBJECT-GROUPOBJECTS{ cnnEouIfValidateAction }STATUScurrentDESCRIPTION"A collection of objects providing the interface configuration
on the NAD."::={ ciscoNacNadMIBGroups 5}ciscoNacNadEouHostGroup OBJECT-GROUPOBJECTS{
cnnEouHostValidateAction,
cnnEouHostValidateIpAddrType,
cnnEouHostValidateIpAddr,
cnnEouHostValidateMacAddr,
cnnEouHostValidatePostureToken,
cnnEouHostMaxQueries,
cnnEouHostQueryMask,
cnnEouHostQueryInterface,
cnnEouHostQueryIpAddrType,
cnnEouHostQueryIpAddr,
cnnEouHostQueryMacAddr,
cnnEouHostQueryPostureToken,
cnnEouHostQuerySkipNHosts,
cnnEouHostQueryMaxResultRows,
cnnEouHostQueryTotalHosts,
cnnEouHostQueryRows,
cnnEouHostQueryCreateTime,
cnnEouHostQueryStatus,
cnnEouHostResultAssocIf,
cnnEouHostResultIpAddrType,
cnnEouHostResultIpAddr,
cnnEouHostResultMacAddr,
cnnEouHostResultAuthType,
cnnEouHostResultPostureToken,
cnnEouHostResultStatusQryPeriod,
cnnEouHostResultRevalidatePeriod,
cnnEouHostResultState
}STATUSdeprecated
DESCRIPTION"A collection of objects providing the host configuration
on the NAD."::={ ciscoNacNadMIBGroups 6}ciscoNacNadEouIfTimeoutGroup OBJECT-GROUPOBJECTS{
cnnEouIfTimeoutGlobalConfig,
cnnEouIfTimeoutAAA,
cnnEouIfTimeoutHoldPeriod,
cnnEouIfTimeoutRetransmit,
cnnEouIfTimeoutRevalidation,
cnnEouIfTimeoutStatusQuery
}STATUScurrentDESCRIPTION"A collection of objects providing the timeout configuration
on the interface."::={ ciscoNacNadMIBGroups 7}ciscoNacNadEouIfMaxRetryGroup OBJECT-GROUPOBJECTS{ cnnEouIfMaxRetry }STATUScurrentDESCRIPTION"A collection of objects providing the max-retry configuration
on the interface."::={ ciscoNacNadMIBGroups 8}
ciscoNacNadEouRateLimitGroup OBJECT-GROUPOBJECTS{ cnnEouRateLimit }STATUScurrentDESCRIPTION"A collection of objects providing the rate limit
configuration."::={ ciscoNacNadMIBGroups 9}ciscoNacNadEouIfAdminGroup OBJECT-GROUPOBJECTS{ cnnEouIfAdminStatus }STATUScurrentDESCRIPTION"A collection of objects providing the administrative
configuration on the interfaces."::={ ciscoNacNadMIBGroups 10}ciscoNacNadEouHostAgeGroup OBJECT-GROUPOBJECTS{ cnnEouHostResultAge }STATUScurrentDESCRIPTION"A collection of objects providing the age information
on the interface."::={ ciscoNacNadMIBGroups 11}ciscoNacNadEouHostUrlRedir OBJECT-GROUPOBJECTS{ cnnEouHostResultUrlRedir }
STATUScurrentDESCRIPTION"A collection of objects providing the redirect URL
information on the interface."::={ ciscoNacNadMIBGroups 12}ciscoNacNadEouHostAclGroup OBJECT-GROUPOBJECTS{ cnnEouHostResultAclName }STATUScurrentDESCRIPTION"A collection of objects providing the ACL(Access Control List)
information on the interface."::={ ciscoNacNadMIBGroups 13}ciscoNacNadEouIfAaaFailPolicyGrp OBJECT-GROUPOBJECTS{ cnnEouIfAaaFailPolicy }STATUScurrentDESCRIPTION"A collection of objects providing the AAA failed policy
for the interface."::={ ciscoNacNadMIBGroups 14}ciscoNacNadEouHostGrp OBJECT-GROUPOBJECTS{
cnnEouHostValidateAction,
cnnEouHostValidateIpAddrType,
cnnEouHostValidateIpAddr,
cnnEouHostValidateMacAddr,
cnnEouHostValidatePostureTokenStr,
cnnEouHostMaxQueries,
cnnEouHostQueryMask,
cnnEouHostQueryInterface,
cnnEouHostQueryIpAddrType,
cnnEouHostQueryIpAddr,
cnnEouHostQueryMacAddr,
cnnEouHostQueryPostureTokenStr,
cnnEouHostQuerySkipNHosts,
cnnEouHostQueryMaxResultRows,
cnnEouHostQueryTotalHosts,
cnnEouHostQueryRows,
cnnEouHostQueryCreateTime,
cnnEouHostQueryStatus,
cnnEouHostResultAssocIf,
cnnEouHostResultIpAddrType,
cnnEouHostResultIpAddr,
cnnEouHostResultMacAddr,
cnnEouHostResultAuthType,
cnnEouHostResultPostureTokenStr,
cnnEouHostResultStatusQryPeriod,
cnnEouHostResultRevalidatePeriod,
cnnEouHostResultState
}STATUScurrentDESCRIPTION"A collection of objects providing the host configuration
on the NAD."::={ ciscoNacNadMIBGroups 15}cnnIpDeviceTrackingConfigGrp OBJECT-GROUPOBJECTS{
cnnIpDeviceTrackingEnabled,
cnnIpDeviceTrackingProbeCount,
cnnIpDeviceTrackingProbeInterval
}STATUScurrentDESCRIPTION"A collection of objects providing IP device tracking
for the device."::={ ciscoNacNadMIBGroups 16}cnnEouCriticalRecoveryDelayGrp OBJECT-GROUPOBJECTS{ cnnEouCriticalRecoveryDelay }STATUScurrentDESCRIPTION"A collection of objects providing critical recovery delay
for the device."::={ ciscoNacNadMIBGroups 17}cnnEouIfIpDevTrackConfigGrp OBJECT-GROUP
OBJECTS{ cnnEouIfIpDevTrackEnabled }STATUScurrentDESCRIPTION"A collection of objects providing EOU IP device tracking
per interface in the device."::={ ciscoNacNadMIBGroups 18}END