-- *********************************************************************
-- CISCO-NAC-TC-MIB.my: Cisco NAC system Textual Conventions
--
-- May 2006, Liwei Lue
--
-- Copyright (c) 2006-2007 by Cisco Systems, Inc.
--
-- All rights reserved.
-- ********************************************************************CISCO-NAC-TC-MIB DEFINITIONS::=BEGINIMPORTSMODULE-IDENTITYFROM SNMPv2-SMI
TEXTUAL-CONVENTIONFROM SNMPv2-TC
ciscoMgmt
FROM CISCO-SMI;
ciscoNacTcMIB MODULE-IDENTITYLAST-UPDATED"200605310000Z"ORGANIZATION"Cisco Systems, Inc."CONTACT-INFO"Cisco Systems
Customer Service
Postal: 170 W Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: cs-nac@cisco.com
cs-lan-switch-snmp@cisco.com"DESCRIPTION"This module defines the textual conventions for
Cisco Network Admission Control(NAC) system.
The Cisco Network Admission Control security
solution offers a systems approach to customers for
ensuring endpoint device compliancy and vulnerability
checks prior to production access to the network. Cisco
refers to these compliancy checks as posture
validations. The intent of this systems approach is to
prevent the spread of works, viruses, and rogue
applications across the network. This systems approach
requires integration with third party end point security
applications, as well as endpoint security servers.
Terminology used:
EOU - Extensible Authentication Protocol over UDP.
UCT - Un Conditional Transition.
CTA - Cisco Trust Agent.
EAP - Extensible Authentication Protocol. An extension
to PPP.
ACS/AAA - Cisco Secure Access Control Server. The
primary authorization server that is the network policy
decision point and is extended to support posture
validation.
NAD - Network Access Device that enforces network
access control policies through layer 2 or layer 3
challenge-responses with a network enabled Endpoint
device."REVISION"200605310000Z"DESCRIPTION"The initial version of this MIB module."::={ ciscoMgmt 530}-- Definitions of textual convention
CnnEouState ::=TEXTUAL-CONVENTIONSTATUScurrentDESCRIPTION"Describes the EOU state.
initialize(1)
Indicates that the EOU state is in initialization.
State machine enters this state when a new
IP has been learned on the port. Cleanup of the
port configuration also force entering this
state. When entering this state, the followings
action take place:
- any previously configured policy are removed
- frees up any previously allocated memory
- does a UCT to 'hello' state.
hello(2)
Indicates that the EOU state is in hello state.
In this state the device sends a hello
message to get the association ID of the CTA and
also to check whether a CTA exists at all. The
device starts the hello timer and waits till that
time and if it doesn't get a response, it
retransmits the hello requests for max-retry times
before it declares the host as 'clientless'.
clientless(3)
Indicates that the EOU state is in client-less
state.
State machine enters this state when hello response
is not reached and in this state the device does
a pseudo authentication to download the policy
for Non-Responsive hosts and stays in this
state.
eapRequest(4)
Indicates that the EOU state is in EAP request
state.
In this state, the device sends EAP validate
requests to the CTA and awaits response from the
CTA, it starts the retransmit timeout and if
response is not received before that timer expires,
it retransmits the EAP requests.
response(5)
Indicates that the EOU state is in EAP response
state.
State machine enters this state when a response for
the EAP validate request is received from the CTA.
Device then builds a RADIUS request incorporating
the EAP packet and sends it to the ACS and awaits
response from the ACS. If the response from the
ACS is an access challenge it moves the port the
'eapRequest' state. But if it's a success, port
is moved to 'authenticated' state. If its Access-
Reject, port is moved to 'fail' state.
authenticated(6)
Indicates that the EOU state is in authenticated
state.
In this state policy installation happens and port
remains in this state until revalidation event is
triggered because of session timer expiry or when
status query fails. Status query generation and
response reception happens in this state only.
fail(7)
Indicates that the EOU state is in failed state.
When posture validation fails, system start the
hold timer and device waits till it expires
before trying for posture validation again.
abort(8)
Indicates that the EOU state is in abort state.
State machine enters this state because of
failing to complete posture validation due to lack
of response from CTA/RADIUS or any other reason.
aaaFail(9)
Indicates that the EOU state is in AAA failed
state.
State machine enters this state when RADIUS requests
to AAA server timeouts either due to the server not
being reachable or is down.
hold(10)
Indicates that the EOU state is in hold state.
This state represents the quiet or idle state
for the host. The host is put in the hold state
on events like hello response is not received
or the AAA server is not reachable. Host
remains in this state for hold the EOU hold
timeout period.
client(11)
Indicates that the EOU state is in client state.
This state is reached when the host sends a
response to EOU hello request from the
authenticating device. This state indicates the
presence of CTA on the device.
server(12)
Indicates that the EOU state is in server state.
This state represents that the authenticating
device is communicating with the AAA (RADIUS)
server. This state is reached when host send an
EOU response."SYNTAXINTEGER{initialize(1),hello(2),clientless(3),eapRequest(4),response(5),authenticated(6),fail(7),abort(8),aaaFail(9),
hold(10),client(11),server(12)}CnnEouAuthType ::=TEXTUAL-CONVENTIONSTATUScurrentDESCRIPTION"Type of authentication for NAD.
clientless(1)
End point device that does not run Cisco
Trust Agent.
eap(2)
Authorized via Extensible Authentication
Protocol.
static(3)
Statically authorized or rejected individual
end point device.
unknown(4)
The authentication type of the endpoint host
is unknown."
SYNTAXINTEGER{clientless(1),eap(2),static(3),unknown(4)}CnnEouDeviceType ::=TEXTUAL-CONVENTIONSTATUScurrentDESCRIPTION"The supported exempt device type on NAD.
ciscoIpPhone(1) - Cisco IP Phone"SYNTAXINTEGER{ciscoIpPhone(1)
}CnnEouPostureToken ::=TEXTUAL-CONVENTIONSTATUSdeprecatedDESCRIPTION"Posture token which representing the endpoint
device's relative compliance to the network
compliance policy.
unknown(1)
The posture credentials of the endpoint host
cannot be determined. The integrity of the
endpoint should be determined so proper posture
credentials can be attained and assessed for
network access authorization.
healthy(2)
The host complies with the currently required
credentials so no restrictions need to be
placed on this device.
checkup(3)
The host is within policy but doesn't have the
latest AV software; update recommended.
This profile state may be used to signal
management servers to proactively get this
machine into the 'healthy' state.
quarantine(4)
The host is out of policy and needs to be
restricted to a remediation network.
This device is not actively placing a threat on
other host but is susceptible to attack or
infection and should be updated as soon as
possible.
infected(5)
The host is an active threat to other hosts.
Network access should be severely restricted
and placed into remediation or totally denied
all network access.
This TEXTUAL-CONVENTION is deprecated and replaced by
CnnEouPostureTokenString."SYNTAXINTEGER{unknown(1),healthy(2),checkup(3),quarantine(4),
infected(5)}CnnEouPostureTokenString ::=TEXTUAL-CONVENTIONSTATUScurrentDESCRIPTION"Posture token which representing the endpoint
device's relative compliance to the network
compliance policy.
Valid characters are a-z, A-Z, 0-9, ,'#', '-', '_',
and '.'. Posture token string is case sensitive and
permits the value of empty string."SYNTAXOCTETSTRING(SIZE(0..255))END