-
Notifications
You must be signed in to change notification settings - Fork 57
/
Copy pathCISCO-AAA-CLIENT-MIB.mib
491 lines (397 loc) · 14.7 KB
/
CISCO-AAA-CLIENT-MIB.mib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
-- *****************************************************************
-- CISCO-AAA-CLIENT-MIB.my: Cisco AAA Client MIB
--
-- February 2000, Edward Pham
-- May 2001, Liwei Lue
-- October 2001, Jayakumar Kadirvelu
--
-- Copyright (c) 2000-2001 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--
CISCO-AAA-CLIENT-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Integer32
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
TEXTUAL-CONVENTION,
TruthValue
FROM SNMPv2-TC
ciscoMgmt
FROM CISCO-SMI;
ciscoAAAClientMIB MODULE-IDENTITY
LAST-UPDATED "200111190000Z"
ORGANIZATION "Cisco Systems, Inc."
CONTACT-INFO
" Cisco Systems
Customer Service
Postal: 170 W. Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: [email protected]"
DESCRIPTION
"This MIB module provides data for authentication method
priority based on Authentication, Authorization,
Accounting (AAA) protocols.
References:
The TACACS+ Protocol Version 1.78, Internet Draft
RFC 1411 Telnet Authentication: Kerberos Version 4.
RFC 1964 The Kerberos Version 5 GSS-API Mechanism.
"
REVISION "200111190000Z"
DESCRIPTION
"Deprecate object cacLockoutPeriod and add a new object
cacLockoutPeriodExt.
"
REVISION "200105100000Z"
DESCRIPTION
"Initial version
"
::= { ciscoMgmt 158 }
--
-- Textual Conventions
--
--
-- Session Type textual convention
--
SessionType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Represents a session type.
telnet(1) indicates telnet session.
console(2) indicates console session.
http(3) indicates http session.
"
SYNTAX INTEGER {
telnet (1),
console (2),
http (3)
}
--
-- Authentication method textual convention
--
AuthenMethod ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Represents authentication method.
tacacs(1) indicates that TACACS method is used for
authentication.
radius(2) indicates that RADIUS method is used for
authentication.
kerberos(3) indicates that KERBEROS method is used
for authentication.
local(4) indicates that local password is used
for authentication. Which password is used depend
on what login mode users specified.
"
SYNTAX INTEGER {
tacacs (1),
radius (2),
kerberos (3),
local (4)
}
--
-- Login Mode textual convention
--
LoginMode ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Represents login mode.
login(1) indicates the normal mode.
enable(2) indicates the privileged mode.
"
SYNTAX INTEGER {
login (1),
enable (2)
}
-- AAA Client MIB objects definitions
cacMIBObjects OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 1 }
-- The AAA Client MIB consists of the following groups
-- [1] AAA Client Priority Group (cacPriority)
-- [2] AAA Client Login Config Group (cacLoginConfig)
cacPriority OBJECT IDENTIFIER ::= { cacMIBObjects 1 }
cacLoginConfig OBJECT IDENTIFIER ::= { cacMIBObjects 2 }
--****************************************************************************
-- AAA Client Priority Group
--****************************************************************************
--
--
--
-- Priority Table
--
cacPriorityTable OBJECT-TYPE
SYNTAX SEQUENCE OF CacPriorityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains entries for AAA authentication
methods configured in the system. At startup, agent
set up all the entries of the table. All authentication
methods will be disabled except local authentication will
be enabled for each session type and login mode. Users
later can enable/disable a specific authentication method
through cacEnable object.
The following table describes the startup state of each
authentication method and session type in normal login
mode and enable login mode.
AuthenMethod Console Session Telnet Session Http Session
------------ ---------------- ---------------- ------------
tacacs disabled disabled disabled
radius disabled disabled disabled
kerberos disabled disabled disabled
local enabled(*) enabled(*) enabled(*)
(*) denotes primary method.
"
::= { cacPriority 1 }
cacPriorityEntry OBJECT-TYPE
SYNTAX CacPriorityEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the priority number of an authentication
method used in a session.
"
INDEX { cacSession, cacAuthen, cacLoginMode }
::= { cacPriorityTable 1 }
CacPriorityEntry ::=
SEQUENCE {
cacSession SessionType,
cacAuthen AuthenMethod,
cacLoginMode LoginMode,
cacEnable TruthValue,
cacPriorityNumber Integer32,
cacPrimaryMethod TruthValue
}
cacSession OBJECT-TYPE
SYNTAX SessionType
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is the session type used to connect to the network
device.
"
::= { cacPriorityEntry 1 }
cacAuthen OBJECT-TYPE
SYNTAX AuthenMethod
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is the authentication method used to authenticate
users.
"
::= { cacPriorityEntry 2 }
cacLoginMode OBJECT-TYPE
SYNTAX LoginMode
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is the login mode user used to login to the network
device.
"
::= { cacPriorityEntry 3 }
cacEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"It indicates whether the authentication method denoted by
cacAuthen is enabled or not.
When this object is true(1), the authentication method denoted
by cacAuthen is enabled.
When this object is false(2), the authentication method denoted
by cacAuthen is disabled.
If the value of cacAuthen is local, the value of this
object cannot be set to false(2).
"
::= { cacPriorityEntry 4 }
cacPriorityNumber OBJECT-TYPE
SYNTAX Integer32 (0..4)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This is the priority number of an authentication method to
be used in user authentication for a session. This value is
automatically assigned and reflects the relative priority
of the authentication method denoted by cacAuthen with
respected to already configured authentication methods.
It is assigned in the order in which the authentication
method is enabled by the user through cacEnable.
The higher value has the higher priority. This object
is used to determine the fallback order in case the
primary authentication method indicated by cacPrimaryMethod
failed.
If the authentication method denoted by cacAuthen is disabled
for the type of session denoted by cacSession, the value
of this object is equal to 0.
"
::= { cacPriorityEntry 5 }
cacPrimaryMethod OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"It indicates whether the authentication method denoted by
cacAuthen is the primary (first one to be tried) method
when there are multiple authentication method configured.
Setting this object to true(1) will make the authentication
method denoted by cacAuthen to be the primary authentication
method for the session denoted by cacSession. The previously
configured primary method will be changed to false(2).
Setting this object to false(2) is not allowed.
"
::= { cacPriorityEntry 6 }
-- -------------------------------------------------------------
-- AAA Client Login Config Group
-- -------------------------------------------------------------
cacLoginConfigTable OBJECT-TYPE
SYNTAX SEQUENCE OF CacLoginConfigEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table that contains login configuration
which is associated with this system.
"
::= { cacLoginConfig 1 }
cacLoginConfigEntry OBJECT-TYPE
SYNTAX CacLoginConfigEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing the configuration of the login.
"
INDEX { cacLoginMode, cacSession }
::= { cacLoginConfigTable 1 }
CacLoginConfigEntry ::=
SEQUENCE {
cacMaxLoginAttempt Integer32,
cacLockoutPeriod Integer32,
cacLockoutPeriodExt Integer32
}
cacMaxLoginAttempt OBJECT-TYPE
SYNTAX Integer32 (0|3..10)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates the maximum number of login attempts allowed.
Setting this variable to 0 will disable the attempt
limit checking.
If the login session type does not support this attempt
limit checking, the value of this object can only be set
to 0.
"
DEFVAL { 3 }
::= { cacLoginConfigEntry 1 }
cacLockoutPeriod OBJECT-TYPE
SYNTAX Integer32 (0|30..600)
UNITS "seconds"
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"Indicates the lockout period after the maximum number
of login attempt is met. For console, the console input
will be frozen during this period. For remote logins, the
connection will be closed and any subsequent access
from that station will be closed during the lockout time.
Setting this variable to 0 will disable the lockout.
If the login session type does not support this lockout
period, the value of this object can only be set to 0.
If the lockout period is greater than the maximum value
reportable by this object then this object should report
its maximum value (600) and cacLockoutPeriodExt must be
used to report the lockout period.
"
DEFVAL { 30 }
::= { cacLoginConfigEntry 2 }
cacLockoutPeriodExt OBJECT-TYPE
SYNTAX Integer32 (0|30..43200)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Specifies the lockout period after the maximum number
of login attempt is met. For console, the console input
will be frozen during this period. For remote logins, the
connection will be closed and any subsequent access
from that station will be closed during the lockout time.
Setting this variable to 0 will disable the lockout.
If the login session type does not support this lockout
period, the value of this object can only be set to 0.
"
DEFVAL { 30 }
::= { cacLoginConfigEntry 3 }
--****************************************************************************
-- Notifications
--****************************************************************************
cacMIBNotifications OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 2 }
cacMIBConformance OBJECT IDENTIFIER ::=
{ ciscoAAAClientMIB 3 }
cacMIBCompliances OBJECT IDENTIFIER ::=
{ cacMIBConformance 1 }
cacMIBGroups OBJECT IDENTIFIER ::=
{ cacMIBConformance 2 }
-- compliance statements
cacMIBCompliance MODULE-COMPLIANCE
STATUS deprecated
DESCRIPTION
"The compliance statement for entities which
implement the CISCO AAA Client MIB"
MODULE -- this module
MANDATORY-GROUPS
{
cacPriorityGroup,
cacLoginConfigGroup
}
::= { cacMIBCompliances 1 }
cacMIBCompliance2 MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for entities which
implement the CISCO AAA Client MIB"
MODULE -- this module
MANDATORY-GROUPS
{
cacPriorityGroup,
cacLoginConfigGroupRev1
}
::= { cacMIBCompliances 2 }
-- units of conformance
cacPriorityGroup OBJECT-GROUP
OBJECTS {
cacEnable,
cacPriorityNumber,
cacPrimaryMethod
}
STATUS current
DESCRIPTION
"A collection of objects providing the
AAA client priority information.
"
::= { cacMIBGroups 1 }
cacLoginConfigGroup OBJECT-GROUP
OBJECTS {
cacMaxLoginAttempt,
cacLockoutPeriod
}
STATUS deprecated
DESCRIPTION
"A collection of objects providing the
AAA client login configuration.
"
::= { cacMIBGroups 2 }
cacLoginConfigGroupRev1 OBJECT-GROUP
OBJECTS {
cacMaxLoginAttempt,
cacLockoutPeriodExt
}
STATUS current
DESCRIPTION
"A collection of objects providing the
AAA client login configuration.
"
::= { cacMIBGroups 3 }
END