module ieee802-dot1x { namespace "urn:ieee:std:802.1X:yang:ieee802-dot1x"; prefix "dot1x"; import ieee802-types { prefix "ieee"; } import ietf-yang-types { prefix "yang"; } import ietf-interfaces { prefix "if"; } import ietf-system { prefix "sys"; } import iana-if-type { prefix "ianaift"; } organization "Institute of Electrical and Electronics Engineers"; contact "WG-URL: http://grouper.ieee.org/groups/802/1/ WG-EMail: stds-802-1@ieee.org Contact: IEEE 802.1 Working Group Chair Postal: C/O IEEE 802.1 Working Group IEEE Standards Association 445 Hoes Lane P.O. Box 1331 Piscataway NJ 08855-1331 USA E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG"; description "Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports. 
The following control allows a port to be reinitialized, terminating (and potentially restarting) authentication exchanges and MKA operation, based on a data model described in a set of YANG modules."; revision 2017-10-15 { description "Updates based upon comment resolution on draft D1.1 of P802.1Xck."; reference "IEEE 802.1X-2010, Port-Based Network Access Control."; } /* ------------------------------------------ * List of features that may be optionally * implemented/supported * ------------------------------------------ */ feature pacp-eap-supplicant { description "This feature indicates that the device supports a PACP EAP Supplicant."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature pacp-eap-authenticator { description "This feature indicates that the device supports a PACP EAP Authenticator."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature mka { description "This feature indicates that the device supports MKA"; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature macsec { description "This feature indicates that the device supports MACsec on the Controlled Port."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature announcements { description "This feature indicates that the device supports the ability to send EAPOL announcements."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature listener { description "This feature indicates that the device supports the ability to use received EAPOL announcements."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature virtual-ports { description "This feature indicates that the device supports the virtual ports for a real port."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } feature in-service-upgrades { description "This feature indicates that the device supports MKA in-service upgrades."; reference "IEEE 802.1Xbx-2014 Clause 12.9.2"; } /* ---------------------------------------------- * Type definitions used by dot1X YANG module * ---------------------------------------------- */ typedef 
pae-system-ref { type leafref { path "/sys:system/dot1x:pae-system/dot1x:name"; } description "This type is used by data models that need to reference configured PAE systems."; } typedef pae-nid { type string { length "0..100"; } description "Network Identity, which is a UTF-8 string identifying a network or network service."; reference "IEEE 802.1X-2010 Clause 3, Clause 10.1, Clause 12.6"; } typedef pae-session-user-name { type string { length "0..253"; } description "Session user name, which is a utf8 string, representing the identity of the peer Supplicant."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } typedef pae-session-id { type string { length "3..253"; } description "Session Identifier, which is a utf8 string, uniquely identifying the session within the context of the PAEs system."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } typedef pae-nid-capabilities { type bits { bit eap { position 0; description "EAP"; } bit eapMka { position 1; description "EAP + MKA"; } bit eapMkaMacSec { position 2; description "EAP + MKA + MACsec"; } bit mka { position 3; description "MKA"; } bit mkaMacSec { position 4; description "MKA + MACsec"; } bit higherLayer { position 5; description "Higher Layer (WebAuth)"; } bit higherLayerFallback { position 6; description "Higher Layer Fallback (WebAuth)"; } bit vendorSpecific { position 7; description "Vendor specific authentication mechanisms"; } } description "Authentication and protection capabilities supported for the NID. Indicates the combinations of authentication and protection capabilities supported for a NID. 
Any set of these combinations can be supported."; reference "IEEE 802.1X-2010 Clause 10.1, Clause 11.12.3"; } typedef pae-access-status { type enumeration { enum no-access { description "Other than to authentication services, and to services announced as available in the absence of authentication (unauthenticated)."; } enum remedial-access { description "The access granted is severely limited, possibly to remedial services."; } enum restricted-access { description "The Controlled Port is operational, but restrictions have been applied by the network that can limit access to some resources."; } enum expected-access { description "The Controlled Port is operational, and access provided is as expected for successful authentication and authorization for the NID."; } } description "Indicates the transmitters Controlled Port operational status and current level of access resulting from authentication and the consequent authorization controls applied by that ports clients."; reference "IEEE 802.1X-2010 Clause 10.4, Clause 12.5"; } typedef mak-kn { type uint32; description "Indicates a Key Number (KN) used in MKA. It is assigned by the Key Server (sequentially beginning with 1)."; reference "IEEE 802.1X-2010 Clause 9.8, Clause 9.16"; } typedef mak-an { type uint32; description "A number that is concatenated with a MACsec Secure Channel Identifier to identify a Secure Association. Indicates an Association Number (AN) assigned by the Key Server for use with the key number for transmission."; reference "IEEE 802.1X-2010 Clause 9.8, Clause 9.16"; } typedef pae-ckn { type string { length "1..32"; } description "Indicates the CAK name to identify the Connectivity Association Key (CAK) which is the root key in the MACsec Key Agreement key hierarchy. All potential members of the CA use the same CKN."; reference "IEEE 802.1X-2010 Clause 9.3.1, Clause 6.2"; } typedef pae-kmd { type string { length "0..253"; } description "A Key Management Domain (KMD). 
A string of up to 253 UTF-8 characters that names the transmitting authenticators key management domain."; reference "IEEE Clause 12.6"; } typedef pae-auth-data { type string; description "Authorization data associated with the CAK."; reference "IEEE 802.1X-2010 Clause 9.16"; } typedef sci-list-entry { type string { length "8"; } description "8 octet string, where the first 6 octets represent the MAC Address (in canonical format), and the next 2 octets represent the Port Identifier."; reference "IEEE 802.1AE Clause 7.1.2, Clause 10.7.1"; } typedef pae-if-index { type int32 { range "1..2147483647"; } description "The interface index value represented by this interface."; } grouping nid-group { description "The PAE NID Group configuration and operational information."; list pae-nid-group { key "nid"; description "A list that contains the configuration and operational nodes for the network announcement information for the Logon Process."; leaf nid { type pae-nid; description "Identification of the network or network service."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf use-eap { type enumeration { enum never { description "Never."; } enum immediate { description "Immediately, concurrently with the use of MKA with any cached CAK(s)."; } enum mka-fail { description "Not until MKA has failed, if a prior CAK has been cached."; } } default "immediate"; description "Determines when the Logon Process will initiate EAP, if the Supplicant and or Authenticator are enabled, and takes one of the above values."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf unauth-allowed { type enumeration { enum never { description "Never."; } enum immediate { description "Immediately, independently of any current or future attempts to authenticate using the PAE or MKA."; } enum auth-fail { description "Not until an attempt has been made to authenticate using EAP, unless neither the supplicant nor the authenticator is enabled, and MKA has attempted to use any cached CAK (unless the 
KaY is not enabled)."; } } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide unauthenticated connectivity, and takes one of the above values."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf unsecure-allowed { type enumeration { enum never { description "Never."; } enum immediate { description "Immediately, to provide connectivity concurrently with the use of MKA with any CAK acquired through EAP."; } enum mka-fail { description "Not until MKA has failed, or is not enabled."; } enum mka-server { description "Only if directed by the MKA server."; } } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide authenticated but unsecured connectivity, takes one of the above values."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf unauthenticated-access { type enumeration { enum no-access { description "Other than to authentication services."; } enum fallback-access { description "Limited access can be provided after authentication failure."; } enum limited-access { description "Immediate limited access is available without authentication."; } enum open-access { description "Immediate access is available without authentication."; } } default "no-access"; description "Unauthenticated access capabilities provided by the NID."; reference "IEEE 802.1X-2010 Clause 10.1"; } leaf access-capabilities { type pae-nid-capabilities; description "Authentication and protection capabilities supported for the NID."; reference "IEEE 802.1X-2010 Clause 10.1"; } leaf kmd { type pae-kmd; config false; description "The Key Management Domain for the NID."; reference "IEEE 802.1X-2010 Clause 10.4"; } } } grouping port-capabilities { description "Per port PAE feature capabilities."; leaf supp { type boolean; description "Indicates if PACP EAP Supplicant is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf auth { type boolean; description "Indicates if PACP EAP 
Authenticator is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf mka { type boolean; description "Indicates if MKA is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf macsec { type boolean; description "Indicates if MACsec on the Controlled port is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf announcements { type boolean; description "Indicates if the ability to send EAPOL announcements is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf listener { type boolean; description "Indicates if the ability to use received EAPOL announcements is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf virtual-ports { type boolean; description "Indicates if virtual ports for a real port is supported."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf in-service-upgrades { type boolean; description "Indicates if MKA in-service upgrades is supported."; reference "IEEE 802.1Xbx-2014 Clause 12.9.2"; } } /* --------------------------------------------------- * Configuration objects used by 802.1X YANG module * --------------------------------------------------- */ augment "/sys:system" { description "Augment system with 802.1X PAE System specific configuration nodes."; container pae-system { description "Contains all 802.1X PAE System specific related configuration and operational data."; leaf name { type string; description "The name which uniquely identifies the PAE System."; } leaf system-access-control { type enumeration { enum disabled { description "Deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation."; } enum enabled { description "Enables PAE system access control."; } } description "Setting this control to disabled deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation. 
Each real port PAE behaves as if enabledVirtualPorts was clear, the PAEs Supplicant, Authenticator, and KaY as if their enabled controls were clear, and Logon Process(es) as if unauthAllowed was Immediate. Announcements can be transmitted (subject to other controls), both periodically and in response to announcement requests (conveyed by EAPOL-Starts or EAPOL-Announcement-Reqs) but are sent with a single NID Set, with a null NID, and the Access Information TLV (and no other) with a pae-access-status of No Access, accessRequested false, OpenAccess, and no accessCapabilities. The control variable settings for each real port PAE are unaffected, and will be used once systemAccessControl is set to enabled."; reference "IEEE 802.1X-2010 Clause 12.9.1"; } leaf system-announcements { type enumeration { enum disabled { description "Causes each PAE to behave as if enabled were clear for the PAEs Announcement functionality."; } enum enabled { description "Enables PAE system announcements."; } } description "Setting this control to Disabled causes each PAE to behave as if enabled were clear for the PAE's Announcement functionality. 
The independent controls for each PAE apply if systemAnnouncements is Enabled."; reference "IEEE 802.1X-2010 Clause 12.9.1"; } leaf eapol-protocol-version { type uint32; config false; description "The EAPOL protocol version for this system."; reference "IEEE 802.1X-2010 Clause 12.9.1, Clause 11.3"; } leaf mka-version { type uint32; config false; description "The MKA protocol version for this system."; reference "IEEE 802.1X-2010 Clause 12.9.1, Clause 11.3"; } leaf-list pae { type if:interface-ref; config false; description "List of PAE references."; } } } /* * Port Authentication Entity (PAE) Nodes */ augment "/if:interfaces/if:interface" { when "if:type = 'ianaift:ethernetCsmacd' or if:type = 'ianaift:ilan' or if:type = 'ianaift:macSecControlledIF' or if:type = 'ianaift:ptm'" { description "Applies to the Controlled Port of SecY or PAC shim or Ethernet related Interface."; } description "Augment interface model with PAE configuration and operational nodes."; reference "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2010 Clause 6.5 and Clause 13.3.2"; container pae { description "Contains PAE configuration and operational related nodes."; leaf pae-system { type dot1x:pae-system-ref; description "The PAE system that this PAE is a member of."; } leaf vp-enable { when "../port-type = 'real-port' and ../port-capabilities/virtual-ports = 'true'" { description "Applies when port is Real Port and virtual port capabilities are supported."; } type boolean; default "false"; description "A real ports PAE may be configured to create virtual ports to support multi-access LANs provided that MKA and MACsec operation is enabled for that port."; reference "IEEE 802.1X-2010 Clause 12.7"; } container port-capabilities { description "Per port PAE feature capabilities."; uses port-capabilities; } leaf port-name { type if:interface-ref; config false; description "Each PAE is uniquely identified by a port name."; } leaf port-number { type pae-if-index; config false; description "Each PAE is 
uniquely identified by a port number. The port number used is unique amongst all port names for the system, and directly or indirectly identifies the Uncontrolled Port that supports the PAE. If the PAE has been dynamically instantiated to support an existing or potential virtual port, this portNumber, the uncontrolledPortNumber and the controlledPortNumber are allocated by the real ports PAE, and this portNumber is the uncontrolledPortNumber. If the PAE supports a real port, this portNumber is the commonPortNumber for the associated PAC or SecY."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf controlled-port-name { type if:interface-ref; config false; description "Each PAE is uniquely identified by a port name."; } leaf controlled-port-number { type pae-if-index; config false; description "The port for the associated PAC or SecYs Controlled Port."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf uncontrolled-port-name { type if:interface-ref; config false; description "The uncontrolled port name reference."; } leaf uncontrolled-port-number { type pae-if-index; config false; description "The port for the associated PAC or SecYs Uncontrolled Port."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf common-port-name { type if:interface-ref; config false; description "The common port name reference."; } leaf common-port-number { type pae-if-index; config false; description "The port for the associated PAC or SecYs Common Port. 
All the virtual ports created for a given real port share the same Common Port and commonPortNumber."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf port-type { type enumeration { enum real-port { description "Real Port type."; } enum virtual-port { description "Virtual Port type."; } } //config false; description "The port type of the PAE."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } container virtual-port { when "../port-capabilities/virtual-ports = 'true'" { description "Applies when the virtual ports port capability is supported."; } config false; description "Contains Virtual Port operational state information."; leaf max { when "../../port-type = 'real-port'" { description "Applies when Port is a Real Port."; } type uint32; description "The guaranteed maximum number of virtual ports."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf current { when "../../port-type = 'real-port'" { description "Applies when Port is a Real Port."; } type yang:gauge32; description "The current number of virtual ports."; reference "IEEE 802.1X-2010 Clause 12.9.2"; } leaf start { when "../../port-type = 'virtual-port'" { description "Applies when Port is a Virtual Port."; } type uint32; description "Set if the virtual port was created by receipt of an EAPOL-Start frame."; reference "IEEE 802.1X-2010 Clause 12.9.7"; } leaf peer-address { when "../../port-type = 'virtual-port'" { description "Applies when Port is a Virtual Port."; } type ieee:mac-address; description "The source MAC Address of the EAPOL-Start (if vpStart is set)."; reference "IEEE 802.1X-2010 Clause 12.9.7"; } } container supplicant { when "../port-type = 'real-port' and ../port-capabilities/supp = 'true' and ../port-capabilities/auth = 'false'" { description "Applies to Real Ports and when the Authenticator is disabled and supplicant port capabilities are supported."; } description "Contains the configuration nodes for the Supplicant PAE associated with each port."; leaf held-period { type uint16; units 
seconds; default "60"; description "The initial value of the timer used to impose a wait period after a failed authentication attempt, before another attempt is permitted."; reference "IEEE 802.1X-2010 Clause 8.6"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; reference "IEEE 802.1X-2010 Clause 8.7"; } leaf enabled { type boolean; config false; description "Set by PACP if the PAE can provide authentication. Will be FALSE if the Port is not enabled, if the functionality provided by the PAE is not available, or not implemented, or the control variable enable has been cleared by management, e.g. because the application scenario authenticates a user and there is no user logged on."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf authenticate { type boolean; config false; description "Set by the PAE client to request authentication, and allows reauthentication while set. Cleared by the client to revoke authentication. To enable authentication the client also needs to clear failed (if set)."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf authenticated { type boolean; config false; description "Set by PACP if the PAE is currently authenticated, and cleared if the authentication fails or is revoked."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf failed { type boolean; config false; description "Set by PACP if the authentication has failed or has been terminated. The cause could be a Fail returned by EAP, either immediately or following a reauthentication, an excessive number of attempts to authenticate (either immediately or upon reauthentication), or the client deasserting authenticate. The PACP will clear authenticated as well as setting failed. 
Any ongoing authentication exchange will be terminated (by the state machines) if enable becomes FALSE and enabled will be cleared, but failed will not be set."; reference "IEEE 802.1X-2010 Clause 8.4"; } } container authenticator { when "../port-capabilities/supp = 'false' and ../port-capabilities/auth = 'true'" { description "Applies when the Supplicant is disabled and Authenticator is supported."; } description "Contains configuration nodes for the Authenticator PAE associated with each port."; leaf quiet-period { type uint16; units seconds; default "60"; description "Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client."; reference "IEEE 802.1X-2010 Clause 8.6, Figure 12-3"; } leaf reauth-period { type uint16; units seconds; default "3600"; description "This object indicates the time period of the reauthentication to the supplicant."; reference "IEEE 802.1X-2010 Clause 8.6, Figure 12-3"; } leaf reauth-enable { type boolean; default "false"; description "Indicates whether re-authentication is enabled."; reference "IEEE 802.1X Clause 5.8c and 8.9"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; reference "IEEE 802.1X-2010 Clause 8.9"; } leaf enabled { type boolean; config false; description "Set by PACP if the PAE can provide authentication. Will be FALSE if the Port is not enabled, if the functionality provided by the PAE is not available, or not implemented, or the control variable enable has been cleared by management, e.g. because the application scenario authenticates a user and there is no user logged on."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf authenticate { type boolean; config false; description "Set by the PAE client to request authentication, and allows reauthentication while set. Cleared by the client to revoke authentication. 
To enable authentication the client also needs to clear failed (if set)."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf authenticated { type boolean; config false; description "Set by PACP if the PAE is currently authenticated, and cleared if the authentication fails or is revoked."; reference "IEEE 802.1X-2010 Clause 8.4"; } leaf failed { type boolean; config false; description "Set by PACP if the authentication has failed or has been terminated. The cause could be a Fail returned by EAP, either immediately or following a reauthentication, an excessive number of attempts to authenticate (either immediately or upon reauthentication), or the client deasserting authenticate. The PACP will clear authenticated as well as setting failed. Any ongoing authentication exchange will be terminated (by the state machines) if enable becomes FALSE and enabled will be cleared, but failed will not be set."; reference "IEEE 802.1X-2010 Clause 8.4"; } } container kay { when "../port-capabilities/mka = 'true'" { description "Applies when the MKA port capability is supported."; } description "Contains configuration system level information for each Interface supported by the KaY (Key Agreement Entity)."; leaf enable { type boolean; default "false"; description "Set by management to enable (clear to disable) the use of MKA."; reference "IEEE 802.1X-2010 Clause 9.16"; } container actor { description "Contains configuration and operational nodes associated with the actor"; leaf priority { type uint8; description "The Key Server Priority for all the ports actors."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf sci { type sci-list-entry; config false; description "The SCI assigned by the system to the port (applies to all the ports actors)."; reference "IEEE 802.1X-2010 Clause 9.16"; } } container key-server { description "Contains configuration and operational nodes associated with the key server."; leaf priority { type uint8; description "The Key Server Priority for the Key Server 
for the principal actor. Matches the actorPriority if the actor is the Key Server"; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf sci { type sci-list-entry; config false; description "The SCI for Key Server for the principal actor. Null if there is no principal actor, or that actor has no live peers. Matches the actorSCI if the actor is the Key Server."; reference "IEEE 802.1X-2010 Clause 9.16"; } } container group { description "Contains configuration nodes associated with the group."; leaf join { type boolean; default "true"; description "Set if the KaY will accept Group CAKs distributed by MKA."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf form { type boolean; default "false"; description "Set if the KaY will attempt to use point-to-point CAs to distribute a Group CAK, if its principal actor is the Key Server for all the point-to-point CAs."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf new { type boolean; default "false"; description "Set by management if a new Group CAK is to be distributed, if the principal actor is the Key Server for all point-to-point CAs. 
Cleared by the KaY when distribution is complete."; reference "IEEE 802.1X-2010 Clause 9.16"; } } container macsec { when "../../port-capabilities/macsec = 'true'" { description "Applies when the MACsec port capability is supported."; } description "Contains configuration and operational nodes associated with macsec."; leaf capable { type boolean; description "Set for the port and applicable to all actors, by management."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf desired { type boolean; default "true"; description "Set for the port and applicable to all actors, by management."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf protect { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf validate { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf replay-protect { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2010 Clause 9.16"; } } leaf suspend-on-request { type boolean; default "true"; description "Set by management to allow the KaYs principal actor to initiate a suspension if it is the Key Server and another participant has requested a suspension."; } leaf suspend-for { type uint8; default "0"; description "Set by management to a non-zero number of seconds between 1 and MKA Suspension Limit to initiate a suspension (9.18) of that duration (if the KaYs principal actor is the Key Server) or to request a suspension (otherwise)."; reference "IEEE 802.1X-2010 Clause 9.18"; } leaf suspended-while { type uint8; config false; description "Read by management to determine if a suspension is in progress and (when available) to discover the remaining duration of that suspension"; reference "IEEE 802.1X-2010 Clause 9.18"; } leaf active { type boolean; config false; description "Set if there is at least one active actor, transmitting MKPDUs."; 
reference "IEEE 802.1X-2010 Clause 9.16"; } leaf authenticated { type boolean; config false; description "Set if the principal actor, i.e. the participant that has the highest priority Key Server and one or more live peers, has determined that Controlled Port communication should proceed without MACsec."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf secured { type boolean; config false; description "Set if the principal actor has determined that communication should use MACsec."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf failed { type boolean; config false; description "Cleared when authenticated or secured are set, set if the latter are clear and MKA Life Time has elapsed since an MKA participant was last created."; reference "IEEE 802.1X-2010 Clause 9.16"; } container key-number { config false; description "Contains operation state nodes for Key Numbers."; leaf tx { type mak-kn; description "The Key Number assigned by the Key Server to the SAK currently being used for transmission. Null if MACsec is not being used."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf rx { type mak-kn; description "The Key Number assigned by the Key Server to the oldest SAK currently being used for reception. The same as txKN if a single SAK is currently in use (as will most often be the case). Null if MACsec is not being used."; reference "IEEE 802.1X-2010 Clause 9.16"; } } container association-number { config false; description "Contains operation state nodes for Association Numbers."; leaf tx { type mak-an; description "The Association Number assigned by the Key Server for use with txKN. Zero if MACsec is not in use."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf rx { type mak-an; description "The Association Number assigned by the Key Server for use with rxKN. The same as txAN if a single SAK is currently in use. 
Zero if MACsec is not in use."; reference "IEEE 802.1X-2010 Clause 9.16"; } } list participants { key "participant"; description "Contains list of configuration and operational nodes for each MKA participant supported by the KaY MKA entity."; leaf participant { type uint32; description "Key into Participants list."; } leaf cached { type boolean; description "Set by the KaY if the participants parameters are cached. If set, cached can be cleared by management to remove the participant from the cache."; } leaf active { type boolean; default "false"; description "Set if the participant is active, i.e., is currently transmitting periodic MKPDUs."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf retain { type boolean; default "false"; description "Set by management to retain the participant in the cache, even if the KaY would normally remove it (due to lack of use for example)."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf activate { type enumeration { enum default { description "The participant is from cached entries created by the KaY as part of normal operation, without explicit management, and is activated according to the implementation dependent policies of the KaY."; } enum disabled { description "The participant allows the cache information to be retained, but disabled for indefinite period."; } enum on-oper-up { description "Causing the participant to be activated when the PAEs part is activated, and therefore when the SecY or PACs Common Port becomes operational."; } enum always { description "Causing the participant to remain active all the time, even in the continued absence of partners."; } } default "default"; description "Controls when the participant is activated. Cached entries created by the KaY as part of normal operation, without explicit management, have the value Default, and are activated according to the implementation dependent policies of the KaY. This variable can be set to any of its values by management. 
Disabled allows the cache entry to be retained, but disabled for an indefinite period. OnOperUp causes the participant to be activated when the PAEs port (and therefore when the SecY or PACs Common Port becomes MAC_Operational). Always causes the participant to remain active all the time, even in the continued absence of partners. If the value is changed to Disabled or OnOperUp, the participant ceases operation immediately and receipt of MKPDUs with a matching CKN during a subsequent period of twice MKA Life Time will not cause the participant to become active once more."; reference "IEEE 802.1X-2010 Clause 9.16"; } container peers { config false; description "Contains operational state nodes associated with the Peers."; leaf-list live { type sci-list-entry; description "A list of the SCIs of the participants live peers."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf-list potential { type sci-list-entry; description "A list of the SCIs of the participants potential peers."; reference "IEEE 802.1X-2010 Clause 9.16"; } } leaf ckn { type pae-ckn; config false; description "The secure Connectivity Association Key Name for the participant."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf kmd { type pae-kmd; config false; description "The Key Management Domain for the participant."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf nid { type pae-nid; config false; description "The NID for the participant."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf auth-data { type pae-auth-data; config false; description "Authorization data associated with the secure Connectivity Association Key."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf principal { type boolean; config false; description "Set if the participant is currently the principal actor."; reference "IEEE 802.1X-2010 Clause 9.16"; } leaf dist-ckn { type pae-ckn; config false; description "The CKN for the last CAK distributed (either by the actor or one of its partners). 
Null if this participant has not been used to distribute a CAK."; reference "IEEE 802.1X-2010 Clause 9.16"; } } } container logon-nid { description "Contains the configuration and operational related NID information for the Logon Process. The Logon Process may use Network Identifiers (NIDs) to manage its use of authentication credentials, cached CAKs, and announcements."; leaf selected { type pae-nid; description "The NID currently configured for use by an access controlled port when transmitting EAPOL-Start frames. Defaults to the null NID."; reference "IEEE 802.1X-2010 Clause 12.5"; } uses nid-group; leaf connected { type pae-nid; config false; description "The NID associated with the current connectivity (possibly unauthenticated) provided by the operation of the CP state machine."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf requested { type pae-nid; config false; description "The NID marked as Access requested in announcements, as determined from EAPOL-Start frames. Defaults to the selectedNID."; reference "IEEE 802.1X-2010 Clause 12.5"; } } container announcer { when "../port-capabilities/announcements = 'true'" { description "Applies when the Announcements port capabilities are supported."; } description "Contains the configuration related Announcer information."; leaf enable { type boolean; default "false"; description "A boolean indicating if the announcer is enabled or not."; reference "IEEE 802.1X-2010 Clause 10.4"; } list announce { key "announces"; description "Contains the configuration related status information that the Announcers announce in the network announcement of the PAE system."; leaf announces { type uint32; description "Key into Announce list."; } uses nid-group; leaf nid { type pae-nid; config false; description "The NID information to identify a received network announcement for the PAE."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf access-status { type pae-access-status; config false; description "Access Status reflects 
connectivity as a result of authentication attempts, and might be set directly by the system or configured by AAA protocols."; reference "IEEE 802.1X-2010 Clause 10.4, Clause 12.5"; } } } container listener { when "../port-capabilities/listener = 'true'" { description "Applies when the Listener port capability is supported."; } description "Contains the configuration and operational Listener node related information."; leaf enable { type boolean; default "false"; description "A boolean indicating if the listener is enabled or not."; reference "IEEE 802.1X-2010 Clause 10.4"; } list announcement { key "announcements"; config false; description "A list containing the operational status information that the Listeners receive in the network announcement of the PAE system."; leaf announcements { type uint32; description "The key into the list of Announce nodes."; } leaf nid { type pae-nid; description "The NID information to identify a received network announcement for the PAE."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf kmd { type pae-kmd; description "The KMD information for this received network announcement of the PAE."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf specific { type boolean; description "This object indicates the received announcement information was specific to the receiving PAE, not generic for all systems attached to the LAN."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf access-status { type pae-access-status; description "The object information reflects connectivity as a result of authentication attempts for this received network announcement of the PAE."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf requested-nid { type boolean; description "The authenticated access has been requested for this particular NID or not."; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf unauthenticated-access { type pae-access-status; description "The access capability of the ports clients without authentication in this received network 
announcement of the PAE"; reference "IEEE 802.1X-2010 Clause 10.4"; } leaf access-capabilities { type pae-nid-capabilities; description "The authentication and protection capabilities supported for the NID."; reference "IEEE 802.1X-2010 Clause 10.4"; } list cipher-suites { key "index"; description "A table containing the Cipher Suites information that the Listeners receive in the network announcement of the PAE system."; reference "IEEE 802.1X-2010 Clause 10.4"; leaf index { type uint16; description "Key into cipher suite entry."; } leaf cipherSuite { type string; description "Cipher Suite identifier."; } leaf cipherSuiteCapability { type uint32; description "Cipher Suite capability."; } } } } container eapol-statistics { config false; description "Contains operational EAPOL statistics."; leaf invalid-eapol-frame-rx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of invalid EAPOL frames of any type that have been received by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eap-length-error-frames { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL frames whose Packet Body Length does not match the Packet Body contained within the octets of the received EAPOL MPDU in this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-announcements-rx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-Announcement frames that have been received by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-announce-reqs-rx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-Announcement-Req frames that have been received by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } 
leaf eapol-port-unavailable { when "../../port-type = 'real-port' and ../../port-capabilities/virtual-ports = 'true'" { description "Applies when port is Real Port and when the virtual ports capability is supported."; } type yang:counter32; description "The number of EAPOL frames that are discarded because their processing would require the creation of a virtual port, for which there are inadequate or constrained resources, or an existing virtual port and no such port currently exists. If virtual port is not supported, this object should be always 0."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-start-frames-rx { type yang:counter32; description "The number of EAPOL-Start frames that have been received by this PAE"; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-eap-frames-rx { type yang:counter32; description "The number of EAPOL-EAP frames that have been received by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-logoff-frames-rx { type yang:counter32; description "The number of EAPOL-Logoff frames that have been received by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-mk-no-cfn { type yang:counter32; description "The number of MKPDUs received with MKA not enabled or CKN not recognized in this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf eapol-mk-invalid-frames-rx { type yang:counter32; description "The number of MKPDUs failing in message authentication on receipt process in this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.1"; } leaf last-eapol-frame-source { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type ieee:mac-address; description "The source MAC address of last received EAPOL frame by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.2"; } leaf last-eapol-frame-version { type yang:counter32; description "The version of last received EAPOL frame by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.2"; } leaf 
eapol-supp-eap-frames-tx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-EAP frames that have been transmitted by the supplicant of this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-logoff-frames-tx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-Logoff frames that have been transmitted by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-announcements-tx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-Announcement frames that have been transmitted by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-announce-reqs-tx { when "../../port-type = 'real-port'" { description "Applies when port is Real Port."; } type yang:counter32; description "The number of EAPOL-Announcement-Req frames that have been transmitted by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-start-frames-tx { type yang:counter32; description "The number of EAPOL-Start frames that have been transmitted by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-auth-eap-frames-tx { type yang:counter32; description "The number of EAPOL-EAP frames that have been transmitted by the authenticator of this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } leaf eapol-mka-frames-tx { type yang:counter32; description "The number of EAPOL-MKA frames with no CKN information that have been transmitted by this PAE."; reference "IEEE 802.1X-2010 Clause 12.8.3"; } } container logon-process { description "Contains configuration and operational system level information for each port to support the Logon Process(es) status information."; leaf logon { type boolean; default "false"; description "A boolean indicating if the logon-process is enabled 
or not."; reference "IEEE 802.1X-2010 Clause 12.5"; } leaf connect { type enumeration { enum pending { description "Prevent connectivity by clearing the controlledPortEnabled parameter."; } enum unauthenticated { description "Provide unsecured connectivity, setting controlledPortEnabled."; } enum authenticated { description "Provide unsecured connectivity, setting controlledPortEnabled."; } enum secure { description "Provide secure connectivity, using SAKs provided by the KaY (when available) and setting controlledPortEnabled when those keys are installed and in use, as specified in detail by the CP state machine."; } enum authorization-data { description "Authorization data to be made available to the client of the Controlled Port if connect is Authenticated."; } } config false; description "The Logon Process sets this variable to one of the above values."; reference "IEEE 802.1X-2010 Clause 12.3"; } leaf port-valid { type boolean; config false; description "Set if Controlled Port communication is secured as specified by the MACsec control macsecProtect."; reference "IEEE 802.1X-2010 Clause 12.3"; } list session-statistics { key "session-id"; config false; description "Contains operational state nodes associated with the session statistics."; leaf session-id { type pae-session-id; description "Key into list of session statistics."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf user-name { type pae-session-user-name; description "User name of the session."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf octets-rx { type yang:counter64; description "The number of octets received in this session of this PAE."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf octets-tx { type yang:counter64; description "The number of octets transmitted in this session of this PAE."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf frames-rx { type yang:counter64; description "The number of packets received in this session of this PAE."; reference "IEEE 802.1X-2010 Clause 
12.5.1"; } leaf frames-tx { type yang:counter64; description "The number of packets transmitted in this session of this PAE."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf time { type yang:timeticks; description "Session Time. The duration of the session in seconds. Note that the yang:timeticks type is defined in hundredths of a second; confirm which unit an implementation actually reports before using this value for session accounting or timeline reconstruction."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } leaf terminate-cause { type enumeration { enum common_port_MAC_operatonal_false { description "Common Port for this PAE is not operational."; } enum system_access_control_disabled { description "The system-access-control node of the pae-system is disabled, or the initialization process of this PAE has been invoked."; } enum eapol_logoff_rx { description "The PAE has received an EAPOL-Logoff frame."; } enum eap_reauthentication_failure { description "EAP reauthentication has failed."; } enum mak-failure_termination { description "MKA failure or other MKA termination."; } enum new_session-beginning { description "New session beginning."; } enum not_terminated_yet { description "Not Terminated Yet."; } } description "The reason for the session termination."; reference "IEEE 802.1X-2010 Clause 12.5.1"; } } } } } container nid-group { description "Contains both configuration and operational state nodes associated with the PAE NID group."; uses nid-group; } }