module dot1X { namespace "ieee:ns:yang:ieee-port-dot1x"; prefix "dot1x"; import ieee-types { prefix "ieee"; } import ietf-yang-types { prefix "yang"; } import ietf-interfaces { prefix "if"; } import iana-if-type { prefix "ianif"; } organization "Institute of Electrical and Electronics Engineers"; contact "Web URL: http://ieee.org/ E-mail: corporate-communications@ieee.org Postal: U.S.A. Phone: +1 732-563-6820 Fax: +1 732-981-9511"; description "Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports. The following control allows a port to be reinitialized, terminating (and potentially restarting) authentication exchanges and MKA operation, based on a data model described in a set of YANG modules."; revision "2015-07-06" { description "Initial Version."; reference "IEEE 802.1X-2010, Port-Based Network Access Control."; } /* ---------------------------------------------- * Type definitions used by dot1X YANG module * ---------------------------------------------- */ typedef nidType { type string { // Need to confirm this. length "0..100"; } } typedef sessionUserNameType { description "utf8 definition"; type string { length "0..253"; } } typedef sessionIdType { description "utf8 definition"; type string { length "3..253"; } } typedef accessCapabilitiesType { type bits { bit eap { position 0; } bit mka { position 1; } bit macsec { position 2; } bit higher-layer { position 3; } bit higher-layer-fallback { position 4; } bit vendor-specific { position 5; } } } typedef portNumberType { type uint16; } typedef keyNumberType { type uint32; } typedef associationNumberType { type uint16; } typedef sciListType { // To be defined. type uint16; } typedef cknType { // To be defined. type uint16; } typedef kmdType { // To be defined. type uint16; } typedef authType { // To be defined. type uint16; } typedef cipherSuitesType { // Structure to be defined. type uint16; } grouping nidGroup { list paeNidGroup { key "nids"; leaf nids { type sessionUserNameType; } leaf use-eap { type enumeration { enum never; enum immediate; enum mka-fail; } default "immediate"; description "Determines when the Logon Process will initiate EAP, if the Supplicant and or Authenticator are enabled."; } leaf unauth-allowed { type enumeration { enum never; enum immediate; enum auth-fail; } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide unauthenticated connectivity."; } leaf unsecure-allowed { type enumeration { enum never; enum immediate; enum mka-fail; enum mka-server; } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide authenticated but unsecured connectivity."; } leaf unauthenticated-access { type enumeration { enum no-access; enum fallback-access; enum limited-access; enum open-access; } default "no-access"; } leaf access-capabilities { type accessCapabilitiesType; description "Authentication mechanisms."; } } } grouping nidGroupState { list paeNidGroupState { key "nids"; leaf nids { type sessionUserNameType; } leaf kmd { type kmdType; } leaf nid { type nidType; } } } /* --------------------------------------------------------------- * List of features taht may be optionally implemented/supported * --------------------------------------------------------------- */ feature pacp-eap-supplicant { description "This feature indicates that the device supports a PACP EAP Supplicant."; } feature pacp-eap-authenticator { description "This feature indicates that the device supports a PACP EAP Authenticator."; } feature mka { description "This feature indicates that the device supports MKA"; } feature macsec { description "This feature indicates that the device supports MACsec on the Controlled Port."; } feature announcements { description "This feature indicates that the device supports the ability to send EAPOL announcements."; } feature listener { description "This feature indicates that the device supports the ability to use receive EAPOL announcements."; } feature virtual-ports { description "This feature indicates that the device supports the virtual ports for a real port."; } feature in-service-upgrades { description "This feature indicates that the device supports MKA in-service upgrades."; } /* --------------------------------------------------- * Configuration objects used by 802.1X YANG module * --------------------------------------------------- */ container pae-system { leaf system-access-control { type enumeration { enum disabled; enum enabled; } description "Setting this control to 'disabled' deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation. Each real port PAE behaves as if enabledVirtualPorts was clear, the PAEs Supplicant, Authenticator, and KaY as if their enabled controls were clear, and Logon Process(es) as if unauthAllowed was Immediate. Announcements can be transmitted (subject to other controls), both periodically and in response to announcement requests (conveyed by EAPOL-Starts or EAPOL-Announcement-Reqs) but are sent with a single NID Set, with a null NID, and the Access Information TLV (and no other) with an accessStatus of No Access, accessRequested false, OpenAccess, and no accessCapabilities. The control variable settings for each real port PAE are unaffected, and will be used once systemAccessControl is set to 'enabled'"; } leaf system-announcements { type enumeration { enum disabled; enum enabled; } description "Setting this control to Disabled causes each PAE to behave as if enabled were clear for the PAE's Announcement functionality. The independent controls for each PAE apply if systemAnnouncements is Enabled."; } leaf eapol-protocol-version { type uint32; description "The EAPOL protocol version for this system."; } leaf mka-version { type uint32; description "The MKA protocol version for this system."; } } /* * Port Authentication Entity (PAE) Object */ augment "/if:interfaces/if:interface" { //when "if:type = 'ianaif:macSecControlledIF'"; leaf vp-enable { when "dot1x:port-type = 'dot1x:real-port'"; type boolean; description "A real port's PAE may be configured to create virtual ports to support mlti-access LANs provided that MKA and MACsec operation is enabled for that port."; } container supplicant { // NOTE: Suppplicant only applicable to RealPort types. leaf held-period { type uint16; units seconds; default "60"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; } } container authenticator { leaf quiet-period { type uint16; units seconds; default "60"; description "Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client"; reference "IEEE 802.1X Clause 8.6, Figure 12-3"; } leaf reauth-period { type uint16; units seconds; default "3600"; description "This object indicates the time period of the reauthentication to the supplicant."; reference "IEEE 802.1X Clause 8.6, Figure 12-3"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; } } container kay { leaf enable { type boolean; default "false"; } container actor { leaf priority { type uint8; default "0"; } } container key-server { leaf priority { type uint8; default "0"; } } container group { leaf join { type boolean; default "false"; } leaf form { type boolean; default "false"; } leaf new { type boolean; default "false"; } } container macsec { leaf capable { type boolean; default "false"; } leaf desired { type boolean; default "false"; } } leaf suspend-on-request { type boolean; default "false"; } leaf suspend-for { type uint8; default "0"; } leaf suspend-while { type uint8; default "0"; } list participants { key "participant"; leaf participant { type uint16; } leaf cached { type boolean; default "false"; } leaf active { type boolean; default "false"; } leaf retain { type boolean; default "false"; } leaf activate { type enumeration { enum principal; enum livePeers; enum potential-peers; enum distCKN; } default "principal"; } } } container logon-nid { leaf selected { type nidType; } uses nidGroup; } container announcer { leaf enable { type boolean; default "false"; } list announce { key "announces"; leaf announces { type uint16; } uses nidGroup; } } container listener { leaf enable { type boolean; default "false"; } } container logon-process { leaf logon { type boolean; default "false"; } } } augment "/if:interfaces-state/if:interface" { //when "if:type = 'ianaift:macSecControlledIF'"; leaf port-number { type portNumberType; } leaf controlled-port-number { type portNumberType; } leaf uncontrolled-port-number { type portNumberType; } leaf common-port-number { type portNumberType; } leaf port-type { description "The port type of the PAE."; type enumeration { enum real-port; enum virtual-port; } } container virtual-port { leaf max { when "dot1x:port-type = 'dot1x:real-port'"; type uint32; } leaf current { when "dot1x:port-type = 'dot1x:real-port'"; type yang:gauge32; } leaf start { when "dot1x:port-type = 'dot1x:virtual-port'"; type uint32; } leaf peer-address { when "dot1x:port-type = 'dot1x:virtual-port'"; type ieee:mac-address; } } container supplicant { // NOTE: Suppplicant only applicable to RealPort types. leaf enabled { type boolean; } leaf authenticate { type boolean; } leaf authenticated { type boolean; } leaf failed { type boolean; } } container authenticator { leaf enabled { type boolean; } leaf authenticate { type boolean; } leaf authenticated { type boolean; } leaf failed { type boolean; } } container kay { container actor { container sci { leaf mac-address { type ieee:mac-address; } leaf port-id { type portNumberType; } } } container key-server { container sci { leaf mac-address { type ieee:mac-address; } leaf port-id { type portNumberType; } } } container macsec { leaf protect { type boolean; } leaf validate { type boolean; } leaf replay-protect { type boolean; } } leaf active { type boolean; } leaf authenticated { type boolean; } leaf secured { type boolean; } leaf failed { type boolean; } container keyNumber { leaf tx { type keyNumberType; } leaf rx { type keyNumberType; } } container associationNumber { leaf tx { type associationNumberType; } leaf rx { type associationNumberType; } } list participant { key "participants"; leaf participants { type uint16; } container peers { leaf live { type sciListType; } leaf potential { type sciListType; } } leaf ckn { type cknType; } leaf kmd { type kmdType; } leaf nid { type nidType; } leaf auth-data { type authType; } leaf principal { type boolean; } leaf distCKN { type cknType; } } } container logon-nid { leaf connected { type nidType; } leaf requested { type nidType; } uses nidGroupState; } container announcer { list announce { key "announces"; leaf announces { type uint16; } leaf nid { type nidType; } leaf access-status { // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } uses nidGroupState; } } container listener { list announcement { key "announcements"; leaf announcements { type uint8; } leaf nid { type nidType; } leaf kmd { type kmdType; } leaf specific { type boolean; } leaf access-status { // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } leaf requested-nid { type boolean; } leaf unauthenticated-access { // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } leaf access-capabilities { type accessCapabilitiesType; } leaf cipher-suites { type cipherSuitesType; } } } container eapol-statistics { leaf invalid-eapol-frame-rx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eap-length-error-frames { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-announcements-rx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-announce-reqs-rx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-port-unavailable { if-feature virtual-ports; when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-start-frames-rx { type yang:counter32; } leaf eapol-eap-frames-rx { type yang:counter32; } leaf eapol-logoff-frames-rx { type yang:counter32; } leaf eapol-mk-no-cfn { type yang:counter32; } leaf eapol-mk-invalid-frames-rx { type yang:counter32; } leaf last-eapol-frame-source { when "dot1x:port-type = 'dot1x:real-port'"; type ieee:mac-address; } leaf last-eapol-frame-version { type yang:counter32; } leaf eapol-supp-eap-frames-tx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-logoff-frames-tx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-announcements-tx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-announce-reqs-tx { when "dot1x:port-type = 'dot1x:real-port'"; type yang:counter32; } leaf eapol-start-frames-tx { type yang:counter32; } leaf eapol-auth-eap-frames-tx { type yang:counter32; } leaf eapol-mka-frames-tx { type yang:counter32; } } container logon-process { leaf connect { type enumeration { enum pending; enum unauthenticated; enum authenticated; enum secure; } } leaf port-valid { type boolean; } list session-statistics { key "session"; leaf session { type uint16; } leaf octets-Rx { type yang:counter32; } leaf octets-Tx { type yang:counter32; } leaf frames-Rx { type yang:counter32; } leaf frames-Tx { type yang:counter32; } leaf id { type string { // Need to confirm this. length "0..100"; } } leaf user-name { type string { // Need to confirm this. length "0..100"; } } leaf time { type yang:timeticks; } leaf terminate-cause { type enumeration { enum common_port_MAC_operatonal_false; enum system_access_control_disabled; enum eapol_logoff_Rx; enum eap_reauthentication_failure; enum mak-failure_termination; enum new_session-beginning; enum not_terminated_yet; } } } } } container nid-group { uses nidGroup; uses nidGroupState; } }