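module ieee-dot1X {
  namespace "urn:ieee:params:xml:ns:yang:ieee-dot1X";
  prefix "dot1x";

  import ieee-types      { prefix "ieee"; }
  import ietf-yang-types { prefix "yang"; }
  import ietf-interfaces { prefix "if"; }
  import ietf-system     { prefix "system"; }
  import iana-if-type    { prefix "ianaif"; }

  organization
    "Institute of Electrical and Electronics Engineers";
  contact
    "Web URL: http://ieee.org/
     E-mail: corporate-communications@ieee.org
     Postal: U.S.A.
     Phone: +1 732-563-6820
     Fax: +1 732-981-9511";
  description
    "Port-based network access control allows a network administrator
     to restrict the use of IEEE 802 LAN service access points (ports)
     to secure communication between authenticated and authorized
     devices. IEEE Std 802.1X specifies an architecture, functional
     elements, and protocols that support mutual authentication
     between the clients of ports attached to the same LAN and secure
     communication between the ports. The following control allows a
     port to be reinitialized, terminating (and potentially
     restarting) authentication exchanges and MKA operation, based on
     a data model described in a set of YANG modules.";

  // NOTE(review): the corrections marked NOTE(review) below (XPath
  // 'when' expressions, added supplicant/authenticator 'enable'
  // controls, typedef reuse) should be recorded in a new revision
  // statement before this module is published.
  revision "2015-08-18" {
    description "Initial Version.";
    reference "IEEE 802.1X-2010, Port-Based Network Access Control.";
  }

  /* ----------------------------------------------
   * Type definitions used by dot1X YANG module
   * ---------------------------------------------- */

  typedef nidType {
    description
      "Network Identity (NID) name; the length bound is still to be
       confirmed.";
    type string {
      // Need to confirm this.
      length "0..100";
    }
  }

  typedef sessionUserNameType {
    description "utf8 definition";
    type string {
      length "0..253";
    }
  }

  typedef sessionIdType {
    description "utf8 definition";
    type string {
      length "3..253";
    }
  }

  typedef accessCapabilitiesType {
    description
      "Authentication and protection capabilities supported for the NID";
    type bits {
      bit eap                   { position 0; }
      bit mka                   { position 1; }
      bit macsec                { position 2; }
      bit higher-layer          { position 3; }
      bit higher-layer-fallback { position 4; }
      bit vendor-specific       { position 5; }
    }
    reference "Clause 10.1l)";
  }

  typedef accessStatus {
    type enumeration {
      enum no-access {
        description
          "Other than to authentication services, and to services
           announced as available in the absence of authentication
           (unauthenticated).";
      }
      enum remedial-access {
        description
          "The access granted is severely limited, possibly to remedial
           services.";
      }
      enum restricted-access {
        description
          "The Controlled Port is operational, but restrictions have
           been applied by the network that can limit access to some
           resources.";
      }
      enum expected-access {
        description
          "The Controlled Port is operational, and access provided is
           as expected for successful authentication and authorization
           for the NID.";
      }
    }
  }

  typedef keyNumberType {
    // NOTE(review): MKA Key Numbers are carried as 4-octet values in
    // MKPDUs; a uint16 may not cover the full range — confirm before
    // this type is finalized.
    type uint16;
  }

  typedef associationNumberType {
    type uint16;
  }

  // The five typedefs below are placeholders: each is a bare uint16
  // until the real structure is defined.  Any leaf using them cannot
  // yet carry the value its description promises (e.g. a list of SCIs
  // or a CKN octet string).
  typedef sciListType {
    // To be defined.
    type uint16;
  }

  typedef cknType {
    // To be defined.
    type uint16;
  }

  typedef kmdType {
    // To be defined.
    type uint16;
  }

  typedef authType {
    // To be defined.
    type uint16;
  }

  typedef cipherSuitesType {
    // Structure to be defined.
    type uint16;
  }

  /* ----------------------------------------------
   * Reusable NID groupings (configuration and state)
   * ---------------------------------------------- */

  grouping nidGroup {
    list paeNidGroup {
      key "nids";
      leaf nids {
        type sessionUserNameType;
      }
      leaf use-eap {
        type enumeration {
          enum never {
            description "Never.";
          }
          enum immediate {
            description
              "Immediately, concurrently with the use of MKA with any
               cached CAK(s).";
          }
          enum mka-fail {
            description
              "Not until MKA has failed, if a prior CAK has been
               cached.";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will initiate EAP, if the
           Supplicant and or Authenticator are enabled, and takes one
           of the above values.";
      }
      // NOTE(review): the 'immediate' defaults on unauth-allowed and
      // unsecure-allowed mean unauthenticated / unsecured connectivity
      // is offered unless an operator changes them; confirm this is
      // the intended default posture for the deployment.
      leaf unauth-allowed {
        type enumeration {
          enum never {
            description "Never.";
          }
          enum immediate {
            description
              "Immediately, independently of any current or future
               attempts to authenticate using the PAE or MKA.";
          }
          enum auth-fail {
            description
              "Not until an attempt has been made to authenticate using
               EAP, unless neither the supplicant nor the authenticator
               is enabled, and MKA has attempted to use any cached CAK
               (unless the KaY is not enabled)";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will tell the CP state
           machine to provide unauthenticated connectivity, and takes
           one of the above values.";
      }
      leaf unsecure-allowed {
        type enumeration {
          enum never {
            description "Never.";
          }
          enum immediate {
            description
              "Immediately, to provide connectivity concurrently with
               the use of MKA with any CAK acquired through EAP.";
          }
          enum mka-fail {
            description "Not until MKA has failed, or is not enabled.";
          }
          enum mka-server {
            description "Only if directed by the MKA server.";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will tell the CP state
           machine to provide authenticated but unsecured connectivity,
           takes one of the above values.";
      }
      leaf unauthenticated-access {
        type enumeration {
          enum no-access {
            description "Other than to authentication services.";
          }
          enum fallback-access {
            description
              "Limited access can be provided after authentication
               failure.";
          }
          enum limited-access {
            description
              "Immediate limited access is available without
               authentication.";
          }
          enum open-access {
            description
              "Immediate access is available without authentication.";
          }
        }
        default "no-access";
        description
          "The access capability of the port's clients without
           authentication, announced for this NID.";
      }
      leaf access-capabilities {
        type accessCapabilitiesType;
        description "Authentication mechanisms.";
      }
    }
  }

  grouping nidGroupState {
    list paeNidGroupState {
      key "nids";
      leaf nids {
        type sessionUserNameType;
      }
      leaf kmd {
        type kmdType;
        description "The Key Management Domain for the NID.";
      }
      leaf nid {
        type nidType;
      }
    }
  }

  /* ---------------------------------------------------------------
   * List of features that may be optionally implemented/supported
   * --------------------------------------------------------------- */

  feature pacp-eap-supplicant {
    description
      "This feature indicates that the device supports a PACP EAP
       Supplicant.";
  }

  feature pacp-eap-authenticator {
    description
      "This feature indicates that the device supports a PACP EAP
       Authenticator.";
  }

  feature mka {
    description "This feature indicates that the device supports MKA";
  }

  feature macsec {
    description
      "This feature indicates that the device supports MACsec on the
       Controlled Port.";
  }

  feature announcements {
    description
      "This feature indicates that the device supports the ability to
       send EAPOL announcements.";
  }

  feature listener {
    description
      "This feature indicates that the device supports the ability to
       receive EAPOL announcements.";
  }

  feature virtual-ports {
    description
      "This feature indicates that the device supports the virtual
       ports for a real port.";
  }

  feature in-service-upgrades {
    description
      "This feature indicates that the device supports MKA in-service
       upgrades.";
  }

  /* ---------------------------------------------------
   * Configuration objects used by 802.1X YANG module
   * --------------------------------------------------- */

  augment "/system:system" {
    container pae-system {
      // NOTE(review): no default is declared for system-access-control,
      // so the behaviour of a system with this leaf absent is not
      // defined by the model — consider declaring one explicitly.
      leaf system-access-control {
        type enumeration {
          enum disabled;
          enum enabled;
        }
        description
          "Setting this control to 'disabled' deletes any virtual ports
           previously instantiated, and terminates authentication
           exchanges and MKA operation. Each real port PAE behaves as
           if enabledVirtualPorts was clear, the PAEs Supplicant,
           Authenticator, and KaY as if their enabled controls were
           clear, and Logon Process(es) as if unauthAllowed was
           Immediate. Announcements can be transmitted (subject to
           other controls), both periodically and in response to
           announcement requests (conveyed by EAPOL-Starts or
           EAPOL-Announcement-Reqs) but are sent with a single NID Set,
           with a null NID, and the Access Information TLV (and no
           other) with an accessStatus of No Access, accessRequested
           false, OpenAccess, and no accessCapabilities. The control
           variable settings for each real port PAE are unaffected,
           and will be used once systemAccessControl is set to
           'enabled'.";
      }
      leaf system-announcements {
        type enumeration {
          enum disabled;
          enum enabled;
        }
        description
          "Setting this control to Disabled causes each PAE to behave
           as if enabled were clear for the PAE's Announcement
           functionality. The independent controls for each PAE apply
           if systemAnnouncements is Enabled.";
      }
      // NOTE(review): these two 'config false' leaves duplicate the
      // ones in the /system:system-state augment below; one of the two
      // copies is probably redundant.
      leaf eapol-protocol-version {
        config false;
        type uint32;
        description "The EAPOL protocol version for this system.";
      }
      leaf mka-version {
        config false;
        type uint32;
        description "The MKA protocol version for this system.";
      }
    }
  }

  augment "/system:system-state" {
    container pae-system {
      leaf eapol-protocol-version {
        type uint32;
        description "The EAPOL protocol version for this system.";
      }
      leaf mka-version {
        type uint32;
        description "The MKA protocol version for this system.";
      }
    }
  }

  /*
   * Port Authentication Entity (PAE) Object
   */
  augment "/if:interfaces/if:interface" {
    // The context node of an augment's 'when' is the target interface,
    // so 'if:type' is evaluated against the interface being augmented
    // rather than against any interface in the tree.
    // NOTE(review): iana-if-type also defines 'ethernetCsmacd'; confirm
    // which identity deployments actually report for Ethernet ports.
    when "if:type = 'ianaif:iso88023Csmacd'";
    container pae {
      leaf vp-enable {
        // NOTE(review): port-type is only modelled in the state tree
        // (/if:interfaces-state), so a configuration 'when' cannot
        // evaluate it; decide whether vp-enable should be unconditional
        // or port-type mirrored into configuration.  The enumeration
        // value is compared without a prefix ('real-port').
        when "dot1x:port-type = 'real-port'";
        if-feature virtual-ports;
        type boolean;
        default false;
        description
          "A real port's PAE may be configured to create virtual ports
           to support multi-access LANs provided that MKA and MACsec
           operation is enabled for that port.";
      }
      container supplicant {
        // NOTE: Supplicant only applicable to RealPort types.
        // NOTE(review): see the comment on vp-enable about port-type not
        // being available in configuration.  The 'enable' leaf referenced
        // here is declared in the sibling authenticator container.
        when "dot1x:port-type = 'real-port' and ../authenticator/enable = 'false'";
        if-feature pacp-eap-supplicant;
        leaf enable {
          type boolean;
          default "false";
          description
            "Set by management to enable (clear to disable) the
             Supplicant functionality of the PAE.";
        }
        leaf held-period {
          type uint16;
          units seconds;
          default "60";
          description
            "The initial value of the timer used to impose a wait
             period after a failed authentication attempt, before
             another attempt is permitted.";
        }
        leaf retry-max {
          type uint8;
          default "2";
          description
            "Specifies the maximum number of re-authentication attempts
             on an authenticator port before port is unauthorized.";
        }
      }
      container authenticator {
        // The 'enable' leaf referenced here is declared in the sibling
        // supplicant container; the two 'when' conditions make the
        // Supplicant and Authenticator mutually exclusive on a port.
        when "../supplicant/enable = 'false'";
        if-feature pacp-eap-authenticator;
        leaf enable {
          type boolean;
          default "false";
          description
            "Set by management to enable (clear to disable) the
             Authenticator functionality of the PAE.";
        }
        leaf quiet-period {
          type uint16;
          units seconds;
          default "60";
          description
            "Number of seconds that the switch remains in the quiet
             state following a failed authentication exchange with the
             client.";
          reference "IEEE 802.1X Clause 8.6, Figure 12-3";
        }
        leaf reauth-period {
          type uint16;
          units seconds;
          default "3600";
          description
            "This object indicates the time period of the
             reauthentication to the supplicant.";
          reference "IEEE 802.1X Clause 8.6, Figure 12-3";
        }
        leaf reauth-enable {
          type boolean;
          default "false";
          description "Re-authentication is enabled or not.";
          reference "IEEE 802.1X Clause 5.8c and 8.9";
        }
        leaf retry-max {
          type uint8;
          default "2";
          description
            "Specifies the maximum number of re-authentication attempts
             on an authenticator port before port is unauthorized.";
        }
      }
      container kay {
        if-feature mka;
        // "mka" feature definition above used for kay - need to revisit
        leaf enable {
          type boolean;
          default "false";
          description
            "Set by management to enable (clear to disable) the use of
             MKA.";
        }
        container actor {
          leaf priority {
            type uint8;
            default "0";
            description
              "The Key Server Priority for all the port’s actors.";
          }
        }
        container key-server {
          leaf priority {
            type uint8;
            default "0";
            description
              "The Key Server Priority for the Key Server for the
               principal actor. Matches the actorPriority if the actor
               is the Key Server";
          }
        }
        container group {
          leaf join {
            type boolean;
            default "false";
            description
              "Set if the KaY will accept Group CAKs distributed by
               MKA.";
          }
          leaf form {
            type boolean;
            default "false";
            description
              "Set if the KaY will attempt to use point-to-point CAs to
               distribute a Group CAK, if its principal actor is the
               Key Server for all the point-to-point CAs.";
          }
          leaf new {
            type boolean;
            default "false";
            description
              "Set by management if a new Group CAK is to be
               distributed, if the principal actor is the Key Server
               for all point-to-point CAs. Cleared by the KaY when
               distribution is complete.";
          }
        }
        container macsec {
          if-feature macsec;
          leaf capable {
            type boolean;
            default "false";
            description
              "Set, for the port and applicable to all actors, by
               management.";
          }
          leaf desired {
            type boolean;
            default "false";
            description
              "Set, for the port and applicable to all actors, by
               management.";
          }
        }
        leaf suspend-on-request {
          type boolean;
          default "false";
          description
            "Set by management to allow the KaY’s principal actor to
             initiate a suspension if it is the Key Server and another
             participant has requested a suspension.";
        }
        leaf suspend-for {
          // NOTE(review): the description bounds this value by the MKA
          // Suspension Limit, but no 'range' statement enforces it.
          type uint8;
          default "0";
          description
            "Set by management to a non-zero number of seconds between 1
             and MKA Suspension Limit to initiate a suspension (9.18) of
             that duration (if the KaY’s principal actor is the Key
             Server) or to request a suspension (otherwise).";
        }
        leaf suspend-while {
          // NOTE(review): described as read-only ('Read by management')
          // but declared in the configuration tree without 'config
          // false'.
          type uint8;
          default "0";
          description
            "Read by management to determine if a suspension is in
             progress and (when available) to discover the remaining
             duration of that suspension";
        }
        list participants {
          key "participant";
          leaf participant {
            type uint16;
          }
          leaf cached {
            type boolean;
            default "false";
            description
              "Set by the KaY if the participant’s parameters are
               cached. If set, cached can be cleared by management to
               remove the participant from the cache.";
          }
          leaf active {
            type boolean;
            default "false";
            description
              "Set if the participant is active, i.e., is currently
               transmitting periodic MKPDUs.";
          }
          leaf retain {
            type boolean;
            default "false";
            description
              "Set by management to retain the participant in the
               cache, even if the KaY would normally remove it (due to
               lack of use for example).";
          }
          leaf activate {
            type enumeration {
              enum default;
              enum disabled;
              enum on-oper-up;
              enum always;
            }
            default "default";
            description
              "Controls when the participant is activated. Cached
               entries created by the KaY as part of normal operation,
               without explicit management, have the value Default,
               and are activated according to the implementation
               dependent policies of the KaY. This variable can be set
               to any of its values by management. Disabled allows the
               cache entry to be retained, but disabled for an
               indefinite period. OnOperUp causes the participant to be
               activated when the PAE’s port (and therefore when the
               SecY or PAC’s Common Port becomes MAC_Operational).
               Always causes the participant to remain active all the
               time, even in the continued absence of partners. If the
               value is changed to Disabled or OnOperUp, the
               participant ceases operation immediately and receipt of
               MKPDUs with a matching CKN during a subsequent period of
               twice MKA Life Time will not cause the participant to
               become active once more.";
          }
        }
      }
      container logon-nid {
        leaf selected {
          type nidType;
          description
            "The NID currently configured for use by an access
             controlled port when transmitting EAPOL-Start frames.
             Defaults to the null NID.";
        }
        uses nidGroup;
      }
      container announcer {
        if-feature announcements;
        leaf enable {
          type boolean;
          default "false";
          description
            "A boolean indicating if the announcer is enabled or not.";
        }
        list announce {
          key "announces";
          leaf announces {
            type uint16;
          }
          uses nidGroup;
        }
      }
      container listener {
        if-feature listener;
        leaf enable {
          type boolean;
          default "false";
          description
            "A boolean indicating if the listener is enabled or not.";
        }
      }
      container logon-process {
        leaf logon {
          type boolean;
          default "false";
          description
            "A boolean indicating if the logon-process is enabled or
             not.";
        }
      }
    }
  }

  /*
   * PAE operational state, added directly under the interface entry
   * (no enclosing 'pae' container, unlike the configuration augment).
   */
  augment "/if:interfaces-state/if:interface" {
    // Evaluated against the augmented state interface's own 'type'
    // leaf rather than the configuration tree.
    when "if:type = 'ianaif:iso88023Csmacd'";
    leaf port-name {
      type if:interface-ref;
      description
        "Each PAE is uniquely identified by a port name. The port name
         used is unique amongst all port names for the system, and
         directly or indirectly identifies the Uncontrolled Port that
         supports the PAE. If the PAE has been dynamically instantiated
         to support an existing or potential virtual port, the
         uncontrolledPortNumber and the controlledPortNumber are
         allocated by the real port's PAE, and this portName is the
         uncontrolledPortName. If the PAE supports a real port, this
         portName is the commonPortName for the associated PAC or
         SecY.";
    }
    leaf port-number {
      type leafref {
        path "/if:interfaces-state/if:interface/if:if-index";
      }
      description
        "Each PAE is uniquely identified by a port name. The port name
         used is unique amongst all port names for the system, and
         directly or indirectly identifies the Uncontrolled Port that
         supports the PAE. If the PAE has been dynamically instantiated
         to support an existing or potential virtual port, this
         portNumber, the uncontrolledPortNumber and the
         controlledPortNumber are allocated by the real port’s PAE, and
         this portNumber is the uncontrolledPortNumber. If the PAE
         supports a real port, this portNumber is the commonPortNumber
         for the associated PAC or SecY.";
    }
    leaf controlled-port-name {
      type if:interface-ref;
      description "The controlled port name reference.";
    }
    leaf controlled-port-number {
      type leafref {
        path "/if:interfaces-state/if:interface/if:if-index";
        // Calix - should point to controlled-port ifIndex
      }
      description
        "The port for the associated PAC or SecY's Controlled Port.";
    }
    leaf uncontrolled-port-name {
      type if:interface-ref;
      description "The uncontrolled port name reference.";
    }
    leaf uncontrolled-port-number {
      type leafref {
        path "/if:interfaces-state/if:interface/if:if-index";
      }
      description
        "The port for the associated PAC or SecY's Uncontrolled Port.";
    }
    leaf common-port-name {
      type if:interface-ref;
      description "The common port name reference.";
    }
    leaf common-port-number {
      type leafref {
        path "/if:interfaces-state/if:interface/if:if-index";
      }
      description
        "The port for the associated PAC or SecY's Common Port. All the
         virtual ports created for a given real port share the same
         Common Port and commonPortNumber.";
    }
    leaf port-type {
      type enumeration {
        enum real-port;
        enum virtual-port;
      }
      description "The port type of the PAE.";
    }
    container virtual-port {
      if-feature virtual-ports;
      // Each 'when' below is evaluated with the leaf itself as the
      // context node, so port-type (a sibling of this container) is
      // reached via '../..'.
      leaf max {
        when "../../dot1x:port-type = 'real-port'";
        type uint32;
        description "The guaranteed maximum number of virtual ports.";
      }
      leaf current {
        when "../../dot1x:port-type = 'real-port'";
        type yang:gauge32;
        description "The current number of virtual ports.";
      }
      leaf start {
        when "../../dot1x:port-type = 'virtual-port'";
        type uint32;
        description
          "Set if the virtual port was created by receipt of an
           EAPOL-Start frame.";
      }
      leaf peer-address {
        when "../../dot1x:port-type = 'virtual-port'";
        type ieee:mac-address;
        description
          "The source MAC Address of the EAPOL-Start (if vpStart is
           set).";
      }
    }
    container supplicant {
      // NOTE: Supplicant only applicable to RealPort types.
      // Context node is this container; port-type is its sibling.
      when "../dot1x:port-type = 'real-port'";
      if-feature pacp-eap-supplicant;
      leaf enabled {
        type boolean;
        description
          "Set by PACP if the PAE can provide authentication. Will be
           FALSE if the Port is not enabled, if the functionality
           provided by the PAE is not available, or not implemented,
           or the control variable enable has been cleared by
           management, e.g. because the application scenario
           authenticates a user and there is no user logged on.";
      }
      leaf authenticate {
        type boolean;
        description
          "Set by the PAE client to request authentication, and allows
           reauthentication while set. Cleared by the client to revoke
           authentication. To enable authentication the client also
           needs to clear failed (if set).";
      }
      leaf authenticated {
        type boolean;
        description
          "Set by PACP if the PAE is currently authenticated, and
           cleared if the authentication fails or is revoked.";
      }
      leaf failed {
        type boolean;
        description
          "Set by PACP if the authentication has failed or has been
           terminated. The cause could be a Fail returned by EAP,
           either immediately or following a reauthentication, an
           excessive number of attempts to authenticate (either
           immediately or upon reauthentication), or the client
           deasserting authenticate. The PACP will clear authenticated
           as well as setting failed. Any ongoing authentication
           exchange will be terminated (by the state machines) if
           enable becomes FALSE and enabled will be cleared, but failed
           will not be set.";
      }
    }
    container authenticator {
      if-feature pacp-eap-authenticator;
      leaf enabled {
        type boolean;
        description
          "Set by PACP if the PAE can provide authentication. Will be
           FALSE if the Port is not enabled, if the functionality
           provided by the PAE is not available, or not implemented,
           or the control variable enable has been cleared by
           management, e.g. because the application scenario
           authenticates a user and there is no user logged on.";
      }
      leaf authenticate {
        type boolean;
        description
          "Set by the PAE client to request authentication, and allows
           reauthentication while set. Cleared by the client to revoke
           authentication. To enable authentication the client also
           needs to clear failed (if set).";
      }
      leaf authenticated {
        type boolean;
        description
          "Set by PACP if the PAE is currently authenticated, and
           cleared if the authentication fails or is revoked.";
      }
      leaf failed {
        type boolean;
        description
          "Set by PACP if the authentication has failed or has been
           terminated. The cause could be a Fail returned by EAP,
           either immediately or following a reauthentication, an
           excessive number of attempts to authenticate (either
           immediately or upon reauthentication), or the client
           deasserting authenticate. The PACP will clear authenticated
           as well as setting failed. Any ongoing authentication
           exchange will be terminated (by the state machines) if
           enable becomes FALSE and enabled will be cleared, but failed
           will not be set.";
      }
      leaf auth-retry-count {
        type uint8;
        description
          "Counts the number of authentication retry attempts on an
           authenticator port.";
        reference "IEEE 802.1X Clause 8.9";
      }
    }
    container kay {
      if-feature mka;
      // May need to revisit this.
      container actor {
        container sci {
          description
            "The SCI assigned by the system to the port (applies to all
             the port’s actors).";
          leaf mac-address {
            type ieee:mac-address;
          }
          leaf port-id {
            // NOTE(review): an SCI port identifier is a numeric port
            // component, not an interface name; this leafref to
            // if:name may not be the intended representation.
            type leafref {
              path "/if:interfaces/if:interface/if:name";
            }
          }
        }
      }
      container key-server {
        container sci {
          description
            "The SCI for Key Server for the principal actor. Null if
             there is no principal actor, or that actor has no live
             peers. Matches the actorSCI if the actor is the Key
             Server.";
          leaf mac-address {
            type ieee:mac-address;
          }
          leaf port-id {
            type leafref {
              path "/if:interfaces/if:interface/if:name";
            }
          }
        }
      }
      container macsec {
        if-feature macsec;
        leaf protect {
          type boolean;
          description "As used by the CP state machine, see 12.4.";
        }
        leaf validate {
          type boolean;
          description "As used by the CP state machine, see 12.4.";
        }
        leaf replay-protect {
          type boolean;
          description "As used by the CP state machine, see 12.4.";
        }
      }
      leaf active {
        type boolean;
        description
          "Set if there is at least one active actor, transmitting
           MKPDUs.";
      }
      leaf authenticated {
        type boolean;
        description
          "Set if the principal actor, i.e. the participant that has
           the highest priority Key Server and one or more live peers,
           has determined that Controlled Port communication should
           proceed without MACsec.";
      }
      leaf secured {
        type boolean;
        description
          "Set if the principal actor has determined that communication
           should use MACsec.";
      }
      leaf failed {
        type boolean;
        description
          "Cleared when authenticated or secured are set, set if the
           latter are clear and MKA Life Time has elapsed since an MKA
           participant was last created.";
      }
      container keyNumber {
        leaf tx {
          type keyNumberType;
          description
            "The Key Number assigned by the Key Server to the SAK
             currently being used for transmission. Null if MACsec is
             not being used.";
        }
        leaf rx {
          type keyNumberType;
          description
            "The Key Number assigned by the Key Server to the oldest
             SAK currently being used for reception. The same as txKN
             if a single SAK is currently in use (as will most often be
             the case). Null if MACsec is not being used.";
        }
      }
      container associationNumber {
        leaf tx {
          type associationNumberType;
          description
            "The Association Number assigned by the Key Server for use
             with txKN. Zero if MACsec is not in use.";
        }
        leaf rx {
          type associationNumberType;
          description
            "The Association Number assigned by the Key Server for use
             with rxKN. The same as txAN if a single SAK is currently
             in use. Zero if MACsec is not in use.";
        }
      }
      list participant {
        key "participants";
        leaf participants {
          type uint16;
        }
        container peers {
          leaf live {
            type sciListType;
            description
              "A list of the SCI’s of the participant’s live peers.";
          }
          leaf potential {
            type sciListType;
            description
              "A list of the SCI’s of the participant’s potential
               peers.";
          }
        }
        leaf ckn {
          type cknType;
          description
            "The secure Connectivity Association Key Name for the
             participant.";
        }
        leaf kmd {
          type kmdType;
          description "The Key Management Domain for the participant.";
        }
        leaf nid {
          type nidType;
          description "The NID for the participant.";
        }
        leaf auth-data {
          type authType;
          description
            "Authorization data associated with the secure Connectivity
             Association Key.";
        }
        leaf principal {
          type boolean;
          description
            "Set if the participant is currently the principal actor.";
        }
        leaf distCKN {
          type cknType;
          description
            "The CKN for the last CAK distributed (either by the actor
             or one of its partners). Null if this participant has not
             been used to distribute a CAK.";
        }
      }
    }
    container logon-nid {
      leaf connected {
        type nidType;
        description
          "The NID associated with the current connectivity (possibly
           unauthenticated) provided by the operation of the CP state
           machine.";
      }
      leaf requested {
        type nidType;
        description
          "The NID marked as Access requested in announcements, as
           determined from EAPOL-Start frames. Defaults to the
           selectedNID.";
      }
      uses nidGroupState;
    }
    container announcer {
      if-feature announcements;
      list announce {
        key "announces";
        leaf announces {
          type uint16;
        }
        leaf nid {
          type nidType;
          description "The NID.";
        }
        leaf access-status {
          // Need to confirm these types.
          type accessStatus;
          description
            "Access Status reflects connectivity as a result of
             authentication attempts, and might be set directly by the
             system or configured by AAA protocols.";
        }
        uses nidGroupState;
      }
    }
    container listener {
      if-feature listener;
      list announcement {
        key "announcements";
        leaf announcements {
          type uint8;
        }
        leaf nid {
          type nidType;
          description
            "The NID information to identify a received network
             announcement for the PAE.";
        }
        leaf kmd {
          type kmdType;
          description
            "The KMD information for this received network announcement
             of the PAE";
        }
        leaf specific {
          type boolean;
          description
            "This object indicates the received announcement
             information was specific to the receiving PAE, not generic
             for all systems attached to the LAN.";
        }
        leaf access-status {
          // Need to confirm these types.
          type accessStatus;
          description
            "The object information reflects connectivity as a result
             of authentication attempts for this received network
             announcement of the PAE.";
        }
        leaf requested-nid {
          type boolean;
          description
            "The authenticated access has been requested for this
             particular NID or not";
        }
        leaf unauthenticated-access {
          // Need to confirm these types.
          // NOTE(review): the configuration-side leaf of the same name
          // (grouping nidGroup) uses a different enumeration
          // (no-access / fallback-access / limited-access /
          // open-access); the two should probably share one type.
          type accessStatus;
          description
            "The access capability of the port’s clients without
             authentication in this received network announcement of
             the PAE";
        }
        leaf access-capabilities {
          type accessCapabilitiesType;
          description
            "The authentication and protection capabilities supported
             for the NID.";
        }
        leaf cipher-suites {
          type cipherSuitesType;
          description
            "A table contains the Cipher Suites information that the
             Listeners receive in the network announcement of the PAE
             system.";
        }
      }
    }
    container eapol-statistics {
      //if-feature (authenticator | supplicant);
      // This is a new "or" construct. Need to revisit to organize. Shown
      // here is the intent or should add a new feature under system
      // called PAE_8021x and key this off of that.
      //
      // The 'when' statements below are evaluated with the counter leaf
      // as the context node, so port-type (a sibling of this container)
      // is reached via '../..'.
      leaf invalid-eapol-frame-rx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of invalid EAPOL frames of any type that have
           been received by this PAE";
      }
      leaf eap-length-error-frames {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL frames that the Packet Body Length does
           not match a Packet Body that is contained within the octets
           of the received EAPOL MPDU in this PAE";
      }
      leaf eapol-announcements-rx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-Announcement frames that have been
           received by this PAE";
      }
      leaf eapol-announce-reqs-rx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-Announcement-Req frames that have been
           received by this PAE";
      }
      leaf eapol-port-unavailable {
        if-feature virtual-ports;
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL frames that are discarded because their
           processing would require the creation of a virtual port,
           for which there are inadequate or constrained resources, or
           an existing virtual port and no such port currently exists.
           If virtual port is not supported, this object should be
           always 0.";
      }
      leaf eapol-start-frames-rx {
        type yang:counter32;
        description
          "The number of EAPOL-Start frames that have been received by
           this PAE";
      }
      leaf eapol-eap-frames-rx {
        type yang:counter32;
        description
          "The number of EAPOL-EAP frames that have been received by
           this PAE";
      }
      leaf eapol-logoff-frames-rx {
        type yang:counter32;
        description
          "The number of EAPOL-Logoff frames that have been received by
           this PAE";
      }
      leaf eapol-mk-no-cfn {
        type yang:counter32;
        description
          "The number of MKPDUs received with MKA not enabled or CKN
           not recognized in this PAE";
      }
      leaf eapol-mk-invalid-frames-rx {
        type yang:counter32;
        description
          "The number of MKPDUs failing in message authentication on
           receipt process in this PAE";
      }
      leaf last-eapol-frame-source {
        when "../../dot1x:port-type = 'real-port'";
        type ieee:mac-address;
        description
          "The source MAC address of last received EAPOL frame by this
           PAE";
      }
      leaf last-eapol-frame-version {
        // NOTE(review): a protocol version is a value, not a count;
        // yang:counter32 is an odd choice for it.
        type yang:counter32;
        description
          "The version of last received EAPOL frame by this PAE";
      }
      leaf eapol-supp-eap-frames-tx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-EAP frames that have been transmitted by
           the supplicant of this PAE";
      }
      leaf eapol-logoff-frames-tx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-Logoff frames that have been transmitted
           by this PAE";
      }
      leaf eapol-announcements-tx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-Announcement frames that have been
           transmitted by this PAE";
      }
      leaf eapol-announce-reqs-tx {
        when "../../dot1x:port-type = 'real-port'";
        type yang:counter32;
        description
          "The number of EAPOL-Announcement-Req frames that have been
           transmitted by this PAE";
      }
      leaf eapol-start-frames-tx {
        type yang:counter32;
        // This is a transmit counter; the original description said
        // "received", which contradicted the leaf name.
        description
          "The number of EAPOL-Start frames that have been transmitted
           by this PAE";
      }
      leaf eapol-auth-eap-frames-tx {
        type yang:counter32;
        description
          "The number of EAPOL-EAP frames that have been transmitted by
           the authenticator of this PAE";
      }
      leaf eapol-mka-frames-tx {
        type yang:counter32;
        description
          "The number of EAPOL-MKA frames with no CKN information that
           have been transmitted by this PAE";
      }
    }
    container logon-process {
      leaf connect {
        type enumeration {
          enum pending {
            description
              "Prevent connectivity by clearing the
               controlledPortEnabled parameter.";
          }
          enum unauthenticated {
            description
              "Provide unsecured connectivity, setting
               controlledPortEnabled.";
          }
          enum authenticated {
            description
              "Provide unsecured connectivity, setting
               controlledPortEnabled.";
          }
          enum secure {
            description
              "Provide secure connectivity, using SAKs provided by the
               KaY (when available) and setting controlledPortEnabled
               when those keys are installed and in use, as specified
               in detail by the CP state machine.";
          }
          // NOTE(review): this value's description reads like a
          // separate variable ("data to be made available ... if
          // connect is Authenticated") rather than a connectivity
          // state; confirm it belongs in this enumeration.
          enum authorization-data {
            description
              "Authorization data to be made available to the client of
               the Controlled Port if connect is Authenticated.";
          }
        }
        description
          "The Logon Process sets this variable to one of the above
           values.";
      }
      leaf port-valid {
        type boolean;
        description
          "Set if Controlled Port communication is secured as specified
           by the MACsec control macsecProtect.";
      }
      list session-statistics {
        key "session";
        leaf session {
          type uint16;
        }
        leaf octets-Rx {
          type yang:counter64;
          description
            "The number of octets received in this session of this PAE.
             Discontinuities in the value of this counter can occur at
             re-initialization of the management system, and at other
             times as indicated by the value of
             ieee8021XPaePortSessionStartTime";
        }
        leaf octets-Tx {
          type yang:counter64;
          description
            "The number of octets transmitted in this session of this
             PAE. Discontinuities in the value of this counter can
             occur at re-initialization of the management system, and
             at other times as indicated by the value of
             ieee8021XPaePortSessionStartTime";
        }
        leaf frames-Rx {
          type yang:counter64;
          description
            "The number of packets received in this session of this
             PAE. Discontinuities in the value of this counter can
             occur at re-initialization of the management system, and
             at other times as indicated by the value of
             ieee8021XPaePortSessionStartTime";
        }
        leaf frames-Tx {
          type yang:counter64;
          description
            "The number of packets transmitted in this session of this
             PAE. Discontinuities in the value of this counter can
             occur at re-initialization of the management system, and
             at other times as indicated by the value of
             ieee8021XPaePortSessionStartTime";
        }
        leaf id {
          // Same constraints as the inline "3..253" string previously
          // declared here; the typedef keeps the two in step.
          type sessionIdType;
          description
            "The session identifier for this session of the PAE. A
             UTF-8 string, uniquely identifying the session within the
             context of the PAE’s system";
        }
        leaf user-name {
          // Same constraints as the inline "0..253" string previously
          // declared here; the typedef keeps the two in step.
          type sessionUserNameType;
          description
            "Session User Name. A UTF-8 string, from 0 to 253 octets
             long, representing the identity of the peer Supplicant";
        }
        leaf time {
          // NOTE(review): yang:timeticks is in hundredths of a second,
          // while the description says seconds — reconcile the two.
          type yang:timeticks;
          description
            "Session Time. The duration of the session in seconds.";
        }
        leaf terminate-cause {
          // NOTE(review): several enum names carry spelling slips
          // (operatonal, mak-failure); they are kept as-is because
          // renaming an enum value changes the published model.
          type enumeration {
            enum common_port_MAC_operatonal_false {
              description "‘Common Port’ for this PAE is not operational.";
            }
            enum system_access_control_disabled {
              description
                "The system-access-control node of the pae-system is
                 disabled or initialization process of this PAE is
                 invoked.";
            }
            enum eapol_logoff_Rx {
              description "The PAE has received EAPOL-Logoff frame.";
            }
            enum eap_reauthentication_failure {
              description "EAP reauthentication has failed.";
            }
            enum mak-failure_termination {
              description "MKA failure or other MKA termination.";
            }
            enum new_session-beginning {
              description "New session beginning.";
            }
            enum not_terminated_yet {
              description "Not Terminated Yet.";
            }
          }
          description "The reason for the session termination.";
        }
      }
    }
  }

  // Top-level view of the NID groupings, outside any interface.
  container nid-group {
    uses nidGroup;
    uses nidGroupState;
  }
}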