module dot1x { namespace "ieee:ns:yang:ieee-port-dot1x"; prefix "dot1x"; import ieee-types { prefix ieee; } import ietf-yang-types { prefix yang; } organization "Institute of Electrical and Electronics Engineers"; contact "Web URL: http://ieee.org/ E-mail: corporate-communications@ieee.org Postal: U.S.A. Phone: +1 732-563-6820 Fax: +1 732-981-9511"; description "Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports. The following control allows a port to be reinitialized, terminating (and potentially restarting) authentication exchanges and MKA operation, based on a data model described in a set of YANG modules."; revision "2015-03-10" { description "Initial Version."; reference "IEEE 802.1X-2014, PAE (Port Access Entity) management information model."; } // Type definitions used by dot1X YANG module typedef nidType { type string { // Need to confirm this. length "0..100"; } } typedef sessionUserNameType { description "utf8 definition"; type string { length "0..253"; } } typedef sessionIdType { description "utf8 definition"; type string { length "3..253"; } } typedef accessCapabilitiesType { type bits { bit eap { position 0; } bit mka { position 1; } bit macsec { position 2; } bit higher-layer { position 3; } bit higher-layer-fallback { position 4; } bit vendor-specific { position 5; } } } typedef portNumberType { type uint16; } typedef keyNumberType { type uint32; } typedef associationNumberType { type uint16; } typedef sciListType { // To be defined. type uint16; } typedef cknType { // To be defined. type uint16; } typedef kmdType { // To be defined. type uint16; } typedef authType { // To be defined. type uint16; } typedef cipherSuitesType { // Structure to be defined. type uint16; } grouping nidGroup { list pae-nid-group { key "nids"; leaf nids { type sessionUserNameType; } leaf use-eap { type enumeration { enum never; enum immediate; enum mka-fail; } default "immediate"; description "Determines when the Logon Process will initiate EAP, if the Supplicant and or Authenticator are enabled."; } leaf unauth-allowed { type enumeration { enum never; enum immediate; enum auth-fail; } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide unauthenticated connectivity."; } leaf unsecure-allowed { type enumeration { enum never; enum immediate; enum mka-fail; enum mka-server; } default "immediate"; description "Determines when the Logon Process will tell the CP state machine to provide authenticated but unsecured connectivity."; } leaf unauthenticated-access { type enumeration { enum no-access; enum fallback-access; enum limited-access; enum open-access; } default "no-access"; } leaf access-capabilities { type accessCapabilitiesType; description "Authentication mechanisms."; } container nid-status { config false; leaf kmd { type kmdType; } leaf nid { type nidType; } } } } feature pacp-eap-supplicant { description "This feature indicates that the device supports a PACP EAP Supplicant."; } feature pacp-eap-authenticator { description "This feature indicates that the device supports a PACP EAP Authenticator."; } feature mka { description "This feature indicates that the device supports MKA"; } feature macsec { description "This feature indicates that the device supports MACsec on the Controlled Port."; } feature announcements { description "This feature indicates that the device supports the ability to send EAPOL announcements."; } feature listener { description "This feature indicates that the device supports the ability to use receive EAPOL announcements."; } feature virtual-ports { description "This feature indicates that the device supports the virtual ports for a real port."; } feature in-service-upgrades { description "This feature indicates that the device supports MKA in-service upgrades."; } // Configuration objects used by 802.1X YANG module // PAE object container pae-system { leaf system-access-control { type enumeration { enum disabled; enum enabled; } description "Setting this control to 'disabled' deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation. Each real port PAE behaves as if enabledVirtualPorts was clear, the PAEs Supplicant, Authenticator, and KaY as if their enabled controls were clear, and Logon Process(es) as if unauthAllowed was Immediate. Announcements can be transmitted (subject to other controls), both periodically and in response to announcement requests (conveyed by EAPOL-Starts or EAPOL-Announcement-Reqs) but are sent with a single NID Set, with a null NID, and the Access Information TLV (and no other) with an accessStatus of No Access, accessRequested false, OpenAccess, and no accessCapabilities. The control variable settings for each real port PAE are unaffected, and will be used once systemAccessControl is set to 'enabled'"; } leaf system-announcements { type enumeration { enum disabled; enum enabled; } description "Setting this control to Disabled causes each PAE to behave as if enabled were clear for the PAE's Announcement functionality. The independent controls for each PAE apply if systemAnnouncements is Enabled."; } leaf eapol-protocol-version { //config false; type uint32; description "The EAPOL protocol version for this system."; } leaf mka-version { //config false; type uint32; description "The MKA protocol version for this system."; } // Port Authentication Entity (PAE) Object list pae { key "port-number"; leaf port-number { type portNumberType; description "Each PAE is uniquely identified by a port number. The port number used is unique amongst all port numbers for the system, and directly or indirectly identifies the Uncontrolled Port that supports the PAE. If the PAE has been dynamically instantiated to support an existing or potential virtual port, this portNumber, the uncontrolledPortNumber and the controlledPortNumber are allocated by the real port’s PAE, and this portNumber is the uncontrolledPortNumber. If the PAE supports a real port, this portNumber is the commonPortNumber for the associated PAC or SecY."; } leaf controlled-port-number { config false; type portNumberType; description "The port number for the associated PAC or SecY’s Controlled Port."; } leaf uncontrolled-port-number { config false; type portNumberType; description "The port number for the associated PAC or SecY’s Uncontrolled Port."; } leaf common-port-number { config false; type portNumberType; description "The port number for the associated PAC or SecY’s Common Port. All the virtual ports created for a given real port share the same Common Port and commonPortNumber"; } leaf port-type { description "The port type of the PAE."; config false; type enumeration { enum real-port; enum virtual-port; } } container virtual-port { if-feature virtual-ports; leaf enable { when "port-type = real-port"; type boolean; description "A real port's PAE may be configured to create virtual ports to support multi-access LANs provided that MKA and MACsec operation is enabled for that port."; } leaf max { when "port-type = real-port"; config false; type uint32; } leaf current { when "port-type = real-port"; config false; type yang:gauge32; } leaf start { when "port-type = virtual-port"; config false; type uint32; } leaf peer-address { when "port-type = virtual-port"; config false; type ieee:mac-address; } } // SUPPLICANT Object container supplicant { leaf held-period { type uint16; units seconds; default "60"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; } container status { config false; leaf enabled { type boolean; } leaf authenticate { type boolean; } leaf authenticated { type boolean; } leaf failed { type boolean; } } } // AUTHENTICATOR Object container authenticator { leaf quiet-period { type uint16; units seconds; default "60"; description "Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client"; reference "IEEE 802.1X Clause 8.6, Figure 12-3"; } leaf reauth-period { type uint16; units seconds; default "3600"; description "This object indicates the time period of the reauthentication to the supplicant."; reference "IEEE 802.1X Clause 8.6, Figure 12-3"; } leaf retry-max { type uint8; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; } container status { config false; leaf enabled { type boolean; } leaf authenticate { type boolean; } leaf authenticated { type boolean; } leaf failed { type boolean; } } } // PAE KaY (Group) Object container kay { leaf enable { type boolean; default "true"; } container actor { leaf priority { type uint8; default "0"; } container sci { config false; leaf mac-address { type ieee:mac-address; } leaf port-id { type portNumberType; } } } container key-server { leaf priority { type uint8; default "0"; } container sci { config false; leaf mac-address { type ieee:mac-address; } leaf port-id { type portNumberType; } } } container group { leaf join { type boolean; } leaf form { type boolean; } leaf new { type boolean; } } container macsec { leaf capable { type boolean; default "false"; } leaf desired { type boolean; default "false"; } leaf protect { config false; type boolean; } leaf validate { config false; type boolean; } leaf replay-protect { config false; type boolean; } } container status { config false; leaf active { type boolean; } leaf authenticated { type boolean; } leaf secured { type boolean; } leaf failed { type boolean; } } container key-stats { config false; leaf txKN { type keyNumberType; } leaf rxKN { type keyNumberType; } } container association-stats { config false; leaf txAN { type associationNumberType; } leaf rxAN { type associationNumberType; } } leaf suspend-on-request { type boolean; default "false"; } leaf suspend-for { type uint8; default "0"; } leaf suspend-while { type uint8; default "0"; } list participant { key "participants"; leaf participants { type uint16; } leaf cached { type boolean; default "false"; } leaf active { type boolean; default "false"; } leaf retain { type boolean; default "false"; } leaf activate { type enumeration { enum principal; enum livePeers; enum potentialPeers; enum distCKN; } default "principal"; } container peers { config false; leaf live { type sciListType; } leaf potential { type sciListType; } } leaf ckn { config false; type cknType; } leaf kmd { config false; type kmdType; } leaf nid { config false; type nidType; } leaf authData { config false; type authType; } leaf principal { config false; type boolean; } leaf distCKN { config false; type cknType; } } } // LOGIN-NID object container logon-nid { leaf connected { config false; type nidType; } leaf requested { config false; type nidType; } leaf selected { type nidType; mandatory true; } uses nidGroup; } // ANNOUNCER Object container announcer { leaf enable { type boolean; default "false"; } list announce { key "announces"; leaf announces { type uint16; } leaf nid { config false; type nidType; } leaf access-status { config false; // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } } uses nidGroup; } // LISTENER Object container listener { leaf enable { type boolean; default "false"; } list announcement { key "announcements"; leaf announcements { type uint8; } leaf nid { config false; type nidType; } leaf kmd { config false; type kmdType; } leaf specific { config false; type boolean; } leaf access-status { config false; // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } leaf requested-nid { config false; type boolean; } leaf unauthenticated-access { config false; // Need to confirm these types. type enumeration { enum no-access; enum acess-requested-fail; enum open-access; enum no-access-capabilities; } } leaf access-capabilities { config false; type accessCapabilitiesType; } leaf cipher-suites { config false; type cipherSuitesType; } } } // EapolStatistics container eapol-statistics { config false; leaf invalid-eapol-frame-rx { type yang:counter32; } leaf eap-length-error-frames { type yang:counter32; } leaf eapol-announcements-rx { type yang:counter32; } leaf eapol-announce-reqs-rx { type yang:counter32; } leaf eapol-port-unavailable { type yang:counter32; } leaf eapol-start-frames-rx { type yang:counter32; } leaf eapol-eap-frames-rx { type yang:counter32; } leaf eapol-logoff-frames-rx { type yang:counter32; } leaf eapol-mk-no-cfn { type yang:counter32; } leaf eapol-mk-invalid-frames-rx { type yang:counter32; } leaf last-eapol-frame-source { type ieee:mac-address; } leaf last-eapol-frame-version { type yang:counter32; } leaf eapol-supp-eap-frames-tx { type yang:counter32; } leaf eapol-logoff-frames-tx { type yang:counter32; } leaf eapol-announcements-tx { type yang:counter32; } leaf eapol-announce-reqs-tx { type yang:counter32; } leaf eapol-start-frames-tx { type yang:counter32; } leaf eapol-auth-eap-frames-tx { type yang:counter32; } leaf eapol-mka-frames-tx { type yang:counter32; } } } uses nidGroup; } }