1 module ieee802-dot1x {
\r
3 namespace "urn:ieee:std:802.1X:yang:ieee802-dot1x";
\r
6 import ieee802-types { prefix "ieee"; }
\r
7 import ietf-yang-types { prefix "yang"; }
\r
8 import ietf-interfaces { prefix "if"; }
\r
9 import ietf-system { prefix "sys"; }
\r
10 import iana-if-type { prefix "ianaift"; }
\r
11 import ieee802-dot1x-types { prefix "dot1x-types"; }
\r
14 "Institute of Electrical and Electronics Engineers";
\r
17 "WG-URL: http://www.ieee802.org/1
\r
18 WG-EMail: stds-802-1-L@ieee.org
\r
20 Contact: IEEE 802.1 Working Group Chair
\r
21 Postal: C/O IEEE 802.1 Working Group
\r
22 IEEE Standards Association
\r
28 E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";
\r
31 "Port-based network access control allows a network administrator
\r
32 to restrict the use of IEEE 802 LAN service access points (ports)
\r
33 to secure communication between authenticated and authorized
\r
34 devices. IEEE Std 802.1X specifies an architecture, functional
\r
35 elements, and protocols that support mutual authentication
\r
36 between the clients of ports attached to the same LAN and secure
\r
37 communication between the ports. The following control allows a
\r
38 port to be reinitialized, terminating (and potentially
\r
39 restarting) authentication exchanges and MKA operation, based on
\r
40 a data model described in a set of YANG modules.";
\r
42 revision 2020-02-18 {
\r
44 "Updated Contact information.";
\r
47 revision 2019-06-12 {
\r
49 "Updates based on comment resolution of the WG ballot of
\r
52 "IEEE Std 802.1X-2020, Port-Based Network Access Control.";
\r
55 grouping nid-group {
\r
57 "The PAE NID Group configuration and operational information.";
\r
58 list pae-nid-group {
\r
61 "A list that contains the configuration and operational
\r
62 nodes for the network announcement information for the
\r
65 type dot1x-types:pae-nid;
\r
67 "Identification of the network or network service.";
\r
69 "IEEE 802.1X-2020 Clause 12.5";
\r
79 "Immediately, concurrently with the use of MKA with any
\r
84 "Not until MKA has failed, if a prior CAK has been
\r
88 default "immediate";
\r
90 "Determines when the Logon Process will initiate EAP, if
91 the Supplicant and/or Authenticator are enabled, and takes
92 one of the above values.";
\r
94 "IEEE 802.1X-2020 Clause 12.5";
\r
96 leaf unauth-allowed {
\r
104 "Immediately, independently of any current or future
\r
105 attempts to authenticate using the PAE or MKA.";
\r
109 "Not until an attempt has been made to authenticate
\r
110 using EAP, unless neither the supplicant nor the
\r
111 authenticator is enabled, and MKA has attempted to use
\r
112 any cached CAK (unless the KaY is not enabled).";
\r
115 default "immediate";
\r
117 "Determines when the Logon Process will tell the CP state
118 machine to provide unauthenticated connectivity, and takes
119 one of the above values. Note that the default value, immediate, provides unauthenticated connectivity regardless of whether any authentication attempt has been made or has succeeded; a deployment that relies on port-based access control should configure a more restrictive value.";
\r
121 "IEEE 802.1X-2020 Clause 12.5";
\r
123 leaf unsecure-allowed {
\r
131 "Immediately, to provide connectivity concurrently with
\r
132 the use of MKA with any CAK acquired through EAP.";
\r
136 "Not until MKA has failed, or is not enabled.";
\r
140 "Only if directed by the MKA server.";
\r
143 default "immediate";
\r
145 "Determines when the Logon Process will tell the CP state
146 machine to provide authenticated but unsecured (i.e., not MACsec-protected)
147 connectivity, and takes one of the above values. Note that the default value, immediate, permits unsecured connectivity concurrently with any attempt to use MKA, so a deployment that requires MACsec protection of the Controlled Port should configure a more restrictive value.";
\r
149 "IEEE 802.1X-2020 Clause 12.5";
\r
151 leaf unauthenticated-access {
\r
155 "Other than to authentication services.";
\r
157 enum fallback-access {
\r
159 "Limited access can be provided after authentication
\r
162 enum limited-access {
\r
164 "Immediate limited access is available without
\r
169 "Immediate access is available without
\r
173 default "no-access";
\r
175 "Unauthenticated access capabilities provided by the NID.";
\r
177 "IEEE 802.1X-2020 Clause 10.1";
\r
179 leaf access-capabilities {
\r
180 type dot1x-types:pae-nid-capabilities;
\r
182 "Authentication and protection capabilities supported for
\r
185 "IEEE 802.1X-2020 Clause 10.1";
\r
189 type dot1x-types:pae-kmd;
\r
192 "The Key Management Domain for the NID.";
\r
194 "IEEE 802.1X-2020 Clause 10.4";
\r
199 grouping port-capabilities {
\r
201 "Per port PAE feature capabilities.";
\r
205 "Indicates if PACP EAP Supplicant is supported.";
\r
207 "IEEE 802.1X-2020 Clause 12.9.2";
\r
212 "Indicates if PACP EAP Authenticator is supported.";
\r
214 "IEEE 802.1X-2020 Clause 12.9.2";
\r
219 "Indicates if MKA is supported.";
\r
221 "IEEE 802.1X-2020 Clause 12.9.2";
\r
226 "Indicates if MACsec on the Controlled port is supported.";
\r
228 "IEEE 802.1X-2020 Clause 12.9.2";
\r
230 leaf announcements {
\r
233 "Indicates if the ability to send EAPOL announcements is
\r
236 "IEEE 802.1X-2020 Clause 12.9.2";
\r
241 "Indicates if the ability to use received EAPOL
\r
242 announcements is supported.";
\r
244 "IEEE 802.1X-2020 Clause 12.9.2";
\r
246 leaf virtual-ports {
\r
249 "Indicates if virtual ports for a real port is supported.";
\r
251 "IEEE 802.1X-2020 Clause 12.9.2";
\r
253 leaf in-service-upgrades {
\r
256 "Indicates if MKA in-service upgrades is supported.";
\r
258 "IEEE 802.1X-2020 Clause 12.9.2";
\r
262 /* ---------------------------------------------------
\r
263 * Configuration objects used by 802.1X YANG module
\r
264 * ---------------------------------------------------
\r
266 augment "/sys:system" {
\r
268 "Augment system with 802.1X PAE System specific configuration
\r
270 container pae-system {
\r
272 "Contains all 802.1X PAE System specific related
\r
273 configuration and operational data.";
\r
279 "The name which uniquely identifies the PAE System.";
\r
281 leaf system-access-control {
\r
285 "Deletes any virtual ports previously instantiated, and
\r
286 terminates authentication exchanges and MKA
\r
291 "Enables PAE system access control.";
\r
295 "Setting this control to disabled deletes any virtual ports
296 previously instantiated, and terminates authentication
297 exchanges and MKA operation. Each real port PAE behaves as
298 if enabledVirtualPorts was clear, the PAE's Supplicant,
299 Authenticator, and KaY as if their enabled controls were
300 clear, and Logon Process(es) as if unauthAllowed was
301 Immediate; i.e., while this control is disabled, connectivity is provided without authentication on every real port of the system, so it should be changed only deliberately. Announcements can be transmitted (subject to
302 other controls), both periodically and in response to
303 announcement requests (conveyed by EAPOL-Starts or
304 EAPOL-Announcement-Reqs) but are sent with a single NID
305 Set, with a null NID, and the Access Information TLV (and
306 no other) with a pae-access-status of No Access,
307 accessRequested false, OpenAccess, and no
308 accessCapabilities. The control variable settings for each
309 real port PAE are unaffected, and will be used once
310 systemAccessControl is set to enabled.";
\r
312 "IEEE 802.1X-2020 Clause 12.9.1";
\r
314 leaf system-announcements {
\r
318 "Causes each PAE to behave as if enabled were clear
\r
319 for the PAE's Announcement functionality.";
\r
323 "Enables PAE system announcements.";
\r
327 "Setting this control to Disabled causes each PAE to behave
\r
328 as if enabled were clear for the PAE's Announcement
\r
329 functionality. The independent controls for each PAE apply
\r
330 if systemAnnouncements is Enabled.";
\r
332 "IEEE 802.1X-2020 Clause 12.9.1";
\r
334 leaf eapol-protocol-version {
\r
338 "The EAPOL protocol version for this system.";
\r
340 "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";
\r
346 "The MKA protocol version for this system.";
\r
348 "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";
\r
351 type if:interface-ref;
\r
354 "List of PAE references.";
\r
360 * Port Authentication Entity (PAE) Nodes
\r
362 augment "/if:interfaces/if:interface" {
\r
363 when "if:type = 'ianaift:ethernetCsmacd' or
\r
364 if:type = 'ianaift:ilan' or
\r
365 if:type = 'ianaift:macSecControlledIF' or
\r
366 if:type = 'ianaift:ptm' or
\r
367 if:type = 'ianaift:bridge'" {
\r
369 "Applies to the Controlled Port of SecY or PAC shim or
\r
370 Ethernet related Interface.";
\r
373 "Augment interface model with PAE configuration and
\r
374 operational nodes.";
\r
376 "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2020 Clause 6.5 and
\r
380 "Contains PAE configuration and operational related nodes.";
\r
383 path "/sys:system/dot1x:pae-system/dot1x:name";
\r
386 "The PAE system that this PAE is a member of.";
\r
389 when "../port-type = 'real-port' and
\r
390 ../port-capabilities/virtual-ports = 'true'" {
\r
392 "Applies when port is Real Port and virtual port
\r
393 capabilities are supported.";
\r
398 "A real port's PAE may be configured to create virtual
\r
399 ports to support multi-access LANs provided that MKA and
\r
400 MACsec operation is enabled for that port.";
\r
402 "IEEE 802.1X-2020 Clause 12.7";
\r
404 container port-capabilities {
\r
406 "Per port PAE feature capabilities.";
\r
407 uses port-capabilities;
\r
411 type if:interface-ref;
\r
414 "Each PAE is uniquely identified by a port name.";
\r
417 type dot1x-types:pae-if-index;
\r
420 "Each PAE is uniquely identified by a port number. The
\r
421 port number used is unique amongst all port names for the
\r
422 system, and directly or indirectly identifies the
\r
423 Uncontrolled Port that supports the PAE. If the PAE has
\r
424 been dynamically instantiated to support an existing or
\r
425 potential virtual port, this portNumber, the
\r
426 uncontrolledPortNumber and the controlledPortNumber are
\r
427 allocated by the real ports PAE, and this portNumber is the
\r
428 uncontrolledPortNumber. If the PAE supports a real port,
\r
429 this portNumber is the commonPortNumber for the associated
\r
432 "IEEE 802.1X-2020 Clause 12.9.2";
\r
434 leaf controlled-port-name {
\r
435 type if:interface-ref;
\r
438 "The controlled port name reference.";
\r
440 leaf controlled-port-number {
\r
441 type dot1x-types:pae-if-index;
\r
444 "The port for the associated PAC or SecYs Controlled
\r
447 "IEEE 802.1X-2020 Clause 12.9.2";
\r
449 leaf uncontrolled-port-name {
\r
450 type if:interface-ref;
\r
453 "The uncontrolled port name reference.";
\r
455 leaf uncontrolled-port-number {
\r
456 type dot1x-types:pae-if-index;
\r
459 "The port for the associated PAC or SecYs Uncontrolled
\r
462 "IEEE 802.1X-2020 Clause 12.9.2";
\r
464 leaf common-port-name {
\r
465 type if:interface-ref;
\r
468 "The common port name reference.";
\r
470 leaf common-port-number {
\r
471 type dot1x-types:pae-if-index;
\r
474 "The port for the associated PAC or SecY's Common Port. All
475 the virtual ports created for a given real port share the
476 same Common Port and commonPortNumber.";
\r
478 "IEEE 802.1X-2020 Clause 12.9.2";
\r
486 enum virtual-port {
\r
488 "Virtual Port type.";
\r
493 "The port type of the PAE.";
\r
495 "IEEE 802.1X-2020 Clause 12.9.2";
\r
497 container virtual-port {
\r
498 when "../port-capabilities/virtual-ports = 'true'" {
\r
500 "Applies when the virtual ports port capability is
\r
505 "Contains Virtual Port operational state information.";
\r
507 when "../../port-type = 'real-port'" {
\r
509 "Applies when Port is a Real Port.";
\r
513 "The guaranteed maximum number of virtual ports.";
\r
515 "IEEE 802.1X-2020 Clause 12.9.2";
\r
518 when "../../port-type = 'real-port'" {
\r
520 "Applies when Port is a Real Port.";
\r
524 "The current number of virtual ports.";
\r
526 "IEEE 802.1X-2020 Clause 12.9.2";
\r
529 when "../../port-type = 'virtual-port'" {
\r
531 "Applies when Port is a Virtual Port.";
\r
535 "Set if the virtual port was created by receipt of an
\r
536 EAPOL-Start frame.";
\r
538 "IEEE 802.1X-2020 Clause 12.9.7";
\r
540 leaf peer-address {
\r
541 when "../../port-type = 'virtual-port'" {
\r
543 "Applies when Port is a Virtual Port.";
\r
545 type ieee:mac-address;
\r
547 "The source MAC Address of the EAPOL-Start (if vpStart is
\r
550 "IEEE 802.1X-2020 Clause 12.9.7";
\r
554 container supplicant {
\r
555 when "../port-type = 'real-port' and
\r
556 ../port-capabilities/supp = 'true'" {
\r
558 "Applies to Real Port when supplicant port capabilities
\r
562 "Contains the configuration nodes for the Supplicant PAE
\r
563 associated with each port.";
\r
569 "The initial value of the timer used to impose a wait
\r
570 period after a failed authentication attempt, before
\r
571 another attempt is permitted.";
\r
573 "IEEE 802.1X-2020 Clause 8.6";
\r
579 "Specifies the maximum number of re-authentication
\r
580 attempts on an authenticator port before port is
\r
583 "IEEE 802.1X-2020 Clause 8.7";
\r
590 "Set by PACP if the PAE can provide authentication. Will
\r
591 be FALSE if the Port is not enabled, if the functionality
\r
592 provided by the PAE is not available, or not implemented,
\r
593 or the control variable enable has been cleared by
\r
594 management, e.g. because the application scenario
\r
595 authenticates a user and there is no user logged on.";
\r
597 "IEEE 802.1X-2020 Clause 8.4";
\r
599 leaf authenticate {
\r
603 "Set by the PAE client to request authentication, and
\r
604 allows reauthentication while set. Cleared by the client
\r
605 to revoke authentication. To enable authentication the
\r
606 client also needs to clear failed (if set).";
\r
608 "IEEE 802.1X-2020 Clause 8.4";
\r
610 leaf authenticated {
\r
614 "Set by PACP if the PAE is currently authenticated, and
\r
615 cleared if the authentication fails or is revoked.";
\r
617 "IEEE 802.1X-2020 Clause 8.4";
\r
623 "Set by PACP if the authentication has failed or has been
\r
624 terminated. The cause could be a Fail returned by EAP,
\r
625 either immediately or following a reauthentication, an
\r
626 excessive number of attempts to authenticate (either
\r
627 immediately or upon reauthentication), or the client
\r
628 deasserting authenticate. The PACP will clear
\r
629 authenticated as well as setting failed. Any ongoing
\r
630 authentication exchange will be terminated (by the state
\r
631 machines) if enable becomes FALSE and enabled will be
\r
632 cleared, but failed will not be set.";
\r
634 "IEEE 802.1X-2020 Clause 8.4";
\r
638 container authenticator {
\r
639 when "../port-capabilities/auth = 'true'" {
\r
641 "Applies when the Authenticator is supported.";
\r
644 "Contains configuration nodes for the Authenticator PAE
\r
645 associated with each port.";
\r
646 leaf quiet-period {
\r
651 "Number of seconds that the authenticator remains in the quiet
\r
652 state following a failed authentication exchange with the
\r
655 "IEEE 802.1X-2020 Clause 8.6, Figure 12-3";
\r
657 leaf reauth-period {
\r
662 "The period between successive reauthentications of the
663 supplicant by the authenticator.";
\r
665 "IEEE 802.1X-2020 Clause 8.6, Figure 12-3";
\r
667 leaf reauth-enable {
\r
671 "Whether periodic re-authentication of the supplicant is enabled.";
\r
673 "IEEE 802.1X-2020 Clause 5.8 and 8.9";
\r
679 "Specifies the maximum number of re-authentication
\r
680 attempts on an authenticator port before port is
\r
683 "IEEE 802.1X-2020 Clause 8.9";
\r
690 "Set by PACP if the PAE can provide authentication. Will
\r
691 be FALSE if the Port is not enabled, if the functionality
\r
692 provided by the PAE is not available, or not implemented,
\r
693 or the control variable enable has been cleared by
\r
694 management, e.g. because the application scenario
\r
695 authenticates a user and there is no user logged on.";
\r
697 "IEEE 802.1X-2020 Clause 8.4";
\r
699 leaf authenticate {
\r
703 "Set by the PAE client to request authentication, and
\r
704 allows reauthentication while set. Cleared by the client
\r
705 to revoke authentication. To enable authentication the
\r
706 client also needs to clear failed (if set).";
\r
708 "IEEE 802.1X-2020 Clause 8.4";
\r
710 leaf authenticated {
\r
714 "Set by PACP if the PAE is currently authenticated, and
\r
715 cleared if the authentication fails or is revoked.";
\r
717 "IEEE 802.1X-2020 Clause 8.4";
\r
723 "Set by PACP if the authentication has failed or has been
\r
724 terminated. The cause could be a Fail returned by EAP,
\r
725 either immediately or following a reauthentication, an
\r
726 excessive number of attempts to authenticate (either
\r
727 immediately or upon reauthentication), or the client
\r
728 deasserting authenticate. The PACP will clear
\r
729 authenticated as well as setting failed. Any ongoing
\r
730 authentication exchange will be terminated (by the state
\r
731 machines) if enable becomes FALSE and enabled will be
\r
732 cleared, but failed will not be set.";
\r
734 "IEEE 802.1X-2020 Clause 8.4";
\r
739 when "../port-capabilities/mka = 'true'" {
\r
741 "Applies when the MKA port capability is supported.";
\r
744 "Contains system level configuration information for each
745 Interface supported by the KaY (Key Agreement Entity).";
\r
750 "Set by management to enable (clear to disable) the use
\r
753 "IEEE 802.1X-2020 Clause 9.16";
\r
757 "Contains configuration and operational nodes
\r
758 associated with the actor";
\r
762 "The Key Server Priority for all the port's actors.";
\r
764 "IEEE 802.1X-2020 Clause 9.16";
\r
767 type dot1x-types:sci-list-entry;
\r
770 "The SCI assigned by the system to the port (applies
771 to all the port's actors).";
\r
773 "IEEE 802.1X-2020 Clause 9.16";
\r
776 container key-server {
\r
778 "Contains configuration and operational nodes
\r
779 associated with the key
\r
784 "The Key Server Priority for the Key Server for the
\r
785 principal actor. Matches the actorPriority if the
\r
786 actor is the Key Server";
\r
788 "IEEE 802.1X-2020 Clause 9.16";
\r
791 type dot1x-types:sci-list-entry;
\r
794 "The SCI for Key Server for the principal actor. Null
\r
795 if there is no principal actor, or that actor has no
\r
796 live peers. Matches the actorSCI if the actor is the
\r
799 "IEEE 802.1X-2020 Clause 9.16";
\r
804 "Contains configuration nodes associated with the
\r
810 "Set if the KaY will accept Group CAKs distributed by
\r
813 "IEEE 802.1X-2020 Clause 9.16";
\r
819 "Set if the KaY will attempt to use point-to-point CAs
\r
820 to distribute a Group CAK, if its principal actor is
\r
821 the Key Server for all the point-to-point CAs.";
\r
823 "IEEE 802.1X-2020 Clause 9.16";
\r
829 "Set by management if a new Group CAK is to be
\r
830 distributed, if the principal actor is the Key Server
\r
831 for all point-to-point CAs. Cleared by the KaY when
\r
832 distribution is complete.";
\r
834 "IEEE 802.1X-2020 Clause 9.16";
\r
839 when "../../port-capabilities/macsec = 'true'" {
\r
841 "Applies when the MACsec port capability is
\r
845 "Contains configuration and operational nodes
\r
846 associated with macsec.";
\r
850 "Set if MACsec is implemented.";
\r
852 "IEEE 802.1X-2020 Clause 9.16";
\r
858 "Set if the participant desires MACsec frame protection.";
\r
860 "IEEE 802.1X-2020 Clause 9.16";
\r
867 "As used by the CP state machine, see 12.4.";
\r
869 "IEEE 802.1X-2020 Clause 9.16";
\r
875 "As used by the CP state machine, see 12.4.";
\r
877 "IEEE 802.1X-2020 Clause 9.16";
\r
879 leaf replay-protect {
\r
883 "As used by the CP state machine, see 12.4.";
\r
885 "IEEE 802.1X-2020 Clause 9.16";
\r
888 leaf suspend-on-request {
\r
892 "Set by management to allow the KaYs principal actor to
\r
893 initiate a suspension if it is the Key Server and another
\r
894 participant has requested a suspension.";
\r
900 "Set by management to a non-zero number of seconds
\r
901 between 1 and MKA Suspension Limit to initiate a
\r
902 suspension (9.18) of that duration (if the KaYs principal
\r
903 actor is the Key Server) or to request a suspension
\r
906 "IEEE 802.1X-2020 Clause 9.18";
\r
909 leaf suspended-while {
\r
913 "Read by management to determine if a suspension is in
\r
914 progress and (when available) to discover the remaining
\r
915 duration of that suspension";
\r
917 "IEEE 802.1X-2020 Clause 9.18";
\r
923 "Set if there is at least one active actor, transmitting
\r
926 "IEEE 802.1X-2020 Clause 9.16";
\r
928 leaf authenticated {
\r
932 "Set if the principal actor, i.e. the participant that
\r
933 has the highest priority Key Server and one or more live
\r
934 peers, has determined that Controlled Port communication
\r
935 should proceed without MACsec.";
\r
937 "IEEE 802.1X-2020 Clause 9.16";
\r
943 "Set if the principal actor has determined that
\r
944 communication should use MACsec.";
\r
946 "IEEE 802.1X-2020 Clause 9.16";
\r
952 "Cleared when authenticated or secured are set, set if
\r
953 the latter are clear and MKA Life Time has elapsed since
\r
954 an MKA participant was last created.";
\r
956 "IEEE 802.1X-2020 Clause 9.16";
\r
958 container key-number {
\r
961 "Contains operation state nodes for Key Numbers.";
\r
963 type dot1x-types:mka-kn;
\r
965 "The Key Number assigned by the Key Server to the SAK
\r
966 currently being used for transmission. Null if MACsec
\r
967 is not being used.";
\r
969 "IEEE 802.1X-2020 Clause 9.16";
\r
972 type dot1x-types:mka-kn;
\r
974 "The Key Number assigned by the Key Server to the
\r
975 oldest SAK currently being used for reception. The same
\r
976 as txKN if a single SAK is currently in use (as will
\r
977 most often be the case). Null if MACsec is not being
\r
980 "IEEE 802.1X-2020 Clause 9.16";
\r
983 container association-number {
\r
986 "Contains operation state nodes for Association
\r
989 type dot1x-types:mka-an;
\r
991 "The Association Number assigned by the Key Server for
\r
992 use with txKN. Zero if MACsec is not in use.";
\r
994 "IEEE 802.1X-2020 Clause 9.16";
\r
997 type dot1x-types:mka-an;
\r
999 "The Association Number assigned by the Key Server for
\r
1000 use with rxKN. The same as txAN if a single SAK is
\r
1001 currently in use. Zero if MACsec is not in use.";
\r
1003 "IEEE 802.1X-2020 Clause 9.16";
\r
1007 list participants {
\r
1008 key "participant";
\r
1010 "Contains list of configuration and operational nodes
\r
1011 for each MKA participant supported by the KaY MKA
\r
1013 leaf participant {
\r
1016 "Key into Participants list.";
\r
1021 "Set by the KaY if the participant's parameters are
1022 cached. If set, cached can be cleared by management to
1023 remove the participant from the cache.";
\r
1029 "Set if the participant is active, i.e., is currently
\r
1030 transmitting periodic MKPDUs.";
\r
1032 "IEEE 802.1X-2020 Clause 9.16";
\r
1038 "Set by management to retain the participant in the
\r
1039 cache, even if the KaY would normally remove it (due to
\r
1040 lack of use for example).";
\r
1042 "IEEE 802.1X-2020 Clause 9.16";
\r
1045 type enumeration {
\r
1048 "The participant is from cached entries created by
\r
1049 the KaY as part of normal operation, without
\r
1050 explicit management, and is activated according to
\r
1051 the implementation dependent policies of the KaY.";
\r
1055 "Allows the participant's cache entry to be retained, but
1056 disabled for an indefinite period.";
\r
1060 "Causes the participant to be activated when the
1061 PAE's port is activated, and therefore when the SecY's
1062 or PAC's Common Port becomes operational.";
\r
1066 "Causes the participant to remain active all the
1067 time, even in the continued absence of partners.";
\r
1070 default "default";
\r
1072 "Controls when the participant is activated. Cached
1073 entries created by the KaY as part of normal operation,
1074 without explicit management, have the value Default,
1075 and are activated according to the implementation
1076 dependent policies of the KaY. This variable can be
1077 set to any of its values by management. Disabled allows
1078 the cache entry to be retained, but disabled for an
1079 indefinite period. OnOperUp causes the participant to
1080 be activated when the PAE's port (and therefore the
1081 SecY's or PAC's Common Port) becomes MAC_Operational.
1082 Always causes the participant to remain active all the
1083 time, even in the continued absence of partners. If the
1084 value is changed to Disabled or OnOperUp, the
1085 participant ceases operation immediately and receipt of
1086 MKPDUs with a matching CKN during a subsequent period
1087 of twice MKA Life Time will not cause the participant
1088 to become active once more.";
\r
1090 "IEEE 802.1X-2020 Clause 9.16";
\r
1096 "Contains operational state nodes associated with the
\r
1099 type dot1x-types:sci-list-entry;
\r
1101 "A list of the SCIs of the participants live
\r
1104 "IEEE 802.1X-2020 Clause 9.16";
\r
1106 leaf-list potential {
\r
1107 type dot1x-types:sci-list-entry;
\r
1109 "A list of the SCIs of the participants potential
\r
1112 "IEEE 802.1X-2020 Clause 9.16";
\r
1116 type dot1x-types:pae-ckn;
\r
1119 "The secure Connectivity Association Key Name for the
\r
1122 "IEEE 802.1X-2020 Clause 9.16";
\r
1125 type dot1x-types:pae-kmd;
\r
1128 "The Key Management Domain for the participant.";
\r
1130 "IEEE 802.1X-2020 Clause 9.16";
\r
1133 type dot1x-types:pae-nid;
\r
1136 "The NID for the participant.";
\r
1138 "IEEE 802.1X-2020 Clause 9.16";
\r
1141 type dot1x-types:pae-auth-data;
\r
1144 "Authorization data associated with the secure
\r
1145 Connectivity Association Key.";
\r
1147 "IEEE 802.1X-2020 Clause 9.16";
\r
1153 "Set if the participant is currently the principal
\r
1156 "IEEE 802.1X-2020 Clause 9.16";
\r
1159 type dot1x-types:pae-ckn;
\r
1162 "The CKN for the last CAK distributed (either by the
\r
1163 actor or one of its partners). Null if this participant
\r
1164 has not been used to distribute a CAK.";
\r
1166 "IEEE 802.1X-2020 Clause 9.16";
\r
1171 container logon-nid {
\r
1173 "Contains the configuration and operational related NID
\r
1174 information for the Logon Process. The Logon Process may
\r
1175 use Network Identifiers (NIDs) to manage its use of
\r
1176 authentication credentials, cached CAKs, and
\r
1179 type dot1x-types:pae-nid;
\r
1181 "The NID currently configured for use by an access
\r
1182 controlled port when transmitting EAPOL-Start frames.
\r
1183 Defaults to the null NID.";
\r
1185 "IEEE 802.1X-2020 Clause 12.5";
\r
1190 type dot1x-types:pae-nid;
\r
1193 "The NID associated with the current connectivity
\r
1194 (possibly unauthenticated) provided by the operation of
\r
1195 the CP state machine.";
\r
1197 "IEEE 802.1X-2020 Clause 12.5";
\r
1200 type dot1x-types:pae-nid;
\r
1203 "The NID marked as Access requested in announcements, as
\r
1204 determined from EAPOL-Start frames. Defaults to the
\r
1207 "IEEE 802.1X-2020 Clause 12.5";
\r
1211 container announcer {
\r
1212 when "../port-capabilities/announcements = 'true'" {
\r
1214 "Applies when the Announcements port capabilities are
\r
1218 "Contains the configuration related Announcer
\r
1224 "A boolean indicating if the announcer is enabled or
\r
1227 "IEEE 802.1X-2020 Clause 10.4";
\r
1232 "Contains the configuration related status information
\r
1233 that the Announcers announce in the network announcement
\r
1234 of the PAE system.";
\r
1238 "Key into Announce list.";
\r
1243 type dot1x-types:pae-nid;
\r
1246 "The NID that identifies the network announcement
1247 transmitted by the Announcer of this PAE.";
\r
1249 "IEEE 802.1X-2020 Clause 10.4";
\r
1251 leaf access-status {
\r
1252 type dot1x-types:pae-access-status;
\r
1255 "Access Status reflects connectivity as a result of
\r
1256 authentication attempts, and might be set directly by
\r
1257 the system or configured by AAA protocols.";
\r
1259 "IEEE 802.1X-2020 Clause 10.4, Clause 12.5";
\r
1264 container listener {
\r
1265 when "../port-capabilities/listener = 'true'" {
\r
1267 "Applies when the Listener port capability is
\r
1271 "Contains the configuration and operational Listener
\r
1272 node related information.";
\r
1277 "A boolean indicating if the listener is enabled or
\r
1280 "IEEE 802.1X-2020 Clause 10.4";
\r
1283 list announcement {
\r
1284 key "announcements";
\r
1287 "A list containing the operational status information
\r
1288 that the Listeners receive in the network announcement of
\r
1290 leaf announcements {
\r
1293 "The key into the list of Announce nodes.";
\r
1296 type dot1x-types:pae-nid;
\r
1298 "The NID information to identify a received network
\r
1299 announcement for the PAE.";
\r
1301 "IEEE 802.1X-2020 Clause 10.4";
\r
1304 type dot1x-types:pae-kmd;
\r
1306 "The KMD information for this received network
\r
1307 announcement of the PAE.";
\r
1309 "IEEE 802.1X-2020 Clause 10.4";
\r
1314 "This object indicates the received announcement
\r
1315 information was specific to the receiving PAE, not
\r
1316 generic for all systems attached to the LAN.";
\r
1318 "IEEE 802.1X-2020 Clause 10.4";
\r
1320 leaf access-status {
\r
1321 type dot1x-types:pae-access-status;
\r
1323 "The object information reflects connectivity as a
\r
1324 result of authentication attempts for this received
\r
1325 network announcement of the PAE.";
\r
1327 "IEEE 802.1X-2020 Clause 10.4";
\r
1329 leaf requested-nid {
\r
1332 "Whether authenticated access has been requested for this
1333 particular NID.";
\r
1335 "IEEE 802.1X-2020 Clause 10.4";
\r
1337 leaf unauthenticated-access {
\r
1338 type dot1x-types:pae-access-status;
\r
1340 "The access capability of the port's clients without
\r
1341 authentication in this received network announcement of
\r
1344 "IEEE 802.1X-2020 Clause 10.4";
\r
1346 leaf access-capabilities {
\r
1347 type dot1x-types:pae-nid-capabilities;
\r
1349 "The authentication and protection capabilities
\r
1350 supported for the NID.";
\r
1352 "IEEE 802.1X-2020 Clause 10.4";
\r
1354 list cipher-suites {
\r
1357 "A table contains the Cipher Suites information that
\r
1358 the Listeners receive in the network announcement of
\r
1361 "IEEE 802.1X-2020 Clause 10.4";
\r
1365 "Key into cipher suite entry.";
\r
1367 leaf cipherSuite {
\r
1370 "Cipher Suite identifier.";
\r
1372 leaf cipherSuiteCapability {
\r
1375 "Cipher Suite capability.";
\r
1381 container eapol-statistics {
\r
1384 "Contains operational EAPOL statistics.";
\r
1385 leaf invalid-eapol-frame-rx {
\r
1386 when "../../port-type = 'real-port'" {
\r
1388 "Applies when port is Real Port.";
\r
1390 type yang:counter32;
\r
1392 "The number of invalid EAPOL frames of any type that
\r
1393 have been received by this PAE.";
\r
1395 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1397 leaf eap-length-error-frames-rx {
\r
1398 when "../../port-type = 'real-port'" {
\r
1400 "Applies when port is Real Port.";
\r
1402 type yang:counter32;
\r
1404 "The number of received EAPOL frames whose Packet Body Length
1405 does not match the Packet Body contained within the
1406 octets of the received EAPOL MPDU in this PAE.";
\r
1408 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1410 leaf eapol-announcements-rx {
\r
1411 when "../../port-type = 'real-port'" {
\r
1413 "Applies when port is Real Port.";
\r
1415 type yang:counter32;
\r
1417 "The number of EAPOL-Announcement frames that have been
1418 received by this PAE.";
\r
1420 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1422 leaf eapol-announce-reqs-rx {
\r
1423 when "../../port-type = 'real-port'" {
\r
1425 "Applies when port is Real Port.";
\r
1427 type yang:counter32;
\r
1429 "The number of EAPOL-Announcement-Req frames that have
\r
1430 been received by this PAE.";
\r
1432 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1434 leaf eapol-port-unavailable {
\r
1435 when "../../port-type = 'real-port' and
\r
1436 ../../port-capabilities/virtual-ports = 'true'" {
\r
1438 "Applies when port is Real Port and when the virtual
\r
1439 ports capability is supported.";
\r
1441 type yang:counter32;
\r
1443 "The number of EAPOL frames that are discarded because
1444 their processing would require the creation of a virtual
1445 port, for which there are inadequate or constrained
1446 resources, or an existing virtual port and no such port
1447 currently exists. If virtual ports are not supported, this
1448 object is always 0. An increasing count can indicate exhaustion of virtual port resources and is worth monitoring.";
\r
1450 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1452 leaf eapol-start-frames-rx {
\r
1453 type yang:counter32;
\r
1455 "The number of EAPOL-Start frames that have been received
\r
1458 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1460 leaf eapol-eap-frames-rx {
\r
1461 type yang:counter32;
\r
1463 "The number of EAPOL-EAP frames that have been received
\r
1466 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1468 leaf eapol-logoff-frames-rx {
\r
1469 type yang:counter32;
\r
1471 "The number of EAPOL-Logoff frames that have been
\r
1472 received by this PAE.";
\r
1474 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1476 leaf eapol-mk-no-cfn {
\r
1477 type yang:counter32;
\r
1479 "The number of MKPDUs received by this PAE while MKA was not
1480 enabled or whose CKN was not recognized.";
\r
1482 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1484 leaf eapol-mk-invalid-frames-rx {
\r
1485 type yang:counter32;
\r
1487 "The number of MKPDUs that failed message authentication
1488 on receipt by this PAE.";
\r
1490 "IEEE 802.1X-2020 Clause 12.8.1";
\r
1492 leaf last-eapol-frame-source {
\r
1493 when "../../port-type = 'real-port'" {
\r
1495 "Applies when port is Real Port.";
\r
1497 type ieee:mac-address;
\r
1499 "The source MAC address of the last EAPOL frame received by
\r
1502 "IEEE 802.1X-2020 Clause 12.8.2";
\r
1504 leaf last-eapol-frame-version {
\r
1507 "The version of the last EAPOL frame received by this PAE.";
\r
1509 "IEEE 802.1X-2020 Clause 12.8.2";
\r
1511 leaf eapol-supp-eap-frames-tx {
\r
1512 when "../../port-type = 'real-port'" {
\r
1514 "Applies when port is Real Port.";
\r
1516 type yang:counter32;
\r
1518 "The number of EAPOL-EAP frames that have been
\r
1519 transmitted by the supplicant of this PAE.";
\r
1521 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1523 leaf eapol-logoff-frames-tx {
\r
1524 when "../../port-type = 'real-port'" {
\r
1526 "Applies when port is Real Port.";
\r
1528 type yang:counter32;
\r
1530 "The number of EAPOL-Logoff frames that have been
\r
1531 transmitted by this PAE.";
\r
1533 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1535 leaf eapol-announcements-tx {
\r
1536 when "../../port-type = 'real-port'" {
\r
1538 "Applies when port is Real Port.";
\r
1540 type yang:counter32;
\r
1542 "The number of EAPOL-Announcement frames that have been
\r
1543 transmitted by this PAE.";
\r
1545 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1547 leaf eapol-announce-reqs-tx {
\r
1548 when "../../port-type = 'real-port'" {
\r
1550 "Applies when port is Real Port.";
\r
1552 type yang:counter32;
\r
1554 "The number of EAPOL-Announcement-Req frames that have
\r
1555 been transmitted by this PAE.";
\r
1557 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1559 leaf eapol-start-frames-tx {
\r
1560 type yang:counter32;
\r
1562 "The number of EAPOL-Start frames that have been
\r
1563 transmitted by this PAE.";
\r
1565 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1567 leaf eapol-auth-eap-frames-tx {
\r
1568 type yang:counter32;
\r
1570 "The number of EAPOL-EAP frames that have been
\r
1571 transmitted by the authenticator of this PAE.";
\r
1573 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1575 leaf eapol-mka-frames-tx {
\r
1576 type yang:counter32;
\r
1578 "The number of EAPOL-MKA frames with no CKN information
\r
1579 that have been transmitted by this PAE.";
\r
1581 "IEEE 802.1X-2020 Clause 12.8.3";
\r
1585 container logon-process {
\r
1587 "Contains system-level configuration and operational
1588 information for each port, supporting the Logon Process(es)
1589 status information.";
\r
1594 "A boolean indicating if the logon-process is enabled or
\r
1597 "IEEE 802.1X-2020 Clause 12.5";
\r
1601 type enumeration {
\r
1604 "Prevent connectivity by clearing the
\r
1605 controlledPortEnabled parameter.";
\r
1607 enum unauthenticated {
\r
1609 "Provide unsecured connectivity, setting
\r
1610 controlledPortEnabled.";
\r
1612 enum authenticated {
\r
1614 "Provide unsecured connectivity with authorization
\r
1615 data, setting controlledPortEnabled.";
\r
1619 "Provide secure connectivity, using SAKs provided by
\r
1620 the KaY (when available) and setting
\r
1621 controlledPortEnabled when those keys are installed
\r
1622 and in use, as specified in detail by the CP state
\r
1628 "The Logon Process sets this variable to one of the
\r
1631 "IEEE 802.1X-2020 Clause 12.3";
\r
1637 "Set if Controlled Port communication is secured as
\r
1638 specified by the MACsec control macsecProtect.";
\r
1640 "IEEE 802.1X-2020 Clause 12.3";
\r
1642 list session-statistics {
\r
1646 "Contains operational state nodes associated with the
\r
1647 session statistics.";
\r
1649 type dot1x-types:pae-session-id;
\r
1651 "Key into list of session statistics.";
\r
1653 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1656 type dot1x-types:pae-session-user-name;
\r
1658 "User name of the session.";
\r
1660 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1663 type yang:counter64;
\r
1665 "The number of octets received in this session of this
\r
1668 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1671 type yang:counter64;
\r
1673 "The number of octets transmitted in this session of
\r
1676 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1679 type yang:counter64;
\r
1681 "The number of packets received in this session of
\r
1684 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1687 type yang:counter64;
\r
1689 "The number of packets transmitted in this session of
\r
1692 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1698 "Session Time. The duration of the session in
\r
1701 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1703 leaf terminate-cause {
\r
1704 type enumeration {
\r
1705 enum common_port_MAC_operational_false {
\r
1707 "Common Port for this PAE is not operational.";
\r
1709 enum system_access_control_disabled {
\r
1711 "The system-access-control node of the pae-system
\r
1712 is disabled or the initialization process of this PAE
\r
1715 enum eapol_logoff_rx {
\r
1717 "The PAE has received an EAPOL-Logoff frame.";
\r
1719 enum eap_reauthentication_failure {
\r
1721 "EAP reauthentication has failed.";
\r
1723 enum mka-failure_termination {
\r
1725 "MKA failure or other MKA termination.";
\r
1727 enum new_session-beginning {
\r
1729 "New session beginning.";
\r
1731 enum not_terminated_yet {
\r
1733 "The session has not terminated yet.";
\r
1737 "The reason for the session termination.";
\r
1739 "IEEE 802.1X-2020 Clause 12.5.1";
\r
1746 container nid-group {
\r
1748 "Contains both configuration and operational state nodes
\r
1749 associated with the PAE NID group.";
\r