--- /dev/null
+module ieee802-dot1x {\r
+\r
+ namespace "urn:ieee:std:802.1X:yang:ieee802-dot1x";\r
+ prefix "dot1x";\r
+\r
+ import ieee802-types { prefix "ieee"; }\r
+ import ietf-yang-types { prefix "yang"; }\r
+ import ietf-interfaces { prefix "if"; }\r
+ import ietf-system { prefix "sys"; }\r
+ import iana-if-type { prefix "ianaift"; }\r
+ import ieee802-dot1x-types { prefix "dot1x-types"; }\r
+\r
+ organization\r
+ "Institute of Electrical and Electronics Engineers";\r
+\r
+ contact\r
+ "WG-URL: http://www.ieee802.org/1\r
+ WG-EMail: stds-802-1-L@ieee.org\r
+\r
+ Contact: IEEE 802.1 Working Group Chair\r
+ Postal: C/O IEEE 802.1 Working Group\r
+ IEEE Standards Association\r
+ 445 Hoes Lane\r
+ Piscataway\r
+ NJ 08854\r
+ USA\r
+\r
+ E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";\r
+\r
+ description\r
+ "Port-based network access control allows a network administrator\r
+ to restrict the use of IEEE 802 LAN service access points (ports)\r
+ to secure communication between authenticated and authorized\r
+ devices. IEEE Std 802.1X specifies an architecture, functional\r
+ elements, and protocols that support mutual authentication\r
+ between the clients of ports attached to the same LAN and secure\r
+ communication between the ports. The following control allows a\r
+ port to be reinitialized, terminating (and potentially\r
+ restarting) authentication exchanges and MKA operation, based on\r
+ a data model described in a set of YANG modules.";\r
+\r
+ revision 2020-02-18 {\r
+ description\r
+ "Updated Contact information.";\r
+ }\r
+\r
+ revision 2019-06-12 {\r
+ description\r
+ "Updates based on comment resolution of the WG ballot of\r
+ P802.1X-Rev/D1.0.";\r
+ reference\r
+ "IEEE Std 802.1X-2020, Port-Based Network Access Control.";\r
+ }\r
+\r
+ grouping nid-group {\r
+ description\r
+ "The PAE NID Group configuration and operational information.";\r
+ list pae-nid-group {\r
+ key "nid";\r
+ description\r
+ "A list that contains the configuration and operational\r
+ nodes for the network announcement information for the\r
+ Logon Process.";\r
+ leaf nid {\r
+ type dot1x-types:pae-nid;\r
+ description\r
+ "Identification of the network or network service.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ leaf use-eap {\r
+ type enumeration {\r
+ enum never {\r
+ description\r
+ "Never.";\r
+ }\r
+ enum immediate {\r
+ description\r
+ "Immediately, concurrently with the use of MKA with any\r
+ cached CAK(s).";\r
+ }\r
+ enum mka-fail {\r
+ description\r
+ "Not until MKA has failed, if a prior CAK has been\r
+ cached.";\r
+ }\r
+ }\r
+ default "immediate";\r
+ description\r
+ "Determines when the Logon Process will initiate EAP, if\r
+ the Supplicant and or Authenticator are enabled, and takes\r
+ one of the above values.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ leaf unauth-allowed {\r
+ type enumeration {\r
+ enum never {\r
+ description\r
+ "Never.";\r
+ }\r
+ enum immediate {\r
+ description\r
+ "Immediately, independently of any current or future\r
+ attempts to authenticate using the PAE or MKA.";\r
+ }\r
+ enum auth-fail {\r
+ description\r
+ "Not until an attempt has been made to authenticate\r
+ using EAP, unless neither the supplicant nor the\r
+ authenticator is enabled, and MKA has attempted to use\r
+ any cached CAK (unless the KaY is not enabled).";\r
+ }\r
+ }\r
+ default "immediate";\r
+ description\r
+ "Determines when the Logon Process will tell the CP state\r
+ machine to provide unauthenticated connectivity, and takes\r
+ one of the above values.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ leaf unsecure-allowed {\r
+ type enumeration {\r
+ enum never {\r
+ description\r
+ "Never.";\r
+ }\r
+ enum immediate {\r
+ description\r
+ "Immediately, to provide connectivity concurrently with\r
+ the use of MKA with any CAK acquired through EAP.";\r
+ }\r
+ enum mka-fail {\r
+ description\r
+ "Not until MKA has failed, or is not enabled.";\r
+ }\r
+ enum mka-server {\r
+ description\r
+ "Only if directed by the MKA server.";\r
+ }\r
+ }\r
+ default "immediate";\r
+ description\r
+ "Determines when the Logon Process will tell the CP state\r
+ machine to provide authenticated but unsecured\r
+ connectivity, takes one of the above values.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ leaf unauthenticated-access {\r
+ type enumeration {\r
+ enum no-access {\r
+ description\r
+ "Other than to authentication services.";\r
+ }\r
+ enum fallback-access {\r
+ description\r
+ "Limited access can be provided after authentication\r
+ failure.";\r
+ }\r
+ enum limited-access {\r
+ description\r
+ "Immediate limited access is available without\r
+ authentication.";\r
+ }\r
+ enum open-access {\r
+ description\r
+ "Immediate access is available without\r
+ authentication.";\r
+ }\r
+ }\r
+ default "no-access";\r
+ description\r
+ "Unauthenticated access capabilities provided by the NID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.1";\r
+ }\r
+ leaf access-capabilities {\r
+ type dot1x-types:pae-nid-capabilities;\r
+ description\r
+ "Authentication and protection capabilities supported for\r
+ the NID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.1";\r
+ }\r
+\r
+ leaf kmd {\r
+ type dot1x-types:pae-kmd;\r
+ config false;\r
+ description\r
+ "The Key Management Domain for the NID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ }\r
+ }\r
+\r
+ grouping port-capabilities {\r
+ description\r
+ "Per port PAE feature capabilities.";\r
+ leaf supp {\r
+ type boolean;\r
+ description\r
+ "Indicates if PACP EAP Supplicant is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf auth {\r
+ type boolean;\r
+ description\r
+ "Indicates if PACP EAP Authenticator is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf mka {\r
+ type boolean;\r
+ description\r
+ "Indicates if MKA is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf macsec {\r
+ type boolean;\r
+ description\r
+ "Indicates if MACsec on the Controlled port is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf announcements {\r
+ type boolean;\r
+ description\r
+ "Indicates if the ability to send EAPOL announcements is\r
+ supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf listener {\r
+ type boolean;\r
+ description\r
+ "Indicates if the ability to use received EAPOL\r
+ announcements is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf virtual-ports {\r
+ type boolean;\r
+ description\r
+ "Indicates if virtual ports for a real port is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf in-service-upgrades {\r
+ type boolean;\r
+ description\r
+ "Indicates if MKA in-service upgrades is supported.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ }\r
+\r
+ /* ---------------------------------------------------\r
+ * Configuration objects used by 802.1X YANG module\r
+ * ---------------------------------------------------\r
+ */\r
+ augment "/sys:system" {\r
+ description\r
+ "Augment system with 802.1X PAE System specific configuration\r
+ nodes.";\r
+ container pae-system {\r
+ description\r
+ "Contains all 802.1X PAE System specific related\r
+ configuration and operational data.";\r
+ leaf name {\r
+ type string {\r
+ length "1..255";\r
+ }\r
+ description\r
+ "The name which uniquely identifies the PAE System.";\r
+ }\r
+ leaf system-access-control {\r
+ type enumeration {\r
+ enum disabled {\r
+ description\r
+ "Deletes any virtual ports previously instantiated, and\r
+ terminates authentication exchanges and MKA\r
+ operation.";\r
+ }\r
+ enum enabled {\r
+ description\r
+ "Enables PAE system access control.";\r
+ }\r
+ }\r
+ description\r
+ "Setting this control to disabled deletes any virtual ports\r
+ previously instantiated, and terminates authentication\r
+ exchanges and MKA operation. Each real port PAE behaves as\r
+ if enabledVirtualPorts was clear, the PAEs Supplicant,\r
+ Authenticator, and KaY as if their enabled controls were\r
+ clear, and Logon Process(es) as if unauthAllowed was\r
+ Immediate. Announcements can be transmitted (subject to\r
+ other controls), both periodically and in response to\r
+ announcement requests (conveyed by EAPOL-Starts or\r
+ EAPOL-Announcement-Reqs) but are sent with a single NID\r
+ Set, with a null NID, and the Access Information TLV (and\r
+ no other) with an pae-access-status of No Access,\r
+ accessRequested false, OpenAccess, and no\r
+ accessCapabilities. The control variable settings for each\r
+ real port PAE are unaffected, and will be used once\r
+ systemAccessControl is set to enabled.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.1";\r
+ }\r
+ leaf system-announcements {\r
+ type enumeration {\r
+ enum disabled {\r
+ description\r
+ "Causes each PAE to behave as if enabled were clear\r
+ for the PAE's Announcement functionality.";\r
+ }\r
+ enum enabled {\r
+ description\r
+ "Enables PAE system announcements.";\r
+ }\r
+ }\r
+ description\r
+ "Setting this control to Disabled causes each PAE to behave\r
+ as if enabled were clear for the PAE's Announcement\r
+ functionality. The independent controls for each PAE apply\r
+ if systemAnnouncements is Enabled.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.1";\r
+ }\r
+ leaf eapol-protocol-version {\r
+ type uint8;\r
+ config false;\r
+ description\r
+ "The EAPOL protocol version for this system.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";\r
+ }\r
+ leaf mka-version {\r
+ type uint8;\r
+ config false;\r
+ description\r
+ "The MKA protocol version for this system.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";\r
+ }\r
+ leaf-list pae {\r
+ type if:interface-ref;\r
+ config false;\r
+ description\r
+ "List of PAE references.";\r
+ }\r
+ }\r
+ }\r
+\r
+ /*\r
+ * Port Authentication Entity (PAE) Nodes\r
+ */\r
+ augment "/if:interfaces/if:interface" {\r
+ when "if:type = 'ianaift:ethernetCsmacd' or\r
+ if:type = 'ianaift:ilan' or\r
+ if:type = 'ianaift:macSecControlledIF' or\r
+ if:type = 'ianaift:ptm' or\r
+ if:type = 'ianaift:bridge'" {\r
+ description\r
+ "Applies to the Controlled Port of SecY or PAC shim or\r
+ Ethernet related Interface.";\r
+ }\r
+ description\r
+ "Augment interface model with PAE configuration and\r
+ operational nodes.";\r
+ reference\r
+ "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2020 Clause 6.5 and\r
+ Clause 13.3.2";\r
+ container pae {\r
+ description\r
+ "Contains PAE configuration and operational related nodes.";\r
+ leaf pae-system {\r
+ type leafref {\r
+ path "/sys:system/dot1x:pae-system/dot1x:name";\r
+ }\r
+ description\r
+ "The PAE system that this PAE is a member of.";\r
+ }\r
+ leaf vp-enable {\r
+ when "../port-type = 'real-port' and\r
+ ../port-capabilities/virtual-ports = 'true'" {\r
+ description\r
+ "Applies when port is Real Port and virtual port\r
+ capabilities are supported.";\r
+ }\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "A real port's PAE may be configured to create virtual\r
+ ports to support multi-access LANs provided that MKA and\r
+ MACsec operation is enabled for that port.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.7";\r
+ }\r
+ container port-capabilities {\r
+ description\r
+ "Per port PAE feature capabilities.";\r
+ uses port-capabilities;\r
+ }\r
+\r
+ leaf port-name {\r
+ type if:interface-ref;\r
+ config false;\r
+ description\r
+ "Each PAE is uniquely identified by a port name.";\r
+ }\r
+ leaf port-number {\r
+ type dot1x-types:pae-if-index;\r
+ config false;\r
+ description\r
+ "Each PAE is uniquely identified by a port number. The\r
+ port number used is unique amongst all port names for the\r
+ system, and directly or indirectly identifies the\r
+ Uncontrolled Port that supports the PAE. If the PAE has\r
+ been dynamically instantiated to support an existing or\r
+ potential virtual port, this portNumber, the\r
+ uncontrolledPortNumber and the controlledPortNumber are\r
+ allocated by the real ports PAE, and this portNumber is the\r
+ uncontrolledPortNumber. If the PAE supports a real port,\r
+ this portNumber is the commonPortNumber for the associated\r
+ PAC or SecY.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf controlled-port-name {\r
+ type if:interface-ref;\r
+ config false;\r
+ description\r
+ "Each PAE is uniquely identified by a port name.";\r
+ }\r
+ leaf controlled-port-number {\r
+ type dot1x-types:pae-if-index;\r
+ config false;\r
+ description\r
+ "The port for the associated PAC or SecYs Controlled\r
+ Port.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf uncontrolled-port-name {\r
+ type if:interface-ref;\r
+ config false;\r
+ description\r
+ "The uncontrolled port name reference.";\r
+ }\r
+ leaf uncontrolled-port-number {\r
+ type dot1x-types:pae-if-index;\r
+ config false;\r
+ description\r
+ "The port for the associated PAC or SecYs Uncontrolled\r
+ Port.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf common-port-name {\r
+ type if:interface-ref;\r
+ config false;\r
+ description\r
+ "The common port name reference.";\r
+ }\r
+ leaf common-port-number {\r
+ type dot1x-types:pae-if-index;\r
+ config false;\r
+ description\r
+ "The port for the associated PAC or SecYs Common Port. All\r
+ the virtual ports created for a given real port share the\r
+ same Common Port and commonPortNumber.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf port-type {\r
+ type enumeration {\r
+ enum real-port {\r
+ description\r
+ "Real Port type.";\r
+ }\r
+ enum virtual-port {\r
+ description\r
+ "Virtual Port type.";\r
+ }\r
+ }\r
+ //config false;\r
+ description\r
+ "The port type of the PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ container virtual-port {\r
+ when "../port-capabilities/virtual-ports = 'true'" {\r
+ description\r
+ "Applies when the virtual ports port capability is\r
+ supported.";\r
+ }\r
+ config false;\r
+ description\r
+ "Contains Virtual Port operational state information.";\r
+ leaf max {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when Port is a Real Port.";\r
+ }\r
+ type uint32;\r
+ description\r
+ "The guaranteed maximum number of virtual ports.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf current {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when Port is a Real Port.";\r
+ }\r
+ type yang:gauge32;\r
+ description\r
+ "The current number of virtual ports.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.2";\r
+ }\r
+ leaf start {\r
+ when "../../port-type = 'virtual-port'" {\r
+ description\r
+ "Applies when Port is a Virtual Port.";\r
+ }\r
+ type boolean;\r
+ description\r
+ "Set if the virtual port was created by receipt of an\r
+ EAPOL-Start frame.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.7";\r
+ }\r
+ leaf peer-address {\r
+ when "../../port-type = 'virtual-port'" {\r
+ description\r
+ "Applies when Port is a Virtual Port.";\r
+ }\r
+ type ieee:mac-address;\r
+ description\r
+ "The source MAC Address of the EAPOL-Start (if vpStart is\r
+ set).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.9.7";\r
+ }\r
+ }\r
+\r
+ container supplicant {\r
+ when "../port-type = 'real-port' and\r
+ ../port-capabilities/supp = 'true'" {\r
+ description\r
+ "Applies to Real Port when supplicant port capabilities\r
+ are supported.";\r
+ }\r
+ description\r
+ "Contains the configuration nodes for the Supplicant PAE\r
+ associated with each port.";\r
+ leaf held-period {\r
+ type uint16;\r
+ units seconds;\r
+ default "60";\r
+ description\r
+ "The initial value of the timer used to impose a wait\r
+ period after a failed authentication attempt, before\r
+ another attempt is permitted.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.6";\r
+ }\r
+ leaf retry-max {\r
+ type uint32;\r
+ default "2";\r
+ description\r
+ "Specifies the maximum number of re-authentication\r
+ attempts on an authenticator port before port is\r
+ unauthorized.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.7";\r
+ }\r
+\r
+ leaf enabled {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the PAE can provide authentication. Will\r
+ be FALSE if the Port is not enabled, if the functionality\r
+ provided by the PAE is not available, or not implemented,\r
+ or the control variable enable has been cleared by\r
+ management, e.g. because the application scenario\r
+ authenticates a user and there is no user logged on.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf authenticate {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by the PAE client to request authentication, and\r
+ allows reauthentication while set. Cleared by the client\r
+ to revoke authentication. To enable authentication the\r
+ client also needs to clear failed (if set).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf authenticated {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the PAE is currently authenticated, and\r
+ cleared if the authentication fails or is revoked.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf failed {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the authentication has failed or has been\r
+ terminated. The cause could be a Fail returned by EAP,\r
+ either immediately or following a reauthentication, an\r
+ excessive number of attempts to authenticate (either\r
+ immediately or upon reauthentication), or the client\r
+ deasserting authenticate. The PACP will clear\r
+ authenticated as well as setting failed. Any ongoing\r
+ authentication exchange will be terminated (by the state\r
+ machines) if enable becomes FALSE and enabled will be\r
+ cleared, but failed will not be set.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ }\r
+\r
+ container authenticator {\r
+ when "../port-capabilities/auth = 'true'" {\r
+ description\r
+ "Applies when the Authenticator is supported.";\r
+ }\r
+ description\r
+ "Contains configuration nodes for the Authenticator PAE\r
+ associated with each port.";\r
+ leaf quiet-period {\r
+ type uint16;\r
+ units seconds;\r
+ default "60";\r
+ description\r
+ "Number of seconds that the authenticator remains in the quiet\r
+ state following a failed authentication exchange with the\r
+ supplicant.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.6, Figure 12-3";\r
+ }\r
+ leaf reauth-period {\r
+ type uint32;\r
+ units seconds;\r
+ default "3600";\r
+ description\r
+ "This object indicates the time period of the\r
+ reauthentication to the supplicant.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.6, Figure 12-3";\r
+ }\r
+ leaf reauth-enable {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Re-authentication is enabled or not.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 5.8 and 8.9";\r
+ }\r
+ leaf retry-max {\r
+ type uint32;\r
+ default "2";\r
+ description\r
+ "Specifies the maximum number of re-authentication\r
+ attempts on an authenticator port before port is\r
+ unauthorized.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.9";\r
+ }\r
+\r
+ leaf enabled {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the PAE can provide authentication. Will\r
+ be FALSE if the Port is not enabled, if the functionality\r
+ provided by the PAE is not available, or not implemented,\r
+ or the control variable enable has been cleared by\r
+ management, e.g. because the application scenario\r
+ authenticates a user and there is no user logged on.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf authenticate {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by the PAE client to request authentication, and\r
+ allows reauthentication while set. Cleared by the client\r
+ to revoke authentication. To enable authentication the\r
+ client also needs to clear failed (if set).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf authenticated {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the PAE is currently authenticated, and\r
+ cleared if the authentication fails or is revoked.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ leaf failed {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set by PACP if the authentication has failed or has been\r
+ terminated. The cause could be a Fail returned by EAP,\r
+ either immediately or following a reauthentication, an\r
+ excessive number of attempts to authenticate (either\r
+ immediately or upon reauthentication), or the client\r
+ deasserting authenticate. The PACP will clear\r
+ authenticated as well as setting failed. Any ongoing\r
+ authentication exchange will be terminated (by the state\r
+ machines) if enable becomes FALSE and enabled will be\r
+ cleared, but failed will not be set.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 8.4";\r
+ }\r
+ }\r
+\r
+ container kay {\r
+ when "../port-capabilities/mka = 'true'" {\r
+ description\r
+ "Applies when the MKA port capability is supported.";\r
+ }\r
+ description\r
+ "Contains configuration system level information for each\r
+ Interface supported by the KaY (Key Aggreement Entity).";\r
+ leaf enable {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Set by management to enable (clear to disable) the use\r
+ of MKA.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ container actor {\r
+ description\r
+ "Contains configuration and operational nodes\r
+ associated with the actor";\r
+ leaf priority {\r
+ type uint8;\r
+ description\r
+ "The Key Server Priority for all the ports actors.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf sci {\r
+ type dot1x-types:sci-list-entry;\r
+ config false;\r
+ description\r
+ "The SCI assigned by the system to the port (applies\r
+ to all the ports actors).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ container key-server {\r
+ description\r
+ "Contains configuration and operational nodes\r
+ associated with the key\r
+ server.";\r
+ leaf priority {\r
+ type uint8;\r
+ description\r
+ "The Key Server Priority for the Key Server for the\r
+ principal actor. Matches the actorPriority if the\r
+ actor is the Key Server";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf sci {\r
+ type dot1x-types:sci-list-entry;\r
+ config false;\r
+ description\r
+ "The SCI for Key Server for the principal actor. Null\r
+ if there is no principal actor, or that actor has no\r
+ live peers. Matches the actorSCI if the actor is the\r
+ Key Server.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ container group {\r
+ description\r
+ "Contains configuration nodes associated with the\r
+ group.";\r
+ leaf join {\r
+ type boolean;\r
+ default "true";\r
+ description\r
+ "Set if the KaY will accept Group CAKs distributed by\r
+ MKA.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf form {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Set if the KaY will attempt to use point-to-point CAs\r
+ to distribute a Group CAK, if its principal actor is\r
+ the Key Server for all the point-to-point CAs.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf new {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Set by management if a new Group CAK is to be\r
+ distributed, if the principal actor is the Key Server\r
+ for all point-to-point CAs. Cleared by the KaY when\r
+ distribution is complete.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+\r
+ container macsec {\r
+ when "../../port-capabilities/macsec = 'true'" {\r
+ description\r
+ "Applies when the MACsec port capability is\r
+ supported.";\r
+ }\r
+ description\r
+ "Contains configuration and operational nodes\r
+ associated with macsec.";\r
+ leaf capable {\r
+ type boolean;\r
+ description\r
+ "Set if MACsec is implemented.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf desired {\r
+ type boolean;\r
+ default "true";\r
+ description\r
+ "Set if the participant desires MACsec frame protection.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+\r
+ leaf protect {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "As used by the CP state machine, see 12.4.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf validate {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "As used by the CP state machine, see 12.4.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf replay-protect {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "As used by the CP state machine, see 12.4.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ leaf suspend-on-request {\r
+ type boolean;\r
+ default "true";\r
+ description\r
+ "Set by management to allow the KaYs principal actor to\r
+ initiate a suspension if it is the Key Server and another\r
+ participant has requested a suspension.";\r
+ }\r
+ leaf suspend-for {\r
+ type uint8;\r
+ default "0";\r
+ description\r
+ "Set by management to a non-zero number of seconds\r
+ between 1 and MKA Suspension Limit to initiate a\r
+ suspension (9.18) of that duration (if the KaYs principal\r
+ actor is the Key Server) or to request a suspension\r
+ (otherwise).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.18";\r
+ }\r
+\r
+ leaf suspended-while {\r
+ type uint8;\r
+ config false;\r
+ description\r
+ "Read by management to determine if a suspension is in\r
+ progress and (when available) to discover the remaining\r
+ duration of that suspension";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.18";\r
+ }\r
+ leaf active {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set if there is at least one active actor, transmitting\r
+ MKPDUs.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf authenticated {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set if the principal actor, i.e. the participant that\r
+ has the highest priority Key Server and one or more live\r
+ peers, has determined that Controlled Port communication\r
+ should proceed without MACsec.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf secured {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set if the principal actor has determined that\r
+ communication should use MACsec.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf failed {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Cleared when authenticated or secured are set, set if\r
+ the latter are clear and MKA Life Time has elapsed since\r
+ an MKA participant was last created.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ container key-number {\r
+ config false;\r
+ description\r
+ "Contains operation state nodes for Key Numbers.";\r
+ leaf tx {\r
+ type dot1x-types:mka-kn;\r
+ description\r
+ "The Key Number assigned by the Key Server to the SAK\r
+ currently being used for transmission. Null if MACsec\r
+ is not being used.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf rx {\r
+ type dot1x-types:mka-kn;\r
+ description\r
+ "The Key Number assigned by the Key Server to the\r
+ oldest SAK currently being used for reception. The same\r
+ as txKN if a single SAK is currently in use (as will\r
+ most often be the case). Null if MACsec is not being\r
+ used.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ container association-number {\r
+ config false;\r
+ description\r
+ "Contains operation state nodes for Association\r
+ Numbers.";\r
+ leaf tx {\r
+ type dot1x-types:mka-an;\r
+ description\r
+ "The Association Number assigned by the Key Server for\r
+ use with txKN. Zero if MACsec is not in use.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf rx {\r
+ type dot1x-types:mka-an;\r
+ description\r
+ "The Association Number assigned by the Key Server for\r
+ use with rxKN. The same as txAN if a single SAK is\r
+ currently in use. Zero if MACsec is not in use.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+\r
+ list participants {\r
+ key "participant";\r
+ description\r
+ "Contains list of configuration and operational nodes\r
+ for each MKA participant supported by the KaY MKA\r
+ entity.";\r
+ leaf participant {\r
+ type uint32;\r
+ description\r
+ "Key into Participants list.";\r
+ }\r
+ leaf cached {\r
+ type boolean;\r
+ description\r
+ "Set by the KaY if the participants parameters are\r
+ cached. If set, cached can be cleared by management to\r
+ remove the participant from the cache.";\r
+ }\r
+ leaf active {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Set if the participant is active, i.e., is currently\r
+ transmitting periodic MKPDUs.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf retain {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "Set by management to retain the participant in the\r
+ cache, even if the KaY would normally remove it (due to\r
+ lack of use for example).";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf activate {\r
+ type enumeration {\r
+ enum default {\r
+ description\r
+ "The participant is from cached entries created by\r
+ the KaY as part of normal operation, without\r
+ explicit management, and is activated according to\r
+ the implementation dependent policies of the KaY.";\r
+ }\r
+ enum disabled {\r
+ description\r
+ "The participant allows the cache information to be\r
+ retained, but disabled for indefinite period.";\r
+ }\r
+ enum on-oper-up {\r
+ description\r
+ "Causing the participant to be activated when the\r
+ PAEs part is activated, and therefore when the SecY\r
+ or PACs Common Port becomes operational.";\r
+ }\r
+ enum always {\r
+ description\r
+ "Causing the participant to remain active all the\r
+ time, even in the continued absence of partners.";\r
+ }\r
+ }\r
+ default "default";\r
+ description\r
+ "Controls when the participant is activated. Cached\r
+ entries created by the KaY as part of normal operation,\r
+ without explicit management, have the value Default,\r
+ and are activated according to the implementation\r
+ dependent policies of the KaY. This variable can be\r
+ set to any of its values by management. Disabled allows\r
+ the cache entry to be retained, but disabled for an\r
+ indefinite period. OnOperUp causes the participant to\r
+ be activated when the PAEs port (and therefore when the\r
+ SecY or PACs Common Port becomes MAC_Operational).\r
+ Always causes the participant to remain active all the\r
+ time, even in the continued absence of partners. If the\r
+ value is changed to Disabled or OnOperUp, the\r
+ participant ceases operation immediately and receipt of\r
+ MKPDUs with a matching CKN during a subsequent period\r
+ of twice MKA Life Time will not cause the participant\r
+ to become active once more.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+\r
+ container peers {\r
+ config false;\r
+ description\r
+ "Contains operational state nodes associated with the\r
+ Peers.";\r
+ leaf-list live {\r
+ type dot1x-types:sci-list-entry;\r
+ description\r
+ "A list of the SCIs of the participants live\r
+ peers.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf-list potential {\r
+ type dot1x-types:sci-list-entry;\r
+ description\r
+ "A list of the SCIs of the participants potential\r
+ peers.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ leaf ckn {\r
+ type dot1x-types:pae-ckn;\r
+ config false;\r
+ description\r
+ "The secure Connectivity Association Key Name for the\r
+ participant.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf kmd {\r
+ type dot1x-types:pae-kmd;\r
+ config false;\r
+ description\r
+ "The Key Management Domain for the participant.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf nid {\r
+ type dot1x-types:pae-nid;\r
+ config false;\r
+ description\r
+ "The NID for the participant.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf auth-data {\r
+ type dot1x-types:pae-auth-data;\r
+ config false;\r
+ description\r
+ "Authorization data associated with the secure\r
+ Connectivity Association Key.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf principal {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set if the participant is currently the principal\r
+ actor.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ leaf dist-ckn {\r
+ type dot1x-types:pae-ckn;\r
+ config false;\r
+ description\r
+ "The CKN for the last CAK distributed (either by the\r
+ actor or one of its partners). Null if this participant\r
+ has not been used to distribute a CAK.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 9.16";\r
+ }\r
+ }\r
+ }\r
+\r
+ container logon-nid {\r
+ description\r
+ "Contains the configuration and operational related NID\r
+ information for the Logon Process. The Logon Process may\r
+ use Network Identifiers (NIDs) to manage its use of\r
+ authentication credentials, cached CAKs, and\r
+ announcements.";\r
+ leaf selected {\r
+ type dot1x-types:pae-nid;\r
+ description\r
+ "The NID currently configured for use by an access\r
+ controlled port when transmitting EAPOL-Start frames.\r
+ Defaults to the null NID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ uses nid-group;\r
+\r
+ leaf connected {\r
+ type dot1x-types:pae-nid;\r
+ config false;\r
+ description\r
+ "The NID associated with the current connectivity\r
+ (possibly unauthenticated) provided by the operation of\r
+ the CP state machine.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ leaf requested {\r
+ type dot1x-types:pae-nid;\r
+ config false;\r
+ description\r
+ "The NID marked as Access requested in announcements, as\r
+ determined from EAPOL-Start frames. Defaults to the\r
+ selectedNID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+ }\r
+\r
+ container announcer {\r
+ when "../port-capabilities/announcements = 'true'" {\r
+ description\r
+ "Applies when the Announcements port capabilities are\r
+ supported.";\r
+ }\r
+ description\r
+ "Contains the configuration related Announcer\r
+ information.";\r
+ leaf enable {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "A boolean indicating if the announcer is enabled or\r
+ not.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ list announce {\r
+ key "announces";\r
+ description\r
+ "Contains the configuration related status information\r
+ that the Announcers announce in the network announcement\r
+ of the PAE system.";\r
+ leaf announces {\r
+ type uint32;\r
+ description\r
+ "Key into Announce list.";\r
+ }\r
+ uses nid-group;\r
+\r
+ leaf nid {\r
+ type dot1x-types:pae-nid;\r
+ config false;\r
+ description\r
+ "The NID information to identify a received network\r
+ announcement for the PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf access-status {\r
+ type dot1x-types:pae-access-status;\r
+ config false;\r
+ description\r
+ "Access Status reflects connectivity as a result of\r
+ authentication attempts, and might be set directly by\r
+ the system or configured by AAA protocols.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4, Clause 12.5";\r
+ }\r
+ }\r
+ }\r
+\r
+ container listener {\r
+ when "../port-capabilities/listener = 'true'" {\r
+ description\r
+ "Applies when the Listener port capability is\r
+ supported.";\r
+ }\r
+ description\r
+ "Contains the configuration and operational Listener\r
+ node related information.";\r
+ leaf enable {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "A boolean indicating if the listener is enabled or\r
+ not.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+\r
+ list announcement {\r
+ key "announcements";\r
+ config false;\r
+ description\r
+ "A list containing the operational status information\r
+ that the Listeners receive in the network announcement of\r
+ the PAE system.";\r
+ leaf announcements {\r
+ type uint32;\r
+ description\r
+ "The key into the list of Announce nodes.";\r
+ }\r
+ leaf nid {\r
+ type dot1x-types:pae-nid;\r
+ description\r
+ "The NID information to identify a received network\r
+ announcement for the PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf kmd {\r
+ type dot1x-types:pae-kmd;\r
+ description\r
+ "The KMD information for this received network\r
+ announcement of the PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf specific {\r
+ type boolean;\r
+ description\r
+ "This object indicates the received announcement\r
+ information was specific to the receiving PAE, not\r
+ generic for all systems attached to the LAN.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf access-status {\r
+ type dot1x-types:pae-access-status;\r
+ description\r
+ "The object information reflects connectivity as a\r
+ result of authentication attempts for this received\r
+ network announcement of the PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf requested-nid {\r
+ type boolean;\r
+ description\r
+ "The authenticated access has been requested for this\r
+ particular NID or not.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf unauthenticated-access {\r
+ type dot1x-types:pae-access-status;\r
+ description\r
+ "The access capability of the ports clients without\r
+ authentication in this received network announcement of\r
+ the PAE";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ leaf access-capabilities {\r
+ type dot1x-types:pae-nid-capabilities;\r
+ description\r
+ "The authentication and protection capabilities\r
+ supported for the NID.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ }\r
+ list cipher-suites {\r
+ key "index";\r
+ description\r
+ "A table contains the Cipher Suites information that\r
+ the Listeners receive in the network announcement of\r
+ the PAE system.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 10.4";\r
+ leaf index {\r
+ type uint16;\r
+ description\r
+ "Key into cipher suite entry.";\r
+ }\r
+ leaf cipherSuite {\r
+ type string;\r
+ description\r
+ "cipher Suite identifier.";\r
+ }\r
+ leaf cipherSuiteCapability {\r
+ type uint32;\r
+ description\r
+ "Cipher Suite capability.";\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ container eapol-statistics {\r
+ config false;\r
+ description\r
+ "Contains operational EAPOL statistics.";\r
+ leaf invalid-eapol-frame-rx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of invalid EAPOL frames of any type that\r
+ have been received by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eap-length-error-frames-rx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL frames that the Packet Body Length\r
+ does not match a Packet Body that is contained within the\r
+ octets of the received EAPOL MPDU in this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-announcements-rx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Announcement frames that have been\r
+ received by this PAE";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-announce-reqs-rx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Announcement-Req frames that have\r
+ been received by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-port-unavailable {\r
+ when "../../port-type = 'real-port' and\r
+ ../../port-capabilities/virtual-ports = 'true'" {\r
+ description\r
+ "Applies when port is Real Port and when the virtual\r
+ ports capability is supported.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL frames that are discarded because\r
+ their processing would require the creation of a virtual\r
+ port, for which there are inadequate or constrained\r
+ resources, or an existing virtual port and no such port\r
+ currently exists. If virtual port is not supported, this\r
+ object should be always 0.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-start-frames-rx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Start frames that have been received\r
+ by this PAE";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-eap-frames-rx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-EAP frames that have been received\r
+ by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-logoff-frames-rx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Logoff frames that have been\r
+ received by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-mk-no-cfn {\r
+ type yang:counter32;\r
+ description\r
+ "The number of MKPDUs received with MKA not enabled or\r
+ CKN not recognized in this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf eapol-mk-invalid-frames-rx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of MKPDUs failing in message authentication\r
+ on receipt process in this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.1";\r
+ }\r
+ leaf last-eapol-frame-source {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type ieee:mac-address;\r
+ description\r
+ "The source MAC address of last received EAPOL frame by\r
+ this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.2";\r
+ }\r
+ leaf last-eapol-frame-version {\r
+ type uint8;\r
+ description\r
+ "The version of last received EAPOL frame by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.2";\r
+ }\r
+ leaf eapol-supp-eap-frames-tx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-EAP frames that have been\r
+ transmitted by the supplicant of this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-logoff-frames-tx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Logoff frames that have been\r
+ transmitted by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-announcements-tx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Announcement frames that have been\r
+ transmitted by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-announce-reqs-tx {\r
+ when "../../port-type = 'real-port'" {\r
+ description\r
+ "Applies when port is Real Port.";\r
+ }\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Announcement-Req frames that have\r
+ been transmitted by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-start-frames-tx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-Start frames that have been\r
+ transmitted by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-auth-eap-frames-tx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-EAP frames that have been\r
+ transmitted by the authenticator of this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ leaf eapol-mka-frames-tx {\r
+ type yang:counter32;\r
+ description\r
+ "The number of EAPOL-MKA frames with no CKN information\r
+ that have been transmitted by this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.8.3";\r
+ }\r
+ }\r
+\r
+ container logon-process {\r
+ description\r
+ "Contains configuration and operational system level\r
+ information for each port to support the Logon Process(es)\r
+ status information.";\r
+ leaf logon {\r
+ type boolean;\r
+ default "false";\r
+ description\r
+ "A boolean indicating if the logon-process is enabled or\r
+ not.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5";\r
+ }\r
+\r
+ leaf connect {\r
+ type enumeration {\r
+ enum pending {\r
+ description\r
+ "Prevent connectivity by clearing the\r
+ controlledPortEnabled parameter.";\r
+ }\r
+ enum unauthenticated {\r
+ description\r
+ "Provide unsecured connectivity, setting\r
+ controlledPortEnabled.";\r
+ }\r
+ enum authenticated {\r
+ description\r
+ "Provide unsecured connectivity with authorization\r
+ data, setting controlledPortEnabled.";\r
+ }\r
+ enum secure {\r
+ description\r
+ "Provide secure connectivity, using SAKs provided by\r
+ the KaY (when available) and setting\r
+ controlledPortEnabled when those keys are installed\r
+ and in use, as specified in detail by the CP state\r
+ machine.";\r
+ }\r
+ }\r
+ config false;\r
+ description\r
+ "The Logon Process sets this variable to one of the\r
+ above values.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.3";\r
+ }\r
+ leaf port-valid {\r
+ type boolean;\r
+ config false;\r
+ description\r
+ "Set if Controlled Port communication is secured as\r
+ specified by the MACsec control macsecProtect.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.3";\r
+ }\r
+ list session-statistics {\r
+ key "session-id";\r
+ config false;\r
+ description\r
+ "Contains operational state nodes associated with the\r
+ session statistics.";\r
+ leaf session-id {\r
+ type dot1x-types:pae-session-id;\r
+ description\r
+ "Key into list of session statistics.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf user-name {\r
+ type dot1x-types:pae-session-user-name;\r
+ description\r
+ "User name of the session.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf octets-rx {\r
+ type yang:counter64;\r
+ description\r
+ "The number of octets received in this session of this\r
+ PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf octets-tx {\r
+ type yang:counter64;\r
+ description\r
+ "The number of octets transmitted in this session of\r
+ this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf frames-rx {\r
+ type yang:counter64;\r
+ description\r
+ "The number of packets received in this session of\r
+ this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf frames-tx {\r
+ type yang:counter64;\r
+ description\r
+ "The number of packets transmitted in this session of\r
+ this PAE.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf time {\r
+ type uint32;\r
+ units "seconds";\r
+ description\r
+ "Session Time. The duration of the session in\r
+ seconds.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ leaf terminate-cause {\r
+ type enumeration {\r
+ enum common_port_MAC_operational_false {\r
+ description\r
+ "Common Port for this PAE is not operational.";\r
+ }\r
+ enum system_access_control_disabled {\r
+ description\r
+ "The system-access-control node of the pae-system\r
+ is disabled or initialization process of this PAE\r
+ is invoked.";\r
+ }\r
+ enum eapol_logoff_rx {\r
+ description\r
+ "The PAE has received EAPOL-Logoff frame.";\r
+ }\r
+ enum eap_reauthentication_failure {\r
+ description\r
+ "EAP reauthentication has failed.";\r
+ }\r
+ enum mka-failure_termination {\r
+ description\r
+ "MKA failure or other MKA termination.";\r
+ }\r
+ enum new_session-beginning {\r
+ description\r
+ "New session beginning.";\r
+ }\r
+ enum not_terminated_yet {\r
+ description\r
+ "Not Terminated Yet.";\r
+ }\r
+ }\r
+ description\r
+ "The reason for the session termination.";\r
+ reference\r
+ "IEEE 802.1X-2020 Clause 12.5.1";\r
+ }\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ container nid-group {\r
+ description\r
+ "Contains both configuration and operational state nodes\r
+ associated with the PAE NID group.";\r
+ uses nid-group;\r
+ }\r
+\r
+}\r