X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?p=sim%2Fo1-interface.git;a=blobdiff_plain;f=ntsimulator%2Fdeploy%2Fo-ran-ru-fh%2Fyang%2Fieee802-dot1x.yang;fp=ntsimulator%2Fdeploy%2Fo-ran-ru-fh%2Fyang%2Fieee802-dot1x.yang;h=ffb3e69872be0b93778e060746bd255f213cf3b3;hp=0000000000000000000000000000000000000000;hb=75385b2047f59353e3630e93736ddb6c9efa11bb;hpb=aa35a8ecece6592d35971150ee909f7044396bbe
diff --git a/ntsimulator/deploy/o-ran-ru-fh/yang/ieee802-dot1x.yang b/ntsimulator/deploy/o-ran-ru-fh/yang/ieee802-dot1x.yang
new file mode 100644
index 0000000..ffb3e69
--- /dev/null
+++ b/ntsimulator/deploy/o-ran-ru-fh/yang/ieee802-dot1x.yang
@@ -0,0 +1,1753 @@
+module ieee802-dot1x {
+
+ namespace "urn:ieee:std:802.1X:yang:ieee802-dot1x";
+ prefix "dot1x";
+
+ import ieee802-types { prefix "ieee"; }
+ import ietf-yang-types { prefix "yang"; }
+ import ietf-interfaces { prefix "if"; }
+ import ietf-system { prefix "sys"; }
+ import iana-if-type { prefix "ianaift"; }
+ import ieee802-dot1x-types { prefix "dot1x-types"; }
+
+ organization
+ "Institute of Electrical and Electronics Engineers";
+
+ contact
+ "WG-URL: http://www.ieee802.org/1
+ WG-EMail: stds-802-1-L@ieee.org
+
+ Contact: IEEE 802.1 Working Group Chair
+ Postal: C/O IEEE 802.1 Working Group
+ IEEE Standards Association
+ 445 Hoes Lane
+ Piscataway
+ NJ 08854
+ USA
+
+ E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";
+
+ description
+ "Port-based network access control allows a network administrator
+ to restrict the use of IEEE 802 LAN service access points (ports)
+ to secure communication between authenticated and authorized
+ devices. IEEE Std 802.1X specifies an architecture, functional
+ elements, and protocols that support mutual authentication
+ between the clients of ports attached to the same LAN and secure
+ communication between the ports. 
The following control allows a
+ port to be reinitialized, terminating (and potentially
+ restarting) authentication exchanges and MKA operation, based on
+ a data model described in a set of YANG modules.";
+
+ revision 2020-02-18 {
+ description
+ "Updated Contact information.";
+ }
+
+ revision 2019-06-12 {
+ description
+ "Updates based on comment resolution of the WG ballot of
+ P802.1X-Rev/D1.0.";
+ reference
+ "IEEE Std 802.1X-2020, Port-Based Network Access Control.";
+ }
+
+ grouping nid-group {
+ description
+ "The PAE NID Group configuration and operational information.";
+ list pae-nid-group {
+ key "nid";
+ description
+ "A list that contains the configuration and operational
+ nodes for the network announcement information for the
+ Logon Process.";
+ leaf nid {
+ type dot1x-types:pae-nid;
+ description
+ "Identification of the network or network service.";
+ reference
+ "IEEE 802.1X-2020 Clause 12.5";
+ }
+ leaf use-eap {
+ type enumeration {
+ enum never {
+ description
+ "Never.";
+ }
+ enum immediate {
+ description
+ "Immediately, concurrently with the use of MKA with any
+ cached CAK(s).";
+ }
+ enum mka-fail {
+ description
+ "Not until MKA has failed, if a prior CAK has been
+ cached.";
+ }
+ }
+ default "immediate";
+ description
+ "Determines when the Logon Process will initiate EAP, if
+ the Supplicant and or Authenticator are enabled, and takes
+ one of the above values.";
+ reference
+ "IEEE 802.1X-2020 Clause 12.5";
+ }
+ leaf unauth-allowed {
+ type enumeration {
+ enum never {
+ description
+ "Never.";
+ }
+ enum immediate {
+ description
+ "Immediately, independently of any current or future
+ attempts to authenticate using the PAE or MKA.";
+ }
+ enum auth-fail {
+ description
+ "Not until an attempt has been made to authenticate
+ using EAP, unless neither the supplicant nor the
+ authenticator is enabled, and MKA has attempted to use
+ any cached CAK (unless the KaY is not enabled).";
+ }
+ }
+ default "immediate";
+ description
+ 
"Determines when the Logon Process will tell the CP state
+ machine to provide unauthenticated connectivity, and takes
+ one of the above values.";
+ reference
+ "IEEE 802.1X-2020 Clause 12.5";
+ }
+ leaf unsecure-allowed {
+ type enumeration {
+ enum never {
+ description
+ "Never.";
+ }
+ enum immediate {
+ description
+ "Immediately, to provide connectivity concurrently with
+ the use of MKA with any CAK acquired through EAP.";
+ }
+ enum mka-fail {
+ description
+ "Not until MKA has failed, or is not enabled.";
+ }
+ enum mka-server {
+ description
+ "Only if directed by the MKA server.";
+ }
+ }
+ default "immediate";
+ description
+ "Determines when the Logon Process will tell the CP state
+ machine to provide authenticated but unsecured
+ connectivity, takes one of the above values.";
+ reference
+ "IEEE 802.1X-2020 Clause 12.5";
+ }
+ leaf unauthenticated-access {
+ type enumeration {
+ enum no-access {
+ description
+ "Other than to authentication services.";
+ }
+ enum fallback-access {
+ description
+ "Limited access can be provided after authentication
+ failure.";
+ }
+ enum limited-access {
+ description
+ "Immediate limited access is available without
+ authentication.";
+ }
+ enum open-access {
+ description
+ "Immediate access is available without
+ authentication.";
+ }
+ }
+ default "no-access";
+ description
+ "Unauthenticated access capabilities provided by the NID.";
+ reference
+ "IEEE 802.1X-2020 Clause 10.1";
+ }
+ leaf access-capabilities {
+ type dot1x-types:pae-nid-capabilities;
+ description
+ "Authentication and protection capabilities supported for
+ the NID.";
+ reference
+ "IEEE 802.1X-2020 Clause 10.1";
+ }
+
+ leaf kmd {
+ type dot1x-types:pae-kmd;
+ config false;
+ description
+ "The Key Management Domain for the NID.";
+ reference
+ "IEEE 802.1X-2020 Clause 10.4";
+ }
+ }
+ }
+
+ grouping port-capabilities {
+ description
+ "Per port PAE feature capabilities.";
+ leaf supp {
+ type boolean;
+ description
+ "Indicates if PACP EAP 
Supplicant is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf auth { + type boolean; + description + "Indicates if PACP EAP Authenticator is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf mka { + type boolean; + description + "Indicates if MKA is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf macsec { + type boolean; + description + "Indicates if MACsec on the Controlled port is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf announcements { + type boolean; + description + "Indicates if the ability to send EAPOL announcements is + supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf listener { + type boolean; + description + "Indicates if the ability to use received EAPOL + announcements is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf virtual-ports { + type boolean; + description + "Indicates if virtual ports for a real port is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf in-service-upgrades { + type boolean; + description + "Indicates if MKA in-service upgrades is supported."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + } + + /* --------------------------------------------------- + * Configuration objects used by 802.1X YANG module + * --------------------------------------------------- + */ + augment "/sys:system" { + description + "Augment system with 802.1X PAE System specific configuration + nodes."; + container pae-system { + description + "Contains all 802.1X PAE System specific related + configuration and operational data."; + leaf name { + type string { + length "1..255"; + } + description + "The name which uniquely identifies the PAE System."; + } + leaf system-access-control { + type enumeration { + enum disabled { + description + "Deletes any virtual ports previously instantiated, and + terminates authentication exchanges and MKA + operation."; + } + enum enabled { + 
description + "Enables PAE system access control."; + } + } + description + "Setting this control to disabled deletes any virtual ports + previously instantiated, and terminates authentication + exchanges and MKA operation. Each real port PAE behaves as + if enabledVirtualPorts was clear, the PAEs Supplicant, + Authenticator, and KaY as if their enabled controls were + clear, and Logon Process(es) as if unauthAllowed was + Immediate. Announcements can be transmitted (subject to + other controls), both periodically and in response to + announcement requests (conveyed by EAPOL-Starts or + EAPOL-Announcement-Reqs) but are sent with a single NID + Set, with a null NID, and the Access Information TLV (and + no other) with an pae-access-status of No Access, + accessRequested false, OpenAccess, and no + accessCapabilities. The control variable settings for each + real port PAE are unaffected, and will be used once + systemAccessControl is set to enabled."; + reference + "IEEE 802.1X-2020 Clause 12.9.1"; + } + leaf system-announcements { + type enumeration { + enum disabled { + description + "Causes each PAE to behave as if enabled were clear + for the PAE's Announcement functionality."; + } + enum enabled { + description + "Enables PAE system announcements."; + } + } + description + "Setting this control to Disabled causes each PAE to behave + as if enabled were clear for the PAE's Announcement + functionality. 
The independent controls for each PAE apply + if systemAnnouncements is Enabled."; + reference + "IEEE 802.1X-2020 Clause 12.9.1"; + } + leaf eapol-protocol-version { + type uint8; + config false; + description + "The EAPOL protocol version for this system."; + reference + "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3"; + } + leaf mka-version { + type uint8; + config false; + description + "The MKA protocol version for this system."; + reference + "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3"; + } + leaf-list pae { + type if:interface-ref; + config false; + description + "List of PAE references."; + } + } + } + + /* + * Port Authentication Entity (PAE) Nodes + */ + augment "/if:interfaces/if:interface" { + when "if:type = 'ianaift:ethernetCsmacd' or + if:type = 'ianaift:ilan' or + if:type = 'ianaift:macSecControlledIF' or + if:type = 'ianaift:ptm' or + if:type = 'ianaift:bridge'" { + description + "Applies to the Controlled Port of SecY or PAC shim or + Ethernet related Interface."; + } + description + "Augment interface model with PAE configuration and + operational nodes."; + reference + "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2020 Clause 6.5 and + Clause 13.3.2"; + container pae { + description + "Contains PAE configuration and operational related nodes."; + leaf pae-system { + type leafref { + path "/sys:system/dot1x:pae-system/dot1x:name"; + } + description + "The PAE system that this PAE is a member of."; + } + leaf vp-enable { + when "../port-type = 'real-port' and + ../port-capabilities/virtual-ports = 'true'" { + description + "Applies when port is Real Port and virtual port + capabilities are supported."; + } + type boolean; + default "false"; + description + "A real port's PAE may be configured to create virtual + ports to support multi-access LANs provided that MKA and + MACsec operation is enabled for that port."; + reference + "IEEE 802.1X-2020 Clause 12.7"; + } + container port-capabilities { + description + "Per port PAE feature capabilities."; + 
uses port-capabilities; + } + + leaf port-name { + type if:interface-ref; + config false; + description + "Each PAE is uniquely identified by a port name."; + } + leaf port-number { + type dot1x-types:pae-if-index; + config false; + description + "Each PAE is uniquely identified by a port number. The + port number used is unique amongst all port names for the + system, and directly or indirectly identifies the + Uncontrolled Port that supports the PAE. If the PAE has + been dynamically instantiated to support an existing or + potential virtual port, this portNumber, the + uncontrolledPortNumber and the controlledPortNumber are + allocated by the real ports PAE, and this portNumber is the + uncontrolledPortNumber. If the PAE supports a real port, + this portNumber is the commonPortNumber for the associated + PAC or SecY."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf controlled-port-name { + type if:interface-ref; + config false; + description + "Each PAE is uniquely identified by a port name."; + } + leaf controlled-port-number { + type dot1x-types:pae-if-index; + config false; + description + "The port for the associated PAC or SecYs Controlled + Port."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf uncontrolled-port-name { + type if:interface-ref; + config false; + description + "The uncontrolled port name reference."; + } + leaf uncontrolled-port-number { + type dot1x-types:pae-if-index; + config false; + description + "The port for the associated PAC or SecYs Uncontrolled + Port."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf common-port-name { + type if:interface-ref; + config false; + description + "The common port name reference."; + } + leaf common-port-number { + type dot1x-types:pae-if-index; + config false; + description + "The port for the associated PAC or SecYs Common Port. 
All + the virtual ports created for a given real port share the + same Common Port and commonPortNumber."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf port-type { + type enumeration { + enum real-port { + description + "Real Port type."; + } + enum virtual-port { + description + "Virtual Port type."; + } + } + //config false; + description + "The port type of the PAE."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + container virtual-port { + when "../port-capabilities/virtual-ports = 'true'" { + description + "Applies when the virtual ports port capability is + supported."; + } + config false; + description + "Contains Virtual Port operational state information."; + leaf max { + when "../../port-type = 'real-port'" { + description + "Applies when Port is a Real Port."; + } + type uint32; + description + "The guaranteed maximum number of virtual ports."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf current { + when "../../port-type = 'real-port'" { + description + "Applies when Port is a Real Port."; + } + type yang:gauge32; + description + "The current number of virtual ports."; + reference + "IEEE 802.1X-2020 Clause 12.9.2"; + } + leaf start { + when "../../port-type = 'virtual-port'" { + description + "Applies when Port is a Virtual Port."; + } + type boolean; + description + "Set if the virtual port was created by receipt of an + EAPOL-Start frame."; + reference + "IEEE 802.1X-2020 Clause 12.9.7"; + } + leaf peer-address { + when "../../port-type = 'virtual-port'" { + description + "Applies when Port is a Virtual Port."; + } + type ieee:mac-address; + description + "The source MAC Address of the EAPOL-Start (if vpStart is + set)."; + reference + "IEEE 802.1X-2020 Clause 12.9.7"; + } + } + + container supplicant { + when "../port-type = 'real-port' and + ../port-capabilities/supp = 'true'" { + description + "Applies to Real Port when supplicant port capabilities + are supported."; + } + description + "Contains the 
configuration nodes for the Supplicant PAE + associated with each port."; + leaf held-period { + type uint16; + units seconds; + default "60"; + description + "The initial value of the timer used to impose a wait + period after a failed authentication attempt, before + another attempt is permitted."; + reference + "IEEE 802.1X-2020 Clause 8.6"; + } + leaf retry-max { + type uint32; + default "2"; + description + "Specifies the maximum number of re-authentication + attempts on an authenticator port before port is + unauthorized."; + reference + "IEEE 802.1X-2020 Clause 8.7"; + } + + leaf enabled { + type boolean; + config false; + description + "Set by PACP if the PAE can provide authentication. Will + be FALSE if the Port is not enabled, if the functionality + provided by the PAE is not available, or not implemented, + or the control variable enable has been cleared by + management, e.g. because the application scenario + authenticates a user and there is no user logged on."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf authenticate { + type boolean; + config false; + description + "Set by the PAE client to request authentication, and + allows reauthentication while set. Cleared by the client + to revoke authentication. To enable authentication the + client also needs to clear failed (if set)."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf authenticated { + type boolean; + config false; + description + "Set by PACP if the PAE is currently authenticated, and + cleared if the authentication fails or is revoked."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf failed { + type boolean; + config false; + description + "Set by PACP if the authentication has failed or has been + terminated. The cause could be a Fail returned by EAP, + either immediately or following a reauthentication, an + excessive number of attempts to authenticate (either + immediately or upon reauthentication), or the client + deasserting authenticate. 
The PACP will clear + authenticated as well as setting failed. Any ongoing + authentication exchange will be terminated (by the state + machines) if enable becomes FALSE and enabled will be + cleared, but failed will not be set."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + } + + container authenticator { + when "../port-capabilities/auth = 'true'" { + description + "Applies when the Authenticator is supported."; + } + description + "Contains configuration nodes for the Authenticator PAE + associated with each port."; + leaf quiet-period { + type uint16; + units seconds; + default "60"; + description + "Number of seconds that the authenticator remains in the quiet + state following a failed authentication exchange with the + supplicant."; + reference + "IEEE 802.1X-2020 Clause 8.6, Figure 12-3"; + } + leaf reauth-period { + type uint32; + units seconds; + default "3600"; + description + "This object indicates the time period of the + reauthentication to the supplicant."; + reference + "IEEE 802.1X-2020 Clause 8.6, Figure 12-3"; + } + leaf reauth-enable { + type boolean; + default "false"; + description + "Re-authentication is enabled or not."; + reference + "IEEE 802.1X-2020 Clause 5.8 and 8.9"; + } + leaf retry-max { + type uint32; + default "2"; + description + "Specifies the maximum number of re-authentication + attempts on an authenticator port before port is + unauthorized."; + reference + "IEEE 802.1X-2020 Clause 8.9"; + } + + leaf enabled { + type boolean; + config false; + description + "Set by PACP if the PAE can provide authentication. Will + be FALSE if the Port is not enabled, if the functionality + provided by the PAE is not available, or not implemented, + or the control variable enable has been cleared by + management, e.g. 
because the application scenario + authenticates a user and there is no user logged on."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf authenticate { + type boolean; + config false; + description + "Set by the PAE client to request authentication, and + allows reauthentication while set. Cleared by the client + to revoke authentication. To enable authentication the + client also needs to clear failed (if set)."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf authenticated { + type boolean; + config false; + description + "Set by PACP if the PAE is currently authenticated, and + cleared if the authentication fails or is revoked."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + leaf failed { + type boolean; + config false; + description + "Set by PACP if the authentication has failed or has been + terminated. The cause could be a Fail returned by EAP, + either immediately or following a reauthentication, an + excessive number of attempts to authenticate (either + immediately or upon reauthentication), or the client + deasserting authenticate. The PACP will clear + authenticated as well as setting failed. 
Any ongoing + authentication exchange will be terminated (by the state + machines) if enable becomes FALSE and enabled will be + cleared, but failed will not be set."; + reference + "IEEE 802.1X-2020 Clause 8.4"; + } + } + + container kay { + when "../port-capabilities/mka = 'true'" { + description + "Applies when the MKA port capability is supported."; + } + description + "Contains configuration system level information for each + Interface supported by the KaY (Key Aggreement Entity)."; + leaf enable { + type boolean; + default "false"; + description + "Set by management to enable (clear to disable) the use + of MKA."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + container actor { + description + "Contains configuration and operational nodes + associated with the actor"; + leaf priority { + type uint8; + description + "The Key Server Priority for all the ports actors."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf sci { + type dot1x-types:sci-list-entry; + config false; + description + "The SCI assigned by the system to the port (applies + to all the ports actors)."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + container key-server { + description + "Contains configuration and operational nodes + associated with the key + server."; + leaf priority { + type uint8; + description + "The Key Server Priority for the Key Server for the + principal actor. Matches the actorPriority if the + actor is the Key Server"; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf sci { + type dot1x-types:sci-list-entry; + config false; + description + "The SCI for Key Server for the principal actor. Null + if there is no principal actor, or that actor has no + live peers. 
Matches the actorSCI if the actor is the + Key Server."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + container group { + description + "Contains configuration nodes associated with the + group."; + leaf join { + type boolean; + default "true"; + description + "Set if the KaY will accept Group CAKs distributed by + MKA."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf form { + type boolean; + default "false"; + description + "Set if the KaY will attempt to use point-to-point CAs + to distribute a Group CAK, if its principal actor is + the Key Server for all the point-to-point CAs."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf new { + type boolean; + default "false"; + description + "Set by management if a new Group CAK is to be + distributed, if the principal actor is the Key Server + for all point-to-point CAs. Cleared by the KaY when + distribution is complete."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + + container macsec { + when "../../port-capabilities/macsec = 'true'" { + description + "Applies when the MACsec port capability is + supported."; + } + description + "Contains configuration and operational nodes + associated with macsec."; + leaf capable { + type boolean; + description + "Set if MACsec is implemented."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf desired { + type boolean; + default "true"; + description + "Set if the participant desires MACsec frame protection."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + + leaf protect { + type boolean; + config false; + description + "As used by the CP state machine, see 12.4."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf validate { + type boolean; + config false; + description + "As used by the CP state machine, see 12.4."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf replay-protect { + type boolean; + config false; + description + "As used by the CP state machine, see 12.4."; + reference + "IEEE 802.1X-2020 Clause 
9.16"; + } + } + leaf suspend-on-request { + type boolean; + default "true"; + description + "Set by management to allow the KaYs principal actor to + initiate a suspension if it is the Key Server and another + participant has requested a suspension."; + } + leaf suspend-for { + type uint8; + default "0"; + description + "Set by management to a non-zero number of seconds + between 1 and MKA Suspension Limit to initiate a + suspension (9.18) of that duration (if the KaYs principal + actor is the Key Server) or to request a suspension + (otherwise)."; + reference + "IEEE 802.1X-2020 Clause 9.18"; + } + + leaf suspended-while { + type uint8; + config false; + description + "Read by management to determine if a suspension is in + progress and (when available) to discover the remaining + duration of that suspension"; + reference + "IEEE 802.1X-2020 Clause 9.18"; + } + leaf active { + type boolean; + config false; + description + "Set if there is at least one active actor, transmitting + MKPDUs."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf authenticated { + type boolean; + config false; + description + "Set if the principal actor, i.e. 
the participant that + has the highest priority Key Server and one or more live + peers, has determined that Controlled Port communication + should proceed without MACsec."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf secured { + type boolean; + config false; + description + "Set if the principal actor has determined that + communication should use MACsec."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf failed { + type boolean; + config false; + description + "Cleared when authenticated or secured are set, set if + the latter are clear and MKA Life Time has elapsed since + an MKA participant was last created."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + container key-number { + config false; + description + "Contains operation state nodes for Key Numbers."; + leaf tx { + type dot1x-types:mka-kn; + description + "The Key Number assigned by the Key Server to the SAK + currently being used for transmission. Null if MACsec + is not being used."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf rx { + type dot1x-types:mka-kn; + description + "The Key Number assigned by the Key Server to the + oldest SAK currently being used for reception. The same + as txKN if a single SAK is currently in use (as will + most often be the case). Null if MACsec is not being + used."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + container association-number { + config false; + description + "Contains operation state nodes for Association + Numbers."; + leaf tx { + type dot1x-types:mka-an; + description + "The Association Number assigned by the Key Server for + use with txKN. Zero if MACsec is not in use."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf rx { + type dot1x-types:mka-an; + description + "The Association Number assigned by the Key Server for + use with rxKN. The same as txAN if a single SAK is + currently in use. 
Zero if MACsec is not in use."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + + list participants { + key "participant"; + description + "Contains list of configuration and operational nodes + for each MKA participant supported by the KaY MKA + entity."; + leaf participant { + type uint32; + description + "Key into Participants list."; + } + leaf cached { + type boolean; + description + "Set by the KaY if the participants parameters are + cached. If set, cached can be cleared by management to + remove the participant from the cache."; + } + leaf active { + type boolean; + default "false"; + description + "Set if the participant is active, i.e., is currently + transmitting periodic MKPDUs."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf retain { + type boolean; + default "false"; + description + "Set by management to retain the participant in the + cache, even if the KaY would normally remove it (due to + lack of use for example)."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf activate { + type enumeration { + enum default { + description + "The participant is from cached entries created by + the KaY as part of normal operation, without + explicit management, and is activated according to + the implementation dependent policies of the KaY."; + } + enum disabled { + description + "The participant allows the cache information to be + retained, but disabled for indefinite period."; + } + enum on-oper-up { + description + "Causing the participant to be activated when the + PAEs part is activated, and therefore when the SecY + or PACs Common Port becomes operational."; + } + enum always { + description + "Causing the participant to remain active all the + time, even in the continued absence of partners."; + } + } + default "default"; + description + "Controls when the participant is activated. 
Cached + entries created by the KaY as part of normal operation, + without explicit management, have the value Default, + and are activated according to the implementation + dependent policies of the KaY. This variable can be + set to any of its values by management. Disabled allows + the cache entry to be retained, but disabled for an + indefinite period. OnOperUp causes the participant to + be activated when the PAEs port (and therefore when the + SecY or PACs Common Port becomes MAC_Operational). + Always causes the participant to remain active all the + time, even in the continued absence of partners. If the + value is changed to Disabled or OnOperUp, the + participant ceases operation immediately and receipt of + MKPDUs with a matching CKN during a subsequent period + of twice MKA Life Time will not cause the participant + to become active once more."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + + container peers { + config false; + description + "Contains operational state nodes associated with the + Peers."; + leaf-list live { + type dot1x-types:sci-list-entry; + description + "A list of the SCIs of the participants live + peers."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf-list potential { + type dot1x-types:sci-list-entry; + description + "A list of the SCIs of the participants potential + peers."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + leaf ckn { + type dot1x-types:pae-ckn; + config false; + description + "The secure Connectivity Association Key Name for the + participant."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf kmd { + type dot1x-types:pae-kmd; + config false; + description + "The Key Management Domain for the participant."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf nid { + type dot1x-types:pae-nid; + config false; + description + "The NID for the participant."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf auth-data { + type dot1x-types:pae-auth-data; + config false; + 
description + "Authorization data associated with the secure + Connectivity Association Key."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf principal { + type boolean; + config false; + description + "Set if the participant is currently the principal + actor."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + leaf dist-ckn { + type dot1x-types:pae-ckn; + config false; + description + "The CKN for the last CAK distributed (either by the + actor or one of its partners). Null if this participant + has not been used to distribute a CAK."; + reference + "IEEE 802.1X-2020 Clause 9.16"; + } + } + } + + container logon-nid { + description + "Contains the configuration and operational related NID + information for the Logon Process. The Logon Process may + use Network Identifiers (NIDs) to manage its use of + authentication credentials, cached CAKs, and + announcements."; + leaf selected { + type dot1x-types:pae-nid; + description + "The NID currently configured for use by an access + controlled port when transmitting EAPOL-Start frames. + Defaults to the null NID."; + reference + "IEEE 802.1X-2020 Clause 12.5"; + } + uses nid-group; + + leaf connected { + type dot1x-types:pae-nid; + config false; + description + "The NID associated with the current connectivity + (possibly unauthenticated) provided by the operation of + the CP state machine."; + reference + "IEEE 802.1X-2020 Clause 12.5"; + } + leaf requested { + type dot1x-types:pae-nid; + config false; + description + "The NID marked as Access requested in announcements, as + determined from EAPOL-Start frames. 
Defaults to the + selectedNID."; + reference + "IEEE 802.1X-2020 Clause 12.5"; + } + } + + container announcer { + when "../port-capabilities/announcements = 'true'" { + description + "Applies when the Announcements port capabilities are + supported."; + } + description + "Contains the configuration related Announcer + information."; + leaf enable { + type boolean; + default "false"; + description + "A boolean indicating if the announcer is enabled or + not."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + list announce { + key "announces"; + description + "Contains the configuration related status information + that the Announcers announce in the network announcement + of the PAE system."; + leaf announces { + type uint32; + description + "Key into Announce list."; + } + uses nid-group; + + leaf nid { + type dot1x-types:pae-nid; + config false; + description + "The NID information to identify a received network + announcement for the PAE."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf access-status { + type dot1x-types:pae-access-status; + config false; + description + "Access Status reflects connectivity as a result of + authentication attempts, and might be set directly by + the system or configured by AAA protocols."; + reference + "IEEE 802.1X-2020 Clause 10.4, Clause 12.5"; + } + } + } + + container listener { + when "../port-capabilities/listener = 'true'" { + description + "Applies when the Listener port capability is + supported."; + } + description + "Contains the configuration and operational Listener + node related information."; + leaf enable { + type boolean; + default "false"; + description + "A boolean indicating if the listener is enabled or + not."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + + list announcement { + key "announcements"; + config false; + description + "A list containing the operational status information + that the Listeners receive in the network announcement of + the PAE system."; + leaf announcements { 
+ type uint32; + description + "The key into the list of Announce nodes."; + } + leaf nid { + type dot1x-types:pae-nid; + description + "The NID information to identify a received network + announcement for the PAE."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf kmd { + type dot1x-types:pae-kmd; + description + "The KMD information for this received network + announcement of the PAE."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf specific { + type boolean; + description + "This object indicates the received announcement + information was specific to the receiving PAE, not + generic for all systems attached to the LAN."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf access-status { + type dot1x-types:pae-access-status; + description + "The object information reflects connectivity as a + result of authentication attempts for this received + network announcement of the PAE."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf requested-nid { + type boolean; + description + "The authenticated access has been requested for this + particular NID or not."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf unauthenticated-access { + type dot1x-types:pae-access-status; + description + "The access capability of the ports clients without + authentication in this received network announcement of + the PAE"; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + leaf access-capabilities { + type dot1x-types:pae-nid-capabilities; + description + "The authentication and protection capabilities + supported for the NID."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + } + list cipher-suites { + key "index"; + description + "A table contains the Cipher Suites information that + the Listeners receive in the network announcement of + the PAE system."; + reference + "IEEE 802.1X-2020 Clause 10.4"; + leaf index { + type uint16; + description + "Key into cipher suite entry."; + } + leaf cipherSuite { + type string; + description + "cipher 
Suite identifier."; + } + leaf cipherSuiteCapability { + type uint32; + description + "Cipher Suite capability."; + } + } + } + } + + container eapol-statistics { + config false; + description + "Contains operational EAPOL statistics."; + leaf invalid-eapol-frame-rx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of invalid EAPOL frames of any type that + have been received by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eap-length-error-frames-rx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL frames that the Packet Body Length + does not match a Packet Body that is contained within the + octets of the received EAPOL MPDU in this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-announcements-rx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-Announcement frames that have been + received by this PAE"; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-announce-reqs-rx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-Announcement-Req frames that have + been received by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-port-unavailable { + when "../../port-type = 'real-port' and + ../../port-capabilities/virtual-ports = 'true'" { + description + "Applies when port is Real Port and when the virtual + ports capability is supported."; + } + type yang:counter32; + description + "The number of EAPOL frames that are discarded because + their processing would require the creation of a virtual + port, for which there are inadequate or constrained + resources, or an 
existing virtual port and no such port + currently exists. If virtual port is not supported, this + object should be always 0."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-start-frames-rx { + type yang:counter32; + description + "The number of EAPOL-Start frames that have been received + by this PAE"; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-eap-frames-rx { + type yang:counter32; + description + "The number of EAPOL-EAP frames that have been received + by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-logoff-frames-rx { + type yang:counter32; + description + "The number of EAPOL-Logoff frames that have been + received by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-mk-no-cfn { + type yang:counter32; + description + "The number of MKPDUs received with MKA not enabled or + CKN not recognized in this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf eapol-mk-invalid-frames-rx { + type yang:counter32; + description + "The number of MKPDUs failing in message authentication + on receipt process in this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.1"; + } + leaf last-eapol-frame-source { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type ieee:mac-address; + description + "The source MAC address of last received EAPOL frame by + this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.2"; + } + leaf last-eapol-frame-version { + type uint8; + description + "The version of last received EAPOL frame by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.2"; + } + leaf eapol-supp-eap-frames-tx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-EAP frames that have been + transmitted by the supplicant of this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf 
eapol-logoff-frames-tx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-Logoff frames that have been + transmitted by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf eapol-announcements-tx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-Announcement frames that have been + transmitted by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf eapol-announce-reqs-tx { + when "../../port-type = 'real-port'" { + description + "Applies when port is Real Port."; + } + type yang:counter32; + description + "The number of EAPOL-Announcement-Req frames that have + been transmitted by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf eapol-start-frames-tx { + type yang:counter32; + description + "The number of EAPOL-Start frames that have been + transmitted by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf eapol-auth-eap-frames-tx { + type yang:counter32; + description + "The number of EAPOL-EAP frames that have been + transmitted by the authenticator of this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + leaf eapol-mka-frames-tx { + type yang:counter32; + description + "The number of EAPOL-MKA frames with no CKN information + that have been transmitted by this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.8.3"; + } + } + + container logon-process { + description + "Contains configuration and operational system level + information for each port to support the Logon Process(es) + status information."; + leaf logon { + type boolean; + default "false"; + description + "A boolean indicating if the logon-process is enabled or + not."; + reference + "IEEE 802.1X-2020 Clause 12.5"; + } + + leaf connect { + type enumeration { + enum pending { + description + "Prevent 
connectivity by clearing the + controlledPortEnabled parameter."; + } + enum unauthenticated { + description + "Provide unsecured connectivity, setting + controlledPortEnabled."; + } + enum authenticated { + description + "Provide unsecured connectivity with authorization + data, setting controlledPortEnabled."; + } + enum secure { + description + "Provide secure connectivity, using SAKs provided by + the KaY (when available) and setting + controlledPortEnabled when those keys are installed + and in use, as specified in detail by the CP state + machine."; + } + } + config false; + description + "The Logon Process sets this variable to one of the + above values."; + reference + "IEEE 802.1X-2020 Clause 12.3"; + } + leaf port-valid { + type boolean; + config false; + description + "Set if Controlled Port communication is secured as + specified by the MACsec control macsecProtect."; + reference + "IEEE 802.1X-2020 Clause 12.3"; + } + list session-statistics { + key "session-id"; + config false; + description + "Contains operational state nodes associated with the + session statistics."; + leaf session-id { + type dot1x-types:pae-session-id; + description + "Key into list of session statistics."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf user-name { + type dot1x-types:pae-session-user-name; + description + "User name of the session."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf octets-rx { + type yang:counter64; + description + "The number of octets received in this session of this + PAE."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf octets-tx { + type yang:counter64; + description + "The number of octets transmitted in this session of + this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf frames-rx { + type yang:counter64; + description + "The number of packets received in this session of + this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf frames-tx { + type yang:counter64; + 
description + "The number of packets transmitted in this session of + this PAE."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf time { + type uint32; + units "seconds"; + description + "Session Time. The duration of the session in + seconds."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + leaf terminate-cause { + type enumeration { + enum common_port_MAC_operational_false { + description + "Common Port for this PAE is not operational."; + } + enum system_access_control_disabled { + description + "The system-access-control node of the pae-system + is disabled or initialization process of this PAE + is invoked."; + } + enum eapol_logoff_rx { + description + "The PAE has received EAPOL-Logoff frame."; + } + enum eap_reauthentication_failure { + description + "EAP reauthentication has failed."; + } + enum mka-failure_termination { + description + "MKA failure or other MKA termination."; + } + enum new_session-beginning { + description + "New session beginning."; + } + enum not_terminated_yet { + description + "Not Terminated Yet."; + } + } + description + "The reason for the session termination."; + reference + "IEEE 802.1X-2020 Clause 12.5.1"; + } + } + } + } + } + + container nid-group { + description + "Contains both configuration and operational state nodes + associated with the PAE NID group."; + uses nid-group; + } + +}