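module ieee802-dot1x {
  yang-version 1;
  namespace
    "urn:ieee:std:802.1X:yang:ieee802-dot1x";
  prefix dot1x;

  // NOTE(review): of the imports below only "system" (leafref target in
  // pae-system-ref) is referenced by this module as written; "ieee",
  // "yang", "if" and "ianaif" are unused and will draw a pyang warning.
  // They are kept because the draft this module comes from may use them
  // in later revisions; confirm before removing.
  import ieee802-types {
    prefix ieee;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-interfaces {
    prefix if;
  }
  import ietf-system {
    prefix system;
  }
  import iana-if-type {
    prefix ianaif;
  }

  organization
    "Institute of Electrical and Electronics Engineers";
  contact
    "WG-URL: http://grouper.ieee.org/groups/802/1/
     WG-EMail: stds-802-1@ieee.org
     Contact: IEEE 802.1 Working Group Chair
     Postal: C/O IEEE 802.1 Working Group
             IEEE Standards Association
             445 Hoes Lane
             P.O. Box 1331
             Piscataway
             NJ 08855-1331
             USA
     E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";
  description
    "Port-based network access control allows a network administrator
     to restrict the use of IEEE 802 LAN service access points (ports)
     to secure communication between authenticated and authorized
     devices. IEEE Std 802.1X specifies an architecture, functional
     elements, and protocols that support mutual authentication
     between the clients of ports attached to the same LAN and secure
     communication between the ports. The following control allows a
     port to be reinitialized, terminating (and potentially
     restarting) authentication exchanges and MKA operation, based on
     a data model described in a set of YANG modules.";

  revision "2017-07-20" {
    description
      "Updates based upon comment resolution on draft
       D1.1 of P802.1Xck.";
    reference
      "IEEE 802.1X-2010, Port-Based Network Access Control.";
  }

  // --- Feature declarations -------------------------------------------
  // Each feature gates optional PAE functionality; implementations
  // advertise the subset they support (IEEE 802.1X-2010 Clause 12.9.2).

  feature pacp-eap-supplicant {
    description
      "This feature indicates that the device supports a PACP EAP
       Supplicant.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature pacp-eap-authenticator {
    description
      "This feature indicates that the device supports a PACP EAP
       Authenticator.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature mka {
    description
      "This feature indicates that the device supports MKA";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature macsec {
    description
      "This feature indicates that the device supports MACsec on the
       Controlled Port.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature announcements {
    description
      "This feature indicates that the device supports the ability to
       send EAPOL announcements.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature listener {
    description
      "This feature indicates that the device supports the ability to
       receive EAPOL announcements.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature virtual-ports {
    description
      "This feature indicates that the device supports the virtual
       ports for a real port.";
    reference
      "IEEE 802.1X-2010 Clause 12.9.2";
  }

  feature in-service-upgrades {
    description
      "This feature indicates that the device supports MKA in-service
       upgrades.";
    reference
      "IEEE 802.1Xbx-2014 Clause 12.9.2";
  }

  // --- Type definitions ------------------------------------------------

  typedef pae-system-ref {
    // NOTE(review): /system:system/dot1x:pae-system is not defined in this
    // module; the leafref only resolves if another module (or a later
    // revision of this one) augments /system:system with a pae-system
    // list keyed by "name". Confirm that augment exists before relying on
    // this type.
    type leafref {
      path "/system:system/dot1x:pae-system/dot1x:name";
    }
    description
      "This type is used by data models that need to reference
       configured PAE systems.";
  }

  typedef pae-nid {
    // An empty NID (length 0) is permitted; it names the default network.
    type string {
      length "0..100";
    }
    description
      "Network Identity (NID), which is a UTF-8 string identifying a
       network or network service.";
    reference
      "IEEE 802.1X-2010 Clause 3, Clause 10.1, Clause 12.6";
  }

  typedef pae-session-user-name {
    type string {
      length "0..253";
    }
    description
      "Session user name, which is a UTF-8 string, representing the
       identity of the peer Supplicant.";
    reference
      "IEEE 802.1X-2010 Clause 12.5.1";
  }

  typedef pae-session-id {
    type string {
      length "3..253";
    }
    description
      "Session Identifier, which is a UTF-8 string, uniquely
       identifying the session within the context of the PAE's
       system.";
    reference
      "IEEE 802.1X-2010 Clause 12.5.1";
  }

  typedef pae-nid-capabilities {
    // NOTE(review): the bit names use camelCase rather than the usual
    // YANG lowercase-hyphenated form. They are left as-is because the
    // bit names are the encoded values on the wire and renaming would
    // break existing clients.
    type bits {
      bit eap {
        position 0;
        description "EAP";
      }
      bit eapMka {
        position 1;
        description "EAP + MKA";
      }
      bit eapMkaMacSec {
        position 2;
        description "EAP + MKA + MACsec";
      }
      bit mka {
        position 3;
        description "MKA";
      }
      bit mkaMacSec {
        position 4;
        description "MKA + MACsec";
      }
      bit higherLayer {
        position 5;
        description
          "Higher Layer (WebAuth)";
      }
      bit higherLayerFallback {
        position 6;
        description
          "Higher Layer Fallback (WebAuth)";
      }
      bit vendorSpecific {
        position 7;
        description
          "Vendor specific authentication mechanisms";
      }
    }
    description
      "Authentication and protection capabilities supported for the
       NID. Indicates the combinations of authentication and
       protection capabilities supported for a NID. Any set of these
       combinations can be supported.";
    reference
      "IEEE 802.1X-2010 Clause 10.1, Clause 11.12.3";
  }

  typedef pae-access-status {
    type enumeration {
      enum "no-access" {
        value 0;
        description
          "Other than to authentication services, and to services
           announced as available in the absence of authentication
           (unauthenticated).";
      }
      enum "remedial-access" {
        value 1;
        description
          "The access granted is severely limited, possibly to
           remedial services.";
      }
      enum "restricted-access" {
        value 2;
        description
          "The Controlled Port is operational, but restrictions have
           been applied by the network that can limit access to some
           resources.";
      }
      enum "expected-access" {
        value 3;
        description
          "The Controlled Port is operational, and access provided is
           as expected for successful authentication and authorization
           for the NID.";
      }
    }
    description
      "Indicates the transmitter's Controlled Port operational status
       and current level of access resulting from authentication and
       the consequent authorization controls applied by that port's
       clients.";
    reference
      "IEEE 802.1X-2010 Clause 10.4, Clause 12.5";
  }

  typedef mak-kn {
    type uint32;
    description
      "Indicates a Key Number (KN) used in MKA. It is assigned by
       the Key Server (sequentially beginning with 1).";
    reference
      "IEEE 802.1X-2010 Clause 9.8, Clause 9.16";
  }

  typedef mak-an {
    // The AN is carried in a 2-bit field of the MACsec SecTAG, so the
    // only valid values are 0..3. The range rejects an out-of-range AN
    // at the data-model boundary instead of leaving it to each consumer.
    type uint32 {
      range "0..3";
    }
    description
      "A number that is concatenated with a MACsec Secure Channel
       Identifier to identify a Secure Association. Indicates an
       Association Number (AN) assigned by the Key Server for use with
       the key number for transmission.";
    reference
      "IEEE 802.1X-2010 Clause 9.8, Clause 9.16; IEEE 802.1AE
       Clause 9.6";
  }

  typedef pae-ckn {
    // NOTE(review): the CKN is a 1..32 octet value. A YANG "string"
    // length counts characters, not octets, and cannot carry arbitrary
    // binary (it must be valid UTF-8). The type is left unchanged here
    // because switching to "binary" changes the encoding clients see;
    // confirm how implementations represent non-text CKNs (e.g. hex).
    type string {
      length "1..32";
    }
    description
      "Indicates the CAK name to identify the Connectivity
       Association Key (CAK) which is the root key in the MACsec Key
       Agreement key hierarchy. All potential members of the CA use
       the same CKN.";
    reference
      "IEEE 802.1X-2010 Clause 9.3.1, Clause 6.2";
  }

  typedef pae-kmd {
    type string {
      length "0..253";
    }
    description
      "A Key Management Domain (KMD). A string of up to 253 UTF-8
       characters that names the transmitting authenticator's key
       management domain.";
    reference
      "IEEE 802.1X-2010 Clause 12.6";
  }

  typedef pae-auth-data {
    // NOTE(review): no length bound is given here; confirm against
    // Clause 9.16 whether one applies before this is used for data
    // received from a peer.
    type string;
    description
      "Authorization data associated with the CAK.";
    reference
      "IEEE 802.1X-2010 Clause 9.16";
  }

  typedef sci-list-entry {
    // NOTE(review): a YANG "string" of length 8 holds 8 characters of
    // valid UTF-8, not 8 arbitrary octets, so this type cannot faithfully
    // carry every SCI (MAC address + Port Identifier). "binary { length
    // \"8\"; }" would; it is not changed here because that alters the
    // on-the-wire encoding. Confirm with the owning draft.
    type string {
      length "8";
    }
    description
      "8 octet string, where the first 6 octets represents the MAC
       Address (in canonical format), and the next 2 octets represents
       the Port Identifier.";
    reference
      "IEEE 802.1AE Clause 7.1.2, Clause 10.7.1";
  }

  typedef pae-if-index {
    // Same value space as a positive ifIndex; 0 is excluded.
    type int32 {
      range "1..2147483647";
    }
    description
      "The interface index value represented by this interface.";
  }

  // --- Data nodes ------------------------------------------------------

  container nid-group {
    description
      "Contains both configuration and operational state nodes
       associated with the PAE NID group.";

    list pae-nid-group {
      key "nid";
      description
        "A list that contains the configuration nodes for the network
         announcement information for the Logon Process.";

      leaf nid {
        type pae-nid;
        description
          "Identification of the network or network service.";
        reference
          "IEEE 802.1X-2010 Clause 12.5";
      }

      // Security note: with the defaults below (use-eap "immediate",
      // unauth-allowed "immediate", unsecure-allowed "immediate") the
      // Logon Process offers unauthenticated and unsecured connectivity
      // as soon as it starts, alongside any authentication attempt.
      // A deployment that requires authenticated and/or MACsec-protected
      // access must set unauth-allowed and unsecure-allowed to "never"
      // (or to "mka-fail"/"mka-server" where a fallback is intended) for
      // each NID; the defaults alone do not enforce access control.

      leaf use-eap {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description
              "Immediately, concurrently with the use of MKA with any
               cached CAK(s).";
          }
          enum "mka-fail" {
            value 2;
            description
              "Not until MKA has failed, if a prior CAK has been
               cached.";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will initiate EAP, if
           the Supplicant and or Authenticator are enabled, and takes
           one of the above values.";
        reference
          "IEEE 802.1X-2010 Clause 12.5";
      }

      leaf unauth-allowed {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description
              "Immediately, independently of any current or future
               attempts to authenticate using the PAE or MKA.";
          }
          enum "auth-fail" {
            value 2;
            description
              "Not until an attempt has been made to authenticate
               using EAP, unless neither the supplicant nor the
               authenticator is enabled, and MKA has attempted to use
               any cached CAK (unless the KaY is not enabled).";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will tell the CP state
           machine to provide unauthenticated connectivity, and takes
           one of the above values.";
        reference
          "IEEE 802.1X-2010 Clause 12.5";
      }

      leaf unsecure-allowed {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description
              "Immediately, to provide connectivity concurrently with
               the use of MKA with any CAK acquired through EAP.";
          }
          enum "mka-fail" {
            value 2;
            description
              "Not until MKA has failed, or is not enabled.";
          }
          enum "mka-server" {
            value 3;
            description
              "Only if directed by the MKA server.";
          }
        }
        default "immediate";
        description
          "Determines when the Logon Process will tell the CP state
           machine to provide authenticated but unsecured
           connectivity, takes one of the above values.";
        reference
          "IEEE 802.1X-2010 Clause 12.5";
      }

      leaf unauthenticated-access {
        // NOTE(review): this leaf describes the unauthenticated access
        // the NID offers (Clause 10.1 announcement information); it is
        // distinct from unauth-allowed above, which controls the local CP
        // state machine. Confirm the two are kept consistent by the
        // implementation.
        type enumeration {
          enum "no-access" {
            value 0;
            description
              "Other than to authentication services.";
          }
          enum "fallback-access" {
            value 1;
            description
              "Limited access can be provided after authentication
               failure.";
          }
          enum "limited-access" {
            value 2;
            description
              "Immediate limited access is available without
               authentication.";
          }
          enum "open-access" {
            value 3;
            description
              "Immediate access is available without
               authentication.";
          }
        }
        default "no-access";
        description
          "Unauthenticated access capabilities provided by the NID.";
        reference
          "IEEE 802.1X-2010 Clause 10.1";
      }

      leaf access-capabilities {
        type pae-nid-capabilities;
        description
          "Authentication and protection capabilities supported for
           the NID.";
        reference
          "IEEE 802.1X-2010 Clause 10.1";
      }
    } // list pae-nid-group

    list pae-nid-group-state {
      key "nid";
      // This list holds operational state (see its description), so it
      // must be read-only; without "config false" it would inherit
      // config true from the container and be writable.
      config false;
      description
        "A list that contains the operational state nodes for the
         network announcement information for the Logon Process.";

      leaf nid {
        type pae-nid;
        description
          "Identification of the network or network service.";
        reference
          "IEEE 802.1X-2010 Clause 12.5";
      }

      leaf kmd {
        type pae-kmd;
        description
          "The Key Management Domain for the NID.";
        reference
          "IEEE 802.1X-2010 Clause 10.4";
      }
    } // list pae-nid-group-state
  } // container nid-group
} // module ieee802-dot1x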