
ieee802-dot1x@2017-07-20



  module ieee802-dot1x {

    yang-version 1;

    namespace
      "urn:ieee:std:802.1X:yang:ieee802-dot1x";

    prefix dot1x;

    import ieee802-types {
      prefix ieee;
    }
    import ietf-yang-types {
      prefix yang;
    }
    import ietf-interfaces {
      prefix if;
    }
    import ietf-system {
      prefix system;
    }
    import iana-if-type {
      prefix ianaif;
    }

    organization
      "Institute of Electrical and Electronics Engineers";

    contact
      "WG-URL: http://grouper.ieee.org/groups/802/1/
    WG-EMail: stds-802-1@ieee.org

    Contact: IEEE 802.1 Working Group Chair
    Postal: C/O IEEE 802.1 Working Group
            IEEE Standards Association
            445 Hoes Lane
            P.O. Box 1331
            Piscataway
            NJ 08855-1331
            USA
 	
    E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";

    description
      "Port-based network access control allows a network administrator
    to restrict the use of IEEE 802 LAN service access points (ports)
    to secure communication between authenticated and authorized
    devices. IEEE Std 802.1X specifies an architecture, functional
    elements, and protocols that support mutual authentication
    between the clients of ports attached to the same LAN and secure
    communication between the ports. The following control allows a
    port to be reinitialized, terminating (and potentially
    restarting) authentication exchanges and MKA operation, based on
    a data model described in a set of YANG modules.";

    revision "2017-07-20" {
      description
        "Updates based upon comment resolution on draft
      D1.1 of P802.1Xck.";
      reference
        "IEEE 802.1X-2010, Port-Based Network Access Control.";

    }


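    // Capability features. A server advertises only the subset it
    // implements; a client must not assume that MKA key agreement or
    // MACsec protection is available on a port unless the matching
    // feature is advertised by that server.

    feature pacp-eap-supplicant {
      description
        "This feature indicates that the device supports a PACP EAP
      Supplicant (the device can authenticate itself to a peer
      Authenticator).";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature pacp-eap-authenticator {
      description
        "This feature indicates that the device supports a PACP EAP
      Authenticator (the device can authenticate a peer Supplicant).";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature mka {
      description
        "This feature indicates that the device supports MKA (MACsec Key
      Agreement).";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature macsec {
      description
        "This feature indicates that the device supports MACsec on the
      Controlled Port.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature announcements {
      description
        "This feature indicates that the device supports the ability to
      send EAPOL announcements.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature listener {
      // Fixed wording: the original read "ability to use receive".
      description
        "This feature indicates that the device supports the ability to
      receive EAPOL announcements.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature virtual-ports {
      description
        "This feature indicates that the device supports virtual
      ports for a real port.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";
    }

    feature in-service-upgrades {
      description
        "This feature indicates that the device supports MKA in-service
      upgrades.";
      reference
        "IEEE 802.1Xbx-2014 Clause 12.9.2";
    }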

    typedef pae-system-ref {
      // NOTE(review): the leafref path below targets
      // /system:system/dot1x:pae-system/dot1x:name, but no augment of
      // ietf-system that defines a pae-system list appears in this
      // module as shown here. Confirm that the augment exists (possibly
      // in a later revision of this module); otherwise the leafref
      // cannot be resolved and validators will reject the module.
      type leafref {
        path "/system:system/dot1x:pae-system/dot1x:name";
      }
      description
        "This type is used by data models that need to reference
      configured PAE systems.";
    }

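    typedef pae-nid {
      // NOTE(review): a YANG string length constraint counts characters,
      // not octets. A multi-byte UTF-8 NID of 100 characters can exceed
      // the octet limit stated in Clause 10.1; implementations should
      // check the encoded length before placing the NID in an announcement.
      // Length 0 is deliberately permitted (a null NID).
      type string {
        length "0..100";
      }
      description
        "Network Identity (NID), which is a UTF-8 string identifying a
      network or network service.";
      reference
        "IEEE 802.1X-2010 Clause 3, Clause 10.1, Clause 12.6";
    }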

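    typedef pae-session-user-name {
      // This value is reported by the peer (the Supplicant) during
      // authentication, so consumers that log or display it should treat
      // it as untrusted, attacker-chosen text. The length constraint
      // counts characters, not octets.
      type string {
        length "0..253";
      }
      description
        "Session user name, which is a UTF-8 string representing the
      identity of the peer Supplicant.";
      reference
        "IEEE 802.1X-2010 Clause 12.5.1";
    }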

    typedef pae-session-id {
      // Identifier of an authentication session; unique only within the
      // scope of the PAE system that created it.
      type string {
        length "3..253";
      }
      description
        "Session Identifier: a UTF-8 string that uniquely identifies a
      session within the context of the PAE system.";
      reference
        "IEEE 802.1X-2010 Clause 12.5.1";
    }

    typedef pae-nid-capabilities {
      // Each bit names one combination of authentication and protection
      // that a NID offers; any subset of bits may be set together. Bit
      // names and positions are part of the data model and are unchanged.
      type bits {
        bit eap {
          position 0;
          description
            "EAP authentication only.";
        }
        bit eapMka {
          position 1;
          description
            "EAP authentication followed by MKA.";
        }
        bit eapMkaMacSec {
          position 2;
          description
            "EAP authentication, MKA, and MACsec protection.";
        }
        bit mka {
          position 3;
          description
            "MKA only.";
        }
        bit mkaMacSec {
          position 4;
          description
            "MKA with MACsec protection.";
        }
        bit higherLayer {
          position 5;
          description
            "Higher-layer authentication (WebAuth).";
        }
        bit higherLayerFallback {
          position 6;
          description
            "Higher-layer authentication (WebAuth) used as a fallback.";
        }
        bit vendorSpecific {
          position 7;
          description
            "Vendor-specific authentication mechanisms.";
        }
      }
      description
        "The set of authentication and protection combinations a NID
      supports. A NID may advertise any combination of these bits.";
      reference
        "IEEE 802.1X-2010 Clause 10.1, Clause 11.12.3";
    }

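    typedef pae-access-status {
      // Ordered from least to most access. Enum names and values are
      // unchanged; only the wording of the descriptions was corrected.
      type enumeration {
        enum "no-access" {
          value 0;
          description
            "No access other than to authentication services, and to
          services announced as available in the absence of
          authentication (unauthenticated).";
        }
        enum "remedial-access" {
          value 1;
          description
            "The access granted is severely limited, possibly to
          remedial services.";
        }
        enum "restricted-access" {
          value 2;
          description
            "The Controlled Port is operational, but restrictions have
          been applied by the network that can limit access to some
          resources.";
        }
        enum "expected-access" {
          value 3;
          description
            "The Controlled Port is operational, and the access provided
          is as expected for successful authentication and
          authorization for the NID.";
        }
      }
      description
        "Indicates the transmitter's Controlled Port operational status
      and the current level of access resulting from authentication and
      the consequent authorization controls applied by that port's
      clients.";
      reference
        "IEEE 802.1X-2010 Clause 10.4, Clause 12.5";
    }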

    typedef mak-kn {
      // MKA Key Number: assigned by the Key Server and incremented for
      // each successive SAK, starting at 1.
      type uint32;
      description
        "A Key Number (KN) used in MKA. The Key Server assigns KNs
      sequentially, beginning with 1.";
      reference
        "IEEE 802.1X-2010 Clause 9.8, Clause 9.16";
    }

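    typedef mak-an {
      // The Association Number is carried in a 2-bit field of the MACsec
      // SecTAG (IEEE 802.1AE), so only the values 0..3 are valid. The
      // original uint32 accepted any value; the range now rejects ANs
      // that could never be used on the wire. All previously valid ANs
      // (0..3) remain valid.
      type uint8 {
        range "0..3";
      }
      description
        "A number that is concatenated with a MACsec Secure Channel
      Identifier to identify a Secure Association. Indicates an
      Association Number (AN) assigned by the Key Server for use with
      the key number for transmission.";
      reference
        "IEEE 802.1X-2010 Clause 9.8, Clause 9.16";
    }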

    typedef pae-ckn {
      // The CKN is a name for the CAK, not the key itself; the CAK it
      // identifies is the secret that must be protected.
      // NOTE(review): this length constraint counts characters, whereas
      // the CKN is defined as 1..32 octets. A UTF-8 value of 32
      // non-ASCII characters exceeds 32 octets; implementations should
      // enforce the octet limit (or the type should be modelled as
      // binary) — confirm against Clause 9.3.1.
      type string {
        length "1..32";
      }
      description
        "Indicates the CAK name to identify the Connectivity
      Association Key (CAK) which is the root key in the MACsec Key
      Agreement key hierarchy. All potential members of the CA use
      the same CKN.";
      reference
        "IEEE 802.1X-2010 Clause 9.3.1, Clause 6.2";
    }

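    typedef pae-kmd {
      // Length counts characters; the text of Clause 12.6 limits the KMD
      // to 253 UTF-8 octets, so check the encoded length as well.
      type string {
        length "0..253";
      }
      description
        "A Key Management Domain (KMD). A string of up to 253 UTF-8
      characters that names the transmitting Authenticator's key
      management domain.";
      // Reference completed: the original omitted the standard name.
      reference
        "IEEE 802.1X-2010 Clause 12.6";
    }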

    typedef pae-auth-data {
      // NOTE(review): unbounded string. If this value is ever received
      // from a peer or an AAA server, implementations should impose
      // their own maximum length before storing it — confirm where the
      // authorization data originates (Clause 9.16).
      type string;
      description
        "Authorization data associated with the CAK.";
      reference
        "IEEE 802.1X-2010 Clause 9.16";
    }

    typedef sci-list-entry {
      // NOTE(review): a YANG string cannot carry arbitrary octets (it must
      // be valid UTF-8 and excludes C0 control characters such as 0x00),
      // and its length constraint counts characters, not octets. An SCI
      // whose MAC address or Port Identifier contains such octets cannot
      // be represented by this type as written. The description's
      // "8 octet string" suggests `type binary { length "8"; }`; that
      // change alters the on-the-wire encoding, so it needs a decision
      // by the module owners rather than a silent fix here.
      type string {
        length "8";
      }
      description
        "8 octet string, where the first 6 octets represents the MAC
      Address (in canonical format), and the next 2 octets represents
      the Port Identifier.";
      reference
        "IEEE 802.1AE Clause 7.1.2, Clause 10.7.1";
    }

    typedef pae-if-index {
      // Positive 32-bit interface index; zero and negative values are
      // excluded by the range.
      type int32 {
        range "1..2147483647";
      }
      description
        "Interface index (ifIndex) value identifying an interface.";
    }

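    container nid-group {
      description
        "Contains both configuration and operational state nodes
      associated with the PAE NID group.";

      list pae-nid-group {
        key "nid";
        description
          "A list that contains the configuration nodes for the network
        announcement information for the Logon Process.";

        leaf nid {
          type pae-nid;
          description
            "Identification of the network or network service.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";
        }

        leaf use-eap {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, concurrently with the use of MKA with any
              cached CAK(s).";
            }
            enum "mka-fail" {
              value 2;
              description
                "Not until MKA has failed, if a prior CAK has been
              cached.";
            }
          }
          default "immediate";
          description
            "Determines when the Logon Process will initiate EAP, if
          the Supplicant and or Authenticator are enabled, and takes
          one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";
        }

        // Security note: the defaults of the next two leaves are
        // fail-open. With "immediate", a NID left at its defaults
        // provides unauthenticated connectivity (unauth-allowed) and
        // authenticated-but-unsecured, i.e. non-MACsec, connectivity
        // (unsecure-allowed) without waiting for EAP or MKA to succeed.
        // Ports that must fail closed need these set explicitly to
        // "never" (or "mka-server" for unsecure-allowed).
        leaf unauth-allowed {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, independently of any current or future
              attempts to authenticate using the PAE or MKA.";
            }
            enum "auth-fail" {
              value 2;
              description
                "Not until an attempt has been made to authenticate
              using EAP, unless neither the supplicant nor the
              authenticator is enabled, and MKA has attempted to use
              any cached CAK (unless the KaY is not enabled).";
            }
          }
          default "immediate";
          description
            "Determines when the Logon Process will tell the CP state
          machine to provide unauthenticated connectivity, and takes
          one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";
        }

        leaf unsecure-allowed {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, to provide connectivity concurrently with
              the use of MKA with any CAK acquired through EAP.";
            }
            enum "mka-fail" {
              value 2;
              description
                "Not until MKA has failed, or is not enabled.";
            }
            enum "mka-server" {
              value 3;
              description
                "Only if directed by the MKA server.";
            }
          }
          default "immediate";
          description
            "Determines when the Logon Process will tell the CP state
          machine to provide authenticated but unsecured
          connectivity, takes one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";
        }

        // Announced to peers; describes what this NID offers without
        // authentication. Defaults to the most restrictive value.
        leaf unauthenticated-access {
          type enumeration {
            enum "no-access" {
              value 0;
              description
                "Other than to authentication services.";
            }
            enum "fallback-access" {
              value 1;
              description
                "Limited access can be provided after authentication
              failure.";
            }
            enum "limited-access" {
              value 2;
              description
                "Immediate limited access is available without
              authentication.";
            }
            enum "open-access" {
              value 3;
              description
                "Immediate access is available without
              authentication.";
            }
          }
          default "no-access";
          description
            "Unauthenticated access capabilities provided by the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.1";
        }

        leaf access-capabilities {
          type pae-nid-capabilities;
          description
            "Authentication and protection capabilities supported for
          the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.1";
        }
      }  // list pae-nid-group

      list pae-nid-group-state {
        key "nid";
        // Fix: this list is documented as operational state but carried
        // no "config false", so it inherited config true from the
        // container and would have been writable configuration.
        config false;
        description
          "A list that contains the operational state nodes for the
        network announcement information for the Logon Process.";

        leaf nid {
          type pae-nid;
          description
            "Identification of the network or network service.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";
        }

        leaf kmd {
          type pae-kmd;
          description
            "The Key Management Domain for the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.4";
        }
      }  // list pae-nid-group-state
    }  // container nid-group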
  }  // module ieee802-dot1x