
ieee802-dot1x@2017-07-20



  module ieee802-dot1x {

    yang-version 1;

    namespace
      "urn:ieee:std:802.1X:yang:ieee802-dot1x";

    prefix dot1x;

    import ieee802-types {
      prefix ieee;
    }
    import ietf-yang-types {
      prefix yang;
    }
    import ietf-interfaces {
      prefix if;
    }
    import ietf-system {
      prefix system;
    }
    import iana-if-type {
      prefix ianaif;
    }

    organization
      "Institute of Electrical and Electronics Engineers";

    contact
      "WG-URL: http://grouper.ieee.org/groups/802/1/
    WG-EMail: stds-802-1@ieee.org

    Contact: IEEE 802.1 Working Group Chair
    Postal: C/O IEEE 802.1 Working Group
            IEEE Standards Association
            445 Hoes Lane
            P.O. Box 1331
            Piscataway
            NJ 08855-1331
            USA
 	
    E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";

    description
      "Port-based network access control allows a network administrator
    to restrict the use of IEEE 802 LAN service access points (ports)
    to secure communication between authenticated and authorized
    devices. IEEE Std 802.1X specifies an architecture, functional
    elements, and protocols that support mutual authentication
    between the clients of ports attached to the same LAN and secure
    communication between the ports. The following control allows a
    port to be reinitialized, terminating (and potentially
    restarting) authentication exchanges and MKA operation, based on
    a data model described in a set of YANG modules.";

    revision "2017-07-20" {
      description
        "Updates based upon comment resolution on draft
      D1.1 of P802.1Xck.";
      reference
        "IEEE 802.1X-2010, Port-Based Network Access Control.";

    }


    // Optional-capability marker for the PACP EAP Supplicant role.
    // NOTE(review): no if-feature statement naming this feature appears in
    // the visible part of the module; the supplicant container is gated by a
    // 'when' test on port-capabilities/supp instead.
    feature pacp-eap-supplicant {
      description
        "This feature indicates that the device supports a PACP EAP
      Supplicant.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

    // Optional-capability marker for the PACP EAP Authenticator role.
    // NOTE(review): no if-feature statement naming this feature appears in
    // the visible part of the module; the authenticator container is gated
    // by a 'when' test on port-capabilities/auth instead.
    feature pacp-eap-authenticator {
      description
        "This feature indicates that the device supports a PACP EAP
      Authenticator.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

    // Optional-capability marker for MACsec Key Agreement (MKA).
    // The per-port counterpart is the boolean leaf port-capabilities/mka,
    // which is what the 'when' on the kay container actually tests.
    feature mka {
      description
        "This feature indicates that the device supports MKA";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

    // Optional-capability marker for MACsec on the Controlled Port.
    // The per-port counterpart is the boolean leaf port-capabilities/macsec,
    // which is what the 'when' on the kay/macsec container tests.
    feature macsec {
      description
        "This feature indicates that the device supports MACsec on the
      Controlled Port.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

    // Optional-capability marker for sending EAPOL announcements.
    // A boolean leaf of the same name exists in grouping port-capabilities.
    feature announcements {
      description
        "This feature indicates that the device supports the ability to
      send EAPOL announcements.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

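    // Optional-capability marker for acting on received EAPOL announcements.
    // A boolean leaf of the same name exists in grouping port-capabilities;
    // the description wording now matches that leaf ("use received").
    feature listener {
      description
        "This feature indicates that the device supports the ability to
      use received EAPOL announcements.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }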

    // Optional-capability marker for virtual ports created on a real port.
    // The per-port counterpart is port-capabilities/virtual-ports, which the
    // 'when' on leaf vp-enable tests.
    feature virtual-ports {
      description
        "This feature indicates that the device supports the virtual
      ports for a real port.";
      reference
        "IEEE 802.1X-2010 Clause 12.9.2";

    }

    // Optional-capability marker for MKA in-service upgrades. This is the
    // only feature whose reference cites IEEE 802.1Xbx-2014 rather than
    // IEEE 802.1X-2010.
    feature in-service-upgrades {
      description
        "This feature indicates that the device supports MKA in-service
      upgrades.";
      reference
        "IEEE 802.1Xbx-2014 Clause 12.9.2";

    }

    // Leafref to the 'name' leaf that this module adds under /system:system.
    // The target sits in a container (pae-system), not a list, so at most one
    // PAE system name can exist for a reference to resolve against.
    typedef pae-system-ref {
      type leafref {
        path "/system:system/dot1x:pae-system/dot1x:name";
      }
      description
        "This type is used by data models that need to reference
      configured PAE systems.";
    }

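    // Network Identifier (NID) string, bounded to 100 characters; the empty
    // string is permitted (lower bound 0).
    // NOTE(review): a YANG string 'length' counts characters, not octets, so
    // the UTF-8 encoded form can be longer than 100 octets. Size any buffer
    // that stores a NID for the encoded form, and confirm the unit of the
    // limit against the referenced clauses.
    typedef pae-nid {
      type string {
        length "0..100";
      }
      description
        "Network Identifier, which is a UTF-8 string identifying a
      network or network service.";
      reference
        "IEEE 802.1X-2010 Clause 3, Clause 10.1, Clause 12.6";

    }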

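    // Name of the peer Supplicant for a session, 0 to 253 characters.
    // NOTE(review): presumably this value originates from the peer; treat it
    // as untrusted text when it is written to logs or shown in a management
    // UI. Confirm the origin against the referenced clause.
    typedef pae-session-user-name {
      type string {
        length "0..253";
      }
      description
        "Session user name, which is a UTF-8 string, representing the
      identity of the peer Supplicant.";
      reference
        "IEEE 802.1X-2010 Clause 12.5.1";

    }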

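    // Session identifier, 3 to 253 characters. Uniqueness is stated only
    // within one PAE's system, so the value alone does not identify a
    // session across systems.
    typedef pae-session-id {
      type string {
        length "3..253";
      }
      description
        "Session Identifier, which is a UTF-8 string, uniquely
      identifying the session within the context of the PAE's
      system.";
      reference
        "IEEE 802.1X-2010 Clause 12.5.1";

    }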

    // Bit set describing which authentication/protection combinations a NID
    // supports. Several bits may be set together (the description says any
    // set of the combinations can be supported).
    // Only bits 2 and 4 include MACsec; bits 0, 1 and 3 name EAP and/or MKA
    // without it, and bits 5 to 7 name mechanisms outside EAP and MKA.
    // NOTE(review): bit names are camelCase while the enumerations in this
    // module use lower-case hyphenated names; they are part of the data
    // encoding and cannot be renamed without breaking clients.
    typedef pae-nid-capabilities {
      type bits {
        bit eap {
          position 0;
          description "EAP";
        }
        bit eapMka {
          position 1;
          description "EAP + MKA";
        }
        bit eapMkaMacSec {
          position 2;
          description "EAP + MKA + MACsec";
        }
        bit mka {
          position 3;
          description "MKA";
        }
        bit mkaMacSec {
          position 4;
          description "MKA + MACsec";
        }
        bit higherLayer {
          position 5;
          description
            "Higher Layer (WebAuth)";
        }
        bit higherLayerFallback {
          position 6;
          description
            "Higher Layer Fallback (WebAuth)";
        }
        bit vendorSpecific {
          position 7;
          description
            "Vendor specific authentication mechanisms";
        }
      }
      description
        "Authentication and protection capabilities supported for the
      NID. Indicates the combinations of authentication and
      protection capabilities supported for a NID. Any set of these
      combinations can be supported.";
      reference
        "IEEE 802.1X-2010 Clause 10.1, Clause 11.12.3";

    }

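    // Access level reported for the transmitter's Controlled Port. The
    // assigned values run from no-access (0) to expected-access (3).
    // Only the possessive apostrophes in the typedef description were
    // restored; enum names and values are unchanged.
    typedef pae-access-status {
      type enumeration {
        enum "no-access" {
          value 0;
          description
            "Other than to authentication services, and to services
          announced as available in the absence of authentication
          (unauthenticated).";
        }
        enum "remedial-access" {
          value 1;
          description
            "The access granted is severely limited, possibly to
          remedial services.";
        }
        enum "restricted-access" {
          value 2;
          description
            "The Controlled Port is operational, but restrictions have
          been applied by the network that can limit access to some
          resources.";
        }
        enum "expected-access" {
          value 3;
          description
            "The Controlled Port is operational, and access provided is
          as expected for successful authentication and authorization
          for the NID.";
        }
      }
      description
        "Indicates the transmitter's Controlled Port operational status
      and current level of access resulting from authentication and
      the consequent authorization controls applied by that port's
      clients.";
      reference
        "IEEE 802.1X-2010 Clause 10.4, Clause 12.5";

    }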

    // MKA Key Number (KN) as an unsigned 32-bit integer.
    // NOTE(review): the description says numbering begins with 1, but the
    // type carries no range, so 0 is accepted by the schema.
    // NOTE(review): the typedef name reads "mak-" where the protocol is MKA;
    // it looks like a transposition, but the name is part of the module's
    // interface and is left as is.
    typedef mak-kn {
      type uint32;
      description
        "Indicates a Key Number (KN) used in MKA. It is assigned by
      the Key Server (sequentially beginning with 1).";
      reference
        "IEEE 802.1X-2010 Clause 9.8, Clause 9.16";

    }

    // MACsec Association Number (AN) as an unsigned 32-bit integer.
    // NOTE(review): no range is declared. The AN is a 2-bit field (0..3) in
    // IEEE 802.1AE, so the schema accepts values a Secure Association cannot
    // carry; a server should reject them. Confirm against the referenced
    // clauses before adding a range.
    // NOTE(review): as with mak-kn, the "mak-" prefix looks like a
    // transposition of "mka" but is part of the module's interface.
    typedef mak-an {
      type uint32;
      description
        "A number that is concatenated with a MACsec Secure Channel
      Identifier to identify a Secure Association. Indicates an
      Association Number (AN) assigned by the Key Server for use with
      the key number for transmission.";
      reference
        "IEEE 802.1X-2010 Clause 9.8, Clause 9.16";

    }

    // Name of a Connectivity Association Key (CKN), 1 to 32 characters.
    // This is the key's name, not the key: no leaf in the visible part of
    // the module carries CAK material.
    // NOTE(review): the type is a YANG string, whose length counts
    // characters and which cannot hold arbitrary octets. If the CKN is an
    // octet string in the standard, a textual (e.g. hex) convention has to
    // be agreed with clients; confirm against the referenced clauses.
    typedef pae-ckn {
      type string {
        length "1..32";
      }
      description
        "Indicates the CAK name to identify the Connectivity
      Association Key (CAK) which is the root key in the MACsec Key
      Agreement key hierarchy. All potential members of the CA use
      the same CKN.";
      reference
        "IEEE 802.1X-2010 Clause 9.3.1, Clause 6.2";

    }

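    // Key Management Domain (KMD) name, 0 to 253 characters, matching the
    // limit stated in the description.
    // NOTE(review): the reference gives only "IEEE Clause 12.6" with no
    // standard number, unlike every other reference in the module; confirm
    // which document is meant before relying on it.
    typedef pae-kmd {
      type string {
        length "0..253";
      }
      description
        "A Key Management Domain (KMD). A string of up to 253 UTF-8
      characters that names the transmitting authenticator's key
      management domain.";
      reference
        "IEEE Clause 12.6";

    }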

    // Authorization data associated with a CAK, as a free-form string.
    // NOTE(review): this is the only string typedef in the visible part of
    // the module without a length restriction, so the schema places no bound
    // on its size; implementations should enforce their own limit.
    // NOTE(review): the content is authorization-related; consider whether
    // read access to leaves of this type should be restricted.
    typedef pae-auth-data {
      type string;
      description
        "Authorization data associated with the CAK.";
      reference
        "IEEE 802.1X-2010 Clause 9.16";

    }

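    // Secure Channel Identifier entry: 6-octet MAC address followed by a
    // 2-octet Port Identifier, per the description.
    // NOTE(review): the type is a YANG string of length 8, which means eight
    // characters, not eight octets, and a string cannot carry arbitrary
    // octet values. Clients and servers need an agreed encoding, or the type
    // needs revisiting in a later revision; the type itself is left
    // unchanged here because altering it would break existing clients.
    typedef sci-list-entry {
      type string {
        length "8";
      }
      description
        "8 octet string, where the first 6 octets represent the MAC
      Address (in canonical format), and the next 2 octets represent
      the Port Identifier.";
      reference
        "IEEE 802.1AE Clause 7.1.2, Clause 10.7.1";

    }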

    // Interface index restricted to the positive int32 values
    // 1..2147483647; zero and negative numbers are rejected by the range.
    typedef pae-if-index {
      type int32 {
        range "1..2147483647";
      }
      description
        "The interface index value represented by this interface.";
    }

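    // Per-NID configuration for the Logon Process: when EAP is started, when
    // unauthenticated or authenticated-but-unsecured connectivity is
    // offered, and which capabilities the NID advertises.
    // Security note: unauth-allowed and unsecure-allowed both default to
    // "immediate", the most permissive value each of them defines. Set them
    // explicitly on any port where authentication or protection is
    // mandatory rather than relying on the defaults.
    grouping nid-group {
      description
        "The PAE NID Group configuration information.";
      list pae-nid-group {
        key "nid";
        description
          "A list that contains the configuration nodes for the network
        announcement information for the Logon Process.";
        // List key. pae-nid allows the empty string, so an entry keyed by
        // "" is valid as far as the schema is concerned.
        leaf nid {
          type pae-nid;
          description
            "Identification of the network or network service.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";

        }

        leaf use-eap {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, concurrently with the use of MKA with any
              cached CAK(s).";
            }
            enum "mka-fail" {
              value 2;
              description
                "Not until MKA has failed, if a prior CAK has been
              cached.";
            }
          }
          default "immediate";
          description
            "Determines when the Logon Process will initiate EAP, if
          the Supplicant and/or Authenticator are enabled, and takes
          one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";

        }

        leaf unauth-allowed {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, independently of any current or future
              attempts to authenticate using the PAE or MKA.";
            }
            enum "auth-fail" {
              value 2;
              description
                "Not until an attempt has been made to authenticate
              using EAP, unless neither the supplicant nor the
              authenticator is enabled, and MKA has attempted to use
              any cached CAK (unless the KaY is not enabled).";
            }
          }
          // Security note: with this default the Logon Process asks for
          // unauthenticated connectivity straight away, independently of any
          // authentication attempt. Use "never" where access must depend on
          // authentication; "auth-fail" still grants unauthenticated
          // connectivity once an attempt has been made.
          default "immediate";
          description
            "Determines when the Logon Process will tell the CP state
          machine to provide unauthenticated connectivity, and takes
          one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";

        }

        leaf unsecure-allowed {
          type enumeration {
            enum "never" {
              value 0;
              description "Never.";
            }
            enum "immediate" {
              value 1;
              description
                "Immediately, to provide connectivity concurrently with
              the use of MKA with any CAK acquired through EAP.";
            }
            enum "mka-fail" {
              value 2;
              description
                "Not until MKA has failed, or is not enabled.";
            }
            enum "mka-server" {
              value 3;
              description
                "Only if directed by the MKA server.";
            }
          }
          // Security note: with this default, authenticated but unsecured
          // connectivity is provided while MKA is still in use. Set "never"
          // where unsecured connectivity is not acceptable; "mka-fail" and
          // "mka-server" still permit it under the conditions they name.
          default "immediate";
          description
            "Determines when the Logon Process will tell the CP state
          machine to provide authenticated but unsecured
          connectivity, takes one of the above values.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";

        }

        // Describes what the NID offers without authentication. The default
        // is the most restrictive value; "open-access" and "limited-access"
        // both mean access before any authentication.
        leaf unauthenticated-access {
          type enumeration {
            enum "no-access" {
              value 0;
              description
                "Other than to authentication services.";
            }
            enum "fallback-access" {
              value 1;
              description
                "Limited access can be provided after authentication
              failure.";
            }
            enum "limited-access" {
              value 2;
              description
                "Immediate limited access is available without
              authentication.";
            }
            enum "open-access" {
              value 3;
              description
                "Immediate access is available without
              authentication.";
            }
          }
          default "no-access";
          description
            "Unauthenticated access capabilities provided by the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.1";

        }

        // No default: when the leaf is absent the schema says nothing about
        // which capability bits apply.
        leaf access-capabilities {
          type pae-nid-capabilities;
          description
            "Authentication and protection capabilities supported for
          the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.1";

        }
      }  // list pae-nid-group
    }  // grouping nid-group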

    // Operational-state counterpart of nid-group: one entry per NID holding
    // the Key Management Domain associated with it.
    // NOTE(review): the grouping itself carries no 'config false'; whether
    // the nodes are read-only depends on where it is used, which is not
    // visible in this part of the module.
    grouping nid-group-state {
      description
        "The PAE NID Group state information.";
      list pae-nid-group-state {
        key "nid";
        description
          "A list that contains the operational state nodes for the
        network announcement information for the Logon Process.";
        // List key, same type as the key of pae-nid-group.
        leaf nid {
          type pae-nid;
          description
            "Identification of the network or network service.";
          reference
            "IEEE 802.1X-2010 Clause 12.5";

        }

        leaf kmd {
          type pae-kmd;
          description
            "The Key Management Domain for the NID.";
          reference
            "IEEE 802.1X-2010 Clause 10.4";

        }
      }  // list pae-nid-group-state
    }  // grouping nid-group-state

    // Boolean capability flags for one port's PAE. They are referenced by
    // the 'when' expressions that gate vp-enable and the supplicant,
    // authenticator, kay and kay/macsec containers.
    // NOTE(review): none of the leaves has a default. An XPath comparison
    // against an absent leaf is false, so a test such as
    // "../port-capabilities/supp = 'false'" only holds when the leaf is
    // explicitly present with that value.
    grouping port-capabilities {
      description
        "Per port PAE feature capabilities.";
      leaf supp {
        type boolean;
        description
          "Indicates if PACP EAP Supplicant is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf auth {
        type boolean;
        description
          "Indicates if PACP EAP Authenticator is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf mka {
        type boolean;
        description
          "Indicates if MKA is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf macsec {
        type boolean;
        description
          "Indicates if MACsec on the Controlled port is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf announcements {
        type boolean;
        description
          "Indicates if the ability to send EAPOL announcements is
        supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf listener {
        type boolean;
        description
          "Indicates if the ability to use received EAPOL
        announcements is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf virtual-ports {
        type boolean;
        description
          "Indicates if virtual ports for a real port is supported.";
        reference
          "IEEE 802.1X-2010 Clause 12.9.2";

      }

      leaf in-service-upgrades {
        type boolean;
        description
          "Indicates if MKA in-service upgrades is supported.";
        reference
          "IEEE 802.1Xbx-2014 Clause 12.9.2";

      }
    }  // grouping port-capabilities

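    // Adds the system-wide 802.1X switches under /system:system.
    // Security note: both enumeration leaves are global controls. Per its
    // description, "disabled" on system-access-control ends authentication
    // exchanges and MKA operation and makes each Logon Process behave as if
    // unauthAllowed were Immediate, so write access to this subtree should
    // be limited to administrators (for example with NACM rules, RFC 8341).
    // NOTE(review): neither enumeration leaf declares a default, so the
    // state that applies when a leaf is absent is not defined by the schema.
    augment /system:system {
      description
        "Augment system with 802.1X PAE System specific configuration
      nodes.";
      container pae-system {
        description
          "Contains all 802.1X PAE System specific related
        configuration.";
        // Target of typedef pae-system-ref. The enclosing node is a
        // container, so only one name can be configured.
        leaf name {
          type string;
          description
            "The name which uniquely identifies the PAE System.";
        }

        leaf system-access-control {
          type enumeration {
            enum "disabled" {
              value 0;
              description
                "Deletes any virtual ports previously instantiated, and
              terminates authentication exchanges and MKA
              operation.";
            }
            enum "enabled" {
              value 1;
              description
                "Enables PAE system access control.";
            }
          }
          description
            "Setting this control to disabled deletes any virtual ports
          previously instantiated, and terminates authentication
          exchanges and MKA operation. Each real port PAE behaves as
          if enabledVirtualPorts was clear, the PAE's Supplicant,
          Authenticator, and KaY as if their enabled controls were
          clear, and Logon Process(es) as if unauthAllowed was
          Immediate. Announcements can be transmitted (subject to
          other controls), both periodically and in response to
          announcement requests (conveyed by EAPOL-Starts or
          EAPOL-Announcement-Reqs) but are sent with a single NID
          Set, with a null NID, and the Access Information TLV (and
          no other) with a pae-access-status of No Access,
          accessRequested false, OpenAccess, and no
          accessCapabilities. The control variable settings for each
          real port PAE are unaffected, and will be used once
          systemAccessControl is set to enabled.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.1";

        }

        leaf system-announcements {
          type enumeration {
            enum "disabled" {
              value 0;
              description
                "Causes each PAE to behave as if enabled were clear
              for the PAE's Announcement functionality.";
            }
            enum "enabled" {
              value 1;
              description
                "Enables PAE system announcements.";
            }
          }
          description
            "Setting this control to Disabled causes each PAE to behave
          as if enabled were clear for the PAE's Announcement
          functionality. The independent controls for each PAE apply
          if systemAnnouncements is Enabled.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.1";

        }
      }  // container pae-system
    }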

    // Adds 802.1X operational state under /system:system-state: the EAPOL
    // and MKA protocol versions and the list of interfaces acting as PAEs.
    // NOTE(review): no 'config false' appears in this augment. The nodes are
    // read-only only if the target is; system-state is config false in
    // ietf-system - confirm against the imported revision.
    augment /system:system-state {
      description
        "Augment system-state model with 802.1X PAE System specific
      operational state nodes.";
      container pae-system {
        description
          "Contains all 802.1X specific operational state related
        nodes.";
        leaf eapol-protocol-version {
          type uint32;
          description
            "The EAPOL protocol version for this system.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.1, Clause 11.3";

        }

        leaf mka-version {
          type uint32;
          description
            "The MKA protocol version for this system.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.1, Clause 11.3";

        }

        // References into the ietf-interfaces interface list.
        leaf-list pae {
          type if:interface-ref;
          description
            "List of PAE references.";
        }
      }  // container pae-system
    }

    augment /if:interfaces/if:interface {
      when
        "if:type = 'ianaif:ethernetCsmacd' or
          if:type = 'ianaif:ilan'" {
        description
          "Applies to the Controlled Port of SecY or PAC shim.";
      }
      description
        "Augment interface model with PAE configuration nodes.";
      reference
        "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2010 Clause 6.5 and
        Clause 13.3.2";

      container pae {
        description
          "Contains PAE configuration related nodes.";
        // Binds this interface's PAE to the PAE system by name. The type is
        // a leafref to /system:system/dot1x:pae-system/dot1x:name, so the
        // value has to match the configured system name.
        leaf pae-system {
          type pae-system-ref;
          description
            "The PAE system that this PAE is a member of.";
        }

        // Distinguishes real ports from virtual ports.
        // NOTE(review): no default is declared. The 'when' expressions on
        // vp-enable and on the supplicant container compare this leaf with
        // 'real-port', and that comparison is false while the leaf is
        // absent.
        leaf port-type {
          type enumeration {
            enum "real-port" {
              value 0;
              description "Real Port type.";
            }
            enum "virtual-port" {
              value 1;
              description
                "Virtual Port type.";
            }
          }
          description
            "The port type of the PAE.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

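        // Lets a real port's PAE create virtual ports; off by default.
        // NOTE(review): the description makes virtual ports conditional on
        // MKA and MACsec operation being enabled, but the 'when' expression
        // only tests the port type and the virtual-ports capability flag.
        // The schema therefore accepts vp-enable = true on a port without
        // MKA/MACsec; the server has to enforce that condition itself.
        leaf vp-enable {
          when
            "../port-type = 'real-port' and
              ../port-capabilities/virtual-ports = 'true'" {
            description
              "Applies when port is Real Port and virtual port
            capabilities are supported.";
          }
          type boolean;
          default "false";
          description
            "A real port's PAE may be configured to create virtual
          ports to support multi-access LANs provided that MKA and
          MACsec operation is enabled for that port.";
          reference
            "IEEE 802.1X-2010 Clause 12.7";

        }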

        // Instantiates the capability flags inside the 'pae' configuration
        // container.
        // NOTE(review): no 'config false' is visible here or in the
        // grouping, so these flags look writable by management even though
        // they describe what the port supports. The 'when' expressions on
        // the sibling nodes test them, so changing a flag changes which
        // subtrees apply. Confirm this is intended and restrict write
        // access to this container.
        container port-capabilities {
          description
            "Per port PAE feature capabilities.";
          uses port-capabilities;
        }  // container port-capabilities

        // Supplicant timer and retry limit for a real port.
        // NOTE(review): the 'when' description speaks of the Authenticator
        // being disabled, but the expression tests the capability flag
        // port-capabilities/auth, i.e. whether the role is supported.
        container supplicant {
          when
            "../port-type = 'real-port' and
              ../port-capabilities/supp = 'true' and
              ../port-capabilities/auth = 'false'" {
            description
              "Applies to Real Ports and when the Authenticator is
            disabled and supplicant port capabilities are
            supported.";
          }
          description
            "Contains the configuration nodes for the Supplicant PAE
          associated with each port.";
          // Wait imposed after a failed attempt. The type is uint16 with no
          // range, so 0 is accepted by the schema.
          leaf held-period {
            type uint16;
            units "seconds";
            default "60";
            description
              "The initial value of the timer used to impose a wait
            period after a failed authentication attempt, before
            another attempt is permitted.";
            reference
              "IEEE 802.1X-2010 Clause 8.6";

          }

          // NOTE(review): the description below is word-for-word the one on
          // authenticator/retry-max and talks about "an authenticator
          // port"; it was probably copied. Confirm the supplicant wording
          // against the referenced clause.
          leaf retry-max {
            type uint8;
            default "2";
            description
              "Specifies the maximum number of re-authentication
            attempts on an authenticator port before port is
            unauthorized.";
            reference
              "IEEE 802.1X-2010 Clause 8.7";

          }
        }  // container supplicant

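        // Authenticator timers, re-authentication switch and retry limit.
        // Unlike the supplicant container, the 'when' expression here does
        // not test port-type.
        // NOTE(review): as on the supplicant, the 'when' description says
        // the Supplicant is disabled while the expression tests the
        // capability flag port-capabilities/supp.
        container authenticator {
          when
            "../port-capabilities/supp = 'false' and
              ../port-capabilities/auth = 'true'" {
            description
              "Applies when the Supplicant is disabled and
            Authenticator is supported.";
          }
          description
            "Contains configuration nodes for the Authenticator PAE
          associated with each port.";
          // Hold-off after a failed exchange. uint16 with no range, so the
          // schema accepts 0, which would leave no quiet time between
          // failed attempts.
          leaf quiet-period {
            type uint16;
            units "seconds";
            default "60";
            description
              "Number of seconds that the switch remains in the quiet
            state following a failed authentication exchange with the
            client.";
            reference
              "IEEE 802.1X-2010 Clause 8.6, Figure 12-3";

          }

          // Presumably only meaningful while reauth-enable is true; the
          // schema does not tie the two leaves together.
          leaf reauth-period {
            type uint16;
            units "seconds";
            default "3600";
            description
              "This object indicates the time period of the
            reauthentication to the supplicant.";
            reference
              "IEEE 802.1X-2010 Clause 8.6, Figure 12-3";

          }

          // Security note: the default is false, so an authenticated
          // session is not periodically re-authenticated unless management
          // turns this on.
          leaf reauth-enable {
            type boolean;
            default "false";
            description
              "Re-authentication is enabled or not.";
            reference
              "IEEE 802.1X Clause 5.8c and 8.9";

          }

          leaf retry-max {
            type uint8;
            default "2";
            description
              "Specifies the maximum number of re-authentication
            attempts on an authenticator port before port is
            unauthorized.";
            reference
              "IEEE 802.1X-2010 Clause 8.9";

          }
        }  // container authenticator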

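        // MKA Key Agreement Entity (KaY) configuration for one interface;
        // present only when port-capabilities/mka is true.
        // Security note: these nodes decide whether MKA runs, who may become
        // Key Server, whether MACsec is requested and when Group CAKs are
        // redistributed. Write access should be limited to administrators.
        // Spelling and possessive apostrophes in the descriptions were
        // corrected; node names, types and defaults are unchanged.
        container kay {
          when
            "../port-capabilities/mka = 'true'" {
            description
              "Applies when the MKA port capability is supported.";
          }
          description
            "Contains configuration system level information for each
          Interface supported by the KaY (Key Agreement Entity).";
          // Default false: MKA is not used on the port until management
          // sets this leaf.
          leaf enable {
            type boolean;
            default "false";
            description
              "Set by management to enable (clear to disable) the use
            of MKA.";
            reference
              "IEEE 802.1X-2010 Clause 9.16";

          }

          container actor {
            description
              "Contains configuration nodes associated with the actor";
            // No default and no range: any uint8 value is accepted.
            leaf priority {
              type uint8;
              description
                "The Key Server Priority for all the port's actors.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container actor

          container key-server {
            description
              "Contains configuration nodes associated with the key
            server.";
            // NOTE(review): the description reads like an observed value
            // (the elected Key Server's priority), yet the leaf sits in the
            // configuration tree with no 'config false' visible.
            leaf priority {
              type uint8;
              description
                "The Key Server Priority for the Key Server for the
              principal actor. Matches the actorPriority if the
              actor is the Key Server";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container key-server

          container group {
            description
              "Contains configuration nodes associated with the
            group.";
            // Default true: Group CAKs distributed by MKA are accepted
            // unless management clears this leaf.
            leaf join {
              type boolean;
              default "true";
              description
                "Set if the KaY will accept Group CAKs distributed by
              MKA.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf form {
              type boolean;
              default "false";
              description
                "Set if the KaY will attempt to use point-to-point CAs
              to distribute a Group CAK, if its principal actor is
              the Key Server for all the point-to-point CAs.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            // Acts as a trigger: management sets it, the KaY clears it.
            // The stored configuration value can therefore differ from what
            // management last wrote.
            leaf new {
              type boolean;
              default "false";
              description
                "Set by management if a new Group CAK is to be
              distributed, if the principal actor is the Key Server
              for all point-to-point CAs. Cleared by the KaY when
              distribution is complete.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container group

          container macsec {
            when
              "../../port-capabilities/macsec = 'true'" {
              description
                "Applies when the MACsec port capability is
              supported.";
            }
            description
              "Contains configuration nodes associated with macsec.";
            // NOTE(review): no default is declared, unlike 'desired'; the
            // value that applies when the leaf is absent is not defined by
            // the schema.
            leaf capable {
              type boolean;
              description
                "Set for the port and applicable to all actors, by
              management.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            // Default true. Clearing it applies to all actors on the port,
            // per the description.
            leaf desired {
              type boolean;
              default "true";
              description
                "Set for the port and applicable to all actors, by
              management.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container macsec

          // Default true: a suspension requested by another participant is
          // honoured when this KaY's principal actor is the Key Server.
          leaf suspend-on-request {
            type boolean;
            default "true";
            description
              "Set by management to allow the KaY's principal actor to
            initiate a suspension if it is the Key Server and another
            participant has requested a suspension.";
          }

          // NOTE(review): the description bounds the value by "MKA
          // Suspension Limit", but the type is a plain uint8 with no range,
          // so the schema accepts up to 255; the server has to enforce the
          // limit.
          leaf suspend-for {
            type uint8;
            default "0";
            description
              "Set by management to a non-zero number of seconds
            between 1 and MKA Suspension Limit to initiate a
            suspension (9.18) of that duration (if the KaY's principal
            actor is the Key Server) or to request a suspension
            (otherwise).";
            reference
              "IEEE 802.1X-2010 Clause 9.18";

          }

          // NOTE(review): 'cached' and 'active' are described as values set
          // by or reflecting the KaY, yet they sit in the configuration
          // tree with no 'config false' visible. Writing them has an effect
          // (clearing 'cached' removes the participant from the cache), so
          // write access matters here too.
          list participants {
            key "participant";
            description
              "Contains list of configuration nodes for each MKA
            participant supported by the KaY MKA entity.";
            leaf participant {
              type uint32;
              description
                "Key into Participants list.";
            }

            leaf cached {
              type boolean;
              description
                "Set by the KaY if the participant's parameters are
              cached. If set, cached can be cleared by management to
              remove the participant from the cache.";
            }

            leaf active {
              type boolean;
              default "false";
              description
                "Set if the participant is active, i.e., is currently
              transmitting periodic MKPDUs.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf retain {
              type boolean;
              default "false";
              description
                "Set by management to retain the participant in the
              cache, even if the KaY would normally remove it (due to
              lack of use for example).";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf activate {
              type enumeration {
                enum "default" {
                  value 0;
                  description
                    "The participant is from cached entries created by
                  the KaY as part of normal operation, without
                  explicit management, and is activated according to
                  the implementation dependent policies of the KaY.";
                }
                enum "disabled" {
                  value 1;
                  description
                    "The participant allows the cache information to be
                  retained, but disabled for indefinite period.";
                }
                // NOTE(review): "PAE's part" below is "PAE's port" in the
                // leaf description further down; the word is left as
                // published.
                enum "on-oper-up" {
                  value 2;
                  description
                    "Causing the participant to be activated when the
                  PAE's part is activated, and therefore when the SecY
                  or PAC's Common Port becomes operational.";
                }
                enum "always" {
                  value 3;
                  description
                    "Causing the participant to remain active all the
                  time, even in the continued absence of partners.";
                }
              }
              default "default";
              description
                "Controls when the participant is activated. Cached
              entries created by the KaY as part of normal operation,
              without explicit management, have the value Default,
              and are activated according to the implementation
              dependent policies of the KaY. This variable can be
              set to any of its values by management. Disabled allows
              the cache entry to be retained, but disabled for an
              indefinite period. OnOperUp causes the participant to
              be activated when the PAE's port (and therefore when the
              SecY or PAC's Common Port becomes MAC_Operational).
              Always causes the participant to remain active all the
              time, even in the continued absence of partners. If the
              value is changed to Disabled or OnOperUp, the
              participant ceases operation immediately and receipt of
              MKPDUs with a matching CKN during a subsequent period
              of twice MKA Life Time will not cause the participant
              to become active once more.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // list participants
        }  // container kay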

          // NID configuration for the Logon Process: the `selected` NID plus
          // whatever the nid-group grouping contributes (that grouping is
          // defined outside this view).
          container logon-nid {
            description
              "Contains the configuration related NID information for the
            Logon Process. The Logon Process may use Network
            Identifiers (NIDs) to manage its use of authentication
            credentials, cached CAKs, and announcements.";
            // NOTE(review): the description says this defaults to the null
            // NID, but no `default` statement is declared on the leaf, so
            // that default is not expressed in the schema itself.
            leaf selected {
              type pae-nid;
              description
                "The NID currently configured for use by an access
              controlled port when transmitting EAPOL-Start frames.
              Defaults to the null NID.";
              reference
                "IEEE 802.1X-2010 Clause 12.5";

            }

            uses nid-group;
          }  // container logon-nid

          // Announcer configuration. The `when` expression makes the
          // container apply only if the sibling port-capabilities container
          // reports announcements = 'true'.
          container announcer {
            when
              "../port-capabilities/announcements = 'true'" {
              description
                "Applies when the Announcements port capabilities are
              supported.";
            }
            description
              "Contains the configuration related Announcer
            information.";
            // Announcer on/off switch; off unless explicitly enabled
            // (default "false").
            leaf enable {
              type boolean;
              default "false";
              description
                "A boolean indicating if the announcer is enabled or
              not.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // Entries to be announced, keyed by `announces`. Per-entry
            // content comes from the nid-group grouping (not visible here).
            // NOTE(review): the description says this information is
            // announced on the network, so whatever is configured here
            // should be treated as visible to attached stations.
            list announce {
              key "announces";
              description
                "Contains the configuration related status information
              that the Announcers announce in the network announcement
              of the PAE system.";
              leaf announces {
                type uint32;
                description
                  "Key into Announce list.";
              }

              uses nid-group;
            }  // list announce
          }  // container announcer

          // Listener configuration. Applies only if the sibling
          // port-capabilities container reports listener = 'true'.
          container listener {
            when
              "../port-capabilities/listener = 'true'" {
              description
                "Applies when the Listener port capability is
              supported.";
            }
            description
              "Contains the configuration Listener node related
            information.";
            // Listener on/off switch; off unless explicitly enabled
            // (default "false").
            leaf enable {
              type boolean;
              default "false";
              description
                "A boolean indicating if the listener is enabled or
              not.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }
          }  // container listener

          // Per-port Logon Process configuration; holds a single switch.
          container logon-process {
            description
              "Contains configuration system level information for each
            port to support the Logon Process(es) status information.";
            // Logon Process on/off switch; the declared default is "false".
            leaf logon {
              type boolean;
              default "false";
              description
                "A boolean indicating if the logon-process is enabled or
              not.";
              reference
                "IEEE 802.1X-2010 Clause 12.5";

            }
          }  // container logon-process
      }  // container pae
    }

    augment /if:interfaces-state/if:interface {
      when
        "if:type = 'ianaif:ethernetCsmacd' or
          if:type = 'ianaif:ilan'" {
        description
          "Applies to the Controlled Port of SecY or PAC shim.";
      }
      description
        "Augment interface-state model with PAE configuration nodes.";
      reference
        "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2010 Clause 6.5 and
        Clause 13.3.2.";

      container pae {
        description
          "Contains PAE operational state related nodes.";
        // Name of the port that identifies this PAE, expressed as a
        // reference to an interface (if:interface-ref).
        leaf port-name {
          type if:interface-ref;
          description
            "Each PAE is uniquely identified by a port name.";
        }

        // Port number identifying this PAE (type pae-if-index, defined
        // outside this view).
        // The description's portNumber, uncontrolledPortNumber,
        // controlledPortNumber and commonPortNumber presumably correspond to
        // the port-number, uncontrolled-port-number, controlled-port-number
        // and common-port-number leaves of this container -- confirm.
        // NOTE(review): "real ports PAE" presumably reads "real port's PAE".
        leaf port-number {
          type pae-if-index;
          description
            "Each PAE is uniquely identified by a port number. The
          port number used is unique amongst all port names for the
          system, and directly or indirectly identifies the
          Uncontrolled Port that supports the PAE. If the PAE has
          been dynamically instantiated to support an existing or
          potential virtual port, this portNumber, the
          uncontrolledPortNumber and the controlledPortNumber are
          allocated by the real ports PAE, and this portNumber is the
          uncontrolledPortNumber. If the PAE supports a real port,
          this portNumber is the commonPortNumber for the associated
          PAC or SecY.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

        // Interface reference for the Controlled Port.
        // NOTE(review): the description repeats the text used for port-name
        // instead of describing the Controlled Port; the uncontrolled and
        // common siblings use "The ... port name reference." Looks like a
        // copy-paste leftover -- confirm against the standard.
        leaf controlled-port-name {
          type if:interface-ref;
          description
            "Each PAE is uniquely identified by a port name.";
        }

        // Port number of the Controlled Port of the associated PAC or SecY.
        // NOTE(review): "SecYs" presumably reads "SecY's".
        leaf controlled-port-number {
          type pae-if-index;
          description
            "The port for the associated PAC or SecYs Controlled
          Port.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

        // Interface reference for the Uncontrolled Port.
        leaf uncontrolled-port-name {
          type if:interface-ref;
          description
            "The uncontrolled port name reference.";
        }

        // Port number of the Uncontrolled Port of the associated PAC or SecY.
        // NOTE(review): "SecYs" presumably reads "SecY's".
        leaf uncontrolled-port-number {
          type pae-if-index;
          description
            "The port for the associated PAC or SecYs Uncontrolled
          Port.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

        // Interface reference for the Common Port.
        leaf common-port-name {
          type if:interface-ref;
          description
            "The common port name reference.";
        }

        // Port number of the Common Port. Per the description, every virtual
        // port created for one real port reports the same value here.
        leaf common-port-number {
          type pae-if-index;
          description
            "The port for the associated PAC or SecYs Common Port. All
          the virtual ports created for a given real port share the
          same Common Port and commonPortNumber.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

        // Per-port capability flags, pulled in from the port-capabilities
        // grouping (defined outside this view). Sibling `when` expressions
        // in this container test its virtual-ports, supp, auth, mka, macsec,
        // announcements and listener members against 'true'.
        container port-capabilities {
          description
            "Per port PAE feature capabilities.";
          uses port-capabilities;
        }  // container port-capabilities

        // Whether this PAE belongs to a real port (0) or a virtual port (1).
        // No default is declared. Sibling `when` expressions compare this
        // leaf with 'real-port' / 'virtual-port' to decide which nodes apply.
        leaf port-type {
          type enumeration {
            enum "real-port" {
              value 0;
              description "Real Port type.";
            }
            enum "virtual-port" {
              value 1;
              description
                "Virtual Port type.";
            }
          }
          description
            "The port type of the PAE.";
          reference
            "IEEE 802.1X-2010 Clause 12.9.2";

        }

        // Virtual-port operational state; applies only when the
        // virtual-ports capability is reported. `max` and `current` apply to
        // real ports, `start` and `peer-address` to virtual ports.
        container virtual-port {
          when
            "../port-capabilities/virtual-ports = 'true'" {
            description
              "Applies when the virtual ports port capability is
            supported.";
          }
          description
            "Contains Virtual Port operational state information.";
          // Guaranteed maximum number of virtual ports on a real port.
          leaf max {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when Port is a Real Port.";
            }
            type uint32;
            description
              "The guaranteed maximum number of virtual ports.";
            reference
              "IEEE 802.1X-2010 Clause 12.9.2";

          }

          // Number of virtual ports currently present (gauge32).
          // Monitoring hint: compare with `max`; a port that sits at or
          // near its maximum is running out of virtual-port resources.
          leaf current {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when Port is a Real Port.";
            }
            type yang:gauge32;
            description
              "The current number of virtual ports.";
            reference
              "IEEE 802.1X-2010 Clause 12.9.2";

          }

          // NOTE(review): the description reads like a flag ("Set if ...")
          // but the declared type is uint32, not boolean. Which values mean
          // "set" is not stated here -- confirm against Clause 12.9.7
          // before relying on it.
          leaf start {
            when
              "../../port-type = 'virtual-port'" {
              description
                "Applies when Port is a Virtual Port.";
            }
            type uint32;
            description
              "Set if the virtual port was created by receipt of an
            EAPOL-Start frame.";
            reference
              "IEEE 802.1X-2010 Clause 12.9.7";

          }

          // Source MAC address of the EAPOL-Start; "vpStart" in the
          // description presumably refers to the `start` leaf above.
          // NOTE(review): the address is taken from a received frame and
          // nothing in the description says it has been authenticated, so
          // it should not be used on its own as a peer identity.
          leaf peer-address {
            when
              "../../port-type = 'virtual-port'" {
              description
                "Applies when Port is a Virtual Port.";
            }
            type ieee:mac-address;
            description
              "The source MAC Address of the EAPOL-Start (if vpStart is
            set).";
            reference
              "IEEE 802.1X-2010 Clause 12.9.7";

          }
        }  // container virtual-port

        // Supplicant PAE operational state. Applies only to real ports that
        // report the supp capability (both conditions are in the `when`).
        // The four leaves are booleans with no declared defaults.
        container supplicant {
          when
            "../port-type = 'real-port' and
              ../port-capabilities/supp = 'true'" {
            description
              "Applies when Port is a Real Port and the Supplicant
            port capability is supported.";
          }
          description
            "Contains the operational state nodes for the Supplicant
          PAE associated with each port.";
          // Set by PACP when the PAE can provide authentication. The
          // "control variable enable" named in the description is not
          // defined in this container; presumably it is the corresponding
          // configuration leaf -- confirm.
          leaf enabled {
            type boolean;
            description
              "Set by PACP if the PAE can provide authentication. Will
            be FALSE if the Port is not enabled, if the functionality
            provided by the PAE is not available, or not implemented,
            or the control variable enable has been cleared by
            management, e.g. because the application scenario
            authenticates a user and there is no user logged on.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Request flag owned by the PAE client: set to request
          // authentication, cleared to revoke it.
          leaf authenticate {
            type boolean;
            description
              "Set by the PAE client to request authentication, and
            allows reauthentication while set. Cleared by the client
            to revoke authentication. To enable authentication the
            client also needs to clear failed (if set).";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Result flag owned by PACP: true only while the PAE is
          // currently authenticated.
          leaf authenticated {
            type boolean;
            description
              "Set by PACP if the PAE is currently authenticated, and
            cleared if the authentication fails or is revoked.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Failure flag owned by PACP. Per the description it covers an
          // EAP Fail, too many attempts, and the client deasserting
          // authenticate, but is NOT set when the exchange ends because
          // enable became FALSE. Monitoring that looks only at `failed`
          // therefore misses the disabled case; read `enabled` as well.
          leaf failed {
            type boolean;
            description
              "Set by PACP if the authentication has failed or has been
            terminated. The cause could be a Fail returned by EAP,
            either immediately or following a reauthentication, an
            excessive number of attempts to authenticate (either
            immediately or upon reauthentication), or the client
            deasserting authenticate. The PACP will clear
            authenticated as well as setting failed. Any ongoing
            authentication exchange will be terminated (by the state
            machines) if enable becomes FALSE and enabled will be
            cleared, but failed will not be set.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }
        }  // container supplicant

        // Authenticator PAE operational state. Applies when the auth
        // capability is reported; unlike the supplicant container, the
        // `when` expression here does not test port-type.
        // The four leaves are booleans with no declared defaults, and their
        // descriptions are word-for-word the same as the supplicant ones.
        container authenticator {
          when
            "../port-capabilities/auth = 'true'" {
            description
              "Applies when the Authenticator port capability feature
            is supported.";
          }
          description
            "Contains operational state nodes for the Authenticator
          PAE associated with each port.";
          // Set by PACP when the PAE can provide authentication. The
          // "control variable enable" named in the description is not
          // defined in this container; presumably it is the corresponding
          // configuration leaf -- confirm.
          leaf enabled {
            type boolean;
            description
              "Set by PACP if the PAE can provide authentication. Will
            be FALSE if the Port is not enabled, if the functionality
            provided by the PAE is not available, or not implemented,
            or the control variable enable has been cleared by
            management, e.g. because the application scenario
            authenticates a user and there is no user logged on.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Request flag owned by the PAE client: set to request
          // authentication, cleared to revoke it.
          leaf authenticate {
            type boolean;
            description
              "Set by the PAE client to request authentication, and
            allows reauthentication while set. Cleared by the client
            to revoke authentication. To enable authentication the
            client also needs to clear failed (if set).";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Result flag owned by PACP: true only while the PAE is
          // currently authenticated.
          leaf authenticated {
            type boolean;
            description
              "Set by PACP if the PAE is currently authenticated, and
            cleared if the authentication fails or is revoked.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }

          // Failure flag owned by PACP. Per the description it is NOT set
          // when the exchange ends because enable became FALSE, so
          // monitoring should read `enabled` together with `failed`.
          leaf failed {
            type boolean;
            description
              "Set by PACP if the authentication has failed or has been
            terminated. The cause could be a Fail returned by EAP,
            either immediately or following a reauthentication, an
            excessive number of attempts to authenticate (either
            immediately or upon reauthentication), or the client
            deasserting authenticate. The PACP will clear
            authenticated as well as setting failed. Any ongoing
            authentication exchange will be terminated (by the state
            machines) if enable becomes FALSE and enabled will be
            cleared, but failed will not be set.";
            reference
              "IEEE 802.1X-2010 Clause 8.4";

          }
        }  // container authenticator

        // KaY (MKA) operational state; applies only when the mka capability
        // is reported. Holds the actor and Key Server SCIs, the MACsec
        // control flags, the overall MKA outcome flags (active,
        // authenticated, secured, failed), the SAK key/association numbers
        // in use and a per-participant list.
        // NOTE(review): "Aggreement" in the description is a typo for
        // "Agreement". Wording left untouched.
        container kay {
          when
            "../port-capabilities/mka = 'true'" {
            description
              "Applies when the MKA port capability feature is
            supported.";
          }
          description
            "Contains operational state system level information for
          each Interface supported by the KaY (Key Aggreement
          Entity).";
          container actor {
            description
              "Contains operational state nodes associated with the
            actor";
            // SCI the system assigned to the port. "ports actors"
            // presumably reads "port's actors".
            leaf sci {
              type sci-list-entry;
              description
                "The SCI assigned by the system to the port (applies
              to all the ports actors).";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container actor

          container key-server {
            description
              "Contains operational state nodes associated with the
            key server.";
            // SCI of the Key Server for the principal actor. Per the
            // description it equals actor/sci when the actor itself is the
            // Key Server and is null without a principal actor or live
            // peers; how "null" is encoded in sci-list-entry is not
            // visible here.
            leaf sci {
              type sci-list-entry;
              description
                "The SCI for Key Server for the principal actor. Null
              if there is no principal actor, or that actor has no
              live peers. Matches the actorSCI if the actor is the
              Key Server.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container key-server

          // MACsec control flags as used by the CP state machine; applies
          // only when the macsec capability is reported.
          // NOTE(review): all three descriptions point to "12.4" while the
          // reference statements cite Clause 9.16; the flags' meaning is
          // not spelled out here. Presumably a false value on a port that
          // is expected to run MACsec is worth alerting on -- confirm the
          // semantics against the standard first.
          container macsec {
            when
              "../../port-capabilities/macsec = 'true'" {
              description
                "Applies when the MACsec port capability feature is
              supported.";
            }
            description
              "Contains operational state nodes associated with
            macsec.";
            leaf protect {
              type boolean;
              description
                "As used by the CP state machine, see 12.4.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf validate {
              type boolean;
              description
                "As used by the CP state machine, see 12.4.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf replay-protect {
              type boolean;
              description
                "As used by the CP state machine, see 12.4.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container macsec

          // Indicates whether a suspension is in progress and, when
          // available, its remaining duration.
          // NOTE(review): the unit of the uint8 value is not stated here
          // -- confirm against Clause 9.18.
          leaf suspended-while {
            type uint8;
            description
              "Read by management to determine if a suspension is in
            progress and (when available) to discover the remaining
            duration of that suspension";
            reference
              "IEEE 802.1X-2010 Clause 9.18";

          }

          // True when at least one actor is active and transmitting MKPDUs.
          leaf active {
            type boolean;
            description
              "Set if there is at least one active actor, transmitting
            MKPDUs.";
            reference
              "IEEE 802.1X-2010 Clause 9.16";

          }

          // NOTE(review): despite the name, this flag means the principal
          // actor decided Controlled Port traffic should proceed WITHOUT
          // MACsec. Monitoring that must confirm link protection has to
          // check `secured`, not this leaf.
          leaf authenticated {
            type boolean;
            description
              "Set if the principal actor, i.e. the participant that
            has the highest priority Key Server and one or more live
            peers, has determined that Controlled Port communication
            should proceed without MACsec.";
            reference
              "IEEE 802.1X-2010 Clause 9.16";

          }

          // True when the principal actor decided that communication
          // should use MACsec.
          leaf secured {
            type boolean;
            description
              "Set if the principal actor has determined that
            communication should use MACsec.";
            reference
              "IEEE 802.1X-2010 Clause 9.16";

          }

          // MKA failure indicator: cleared when `authenticated` or
          // `secured` is set; set when both are clear and MKA Life Time has
          // elapsed since an MKA participant was last created.
          leaf failed {
            type boolean;
            description
              "Cleared when authenticated or secured are set, set if
            the latter are clear and MKA Life Time has elapsed since
            an MKA participant was last created.";
            reference
              "IEEE 802.1X-2010 Clause 9.16";

          }

          // Key Numbers of the SAKs in use for transmission and reception.
          // Per the descriptions both are null when MACsec is not used and
          // usually equal; a lasting tx/rx difference means more than one
          // SAK is in use. "txKN" presumably refers to the tx leaf.
          // NOTE(review): "operation state" presumably reads "operational
          // state".
          container key-number {
            description
              "Contains operation state nodes for Key Numbers.";
            leaf tx {
              type mak-kn;
              description
                "The Key Number assigned by the Key Server to the SAK
              currently being used for transmission. Null if MACsec
              is not being used.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf rx {
              type mak-kn;
              description
                "The Key Number assigned by the Key Server to the
              oldest SAK currently being used for reception. The same
              as txKN if a single SAK is currently in use (as will
              most often be the case). Null if MACsec is not being
              used.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container key-number

          // Association Numbers paired with the key numbers above; zero
          // when MACsec is not in use. "txKN"/"rxKN"/"txAN" presumably
          // refer to the tx and rx leaves of key-number and of this
          // container.
          container association-number {
            description
              "Contains operation state nodes for Association
            Numbers.";
            leaf tx {
              type mak-an;
              description
                "The Association Number assigned by the Key Server for
              use with txKN. Zero if MACsec is not in use.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf rx {
              type mak-an;
              description
                "The Association Number assigned by the Key Server for
              use with rxKN. The same as txAN if a single SAK is
              currently in use. Zero if MACsec is not in use.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // container association-number

          // Per-participant operational state, keyed by `participants`.
          // NOTE(review): each entry exposes the CKN, KMD, NID, the
          // authorization data tied to the CAK and the peers' SCIs. The
          // module's import list does not include ietf-netconf-acm, so
          // these nodes carry no NACM default-deny marking; read access
          // has to be limited by the server's own access-control rules.
          list participant {
            key "participants";
            description
              "Contains list of operational state nodes for each MKA
            participant supported by the KaY MKA entity.";
            leaf participants {
              type uint32;
              description
                "Index into Participants list.";
            }

            // SCIs of this participant's live and potential peers
            // ("participants" in the descriptions presumably reads
            // "participant's").
            container peers {
              description
                "Contains operational state nodes associated with the
              Peers.";
              leaf-list live {
                type sci-list-entry;
                description
                  "A list of the SCIs of the participants live
                  peers.";
                reference
                  "IEEE 802.1X-2010 Clause 9.16";

              }

              leaf-list potential {
                type sci-list-entry;
                description
                  "A list of the SCIs of the participants potential
                peers.";
                reference
                  "IEEE 802.1X-2010 Clause 9.16";

              }
            }  // container peers

            // Name (CKN) of the participant's secure Connectivity
            // Association Key; this is the key's name, as the description
            // says, not the key value.
            leaf ckn {
              type pae-ckn;
              description
                "The secure Connectivity Association Key Name for the
              participant.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf kmd {
              type pae-kmd;
              description
                "The Key Management Domain for the participant.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            leaf nid {
              type pae-nid;
              description
                "The NID for the participant.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            // Authorization data associated with the CAK; format and
            // content are fixed by pae-auth-data, defined outside this
            // view.
            leaf auth-data {
              type pae-auth-data;
              description
                "Authorization data associated with the secure
              Connectivity Association Key.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            // True when this participant is currently the principal actor.
            leaf principal {
              type boolean;
              description
                "Set if the participant is currently the principal
              actor.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }

            // CKN of the last CAK distributed through this participant,
            // by the actor or a partner; null if none was distributed.
            leaf dist-ckn {
              type pae-ckn;
              description
                "The CKN for the last CAK distributed (either by the
              actor or one of its partners). Null if this participant
              has not been used to distribute a CAK.";
              reference
                "IEEE 802.1X-2010 Clause 9.16";

            }
          }  // list participant
        }  // container kay

        // Operational NID state for the Logon Process: the NID of the
        // current connectivity, the NID marked as requested, plus whatever
        // the nid-group-state grouping contributes (defined outside this
        // view).
        // NOTE(review): "operation state" presumably reads "operational
        // state".
        container logon-nid {
          description
            "Contains the operation state related NID information for
          the Logon Process. The Logon Process may use Network
          Identifiers (NIDs) to manage its use of authentication
          credentials, cached CAKs, and announcements.";
          // NID of the current connectivity. The description states that
          // this connectivity is "possibly unauthenticated", so a value
          // here does not by itself show that authentication succeeded.
          leaf connected {
            type pae-nid;
            description
              "The NID associated with the current connectivity
            (possibly unauthenticated) provided by the operation of
            the CP state machine.";
            reference
              "IEEE 802.1X-2010 Clause 12.5";

          }

          // NID marked "Access requested" in announcements. It is derived
          // from received EAPOL-Start frames, i.e. from what the peer
          // sent. "selectedNID" presumably refers to the `selected`
          // configuration leaf; no `default` statement expresses that
          // fallback in the schema.
          leaf requested {
            type pae-nid;
            description
              "The NID marked as Access requested in announcements, as
            determined from EAPOL-Start frames. Defaults to the
            selectedNID.";
            reference
              "IEEE 802.1X-2010 Clause 12.5";

          }

          uses nid-group-state;
        }  // container logon-nid

        // Announcer operational state; applies only when the announcements
        // capability is reported. One list entry per announce, keyed by
        // `announces`.
        container announcer {
          when
            "../port-capabilities/announcements = 'true'" {
            description
              "Applies when the Announcements port capability feature
            is supported.";
          }
          description
            "Contains the operational state related Announcer
          information.";
          list announce {
            key "announces";
            description
              "Contains the operational state related status
            information that the Announcers announce in the network
            announcement of the PAE system.";
            leaf announces {
              type uint32;
              description
                "Key into Announce list.";
            }

            // NOTE(review): the description speaks of a "received"
            // network announcement, the same wording the listener subtree
            // uses, although this list describes what the Announcer
            // sends. Possibly a copy-paste leftover -- confirm.
            leaf nid {
              type pae-nid;
              description
                "The NID information to identify a received network
              announcement for the PAE.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // Access status announced for this NID. Per the description
            // it may be set by the system or configured by AAA protocols.
            leaf access-status {
              type pae-access-status;
              description
                "Access Status reflects connectivity as a result of
              authentication attempts, and might be set directly by
              the system or configured by AAA protocols.";
              reference
                "IEEE 802.1X-2010 Clause 10.4, Clause 12.5";

            }

            uses nid-group-state;
          }  // list announce
        }  // container announcer

        // Listener operational state; applies only when the listener
        // capability is reported. One list entry per received announcement,
        // keyed by `announcements`.
        // NOTE(review): every value in this subtree is described as coming
        // from a received network announcement. Nothing visible here says
        // the announcement was authenticated, so consumers should treat
        // these fields as peer-supplied data rather than verified facts
        // -- confirm against Clause 10.4.
        container listener {
          when
            "../port-capabilities/listener = 'true'" {
            description
              "Applies when the Listener port capability feature is
            supported.";
          }
          description
            "Contains the operational state Listener node related
          information.";
          list announcement {
            key "announcements";
            description
              "A list containing the operational status information
            that the Listeners receive in the network announcement of
            the PAE system.";
            leaf announcements {
              type uint32;
              description
                "The key into the list of Announce nodes.";
            }

            leaf nid {
              type pae-nid;
              description
                "The NID information to identify a received network
              announcement for the PAE.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            leaf kmd {
              type pae-kmd;
              description
                "The KMD information for this received network
              announcement of the PAE.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // True when the announcement was addressed specifically to
            // this PAE rather than generically to all systems on the LAN.
            leaf specific {
              type boolean;
              description
                "This object indicates the received announcement
              information was specific to the receiving PAE, not
              generic for all systems attached to the LAN.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            leaf access-status {
              type pae-access-status;
              description
                "The object information reflects connectivity as a
              result of authentication attempts for this received
              network announcement of the PAE.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // Whether authenticated access has been requested for this
            // NID. Despite the name this is a boolean, not a NID value.
            leaf requested-nid {
              type boolean;
              description
                "The authenticated access has been requested for this
              particular NID or not.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // Access available to the port's clients without
            // authentication, as advertised in the announcement ("ports
            // clients" presumably reads "port's clients").
            leaf unauthenticated-access {
              type pae-access-status;
              description
                "The access capability of the ports clients without
              authentication in this received network announcement of
              the PAE";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            leaf access-capabilities {
              type pae-nid-capabilities;
              description
                "The authentication and protection capabilities
              supported for the NID.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

            }

            // Cipher suites advertised in the announcement, keyed by
            // `index`.
            // NOTE(review): cipherSuite is an unconstrained string (no
            // length or pattern restriction) carrying an advertised value,
            // and both non-key leaves use camelCase while the rest of this
            // subtree uses hyphenated names. Renaming them would change
            // the data model, so they are only flagged here.
            list cipher-suites {
              key "index";
              description
                "A table contains the Cipher Suites information that
              the Listeners receive in the network announcement of
              the PAE system.";
              reference
                "IEEE 802.1X-2010 Clause 10.4";

              leaf index {
                type uint16;
                description
                  "Key into cipher suite entry.";
              }

              leaf cipherSuite {
                type string;
                description
                  "cipher Suite identifier.";
              }

              leaf cipherSuiteCapability {
                type uint32;
                description
                  "Cipher Suite capability.";
              }
            }  // list cipher-suites
          }  // list announcement
        }  // container listener

        container eapol-statistics {
          description
            "Contains operational EAPOL statics.";
          // Count of invalid EAPOL frames of any type received by this
          // PAE; real ports only.
          // Monitoring hint: counter32 wraps, so alert on the rate of
          // increase rather than on the absolute value.
          leaf invalid-eapol-frame-rx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of invalid EAPOL frames of any type that
            have been received by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          // Count of received EAPOL frames whose Packet Body Length does
          // not match the packet body actually contained in the MPDU; real
          // ports only.
          // Monitoring hint: a sustained increase points to malformed
          // frames reaching the port (a faulty or misbehaving peer).
          leaf eap-length-error-frames {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL frames that the Packet Body Length
            does not match a Packet Body that is contained within the
            octets of the received EAPOL MPDU in this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          // Count of EAPOL-Announcement frames received by this PAE; real
          // ports only.
          leaf eapol-announcements-rx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-Announcement frames that have been
            received by this PAE";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          // Count of EAPOL-Announcement-Req frames received by this PAE;
          // real ports only.
          leaf eapol-announce-reqs-rx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-Announcement-Req frames that have
            been received by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-port-unavailable {
            when
              "../../port-type = 'real-port' and
                ../../port-capabilities/virtual-ports = 'true'" {
              description
                "Applies when port is Real Port and when the virtual
              ports capability is supported.";
            }
            type yang:counter32;
            description
              "The number of EAPOL frames that are discarded because
            their processing would require the creation of a virtual
            port, for which there are inadequate or constrained
            resources, or an existing virtual port and no such port
            currently exists. If virtual port is not supported, this
            object should be always 0.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-start-frames-rx {
            type yang:counter32;
            description
              "The number of EAPOL-Start frames that have been received
            by this PAE";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-eap-frames-rx {
            type yang:counter32;
            description
              "The number of EAPOL-EAP frames that have been received
            by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-logoff-frames-rx {
            type yang:counter32;
            description
              "The number of EAPOL-Logoff frames that have been
            received by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-mk-no-cfn {
            type yang:counter32;
            description
              "The number of MKPDUs received with MKA not enabled or
            CKN not recognized in this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf eapol-mk-invalid-frames-rx {
            type yang:counter32;
            description
              "The number of MKPDUs failing in message authentication
            on receipt process in this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.1";

          }

          leaf last-eapol-frame-source {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type ieee:mac-address;
            description
              "The source MAC address of last received EAPOL frame by
            this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.2";

          }

          leaf last-eapol-frame-version {
            type yang:counter32;
            description
              "The version of last received EAPOL frame by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.2";

          }

          leaf eapol-supp-eap-frames-tx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-EAP frames that have been
            transmitted by the supplicant of this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-logoff-frames-tx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-Logoff frames that have been
            transmitted by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-announcements-tx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-Announcement frames that have been
            transmitted by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-announce-reqs-tx {
            when
              "../../port-type = 'real-port'" {
              description
                "Applies when port is Real Port.";
            }
            type yang:counter32;
            description
              "The number of EAPOL-Announcement-Req frames that have
            been transmitted by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-start-frames-tx {
            type yang:counter32;
            description
              "The number of EAPOL-Start frames that have been
            received by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-auth-eap-frames-tx {
            type yang:counter32;
            description
              "The number of EAPOL-EAP frames that have been
            transmitted by the authenticator of this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }

          leaf eapol-mka-frames-tx {
            type yang:counter32;
            description
              "The number of EAPOL-MKA frames with no CKN information
            that have been transmitted by this PAE.";
            reference
              "IEEE 802.1X-2010 Clause 12.8.3";

          }
        }  // container eapol-statistics

        // Per-port Logon Process status: the connectivity decision
        // ('connect'), whether the Controlled Port is secured ('port-valid'),
        // and per-session accounting ('session-statistics').
        container logon-process {
          description
            "Contains operational system level information for each
          port to support the Logon Process(es) status information.";
          // Per the enum descriptions below, both 'unauthenticated' and
          // 'authenticated' provide UNSECURED connectivity; only 'secure'
          // involves SAKs from the KaY. A check that a port is protected
          // should therefore test for 'secure' (and port-valid), not merely
          // for 'authenticated'.
          // NOTE(review): the 'authenticated' description is identical to the
          // 'unauthenticated' one, and 'authorization-data' reads like a
          // separate parameter rather than a connect value - confirm both
          // against Clause 12.3.
          leaf connect {
            type enumeration {
              enum "pending" {
                value 0;
                description
                  "Prevent connectivity by clearing the
                controlledPortEnabled parameter.";
              }
              enum "unauthenticated" {
                value 1;
                description
                  "Provide unsecured connectivity, setting
                controlledPortEnabled.";
              }
              enum "authenticated" {
                value 2;
                description
                  "Provide unsecured connectivity, setting
                controlledPortEnabled.";
              }
              enum "secure" {
                value 3;
                description
                  "Provide secure connectivity, using SAKs provided by
                the KaY (when available) and setting
                controlledPortEnabled when those keys are installed
                and in use, as specified in detail by the CP state
                machine.";
              }
              enum "authorization-data" {
                value 4;
                description
                  "Authorization data to be made available to the
                client of the Controlled Port if connect is
                Authenticated.";
              }
            }
            description
              "The Logon Process sets this variable to one of the
            above values.";
            reference
              "IEEE 802.1X-2010 Clause 12.3";

          }

          // Set only when Controlled Port communication is secured as
          // required by macsecProtect (per the description); use it together
          // with connect when auditing whether a port is MACsec-protected.
          leaf port-valid {
            type boolean;
            description
              "Set if Controlled Port communication is secured as
            specified by the MACsec control macsecProtect.";
            reference
              "IEEE 802.1X-2010 Clause 12.3";

          }

          // One entry per session, keyed by session-id.
          list session-statistics {
            key "session-id";
            description
              "Contains operational state nodes associated with the
            session statistics.";
            leaf session-id {
              type pae-session-id;
              description
                "Key into list of session statistics.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            // Identity data: session user names are visible to any client
            // allowed to read this subtree, so read access should be
            // limited by the server's access-control rules (e.g. NACM).
            leaf user-name {
              type pae-session-user-name;
              description
                "User name of the session.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            leaf octets-rx {
              type yang:counter64;
              description
                "The number of octets received in this session of this
              PAE.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            leaf octets-tx {
              type yang:counter64;
              description
                "The number of octets transmitted in this session of
              this PAE.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            leaf frames-rx {
              type yang:counter64;
              description
                "The number of packets received in this session of
              this PAE.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            leaf frames-tx {
              type yang:counter64;
              description
                "The number of packets transmitted in this session of
              this PAE.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            // NOTE(review): yang:timeticks is defined in ietf-yang-types as
            // hundredths of a second, while the description says seconds.
            // Confirm which unit an implementation reports before deriving
            // session durations from this leaf.
            leaf time {
              type yang:timeticks;
              description
                "Session Time. The duration of the session in
              seconds.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }

            // NOTE(review): clients match these enum names literally, and
            // several look misspelled ('operatonal', 'mak-' where the
            // description says MKA) or mix '_' with '-'. The names are part
            // of the schema contract; correcting them needs a new module
            // revision, so log parsers must use the spellings shown here.
            leaf terminate-cause {
              type enumeration {
                enum
                  "common_port_MAC_operatonal_false" {
                  value 0;
                  description
                    "Common Port for this PAE is not operational.";
                }
                enum
                  "system_access_control_disabled" {
                  value 1;
                  description
                    "The system-access-control node of the pae-system
                  is disabled or initialization process of this PAE
                  is invoked.";
                }
                enum "eapol_logoff_rx" {
                  value 2;
                  description
                    "The PAE has received EAPOL-Logoff frame.";
                }
                enum
                  "eap_reauthentication_failure" {
                  value 3;
                  description
                    "EAP reauthentication has failed.";
                }
                enum
                  "mak-failure_termination" {
                  value 4;
                  description
                    "MKA failure or other MKA termination.";
                }
                enum "new_session-beginning" {
                  value 5;
                  description
                    "New session beginning.";
                }
                enum "not_terminated_yet" {
                  value 6;
                  description
                    "Not Terminated Yet.";
                }
              }
              description
                "The reason for the session termination.";
              reference
                "IEEE 802.1X-2010 Clause 12.5.1";

            }
          }  // list session-statistics
        }  // container logon-process
      }  // container pae
    }

    // Top-level container for the PAE NID group. Its content comes entirely
    // from the two groupings it instantiates, which are defined elsewhere in
    // this module. The container may share the name 'nid-group' with a
    // grouping because YANG keeps groupings and data nodes in separate
    // identifier namespaces.
    container nid-group {
      description
        "Contains both configuration and operational state nodes
      associated with the PAE NID group.";
      uses nid-group;

      uses nid-group-state;
    }  // container nid-group
  }  // module ieee802-dot1x