Model for managing flex configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved.
Version: 2021-07-01
module Cisco-IOS-XE-wireless-flex-cfg { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-flex-cfg"; prefix wireless-flex-cfg; import Cisco-IOS-XE-wireless-apf-cfg { prefix wireless-apf-cfg; } import Cisco-IOS-XE-wireless-enum-types { prefix wireless-enum-types; } import ietf-inet-types { prefix inet; } import cisco-semver { prefix cisco-semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com"; description "Model for managing flex configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved."; revision "2021-07-01" { description "- Added flex local auth password constraints"; reference "9.0.0"; } revision "2021-03-01" { description "- Add ASCII 32-126 and leading/trailing spaces restriction for flex profile name"; reference "8.0.0"; } revision "2020-11-01" { description "- Added DHCP broadcast configuration under flex profile"; reference "7.2.0"; } revision "2020-07-01" { description "- Added mDNS flex profile name configuration - Added ingress and egress ACL for vlan-acl mapping under flex profile - Added IP overlap configuration - Deprecated acl-name under client VLAN (use acl-name-in/acl-name-out) - Added ACL constraints (vlan-acl mappings under flex profile)"; reference "7.1.0"; } revision "2020-03-01" { description "- Added a constraint on leaf vlan-id - Added validation to disallow IPv4/IPv6 default ACLs"; reference "7.0.0"; } revision "2019-11-01" { description "- Added Radius server group name for accounting - Added umbrella-profile under flex profile - Marked VLAN-ACLs obsolete"; reference "6.0.0"; } revision "2019-05-01" { description "Added semantic version"; reference "5.1.0"; } revision "2019-02-12" { description "Removed Unsupported multicast overridden-interface from flex profile"; reference "5.0.0"; } revision "2019-02-11" { description "- Removed unused RLAN related leaves - Changed range constraint and default value of native-vlan-id - Restrict password type options available for local user under FLEX profile - Semantical and default value cleanup and moved RLAN configuration related entries to new config model - Change type of boolean leafs of security parameters to empty - Leaf rename: is-punt to is-cwa."; reference "4.0.0"; } revision "2018-06-05" { description "- Add constraints - Password encryption type configuration"; reference "3.0.0"; } revision "2018-03-08" { description "Add remote LAN configuration"; reference "2.1.0"; } revision "2018-01-24" { description "The first generally available version"; reference "2.0.0"; } revision "2017-05-05" { description "Initial revision"; reference "1.0.0"; } cisco-semver:module-version "9.0.0"; cisco-semver:module-version "8.0.0"; cisco-semver:module-version "7.2.0"; cisco-semver:module-version "7.1.0"; cisco-semver:module-version "7.0.0"; cisco-semver:module-version "6.0.0"; cisco-semver:module-version "5.1.0"; cisco-semver:module-version "5.0.0"; cisco-semver:module-version "4.0.0"; cisco-semver:module-version "3.0.0"; cisco-semver:module-version "2.1.0"; cisco-semver:module-version "2.0.0"; cisco-semver:module-version "1.0.0"; grouping st-ip-overlap { description "Configuration of IP overlap support for site"; leaf flex-overlap-ip-enable { type boolean; default "false"; description "Enable IP overlap support for site"; } } // grouping st-ip-overlap grouping vlan-acl-list { description "Configuration of vlan-acl mappings for REAPs"; leaf vlan-id { type uint32; description "VLAN ID to be mapped to the ACL for the REAP group"; } leaf ingress-acl-name { type string; default ""; description "Name of the ingress Access Control List for the vlan-acl mapping"; } leaf egress-acl-name { type string; default ""; description "Name of the egress Access Control List for the vlan-acl mapping"; } } // grouping vlan-acl-list grouping local-auth-user-list { description "Local authenticated user list"; leaf user-name { type string; description "User name for this group, used for authenticating a client associated to an AP within the group"; } leaf password { type string; must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not((contains(current(), 'cisco')) or (contains(current(), 'c!sco')) or (contains(current(), 'ci$co')) or (contains(current(), 'c1$co')) or (contains(current(), 'c1sco')) or (contains(current(), 'c!$co')) or (contains(current(), 'Cisco')) or (contains(current(), 'C!sco')) or (contains(current(), 'Ci$co')) or (contains(current(), 'C1$co')) or (contains(current(), 'C1sco')) or (contains(current(), 'C!$co')) or (contains(current(), 'CISCO')) or (contains(current(), 'C1SCO')) or (contains(current(), 'C!SCO')) or (contains(current(), 'C!$CO')) or (contains(current(), 'CISC0')) or (contains(current(), 'cisc0')) or (contains(current(), 'Cisc0')) or (contains(current(), 'c!$c0')) or (contains(current(), 'C!$c0')) or (contains(current(), 'C1$c0')) or (contains(current(), 'c1$c0')) or (contains(current(), 'C1sc0')) or (contains(current(), 'c1sc0')) or (contains(current(), 'ciscO')) or (contains(current(), 'CiscO')) or (contains(current(), 'c1scO')) or (contains(current(), 'c!scO')) or (contains(current(), 'c1$cO')) or (contains(current(), 'C1scO')) or (contains(current(), 'c!$cO')) or (contains(current(), 'ci$cO')) or (contains(current(), 'C!scO')))))" { error-message "Flex local auth password should not contain default password e.g., cisco, Cisco, c!sco, ci$co, c!sco"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not( (contains(current(), 'ocsic')) or (contains(current(), 'ocs!c')) or (contains(current(), 'oc$ic')) or (contains(current(), 'oc$1c')) or (contains(current(), 'ocs1c')) or (contains(current(), 'oc$!c')) or (contains(current(), 'ocsiC')) or (contains(current(), 'ocs!C')) or (contains(current(), 'oc$iC')) or (contains(current(), 'oc$1C')) or (contains(current(), 'ocs1C')) or (contains(current(), 'oc$!C')) or (contains(current(), 'OCSIC')) or (contains(current(), 'OCS1C')) or (contains(current(), 'OCS!C')) or (contains(current(), 'OC$!C')) or (contains(current(), '0CSIC')) or (contains(current(), '0csic')) or (contains(current(), '0csiC')) or (contains(current(), '0c$!c')) or (contains(current(), '0c$!C')) or (contains(current(), '0c$1C')) or (contains(current(), '0c$1c')) or (contains(current(), '0cs1C')) or (contains(current(), '0cs1c')) or (contains(current(), 'Ocs1c')) or (contains(current(), 'Oc$1C')) or (contains(current(), 'Ocsic')) or (contains(current(), 'Ocs!c')) or (contains(current(), 'Oc$iC')) or (contains(current(), 'OcsiC')) or (contains(current(), 'Oc$!C')))))" { error-message "Flex local auth password should not contain reverse default password e.g., ocsic, oc$ic"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (contains(current(), 'a')) or (contains(current(), 'b')) or (contains(current(), 'c')) or (contains(current(), 'd')) or (contains(current(), 'e')) or (contains(current(), 'f')) or (contains(current(), 'g')) or (contains(current(), 'h')) or (contains(current(), 'i')) or (contains(current(), 'j')) or (contains(current(), 'k')) or (contains(current(), 'l')) or (contains(current(), 'm')) or (contains(current(), 'n')) or (contains(current(), 'o')) or (contains(current(), 'p')) or (contains(current(), 'q')) or (contains(current(), 'r')) or (contains(current(), 's')) or (contains(current(), 't')) or (contains(current(), 'u')) or (contains(current(), 'v')) or (contains(current(), 'w')) or (contains(current(), 'x')) or (contains(current(), 'y')) or (contains(current(), 'z')))" { error-message "Flex local auth password must contain at least one lower case letter"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (contains(current(), 'A')) or (contains(current(), 'B')) or (contains(current(), 'C')) or (contains(current(), 'D')) or (contains(current(), 'E')) or (contains(current(), 'F')) or (contains(current(), 'G')) or (contains(current(), 'H')) or (contains(current(), 'I')) or (contains(current(), 'J')) or (contains(current(), 'K')) or (contains(current(), 'L')) or (contains(current(), 'M')) or (contains(current(), 'N')) or (contains(current(), 'O')) or (contains(current(), 'P')) or (contains(current(), 'Q')) or (contains(current(), 'R')) or (contains(current(), 'S')) or (contains(current(), 'T')) or (contains(current(), 'U')) or (contains(current(), 'V')) or (contains(current(), 'W')) or (contains(current(), 'X')) or (contains(current(), 'Y')) or (contains(current(), 'Z')))" { error-message "Flex local auth password must contain at least one upper case letter"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (contains(current(), '0')) or (contains(current(), '1')) or (contains(current(), '2')) or (contains(current(), '3')) or (contains(current(), '4')) or (contains(current(), '5')) or (contains(current(), '6')) or (contains(current(), '7')) or (contains(current(), '8')) or (contains(current(), '9')))" { error-message "Flex local auth password must contain at least one digit"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not( (contains(current(), 'aaa')) or (contains(current(), 'AAA')) or (contains(current(), 'bbb')) or (contains(current(), 'BBB')) or (contains(current(), 'ccc')) or (contains(current(), 'CCC')) or (contains(current(), 'ddd')) or (contains(current(), 'DDD')) or (contains(current(), 'eee')) or (contains(current(), 'EEE')) or (contains(current(), 'fff')) or (contains(current(), 'FFF')) or (contains(current(), 'ggg')) or (contains(current(), 'GGG')) or (contains(current(), 'hhh')) or (contains(current(), 'HHH')) or (contains(current(), 'iii')) or (contains(current(), 'III')) or (contains(current(), 'jjj')) or (contains(current(), 'JJJ')) or (contains(current(), 'kkk')) or (contains(current(), 'KKK')) or (contains(current(), 'lll')) or (contains(current(), 'LLL')) or (contains(current(), 'mmm')) or (contains(current(), 'MMM')) or (contains(current(), 'nnn')) or (contains(current(), 'NNN')) or (contains(current(), 'ooo')) or (contains(current(), 'OOO')) or (contains(current(), 'ppp')) or (contains(current(), 'PPP')) or (contains(current(), 'qqq')) or (contains(current(), 'QQQ')) or (contains(current(), 'rrr')) or (contains(current(), 'RRR')) or (contains(current(), 'sss')) or (contains(current(), 'SSS')) or (contains(current(), 'ttt')) or (contains(current(), 'TTT')) or (contains(current(), 'uuu')) or (contains(current(), 'UUU')) or (contains(current(), 'vvv')) or (contains(current(), 'VVV')) or (contains(current(), 'www')) or (contains(current(), 'WWW')) or (contains(current(), 'xxx')) or (contains(current(), 'XXX')) or (contains(current(), 'yyy')) or (contains(current(), 'YYY')) or (contains(current(), 'zzz')) or (contains(current(), 'ZZZ')))))" { error-message "Flex local auth password should not contain more than two repetitions of characters"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not((contains(current(), 'abc')) or (contains(current(), 'ABC')) or (contains(current(), 'bcd')) or (contains(current(), 'BCD')) or (contains(current(), 'cde')) or (contains(current(), 'CDE')) or (contains(current(), 'def')) or (contains(current(), 'DEF')) or (contains(current(), 'efg')) or (contains(current(), 'EFG')) or (contains(current(), 'fgh')) or (contains(current(), 'FGH')) or (contains(current(), 'ghi')) or (contains(current(), 'GHI')) or (contains(current(), 'hij')) or (contains(current(), 'HIJ')) or (contains(current(), 'ijk')) or (contains(current(), 'IJK')) or (contains(current(), 'jkl')) or (contains(current(), 'JKL')) or (contains(current(), 'klm')) or (contains(current(), 'KLM')) or (contains(current(), 'lmn')) or (contains(current(), 'LMN')) or (contains(current(), 'mno')) or (contains(current(), 'MNO')) or (contains(current(), 'nop')) or (contains(current(), 'NOP')) or (contains(current(), 'opq')) or (contains(current(), 'OPQ')) or (contains(current(), 'pqr')) or (contains(current(), 'PQR')) or (contains(current(), 'qrs')) or (contains(current(), 'QRS')) or (contains(current(), 'rst')) or (contains(current(), 'RST')) or (contains(current(), 'stu')) or (contains(current(), 'STU')) or (contains(current(), 'tuv')) or (contains(current(), 'TUV')) or (contains(current(), 'uvw')) or (contains(current(), 'UVW')) or (contains(current(), 'vwx')) or (contains(current(), 'VWX')) or (contains(current(), 'wxy')) or (contains(current(), 'WXY')) or (contains(current(), 'xyz')) or (contains(current(), 'XYZ')))))" { error-message "Flex local auth password should not contain sequential characters"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not((contains(current(), '000')) or (contains(current(), '111')) or (contains(current(), '222')) or (contains(current(), '333')) or (contains(current(), '444')) or (contains(current(), '555')) or (contains(current(), '666')) or (contains(current(), '777')) or (contains(current(), '888')) or (contains(current(), '999')))))" { error-message "Flex local auth password should not contain more than two repetitions of digits"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (not((contains(current(), '012')) or (contains(current(), '123')) or (contains(current(), '234')) or (contains(current(), '345')) or (contains(current(), '456')) or (contains(current(), '567')) or (contains(current(), '678')) or (contains(current(), '789')))))" { error-message "Flex local auth password should not contain sequential digits"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (/wireless-apf-cfg:apf-cfg-data/wireless-apf-cfg:apf/wireless-apf-cfg:pwd-pol-def = 'false') or (string-length(current()) >= 8))" { error-message "Flex local auth password length should not be less than 8, when the flex local auth password type is clear text and wireless default password policy is enabled"; error-app-tag "must-violation"; } must "((../password-type != 'clear') or (string-length(current()) <= 120))" { error-message "Flex local auth password length should not exceed 120 chars, when the flex local auth password type is clear text"; error-app-tag "must-violation"; } default ""; description "Password for the given username, to be used for authenticating a client associated to an AP within the group. Following criteria should be met if wireless password policy is configured. - Default passwords (cisco, Cisco, C!sco, ci$co, ..) are not allowed. - Reverse default passwords are not allowed. - At least one lower case letter is mandatory. - At least one upper case letter is mandatory. - At least one digit is mandatory. - Special characters are allowed, but not mandatory. - More than two sequential chars or digits (e.g., abc, 123) are not allowed. - More than two repeated chars or digits (e.g., 111, aaa) are not allowed. - Minimum password length is 8. Restriction: Flex local auth password of cleartext type must contain ASCII characters only. This rule is not implemented using constraints."; } leaf password-type { type wireless-enum-types:crypt-type; must "((current() = 'clear') or (current() = 'aes'))" { error-message "Password type should be either clear text or AES encryption"; error-app-tag "must-violation"; } default "clear"; description "Password encryption type for authentication by AP"; } } // grouping local-auth-user-list grouping policy-acl-list { description "Configuration of webpolicy Access Control List(ACL) mappings for REAP groups"; leaf acl-name { type string; must "../acl-name != 'preauth_v4'" { error-message "Default ACL preauth_v4 is not allowed"; error-app-tag "must-violation"; } must "../acl-name != 'preauth_v6'" { error-message "Default ACL preauth_v6 is not allowed"; error-app-tag "must-violation"; } description "Name of the webpolicy Access Control List(ACL) to be mapped to the REAP group"; } leaf is-cwa { type boolean; default "false"; description "Enable or Disable central webauth for this ACL."; } leaf urlfilterlist-name { type string; description "Mapping of IPv4/IPv6 ACL name to url filter list this ACL."; } } // grouping policy-acl-list grouping if-name-vlan-id-list { description "VLAN Name- ACL mappings to be configured for the REAP"; leaf interface-name { type string; description "VLAN name for the vlan-acl mapping."; } leaf vlan-id { when "(../interface-name != '')"; type uint32 { range "1 .. 4096"; } default "1"; description "VLAN ID to be mapped to the ACL for the Access Point identified by VLAN name."; } leaf acl-name { type string; default ""; status deprecated; description "Name of bidirectional Access Control List (ACL) for the VLAN-ACL mapping"; } leaf acl-name-in { type string { length "0..32"; } must 'string-length(current()) = 0 or string-length(../acl-name) = 0' { error-message "Only one ACL per direction can be configured"; error-app-tag "must-violation"; } must "current() != 'in' and current() != 'out'" { error-message "Illegal ACL name. Keywords in and out are not allowed"; error-app-tag "must-violation"; } description "Name of ingress Access Control List (ACL) for the VLAN-ACL mapping"; } leaf acl-name-out { type string { length "0..32"; } must 'string-length(current()) = 0 or string-length(../acl-name) = 0' { error-message "Only one ACL per direction can be configured"; error-app-tag "must-violation"; } must "current() != 'in' and current() != 'out'" { error-message "Illegal ACL name. Keywords in and out are not allowed"; error-app-tag "must-violation"; } description "Name of egress Access Control List(ACL) for the VLAN-ACL mapping"; } } // grouping if-name-vlan-id-list grouping st-security-params { description "Flex policy security parameters"; leaf is-peap { type empty; description "Enable or Disable Protected Extensible Authentication Protocol(PEAP)"; } leaf is-leap { type empty; description "Enable or Disable Lightweight Extensible Authentication Protocol(LEAP)"; } leaf is-eap { type empty; description "Enable or Disable Extensible Authentication Protocol(EAP)"; } leaf is-tls { type empty; description "Enable or Disable Transport Layer Security(TLS)"; } } // grouping st-security-params grouping st-umbrella-profile-list { description "Configuration of umbrella profile under flex mode"; leaf umbrella-name { type string; description "Umbrella profile name"; } } // grouping st-umbrella-profile-list grouping flex-policy-config { description "Encompasses the flex profile attributes"; leaf policy-name { type string { pattern '[!-~]([ -~]*[!-~])?'; } description "Name of the flex profile"; } leaf description { type string; description "Description for the flex profile"; } leaf eap-fast-profile-name { type string; description "EAP fast profile used for local auth"; } leaf radius-server-group-name { type string; description "Radius server group name for authentication"; } leaf fallback-radio-shut { type boolean; default "false"; description "Whether Fallback Radio Shut feature is enabled for the flexconnect Access Points connected to the Wireless LAN Controller"; } leaf arp-caching { type boolean; default "true"; description "Whether ARP cache feature is enabled for the flexconnect Access Points connected to the Wireless LAN Controller"; } leaf cts-inline-tagging { type boolean; default "false"; description "Whether CTS inline tagging feature is enabled for the flexconnect Access Points connected to the Wireless LAN Controller"; } leaf cts-rolebased-enforce { type boolean; default "false"; description "Whether CTS rolebased enforcement feature is enabled for flexconnect Access Points connected to the Wireless LAN Controller"; } leaf cts-profile-name { type string; default "default-sxp-profile"; description "CTS SXP profile name"; } leaf join-min-latency { type boolean; default "false"; description "REAP AP should join controller with smallest latency"; } leaf radius-enable { type boolean; default "true"; description "Enable or Disable RADIUS"; } leaf vlan-enable { type boolean; default "true"; description "Availability of Native VLAN configured on this REAP"; } leaf is-home-ap-enable { type boolean; default "false"; description "APs connected to this profile/group are used as Home APs"; } leaf is-radio-backhaul { type boolean; default "false"; description "Enable or Disable WLAN on backhaul radio"; } leaf is-resilient-mode { type boolean; default "false"; description "Enable or Disable Standalone mode support on a REAP AP."; } leaf efficient-ap-upgrade-enable { type boolean; default "true"; description "Efficient AP image upgrade is enabled"; } leaf http-proxy-ip { type inet:ip-address; default "0.0.0.0"; description "HTTP proxy Ip address"; } container security { description "Flex policy security parameters"; uses wireless-flex-cfg:st-security-params; } // container security leaf native-vlan-id { type uint32 { range "1 .. 4094"; } default "1"; description "Native VLAN ID for the particular AP"; } leaf slave-max-retry-count { type uint32; default "0"; description "Maximum retries the slave has to undertake to start the download from the master in the HREAP group"; } leaf http-proxy-port { type uint16 { range "0 .. 65535"; } default "0"; description "HTTP proxy port"; } container vlan-acls { status obsolete; description "VLAN ACLs"; list vlan-acl { key "vlan-id"; description "List of VLAN ACLs"; uses wireless-flex-cfg:vlan-acl-list; } // list vlan-acl } // container vlan-acls container policy-acls { description "Policy ACLs"; list policy-acl { key "acl-name"; description "List of Policy ACLs"; uses wireless-flex-cfg:policy-acl-list; } // list policy-acl } // container policy-acls container local-auth-users { description "Local auth users"; list local-auth-user { key "user-name"; description "List of Local auth users"; uses wireless-flex-cfg:local-auth-user-list; } // list local-auth-user } // container local-auth-users container if-name-vlan-ids { description "Interface name VLAN IDs"; list if-name-vlan-id { key "interface-name"; description "Interface name VLAN ID list"; uses wireless-flex-cfg:if-name-vlan-id-list; } // list if-name-vlan-id } // container if-name-vlan-ids leaf acct-radius-server-group-name { type string { length "1..32"; pattern "[\\]A-Za-z0-9!\"#%&()*+,\\-./:;<=>^?@\\\\$_`{|}\\[']+"; } description "Radius server group name for accounting"; } leaf is-local-roaming-enable { type boolean; default "false"; description "Enable or Disable distributed client data caching on AP for local roaming."; } container umbrella-profiles { description "Umbrella Profiles"; list umbrella-profile { key "umbrella-name"; description "List of umbrella profiles"; uses wireless-flex-cfg:st-umbrella-profile-list; } // list umbrella-profile } // container umbrella-profiles leaf mdns-profile-name { type string; description "mDNS flex profile name"; } container ip-overlap-cfg { description "IP overlap configuration"; uses wireless-flex-cfg:st-ip-overlap; } // container ip-overlap-cfg leaf dhcp-bcast { type boolean; default "false"; description "DHCP broadcast for locally switched clients"; } } // grouping flex-policy-config container flex-cfg-data { description "Yang model for configuring site"; container flex-policy-entries { description "Flex policy profile configuration"; list flex-policy-entry { key "policy-name"; description "Flex profile name mapped to the site tag"; uses wireless-flex-cfg:flex-policy-config; } // list flex-policy-entry } // container flex-policy-entries } // container flex-cfg-data } // module Cisco-IOS-XE-wireless-flex-cfg
© 2023 YumaWorks, Inc. All rights reserved.