Model for managing rogue configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved.
Version: 2020-11-01
// Cisco IOS-XE wireless rogue-management configuration model.
//
// Everything below is declarative YANG: the only "behaviour" is what the
// must/when/range/pattern statements let a client write. Practitioner
// reading notes added as comments; no statement has been altered.
//
// Security reading of this model (grounded in the leaves below):
//  * Several leaves turn on *active* containment (rogue-auto-contain-*,
//    rogue-mode = 'rogue-state-contained', containment-level). Containment
//    acts against radios the controller does not own. NOTE(review): confirm
//    the regulatory and legal position for your jurisdiction before enabling
//    any auto-contain leaf or pushing 'rogue-state-contained' entries.
//  * Trust decisions here are keyed purely on MAC address: friendly/trusted
//    AP entries (rogue-ap-cfgs), the ignore list (rogue-ignore-data-entries)
//    and AAA/MSE "valid MAC" validation. MAC addresses are spoofable, so each
//    friendly/ignored MAC is a detection blind spot for anyone who learns it.
//    Keep these lists short and reviewed.
//  * Rogue *rules* only classify; a rule with state 'rogue-state-contained'
//    automates containment on every match, and its class/state consistency
//    check (rule-cfg/class-type) is evaluated only while enable = 'true'.
module Cisco-IOS-XE-wireless-rogue-cfg {
  yang-version 1;
  namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-rogue-cfg";
  prefix wireless-rogue-cfg;

  import Cisco-IOS-XE-wireless-enum-types {
    prefix wireless-enum-types;
  }
  // Imported but not referenced by any statement in this module.
  import Cisco-IOS-XE-wireless-rogue-types {
    prefix wireless-rogue-types;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import cisco-semver {
    prefix cisco-semver;
  }

  organization "Cisco Systems, Inc.";
  contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com";
  description "Model for managing rogue configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved.";

  revision "2020-11-01" {
    description "- New rogue rule conditions for WPA3. - Added support for syslog notification configuration. - Removed restriction on number of conditions per rogue rule. - Deprecated Rogue RLDP config model.";
    reference "6.1.0";
  }
  // Note: the rule-name pattern below also admits '-', '_' and '.', so
  // "alphanumeric" in this revision text is slightly narrower than the model.
  revision "2020-07-01" {
    description "- Restricted rule name to alphanumeric characters.";
    reference "6.0.0";
  }
  revision "2019-05-01" {
    description "- Fixed some spelling errors in error messages. - Added support for Rogue WSA events. - Added semantic version";
    reference "5.1.0";
  }
  revision "2019-01-24" {
    description "- New constraint in Cisco-IOS-XE-wireless-rogue-cfg forcing major version bump. - Cleaned up spelling errors in descriptions. - rogue-global container marked as non-presence.";
    reference "5.0.0";
  }
  revision "2018-05-18" {
    description "Added validation";
    reference "4.0.0";
  }
  revision "2018-03-01" {
    description "Insert containers around lists";
    reference "3.0.0";
  }
  revision "2018-01-24" {
    description "The first generally available version";
    reference "2.0.0";
  }
  revision "2017-05-05" {
    description "Initial revision";
    reference "1.0.0";
  }

  cisco-semver:module-version "6.1.0";
  cisco-semver:module-version "6.0.0";
  cisco-semver:module-version "5.1.0";
  cisco-semver:module-version "5.0.0";
  cisco-semver:module-version "4.0.0";
  cisco-semver:module-version "3.0.0";
  cisco-semver:module-version "2.0.0";
  cisco-semver:module-version "1.0.0";

  container rogue-cfg-data {
    description "Configuration of rogue data";

    // Non-presence container: global rogue detection / containment knobs.
    // All auto-contain leaves default to false; validation against
    // AAA/MSE defaults to off.
    container rogue-global {
      description "Configuration of rogue global";

      // ---- RLDP (deprecated since 2020-11-01) --------------------------
      // Rogue Location Discovery Protocol: the must below forbids enabling
      // RLDP while RLDP scheduling is set (equivalent to
      // "rldp disabled OR schedule-set = false").
      leaf rogue-rldp {
        type wireless-enum-types:rldp-config-mode;
        must "(../rogue-rldp = 'rldp-cfg-mode-disable') or (../rogue-rldp-schedule-set = 'false' and ../rogue-rldp != 'rldp-cfg-mode-disable')" {
          error-message "RLDP scheduling and RLDP cannot be enabled at the same time";
          error-app-tag "must-violation";
        }
        default "rldp-cfg-mode-disable";
        status deprecated;
        description "Configure Rogue Location Discovery Protocol";
      }
      leaf rogue-rldp-auto-contain {
        type boolean;
        default "false";
        status deprecated;
        description "Set rldp, alarm and auto-contain if rogue is detected";
      }
      leaf rogue-rldp-schedule-set {
        type boolean;
        default "false";
        status deprecated;
        description "Configure rldp scheduling";
      }
      leaf rogue-rldp-retry-count {
        type uint8 {
          range "1 .. 5";
        }
        default "1";
        status deprecated;
        description "Number of rldp retry times per rogue AP";
      }

      // ---- Automatic containment -----------------------------------------
      // Each of these enables containment without operator review of the
      // individual rogue. NOTE(review): a third party broadcasting your SSID
      // is enough to trigger rogue-auto-contain-my-ssid; weigh that against
      // the legal exposure of containing equipment you do not own.
      leaf rogue-auto-contain-my-ssid {
        type boolean;
        default "false";
        description "Auto-contain upon detecting rogue advertising our SSID";
      }
      leaf rogue-auto-contain-ad-hoc {
        type boolean;
        default "false";
        description "Enable automatically containing adhoc rogue";
      }
      leaf rogue-auto-contain-valid-mobile-on-untrusted-ap {
        type boolean;
        default "false";
        description "Auto-contain upon detecting valid clients using rogue APs";
      }

      // ---- "Valid MAC" validation --------------------------------------
      // RADIUS/local-DB and MSE validation of client MACs are mutually
      // exclusive (enforced by the must below). Both decide "valid" from the
      // MAC address alone, which is spoofable.
      leaf rogue-validate-mobiles-against-radius {
        type boolean;
        must "(../rogue-validate-mobiles-against-radius = 'false') or (../rogue-validate-mobiles-against-radius != ../rogue-validate-mobiles-against-mse)" {
          error-message "Rogue validation against MSE and rogue validation against radius cannot be enabled at the same time";
          error-app-tag "must-violation";
        }
        default "false";
        description "Set use of AAA/local database to detect valid mac addresses";
      }
      leaf rogue-validate-mobiles-against-mse {
        type boolean;
        default "false";
        description "Set use of MSE to detect valid mac addresses";
      }
      leaf rogue-validate-aps-against-radius {
        type boolean;
        default "false";
        description "Set use of AAA/local database to detect valid AP mac addresses";
      }

      // Ad-hoc (IBSS) detection is the only detection knob that defaults on.
      leaf adhoc-rogue-reporting {
        type boolean;
        default "true";
        description "Enable detecting and reporting adhoc rogue (IBSS)";
      }
      leaf ap-auth-enabled {
        type boolean;
        default "false";
        description "Flag to indicate whether auth is enabled";
      }
      leaf rogue-auto-contain-level-monitor-ap {
        type boolean;
        default "false";
        description "Configure auto contain for monitor ap mode";
      }
      leaf security-level {
        type wireless-enum-types:rogue-security-level;
        default "rogue-security-level-custom";
        description "Configure security level";
      }
      leaf ap-auth-alarm-th {
        type uint8 {
          range "1 .. 255";
        }
        default "1";
        description "Configure AP auth alarm threshold";
      }

      // ---- Timers / thresholds -----------------------------------------
      leaf rogue-cleanup-timer {
        type uint32 {
          range "240 .. 3600";
        }
        default "1200";
        description "The number of seconds before rogue entries are flushed";
      }
      // Unlike its siblings this timer carries no range restriction.
      leaf rogue-init-timer {
        type uint32;
        default "180";
        description "rogue init timer";
      }
      leaf rogue-auto-contain-level {
        type uint32 {
          range "1 .. 4";
        }
        default "1";
        description "Configure auto contain level";
      }
      leaf rogue-polling-interval {
        type uint32 {
          range "60 .. 86400";
        }
        default "3600";
        description "Configures Rogue AP AAA validation interval in seconds";
      }
      leaf rogue-detection-client-num-threshold {
        type uint32 {
          range "0 .. 256";
        }
        default "0";
        description "Rogue client per a rogue AP SNMP trap threshold";
      }
      leaf notify-rogue-ap-threshold {
        type uint32 {
          range "0 .. 10";
        }
        default "0";
        description "Configure rogue AP RSSI deviation threshold for notification";
      }
      leaf notify-rogue-client-threshold {
        type uint32 {
          range "0 .. 10";
        }
        default "0";
        description "Configure rogue Client RSSI deviation threshold for notification";
      }
      leaf notify-rogue-ap-min-rssi {
        type int32 {
          range "-128 .. -70";
        }
        default "-128";
        description "Configure rogue AP minimum RSSI threshold for notification";
      }
      leaf notify-rogue-client-min-rssi {
        type int32 {
          range "-128 .. -70";
        }
        default "-128";
        description "Configure rogue Client minimum RSSI threshold for notification";
      }

      // ---- Event export ------------------------------------------------
      // Both off by default: rogue events reach no external system
      // (WSA / syslog) unless explicitly enabled. For detection pipelines
      // that consume syslog, rogue-syslog-enabled must be set to true.
      leaf rogue-wsa-events-enabled {
        type boolean;
        default "false";
        description "Enable/Disable Rogue WSA events";
      }
      leaf rogue-syslog-enabled {
        type boolean;
        default "false";
        description "Enable/Disable Rogue events notifications through syslog";
      }
    } // container rogue-global

    // Deprecated with RLDP. Times are HH:MM:SS validated by pattern only;
    // nothing in the model relates start-time to end-time, and both default
    // to "00:00:00".
    container rldp-schedules {
      status deprecated;
      description "Configuration of rldp schedule";
      list rldp-schedule {
        key "day";
        description "List of rldp schedule configurations";
        leaf day {
          type wireless-enum-types:work-day;
          description "Configuration of day in rldp schedule";
        }
        leaf start-time {
          type string {
            pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]';
          }
          default "00:00:00";
          description "Configure the start time for rldp schedule for the day [HH:MM:SS]";
        }
        leaf end-time {
          type string {
            pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]';
          }
          default "00:00:00";
          description "Configure the end time for rldp schedule for the day [HH:MM:SS]";
        }
      } // list rldp-schedule
    } // container rldp-schedules

    // Per-AP manual classification, keyed by MAC (max 625 entries).
    // A 'rogue-classtype-friendly' entry whitelists that MAC; a
    // 'rogue-state-contained' entry orders active containment of it.
    container rogue-ap-cfgs {
      description "Configuration of ap rogue cfg";
      list rogue-ap-cfg {
        key "rogue-address";
        max-elements 625;
        description "List of ap rogue cfg";
        // The description says "ad-hoc", but the list holds any rogue AP;
        // the adhoc flag below distinguishes IBSS entries.
        leaf rogue-address {
          type yang:mac-address;
          description "MAC address of the ad-hoc rogue access point";
        }
        leaf adhoc {
          type boolean;
          description "adhoc";
        }
        // Only friendly / malicious / unclassified are writable here;
        // custom classes are assigned through rules, not per-AP entries.
        leaf rogue-class-type {
          type wireless-enum-types:rogue-class-type;
          must "../rogue-class-type != 'rogue-classtype-invalid' and ../rogue-class-type != 'rogue-classtype-unknown' and ../rogue-class-type != 'rogue-classtype-custom'" {
            error-message "Rogue classtype cannot be custom, invalid or unknown";
            error-app-tag "must-violation";
          }
          mandatory true;
          description "Rogue classification";
        }
        // Allowed (class, state) pairs:
        //   friendly      -> trusted | acknowledged
        //   malicious     -> contained | alert
        //   unclassified  -> contained | alert
        // The last must rejects every transient/internal state, including
        // the declared default 'rogue-state-init'. NOTE(review): with
        // RFC 7950 default-in-must semantics an entry that omits rogue-mode
        // would therefore fail validation, so clients should always set it
        // explicitly; confirm against the target release's validator.
        leaf rogue-mode {
          type wireless-enum-types:rogue-state;
          must "(../rogue-class-type != 'rogue-classtype-friendly') or (../rogue-mode = 'rogue-state-trusted' or ../rogue-mode = 'rogue-state-acknowledged')" {
            error-message "Friendly rogue AP state must be trusted or acknowledged";
            error-app-tag "must-violation";
          }
          must "(../rogue-class-type != 'rogue-classtype-malicious') or (../rogue-mode = 'rogue-state-contained' or ../rogue-mode = 'rogue-state-alert')" {
            error-message "Malicious rogue AP state must be contained or alert";
            error-app-tag "must-violation";
          }
          must "(../rogue-class-type != 'rogue-classtype-unclassified') or (../rogue-mode = 'rogue-state-contained' or ../rogue-mode = 'rogue-state-alert')" {
            error-message "Unclassified rogue AP state must be contained or alert";
            error-app-tag "must-violation";
          }
          must "../rogue-mode != 'rogue-state-init' and ../rogue-mode != 'rogue-state-pending' and ../rogue-mode != 'rogue-state-lrad' and ../rogue-mode != 'rogue-state-threat' and ../rogue-mode != 'rogue-state-contained-pending' and ../rogue-mode != 'rogue-state-deleted' and ../rogue-mode != 'rogue-state-invalid'" {
            error-message "Invalid rogue state";
            error-app-tag "must-violation";
          }
          default "rogue-state-init";
          description "Rogue classification state";
        }
        // 0 unless the AP is contained; 1..4 when it is (both directions
        // enforced). The level is the number of radios used for containment
        // per the usual controller meaning — not stated by this model.
        leaf containment-level {
          type uint32 {
            range "0 .. 4";
          }
          must "(../rogue-mode = 'rogue-state-contained') or (../containment-level = 0)" {
            error-message "Containment level can be set only for contained APs";
            error-app-tag "must-violation";
          }
          must "(../rogue-mode != 'rogue-state-contained') or (../containment-level >= 1 and ../containment-level <= 4)" {
            error-message "When rogue AP state is contained, containment level should be greater than 0";
            error-app-tag "must-violation";
          }
          default "0";
          description "Containment level";
        }
      } // list rogue-ap-cfg
    } // container rogue-ap-cfgs

    // Per-client manual containment, keyed by MAC (max 625 entries).
    // The only writable state is 'rogue-state-contained', i.e. every entry
    // in this list is a containment order.
    container rogue-client-cfgs {
      description "Configuration of client rogue cfg";
      list rogue-client-cfg {
        key "rogue-client-address";
        max-elements 625;
        description "List of client rogue configurations";
        // Description is a copy of the AP leaf's; this is the client MAC.
        leaf rogue-client-address {
          type yang:mac-address;
          description "MAC address of the rogue access point";
        }
        // Same default-vs-must tension as rogue-ap-cfg/rogue-mode: the
        // default 'rogue-state-init' does not satisfy the must, so the leaf
        // has to be set explicitly to 'rogue-state-contained'.
        leaf rogue-mode {
          type wireless-enum-types:rogue-state;
          must "../rogue-mode = 'rogue-state-contained'" {
            error-message "Rogue client state can only be set to contained";
            error-app-tag "must-violation";
          }
          default "rogue-state-init";
          description "Rogue client state";
        }
        // Mirrors the AP containment-level rules. ("shold" in the second
        // error-message is a typo in the shipped model; left untouched here
        // because clients may match on the literal text.)
        leaf containment-level {
          type uint32 {
            range "0 .. 4";
          }
          must "(../rogue-mode = 'rogue-state-contained') or (../containment-level = 0)" {
            error-message "Containment level can be set only for contained clients";
            error-app-tag "must-violation";
          }
          must "(../rogue-mode != 'rogue-state-contained') or (../containment-level >= 1 and ../containment-level <= 4)" {
            error-message "When rogue client state is contained, containment level shold be greater than 0";
            error-app-tag "must-violation";
          }
          default "0";
          description "Containment level";
        }
      } // list rogue-client-cfg
    } // container rogue-client-cfgs

    // MAC ignore list: no max-elements and no constraint other than a
    // well-formed MAC. Every entry is a permanent detection exemption for
    // a spoofable identifier — audit this list with the same rigour as a
    // firewall allow-list.
    container rogue-ignore-data-entries {
      description "Configuration of ignore rogue data";
      list rogue-ignore-data-entry {
        key "rogue-ignore-address";
        description "List of ignore rogue data configurations";
        leaf rogue-ignore-address {
          type yang:mac-address;
          description "Configuration of ignore rogue address";
        }
      } // list rogue-ignore-data-entry
    } // container rogue-ignore-data-entries

    // Rogue classification rules (max 64). Each rule has a unique
    // priority-num, a target class/state, a match operator and a set of
    // conditions (cond-lists). Since 2020-11-01 the number of conditions
    // per rule is unrestricted.
    container rule-data-entries {
      description "Configuration of rule data";
      list rule-data-entry {
        key "rule-name";
        unique "rule-cfg/priority-num";
        max-elements 64;
        description "List of rule data configurations";
        // length "0..32" is moot: the pattern requires at least one char.
        // 'all' is reserved (presumably a CLI wildcard — not shown here).
        leaf rule-name {
          type string {
            length "0..32";
            pattern '[-A-Za-z_.0-9]+';
          }
          must "../rule-name != 'all'" {
            error-message "all is not allowed as rule name";
            error-app-tag "must-violation";
          }
          description "Name of rogue rule";
        }
        container rule-cfg {
          description "Configuration of rule cfg";
          // Class/state consistency is checked ONLY when enable = 'true'
          // (first disjunct). Allowed pairs when enabled:
          //   friendly     -> trusted | alert | acknowledged
          //   malicious    -> contained | alert
          //   custom       -> contained | alert
          //   unclassified -> deleted
          // A disabled rule can therefore hold any class/state combination
          // and will be rejected only at the moment it is enabled; 'state'
          // must also be present for an enabled rule, since it has no
          // default.
          leaf class-type {
            type wireless-enum-types:rogue-class-type;
            must "(../enable = 'false') or (../class-type = 'rogue-classtype-friendly' and (../state = 'rogue-state-trusted' or ../state = 'rogue-state-alert' or ../state = 'rogue-state-acknowledged')) or (../class-type = 'rogue-classtype-malicious' and (../state = 'rogue-state-contained' or ../state = 'rogue-state-alert')) or (../class-type = 'rogue-classtype-custom' and (../state = 'rogue-state-contained' or ../state = 'rogue-state-alert')) or (../class-type = 'rogue-classtype-unclassified' and ../state = 'rogue-state-deleted')" {
              error-message "Please define a valid class/state classification";
              error-app-tag "must-violation";
            }
            default "rogue-classtype-unclassified";
            description "Classification type";
          }
          leaf state {
            type wireless-enum-types:rogue-state;
            description "Rogue state";
          }
          // Only meaningful (and only present) for custom classes.
          leaf severity-score {
            when "(../class-type = 'rogue-classtype-custom')";
            type uint32 {
              range "1 .. 100";
            }
            description "Severity score";
          }
          // Unbounded string; no length or pattern restriction.
          leaf class-type-custom-name {
            when "(../class-type = 'rogue-classtype-custom')";
            type string;
            description "Custom name of the classification";
          }
          // ANY (default) fires on the first matching condition; ALL needs
          // every condition to hold.
          leaf match-op {
            type wireless-enum-types:apf-rogue-rule-rule-match-op;
            must "../match-op = 'rule-match-any' or ../match-op = 'rule-match-all'" {
              error-message "Match operation can be ALL or ANY";
              error-app-tag "must-violation";
            }
            default "rule-match-any";
            description "Match operation";
          }
          // Unique across all rules (see 'unique' on rule-data-entry).
          leaf priority-num {
            type int32 {
              range "1 .. 512";
            }
            mandatory true;
            description "priority number for the rogue rule";
          }
          // Rules are created disabled; notifications on match default on.
          leaf enable {
            type boolean;
            default "false";
            description "Enable the rule";
          }
          leaf notify {
            type boolean;
            default "true";
            description "Notification on rule match";
          }
        } // container rule-cfg

        // Conditions are keyed by name; the accepted names are fixed by the
        // must on cond-name. Each cond-cfg leaf carries a must that ties it
        // to its own name, so a condition entry can express exactly the one
        // predicate its name says (other flags must stay false / 0 / unset).
        container cond-lists {
          description "List of conditions of a Rogue rule";
          list cond-list {
            key "cond-name";
            description "Condition of a Rogue rule";
            leaf cond-name {
              type string;
              must "../cond-name = 'client-count' or ../cond-name = 'ssid' or ../cond-name = 'wildcard-ssid' or ../cond-name = 'rssi' or ../cond-name = 'duration' or ../cond-name = 'managed-ssid' or ../cond-name = 'no-encryption' or ../cond-name = 'any-encryption' or ../cond-name = 'wpa-encryption' or ../cond-name = 'wpa2-encryption' or ../cond-name = 'wpa3-sae-encryption' or ../cond-name = 'wpa3-owe-encryption'" {
                error-message "Condition can be client-count/ssid/wildcard-ssid/rssi/duration/managed-ssid/no-encryption/any-encryption/wpa-encryption/wpa2-encryption/wpa3-sae-encryption/wpa3-owe-encryption";
                error-app-tag "must-violation";
              }
              description "Configure name of condition";
            }
            container cond-cfg {
              description "Configuration of condition";
              // Threshold in dBm; may only be non-zero under cond-name 'rssi'.
              leaf rssi {
                type int32 {
                  range "-128 .. 0";
                }
                must "(../../cond-name != 'rssi' and ../rssi = 0) or (../../cond-name = 'rssi')" {
                  error-message "The condition name must reflect the condition flags. It must be 'rssi' if rssi condition is set";
                  error-app-tag "must-violation";
                }
                description "Receiving signal strength indicator";
              }
              // Range excludes 0, so the "= 0" escape in the must can never
              // hold: this leaf may only exist under cond-name 'client-count'.
              leaf client-count {
                type uint32 {
                  range "1 .. 10";
                }
                must "(../../cond-name != 'client-count' and ../client-count = 0) or (../../cond-name = 'client-count')" {
                  error-message "The condition name must reflect the condition flags. It must be 'client-count' if client-count condition is set";
                  error-app-tag "must-violation";
                }
                description "Number of client present";
              }
              // Open-network detector: true iff cond-name = 'no-encryption'.
              leaf no-encryption {
                type boolean;
                must "((../../cond-name = 'no-encryption') and (../no-encryption = 'true')) or ((../../cond-name != 'no-encryption') and (../no-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'no-encryption' if no-encryption condition is set";
                  error-app-tag "must-violation";
                }
                default "false";
                description "no encryption";
              }
              // Rogue advertising one of the controller's own SSIDs
              // (evil-twin indicator).
              leaf managed-ssid {
                type boolean;
                must "((../../cond-name = 'managed-ssid') and (../managed-ssid = 'true')) or ((../../cond-name != 'managed-ssid') and (../managed-ssid != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'managed-ssid' if managed-ssid condition is set";
                  error-app-tag "must-violation";
                }
                default "false";
                description "Status of managed ssid";
              }
              // Seconds (0..86400); non-zero only under cond-name 'duration'.
              leaf duration {
                type uint32 {
                  range "0 .. 86400";
                }
                must "(../../cond-name != 'duration' and ../duration = 0) or (../../cond-name = 'duration')" {
                  error-message "The condition name must reflect the condition flags. It must be 'duration' if duration condition is set";
                  error-app-tag "must-violation";
                }
                description "Rogue AP detected for more than the specified duration time";
              }
              // Encryption-type detectors. Each is a boolean that must be
              // true exactly when the enclosing cond-name matches it; note
              // that these (unlike no-encryption / managed-ssid) declare no
              // default.
              leaf any-encryption {
                type boolean;
                must "((../../cond-name = 'any-encryption') and (../any-encryption = 'true')) or ((../../cond-name != 'any-encryption') and (../any-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'any-encryption' if any-encryption condition is set";
                  error-app-tag "must-violation";
                }
                description "any type of encryption";
              }
              leaf wpa-encryption {
                type boolean;
                must "((../../cond-name = 'wpa-encryption') and (../wpa-encryption = 'true')) or ((../../cond-name != 'wpa-encryption') and (../wpa-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'wpa-encryption' if wpa-encryption condition is set";
                  error-app-tag "must-violation";
                }
                description "WPA encryption";
              }
              leaf wpa2-encryption {
                type boolean;
                must "((../../cond-name = 'wpa2-encryption') and (../wpa2-encryption = 'true')) or ((../../cond-name != 'wpa2-encryption') and (../wpa2-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'wpa2-encryption' if wpa2-encryption condition is set";
                  error-app-tag "must-violation";
                }
                description "WPA2 encryption";
              }
              // Added 2020-11-01: WPA3 SAE (personal) and OWE (enhanced open).
              leaf wpa3-sae-encryption {
                type boolean;
                must "((../../cond-name = 'wpa3-sae-encryption') and (../wpa3-sae-encryption = 'true')) or ((../../cond-name != 'wpa3-sae-encryption') and (../wpa3-sae-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'wpa3-sae-encryption' if wpa3-sae-encryption condition is set";
                  error-app-tag "must-violation";
                }
                description "WPA3 SAE encryption";
              }
              leaf wpa3-owe-encryption {
                type boolean;
                must "((../../cond-name = 'wpa3-owe-encryption') and (../wpa3-owe-encryption = 'true')) or ((../../cond-name != 'wpa3-owe-encryption') and (../wpa3-owe-encryption != 'true'))" {
                  error-message "The condition name must reflect the condition flags. It must be 'wpa3-owe-encryption' if wpa3-owe-encryption condition is set";
                  error-app-tag "must-violation";
                }
                description "WPA3 OWE encryption";
              }
            } // container cond-cfg

            // SSID operands for the 'ssid' / 'wildcard-ssid' conditions
            // (max 25 per condition). Nothing in the model ties this list to
            // those two cond-names; an empty SSID ("") is accepted by the
            // 0..32 length. 'all' is reserved, as for rule-name.
            container ssid-lists {
              description "Configuration of ssid list";
              list ssid-list {
                key "ssid";
                max-elements 25;
                description "List of ssid configurations";
                leaf ssid {
                  type string {
                    length "0..32";
                  }
                  must "../ssid != 'all'" {
                    error-message "all is not allowed as SSID name";
                    error-app-tag "must-violation";
                  }
                  description "Configuration of ssid in rule list";
                }
              } // list ssid-list
            } // container ssid-lists
          } // list cond-list
        } // container cond-lists
      } // list rule-data-entry
    } // container rule-data-entries
  } // container rogue-cfg-data
} // module Cisco-IOS-XE-wireless-rogue-cfg