Model for managing rogue configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved.
Version: 2020-11-01
module Cisco-IOS-XE-wireless-rogue-cfg { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-rogue-cfg"; prefix wireless-rogue-cfg; import Cisco-IOS-XE-wireless-enum-types { prefix wireless-enum-types; } import Cisco-IOS-XE-wireless-rogue-types { prefix wireless-rogue-types; } import ietf-yang-types { prefix yang; } import cisco-semver { prefix cisco-semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com"; description "Model for managing rogue configurations Copyright (c) 2016-2020 by Cisco Systems, Inc. All rights reserved."; revision "2020-11-01" { description "- New rogue rule conditions for WPA3. - Added support for syslog notification configuration. - Removed restriction on number of conditions per rogue rule. - Deprecated Rogue RLDP config model."; reference "6.1.0"; } revision "2020-07-01" { description "- Restricted rule name to alphanumeric characters."; reference "6.0.0"; } revision "2019-05-01" { description "- Fixed some spelling errors in error messages. - Added support for Rogue WSA events. - Added semantic version"; reference "5.1.0"; } revision "2019-01-24" { description "- New constraint in Cisco-IOS-XE-wireless-rogue-cfg forcing major version bump. - Cleaned up spelling errors in descriptions. - rogue-global container marked as non-presence."; reference "5.0.0"; } revision "2018-05-18" { description "Added validation"; reference "4.0.0"; } revision "2018-03-01" { description "Insert containers around lists"; reference "3.0.0"; } revision "2018-01-24" { description "The first generally available version"; reference "2.0.0"; } revision "2017-05-05" { description "Initial revision"; reference "1.0.0"; } cisco-semver:module-version "6.1.0"; cisco-semver:module-version "6.0.0"; cisco-semver:module-version "5.1.0"; cisco-semver:module-version "5.0.0"; cisco-semver:module-version "4.0.0"; cisco-semver:module-version "3.0.0"; cisco-semver:module-version "2.0.0"; cisco-semver:module-version "1.0.0"; grouping rogue-global { description "Configuration of rogue global parameters"; leaf rogue-rldp { type wireless-enum-types:rldp-config-mode; must "(../rogue-rldp = 'rldp-cfg-mode-disable') or (../rogue-rldp-schedule-set = 'false' and ../rogue-rldp != 'rldp-cfg-mode-disable')" { error-message "RLDP scheduling and RLDP cannot be enabled at the same time"; error-app-tag "must-violation"; } default "rldp-cfg-mode-disable"; status deprecated; description "Configure Rogue Location Discovery Protocol"; } leaf rogue-rldp-auto-contain { type boolean; default "false"; status deprecated; description "Set rldp, alarm and auto-contain if rogue is detected"; } leaf rogue-rldp-schedule-set { type boolean; default "false"; status deprecated; description "Configure rldp scheduling"; } leaf rogue-rldp-retry-count { type uint8 { range "1 .. 5"; } default "1"; status deprecated; description "Number of rldp retry times per rogue AP"; } leaf rogue-auto-contain-my-ssid { type boolean; default "false"; description "Auto-contain upon detecting rogue advertising our SSID"; } leaf rogue-auto-contain-ad-hoc { type boolean; default "false"; description "Enable automatically containing adhoc rogue"; } leaf rogue-auto-contain-valid-mobile-on-untrusted-ap { type boolean; default "false"; description "Auto-contain upon detecting valid clients using rogue APs"; } leaf rogue-validate-mobiles-against-radius { type boolean; must "(../rogue-validate-mobiles-against-radius = 'false') or (../rogue-validate-mobiles-against-radius != ../rogue-validate-mobiles-against-mse)" { error-message "Rogue validation against MSE and rogue validation against radius cannot be enabled at the same time"; error-app-tag "must-violation"; } default "false"; description "Set use of AAA/local database to detect valid mac addresses"; } leaf rogue-validate-mobiles-against-mse { type boolean; default "false"; description "Set use of MSE to detect valid mac addresses"; } leaf rogue-validate-aps-against-radius { type boolean; default "false"; description "Set use of AAA/local database to detect valid AP mac addresses"; } leaf adhoc-rogue-reporting { type boolean; default "true"; description "Enable detecting and reporting adhoc rogue (IBSS)"; } leaf ap-auth-enabled { type boolean; default "false"; description "Flag to indicate whether auth is enabled"; } leaf rogue-auto-contain-level-monitor-ap { type boolean; default "false"; description "Configure auto contain for monitor ap mode"; } leaf security-level { type wireless-enum-types:rogue-security-level; default "rogue-security-level-custom"; description "Configure security level"; } leaf ap-auth-alarm-th { type uint8 { range "1 .. 255"; } default "1"; description "Configure AP auth alarm threshold"; } leaf rogue-cleanup-timer { type uint32 { range "240 .. 3600"; } default "1200"; description "The number of seconds before rogue entries are flushed"; } leaf rogue-init-timer { type uint32; default "180"; description "rogue init timer"; } leaf rogue-auto-contain-level { type uint32 { range "1 .. 4"; } default "1"; description "Configure auto contain level"; } leaf rogue-polling-interval { type uint32 { range "60 .. 86400"; } default "3600"; description "Configures Rogue AP AAA validation interval in seconds"; } leaf rogue-detection-client-num-threshold { type uint32 { range "0 .. 256"; } default "0"; description "Rogue client per a rogue AP SNMP trap threshold"; } leaf notify-rogue-ap-threshold { type uint32 { range "0 .. 10"; } default "0"; description "Configure rogue AP RSSI deviation threshold for notification"; } leaf notify-rogue-client-threshold { type uint32 { range "0 .. 10"; } default "0"; description "Configure rogue Client RSSI deviation threshold for notification"; } leaf notify-rogue-ap-min-rssi { type int32 { range "-128 .. -70"; } default "-128"; description "Configure rogue AP minimum RSSI threshold for notification"; } leaf notify-rogue-client-min-rssi { type int32 { range "-128 .. -70"; } default "-128"; description "Configure rogue Client minimum RSSI threshold for notification"; } leaf rogue-wsa-events-enabled { type boolean; default "false"; description "Enable/Disable Rogue WSA events"; } leaf rogue-syslog-enabled { type boolean; default "false"; description "Enable/Disable Rogue events notifications through syslog"; } } // grouping rogue-global grouping rogue-ap-cfg { description "Configuration of rogue access point"; leaf rogue-address { type yang:mac-address; description "MAC address of the ad-hoc rogue access point"; } leaf adhoc { type boolean; description "adhoc"; } leaf rogue-class-type { type wireless-enum-types:rogue-class-type; must "../rogue-class-type != 'rogue-classtype-invalid' and ../rogue-class-type != 'rogue-classtype-unknown' and ../rogue-class-type != 'rogue-classtype-custom'" { error-message "Rogue classtype cannot be custom, invalid or unknown"; error-app-tag "must-violation"; } mandatory true; description "Rogue classification"; } leaf rogue-mode { type wireless-enum-types:rogue-state; must "(../rogue-class-type != 'rogue-classtype-friendly') or (../rogue-mode = 'rogue-state-trusted' or ../rogue-mode = 'rogue-state-acknowledged')" { error-message "Friendly rogue AP state must be trusted or acknowledged"; error-app-tag "must-violation"; } must "(../rogue-class-type != 'rogue-classtype-malicious') or (../rogue-mode = 'rogue-state-contained' or ../rogue-mode = 'rogue-state-alert')" { error-message "Malicious rogue AP state must be contained or alert"; error-app-tag "must-violation"; } must "(../rogue-class-type != 'rogue-classtype-unclassified') or (../rogue-mode = 'rogue-state-contained' or ../rogue-mode = 'rogue-state-alert')" { error-message "Unclassified rogue AP state must be contained or alert"; error-app-tag "must-violation"; } must "../rogue-mode != 'rogue-state-init' and ../rogue-mode != 'rogue-state-pending' and ../rogue-mode != 'rogue-state-lrad' and ../rogue-mode != 'rogue-state-threat' and ../rogue-mode != 'rogue-state-contained-pending' and ../rogue-mode != 'rogue-state-deleted' and ../rogue-mode != 'rogue-state-invalid'" { error-message "Invalid rogue state"; error-app-tag "must-violation"; } default "rogue-state-init"; description "Rogue classification state"; } leaf containment-level { type uint32 { range "0 .. 4"; } must "(../rogue-mode = 'rogue-state-contained') or (../containment-level = 0)" { error-message "Containment level can be set only for contained APs"; error-app-tag "must-violation"; } must "(../rogue-mode != 'rogue-state-contained') or (../containment-level >= 1 and ../containment-level <= 4)" { error-message "When rogue AP state is contained, containment level should be greater than 0"; error-app-tag "must-violation"; } default "0"; description "Containment level"; } } // grouping rogue-ap-cfg grouping rogue-client-cfg { description "Configuration of rogue client"; leaf rogue-client-address { type yang:mac-address; description "MAC address of the rogue access point"; } leaf rogue-mode { type wireless-enum-types:rogue-state; must "../rogue-mode = 'rogue-state-contained'" { error-message "Rogue client state can only be set to contained"; error-app-tag "must-violation"; } default "rogue-state-init"; description "Rogue client state"; } leaf containment-level { type uint32 { range "0 .. 4"; } must "(../rogue-mode = 'rogue-state-contained') or (../containment-level = 0)" { error-message "Containment level can be set only for contained clients"; error-app-tag "must-violation"; } must "(../rogue-mode != 'rogue-state-contained') or (../containment-level >= 1 and ../containment-level <= 4)" { error-message "When rogue client state is contained, containment level shold be greater than 0"; error-app-tag "must-violation"; } default "0"; description "Containment level"; } } // grouping rogue-client-cfg grouping rogue-ignore-data { description "Configuration of ignore rogue data"; leaf rogue-ignore-address { type yang:mac-address; description "Configuration of ignore rogue address"; } } // grouping rogue-ignore-data grouping rldp-day-sched { description "Configuration of day rldp schedule"; leaf day { type wireless-enum-types:work-day; description "Configuration of day in rldp schedule"; } leaf start-time { type string { pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]'; } default "00:00:00"; description "Configure the start time for rldp schedule for the day [HH:MM:SS]"; } leaf end-time { type string { pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]'; } default "00:00:00"; description "Configure the end time for rldp schedule for the day [HH:MM:SS]"; } } // grouping rldp-day-sched grouping rule-data { description "Configuration of rule data"; leaf rule-name { type string { length "0..32"; pattern '[-A-Za-z_.0-9]+'; } must "../rule-name != 'all'" { error-message "all is not allowed as rule name"; error-app-tag "must-violation"; } description "Name of rogue rule"; } container rule-cfg { description "Configuration of rule cfg"; uses wireless-rogue-types:st-rule-data-cfg; } // container rule-cfg container cond-lists { description "List of conditions of a Rogue rule"; list cond-list { key "cond-name"; description "Condition of a Rogue rule"; uses wireless-rogue-cfg:rule-condition; } // list cond-list } // container cond-lists } // grouping rule-data grouping rule-condition { description "Configuration of rule condition"; leaf cond-name { type string; must "../cond-name = 'client-count' or ../cond-name = 'ssid' or ../cond-name = 'wildcard-ssid' or ../cond-name = 'rssi' or ../cond-name = 'duration' or ../cond-name = 'managed-ssid' or ../cond-name = 'no-encryption' or ../cond-name = 'any-encryption' or ../cond-name = 'wpa-encryption' or ../cond-name = 'wpa2-encryption' or ../cond-name = 'wpa3-sae-encryption' or ../cond-name = 'wpa3-owe-encryption'" { error-message "Condition can be client-count/ssid/wildcard-ssid/rssi/duration/managed-ssid/no-encryption/any-encryption/wpa-encryption/wpa2-encryption/wpa3-sae-encryption/wpa3-owe-encryption"; error-app-tag "must-violation"; } description "Configure name of condition"; } container cond-cfg { description "Configuration of condition"; uses wireless-rogue-types:st-rule-condition-cfg; } // container cond-cfg container ssid-lists { description "Configuration of ssid list"; list ssid-list { key "ssid"; max-elements 25; description "List of ssid configurations"; uses wireless-rogue-cfg:rule-ssid-list; } // list ssid-list } // container ssid-lists } // grouping rule-condition grouping rule-ssid-list { description "Configuration of ssid rule list"; leaf ssid { type string { length "0..32"; } must "../ssid != 'all'" { error-message "all is not allowed as SSID name"; error-app-tag "must-violation"; } description "Configuration of ssid in rule list"; } } // grouping rule-ssid-list container rogue-cfg-data { description "Configuration of rogue data"; container rogue-global { description "Configuration of rogue global"; uses wireless-rogue-cfg:rogue-global; } // container rogue-global container rldp-schedules { status deprecated; description "Configuration of rldp schedule"; list rldp-schedule { key "day"; description "List of rldp schedule configurations"; uses wireless-rogue-cfg:rldp-day-sched; } // list rldp-schedule } // container rldp-schedules container rogue-ap-cfgs { description "Configuration of ap rogue cfg"; list rogue-ap-cfg { key "rogue-address"; max-elements 625; description "List of ap rogue cfg"; uses wireless-rogue-cfg:rogue-ap-cfg; } // list rogue-ap-cfg } // container rogue-ap-cfgs container rogue-client-cfgs { description "Configuration of client rogue cfg"; list rogue-client-cfg { key "rogue-client-address"; max-elements 625; description "List of client rogue configurations"; uses wireless-rogue-cfg:rogue-client-cfg; } // list rogue-client-cfg } // container rogue-client-cfgs container rogue-ignore-data-entries { description "Configuration of ignore rogue data"; list rogue-ignore-data-entry { key "rogue-ignore-address"; description "List of ignore rogue data configurations"; uses wireless-rogue-cfg:rogue-ignore-data; } // list rogue-ignore-data-entry } // container rogue-ignore-data-entries container rule-data-entries { description "Configuration of rule data"; list rule-data-entry { key "rule-name"; unique "rule-cfg/priority-num"; max-elements 64; description "List of rule data configurations"; uses wireless-rogue-cfg:rule-data; } // list rule-data-entry } // container rule-data-entries } // container rogue-cfg-data } // module Cisco-IOS-XE-wireless-rogue-cfg
© 2023 YumaWorks, Inc. All rights reserved.