Model for managing wlan configurations Copyright (c) 2016-2021 by Cisco Systems, Inc. All rights reserved.
Version: 2021-07-01
module Cisco-IOS-XE-wireless-wlan-cfg { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-wireless-wlan-cfg"; prefix wireless-wlan-cfg; import Cisco-IOS-XE-wireless-enum-types { prefix wireless-enum-types; } import Cisco-IOS-XE-wireless-general-cfg { prefix wireless-general-cfg; } import Cisco-IOS-XE-wireless-types { prefix wireless-types; } import ietf-inet-types { prefix inet; } import cisco-semver { prefix cisco-semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com"; description "Model for managing wlan configurations Copyright (c) 2016-2021 by Cisco Systems, Inc. All rights reserved."; revision "2021-07-01" { description "- Added Link-Local bridging policy profile configuration and constraints. - Added PC analytics support. - Added AAA override VLAN fallback configuration in policy profile. - Added support for WLAN broadcast on band and slot. - Added 6Ghz client steering support for WLAN. - Added obsolete state for radio policy under WLAN - Added constraints that TKIP or AES Cipher to be enabled for WPA1 configuration. - Added constraints to disallow CCKM and PSK to be active at the same time."; reference "12.0.0"; } revision "2021-03-01" { description "- Added support for Locally Administered Address handling. - Added support for per WLAN 802.11ax config - Added Webauth on Mac-filter Failure validation rules. - Add ASCII 32-126 and leading/trailing spaces restriction for calender, guest lan and WLAN profile name, policy tag name and policy profile - Added SSID restriction in description - Added Easy-PSK configuration for a WLAN and constraints. - Updated constraints for AKM PSK leaf. - Updated constraints for mPSK leaf. - Removed constraints that enforced WPA2 to be enabled for GTK randomization. 
- Added constraint to prevent native profiling configuration in FlexConnect in Local Authentication, Local Switching mode. - Added constraint to disallow FT-Enabled/FT-Adaptive without WPA2/WPA3. - Added constraints for AKM interworking with WPA2/WPA3. - Added constraint to disallow configuring PMF on WPA1 only wlan without WPA2. - Added obsolete status for central association in FlexConnect profile - Removed constraints that enforced central association to be disabled in Flexconnect profile for EWC. - Removed constraint to disallow FT-Enabled/FT-Adaptive without WPA2/WPA3. - Removed constraint for AKM interworking with WPA2/WPA3. - Removed constraint to disallow configuring PMF on WPA1 only wlan without WPA2"; reference "11.0.0"; } revision "2020-11-01" { description "- Added support for Advanced Scheduling Requests handling for a WLAN - Support for Authentication and Accounting attribute list per WLAN. - Removed constraints that prevented simultaneous OSEN and WPA2 AES configuration. - Added a constraint to prevent WIFI to Cellular steering configuration without MBO. - Prevent configuration of central DHCP and central switching in EWC platform. - Prevent configuration of central association in EWC platform. - Added ip-mac binding support for the policy profile. - Removed constraints that enforced WPA2 to be enabled for GTK randomization. - Changed SAE retransmission timeout default to 400 milliseconds."; reference "10.0.0"; } revision "2020-07-01" { description "- Extended range constraints for remote LAN port-id leaf. - Added WIFI to Cellular config for a WLAN. - Updated Yang constraints for MBO leaf to allow PMF optional on WPA2 enabled WLAN. - Added WiFi direct policy configuration. - Updated description string from User Private Network to User Defined (Private) Network. - Added a configuration option to ignore RSN IE Validation. - Removed gtk-randomization validation from OSEN and added OSEN encryption vlan configuration. 
- Removed constraints that prevented simultaneous Hotspot and Guest access configuration"; reference "9.0.0"; } revision "2020-03-01" { description "- Modified description for PSK. - Modified WPA3 SuiteB constraints to disallow CCMP256. - Modified WPA3 config constraints to disallow FT-Dot1x with SAE or FT-Dot1x/FT-PSK with OWE. - Added 802.11k Radio Measurement for Beacon Request (Client Scan Report) configurations. - Added 802.11v BSS Transition request dual neighbor list config on a WLAN. - Added validation to disallow IPv4/IPv6 default ACLs. - Added constraints to disallow FT-Enabled/FT-Adaptive with SuiteB ciphers. - Removed OSEN validation if auth list is not defined."; reference "8.0.0"; } revision "2019-11-01" { description "- Added umbrella flex parameter configuration. - Added MDNS mode config on GLAN Profile. - Added User Private Network configuration. - Added User Private Network configuration for unicast. - Modified AVC constraints to allow IPv6 flow monitors in flex and fabric modes. - Added NAC type support. - Added ND, DAD, ARP proxy options in policy profile. - Added configuration under device analytics to share Cisco device data with client. - Removed mandatory constraint from calendar-profile-config end-time. - Added QOS enhanced basic service set, Opportunistic key caching and Multicast-Filter. - Added configuration for device analytics support. - Changed the ND and DAD proxy option to enum type"; reference "7.0.0"; } revision "2019-06-13" { description "- Changed the schedule wlan daily profile name to calendar profile. - Added schedule wlan daily profile config in wlan-config. - Added constraints to mutually exclude Hotspot 2.0 property and anchor in wlan-policy. - Added ipv4/ipv6 ingress/egress flow monitor lists. - Added Hotspot 2.0 property in wlan-policy - Added GTK randomization option in wlan-profile - Added Guest-LAN config in wlan-policy - Added leaves for Target Wake-up Time support on wlan-profile. 
- Added Guest-LAN config in wlan-policy - Added MBO config in WLAN - Added OSEN option in wlan-profile. - Changed the content of some Guest-LAN related error messages. - Added Constraints for WEP Key Type. - Added OSEN validation if auth-list is not defined. - Added constraints on transition-mode-wlan-id. - Increased AVC flow monitor limit to 2 to enable Application Performance Monitoring. - Added constraints on wlan-status to prevent partial WPA3 configuration. - Added constraints on pmf-options for WPA2/WPA3 WLAN. - Changed constraint to allow guest anchor configuration when no ANQP server configured. - Added semantic version. - Added constraints on AKM in WPA3 only WLAN. - Changed conditional web redirect to obsolete. - Added OSEN validation if dot1x is not defined. - Update the default values as per WLC configuration best practice"; reference "6.0.0"; } revision "2019-03-15" { description "- Update wlan-profile: add new data, change default values and add new constraints - Added Guest-LAN config and constraints - Cleaned up spelling errors in descriptions - Cleaned up descriptions by adding relevant information - Mandatory constraint added for policy-profile-name in wlan-policy - Role replaced with new has-wired-vlan parameter in Guest-LAN validations - Multicast related leaves name change - Removed diag channel state variable and CCX related variables - Unused attributes removed and renamed few attributes appropriately - Removed dot1x-enabled leaf - Update wlan-profile: mac-filtering is changed to mac-filtering-list - Update wlan-profile: authorization-override-list-name is changed to mac-override-authorization-list."; reference "5.0.0"; } revision "2018-07-04" { description "- Added constraints for call-snoop - CTS CLI support"; reference "4.0.0"; } revision "2018-03-09" { description "Seperate ATF policy from WLAN policy. 
Move accounting-list from wlan to policy profile."; reference "3.0.0"; } revision "2018-01-24" { description "The first generally available version"; reference "2.0.0"; } revision "2017-05-05" { description "Initial revision"; reference "1.0.0"; } cisco-semver:module-version "12.0.0"; cisco-semver:module-version "11.0.0"; cisco-semver:module-version "10.0.0"; cisco-semver:module-version "9.0.0"; cisco-semver:module-version "8.0.0"; cisco-semver:module-version "7.0.0"; cisco-semver:module-version "6.0.0"; cisco-semver:module-version "5.0.0"; cisco-semver:module-version "4.0.0"; cisco-semver:module-version "3.0.0"; cisco-semver:module-version "2.0.0"; cisco-semver:module-version "1.0.0"; container wlan-cfg-data { description "This yang file includes the configuration of wlan parameter and policies"; container calendar-profile-configs { description "Calendar profile configuration"; list calendar-profile-config { key "profile-name"; description "Calendar profile"; leaf profile-name { type string { pattern '[!-~]([ -~]*[!-~])?'; } mandatory true; description "Name of the Schedule-SSID-Daily profile"; } leaf start-time { type string { pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]'; } mandatory true; description "Configuration for start time for the day [HH:MM:SS]"; } leaf end-time { type string { pattern '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]'; } description "Configuration for end time for the day [HH:MM:SS]"; } leaf recurrence { type wireless-enum-types:calendar-recurrence; mandatory true; description "Calendar recurrence configuration"; } container calendar-weekly-configs { description "List of weekdays under Calendar profile"; list calendar-weekly-config { key "day"; description "List of days of the week"; leaf day { type wireless-enum-types:work-day; mandatory true; description "Configuration of enable scheduling on this day"; } } // list calendar-weekly-config } // container calendar-weekly-configs container calendar-monthly-configs { description "List of 
dates under calendar profile"; list calendar-monthly-config { key "date"; description "List of dates"; leaf date { type uint8 { range "1 .. 31"; } mandatory true; description "Configuration to enable scheduling on this date"; } } // list calendar-monthly-config } // container calendar-monthly-configs } // list calendar-profile-config } // container calendar-profile-configs container wlan-cfg-entries { description "WLAN config parameters"; list wlan-cfg-entry { key "profile-name"; unique "wlan-id"; description "List of WLAN config parameters"; leaf wlan-id { type uint32 { range "1 .. 4096"; } mandatory true; description "wlan ID"; } leaf profile-name { type string { pattern '[!-~]([ -~]*[!-~])?'; } description "profile-name"; } leaf description { type string; description "Description for the WLAN profile"; } leaf security-wpa { type boolean; default "true"; description "Configures WPA/WPA2 Support for a WLAN"; } leaf wep-enabled { type boolean; default "false"; description "Configures static WEP keys on a WLAN"; } leaf webauth-enabled { type boolean; default "false"; description "Configures Web authentication"; } leaf cond-web-redirect { type boolean; default "false"; status obsolete; description "Set Conditional Web Redirect on a WLAN"; } leaf splash-web-redirect { type boolean; default "false"; description "Set Splash-Page Web Redirect"; } leaf dot11-auth-type { type wireless-enum-types:apf-vap-80211-authentication; default "apf-vap-80211-auth-open"; description "Configures 802.11 authentication"; } leaf wep-key-index { type uint8 { range "1 .. 4"; } description "This index is for informing Mobile Station which key it should use for Static WEP Authentication"; } leaf wep-key-size { type wireless-enum-types:apf-vap-80211-encryption; default "apf-vap-80211-encryp-wep104"; description "Static WEP Encryption key size. 
Length of key specified in default Key depends on this attribute";
        }
        // Static WEP key value. Typed as an unconstrained string: this leaf
        // does not check its length against wep-key-size or its characters
        // against wep-key-format.
        // NOTE(review): this is secret material; confirm read access to it is
        // restricted (for example by NACM rules) - nothing on the leaf limits it.
        leaf wep-key {
          type string;
          default "";
          description "Static WEP Key";
        }
        // Encryption type of the stored WEP key. The must narrows the imported
        // crypt-type to 'clear' or 'aes'; the default is 'clear'.
        // NOTE(review): presumably 'clear' means the key is held unencrypted in
        // the configuration - confirm against the crypt-type definition.
        leaf wep-key-type {
          type wireless-enum-types:crypt-type;
          must "(../wep-key-type = 'clear' or ../wep-key-type = 'aes')" {
            error-message "Default WEP Key type can be only 'clear' or 'aes'";
            error-app-tag "must-violation";
          }
          default "clear";
          description "Wep key Encryption type";
        }
        leaf wep-key-format {
          type wireless-enum-types:apf-vap-key-type;
          default "key-hex";
          description "The format of the wep key";
        }
        // WPA1 is off by default. When it is enabled, at least one WPA1 cipher
        // (wpa1-tkip or wpa1-aes) must also be enabled.
        leaf wpa1-enabled {
          type boolean;
          must "(../wpa1-enabled = 'false') or ((../wpa1-tkip = 'true') or (../wpa1-aes = 'true'))" {
            error-message "Either TKIP or AES ciphers must be enabled with WPA1 config";
            error-app-tag "must-violation";
          }
          default "false";
          description "Configures WPA1 support";
        }
        leaf wpa1-tkip {
          type boolean;
          default "false";
          description "WPA1/TKIP Cipher support";
        }
        leaf wpa1-aes {
          type boolean;
          default "false";
          description "AES Cipher support WPA1";
        }
        // PSK key management. Both constraints below are skipped while the WLAN
        // is administratively disabled (wlan-status = 'false'), so they take
        // effect when the WLAN is enabled.
        leaf auth-key-mgmt-psk {
          type boolean;
          // Enabling PSK requires a key source: a non-empty psk, easy-psk, or
          // mpsk-enable with at least one mpsk-key entry.
          must "(../apf-vap-id-data/wlan-status = 'false') or (../auth-key-mgmt-psk = 'false') or ((../auth-key-mgmt-psk = 'true') and ((string-length(../psk) > 0) or (../easy-psk = 'true') or ((../mpsk-enable = 'true') and (count(../mpsk-keys/mpsk-key) > 0))))" {
            error-message "AKM PSK can be enabled only when PSK key is set or Easy-PSK is enabled or mPSK is enabled and at least one mPSK key is configured";
            error-app-tag "must-violation";
          }
          // XPath 'and' binds tighter than 'or', so with PSK enabled this is
          // satisfied when psk is non-empty OR auth-key-mgmt-cckm is 'false'.
          // NOTE(review): as written, PSK and CCKM together are rejected only
          // when psk is empty, which is narrower than the error-message says -
          // confirm whether the string-length(../psk) term is intended here.
          must "(../apf-vap-id-data/wlan-status = 'false') or (../auth-key-mgmt-psk = 'false') or (../auth-key-mgmt-psk = 'true') and ((string-length(../psk) > 0) or (../auth-key-mgmt-cckm = 'false'))" {
            error-message "CCKM and PSK must not be active at the same time";
            error-app-tag "must-violation";
          }
          default "false";
          description "Authentication key management PSK";
        }
        leaf psk-key-type {
          type wireless-enum-types:apf-vap-key-type;
          default "key-ascii";
          description "Authentication pre-shared key type
ascii/hex";
        }
        // Cipher defaults: WPA2 with CCMP128 (wpa2-aes) is on; the GCMP128,
        // GCMP256 and CCMP256 suites below are off unless configured.
        leaf wpa2-enabled {
          type boolean;
          default "true";
          description "Configures WPA2 support";
        }
        leaf wpa2-aes {
          type boolean;
          default "true";
          description "WPA2/CCMP128 support";
        }
        leaf rsn-cipher-suite-gcmp128 {
          type boolean;
          default "false";
          description "WPA2/GCMP128 support";
        }
        leaf rsn-cipher-suite-gcmp256 {
          type boolean;
          default "false";
          description "WPA2/GCMP256 support";
        }
        leaf rsn-cipher-suite-ccmp256 {
          type boolean;
          default "false";
          description "WPA2/CCMP256 support";
        }
        // AKM defaults: 802.1X is the only key-management type enabled by
        // default; every other AKM leaf in this group defaults to 'false'.
        leaf auth-key-mgmt-dot1x {
          type boolean;
          default "true";
          description "Authentication key management type 802.1x";
        }
        leaf auth-key-mgmt-cckm {
          type boolean;
          default "false";
          description "Authentication key management type CCKM";
        }
        leaf auth-key-mgmt-ft-dot1x {
          type boolean;
          default "false";
          description "Authentication key management type 802.11r dot1x";
        }
        leaf auth-key-mgmt-ft-psk {
          type boolean;
          default "false";
          description "Authentication key management type 802.11r PSK";
        }
        leaf auth-key-mgmt-dot1x-sha256 {
          type boolean;
          default "false";
          description "Authentication key management type 802.1x SHA256";
        }
        leaf auth-key-mgmt-psk-sha256 {
          type boolean;
          default "false";
          description "Authentication key management type PSK SHA256";
        }
        // Pre-shared key value. The description states length rules per key
        // format, but the type is a plain string with no length or pattern
        // restriction, so this leaf by itself does not enforce them.
        // NOTE(review): confirm where the length rules are enforced, and that
        // read access to this secret is restricted (for example by NACM rules).
        leaf psk {
          type string;
          default "";
          description "Authentication pre-shared key.
For hexadecimal key format, PSK length must be exactly 64 characters and for ASCII key format, PSK length must be in the range of 8 and 63";
        }
        // Encryption type of the stored pre-shared key; defaults to 'clear'.
        // NOTE(review): presumably 'clear' means the PSK is held unencrypted in
        // the configuration - confirm against the crypt-type definition.
        leaf psk-type {
          type wireless-enum-types:crypt-type;
          default "clear";
          description "Pre-shared key encryption type";
        }
        // The two MAC-filtering leaves are free-form strings; an empty value is
        // the default.
        leaf mac-filtering-list {
          type string;
          default "";
          description "Set MAC filtering support on WLAN";
        }
        leaf mac-override-authorization-list {
          type string;
          default "";
          description "Set override MAC filtering support on WLAN";
        }
        // Pre-authentication ACL names. Each leaf rejects the two names
        // 'preauth_v4' and 'preauth_v6'; any other string is accepted. The type
        // is a plain string, not a reference, so this leaf does not check that
        // the named ACL exists.
        leaf webauth-ipv4-preauth-acl {
          type string;
          must "../webauth-ipv4-preauth-acl != 'preauth_v4'" {
            error-message "Default ACL preauth_v4 is not allowed";
            error-app-tag "must-violation";
          }
          must "../webauth-ipv4-preauth-acl != 'preauth_v6'" {
            error-message "Default ACL preauth_v6 is not allowed";
            error-app-tag "must-violation";
          }
          default "";
          description "Name of IPv4 pre authentication ACL for the WLAN";
        }
        leaf webauth-ipv6-preauth-acl {
          type string;
          must "../webauth-ipv6-preauth-acl != 'preauth_v6'" {
            error-message "Default ACL preauth_v6 is not allowed";
            error-app-tag "must-violation";
          }
          must "../webauth-ipv6-preauth-acl != 'preauth_v4'" {
            error-message "Default ACL preauth_v4 is not allowed";
            error-app-tag "must-violation";
          }
          default "";
          description "Name of IPv6 pre authentication ACL for the WLAN";
        }
        // Marked 'status obsolete' further down in this leaf. The must limits
        // the enum to the five listed radio policies.
        leaf radio-policy {
          type wireless-enum-types:apf-vap-radio-policies;
          must "(../radio-policy = 'apf-vap-radio-all' or ../radio-policy = 'apf-vap-radio-80211a-only' or ../radio-policy = 'apf-vap-radio-80211ag-only' or ../radio-policy = 'apf-vap-radio-80211bg-only' or ../radio-policy = 'apf-vap-radio-80211g-only')" {
            error-message "Radio policy must be one of the following: 1. apf-vap-radio-all 2. apf-vap-radio-80211a-only 3. apf-vap-radio-80211ag-only 4. apf-vap-radio-80211bg-only 5.
apf-vap-radio-80211g-only"; error-app-tag "must-violation"; } default "apf-vap-radio-all"; status obsolete; description "Configures the Radio Policy"; } leaf qos-wmm-status { type wireless-enum-types:apf-vap-wme-policies; default "apf-vap-wme-allowed"; description "Configures WMM (WME)"; } leaf wifi-direct-client { type wireless-enum-types:apf-vap-wifi-direct-policies; must "../wifi-direct-client != 'apf-vap-wifidirect-invalid'" { error-message "Invalid WiFi direct policy value not permitted"; error-app-tag "must-violation"; } default "apf-vap-wifidirect-disable"; description "Configure WiFi Direct related policy on WLAN"; } leaf ft-over-ds { type boolean; default "false"; description "Configures Fast Transition over the DS"; } leaf ft-reassoc-timeout { type uint32 { range "1 .. 100"; } default "20"; description "Enter the Reassociation timeout in seconds"; } leaf ft-mode { type wireless-enum-types:ft-dot11r-mode; default "dot11r-adaptive-enabled"; description "Configures Fast Transition Adaptive support"; } leaf pmf-options { type wireless-enum-types:apf-vap-pmf-policies; default "apf-vap-pmf-disabled"; description "Configures PMF as optional/required"; } leaf pmf-assoc-comeback-timeout { type uint32 { range "1 .. 20"; } default "1"; description "Enter the Association Comeback Time in seconds"; } leaf pmf-sa-query-retry-timeout { type uint32 { range "100 .. 
500"; } default "200"; description "Configures SA Query Retry TimeOut"; } leaf local-eap-profile-name { type string; default ""; description "Configure the EAP profile on a WLAN"; } leaf local-eap-enable { type boolean; default "false"; description "EAP Profile on a WLAN is set or not"; } leaf band-steering-allowed { type boolean; default "false"; description "Allow/Disallow Band Select on a WLAN"; } leaf load-balance { type boolean; default "false"; description "Allow/Disallow Load Balance on a WLAN"; } leaf universal-ap-admin { type boolean; default "false"; description "Allows universal admin mode to be enabled on a 802.1X/WPA/WPA2 secured WLAN."; } leaf mu-mimo { type boolean; default "true"; description "Configures 802.11ac MU-MIMO on a WLAN"; } leaf multicast-mc-direct { type boolean; default "false"; description "Configures multicast direct for WLAN"; } leaf defer-time { type uint16 { range "0 .. 60000"; } default "100"; description "Configures scan defer time"; } leaf defer-priority0 { type boolean; default "false"; description "Configures priority markings for packets - Enable priority 0"; } leaf defer-priority1 { type boolean; default "false"; description "Configures priority markings for packets - Enable priority 1"; } leaf defer-priority2 { type boolean; default "false"; description "Configures priority markings for packets - Enable priority 2"; } leaf defer-priority3 { type boolean; default "false"; description "Configures priority markings for packets - Enable priority 3"; } leaf defer-priority4 { type boolean; default "false"; description "Configures priority markings for packets - Enable priority 4"; } leaf defer-priority5 { type boolean; default "true"; description "Configures priority markings for packets - Enable priority 5"; } leaf defer-priority6 { type boolean; default "true"; description "Configures priority markings for packets - Enable priority 6"; } leaf defer-priority7 { type boolean; default "false"; description "Configures priority 
markings for packets - Enable priority 7";
        }
        // Method-list names are free-form strings with an empty default; this
        // leaf does not check that the named list exists.
        leaf authentication-list {
          type string;
          default "";
          description "Enter the Authentication list name";
        }
        leaf authorization-list {
          type string;
          default "";
          description "Enter the Authorization list name";
        }
        // Client-count limits. max-clients-allowed has no range restriction.
        // NOTE(review): a value of 0 presumably means "no limit" for the two
        // leaves that default to 0 - confirm against the device documentation.
        leaf max-clients-allowed {
          type uint32;
          default "0";
          description "Configure maximum client connections per WLAN";
        }
        leaf max-clients-per-ap-per-wlan {
          type uint32 {
            range "0 .. 400";
          }
          default "0";
          description "Configure maximum client connections per AP per WLAN";
        }
        leaf max-clients-per-radio-per-wlan {
          type uint32 {
            range "0 .. 200";
          }
          default "200";
          description "Configure maximum client connections per AP Radio per WLAN";
        }
        leaf static-ip-tunneling {
          type boolean;
          default "false";
          description "Configures static IP client tunnelling support on a WLAN.";
        }
        // Web authentication as the fallback when MAC filtering fails. It is
        // mutually exclusive with every 802.1X AKM (dot1x, dot1x-sha256,
        // ft-dot1x) and with CCKM. auth-key-mgmt-dot1x defaults to 'true' in
        // this list, so that leaf has to be turned off before this one can be
        // set to 'true'. Neither constraint is gated on wlan-status.
        leaf webauth-on-mac-auth-failure {
          type boolean;
          must "( ( (../auth-key-mgmt-dot1x = 'false') and (../auth-key-mgmt-dot1x-sha256 = 'false') and (../auth-key-mgmt-ft-dot1x = 'false') ) or (../webauth-on-mac-auth-failure = 'false') )" {
            error-message "Webauth on-macfilter-failure and DOT1X cannot be active at the same time";
            error-app-tag "must-violation";
          }
          must "( (../webauth-on-mac-auth-failure = 'false') or (../auth-key-mgmt-cckm = 'false') )" {
            error-message "Webauth on-macfilter-failure and CCKM AKM cannot be active at the same time";
            error-app-tag "must-violation";
          }
          default "false";
          description "Enables Web authentication on MAC filter failure.";
        }
        leaf web-authc-list {
          type string;
          default "";
          description "Enter the Authentication list name";
        }
        leaf web-authz-list {
          type string;
          default "";
          description "Enter the Authorization list name";
        }
        leaf web-auth-parameter-map {
          type string;
          default "";
          description "Enter the parameter-map name";
        }
        // Off by default. The description calls this "MAC verification".
        // NOTE(review): the leaf name suggests IP source guard; confirm which
        // check the device actually applies.
        leaf ip-source-guard-enabled {
          type boolean;
          default "false";
          description "Configures MAC verification";
        }
        leaf uapsd-compliant {
          type boolean;
          default "false";
          description "Configure WMM UAPSD Compliant Client support for
Wlan";
        }
        leaf re-anchor-roam-clients {
          type boolean;
          default "false";
          description "Configure Re-Anchor Policy for Roaming Voice Clients";
        }
        leaf wlan-11k-assisted-roaming {
          type boolean;
          default "false";
          description "Indicates whether 11k Assisted Roaming Prediction Optimization is enabled on the controller for this WLAN.";
        }
        leaf wlan-11k-dual-band-neigh-list {
          type boolean;
          default "false";
          description "Indicates whether 11k Neighbor List Dual Band is enabled on the controller for this WLAN.";
        }
        leaf wlan-11k-neigh-list {
          type boolean;
          default "true";
          description "Indicates whether 11k Neighbor List is enabled on the controller for this WLAN.";
        }
        // No default: the value is only present when configured.
        leaf multicast-buffer-value {
          type uint8 {
            range "30 .. 60";
          }
          description "Configure Multicast Buffer Tuning for 802.11a radio for the WLAN";
        }
        leaf multicast-buffer-enable {
          type boolean;
          default "false";
          description "Configure Multicast Buffer Tuning mode for 802.11a radio for the WLAN";
        }
        // Per-WLAN (VAP) settings; holds the wlan-status leaf that the security
        // constraints elsewhere in this list test.
        container apf-vap-id-data {
          description "WLAN configuration for VAP";
          // The SSID is advertised by default.
          leaf broadcast-ssid {
            type boolean;
            default "true";
            description "broadcast SSID on a WLAN";
          }
          leaf ccx-aironet-ie {
            type boolean;
            default "false";
            description "This object indicates the support for the Cisco Compatible Extensions Aironet information element on this WLAN.";
          }
          // Typed as a peer-to-peer blocking action enum with default
          // 'p2p-blocking-action-none'.
          // NOTE(review): the description talks about an ACL name and stops
          // mid-sentence; it does not match the type and looks copied from
          // another leaf - confirm the intended text.
          leaf p2p-block-action {
            type wireless-enum-types:apf-vap-p2p-blocking-action;
            default "p2p-blocking-action-none";
            description "Represents the name of the ACL applied to this WLAN. If it is required to remove the ACL";
          }
          // NOTE(review): the description says the SSID is restricted to
          // non-control characters, but the type is a plain string with no
          // pattern or length, so this leaf does not enforce that - confirm
          // where the restriction is applied.
          leaf ssid {
            type string;
            default "";
            description "Represents the SSID assigned to this WLAN. The access points will broadcast this SSID on this WLAN. SSID is restricted to non control characters.";
          }
          leaf dot11a-dtim {
            type uint8 {
              range "1 .. 255";
            }
            default "1";
            description "Represents DTIM configuration per WLAN for each 802.11 network.";
          }
          leaf dot11b-dtim {
            type uint8 {
              range "1 ..
255";
            }
            default "1";
            description "Represents DTIM configuration per WLAN for each 802.11 network.";
          }
          leaf chd {
            type boolean;
            default "true";
            description "Indicates whether Coverage Hole Detection (CHD) is enabled on the controller. A value of 'true' indicates CHD is on and a value of 'false' indicates CHD is turned off for this WLAN.";
          }
          // Administrative state of the WLAN. Every must on this leaf starts
          // with (../wlan-status = 'false'), so these cross-leaf security
          // checks are skipped while the WLAN is disabled and apply once it is
          // enabled. The ../../ paths refer to leaves of the enclosing
          // wlan-cfg-entry.
          leaf wlan-status {
            type boolean;
            // With the WLAN enabled, Fast Transition must be 'dot11r-disabled'
            // if any of GCMP128, GCMP256 or CCMP256 is enabled.
            must "(../wlan-status = 'false') or (../../ft-mode = 'dot11r-disabled') or ((../../rsn-cipher-suite-gcmp128 = 'false') and (../../rsn-cipher-suite-gcmp256 = 'false') and (../../rsn-cipher-suite-ccmp256 = 'false'))" {
              error-message "Disable security FT/FT-adaptive when configuring SUITE-B cipher(GCMP256/CCMP256/GCMP128).";
              error-app-tag "must-violation";
            }
            // With the WLAN enabled and WPA3 on, one of these must hold:
            //  - GCMP128 or GCMP256 is enabled;
            //  - WPA2 and CCMP256 are both enabled;
            //  - an 802.1X AKM (dot1x, dot1x-sha256, ft-dot1x) plus wpa2-aes;
            //  - SAE or OWE plus wpa2-aes, with FT 'dot11r-disabled', or with
            //    WPA2 enabled and FT 'dot11r-enabled'.
            // 'dot11r-adaptive-enabled' is not accepted by the SAE/OWE branch.
            must "(../wlan-status = 'false') or (../../wpa3-enabled = 'false') or (../../rsn-cipher-suite-gcmp128 = 'true') or (../../rsn-cipher-suite-gcmp256 = 'true') or ((../../wpa2-enabled = 'true') and (../../rsn-cipher-suite-ccmp256 = 'true')) or (((../../auth-key-mgmt-dot1x = 'true') or (../../auth-key-mgmt-dot1x-sha256 = 'true') or (../../auth-key-mgmt-ft-dot1x = 'true')) and (../../wpa2-aes = 'true')) or (((../../auth-key-mgmt-sae = 'true') or (../../akm-owe = 'true')) and (../../wpa2-aes = 'true') and ((../../ft-mode = 'dot11r-disabled') or ((../../wpa2-enabled = 'true') and (../../ft-mode = 'dot11r-enabled'))))" {
              error-message "WPA3 security valid combinations: 1. GCMP cipher, 2. Dot1x AKM and AES cipher, 3.
SAE/OWE AKM, AES cipher and FT is disabled (WPA3 only) or FT is enabled/disabled (WPA2+WPA3)";
              error-app-tag "must-violation";
            }
            // The remaining constraints on wlan-status follow the same shape:
            // each is skipped while wlan-status is 'false'.
            //
            // SAE or OWE key management requires wpa3-enabled.
            must "(../wlan-status = 'false') or (../../wpa3-enabled = 'true') or ((../../auth-key-mgmt-sae = 'false') and (../../akm-owe = 'false'))" {
              error-message "WPA3 must be enabled if SAE/OWE AKM is configured";
              error-app-tag "must-violation";
            }
            // With WPA3 on, PMF must be 'apf-vap-pmf-required'; the
            // 'apf-vap-pmf-optional' value is accepted only when WPA2 is also
            // enabled. 'apf-vap-pmf-disabled' (the pmf-options default) is
            // therefore rejected for an enabled WPA3 WLAN.
            must "(../wlan-status = 'false') or (../../wpa3-enabled = 'false') or (../../pmf-options = 'apf-vap-pmf-required') or ((../../wpa2-enabled = 'true') and (../../pmf-options = 'apf-vap-pmf-optional'))" {
              error-message "Valid pmf-options values are: 1. apf-vap-pmf-required in WPA3 WLAN, 2. either apf-vap-pmf-optional or apf-vap-pmf-required in WPA2+WPA3 WLAN";
              error-app-tag "must-violation";
            }
            // A WPA3-only WLAN (WPA3 on, WPA2 off) may not use any of the PSK
            // AKMs: psk, psk-sha256 or ft-psk.
            must "(../wlan-status = 'false') or (../../wpa3-enabled = 'false') or (../../wpa2-enabled = 'true') or ((../../auth-key-mgmt-psk = 'false') and (../../auth-key-mgmt-psk-sha256 = 'false') and (../../auth-key-mgmt-ft-psk = 'false'))" {
              error-message "AKM auth-key-mgmt-psk, auth-key-mgmt-psk-sha256 and auth-key-mgmt-ft-psk must be set to false in WPA3 only WLAN";
              error-app-tag "must-violation";
            }
            // A WLAN is disabled until explicitly enabled.
            default "false";
            description "Administrative Status of ESS(WLAN). By disabling an ESS the corresponding SSID is no longer broadcasted in AP beacons.";
          }
        } // container apf-vap-id-data
        leaf cckm-tsf-tolerance {
          type uint16 {
            range "1000 ..
5000"; } default "1000"; description "CCKM timestamp tolerance"; } container apf-vap-802-11v-data { description "802.11v configuration for VAP"; leaf dot11v-dms { type boolean; default "true"; description "Configure DMS processing per WLAN"; } leaf dot11v-bss-max-idle { type boolean; default "true"; description "Configure BSS max idle processing per WLAN"; } leaf dot11v-bss-max-idle-protected { type boolean; default "false"; description "Configure protected mode for BSS max idle processing per WLAN"; } leaf dot11v-tfs { type boolean; default "false"; description "Configure tfs processing per WLAN"; } leaf dot11v-bss-transition { type boolean; default "true"; description "Configure BSS transition per WLAN"; } leaf dot11v-wnm-sleep-mode { type boolean; default "false"; description "Configure wnm sleep mode per WLAN"; } leaf dot11v-disassoc-imminent { type boolean; default "false"; description "Configure BSS transition disassociation Imminent per WLAN"; } leaf dot11v-disassoc-timer { type uint16 { range "0 .. 3000"; } default "200"; description "Configure BSS transition disassociation imminent timer per WLAN"; } leaf dot11v-disassoc-timer-opt-roam { type uint16 { range "0 .. 
40"; } default "40"; description "Configure BSS transition disassociation imminent optimized-roaming timer per WLAN"; } leaf dot11v-dual-list { type boolean; default "false"; description "This leaf determines whether the dual band neighbor list is enabled in 802.11v BSS transition for the WLAN."; } } // container apf-vap-802-11v-data container vap-dot11ax-cfg { description "802.11ax configuration for VAP"; leaf he-ofdma-downlink { type boolean; default "true"; description "802.11ax OFDMA downlink configuration"; } leaf he-ofdma-uplink { type boolean; default "true"; description "802.11ax OFDMA uplink configuration"; } leaf he-mumimo-downlink { type boolean; default "true"; description "802.11ax MU-MIMO downlink configuration"; } leaf he-mumimo-uplink { type boolean; default "true"; description "802.11ax MU-MIMO uplink configuration"; } leaf he-bss-color-enable { type boolean; default "true"; description "802.11ax BSS color configuration"; } leaf he-bss-partial-color-enable { type boolean; default "true"; description "802.11ax partial BSS color configuration"; } leaf he-bss-color { type uint8 { range "0 .. 255"; } default "0"; description "802.11ax BSS color value configuration"; } leaf he-twt-enable { type boolean; default "true"; description "802.11ax target wake-up time. True - Target Wake-up Time is Enabled. False - Target Wake-up Time is Disabled."; } leaf he-twt-broadcast-support { type boolean; default "true"; description "802.11ax target wake-up time broadcast support. True - Target Wake-up Time broadcast support is Enabled. 
False - Target Wake-up Time broadcast support is Disabled.";
          }
          leaf he-dot11-ax {
            type boolean;
            default "true";
            description "Enable/Disable 802.11ax IE";
          }
        } // container vap-dot11ax-cfg
        // Multi-PSK. Enabling it requires auth-key-mgmt-psk (checked only while
        // the WLAN is enabled) and is never allowed together with WPA3 (that
        // second constraint is not gated on wlan-status).
        leaf mpsk-enable {
          type boolean;
          must "(../apf-vap-id-data/wlan-status = 'false') or (../mpsk-enable = 'false') or (../mpsk-enable = 'true' and ../auth-key-mgmt-psk = 'true')" {
            error-message "AKM PSK needs to be enabled to enable MPSK";
            error-app-tag "must-violation";
          }
          must "(../mpsk-enable = 'false') or (../mpsk-enable = 'true' and ../wpa3-enabled = 'false')" {
            error-message "WPA3 and MPSK cannot be enabled simultaneously";
            error-app-tag "must-violation";
          }
          default "false";
          description "MPSK enabled";
        }
        // Up to five MPSK entries, keyed by priority 0..4.
        container mpsk-keys {
          description "MPSK keys";
          list mpsk-key {
            key "priority";
            description "MPSK keys";
            leaf priority {
              type uint8 {
                range "0 .. 4";
              }
              description "MPSK priority";
            }
            // Key value as an unconstrained string with an empty default.
            // NOTE(review): this is secret material; confirm read access to it
            // is restricted (for example by NACM rules).
            leaf mpsk-key {
              type string;
              default "";
              description "MPSK key";
            }
            // Encryption type of the stored key; defaults to 'clear'.
            leaf mpsk-key-type {
              type wireless-enum-types:crypt-type;
              default "clear";
              description "MPSK key Type";
            }
            // Length check tied to the format: 'key-hex' needs exactly 64
            // characters, 'key-ascii' needs fewer than 64. The leaf has no
            // default, so the check applies only when the format is set.
            // NOTE(review): only the length is tested. There is no lower bound
            // for ASCII keys (an empty mpsk-key passes), whereas the psk leaf's
            // description gives 8..63, and hex keys are not checked for
            // hexadecimal characters - confirm whether that is enforced
            // elsewhere.
            leaf mpsk-key-format {
              type wireless-enum-types:apf-vap-key-type;
              must "(../mpsk-key-format = 'key-hex' and string-length(../mpsk-key) = 64) or (../mpsk-key-format = 'key-ascii' and string-length(../mpsk-key) < 64)" {
                error-message "Hex keys need to be 64 characters.
ASCII keys need to be less than 64 characters";
                error-app-tag "must-violation";
              }
              description "MPSK key format";
            }
          } // list mpsk-key
        } // container mpsk-keys
        leaf mdns-sd-mode {
          type wireless-enum-types:enm-wlan-mdns-sd-cfg;
          default "mdns-sd-bridging";
          description "MDNS operational mode on WLAN";
        }
        // MBO needs PMF set to required or optional, but only when both
        // security-wpa and wpa2-enabled are 'true'; with either of them off the
        // constraint does not apply.
        leaf mbo {
          type boolean;
          must "(../mbo = 'false') or (../security-wpa = 'false') or (../wpa2-enabled = 'false') or (../pmf-options = 'apf-vap-pmf-required') or (../pmf-options = 'apf-vap-pmf-optional')" {
            error-message "PMF must be set to mandatory or optional for MBO on a WPA2 enabled wlan";
            error-app-tag "must-violation";
          }
          default "false";
          description "MBO support";
        }
        // Per the description this is a mitigation for "hole-196"; it is off by
        // default and cannot be combined with WPA3.
        leaf gtk-randomize {
          type boolean;
          must "(../gtk-randomize = 'false') or (../gtk-randomize = 'true' and ../wpa3-enabled = 'false')" {
            error-message "WPA3 and randomized GTK cannot be enabled simultaneously";
            error-app-tag "must-violation";
          }
          default "false";
          description "Randomized GTK enabled for hole-196 mitigation";
        }
        // OSEN. None of the constraints on this leaf is gated on wlan-status,
        // so they apply even while the WLAN is disabled.
        leaf osen {
          type boolean;
          // With OSEN on, WPA1, CCKM, WEP and shared-key 802.11 authentication
          // must all be off. Despite "all" in the error-message, any single one
          // of them being active fails this check.
          must "( ( (../wpa1-enabled = 'false') and (../auth-key-mgmt-cckm = 'false') and (../wep-enabled = 'false') and (../dot11-auth-type != 'apf-vap-80211-auth-shared-key') ) or (../osen = 'false') )" {
            error-message "WEP/WPA1/CCKM and OSEN cannot be all active at the same time";
            error-app-tag "must-violation";
          }
          must "( (../wpa1-aes = 'false') or (../osen = 'false') )" {
            error-message "WPA1 cipher suite AES and OSEN cannot be active at the same time";
            error-app-tag "must-violation";
          }
          must "( (../wpa3-enabled = 'false') or (../osen = 'false') )" {
            error-message "WPA3 and OSEN cannot be active at the same time";
            error-app-tag "must-violation";
          }
          // Only 'dot11r-disabled' is accepted; ft-mode defaults to
          // 'dot11r-adaptive-enabled', so FT has to be turned off explicitly.
          must "( (../ft-mode = 'dot11r-disabled') or (../osen = 'false') )" {
            error-message "FT and OSEN cannot be active at the same time";
            error-app-tag "must-violation";
          }
          // OSEN requires the plain 802.1X AKM.
          must "( (../auth-key-mgmt-dot1x = 'true') or (../osen = 'false') )" {
            error-message "DOT1X AKM needs to be defined for OSEN";
            error-app-tag "must-violation";
          }
// Last must of leaf osen: OSEN and the dot1x-sha256 AKM are mutually exclusive.
must "( (../auth-key-mgmt-dot1x-sha256 = 'false') or (../osen = 'false') )" {
        error-message "DOT1X SHA256 AKM and OSEN cannot be active at the same time";
        error-app-tag "must-violation";
      }
      default "false";
      description "Configures OSEN support";
    }

    // WPA3 switch. The must rejects 'true' unless wep-enabled, wpa1-enabled
    // and auth-key-mgmt-cckm are all 'false', so a WPA3 WLAN cannot also
    // offer WEP, WPA1 or CCKM.
    leaf wpa3-enabled {
      type boolean;
      must "(../wpa3-enabled = 'false') or ((../wpa3-enabled = 'true') and (../wep-enabled = 'false') and (../wpa1-enabled= 'false') and (../auth-key-mgmt-cckm = 'false'))" {
        error-message "WEP/WPA1/CCKM and WPA3 should not be enabled simultaneously";
        error-app-tag "must-violation";
      }
      default "false";
      description "Configures WPA3 support";
    }

    // SAE key management. The first must requires a non-empty psk leaf; it
    // checks presence only, not length or strength. The second must excludes
    // WEP, both WPA1 ciphers, the three 802.1X AKMs and CCKM.
    // NOTE(review): auth-key-mgmt-psk is not in the exclusion list, so PSK
    // and SAE can be set together (presumably WPA3 transition mode -
    // confirm); such a WLAN still accepts the weaker PSK handshake.
    leaf auth-key-mgmt-sae {
      type boolean;
      must "(../auth-key-mgmt-sae = 'false') or ((../auth-key-mgmt-sae = 'true') and (string-length(../psk) > 0))" {
        error-message "PSK passphrase must be configured when SAE is configured";
        error-app-tag "must-violation";
      }
      must "(../auth-key-mgmt-sae = 'false') or ((../auth-key-mgmt-sae = 'true') and (../wep-enabled = 'false') and (../wpa1-tkip = 'false') and (../wpa1-aes = 'false') and (../auth-key-mgmt-dot1x = 'false') and (../auth-key-mgmt-dot1x-sha256 = 'false') and (../auth-key-mgmt-ft-dot1x = 'false') and (../auth-key-mgmt-cckm = 'false'))" {
        error-message "WEP/TKIP/WPA1-AES/802.1x/CCKM and SAE cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      default "false";
      description "Authentication key management type SAE";
    }

    // Range 0 .. 3000, default 1500.
    // NOTE(review): the unit is not stated; presumably the number of
    // concurrent open SAE exchanges above which anti-clogging tokens are
    // demanded, which bounds the work a flood of SAE commit frames can
    // cause - confirm, including what 0 means.
    leaf sae-anti-clog-threshold {
      type uint16 {
        range "0 .. 3000";
      }
      default "1500";
      description "SAE anti-clogging threshold";
    }

    // Range 1 .. 10000, default 400; the leaf name gives the unit as
    // milliseconds.
    leaf sae-retx-timeout-msec {
      type uint16 {
        range "1 .. 10000";
      }
      default "400";
      description "SAE retransmission timeout";
    }

    // Upper bound on SAE retransmissions; the range and default follow on the
    // next line of the file.
    leaf sae-max-retries {
      type uint8 {
        range "1 ..
10";
      }
      default "5";
      description "SAE max number of retransmissions";
    }

    // OWE key management. OWE encrypts the link without authenticating
    // either side, so it does not by itself protect against a rogue access
    // point. The must statements reject 'true' unless all of these are
    // 'false': auth-key-mgmt-sae, wep-enabled, both WPA1 ciphers, the three
    // PSK AKMs, the three 802.1X AKMs, auth-key-mgmt-cckm and wpa2-enabled.
    leaf akm-owe {
      type boolean;
      must "(../akm-owe = 'false') or (../akm-owe = 'true' and ../auth-key-mgmt-sae = 'false')" {
        error-message "SAE and OWE cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      must "(../akm-owe = 'false') or ((../akm-owe = 'true') and (../wep-enabled = 'false') and (../wpa1-tkip = 'false') and (../wpa1-aes = 'false') and (../auth-key-mgmt-psk = 'false') and (../auth-key-mgmt-psk-sha256 = 'false') and (../auth-key-mgmt-ft-psk = 'false') and (../auth-key-mgmt-dot1x = 'false') and (../auth-key-mgmt-dot1x-sha256 = 'false') and (../auth-key-mgmt-ft-dot1x = 'false') and (../auth-key-mgmt-cckm = 'false'))" {
        error-message "WEP/TKIP/WPA1-AES/PSK/802.1x/CCKM and OWE cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      must "(../akm-owe = 'false') or ((../akm-owe = 'true') and (../wpa2-enabled = 'false'))" {
        error-message "WPA2 and OWE cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      default "false";
      description "OWE support";
    }

    // WLAN ID of the partner WLAN for OWE transition mode; the default 0 is
    // the value the second must of this leaf treats as "not set". The must
    // statements follow on the next line of the file.
    leaf transition-mode-wlan-id {
      type uint16 {
        range "0 ..
4096";
      }
      must "(../transition-mode-wlan-id != ../wlan-id)" {
        error-message "Transition mode WLAN ID must be different from WLAN ID";
        error-app-tag "must-violation";
      }
      must "(../transition-mode-wlan-id = 0) or ((../wep-enabled = 'false') and (../auth-key-mgmt-psk = 'false') and (../auth-key-mgmt-dot1x = 'false') and (../auth-key-mgmt-cckm = 'false') and (../auth-key-mgmt-ft-dot1x = 'false') and (../auth-key-mgmt-ft-psk = 'false') and (../auth-key-mgmt-dot1x-sha256 = 'false') and (../auth-key-mgmt-psk-sha256 = 'false') and (../rsn-cipher-suite-gcmp128 = 'false') and (../rsn-cipher-suite-gcmp256 = 'false') and (../rsn-cipher-suite-ccmp256 = 'false') and (../auth-key-mgmt-sae = 'false'))" {
        error-message "Transition mode WLAN ID cannot be set in non OWE/Open WLAN";
        error-app-tag "must-violation";
      }
      default "0";
      description "OWE transition mode WLAN ID";
    }

    // Device analytics switches. da-export (sharing Cisco device data with
    // the client) defaults to 'false'; da-support and da-pc-support default
    // to 'true'.
    container device-analytics {
      description "Device Analytics support";
      leaf da-export {
        type boolean;
        default "false";
        description "Enable or disable sharing Cisco device data with client";
      }
      leaf da-support {
        type boolean;
        default "true";
        description "Enable or disable device analytics support";
      }
      leaf da-pc-support {
        type boolean;
        default "true";
        description "Enable or disable PC analytics support";
      }
    } // container device-analytics

    // Opportunistic key caching, on by default.
    leaf okc {
      type boolean;
      default "true";
      description "Enable/disable opportunistic key caching";
    }

    // When to send an 802.11k beacon measurement request to a client; both
    // triggers default to 'false'.
    container dot11k-rm-beacon-meas-req {
      description "802.11k Radio Measurement for Beacon Request (Client Scan Report) info";
      leaf on-assoc {
        type boolean;
        default "false";
        description "Send Beacon Measurement Request (Client Scan Report) on client association";
      }
      leaf on-roam {
        type boolean;
        default "false";
        description "Send Beacon Measurement Request (Client Scan Report) on client roam";
      }
    } // container dot11k-rm-beacon-meas-req

    // The must allows 'true' only when the mbo leaf is 'true'.
    leaf wifi-to-cellular {
      type boolean;
      must "(../wifi-to-cellular = 'false') or (../mbo = 'true')" {
        error-message
          "MBO must be enabled for WIFI to Cellular
           steering";
        error-app-tag "must-violation";
      }
      default "false";
      description "Enable/disable WIFI to Cellular steering on a WLAN";
    }

    // NOTE(review): the description reads "Enable/disable RSN IE
    // Validation", while the leaf name suggests that 'true' relaxes a check
    // on the RSN IE length. Confirm the polarity before moving this away
    // from the default 'false'.
    leaf ignore-rsn-ie-len {
      type boolean;
      default "false";
      description "Enable/disable RSN IE Validation";
    }

    container sched-cfg {
      description "Radio scheduler configuration for a WLAN";
      leaf asr-enable {
        type boolean;
        default "true";
        description "Enable/Disable Advanced Scheduling Requests Handling on a WLAN";
      }
    } // container sched-cfg

    // Easy-PSK switch. The must statements allow 'true' only when
    // auth-key-mgmt-cckm, wpa3-enabled and mpsk-enable are 'false' and the
    // psk leaf is empty. While apf-vap-id-data/wlan-status is not 'false'
    // they also require a non-empty mac-filtering-list and
    // auth-key-mgmt-psk = 'true'; on a WLAN whose wlan-status is 'false'
    // those two checks are not enforced.
    leaf easy-psk {
      type boolean;
      must "(../easy-psk = 'false') or (../easy-psk = 'true' and ../auth-key-mgmt-cckm = 'false')" {
        error-message "Easy-PSK is not allowed with AKM CCKM";
        error-app-tag "must-violation";
      }
      must "(../easy-psk = 'false') or (../easy-psk = 'true' and ../wpa3-enabled = 'false')" {
        error-message "WPA3 and Easy-PSK cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      must "(../easy-psk = 'false') or (../easy-psk = 'true' and ../mpsk-enable = 'false')" {
        error-message "mPSK and Easy-PSK cannot be enabled simultaneously";
        error-app-tag "must-violation";
      }
      must "(../easy-psk = 'false') or (../easy-psk = 'true' and string-length(../psk) = 0)" {
        error-message "Easy-PSK and PSK key cannot be set simultaneously";
        error-app-tag "must-violation";
      }
      must "(../apf-vap-id-data/wlan-status = 'false') or (../easy-psk = 'false') or (../easy-psk = 'true' and string-length(../mac-filtering-list) > 0)" {
        error-message "MAC filtering is required with Easy-PSK";
        error-app-tag "must-violation";
      }
      must "(../apf-vap-id-data/wlan-status = 'false') or (../easy-psk = 'false') or (../easy-psk = 'true' and ../auth-key-mgmt-psk = 'true')" {
        error-message "AKM PSK needs to be configured to enable Easy-PSK";
        error-app-tag "must-violation";
      }
      default "false";
      description "Easy-PSK enabled";
    }

    // Handling of clients that present a locally administered (random) MAC
    // address; the denial is off by default.
    container laa-params {
      description "Locally Administered Address configuration for a WLAN";
      leaf laa-client-denial {
        type boolean;
        default "false";
        description "Deny client joining with Locally Administered
Address(random MAC address)"; } } // container laa-params container wlan-radio-policies { description "WLAN radio policy"; list wlan-radio-policy { key "band"; description "WLAN radio policy"; leaf band { type wireless-types:enm-ewlc-dot11-radio-band; must "(../band != 'dot11-6-ghz-band')" { error-message "6GHz is not allowed"; error-app-tag "must-violation"; } description "Broadcast WLAN on band"; } leaf slot0 { when "../band = 'dot11-5-ghz-band'"; type boolean; default "false"; description "Broadcast WLAN on slot-0"; } leaf slot1 { when "../band = 'dot11-5-ghz-band'"; type boolean; default "false"; description "Broadcast WLAN on slot-1"; } leaf slot2 { when "../band = 'dot11-5-ghz-band'"; type boolean; default "false"; description "Broadcast WLAN on slot-2"; } } // list wlan-radio-policy } // container wlan-radio-policies leaf client-steering { type boolean; default "false"; description "Enable/disable 6Ghz client steering on a WLAN"; } container vap-dot11bg-cfg { description "WLAN broadcast on specific protocol on 2.4ghz band"; leaf bg-policy { type wireless-types:enm-apfvap-dot11bg-policy; default "dot11-bg-only"; description "Broadcast WLAN on 11g or 11bg"; } } // container vap-dot11bg-cfg } // list wlan-cfg-entry } // container wlan-cfg-entries container wlan-policies { description "WLAN policy configuration"; list wlan-policy { key "policy-profile-name"; description "List of WLAN policy configurations"; leaf policy-profile-name { type string { pattern '[!-~]([ -~]*[!-~])?'; } description "This object specifies one instance of a WLAN policy on the controller."; } leaf description { type string; default ""; description "This object specifies the description associated to this WLAN policy.This can be any user defined string"; } leaf status { type boolean; default "false"; description "This object specifies whether the policy profile is shutdown or active"; } leaf passive-client { type boolean; default "false"; description "This object specifies whether 
passive-client support is enabled or not on a policy"; } leaf interface-name { type string; default "1"; description "This object represents the interface attached to the wireless lan."; } leaf mcast-vlan-id { type uint32 { range "1 .. 4094"; } description "Multicast Vlan Id attached to the wireless lan."; } container wlan-switching-policy { description "This is structure to specifies wlan switching policy"; leaf central-switching { type boolean; must "(/wireless-general-cfg:general-cfg-data/wireless-general-cfg:mewlc-config/wireless-general-cfg:mewlc-platform = 'false') or (current() = 'false') or (../../status = 'false')" { error-message "Central switching mode is not supported on EWC platform"; error-app-tag "must-violation"; } default "true"; description "Enable/disable central switching"; } leaf central-authentication { type boolean; default "true"; description "Enable/disable central authentication"; } leaf central-dhcp { type boolean; must "(/wireless-general-cfg:general-cfg-data/wireless-general-cfg:mewlc-config/wireless-general-cfg:mewlc-platform = 'false') or (current() = 'false') or (../../status = 'false')" { error-message "Central DHCP mode is not supported on EWC platform"; error-app-tag "must-violation"; } default "true"; description "Central dhcp for locally switched clients"; } leaf override-nat-pat { type boolean; default "false"; description "This object specifies whether Network Address Translation (NAT) and Port Address Translation (PAT) are enabled on this WLAN"; } leaf central-assoc-enable { type boolean; default "true"; status obsolete; description "This object indicates the behavior of the REAP when handling the (re-)association management frames from associated to it through the WLAN policy identified"; } } // container wlan-switching-policy container wlan-flex-policy { description "This structure specifies wlan flex policies"; leaf split-mac-acl { type string; default ""; description "Configuration of split mac acl"; } leaf 
vlan-central-switching {
        type boolean;
        default "false";
        description "Configuration of vlan central switching";
      }
    } // container wlan-flex-policy

    container static-ip-mobility {
      description "This structure specifies whether static ip mobility support is enabled or disabled.";
      leaf is-static-ip-mobility {
        type boolean;
        default "false";
        description "Configuration of static IP mobility";
      }
    } // container static-ip-mobility

    // ACLs and URL filter lists attached to the policy profile, referenced
    // by name. Every leaf here is a plain string, so this model does not
    // check that the named ACL or list exists.
    // NOTE(review): presumably an empty name means nothing is applied -
    // confirm.
    container wlan-acl {
      description "This structure specifies ipv4 and ipv6 and layer2 acl name mapped to the policies.";
      // Both must statements reject the names 'preauth_v4' and 'preauth_v6',
      // which the error messages call default ACLs.
      leaf ipv4-acl {
        type string;
        must "../ipv4-acl != 'preauth_v4'" {
          error-message "Default ACL preauth_v4 is not allowed";
          error-app-tag "must-violation";
        }
        must "../ipv4-acl != 'preauth_v6'" {
          error-message "Default ACL preauth_v6 is not allowed";
          error-app-tag "must-violation";
        }
        default "";
        description "Name of IPV4 ACL";
      }
      // Same two reserved names are rejected for the IPv6 ACL.
      leaf ipv6-acl {
        type string;
        must "../ipv6-acl != 'preauth_v6'" {
          error-message "Default ACL preauth_v6 is not allowed";
          error-app-tag "must-violation";
        }
        must "../ipv6-acl != 'preauth_v4'" {
          error-message "Default ACL preauth_v4 is not allowed";
          error-app-tag "must-violation";
        }
        default "";
        description "Configure the name of IPV6 ACL";
      }
      // No reserved-name check on the layer-2 ACL.
      leaf layer2-acl {
        type string;
        default "";
        description "Configure the name of layer2 ACL";
      }
      // The two URL filter leaves have no default and no constraint.
      leaf pre-auth-urlfilter-list {
        type string;
        description "Configure the name of pre-auth URL filter list";
      }
      leaf post-auth-urlfilter-list {
        type string;
        description "Configure the name of post-auth URL filter list";
      }
    } // container wlan-acl

    container wlan-timeout {
      description "This structure encompases of timeout related details for the wlan policy profile. ";
      // Range 0 .. 86400, default 1800.
      // NOTE(review): the unit is not stated here (presumably seconds), and
      // 0 presumably disables the session timeout - confirm before relying
      // on it to force re-authentication.
      leaf session-timeout {
        type uint32 {
          range "0 .. 86400";
        }
        default "1800";
        description "Configures client Session timeout";
      }
      // Lower bound 15; the rest of the range and the default follow on the
      // next line of the file.
      leaf idle-timeout {
        type uint32 {
          range "15 ..
100000"; } default "300"; description "The duration of idle timeout in seconds"; } leaf idle-threshold { type uint32; default "0"; description "Configures the idle threshold"; } } // container wlan-timeout container wlan-local-profiling { description "This encompasses of wlan local policy profile details."; leaf device-classification { type boolean; default "false"; description "This object specifies to enable or disable client device classification.A value of 'true' indicates native profiling is enabled.A value of 'false' indicates native profiling is disabled."; } leaf subscriber-policy-name { type string; must "not((../../wlan-switching-policy/central-switching = 'false') and (../../wlan-switching-policy/central-authentication = 'false') and (string-length() > 0))" { error-message "no central switching, no central authentication and subscriber-policy-name cannot coexist"; error-app-tag "must-violation"; } default ""; description "This object uniquely identifies a native profiling classification policy configured on the Wireless LAN Controller."; } leaf radius-profiling { type boolean; default "false"; description "Radius profiling"; } leaf http-tlv-caching { type boolean; default "false"; description "HTTP TLV caching"; } leaf dhcp-tlv-caching { type boolean; default "false"; description "DHCP TLV caching"; } } // container wlan-local-profiling container wlan-mobility { description "This encompasses of wlan mobility related configuration for the policy profile. 
"; leaf anchor { type boolean; default "false"; description "This objects specifies that wlan mapped to the policy is an anchor wlan"; } } // container wlan-mobility leaf nbar-protocol-discovery { type boolean; must "../wlan-switching-policy/central-switching = 'true' or current() = 'false'" { error-message "WLAN switching policy central-switching should be enabled when NBAR Protocol Discovery is enabled."; error-app-tag "must-violation"; } default "false"; description "This object allows the user to enable or disable NBAR Protocol Discovery for a wlan. A value of 'true' indicates NBAR protocol discovery is active, a 'false' value indicates NBAR protocol discovery is disabled"; } leaf reanchor-classmap-name { type string; must "../wlan-switching-policy/central-switching = 'true' or string-length() = 0" { error-message "WLAN switching policy central-switching should be enabled when using selective reanchoring feature"; error-app-tag "must-violation"; } must "(count(../avc-ipv4-fm-ingress-entries/avc-ipv4-fm-ingress-entry) + count(../avc-ipv4-fm-egress-entries/avc-ipv4-fm-egress-entry) + count(../avc-ipv6-fm-ingress-entries/avc-ipv6-fm-ingress-entry) + count(../avc-ipv6-fm-egress-entries/avc-ipv6-fm-egress-entry)) > 0 or string-length() = 0" { error-message "At least one flow monitor should be enabled when using selective reanchoring feature"; error-app-tag "must-violation"; } must "string-length() = 0 or current() = 'AVC-Reanchor-Class'" { error-message "The value of classmap used for selective reanchoring feature must be either empty (disabled) or 'AVC-Reanchor-Class'"; error-app-tag "must-violation"; } default ""; description "This object specifies the classmap containing protocols to decide on selective reanchoring"; } container per-ssid-qos { description "This object keeps ingress and egress service names."; leaf ingress-service-name { type string { length "0..80"; } default ""; description "This object specifies the ingress service-policy name. 
It can be system generated policy name or user-defined policy name."; } leaf egress-service-name { type string { length "0..80"; } default ""; description "This object specifies the egress service-policy name. It can be system generated policy name or user-defined policy name."; } } // container per-ssid-qos container per-client-qos { description "This object specifies the per client ingress and egress service names"; leaf ingress-service-name { type string { length "0..80"; } default ""; description "This object specifies the ingress service-policy name. It can be system generated policy name or user-defined policy name."; } leaf egress-service-name { type string { length "0..80"; } default ""; description "This object specifies the egress service-policy name. It can be system generated policy name or user-defined policy name."; } } // container per-client-qos container autoqos-mode { description "Specifies the mode of autoqos."; leaf mode { type wireless-enum-types:autoqos-profile; default "autoqos-disabled"; description "This object specifies the user to enable or disable Auto QoS mode in wireless policy profile."; } } // container autoqos-mode container dhcp-params { description "Keeps various information of Dhcp such as is_dhcp_enabled,dhcp_server_address etc."; leaf is-dhcp-enabled { type boolean; default "false"; description "DHCP required for all clients on this WLAN"; } leaf dhcp-server-address { type inet:ipv4-address; default "0.0.0.0"; description "Configures the WLAN's IPv4 DHCP Server"; } leaf dhcp-opt82-enable { type boolean; default "false"; description "This object represents the DHCP Option82 state"; } leaf dhcp-opt82-ascii { type boolean; default "false"; description "This object represents the DHCP Option82 Ascii option"; } leaf dhcp-opt82-rid { type boolean; default "false"; description "This object represents the DHCP Option82 Rid option"; } leaf apmac { type boolean; default "false"; description "This object represents the DHCP Option82 
format Ap mac option"; } leaf ssid { type boolean; default "false"; description "This object represents the DHCP Option82 format SSID option"; } leaf ap-ethmac { type boolean; default "false"; description "This object represents the DHCP Option82 format Ap ethmac option"; } leaf apname { type boolean; default "false"; description "This object represents the DHCP Option82 format Ap name option"; } leaf policy-tag { type boolean; default "false"; description "This object represents the DHCP Option82 format Policy tag option"; } leaf ap-location { type boolean; default "false"; description "This object represents the DHCP Option82 format Ap location option"; } leaf vlan-id { type boolean; default "false"; description "This object represents the DHCP Option82 format Vlan_id option"; } leaf dhcp-option-none { type boolean; description "No dhcp options are set"; } } // container dhcp-params container mdns-service-policy { description "MDNS service policy."; leaf policy-name { type string { length "1..64" { error-message "Invalid string length for MDNS service policy:Valid string has be 1 to 64 characters"; error-app-tag "must-violation"; } } default "default-mdns-service-policy"; description "MDNS service policy name"; } } // container mdns-service-policy container cts-policy { description "This structure specifies CTS policy for the wireless profile."; leaf sgacl-enforcement { type boolean; default "false"; description "Configuration to enable SGACL enforcement of cts policies on the device"; } } // container cts-policy leaf inline-tagging { type boolean; default "false"; description "Configuration to enable inline tagging for client"; } leaf sgt { type uint16 { range "2 .. 
65519";
      }
      description "Configuration of default SGT value";
    }

    container umbrella-params {
      description "Configuration of umbrella policy";
      leaf param-map-name {
        type string;
        default "";
        description "Umbrella's open dns parameter map name";
      }
    } // container umbrella-params

    // Client exclusion for the WLAN. The feature is on by default with a
    // timeout of 60.
    // NOTE(review): the unit of blacklist-timeout is not stated (presumably
    // seconds), and the range starts at 0, whose meaning is not given here -
    // confirm whether 0 excludes a client indefinitely or not at all.
    container blacklist-params {
      description "This object keeps information for client blacklisting feature for a WLAN.";
      leaf is-blacklist-enabled {
        type boolean;
        default "true";
        description "This is the flag that can enable or disable the client blacklisting feature for a WLAN.";
      }
      leaf blacklist-timeout {
        type uint32 {
          range "0 .. 2147483647";
        }
        default "60";
        description "Set time the client will be excluded";
      }
    } // container blacklist-params

    container aaa-policy-params {
      description "This object specifies various attributes of WLAN policy. such as policy profile name etc.";
      // NOTE(review): presumably 'true' lets attributes returned by the AAA
      // server replace the profile's own settings for a client - confirm.
      // Off by default.
      leaf aaa-override {
        type boolean;
        default "false";
        description "This flag is set when aaa override is enabled";
      }
      leaf nac {
        type boolean;
        default "false";
        description "This flag is set when NAC is enabled";
      }
      // Plain string reference; defaults to "default-aaa-policy".
      leaf aaa-policy-name {
        type string;
        default "default-aaa-policy";
        description "This is the name of the aaa policy name.";
      }
      leaf nac-type {
        type wireless-enum-types:nac-type;
        description "Type of Network Authentication Control (NAC) supported";
      }
      // The must allows 'true' only when aaa-override is 'true'. With
      // fallback on, a client whose override VLAN is not available is placed
      // in the policy profile VLAN, per the description, so that VLAN should
      // be no more permissive than the access the client was meant to get.
      leaf vlan-fallback {
        type boolean;
        must "(../aaa-override = 'true' and .= 'true') or (.='false')" {
          error-message "AAA override cannot be in disabled state when VLAN fallback is enabled.";
          error-app-tag "must-violation";
        }
        default "false";
        description "This flag allows fallback to policy profile VLAN when override VLAN is not available";
      }
    } // container aaa-policy-params

    // The container description speaks of encryption being enabled or
    // disabled, but the only leaf toggles the Encrypted Traffic Analytics
    // feature; it does not turn WLAN encryption on or off.
    container et-analytics-params {
      description "This object specifies whether encryption enabled or disabled.";
      leaf is-tvi-enabled {
        type boolean;
        default "false";
        description "This flag enables/disables Encrypted Traffic Analytics feature on this WLAN";
      }
    } // container et-analytics-params

    container
wgb-policy-params { description "WGB Policy Parameters"; leaf broadcast-tagging { type boolean; default "false"; description "WGB Broadcast tagging"; } leaf wgb-vlan { type boolean; default "false"; description "Client Vlan Support"; } } // container wgb-policy-params leaf fabric-profile-name { type string; default ""; description "Specifies the fabric profile name configured on the policy profile."; } leaf accounting-list { type string; default ""; description "Specifies the accounting list configured on the policy profile."; } leaf client-count { type uint32 { range "0 .. 200"; } description "Maximum client that can join the wlan mapped to policy profile."; } container atf-policy-map-entries { description "ATF Policy Mapping configuration"; list atf-policy-map-entry { key "band-id"; description "ATF Policies associated to policy profile"; leaf band-id { type uint8 { range "0 .. 1"; } description "Band ID of the ATF Policy"; } leaf atf-policy-name { type string { length "0..31"; } default "default-atf-policy"; description "Air Time Fairness policy name"; } } // list atf-policy-map-entry } // container atf-policy-map-entries container guest-mm-db-export-entries { description "Guest mm DB configuration"; list guest-mm-db-export-entry { key "ip"; description "Guest mm DB associated to policy profile"; leaf ip { type inet:ip-address; description "IP address of the mobility anchor"; } leaf anchor-priority { type wireless-enum-types:enm-export-anchor-priority-type; default "export-anchor-tertiary"; description "Priority of the mobility anchor"; } } // list guest-mm-db-export-entry } // container guest-mm-db-export-entries leaf call-snoop { type boolean; must "(../call-snoop = 'true' and ../per-ssid-qos/ingress-service-name = 'platinum-up' and ../per-ssid-qos/egress-service-name = 'platinum') or (../call-snoop = 'false' and (../per-ssid-qos/ingress-service-name = 'platinum-up' and ../per-ssid-qos/egress-service-name = 'platinum')) or (../call-snoop = 'false' and 
(../per-ssid-qos/ingress-service-name != 'platinum-up' or ../per-ssid-qos/egress-service-name != 'platinum'))" { error-message "SSID policies should be configured with Platinum when Call Snoop is enabled"; error-app-tag "must-violation"; } default "false"; description "Enable or Disable call snoop for the wlan mapped to policy profile."; } leaf sip-cac-send-dis-assoc { type boolean; default "false"; description "Enable or Disable SIP CAC send disassociate."; } leaf sip-cac-send-486-busy { type boolean; default "false"; description "Enable or Disable SIP CAC send 486 busy."; } leaf tunnel-profile-name { type string { length "0..128"; } default ""; description "Tunnel profile name"; } container avc-ipv4-fm-ingress-entries { description "AVC Ingress IPv4 flow monitor configuration"; list avc-ipv4-fm-ingress-entry { must "(count(../avc-ipv4-fm-ingress-entry) <= 2)" { error-message "There cannot exist more than 2 IPv4 ingress flow monitors"; error-app-tag "must-violation"; } key "name"; description "IPv4 ingress flow monitor associated to policy profile"; leaf name { type string { length "0..32"; pattern '[0-9a-zA-Z_-]+'; } description "Flow monitor name"; } } // list avc-ipv4-fm-ingress-entry } // container avc-ipv4-fm-ingress-entries container avc-ipv4-fm-egress-entries { description "AVC Egress IPv4 flow monitor configuration"; list avc-ipv4-fm-egress-entry { must "(count(../avc-ipv4-fm-egress-entry) <= 2)" { error-message "There cannot exist more than 2 IPv4 egress flow monitors"; error-app-tag "must-violation"; } key "name"; description "IPv4 egress flow monitor associated to policy profile"; leaf name { type string { length "0..32"; pattern '[0-9a-zA-Z_-]+'; } description "Flow monitor name"; } } // list avc-ipv4-fm-egress-entry } // container avc-ipv4-fm-egress-entries container avc-ipv6-fm-ingress-entries { description "AVC Ingress IPv6 flow monitor configuration"; list avc-ipv6-fm-ingress-entry { must "(count(../avc-ipv6-fm-ingress-entry) <= 2)" { error-message 
"There cannot exist more than 2 IPv6 ingress flow monitors"; error-app-tag "must-violation"; } key "name"; description "IPv6 ingress flow monitor associated to policy profile"; leaf name { type string { length "0..32"; pattern '[0-9a-zA-Z_-]+'; } description "Flow monitor name"; } } // list avc-ipv6-fm-ingress-entry } // container avc-ipv6-fm-ingress-entries container avc-ipv6-fm-egress-entries { description "AVC Egress IPv6 flow monitor configuration"; list avc-ipv6-fm-egress-entry { must "(count(../avc-ipv6-fm-egress-entry) <= 2)" { error-message "There cannot exist more than 2 IPv6 egress flow monitors"; error-app-tag "must-violation"; } key "name"; description "IPv6 egress flow monitor associated to policy profile"; leaf name { type string { length "0..32"; pattern '[0-9a-zA-Z_-]+'; } description "Flow monitor name"; } } // list avc-ipv6-fm-egress-entry } // container avc-ipv6-fm-egress-entries leaf hotspot-anqp-server { type string { length "0..200"; } default ""; description "Name of the Hotspot 2.0 ANQP Server settings"; } container guest-lan { description "Guest LAN policy details."; leaf enable-session-timeout { type boolean; default "false"; description "Enable session timeout"; } } // container guest-lan container policy-profile-calendar-configs { description "Calendar profile configuration"; list policy-profile-calendar-config { key "calendar-profile-name"; description "Calendar profile associated to policy profile"; leaf calendar-profile-name { type string; description "Timer profile name configured under policy profile"; } leaf wlan-enable { type wireless-enum-types:timer-profile-action; description "Action to enable policy profile based on calender profile"; } leaf client-session-disable { type wireless-enum-types:timer-profile-action; description "Action to disable client session based on calender profile"; } } // list policy-profile-calendar-config } // container policy-profile-calendar-configs container upn { description "User Defined (Private) 
Network policies"; leaf is-upn-restrict-enable { type boolean; default "false"; description "User Defined (Private) Network status"; } leaf upn-unicast-disable { type boolean; default "false"; description "User Defined (Private) Network Unicast disable status"; } } // container upn container proxy { description "Proxy related configuration on policies"; leaf ipv6-proxy { type wireless-enum-types:ipv6-proxy; default "no-proxy"; description "Enable IPv6 Neighbor discovery(ND) proxy features."; } leaf arp-proxy { type boolean; default "false"; description "Enable or disable Address Resolution Protocol (ARP) proxy feature."; } } // container proxy container umbrella-flex-params { description "Configuration of umbrella policy for flex mode"; leaf dhcp-dns-option-enable { type boolean; default "true"; description "DHCP DNS Option enabled"; } leaf mode-force { type boolean; default "false"; description "Umbrella redirect forced"; } } // container umbrella-flex-params leaf multicast-filter { type boolean; default "false"; description "Drop all downstream Multicast packets"; } leaf qbss-load { type boolean; default "true"; description "Advertisement of the QOS enhanced basic service set load Information Element(IE)."; } leaf encryption-vlan-osen { type string { length "0..8"; pattern '[vV]lan([1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-4])|([1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-4])?'; } default ""; description "Vlan name or vlan id of clients connecting to OSEN wlan."; } leaf ip-mac-binding { type boolean; default "true"; description "Control over support for ip-mac binding creation"; } leaf link-local-bridging { type boolean; must "../wlan-switching-policy/central-switching = 'true' or current() = 'false'" { error-message "WLAN switching policy central-switching should be enabled when link-local bridging is enabled."; error-app-tag "must-violation"; } must "../wlan-mobility/anchor = 'false' or current() = 
'false'" {
            error-message "WLAN mobility policy anchor should be disabled when link-local bridging is enabled.";
            error-app-tag "must-violation";
          }
          must "count(../guest-mm-db-export-entries/guest-mm-db-export-entry) = 0 or current() = 'false'" {
            error-message "WLAN link-local bridging is not allowed with mobility anchor";
            error-app-tag "must-violation";
          }
          must "(/wireless-general-cfg:general-cfg-data/wireless-general-cfg:mewlc-config/wireless-general-cfg:mewlc-platform = 'false') or (current() = 'false')" {
            error-message "Link-local bridging is not supported on EWC platform";
            error-app-tag "must-violation";
          }
          default "false";
          description "This object specifies whether link-local bridging is enabled";
        }
      } // list wlan-policy
    } // container wlan-policies

    // Policy tags. Each entry maps WLAN profiles, and AP remote-LAN (RLAN) ports,
    // to the policy profile that is applied to them.
    container policy-list-entries {
      description "Policy list configuration";
      list policy-list-entry {
        key "tag-name";
        description "This object specifies the policy tag name and also hosts the mapping between a Wlan and policy profile";
        leaf tag-name {
          // Printable ASCII only: the first and last character must be in '!'..'~'
          // (so no leading or trailing space); spaces are allowed in between.
          // The empty string does not match.
          type string {
            pattern '[!-~]([ -~]*[!-~])?';
          }
          // Caps the WLAN mappings plus RLAN mappings of this tag at 16 in total.
          must "(count(../wlan-policies/wlan-policy) + count(../tag-child-rlan-policy-configs/tag-child-rlan-policy-config)) <= 16" {
            error-message "Cumulative number of RLANs and WLANs associated with a policy tag cannot exceed 16";
            error-app-tag "must-violation";
          }
          description "This object uniquely identifies the policy tag";
        }
        leaf description {
          type string;
          default "";
          description "description for the policy tag";
        }
        container wlan-policies {
          description "WLAN policy configuration";
          list wlan-policy {
            key "wlan-profile-name";
            description "WLAN profile and policy profile name configuration";
            // NOTE(review): plain string, with no length, pattern or leafref
            // restriction. Nothing visible in this part of the module checks that
            // the named WLAN profile exists - confirm it is validated elsewhere.
            leaf wlan-profile-name {
              type string;
              description "Name of the WLAN profile";
            }
            // Mandatory: every WLAN listed under a tag must name a policy profile
            // (1 to 32 characters). Existence of that profile is not checked here.
            leaf policy-profile-name {
              type string {
                length "1..32";
              }
              mandatory true;
              description "Name of the policy profile";
            }
          } // list wlan-policy
        } // container wlan-policies
        container tag-child-rlan-policy-configs {
          description "RLAN policy configuration";
          list tag-child-rlan-policy-config {
            key "port-id";
            description "Configure remote lan profile and policy profile for policy tag";
            leaf port-id {
              type uint16;
              // The type is uint16, but the must narrows it to 1..4 or 128.
              must "(((current() >= 1) and (current() <= 4)) or (current() = 128))" {
                error-message "Remote LAN port-id leaf can be set to values: 1, 2, 3, 4 and 128 only";
                error-app-tag "must-violation";
              }
              description "RLAN port-id value of AP. The port-id can be between 1 to 4 for LAN ports or port-id 128 is for external module of AP";
            }
            // Both names below are optional free-form strings; unlike the WLAN
            // mapping above, the policy profile name is not mandatory here.
            leaf rlan-profile-name {
              type string;
              description "This is the name of the RLAN config ";
            }
            leaf rlan-policy-profile-name {
              type string;
              description "This is the name of the RLAN policy config ";
            }
          } // list tag-child-rlan-policy-config
        } // container tag-child-rlan-policy-configs
      } // list policy-list-entry
    } // container policy-list-entries

    // Named AAA policies: RADIUS NAS-ID selection plus accounting and
    // authentication attribute lists.
    container wireless-aaa-policy-configs {
      description "Wireless AAA policy Configurations";
      list wireless-aaa-policy-config {
        key "policy-name";
        description "The wireless AAA policy configurations";
        leaf policy-name {
          type string;
          description "This is the policy name";
        }
        // Three NAS-ID option slots. Only option1 has a configured default
        // (nas-id-sys-name); option2 and option3 default to nas-id-not-configured.
        // NOTE(review): how the three options are combined into the NAS-ID that is
        // sent is not visible in this module - confirm against the platform docs.
        container nas-id {
          description "Different NAS-ID options";
          leaf option1 {
            type wireless-types:enm-nas-id-options;
            default "nas-id-sys-name";
            description "Radius NAS-ID option1";
          }
          leaf option2 {
            type wireless-types:enm-nas-id-options;
            default "nas-id-not-configured";
            description "Radius NAS-ID option2";
          }
          leaf option3 {
            type wireless-types:enm-nas-id-options;
            default "nas-id-not-configured";
            description "Radius NAS-ID option3";
          }
        } // container nas-id
        // No default is declared for the three leaves below, so each is absent
        // from the configuration unless it is set explicitly.
        leaf aaa-realm {
          type boolean;
          description "Indicates if AAA-REALM is enabled/disabled";
        }
        leaf accounting-list {
          type string;
          description "Accounting attribute list per WLAN.";
        }
        leaf authentication-list {
          type string;
          description "Authentication attribute list per WLAN.";
        }
      } // list wireless-aaa-policy-config
    } // container wireless-aaa-policy-configs

    // Guest-LAN profiles. guest-lan-id is mandatory, unique and limited to 1..5,
    // so at most five profiles can exist.
    container guest-lan-configs {
      description "Guest-LAN profile configuration";
      list guest-lan-config {
        key "profile-name";
        unique "guest-lan-id";
        description "Specifies the Guest-LAN profile";
        leaf guest-lan-id {
          type uint32 {
            range "1 .. 5";
          }
          mandatory true;
          description "Guest-LAN Profile ID";
        }
        leaf profile-name {
          // 1 to 32 printable ASCII characters, no leading or trailing space.
          type string {
            length "1..32" {
              error-message "Invalid Guest-LAN profile-name: has to be between 1 and 32 characters";
              error-app-tag "must-violation";
            }
            pattern '[!-~]([ -~]*[!-~])?';
          }
          // The three musts below keep Guest-LAN names distinct from WLAN and RLAN
          // names: the name must not be a WLAN profile name, and must not be
          // referenced under any policy tag as a WLAN or an RLAN profile.
          // NOTE(review): the first error text says "in a guest-lan-map" although
          // this constraint sits on the guest-lan-config profile name.
          must "(count(../../../wlan-cfg-entries/wlan-cfg-entry[profile-name = current()]) = 0)" {
            error-message "Invalid profile-name: Cannot use WLAN profile-name in a guest-lan-map";
            error-app-tag "must-violation";
          }
          must "(count(../../../policy-list-entries/policy-list-entry/wlan-policies/wlan-policy[wlan-profile-name = current()]) = 0)" {
            error-message "Invalid Guest-LAN profile-name: Provided profile name already used under policy tag";
            error-app-tag "must-violation";
          }
          must "(count(../../../policy-list-entries/policy-list-entry/tag-child-rlan-policy-configs/tag-child-rlan-policy-config[rlan-profile-name = current()]) = 0)" {
            error-message "Invalid Guest-LAN profile-name: Provided profile name already used under policy tag";
            error-app-tag "must-violation";
          }
          description "Guest-LAN Profile Name";
        }
        leaf has-wired-vlan {
          type wireless-enum-types:ewlc-guest-lan-has-wired-vlan;
          // Mandatory, and only the two explicit values are accepted.
          // NOTE(review): presumably the enum (defined in
          // Cisco-IOS-XE-wireless-enum-types, not shown here) has a further
          // "unset"-style value that this must rejects - confirm.
          must "(current() = 'ewlc-guest-lan-without-wired-vlan') or (current() = 'ewlc-guest-lan-with-wired-vlan')" {
            error-message "Guest-LAN parameter ewlc-guest-lan-has-wired-vlan must be configured explicitly";
            error-app-tag "must-violation";
          }
          mandatory true;
          description "Specifies whether a wired-vlan number is configured for the Guest-LAN. The wired-vlan number must be configured on the Guest Foreign controller; it must not be configured on the Guest Anchor controller.";
        }
        leaf wired-vlan {
          type uint32 {
            range "0 .. 4094";
          }
          // Ties the value to has-wired-vlan: 0 when no wired VLAN is configured,
          // at least 1 when one is.
          // NOTE(review): the message gives the range as [1, 4094], but the next
          // must also rejects VLAN 1, so the accepted values are 2..4094 except
          // 1002..1005.
          must "((../has-wired-vlan = 'ewlc-guest-lan-without-wired-vlan') and (current() = 0)) or ((../has-wired-vlan = 'ewlc-guest-lan-with-wired-vlan') and (current() >= 1))" {
            error-message "Invalid wired-vlan: the VLAN number must be in range [1, 4094] for Guest Foreign, and 0 or omitted for Guest Anchor";
            error-app-tag "must-violation";
          }
          // Rejects VLANs 1 and 1002..1005 whenever a wired VLAN is configured.
          must "(../has-wired-vlan = 'ewlc-guest-lan-without-wired-vlan') or ((current() != 1) and (current() != 1002) and (current() != 1003) and (current() != 1004) and (current() != 1005))" {
            error-message "Invalid wired-vlan: This VLAN number is reserved";
            error-app-tag "must-violation";
          }
          // A wired VLAN may belong to one Guest-LAN only. The count includes the
          // current entry, hence "<= 1" rather than "= 0".
          must "(../has-wired-vlan = 'ewlc-guest-lan-without-wired-vlan') or (count(../../../guest-lan-configs/guest-lan-config[wired-vlan = current()]) <= 1)" {
            error-message "Invalid wired-vlan: The same VLAN number cannot be associated with multiple Guest-LANs";
            error-app-tag "must-violation";
          }
          default "0";
          description "Configures wired-vlan for Guest-LAN on Guest Foreign controller";
        }
        // Web authentication is on unless it is explicitly set to false.
        // NOTE(review): what a Guest-LAN falls back to when this is false is not
        // visible here - review any configuration that disables it.
        leaf security-web-auth {
          type boolean;
          default "true";
          description "Configures security web auth";
        }
        // The next three leaves are optional free-form strings naming objects that
        // are defined outside this list; no existence check is visible here.
        leaf auth-list {
          type string;
          description "Configures authentication list on Guest-LAN";
        }
        leaf authz-list {
          type string;
          description "Configures authorization list on Guest-LAN";
        }
        leaf web-auth-parameter-map {
          type string;
          description "Configures parameter map on Guest-LAN";
        }
        // The default equals the upper bound, so the per-Guest-LAN client limit
        // stays at 2000 unless it is lowered.
        leaf max-associated-clients {
          type uint32 {
            range "1 .. 2000";
          }
          default "2000";
          description "Configures maximum client connections per Guest-LAN";
        }
        // NOTE(review): the description does not say which boolean value means
        // "active"; with default "false" a new Guest-LAN is presumably shut down
        // until it is enabled - confirm.
        leaf status {
          type boolean;
          default "false";
          description "Specifies whether the Guest-LAN is shutdown or active";
        }
        leaf mdns-sd-mode {
          type wireless-enum-types:enm-wlan-mdns-sd-cfg;
          description "MDNS mode on Guest-LAN";
        }
      } // list guest-lan-config
    } // container guest-lan-configs

    // Guest-LAN map: binds Guest-LAN profiles to policy profiles.
    container guest-lan-maps {
      description "Guest-LAN map configuration";
      list guest-lan-map {
        key "map-name";
        description "Specifies the Guest-LAN map";
        leaf map-name {
          type string;
          // map-name is the list key, so the [map-name] predicate matches every
          // entry; the must therefore allows only a single Guest-LAN map.
          must "(count(../../../guest-lan-maps/guest-lan-map[map-name]) <= 1)" {
            error-message "Invalid Guest-LAN map: There cannot exist multiple GLAN maps";
            error-app-tag "must-violation";
          }
          description "This object uniquely identifies the guest lan map";
        }
        container guest-lan-policy-maps {
          description "Wired Guest-LAN map configuration";
          list guest-lan-policy-map {
            key "guest-lan-profile-name";
            description "Configure guest lan profile and policy profile in guest lan map";
            leaf guest-lan-profile-name {
              // NOTE(review): the length is restricted, but there is no pattern
              // here, unlike guest-lan-config/profile-name, and no visible check
              // that a guest-lan-config with this name exists - confirm.
              type string {
                length "1..32" {
                  error-message "Invalid Guest-LAN profile-name: has to be between 1 and 32 characters";
                  error-app-tag "must-violation";
                }
              }
              // Same three name-collision checks as on guest-lan-config/profile-name;
              // the five ".." steps climb from this leaf to the enclosing
              // wlan-cfg-data container.
              must "(count(../../../../../wlan-cfg-entries/wlan-cfg-entry[profile-name = current()]) = 0)" {
                error-message "Invalid Guest-LAN profile-name: Cannot use WLAN profile-name in a guest-lan-map";
                error-app-tag "must-violation";
              }
              must "(count(../../../../../policy-list-entries/policy-list-entry/wlan-policies/wlan-policy[wlan-profile-name = current()]) = 0)" {
                error-message "Invalid Guest-LAN profile-name: Provided profile name already used under policy tag";
                error-app-tag "must-violation";
              }
              must "(count(../../../../../policy-list-entries/policy-list-entry/tag-child-rlan-policy-configs/tag-child-rlan-policy-config[rlan-profile-name = current()]) = 0)" {
                error-message "Invalid Guest-LAN profile-name: Provided profile name already used under policy tag";
                error-app-tag "must-violation";
              }
              // At most five profile-to-policy mappings under this map.
              must "(count(../../../guest-lan-policy-maps/guest-lan-policy-map[guest-lan-profile-name]) <= 5)" {
                error-message "Exceeding the limit of 5 mappings under one guest-lan map";
                error-app-tag "must-violation";
              }
              description "Profile-name of the Wired Guest-LAN config ";
            }
            // Mandatory, but with no length or pattern restriction.
            leaf policy-profile-name {
              type string;
              mandatory true;
              description "Name of the Guest-LAN policy config";
            }
          } // list guest-lan-policy-map
        } // container guest-lan-policy-maps
      } // list guest-lan-map
    } // container guest-lan-maps
  } // container wlan-cfg-data
} // module Cisco-IOS-XE-wireless-wlan-cfg