Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices.
Version: 2020-02-18
module ieee802-dot1x {
  yang-version 1;
  namespace "urn:ieee:std:802.1X:yang:ieee802-dot1x";
  prefix dot1x;

  import ieee802-types {
    prefix ieee;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-interfaces {
    prefix if;
  }
  import ietf-system {
    prefix sys;
  }
  import iana-if-type {
    prefix ianaift;
  }
  import ieee802-dot1x-types {
    prefix dot1x-types;
  }

  organization "Institute of Electrical and Electronics Engineers";
  contact "WG-URL: http://www.ieee802.org/1 WG-EMail: stds-802-1-L@ieee.org Contact: IEEE 802.1 Working Group Chair Postal: C/O IEEE 802.1 Working Group IEEE Standards Association 445 Hoes Lane Piscataway NJ 08854 USA E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG";
  description "Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and secure communication between the ports. 
The following control allows a port to be reinitialized, terminating (and potentially restarting) authentication exchanges and MKA operation, based on a data model described in a set of YANG modules.";

  revision "2020-02-18" {
    description "Updated Contact information.";
  }
  revision "2019-06-12" {
    description "Updates based on comment resolution of the WG ballot of P802.1X-Rev/D1.0.";
    reference "IEEE Std 802.1X-2020, Port-Based Network Access Control.";
  }

  // Per-NID Logon Process policy (Clause 12.5). Reused via 'uses nid-group' by the
  // per-interface logon-nid container and by the announcer's announce list, so the
  // defaults below apply wherever the grouping is instantiated.
  grouping nid-group {
    description "The PAE NID Group configuration and operational information.";
    list pae-nid-group {
      key "nid";
      description "A list that contains the configuration and operational nodes for the network announcement information for the Logon Process.";
      leaf nid {
        type dot1x-types:pae-nid;
        description "Identification of the network or network service.";
        reference "IEEE 802.1X-2020 Clause 12.5";
      }
      // Default 'immediate': EAP is initiated at once, concurrently with MKA using
      // any cached CAK(s); 'mka-fail' only falls back to EAP after MKA has failed.
      leaf use-eap {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description "Immediately, concurrently with the use of MKA with any cached CAK(s).";
          }
          enum "mka-fail" {
            value 2;
            description "Not until MKA has failed, if a prior CAK has been cached.";
          }
        }
        default "immediate";
        description "Determines when the Logon Process will initiate EAP, if the Supplicant and or Authenticator are enabled, and takes one of the above values.";
        reference "IEEE 802.1X-2020 Clause 12.5";
      }
      // Security-relevant default: 'immediate' has the CP state machine provide
      // unauthenticated connectivity regardless of any current or future
      // authentication attempt (see the enum description). Where connectivity must
      // wait for an authentication attempt, this needs to be set to 'never' or
      // 'auth-fail' explicitly.
      leaf unauth-allowed {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description "Immediately, independently of any current or future attempts to authenticate using the PAE or MKA.";
          }
          enum "auth-fail" {
            value 2;
            description "Not until an attempt has been made to authenticate using EAP, unless neither the supplicant nor the authenticator is enabled, and MKA has attempted to use any cached CAK (unless the KaY is not enabled).";
          }
        }
        default "immediate";
        description "Determines when the Logon Process will tell the CP state machine to provide 
unauthenticated connectivity, and takes one of the above values.";
        reference "IEEE 802.1X-2020 Clause 12.5";
      }
      // Default 'immediate': authenticated-but-unsecured (no MACsec) connectivity is
      // provided concurrently with MKA; 'mka-fail' and 'mka-server' defer it until
      // MKA has failed / the MKA server directs it.
      leaf unsecure-allowed {
        type enumeration {
          enum "never" {
            value 0;
            description "Never.";
          }
          enum "immediate" {
            value 1;
            description "Immediately, to provide connectivity concurrently with the use of MKA with any CAK acquired through EAP.";
          }
          enum "mka-fail" {
            value 2;
            description "Not until MKA has failed, or is not enabled.";
          }
          enum "mka-server" {
            value 3;
            description "Only if directed by the MKA server.";
          }
        }
        default "immediate";
        description "Determines when the Logon Process will tell the CP state machine to provide authenticated but unsecured connectivity, takes one of the above values.";
        reference "IEEE 802.1X-2020 Clause 12.5";
      }
      // What the NID offers without authentication (Clause 10.1). Default
      // 'no-access' limits an unauthenticated client to authentication services.
      leaf unauthenticated-access {
        type enumeration {
          enum "no-access" {
            value 0;
            description "Other than to authentication services.";
          }
          enum "fallback-access" {
            value 1;
            description "Limited access can be provided after authentication failure.";
          }
          enum "limited-access" {
            value 2;
            description "Immediate limited access is available without authentication.";
          }
          enum "open-access" {
            value 3;
            description "Immediate access is available without authentication.";
          }
        }
        default "no-access";
        description "Unauthenticated access capabilities provided by the NID.";
        reference "IEEE 802.1X-2020 Clause 10.1";
      }
      leaf access-capabilities {
        type dot1x-types:pae-nid-capabilities;
        description "Authentication and protection capabilities supported for the NID.";
        reference "IEEE 802.1X-2020 Clause 10.1";
      }
      // Operational only (config false): the KMD is reported, not configured here.
      leaf kmd {
        type dot1x-types:pae-kmd;
        config false;
        description "The Key Management Domain for the NID.";
        reference "IEEE 802.1X-2020 Clause 10.4";
      }
    } // list pae-nid-group
  } // grouping nid-group

  // Per-port feature flags (Clause 12.9.2). NOTE(review): none of these leaves
  // carries 'config false', so as written they are writable configuration, and
  // several 'when' conditions on the per-interface PAE (e.g. vp-enable, the
  // supplicant/authenticator/kay/announcer/listener containers) are gated on
  // their values. If they are meant to be read-only capability reports, that
  // is worth confirming against the standard.
  grouping port-capabilities {
    description "Per port PAE feature capabilities.";
    leaf supp {
      type boolean;
      description "Indicates if PACP EAP Supplicant is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf auth {
      type boolean;
      description 
"Indicates if PACP EAP Authenticator is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf mka {
      type boolean;
      description "Indicates if MKA is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf macsec {
      type boolean;
      description "Indicates if MACsec on the Controlled port is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf announcements {
      type boolean;
      description "Indicates if the ability to send EAPOL announcements is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf listener {
      type boolean;
      description "Indicates if the ability to use received EAPOL announcements is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf virtual-ports {
      type boolean;
      description "Indicates if virtual ports for a real port is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
    leaf in-service-upgrades {
      type boolean;
      description "Indicates if MKA in-service upgrades is supported.";
      reference "IEEE 802.1X-2020 Clause 12.9.2";
    }
  } // grouping port-capabilities

  // System-wide PAE controls attached to ietf-system's /system container.
  augment /sys:system {
    description "Augment system with 802.1X PAE System specific configuration nodes.";
    container pae-system {
      description "Contains all 802.1X PAE System specific related configuration and operational data.";
      // Target of the per-interface 'pae-system' leafref; bounded to 1..255 characters.
      leaf name {
        type string {
          length "1..255";
        }
        description "The name which uniquely identifies the PAE System.";
      }
      // Master switch (Clause 12.9.1). No 'default' is declared here. Per the
      // description, 'disabled' makes every real port PAE behave as if
      // unauthAllowed were Immediate, i.e. unauthenticated connectivity is
      // provided system-wide, while per-port control settings are kept and
      // take effect again once this is set to 'enabled'.
      leaf system-access-control {
        type enumeration {
          enum "disabled" {
            value 0;
            description "Deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation.";
          }
          enum "enabled" {
            value 1;
            description "Enables PAE system access control.";
          }
        }
        description "Setting this control to disabled deletes any virtual ports previously instantiated, and terminates authentication exchanges and MKA operation. 
Each real port PAE behaves as if enabledVirtualPorts was clear, the PAEs Supplicant, Authenticator, and KaY as if their enabled controls were clear, and Logon Process(es) as if unauthAllowed was Immediate. Announcements can be transmitted (subject to other controls), both periodically and in response to announcement requests (conveyed by EAPOL-Starts or EAPOL-Announcement-Reqs) but are sent with a single NID Set, with a null NID, and the Access Information TLV (and no other) with an pae-access-status of No Access, accessRequested false, OpenAccess, and no accessCapabilities. The control variable settings for each real port PAE are unaffected, and will be used once systemAccessControl is set to enabled.";
        reference "IEEE 802.1X-2020 Clause 12.9.1";
      }
      // System-wide announcement switch; no 'default' is declared. 'disabled'
      // overrides each PAE's own announcer enable.
      leaf system-announcements {
        type enumeration {
          enum "disabled" {
            value 0;
            description "Causes each PAE to behave as if enabled were clear for the PAE's Announcement functionality.";
          }
          enum "enabled" {
            value 1;
            description "Enables PAE system announcements.";
          }
        }
        description "Setting this control to Disabled causes each PAE to behave as if enabled were clear for the PAE's Announcement functionality. 
The independent controls for each PAE apply if systemAnnouncements is Enabled.";
        reference "IEEE 802.1X-2020 Clause 12.9.1";
      }
      // Operational protocol versions reported by the system (Clause 11.3).
      leaf eapol-protocol-version {
        type uint8;
        config false;
        description "The EAPOL protocol version for this system.";
        reference "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";
      }
      leaf mka-version {
        type uint8;
        config false;
        description "The MKA protocol version for this system.";
        reference "IEEE 802.1X-2020 Clause 12.9.1, Clause 11.3";
      }
      // Operational list of the interfaces that host a PAE.
      leaf-list pae {
        type if:interface-ref;
        config false;
        description "List of PAE references.";
      }
    } // container pae-system
  }

  // Per-interface PAE nodes. The 'when' compares the identityref string value
  // of if:type against fixed iana-if-type identities; this module is
  // yang-version 1, so derived-from-or-self() is not available and only an
  // exact identity match enables the augment (identities derived from these
  // types would not match - TODO confirm this is the intended scope).
  augment /if:interfaces/if:interface {
    when "if:type = 'ianaift:ethernetCsmacd' or if:type = 'ianaift:ilan' or if:type = 'ianaift:macSecControlledIF' or if:type = 'ianaift:ptm' or if:type = 'ianaift:bridge'" {
      description "Applies to the Controlled Port of SecY or PAC shim or Ethernet related Interface.";
    }
    description "Augment interface model with PAE configuration and operational nodes.";
    reference "IEEE 802.1AE Clause 11.7 and IEEE 802.1X-2020 Clause 6.5 and Clause 13.3.2";
    container pae {
      description "Contains PAE configuration and operational related nodes.";
      // Binds this PAE to a configured /system/pae-system by name.
      leaf pae-system {
        type leafref {
          path "/sys:system/dot1x:pae-system/dot1x:name";
        }
        description "The PAE system that this PAE is a member of.";
      }
      // Only valid on a real port that reports the virtual-ports capability;
      // defaults to false, so virtual ports are opt-in.
      leaf vp-enable {
        when "../port-type = 'real-port' and ../port-capabilities/virtual-ports = 'true'" {
          description "Applies when port is Real Port and virtual port capabilities are supported.";
        }
        type boolean;
        default "false";
        description "A real port's PAE may be configured to create virtual ports to support multi-access LANs provided that MKA and MACsec operation is enabled for that port.";
        reference "IEEE 802.1X-2020 Clause 12.7";
      }
      container port-capabilities {
        description "Per port PAE feature capabilities.";
        uses port-capabilities;
      } // container port-capabilities
      leaf port-name {
        type if:interface-ref;
        config false;
        description "Each PAE is uniquely identified by a port name.";
      }
      leaf 
port-number { type dot1x-types:pae-if-index; config false; description "Each PAE is uniquely identified by a port number. The port number used is unique amongst all port names for the system, and directly or indirectly identifies the Uncontrolled Port that supports the PAE. If the PAE has been dynamically instantiated to support an existing or potential virtual port, this portNumber, the uncontrolledPortNumber and the controlledPortNumber are allocated by the real ports PAE, and this portNumber is the uncontrolledPortNumber. If the PAE supports a real port, this portNumber is the commonPortNumber for the associated PAC or SecY."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf controlled-port-name { type if:interface-ref; config false; description "Each PAE is uniquely identified by a port name."; } leaf controlled-port-number { type dot1x-types:pae-if-index; config false; description "The port for the associated PAC or SecYs Controlled Port."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf uncontrolled-port-name { type if:interface-ref; config false; description "The uncontrolled port name reference."; } leaf uncontrolled-port-number { type dot1x-types:pae-if-index; config false; description "The port for the associated PAC or SecYs Uncontrolled Port."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf common-port-name { type if:interface-ref; config false; description "The common port name reference."; } leaf common-port-number { type dot1x-types:pae-if-index; config false; description "The port for the associated PAC or SecYs Common Port. 
All the virtual ports created for a given real port share the same Common Port and commonPortNumber."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf port-type { type enumeration { enum "real-port" { value 0; description "Real Port type."; } enum "virtual-port" { value 1; description "Virtual Port type."; } } description "The port type of the PAE."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } container virtual-port { when "../port-capabilities/virtual-ports = 'true'" { description "Applies when the virtual ports port capability is supported."; } config false; description "Contains Virtual Port operational state information."; leaf max { when "../../port-type = 'real-port'" { description "Applies when Port is a Real Port."; } type uint32; description "The guaranteed maximum number of virtual ports."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf current { when "../../port-type = 'real-port'" { description "Applies when Port is a Real Port."; } type yang:gauge32; description "The current number of virtual ports."; reference "IEEE 802.1X-2020 Clause 12.9.2"; } leaf start { when "../../port-type = 'virtual-port'" { description "Applies when Port is a Virtual Port."; } type boolean; description "Set if the virtual port was created by receipt of an EAPOL-Start frame."; reference "IEEE 802.1X-2020 Clause 12.9.7"; } leaf peer-address { when "../../port-type = 'virtual-port'" { description "Applies when Port is a Virtual Port."; } type ieee:mac-address; description "The source MAC Address of the EAPOL-Start (if vpStart is set)."; reference "IEEE 802.1X-2020 Clause 12.9.7"; } } // container virtual-port container supplicant { when "../port-type = 'real-port' and ../port-capabilities/supp = 'true'" { description "Applies to Real Port when supplicant port capabilities are supported."; } description "Contains the configuration nodes for the Supplicant PAE associated with each port."; leaf held-period { type uint16; units "seconds"; default "60"; description "The 
initial value of the timer used to impose a wait period after a failed authentication attempt, before another attempt is permitted."; reference "IEEE 802.1X-2020 Clause 8.6"; } leaf retry-max { type uint32; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; reference "IEEE 802.1X-2020 Clause 8.7"; } leaf enabled { type boolean; config false; description "Set by PACP if the PAE can provide authentication. Will be FALSE if the Port is not enabled, if the functionality provided by the PAE is not available, or not implemented, or the control variable enable has been cleared by management, e.g. because the application scenario authenticates a user and there is no user logged on."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf authenticate { type boolean; config false; description "Set by the PAE client to request authentication, and allows reauthentication while set. Cleared by the client to revoke authentication. To enable authentication the client also needs to clear failed (if set)."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf authenticated { type boolean; config false; description "Set by PACP if the PAE is currently authenticated, and cleared if the authentication fails or is revoked."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf failed { type boolean; config false; description "Set by PACP if the authentication has failed or has been terminated. The cause could be a Fail returned by EAP, either immediately or following a reauthentication, an excessive number of attempts to authenticate (either immediately or upon reauthentication), or the client deasserting authenticate. The PACP will clear authenticated as well as setting failed. 
Any ongoing authentication exchange will be terminated (by the state machines) if enable becomes FALSE and enabled will be cleared, but failed will not be set."; reference "IEEE 802.1X-2020 Clause 8.4"; } } // container supplicant container authenticator { when "../port-capabilities/auth = 'true'" { description "Applies when the Authenticator is supported."; } description "Contains configuration nodes for the Authenticator PAE associated with each port."; leaf quiet-period { type uint16; units "seconds"; default "60"; description "Number of seconds that the authenticator remains in the quiet state following a failed authentication exchange with the supplicant."; reference "IEEE 802.1X-2020 Clause 8.6, Figure 12-3"; } leaf reauth-period { type uint32; units "seconds"; default "3600"; description "This object indicates the time period of the reauthentication to the supplicant."; reference "IEEE 802.1X-2020 Clause 8.6, Figure 12-3"; } leaf reauth-enable { type boolean; default "false"; description "Re-authentication is enabled or not."; reference "IEEE 802.1X-2020 Clause 5.8 and 8.9"; } leaf retry-max { type uint32; default "2"; description "Specifies the maximum number of re-authentication attempts on an authenticator port before port is unauthorized."; reference "IEEE 802.1X-2020 Clause 8.9"; } leaf enabled { type boolean; config false; description "Set by PACP if the PAE can provide authentication. Will be FALSE if the Port is not enabled, if the functionality provided by the PAE is not available, or not implemented, or the control variable enable has been cleared by management, e.g. because the application scenario authenticates a user and there is no user logged on."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf authenticate { type boolean; config false; description "Set by the PAE client to request authentication, and allows reauthentication while set. Cleared by the client to revoke authentication. 
To enable authentication the client also needs to clear failed (if set)."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf authenticated { type boolean; config false; description "Set by PACP if the PAE is currently authenticated, and cleared if the authentication fails or is revoked."; reference "IEEE 802.1X-2020 Clause 8.4"; } leaf failed { type boolean; config false; description "Set by PACP if the authentication has failed or has been terminated. The cause could be a Fail returned by EAP, either immediately or following a reauthentication, an excessive number of attempts to authenticate (either immediately or upon reauthentication), or the client deasserting authenticate. The PACP will clear authenticated as well as setting failed. Any ongoing authentication exchange will be terminated (by the state machines) if enable becomes FALSE and enabled will be cleared, but failed will not be set."; reference "IEEE 802.1X-2020 Clause 8.4"; } } // container authenticator container kay { when "../port-capabilities/mka = 'true'" { description "Applies when the MKA port capability is supported."; } description "Contains configuration system level information for each Interface supported by the KaY (Key Aggreement Entity)."; leaf enable { type boolean; default "false"; description "Set by management to enable (clear to disable) the use of MKA."; reference "IEEE 802.1X-2020 Clause 9.16"; } container actor { description "Contains configuration and operational nodes associated with the actor"; leaf priority { type uint8; description "The Key Server Priority for all the ports actors."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf sci { type dot1x-types:sci-list-entry; config false; description "The SCI assigned by the system to the port (applies to all the ports actors)."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container actor container key-server { description "Contains configuration and operational nodes associated with the key server."; leaf priority { type 
uint8; description "The Key Server Priority for the Key Server for the principal actor. Matches the actorPriority if the actor is the Key Server"; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf sci { type dot1x-types:sci-list-entry; config false; description "The SCI for Key Server for the principal actor. Null if there is no principal actor, or that actor has no live peers. Matches the actorSCI if the actor is the Key Server."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container key-server container group { description "Contains configuration nodes associated with the group."; leaf join { type boolean; default "true"; description "Set if the KaY will accept Group CAKs distributed by MKA."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf form { type boolean; default "false"; description "Set if the KaY will attempt to use point-to-point CAs to distribute a Group CAK, if its principal actor is the Key Server for all the point-to-point CAs."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf new { type boolean; default "false"; description "Set by management if a new Group CAK is to be distributed, if the principal actor is the Key Server for all point-to-point CAs. 
Cleared by the KaY when distribution is complete."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container group container macsec { when "../../port-capabilities/macsec = 'true'" { description "Applies when the MACsec port capability is supported."; } description "Contains configuration and operational nodes associated with macsec."; leaf capable { type boolean; description "Set if MACsec is implemented."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf desired { type boolean; default "true"; description "Set if the participant desires MACsec frame protection."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf protect { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf validate { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf replay-protect { type boolean; config false; description "As used by the CP state machine, see 12.4."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container macsec leaf suspend-on-request { type boolean; default "true"; description "Set by management to allow the KaYs principal actor to initiate a suspension if it is the Key Server and another participant has requested a suspension."; } leaf suspend-for { type uint8; default "0"; description "Set by management to a non-zero number of seconds between 1 and MKA Suspension Limit to initiate a suspension (9.18) of that duration (if the KaYs principal actor is the Key Server) or to request a suspension (otherwise)."; reference "IEEE 802.1X-2020 Clause 9.18"; } leaf suspended-while { type uint8; config false; description "Read by management to determine if a suspension is in progress and (when available) to discover the remaining duration of that suspension"; reference "IEEE 802.1X-2020 Clause 9.18"; } leaf active { type boolean; config false; description "Set if there is at least one active actor, transmitting 
MKPDUs."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf authenticated { type boolean; config false; description "Set if the principal actor, i.e. the participant that has the highest priority Key Server and one or more live peers, has determined that Controlled Port communication should proceed without MACsec."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf secured { type boolean; config false; description "Set if the principal actor has determined that communication should use MACsec."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf failed { type boolean; config false; description "Cleared when authenticated or secured are set, set if the latter are clear and MKA Life Time has elapsed since an MKA participant was last created."; reference "IEEE 802.1X-2020 Clause 9.16"; } container key-number { config false; description "Contains operation state nodes for Key Numbers."; leaf tx { type dot1x-types:mka-kn; description "The Key Number assigned by the Key Server to the SAK currently being used for transmission. Null if MACsec is not being used."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf rx { type dot1x-types:mka-kn; description "The Key Number assigned by the Key Server to the oldest SAK currently being used for reception. The same as txKN if a single SAK is currently in use (as will most often be the case). Null if MACsec is not being used."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container key-number container association-number { config false; description "Contains operation state nodes for Association Numbers."; leaf tx { type dot1x-types:mka-an; description "The Association Number assigned by the Key Server for use with txKN. Zero if MACsec is not in use."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf rx { type dot1x-types:mka-an; description "The Association Number assigned by the Key Server for use with rxKN. The same as txAN if a single SAK is currently in use. 
Zero if MACsec is not in use."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container association-number list participants { key "participant"; description "Contains list of configuration and operational nodes for each MKA participant supported by the KaY MKA entity."; leaf participant { type uint32; description "Key into Participants list."; } leaf cached { type boolean; description "Set by the KaY if the participants parameters are cached. If set, cached can be cleared by management to remove the participant from the cache."; } leaf active { type boolean; default "false"; description "Set if the participant is active, i.e., is currently transmitting periodic MKPDUs."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf retain { type boolean; default "false"; description "Set by management to retain the participant in the cache, even if the KaY would normally remove it (due to lack of use for example)."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf activate { type enumeration { enum "default" { value 0; description "The participant is from cached entries created by the KaY as part of normal operation, without explicit management, and is activated according to the implementation dependent policies of the KaY."; } enum "disabled" { value 1; description "The participant allows the cache information to be retained, but disabled for indefinite period."; } enum "on-oper-up" { value 2; description "Causing the participant to be activated when the PAEs part is activated, and therefore when the SecY or PACs Common Port becomes operational."; } enum "always" { value 3; description "Causing the participant to remain active all the time, even in the continued absence of partners."; } } default "default"; description "Controls when the participant is activated. Cached entries created by the KaY as part of normal operation, without explicit management, have the value Default, and are activated according to the implementation dependent policies of the KaY. 
This variable can be set to any of its values by management. Disabled allows the cache entry to be retained, but disabled for an indefinite period. OnOperUp causes the participant to be activated when the PAEs port (and therefore when the SecY or PACs Common Port becomes MAC_Operational). Always causes the participant to remain active all the time, even in the continued absence of partners. If the value is changed to Disabled or OnOperUp, the participant ceases operation immediately and receipt of MKPDUs with a matching CKN during a subsequent period of twice MKA Life Time will not cause the participant to become active once more."; reference "IEEE 802.1X-2020 Clause 9.16"; } container peers { config false; description "Contains operational state nodes associated with the Peers."; leaf-list live { type dot1x-types:sci-list-entry; description "A list of the SCIs of the participants live peers."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf-list potential { type dot1x-types:sci-list-entry; description "A list of the SCIs of the participants potential peers."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // container peers leaf ckn { type dot1x-types:pae-ckn; config false; description "The secure Connectivity Association Key Name for the participant."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf kmd { type dot1x-types:pae-kmd; config false; description "The Key Management Domain for the participant."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf nid { type dot1x-types:pae-nid; config false; description "The NID for the participant."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf auth-data { type dot1x-types:pae-auth-data; config false; description "Authorization data associated with the secure Connectivity Association Key."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf principal { type boolean; config false; description "Set if the participant is currently the principal actor."; reference "IEEE 802.1X-2020 Clause 9.16"; } leaf dist-ckn { type 
dot1x-types:pae-ckn; config false; description "The CKN for the last CAK distributed (either by the actor or one of its partners). Null if this participant has not been used to distribute a CAK."; reference "IEEE 802.1X-2020 Clause 9.16"; } } // list participants } // container kay container logon-nid { description "Contains the configuration and operational related NID information for the Logon Process. The Logon Process may use Network Identifiers (NIDs) to manage its use of authentication credentials, cached CAKs, and announcements."; leaf selected { type dot1x-types:pae-nid; description "The NID currently configured for use by an access controlled port when transmitting EAPOL-Start frames. Defaults to the null NID."; reference "IEEE 802.1X-2020 Clause 12.5"; } uses nid-group; leaf connected { type dot1x-types:pae-nid; config false; description "The NID associated with the current connectivity (possibly unauthenticated) provided by the operation of the CP state machine."; reference "IEEE 802.1X-2020 Clause 12.5"; } leaf requested { type dot1x-types:pae-nid; config false; description "The NID marked as Access requested in announcements, as determined from EAPOL-Start frames. 
Defaults to the selectedNID.";
  reference "IEEE 802.1X-2020 Clause 12.5";
}
} // container logon-nid

// Announcer: what this PAE advertises to other systems on the LAN.
// Off by default ('enable' = false). The 'nid' and 'access-status' entries
// inside 'announce' are operational state only (config false).
container announcer {
  when "../port-capabilities/announcements = 'true'" {
    description "Applies when the Announcements port capabilities are supported.";
  }
  description "Contains the configuration related Announcer information.";
  leaf enable {
    type boolean;
    default "false";
    description "A boolean indicating if the announcer is enabled or not.";
    reference "IEEE 802.1X-2020 Clause 10.4";
  }
  list announce {
    key "announces";
    description "Contains the configuration related status information that the Announcers announce in the network announcement of the PAE system.";
    leaf announces {
      type uint32;
      description "Key into Announce list.";
    }
    // Pulls in the per-NID list (pae-nid-group) defined by the nid-group
    // grouping earlier in the module.
    uses nid-group;
    leaf nid {
      type dot1x-types:pae-nid;
      config false;
      description "The NID information to identify a received network announcement for the PAE.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf access-status {
      type dot1x-types:pae-access-status;
      config false;
      description "Access Status reflects connectivity as a result of authentication attempts, and might be set directly by the system or configured by AAA protocols.";
      reference "IEEE 802.1X-2020 Clause 10.4, Clause 12.5";
    }
  } // list announce
} // container announcer

// Listener: network announcements this PAE has received. Everything under
// 'announcement' is config false, i.e. it mirrors what peers on the LAN sent.
// Nothing in this list records whether the received announcement was
// integrity-protected, so consumers should not treat these values as
// verified on their own -- confirm against Clause 10.4 before acting on them.
container listener {
  when "../port-capabilities/listener = 'true'" {
    description "Applies when the Listener port capability is supported.";
  }
  description "Contains the configuration and operational Listener node related information.";
  leaf enable {
    type boolean;
    default "false";
    description "A boolean indicating if the listener is enabled or not.";
    reference "IEEE 802.1X-2020 Clause 10.4";
  }
  list announcement {
    key "announcements";
    config false;
    description "A list containing the operational status information that the Listeners receive in the network announcement of the PAE system.";
    leaf announcements {
      type uint32;
      description "The key into the list of Announce nodes.";
    }
    leaf nid {
      type dot1x-types:pae-nid;
      description "The NID information to identify a received network announcement for the PAE.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf kmd {
      type dot1x-types:pae-kmd;
      description "The KMD information for this received network announcement of the PAE.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf specific {
      type boolean;
      description "This object indicates the received announcement information was specific to the receiving PAE, not generic for all systems attached to the LAN.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf access-status {
      type dot1x-types:pae-access-status;
      description "The object information reflects connectivity as a result of authentication attempts for this received network announcement of the PAE.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf requested-nid {
      type boolean;
      description "The authenticated access has been requested for this particular NID or not.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    // What the announcing peer says is reachable without authentication.
    // This is advertised by the peer, not a local policy decision.
    leaf unauthenticated-access {
      type dot1x-types:pae-access-status;
      description "The access capability of the ports clients without authentication in this received network announcement of the PAE";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    leaf access-capabilities {
      type dot1x-types:pae-nid-capabilities;
      description "The authentication and protection capabilities supported for the NID.";
      reference "IEEE 802.1X-2020 Clause 10.4";
    }
    list cipher-suites {
      key "index";
      description "A table contains the Cipher Suites information that the Listeners receive in the network announcement of the PAE system.";
      reference "IEEE 802.1X-2020 Clause 10.4";
      leaf index {
        type uint16;
        description "Key into cipher suite entry.";
      }
      // NOTE(review): 'cipherSuite' is a free-form string with no pattern,
      // unlike the other identifiers in this module, which use typedefs from
      // ieee802-dot1x-types; readers should validate the value rather than
      // assume it names a known suite. The camelCase names of these two
      // leaves also break the kebab-case convention used by every other node.
      leaf cipherSuite {
        type string;
        description "cipher Suite identifier.";
      }
      leaf cipherSuiteCapability {
        type uint32;
        description "Cipher Suite capability.";
      }
    } // list cipher-suites
  } // list announcement
} // container listener

// EAPOL counters (all config false). Several are useful detection signals;
// see the notes on the individual leaves. Counters are per PAE, and those
// gated by a 'when' on port-type exist only on real ports.
container eapol-statistics {
  config false;
  description "Contains operational EAPOL 
statistics.";
  // Malformed EAPOL frames of any type. A sustained rise is worth
  // monitoring alongside eap-length-error-frames-rx.
  leaf invalid-eapol-frame-rx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of invalid EAPOL frames of any type that have been received by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eap-length-error-frames-rx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL frames that the Packet Body Length does not match a Packet Body that is contained within the octets of the received EAPOL MPDU in this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eapol-announcements-rx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-Announcement frames that have been received by this PAE";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eapol-announce-reqs-rx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-Announcement-Req frames that have been received by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  // Frames dropped because a virtual port could not be created for them.
  // On a multi-client real port a steadily rising value points at virtual
  // port resource exhaustion; per the description it should stay 0 when
  // virtual ports are not supported.
  leaf eapol-port-unavailable {
    when "../../port-type = 'real-port' and ../../port-capabilities/virtual-ports = 'true'" {
      description "Applies when port is Real Port and when the virtual ports capability is supported.";
    }
    type yang:counter32;
    description "The number of EAPOL frames that are discarded because their processing would require the creation of a virtual port, for which there are inadequate or constrained resources, or an existing virtual port and no such port currently exists. 
If virtual port is not supported, this object should be always 0.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eapol-start-frames-rx {
    type yang:counter32;
    description "The number of EAPOL-Start frames that have been received by this PAE";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eapol-eap-frames-rx {
    type yang:counter32;
    description "The number of EAPOL-EAP frames that have been received by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  leaf eapol-logoff-frames-rx {
    type yang:counter32;
    description "The number of EAPOL-Logoff frames that have been received by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  // MKPDUs that arrived while MKA was disabled or whose CKN this PAE does not
  // recognise. Usually a CAK/CKN mismatch between peers or an unexpected MKA
  // talker on the LAN; read together with eapol-mk-invalid-frames-rx.
  leaf eapol-mk-no-cfn {
    type yang:counter32;
    description "The number of MKPDUs received with MKA not enabled or CKN not recognized in this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  // MKPDUs that failed message authentication on receipt. A non-zero rate
  // here is a stronger signal than eapol-mk-no-cfn (the frame was checked
  // rather than simply not recognised) and is worth alerting on --
  // TODO confirm the receive-path ordering against Clause 12.8.1.
  leaf eapol-mk-invalid-frames-rx {
    type yang:counter32;
    description "The number of MKPDUs failing in message authentication on receipt process in this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.1";
  }
  // Forensic aid: source MAC of the most recent EAPOL frame. It is a header
  // field copied from that frame, not an authenticated identity, so use it
  // for triage rather than as a basis for access decisions.
  leaf last-eapol-frame-source {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type ieee:mac-address;
    description "The source MAC address of last received EAPOL frame by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.2";
  }
  leaf last-eapol-frame-version {
    type uint8;
    description "The version of last received EAPOL frame by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.2";
  }
  leaf eapol-supp-eap-frames-tx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-EAP frames that have been transmitted by the supplicant of this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-logoff-frames-tx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-Logoff frames that have been transmitted by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-announcements-tx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-Announcement frames that have been transmitted by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-announce-reqs-tx {
    when "../../port-type = 'real-port'" {
      description "Applies when port is Real Port.";
    }
    type yang:counter32;
    description "The number of EAPOL-Announcement-Req frames that have been transmitted by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-start-frames-tx {
    type yang:counter32;
    description "The number of EAPOL-Start frames that have been transmitted by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-auth-eap-frames-tx {
    type yang:counter32;
    description "The number of EAPOL-EAP frames that have been transmitted by the authenticator of this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
  leaf eapol-mka-frames-tx {
    type yang:counter32;
    description "The number of EAPOL-MKA frames with no CKN information that have been transmitted by this PAE.";
    reference "IEEE 802.1X-2020 Clause 12.8.3";
  }
} // container eapol-statistics

// Logon Process: the per-port connectivity decision plus session accounting.
// The process itself is disabled by default ('logon' = false).
container logon-process {
  description "Contains configuration and operational system level information for each port to support the Logon Process(es) status information.";
  leaf logon {
    type boolean;
    default "false";
    description "A boolean indicating if the logon-process is enabled or not.";
    reference "IEEE 802.1X-2020 Clause 12.5";
  }
  // Operational result of the Logon Process. Read the enum descriptions
  // carefully: 'unauthenticated' and 'authenticated' both provide unsecured
  // connectivity; only 'secure' uses SAKs from the KaY. 'port-valid' below is
  // the flag that says Controlled Port traffic is actually protected.
  leaf connect {
    type enumeration {
      enum "pending" {
        value 0;
        description "Prevent connectivity by clearing the controlledPortEnabled parameter.";
      }
      enum "unauthenticated" {
        value 1;
        description "Provide unsecured connectivity, setting controlledPortEnabled.";
      }
      enum "authenticated" {
        value 2;
        description "Provide unsecured connectivity with authorization data, setting controlledPortEnabled.";
      }
      enum "secure" {
        value 3;
        description "Provide secure connectivity, using SAKs provided by the KaY (when available) and setting controlledPortEnabled when those keys are installed and in use, as specified in detail by the CP state machine.";
      }
    }
    config false;
    description "The Logon Process sets this variable to one of the above values.";
    reference "IEEE 802.1X-2020 Clause 12.3";
  }
  leaf port-valid {
    type boolean;
    config false;
    description "Set if Controlled Port communication is secured as specified by the MACsec control macsecProtect.";
    reference "IEEE 802.1X-2020 Clause 12.3";
  }
  // Per-session audit trail (config false). 'user-name' is identity data;
  // when this tree is exposed over NETCONF/RESTCONF, restrict read access to
  // it (e.g. with NACM rules) as for any other identity-bearing data.
  list session-statistics {
    key "session-id";
    config false;
    description "Contains operational state nodes associated with the session statistics.";
    leaf session-id {
      type dot1x-types:pae-session-id;
      description "Key into list of session statistics.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf user-name {
      type dot1x-types:pae-session-user-name;
      description "User name of the session.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf octets-rx {
      type yang:counter64;
      description "The number of octets received in this session of this PAE.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf octets-tx {
      type yang:counter64;
      description "The number of octets transmitted in this session of this PAE.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf frames-rx {
      type yang:counter64;
      description "The number of packets received in this session of this PAE.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf frames-tx {
      type yang:counter64;
      description "The number of packets transmitted in this session of this PAE.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    leaf time {
      type uint32;
      units "seconds";
      description "Session Time. 
The duration of the session in seconds.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
    // Why a session ended. Sessions ending with eapol_logoff_rx were torn down
    // by a received frame; an unusual rate of those is worth correlating with
    // eapol-logoff-frames-rx and last-eapol-frame-source above.
    // NOTE(review): the enum names mix '_' and '-' ("mka-failure_termination",
    // "new_session-beginning"). The enum name is the value carried in instance
    // data, so renaming would be an interface change; flagged, not fixed.
    leaf terminate-cause {
      type enumeration {
        enum "common_port_MAC_operational_false" {
          value 0;
          description "Common Port for this PAE is not operational.";
        }
        enum "system_access_control_disabled" {
          value 1;
          description "The system-access-control node of the pae-system is disabled or initialization process of this PAE is invoked.";
        }
        enum "eapol_logoff_rx" {
          value 2;
          description "The PAE has received EAPOL-Logoff frame.";
        }
        enum "eap_reauthentication_failure" {
          value 3;
          description "EAP reauthentication has failed.";
        }
        enum "mka-failure_termination" {
          value 4;
          description "MKA failure or other MKA termination.";
        }
        enum "new_session-beginning" {
          value 5;
          description "New session beginning.";
        }
        enum "not_terminated_yet" {
          value 6;
          description "Not Terminated Yet.";
        }
      }
      description "The reason for the session termination.";
      reference "IEEE 802.1X-2020 Clause 12.5.1";
    }
  } // list session-statistics
} // container logon-process
} // container pae
}

// System-wide NID group, reusing the same nid-group grouping as the per-port
// 'announce' list above.
container nid-group {
  description "Contains both configuration and operational state nodes associated with the PAE NID group.";
  uses nid-group;
} // container nid-group
} // module ieee802-dot1x