Model for managing 8021X. Augments the OpenConfig models for wired interfaces and wireless SSIDs for configuration and state.
Version: 2020-01-28
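module openconfig-if-8021x {

  yang-version 1;

  namespace "http://openconfig.net/yang/interfaces/8021x";
  prefix oc-1x;

  // oc-yang supplies mac-address, oc-vlan-types supplies vlan-id, oc-ext
  // supplies the openconfig-version extension; oc-if, oc-eth and oc-vlan
  // name the augment targets at the bottom of this module.
  import openconfig-yang-types { prefix oc-yang; }
  import openconfig-extensions { prefix oc-ext; }
  import openconfig-interfaces { prefix oc-if; }
  import openconfig-if-ethernet { prefix oc-eth; }
  import openconfig-vlan { prefix oc-vlan; }
  import openconfig-vlan-types { prefix oc-vlan-types; }

  organization "OpenConfig working group";

  contact
    "OpenConfig working group
    netopenconfig@googlegroups.com";

  description
    "Model for managing 8021X. Augments the OpenConfig models for wired
    interfaces and wireless SSIDs for configuration and state.";

  revision "2020-01-28" {
    description
      "Initial draft of model, including only the most common 802.1X
      configuration and state use-cases.";
    reference "0.0.1";
  }
  // TODO(review): the union reordering in server-fail-vlan / auth-fail-vlan
  // below changes the canonical interpretation of numeric values; record it
  // in a new revision entry (date placeholder: YYYY-MM-DD) and bump
  // openconfig-version when merged.

  oc-ext:openconfig-version "0.0.1";

  // Leaves shared by the config and state containers of each vlan-map entry.
  grouping vlan-map-config {
    description
      "Configuration data for mapping from VLAN name to VLAN id.";

    leaf vlan-name {
      type string;
      mandatory true;
      description
        "The VLAN name to be mapped to the VLAN id.";
    }

    leaf id {
      type oc-vlan-types:vlan-id;
      mandatory true;
      description
        "The VLAN id to be mapped to the VLAN name.";
    }
  } // grouping vlan-map-config

  // Per-port authenticator settings; reused for both config and state.
  grouping dot1x-port-config {
    description
      "802.1X port-based configuration.";

    leaf authenticate-port {
      type boolean;
      description
        "Enable 802.1X port control on an interface.";
    }

    leaf host-mode {
      type enumeration {
        enum "SINGLE_HOST" {
          value 0;
          description
            "Only a single supplicant can communicate through the port. If
            the supplicant logs off or the port state is changed, the port
            becomes unauthenticated.";
        }
        // In MULTI_HOST the port is opened on the strength of the first
        // supplicant's authentication; every later host on the port inherits
        // that authorization. MULTI_DOMAIN authenticates each client.
        enum "MULTI_HOST" {
          value 1;
          description
            "Multiple hosts can communicate over a single port. Only the
            first supplicant is authenticated while subsequent hosts have
            network access without having to authenticate.";
        }
        enum "MULTI_DOMAIN" {
          value 2;
          description
            "Allows for authentication of multiple clients individually on
            one authenticator port.";
        }
      }
      description
        "Allow for single or multiple hosts to communicate through an
        802.1X controlled port.";
    }

    leaf reauthenticate-interval {
      type uint16;
      units "seconds";
      description
        "Enable periodic re-authentication of the device connected to this
        port. Setting a value of 0 disables reauthentication on this port.";
    }

    leaf retransmit-interval {
      type uint16;
      units "seconds";
      description
        "How long the interface waits for a response from an EAPoL Start
        before restarting 802.1X authentication on the port.";
    }

    leaf supplicant-timeout {
      type uint16;
      units "seconds";
      description
        "Time to wait for a response from the supplicant before restarting
        the 802.1X authentication process.";
    }

    leaf max-requests {
      type uint16;
      description
        "Maximum number of times an EAPoL request packet is retransmitted
        to the supplicant before the authentication session fails.";
    }

    // Fallback VLANs. YANG validates union member types in the order they
    // are listed, so vlan-id is placed before string: a numeric value is
    // then interpreted as a VLAN id (and range-checked against vlan-id)
    // instead of being matched by the catch-all string member first.
    leaf server-fail-vlan {
      type union {
        type oc-vlan-types:vlan-id;
        type string;
      }
      description
        "If RADIUS is unresponsive, the supplicant shall be placed in this
        VLAN. If this VLAN is configured as a VLAN name, the vlan-map must
        be populated for the Authenticator to map this VLAN name to a
        VLAN id.";
    }

    leaf auth-fail-vlan {
      type union {
        type oc-vlan-types:vlan-id;
        type string;
      }
      description
        "Upon failure to authenticate, the port is set to this VLAN. If this
        VLAN is configured as a VLAN name, the vlan-map must be populated
        for the Authenticator to map this VLAN name to a VLAN id.";
    }
  } // grouping dot1x-port-config

  // Name-to-id table consulted for VLAN names received from RADIUS and for
  // the server-fail-vlan / auth-fail-vlan leaves when given as names.
  grouping vlan-map-top {
    description
      "Top-level grouping for vlan-map configuration and operational state
      data.";

    container dot1x-vlan-map {
      description
        "Enclosing container for mapping a VLAN name to VLAN id.";

      list vlan-name {
        key "vlan-name";
        description
          "A list of mappings from VLAN name to VLAN id. Entries in this
          list are utilized for DVA using a VLAN name; e.g. when RADIUS
          returns a VLAN name as the tunnel-private-group-id.";
        reference
          "RFC 2868: RADIUS Attributes for Tunnel Protocol Support";

        leaf vlan-name {
          type leafref {
            path "../config/vlan-name";
          }
          description
            "References the configured VLAN name";
        }

        container config {
          description
            "Configuration data for each configured VLAN name in the VLAN
            ID to VLAN name mapping";
          uses vlan-map-config;
        } // container config

        container state {
          config false;
          description
            "Operational state data for each VLAN id to VLAN name mapping.";
          uses vlan-map-config;
        } // container state
      } // list vlan-name
    } // container dot1x-vlan-map
  } // grouping vlan-map-top

  // Read-only list of sessions the authenticator currently knows about,
  // keyed by the supplicant's MAC address.
  grouping dot1x-sessions-top {
    description
      "Top-level grouping for 802.1X sessions.";

    container authenticated-sessions {
      description
        "Top level container for authenticated sessions state data.";

      list authenticated-session {
        key "mac";
        config false;
        description
          "The list of authenticated sessions on this device.";

        leaf mac {
          type leafref {
            path "../state/mac";
          }
          description
            "Device MAC address.";
        }

        container state {
          config false;
          description
            "Top level state container for 802.1X.";

          leaf mac {
            type oc-yang:mac-address;
            description
              "Device MAC address.";
          }

          uses dot1x-sessions-state;
        } // container state
      } // list authenticated-session
    } // container authenticated-sessions
  } // grouping dot1x-sessions-top

  grouping dot1x-sessions-state {
    description
      "Grouping for 802.1X sessions State data.";

    leaf session-id {
      type string;
      description
        "The locally-significant session id which this authenticated
        session applies to. Typically used for RADIUS accounting or other
        system level telemetry.";
    }

    leaf status {
      type enumeration {
        enum "AUTHENTICATED" {
          value 0;
          description
            "The session has successfully completed one of the
            authentication methods allowed on the port.";
        }
        enum "AUTHENTICATING" {
          value 1;
          description
            "The session is in the process of authenticating.";
        }
        enum "FAILED_AUTHENTICATION" {
          value 2;
          description
            "An authentication has been attempted for this session, and has
            failed.";
        }
        enum "SUPPLICANT_TIMEOUT" {
          value 3;
          description
            "An authentication has been attempted for this session, however
            the supplicant has not responded. This is likely due to the
            attached device's lack of 802.1X support.";
        }
      }
      description
        "The status of the 802.1X session for a device.";
    }
  } // grouping dot1x-sessions-state

  // Per-interface 802.1X subtree: config/state pair plus the session list.
  grouping dot1x-top {
    description
      "Top-level grouping for 802.1X configuration and operational state
      data.";

    container dot1x {
      description
        "Top level container for 802.1X configuration and state data.";

      container config {
        description
          "Top level configuration container for 802.1X.";
        uses dot1x-port-config;
      } // container config

      container state {
        config false;
        description
          "Top level state container for 802.1X.";
        uses dot1x-port-config;
      } // container state
    } // container dot1x

    uses dot1x-sessions-top;
  } // grouping dot1x-top

  augment /oc-if:interfaces/oc-if:interface/oc-eth:ethernet {
    description
      "Adds 802.1X settings to individual Ethernet interfaces";
    uses dot1x-top;
  }

  augment /oc-if:interfaces/oc-if:interface/oc-eth:ethernet/oc-vlan:switched-vlan {
    description
      "Adds vlan-map to switched-vlans.";
    uses vlan-map-top;
  }
} // module openconfig-if-8021x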