1-- ********************************************************************* 2-- CISCO-AAA-SERVER-EXT-MIB.my: AAA Server Extension MIB 3-- 4-- November 2003, Sanjeev C Joshi 5-- July 2004, Charuhas Ghatge 6-- May 2005, Vijay J. 7-- Copyright (c) 2003,2004,2005 by cisco Systems, Inc. 8-- All rights reserved. 9-- 10-- ********************************************************************* 11 12CISCO-AAA-SERVER-EXT-MIB DEFINITIONS ::= BEGIN 13 14IMPORTS 15 MODULE-IDENTITY, 16 OBJECT-TYPE, 17 Unsigned32 18 FROM SNMPv2-SMI 19 InetAddressType, 20 InetAddress 21 FROM INET-ADDRESS-MIB 22 MODULE-COMPLIANCE, OBJECT-GROUP 23 FROM SNMPv2-CONF 24 RowStatus, 25 TruthValue, 26 TEXTUAL-CONVENTION, 27 DisplayString 28 FROM SNMPv2-TC 29 SnmpAdminString 30 FROM SNMP-FRAMEWORK-MIB 31 ciscoMgmt 32 FROM CISCO-SMI 33 casConfigEntry, 34 CiscoAAAProtocol 35 FROM CISCO-AAA-SERVER-MIB 36 TimeIntervalMin, 37 TimeIntervalSec 38 FROM CISCO-TC; 39 40ciscoAAAServerExtMIB MODULE-IDENTITY 41 LAST-UPDATED "200505230000Z" 42 ORGANIZATION "Cisco Systems, Inc." 43 CONTACT-INFO 44 " Cisco Systems 45 Customer Service 46 47 Postal: 170 W Tasman Drive 48 San Jose, CA 95134 49 USA 50 51 Tel: +1 800 553-NETS 52 53 E-mail: cs-aaa@cisco.com" 54 DESCRIPTION 55 "This MIB is an extension to the CISCO-AAA-SERVER-MIB. 56 This MIB module enhances the 'casConfigTable' to 57 include other types of Server addresses. 58 This also provides management of : 59 - Generic configurations as applied on the AAA 60 module. 61 - Global configuration settings, i.e., settings for 62 all the AAA Servers instrumented in one instance 63 of this MIB. 64 - Server Group configuration 65 - Application-to-AAA Function-to-Server Group 66 mapping configuration." 67 REVISION "200505230000Z" 68 DESCRIPTION 69 " - Added notConfigured(3) enumeration 70 to CiscoAAAServerKeyEncrType TC. 71 - Added cAAALoginAuthTypeMSCHAP 72 under cAAASvrExtGenericConfig. 73 - Added cAAAServerProtoDirectedReq in 74 cAAASvrExtProtocolParamTable. 
75 - Added cAAASvrGrpConfigDeadTime in 76 cAAASvrExtSvrGrpConfigTable. 77 - Added following objects in cAAASvrExtConfigTable. 78 cAAAServerRootDN 79 cAAAServerIdleTime 80 cAAAServerTestUser 81 cAAAServerTestPassword 82 - Added cAAASvrExtSvrGrpLDAPConfigTable." 83 REVISION "200505090000Z" 84 DESCRIPTION 85 "Added cAAASvrExtClearAccLog." 86 REVISION "200311140000Z" 87 DESCRIPTION 88 "Initial version of this MIB." 89 ::= { ciscoMgmt 367 } 90 91-- 92-- AAA Server MIB object definitions 93-- 94 95ciscoAAASvrExtMIBObjects OBJECT IDENTIFIER 96 ::= { ciscoAAAServerExtMIB 1 } 97ciscoAAASvrExtMIBConformance OBJECT IDENTIFIER 98 ::= { ciscoAAAServerExtMIB 2 } 99 100cAAASvrExtGenericConfig OBJECT IDENTIFIER 101 ::= { ciscoAAASvrExtMIBObjects 1 } 102cAAASvrExtSvrTableConfig OBJECT IDENTIFIER 103 ::= { ciscoAAASvrExtMIBObjects 2 } 104cAAASvrExtProtoParamConfig OBJECT IDENTIFIER 105 ::= { ciscoAAASvrExtMIBObjects 3 } 106cAAASvrExtSvrGrpConfig OBJECT IDENTIFIER 107 ::= { ciscoAAASvrExtMIBObjects 4 } 108cAAASvrExtAppSvrGrpMapConfig OBJECT IDENTIFIER 109 ::= { ciscoAAASvrExtMIBObjects 5 } 110 111-- 112-- Textual Conventions 113-- 114 115CiscoAAAServerKeyEncrType ::= TEXTUAL-CONVENTION 116 STATUS current 117 DESCRIPTION 118 "Encryption type used for the AAA Server auth key. 119 120 plain(1) - Key is in Plain Text. 121 encrypted(2) - Key is Encrypted. 122 notConfigured(3) - Key is not configured. 123 ." 124 SYNTAX INTEGER { 125 plain(1), 126 encrypted(2), 127 notConfigured(3) 128 } 129 130-- 131-- Generic configurations for AAA module - cAAASvrExtGenericConfig 132-- 133 134cAAASvrExtLocalAccLogMaxSize OBJECT-TYPE 135 SYNTAX Unsigned32 (0..100000000) 136 UNITS "bytes" 137 MAX-ACCESS read-write 138 STATUS current 139 DESCRIPTION 140 "The maximum size of the accounting log file in bytes. 141 The log file is stored on local persistent storage at the 142 device. If the size is set to a smaller value than the 143 existing one, then smaller log will be available for view 144 by the user." 
145 ::= { cAAASvrExtGenericConfig 1 } 146 147cAAASvrExtSvrGrpSvrListMaxEnt OBJECT-TYPE 148 SYNTAX Unsigned32 (1..64) 149 MAX-ACCESS read-only 150 STATUS current 151 DESCRIPTION 152 "The maximum number of AAA Server entries that 153 the agent supports within a Server Group. 154 This puts the restriction of number of AAA Servers 155 in the 'cAAAServerList' of 156 'cAAASvrExtSvrGrpConfigTable'." 157 ::= { cAAASvrExtGenericConfig 2 } 158 159cAAASvrExtAppToSvrGrpMaxEnt OBJECT-TYPE 160 SYNTAX Unsigned32 (0..64) 161 MAX-ACCESS read-only 162 STATUS current 163 DESCRIPTION 164 "The maximum number of Server Groups entries that 165 the agent supports for application type on per 166 AAA operation basis excluding the 'Local' and 'Trivial' 167 modes. 168 This puts the restriction of number of Server Groups 169 in the 'cAAASvrGrpList' of 170 'cAAASvrExtSerSvrGrpConfigTable'." 171 ::= { cAAASvrExtGenericConfig 3 } 172 173cAAASvrExtClearAccLog OBJECT-TYPE 174 SYNTAX INTEGER { 175 clear(1), 176 noOp(2) 177 } 178 MAX-ACCESS read-write 179 STATUS current 180 DESCRIPTION 181 "This object clears the accounting log, when set 182 to 'clear'. 183 No action is taken if this object is set to 'noOp'. 184 When read, the value 'noOp' is returned." 185 186 ::= { cAAASvrExtGenericConfig 4 } 187 188cAAALoginAuthTypeMSCHAP OBJECT-TYPE 189 SYNTAX TruthValue 190 MAX-ACCESS read-write 191 STATUS current 192 DESCRIPTION 193 "This indicates whether the MSCHAP authentication mechanism 194 should be used for authenticating the user through remote 195 AAA Server during login. 196 197 The value 'true(1)' indicates MSCHAP authentication 198 should be used. 199 200 The value 'false(2)' indicates that the default 201 authentication mechanism should be used. 202 203 The value of this object is used for authentication during 204 user's login only." 
205 DEFVAL { false } 206 ::= { cAAASvrExtGenericConfig 5 } 207 208-- 209-- Server Configuration Table cAAASvrExtSvrTableConfig 210-- 211 212cAAASvrExtConfigTable OBJECT-TYPE 213 SYNTAX SEQUENCE OF AAASvrExtEntry 214 MAX-ACCESS not-accessible 215 STATUS current 216 DESCRIPTION 217 "This table extends the 'casConfigTable' from 218 CISCO-AAA-SERVER-MIB to provide configuration 219 flexibility. 220 An entry cannot be created until at least one of the 221 following objects/object-set are instantiated : 222 - cAAAServerAddrType and cAAAServerAddr set 223 Or 224 - casAddress of casConfigTable 225 If both 'casAddress' and 'cAAAServerAddr'(along with 226 'cAAAServerAddrType') are set during the row creation, 227 the values need to be consistent. Else it results in 228 an error." 229 ::= { cAAASvrExtSvrTableConfig 1 } 230 231cAAASvrExtConfigEntry OBJECT-TYPE 232 SYNTAX AAASvrExtEntry 233 MAX-ACCESS not-accessible 234 STATUS current 235 DESCRIPTION 236 "An entry (conceptual row) in cAAASvrExtConfigTable." 237 AUGMENTS { casConfigEntry } 238 ::= { cAAASvrExtConfigTable 1} 239 240AAASvrExtEntry ::= 241 SEQUENCE { 242 cAAAServerAddrType InetAddressType, 243 cAAAServerAddr InetAddress, 244 cAAAServerKeyEncrType CiscoAAAServerKeyEncrType, 245 cAAAServerDeadTime TimeIntervalMin, 246 cAAAServerTimeOut TimeIntervalSec, 247 cAAAServerRetransmits Unsigned32, 248 cAAAServerRootDN SnmpAdminString, 249 cAAAServerIdleTime TimeIntervalMin, 250 cAAAServerTestUser SnmpAdminString, 251 cAAAServerTestPassword SnmpAdminString 252} 253 254cAAAServerAddrType OBJECT-TYPE 255 SYNTAX InetAddressType 256 MAX-ACCESS read-create 257 STATUS current 258 DESCRIPTION 259 "The type of address of the AAA Server as specified 260 by object 'cAAAServerAddr'. 261 If the user sets 'casAddress' column of the 262 'casConfigTable', then 'cAAAServerAddrType' is 263 appropriately filled by the agent. 264 If the user specifies a value other than 'ipv4', 265 then the 'casAddress' is set to zero-length string." 
266 DEFVAL { ipv4 } 267 ::= { cAAASvrExtConfigEntry 1 } 268 269cAAAServerAddr OBJECT-TYPE 270 SYNTAX InetAddress 271 MAX-ACCESS read-create 272 STATUS current 273 DESCRIPTION 274 "The address of the AAA Server. 275 If the users sets 'casAddress' column of the 276 'casConfigTable', then 'cAAAServerAddr' is 277 appropriately filled by the agent." 278 ::= { cAAASvrExtConfigEntry 2 } 279 280cAAAServerKeyEncrType OBJECT-TYPE 281 SYNTAX CiscoAAAServerKeyEncrType 282 MAX-ACCESS read-create 283 STATUS current 284 DESCRIPTION 285 "The encryption type of the corresponding instance 286 of the server key 'casKey' in the augmented row of 287 the 'casConfigTable'." 288 DEFVAL { plain } 289 ::= { cAAASvrExtConfigEntry 3 } 290 291cAAAServerDeadTime OBJECT-TYPE 292 SYNTAX TimeIntervalMin (0..1440) 293 UNITS "minutes" 294 MAX-ACCESS read-create 295 STATUS current 296 DESCRIPTION 297 "This indicates the length of time in minutes that the 298 system will mark the server dead when a AAA server does 299 not respond to an authentication request. During the 300 interval of the dead time, any authentication request 301 that comes up would not be sent to that AAA server that 302 was marked as dead. 303 This value overrides value set in the 304 'cAAAServerProtoDeadTime' of the 305 'cAAASvrExtProtocolParamTable' for this server. 306 If this value is zero, then the value set in the 307 'cAAAServerProtoDeadTime' is used." 308 DEFVAL { 0 } 309 ::= { cAAASvrExtConfigEntry 4 } 310 311cAAAServerTimeOut OBJECT-TYPE 312 SYNTAX TimeIntervalSec (0..1000) 313 UNITS "seconds" 314 MAX-ACCESS read-create 315 STATUS current 316 DESCRIPTION 317 "The time in seconds between retransmissions to 318 the AAA server.This value overrides value set in the 319 'cAAAServerProtoTimeOut' of the 320 'cAAASvrExtProtocolParamTable' for this server. 321 If this value is zero, then the value set in the 322 'cAAAServerProtoTimeOut' is used." 
323 DEFVAL { 0 } 324 ::= { cAAASvrExtConfigEntry 5 } 325 326cAAAServerRetransmits OBJECT-TYPE 327 SYNTAX Unsigned32 (0..100) 328 UNITS "retransmits" 329 MAX-ACCESS read-create 330 STATUS current 331 DESCRIPTION 332 "The additional number of times the AAA server should be 333 tried by the AAA client before giving up on the server. 334 This value overrides value set in the 335 'cAAAServerProtoTimeOut' of the 336 'cAAASvrExtProtocolParamTable' for this server. 337 If this value is zero, then the value set in the 338 'cAAAServerProtoRetransmits' is used." 339 DEFVAL { 0 } 340 ::= { cAAASvrExtConfigEntry 6 } 341 342cAAAServerRootDN OBJECT-TYPE 343 SYNTAX SnmpAdminString (SIZE(0..64)) 344 MAX-ACCESS read-create 345 STATUS current 346 DESCRIPTION 347 "This object specifies the root Distinguished Name 348 to be used in authenticating the access to LDAP 349 server database." 350 DEFVAL { "" } 351 ::= { cAAASvrExtConfigEntry 7 } 352 353cAAAServerIdleTime OBJECT-TYPE 354 SYNTAX TimeIntervalMin (0..1440) 355 UNITS "minutes" 356 MAX-ACCESS read-create 357 STATUS current 358 DESCRIPTION 359 "This indicates the time interval in minutes, at which the 360 system will periodically test the AAA Server by 361 sending test packets to the server. The default value 362 of 0 means that the AAA server will not be tested 363 periodically." 364 DEFVAL { 0 } 365 ::= { cAAASvrExtConfigEntry 8 } 366 367cAAAServerTestUser OBJECT-TYPE 368 SYNTAX SnmpAdminString (SIZE (1..32)) 369 MAX-ACCESS read-create 370 STATUS current 371 DESCRIPTION 372 "The username to be used in the test packets sent 373 to AAA Server to test if the Server responds to the 374 requests or not." 375 ::= { cAAASvrExtConfigEntry 9 } 376 377cAAAServerTestPassword OBJECT-TYPE 378 SYNTAX SnmpAdminString (SIZE (1..32)) 379 MAX-ACCESS read-create 380 STATUS current 381 DESCRIPTION 382 "The password to be used in test packets sent to AAA 383 Server to test if the Server responds to the 384 requests or not. 
385 386 A zero-length string is always returned when this 387 object is read." 388 ::= { cAAASvrExtConfigEntry 10 } 389 390-- 391-- AAA protocol parameter configuration - cAAASvrExtProtoParamConfig 392-- 393 394cAAASvrExtProtocolParamTable OBJECT-TYPE 395 SYNTAX SEQUENCE OF ProtocolParamEntry 396 MAX-ACCESS not-accessible 397 STATUS current 398 DESCRIPTION 399 "This table contains the per-protocol parameters for use by 400 all AAA Servers instrumented in one instance of this MIB." 401 ::= { cAAASvrExtProtoParamConfig 1 } 402 403 404cAAASvrExtProtocolParamEntry OBJECT-TYPE 405 SYNTAX ProtocolParamEntry 406 MAX-ACCESS not-accessible 407 STATUS current 408 DESCRIPTION 409 "An entry (conceptual row) in 410 'cAAASvrExtProtocolParamTable'. Each row of the 411 table indicates the protocol parameters setting 412 for a particular AAA protocol. New entries can 413 not be created. The existing rows can only be 414 modified." 415 INDEX { cAAAServerProtocol } 416 ::= { cAAASvrExtProtocolParamTable 1 } 417 418ProtocolParamEntry ::= 419 SEQUENCE { 420 cAAAServerProtocol CiscoAAAProtocol, 421 cAAAServerProtoAuthKey DisplayString, 422 cAAAServerProtoKeyEncrType CiscoAAAServerKeyEncrType, 423 cAAAServerProtoDeadTime TimeIntervalMin, 424 cAAAServerProtoTimeOut TimeIntervalSec, 425 cAAAServerProtoRetransmits Unsigned32, 426 cAAAServerProtoSvrTableMaxEnt Unsigned32, 427 cAAAServerProtoDirectedReq TruthValue 428 429} 430 431cAAAServerProtocol OBJECT-TYPE 432 SYNTAX CiscoAAAProtocol 433 MAX-ACCESS not-accessible 434 STATUS current 435 DESCRIPTION 436 "The AAA Protocol for which these settings are 437 being applied." 438 ::= { cAAASvrExtProtocolParamEntry 1 } 439 440cAAAServerProtoAuthKey OBJECT-TYPE 441 SYNTAX DisplayString 442 MAX-ACCESS read-write 443 STATUS current 444 DESCRIPTION 445 "The key used in encrypting the packets passed 446 between the AAA server and the client.This key 447 must match the one configured on the server. 448 This Object is similar to the 'caskey'. 
449 If the 'caskey' of the 'casConfigTable' is 450 administratively set to zero length string, 451 then this key used. 452 Retrieving the value of this object via SNMP will 453 always return an empty string for security reasons." 454 DEFVAL { "" } 455 ::= { cAAASvrExtProtocolParamEntry 2 } 456 457cAAAServerProtoKeyEncrType OBJECT-TYPE 458 SYNTAX CiscoAAAServerKeyEncrType 459 MAX-ACCESS read-write 460 STATUS current 461 DESCRIPTION 462 "The encryption type of the server key 463 'cAAAServerProtoAuthKey'." 464 DEFVAL { plain } 465 ::= { cAAASvrExtProtocolParamEntry 3 } 466 467cAAAServerProtoDeadTime OBJECT-TYPE 468 SYNTAX TimeIntervalMin (0..1440) 469 UNITS "minutes" 470 MAX-ACCESS read-write 471 STATUS current 472 DESCRIPTION 473 "The DeadTime setting for AAA Servers. 474 If 'cAAAServerDeadTime' of 'cAAASvrExtConfigTable' is zero, 475 this value is used. 476 This indicates the length of time in minutes that the 477 system will mark the server dead when a AAA server does 478 not respond to an authentication request. During the 479 interval of the dead time, any authentication request 480 that comes up would not be sent to that AAA server 481 that was marked as dead. The default value of 0 means 482 that the AAA servers will not be marked dead if they 483 do not respond." 484 DEFVAL { 0 } 485 ::= { cAAASvrExtProtocolParamEntry 4 } 486 487cAAAServerProtoTimeOut OBJECT-TYPE 488 SYNTAX TimeIntervalSec (1..1000) 489 UNITS "seconds" 490 MAX-ACCESS read-write 491 STATUS current 492 DESCRIPTION 493 "The time in seconds between retransmissions to 494 the AAA server. 495 If 'cAAAServerTimeOut' of 'cAAASvrExtConfigTable' is zero 496 , this value is used." 
497 DEFVAL { 1 } 498 ::= { cAAASvrExtProtocolParamEntry 5 } 499 500cAAAServerProtoRetransmits OBJECT-TYPE 501 SYNTAX Unsigned32 (0..100) 502 UNITS "retransmits" 503 MAX-ACCESS read-write 504 STATUS current 505 DESCRIPTION 506 "The additional number of times the AAA server should be 507 tried by the AAA client before giving up on the server. 508 If 'cAAAServerRetransmits' of 'cAAASvrExtConfigTable' is 509 zero, this value is used." 510 DEFVAL { 1 } 511 ::= { cAAASvrExtProtocolParamEntry 6 } 512 513cAAAServerProtoSvrTableMaxEnt OBJECT-TYPE 514 SYNTAX Unsigned32 (0..65536) 515 MAX-ACCESS read-only 516 STATUS current 517 DESCRIPTION 518 "Each instance of this object specifies the maximum 519 number of AAA server entries in the 'casConfigTable', 520 for a particular protocol." 521 ::= { cAAASvrExtProtocolParamEntry 7 } 522 523cAAAServerProtoDirectedReq OBJECT-TYPE 524 SYNTAX TruthValue 525 MAX-ACCESS read-write 526 STATUS current 527 DESCRIPTION 528 "This object is to specify whether a user could choose 529 a AAA server for authentication during login. 530 531 The value 'true(1)' indicates that a user can specify 532 the remote AAA server for authentication during login. 533 If the user specifies the login name as 534 'username@hostname', then the authentication request 535 will be sent to remote AAA server 'hostname' with 536 username as 'username'. An entry should exist in 537 cAAASvrExtConfigTable with 'cAAAServerAddr' value 538 'hostname'. The configuration in 539 cAAASvrExtAppSvrGrpConfigTable is not used, if the 540 specified remote AAA server fails to respond. 541 542 The value 'false(2)' indicates user cannot specify the 543 remote AAA server for authentication during login. 544 If user specifies the login name as 'username@hostname', 545 then the complete string will be treated as username and 546 the user will be authenticated as per configuration in 547 cAAASvrExtAppSvrGrpConfigTable." 
548 DEFVAL { false } 549 ::= { cAAASvrExtProtocolParamEntry 8 } 550 551-- 552-- Server Group Configuration Table - cAAASvrExtSvrGrpConfig 553-- 554 555cAAASvrExtSvrGrpConfigTable OBJECT-TYPE 556 SYNTAX SEQUENCE OF ServerGroupEntry 557 MAX-ACCESS not-accessible 558 STATUS current 559 DESCRIPTION 560 "A table consisting of entries for Server Groups. 561 A server group consists of a number of AAA servers 562 implementing the same AAA protocol. Multiple server 563 groups (usually one group for TACACS+ and one group 564 for RADIUS) can be used for the same service for 565 authentication, authorization and accounting purpose. 566 An entry cannot be created until following objects are 567 instantiated 568 - cAAASvrGrpName 569 - cAAASvrGrpProtocol 570 - cAAAServerList with at least one member 571 Note that an implementation may support any number of 572 permanent rows which cannot be deleted. These permanent 573 groups are system defined groups and not created by the 574 user." 575 ::= { cAAASvrExtSvrGrpConfig 1 } 576 577cAAASvrExtSvrGrpConfigEntry OBJECT-TYPE 578 SYNTAX ServerGroupEntry 579 MAX-ACCESS not-accessible 580 STATUS current 581 DESCRIPTION 582 "An entry (conceptual row) in the 583 cAAASvrExtSvrGrpConfigTable. " 584 INDEX { cAAASvrGrpIndex } 585 ::= { cAAASvrExtSvrGrpConfigTable 1} 586 587ServerGroupEntry ::= 588 SEQUENCE { 589 cAAASvrGrpIndex Unsigned32, 590 cAAASvrGrpName SnmpAdminString, 591 cAAASvrGrpProtocol CiscoAAAProtocol, 592 cAAAServerList OCTET STRING, 593 cAAASvrGrpConfigRowStatus RowStatus, 594 cAAASvrGrpConfigDeadTime TimeIntervalMin 595 596} 597 598cAAASvrGrpIndex OBJECT-TYPE 599 SYNTAX Unsigned32 (1..100) 600 MAX-ACCESS not-accessible 601 STATUS current 602 DESCRIPTION 603 "The index for each of the Server Group entries." 604 ::= { cAAASvrExtSvrGrpConfigEntry 1 } 605 606cAAASvrGrpName OBJECT-TYPE 607 SYNTAX SnmpAdminString (SIZE (1..64)) 608 MAX-ACCESS read-create 609 STATUS current 610 DESCRIPTION 611 "The name of the Server Group. 
The 'cAAASvrGrpName' 612 has to be specified by the user during the creation 613 of this row entry. 614 The cAAASvrGrpName can not be modified when 615 cAAASvrGrpConfigRowStatus is 'active'." 616 ::= { cAAASvrExtSvrGrpConfigEntry 2 } 617 618cAAASvrGrpProtocol OBJECT-TYPE 619 SYNTAX CiscoAAAProtocol 620 MAX-ACCESS read-create 621 STATUS current 622 DESCRIPTION 623 "The AAA Protocol to which this Server Group belongs to. 624 The cAAASvrGrpProtocol can not be modified when 625 cAAASvrGrpConfigRowStatus is 'active'." 626 DEFVAL {tacacsplus} 627 ::= { cAAASvrExtSvrGrpConfigEntry 3 } 628 629cAAAServerList OBJECT-TYPE 630 SYNTAX OCTET STRING (SIZE(4..256)) 631 MAX-ACCESS read-create 632 STATUS current 633 DESCRIPTION 634 "This represents ordered list of AAA Servers which form 635 this Server Group. 636 This object contains list of the AAA Servers as defined 637 in the 'casConfigTable'. 638 The value of this object is a concatenation of one or 639 more 4-octet strings, where each 4-octet string represents 640 a 32-bit 'casIndex' value of 'casConfigTable' in network 641 byte order. This Index along with the 'cAAASvrGrpProtocol' 642 that is set in the same row form the composite index in 643 the 'casConfigTable'. 644 The order in which servers occur within the value of this 645 object determines the Server priority in that group. The 646 first one will be 'Primary' and the rest are 'secondary' 647 ( others). 648 At least one index has to be provided when creating this 649 row. A Server Group can not exist without any members. 650 The maximum AAA Servers that can be specified is limited 651 by 'cAAASvrExtSvrGrpSvrListMaxEnt' value." 652 ::= { cAAASvrExtSvrGrpConfigEntry 4 } 653 654cAAASvrGrpConfigRowStatus OBJECT-TYPE 655 SYNTAX RowStatus 656 MAX-ACCESS read-create 657 STATUS current 658 DESCRIPTION 659 "The status of this conceptual row.This object can not 660 be set to 'active' unless the corresponding value of 661 'cAAASvrGrpName' is unique. 
Once value of this object 662 is set to 'active', the associated entry can not be 663 modified except destroyed by setting this object to 664 destroy(6)." 665 ::= { cAAASvrExtSvrGrpConfigEntry 5 } 666 667cAAASvrGrpConfigDeadTime OBJECT-TYPE 668 SYNTAX TimeIntervalMin (0..1440) 669 UNITS "minutes" 670 MAX-ACCESS read-create 671 STATUS current 672 DESCRIPTION 673 "The DeadTime setting for AAA Server Group. 674 This indicates the length of time in minutes that the 675 system will mark the server dead when a AAA server does 676 not respond to an authentication request. During the 677 interval of the dead time, any authentication request 678 that comes up would not be sent to that AAA server 679 that was marked as dead. The default value of 0 means 680 that the AAA servers will not be marked dead if they 681 do not respond." 682 DEFVAL { 0 } 683 ::= { cAAASvrExtSvrGrpConfigEntry 6 } 684 685-- 686-- AAA Server Group Configuration for LDAP Protocol. 687-- 688cAAASvrExtSvrGrpLDAPConfigTable OBJECT-TYPE 689 SYNTAX SEQUENCE OF CAAASvrExtSvrGrpLDAPConfigEntry 690 MAX-ACCESS not-accessible 691 STATUS current 692 DESCRIPTION 693 "This table is extension to cAAASvrExtSvrGrpConfigTable. 694 695 An entry will be created in this table 696 by the agent whenever an entry is created 697 in cAAASvrExtSvrGrpConfigTable with 698 cAAASvrGrpProtocol set to 'ldap'. 699 700 An entry will get destroyed by the agent 701 whenever corresponding entry in 702 cAAASvrExtSvrGrpConfigTable identified 703 by cAAASvrGrpIndex is destroyed. 704 705 The SNMP Manager can not create 706 or destroy entries in this table. 707 The SNMP Manager can modify columnar 708 objects in this table." 709 ::= { cAAASvrExtSvrGrpConfig 2 } 710 711cAAASvrExtSvrGrpLDAPConfigEntry OBJECT-TYPE 712 SYNTAX CAAASvrExtSvrGrpLDAPConfigEntry 713 MAX-ACCESS not-accessible 714 STATUS current 715 DESCRIPTION 716 "An entry in the table. 
Each entry corresponds 717 to LDAP server group identified by 718 a corresponding entry in cAAASvrExtSvrGrpConfigTable 719 with cAAASvrGrpProtocol value of 'ldap'. 720 Each entry contains information on LDAP Base 721 Distinguished Name, Filter and user profile." 722 INDEX { cAAASvrGrpIndex } 723 ::= { cAAASvrExtSvrGrpLDAPConfigTable 1} 724 725CAAASvrExtSvrGrpLDAPConfigEntry ::= 726 SEQUENCE { 727 cAAASvrGrpLDAPBaseDN SnmpAdminString, 728 cAAASvrGrpLDAPFilterUser SnmpAdminString, 729 cAAASvrGrpLDAPUserProfile SnmpAdminString 730} 731 732cAAASvrGrpLDAPBaseDN OBJECT-TYPE 733 SYNTAX SnmpAdminString (SIZE (0..64)) 734 MAX-ACCESS read-create 735 STATUS current 736 DESCRIPTION 737 "This object specifies the base entry in the 738 LDAP hierarchy where the LDAP server should begin 739 searching when it receives an authorization request." 740 DEFVAL { "" } 741 ::= { cAAASvrExtSvrGrpLDAPConfigEntry 1 } 742 743cAAASvrGrpLDAPFilterUser OBJECT-TYPE 744 SYNTAX SnmpAdminString (SIZE (0..128)) 745 MAX-ACCESS read-create 746 STATUS current 747 DESCRIPTION 748 "This object specifies the filter to be 749 used to search user entry in LDAP server 750 database." 751 REFERENCE 752 "RFC2254 - Section 3. LDAP Search Filter Definition." 753 DEFVAL { "" } 754 ::= { cAAASvrExtSvrGrpLDAPConfigEntry 2 } 755 756cAAASvrGrpLDAPUserProfile OBJECT-TYPE 757 SYNTAX SnmpAdminString (SIZE (0..64)) 758 MAX-ACCESS read-create 759 STATUS current 760 DESCRIPTION 761 "This object specifies the attribute type for 762 user profile private attribute. This attribute 763 is requested in search request to the LDAP server." 
764 DEFVAL { "" } 765 ::= { cAAASvrExtSvrGrpLDAPConfigEntry 3 } 766-- 767-- Application-Server Group mapping configuration 768-- cAAASvrExtAppSvrGrpMapConfig 769-- 770 771cAAASvrExtAppSvrGrpConfigTable OBJECT-TYPE 772 SYNTAX SEQUENCE OF AppSvrGrpEntry 773 MAX-ACCESS not-accessible 774 STATUS current 775 DESCRIPTION 776 "A table associating the AAA server groups for 777 specific AAA function for a given Application 778 and Application Sub-Type. If the device encounters 779 ERRORs from server(s) in first group of 780 'cAAASvrGrpList',it will try servers in next 781 server group. The order in which Server Groups occur 782 within the value of 'cAAASvrGrpList' decides the order 783 of trial for AAA function. 784 Similarly, within a server group, each server 785 in the group will be tried one by one until one 786 of them responds with either SUCCESS or FAIL. 787 In case all the Server Groups return ERROR, 788 'Local' mechanism ('cAAASvrGrpLocal') followed by 789 'Trivial' mechanism ('cAAASvrGrpTrivial') are tried, 790 if so configured." 791 ::= { cAAASvrExtAppSvrGrpMapConfig 1 } 792 793cAAASvrExtAppSvrGrpConfigEntry OBJECT-TYPE 794 SYNTAX AppSvrGrpEntry 795 MAX-ACCESS not-accessible 796 STATUS current 797 DESCRIPTION 798 "An entry (conceptual row) in the 799 cAAASvrExtSerSvrGrpConfigTable. 800 New entries can not be created. The existing 801 rows only can be modified." 
802 INDEX { cAAAApplicationType, 803 cAAAApplicationSubType, 804 cAAAFunction } 805 ::= { cAAASvrExtAppSvrGrpConfigTable 1} 806 807AppSvrGrpEntry ::= 808 SEQUENCE { 809 cAAAApplicationType INTEGER, 810 cAAAApplicationSubType INTEGER, 811 cAAAFunction INTEGER, 812 cAAASvrGrpLocal TruthValue, 813 cAAASvrGrpTrivial TruthValue, 814 cAAASvrGrpList OCTET STRING 815} 816 817cAAAApplicationType OBJECT-TYPE 818 SYNTAX INTEGER { 819 default (1), 820 login (2), 821 dhchap (3), 822 iSCSI (4) 823 } 824 MAX-ACCESS not-accessible 825 STATUS current 826 DESCRIPTION 827 "The Application type for which this AAA configuration 828 is applied. 829 Each of these applications uses AAA services on the device. 830 'login' application includes console, telnet and SSH based 831 login using the username and password. 832 DHCHAP (Diffie Hellman Challenge Handshake Authentication 833 Protocol) is a FC-SP compliant authentication protocol that 834 can be used for switch-to-switch, host-to-switch and 835 host-to-host authentication. DHCHAP is of the applications 836 for AAA. DH-CHAP is basically combination of bi-directional 837 CHAP authentication ([4]) with Diffie-Hellman exchange. 838 iSCSI (Small Computer Systems Interface over IP) is an SCSI 839 transport protocol for mapping of block-oriented storage 840 data over TCP/IP networks. 841 The 'default' application type indicates the default 842 configurations which can be used by all the applications, 843 unless overridden by specific application types." 844 REFERENCE 845 " - Fibre Channel Security Protocols (FC-SP) REV. 1.0, 846 T11 FC-SP Working Document T11/03-149v0.pdf 847 - Challenge Handshake Authentication Protocol (CHAP) 848 RFC 1994 849 - iSCSI Internet Draft 850 ." 851 ::= { cAAASvrExtAppSvrGrpConfigEntry 1 } 852 853cAAAApplicationSubType OBJECT-TYPE 854 SYNTAX INTEGER { 855 all (1), 856 console(2) 857 } 858 MAX-ACCESS not-accessible 859 STATUS current 860 DESCRIPTION 861 "The Application Sub-Type. 
This is very specific to 862 the application attached and indicates the 863 sub-application. 864 For 'login' application: 865 - If the 'cAAAApplicationSubType' is 'all', the 866 configuration appearing in the corresponding row 867 is used by all the 'login' applications. 868 - If the 'cAAAApplicationSubType' is 'console', 869 console login uses this configuration instead 870 of the 'all'. 871 For the 'dhchap' application, the only allowed 872 'cAAAApplicationSubType' is 'all'. This means, the 873 configuration appearing in the corresponding row is 874 used by all the 'dhchap' applications. 875 For the 'iSCSI' application, the only allowed 876 'cAAAApplicationSubType' is 'all'. This means, the 877 configuration appearing in the corresponding row is 878 used by all the iSCSI applications. 879 For the 'default' application, 880 - the allowed 'cAAAApplicationSubType' values are 881 'all' and 'console', when 'cAAAFunction' is 882 'authorization' 883 - the allowed 'cAAAApplicationSubType' value is 884 'all', when 'cAAAFunction' is 'accounting' 885 ." 886 ::= { cAAASvrExtAppSvrGrpConfigEntry 2 } 887 888cAAAFunction OBJECT-TYPE 889 SYNTAX INTEGER { 890 authentication (1), 891 authorization (2), 892 accounting (3) 893 } 894 MAX-ACCESS not-accessible 895 STATUS current 896 DESCRIPTION 897 "The AAA function to which this application 898 configuration row corresponds to." 899 ::= { cAAASvrExtAppSvrGrpConfigEntry 3 } 900 901cAAASvrGrpLocal OBJECT-TYPE 902 SYNTAX TruthValue 903 MAX-ACCESS read-write 904 STATUS current 905 DESCRIPTION 906 "The value 'true(1)' indicates 'Local' AAA 907 is allowed. 908 The value 'false(2)' indicates 'Local' AAA 909 is not allowed. 910 'Local' AAA is used only after trying all the Server 911 Groups in the 'cAAASvrGrpList'. 912 The 'Local' AAA means all the AAA functions 913 are performed using the local AAA Service 914 provided in the Device. 
915 916 The value of this object can not be set to 'false' 917 in the following conditions : 918 - 'cAAAApplicationType' is 'default' and 'cAAAFuction' 919 is 'authentication' or 'accounting' 920 921 and 922 923 - value of corresponding instance of 924 'cAAASvrGrpTrivial' is 'false' and no server groups 925 configured in the value of the corresponding instance 926 of 'cAAASvrGrpList' 927 928 The value of this object can not be set to 'true' 929 if the 'cAAAFuction' value is 'authorization'." 930 ::= { cAAASvrExtAppSvrGrpConfigEntry 4 } 931 932cAAASvrGrpTrivial OBJECT-TYPE 933 SYNTAX TruthValue 934 MAX-ACCESS read-write 935 STATUS current 936 DESCRIPTION 937 "The value 'true(1)' indicates 'Trivial' AAA 938 is allowed. 939 The value 'false(2)' indicates 'Trivial' AAA 940 is not allowed. 941 'Trivial' AAA is used only after trying all the Server 942 Groups in the 'cAAASvrGrpList' and 'Local' AAA 943 (if configured). 944 Trivial AAA corresponds to one of the following 945 based on the value of corresponding instance of 946 'AAAFunction': 947 - User name based authentication, if 'cAAAFunction' 948 value is 'authentication' 949 - No Authorization check, if 'cAAAFunction' 950 value is 'authorization' 951 - No accounting, if 'cAAAFunction' 952 value is 'accounting' 953 954 The value of this object can not be set to 'false' 955 in the following conditions : 956 - 'cAAAApplicationSubType' is 'all' and 'cAAAFuction' 957 is 'authorization' 958 959 and 960 961 - value of corresponding instance of 'cAAASvrGrpLocal' 962 is 'false' and no server groups configured in the 963 value of the corresponding instance of 'cAAASvrGrpList' 964 965 The value of this object can not be set to 'true' 966 in the following conditions : 967 - when 'cAAAApplicationType' is 'iSCSI' , 968 'cAAAApplicationSubType' is 'all' and 969 'cAAAFuction' is 'authentication' 970 971 - when 'cAAAApplicationType' is 'dhchap' , 972 'cAAAApplicationSubType' is 'all' and 973 'cAAAFuction' is 'authentication' 974 ." 
975 ::= { cAAASvrExtAppSvrGrpConfigEntry 5 } 976 977cAAASvrGrpList OBJECT-TYPE 978 SYNTAX OCTET STRING (SIZE(0..256)) 979 MAX-ACCESS read-write 980 STATUS current 981 DESCRIPTION 982 "This represents ordered list of AAA Server Groups that are 983 configured for this application to perform AAA functions. 984 This object contains list of the AAA Server Groups as 985 defined in the 'cAAASvrExtSvrGrpConfigTable'. 986 The value of this object is a concatenation of zero or 987 more 4-octet strings, where each 4-octet string represents 988 a 32-bit 'cAAASvrGrpIndex' value of server group 989 ('cAAASvrExtSvrGrpConfigTable') in network byte order. 990 The order in which Server Groups occur within the value of 991 this object determines the Server Group priority in the 992 list. 993 The maximum number of Server Groups that can be 994 specified in this row is limited by 995 'cAAASvrExtAppToSvrGrpMaxEnt' value." 996 ::= { cAAASvrExtAppSvrGrpConfigEntry 6 } 997-- 998-- Conformance 999-- 1000 1001ciscoAAASvrExtMIBCompliances OBJECT IDENTIFIER 1002 ::= { ciscoAAASvrExtMIBConformance 1 } 1003ciscoAAASvrExtMIBGroups OBJECT IDENTIFIER 1004 ::= { ciscoAAASvrExtMIBConformance 2 } 1005 1006ciscoAAAServerMIBCompliance MODULE-COMPLIANCE 1007 STATUS deprecated -- superceede by 1008 -- ciscoAAAServerMIBCompliance1 1009 DESCRIPTION 1010 "The compliance statement for entities which implement the 1011 CISCO-AAA-SERVER-EXT-MIB." 1012 MODULE 1013 MANDATORY-GROUPS { cAAASvrExtGenericConfGroup, 1014 cAAASvrExtSvrTableConfGroup, 1015 cAAASvrExtProtoParamConfigGroup } 1016 GROUP cAAASvrExtSvrGroupConfGroup 1017 DESCRIPTION 1018 "This group is required only if the Server Group 1019 configuration is implemented by the agent." 1020 GROUP cAAASvrExtAppSvrGroupConfGroup 1021 DESCRIPTION 1022 "This group is required only if the Server Group 1023 and application-to-server group mapping configuration 1024 is implemented by the agent." 
    ::= { ciscoAAASvrExtMIBCompliances 1 }

ciscoAAAServerMIBCompliance1 MODULE-COMPLIANCE
    STATUS deprecated -- superseded by
                      -- ciscoAAAServerMIBCompliance2

    DESCRIPTION
        "The compliance statement for entities which implement the
        CISCO-AAA-SERVER-EXT-MIB."
    MODULE
        MANDATORY-GROUPS { cAAASvrExtGenericConfGroup1,
                           cAAASvrExtSvrTableConfGroup,
                           cAAASvrExtProtoParamConfigGroup }
        GROUP cAAASvrExtSvrGroupConfGroup
        DESCRIPTION
            "This group is required only if the Server Group
            configuration is implemented by the agent."
        GROUP cAAASvrExtAppSvrGroupConfGroup
        DESCRIPTION
            "This group is required only if the Server Group
            and application-to-server group mapping configuration
            is implemented by the agent."
    ::= { ciscoAAASvrExtMIBCompliances 2 }

ciscoAAAServerMIBCompliance2 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for entities which implement the
        CISCO-AAA-SERVER-EXT-MIB."
    MODULE
        MANDATORY-GROUPS { cAAASvrExtGenericConfGroup1,
                           cAAASvrExtSvrTableConfGroup,
                           cAAASvrExtProtoParamConfigGroup1 }
        GROUP cAAASvrExtSvrGroupConfGroup2
        DESCRIPTION
            "This group is required only if the Server Group
            configuration is implemented by the agent."
        GROUP cAAASvrExtAppSvrGroupConfGroup
        DESCRIPTION
            "This group is required only if the Server Group
            and application-to-server group mapping configuration
            is implemented by the agent."
        GROUP cAAASvrExtSvrTableLDAPConfGroup
        DESCRIPTION
            "This group is required only if AAA is
            supported using the LDAP protocol."
        GROUP cAAASvrExtSvrGroupLDAPConfGroup
        DESCRIPTION
            "This group is required only if AAA is
            supported using the LDAP protocol."
        GROUP cAAASvrExtSvrMonitorConfGroup
        DESCRIPTION
            "This group is required only if the Server Monitoring
            configuration is implemented by the agent."
        GROUP cAAASvrExtGenericConfGroup2
        DESCRIPTION
            "This group is required only if MSCHAP authentication
            can be enabled/disabled."
    ::= { ciscoAAASvrExtMIBCompliances 3 }

--
-- Units of Conformance
--

cAAASvrExtGenericConfGroup OBJECT-GROUP
    OBJECTS { cAAASvrExtLocalAccLogMaxSize }
    STATUS deprecated -- superseded by
                      -- cAAASvrExtGenericConfGroup1
    DESCRIPTION
        "A collection of objects for Generic configuration."
    ::= { ciscoAAASvrExtMIBGroups 1 }

cAAASvrExtSvrTableConfGroup OBJECT-GROUP
    OBJECTS { cAAAServerAddrType,
              cAAAServerAddr,
              cAAAServerKeyEncrType,
              cAAAServerDeadTime,
              cAAAServerTimeOut,
              cAAAServerRetransmits }
    STATUS current
    DESCRIPTION
        "A collection of objects for AAA Server configuration."
    ::= { ciscoAAASvrExtMIBGroups 2 }

cAAASvrExtProtoParamConfigGroup OBJECT-GROUP
    OBJECTS { cAAAServerProtoAuthKey,
              cAAAServerProtoKeyEncrType,
              cAAAServerProtoDeadTime,
              cAAAServerProtoTimeOut,
              cAAAServerProtoRetransmits,
              cAAAServerProtoSvrTableMaxEnt
            }
    STATUS deprecated -- replaced by
                      -- cAAASvrExtProtoParamConfigGroup1
    DESCRIPTION
        "A collection of objects for AAA per-protocol parameter
        configuration."
    ::= { ciscoAAASvrExtMIBGroups 3 }

cAAASvrExtSvrGroupConfGroup OBJECT-GROUP
    OBJECTS { cAAASvrGrpName,
              cAAASvrGrpProtocol,
              cAAAServerList,
              cAAASvrGrpConfigRowStatus,
              cAAASvrExtSvrGrpSvrListMaxEnt }
    STATUS deprecated
    DESCRIPTION
        "A collection of objects for AAA Server Group
        configuration."
    ::= { ciscoAAASvrExtMIBGroups 4 }

cAAASvrExtAppSvrGroupConfGroup OBJECT-GROUP
    OBJECTS { cAAASvrGrpLocal,
              cAAASvrGrpTrivial,
              cAAASvrGrpList,
              cAAASvrExtAppToSvrGrpMaxEnt }
    STATUS current
    DESCRIPTION
        "A collection of objects for Application-to-Server
        Group mapping configuration."
    ::= { ciscoAAASvrExtMIBGroups 5 }

cAAASvrExtGenericConfGroup1 OBJECT-GROUP
    OBJECTS { cAAASvrExtLocalAccLogMaxSize,
              cAAASvrExtClearAccLog }
    STATUS current
    DESCRIPTION
        "A collection of objects for Generic configuration."
    ::= { ciscoAAASvrExtMIBGroups 6 }

cAAASvrExtGenericConfGroup2 OBJECT-GROUP
    OBJECTS { cAAALoginAuthTypeMSCHAP }
    STATUS current
    DESCRIPTION
        "A collection of objects for Generic configuration."
    ::= { ciscoAAASvrExtMIBGroups 7 }

cAAASvrExtSvrGroupConfGroup2 OBJECT-GROUP
    OBJECTS { cAAASvrGrpName,
              cAAASvrGrpProtocol,
              cAAAServerList,
              cAAASvrGrpConfigRowStatus,
              cAAASvrExtSvrGrpSvrListMaxEnt,
              cAAASvrGrpConfigDeadTime
            }
    STATUS current
    DESCRIPTION
        "A collection of objects for AAA Server Group
        configuration."
    ::= { ciscoAAASvrExtMIBGroups 8 }

cAAASvrExtProtoParamConfigGroup1 OBJECT-GROUP
    OBJECTS { cAAAServerProtoAuthKey,
              cAAAServerProtoKeyEncrType,
              cAAAServerProtoDeadTime,
              cAAAServerProtoTimeOut,
              cAAAServerProtoRetransmits,
              cAAAServerProtoSvrTableMaxEnt,
              cAAAServerProtoDirectedReq
            }
    STATUS current
    DESCRIPTION
        "A collection of objects for AAA per-protocol parameter
        configuration."
    ::= { ciscoAAASvrExtMIBGroups 9 }

cAAASvrExtSvrTableLDAPConfGroup OBJECT-GROUP
    OBJECTS {
              cAAAServerRootDN
            }
    STATUS current
    DESCRIPTION
        "A collection of objects for an AAA Server using the
        LDAP protocol."
    ::= { ciscoAAASvrExtMIBGroups 10 }

cAAASvrExtSvrGroupLDAPConfGroup OBJECT-GROUP
    OBJECTS {
              cAAASvrGrpLDAPBaseDN,
              cAAASvrGrpLDAPFilterUser,
              cAAASvrGrpLDAPUserProfile
            }
    STATUS current
    DESCRIPTION
        "A collection of objects for LDAP Server Group
        configuration."
    ::= { ciscoAAASvrExtMIBGroups 11 }

cAAASvrExtSvrMonitorConfGroup OBJECT-GROUP
    OBJECTS {
              cAAAServerIdleTime,
              cAAAServerTestUser,
              cAAAServerTestPassword
            }
    STATUS current
    DESCRIPTION
        "A collection of objects for configuring AAA Server
        monitoring."
    ::= { ciscoAAASvrExtMIBGroups 12 }

END
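As an added example (not part of the MIB and not Cisco code), the Python below encodes and decodes a cAAASvrGrpList value exactly as its DESCRIPTION specifies (a concatenation of 4-octet, network-byte-order cAAASvrGrpIndex values, at most 256 octets) and expresses the set-time constraints given in the cAAASvrGrpLocal and cAAASvrGrpTrivial descriptions as checks a management script can run before issuing an SNMP SET. The function names, the `max_entries` parameter standing in for cAAASvrExtAppToSvrGrpMaxEnt, and the sample group indices are assumptions made for the example.

```python
"""Helpers for the cAAASvrExtAppSvrGrpConfigTable objects of
CISCO-AAA-SERVER-EXT-MIB.  Added example; the MIB itself carries no code.
"""
import struct

MAX_OCTETS = 256        # SIZE(0..256) in the SYNTAX of cAAASvrGrpList
GRP_INDEX_FMT = "!I"    # one 32-bit cAAASvrGrpIndex, network byte order


def decode_svr_grp_list(octets: bytes) -> list:
    """Return the cAAASvrGrpIndex values in priority order.

    Rejects values the MIB does not allow: longer than 256 octets or
    not a whole number of 4-octet entries.
    """
    if len(octets) > MAX_OCTETS:
        raise ValueError(f"cAAASvrGrpList exceeds {MAX_OCTETS} octets")
    if len(octets) % 4:
        raise ValueError("cAAASvrGrpList length is not a multiple of 4")
    return [idx for (idx,) in struct.iter_unpack(GRP_INDEX_FMT, octets)]


def encode_svr_grp_list(indices, max_entries: int) -> bytes:
    """Build a cAAASvrGrpList value from group indices in priority order.

    `max_entries` is an assumed stand-in for the agent's
    cAAASvrExtAppToSvrGrpMaxEnt value, which caps the row.
    """
    indices = list(indices)
    if len(indices) > max_entries:
        raise ValueError(f"more than {max_entries} server groups")
    for idx in indices:
        if not 0 <= idx <= 0xFFFFFFFF:
            raise ValueError(f"cAAASvrGrpIndex {idx} does not fit 32 bits")
    return b"".join(struct.pack(GRP_INDEX_FMT, idx) for idx in indices)


def local_set_error(new_value, app_type, function, trivial, grp_list):
    """Reason a SET of cAAASvrGrpLocal to `new_value` would be rejected
    per the object's DESCRIPTION, or None if the SET is permitted."""
    groups = decode_svr_grp_list(grp_list)
    if new_value is False:
        # Both bullets of the 'cannot be set to false' rule must hold:
        # default application doing authentication/accounting, with no
        # trivial fallback and no server groups configured.
        if (app_type == "default"
                and function in ("authentication", "accounting")
                and trivial is False and not groups):
            return "no AAA path left: trivial disabled and no server groups"
    elif function == "authorization":
        return "local AAA cannot be enabled for authorization"
    return None


def trivial_set_error(new_value, app_type, app_subtype, function,
                      local, grp_list):
    """Reason a SET of cAAASvrGrpTrivial to `new_value` would be rejected
    per the object's DESCRIPTION, or None if the SET is permitted."""
    groups = decode_svr_grp_list(grp_list)
    if new_value is False:
        if (app_subtype == "all" and function == "authorization"
                and local is False and not groups):
            return "no AAA path left: local disabled and no server groups"
    else:
        # Trivial authentication is user-name only, so the MIB forbids
        # enabling it for iSCSI and DH-CHAP with sub-type 'all'.
        if (app_type in ("iSCSI", "dhchap") and app_subtype == "all"
                and function == "authentication"):
            return f"trivial authentication not permitted for {app_type}"
    return None


if __name__ == "__main__":
    # Constructed sample: groups 3, 1 and 7 in priority order.
    value = encode_svr_grp_list([3, 1, 7], max_entries=8)
    print(value.hex(), decode_svr_grp_list(value))
    print(local_set_error(False, "default", "authentication", False, b""))
```

The two `*_set_error` helpers mirror the agent-side consistency rules, so a script can refuse to push a SET that would leave an application with no authentication path or that would enable user-name-only authentication where the MIB disallows it.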