-- *****************************************************************
-- CISCO-AAA-CLIENT-MIB.my: Cisco AAA Client MIB
--
-- February 2000, Edward Pham
-- May 2001, Liwei Lue
-- October 2001, Jayakumar Kadirvelu
--
-- Copyright (c) 2000-2001 by cisco Systems, Inc.
-- All rights reserved.
-- *****************************************************************
--
-- Module overview: two groups under cacMIBObjects. cacPriority exposes,
-- per (session type, authentication method, login mode), whether a
-- method is enabled and which one is tried first; cacLoginConfig exposes,
-- per (login mode, session type), the failed-attempt limit and the
-- lockout period. Several objects are read-write, so SNMP SET access
-- to this subtree is effectively control over the device's login
-- authentication policy (see the per-object notes below).

CISCO-AAA-CLIENT-MIB DEFINITIONS ::= BEGIN

-- NOTIFICATION-TYPE is deliberately absent: this module defines no
-- notifications (see cacMIBNotifications below).
IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Integer32
                FROM SNMPv2-SMI
        MODULE-COMPLIANCE,
        OBJECT-GROUP
                FROM SNMPv2-CONF
        TEXTUAL-CONVENTION,
        TruthValue
                FROM SNMPv2-TC
        ciscoMgmt
                FROM CISCO-SMI;


ciscoAAAClientMIB MODULE-IDENTITY
        LAST-UPDATED    "200111190000Z"
        ORGANIZATION    "Cisco Systems, Inc."
        CONTACT-INFO
                "       Cisco Systems
                        Customer Service

                Postal: 170 W. Tasman Drive
                        San Jose, CA 95134
                        USA

                   Tel: +1 800 553-NETS

                E-mail: cs-aaa@cisco.com"
        DESCRIPTION
                "This MIB module provides data for authentication method
                priority based on Authentication, Authorization,
                Accounting (AAA) protocols.


                References:
                The TACACS+ Protocol Version 1.78, Internet Draft
                RFC 1411 Telnet Authentication: Kerberos Version 4.
                RFC 1964 The Kerberos Version 5 GSS-API Mechanism.
                "
        REVISION        "200111190000Z"
        DESCRIPTION
                "Deprecate object cacLockoutPeriod and add a new object
                cacLockoutPeriodExt.
                "
        REVISION        "200105100000Z"
        DESCRIPTION
                "Initial version
                "
        ::= { ciscoMgmt 158 }


--
-- Textual Conventions
--

--
-- Session Type textual convention
-- (one of the three index components of cacPriorityTable and one of
-- the two of cacLoginConfigTable)
--
SessionType ::= TEXTUAL-CONVENTION
        STATUS  current
        DESCRIPTION
                "Represents a session type.

                telnet(1) indicates telnet session.

                console(2) indicates console session.

                http(3) indicates http session.

                "
        SYNTAX  INTEGER {
                        telnet (1),
                        console (2),
                        http (3)
                }



--
-- Authentication method textual convention
-- (index component of cacPriorityTable; local(4) is the method that
-- cacEnable does not allow to be disabled)
--
AuthenMethod ::= TEXTUAL-CONVENTION
        STATUS  current
        DESCRIPTION
                "Represents authentication method.

                tacacs(1) indicates that TACACS method is used for
                authentication.

                radius(2) indicates that RADIUS method is used for
                authentication.

                kerberos(3) indicates that KERBEROS method is used
                for authentication.

                local(4) indicates that local password is used
                for authentication. Which password is used depend
                on what login mode users specified.
                "
        SYNTAX  INTEGER {
                        tacacs (1),
                        radius (2),
                        kerberos (3),
                        local (4)
                }


--
-- Login Mode textual convention
-- (index component of both tables; enable(2) is the privileged mode)
--
LoginMode ::= TEXTUAL-CONVENTION
        STATUS  current
        DESCRIPTION
                "Represents login mode.

                login(1) indicates the normal mode.

                enable(2) indicates the privileged mode.
                "
        SYNTAX  INTEGER {
                        login (1),
                        enable (2)
                }


-- AAA Client MIB objects definitions

cacMIBObjects OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 1 }


-- The AAA Client MIB consists of the following groups
-- [1] AAA Client Priority Group (cacPriority)
-- [2] AAA Client Login Config Group (cacLoginConfig)

cacPriority     OBJECT IDENTIFIER ::= { cacMIBObjects 1 }
cacLoginConfig  OBJECT IDENTIFIER ::= { cacMIBObjects 2 }




--****************************************************************************
-- AAA Client Priority Group
--****************************************************************************
--
-- The priority table is indexed by (session type, authentication
-- method, login mode). Only cacEnable and cacPrimaryMethod are
-- writable; cacPriorityNumber is assigned by the agent from the order
-- in which methods were enabled through cacEnable.
--

--
-- Priority Table
--

cacPriorityTable OBJECT-TYPE
        SYNTAX          SEQUENCE OF CacPriorityEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "This table contains entries for AAA authentication
                methods configured in the system. At startup, agent
                set up all the entries of the table. All authentication
                methods will be disabled except local authentication will
                be enabled for each session type and login mode. Users
                later can enable/disable a specific authentication method
                through cacEnable object.

                The following table describes the startup state of each
                authentication method and session type in normal login
                mode and enable login mode.

                AuthenMethod   Console Session   Telnet Session   Http Session
                ------------   ----------------  ---------------- ------------
                tacacs         disabled          disabled         disabled
                radius         disabled          disabled         disabled
                kerberos       disabled          disabled         disabled
                local          enabled(*)        enabled(*)       enabled(*)

                (*) denotes primary method.
                "
        ::= { cacPriority 1 }

cacPriorityEntry OBJECT-TYPE
        SYNTAX          CacPriorityEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "An entry containing the priority number of an authentication
                method used in a session.
                "
        INDEX { cacSession, cacAuthen, cacLoginMode }
        ::= { cacPriorityTable 1 }


CacPriorityEntry ::=
        SEQUENCE {
                cacSession              SessionType,
                cacAuthen               AuthenMethod,
                cacLoginMode            LoginMode,
                cacEnable               TruthValue,
                cacPriorityNumber       Integer32,
                cacPrimaryMethod        TruthValue
        }


-- Index object (not-accessible): the session type of this row.
cacSession OBJECT-TYPE
        SYNTAX          SessionType
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "This is the session type used to connect to the network
                device.
                "
        ::= { cacPriorityEntry 1 }


-- Index object (not-accessible): the authentication method of this row.
cacAuthen OBJECT-TYPE
        SYNTAX          AuthenMethod
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "This is the authentication method used to authenticate
                users.
                "
        ::= { cacPriorityEntry 2 }


-- Index object (not-accessible): the login mode of this row. Also
-- reused as the first index of cacLoginConfigTable.
cacLoginMode OBJECT-TYPE
        SYNTAX          LoginMode
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "This is the login mode user used to login to the network
                device.
                "
        ::= { cacPriorityEntry 3 }


-- Writable. A SET on this object changes which authentication methods
-- the device accepts for the indexed session type and login mode, so
-- write access to the cacPriority subtree amounts to control of the
-- login authentication policy; confine it to authenticated, encrypted
-- SNMPv3 principals through the agent's access-control views. The
-- local method cannot be set to false(2) (see DESCRIPTION), so local
-- authentication cannot be switched off through this object.
cacEnable OBJECT-TYPE
        SYNTAX          TruthValue
        MAX-ACCESS      read-write
        STATUS          current
        DESCRIPTION
                "It indicates whether the authentication method denoted by
                cacAuthen is enabled or not.

                When this object is true(1), the authentication method denoted
                by cacAuthen is enabled.

                When this object is false(2), the authentication method denoted
                by cacAuthen is disabled.

                If the value of cacAuthen is local, the value of this
                object cannot be set to false(2).
                "
        ::= { cacPriorityEntry 4 }


-- Read-only, agent-assigned. 0 means the method is disabled for the
-- indexed session type; higher values take precedence when falling
-- back from the primary method.
cacPriorityNumber OBJECT-TYPE
        SYNTAX          Integer32 (0..4)
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
                "This is the priority number of an authentication method to
                be used in user authentication for a session. This value is
                automatically assigned and reflects the relative priority
                of the authentication method denoted by cacAuthen with
                respected to already configured authentication methods.
                It is assigned in the order in which the authentication
                method is enabled by the user through cacEnable.
                The higher value has the higher priority. This object
                is used to determine the fallback order in case the
                primary authentication method indicated by cacPrimaryMethod
                failed.

                If the authentication method denoted by cacAuthen is disabled
                for the type of session denoted by cacSession, the value
                of this object is equal to 0.
                "
        ::= { cacPriorityEntry 5 }


-- Writable. Setting true(1) moves the primary flag to this row and
-- clears it on the previously primary row; false(2) is rejected, so
-- the primary method can be moved but never removed. Same access
-- control consideration as cacEnable.
cacPrimaryMethod OBJECT-TYPE
        SYNTAX          TruthValue
        MAX-ACCESS      read-write
        STATUS          current
        DESCRIPTION
                "It indicates whether the authentication method denoted by
                cacAuthen is the primary (first one to be tried) method
                when there are multiple authentication method configured.

                Setting this object to true(1) will make the authentication
                method denoted by cacAuthen to be the primary authentication
                method for the session denoted by cacSession. The previously
                configured primary method will be changed to false(2).

                Setting this object to false(2) is not allowed.
                "
        ::= { cacPriorityEntry 6 }


-- -------------------------------------------------------------
-- AAA Client Login Config Group
-- -------------------------------------------------------------
--
-- Indexed by (login mode, session type) using the index objects of
-- cacPriorityEntry. Holds the failed-attempt limit and the lockout
-- period applied after that limit is reached.

cacLoginConfigTable OBJECT-TYPE
        SYNTAX          SEQUENCE OF CacLoginConfigEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "A table that contains login configuration
                which is associated with this system.
                "
        ::= { cacLoginConfig 1 }

cacLoginConfigEntry OBJECT-TYPE
        SYNTAX          CacLoginConfigEntry
        MAX-ACCESS      not-accessible
        STATUS          current
        DESCRIPTION
                "An entry containing the configuration of the login.
                "
        INDEX { cacLoginMode, cacSession }
        ::= { cacLoginConfigTable 1 }

CacLoginConfigEntry ::=
        SEQUENCE {
                cacMaxLoginAttempt      Integer32,
                cacLockoutPeriod        Integer32,
                cacLockoutPeriodExt     Integer32
        }

-- Writable. 0 disables attempt limiting for the indexed login mode and
-- session type (see DESCRIPTION); the permitted non-zero range is
-- 3..10 with a default of 3. A SET to 0 removes the guard against
-- repeated failed logins, so that change is worth logging or alerting
-- on in SNMP audit records.
cacMaxLoginAttempt OBJECT-TYPE
        SYNTAX          Integer32 (0|3..10)
        MAX-ACCESS      read-write
        STATUS          current
        DESCRIPTION
                "Indicates the maximum number of login attempts allowed.
                Setting this variable to 0 will disable the attempt
                limit checking.

                If the login session type does not support this attempt
                limit checking, the value of this object can only be set
                to 0.
                "
        DEFVAL { 3 }
        ::= { cacLoginConfigEntry 1 }


-- Deprecated in favour of cacLockoutPeriodExt (revision 200111190000Z).
-- Saturates at 600 when the configured period is larger, so a reader
-- seeing 600 here must consult cacLockoutPeriodExt for the real value.
cacLockoutPeriod OBJECT-TYPE
        SYNTAX          Integer32 (0|30..600)
        UNITS           "seconds"
        MAX-ACCESS      read-write
        STATUS          deprecated
        DESCRIPTION
                "Indicates the lockout period after the maximum number
                of login attempt is met. For console, the console input
                will be frozen during this period. For remote logins, the
                connection will be closed and any subsequent access
                from that station will be closed during the lockout time.

                Setting this variable to 0 will disable the lockout.
                If the login session type does not support this lockout
                period, the value of this object can only be set to 0.

                If the lockout period is greater than the maximum value
                reportable by this object then this object should report
                its maximum value (600) and cacLockoutPeriodExt must be
                used to report the lockout period.
                "
        DEFVAL { 30 }
        ::= { cacLoginConfigEntry 2 }

-- Writable. Lockout period in seconds, 0 or 30..43200, default 30.
-- 0 disables the lockout that follows cacMaxLoginAttempt failures; the
-- same monitoring caveat as for cacMaxLoginAttempt applies.
cacLockoutPeriodExt OBJECT-TYPE
        SYNTAX          Integer32 (0|30..43200)
        UNITS           "seconds"
        MAX-ACCESS      read-write
        STATUS          current
        DESCRIPTION
                "Specifies the lockout period after the maximum number
                of login attempt is met. For console, the console input
                will be frozen during this period. For remote logins, the
                connection will be closed and any subsequent access
                from that station will be closed during the lockout time.

                Setting this variable to 0 will disable the lockout.
                If the login session type does not support this lockout
                period, the value of this object can only be set to 0.
                "
        DEFVAL { 30 }
        ::= { cacLoginConfigEntry 3 }

--****************************************************************************
-- Notifications
--****************************************************************************
-- No NOTIFICATION-TYPE is defined under this node in this module, so
-- lockouts and attempt-limit hits are not signalled through this MIB;
-- they would have to be observed by other means (polling or logs).
cacMIBNotifications OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 2 }




cacMIBConformance OBJECT IDENTIFIER ::=
        { ciscoAAAClientMIB 3 }
cacMIBCompliances OBJECT IDENTIFIER ::=
        { cacMIBConformance 1 }
cacMIBGroups OBJECT IDENTIFIER ::=
        { cacMIBConformance 2 }

-- compliance statements

-- Original compliance, deprecated together with cacLoginConfigGroup
-- because it mandates the saturating cacLockoutPeriod object.
cacMIBCompliance MODULE-COMPLIANCE
        STATUS  deprecated
        DESCRIPTION
                "The compliance statement for entities which
                implement the CISCO AAA Client MIB"
        MODULE -- this module
                MANDATORY-GROUPS
                {
                        cacPriorityGroup,
                        cacLoginConfigGroup
                }
        ::= { cacMIBCompliances 1 }


-- Current compliance: requires cacLockoutPeriodExt via
-- cacLoginConfigGroupRev1 instead of cacLockoutPeriod.
cacMIBCompliance2 MODULE-COMPLIANCE
        STATUS  current
        DESCRIPTION
                "The compliance statement for entities which
                implement the CISCO AAA Client MIB"
        MODULE -- this module
                MANDATORY-GROUPS
                {
                        cacPriorityGroup,
                        cacLoginConfigGroupRev1
                }
        ::= { cacMIBCompliances 2 }

-- units of conformance


cacPriorityGroup OBJECT-GROUP
        OBJECTS {
                cacEnable,
                cacPriorityNumber,
                cacPrimaryMethod
        }
        STATUS  current
        DESCRIPTION
                "A collection of objects providing the
                AAA client priority information.
                "
        ::= { cacMIBGroups 1 }


-- Deprecated: carries cacLockoutPeriod; superseded by
-- cacLoginConfigGroupRev1.
cacLoginConfigGroup OBJECT-GROUP
        OBJECTS {
                cacMaxLoginAttempt,
                cacLockoutPeriod
        }
        STATUS  deprecated
        DESCRIPTION
                "A collection of objects providing the
                AAA client login configuration.
                "
        ::= { cacMIBGroups 2 }

cacLoginConfigGroupRev1 OBJECT-GROUP
        OBJECTS {
                cacMaxLoginAttempt,
                cacLockoutPeriodExt
        }
        STATUS  current
        DESCRIPTION
                "A collection of objects providing the
                AAA client login configuration.
                "
        ::= { cacMIBGroups 3 }

END
