Bridge Working Group                                       K.C. Norseth
INTERNET-DRAFT                                       L-3 Communications
                                                         November 2003
Expires May 2004

         Definitions for Port Access Control (IEEE 802.1X) MIB
                     draft-ietf-bridge-8021x-03.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026, except that the right to produce derivative
   works is not granted, other than to extract the MIB module in Section
   4 as-is for separate use.


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

IESG Note

   This document is not the product of an IETF Working Group.  The IETF
   currently has no effort underway to standardize the Port Access
   Control (IEEE 802.1X) MIB.


Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in TCP/IP-based
   internets. In particular, it defines objects for managing the
   operation of Port Access Control, based on the specification
   contained in Clause 8 and Clause 9 of the IEEE 802.1X standard. This
   clause includes a MIB module that is SNMPv2 SMI compliant.

   This standard defines a mechanism for Port-based network access
   control that makes use of the physical access characteristics of

Bridge Working Group            Expires May 2004           [Page 1]


Internet Draft      Port Access Control (802.1X) MIB    November 8, 2003

   IEEE 802 LAN infrastructures in order to provide a means of
   authenticating and authorizing devices attached to a LAN port that
   has point-to-point connection characteristics, and of preventing
   access to that port in cases in which the authentication and
   authorization process fails.

   This standard is part of a family of standards for local and
   metropolitan area networks.

   This draft is written within the IEEE 802.1X working group and is
   being presented to the IETF for informational purposes.


Table of Contents

   1. Introduction
   2. Overview
   2.1. Scope
   3. Structure of MIB
   3.1 Relationship to the managed objects defined in IEEE 802.1X
   3.2 The PAE System Group
   3.3 The PAE Authenticator Group
   3.4 The PAE Supplicant Group
   3.5 Relationship to other MIBs
   3.6 Relationship to the Interfaces MIB
   4 Definitions for the 802.1X-MIB
   5. Intellectual Property
   6. Acknowledgements
   7. Normative References
   8. Informative References
   9. Security Considerations
   10. Author's Address
   11. Change Log
   12. Full Copyright Statement


1. Introduction

The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

    o   An overall architecture, described in RFC 2571 [RFC2571].

    o   Mechanisms for describing and naming objects and events for the
        purpose of management.  The first version of this Structure of
        Management Information (SMI) is called SMIv1 and described in
        STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
        1215 [RFC1215].  The second version, called SMIv2, is described
        in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
        STD 58, RFC 2580 [RFC2580].

    o   Message protocols for transferring management information.  The
        first version of the SNMP message protocol is called SNMPv1 and
        described in STD 15, RFC 1157 [RFC1157].  A second version of
        the SNMP message protocol, which is not an Internet standards
        track protocol, is called SNMPv2c and described in RFC 1901
        [RFC1901] and RFC 1906 [RFC1906].  The third version of the
        message protocol is called SNMPv3 and described in RFC 1906
        [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

    o   Protocol operations for accessing management information.  The
        first set of protocol operations and associated PDU formats is
        described in STD 15, RFC 1157 [RFC1157].  A second set of
        protocol operations and associated PDU formats is described in
        RFC 1905 [RFC1905].

    o   A set of fundamental applications described in RFC 2573
        [RFC2573] and the view-based access control mechanism described
        in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.


2. Overview

   Local Area Networks (or LANs; see 3.4 in IEEE Std 802.1D, 1998
   Edition) are often deployed in environments that permit unauthorized
   devices to be physically attached to the LAN infrastructure, or
   permit unauthorized users to attempt to access the LAN through
   equipment already attached. Examples of such environments include
   corporate LANs that provide LAN connectivity in areas of a building
   that are accessible to the general public, and LANs that are deployed
   by one organization in order to offer connectivity services to other
   organizations (for example, as may occur in a business park or a
   serviced office building). In such environments, it is desirable to
   restrict access to the services offered by the LAN to those users and
   devices that are permitted to make use of those services.

   Port-based network access control makes use of the physical access
   characteristics of IEEE 802 LAN infrastructures in order to provide a
   means of authenticating and authorizing devices attached to a LAN
   port that has point-to-point connection characteristics, and of
   preventing access to that port in cases in which the authentication
   and authorization process fails. A port in this context is a single
   point of attachment to the LAN infrastructure. Examples of ports in
   which the use of authentication can be desirable include the Ports of
   MAC Bridges (as specified in IEEE 802.1D), the ports used to attach
   servers or routers to the LAN infrastructure, and associations
   between stations and access points in IEEE 802.11 Wireless LANs.

2.1. Scope

   The purpose of this document is to specify how the management
   operations are made available to a remote manager using the protocol
   and architectural description provided by the Simple Network
   Management Protocol (SNMP).

   This MIB is the republishing of the IEEE Definitions for Port
   Access Control MIB (802.1X) defined in the 802.1X specification
   document.


3. Structure of MIB

   A single MIB module is defined in this clause. Objects in the MIB
   are arranged into groups. Each group is organized as a set of related
   objects. The overall structure and assignment of objects to their
   groups is shown in the following subclauses.

3.1 Relationship to the managed objects defined in IEEE 802.1X

   The following table contains cross-references between the objects
   defined in IEEE 802.1X Clause 9 and the MIB objects defined in this
   clause.

   Note: The section numbers in the table (9.4.3 Authenticator
   Diagnostics, 9.4.4 Authenticator Session Statistics, etc.) refer to
   sections of the IEEE 802.1X specification document, not to this
   document.

   Definition in IEEE 802.1X Clause 9   MIB object(s)
   ---------------------------------    -------------------------------

   EAPOL Logoff frames received         dot1xAuthEapolLogoffFramesRx
   EAP Resp/Id frames received          dot1xAuthEapolRespIdFramesRx
   EAP Response frames received         dot1xAuthEapolRespFramesRx
   EAP Req/Id frames transmitted        dot1xAuthEapolReqIdFramesTx
   EAP Request frames transmitted       dot1xAuthEapolReqFramesTx
   Invalid EAPOL frames received        dot1xAuthInvalidEapolFramesRx
   EAP length error frames received     dot1xAuthEapLengthErrorFramesRx
   Last EAPOL frame version             dot1xAuthLastEapolFrameVersion
   Last EAPOL frame source              dot1xAuthLastEapolFrameSource

   9.4.3 Authenticator Diagnostics      dot1xAuthDiagTable
   authEntersConnecting                 dot1xAuthEntersConnecting
   authEapLogoffsWhileConnecting      dot1xAuthEapLogoffsWhileConnecting
   authEntersAuthenticating             dot1xAuthEntersAuthenticating
   authAuthSuccessWhileAuthenticating
                                 dot1xAuthAuthSuccessWhileAuthenticating
   authAuthTimeoutsWhileAuthenticating
                               dot1xAuthAuthTimeoutsWhileAuthenticating
   authAuthFailWhileAuthenticating  dot1xAuthAuthFailWhileAuthenticating
   authAuthReauthsWhileAuthenticating
                                 dot1xAuthAuthReauthsWhileAuthenticating
   authAuthEapStartsWhileAuthenticating
                               dot1xAuthAuthEapStartsWhileAuthenticating
   authAuthLogoffWhileAuthenticating
                               dot1xAuthAuthEapLogoffWhileAuthenticating
   authAuthReauthsWhileAuthenticated
                                  dot1xAuthAuthReauthsWhileAuthenticated
   authAuthEapStartsWhileAuthenticated
                                dot1xAuthAuthEapStartsWhileAuthenticated
   authAuthLogoffWhileAuthenticated
                                dot1xAuthAuthEapLogoffWhileAuthenticated
   backendResponses                    dot1xAuthBackendResponses
   backendAccessChallenges             dot1xAuthBackendAccessChallenges
   backendOtherRequestsToSupplicant
                               dot1xAuthBackendOtherRequestsToSupplicant
   backendNonNakResponsesFromSupplicant
                           dot1xAuthBackendNonNakResponsesFromSupplicant
   backendAuthSuccesses                dot1xAuthBackendAuthSuccesses
   backendAuthFails                    dot1xAuthBackendAuthFails

   9.4.4 Authenticator Session Statistics    dot1xAuthSessionStatsTable
   Port number                         dot1xPaePortNumber (table index)
   Session Octets Received             dot1xAuthSessionOctetsRx
   Session Octets Transmitted          dot1xAuthSessionOctetsTx
   Session Frames Received             dot1xAuthSessionFramesRx
   Session Frames Transmitted          dot1xAuthSessionFramesTx
   Session Identifier                  dot1xAuthSessionId
   Session Authentication Method       dot1xAuthSessionAuthenticMethod
   Session Time                        dot1xAuthSessionTime
   Session Terminate Cause             dot1xAuthSessionTerminateCause
   Session User Name                   dot1xAuthSessionUserName

   9.5.1 Supplicant Configuration      dot1xSuppConfigTable
   Port number                         dot1xPaePortNumber (table index)
   Supplicant PAE State                dot1xSuppPaeState
   heldPeriod                          dot1xSuppHeldPeriod
   authPeriod                          dot1xSuppAuthPeriod
   startPeriod                         dot1xSuppStartPeriod
   maxStart                            dot1xSuppMaxStart

   9.5.2 Supplicant Statistics         dot1xSuppStatsTable
   Port number                         dot1xPaePortNumber (table index)
   EAPOL frames received               dot1xSuppEapolFramesRx
   EAPOL frames transmitted            dot1xSuppEapolFramesTx
   EAPOL Start frames transmitted      dot1xSuppEapolStartFramesTx
   EAPOL Logoff frames transmitted     dot1xSuppEapolLogoffFramesTx
   EAP Resp/Id frames transmitted      dot1xSuppEapolRespIdFramesTx
   EAP Response frames transmitted     dot1xSuppEapolRespFramesTx
   EAP Req/Id frames received          dot1xSuppEapolReqIdFramesRx
   EAP Request frames received         dot1xSuppEapolReqFramesRx
   Invalid EAPOL frames received       dot1xSuppInvalidEapolFramesRx
   EAP length error frames received    dot1xSuppEapLengthErrorFramesRx
   Last EAPOL frame version            dot1xSuppLastEapolFrameVersion
   Last EAPOL frame source             dot1xSuppLastEapolFrameSource

3.2 The PAE System Group

   This group of objects provides management functionality that is not
   specific to the operation of either of the two PAE roles (Supplicant
   and Authenticator). A means of enabling and disabling the operation
   of Port Access Control for the entire system is provided, plus a
   per-Port indication of the protocol version supported and the PAE
   roles supported by the port. As it is not mandatory for all Ports of
   a System to support PAE functionality, there may be Port entries
   that indicate Ports that support neither Supplicant nor
   Authenticator functionality.

3.3 The PAE Authenticator Group

   This group of objects provides, for each Port of an Authenticator
   [8021XAUTH],  the functionality necessary to allow configuration of
   the operation of the Authenticator PAE, recording and retrieving
   statistical information relating to the operation of the
   Authenticator PAE, and recording and retrieving information relating
   to a session (i.e., the period of time between consecutive
   authentications on the Port).

3.4 The PAE Supplicant Group

   This group of objects provides, for each Port of a Supplicant
   [8021XSUPP], the functionality necessary to allow configuration of
   the operation of the Supplicant PAE, and recording and retrieving
   statistical information relating to the operation of the
   Authenticator PAE.

3.5 Relationship to other MIBs

   It is assumed that a system implementing this MIB will also implement
   (at least) the system group of MIB-II, defined in IETF RFC 1213, and
   the interfaces group defined in IETF RFC 2863.

3.6 Relationship to the Interfaces MIB

   IETF RFC 2863, the Interface MIB Evolution, requires that any MIB
   that is an adjunct of the Interface MIB clarify specific areas within
   the Interface MIB. These areas were intentionally left vague in IETF
   RFC 2863 to avoid overconstraining the MIB, thereby precluding
   management of certain media types.

   Section 3.3 of IETF RFC 2863 enumerates several areas that a
   media-specific MIB must clarify. Each of these areas is addressed in
   a following subsection. The implementor is referred to IETF RFC 2863
   in order to understand the general intent of these areas.

   In IETF RFC 2863, the interfaces group is defined as being
   mandatory for all systems and contains information on an entity's
   interfaces, where each interface is thought of as being attached to
   a subnetwork.

   (Note that this term is not to be confused with subnet, which refers
   to an addressing partitioning scheme used in the Internet suite of
   protocols.) The term segment is sometimes used to refer to such a
   subnetwork.

   Where Port numbers are used in this standard to identify Ports of a
   System, these numbers are equal to the ifIndex value for the
   interface for the corresponding Port.
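
   The following Python sketch is an added example, not part of the
   IEEE module or of this draft. It audits the Authenticator objects
   defined in Section 4 from numeric "OID = TYPE: value" walk output,
   using the Port number = ifIndex rule above. The OIDs are derived
   from the module's own assignments; the sample walk, function names
   and finding texts are constructed for illustration.

```python
"""Audit 802.1X Authenticator settings from numeric SNMP walk output.

Added example; not part of IEEE8021-PAE-MIB. OIDs follow from the module:
ieee8021paeMIB = { iso std(0) iso8802(8802) ieee802dot1(1) ieee802dot1mibs(1) 1 }
"""
import re

PAE_OBJECTS = "1.0.8802.1.1.1.1"              # paeMIBObjects
SYSTEM_AUTH_CONTROL = PAE_OBJECTS + ".1.1.0"  # dot1xPaeSystemAuthControl.0
AUTH_CONFIG_ENTRY = PAE_OBJECTS + ".2.1.1"    # dot1xAuthConfigEntry

# Column sub-identifiers taken from the dot1xAuthConfigEntry objects.
COLUMNS = {
    1: "dot1xAuthPaeState",
    6: "dot1xAuthAuthControlledPortControl",
    12: "dot1xAuthReAuthPeriod",
    13: "dot1xAuthReAuthEnabled",
}
PAE_STATE = {1: "initialize", 2: "disconnected", 3: "connecting",
             4: "authenticating", 5: "authenticated", 6: "aborting",
             7: "held", 8: "forceAuth", 9: "forceUnauth"}
PORT_CONTROL = {1: "forceUnauthorized", 2: "auto", 3: "forceAuthorized"}
TRUTH_FALSE = 2  # TruthValue (SNMPv2-TC): true(1), false(2)

# Matches e.g. ".1.0.8802... = INTEGER: 3" or "... = Gauge32: 3600".
LINE_RE = re.compile(r"^\.?(\d+(?:\.\d+)*)\s*=\s*(?:[\w-]+:\s*)?(-?\d+)$")

# Constructed sample (not captured from a device): system enabled, 3 ports.
SAMPLE_WALK = """\
.1.0.8802.1.1.1.1.1.1.0 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.1.1 = INTEGER: 5
.1.0.8802.1.1.1.1.2.1.1.1.2 = INTEGER: 8
.1.0.8802.1.1.1.1.2.1.1.1.3 = INTEGER: 5
.1.0.8802.1.1.1.1.2.1.1.6.1 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.6.2 = INTEGER: 3
.1.0.8802.1.1.1.1.2.1.1.6.3 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.12.1 = Gauge32: 3600
.1.0.8802.1.1.1.1.2.1.1.12.2 = Gauge32: 3600
.1.0.8802.1.1.1.1.2.1.1.12.3 = Gauge32: 3600
.1.0.8802.1.1.1.1.2.1.1.13.1 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.13.2 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.13.3 = INTEGER: 2
"""


def parse_walk(text):
    """Return (system_enabled, {ifIndex: {object_name: value}})."""
    system_enabled, ports = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-integer values and noise are ignored
        oid, value = m.group(1), int(m.group(2))
        if oid == SYSTEM_AUTH_CONTROL:
            system_enabled = value == 1  # enabled(1), disabled(2)
        elif oid.startswith(AUTH_CONFIG_ENTRY + "."):
            # Instance is <column>.<dot1xPaePortNumber>, i.e. <column>.<ifIndex>.
            sub_ids = oid[len(AUTH_CONFIG_ENTRY) + 1:].split(".")
            if len(sub_ids) == 2 and int(sub_ids[0]) in COLUMNS:
                name = COLUMNS[int(sub_ids[0])]
                ports.setdefault(int(sub_ids[1]), {})[name] = value
    return system_enabled, ports


def summarize(port, row):
    """One-line decoded view of a port's control setting and PAE state."""
    control = PORT_CONTROL.get(row.get("dot1xAuthAuthControlledPortControl"), "?")
    state = PAE_STATE.get(row.get("dot1xAuthPaeState"), "?")
    return f"ifIndex {port}: control={control} state={state}"


def audit(system_enabled, ports):
    """Return [(ifIndex or None, object_name, message)] for weak settings."""
    findings = []
    if system_enabled is False:
        findings.append((None, "dot1xPaeSystemAuthControl",
                         "Port Access Control is disabled(2) for the system"))
    for port in sorted(ports):
        row = ports[port]
        control = row.get("dot1xAuthAuthControlledPortControl")
        if control == 3:
            findings.append((port, "dot1xAuthAuthControlledPortControl",
                             "forceAuthorized(3): no authentication required"))
        elif control == 2 and row.get("dot1xAuthReAuthEnabled") == TRUTH_FALSE:
            findings.append((port, "dot1xAuthReAuthEnabled",
                             "auto(2) with false(2): no periodic reauthentication"))
    return findings


if __name__ == "__main__":
    enabled, table = parse_walk(SAMPLE_WALK)
    for p in sorted(table):
        print(summarize(p, table[p]))
    for port, obj, msg in audit(enabled, table):
        print(f"FINDING ifIndex={port} {obj}: {msg}")
```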


4 Definitions for the 802.1X-MIB

   In the MIB definition below, should any discrepancy between the
   DESCRIPTION text and the corresponding definition in IEEE 802.1X
   Clause 9 occur, the definition in IEEE 802.1X Clause 9 shall take
   precedence.

   The MIB module below was originally published on-line as:

       http://www.ieee802.org/1/files/public/MIBs/802-1x-2001-mib.txt

   The text that follows includes certain corrections relative to the
   original version that were necessary in order to get the module to
   compile.  These changes were:

       - Replaced all non-ASCII double quotes and apostrophes by the
         equivalent ASCII characters;

       - In the MODULE-IDENTITY value assignment changed
         "iso(1)" to "iso";

       - Added dot1xPaePortReauthenticate and dot1xAuthSessionUserName
         to the appropriate conformance groups.


 IEEE8021-PAE-MIB DEFINITIONS ::= BEGIN

  -- ---------------------------------------------------------- --
  -- IEEE 802.1X MIB
  -- ---------------------------------------------------------- --

 IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Unsigned32, TimeTicks
        FROM SNMPv2-SMI
    MacAddress, TEXTUAL-CONVENTION, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InterfaceIndex
        FROM IF-MIB
    ;

 ieee8021paeMIB MODULE-IDENTITY
    LAST-UPDATED "200309050000Z"
    ORGANIZATION "IEEE 802.1 Working Group"
    CONTACT-INFO
        "http://grouper.ieee.org/groups/802/1/index.html"

    DESCRIPTION
        "The Port Access Entity module for managing IEEE
        802.1X."

    REVISION     "200309050000Z"
    DESCRIPTION  "The IETF published version as in RFC xxxx.

                  The IETF Bridge-mib WG made the following changes:
                    - Replaced all non-ascii double quotes and
                      apostrophes by the equivalent ASCII characters;
                    - In the MODULE-IDENTITY value assignment changed
                      'iso(1)' to 'iso';
                    - Added dot1xPaePortReauthenticate and
                      dot1xAuthSessionUserName to the appropriate
                      conformance groups.
                 "
    REVISION     "200101160000Z"  -- Jan 16th, 2001
    DESCRIPTION  "The initial and authoritative version as published at:
          http://www.ieee802.org/1/files/public/MIBs/802-1x-2001-mib.txt
                 "

    ::= { iso std(0) iso8802(8802) ieee802dot1(1)
          ieee802dot1mibs(1) 1 }

 paeMIBObjects OBJECT IDENTIFIER ::= { ieee8021paeMIB 1 }

  -- ---------------------------------------------------------- --
  -- Textual Conventions
  -- ---------------------------------------------------------- --

 PaeControlledDirections ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The control mode values for the Authenticator PAE."
    SYNTAX      INTEGER {
                    both(0),
                    in(1)
                }

 PaeControlledPortStatus ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "The status values of the Authenticator PAE controlled
        Port."
    SYNTAX      INTEGER {
                    authorized(1),
                    unauthorized(2)
                }

 PaeControlledPortControl ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "The control values of the Authenticator PAE controlled
        Port."
    SYNTAX      INTEGER {
                    forceUnauthorized(1),
                    auto(2),
                    forceAuthorized(3)
                }

 -- ---------------------------------------------------------- --

 -- ---------------------------------------------------------- --
 -- groups in the PAE MIB
 -- ---------------------------------------------------------- --

 dot1xPaeSystem        OBJECT IDENTIFIER ::= { paeMIBObjects 1 }
 dot1xPaeAuthenticator OBJECT IDENTIFIER ::= { paeMIBObjects 2 }
 dot1xPaeSupplicant    OBJECT IDENTIFIER ::= { paeMIBObjects 3 }

 -- ---------------------------------------------------------- --

 -- ---------------------------------------------------------- --
 -- The PAE System Group
 -- ---------------------------------------------------------- --

 dot1xPaeSystemAuthControl OBJECT-TYPE
    SYNTAX      INTEGER { enabled(1), disabled(2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The administrative enable/disable state for
         Port Access Control in a System."
    REFERENCE
        "9.6.1, SystemAuthControl"
    ::= { dot1xPaeSystem 1 }

 -- ---------------------------------------------------------- --
 -- The PAE Port Table
  -- ---------------------------------------------------------- --

 dot1xPaePortTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xPaePortEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of system level information for each port
        supported by the Port Access Entity.  An entry appears
        in this table for each port of this system."
    REFERENCE
        "9.6.1"
    ::= { dot1xPaeSystem 2 }

 dot1xPaePortEntry OBJECT-TYPE
    SYNTAX      Dot1xPaePortEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Port number, protocol version, and
        initialization control for a Port."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xPaePortTable 1 }

 Dot1xPaePortEntry ::=
    SEQUENCE {
        dot1xPaePortNumber
            InterfaceIndex,
        dot1xPaePortProtocolVersion
            Unsigned32,
        dot1xPaePortCapabilities
            BITS,
        dot1xPaePortInitialize
            TruthValue,
        dot1xPaePortReauthenticate
            TruthValue
        }

 dot1xPaePortNumber OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Port number associated with this Port."
    REFERENCE
        "9.6.1, Port number"
    ::= { dot1xPaePortEntry 1 }

 dot1xPaePortProtocolVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version associated with this Port."
    REFERENCE
        "9.6.1, Protocol version"
    ::= { dot1xPaePortEntry 2 }

 dot1xPaePortCapabilities OBJECT-TYPE
    SYNTAX      BITS {
                    dot1xPaePortAuthCapable(0),
                        -- Authenticator functions are supported
                    dot1xPaePortSuppCapable(1)
                        -- Supplicant functions are supported
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the PAE functionality that this Port
        supports and that may be managed through this MIB."
    REFERENCE
        "9.6.1, PAE Capabilities"
    ::= { dot1xPaePortEntry 3 }

 dot1xPaePortInitialize OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The initialization control for this Port. Setting this
        attribute TRUE causes the Port to be initialized.
        The attribute value reverts to FALSE once initialization
        has completed."
    REFERENCE
        "9.6.1.2, Initialize Port"
    ::= { dot1xPaePortEntry 4 }

 dot1xPaePortReauthenticate OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The reauthentication control for this port. Setting
        this attribute TRUE causes the Authenticator PAE state
        machine for the Port to reauthenticate the Supplicant.
        Setting this attribute FALSE has no effect.
        This attribute always returns FALSE when it is read."
    REFERENCE
        "9.4.1.3 Reauthenticate"
    ::= { dot1xPaePortEntry 5 }

 -- ---------------------------------------------------------- --
 -- The PAE Authenticator Group
 -- ---------------------------------------------------------- --

 -- ---------------------------------------------------------- --
 -- The Authenticator Configuration Table
 -- ---------------------------------------------------------- --

 dot1xAuthConfigTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the configuration objects for the
        Authenticator PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.1 Authenticator Configuration"
    ::= { dot1xPaeAuthenticator 1 }

 dot1xAuthConfigEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The configuration information for an Authenticator
        PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthConfigTable 1 }

 Dot1xAuthConfigEntry ::=
    SEQUENCE {
        dot1xAuthPaeState
            INTEGER,
        dot1xAuthBackendAuthState
            INTEGER,
        dot1xAuthAdminControlledDirections
            PaeControlledDirections,
        dot1xAuthOperControlledDirections
            PaeControlledDirections,
        dot1xAuthAuthControlledPortStatus
            PaeControlledPortStatus,
        dot1xAuthAuthControlledPortControl
            PaeControlledPortControl,
        dot1xAuthQuietPeriod
            Unsigned32,
        dot1xAuthTxPeriod
            Unsigned32,
        dot1xAuthSuppTimeout
            Unsigned32,
        dot1xAuthServerTimeout
            Unsigned32,
        dot1xAuthMaxReq
            Unsigned32,
        dot1xAuthReAuthPeriod
            Unsigned32,
        dot1xAuthReAuthEnabled
            TruthValue,
        dot1xAuthKeyTxEnabled
            TruthValue
        }

 dot1xAuthPaeState OBJECT-TYPE
    SYNTAX      INTEGER {
                    initialize(1),
                    disconnected(2),
                    connecting(3),
                    authenticating(4),
                    authenticated(5),
                    aborting(6),
                    held(7),
                    forceAuth(8),
                    forceUnauth(9)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, Authenticator PAE state"
    ::= { dot1xAuthConfigEntry 1 }

 dot1xAuthBackendAuthState OBJECT-TYPE
    SYNTAX      INTEGER {
                    request(1),
                    response(2),
                    success(3),
                    fail(4),
                    timeout(5),
                    idle(6),
                    initialize(7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the Backend Authentication
        state machine."
    REFERENCE
        "9.4.1, Backend Authentication state"
    ::= { dot1xAuthConfigEntry 2 }

 dot1xAuthAdminControlledDirections OBJECT-TYPE
    SYNTAX      PaeControlledDirections
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The current value of the administrative controlled
        directions parameter for the Port."
    REFERENCE
        "9.4.1, Admin Control Mode"
    ::= { dot1xAuthConfigEntry 3 }

 dot1xAuthOperControlledDirections OBJECT-TYPE
    SYNTAX      PaeControlledDirections
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the operational controlled
        directions parameter for the Port."
    REFERENCE
        "9.4.1, Oper Control Mode"
    ::= { dot1xAuthConfigEntry 4 }

 dot1xAuthAuthControlledPortStatus OBJECT-TYPE
    SYNTAX      PaeControlledPortStatus
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the controlled Port
        status parameter for the Port."
    REFERENCE
        "9.4.1, AuthControlledPortStatus"
    ::= { dot1xAuthConfigEntry 5 }

 dot1xAuthAuthControlledPortControl OBJECT-TYPE
    SYNTAX      PaeControlledPortControl
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The current value of the controlled Port
        control parameter for the Port."
    REFERENCE
        "9.4.1, AuthControlledPortControl"
    ::= { dot1xAuthConfigEntry 6 }

 dot1xAuthQuietPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the quietPeriod constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, quietPeriod"
    DEFVAL { 60 }
    ::= { dot1xAuthConfigEntry 7 }

 dot1xAuthTxPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the txPeriod constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, txPeriod"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 8 }

 dot1xAuthSuppTimeout OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the suppTimeout constant
        currently in use by the Backend Authentication state
        machine."
    REFERENCE
        "9.4.1, suppTimeout"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 9 }

 dot1xAuthServerTimeout OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the serverTimeout constant
        currently in use by the Backend Authentication state
        machine."
    REFERENCE
        "9.4.1, serverTimeout"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 10 }

 dot1xAuthMaxReq OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the maxReq constant currently in use by
        the Backend Authentication state machine."
    REFERENCE
        "9.4.1, maxReq"
    DEFVAL { 2 }
    ::= { dot1xAuthConfigEntry 11 }

 dot1xAuthReAuthPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the reAuthPeriod constant
        currently in use by the Reauthentication Timer state
        machine."
    REFERENCE
        "9.4.1, reAuthPeriod"
    DEFVAL { 3600 }
    ::= { dot1xAuthConfigEntry 12 }


 dot1xAuthReAuthEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The enable/disable control used by the Reauthentication
        Timer state machine (8.5.5.1)."
    REFERENCE
        "9.4.1, reAuthEnabled"
    DEFVAL { false }
    ::= { dot1xAuthConfigEntry 13 }

 dot1xAuthKeyTxEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the keyTransmissionEnabled constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, keyTransmissionEnabled"
    ::= { dot1xAuthConfigEntry 14 }

 -- ---------------------------------------------------------- --
 -- The Authenticator Statistics Table
 -- ---------------------------------------------------------- --

 dot1xAuthStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the statistics objects for the
         Authenticator PAE associated with each Port.
         An entry appears in this table for each port that may
         authenticate access to itself."
    REFERENCE
        "9.4.2 Authenticator Statistics"
    ::= { dot1xPaeAuthenticator 2 }

 dot1xAuthStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The statistics information for an Authenticator PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthStatsTable 1 }

 Dot1xAuthStatsEntry ::=
    SEQUENCE {
        dot1xAuthEapolFramesRx
            Counter32,
        dot1xAuthEapolFramesTx
            Counter32,
        dot1xAuthEapolStartFramesRx
            Counter32,
        dot1xAuthEapolLogoffFramesRx
            Counter32,
        dot1xAuthEapolRespIdFramesRx
            Counter32,
        dot1xAuthEapolRespFramesRx
            Counter32,
        dot1xAuthEapolReqIdFramesTx
            Counter32,
        dot1xAuthEapolReqFramesTx
            Counter32,
        dot1xAuthInvalidEapolFramesRx
            Counter32,
        dot1xAuthEapLengthErrorFramesRx
            Counter32,
        dot1xAuthLastEapolFrameVersion
            Unsigned32,
        dot1xAuthLastEapolFrameSource
            MacAddress
        }

 dot1xAuthEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAPOL frames of any type
        that have been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL frames received"
    ::= { dot1xAuthStatsEntry 1 }

 dot1xAuthEapolFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL frames transmitted"
    ::= { dot1xAuthStatsEntry 2 }

 dot1xAuthEapolStartFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Start frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Start frames received"
    ::= { dot1xAuthStatsEntry 3 }

 dot1xAuthEapolLogoffFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Logoff frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Logoff frames received"
    ::= { dot1xAuthStatsEntry 4 }

 dot1xAuthEapolRespIdFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Resp/Id frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Resp/Id frames received"
    ::= { dot1xAuthStatsEntry 5 }

 dot1xAuthEapolRespFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAP Response frames
        (other than Resp/Id frames) that have been
        received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Response frames received"
    ::= { dot1xAuthStatsEntry 6 }

 dot1xAuthEapolReqIdFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Req/Id frames that have been
        transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Req/Id frames transmitted"
    ::= { dot1xAuthStatsEntry 7 }

 dot1xAuthEapolReqFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Request frames
        (other than Req/Id frames) that have been
        transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Request frames transmitted"
    ::= { dot1xAuthStatsEntry 8 }

 dot1xAuthInvalidEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Authenticator in which the
        frame type is not recognized."
    REFERENCE
        "9.4.2, Invalid EAPOL frames received"
    ::= { dot1xAuthStatsEntry 9 }

 dot1xAuthEapLengthErrorFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been received
        by this Authenticator in which the Packet Body
        Length field is invalid."
    REFERENCE
        "9.4.2, EAP length error frames received"
    ::= { dot1xAuthStatsEntry 10 }

 dot1xAuthLastEapolFrameVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version number carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.4.2, Last EAPOL frame version"
    ::= { dot1xAuthStatsEntry 11 }

 dot1xAuthLastEapolFrameSource OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source MAC address carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.4.2, Last EAPOL frame source"
    ::= { dot1xAuthStatsEntry 12 }

 -- ---------------------------------------------------------- --
 -- The Authenticator Diagnostics Table
 -- ---------------------------------------------------------- --

 dot1xAuthDiagTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthDiagEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the diagnostics objects for the
         Authenticator PAE associated with each Port.
         An entry appears in this table for each port that may
         authenticate access to itself."
    REFERENCE
        "9.4.3 Authenticator Diagnostics"
    ::= { dot1xPaeAuthenticator 3 }

 dot1xAuthDiagEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthDiagEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The diagnostics information for an Authenticator PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthDiagTable 1 }

 Dot1xAuthDiagEntry ::=
    SEQUENCE {
        dot1xAuthEntersConnecting
            Counter32,
        dot1xAuthEapLogoffsWhileConnecting
            Counter32,
        dot1xAuthEntersAuthenticating
            Counter32,
        dot1xAuthAuthSuccessWhileAuthenticating
            Counter32,
        dot1xAuthAuthTimeoutsWhileAuthenticating
            Counter32,
        dot1xAuthAuthFailWhileAuthenticating
            Counter32,
        dot1xAuthAuthReauthsWhileAuthenticating
            Counter32,
        dot1xAuthAuthEapStartsWhileAuthenticating
            Counter32,
        dot1xAuthAuthEapLogoffWhileAuthenticating
            Counter32,
        dot1xAuthAuthReauthsWhileAuthenticated
            Counter32,
        dot1xAuthAuthEapStartsWhileAuthenticated
            Counter32,
        dot1xAuthAuthEapLogoffWhileAuthenticated
            Counter32,
        dot1xAuthBackendResponses
            Counter32,
        dot1xAuthBackendAccessChallenges
            Counter32,
        dot1xAuthBackendOtherRequestsToSupplicant
            Counter32,
        dot1xAuthBackendNonNakResponsesFromSupplicant
            Counter32,
        dot1xAuthBackendAuthSuccesses
            Counter32,
        dot1xAuthBackendAuthFails
            Counter32
        }

 dot1xAuthEntersConnecting OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions to the CONNECTING state from any other
        state."
    REFERENCE
        "9.4.2, 8.5.4.2.1"
    ::= { dot1xAuthDiagEntry 1 }

 dot1xAuthEapLogoffsWhileConnecting OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from CONNECTING to DISCONNECTED as a result
        of receiving an EAPOL-Logoff message."
    REFERENCE
        "9.4.2, 8.5.4.2.2"
    ::= { dot1xAuthDiagEntry 2 }

 dot1xAuthEntersAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from CONNECTING to AUTHENTICATING, as a
        result of an EAP-Response/Identity message being
        received from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.3"
    ::= { dot1xAuthDiagEntry 3 }

 dot1xAuthAuthSuccessWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to AUTHENTICATED, as a
        result of the Backend Authentication state machine
        indicating successful authentication of the Supplicant
        (authSuccess = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.4"
    ::= { dot1xAuthDiagEntry 4 }

 dot1xAuthAuthTimeoutsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of the Backend Authentication state machine indicating
        authentication timeout (authTimeout = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.5"
    ::= { dot1xAuthDiagEntry 5 }

 dot1xAuthAuthFailWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to HELD, as a result
        of the Backend Authentication state machine indicating
        authentication failure (authFail = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.6"
    ::= { dot1xAuthDiagEntry 6 }

 dot1xAuthAuthReauthsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of a reauthentication request (reAuthenticate = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.7"
    ::= { dot1xAuthDiagEntry 7 }

 dot1xAuthAuthEapStartsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of an EAPOL-Start message being received
        from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.8"
    ::= { dot1xAuthDiagEntry 8 }

 dot1xAuthAuthEapLogoffWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of an EAPOL-Logoff message being received
        from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.9"
    ::= { dot1xAuthDiagEntry 9 }

 dot1xAuthAuthReauthsWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to CONNECTING, as a
        result of a reauthentication request
        (reAuthenticate = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.10"
    ::= { dot1xAuthDiagEntry 10 }

 dot1xAuthAuthEapStartsWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to CONNECTING, as a
        result of an EAPOL-Start message being received from the
        Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.11"
    ::= { dot1xAuthDiagEntry 11 }

 dot1xAuthAuthEapLogoffWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to DISCONNECTED, as a
        result of an EAPOL-Logoff message being received from
        the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.12"
    ::= { dot1xAuthDiagEntry 12 }

 dot1xAuthBackendResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine sends
        an initial Access-Request packet to the Authentication
        server (i.e., executes sendRespToServer on entry to the
        RESPONSE state). Indicates that the Authenticator
        attempted communication with the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.1"
    ::= { dot1xAuthDiagEntry 13 }

 dot1xAuthBackendAccessChallenges OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an initial Access-Challenge packet from the
        Authentication server (i.e., aReq becomes TRUE,
        causing exit from the RESPONSE state). Indicates that
        the Authentication Server has communication with
        the Authenticator."
    REFERENCE
        "9.4.2, 8.5.6.2.2"
    ::= { dot1xAuthDiagEntry 14 }

 dot1xAuthBackendOtherRequestsToSupplicant OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        sends an EAP-Request packet (other than an Identity,
        Notification, Failure or Success message) to the
        Supplicant (i.e., executes txReq on entry to the
        REQUEST state). Indicates that the Authenticator chose
        an EAP-method."
    REFERENCE
        "9.4.2, 8.5.6.2.3"
    ::= { dot1xAuthDiagEntry 15 }

 dot1xAuthBackendNonNakResponsesFromSupplicant OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives a response from the Supplicant to an initial
        EAP-Request, and the response is something other than
        EAP-NAK (i.e., rxResp becomes TRUE, causing the state
        machine to transition from REQUEST to RESPONSE,
        and the response is not an EAP-NAK). Indicates that
        the Supplicant can respond to the Authenticator's
        chosen EAP-method."
    REFERENCE
        "9.4.2, 8.5.6.2.4"
    ::= { dot1xAuthDiagEntry 16 }

 dot1xAuthBackendAuthSuccesses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an EAP-Success message from the Authentication
        Server (i.e., aSuccess becomes TRUE, causing a
        transition from RESPONSE to SUCCESS). Indicates that
        the Supplicant has successfully authenticated to
        the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.5"
    ::= { dot1xAuthDiagEntry 17 }

 dot1xAuthBackendAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an EAP-Failure message from the Authentication
        Server (i.e., aFail becomes TRUE, causing a transition
        from RESPONSE to FAIL). Indicates that the Supplicant
        has not authenticated to the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.6"
    ::= { dot1xAuthDiagEntry 18 }
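
An added example, not part of the MIB module or of the draft: one way a monitoring poller could turn two successive reads of the dot1xAuthDiagTable counters defined above into per-port findings. The object names are from the MIB; the thresholds, the finding labels and the sample snapshots are assumptions constructed for the illustration.

```python
"""Wrap-aware delta analysis of dot1xAuthDiagTable counters (added example)."""

COUNTER32_MOD = 2 ** 32

# Assumed per-polling-interval thresholds; tune them to the poll period in use.
FAIL_THRESHOLD = 5
START_ABORT_THRESHOLD = 10


def counter32_delta(old, new):
    """Increase of a Counter32 between two polls.

    A Counter32 wraps from 2**32 - 1 to 0, so a small modular difference
    with new < old is a wrap. A difference of more than half the range is
    taken to be an agent restart, and the counter is assumed to have
    restarted from zero.
    """
    delta = (new - old) % COUNTER32_MOD
    if new < old and delta > COUNTER32_MOD // 2:
        return new
    return delta


def port_deltas(prev_row, curr_row):
    """Deltas for every counter present in both reads of one table row."""
    return {name: counter32_delta(prev_row[name], value)
            for name, value in curr_row.items() if name in prev_row}


def findings_for_port(prev_row, curr_row):
    """Return the finding labels (assumed names) raised for one port."""
    d = port_deltas(prev_row, curr_row)

    def inc(name):
        return d.get(name, 0)

    findings = []
    fails = inc("dot1xAuthBackendAuthFails")
    successes = inc("dot1xAuthBackendAuthSuccesses")
    challenges = inc("dot1xAuthBackendAccessChallenges")

    # EAP-Failure keeps arriving from the server and nothing succeeds.
    if fails >= FAIL_THRESHOLD and successes == 0:
        findings.append("repeated-auth-failure")

    # Access-Requests were sent, the server answered none of them, and the
    # PAE went AUTHENTICATING -> ABORTING on authTimeout.
    if (inc("dot1xAuthBackendResponses") > 0
            and challenges == 0 and successes == 0 and fails == 0
            and inc("dot1xAuthAuthTimeoutsWhileAuthenticating") > 0):
        findings.append("backend-no-answer")

    # EAPOL-Start frames keep aborting authentications in progress.
    if inc("dot1xAuthAuthEapStartsWhileAuthenticating") >= START_ABORT_THRESHOLD:
        findings.append("start-abort-churn")
    return findings


def analyze(prev_table, curr_table):
    """Map dot1xPaePortNumber -> findings, for ports seen in both polls."""
    report = {}
    for port, curr_row in curr_table.items():
        if port in prev_table:
            found = findings_for_port(prev_table[port], curr_row)
            if found:
                report[port] = found
    return report


def row(resp, chal, succ, fail, tmo, starts):
    """Build one constructed dot1xAuthDiagEntry row (subset of its columns)."""
    return {
        "dot1xAuthBackendResponses": resp,
        "dot1xAuthBackendAccessChallenges": chal,
        "dot1xAuthBackendAuthSuccesses": succ,
        "dot1xAuthBackendAuthFails": fail,
        "dot1xAuthAuthTimeoutsWhileAuthenticating": tmo,
        "dot1xAuthAuthEapStartsWhileAuthenticating": starts,
    }


# Constructed sample data: two polls of five ports, keyed by port number.
PREV = {
    1: row(40, 38, 30, 8, 0, 1),
    2: row(50, 40, 20, 4294967293, 0, 0),
    3: row(100, 90, 80, 10, 2, 0),
    4: row(12, 12, 9, 1, 0, 0),
    5: row(12000, 11000, 9000, 5000, 7, 40),
}
CURR = {
    1: row(43, 41, 32, 9, 0, 1),      # ordinary traffic
    2: row(57, 47, 20, 4, 0, 0),      # fail counter wrapped: +7, no success
    3: row(106, 90, 80, 10, 8, 0),    # requests sent, server silent, timeouts
    4: row(14, 14, 10, 1, 0, 25),     # EAPOL-Start aborting authentications
    5: row(4, 4, 1, 3, 0, 2),         # agent restarted, counters near zero
}

if __name__ == "__main__":
    for port, found in sorted(analyze(PREV, CURR).items()):
        print(port, ", ".join(found))
```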

 -- ---------------------------------------------------------- --
 -- The Authenticator Session Statistics Table
 -- ---------------------------------------------------------- --

 dot1xAuthSessionStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthSessionStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the session statistics objects
        for the Authenticator PAE associated with each Port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.4"
    ::= { dot1xPaeAuthenticator 4 }

 dot1xAuthSessionStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthSessionStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The session statistics information for an Authenticator
        PAE.  This shows the current values being collected for
        each session that is still in progress, or the final
        values for the last valid session on each port where
        there is no session currently active."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthSessionStatsTable 1 }

 Dot1xAuthSessionStatsEntry ::=
    SEQUENCE {
        dot1xAuthSessionOctetsRx
            Counter64,
        dot1xAuthSessionOctetsTx
            Counter64,
        dot1xAuthSessionFramesRx
            Counter32,
        dot1xAuthSessionFramesTx
            Counter32,
        dot1xAuthSessionId
            SnmpAdminString,
        dot1xAuthSessionAuthenticMethod
            INTEGER,
        dot1xAuthSessionTime
            TimeTicks,
        dot1xAuthSessionTerminateCause
            INTEGER,
        dot1xAuthSessionUserName
            SnmpAdminString
    }

 dot1xAuthSessionOctetsRx OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of octets received in user data
        frames on this Port during the session."
    REFERENCE
        "9.4.4, Session Octets Received"
    ::= { dot1xAuthSessionStatsEntry 1 }

 dot1xAuthSessionOctetsTx OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of octets transmitted in user data
        frames on this Port during the session."
    REFERENCE
        "9.4.4, Session Octets Transmitted"
    ::= { dot1xAuthSessionStatsEntry 2 }

 dot1xAuthSessionFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of user data frames received
        on this Port during the session."
    REFERENCE
        "9.4.4, Session Frames Received"
    ::= { dot1xAuthSessionStatsEntry 3 }

 dot1xAuthSessionFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of user data frames transmitted
        on this Port during the session."
    REFERENCE
        "9.4.4, Session Frames Transmitted"
    ::= { dot1xAuthSessionStatsEntry 4 }

 dot1xAuthSessionId OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique identifier for the session, in the
        form of a printable ASCII string of at least
        three characters."
    REFERENCE
        "9.4.4, Session Identifier"
    ::= { dot1xAuthSessionStatsEntry 5 }

 dot1xAuthSessionAuthenticMethod OBJECT-TYPE
    SYNTAX      INTEGER {
                    remoteAuthServer(1),
                    localAuthServer(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to establish the
        session."
    REFERENCE
        "9.4.4, Session Authentication Method"
    ::= { dot1xAuthSessionStatsEntry 6 }

 dot1xAuthSessionTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The duration of the session in seconds."
    REFERENCE
        "9.4.4, Session Time"
    ::= { dot1xAuthSessionStatsEntry 7 }

 dot1xAuthSessionTerminateCause OBJECT-TYPE
    SYNTAX      INTEGER {
                    supplicantLogoff(1),
                    portFailure(2),
                    supplicantRestart(3),
                    reauthFailed(4),
                    authControlForceUnauth(5),
                    portReInit(6),
                    portAdminDisabled(7),
                    notTerminatedYet(999)
                    }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason for the session termination."
    REFERENCE
        "9.4.4, Session Terminate Cause"
    ::= { dot1xAuthSessionStatsEntry 8 }

 dot1xAuthSessionUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The User-Name representing the identity of the
        Supplicant PAE."
    REFERENCE
        "9.4.4, Session User Name"
    ::= { dot1xAuthSessionStatsEntry 9 }


 -- ---------------------------------------------------------- --
 -- The PAE Supplicant Group
 -- ---------------------------------------------------------- --

 -- ---------------------------------------------------------- --
 -- The Supplicant Configuration Table
 -- ---------------------------------------------------------- --

 dot1xSuppConfigTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xSuppConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the configuration objects for the
        Supplicant PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate itself when challenged by a remote system."
    REFERENCE
        "9.5.1"
    ::= { dot1xPaeSupplicant 1 }

 dot1xSuppConfigEntry OBJECT-TYPE
    SYNTAX      Dot1xSuppConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The configuration information for a Supplicant PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xSuppConfigTable 1 }

 Dot1xSuppConfigEntry ::=
    SEQUENCE {
        dot1xSuppPaeState
            INTEGER,
        dot1xSuppHeldPeriod
            Unsigned32,
        dot1xSuppAuthPeriod
            Unsigned32,
        dot1xSuppStartPeriod
            Unsigned32,
        dot1xSuppMaxStart
            Unsigned32
        }

 dot1xSuppPaeState OBJECT-TYPE
    SYNTAX      INTEGER {
                    disconnected(1),
                    logoff(2),
                    connecting(3),
                    authenticating(4),
                    authenticated(5),
                    acquired(6),
                    held(7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the Supplicant PAE state
        machine (8.5.8)."
    REFERENCE
        "9.5.1, Supplicant PAE State"
    ::= { dot1xSuppConfigEntry 1 }

 dot1xSuppHeldPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the heldPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, heldPeriod"
    DEFVAL { 60 }
    ::= { dot1xSuppConfigEntry 2 }

 dot1xSuppAuthPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the authPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, authPeriod"
    DEFVAL { 30 }
    ::= { dot1xSuppConfigEntry 3 }

 dot1xSuppStartPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the startPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, startPeriod"
    DEFVAL { 30 }
    ::= { dot1xSuppConfigEntry 4 }

 dot1xSuppMaxStart OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the maxStart constant currently in use by
        the Supplicant PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, maxStart"
    DEFVAL { 3 }
    ::= { dot1xSuppConfigEntry 5 }

 -- ---------------------------------------------------------- --
 -- The Supplicant Statistics Table
 -- ---------------------------------------------------------- --

 dot1xSuppStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xSuppStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the statistics objects for the
        Supplicant PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate itself when challenged by a remote system."
    REFERENCE
        "9.5.2"
    ::= { dot1xPaeSupplicant 2 }

 dot1xSuppStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xSuppStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The statistics information for a Supplicant PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xSuppStatsTable 1 }

 Dot1xSuppStatsEntry ::=
    SEQUENCE {
        dot1xSuppEapolFramesRx
            Counter32,
        dot1xSuppEapolFramesTx
            Counter32,
        dot1xSuppEapolStartFramesTx
            Counter32,
        dot1xSuppEapolLogoffFramesTx
            Counter32,
        dot1xSuppEapolRespIdFramesTx
            Counter32,
        dot1xSuppEapolRespFramesTx
            Counter32,
        dot1xSuppEapolReqIdFramesRx
            Counter32,
        dot1xSuppEapolReqFramesRx
            Counter32,
        dot1xSuppInvalidEapolFramesRx
            Counter32,
        dot1xSuppEapLengthErrorFramesRx
            Counter32,
        dot1xSuppLastEapolFrameVersion
            Unsigned32,
        dot1xSuppLastEapolFrameSource
            MacAddress
        }

 dot1xSuppEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL frames received"
    ::= { dot1xSuppStatsEntry 1 }

 dot1xSuppEapolFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL frames transmitted"
    ::= { dot1xSuppStatsEntry 2 }

 dot1xSuppEapolStartFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Start frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL Start frames transmitted"
    ::= { dot1xSuppStatsEntry 3 }

 dot1xSuppEapolLogoffFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Logoff frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL Logoff frames transmitted"
    ::= { dot1xSuppStatsEntry 4 }

 dot1xSuppEapolRespIdFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Resp/Id frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAP Resp/Id frames transmitted"
    ::= { dot1xSuppStatsEntry 5 }

 dot1xSuppEapolRespFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAP Response frames
        (other than Resp/Id frames)
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAP Resp frames transmitted"
    ::= { dot1xSuppStatsEntry 6 }

 dot1xSuppEapolReqIdFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Req/Id frames
        that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAP Req/Id frames received"
    ::= { dot1xSuppStatsEntry 7 }

 dot1xSuppEapolReqFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Request frames (other than Req/Id
        frames) that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAP Req frames received"
    ::= { dot1xSuppStatsEntry 8 }

 dot1xSuppInvalidEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Supplicant in which the
        frame type is not recognized."
    REFERENCE
        "9.5.2, Invalid EAPOL frames received"
    ::= { dot1xSuppStatsEntry 9 }

 dot1xSuppEapLengthErrorFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Supplicant in which the Packet
        Body Length field (7.5.5) is invalid."
    REFERENCE
        "9.5.2, EAP length error frames received"
    ::= { dot1xSuppStatsEntry 10 }

 dot1xSuppLastEapolFrameVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version number carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.5.2, Last EAPOL frame version"
    ::= { dot1xSuppStatsEntry 11 }

 dot1xSuppLastEapolFrameSource OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source MAC address carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.5.2, Last EAPOL frame source"
    ::= { dot1xSuppStatsEntry 12 }

 -- ---------------------------------------------------------- --
 -- IEEE 802.1X MIB - Conformance Information
 -- ---------------------------------------------------------- --

 dot1xPaeConformance OBJECT IDENTIFIER ::= { ieee8021paeMIB 2 }

 dot1xPaeGroups OBJECT IDENTIFIER ::= { dot1xPaeConformance 1 }

 dot1xPaeCompliances OBJECT IDENTIFIER
    ::= { dot1xPaeConformance 2 }

 -- ---------------------------------------------------------- --
 -- units of conformance
 -- ---------------------------------------------------------- --

 dot1xPaeSystemGroup OBJECT-GROUP
    OBJECTS {
        dot1xPaeSystemAuthControl,
        dot1xPaePortProtocolVersion,
        dot1xPaePortCapabilities,
        dot1xPaePortInitialize,
        dot1xPaePortReauthenticate
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing system information
        about, and control over, a PAE."
    ::= { dot1xPaeGroups 1 }

 dot1xPaeAuthConfigGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthPaeState,
        dot1xAuthBackendAuthState,
        dot1xAuthAdminControlledDirections,
        dot1xAuthOperControlledDirections,
        dot1xAuthAuthControlledPortStatus,
        dot1xAuthAuthControlledPortControl,
        dot1xAuthQuietPeriod,
        dot1xAuthTxPeriod,
        dot1xAuthSuppTimeout,
        dot1xAuthServerTimeout,
        dot1xAuthMaxReq,
        dot1xAuthReAuthPeriod,
        dot1xAuthReAuthEnabled,
        dot1xAuthKeyTxEnabled
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing configuration
        information about an Authenticator PAE."
    ::= { dot1xPaeGroups 2 }

 dot1xPaeAuthStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthEapolFramesRx,
        dot1xAuthEapolFramesTx,
        dot1xAuthEapolStartFramesRx,
        dot1xAuthEapolLogoffFramesRx,
        dot1xAuthEapolRespIdFramesRx,
        dot1xAuthEapolRespFramesRx,
        dot1xAuthEapolReqIdFramesTx,
        dot1xAuthEapolReqFramesTx,
        dot1xAuthInvalidEapolFramesRx,
        dot1xAuthEapLengthErrorFramesRx,
        dot1xAuthLastEapolFrameVersion,
        dot1xAuthLastEapolFrameSource
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about an
        Authenticator PAE."
    ::= { dot1xPaeGroups 3 }

 dot1xPaeAuthDiagGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthEntersConnecting,
        dot1xAuthEapLogoffsWhileConnecting,
        dot1xAuthEntersAuthenticating,
        dot1xAuthAuthSuccessWhileAuthenticating,
        dot1xAuthAuthTimeoutsWhileAuthenticating,
        dot1xAuthAuthFailWhileAuthenticating,
        dot1xAuthAuthReauthsWhileAuthenticating,
        dot1xAuthAuthEapStartsWhileAuthenticating,
        dot1xAuthAuthEapLogoffWhileAuthenticating,
        dot1xAuthAuthReauthsWhileAuthenticated,
        dot1xAuthAuthEapStartsWhileAuthenticated,
        dot1xAuthAuthEapLogoffWhileAuthenticated,
        dot1xAuthBackendResponses,
        dot1xAuthBackendAccessChallenges,
        dot1xAuthBackendOtherRequestsToSupplicant,
        dot1xAuthBackendNonNakResponsesFromSupplicant,
        dot1xAuthBackendAuthSuccesses,
        dot1xAuthBackendAuthFails
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing diagnostic statistics
        about an Authenticator PAE."
    ::= { dot1xPaeGroups 4 }

 dot1xPaeAuthSessionStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthSessionOctetsRx,
        dot1xAuthSessionOctetsTx,
        dot1xAuthSessionFramesRx,
        dot1xAuthSessionFramesTx,
        dot1xAuthSessionId,
        dot1xAuthSessionAuthenticMethod,
        dot1xAuthSessionTime,
        dot1xAuthSessionTerminateCause,
        dot1xAuthSessionUserName
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about the
        current, or last session for an Authenticator PAE."
    ::= { dot1xPaeGroups 5 }

 dot1xPaeSuppConfigGroup OBJECT-GROUP
    OBJECTS {
        dot1xSuppPaeState,
        dot1xSuppHeldPeriod,
        dot1xSuppAuthPeriod,
        dot1xSuppStartPeriod,
        dot1xSuppMaxStart
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing configuration
        information about a Supplicant PAE."
    ::= { dot1xPaeGroups 6 }

 dot1xPaeSuppStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xSuppEapolFramesRx,
        dot1xSuppEapolFramesTx,
        dot1xSuppEapolStartFramesTx,
        dot1xSuppEapolLogoffFramesTx,
        dot1xSuppEapolRespIdFramesTx,
        dot1xSuppEapolRespFramesTx,
        dot1xSuppEapolReqIdFramesRx,
        dot1xSuppEapolReqFramesRx,
        dot1xSuppInvalidEapolFramesRx,
        dot1xSuppEapLengthErrorFramesRx,
        dot1xSuppLastEapolFrameVersion,
        dot1xSuppLastEapolFrameSource
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about a
        Supplicant PAE."
    ::= { dot1xPaeGroups 7 }

 -- ---------------------------------------------------------- --
 -- compliance statements
 -- ---------------------------------------------------------- --

 dot1xPaeCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "The compliance statement for device support of
        Port Access Control."

    MODULE
        MANDATORY-GROUPS {
            dot1xPaeSystemGroup
        }

        GROUP   dot1xPaeAuthConfigGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Authenticator functions of the PAE."

        OBJECT  dot1xAuthAdminControlledDirections
        SYNTAX  INTEGER {
                    both(0)
                }
        MIN-ACCESS read-only
        DESCRIPTION
            "Support for in(1) is optional."

        OBJECT  dot1xAuthOperControlledDirections
        SYNTAX  INTEGER {
                    both(0)
                }
        DESCRIPTION
            "Support for in(1) is optional."

        OBJECT dot1xAuthKeyTxEnabled
        MIN-ACCESS read-only
        DESCRIPTION
          "An Authenticator PAE that does not support
          EAPOL-Key frames may implement this object as
          read-only, returning a value of FALSE."

        GROUP   dot1xPaeAuthStatsGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeAuthDiagGroup
        DESCRIPTION
            "This group is optional for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeAuthSessionStatsGroup
        DESCRIPTION
            "This group is optional for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeSuppConfigGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Supplicant functions of the PAE."

        GROUP   dot1xPaeSuppStatsGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Supplicant functions of the PAE."

    ::= { dot1xPaeCompliances 1 }

 END
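
   The following added example (not part of this draft) compares two
   polls of one dot1xSuppStatsTable row, allowing for Counter32 wrap
   and for an agent restart.  The thresholds, the poll dictionaries and
   the MAC addresses are constructed for illustration.

```python
COUNTER32_MOD = 2 ** 32   # a Counter32 wraps to 0 after 4294967295

# Counters from Dot1xSuppStatsEntry that count malformed input.
ERROR_COUNTERS = (
    "dot1xSuppInvalidEapolFramesRx",
    "dot1xSuppEapLengthErrorFramesRx",
)
# Objects that describe the last received frame rather than a count.
LAST_FRAME_OBJECTS = (
    "dot1xSuppLastEapolFrameVersion",
    "dot1xSuppLastEapolFrameSource",
)


def counter32_delta(previous, current):
    """Increase between two Counter32 samples, allowing for one wrap."""
    return (current - previous) % COUNTER32_MOD


def compare_polls(previous, current, max_errors=10, max_plausible=1_000_000):
    """Return (object_name, reason) findings for one Supplicant port.

    max_errors and max_plausible are assumed per-interval thresholds.
    """
    findings = []
    for name in ERROR_COUNTERS:
        delta = counter32_delta(previous[name], current[name])
        if delta > max_plausible:
            # Far too large for one interval: the counter restarted from
            # zero, so the delta is meaningless.  A production poller
            # would confirm this with sysUpTime.
            findings.append((name, "discontinuity"))
        elif delta > max_errors:
            findings.append((name, "%d new frames" % delta))
    for name in LAST_FRAME_OBJECTS:
        if previous[name] != current[name]:
            findings.append(
                (name, "changed from %s to %s" % (previous[name], current[name])))
    return findings


# Constructed samples: three successive polls of the same row.
POLL_1 = {
    "dot1xSuppInvalidEapolFramesRx": 4294967290,
    "dot1xSuppEapLengthErrorFramesRx": 12,
    "dot1xSuppLastEapolFrameVersion": 1,
    "dot1xSuppLastEapolFrameSource": "00:00:5e:00:53:01",
}
POLL_2 = {
    "dot1xSuppInvalidEapolFramesRx": 4,        # wrapped: 10 new frames
    "dot1xSuppEapLengthErrorFramesRx": 40,     # 28 new frames
    "dot1xSuppLastEapolFrameVersion": 1,
    "dot1xSuppLastEapolFrameSource": "00:00:5e:00:53:02",
}
POLL_3 = {                                     # taken after an agent restart
    "dot1xSuppInvalidEapolFramesRx": 0,
    "dot1xSuppEapLengthErrorFramesRx": 0,
    "dot1xSuppLastEapolFrameVersion": 1,
    "dot1xSuppLastEapolFrameSource": "00:00:5e:00:53:02",
}

if __name__ == "__main__":
    for finding in compare_polls(POLL_1, POLL_2) + compare_polls(POLL_2, POLL_3):
        print(finding)
```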


5.  Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.


6.  Acknowledgements

   This document was reproduced by the IETF Bridge MIB Working Group
   from the IEEE Std 802.1X-2001 IEEE Standard for Local and
   metropolitan area networks Port-Based Network Access Control.

   Special thanks to Les Bell for his help in getting this document
   ready for publication and providing his insight, and Mike Heard for
   helping with security and copyright issues.


7.  Normative References

 [IEEESTD8021]  IEEE, IEEE Std 802.1, 2001 "Edition: IEEE Standard for
                Local and metropolitan area networks Port-Based Network
                Access Control"

 [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M. and S. Waldbusser, "Structure of Management
            Information Version 2 (SMIv2)", STD 58, RFC 2578,
            May 1999.

 [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2",
            STD 58, RFC 2579, May 1999.

 [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M. and S. Waldbusser, "Conformance Statements for
            SMIv2", STD 58, RFC 2580, May 1999.

 [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB
            using SMIv2", RFC 2863, June 2000.

 [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
            Architecture for describing Simple Network Management
            Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
            December 2002.

 [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
           "Introduction and Applicability Statements for Internet-
           Standard Management Framework", RFC 3410, December 2002.

 [RFC3635] Flick, J., "Definitions of Managed Objects for the
           Ethernet-like Interface Types", RFC 3635, September 2003.

 [8021XAUTH] IEEE, 802.1x - Port Based Network Access Control,
            definition of Authenticator,  clause 3.1.1

 [8021XSUPP] IEEE, 802.1x - Port Based Network Access Control,
            definition of Supplicant, clause 3.1.5



8.  Informative References

 [RFC1157]  Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
            Network Management Protocol", STD 15, RFC 1157, May 1990.


 [RFC1212]  Rose, M. and K. McCloghrie, "Concise MIB Definitions",
            STD 16, RFC 1212, March 1991.

 [RFC1901]  Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
            "Introduction to Community-based SNMPv2", RFC 1901, January
            1996.

 [RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
           "Protocol Operations for Version 2 of the Simple Network
           Management Protocol (SNMPv2)", RFC 1905, January 1996.

 [RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
           "Transport Mappings for Version 2 of the Simple Network
           Management Protocol (SNMPv2)", RFC 1906, January 1996.

 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
           Requirements Levels", BCP 14, RFC 2119, March 1997.

 [RFC2570] Case, J., Mundy, R., Partain, D. and B. Stewart,
           "Introduction to Version 3 of the Internet-Standard Network
           Management Framework", RFC 2570, May 1999.

 [RFC2572] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message
           Processing and Dispatching for the Simple Network Management
           Protocol (SNMP)", RFC 2572, May 1999.

 [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
           (USM) for version 3 of the Simple Network Management Protocol
           (SNMPv3)", RFC 2574, May 1999.

 [RFC2573] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications",
           RFC 2573, May 1999.

 [RFC2575] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
           Control Model (VACM) for the Simple Network Management
           Protocol (SNMP)", RFC 2575, May 1999.


9.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write.  If maliciously set, these
   objects can affect the operation of the port authentication
   functions, including allowing access to unauthorized users or denying
   access to authorized users.  Hence support for SET operations
   without proper access control may have a negative effect on network
   operations.  The sensitive read-write objects in this MIB module are:
   dot1xPaeSystemAuthControl, dot1xPaePortInitialize,
   dot1xPaePortReauthenticate, dot1xAuthAdminControlledDirections,
   dot1xAuthAuthControlledPortControl, dot1xAuthQuietPeriod,
   dot1xAuthTxPeriod, dot1xAuthSuppTimeout, dot1xAuthServerTimeout,
   dot1xAuthMaxReq, dot1xAuthReAuthPeriod, dot1xAuthReAuthEnabled,
   dot1xAuthKeyTxEnabled, dot1xSuppHeldPeriod, dot1xSuppAuthPeriod,
   dot1xSuppStartPeriod, and dot1xSuppMaxStart.

   The readable objects in this MIB module (i.e., the managed objects
   that have a MAX-ACCESS clause of anything other than not-accessible)
   contain information that may be used to compromise the access and
   security of network users.  It is therefore important to control
   GET and/or NOTIFY access to these objects and possibly even to
   encrypt their values when sending them over the network via SNMP.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.
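
   The following added example (not part of this draft) extracts every
   object whose MAX-ACCESS permits SET from MIB text and reports any
   that are missing from the list of sensitive objects given above.
   SAMPLE_MIB is an abridged excerpt constructed for illustration, and
   exampleUnlistedTimer is a hypothetical object.

```python
import re

# Read-write objects named in the Security Considerations section.
DOCUMENTED_SENSITIVE = {
    "dot1xPaeSystemAuthControl", "dot1xPaePortInitialize",
    "dot1xPaePortReauthenticate", "dot1xAuthAdminControlledDirections",
    "dot1xAuthAuthControlledPortControl", "dot1xAuthQuietPeriod",
    "dot1xAuthTxPeriod", "dot1xAuthSuppTimeout", "dot1xAuthServerTimeout",
    "dot1xAuthMaxReq", "dot1xAuthReAuthPeriod", "dot1xAuthReAuthEnabled",
    "dot1xAuthKeyTxEnabled", "dot1xSuppHeldPeriod", "dot1xSuppAuthPeriod",
    "dot1xSuppStartPeriod", "dot1xSuppMaxStart",
}

# Abridged definitions in the draft's layout, constructed for this example.
# exampleUnlistedTimer is hypothetical and stands for a later addition.
SAMPLE_MIB = '''
 dot1xAuthQuietPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Abridged, constructed description text."
    ::= { dot1xAuthConfigEntry 7 }

 dot1xSuppEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    ::= { dot1xSuppStatsEntry 1 }

 exampleUnlistedTimer OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    ::= { exampleEntry 1 }
'''

STRING_RE = re.compile(r'"[^"]*"')   # DESCRIPTION and REFERENCE text
OBJECT_RE = re.compile(
    r"^\s*([a-z][A-Za-z0-9]*)\s+OBJECT-TYPE\b(.*?)::=\s*\{",
    re.MULTILINE | re.DOTALL)
ACCESS_RE = re.compile(r"\bMAX-ACCESS\s+([a-z-]+)")


def max_access_by_object(mib_text):
    """Map each OBJECT-TYPE name in mib_text to its MAX-ACCESS value."""
    # Blank out quoted strings so that prose cannot be mistaken for clauses.
    text = STRING_RE.sub('""', mib_text)
    result = {}
    for name, body in OBJECT_RE.findall(text):
        access = ACCESS_RE.search(body)
        if access:
            result[name] = access.group(1)
    return result


def audit_write_access(mib_text, documented=DOCUMENTED_SENSITIVE):
    """Report writable objects and those absent from the documented list."""
    access = max_access_by_object(mib_text)
    writable = {name for name, value in access.items()
                if value in ("read-write", "read-create")}
    return {
        "writable": sorted(writable),
        "unlisted_writable": sorted(writable - set(documented)),
    }


if __name__ == "__main__":
    print(audit_write_access(SAMPLE_MIB))
```

   The "writable" list is the set of objects to exclude from the write
   view of any principal that does not administer port authentication.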


10.  Author's Address

   K.C. Norseth
   L-3 Communications
   640 N. 2200 West.
   Salt Lake City, Utah 84116-0850
   Email: kenyon.c.norseth@L-3com.com
          kcn@norseth.com


11.  Change Log

   The following changes were made to <draft-ietf-bridge-8021x-00.txt>
   to produce <draft-ietf-bridge-8021x-03.txt>:

   1) Redefined the overview to better reflect the IEEE 802.1x document.
   2) Clarification of the security section
   3) Splitting references into Normative and Informative
   4) Changing draft to reflect IETF document standards.


12.    Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others provided that the above copyright notice and this paragraph
   are included on all such copies.  However, this document itself may
   not be modified in any way, such as by removing the copyright notice
   or references to the Internet Society or other Internet
   organizations, except as required to translate it into languages
   other than English, and derivative works of it may not be created,
   other than to extract the MIB module in Section 4 as-is for separate
   use.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.