ENTERASYS-TACACS-CLIENT-MIB DEFINITIONS ::= BEGIN
|
|
|
|
-- enterasys-tacacs-client-mib.txt
|
|
--
|
|
-- Part Number:
|
|
--
|
|
--
|
|
|
|
-- This module provides authoritative definitions for Enterasys
|
|
-- Networks' TACACS+ client functionality.
|
|
|
|
--
|
|
-- This module will be extended, as needed.
|
|
|
|
-- Enterasys Networks reserves the right to make changes in this
|
|
-- specification and other information contained in this document
|
|
-- without prior notice. The reader should consult Enterasys Networks
|
|
-- to determine whether any such changes have been made.
|
|
--
|
|
-- In no event shall Enterasys Networks be liable for any incidental,
|
|
-- indirect, special, or consequential damages whatsoever (including
|
|
-- but not limited to lost profits) arising out of or related to this
|
|
-- document or the information contained in it, even if Enterasys
|
|
-- Networks has been advised of, known, or should have known, the
|
|
-- possibility of such damages.
|
|
--
|
|
-- Enterasys Networks grants vendors, end-users, and other interested
|
|
-- parties a non-exclusive license to use this Specification in
|
|
-- connection with the management of Enterasys Networks products.
|
|
|
|
-- Copyright February 2003-2010 Enterasys Networks, Inc.
|
|
|
|
IMPORTS
|
|
MODULE-IDENTITY, OBJECT-TYPE, Integer32
|
|
FROM SNMPv2-SMI
|
|
MODULE-COMPLIANCE, OBJECT-GROUP
|
|
FROM SNMPv2-CONF
|
|
TruthValue, RowStatus
|
|
FROM SNMPv2-TC
|
|
EnabledStatus
|
|
FROM P-BRIDGE-MIB
|
|
SnmpAdminString
|
|
FROM SNMP-FRAMEWORK-MIB
|
|
InetAddressType, InetAddress, InetPortNumber
|
|
FROM INET-ADDRESS-MIB
|
|
etsysModules
|
|
FROM ENTERASYS-MIB-NAMES;
|
|
|
|
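-- Module identity for the Enterasys TACACS+ client MIB, registered as
-- etsysModules 58. Two revisions are recorded: the initial 2005 version and a
-- 2010 correction to the etsysTacacsClientSesnAuthValue DESCRIPTION.
etsysTacacsClientMIB MODULE-IDENTITY
    LAST-UPDATED "201002011702Z"  -- Mon Feb 1 17:02 UTC 2010
    ORGANIZATION "Enterasys Networks, Inc"
    CONTACT-INFO
        "Postal: Enterasys Networks
                 50 Minuteman Rd.
                 Andover, MA 01810-1008
                 USA
         Phone:  +1 978 684 1000
         E-mail: support@enterasys.com
         WWW:    http://www.enterasys.com"

    DESCRIPTION
        "This MIB module defines a portion of the SNMP MIB under
         the Enterasys Networks enterprise OID pertaining to
         TACACS+ client configuration."

    REVISION    "201002011702Z"  -- Mon Feb 1 17:02 UTC 2010
    DESCRIPTION "Corrected DESCRIPTION clause for the
                 etsysTacacsClientSesnAuthValue object."

    REVISION    "200502101757Z"  -- Thu Feb 10 17:57 GMT 2005
    DESCRIPTION "The initial version of this MIB module."
    ::= { etsysModules 58 }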
|
|
|
|
|
|
-- -------------------------------------------------------------
|
|
-- Branches of the Enterasys TACACS+ Client MIB
|
|
-- -------------------------------------------------------------
|
|
|
|
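-- Object branches. Everything manageable lives under etsysTacacsClientMIB 1:
--   Control  (1)  global enable switches for the client
--   SesnAuth (2)  session authorization service and level mapping
--   Server   (3)  the TACACS+ server table, including the shared secret
-- These subtree boundaries are the natural units for VACM view rules.
etsysTacacsClientObjects OBJECT IDENTIFIER
    ::= { etsysTacacsClientMIB 1 }

etsysTacacsClientControl OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 1 }

etsysTacacsClientSesnAuth OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 2 }

etsysTacacsClientServer OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 3 }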
|
|
|
|
|
|
-- -------------------------------------------------------------
|
|
-- TACACS+ Client Control Group
|
|
-- -------------------------------------------------------------
|
|
|
|
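-- Global switch for TACACS+ session authentication and authorization.
-- Defaults to disabled.
-- NOTE(review): MAX-ACCESS is read-write, so any SNMP principal with write
-- access to this object can switch TACACS+ session authentication off. What
-- the device falls back to in that case is not stated in this module. Keep
-- the etsysTacacsClientControl subtree out of non-administrative VACM write
-- views and alert on set requests that touch it.
etsysTacacsClientSesnAuthEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         authentication and authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 1 }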
|
|
|
|
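-- Global switch for TACACS+ session accounting. Defaults to disabled.
-- NOTE(review): writable over SNMP. Setting it to disabled presumably stops
-- session accounting records from reaching the TACACS+ server (confirm with
-- the agent), so a change to this object deserves its own alert.
etsysTacacsClientSesnAcctEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 2 }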
|
|
|
|
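-- Global switch for TACACS+ command level authorization. Defaults to
-- disabled. Belongs to the optional etsysTacacsClientCmdAuthGroup.
-- NOTE(review): writable over SNMP. With this disabled, commands are not
-- checked against the TACACS+ server; which local policy then applies is not
-- stated in this module. Restrict write access and monitor changes.
etsysTacacsClientCmdAuthEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         level authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 3 }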
|
|
|
|
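-- Global switch for TACACS+ command accounting. Defaults to disabled.
-- Belongs to the optional etsysTacacsClientCmdAcctGroup.
-- NOTE(review): writable over SNMP. Command accounting is typically the
-- audit trail of what an administrator ran, so treat a set to disabled as a
-- security-relevant event.
etsysTacacsClientCmdAcctEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 4 }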
|
|
|
|
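-- Global switch that lets the client reuse one TCP connection for several
-- TACACS+ requests. Defaults to disabled.
-- This is a single scalar under the control branch, not a column of the
-- server table, which is why the DESCRIPTION requires every configured
-- server to accept single connection mode before it is enabled.
etsysTacacsClientSingleConnection OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Allows the TACACS+ client to send multiple TACACS+ requests
         on a single TCP connection.  All configured TACACS+ servers
         MUST allow this NAS to use single connection mode."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 5 }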
|
|
|
|
|
|
-- -------------------------------------------------------------
|
|
-- TACACS+ Client Session Authorization Group
|
|
-- -------------------------------------------------------------
|
|
|
|
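-- Service name the client requests when authorizing a management session.
-- Defaults to the string "enable".
-- The value matters beyond the request itself: according to the DESCRIPTION
-- of etsysTacacsClientSesnAuthValue, the combination of service 'enable' and
-- attribute 'priv-lvl' turns the configured value into a minimum threshold,
-- while any other combination requires an exact match. Changing this object
-- therefore changes how every row of the authorization table is evaluated.
etsysTacacsClientSesnAuthService OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The service to be requested for management session
         authorization."
    DEFVAL { "enable" }
    ::= { etsysTacacsClientSesnAuth 1 }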
|
|
|
|
|
|
-- -------------------------------------------------------------
|
|
-- TACACS+ Client Session Authorization Table
|
|
-- -------------------------------------------------------------
|
|
|
|
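-- Session authorization mapping table: one row per authorization level,
-- each holding the attribute-value pair that level requires.
-- The DESCRIPTION previously repeated the etsysTacacsClientServerTable text
-- ("A list of TACACS+ servers ..."), which does not match this table's index
-- or columns; it is reworded here to describe what the rows actually hold.
-- A republished module would also record the change in a REVISION clause.
etsysTacacsClientSesnAuthTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that maps each session authorization level to the
         TACACS+ attribute-value pair required for that level."
    ::= { etsysTacacsClientSesnAuth 2 }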
|
|
|
|
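-- One row of the session authorization mapping, indexed by
-- etsysTacacsClientSesnAuthLevel.
-- The DESCRIPTION previously repeated the server-entry text ("A TACACS+
-- server that this client may attempt to use."); it is reworded to match the
-- row's index and columns. There is no RowStatus column, so rows are not
-- created or deleted through this table.
etsysTacacsClientSesnAuthEntry OBJECT-TYPE
    SYNTAX      EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The TACACS+ attribute-value pair required for one session
         authorization level."
    INDEX { etsysTacacsClientSesnAuthLevel }
    ::= { etsysTacacsClientSesnAuthTable 1 }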
|
|
|
|
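-- Row layout of the session authorization mapping table: the level index
-- followed by the attribute name and the value required for that level.
EtsysTacacsClientSesnAuthEntry ::= SEQUENCE {
    etsysTacacsClientSesnAuthLevel      INTEGER,
    etsysTacacsClientSesnAuthAttribute  SnmpAdminString,
    etsysTacacsClientSesnAuthValue      SnmpAdminString
}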
|
|
|
|
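-- Index of the session authorization mapping table. Four levels are defined,
-- readonly(1) through debug(4); an agent may implement only some of them.
etsysTacacsClientSesnAuthLevel OBJECT-TYPE
    SYNTAX      INTEGER {
                    readonly  (1),
                    readwrite (2),
                    superuser (3),
                    debug     (4)
                }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The authorization level for the corresponding attribute
         value pair.  Managed entities are not required to support
         all authorization levels."
    ::= { etsysTacacsClientSesnAuthEntry 1 }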
|
|
|
|
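-- Attribute name of the attribute-value pair for one authorization level.
-- Defaults to "priv-lvl".
-- NOTE(review): writable over SNMP. Moving a row away from 'priv-lvl'
-- switches that level from minimum-value matching to exact matching (see the
-- etsysTacacsClientSesnAuthValue DESCRIPTION), so review changes here
-- together with the value column.
etsysTacacsClientSesnAuthAttribute OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The attribute part of the attribute-value pair for this
         access level.  The default value 'priv-lvl' is normally
         defined to have a corresponding value part with a value
         between '0' and '15' inclusive."
    DEFVAL { "priv-lvl" }
    ::= { etsysTacacsClientSesnAuthEntry 2 }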
|
|
|
|
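-- Value of the attribute-value pair for one authorization level.
-- Matching rule, as the DESCRIPTION states it:
--   * service is 'enable', attribute is 'priv-lvl' and this value is a
--     number from 0 to 15: the value is the MINIMUM the server must return
--     for a session to be granted this level;
--   * otherwise the server's value must match this string exactly.
-- Stated defaults are '0' (read-only), '1' (read-write), '15' (superuser).
-- NOTE(review): no default is given for debug(4), and no DEFVAL clause is
-- present; confirm the agent's behaviour for that level.
-- NOTE(review): this column is the privilege mapping itself. With
-- MAX-ACCESS read-write, lowering a row's value over SNMP lowers the
-- privilege the server must assert for that level, so restrict write access
-- to the etsysTacacsClientSesnAuth subtree and alert on changes.
etsysTacacsClientSesnAuthValue OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value part of the attribute-value pair for this access
         level.

         To allow the leveraging of existing Cisco 'enable' mode
         configurations.  When

         1.) the etsysTacacsClientSesnAuthService object has the value
             'enable',

         2.) the attribute part of this attribute-value pair is
             'priv-lvl',

         and

         3.) the value part of this attribute-value pair represents a
             numeric value between 0 and 15, inclusive,

         then the value part of this attribute-value pair specifies the
         minimum value required for this access level.

         If any of the above conditions are not met then this value
         must be an exact match with the value returned from the TACACS+
         server.

         The default values for this object are '0' for read-only,
         '1' for read-write, and '15' for superuser authorization."
    ::= { etsysTacacsClientSesnAuthEntry 3 }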
|
|
|
|
|
|
-- -------------------------------------------------------------
|
|
-- TACACS+ Client Server Table
|
|
-- -------------------------------------------------------------
|
|
|
|
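-- Table of TACACS+ servers the client may contact. Rows carry the server
-- address, port, timeout and shared secret, and are created and deleted
-- through the RowStatus column etsysTacacsClientServerStatus.
etsysTacacsClientServerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EtsysTacacsClientServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of TACACS+ servers that this client may attempt to use."
    ::= { etsysTacacsClientServer 1 }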
|
|
|
|
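-- One TACACS+ server, indexed by etsysTacacsClientServerIndex.
etsysTacacsClientServerEntry OBJECT-TYPE
    SYNTAX      EtsysTacacsClientServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A TACACS+ server that this client may attempt to use."
    INDEX { etsysTacacsClientServerIndex }
    ::= { etsysTacacsClientServerTable 1 }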
|
|
|
|
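-- Row layout of the server table. The secret itself and a separate
-- read-only flag reporting whether a secret exists are distinct columns.
EtsysTacacsClientServerEntry ::= SEQUENCE {
    etsysTacacsClientServerIndex          Integer32,
    etsysTacacsClientServerAddressType    InetAddressType,
    etsysTacacsClientServerAddress        InetAddress,
    etsysTacacsClientServerPortNumber     InetPortNumber,
    etsysTacacsClientServerTimeout        Integer32,
    etsysTacacsClientServerSecret         OCTET STRING,
    etsysTacacsClientServerSecretEntered  TruthValue,
    etsysTacacsClientServerStatus         RowStatus
}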
|
|
|
|
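-- Row index of the server table, 1 to 2147483647. The DESCRIPTION requires
-- index values to survive an agent restart, so a given index keeps naming
-- the same server entry.
etsysTacacsClientServerIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A number uniquely identifying each conceptual row
         in the etsysTacacsClientServerTable.

         In the event of an agent restart, the same value of
         etsysTacacsClientServerIndex must be used to identify
         each conceptual row in etsysTacacsClientServerTable
         as prior to the restart."
    ::= { etsysTacacsClientServerEntry 1 }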
|
|
|
|
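-- Address family of etsysTacacsClientServerAddress for this row. Defaults to
-- ipv4; the address column's DESCRIPTION also covers the dns(16) case.
etsysTacacsClientServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of Internet address by which this TACACS+ server
         is reachable."
    DEFVAL { ipv4 }
    ::= { etsysTacacsClientServerEntry 2 }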
|
|
|
|
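-- Address of the TACACS+ server, 1 to 64 octets (never empty).
-- For dns(16) rows created over SNMP the agent stores the name and resolves
-- it each time the server is contacted.
-- NOTE(review): in that case the server the client actually talks to depends
-- on the resolver path at the moment of use. Where that is a concern,
-- configure literal addresses.
-- NOTE(review): a set to this column redirects authentication traffic to a
-- different host, so it belongs in the same restricted write view as the
-- shared secret.
etsysTacacsClientServerAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(1..64))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Internet address for the TACACS+ server.

         The etsysTacacsClientServerAddress may not be
         empty due to the SIZE restriction.  Also the size of
         a DNS name is limited to 64 characters.

         If a row is created administratively by an SNMP
         operation and the address type value is dns(16), then
         the agent stores the DNS name internally.  A DNS name
         lookup must be performed on the internally stored DNS
         name whenever it is being used to contact the peer.
         If a row is created by the managed entity itself and
         the address type value is dns(16), then the agent
         stores the IP address internally.  A DNS reverse lookup
         must be performed on the internally stored IP address
         whenever the value is retrieved via SNMP."
    ::= { etsysTacacsClientServerEntry 3 }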
|
|
|
|
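-- TCP port used to reach this server. Defaults to 49.
-- NOTE(review): the DESCRIPTION gives the range as 0-65535 and the SYNTAX
-- adds no sub-range, so 0 is formally accepted; presumably agents reject it
-- for an outbound connection (confirm).
etsysTacacsClientServerPortNumber OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The TCP port number (0-65535) the client is using
         to send requests to this server."
    DEFVAL { 49 }
    ::= { etsysTacacsClientServerEntry 4 }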
|
|
|
|
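-- Per-server response timeout, 1 to 180 seconds. Defaults to 10.
-- NOTE(review): MAX-ACCESS is read-write while the other writable columns of
-- this RowStatus-managed table are read-create; confirm whether agents
-- accept this column in the set request that creates the row.
etsysTacacsClientServerTimeout OBJECT-TYPE
    SYNTAX      Integer32 (1..180)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The number of seconds to wait for a TACACS+ server to
         respond to a request."
    DEFVAL { 10 }
    ::= { etsysTacacsClientServerEntry 5 }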
|
|
|
|
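-- Shared secret between this client and the server in this row, 0 to 32
-- octets.
-- NOTE(review): MAX-ACCESS read-create permits reads as well as writes, and
-- the DESCRIPTION does not say what a get request returns. The read-only
-- companion etsysTacacsClientServerSecretEntered suggests agents are meant
-- to report only whether a secret exists; confirm that the agent never
-- returns the stored value.
-- NOTE(review): a set request carries the secret in the PDU. Manage this
-- column only over SNMPv3 with authentication and privacy, and exclude it
-- from the read and write views of everyone but the AAA administrators.
-- NOTE(review): SIZE(0..32) admits a zero-length value and caps the secret
-- at 32 octets; whether an empty secret satisfies rule 2 of
-- etsysTacacsClientServerStatus is not stated.
etsysTacacsClientServerSecret OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the secret shared between the TACACS+
         server and TACACS+ client."
    ::= { etsysTacacsClientServerEntry 6 }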
|
|
|
|
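-- Read-only flag reporting whether a shared secret exists for this row.
-- It lets a management station audit that every server entry has a secret
-- without needing read access to etsysTacacsClientServerSecret itself.
etsysTacacsClientServerSecretEntered OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates the existence of a shared secret."
    ::= { etsysTacacsClientServerEntry 7 }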
|
|
|
|
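-- RowStatus column that creates, activates, suspends and deletes server
-- entries. A row cannot become 'active' until an address and a secret have
-- been supplied, and rows that are 'notReady' or 'notInService' are not used
-- for authentication.
-- NOTE(review): rule 1 speaks of "creating a TACACS+ client"; from context it
-- presumably means creating a server entry in this table.
-- NOTE(review): setting a row to 'notInService' or destroying it removes
-- that server from use. Treat writes to this column like writes to the
-- global enable switches when defining VACM views and alerts.
etsysTacacsClientServerStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lets users create and delete TACACS+ server entries on
         systems that support this capability.

         Rules

         1. When creating a TACACS+ client, it is up to the
            management station to determine a suitable
            etsysTacacsClientServerIndex.  To facilitate
            interoperability, agents should not put any
            restrictions on the etsysTacacsClientServerIndex
            beyond the obvious ones that it be valid and unused.

         2. Before a new row can become 'active', values must
            be supplied for the columnar objects
            etsysTacacsClientServerAddress and
            etsysTacacsClientServerSecret.

         3. The value of etsysTacacsClientServerStatus MAY
            need to be set to 'notInService' in order to modify
            a writable object in the same conceptual row.

         4. etsysTacacsClientServer entries whose
            status is 'notReady' or 'notInService' will
            not be used for authentication."

    ::= { etsysTacacsClientServerEntry 8 }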
|
|
|
|
|
|
-- ------------------------------------
|
|
-- Conformance information
|
|
-- ------------------------------------
|
|
|
|
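-- Conformance branches under etsysTacacsClientMIB 2: compliance statements
-- at 1, object groups at 2.
etsysTacacsClientConformance
    OBJECT IDENTIFIER ::= { etsysTacacsClientMIB 2 }

etsysTacacsClientCompliances
    OBJECT IDENTIFIER ::= { etsysTacacsClientConformance 1 }

etsysTacacsClientGroups
    OBJECT IDENTIFIER ::= { etsysTacacsClientConformance 2 }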
|
|
|
|
|
|
-- ------------------------------------
|
|
-- Units of conformance
|
|
-- ------------------------------------
|
|
|
|
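-- Mandatory group (see etsysTacacsClientCompliance): the session
-- authentication and accounting switches, the single-connection switch and
-- every accessible column of the server table, including the shared secret.
-- Any compliant agent therefore exposes etsysTacacsClientServerSecret, so
-- access control for that column has to come from the SNMP view
-- configuration rather than from the MIB being optional.
etsysTacacsClientSessionGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientSesnAuthEnabled,
        etsysTacacsClientSesnAcctEnabled,
        etsysTacacsClientSingleConnection,
        etsysTacacsClientServerAddressType,
        etsysTacacsClientServerAddress,
        etsysTacacsClientServerPortNumber,
        etsysTacacsClientServerTimeout,
        etsysTacacsClientServerSecret,
        etsysTacacsClientServerSecretEntered,
        etsysTacacsClientServerStatus
    }
    STATUS      current
    DESCRIPTION
        "The collection of objects required to do TACACS+
         authentication, authorization, and accounting for
         management sessions."
    ::= { etsysTacacsClientGroups 1 }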
|
|
|
|
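-- Conditional group holding the single switch for command authorization.
etsysTacacsClientCmdAuthGroup OBJECT-GROUP
    OBJECTS { etsysTacacsClientCmdAuthEnabled }
    STATUS      current
    DESCRIPTION
        "Additional objects for TACACS+ command authorization."
    ::= { etsysTacacsClientGroups 2 }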
|
|
|
|
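-- Conditional group holding the single switch for command accounting.
etsysTacacsClientCmdAcctGroup OBJECT-GROUP
    OBJECTS { etsysTacacsClientCmdAcctEnabled }
    STATUS      current
    DESCRIPTION
        "Additional objects for TACACS+ command accounting."
    ::= { etsysTacacsClientGroups 3 }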
|
|
|
|
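-- Conditional group for the session authorization mapping: the requested
-- service plus the attribute and value columns of the mapping table. These
-- three objects together decide which privilege level a session receives.
etsysTacacsClientSesnAuthGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientSesnAuthService,
        etsysTacacsClientSesnAuthAttribute,
        etsysTacacsClientSesnAuthValue
    }
    STATUS      current
    DESCRIPTION
        "Additional objects to map read-only, read-write, superuser,
         and debug authorization level into a service level and
         respective attribute-value pairs."
    ::= { etsysTacacsClientGroups 4 }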
|
|
|
|
|
|
-- ------------------------------------
|
|
-- Compliance statements
|
|
-- ------------------------------------
|
|
|
|
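-- Compliance statement. Only etsysTacacsClientSessionGroup is mandatory; the
-- command authorization, command accounting and session authorization
-- mapping groups are required only on devices that support those features.
-- No OBJECT clauses are present, so the statement does not allow a reduced
-- MIN-ACCESS for any object, the shared secret included.
etsysTacacsClientCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for clients implementing the
         TACACS+ Client MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { etsysTacacsClientSessionGroup }

        GROUP etsysTacacsClientCmdAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             authorization via TACACS+"

        GROUP etsysTacacsClientCmdAcctGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             accounting via TACACS+"

        GROUP etsysTacacsClientSesnAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting any of the
             following authorization levels: read-only, read-write,
             superuser, or debug."

    ::= { etsysTacacsClientCompliances 1 }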
|
|
|
|
END
|