1001 lines
37 KiB
Plaintext
1001 lines
37 KiB
Plaintext
-- =================================================================
|
|
-- Copyright (c) 2004-2015 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
|
|
--
|
|
-- Description: description of Port Security
|
|
-- Reference:
|
|
-- Version: V1.8
|
|
-- History:
|
|
-- V1.0 2004-11-24, Created by lijian
|
|
-- V1.1 2005-2-23, Modified by Zhangmin
|
|
-- Add objects:h3cSecureRalmAuthDomain,h3cSecureRalmAuthOfflineTime
|
|
-- h3cSecureRalmAuthServerTimeoutTime,
|
|
-- h3cSecureRalmLoginFailure,h3cSecureRalmLogon
|
|
-- h3cSecureRalmLogoff
|
|
-- V1.2 2005-10-21, Modified the value range of 'h3cSecureRalmAuthPassword'
|
|
-- from (0..16) to (0..63) by lijian
|
|
-- V1.3 2006-01-21, Add TruthValue and h3cSecureAssignTable by wangyingxia
|
|
-- V1.4 2006-02-24, Modified the description of h3cSecureBindingTable
|
|
-- Modified the range of h3cSecureBindingIndex by xulei
|
|
-- V1.5 2006-05-27, Add h3cSecureMacControl by ludi
|
|
-- V1.6 2006-11-16, Add macAddressAndUserLoginSecure
|
|
-- and macAddressAndUserLoginSecureExt for h3cSecurePortMode
|
|
-- by huangyang
|
|
-- V1.7 2012-04-11, Modified the range of h3cSecureRalmAuthOfflineTime by xuyonggang
|
|
-- V1.8 2014-06-05, Modified the range of h3cSecureRalmAuthDomain by wuqiang
|
|
-- =================================================================
|
|
H3C-PORT-SECURITY-MIB DEFINITIONS ::= BEGIN
|
|
|
|
|
|
IMPORTS
|
|
h3cPortSecurity
|
|
FROM HUAWEI-3COM-OID-MIB
|
|
ifAdminStatus,ifIndex
|
|
FROM RFC1213-MIB
|
|
OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32, IpAddress
|
|
FROM SNMPv2-SMI
|
|
DisplayString, RowStatus, MacAddress, TruthValue
|
|
FROM SNMPv2-TC
|
|
dot1xAuthSessionUserName, dot1xAuthSessionAuthenticMethod,
|
|
dot1xAuthSessionTerminateCause, dot1xPaePortNumber
|
|
FROM IEEE8021-PAE-MIB
|
|
;
|
|
|
|
h3cPortSecurityMIB MODULE-IDENTITY
|
|
LAST-UPDATED "200411240000Z"
|
|
ORGANIZATION
|
|
"Hangzhou H3C Technologies Co., Ltd."
|
|
CONTACT-INFO
|
|
"Platform Team Hangzhou H3C Technologies Co., Ltd.
|
|
Hai-Dian District Beijing P.R. China
|
|
http://www.h3c.com
|
|
Zip:100085"
|
|
DESCRIPTION
|
|
"The MIB module is used for managing port security."
|
|
REVISION "200411240000Z"
|
|
DESCRIPTION
|
|
"The Initial Version of h3cPortSecurityMIB"
|
|
::= { h3cPortSecurity 1 }
|
|
|
|
|
|
h3cPortSecurityLeaf OBJECT IDENTIFIER ::= {h3cPortSecurityMIB 1}
|
|
|
|
--
|
|
-- SECURITY ACCESS CONTROL OBJECT
|
|
--
|
|
|
|
h3cSecurePortSecurityControl OBJECT-TYPE
|
|
SYNTAX INTEGER{enabled(1),disabled(2)}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This attribute controls the system wide operation of network
|
|
access control. The configured port security options only become
|
|
operational when this attribute is set to enabled."
|
|
::= {h3cPortSecurityLeaf 1}
|
|
|
|
|
|
|
|
--
|
|
-- SECURITY TABLE 'VLAN membership list' OBJECT
|
|
--
|
|
|
|
h3cSecurePortVlanMembershipList OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(0..255))
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is a dummy MIB object referenced by the h3csecureLogon and
|
|
h3csecureLogoff traps. This object contains a comma separated list of
|
|
the VLAN identifiers (0-4095) assigned to a port. A tagged VLAN has a
|
|
'T' suffix after the VLAN number and an untagged VLAN may have an
|
|
optional 'U' suffix."
|
|
::= {h3cPortSecurityLeaf 2}
|
|
|
|
--
|
|
-- RADIUS Authenticated Login using MAC-address GROUP
|
|
--
|
|
|
|
h3cSecureRalmObjects OBJECT IDENTIFIER ::= { h3cPortSecurityLeaf 4 }
|
|
|
|
h3cSecureRalmDefaultSessionTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1000000)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the default session lifetime in seconds before
|
|
a forwarding MAC address is re-authenticated.
|
|
The default time is 1800 seconds."
|
|
::= { h3cSecureRalmObjects 1 }
|
|
|
|
|
|
h3cSecureRalmHoldoffTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1000000)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the time in seconds before
|
|
a blocked (denied) MAC address can be re-authenticated.
|
|
The default time is 60 seconds."
|
|
::= { h3cSecureRalmObjects 2 }
|
|
|
|
|
|
h3cSecureRalmReauthenticate OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Writing a MAC address to this object causes an
|
|
immediate RALM re-authentication of this address (can be on
|
|
any port). If the MAC address not currently known to RALM,
|
|
it silently ignores the write."
|
|
::= { h3cSecureRalmObjects 3 }
|
|
|
|
h3cSecureRalmAuthMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
papUsernameAsMacAddress(1),
|
|
papUsernameFixed(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This controls how MAC addresses are authenticated.
|
|
|
|
papUsernameAsMacAddress(1)
|
|
Authentication uses the RADIUS server by
|
|
sending a PAP request with Username and
|
|
Password both equal to the MAC address being
|
|
authenticated. This is the default.
|
|
|
|
papUsernameFixed(2)
|
|
Authentication uses the RADIUS server by
|
|
sending a PAP request with Username and
|
|
Password coming from the h3cSecureRalmAuthUsername and
|
|
h3cSecureRalmAuthPassword MIB objects. In this mode
|
|
the RADIUS server would normally take into account
|
|
the request's calling-station-id attribute, which is
|
|
the MAC address of the host being authenticated."
|
|
::= { h3cSecureRalmObjects 4 }
|
|
|
|
h3cSecureRalmAuthUsername OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(1..80))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is the username used for authentication requests
|
|
where h3cSecureRalmAuthMode is papUsernameFixed.
|
|
Default shall be 'mac'."
|
|
::= { h3cSecureRalmObjects 5 }
|
|
|
|
h3cSecureRalmAuthPassword OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(0..63))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is the password used for authentication requests
|
|
where h3cSecureRalmAuthMode is papUsernameFixed.
|
|
Default shall be a null string."
|
|
::= { h3cSecureRalmObjects 6 }
|
|
|
|
h3cSecureRalmAuthDomain OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(1..255))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"MAC-authentication users may be configured in a specific domain,
|
|
which excludes 802.1x and other authentication users. This
|
|
specifies the domain of all MAC-authentication users."
|
|
::= {h3cSecureRalmObjects 7}
|
|
|
|
h3cSecureRalmAuthOfflineTime OBJECT-TYPE
|
|
SYNTAX Integer32 (60..2147483647)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Switch isn't informed when online user is offline,
|
|
so switch should be able to detect offline and inform radius
|
|
server to stop accounting when there is no traffic of the user.
|
|
This attribute configures the timer interval of offline-detect.
|
|
The default time is 300 seconds."
|
|
DEFVAL { 300 }
|
|
::= {h3cSecureRalmObjects 8}
|
|
|
|
h3cSecureRalmAuthServerTimeoutTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..65535)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When switch sends request packets (include connecting
|
|
request and offline request, etc) to radius server and
|
|
there is no response, switch will terminate the authentication
|
|
process. This attribute configures the timer interval of
|
|
server-timeout. The default time is 100 seconds."
|
|
DEFVAL { 100 }
|
|
::= {h3cSecureRalmObjects 9}
|
|
|
|
h3cSecureMacControl OBJECT-TYPE
|
|
SYNTAX INTEGER{enabled(1),disabled(2)}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This attribute controls the system wide operation of
|
|
mac-authentication. The system-wide mac-authentication options
|
|
become non-operational when this attribute is set to disabled.
|
|
This is required for h3cSecurePortSecurityControl to be enabled."
|
|
::= { h3cSecureRalmObjects 10 }
|
|
|
|
h3cPortSecurityTables OBJECT IDENTIFIER ::= {h3cPortSecurityMIB 2}
|
|
|
|
h3cSecurePortTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF H3cSecurePortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table defines the security status of each secure port.
|
|
Each port can have a number of authorised MAC addresses, and these are
|
|
stored in the h3cSecureAddressTable."
|
|
::= {h3cPortSecurityTables 1}
|
|
|
|
|
|
h3cSecurePortEntry OBJECT-TYPE
|
|
SYNTAX H3cSecurePortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"There is a row in this table for each secure port, and
|
|
allows repeater ports to be configured for security on a per port basis.
|
|
It is indexed using the object ifIndex in RFC1213-MIB."
|
|
INDEX
|
|
{
|
|
ifIndex
|
|
}
|
|
::= {h3cSecurePortTable 1}
|
|
|
|
|
|
H3cSecurePortEntry ::= SEQUENCE
|
|
{
|
|
h3cSecurePortMode INTEGER,
|
|
h3cSecureNeedToKnowMode INTEGER,
|
|
h3cSecureIntrusionAction INTEGER,
|
|
h3cSecureNumberAddresses Integer32,
|
|
h3cSecureNumberAddressesStored Integer32,
|
|
h3cSecureMaximumAddresses Integer32
|
|
}
|
|
|
|
h3cSecurePortMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
noRestrictions(1),
|
|
continuousLearning(2),
|
|
autoLearn(3),
|
|
secure(4),
|
|
userLogin(5),
|
|
userLoginSecure(6),
|
|
userLoginWithOUI(7),
|
|
macAddressWithRadius(8),
|
|
macAddressOrUserLoginSecure(9),
|
|
macAddressElseUserLoginSecure(10),
|
|
userLoginSecureExt(11),
|
|
macAddressOrUserLoginSecureExt(12),
|
|
macAddressElseUserLoginSecureExt(13),
|
|
macAddressAndUserLoginSecure(14),
|
|
macAddressAndUserLoginSecureExt(15)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Determines the learning and security modes of the port.
|
|
See h3cSecureNeedToKnowMode and h3cSecureIntrusionAction to
|
|
configure Need To Know and Intrusion Action on each port.
|
|
(When in a learning mode, h3cSecureNumberAddresses determines the maximum
|
|
number of addresses that can be learned on the port. This is set
|
|
by the user.)
|
|
|
|
noRestrictions(1) All of the security features are disabled.
|
|
|
|
continuousLearning(2) Addresses are learned continually. If more
|
|
addresses are learned than are permitted on the
|
|
port, then one of the older entries will be aged
|
|
out. Need To Know and Intrusion Action depends on
|
|
h3cSecureNeedToKnowMode and h3cSecureIntrusionAction
|
|
respectively.
|
|
|
|
autoLearn(3) All addresses for this port are deleted, and then
|
|
addresses are learned up to the number permitted.
|
|
h3cSecurePortMode is then set to secure. Need To
|
|
Know and Intrusion Action depends on
|
|
h3cSecureNeedToKnowMode and h3cSecureIntrusionAction
|
|
respectively.
|
|
|
|
secure(4) Learning is disabled. Need To Know and Intrusion
|
|
Action depends on h3cSecureNeedToKnowMode and
|
|
h3cSecureIntrusionAction respectively.
|
|
|
|
userLogin(5) Access to the port is denied until the port client is
|
|
authorised (by 802.1X or other authentication mechanism).
|
|
Once authorised, traffic will be accepted from any MAC
|
|
address. The Need To Know and Intrusion Action are ignored.
|
|
|
|
userLoginSecure(6) Access to the port is denied until the port client
|
|
is authorised (by 802.1X or other authentication mechanism).
|
|
When the client is authorised, the MAC address is added to the
|
|
Secure Address Table.
|
|
The h3cSecureMaximumAddresses is set to one automatically when
|
|
this mode is entered. Any existing MAC addresses in the Secure
|
|
Address Table are deleted. Need To Know and Intrusion Action
|
|
depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction
|
|
respectively. Learning is disabled.
|
|
|
|
userLoginWithOUI(7) This mode is similar to the userLoginSecure mode
|
|
except that a second MAC address may be placed in the Secure
|
|
Address Table. This second address is authorised based on the
|
|
MAC address OUI value.
|
|
If a new device with an authorised OUI value is discovered,
|
|
the previous entry is deleted. Traffic from the
|
|
OUI authorised device will be accepted even if the user has
|
|
not been authenticated. Need To Know and Intrusion Action
|
|
depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction
|
|
respectively.
|
|
|
|
macAddressWithRadius(8) This selects the RADIUS Authenticated Login using
|
|
MAC-address (RALM) security mode on the port. This feature controls
|
|
network access of a host based on authenticating its MAC
|
|
address. Once authorised, the host is allowed access to the
|
|
network. If unauthorised, the port can be configured to deny
|
|
access to this MAC address or to allow some access depending
|
|
upon the port VLAN and QoS configuration.
|
|
Where access is allowed, the MAC address is added to the Secure
|
|
Address Table.
|
|
|
|
macAddressOrUserLoginSecure(9) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that either or both are allowed to
|
|
authorised access. Where both authorised access, userLoginSecure takes
|
|
precedence.
|
|
|
|
macAddressElseUserLoginSecure(10) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that the MAC address is first
|
|
authenticated and only if this fails does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
userLoginSecureExt(11) Access to the port is denied until the port client
|
|
is authorised (by 802.1X or other authentication mechanism).
|
|
When the client is authorised, the MAC address is added to the
|
|
Secure Address Table.
|
|
The h3cSecureNumberAddresses is restricted by the value of h3cSecureMaximumAddresses
|
|
automatically when this mode is entered.
|
|
Any existing MAC addresses in the Secure Address Table are deleted.
|
|
Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode
|
|
and h3cSecureIntrusionAction respectively. Learning is disabled.
|
|
|
|
macAddressOrUserLoginSecureExt(12) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that either or both are allowed to
|
|
authorised access. Where both authorised access, userLoginSecure takes
|
|
precedence.
|
|
|
|
macAddressElseUserLoginSecureExt(13) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that the MAC address is first
|
|
authenticated and only if this fails does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
macAddressAndUserLoginSecure(14) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that the MAC address is first
|
|
authenticated and only if this succeeds does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
macAddressAndUserLoginSecureExt(15) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that the MAC address is first
|
|
authenticated and only if this succeeds does the userLoginSecure then attempt
|
|
user authentication.
|
|
"
|
|
::= {h3cSecurePortEntry 1}
|
|
|
|
|
|
h3cSecureNeedToKnowMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
notAvailable(1),
|
|
disabled(2),
|
|
needToKnowOnly(3),
|
|
needToKnowWithBroadcastsAllowed(4),
|
|
needToKnowWithMulticastsAllowed(5),
|
|
permanentNeedToKnowOnly(6),
|
|
permanentNeedToKnowWithBroadcastsAllowed(7),
|
|
permanentNeedToKnowWithMulticastsAllowed(8)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Attribute to determine which frames are to be forwarded to
|
|
this port intact.
|
|
|
|
1 - Need To Know is not available.
|
|
2 - All frames.
|
|
3 - Frames addressed to the authorised devices only.
|
|
4 - Frames addressed to the authorised devices, plus all broadcast
|
|
frames.
|
|
5 - Frames addressed to the authorised devices, plus all broadcast
|
|
and multicast frames.
|
|
6 - As 3 and cannot be changed.
|
|
7 - As 4 and cannot be changed.
|
|
8 - As 5 and cannot be changed.
|
|
|
|
If this object returns 1,6,7 or 8, it means that the Need To Know
|
|
configuration cannot be changed, and any attempt to write to this object
|
|
will cause an error."
|
|
::= {h3cSecurePortEntry 2}
|
|
|
|
|
|
h3cSecureIntrusionAction OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
notAvailable(1),
|
|
noAction(2),
|
|
disablePort(3),
|
|
disablePortTemporarily(4),
|
|
allowDefaultAccess(5),
|
|
blockMacAddress(6)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Attribute to determine the action if an unauthorised device
|
|
transmits on this port."
|
|
::= {h3cSecurePortEntry 3}
|
|
|
|
--
|
|
-- The following 3 objects are used to allow multiple MAC addresses to be
|
|
-- assigned to the port.
|
|
|
|
h3cSecureNumberAddresses OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The maximum number of addresses that the port can learn or
|
|
store. Reducing this number may cause some addresses to be deleted.
|
|
This value is set by the user and cannot be automatically changed by the
|
|
agent. The maximum number will not include and limit the number of
|
|
static mac addresses that configured by manager.
|
|
|
|
The following relationship must be preserved.
|
|
h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <=
|
|
h3cSecureMaximumAddresses
|
|
"
|
|
::= {h3cSecurePortEntry 4}
|
|
|
|
|
|
h3cSecureNumberAddressesStored OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of addresses that are currently in the
|
|
AddressTable for this port. If this object has the same value as
|
|
h3cSecureNumberAddresses, then no more addresses can be authorised on this
|
|
port. The number will not include and limit the number of
|
|
static mac addresses that configured by manager.
|
|
|
|
Those objects are bound by the relationship:
|
|
h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <=
|
|
h3cSecureMaximumAddresses
|
|
"
|
|
::= {h3cSecurePortEntry 5}
|
|
|
|
|
|
h3cSecureMaximumAddresses OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This indicates the maximum value that h3cSecureNumberAddresses
|
|
can be set to. It is dependent on the resources available so may change,
|
|
eg. if resources are shared between ports, then this value can both
|
|
increase and decrease. This object must be read before setting
|
|
h3cSecureNumberAddresses.
|
|
|
|
Those objects are bound by the relationship:
|
|
h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <=
|
|
h3cSecureMaximumAddresses
|
|
"
|
|
::= {h3cSecurePortEntry 6}
|
|
|
|
--
|
|
-- SECURE ADDRESS TABLE
|
|
--
|
|
|
|
h3cSecureAddressTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF H3cSecureAddressEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the MAC addresses assigned to each
|
|
port. This table can be written to by the agent as well as the
|
|
management station."
|
|
::= {h3cPortSecurityTables 2}
|
|
|
|
|
|
h3cSecureAddressEntry OBJECT-TYPE
|
|
SYNTAX H3cSecureAddressEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table allows multiple addresses to be assigned to each
|
|
secure port. It is indexed using the objects ifIndex,
|
|
h3cSecureAddrMAC and h3cSecureVlanID."
|
|
INDEX
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
h3cSecureAddrVlanID
|
|
}
|
|
::= {h3cSecureAddressTable 1}
|
|
|
|
|
|
H3cSecureAddressEntry ::= SEQUENCE
|
|
{
|
|
h3cSecureAddrMAC MacAddress,
|
|
h3cSecureAddrVlanID Integer32,
|
|
h3cSecureAddrMACStatus INTEGER,
|
|
h3cSecureAddrRowStatus RowStatus
|
|
}
|
|
|
|
|
|
h3cSecureAddrMAC OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The MAC address of a station assigned to this port.
|
|
This is the second index into the h3cSecureAddressTable."
|
|
::= {h3cSecureAddressEntry 1}
|
|
|
|
h3cSecureAddrVlanID OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The Vlan ID associate with the port and the MAC address.
|
|
This is the third index into the h3cSecureAddressTable."
|
|
::= {h3cSecureAddressEntry 2}
|
|
|
|
h3cSecureAddrMACStatus OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
addressBlackhole(1),
|
|
addressUserConfig(2),
|
|
addressDot1xAuth(3),
|
|
addressRALM(4)
|
|
}
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The state of the mac address assigned to this port.
|
|
|
|
addressBlackhole (1) the mac address is a blackhole address,
|
|
Each packet whose source address is equal to this address will be
|
|
dropped by the agent.
|
|
addressUserConfig (2) the mac address configed by user with this state
|
|
are preserved across power cycles and resets.
|
|
addressDot1xAuth (3) the mac address is authorized by 802.1x authenticator,
|
|
User can not configure this mac address. This value is used for GET
|
|
and GETNEXT operation.
|
|
addressRALM (4) the mac address is authorized by RALM authenticator,
|
|
User can not configure this mac address. This value is used for GET
|
|
and GETNEXT operation.
|
|
"
|
|
::= {h3cSecureAddressEntry 3}
|
|
|
|
|
|
h3cSecureAddrRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion or rows, and shows
|
|
the current status of the indexed MAC address. This object has the
|
|
following values.
|
|
|
|
active(1) The indexed MAC address is authorised on this port.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new MAC address to the port and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4).
|
|
When reading this object, only active(1) will be
|
|
returned.
|
|
"
|
|
::= {h3cSecureAddressEntry 4}
|
|
|
|
|
|
--
|
|
-- SECURE OUI TABLE
|
|
--
|
|
|
|
h3cSecureOUITable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF H3cSecureOUIEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the OUI values for OUI based
|
|
authentication."
|
|
::= {h3cPortSecurityTables 3}
|
|
|
|
|
|
h3cSecureOUIEntry OBJECT-TYPE
|
|
SYNTAX H3cSecureOUIEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is a row in the h3cSecureOUITable."
|
|
INDEX
|
|
{
|
|
h3cSecureOUIIndex
|
|
}
|
|
::= {h3cSecureOUITable 1}
|
|
|
|
|
|
H3cSecureOUIEntry ::= SEQUENCE
|
|
{
|
|
h3cSecureOUIIndex INTEGER,
|
|
h3cSecureOUI OCTET STRING,
|
|
h3cSecureOUIRowStatus RowStatus
|
|
}
|
|
|
|
|
|
h3cSecureOUIIndex OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1024)
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The index number. This is the first index into the
|
|
h3cSecureOUITable."
|
|
::= {h3cSecureOUIEntry 1}
|
|
|
|
|
|
h3cSecureOUI OBJECT-TYPE
|
|
SYNTAX OCTET STRING(SIZE(3))
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The OUI value for an authorised device."
|
|
::= {h3cSecureOUIEntry 2}
|
|
|
|
|
|
h3cSecureOUIRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion of rows, and shows
|
|
the current status of the entry.
|
|
|
|
active(1) The indexed OUI value is authorised.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new OUI to the unit and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4) .
|
|
When reading this object, only active(1) will be returned.
|
|
"
|
|
::= {h3cSecureOUIEntry 3}
|
|
|
|
--
|
|
-- IP+MAC+PORT BINDING TABLE
|
|
--
|
|
|
|
h3cSecureBindingTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF H3cSecureBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the elements of binding rules include the
|
|
MAC addresses, the IP address and the port. Only the frame exactly
|
|
matching the binding rules can be forwarded. This table can be
|
|
written to by the agent as well as the management station."
|
|
::= {h3cPortSecurityTables 4}
|
|
|
|
|
|
h3cSecureBindingEntry OBJECT-TYPE
|
|
SYNTAX H3cSecureBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table allows multiple binding rules. It is indexed using the object
|
|
h3cSecureBindingIndex."
|
|
INDEX
|
|
{
|
|
h3cSecureBindingIndex
|
|
}
|
|
::= {h3cSecureBindingTable 1}
|
|
|
|
|
|
H3cSecureBindingEntry ::= SEQUENCE
|
|
{
|
|
h3cSecureBindingIndex Integer32,
|
|
h3cSecureBindingPort Integer32,
|
|
h3cSecureBindingAddrMAC MacAddress,
|
|
h3cSecureBindingAddrIp IpAddress,
|
|
h3cSecureBindingRowStatus RowStatus
|
|
}
|
|
|
|
h3cSecureBindingIndex OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The index number. This is the first index into the
|
|
h3cSecureBindingTable."
|
|
::= {h3cSecureBindingEntry 1}
|
|
|
|
h3cSecureBindingPort OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The port number of the port bound with the IP address
|
|
and the MAC address."
|
|
::= {h3cSecureBindingEntry 2}
|
|
|
|
h3cSecureBindingAddrMAC OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The MAC address bound with the port and the IP address."
|
|
::= {h3cSecureBindingEntry 3}
|
|
|
|
h3cSecureBindingAddrIp OBJECT-TYPE
|
|
SYNTAX IpAddress
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The IP address bound with the port and the MAC address."
|
|
::= {h3cSecureBindingEntry 4}
|
|
|
|
h3cSecureBindingRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion or rows, and shows
|
|
status of the entry. This object has the following values.
|
|
|
|
active(1) The indexed MAC address is authorised on this port.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new MAC address to the port and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4).
|
|
When reading this object, only active(1) will be
|
|
returned.
|
|
"
|
|
::= {h3cSecureBindingEntry 5}
|
|
--
|
|
-- PORT ASSIGN TABLE
|
|
--
|
|
h3cSecureAssignTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF H3cSecureAssignEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Table of port assignment management information about authorised user."
|
|
::= {h3cPortSecurityTables 5}
|
|
|
|
|
|
h3cSecureAssignEntry OBJECT-TYPE
|
|
SYNTAX H3cSecureAssignEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry (conceptual row) representing information about port assignment
|
|
about authorised user."
|
|
INDEX
|
|
{
|
|
ifIndex
|
|
}
|
|
::= {h3cSecureAssignTable 1}
|
|
|
|
|
|
H3cSecureAssignEntry ::= SEQUENCE
|
|
{
|
|
h3cSecureAssignEnable TruthValue,
|
|
h3cSecureVlanAssignment OCTET STRING
|
|
}
|
|
|
|
h3cSecureAssignEnable OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The user-based port configuration control. Setting this attribute
|
|
TRUE causes the port to be configured with any configuration
|
|
parameters supplied by the authentication server. Setting this
|
|
attribute to FALSE causes any configuration parameters supplied
|
|
by the authentication server to be ignored."
|
|
DEFVAL {true}
|
|
::= { h3cSecureAssignEntry 1 }
|
|
|
|
h3cSecureVlanAssignment OBJECT-TYPE
|
|
SYNTAX OCTET STRING(SIZE(0..255))
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The VLAN membership assigned to the port for the authorised user.
|
|
This contains the actual value received from the authentication
|
|
server. This object will contain a null value if there is no user
|
|
authorised to access the port or if the authorised user was not
|
|
assigned a VLAN membership."
|
|
::= { h3cSecureAssignEntry 2 }
|
|
|
|
-- **********************************************************************
|
|
-- Define enterprise repeater traps. Rules for traps are that any
|
|
-- varbind must be from a table in which the first qualifier on the
|
|
-- object id is the service identifier of the 'thing' causing the trap.
|
|
-- **********************************************************************
|
|
h3cPortSecurityNotifications OBJECT IDENTIFIER ::= {h3cPortSecurityMIB 3}
|
|
|
|
h3cSecureAddressLearned NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new station has been learned. The
|
|
port on which the address was received is the first object,
|
|
and the MAC address of the learned station is in the second object."
|
|
::= {h3cPortSecurityNotifications 1}
|
|
|
|
|
|
h3cSecureViolation NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
ifAdminStatus
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a security violation has occurred.
|
|
The port on which the violation occured is the first object,
|
|
and the MAC address of the offending station is in the second object.
|
|
ifAdminStatus indicates if the port has been disabled because of the violation.
|
|
The implementation may not send violation traps from the same port
|
|
at intervals of less than 5 seconds."
|
|
::= {h3cPortSecurityNotifications 2}
|
|
|
|
|
|
h3cSecureLoginFailure NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
dot1xAuthSessionUserName
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a user network access
|
|
authentication has failed. The port on which the violation occured is
|
|
the first object, and the MAC address of the offending station is in
|
|
the second object. The dot1xAuthSessionUserName is the identity supplied
|
|
during the user authentication."
|
|
::= {h3cPortSecurityNotifications 3}
|
|
|
|
|
|
h3cSecureLogon NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
dot1xAuthSessionUserName,
|
|
dot1xAuthSessionAuthenticMethod,
|
|
h3cSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation occured is
|
|
the first object, and the MAC address of the offending station is in
|
|
the second object.
|
|
The dot1xAuthSessionUserName is the identity supplied during the user
|
|
authentication. The dot1xAuthSessionAuthenticMethod indicates how the
|
|
user was authorised. The h3cSecurePortVlanMembershipList object
|
|
identifies the VLAN membership assigned to the port on session
|
|
activation."
|
|
::= {h3cPortSecurityNotifications 4}
|
|
|
|
|
|
h3cSecureLogoff NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
dot1xAuthSessionUserName,
|
|
dot1xAuthSessionTerminateCause,
|
|
h3cSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a user session is terminated.
|
|
The port on which the violation occured is the first object,
|
|
and the MAC address of the offending station is in the second object.
|
|
The dot1xAuthSessionUserName is the identity supplied during the user
|
|
authentication. The dot1xAuthSessionTerminateCause indicates the
|
|
reason why the session was terminated.
|
|
The h3cSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session termination."
|
|
::= {h3cPortSecurityNotifications 5}
|
|
|
|
h3cSecureRalmLoginFailure NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
h3cSecureRalmAuthMode,
|
|
h3cSecureRalmAuthUsername
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a user network access
|
|
authentication has failed. The port on which the violation
|
|
occured is the first object, and the MAC address of the
|
|
offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The h3cSecureRalmAuthUsername
|
|
is the identity supplied during the user authentication."
|
|
::= {h3cPortSecurityNotifications 6}
|
|
|
|
|
|
h3cSecureRalmLogon NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
h3cSecureRalmAuthMode,
|
|
h3cSecureRalmAuthUsername,
|
|
h3cSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation
|
|
occured is the first object, and the MAC address of
|
|
the offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The h3cSecureRalmAuthUsername is
|
|
the identity supplied during the user authentication. The
|
|
h3cSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session activation."
|
|
::= {h3cPortSecurityNotifications 7}
|
|
|
|
|
|
h3cSecureRalmLogoff NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
h3cSecureAddrMAC,
|
|
h3cSecureRalmAuthMode,
|
|
h3cSecureRalmAuthUsername,
|
|
h3cSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation
|
|
occured is the first object, and the MAC address of the
|
|
offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The h3cSecureRalmAuthUsername is
|
|
the identity supplied during the user authentication. The
|
|
h3cSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session activation."
|
|
::= {h3cPortSecurityNotifications 8}
|
|
END
|