997 lines
37 KiB
Plaintext
997 lines
37 KiB
Plaintext
-- =================================================================
|
|
-- Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
|
|
--
|
|
-- Description: description of Port Security
|
|
-- Reference:
|
|
-- Version: V1.7
|
|
-- History:
|
|
-- V1.0 2004-11-24, Created by lijian
|
|
-- V1.1 2005-2-23, Modified by Zhangmin
|
|
-- Add objects:hpnicfSecureRalmAuthDomain,hpnicfSecureRalmAuthOfflineTime
|
|
-- hpnicfSecureRalmAuthServerTimeoutTime,
|
|
-- hpnicfSecureRalmLoginFailure,hpnicfSecureRalmLogon
|
|
-- hpnicfSecureRalmLogoff
|
|
-- V1.2 2005-10-21, Modified the value range of 'hpnicfSecureRalmAuthPassword'
|
|
-- from (0..16) to (0..63) by lijian
|
|
-- V1.3 2006-01-21, Add TruthValue and hpnicfSecureAssignTable by wangyingxia
|
|
-- V1.4 2006-02-24, Modified the description of hpnicfSecureBindingTable
|
|
-- Modified the range of hpnicfSecureBindingIndex by xulei
|
|
-- V1.5 2006-05-27, Add hpnicfSecureMacControl by ludi
|
|
-- V1.6 2006-11-16, Add macAddressAndUserLoginSecure
|
|
-- and macAddressAndUserLoginSecureExt for hpnicfSecurePortMode
|
|
-- by huangyang
|
|
-- V1.7 2012-04-11, Modified the range of hpnicfSecureRalmAuthOfflineTime by xuyonggang
|
|
-- =================================================================
|
|
HPN-ICF-PORT-SECURITY-MIB DEFINITIONS ::= BEGIN
|
|
|
|
|
|
IMPORTS
|
|
hpnicfPortSecurity
|
|
FROM HPN-ICF-OID-MIB
|
|
ifAdminStatus,ifIndex
|
|
FROM RFC1213-MIB
|
|
OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32, IpAddress
|
|
FROM SNMPv2-SMI
|
|
DisplayString, RowStatus, MacAddress, TruthValue
|
|
FROM SNMPv2-TC
|
|
dot1xAuthSessionUserName, dot1xAuthSessionAuthenticMethod,
|
|
dot1xAuthSessionTerminateCause, dot1xPaePortNumber
|
|
FROM IEEE8021-PAE-MIB
|
|
;
|
|
|
|
hpnicfPortSecurityMIB MODULE-IDENTITY
|
|
LAST-UPDATED "200411240000Z"
|
|
ORGANIZATION
|
|
""
|
|
CONTACT-INFO
|
|
""
|
|
DESCRIPTION
|
|
"The MIB module is used for managing port security."
|
|
REVISION "200411240000Z"
|
|
DESCRIPTION
|
|
"The Initial Version of hpnicfPortSecurityMIB"
|
|
::= { hpnicfPortSecurity 1 }
|
|
|
|
|
|
hpnicfPortSecurityLeaf OBJECT IDENTIFIER ::= {hpnicfPortSecurityMIB 1}
|
|
|
|
--
|
|
-- SECURITY ACCESS CONTROL OBJECT
|
|
--
|
|
|
|
hpnicfSecurePortSecurityControl OBJECT-TYPE
|
|
SYNTAX INTEGER{enabled(1),disabled(2)}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This attribute controls the system wide operation of network
|
|
access control. The configured port security options only become
|
|
operational when this attribute is set to enabled."
|
|
::= {hpnicfPortSecurityLeaf 1}
|
|
|
|
|
|
|
|
--
|
|
-- SECURITY TABLE 'VLAN membership list' OBJECT
|
|
--
|
|
|
|
hpnicfSecurePortVlanMembershipList OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(0..255))
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is a dummy MIB object referenced by the hpnicfsecureLogon and
|
|
hpnicfsecureLogoff traps. This object contains a comma separated list of
|
|
the VLAN identifiers (0-4095) assigned to a port. A tagged VLAN has a
|
|
'T' suffix after the VLAN number and an untagged VLAN may have an
|
|
optional 'U' suffix."
|
|
::= {hpnicfPortSecurityLeaf 2}
|
|
|
|
--
|
|
-- RADIUS Authenticated Login using MAC-address GROUP
|
|
--
|
|
|
|
hpnicfSecureRalmObjects OBJECT IDENTIFIER ::= { hpnicfPortSecurityLeaf 4 }
|
|
|
|
hpnicfSecureRalmDefaultSessionTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1000000)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the default session lifetime in seconds before
|
|
a forwarding MAC address is re-authenticated.
|
|
The default time is 1800 seconds."
|
|
::= { hpnicfSecureRalmObjects 1 }
|
|
|
|
|
|
hpnicfSecureRalmHoldoffTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1000000)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Specifies the time in seconds before
|
|
a blocked (denied) MAC address can be re-authenticated.
|
|
The default time is 60 seconds."
|
|
::= { hpnicfSecureRalmObjects 2 }
|
|
|
|
|
|
hpnicfSecureRalmReauthenticate OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Writing a MAC address to this object causes an
|
|
immediate RALM re-authentication of this address (can be on
|
|
any port). If the MAC address not currently known to RALM,
|
|
it silently ignores the write."
|
|
::= { hpnicfSecureRalmObjects 3 }
|
|
|
|
hpnicfSecureRalmAuthMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
papUsernameAsMacAddress(1),
|
|
papUsernameFixed(2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This controls how MAC addresses are authenticated.
|
|
|
|
papUsernameAsMacAddress(1)
|
|
Authentication uses the RADIUS server by
|
|
sending a PAP request with Username and
|
|
Password both equal to the MAC address being
|
|
authenticated. This is the default.
|
|
|
|
papUsernameFixed(2)
|
|
Authentication uses the RADIUS server by
|
|
sending a PAP request with Username and
|
|
Password coming from the hpnicfSecureRalmAuthUsername and
|
|
hpnicfSecureRalmAuthPassword MIB objects. In this mode
|
|
the RADIUS server would normally take into account
|
|
the request's calling-station-id attribute, which is
|
|
the MAC address of the host being authenticated."
|
|
::= { hpnicfSecureRalmObjects 4 }
|
|
|
|
hpnicfSecureRalmAuthUsername OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(1..80))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is the username used for authentication requests
|
|
where hpnicfSecureRalmAuthMode is papUsernameFixed.
|
|
Default shall be 'mac'."
|
|
::= { hpnicfSecureRalmObjects 5 }
|
|
|
|
hpnicfSecureRalmAuthPassword OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(0..63))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is the password used for authentication requests
|
|
where hpnicfSecureRalmAuthMode is papUsernameFixed.
|
|
Default shall be a null string."
|
|
::= { hpnicfSecureRalmObjects 6 }
|
|
|
|
hpnicfSecureRalmAuthDomain OBJECT-TYPE
|
|
SYNTAX DisplayString(SIZE(1..24))
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"MAC-authentication users may be configured in a specific domain,
|
|
which excludes 802.1x and other authentication users. This
|
|
specifies the domain of all MAC-authentication users."
|
|
::= {hpnicfSecureRalmObjects 7}
|
|
|
|
hpnicfSecureRalmAuthOfflineTime OBJECT-TYPE
|
|
SYNTAX Integer32 (60..2147483647)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Switch isn't informed when online user is offline,
|
|
so switch should be able to detect offline and inform radius
|
|
server to stop accounting when there is no traffic of the user.
|
|
This attribute configures the timer interval of offline-detect.
|
|
The default time is 300 seconds."
|
|
DEFVAL { 300 }
|
|
::= {hpnicfSecureRalmObjects 8}
|
|
|
|
hpnicfSecureRalmAuthServerTimeoutTime OBJECT-TYPE
|
|
SYNTAX INTEGER(1..65535)
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"When switch sends request packets (include connecting
|
|
request and offline request, etc) to radius server and
|
|
there is no response, switch will terminate the authentication
|
|
process. This attribute configures the timer interval of
|
|
server-timeout. The default time is 100 seconds."
|
|
DEFVAL { 100 }
|
|
::= {hpnicfSecureRalmObjects 9}
|
|
|
|
hpnicfSecureMacControl OBJECT-TYPE
|
|
SYNTAX INTEGER{enabled(1),disabled(2)}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This attribute controls the system wide operation of
|
|
mac-authentication. The system-wide mac-authentication options
|
|
become non-operational when this attribute is set to disabled.
|
|
This is required for hpnicfSecurePortSecurityControl to be enabled."
|
|
::= { hpnicfSecureRalmObjects 10 }
|
|
|
|
hpnicfPortSecurityTables OBJECT IDENTIFIER ::= {hpnicfPortSecurityMIB 2}
|
|
|
|
hpnicfSecurePortTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpnicfSecurePortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table defines the security status of each secure port.
|
|
Each port can have a number of authorised MAC addresses, and these are
|
|
stored in the hpnicfSecureAddressTable."
|
|
::= {hpnicfPortSecurityTables 1}
|
|
|
|
|
|
hpnicfSecurePortEntry OBJECT-TYPE
|
|
SYNTAX HpnicfSecurePortEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"There is a row in this table for each secure port, and
|
|
allows repeater ports to be configured for security on a per port basis.
|
|
It is indexed using the object ifIndex in RFC1213-MIB."
|
|
INDEX
|
|
{
|
|
ifIndex
|
|
}
|
|
::= {hpnicfSecurePortTable 1}
|
|
|
|
|
|
HpnicfSecurePortEntry ::= SEQUENCE
|
|
{
|
|
hpnicfSecurePortMode INTEGER,
|
|
hpnicfSecureNeedToKnowMode INTEGER,
|
|
hpnicfSecureIntrusionAction INTEGER,
|
|
hpnicfSecureNumberAddresses Integer32,
|
|
hpnicfSecureNumberAddressesStored Integer32,
|
|
hpnicfSecureMaximumAddresses Integer32
|
|
}
|
|
|
|
hpnicfSecurePortMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
noRestrictions(1),
|
|
continuousLearning(2),
|
|
autoLearn(3),
|
|
secure(4),
|
|
userLogin(5),
|
|
userLoginSecure(6),
|
|
userLoginWithOUI(7),
|
|
macAddressWithRadius(8),
|
|
macAddressOrUserLoginSecure(9),
|
|
macAddressElseUserLoginSecure(10),
|
|
userLoginSecureExt(11),
|
|
macAddressOrUserLoginSecureExt(12),
|
|
macAddressElseUserLoginSecureExt(13),
|
|
macAddressAndUserLoginSecure(14),
|
|
macAddressAndUserLoginSecureExt(15)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Determines the learning and security modes of the port.
|
|
See hpnicfSecureNeedToKnowMode and hpnicfSecureIntrusionAction to
|
|
configure Need To Know and Intrusion Action on each port.
|
|
(When in a learning mode, hpnicfSecureNumberAddresses determines the maximum
|
|
number of addresses that can be learned on the port. This is set
|
|
by the user.)
|
|
|
|
noRestrictions(1) All of the security features are disabled.
|
|
|
|
continuousLearning(2) Addresses are learned continually. If more
|
|
addresses are learned than are permitted on the
|
|
port, then one of the older entries will be aged
|
|
out. Need To Know and Intrusion Action depends on
|
|
hpnicfSecureNeedToKnowMode and hpnicfSecureIntrusionAction
|
|
respectively.
|
|
|
|
autoLearn(3) All addresses for this port are deleted, and then
|
|
addresses are learned up to the number permitted.
|
|
hpnicfSecurePortMode is then set to secure. Need To
|
|
Know and Intrusion Action depends on
|
|
hpnicfSecureNeedToKnowMode and hpnicfSecureIntrusionAction
|
|
respectively.
|
|
|
|
secure(4) Learning is disabled. Need To Know and Intrusion
|
|
Action depends on hpnicfSecureNeedToKnowMode and
|
|
hpnicfSecureIntrusionAction respectively.
|
|
|
|
userLogin(5) Access to the port is denied until the port client is
|
|
authorised (by 802.1X or other authentication mechanism).
|
|
Once authorised, traffic will be accepted from any MAC
|
|
address. The Need To Know and Intrusion Action are ignored.
|
|
|
|
userLoginSecure(6) Access to the port is denied until the port client
|
|
is authorised (by 802.1X or other authentication mechanism).
|
|
When the client is authorised, the MAC address is added to the
|
|
Secure Address Table.
|
|
The hpnicfSecureMaximumAddresses is set to one automatically when
|
|
this mode is entered. Any existing MAC addresses in the Secure
|
|
Address Table are deleted. Need To Know and Intrusion Action
|
|
depends on hpnicfSecureNeedToKnowMode and hpnicfSecureIntrusionAction
|
|
respectively. Learning is disabled.
|
|
|
|
userLoginWithOUI(7) This mode is similar to the userLoginSecure mode
|
|
except that a second MAC address may be placed in the Secure
|
|
Address Table. This second address is authorised based on the
|
|
MAC address OUI value.
|
|
If a new device with an authorised OUI value is discovered,
|
|
the previous entry is deleted. Traffic from the
|
|
OUI authorised device will be accepted even if the user has
|
|
not been authenticated. Need To Know and Intrusion Action
|
|
depends on hpnicfSecureNeedToKnowMode and hpnicfSecureIntrusionAction
|
|
respectively.
|
|
|
|
macAddressWithRadius(8) This selects the RADIUS Authenticated Login using
|
|
MAC-address (RALM) security mode on the port. This feature controls
|
|
network access of a host based on authenticating its MAC
|
|
address. Once authorised, the host is allowed access to the
|
|
network. If unauthorised, the port can be configured to deny
|
|
access to this MAC address or to allow some access depending
|
|
upon the port VLAN and QoS configuration.
|
|
Where access is allowed, the MAC address is added to the Secure
|
|
Address Table.
|
|
|
|
macAddressOrUserLoginSecure(9) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that either or both are allowed to
|
|
authorised access. Where both authorised access, userLoginSecure takes
|
|
precedence.
|
|
|
|
macAddressElseUserLoginSecure(10) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that the MAC address is first
|
|
authenticated and only if this fails does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
userLoginSecureExt(11) Access to the port is denied until the port client
|
|
is authorised (by 802.1X or other authentication mechanism).
|
|
When the client is authorised, the MAC address is added to the
|
|
Secure Address Table.
|
|
The hpnicfSecureNumberAddresses is restricted by the value of hpnicfSecureMaximumAddresses
|
|
automatically when this mode is entered.
|
|
Any existing MAC addresses in the Secure Address Table are deleted.
|
|
Need To Know and Intrusion Action depends on hpnicfSecureNeedToKnowMode
|
|
and hpnicfSecureIntrusionAction respectively. Learning is disabled.
|
|
|
|
macAddressOrUserLoginSecureExt(12) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that either or both are allowed to
|
|
authorised access. Where both authorised access, userLoginSecure takes
|
|
precedence.
|
|
|
|
macAddressElseUserLoginSecureExt(13) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that the MAC address is first
|
|
authenticated and only if this fails does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
macAddressAndUserLoginSecure(14) This selects both the macAddressWithRadius and
|
|
userLoginSecure modes together such that the MAC address is first
|
|
authenticated and only if this succeeds does the userLoginSecure then attempt
|
|
user authentication.
|
|
|
|
macAddressAndUserLoginSecureExt(15) This selects both the macAddressWithRadius and
|
|
userLoginSecureExt modes together such that the MAC address is first
|
|
authenticated and only if this succeeds does the userLoginSecure then attempt
|
|
user authentication.
|
|
"
|
|
::= {hpnicfSecurePortEntry 1}
|
|
|
|
|
|
hpnicfSecureNeedToKnowMode OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
notAvailable(1),
|
|
disabled(2),
|
|
needToKnowOnly(3),
|
|
needToKnowWithBroadcastsAllowed(4),
|
|
needToKnowWithMulticastsAllowed(5),
|
|
permanentNeedToKnowOnly(6),
|
|
permanentNeedToKnowWithBroadcastsAllowed(7),
|
|
permanentNeedToKnowWithMulticastsAllowed(8)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Attribute to determine which frames are to be forwarded to
|
|
this port intact.
|
|
|
|
1 - Need To Know is not available.
|
|
2 - All frames.
|
|
3 - Frames addressed to the authorised devices only.
|
|
4 - Frames addressed to the authorised devices, plus all broadcast
|
|
frames.
|
|
5 - Frames addressed to the authorised devices, plus all broadcast
|
|
and multicast frames.
|
|
6 - As 3 and cannot be changed.
|
|
7 - As 4 and cannot be changed.
|
|
8 - As 5 and cannot be changed.
|
|
|
|
If this object returns 1,6,7 or 8, it means that the Need To Know
|
|
configuration cannot be changed, and any attempt to write to this object
|
|
will cause an error."
|
|
::= {hpnicfSecurePortEntry 2}
|
|
|
|
|
|
hpnicfSecureIntrusionAction OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
notAvailable(1),
|
|
noAction(2),
|
|
disablePort(3),
|
|
disablePortTemporarily(4),
|
|
allowDefaultAccess(5),
|
|
blockMacAddress(6)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Attribute to determine the action if an unauthorised device
|
|
transmits on this port."
|
|
::= {hpnicfSecurePortEntry 3}
|
|
|
|
--
|
|
-- The following 3 objects are used to allow multiple MAC addresses to be
|
|
-- assigned to the port.
|
|
|
|
hpnicfSecureNumberAddresses OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The maximum number of addresses that the port can learn or
|
|
store. Reducing this number may cause some addresses to be deleted.
|
|
This value is set by the user and cannot be automatically changed by the
|
|
agent. The maximum number will not include and limit the number of
|
|
static mac addresses that configured by manager.
|
|
|
|
The following relationship must be preserved.
|
|
hpnicfSecureNumberAddressesStored <= hpnicfSecureNumberAddresses <=
|
|
hpnicfSecureMaximumAddresses
|
|
"
|
|
::= {hpnicfSecurePortEntry 4}
|
|
|
|
|
|
hpnicfSecureNumberAddressesStored OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The number of addresses that are currently in the
|
|
AddressTable for this port. If this object has the same value as
|
|
hpnicfSecureNumberAddresses, then no more addresses can be authorised on this
|
|
port. The number will not include and limit the number of
|
|
static mac addresses that configured by manager.
|
|
|
|
Those objects are bound by the relationship:
|
|
hpnicfSecureNumberAddressesStored <= hpnicfSecureNumberAddresses <=
|
|
hpnicfSecureMaximumAddresses
|
|
"
|
|
::= {hpnicfSecurePortEntry 5}
|
|
|
|
|
|
hpnicfSecureMaximumAddresses OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This indicates the maximum value that hpnicfSecureNumberAddresses
|
|
can be set to. It is dependent on the resources available so may change,
|
|
eg. if resources are shared between ports, then this value can both
|
|
increase and decrease. This object must be read before setting
|
|
hpnicfSecureNumberAddresses.
|
|
|
|
Those objects are bound by the relationship:
|
|
hpnicfSecureNumberAddressesStored <= hpnicfSecureNumberAddresses <=
|
|
hpnicfSecureMaximumAddresses
|
|
"
|
|
::= {hpnicfSecurePortEntry 6}
|
|
|
|
--
|
|
-- SECURE ADDRESS TABLE
|
|
--
|
|
|
|
hpnicfSecureAddressTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpnicfSecureAddressEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the MAC addresses assigned to each
|
|
port. This table can be written to by the agent as well as the
|
|
management station."
|
|
::= {hpnicfPortSecurityTables 2}
|
|
|
|
|
|
hpnicfSecureAddressEntry OBJECT-TYPE
|
|
SYNTAX HpnicfSecureAddressEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table allows multiple addresses to be assigned to each
|
|
secure port. It is indexed using the objects ifIndex,
|
|
hpnicfSecureAddrMAC and hpnicfSecureVlanID."
|
|
INDEX
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
hpnicfSecureAddrVlanID
|
|
}
|
|
::= {hpnicfSecureAddressTable 1}
|
|
|
|
|
|
HpnicfSecureAddressEntry ::= SEQUENCE
|
|
{
|
|
hpnicfSecureAddrMAC MacAddress,
|
|
hpnicfSecureAddrVlanID Integer32,
|
|
hpnicfSecureAddrMACStatus INTEGER,
|
|
hpnicfSecureAddrRowStatus RowStatus
|
|
}
|
|
|
|
|
|
hpnicfSecureAddrMAC OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS accessible-for-notify
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The MAC address of a station assigned to this port.
|
|
This is the second index into the hpnicfSecureAddressTable."
|
|
::= {hpnicfSecureAddressEntry 1}
|
|
|
|
hpnicfSecureAddrVlanID OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The Vlan ID associate with the port and the MAC address.
|
|
This is the third index into the hpnicfSecureAddressTable."
|
|
::= {hpnicfSecureAddressEntry 2}
|
|
|
|
hpnicfSecureAddrMACStatus OBJECT-TYPE
|
|
SYNTAX INTEGER
|
|
{
|
|
addressBlackhole(1),
|
|
addressUserConfig(2),
|
|
addressDot1xAuth(3),
|
|
addressRALM(4)
|
|
}
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The state of the mac address assigned to this port.
|
|
|
|
addressBlackhole (1) the mac address is a blackhole address,
|
|
Each packet whose source address is equal to this address will be
|
|
dropped by the agent.
|
|
addressUserConfig (2) the mac address configed by user with this state
|
|
are preserved across power cycles and resets.
|
|
addressDot1xAuth (3) the mac address is authorized by 802.1x authenticator,
|
|
User can not configure this mac address. This value is used for GET
|
|
and GETNEXT operation.
|
|
addressRALM (4) the mac address is authorized by RALM authenticator,
|
|
User can not configure this mac address. This value is used for GET
|
|
and GETNEXT operation.
|
|
"
|
|
::= {hpnicfSecureAddressEntry 3}
|
|
|
|
|
|
hpnicfSecureAddrRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion or rows, and shows
|
|
the current status of the indexed MAC address. This object has the
|
|
following values.
|
|
|
|
active(1) The indexed MAC address is authorised on this port.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new MAC address to the port and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4).
|
|
When reading this object, only active(1) will be
|
|
returned.
|
|
"
|
|
::= {hpnicfSecureAddressEntry 4}
|
|
|
|
|
|
--
|
|
-- SECURE OUI TABLE
|
|
--
|
|
|
|
hpnicfSecureOUITable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpnicfSecureOUIEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the OUI values for OUI based
|
|
authentication."
|
|
::= {hpnicfPortSecurityTables 3}
|
|
|
|
|
|
hpnicfSecureOUIEntry OBJECT-TYPE
|
|
SYNTAX HpnicfSecureOUIEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is a row in the hpnicfSecureOUITable."
|
|
INDEX
|
|
{
|
|
hpnicfSecureOUIIndex
|
|
}
|
|
::= {hpnicfSecureOUITable 1}
|
|
|
|
|
|
HpnicfSecureOUIEntry ::= SEQUENCE
|
|
{
|
|
hpnicfSecureOUIIndex INTEGER,
|
|
hpnicfSecureOUI OCTET STRING,
|
|
hpnicfSecureOUIRowStatus RowStatus
|
|
}
|
|
|
|
|
|
hpnicfSecureOUIIndex OBJECT-TYPE
|
|
SYNTAX INTEGER(1..1024)
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The index number. This is the first index into the
|
|
hpnicfSecureOUITable."
|
|
::= {hpnicfSecureOUIEntry 1}
|
|
|
|
|
|
hpnicfSecureOUI OBJECT-TYPE
|
|
SYNTAX OCTET STRING(SIZE(3))
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The OUI value for an authorised device."
|
|
::= {hpnicfSecureOUIEntry 2}
|
|
|
|
|
|
hpnicfSecureOUIRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion of rows, and shows
|
|
the current status of the entry.
|
|
|
|
active(1) The indexed OUI value is authorised.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new OUI to the unit and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4) .
|
|
When reading this object, only active(1) will be returned.
|
|
"
|
|
::= {hpnicfSecureOUIEntry 3}
|
|
|
|
--
|
|
-- IP+MAC+PORT BINDING TABLE
|
|
--
|
|
|
|
hpnicfSecureBindingTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpnicfSecureBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table stores the elements of binding rules include the
|
|
MAC addresses, the IP address and the port. Only the frame exactly
|
|
matching the binding rules can be forwarded. This table can be
|
|
written to by the agent as well as the management station."
|
|
::= {hpnicfPortSecurityTables 4}
|
|
|
|
|
|
hpnicfSecureBindingEntry OBJECT-TYPE
|
|
SYNTAX HpnicfSecureBindingEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table allows multiple binding rules. It is indexed using the object
|
|
hpnicfSecureBindingIndex."
|
|
INDEX
|
|
{
|
|
hpnicfSecureBindingIndex
|
|
}
|
|
::= {hpnicfSecureBindingTable 1}
|
|
|
|
|
|
HpnicfSecureBindingEntry ::= SEQUENCE
|
|
{
|
|
hpnicfSecureBindingIndex Integer32,
|
|
hpnicfSecureBindingPort Integer32,
|
|
hpnicfSecureBindingAddrMAC MacAddress,
|
|
hpnicfSecureBindingAddrIp IpAddress,
|
|
hpnicfSecureBindingRowStatus RowStatus
|
|
}
|
|
|
|
hpnicfSecureBindingIndex OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The index number. This is the first index into the
|
|
hpnicfSecureBindingTable."
|
|
::= {hpnicfSecureBindingEntry 1}
|
|
|
|
hpnicfSecureBindingPort OBJECT-TYPE
|
|
SYNTAX Integer32
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The port number of the port bound with the IP address
|
|
and the MAC address."
|
|
::= {hpnicfSecureBindingEntry 2}
|
|
|
|
hpnicfSecureBindingAddrMAC OBJECT-TYPE
|
|
SYNTAX MacAddress
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The MAC address bound with the port and the IP address."
|
|
::= {hpnicfSecureBindingEntry 3}
|
|
|
|
hpnicfSecureBindingAddrIp OBJECT-TYPE
|
|
SYNTAX IpAddress
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The IP address bound with the port and the MAC address."
|
|
::= {hpnicfSecureBindingEntry 4}
|
|
|
|
hpnicfSecureBindingRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This manages the creation and deletion or rows, and shows
|
|
status of the entry. This object has the following values.
|
|
|
|
active(1) The indexed MAC address is authorised on this port.
|
|
notInService(2) Not Supported.
|
|
notReady(3) Not Supported.
|
|
createAndGo(4) Assign a new MAC address to the port and authorise
|
|
immediately.
|
|
createAndWait(5) Not Supported.
|
|
destroy(6) Delete this entry.
|
|
|
|
When creating a new entry, index a new row and use createAndGo(4).
|
|
When reading this object, only active(1) will be
|
|
returned.
|
|
"
|
|
::= {hpnicfSecureBindingEntry 5}
|
|
--
|
|
-- PORT ASSIGN TABLE
|
|
--
|
|
hpnicfSecureAssignTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF HpnicfSecureAssignEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Table of port assignment management information about authorised user."
|
|
::= {hpnicfPortSecurityTables 5}
|
|
|
|
|
|
hpnicfSecureAssignEntry OBJECT-TYPE
|
|
SYNTAX HpnicfSecureAssignEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry (conceptual row) representing information about port assignment
|
|
about authorised user."
|
|
INDEX
|
|
{
|
|
ifIndex
|
|
}
|
|
::= {hpnicfSecureAssignTable 1}
|
|
|
|
|
|
HpnicfSecureAssignEntry ::= SEQUENCE
|
|
{
|
|
hpnicfSecureAssignEnable TruthValue,
|
|
hpnicfSecureVlanAssignment OCTET STRING
|
|
}
|
|
|
|
hpnicfSecureAssignEnable OBJECT-TYPE
|
|
SYNTAX TruthValue
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The user-based port configuration control. Setting this attribute
|
|
TRUE causes the port to be configured with any configuration
|
|
parameters supplied by the authentication server. Setting this
|
|
attribute to FALSE causes any configuration parameters supplied
|
|
by the authentication server to be ignored."
|
|
DEFVAL {true}
|
|
::= { hpnicfSecureAssignEntry 1 }
|
|
|
|
hpnicfSecureVlanAssignment OBJECT-TYPE
|
|
SYNTAX OCTET STRING(SIZE(0..255))
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The VLAN membership assigned to the port for the authorised user.
|
|
This contains the actual value received from the authentication
|
|
server. This object will contain a null value if there is no user
|
|
authorised to access the port or if the authorised user was not
|
|
assigned a VLAN membership."
|
|
::= { hpnicfSecureAssignEntry 2 }
|
|
|
|
-- **********************************************************************
|
|
-- Define enterprise repeater traps. Rules for traps are that any
|
|
-- varbind must be from a table in which the first qualifier on the
|
|
-- object id is the service identifier of the 'thing' causing the trap.
|
|
-- **********************************************************************
|
|
hpnicfPortSecurityNotifications OBJECT IDENTIFIER ::= {hpnicfPortSecurityMIB 3}
|
|
|
|
hpnicfSecureAddressLearned NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new station has been learned. The
|
|
port on which the address was received is the first object,
|
|
and the MAC address of the learned station is in the second object."
|
|
::= {hpnicfPortSecurityNotifications 1}
|
|
|
|
|
|
hpnicfSecureViolation NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
ifAdminStatus
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a security violation has occurred.
|
|
The port on which the violation occured is the first object,
|
|
and the MAC address of the offending station is in the second object.
|
|
ifAdminStatus indicates if the port has been disabled because of the violation.
|
|
The implementation may not send violation traps from the same port
|
|
at intervals of less than 5 seconds."
|
|
::= {hpnicfPortSecurityNotifications 2}
|
|
|
|
|
|
hpnicfSecureLoginFailure NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
dot1xAuthSessionUserName
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a user network access
|
|
authentication has failed. The port on which the violation occured is
|
|
the first object, and the MAC address of the offending station is in
|
|
the second object. The dot1xAuthSessionUserName is the identity supplied
|
|
during the user authentication."
|
|
::= {hpnicfPortSecurityNotifications 3}
|
|
|
|
|
|
hpnicfSecureLogon NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
dot1xAuthSessionUserName,
|
|
dot1xAuthSessionAuthenticMethod,
|
|
hpnicfSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation occured is
|
|
the first object, and the MAC address of the offending station is in
|
|
the second object.
|
|
The dot1xAuthSessionUserName is the identity supplied during the user
|
|
authentication. The dot1xAuthSessionAuthenticMethod indicates how the
|
|
user was authorised. The hpnicfSecurePortVlanMembershipList object
|
|
identifies the VLAN membership assigned to the port on session
|
|
activation."
|
|
::= {hpnicfPortSecurityNotifications 4}
|
|
|
|
|
|
hpnicfSecureLogoff NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
dot1xAuthSessionUserName,
|
|
dot1xAuthSessionTerminateCause,
|
|
hpnicfSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a user session is terminated.
|
|
The port on which the violation occured is the first object,
|
|
and the MAC address of the offending station is in the second object.
|
|
The dot1xAuthSessionUserName is the identity supplied during the user
|
|
authentication. The dot1xAuthSessionTerminateCause indicates the
|
|
reason why the session was terminated.
|
|
The hpnicfSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session termination."
|
|
::= {hpnicfPortSecurityNotifications 5}
|
|
|
|
hpnicfSecureRalmLoginFailure NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
hpnicfSecureRalmAuthMode,
|
|
hpnicfSecureRalmAuthUsername
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent whenever a user network access
|
|
authentication has failed. The port on which the violation
|
|
occured is the first object, and the MAC address of the
|
|
offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The hpnicfSecureRalmAuthUsername
|
|
is the identity supplied during the user authentication."
|
|
::= {hpnicfPortSecurityNotifications 6}
|
|
|
|
|
|
hpnicfSecureRalmLogon NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
hpnicfSecureRalmAuthMode,
|
|
hpnicfSecureRalmAuthUsername,
|
|
hpnicfSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation
|
|
occured is the first object, and the MAC address of
|
|
the offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The hpnicfSecureRalmAuthUsername is
|
|
the identity supplied during the user authentication. The
|
|
hpnicfSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session activation."
|
|
::= {hpnicfPortSecurityNotifications 7}
|
|
|
|
|
|
hpnicfSecureRalmLogoff NOTIFICATION-TYPE
|
|
OBJECTS
|
|
{
|
|
ifIndex,
|
|
hpnicfSecureAddrMAC,
|
|
hpnicfSecureRalmAuthMode,
|
|
hpnicfSecureRalmAuthUsername,
|
|
hpnicfSecurePortVlanMembershipList
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This trap is sent when a new session is started for
|
|
an authorised port user. The port on which the violation
|
|
occured is the first object, and the MAC address of the
|
|
offending station is in the second object. The authentication mode
|
|
indicates how the user was authorised. The hpnicfSecureRalmAuthUsername is
|
|
the identity supplied during the user authentication. The
|
|
hpnicfSecurePortVlanMembershipList object identifies the VLAN
|
|
membership assigned to the port on session activation."
|
|
::= {hpnicfPortSecurityNotifications 8}
|
|
END
|