407 lines
13 KiB
Plaintext
407 lines
13 KiB
Plaintext
RAD-TACACS-MIB DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS
|
|
|
|
InetAddressType, InetAddress FROM INET-ADDRESS-MIB
|
|
SnmpAdminString FROM SNMP-FRAMEWORK-MIB
|
|
Counter32, Unsigned32, OBJECT-TYPE,
|
|
MODULE-IDENTITY FROM SNMPv2-SMI
|
|
TEXTUAL-CONVENTION, RowStatus FROM SNMPv2-TC
|
|
radSecurity FROM RAD-SMI-MIB;
|
|
|
|
radTacacsPlus MODULE-IDENTITY
|
|
LAST-UPDATED "201609191808Z" -- September 19, 2016
|
|
ORGANIZATION "RAD Data Communications Ltd."
|
|
CONTACT-INFO
|
|
"System Department
|
|
|
|
Email: mibs@rad.com
|
|
Postal: RAD Data Communications Ltd.
|
|
24 Raoul Wallenberg St.
|
|
Tel-Aviv 6971920
|
|
Israel
|
|
|
|
Phone: +972-3-645-5421
|
|
Fax: +972-3-760-7844"
|
|
DESCRIPTION
|
|
"TACACS MIB."
|
|
::= { radSecurity 1 }
|
|
|
|
|
|
-- Definition of a client Terminal Access Controller Access Control System Plus (TACACS+)
|
|
|
|
|
|
-- Textual conventions
|
|
RadTacacsKeyString ::= TEXTUAL-CONVENTION
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A string to keep a TACACS Plus key. Its lenght is limited to 255 characters."
|
|
SYNTAX OCTET STRING (SIZE(0..255))
|
|
|
|
|
|
-- TACACS Plus Server Required Parameters
|
|
|
|
|
|
tacplusAuthServerTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF TacplusAuthServerEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The (conceptual) table listing the TACACS+ authentication
|
|
servers with which the client shares a secret key."
|
|
::= { radTacacsPlus 1 }
|
|
|
|
tacplusAuthServerEntry OBJECT-TYPE
|
|
SYNTAX TacplusAuthServerEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"An entry (conceptual row) representing a TACACS+
|
|
authentication server with which the client shares
|
|
a secret key."
|
|
INDEX { tacplusServerAddressType, tacplusServerAddress, tacplusServerPort }
|
|
::= { tacplusAuthServerTable 1 }
|
|
|
|
TacplusAuthServerEntry ::= SEQUENCE {
|
|
tacplusServerAddressType InetAddressType,
|
|
tacplusServerAddress InetAddress,
|
|
tacplusServerPort Unsigned32,
|
|
tacplusRowStatus RowStatus,
|
|
tacplusSecretKey RadTacacsKeyString,
|
|
tacplusRetryCount Unsigned32,
|
|
tacplusTimeout Unsigned32,
|
|
tacplusAuthentStatus INTEGER,
|
|
tacplusAccountingPort Unsigned32,
|
|
tacplusServerGroup Unsigned32,
|
|
tacplusAuthenticationPort Unsigned32
|
|
}
|
|
|
|
tacplusServerAddressType OBJECT-TYPE
|
|
SYNTAX InetAddressType
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This variable represents the TACACS+ Server Address Type
|
|
indicating ipv4(1), ipv6(2). The object identifiers for
|
|
the InetAddressType object and the InetAddress object MUST
|
|
have the same length and the last sub-identifier of the
|
|
InetAddressType object MUST be 1 less than the last
|
|
sub-identifier of the InetAddress object."
|
|
::= { tacplusAuthServerEntry 1 }
|
|
|
|
tacplusServerAddress OBJECT-TYPE
|
|
SYNTAX InetAddress
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The IP address of the TACACS+ authentication server
|
|
referred to in this table entry."
|
|
::= { tacplusAuthServerEntry 2 }
|
|
|
|
tacplusServerPort OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..65535)
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"In current implementation this index shall me equal to '1'.
|
|
The TCP port configuration shall be done via the objects in the table."
|
|
::= { tacplusAuthServerEntry 3 }
|
|
|
|
tacplusRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The status of the TACACS server entry.
|
|
In order for this object to become active, the following
|
|
row objects must be defined:
|
|
tacplusSecretKey
|
|
All other objects can assume default values.
|
|
In order to set the admin Status of the server to 'down' use the
|
|
notInService function."
|
|
::= { tacplusAuthServerEntry 4 }
|
|
|
|
|
|
tacplusSecretKey OBJECT-TYPE
|
|
SYNTAX RadTacacsKeyString
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This is the secret key shared between the Client and Server TACACS+."
|
|
DEFVAL { "" }
|
|
::= { tacplusAuthServerEntry 6 }
|
|
|
|
|
|
tacplusRetryCount OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..10)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object indicates the threshold number of permitted Authentication requests.
|
|
If the number of authentication requests crosses the threshold number then the device will
|
|
not attempt to send additional Authentication requests until it will reboot or reset.
|
|
The default value is 3 authentication attempt requests."
|
|
DEFVAL { 3 }
|
|
::= { tacplusAuthServerEntry 7 }
|
|
|
|
|
|
tacplusTimeout OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..255)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The delay in seconds that a specific TACACS+ server responds to a client request.
|
|
The default value is 5 seconds."
|
|
DEFVAL { 5 }
|
|
::= { tacplusAuthServerEntry 8 }
|
|
|
|
tacplusAuthentStatus OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
authenticated (1),
|
|
authenticationFailure (2),
|
|
unknownFailure (3),
|
|
idle (4)
|
|
}
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Authentication Status reflects possible results of the authentication process.
|
|
Authenticated(1) means that the authentication succeeded.
|
|
AuthenticationFailure(2) means that the authentication process failed due
|
|
to wrong credential.
|
|
UnknownFailure(4) means that the authentication process failed due to a server
|
|
or internal error.
|
|
Idle(4) is the initial default value."
|
|
DEFVAL { idle }
|
|
::= { tacplusAuthServerEntry 9 }
|
|
|
|
-- Entry 10 is free
|
|
|
|
|
|
|
|
tacplusAccountingPort OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..65535)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The TCP port used for Accounting.
|
|
This parameter shall be configured only if the Accounting TCP port is
|
|
different from 49."
|
|
DEFVAL { 49 }
|
|
::= { tacplusAuthServerEntry 11 }
|
|
|
|
tacplusServerGroup OBJECT-TYPE
|
|
SYNTAX Unsigned32 (0..65535)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The associate group (in tacplusServerGroupId).
|
|
By default the value is 0."
|
|
::= { tacplusAuthServerEntry 12 }
|
|
|
|
tacplusAuthenticationPort OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..65535)
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The TCP port used for Authentication.
|
|
This parameter shall be configured only if the Authentication TCP port is
|
|
different from 49."
|
|
DEFVAL { 49 }
|
|
::= { tacplusAuthServerEntry 13 }
|
|
|
|
|
|
-- TACACS+ Statistics Entry per Server
|
|
|
|
|
|
tacplusStatsTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF TacplusStatsEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table contains the statistics per TACACS+ server instance."
|
|
::= { radTacacsPlus 2 }
|
|
|
|
tacplusStatsEntry OBJECT-TYPE
|
|
SYNTAX TacplusStatsEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A TACACS+ server instance statistics table entry."
|
|
AUGMENTS { tacplusAuthServerEntry }
|
|
::= { tacplusStatsTable 1 }
|
|
|
|
TacplusStatsEntry ::= SEQUENCE {
|
|
tacplusClearStaticsCmd INTEGER,
|
|
tacplusAuthRequests Counter32,
|
|
tacplusAuthenRequestTimeouts Counter32,
|
|
tacplusAuthenUnexpectedResponses Counter32,
|
|
tacplusAuthenServerErrorResponses Counter32,
|
|
tacplusAuthenIncorrectResponses Counter32,
|
|
tacplusAuthenTransactionSuccesses Counter32,
|
|
tacplusAuthenTransactionFailures Counter32,
|
|
tacplusAuthenPendingRequests Counter32
|
|
}
|
|
|
|
|
|
tacplusClearStaticsCmd OBJECT-TYPE
|
|
SYNTAX INTEGER {
|
|
on (1),
|
|
off (2)
|
|
}
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This object will allow to initialize the statistic counters of a given
|
|
TACACS+ server instance.
|
|
on(1) means that the statistics will be cleared. The Agent will change the value
|
|
of this MIB object to off(2) automatically, after performing the command.
|
|
off(2) is the default value. Setting this object to off(2), will do nothing."
|
|
DEFVAL { off }
|
|
::= { tacplusStatsEntry 1 }
|
|
|
|
|
|
tacplusAuthRequests OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Counter that measures the number of authentications performed toward a specific TACACS+ server."
|
|
::= { tacplusStatsEntry 2 }
|
|
|
|
tacplusAuthenRequestTimeouts OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Counter that measures the number of transaction timeouts that were occured between the client and server."
|
|
::= { tacplusStatsEntry 3 }
|
|
|
|
tacplusAuthenUnexpectedResponses OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Counter that is incremented when the tacacs+ client receives a tacacs+ packet which
|
|
is not expected at that time. This could happen because of delay response to a request
|
|
which has already timed out."
|
|
::= { tacplusStatsEntry 4 }
|
|
|
|
tacplusAuthenServerErrorResponses OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Counter that measures the number of errors received from the tacacs+ server."
|
|
::= { tacplusStatsEntry 5 }
|
|
|
|
tacplusAuthenIncorrectResponses OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This counter is incremented when tacacs+ client fails to decrypt the packets or
|
|
when the client finds an invalid field in the tacacs+ packet or when the client
|
|
receives a response which is not valid based on the request."
|
|
::= { tacplusStatsEntry 6 }
|
|
|
|
tacplusAuthenTransactionSuccesses OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Counter that measures the successfully transactions between the client and server tacacs+."
|
|
::= { tacplusStatsEntry 7 }
|
|
|
|
tacplusAuthenTransactionFailures OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This counter is increamented when tacacs+ client receives an abort from the server or
|
|
when the server fails to respond even after maximum resend (RetryCount)."
|
|
::= { tacplusStatsEntry 8 }
|
|
|
|
tacplusAuthenPendingRequests OBJECT-TYPE
|
|
SYNTAX Counter32
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This counter is incremented when a tacacs+ client sends a request and it is decremented
|
|
when tacaplus client receives a response or when a timeout occurs."
|
|
::= { tacplusStatsEntry 9 }
|
|
|
|
|
|
-- ------------------
|
|
-- Server Group Table
|
|
-- ------------------
|
|
|
|
|
|
tacplusServerGroupTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF TacplusServerGroupEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"This table contains the groups of tacacs servers."
|
|
::= { radTacacsPlus 3 }
|
|
|
|
tacplusServerGroupEntry OBJECT-TYPE
|
|
SYNTAX TacplusServerGroupEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"A TACACS+ server group table entry."
|
|
INDEX { tacplusServerGroupId }
|
|
::= { tacplusServerGroupTable 1 }
|
|
|
|
TacplusServerGroupEntry ::= SEQUENCE {
|
|
tacplusServerGroupId Unsigned32,
|
|
tacplusServerGroupRowStatus RowStatus,
|
|
tacplusServerGroupName SnmpAdminString,
|
|
tacplusServerGroupAccountingMode BITS
|
|
}
|
|
|
|
tacplusServerGroupId OBJECT-TYPE
|
|
SYNTAX Unsigned32
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The ID for the group"
|
|
::= { tacplusServerGroupEntry 1 }
|
|
|
|
tacplusServerGroupRowStatus OBJECT-TYPE
|
|
SYNTAX RowStatus
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The status of this table entry."
|
|
::= { tacplusServerGroupEntry 2 }
|
|
|
|
tacplusServerGroupName OBJECT-TYPE
|
|
SYNTAX SnmpAdminString
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The name of the group"
|
|
::= { tacplusServerGroupEntry 3 }
|
|
|
|
tacplusServerGroupAccountingMode OBJECT-TYPE
|
|
SYNTAX BITS
|
|
{
|
|
shell (0),
|
|
system (1),
|
|
commands (2)
|
|
}
|
|
MAX-ACCESS read-create
|
|
STATUS current
|
|
DESCRIPTION
|
|
"The group type, the group can be configured as:
|
|
Bit 0 = shell
|
|
Bit 1 = system
|
|
Bit 2 = commands
|
|
By default all bits are inactive (bit # = 0)."
|
|
::= { tacplusServerGroupEntry 4 }
|
|
|
|
|
|
END
|