CISCO-NAC-TC-MIB-V1SMI.my
-- MIB file created 28-Feb-2007 14:55:40, by
-- SMICng version 2.2.11-beta(PRO)(Solaris), January 20, 2001. Enterprise key cisco.com
CISCO-NAC-TC-MIB DEFINITIONS ::= BEGIN
-- From file: "CISCO-NAC-TC-MIB.my"
-- Compile options "4 7 F H N O W 03 06 0B 0G 0N 0T"
IMPORTS
    ciscoMgmt
        FROM CISCO-SMI;
ciscoNacTcMIB OBJECT IDENTIFIER ::= { ciscoMgmt 530 }
-- MODULE-IDENTITY
-- LastUpdated
-- 200605310000Z
-- OrgName
-- Cisco Systems, Inc.
-- ContactInfo
-- Cisco Systems
-- Customer Service
--
-- Postal: 170 W Tasman Drive
-- San Jose, CA 95134
-- USA
--
-- Tel: +1 800 553-NETS
--
-- E-mail: [email protected]
-- Descr
-- This module defines the textual conventions for the
-- Cisco Network Admission Control (NAC) system.
--
-- The Cisco Network Admission Control security
-- solution offers a systems approach to customers for
-- ensuring endpoint device compliance and vulnerability
-- checks prior to production access to the network. Cisco
-- refers to these compliance checks as posture
-- validations. The intent of this systems approach is to
-- prevent the spread of worms, viruses, and rogue
-- applications across the network. This systems approach
-- requires integration with third-party endpoint security
-- applications, as well as endpoint security servers.
--
-- Terminology used:
--
-- EOU - Extensible Authentication Protocol over UDP.
--
-- UCT - Unconditional Transition.
--
-- CTA - Cisco Trust Agent.
--
-- EAP - Extensible Authentication Protocol. An extension
-- to PPP.
--
-- ACS/AAA - Cisco Secure Access Control Server. The
-- primary authorization server that is the network policy
-- decision point and is extended to support posture
-- validation.
--
-- NAD - Network Access Device that enforces network
-- access control policies through layer 2 or layer 3
-- challenge-responses with a network enabled Endpoint
-- device.
-- RevDate
-- 200605310000Z
-- RevDescr
-- The initial version of this MIB module.
CnnEouState ::= INTEGER {
    initialize(1),
    hello(2),
    clientless(3),
    eapRequest(4),
    response(5),
    authenticated(6),
    fail(7),
    abort(8),
    aaaFail(9),
    hold(10),
    client(11),
    server(12)
}
-- TEXTUAL-CONVENTION
-- Status
-- mandatory
-- Descr
-- Describes the EOU state.
--
-- initialize(1)
-- Indicates that the EOU state is in initialization.
--
-- The state machine enters this state when a new
-- IP address has been learned on the port. Cleanup of the
-- port configuration also forces entry into this
-- state. On entering this state, the following
-- actions take place:
-- - any previously configured policy is removed
-- - any previously allocated memory is freed
-- - a UCT to the 'hello' state is performed.
--
-- hello(2)
-- Indicates that the EOU state is in hello state.
--
-- In this state the device sends a hello
-- message to obtain the association ID of the CTA and
-- to check whether a CTA exists at all. The
-- device starts the hello timer and waits until it
-- expires; if it does not get a response, it
-- retransmits the hello request up to max-retry times
-- before it declares the host 'clientless'.
--
-- clientless(3)
-- Indicates that the EOU state is in client-less
-- state.
--
-- The state machine enters this state when no hello
-- response is received. In this state the device does
-- a pseudo-authentication to download the policy
-- for non-responsive hosts and remains in this
-- state.
--
-- eapRequest(4)
-- Indicates that the EOU state is in EAP request
-- state.
--
-- In this state the device sends EAP validate
-- requests to the CTA and awaits a response from the
-- CTA. It starts the retransmit timeout and, if a
-- response is not received before that timer expires,
-- retransmits the EAP requests.
--
-- response(5)
-- Indicates that the EOU state is in EAP response
-- state.
--
-- The state machine enters this state when a response to
-- the EAP validate request is received from the CTA.
-- The device then builds a RADIUS request incorporating
-- the EAP packet, sends it to the ACS and awaits a
-- response from the ACS. If the response from the
-- ACS is an access challenge, the port moves to the
-- 'eapRequest' state. If it is a success, the port
-- is moved to the 'authenticated' state. If it is an
-- Access-Reject, the port is moved to the 'fail' state.
--
-- authenticated(6)
-- Indicates that the EOU state is in authenticated
-- state.
--
-- In this state policy installation takes place, and the port
-- remains in this state until a revalidation event is
-- triggered by session timer expiry or by a failed
-- status query. Status query generation and
-- response reception happen in this state only.
--
-- fail(7)
-- Indicates that the EOU state is in failed state.
--
-- When posture validation fails, the system starts the
-- hold timer and the device waits until it expires
-- before attempting posture validation again.
--
-- abort(8)
-- Indicates that the EOU state is in abort state.
--
-- The state machine enters this state when posture
-- validation could not be completed, because of a lack
-- of response from the CTA/RADIUS or for any other reason.
--
-- aaaFail(9)
-- Indicates that the EOU state is in AAA failed
-- state.
--
-- The state machine enters this state when RADIUS requests
-- to the AAA server time out, either because the server
-- is not reachable or because it is down.
--
-- hold(10)
-- Indicates that the EOU state is in hold state.
--
-- This state represents the quiet or idle state
-- for the host. The host is put in the hold state
-- on events such as a hello response not being received
-- or the AAA server not being reachable. The host
-- remains in this state for the EOU hold
-- timeout period.
--
-- client(11)
-- Indicates that the EOU state is in client state.
--
-- This state is reached when the host sends a
-- response to an EOU hello request from the
-- authenticating device. This state indicates the
-- presence of a CTA on the host.
--
-- server(12)
-- Indicates that the EOU state is in server state.
--
-- This state indicates that the authenticating
-- device is communicating with the AAA (RADIUS)
-- server. This state is reached when the host sends an
-- EOU response.
CnnEouAuthType ::= INTEGER {
    clientless(1),
    eap(2),
    static(3),
    unknown(4)
}
-- TEXTUAL-CONVENTION
-- Status
-- mandatory
-- Descr
-- Type of authentication for NAD.
--
-- clientless(1)
-- Endpoint device that does not run the Cisco
-- Trust Agent.
--
-- eap(2)
-- Authorized via Extensible Authentication
-- Protocol.
--
-- static(3)
-- Statically authorized or rejected individual
-- end point device.
--
-- unknown(4)
-- The authentication type of the endpoint host
-- is unknown.
CnnEouDeviceType ::= INTEGER {
    ciscoIpPhone(1)
}
-- TEXTUAL-CONVENTION
-- Status
-- mandatory
-- Descr
-- The supported exempt device type on NAD.
--
-- ciscoIpPhone(1) - Cisco IP Phone
CnnEouPostureToken ::= INTEGER {
    unknown(1),
    healthy(2),
    checkup(3),
    quarantine(4),
    infected(5)
}
-- TEXTUAL-CONVENTION
-- Status
-- deprecated
-- Descr
-- Posture token representing the endpoint
-- device's relative compliance with the network
-- compliance policy.
--
-- unknown(1)
-- The posture credentials of the endpoint host
-- cannot be determined. The integrity of the
-- endpoint should be determined so proper posture
-- credentials can be attained and assessed for
-- network access authorization.
--
-- healthy(2)
-- The host complies with the currently required
-- credentials so no restrictions need to be
-- placed on this device.
--
-- checkup(3)
-- The host is within policy but doesn't have the
-- latest AV software; update recommended.
-- This profile state may be used to signal
-- management servers to proactively get this
-- machine into the 'healthy' state.
--
-- quarantine(4)
-- The host is out of policy and needs to be
-- restricted to a remediation network.
-- This device is not actively posing a threat to
-- other hosts but is susceptible to attack or
-- infection and should be updated as soon as
-- possible.
--
-- infected(5)
-- The host is an active threat to other hosts.
-- Network access should be severely restricted,
-- with the host placed into remediation, or all
-- network access should be denied entirely.
--
-- This TEXTUAL-CONVENTION is deprecated and replaced by
-- CnnEouPostureTokenString.
CnnEouPostureTokenString ::= OCTET STRING(SIZE(0..255))
-- TEXTUAL-CONVENTION
-- Status
-- mandatory
-- Descr
-- Posture token representing the endpoint
-- device's relative compliance with the network
-- compliance policy.
--
-- Valid characters are a-z, A-Z, 0-9, '#', '-', '_',
-- and '.'. The posture token string is case sensitive,
-- and the empty string is a permitted value.
END
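An added example, not part of the MIB file or of Cisco's tooling: a Python decoder for the three INTEGER textual conventions above, a validator for CnnEouPostureTokenString using the character set and size the MIB specifies, and a small triage rule that applies the MIB's own descriptions of each posture token and EOU state to polled values. The poll records, host addresses and triage labels are constructed for illustration.

```python
"""Decode CISCO-NAC-TC-MIB values polled from a NAD and triage each host."""
import re

# INTEGER enumerations exactly as the textual conventions define them.
CNN_EOU_STATE = {1: "initialize", 2: "hello", 3: "clientless", 4: "eapRequest",
                 5: "response", 6: "authenticated", 7: "fail", 8: "abort",
                 9: "aaaFail", 10: "hold", 11: "client", 12: "server"}
CNN_EOU_AUTH_TYPE = {1: "clientless", 2: "eap", 3: "static", 4: "unknown"}
CNN_EOU_POSTURE_TOKEN = {1: "unknown", 2: "healthy", 3: "checkup",
                         4: "quarantine", 5: "infected"}

# CnnEouPostureTokenString: a-z, A-Z, 0-9, '#', '-', '_', '.'; case sensitive;
# empty string permitted; OCTET STRING (SIZE(0..255)).
_TOKEN_RE = re.compile(r"[A-Za-z0-9#_.\-]{0,255}")


def valid_posture_token_string(s: str) -> bool:
    """True if s is a syntactically valid CnnEouPostureTokenString."""
    return _TOKEN_RE.fullmatch(s) is not None


def decode_enum(table: dict, value: int) -> str:
    """Map an enumeration value to its label; an undefined value is an error
    (usually a wrong OID or a mis-parsed PDU), never a silent 'unknown'."""
    if value not in table:
        raise ValueError(f"value {value} is not defined by this textual convention")
    return table[value]


def triage(state: int, auth_type: int, token: int) -> str:
    """Classify one host from its decoded values, following the MIB's own
    description of each posture token and EOU state (labels are constructed)."""
    st = decode_enum(CNN_EOU_STATE, state)
    at = decode_enum(CNN_EOU_AUTH_TYPE, auth_type)
    pt = decode_enum(CNN_EOU_POSTURE_TOKEN, token)
    if pt == "infected":                       # active threat to other hosts
        return "restrict"
    if pt == "quarantine":                     # out of policy: remediation net
        return "remediate"
    if pt == "unknown" or at in ("clientless", "unknown"):
        return "investigate"                   # no CTA or credentials unknown
    if st in ("fail", "abort", "aaaFail", "hold") or pt == "checkup":
        return "monitor"                       # validation incomplete / AV stale
    return "ok"


# Constructed sample poll: (host, CnnEouState, CnnEouAuthType, CnnEouPostureToken).
SAMPLE_POLL = [("192.0.2.10", 6, 2, 2), ("192.0.2.11", 6, 2, 5),
               ("192.0.2.12", 3, 1, 1), ("192.0.2.13", 9, 2, 2)]


def triage_poll(poll=SAMPLE_POLL) -> dict:
    return {host: triage(s, a, t) for host, s, a, t in poll}
```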