-- *********************************************************************
-- CISCO-NAC-TC-MIB.my: Cisco NAC system Textual Conventions
--
-- May 2006, Liwei Lue
--
-- Copyright (c) 2006-2007 by Cisco Systems, Inc.
--
-- All rights reserved.
-- ********************************************************************

CISCO-NAC-TC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;


ciscoNacTcMIB MODULE-IDENTITY
    LAST-UPDATED    "200605310000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 W Tasman Drive
            San Jose, CA 95134
            USA

            Tel: +1 800 553-NETS

            E-mail: cs-nac@cisco.com
                    cs-lan-switch-snmp@cisco.com"
    DESCRIPTION
        "This module defines the textual conventions for the
        Cisco Network Admission Control (NAC) system.

        The Cisco Network Admission Control security
        solution offers a systems approach to customers for
        ensuring endpoint device compliance and vulnerability
        checks prior to production access to the network. Cisco
        refers to these compliance checks as posture
        validations. The intent of this systems approach is to
        prevent the spread of worms, viruses, and rogue
        applications across the network. This systems approach
        requires integration with third-party endpoint security
        applications, as well as endpoint security servers.

        Terminology used:

        EOU - Extensible Authentication Protocol over UDP.

        UCT - Unconditional Transition.

        CTA - Cisco Trust Agent.

        EAP - Extensible Authentication Protocol. An extension
        to PPP.

        ACS/AAA - Cisco Secure Access Control Server. The
        primary authorization server that is the network policy
        decision point and is extended to support posture
        validation.

        NAD - Network Access Device that enforces network
        access control policies through layer 2 or layer 3
        challenge-responses with a network-enabled endpoint
        device."
    REVISION        "200605310000Z"
    DESCRIPTION
        "The initial version of this MIB module."
    ::= { ciscoMgmt 530 }


-- Definitions of textual conventions

CnnEouState ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Describes the EOU state.

        initialize(1)
            Indicates that the EOU state is in initialization.

            The state machine enters this state when a new
            IP address has been learned on the port. Cleanup of
            the port configuration also forces entry into this
            state. When entering this state, the following
            actions take place:
            - any previously configured policies are removed
            - any previously allocated memory is freed
            - a UCT to the 'hello' state is performed.

        hello(2)
            Indicates that the EOU state is in the hello state.

            In this state the device sends a hello
            message to get the association ID of the CTA and
            also to check whether a CTA exists at all. The
            device starts the hello timer and waits until it
            expires; if it does not get a response, it
            retransmits the hello request up to max-retry times
            before it declares the host 'clientless'.

        clientless(3)
            Indicates that the EOU state is in the clientless
            state.

            The state machine enters this state when no hello
            response is received. In this state the device does
            a pseudo-authentication to download the policy
            for non-responsive hosts and stays in this
            state.

        eapRequest(4)
            Indicates that the EOU state is in the EAP request
            state.

            In this state the device sends EAP validate
            requests to the CTA and awaits a response from the
            CTA. It starts the retransmit timeout and, if a
            response is not received before that timer expires,
            it retransmits the EAP request.

        response(5)
            Indicates that the EOU state is in the EAP response
            state.

            The state machine enters this state when a response
            to the EAP validate request is received from the CTA.
            The device then builds a RADIUS request incorporating
            the EAP packet, sends it to the ACS and awaits a
            response from the ACS. If the response from the
            ACS is an Access-Challenge, the port moves to the
            'eapRequest' state. If it is an Access-Accept, the
            port is moved to the 'authenticated' state. If it is
            an Access-Reject, the port is moved to the 'fail'
            state.

        authenticated(6)
            Indicates that the EOU state is in the authenticated
            state.

            In this state policy installation happens and the
            port remains in this state until a revalidation
            event is triggered, either by session timer expiry
            or by a failed status query. Status query generation
            and response reception happen in this state only.

        fail(7)
            Indicates that the EOU state is in the failed state.

            When posture validation fails, the system starts
            the hold timer and the device waits until it expires
            before attempting posture validation again.

        abort(8)
            Indicates that the EOU state is in the abort state.

            The state machine enters this state when posture
            validation could not be completed, due to lack
            of response from the CTA/RADIUS or any other reason.

        aaaFail(9)
            Indicates that the EOU state is in the AAA failed
            state.

            The state machine enters this state when RADIUS
            requests to the AAA server time out, either because
            the server is not reachable or because it is down.

        hold(10)
            Indicates that the EOU state is in the hold state.

            This state represents the quiet or idle state
            for the host. The host is put in the hold state
            on events such as a hello response not being
            received or the AAA server not being reachable.
            The host remains in this state for the EOU hold
            timeout period.

        client(11)
            Indicates that the EOU state is in the client state.

            This state is reached when the host sends a
            response to the EOU hello request from the
            authenticating device. This state indicates the
            presence of a CTA on the host.

        server(12)
            Indicates that the EOU state is in the server state.

            This state indicates that the authenticating
            device is communicating with the AAA (RADIUS)
            server. This state is reached when the host sends
            an EOU response."
    SYNTAX          INTEGER  {
                        initialize(1),
                        hello(2),
                        clientless(3),
                        eapRequest(4),
                        response(5),
                        authenticated(6),
                        fail(7),
                        abort(8),
                        aaaFail(9),
                        hold(10),
                        client(11),
                        server(12)
                    }

CnnEouAuthType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Type of authentication for the NAD.

        clientless(1)
            Endpoint device that does not run Cisco
            Trust Agent.

        eap(2)
            Authorized via Extensible Authentication
            Protocol.

        static(3)
            Statically authorized or rejected individual
            endpoint device.

        unknown(4)
            The authentication type of the endpoint host
            is unknown."
    SYNTAX          INTEGER  {
                        clientless(1),
                        eap(2),
                        static(3),
                        unknown(4)
                    }

CnnEouDeviceType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The supported exempt device type on the NAD.

        ciscoIpPhone(1) - Cisco IP Phone"
    SYNTAX          INTEGER  {
                        ciscoIpPhone(1)
                    }

CnnEouPostureToken ::= TEXTUAL-CONVENTION
    STATUS          deprecated
    DESCRIPTION
        "Posture token representing the endpoint
        device's relative compliance with the network
        compliance policy.

        unknown(1)
            The posture credentials of the endpoint host
            cannot be determined. The integrity of the
            endpoint should be determined so that proper
            posture credentials can be obtained and assessed
            for network access authorization.

        healthy(2)
            The host complies with the currently required
            credentials, so no restrictions need to be
            placed on this device.

        checkup(3)
            The host is within policy but does not have the
            latest AV software; an update is recommended.
            This profile state may be used to signal
            management servers to proactively get this
            machine into the 'healthy' state.

        quarantine(4)
            The host is out of policy and needs to be
            restricted to a remediation network.
            This device is not actively posing a threat to
            other hosts but is susceptible to attack or
            infection and should be updated as soon as
            possible.

        infected(5)
            The host is an active threat to other hosts.
            Network access should be severely restricted
            and placed into remediation, or all network
            access should be denied.

        This TEXTUAL-CONVENTION is deprecated and replaced by
        CnnEouPostureTokenString."
    SYNTAX          INTEGER  {
                        unknown(1),
                        healthy(2),
                        checkup(3),
                        quarantine(4),
                        infected(5)
                    }

CnnEouPostureTokenString ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Posture token representing the endpoint
        device's relative compliance with the network
        compliance policy.

        Valid characters are a-z, A-Z, 0-9, '#', '-', '_',
        and '.'. The posture token string is case sensitive and
        permits the empty string as a value."
    SYNTAX          OCTET STRING (SIZE (0..255))

END
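The three textual conventions above are what a monitoring system sees when it polls a NAD for NAC state: an INTEGER for CnnEouState, and an OCTET STRING for CnnEouPostureTokenString whose syntax is only described in prose. The following Python module is an added example, not part of the Cisco MIB, showing how a collector would decode the CnnEouState values, enforce the character set and 0..255 length constraint of CnnEouPostureTokenString before trusting a polled string, apply the 'response'-state RADIUS transitions the description spells out, and flag hosts whose posture validation did not complete. The SAMPLE_POLL rows and the triage function are constructed for illustration; the MIB defines no such table.

```python
"""Decode and sanity-check values typed by the CISCO-NAC-TC-MIB textual conventions.

Added example; the enum values and the token character set come from the MIB text,
everything else (SAMPLE_POLL, triage) is a constructed illustration.
"""
import enum
import re


class CnnEouState(enum.IntEnum):
    """Named values of the CnnEouState INTEGER syntax."""
    initialize = 1
    hello = 2
    clientless = 3
    eapRequest = 4
    response = 5
    authenticated = 6
    fail = 7
    abort = 8
    aaaFail = 9
    hold = 10
    client = 11
    server = 12


# CnnEouPostureTokenString: 0..255 octets drawn from a-z, A-Z, 0-9, '#', '-', '_', '.'
_TOKEN_RE = re.compile(rb"[A-Za-z0-9#_.-]{0,255}")

# Transitions out of the 'response' state as the TC description states them.
_RADIUS_OUTCOME_TO_STATE = {
    "access-challenge": CnnEouState.eapRequest,
    "access-accept": CnnEouState.authenticated,
    "access-reject": CnnEouState.fail,
}

# States in which posture validation has not produced an authorization decision.
_INCOMPLETE_STATES = {CnnEouState.fail, CnnEouState.abort, CnnEouState.aaaFail}


def decode_state(value):
    """Return the CnnEouState name for a polled INTEGER, or None if it is outside 1..12."""
    try:
        return CnnEouState(value).name
    except ValueError:
        return None


def validate_posture_token(raw):
    """True if raw (bytes) satisfies the CnnEouPostureTokenString syntax (empty string allowed)."""
    return _TOKEN_RE.fullmatch(raw) is not None


def next_state_after_radius(outcome):
    """State the port moves to from 'response' for a given RADIUS outcome (lower-case name)."""
    return _RADIUS_OUTCOME_TO_STATE[outcome.lower()]


# Constructed sample of (ifIndex, CnnEouState value, CnnEouPostureTokenString value);
# not real SNMP data and not a table the MIB defines.
SAMPLE_POLL = [
    (1, 6, b"Healthy"),
    (2, 9, b""),
    (3, 6, b"Quarantine"),
    (4, 3, b"Unknown"),
    (5, 6, b"bad token"),
]


def triage(rows):
    """Return (ifIndex, reason) findings a defender would want to look at."""
    findings = []
    for ifindex, state_value, token in rows:
        state = decode_state(state_value)
        if state is None:
            findings.append((ifindex, "unexpected CnnEouState value %d" % state_value))
            continue
        if not validate_posture_token(token):
            # Reject before logging or displaying: the agent did not honour the TC syntax.
            findings.append((ifindex, "posture token violates CnnEouPostureTokenString syntax"))
        if CnnEouState[state] in _INCOMPLETE_STATES:
            findings.append((ifindex, "posture validation did not complete (%s)" % state))
        if token.lower() in (b"quarantine", b"infected"):
            # Tokens from the deprecated CnnEouPostureToken that mean restricted access.
            findings.append((ifindex, "host restricted: token %s" % token.decode("ascii")))
    return findings


if __name__ == "__main__":
    for ifindex, reason in triage(SAMPLE_POLL):
        print("ifIndex %d: %s" % (ifindex, reason))
```

The token check is deliberately strict: the TC says the string is case sensitive and may be empty, so the regex accepts both, but any octet outside the listed set (the space in row 5) is treated as a malformed value rather than passed on to dashboards or log pipelines.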