| author | David Leutgeb <david.leutgeb@mannundmouse.com> | 2023-12-05 12:25:34 +0100 |
|---|---|---|
| committer | David Leutgeb <david.leutgeb@mannundmouse.com> | 2023-12-05 12:25:34 +0100 |
| commit | 98a672123c7872f6b9b75a9a2b6bb3aea504de6a (patch) | |
| tree | 9b13bd7f563c3198047bd359195327cf28b3caf0 /MIBS/cisco/CISCO-NAC-TC-MIB | |
| download | mibs-98a672123c7872f6b9b75a9a2b6bb3aea504de6a.tar.gz mibs-98a672123c7872f6b9b75a9a2b6bb3aea504de6a.zip | |
Diffstat (limited to 'MIBS/cisco/CISCO-NAC-TC-MIB')
| -rw-r--r-- | MIBS/cisco/CISCO-NAC-TC-MIB | 313 |
1 files changed, 313 insertions, 0 deletions
diff --git a/MIBS/cisco/CISCO-NAC-TC-MIB b/MIBS/cisco/CISCO-NAC-TC-MIB new file mode 100644 index 0000000..8a2f67f --- /dev/null +++ b/MIBS/cisco/CISCO-NAC-TC-MIB 
@@ -0,0 +1,313 @@ +-- ********************************************************************* +-- CISCO-NAC-TC-MIB.my: Cisco NAC system Textual Conventions +-- +-- May 2006, Liwei Lue +-- +-- Copyright (c) 2006-2007 by Cisco Systems, Inc. +-- +-- All rights reserved. +-- ******************************************************************** + +CISCO-NAC-TC-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY + FROM SNMPv2-SMI + TEXTUAL-CONVENTION + FROM SNMPv2-TC + ciscoMgmt + FROM CISCO-SMI; + + +ciscoNacTcMIB MODULE-IDENTITY + LAST-UPDATED "200605310000Z" + ORGANIZATION "Cisco Systems, Inc." + CONTACT-INFO + "Cisco Systems + Customer Service + + Postal: 170 W Tasman Drive + San Jose, CA 95134 + USA + + Tel: +1 800 553-NETS + + E-mail: cs-nac@cisco.com + cs-lan-switch-snmp@cisco.com" + DESCRIPTION + "This module defines the textual conventions for + Cisco Network Admission Control(NAC) system. + + The Cisco Network Admission Control security + solution offers a systems approach to customers for + ensuring endpoint device compliancy and vulnerability + checks prior to production access to the network. Cisco + refers to these compliancy checks as posture + validations. The intent of this systems approach is to + prevent the spread of works, viruses, and rogue + applications across the network. This systems approach + requires integration with third party end point security + applications, as well as endpoint security servers. + + Terminology used: + + EOU - Extensible Authentication Protocol over UDP. + + UCT - Un Conditional Transition. + + CTA - Cisco Trust Agent. + + EAP - Extensible Authentication Protocol. An extension + to PPP. + + ACS/AAA - Cisco Secure Access Control Server. The + primary authorization server that is the network policy + decision point and is extended to support posture + validation. 
+ + NAD - Network Access Device that enforces network + access control policies through layer 2 or layer 3 + challenge-responses with a network enabled Endpoint + device." + REVISION "200605310000Z" + DESCRIPTION + "The initial version of this MIB module." + ::= { ciscoMgmt 530 } + + +-- Definitions of textual convention + +CnnEouState ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Describes the EOU state. + + initialize(1) + Indicates that the EOU state is in initialization. + + State machine enters this state when a new + IP has been learned on the port. Cleanup of the + port configuration also force entering this + state. When entering this state, the followings + action take place: + - any previously configured policy are removed + - frees up any previously allocated memory + - does a UCT to 'hello' state. + + hello(2) + Indicates that the EOU state is in hello state. + + In this state the device sends a hello + message to get the association ID of the CTA and + also to check whether a CTA exists at all. The + device starts the hello timer and waits till that + time and if it doesn't get a response, it + retransmits the hello requests for max-retry times + before it declares the host as 'clientless'. + + clientless(3) + Indicates that the EOU state is in client-less + state. + + State machine enters this state when hello response + is not reached and in this state the device does + a pseudo authentication to download the policy + for Non-Responsive hosts and stays in this + state. + + eapRequest(4) + Indicates that the EOU state is in EAP request + state. + + In this state, the device sends EAP validate + requests to the CTA and awaits response from the + CTA, it starts the retransmit timeout and if + response is not received before that timer expires, + it retransmits the EAP requests. + + response(5) + Indicates that the EOU state is in EAP response + state. 
+ + State machine enters this state when a response for + the EAP validate request is received from the CTA. + Device then builds a RADIUS request incorporating + the EAP packet and sends it to the ACS and awaits + response from the ACS. If the response from the + ACS is an access challenge it moves the port the + 'eapRequest' state. But if it's a success, port + is moved to 'authenticated' state. If its Access- + Reject, port is moved to 'fail' state. + + authenticated(6) + Indicates that the EOU state is in authenticated + state. + + In this state policy installation happens and port + remains in this state until revalidation event is + triggered because of session timer expiry or when + status query fails. Status query generation and + response reception happens in this state only. + + fail(7) + Indicates that the EOU state is in failed state. + + When posture validation fails, system start the + hold timer and device waits till it expires + before trying for posture validation again. + + abort(8) + Indicates that the EOU state is in abort state. + + State machine enters this state because of + failing to complete posture validation due to lack + of response from CTA/RADIUS or any other reason. + + aaaFail(9) + Indicates that the EOU state is in AAA failed + state. + + State machine enters this state when RADIUS requests + to AAA server timeouts either due to the server not + being reachable or is down. + + hold(10) + Indicates that the EOU state is in hold state. + + This state represents the quiet or idle state + for the host. The host is put in the hold state + on events like hello response is not received + or the AAA server is not reachable. Host + remains in this state for hold the EOU hold + timeout period. + + client(11) + Indicates that the EOU state is in client state. + + This state is reached when the host sends a + response to EOU hello request from the + authenticating device. This state indicates the + presence of CTA on the device. 
+ + server(12) + Indicates that the EOU state is in server state. + + This state represents that the authenticating + device is communicating with the AAA (RADIUS) + server. This state is reached when host send an + EOU response." + SYNTAX INTEGER { + initialize(1), + hello(2), + clientless(3), + eapRequest(4), + response(5), + authenticated(6), + fail(7), + abort(8), + aaaFail(9), + hold(10), + client(11), + server(12) + } + +CnnEouAuthType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Type of authentication for NAD. + + clientless(1) + End point device that does not run Cisco + Trust Agent. + + eap(2) + Authorized via Extensible Authentication + Protocol. + + static(3) + Statically authorized or rejected individual + end point device. + + unknown(4) + The authentication type of the endpoint host + is unknown." + SYNTAX INTEGER { + clientless(1), + eap(2), + static(3), + unknown(4) + } + +CnnEouDeviceType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The supported exempt device type on NAD. + + ciscoIpPhone(1) - Cisco IP Phone" + SYNTAX INTEGER { + ciscoIpPhone(1) + } + +CnnEouPostureToken ::= TEXTUAL-CONVENTION + STATUS deprecated + DESCRIPTION + "Posture token which representing the endpoint + device's relative compliance to the network + compliance policy. + + unknown(1) + The posture credentials of the endpoint host + cannot be determined. The integrity of the + endpoint should be determined so proper posture + credentials can be attained and assessed for + network access authorization. + + healthy(2) + The host complies with the currently required + credentials so no restrictions need to be + placed on this device. + + checkup(3) + The host is within policy but doesn't have the + latest AV software; update recommended. + This profile state may be used to signal + management servers to proactively get this + machine into the 'healthy' state. 
+ + quarantine(4) + The host is out of policy and needs to be + restricted to a remediation network. + This device is not actively placing a threat on + other host but is susceptible to attack or + infection and should be updated as soon as + possible. + + infected(5) + The host is an active threat to other hosts. + Network access should be severely restricted + and placed into remediation or totally denied + all network access. + + This TEXTUAL-CONVENTION is deprecated and replaced by + CnnEouPostureTokenString." + SYNTAX INTEGER { + unknown(1), + healthy(2), + checkup(3), + quarantine(4), + infected(5) + } + +CnnEouPostureTokenString ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Posture token which representing the endpoint + device's relative compliance to the network + compliance policy. + + Valid characters are a-z, A-Z, 0-9, ,'#', '-', '_', + and '.'. Posture token string is case sensitive and + permits the value of empty string." + SYNTAX OCTET STRING (SIZE (0..255)) + +END |