-- *********************************************************************
-- CISCO-NAC-TC-MIB.my: Cisco NAC system Textual Conventions
--   
-- May 2006, Liwei Lue
--   
-- Copyright (c) 2006-2007 by Cisco Systems, Inc.
--  
-- All rights reserved.
-- ********************************************************************

CISCO-NAC-TC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    ciscoMgmt
        FROM CISCO-SMI;


ciscoNacTcMIB MODULE-IDENTITY
    LAST-UPDATED    "200605310000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
            "Cisco Systems
            Customer Service

            Postal: 170 W Tasman Drive
            San Jose, CA  95134
            USA

            Tel: +1 800 553-NETS

            E-mail: cs-nac@cisco.com
            cs-lan-switch-snmp@cisco.com"
    DESCRIPTION
        "This module defines the textual conventions for the
        Cisco Network Admission Control (NAC) system.

        The Cisco Network Admission Control security
        solution offers a systems approach to customers for
        ensuring endpoint device compliancy and vulnerability
        checks prior to production access to the network. Cisco
        refers to these compliancy checks as posture
        validations.  The intent of this systems approach is to
        prevent the spread of worms, viruses, and rogue
        applications across the network. This systems approach
        requires integration with third party end point security
        applications, as well as endpoint security servers.

        Terminology used:                

        EOU - Extensible Authentication Protocol over UDP.

        UCT - Unconditional Transition.

        CTA - Cisco Trust Agent.

        EAP - Extensible Authentication Protocol.  An extension
        to PPP.

        ACS/AAA - Cisco Secure Access Control Server.  The
        primary authorization server that is the network policy
        decision point and is extended to support posture
        validation.

        NAD - Network Access Device that enforces network
        access control policies through layer 2 or layer 3
        challenge-responses with a network enabled Endpoint
        device."
    REVISION        "200605310000Z"
    DESCRIPTION
        "The initial version of this MIB module."
          ::= { ciscoMgmt 530 }


-- Definitions of textual conventions

CnnEouState ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Describes the EOU state.

        initialize(1)
            Indicates that the EOU state is in initialization.

            State machine enters this state when a new
            IP has been learned on the port.  Cleanup of the
            port configuration also forces entry into this
            state.  When entering this state, the following
            actions take place:
              - any previously configured policies are removed
              - any previously allocated memory is freed
              - a UCT to the 'hello' state is performed.

        hello(2)
            Indicates that the EOU state is in hello state.

            In this state the device sends a hello
            message to get the association ID of the CTA and
            also to check whether a CTA exists at all.  The
            device starts the hello timer and waits till that
            time and if it doesn't get a response, it
            retransmits the hello requests for max-retry times
            before it declares the host as 'clientless'.

        clientless(3)
            Indicates that the EOU state is in client-less
            state.

            State machine enters this state when no hello
            response is received, and in this state the device does
            a pseudo authentication to download the policy
            for Non-Responsive hosts and stays in this
            state.

        eapRequest(4)
            Indicates that the EOU state is in EAP request
            state.

            In this state, the device sends EAP validate
            requests to the CTA and awaits response from the
            CTA, it starts the retransmit timeout and if
            response is not received before that timer expires,
            it retransmits the EAP requests.

        response(5)
            Indicates that the EOU state is in EAP response
            state.

            State machine enters this state when a response for
            the EAP validate request is received from the CTA.
            Device then builds a RADIUS request incorporating
            the EAP packet and sends it to the ACS and awaits
            response from the ACS.  If the response from the
            ACS is an access challenge, the port moves to the
            'eapRequest' state.  But if it is a success, the port
            is moved to the 'authenticated' state.  If it is an
            Access-Reject, the port is moved to the 'fail' state.

        authenticated(6)
            Indicates that the EOU state is in authenticated
            state.

            In this state policy installation happens and port
            remains in this state until revalidation event is
            triggered because of session timer expiry or when
            status query fails.  Status query generation and
            response reception happens in this state only.

        fail(7)
            Indicates that the EOU state is in failed state.

            When posture validation fails, the system starts the
            hold timer and the device waits until it expires
            before trying posture validation again.

        abort(8)
            Indicates that the EOU state is in abort state.

            State machine enters this state because of
            failing to complete posture validation due to lack
            of response from CTA/RADIUS or any other reason.

        aaaFail(9)
            Indicates that the EOU state is in AAA failed
            state.

            State machine enters this state when RADIUS requests
            to the AAA server time out, either because the server
            is not reachable or is down.

        hold(10)
            Indicates that the EOU state is in hold state.

            This state represents the quiet or idle state
            for the host. The host is put in the hold state
            on events like hello response is not received
            or the AAA server is not reachable.  Host
            remains in this state for the EOU hold
            timeout period.

        client(11)
            Indicates that the EOU state is in client state.

            This state is reached when the host sends a
            response to EOU hello request from the
            authenticating device. This state indicates the
            presence of CTA on the device.

        server(12)
            Indicates that the EOU state is in server state.

            This state represents that the authenticating
            device is communicating with the AAA (RADIUS)
            server. This state is reached when the host sends an
            EOU response."
    SYNTAX          INTEGER  {
                        initialize(1),
                        hello(2),
                        clientless(3),
                        eapRequest(4),
                        response(5),
                        authenticated(6),
                        fail(7),
                        abort(8),
                        aaaFail(9),
                        hold(10),
                        client(11),
                        server(12)
                    }

-- How an endpoint's access was authorized on the NAD.  Note that
-- static(3) covers both statically authorized and statically rejected
-- hosts (see DESCRIPTION), so this value alone does not say whether
-- access was granted; pair it with the session or posture state.
CnnEouAuthType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Type of authentication for NAD.

        clientless(1)
            End point device that does not run Cisco
            Trust Agent.

        eap(2)
            Authorized via Extensible Authentication
            Protocol.

        static(3)
            Statically authorized or rejected individual
            end point device.

        unknown(4)
            The authentication type of the endpoint host
            is unknown."
    SYNTAX          INTEGER  {
                        clientless(1),
                        eap(2),
                        static(3),
                        unknown(4)
                    }

-- Device classes that the NAD may exempt (per DESCRIPTION); only
-- ciscoIpPhone(1) is defined in this version of the module.
CnnEouDeviceType ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The supported exempt device type on NAD.

        ciscoIpPhone(1) - Cisco IP Phone"
    SYNTAX          INTEGER  {
                        ciscoIpPhone(1)
                    }

CnnEouPostureToken ::= TEXTUAL-CONVENTION
    STATUS          deprecated
    DESCRIPTION
        "Posture token which represents the endpoint
        device's relative compliance to the network
        compliance policy.

        unknown(1)
            The posture credentials of the endpoint host
            cannot be determined. The integrity of the
            endpoint should be determined so proper posture
            credentials can be attained and assessed for
            network access authorization.

        healthy(2)
            The host complies with the currently required
            credentials so no restrictions need to be
            placed on this device.

        checkup(3)
            The host is within policy but doesn't have the
            latest AV software; update recommended.
            This profile state may be used to signal
            management servers to proactively get this
            machine into the 'healthy' state.

        quarantine(4)
            The host is out of policy and needs to be
            restricted to a remediation network.
            This device is not actively placing a threat on
            other host but is susceptible to attack or
            infection and should be updated as soon as
            possible.

        infected(5)
            The host is an active threat to other hosts.
            Network access should be severely restricted
            and placed into remediation or totally denied
            all network access.

        This TEXTUAL-CONVENTION is deprecated and replaced by
        CnnEouPostureTokenString."
    SYNTAX          INTEGER  {
                        unknown(1),
                        healthy(2),
                        checkup(3),
                        quarantine(4),
                        infected(5)
                    }

-- String-valued posture token, replacing the deprecated
-- CnnEouPostureToken enumeration above.  The SYNTAX below bounds only
-- the length (0..255 octets); the permitted character set and the case
-- sensitivity are stated in the DESCRIPTION alone and are not enforced
-- by the type (no DISPLAY-HINT, no character constraint), so an agent
-- or manager that stores, compares, or displays this value should
-- validate it against that set rather than rely on the TC to do so.
CnnEouPostureTokenString ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Posture token which representing the endpoint
        device's relative compliance to the network
        compliance policy.

        Valid characters are a-z, A-Z, 0-9, ,'#', '-', '_',
        and '.'.  Posture token string is case sensitive and
        permits the value of empty string."
    SYNTAX          OCTET STRING (SIZE (0..255))

END