CISCO-LWAPP-MFP-MIB

File: CISCO-LWAPP-MFP-MIB.mib (39334 bytes)

Imported modules

SNMPv2-SMI SNMPv2-CONF SNMPv2-TC
CISCO-LWAPP-WLAN-MIB CISCO-LWAPP-AP-MIB CISCO-LWAPP-DOT11-CLIENT-MIB
CISCO-LWAPP-TC-MIB CISCO-SMI

Imported symbols

MODULE-IDENTITY NOTIFICATION-TYPE OBJECT-TYPE
Unsigned32 Gauge32 MODULE-COMPLIANCE
OBJECT-GROUP NOTIFICATION-GROUP TruthValue
TimeInterval MacAddress cLWlanConfigEntry
cLApIfSmtDot11Bssid cLApEntry cLApIfSmtParamEntry
cldcClientMacAddress CLEventFrames CLMfpEventType
CLMfpVersion CLTimeBaseStatus ciscoMgmt

Defined Types

CLMfpWlanConfigEntry  
SEQUENCE    
  cLMfpVersionRequired CLMfpVersion
  cLMfpProtectionEnable TruthValue
  cLMfpClientProtection INTEGER

CLMfpClientEntry  
SEQUENCE    
  cLMfpClientMfpEnabled TruthValue

CLMfpApParamEntry  
SEQUENCE    
  cLMfpApMfpValidationEnable TruthValue
  cLMfpApMfpValidationActual TruthValue

CLMfpApIfSmtCapEntry  
SEQUENCE    
  cLMfpApIfMfpVersionSupported CLMfpVersion
  cLMfpApIfMfpProtectionCapability INTEGER
  cLMfpApIfMfpValidationCapability INTEGER

Defined Values

ciscoLwappMfpMIB 1.3.6.1.4.1.9.9.518
This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Light-weight LWAPP Access Points. This MIB instrumentation provides the parameters used by the controller to control and monitor the behavior of the associated Access Points when following the newly defined Management Frame Protocol. The controller would pass the MFP settings configured by the user through this MIB to the APs through LWAPP messages. The APs then begin to validate and verify the integrity of 802.11 Management frames and report the anomalies found, if any, to the controller. The relationship between CC and the LWAPP APs can be depicted as follows. +......+ +......+ +......+ +......+ + + + + + + + + + CC + + CC + + CC + + CC + + + + + + + + + +......+ +......+ +......+ +......+ .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + AP + + AP + + AP + + AP + + AP + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + MN + + MN + + MN + + MN + + MN + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, which includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. Reference [2] explains in detail about the communication between the controller and APs, while Reference [1] explains the AP-MN communication. To secure the 802.11 management traffic, the controller and the APs perform specific roles. The controller acts as the central entity to generate and distribute signature keys using which the APs generate integrity check values, also known as signatures, for individual management frames. The APs append this signature in the form of an Information Element to the respective management frame to be transmitted. This is needed to isolate those potential rogue APs whose frames may not carry the frame signature. The APs use the signature keys, generated and pushed to them by the controller for each BSSID reported as heard by the APs, to validate the integrity of the the management traffic originating from various 802.11 sources. Any anomalies observed by the APs are reported to the controller. The controller makes the information about such events available for a network management Station in the form of notifications. GLOSSARY Access Point ( AP ) An entity that contains an 802.11 media access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. AP-Authentication With this feature enabled, the Access Points sending radio resource management neighbor packets with different RF network names will be reported as rogues. Basic Service Set Identifier ( BSSID ) The identifier of the Basic Service Set controlled by a single coordination function. The identifier is usually the MAC address of the radio interface that hosts the BSS. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the Central Controller. Management Frame Protection ( MFP ) A proprietary mechanism devised to integrity protect the otherwise unprotected management frames of the 802.11 protocol specification. Message Integrity Check ( MIC ) A checksum computed on a sequence of bytes and made known to the receiving party in a data communication, to let the receiving party make sure the bytes received were not compromised enroute. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Network Management Station ( NMS ) The system through which the network administrator manages the controller and the APs associated to it. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications, ANSI/IEEE Std 802.11, 1999 Edition. [2] Draft-obara-Capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol
MODULE-IDENTITY    

ciscoLwappMfpMIBNotifs 1.3.6.1.4.1.9.9.518.0
OBJECT IDENTIFIER    

ciscoLwappMfpMIBNotifObjects 1.3.6.1.4.1.9.9.518.1
OBJECT IDENTIFIER    

ciscoLwappMfpMIBObjects 1.3.6.1.4.1.9.9.518.2
OBJECT IDENTIFIER    

ciscoLwappMfpMIBConform 1.3.6.1.4.1.9.9.518.3
OBJECT IDENTIFIER    

ciscoLwappMfpConfig 1.3.6.1.4.1.9.9.518.2.1
OBJECT IDENTIFIER    

ciscoLwappMfpStatus 1.3.6.1.4.1.9.9.518.2.2
OBJECT IDENTIFIER    

cLMfpProtectType 1.3.6.1.4.1.9.9.518.2.1.1
The authentication mechanism to be used to secure the WLANs managed through this controller. cLMfpProtectNone - No authentication or protection mechanism is configured on the controller. cLMfpProtectApAuth - AP-authentication is configured as the authentication and protection mechanism on the controller. cLMfpProtectMfp - MFP is configured as the as the authentication and protection mechanism on the controller. The settings configured through cLMfpProtectionEnable and cLMfpApMfpValidationEnable for a WLAN and AP respectively take effect only if this object is set to 'cLMfpProtectMfp'.
OBJECT-TYPE    
  INTEGER cLMfpProtectNone(1), cLMfpProtectApAuth(2), cLMfpProtectMfp(3)  

cLMfpWlanConfigTable 1.3.6.1.4.1.9.9.518.2.1.2
This table provides the configuration needed by the controller to enable management frame protection on a particular WLAN. A controller, when configured, enables the MFP on individual WLANs. When these WLANs that have MFP enabled are applied to the APs, the APs become part of the MFP framework. The APs will receive the signature keys to be used to generate MICs for unicast and broadcast management frames upon joining the controller. With these keys, the APs generate the MIC for individual management frames and append the value as an information element to the respective frames. The creation of a new row in cLWlanConfigTable through an explicit network management action results in creation of an entry in this table. Similarly, deletion of a row in cLWlanConfigTable through user action causes the deletion of corresponding row in this table.
OBJECT-TYPE    
  SEQUENCE OF  
    CLMfpWlanConfigEntry

cLMfpWlanConfigEntry 1.3.6.1.4.1.9.9.518.2.1.2.1
A conceptual row in cLMfpWlanConfigTable and represents the MFP configuration on a particular WLAN.
OBJECT-TYPE    
  CLMfpWlanConfigEntry  

cLMfpVersionRequired 1.3.6.1.4.1.9.9.518.2.1.2.1.2
The version of the Management Frame Protection Protocol required for the MFP framework when the MFP protection is enabled through the cLMfpProtectionEnable object.
OBJECT-TYPE    
  CLMfpVersion  

cLMfpProtectionEnable 1.3.6.1.4.1.9.9.518.2.1.2.1.3
This object specifies whether the MFP protection on this WLAN be enabled or not. A value of 'true' enables management frame protection on the WLAN and 'false' disables management frame protection. Note that MFP is enabled or disabled on a WLAN through the values of 'true' and 'false' only if MFP is configured as the protection mechanism by setting the object cLMfpProtectType to 'cLMfpProtectMfp'. The NMS shall modify the value of this object, but the change made will take effect only if MFP is configured as the protection mechanism on the controller through the cLMfpProtectType object.
OBJECT-TYPE    
  TruthValue  

cLMfpClientProtection 1.3.6.1.4.1.9.9.518.2.1.2.1.4
This object specifies the level of client MFP protection for this WLAN. disabled - client protection is disabled. enabled - client protection is optional. required - client protection is mandatory.
OBJECT-TYPE    
  INTEGER disabled(1), enabled(2), required(3)  

cLMfpClientTable 1.3.6.1.4.1.9.9.518.2.2.5
This table represents the MFP information for 802.11 wireless clients that are associated with the APs that have joined this controller.
OBJECT-TYPE    
  SEQUENCE OF  
    CLMfpClientEntry

cLMfpClientEntry 1.3.6.1.4.1.9.9.518.2.2.5.1
Each entry represents a conceptual row in this table and provides MFP information about the clients associated to the APs that have joined the controller.
OBJECT-TYPE    
  CLMfpClientEntry  

cLMfpClientMfpEnabled 1.3.6.1.4.1.9.9.518.2.2.5.1.1
This object indicates whether MFP protection is enabled for a particular client. A value of 'true' indicates that MFP protection is enabled. A value of 'false' indicates MFP protection is disabled.
OBJECT-TYPE    
  TruthValue  

cLMfpCtrlTimeBaseStatus 1.3.6.1.4.1.9.9.518.2.2.1
The status of synchronization of the MFP-aware LWAPP controller's timebase with that of a central time server.
OBJECT-TYPE    
  CLTimeBaseStatus  

cLMfpApParamTable 1.3.6.1.4.1.9.9.518.2.2.2
This table provides the configuration of MFP related parameters corresponding to a particular AP. A row is added to the table by the agent when a a row is added to cLApTable of CISCO-LWAPP-AP-MIB. Similarly, a row is deleted from this table when the corresponding row is deleted from cLApTable.
OBJECT-TYPE    
  SEQUENCE OF  
    CLMfpApParamEntry

cLMfpApParamEntry 1.3.6.1.4.1.9.9.518.2.2.2.1
A conceptual row in this table and represents the MFP parameters of a particular AP.
OBJECT-TYPE    
  CLMfpApParamEntry  

cLMfpApMfpValidationEnable 1.3.6.1.4.1.9.9.518.2.2.2.1.1
This object specifies whether the AP should validate the management frames received by it in accordance with the MFP version or not. A value of 'true' indicates that the AP should validate all the received management frames accordance with the MFP version supported by the respective dot11 interface on which the frame was received. A value of 'false' indicates that the AP won't validate the received management frames. Note that MFP validation is enabled or disabled on an AP through the values of 'true' and 'false' only if MFP is configured as the protection mechanism by setting the object cLMfpProtectType to 'cLMfpProtectMfp'. The NMS shall modify the value of this object, but the change made will take effect only if MFP is configured as the protection mechanism on the controller through the cLMfpProtectType object.
OBJECT-TYPE    
  TruthValue  

cLMfpApMfpValidationActual 1.3.6.1.4.1.9.9.518.2.2.2.1.2
This object indicates the status of MFP validation being done as reported by the AP in response to the controller's request to perform MFP validation. A value of 'true' indicates that all the management frames received by the AP will be validated in accordance with the MFP version supported by the respective dot11 interface on which the frame was received. A value of 'false' indicates that the management frames received by this AP won't be validated.
OBJECT-TYPE    
  TruthValue  

cLMfpApIfSmtCapTable 1.3.6.1.4.1.9.9.518.2.2.3
This table provides the MFP capabilities on a dot11 radio interface of an AP that has joined this controller. An AP performs the role of protecting and validating management frames on its dot11 interfaces. It protects the management frames transmitted out on a dot11 interface when the signature protection capability is enabled on that interface through the object cLMfpApIfMfpProtectionCapability. Similarly, it validates all the management frames received on a dot11 interface when MFP validation capability is enabled on the AP. A row is added to the table by the agent corresponding to each dot11 interface of an AP, when it adds the row(s) to cLApIfSmtParamTable of CISCO-LWAPP-AP-MIB. The agent deletes the row(s) when it deletes the corresponding rows from cLApIfSmtParamTable.
OBJECT-TYPE    
  SEQUENCE OF  
    CLMfpApIfSmtCapEntry

cLMfpApIfSmtCapEntry 1.3.6.1.4.1.9.9.518.2.2.3.1
A conceptual row in this table and represents the MFP capabilities on the dot11 interface of a particular LWAPP AP.
OBJECT-TYPE    
  CLMfpApIfSmtCapEntry  

cLMfpApIfMfpVersionSupported 1.3.6.1.4.1.9.9.518.2.2.3.1.1
The version of the Management Frame Protection protocol currently supported by this radio interface.
OBJECT-TYPE    
  CLMfpVersion  

cLMfpApIfMfpProtectionCapability 1.3.6.1.4.1.9.9.518.2.2.3.1.2
The management frame protection capability currently exhibited by the dot11 interface. protectCapNone - protection is not supported on this dot11 interface. protectCapNoBeacon - protection is supported for all types of 802.11 management frames except for beacon and probe rsponse frames. protectCapAllFrames - protection is supported for all types of 802.11 management frames.
OBJECT-TYPE    
  INTEGER protectCapNone(1), protectCapNoBeacon(2), protectCapAllFrames(3)  

cLMfpApIfMfpValidationCapability 1.3.6.1.4.1.9.9.518.2.2.3.1.3
The management frame validation capability currently exhibited by this dot11 interface. validateCapNone - The MFP validation is not done by this dot11 interface. validateCapAllFrames - The MFP validation is supported on ths dot11 interface for all types of 802.11 management frames.
OBJECT-TYPE    
  INTEGER validateCapNone(1), validateCapAllFrames(2)  

cLMfpCtrlNotifEnable 1.3.6.1.4.1.9.9.518.2.2.4
The object to control the generation of notifications defined in this MIB. A value of 'true' indicates that the agent generates the notifications defined in this MIB. A value of 'false' indicates that the agent doesn't generate the notifications.
OBJECT-TYPE    
  TruthValue  

cLApMacAddress 1.3.6.1.4.1.9.9.518.1.1
This object specifies the radio MAC address of a LWAPP AP.
OBJECT-TYPE    
  MacAddress  

cLApDot11IfSlotIdx 1.3.6.1.4.1.9.9.518.1.2
This object specifies the slotId of the dot11 interface.
OBJECT-TYPE    
  Unsigned32 0..2  

cLWlanIdx 1.3.6.1.4.1.9.9.518.1.3
This object indicates the identifier for a WLAN.
OBJECT-TYPE    
  Unsigned32  

cLMfpApIfMfpProtectionActual 1.3.6.1.4.1.9.9.518.1.4
The actual protection configuration for a specific WLAN as applicable to a dot11 interface of a specific AP.
OBJECT-TYPE    
  TruthValue  

cLMfpEventType 1.3.6.1.4.1.9.9.518.1.5
The type of the MFP anomaly event.
OBJECT-TYPE    
  CLMfpEventType  

cLMfpEventTotal 1.3.6.1.4.1.9.9.518.1.6
The number of MFP anomaly events detected in the prior period indicated by cLMfpEventPeriod. cLMfpEventType indicates the type of the anomaly event.
OBJECT-TYPE    
  Gauge32  

cLMfpEventPeriod 1.3.6.1.4.1.9.9.518.1.7
The time period, in hundredths of a second, in which the reported number of events are detected. This is the time interval at which the controller periodically checks for the anomaly events to be reported to the NMS through the ciscoLwappMfpAnomalyDetected notification.
OBJECT-TYPE    
  TimeInterval  

cLMfpEventFrames 1.3.6.1.4.1.9.9.518.1.8
This object indicates which type of 802.11 management frames contain anomalies of type cLMfpEventType. When the controller detects anomalies using the MFP validation test it will generate the ciscoLwappMfpAnomalyDetected notification.
OBJECT-TYPE    
  CLEventFrames  

cLClientLastSourceMacAddress 1.3.6.1.4.1.9.9.518.1.10
This object represents the MAC address of the client that is responsible for the most recent event related to a wireless client. This information is useful to identify the rogue client that has staged the most recent attack on the wireless network.
OBJECT-TYPE    
  MacAddress  

ciscoLwappMfpProtectConfigMismatch 1.3.6.1.4.1.9.9.518.0.1
This notification is sent by the agent when the controller detects that the AP couldn't apply the protection configuration to the specific radio interface for the specified WLAN. The controller detects the mismatch by matching the MFP configuration requested to be applied with the configuration returned in the acknowledgement as having been applied to the radio interface. The controller also generates this notification to indicate that configuration mismatch is cleared when the values of cLMfpProtectionEnable and cLMfpApIfMfpProtectionActual are found to be the same. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.
NOTIFICATION-TYPE    

ciscoLwappMfpValidationConfigMismatch 1.3.6.1.4.1.9.9.518.0.2
This notification is sent by the agent when the controller detects that the AP couldn't configure itself with the MFP signature validation configuration. The controller detects the mismatch by matching the MFP configuration requested to be applied with the configuration returned in the acknowledgement as having been configured by the AP. The controller also generates this notification to indicate that configuration mismatch is cleared when the values of cLMfpApMfpValidationEnable and cLMfpApMfpValidationActual are found to be the same. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.
NOTIFICATION-TYPE    

ciscoLwappMfpTimebaseStatus 1.3.6.1.4.1.9.9.518.0.3
This notification is sent by the agent to indicate the controller's status of synchronization of its timebase with that of a central timebase. The notification is sent once after the controller comes up and thereafter, it is sent everytime the status changes.
NOTIFICATION-TYPE    

ciscoLwappMfpAnomalyDetected 1.3.6.1.4.1.9.9.518.0.4
This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the AP cLApMacAddress. The violation is indicated by cLMfpEventType. Through this notification, the controller reports the NMS the occurrence of a total of cLMfpEventTotal volation events, of type cLMfpEventType, upon observing the management frame(s) indicated by cLMfpEventFrames for the last cLMfpEventPeriod time units. When cLMfpEventTotal is 0, it indicates that no further anomalies have recently been detected and that the NMS should clear any alarm raised about the MFP errors. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.
NOTIFICATION-TYPE    

ciscoLwappMfpAnomalyDetected1 1.3.6.1.4.1.9.9.518.0.5
This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the AP cLApMacAddress. The violation is indicated by cLMfpEventType. Through this notification, the controller reports the NMS the occurrence of a total of cLMfpEventTotal volation events, of type cLMfpEventType, upon observing the management frame(s) indicated by cLMfpEventFrames for the last cLMfpEventPeriod time units. When cLMfpEventTotal is 0, it indicates that no further anomalies have recently been detected and that the NMS should clear any alarm raised about the MFP errors. cLClientLastSourceMacAddress is used only when the controller generates notifications about client-related attacks. The controller will populate zeros as the value for cLClientLastSourceMacAddress when reporting anomalies sourced by infrastructure devices. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.
NOTIFICATION-TYPE    

ciscoLwappMfpMIBCompliances 1.3.6.1.4.1.9.9.518.3.1
OBJECT IDENTIFIER    

ciscoLwappMfpMIBGroups 1.3.6.1.4.1.9.9.518.3.2
OBJECT IDENTIFIER    

ciscoLwappMfpMIBCompliance 1.3.6.1.4.1.9.9.518.3.1.1
The compliance statement for the SNMP entities that implement the ciscoLwappMfpMIB module.
MODULE-COMPLIANCE    

ciscoLwappMfpMIBComplianceRev1 1.3.6.1.4.1.9.9.518.3.1.2
The compliance statement for the SNMP entities that implement the ciscoLwappMfpMIB module.
MODULE-COMPLIANCE    

ciscoLwappMfpConfigGroup 1.3.6.1.4.1.9.9.518.3.2.1
This collection of objects represent the global and WLAN-specific protection capabilities on the controller.
OBJECT-GROUP    

ciscoLwappMfpStatusGroup 1.3.6.1.4.1.9.9.518.3.2.2
This collection of objects provides the information about the MFP signature protection capabilities as observed on the dot11 interfaces of the LWAPP APs.
OBJECT-GROUP    

ciscoLwappMfpNotifObjsGroup 1.3.6.1.4.1.9.9.518.3.2.3
This collection of objects represent the information carried by the MFP related notifications sent by the agent to a network management station.
OBJECT-GROUP    

ciscoLwappMfpNotifsGroup 1.3.6.1.4.1.9.9.518.3.2.4
This collection of objects represent the MFP related notifications sent by the agent to a network management station.
NOTIFICATION-GROUP    

ciscoLwappMfpConfigSup1Group 1.3.6.1.4.1.9.9.518.3.2.5
This collection of objects represent the configuration for client protection on the controller.
OBJECT-GROUP    

ciscoLwappMfpStatusSup1Group 1.3.6.1.4.1.9.9.518.3.2.6
This collection of objects represent the status of client protection on the controller.
OBJECT-GROUP    

ciscoLwappMfpNotifObjsSup1Group 1.3.6.1.4.1.9.9.518.3.2.7
This collection of objects represent the client related information in the MFP notifications generated by the controller.
OBJECT-GROUP    

ciscoLwappMfpNotifsNewGroup 1.3.6.1.4.1.9.9.518.3.2.8
This collection of objects represent the MFP related notifications sent by the agent to a network management station.
NOTIFICATION-GROUP