CnnEouAuthDeviceTypeEntry | SEQUENCE
cnnEouAuthDeviceType | CnnEouDeviceType
cnnEouAuthDeviceTypeStorageType | StorageType
cnnEouAuthDeviceTypeRowStatus | RowStatus

CnnEouIfConfigEntry | SEQUENCE
cnnEouIfAdminStatus | INTEGER
cnnEouIfMaxRetry | Integer32
cnnEouIfValidateAction | INTEGER
cnnEouIfTimeoutGlobalConfig | BITS
cnnEouIfTimeoutAAA | Unsigned32
cnnEouIfTimeoutHoldPeriod | Unsigned32
cnnEouIfTimeoutRetransmit | Unsigned32
cnnEouIfTimeoutRevalidation | Unsigned32
cnnEouIfTimeoutStatusQuery | Unsigned32
cnnEouIfAaaFailPolicy | CpgPolicyNameOrEmpty
cnnEouIfAllowClientless | TruthValue
cnnEouIfAllowIpStationId | TruthValue

CnnEouHostQueryEntry | SEQUENCE
cnnEouHostQueryIndex | Unsigned32
cnnEouHostQueryMask | INTEGER
cnnEouHostQueryInterface | InterfaceIndexOrZero
cnnEouHostQueryIpAddrType | InetAddressType
cnnEouHostQueryIpAddr | InetAddress
cnnEouHostQueryMacAddr | MacAddress
cnnEouHostQueryPostureToken | CnnEouPostureToken
cnnEouHostQuerySkipNHosts | Unsigned32
cnnEouHostQueryMaxResultRows | Unsigned32
cnnEouHostQueryTotalHosts | Integer32
cnnEouHostQueryRows | Integer32
cnnEouHostQueryCreateTime | TimeStamp
cnnEouHostQueryStatus | RowStatus
cnnEouHostQueryPostureTokenStr | CnnEouPostureTokenString

CnnEouHostResultEntry | SEQUENCE
cnnEouHostResultIndex | Unsigned32
cnnEouHostResultAssocIf | InterfaceIndex
cnnEouHostResultIpAddrType | InetAddressType
cnnEouHostResultIpAddr | InetAddress
cnnEouHostResultMacAddr | MacAddress
cnnEouHostResultAuthType | CnnEouAuthType
cnnEouHostResultPostureToken | CnnEouPostureToken
cnnEouHostResultAge | Unsigned32
cnnEouHostResultUrlRedir | CiscoURLString
cnnEouHostResultAclName | SnmpAdminString
cnnEouHostResultStatusQryPeriod | Unsigned32
cnnEouHostResultRevalidatePeriod | Unsigned32
cnnEouHostResultState | CnnEouState
cnnEouHostResultPostureTokenStr | CnnEouPostureTokenString
cnnEouHostResultUrlRedirectAcl | SnmpAdminString
cnnEouHostResultTagName | SnmpAdminString
cnnEouHostResultAuditSessionId | SnmpAdminString
cnnEouHostResultAaaFailPolicy | SnmpAdminString

ciscoNacNadMIB | 1.3.6.1.4.1.9.9.484 | MODULE-IDENTITY
This MIB module is for the configuration of a Network Access Device (NAD) on the Cisco Network Admission Control (NAC) system.

EndPoint -------------- NAD ------- AAA ------ PVS
(SecurApp)   EAPoUDP/802.1x   RADIUS   HCAP
(Plugin)
(PA)
                 Cisco NAC system

The Cisco Network Admission Control (NAC) security solution offers a systems approach to customers for ensuring endpoint device compliance and vulnerability checks prior to production access to the network. Cisco refers to these compliance checks as posture validations. The intent of this systems approach is to prevent the spread of worms, viruses, and rogue applications across the network. This systems approach requires integration with third-party endpoint security applications, as well as endpoint security servers.

The Network Access Device (NAD) enforces network access control privileges by controlling which endpoint devices have access to network destinations and services reachable through that NAD. Endpoint devices that do not have the PA installed or enabled, or that cannot otherwise respond to the NAD posture challenges, are considered non-responsive hosts. Upon recognition of an incoming endpoint device at L2 or L3, the NAD issues a challenge to the endpoint device for posture credentials. Endpoint devices with a PA will recognize the challenge and respond with the necessary posture credentials. The NAD acts as a relay agent between the endpoint device and the AAA server for all messages in the posture validation exchange. Once the validation is complete, the NAD enforces the access policy profile downloaded from the AAA server, e.g. (i) provide full access, (ii) deny all access through the NAD or restrict access (quarantine), or (iii) some intermediate level of network access restriction or quarantine. Between posture revalidations, the NAD may issue periodic status queries to determine that each endpoint device using the NAD is still the same device that was first postured, and that the endpoint device's posture credentials have not changed. This mechanism is a challenge-response protocol that does not involve the AAA server, nor does it require the posture plugins to resend any credentials. It is used to trigger a full posture revalidation with the AAA server when the endpoint device's credentials have changed (e.g. to revalidate the host endpoint device after remediation), or when a new host endpoint device connects with a previously authorized IP address. The NAD supports a local exception list based on IP address, MAC address or device type so that certain endpoint devices can bypass the posture validation process based on system administrator configuration. Also, the NAD may be configured to query the AAA server for access policies associated with endpoint devices that do not have a Posture Agent installed (clientless host endpoint devices).

Posture validation occurs when a NAC-enabled network access device (NAD) detects an endpoint device attempting to connect to or use its network resources and issues the endpoint device a posture challenge. An endpoint device with a resident posture agent will respond to the challenge with sets of posture credentials from one or more posture plugins, which can detail the state of the various hardware and software components on the endpoint device. The posture agent response is forwarded by the network access device to an AAA server, which may in turn delegate parts of the decision to a posture validation server. Evaluation of the credentials against posture validation policies results in an authorization decision or posture token, representing the endpoint device's relative compliance with the network compliance policy. The AAA server then sends the respective network access profile to the network access device for enforcement of the endpoint device authorization.

The Cisco technology consists of the following:
Endpoint Device - Any host attempting to connect to or use the resources of a network, e.g. a personal computer, personal digital assistant, data server, or other network-attached device.
NAD - Network Access Device that enforces network access control policies through layer 2 or layer 3 challenge-responses with a network-enabled endpoint device.
PC - Posture Credentials that describe the state of an application and/or operating system that is running on an endpoint device at the time a layer 2 or layer 3 challenge-response is issued by a NAD.
PP - Posture Plugin. A module implemented by an application or agent provider that is responsible for supplying the relevant posture credentials for the application or agent.
PA - Posture Agent. Host agent software that serves as a broker on the host for aggregating credentials from potentially multiple posture plugins and communicating with the network.
CTA - Cisco Trust Agent. Cisco's implementation of the posture agent.
EAP - Extensible Authentication Protocol. An extension to PPP.
EOU - Extensible Authentication Protocol over UDP.
ACS/AAA - Cisco Secure Access Control Server. The primary authorization server that is the network policy decision point and is extended to support posture validation.
PVS - Posture Validation Server.
UCT - Unconditional Transition.
Clientless - Client without the Cisco Posture Agent.
Tag - A Tag is a policy specifier which is mapped to a policy template based on specific rules. The Tag allows network administrators to define enforcement policies on the local device and have a RADIUS server specify the policy template to be enforced.

cnnEouIfIpDevTrackConfigEntry | 1.3.6.1.4.1.9.9.484.1.5.4.1 | OBJECT-TYPE
Syntax: CnnEouIfIpDevTrackConfigEntry | Status: current | Access: not-accessible
A set of EOU IP Device Tracking configuration information on an EOU interface.

cnnEouAuthIpEntry | 1.3.6.1.4.1.9.9.484.1.2.1.1 | OBJECT-TYPE
Syntax: CnnEouAuthIpEntry | Status: current | Access: not-accessible
An entry containing the associated policy information of a statically authorized IP device. An entry can be created or deleted by using cnnEouAuthIpRowStatus.
Each statically authorized IP device is associated with a policy. By creating, deleting or modifying an entry in this table, users can add, delete or modify the policy for a particular statically authorized IP device.
In order to add a statically authorized IP device to the exception list and associate it with a specific policy, the user has to create an entry for the device.

cnnEouAuthMacEntry | 1.3.6.1.4.1.9.9.484.1.2.2.1 | OBJECT-TYPE
Syntax: CnnEouAuthMacEntry | Status: current | Access: not-accessible
An entry containing the associated policy information of the statically authorized device identified by MAC address. The entry is created and deleted by using cnnEouAuthMacRowStatus.

cnnEouAuthDeviceTypeEntry | 1.3.6.1.4.1.9.9.484.1.2.3.1 | OBJECT-TYPE
Syntax: CnnEouAuthDeviceTypeEntry | Status: current | Access: not-accessible
An entry containing the information of the statically authorized device, indexed by device type.

cnnEouIfConfigEntry | 1.3.6.1.4.1.9.9.484.1.3.1.1 | OBJECT-TYPE
Syntax: CnnEouIfConfigEntry | Status: current | Access: not-accessible
An entry containing the EOU configuration information for a particular EOU-capable interface.

cnnEouIfTimeoutGlobalConfig | 1.3.6.1.4.1.9.9.484.1.3.1.1.4 | OBJECT-TYPE
Syntax: BITS | Status: current | Access: read-write
This object indicates whether the timeout configurations on this interface are based on the corresponding global timeout configurations or not.
aaa(0) - If this bit is set, the value of cnnEouIfTimeoutAAA is based on the value of cnnEouTimeoutAAA.
holdPeriod(1) - If this bit is set, the value of cnnEouIfTimeoutHoldPeriod is based on the value of cnnEouTimeoutHoldPeriod.
retransmit(2) - If this bit is set, the value of cnnEouIfTimeoutRetransmit is based on the value of cnnEouTimeoutRetransmit.
revalidation(3) - If this bit is set, the value of cnnEouIfTimeoutRevalidation is based on the value of cnnEouTimeoutRevalidation.
statusQuery(4) - If this bit is set, the value of cnnEouIfTimeoutStatusQuery is based on the value of cnnEouTimeoutStatusQuery.
maxRetry(5) - If this bit is set, the value of cnnEouIfMaxRetry is based on the value of cnnEouMaxRetry.
clientless(6) - If this bit is set, the value of cnnEouIfAllowClientless is based on the value of cnnEouAllowClientless.
ipStationId(7) - If this bit is set, the value of cnnEouIfAllowIpStationId is based on the value of cnnEouAllowIpStationId.
If a bit is not set, the value of the corresponding object in the same conceptual row is not based on its corresponding global object.
If a user configures an object which is covered by cnnEouIfTimeoutGlobalConfig in the same conceptual row while the corresponding bit is set, that bit will be unset in order to reflect that such configuration is not from its corresponding global object.
BITS: aaa(0), holdPeriod(1), retransmit(2), revalidation(3), statusQuery(4), maxRetry(5), clientless(6), ipStationId(7)
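As an added example, not taken from this MIB page or from Cisco's code, the following Python decodes the BITS value of cnnEouIfTimeoutGlobalConfig (SMIv2 bit 0 is the most significant bit of the first octet, a common decoding mistake), resolves which value is actually in force on an interface, and models the rule that writing a covered row object clears its bit. The interface-row and global-object values are constructed sample data, not Cisco defaults.

```python
# Bit positions as enumerated in the MIB: aaa(0) ... ipStationId(7).
# Each bit names the per-interface object it covers and the global
# object that supplies the value while the bit is set.
GLOBAL_CONFIG_BITS = {
    0: ("cnnEouIfTimeoutAAA", "cnnEouTimeoutAAA"),
    1: ("cnnEouIfTimeoutHoldPeriod", "cnnEouTimeoutHoldPeriod"),
    2: ("cnnEouIfTimeoutRetransmit", "cnnEouTimeoutRetransmit"),
    3: ("cnnEouIfTimeoutRevalidation", "cnnEouTimeoutRevalidation"),
    4: ("cnnEouIfTimeoutStatusQuery", "cnnEouTimeoutStatusQuery"),
    5: ("cnnEouIfMaxRetry", "cnnEouMaxRetry"),
    6: ("cnnEouIfAllowClientless", "cnnEouAllowClientless"),
    7: ("cnnEouIfAllowIpStationId", "cnnEouAllowIpStationId"),
}

# Constructed sample values (not Cisco defaults): the row's own
# revalidation and statusQuery values differ from the global ones so
# the effect of the bits is visible.
GLOBAL_ROW = {"cnnEouTimeoutAAA": 60, "cnnEouTimeoutHoldPeriod": 180,
              "cnnEouTimeoutRetransmit": 3, "cnnEouTimeoutRevalidation": 36000,
              "cnnEouTimeoutStatusQuery": 300, "cnnEouMaxRetry": 3,
              "cnnEouAllowClientless": False, "cnnEouAllowIpStationId": False}
IF_ROW = {"cnnEouIfTimeoutAAA": 60, "cnnEouIfTimeoutHoldPeriod": 180,
          "cnnEouIfTimeoutRetransmit": 3, "cnnEouIfTimeoutRevalidation": 1800,
          "cnnEouIfTimeoutStatusQuery": 30, "cnnEouIfMaxRetry": 3,
          "cnnEouIfAllowClientless": False, "cnnEouIfAllowIpStationId": False}

def bits_set(octets: bytes) -> set:
    """Decode an SNMP BITS value: bit 0 is the MSB (0x80) of the first
    octet, bit 8 the MSB of the second, and so on."""
    return {i * 8 + b for i, octet in enumerate(octets)
            for b in range(8) if octet & (0x80 >> b)}

def encode_bits(bits: set) -> bytes:
    """Inverse of bits_set for the eight bits this object defines."""
    value = 0
    for b in bits:
        value |= 0x80 >> b
    return bytes([value])

def effective_config(global_bits: bytes, if_row: dict, global_row: dict) -> dict:
    """Values in force on the interface: where a bit is set the global
    object is the source, otherwise the row's own object is."""
    on = bits_set(global_bits)
    return {if_obj: (global_row[g_obj] if bit in on else if_row[if_obj])
            for bit, (if_obj, g_obj) in GLOBAL_CONFIG_BITS.items()}

def set_interface_object(global_bits: bytes, if_row: dict, obj: str, value) -> bytes:
    """Model the MIB's write rule: configuring a covered object in the
    row clears its bit, so the row stops tracking the global object.
    Returns the new cnnEouIfTimeoutGlobalConfig value."""
    if_row[obj] = value
    on = bits_set(global_bits)
    for bit, (if_obj, _) in GLOBAL_CONFIG_BITS.items():
        if if_obj == obj:
            on.discard(bit)
    return encode_bits(on)
```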
|
cnnEouHostValidateAction | 1.3.6.1.4.1.9.9.484.1.4.1 | OBJECT-TYPE
Syntax: INTEGER | Status: current | Access: read-write
An EOU validate action applied to the devices.
Initialize: When a device is initialized, all previous state information about that host is deleted and the admission control process for that host will start with no state.
Revalidate: When a host is revalidated, state information about that host is retained so that the host still has its normal access during the revalidation process.
This object always has the value 'none' when read.
none(1) - no operation is performed.
initializeAll(2) - manually initiates reauthentication of all endpoint devices on the system.
initializeAuthClientless(3) - manually initiates reauthentication of all clientless endpoint devices.
initializeAuthEap(4) - manually initiates reauthentication of all the endpoint devices authorized by the Extensible Authentication Protocol.
initializeAuthStatic(5) - manually initiates reauthentication of all the statically authorized endpoint devices.
initializeIp(6) - manually initiates reauthentication of a specific IP device. The values in cnnEouHostValidateIpAddrType and cnnEouHostValidateIpAddr are used by this operation.
initializeMac(7) - manually initiates reauthentication of the endpoint device identified by MAC address. The value in cnnEouHostValidateMacAddr is used by this operation.
initializePostureToken(8) - manually initiates reauthentication of the endpoint device(s) with the specified posture token assigned. The value in cnnEouHostValidatePostureToken is used by this operation. This enumerated integer is deprecated and replaced by initializePostureTokenStr.
revalidateAll(9) - revalidates EOU posture credentials of all devices on the system.
revalidateAuthClientless(10) - revalidates EOU posture credentials of all clientless devices on the system.
revalidateAuthEap(11) - revalidates EOU posture credentials of the devices authorized by EAP on the system.
revalidateAuthStatic(12) - revalidates EOU posture credentials of all statically authorized devices on the system.
revalidateIp(13) - revalidates EOU posture credentials of a specific IP device. The values in cnnEouHostValidateIpAddrType and cnnEouHostValidateIpAddr are used by this operation.
revalidateMac(14) - revalidates EOU posture credentials of a specific device identified by MAC address. The value in cnnEouHostValidateMacAddr is used by this operation.
revalidatePostureToken(15) - enables revalidation of EOU posture credentials of the devices with the specified posture token assigned. The value in cnnEouHostValidatePostureToken is used by this operation. This enumerated integer is deprecated and replaced by revalidatePostureTokenStr.
noRevalidateAll(16) - disables revalidation of all devices on the system.
noRevalidateAuthClientless(17) - disables the revalidation of all clientless devices on the system.
noRevalidateAuthEap(18) - disables the revalidation of all devices authorized by EAP on the system.
noRevalidateAuthStatic(19) - disables the revalidation of all statically authorized devices on the system.
noRevalidateIp(20) - disables the revalidation of the specific IP device. The values in cnnEouHostValidateIpAddrType and cnnEouHostValidateIpAddr are used by this operation.
noRevalidateMac(21) - disables the revalidation of the specific device identified by MAC address. The value in cnnEouHostValidateMacAddr is used by this operation.
noRevalidatePostureToken(22) - disables the revalidation of all devices with the specified posture token assigned. The value in cnnEouHostValidatePostureToken is used by this operation. This enumerated integer is deprecated and replaced by noRevalidatePostureTokenStr.
initializePostureTokenStr(23) - manually initiates reauthentication of the endpoint device(s) with the specified posture token assigned. The value in cnnEouHostValidatePostureTokenStr is used by this operation.
revalidatePostureTokenStr(24) - enables revalidation of EOU posture credentials of the devices with the specified posture token assigned. The value in cnnEouHostValidatePostureTokenStr is used by this operation.
noRevalidatePostureTokenStr(25) - disables the revalidation of all devices with the specified posture token assigned. The value in cnnEouHostValidatePostureTokenStr is used by this operation.
INTEGER: none(1), initializeAll(2), initializeAuthClientless(3), initializeAuthEap(4), initializeAuthStatic(5), initializeIp(6), initializeMac(7), initializePostureToken(8), revalidateAll(9), revalidateAuthClientless(10), revalidateAuthEap(11), revalidateAuthStatic(12), revalidateIp(13), revalidateMac(14), revalidatePostureToken(15), noRevalidateAll(16), noRevalidateAuthClientless(17), noRevalidateAuthEap(18), noRevalidateAuthStatic(19), noRevalidateIp(20), noRevalidateMac(21), noRevalidatePostureToken(22), initializePostureTokenStr(23), revalidatePostureTokenStr(24), noRevalidatePostureTokenStr(25)
|
cnnEouHostValidatePostureToken | 1.3.6.1.4.1.9.9.484.1.4.5 | OBJECT-TYPE
Syntax: CnnEouPostureToken | Status: deprecated | Access: read-write
Type of posture token for a detected host. This object is deprecated and replaced by cnnEouHostValidatePostureTokenStr.

|
cnnEouHostQueryEntry | 1.3.6.1.4.1.9.9.484.1.4.7.1 | OBJECT-TYPE
Syntax: CnnEouHostQueryEntry | Status: current | Access: not-accessible
A conceptual row of the cnnEouHostQueryTable used to set up retrieval criteria to search for the EOU hosts on the system. The actual search is started by setting the value of cnnEouHostQueryStatus to 'active'. Once a row becomes active, values within the row cannot be modified, except by deleting and re-creating the row.

|
cnnEouHostQueryPostureToken | 1.3.6.1.4.1.9.9.484.1.4.7.1.7 | OBJECT-TYPE
Syntax: CnnEouPostureToken | Status: deprecated | Access: read-create
The assigned posture token for the queried host. If the 'postureToken' option of cnnEouHostQueryMask is selected and an appropriate posture token is assigned to this object, then only the hosts with the specified posture token will be contained in the result table.
This object is deprecated and replaced by cnnEouHostQueryPostureTokenStr.

|
cnnEouHostQueryPostureTokenStr | 1.3.6.1.4.1.9.9.484.1.4.7.1.14 | OBJECT-TYPE
Syntax: CnnEouPostureTokenString | Status: current | Access: read-create
The assigned posture token string for the queried host. If the 'postureTokenString' option of cnnEouHostQueryMask is selected and an appropriate posture token string is assigned to this object, then only the hosts with the specified posture token string will be contained in the result table.

|
cnnEouHostResultEntry | 1.3.6.1.4.1.9.9.484.1.4.8.1 | OBJECT-TYPE
Syntax: CnnEouHostResultEntry | Status: current | Access: not-accessible
A conceptual row of cnnEouHostResultTable, containing posture validation information of a detected host that matches the search criteria set in the corresponding row of cnnEouHostQueryTable.

|
cnnEouHostResultPostureToken | 1.3.6.1.4.1.9.9.484.1.4.8.1.7 | OBJECT-TYPE
Syntax: CnnEouPostureToken | Status: deprecated | Access: read-only
Indicates the posture token of the detected host. During the posture validation process, the host will be placed into a particular category and have a token assigned to it. This assignment will depend on the state of the software that is resident on the host. The host will have specific rights to access the network based on the token assigned.
This object is deprecated and replaced by cnnEouHostResultPostureTokenStr.

|
cnnEouHostResultPostureTokenStr | 1.3.6.1.4.1.9.9.484.1.4.8.1.14 | OBJECT-TYPE
Syntax: CnnEouPostureTokenString | Status: current | Access: read-only
Indicates the posture token string of the detected host. During the posture validation process, the host will be placed into a particular category and have a token assigned to it. This assignment will depend on the state of the software that is resident on the host. The host will have specific rights to access the network based on the token assigned.

|
cnnEouHostValidatePostureTokenStr | 1.3.6.1.4.1.9.9.484.1.4.9 | OBJECT-TYPE
Syntax: CnnEouPostureTokenString | Status: current | Access: read-write
Posture token string for a detected host.