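ENTERASYS-TACACS-CLIENT-MIB DEFINITIONS ::= BEGIN

--  enterasys-tacacs-client-mib.txt
--
--  Part Number:
--
--
--  This module provides authoritative definitions for Enterasys
--  Networks' TACACS+ client functionality.
--
--  This module will be extended, as needed.
--
--  Enterasys Networks reserves the right to make changes in this
--  specification and other information contained in this document
--  without prior notice.  The reader should consult Enterasys Networks
--  to determine whether any such changes have been made.
--
--  In no event shall Enterasys Networks be liable for any incidental,
--  indirect, special, or consequential damages whatsoever (including
--  but not limited to lost profits) arising out of or related to this
--  document or the information contained in it, even if Enterasys
--  Networks has been advised of, known, or should have known, the
--  possibility of such damages.
--
--  Enterasys Networks grants vendors, end-users, and other interested
--  parties a non-exclusive license to use this Specification in
--  connection with the management of Enterasys Networks products.
--  Copyright February 2003-2010 Enterasys Networks, Inc.

--  Review notes (annotations only; no definition below has been changed):
--
--  Layout.  The module is written one clause per line so that every
--  comment ends at its own end of line and cannot absorb a definition.
--
--  Purpose.  The module exposes the TACACS+ client configuration of a
--  managed device over SNMP: five enable/disable scalars, a mapping from
--  device access levels to TACACS+ attribute-value pairs, and a table of
--  TACACS+ servers with their shared secrets.
--
--  Security.  Every writable object here changes how management sessions
--  are authenticated, authorized or accounted, and the module contains no
--  security considerations of its own.  Who may read or write this
--  subtree is decided entirely by the agent's SNMP access control, for
--  example SNMPv3 with authentication and privacy plus a VACM view that
--  leaves this subtree out for ordinary users.  Over SNMPv1/v2c every
--  value, the shared secret included, travels in clear text.

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    TruthValue, RowStatus
        FROM SNMPv2-TC
    EnabledStatus
        FROM P-BRIDGE-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB
    etsysModules
        FROM ENTERASYS-MIB-NAMES;

etsysTacacsClientMIB MODULE-IDENTITY
    LAST-UPDATED "201002011702Z"  -- Mon Feb  1 17:02 UTC 2010
    ORGANIZATION "Enterasys Networks, Inc"
    CONTACT-INFO
        "Postal:  Enterasys Networks
                  50 Minuteman Rd.
                  Andover, MA 01810-1008
                  USA
         Phone:   +1 978 684 1000
         E-mail:  support@enterasys.com
         WWW:     http://www.enterasys.com"

    DESCRIPTION
        "This MIB module defines a portion of the SNMP MIB under
         the Enterasys Networks enterprise OID pertaining to
         TACACS+ client configuration."

    REVISION    "201002011702Z"  -- Mon Feb  1 17:02 UTC 2010
    DESCRIPTION
        "Corrected DESCRIPTION clause for the
         etsysTacacsClientSesnAuthValue object."

    REVISION    "200502101757Z"  -- Thu Feb 10 17:57 GMT 2005
    DESCRIPTION
        "The initial version of this MIB module."
    ::= { etsysModules 58 }

-- -------------------------------------------------------------
-- Branches of the Enterasys TACACS+ Client MIB
-- -------------------------------------------------------------

etsysTacacsClientObjects  OBJECT IDENTIFIER
    ::= { etsysTacacsClientMIB 1 }

etsysTacacsClientControl  OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 1 }

etsysTacacsClientSesnAuth OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 2 }

etsysTacacsClientServer   OBJECT IDENTIFIER
    ::= { etsysTacacsClientObjects 3 }

-- -------------------------------------------------------------
-- TACACS+ Client Control Group
-- -------------------------------------------------------------

-- NOTE(review): all five scalars are read-write and default to disabled.
-- Setting the SesnAuth or CmdAuth object to 'disabled' switches TACACS+
-- authentication/authorization off for that function; what the device
-- uses instead is not defined in this module and must be checked per
-- platform.  The two Acct objects control the accounting (audit) records
-- sent to the server.  A change to any of them is worth an alert.

etsysTacacsClientSesnAuthEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         authentication and authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 1 }

etsysTacacsClientSesnAcctEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 2 }

etsysTacacsClientCmdAuthEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         level authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 3 }

etsysTacacsClientCmdAcctEnabled OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 4 }

etsysTacacsClientSingleConnection OBJECT-TYPE
    SYNTAX      EnabledStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Allows the TACACS+ client to send multiple TACACS+ requests
         on a single TCP connection.  All configured TACACS+ servers
         MUST allow this NAS to use single connection mode."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 5 }

-- -------------------------------------------------------------
-- TACACS+ Client Session Authorization Group
-- -------------------------------------------------------------

-- The service name sent in session authorization requests.  Together
-- with etsysTacacsClientSesnAuthAttribute it decides how
-- etsysTacacsClientSesnAuthValue is compared (see that object).

etsysTacacsClientSesnAuthService OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The service to be requested for management session
         authorization."
    DEFVAL { "enable" }
    ::= { etsysTacacsClientSesnAuth 1 }

-- -------------------------------------------------------------
-- TACACS+ Client Session Authorization Table
-- -------------------------------------------------------------

-- NOTE(review): the DESCRIPTION clauses of this table and its entry
-- repeat the wording of etsysTacacsClientServerTable.  Going by the
-- INDEX and the columns, a row here is one device access level
-- (readonly, readwrite, superuser, debug) with the attribute-value pair
-- that grants it, not a TACACS+ server.  The vendor text is left as is.

etsysTacacsClientSesnAuthTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of TACACS+ servers that this client may attempt
         to use."
    ::= { etsysTacacsClientSesnAuth 2 }

etsysTacacsClientSesnAuthEntry OBJECT-TYPE
    SYNTAX      EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A TACACS+ server that this client may attempt to use."
    INDEX { etsysTacacsClientSesnAuthLevel }
    ::= { etsysTacacsClientSesnAuthTable 1 }

EtsysTacacsClientSesnAuthEntry ::=
    SEQUENCE {
        etsysTacacsClientSesnAuthLevel      INTEGER,
        etsysTacacsClientSesnAuthAttribute  SnmpAdminString,
        etsysTacacsClientSesnAuthValue      SnmpAdminString
    }

-- Row index: the device access level being mapped.  The table has no
-- RowStatus column, so rows cannot be created or deleted through SNMP;
-- only the two writable columns of the rows the agent provides change.

etsysTacacsClientSesnAuthLevel OBJECT-TYPE
    SYNTAX      INTEGER {
                    readonly  (1),
                    readwrite (2),
                    superuser (3),
                    debug     (4)
                }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The authorization level for the corresponding attribute
         value pair.
         Managed entities are not required to support all
         authorization levels."
    ::= { etsysTacacsClientSesnAuthEntry 1 }

etsysTacacsClientSesnAuthAttribute OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The attribute part of the attribute-value pair for this
         access level.  The default value 'priv-lvl' is normally
         defined to have a corresponding value part with a value
         between '0' and '15' inclusive."
    DEFVAL { "priv-lvl" }
    ::= { etsysTacacsClientSesnAuthEntry 2 }

-- NOTE(review): this column is the privilege threshold.  With service
-- 'enable', attribute 'priv-lvl' and a numeric value 0..15 it is a
-- minimum, so writing a lower number to the superuser row widens the
-- set of server-side privilege levels that receive superuser access.
-- In every other configuration it is an exact string match.  The
-- DESCRIPTION lists defaults for read-only, read-write and superuser
-- only; the default for the debug level is not stated.

etsysTacacsClientSesnAuthValue OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value part of the attribute-value pair for this
         access level.

         To allow the leveraging of existing Cisco 'enable' mode
         configurations.  When
         1.) the etsysTacacsClientSesnAuthService object has the
             value 'enable',
         2.) the attribute part of this attribute-value pair is
             'priv-lvl', and
         3.) the value part of this attribute-value pair represents
             a numeric value between 0 and 15, inclusive,
         then the value part of this attribute-value pair specifies
         the minimum value required for this access level.

         If any of the above conditions are not met then this value
         must be an exact match with the value returned from the
         TACACS+ server.

         The default values for this object are '0' for read-only,
         '1' for read-write, and '15' for superuser authorization."
    ::= { etsysTacacsClientSesnAuthEntry 3 }

-- -------------------------------------------------------------
-- TACACS+ Client Server Table
-- -------------------------------------------------------------

-- One row per TACACS+ server.  Rows are created and deleted through
-- etsysTacacsClientServerStatus; write access to this table therefore
-- lets a manager add, replace or retire the servers the device trusts
-- for AAA decisions.

etsysTacacsClientServerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF EtsysTacacsClientServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of TACACS+ servers that this client may attempt
         to use."
    ::= { etsysTacacsClientServer 1 }

etsysTacacsClientServerEntry OBJECT-TYPE
    SYNTAX      EtsysTacacsClientServerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A TACACS+ server that this client may attempt to use."
    INDEX { etsysTacacsClientServerIndex }
    ::= { etsysTacacsClientServerTable 1 }

EtsysTacacsClientServerEntry ::=
    SEQUENCE {
        etsysTacacsClientServerIndex          Integer32,
        etsysTacacsClientServerAddressType    InetAddressType,
        etsysTacacsClientServerAddress        InetAddress,
        etsysTacacsClientServerPortNumber     InetPortNumber,
        etsysTacacsClientServerTimeout        Integer32,
        etsysTacacsClientServerSecret         OCTET STRING,
        etsysTacacsClientServerSecretEntered  TruthValue,
        etsysTacacsClientServerStatus         RowStatus
    }

etsysTacacsClientServerIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A number uniquely identifying each conceptual row in the
         etsysTacacsClientServerTable.

         In the event of an agent restart, the same value of
         etsysTacacsClientServerIndex must be used to identify each
         conceptual row in etsysTacacsClientServerTable as prior to
         the restart."
    ::= { etsysTacacsClientServerEntry 1 }

etsysTacacsClientServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of Internet address by which this TACACS+ server
         is reachable."
    DEFVAL { ipv4 }
    ::= { etsysTacacsClientServerEntry 2 }

-- NOTE(review): with address type dns(16) the name is resolved each
-- time the server is contacted, so the choice of AAA server then
-- depends on the integrity of the device's DNS resolution.  A literal
-- address avoids that dependency.

etsysTacacsClientServerAddress OBJECT-TYPE
    SYNTAX      InetAddress (SIZE(1..64))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Internet address for the TACACS+ server.

         The etsysTacacsClientServerAddress may not be empty due to
         the SIZE restriction.  Also the size of a DNS name is
         limited to 64 characters.

         If a row is created administratively by an SNMP operation
         and the address type value is dns(16), then the agent
         stores the DNS name internally.  A DNS name lookup must be
         performed on the internally stored DNS name whenever it is
         being used to contact the peer.

         If a row is created by the managed entity itself and the
         address type value is dns(16), then the agent stores the
         IP address internally.  A DNS reverse lookup must be
         performed on the internally stored IP address whenever the
         value is retrieved via SNMP."
    ::= { etsysTacacsClientServerEntry 3 }

-- The SYNTAX admits port 0 as the DESCRIPTION says; whether an agent
-- accepts 0 for an active row is not stated here.

etsysTacacsClientServerPortNumber OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The TCP port number (0-65535) the client is using to send
         requests to this server."
    DEFVAL { 49 }
    ::= { etsysTacacsClientServerEntry 4 }

-- NOTE(review): MAX-ACCESS is read-write while the other writable
-- columns of this row are read-create.  RFC 2578 section 7.3 does not
-- allow a read-write column in a conceptual row that also has
-- read-create columns, and SMI checkers are likely to report it.  The
-- clause is left as published; read literally, the timeout cannot be
-- supplied in the SET that creates the row.

etsysTacacsClientServerTimeout OBJECT-TYPE
    SYNTAX      Integer32 (1..180)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The number of seconds to wait for a TACACS+ server to
         respond to a request."
    DEFVAL { 10 }
    ::= { etsysTacacsClientServerEntry 5 }

-- NOTE(review): sensitive object.
--   * MAX-ACCESS read-create makes the column readable, and the
--     DESCRIPTION does not say what a GET returns.  The read-only
--     companion etsysTacacsClientServerSecretEntered suggests the
--     secret is not meant to be read back, but that has to be confirmed
--     on the agent (a GET should yield a zero-length string).
--   * SIZE(0..32) admits a zero-length secret, and rule 2 of
--     etsysTacacsClientServerStatus only asks that a value be supplied.
--     TACACS+ packet-body obfuscation is keyed on this secret, so check
--     how the agent treats an empty one.
--   * Set this object only over SNMPv3 with privacy; with SNMPv1/v2c
--     the secret is visible on the wire.

etsysTacacsClientServerSecret OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the secret shared between the TACACS+
         server and TACACS+ client."
    ::= { etsysTacacsClientServerEntry 6 }

-- Read-only flag that lets a manager see that a secret exists without
-- reading etsysTacacsClientServerSecret itself.

etsysTacacsClientServerSecretEntered OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates the existence of a shared secret."
    ::= { etsysTacacsClientServerEntry 7 }

-- Row lifecycle.  Per rule 4, a row that is not 'active' is skipped for
-- authentication, so a status change takes a server out of use as
-- effectively as deleting the row.

etsysTacacsClientServerStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Lets users create and delete TACACS+ server entries on
         systems that support this capability.

         Rules

         1. When creating a TACACS+ client, it is up to the
            management station to determine a suitable
            etsysTacacsClientServerIndex.  To facilitate
            interoperability, agents should not put any restrictions
            on the etsysTacacsClientServerIndex beyond the obvious
            ones that it be valid and unused.

         2. Before a new row can become 'active', values must be
            supplied for the columnar objects
            etsysTacacsClientServerAddress and
            etsysTacacsClientServerSecret.

         3. The value of etsysTacacsClientServerStatus MAY need to
            be set to 'notInService' in order to modify a writable
            object in the same conceptual row.

         4. etsysTacacsClientServer entries whose status is
            'notReady' or 'notInService' will not be used for
            authentication."
    ::= { etsysTacacsClientServerEntry 8 }

-- ------------------------------------
-- Conformance information
-- ------------------------------------

etsysTacacsClientConformance OBJECT IDENTIFIER
    ::= { etsysTacacsClientMIB 2 }

etsysTacacsClientCompliances OBJECT IDENTIFIER
    ::= { etsysTacacsClientConformance 1 }

etsysTacacsClientGroups      OBJECT IDENTIFIER
    ::= { etsysTacacsClientConformance 2 }

-- ------------------------------------
-- Units of conformance
-- ------------------------------------

-- Mandatory group (see the compliance statement below).  It includes
-- etsysTacacsClientServerSecret, so every conforming agent exposes the
-- shared-secret column.

etsysTacacsClientSessionGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientSesnAuthEnabled,
        etsysTacacsClientSesnAcctEnabled,
        etsysTacacsClientSingleConnection,
        etsysTacacsClientServerAddressType,
        etsysTacacsClientServerAddress,
        etsysTacacsClientServerPortNumber,
        etsysTacacsClientServerTimeout,
        etsysTacacsClientServerSecret,
        etsysTacacsClientServerSecretEntered,
        etsysTacacsClientServerStatus
    }
    STATUS      current
    DESCRIPTION
        "The collection of objects required to do TACACS+
         authentication, authorization, and accounting for
         management sessions."
    ::= { etsysTacacsClientGroups 1 }

etsysTacacsClientCmdAuthGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientCmdAuthEnabled
    }
    STATUS      current
    DESCRIPTION
        "Additional objects for TACACS+ command authorization."
    ::= { etsysTacacsClientGroups 2 }

etsysTacacsClientCmdAcctGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientCmdAcctEnabled
    }
    STATUS      current
    DESCRIPTION
        "Additional objects for TACACS+ command accounting."
    ::= { etsysTacacsClientGroups 3 }

etsysTacacsClientSesnAuthGroup OBJECT-GROUP
    OBJECTS {
        etsysTacacsClientSesnAuthService,
        etsysTacacsClientSesnAuthAttribute,
        etsysTacacsClientSesnAuthValue
    }
    STATUS      current
    DESCRIPTION
        "Additional objects to map read-only, read-write,
         superuser, and debug authorization level into a service
         level and respective attribute-value pairs."
    ::= { etsysTacacsClientGroups 4 }

-- ------------------------------------
-- Compliance statements
-- ------------------------------------

-- Only the session group is mandatory; the command authorization,
-- command accounting and access-level mapping groups are conditional on
-- the device supporting the corresponding feature.

etsysTacacsClientCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for clients implementing the
         TACACS+ Client MIB."

    MODULE
        MANDATORY-GROUPS { etsysTacacsClientSessionGroup }

        GROUP   etsysTacacsClientCmdAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             authorization via TACACS+"

        GROUP   etsysTacacsClientCmdAcctGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             accounting via TACACS+"

        GROUP   etsysTacacsClientSesnAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting any of the
             following authorization levels: read-only, read-write,
             superuser, or debug."
    ::= { etsysTacacsClientCompliances 1 }

END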