ENTERASYS-MULTI-AUTH-MIB: View SNMP OID List / Download MIB

This MIB module defines a portion of the SNMP MIB under the Enterasys Networks enterprise OID pertaining to configuration of multiple authentication mechanisms to be run simultaneously on a device.

An etsysMultiAuthSuccess trap signifies that the SNMP entity, acting in an agent role, has successfully authenticated a station on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station that has been authenticated. The interface that the station was authenticated on is specified by the ifIndex object, and the type of authentication used is to authenticate the station is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.

An etsysMultiAuthFailed trap signifies that the SNMP entity, acting in an agent role, has identified a station that attempted and subsequently failed to authenticate on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station that attempted to authenticate. The interface that the station attempted to authenticate on is specified by the ifIndex object, and the type of authentication attempted is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.

An etsysMultiAuthTerminated trap signifies that the SNMP entity, acting in an agent role, has terminated the authentication of a station on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station for which authentication was terminated. The interface that the station was previously authenticated on is specified by the ifIndex object, and the type of authentication that the station was terminated for is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.

An etsysMultiAuthMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, has an interface where subsequent to a successful authentication, the number of current sessions on the interface equals the maximum number of sessions allowed for that interface. The interface that the maximum number of sessions has been reached is specified by the ifIndex object.

An etsysMultiAuthModuleMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, has a module where subsequent to a successful authentication, the number of current sessions on the module equals the maximum number of sessions allowed for that module. The module that the maximum number of sessions has been reached is specified by the entPhysicalIndex object.

An etsysMultiAuthSystemMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, where subsequent to a successful authentication, has the number of current sessions on the system equals the maximum number of sessions allowed for that system, .

This object specifies that authentication types that the device supports. A bit will be set for each corresponding type that is supported. Bits: 'macAuth': 2, 'radiusSnooping': 4, 'cep': 3, 'ieee8021x': 0, 'pwa': 1.

The maximum number of users the can be actively authenticated or have authentications in progress at one time in the system.

The current number of users the are actively authenticated, have authentications in progress, or the device is keeping authentication termination information for in the system.

The value strictIeee8021x(1) will cause the device to authenticate in strict adherence to IEEE Std. 802.1X-2001. In this mode no other authentication mechanisms will be active. While in this mode, changes may be made to other objects in the MIB, but they will have no effect on the operation of the device until such time as the system mode is changed to etsysMultiAuth(2). A set of this object to a value of etsysMultiAuth(2) will cause the device to authenticate using multiple authenticators simultaneously. Enumeration: 'etsysMultiAuth': 2, 'strictIeee8021x': 1.

The precedence that authentication results will be applied to network traffic by default. This object will have a size equal to the number of enumerations specified by the EtsysMultiAuthTypes textual convention.

This object allows one to modify the default precedence by which authentication results will be applied to network traffic. Sets to this object are not required to specify all of the types that the device supports. If less types are specified than are supported, then all types that were not specified will be given an operational precedence based on that type's default precedence relative to the last type specified. For example, if the default precedence is '030102'H and the object is set to '02'H then operational precedence would be '020301'H. A set to this object of a zero length octet string will clear the administrative precedence. In this case the operational precedence would be equal to the default precedence.

This object returns the operational precedence of authentication types as they will be applied to network traffic. The value returned by this object is the calculated result of the etsysMultiAuthSystemDefaultPrecedence and etsysMultiAuthSystemAdminPrecedence objects. This object will have a size equal to the number of enumerations specified by the EtsysMultiAuthTypes textual convention.

A table of properties per authentication type.

An entry containing per authentication type properties.

The authentication type the entry properties pertain to.

The maximum number of seconds an authenticated session may last before termination of the session. A value of zero indicates that no session timeout will be applied. This value MAY be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Session-Timeout Attribute in its authentication response. The operational timeout value of a given authenticated session is specified by the etsysMultiAuthSessionSessionTimeout object.

The maximum number of consecutive seconds an authenticated session may be idle before termination of the session. A value of zero indicates that no idle timeout will be applied. This value MAY be superseded by a idle timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Idle-Timeout Attribute in its authentication response. The operational idle timeout value of a given authenticated session is specified by the etsysMultiAuthSessionIdleTimeout object.

The current number of users the are actively authenticated or have authentications in progress for this authentication type in the system.

This object allows for the enabling or disabling the transmission of the etsysMultiAuthSystemMaxNumUsersReached NOTIFICATION.

A table of per port information and configuration for user authentication.

An entry containing per port authentication data. Only interfaces that are able to authenticate users are represented in this table.

This object specifies the authorization mode to use for packets received on this interface. A value of forceUnauthorized(1) indicates that the interface is always unauthenticated. A value of forceAuthorized(2) indicates that users on this port will always be considered to be authenticated. A value of authOptional(3) indicates that authentication is optional on this interface. Packets received from unauthenticated users on the interface will be processed using the static configuration of the interface. Users may promote the policy applied to their traffic by actively authenticating on this interface. A value of authRequired(4) indicates that all packets received on the interface will be dropped until authentication succeeds. Some authentication types, such as PWA, will not be fully functional in this mode of operation. Enumeration: 'authRequired': 4, 'forceUnauthorized': 1, 'forceAuthorized': 2, 'authOptional': 3.

The maximum number of users that can be actively authenticated or have authentications in progress at one time on this interface.

The user configured number of users that can be actively authenticated or have authentications in progress at one time on this interface. This object has a default value equal to the value of etsysMultiAuthPortMaxNumUsers for this interface. If the value set to this object is less than its current value, it will have the same effect as setting the etsysMultiAuthPortClearUsers object to a value of true(1).

The current number of users that are actively authenticated or have authentications in progress at one time on this interface. By definition this value can not exceed the value specified by etsysMultiAuthPortMaxNumUsers for the same interface.

Setting this object to a value of true(1) will cause all users that are currently authenticated or that have authentications in progress on this interface to become unauthenticated. This will cause any such entries with matching ifIndex values in the etsysMultiAuthSessionStationTable tables to change their authorization status to authTerminated(5). Setting this object to a value of false(2) has no effect. This object will always return a value of false(2).

This object allows for the enabling or disabling of each trap on a per interface basis. Setting a given bit to a value of 1 allows traps of that type to be sent for events on that interface. Setting a given bit to a value of 0 disallows traps of that type to be sent for events on that interface. The individual bits correlate to specific traps as follows: BIT NOTIFICATION ---------------------------------------------------------------- authSuccessTrap(0) etsysMultiAuthSuccess authFailedTrap(1) etsysMultiAuthFailed authTerminatedTrap(2) etsysMultiAuthTerminated maxNumUsersReachedTrap(3) etsysMultiAuthMaxNumUsersReached Bits: 'authTerminatedTrap': 2, 'maxNumUsersReachedTrap': 3, 'authSuccessTrap': 0, 'authFailedTrap': 1.

A table of per port, per authentication type information.

An entry containing per port, per authentication type data. Only interfaces that are able to authenticate users are represented in this table.

The current number of users the are actively authenticated or have authentications in progress for this authentication type on the specified port.

A table of station configuration on specific interfaces.

An entry containing authentication information on a per station, per port basis. Only interfaces that are able to authenticate users are represented in this table.

The type of station represented by etsysMultiAuthStationAddr.

The station address for the authenticated user.

Setting this object to a value of true(1) will cause any users with the specified station address that are currently authenticated or that have authentications in progress to become unauthenticated. This will cause any entries with matching etsysMultiAuthStationAddr values in the etsysMultiAuthSessionStationTable tables to change their authorization status to authTerminated(5). Setting this object to a value of false(2) has no effect. This object will always return a value of false(2).

A table of session information and configuration for user authentication. Entries in this table represent users in various stages of authentication. Entries that do not have a etsysMultiAuthSessionStationAuthStatus value of authSuccess(1) or authInProgress(3) MAY be removed by the agent as required in order to free resources for new user authentications.

An entry containing authentication information on a per station, per port, per authentication agent type basis. Only interfaces that are able to authenticate users are represented in this table.

The type of authentication agent for this session.

The status of authentication for this session.

The value of sysUpTime when this session last attempted authorization. For entries that have a value of authInProgress(3) for etsysMultiAuthSessionStationAuthStatus this object MAY return a value of zero.

The type of authentication server used to authenticate this session. A value of radius(1) indicates that a RADIUS request and response were attempted in order to authenticate the session. A value of local(2) indicates that the session was authenticated by a local file or configuration on the device itself. Enumeration: 'local': 2, 'radius': 1.

The type of data returned by etsysMultiAuthSessionAuthServerAddr. If the etsysMultiAuthSessionAuthServerType leaf for this entry has a value of local(2) then this object MUST return a a value of unknown(0).

The network address of the authentication server for this session. If the etsysMultiAuthSessionAuthServerType leaf for this entry has a value of local(2) then this object MUST return a zero length string.

The Policy Profile Index returned from the authentication server for this session. The value of zero indicates that no policy will be applied for this session. If the etsysMultiAuthSessionStationAuthStatus object returns a value of authSuccess(1), then a value of zero is the result of the policy not being configured on the authorization server. For all other values of etsysMultiAuthSessionStationAuthStatus a value of zero for this object is the result of authorization not succeeding or not having completed. All values other than zero are valid Policy Profile Indexes that specify the policy profile the user will receive on this interface. If a given user has been authenticated by multiple authentication types on the same interface the policy that is applied to the user's packets is determined by the precedence of the agents as specified by etsysMultiAuthSystemOperPrecedence. These indexes are suitable for indexing in the ENTERASYS-POLICY-PROFILE-MIB.

This object indicates whether this entry and the policy index contained within it are actively being applied to traffic matching the interface and station address of this entry. A value of true(1) indicates that this entry is being applied. A value of false(2) indicates that the entry is not being applied. Only one authentication type per interface station address ordered pair may be applied at a single time. The operational precedence of the various authentication types determines which if any type will be applied.

The local date and time that the session was terminated. If the session is not in the authTerminated(5) state this object MUST return '00000000'H.

The maximum number of seconds this session may last before automatic termination. A value of zero indicates that no session timeout will be applied. This value MAY be provided by the etsysMultiAuthSessionTimeout object or by the authenticating server.

The maximum number of consecutive seconds this session may be idle before automatic termination. A value of zero indicates that no idle timeout will be applied. This value MAY be provided by the etsysMultiAuthIdleTimeout object or by the authenticating server.

The length of this session in seconds. This object MAY return zero for a session in any state other than authSuccess(1).

The number of consecutive seconds this session has been idle. This object MAY return zero for a session in any state other than authSuccess(1).

The VLAN Tunnel Attribute (Tunnel-Group-ID) returned from the authentication server for this session. This value is interpreted as the 12 bit VLAN identifier to be applied to traffic from the session entity. Policy VLAN classification rules have precedence in assigning VLAN, however, in the absence of any applicable rules, this VLAN will be used. If the traffic is already tagged, this VLAN will only be applied if TCI overwrite has been enabled (through Policy or ctDot1qPortReplaceTCI). A value of zero indicates that there is no authenticated VLAN ID for the given session (none was provided by the authentication server). Should a session become unauthenticated this value MUST return zero. A value of 4095 indicates that a the session has been authenticated, but that the VLAN returned could not be applied to the port (possibly because of resource constraints or misconfiguration). The traffic from the session entity will be assigned VLAN through Policy or standard 802.1Q mechanisms.

A table of session information and configuration for user authentication. This table represents the information specified in the etsysMultiAuthSessionStationTable with alternate indexing for faster lookups of data on per port basis.

An entry containing authentication information on a per port, per station, per authentication agent type basis. Only interfaces that are able to authenticate users are represented in this table.

The status of authentication for this session.

A table of per module information for user authentication.

An entry containing per module authentication data. Only physical indexes with a entPhysicalClass of module(9) are represented in this table. Furthermore, each entity represented in this table must have authentication resources that are separate from every other entity in the table.

The maximum number of users that can be actively authenticated or have authentications in progress at one time on the specified module.

The current number of users that are actively authenticated or have authentications in progress at one time on the specified module. By definition this value can not exceed the value specified by etsysMultiAuthModuleMaxNumUsers for the same module.

This object allows for the enabling or disabling the transmission of the etsysMultiAuthModuleMaxNumUsersReached NOTIFICATION.

The system group for all devices supporting Multiple Authentication.

The base level port group for all devices supporting Multiple Authentication.

This group of objects for all devices supporting per interface SNMP notifications.

The station group for all devices supporting Multiple Authentication.

The session group for all devices supporting Multiple Authentication.

The group of per interface notifications for Multiple Authentication.

The module group for all devices supporting Multiple Authentication.

The session group for all devices supporting Multiple Authentication.

The group of objects for all devices that support timing out Multiple Authentication sessions.

The group of objects for all devices that support counting the number of current users on a per authentication type basis.

The group of objects for all devices supporting module SNMP notifications.

The group of objects for all devices supporting system SNMP notifications.

The group of per module notifications for Multiple Authentication.

The group of per system notifications for Multiple Authentication.

The group of objects for all devices supporting 802.1X RADIUS tunnel attributes for 802.1Q VLANs.

This compliance statement has been deprecated in favor of the expanded group defined by etsysMultiAuthCompliance2.

This compliance statement has been deprecated in favor of the expanded group defined by etsysMultiAuthCompliance3.

This compliance statement has been deprecated in favor of the expanded group defined by etsysMultiAuthCompliance4.

The compliance statement for devices that support timing out of Multiple Authentication sessions.

The compliance statement for all devices that support counting the number of current users on a per authentication type basis.

The compliance statement for devices that support Multiple Authentication.

The compliance statement for all devices that support 802.1X RADIUS Tunnel Attributes.