ENTERASYS-MULTI-AUTH-MIB

The following tables, groups, and variables are supported in this MIB.

Table/Group Supported Variables Comments
Multiple Authentication System Group etsysMultiAuthSystemSupportedTypes This object specifies that authentication types that the device supports. A bit will be set for each corresponding type that is supported.
etsysMultiAuthSystemMaxNumUsers The maximum number of users the can be actively authenticated or have authentications in progress at one time in the system.
etsysMultiAuthSystemCurrentNumUsers The current number of users the are actively authenticated, have authentications in progress, or the device is keeping authentication termination information for in the system.
etsysMultiAuthSystemMode The value strictIeee8021x(1) will cause the device to authenticate in strict adherence to IEEE Std. 802.1X-2001. In this mode no other authentication mechanisms will be active. While in this mode, changes may be made to other objects in the MIB, but they will have no effect on the operation of the device until such time as the system mode is changed to etsysMultiAuth(2). A set of this object to a value of etsysMultiAuth(2) will cause the device to authenticate using multiple authenticators simultaneously.
etsysMultiAuthSystemDefaultPrecedence The precedence that authentication results will be applied to network traffic by default. This object will have a size equal to the number of enumerations specified by the EtsysMultiAuthTypes textual convention.
etsysMultiAuthSystemAdminPrecedence

This object allows one to modify the default precedence by which authentication results will be applied to network traffic. Sets to this object are not required to specify all of the types that the device supports. If less types are specified than are supported, then all types that were not specified will be given an operational precedence based on that type's default precedence relative to the last type specified. For example, if the default precedence is '030102'H and the object is set to '02'H then operational precedence would be '020301'H.

A set to this object of a zero length octet string will clear the administrative precedence. In this case the operational precedence would be equal to the default precedence.

etsysMultiAuthSystemOperPrecedence This object returns the operational precedence of authentication types as they will be applied to network traffic. The value returned by this object is the calculated result of the etsysMultiAuthSystemDefaultPrecedence and etsysMultiAuthSystemAdminPrecedence objects. This object will have a size equal to the number of enumerations specified by the EtsysMultiAuthTypes textual convention.
etsysMultiAuthTypePropertiesTable A table of properties per authentication type.
etsysMultiAuthTypePropertiesEntry An entry containing per authentication type properties.
etsysMultiAuthType The authentication type the entry properties pertain to.
etsysMultiAuthSessionTimeout The maximum number of seconds an authenticated session may last before termination of the session. A value of zero indicates that no session timeout will be applied. This value MAY be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Session-Timeout Attribute in its authentication response. The operational timeout value of a given authenticated session is specified by the etsysMultiAuthSessionSessionTimeout object.
etsysMultiAuthIdleTimeout The maximum number of consecutive seconds an authenticated session may be idle before termination of the session. A value of zero indicates that no idle timeout will be applied. This value MAY be superseded by a idle timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Idle-Timeout Attribute in its authentication response. The operational idle timeout value of a given authenticated session is specified by the etsysMultiAuthSessionIdleTimeout object.
etsysMultiAuthCurrentNumUsers The current number of users the are actively authenticated or have authentications in progress for this authentication type in the system.
etsysMultiAuthSystemMaxNumUsersReachedTrapEnable This object allows for the enabling or disabling the transmission of the etsysMultiAuthSystemMaxNumUsersReached NOTIFICATION.
etsysMultiAuthSessionsUniquePerPort

When this object is set to true(1) each multi-auth session MAY be unique to the port it was created on.

The operational status of this variable can be found using etsysMultiAuthSessionsUniquePerPortOperStatus.

etsysMultiAuthSessionsUniquePerPortOperStatus If this object has a value of true(1) each multi-auth session will be unique to the port it was created on. If this object has a value of false(2) each multi-auth session may exist on multiple ports.
etsysMultiAuthSystemReAuthenticationTimeoutAction

When this object is set to terminate(1) re-authenticating multiauth sessions will be terminated if the re-authentication RADIUS transaction results in a complete timeout.

When this object is set to none(2) re-authentication multiauth sessions will be left as they were prior to the re-authentication attempt if the re-authentication RADIUS transaction results in a complete timeout.

A complete timeout occurs when all RADIUS retries to all appropriate RADIUS servers have been exhausted.

Multiple Authentication Port Group etsysMultiAuthPortTable A table of per port information and configuration for user authentication.
-etsysMultiAuthPortEntry An entry containing per port authentication data. Only interfaces that are able to authenticate users are represented in this table.
etsysMultiAuthPortMode

This object specifies the authorization mode to use for packets received on this interface.

A value of forceUnauthorized(1) indicates that the interface is always unauthenticated.

A value of forceAuthorized(2) indicates that users on this port will always be considered to be authenticated.

A value of authOptional(3) indicates that authentication is optional on this interface. Packets received from unauthenticated users on the interface will be processed using the static configuration of the interface. Users may promote the policy applied to their traffic by actively authenticating on this interface.

A value of authRequired(4) indicates that all packets received on the interface will be dropped until authentication succeeds. Some authentication types, such as PWA, will not be fully functional in this mode of operation.

etsysMultiAuthPortMaxNumUsers The maximum number of users that can be actively authenticated or have authentications in progress at one time on this interface.
etsysMultiAuthPortNumUsersAllowed The user configured number of users that can be actively authenticated or have authentications in progress at one time on this interface. This object has a default value equal to the value of etsysMultiAuthPortMaxNumUsers for this interface. If the value set to this object is less than its current value, it will have the same effect as setting the etsysMultiAuthPortClearUsers object to a value of true(1).
etsysMultiAuthPortCurrentNumUsers The current number of users that are actively authenticated or have authentications in progress at one time on this interface. By definition this value can not exceed the value specified by etsysMultiAuthPortMaxNumUsers for the same interface.
etsysMultiAuthPortClearUsers

Setting this object to a value of true(1) will cause all users that are currently authenticated or that have authentications in progress on this interface to become unauthenticated. This will cause any such entries with matching ifIndex values in the etsysMultiAuthSessionStationTable tables to change their authorization status to authTerminated(5)

Setting this object to a value of false(2) has no effect. This object will always return a value of false(2).

etsysMultiAuthPortTrapEnable

This object allows for the enabling or disabling of each trap on a per interface basis. Setting a given bit to a value of 1 allows traps of that type to be sent for events on that interface. Setting a given bit to a value of 0 disallows traps of that type to be sent for events on that interface. The individual bits correlate to specific traps as follows:

BIT NOTIFICATION ---------------------------------------------------------------- authSuccessTrap(0) etsysMultiAuthSuccess authFailedTrap(1) etsysMultiAuthFailed authTerminatedTrap(2) etsysMultiAuthTerminated maxNumUsersReachedTrap(3) etsysMultiAuthMaxNumUsersReached

etsysMultiAuthPortTypeTable A table of per port, per authentication type information.
etsysMultiAuthPortTypeEntry An entry containing per port, per authentication type data. Only interfaces that are able to authenticate users are represented in this table.
etsysMultiAuthPortTypeCurrentNumUsers The current number of users the are actively authenticated or have authentications in progress for this authentication type on the specified port.
Multiple Authentication Station GroupMultiple Authentication Session Group etsysMultiAuthStationTable A table of station configuration on specific interfaces.
etsysMultiAuthStationEntry An entry containing authentication information on a per station, per port basis. Only interfaces that are able to authenticate users are represented in this table.
etsysMultiAuthStationAddrType The type of station represented by etsysMultiAuthStationAddr.
etsysMultiAuthStationAddr The station address for the authenticated user.
etsysMultiAuthStationClearUsers

Setting this object to a value of true(1) will cause any users with the specified station address that are currently authenticated or that have authentications in progress to become unauthenticated. This will cause any entries with matching etsysMultiAuthStationAddr values in the etsysMultiAuthSessionStationTable tables to change their authorization status to authTerminated(5).

Setting this object to a value of false(2) has no effect. This object will always return a value of false(2).

etsysMultiAuthSessionStationTable A table of session information and configuration for user authentication. Entries in this table represent users in various stages of authentication. Entries that do not have a etsysMultiAuthSessionStationAuthStatus value of authSuccess(1) or authInProgress(3) MAY be removed by the agent as required in order to free resources for new user authentications.
etsysMultiAuthSessionStationEntry An entry containing authentication information on a per station, per port, per authentication agent type basis. Only interfaces that are able to authenticate users are represented in this table.
etsysMultiAuthSessionAgentType The type of authentication agent for this session.
etsysMultiAuthSessionStationAuthStatus The status of authentication for this session.
etsysMultiAuthSessionAuthAttemptTime The value of sysUpTime when this session last attempted authorization. For entries that have a value of authInProgress(3) for etsysMultiAuthSessionStationAuthStatus this object MAY return a value of zero.
etsysMultiAuthSessionAuthServerType The type of authentication server used to authenticate this session. A value of radius(1) indicates that a RADIUS request and response were attempted in order to authenticate the session. A value of local(2) indicates that the session was authenticated by a local file or configuration on the device itself.
etsysMultiAuthSessionAuthServerAddrType The type of data returned by etsysMultiAuthSessionAuthServerAddr. If the etsysMultiAuthSessionAuthServerType leaf for this entry has a value of local(2) then this object MUST return a a value of unknown(0).
etsysMultiAuthSessionAuthServerAddr The network address of the authentication server for this session. If the etsysMultiAuthSessionAuthServerType leaf for this entry has a value of local(2) then this object MUST return a zero length string.
The network address of the authentication server for this session. If the etsysMultiAuthSessionAuthServerType leaf for this entry has a value of local(2) then this object MUST return a zero length string.

The Policy Profile Index returned from the authentication server for this session.

The value of zero indicates that no policy will be applied for this session. If the etsysMultiAuthSessionStationAuthStatus object returns a value of authSuccess(1), then a value of zero is the result of the policy not being configured on the authorization server. For all other values of etsysMultiAuthSessionStationAuthStatus a value of zero for this object is the result of authorization not succeeding or not having completed.

All values other than zero are valid Policy Profile Indexes that specify the policy profile the user will receive on this interface. If a given user has been authenticated by multiple authentication types on the same interface the policy that is applied to the user's packets is determined by the precedence of the agents as specified by etsysMultiAuthSystemOperPrecedence. These indexes are suitable for indexing in the ENTERASYS-POLICY-PROFILE-MIB.

etsysMultiAuthSessionIsApplied This object indicates whether this entry and the policy index contained within it are actively being applied to traffic matching the interface and station address of this entry. A value of true(1) indicates that this entry is being applied. A value of false(2) indicates that the entry is not being applied. Only one authentication type per interface station address ordered pair may be applied at a single time. The operational precedence of the various authentication types determines which if any type will be applied.
etsysMultiAuthSessionTerminationTime The local date and time that the session was terminated. If the session is not in the authTerminated(5) state this object MUST return '00000000'H.
etsysMultiAuthSessionSessionTimeout The maximum number of seconds this session may last before automatic termination. A value of zero indicates that no session timeout will be applied. This value MAY be provided by the etsysMultiAuthSessionTimeout object or by the authenticating server.
etsysMultiAuthSessionIdleTimeout The maximum number of consecutive seconds this session may be idle before automatic termination. A value of zero indicates that no idle timeout will be applied. This value MAY be provided by the etsysMultiAuthIdleTimeout object or by the authenticating server.
etsysMultiAuthSessionDuration The length of this session in seconds. This object MAY return zero for a session in any state other than authSuccess(1).
etsysMultiAuthSessionIdleTime The number of consecutive seconds this session has been idle. This object MAY return zero for a session in any state other than authSuccess(1).
etsysMultiAuthSessionVlanTunnelAttribute

The VLAN Tunnel Attribute (Tunnel-Group-ID) returned from the authentication server for this session.

This value is interpreted as the 12 bit VLAN identifier to be applied to traffic from the session entity. Policy VLAN classification rules have precedence in assigning VLAN, however, in the absence of any applicable rules, this VLAN will be used. If the traffic is already tagged, this VLAN will only be applied if TCI overwrite has been enabled (through Policy or ctDot1qPortReplaceTCI).

A value of zero indicates that there is no authenticated VLAN ID for the given session (none was provided by the authentication server). Should a session become unauthenticated this value MUST return zero.

A value of 4095 indicates that a the session has been authenticated, but that the VLAN returned could not be applied to the port (possibly because of resource constraints or misconfiguration). The traffic from the session entity will be assigned VLAN through Policy or standard 802.1Q mechanisms.

etsysMultiAuthSessionClear Setting this object to a value of true(1) will cause the specified table entry with the specified station address, ifIndex and agent type that are currently authenticated or that have authentications in progress to become unauthenticated and their authorization status changes to authTerminated(5). Setting this object to a value of false(2) has no effect. This object will always return a value of false(2).
etsysMultiAuthSessionPortTable A table of session information and configuration for user authentication. This table represents the information specified in the etsysMultiAuthSessionStationTable with alternate indexing for faster lookups of data on per port basis.
etsysMultiAuthSessionPortEntry An entry containing authentication information on a per port, per station, per authentication agent type basis. Only interfaces that are able to authenticate users are represented in this table.
etsysMultiAuthSessionPortAuthStatus The status of authentication for this session.
Multiple Authentication Module Group etsysMultiAuthModuleTable A table of per module information for user authentication.
etsysMultiAuthModuleEntry An entry containing per module authentication data. Only physical indexes with a entPhysicalClass of module(9) are represented in this table. Furthermore, each entity represented in this table must have authentication resources that are separate from every other entity in the table.
etsysMultiAuthModuleMaxNumUsers The maximum number of users that can be actively authenticated or have authentications in progress at one time on the specified module.
etsysMultiAuthModuleCurrentNumUsers The current number of users that are actively authenticated or have authentications in progress at one time on the specified module. By definition this value can not exceed the value specified by etsysMultiAuthModuleMaxNumUsers for the same module.
etsysMultiAuthModuleMaxNumUsersReachedTrapEnable This object allows for the enabling or disabling the transmission of the etsysMultiAuthModuleMaxNumUsersReached NOTIFICATION.
Multiple Authentication Counters Group etsysMultiAuthCounterTable A table of per station and port user counter data.
etsysMultiAuthCounterEntry An entry containing user counter data.
etsysMultiAuthCounterInboundBytes The number of bytes of user data received on this interface.
etsysMultiAuthCounterInboundPackets The number of packets of user data received on this interface.
etsysMultiAuthCounterOutboundBytes The number of bytes of user data transmitted on this interface.
etsysMultiAuthCounterOutboundPackets The number of packets of user data transmitted on this interface.
etsysMultiAuthCounterEnable This object allows for the enabling or disabling of per-user counters.
Multiple Authentication Notification Group etsysMultiAuthSuccess NOTIFICATION-TYPE An etsysMultiAuthSuccess trap signifies that the SNMP entity, acting in an agent role, has successfully authenticated a station on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station that has been authenticated. The interface that the station was authenticated on is specified by the ifIndex object, and the type of authentication used is to authenticate the station is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.
etsysMultiAuthFailed NOTIFICATION-TYPE An etsysMultiAuthFailed trap signifies that the SNMP entity, acting in an agent role, has identified a station that attempted and subsequently failed to authenticate on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station that attempted to authenticate. The interface that the station attempted to authenticate on is specified by the ifIndex object, and the type of authentication attempted is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.
etsysMultiAuthTerminated NOTIFICATION-TYPE An etsysMultiAuthTerminated trap signifies that the SNMP entity, acting in an agent role, has terminated the authentication of a station on one of its interfaces. The included objects of etsysMultiAuthStationAddrType and etsysMultiAuthStationAddr uniquely identify the station for which authentication was terminated. The interface that the station was previously authenticated on is specified by the ifIndex object, and the type of authentication that the station was terminated for is specified by the etsysMultiAuthSessionAgentType object. This trap will only be generated on interfaces that are in the authOptional(3) or authRequired(4) state.
etsysMultiAuthMaxNumUsersReached NOTIFICATION-TYPE An etsysMultiAuthMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, has an interface where subsequent to a successful authentication, the number of current sessions on the interface equals the maximum number of sessions allowed for that interface. The interface that the maximum number of sessions has been reached is specified by the ifIndex object.
etsysMultiAuthModuleMaxNumUsersReached NOTIFICATION-TYPE An etsysMultiAuthModuleMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, has a module where subsequent to a successful authentication, the number of current sessions on the module equals the maximum number of sessions allowed for that module. The module that the maximum number of sessions has been reached is specified by the entPhysicalIndex object.
etsysMultiAuthSystemMaxNumUsersReached NOTIFICATION-TYPE An etsysMultiAuthSystemMaxNumUsersReached trap signifies that the SNMP entity, acting in an agent role, where subsequent to a successful authentication, has the number of current sessions on the system equals the maximum number of sessions allowed for that system, .