Bridge Working Group                                        K.C. Norseth
INTERNET-DRAFT                                        L-3 Communications
                                                           November 2003
Expires May 2004

        Definitions for Port Access Control (IEEE 802.1X) MIB
                   draft-ietf-bridge-8021x-03.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026, except that the right to produce
   derivative works is not granted, other than to extract the MIB
   module in Section 4 as-is for separate use.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

IESG Note

   This document is not the product of an IETF Working Group. The IETF
   currently has no effort underway to standardize the Port Access
   Control (IEEE 802.1X) MIB.

Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in TCP/IP-based
   internets. In particular, it defines objects for managing the
   operation of Port Access Control, based on the specification
   contained in Clause 8 and Clause 9 of the IEEE 802.1X standard. This
   clause includes a MIB module that is SNMPv2 SMI compliant.

Bridge Working Group         Expires May 2004                   [Page 1]

Internet Draft      Port Access Control (802.1X) MIB    November 8, 2003

   This standard defines a mechanism for Port-based network access
   control that makes use of the physical access characteristics of
   IEEE 802 LAN infrastructures in order to provide a means of
   authenticating and authorizing devices attached to a LAN port that
   has point-to-point connection characteristics, and of preventing
   access to that port in cases in which the authentication and
   authorization process fails. This standard is part of a family of
   standards for local and metropolitan area networks.

   This draft is written within the IEEE 802.1X working group and is
   being presented to the IETF for informational purposes.

Table of Contents

   1. Introduction
   2. Overview
   2.1. Scope
   3. Structure of MIB
   3.1 Relationship to the managed objects defined in IEEE 802.1X
   3.2 The PAE System Group
   3.3 The PAE Authenticator Group
   3.4 The PAE Supplicant Group
   3.5 Relationship to other MIBs
   3.6 Relationship to the Interfaces MIB
   4 Definitions for the 802.1X-MIB
   5. Intellectual Property
   6. Acknowledgements
   7. Normative References
   8. Informative References
   9. Security Considerations
   10. Author's Address
   11. Change Log
   12. Full Copyright Statement

1. Introduction

   The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and
      RFC 1215 [RFC1215]. The second version, called SMIv2, is
      described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579
      [RFC2579] and STD 58, RFC 2580 [RFC2580].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157]. A second version of the
      SNMP message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [RFC1901]
      and RFC 1906 [RFC1906]. The third version of the message protocol
      is called SNMPv3 and described in RFC 1906 [RFC1906], RFC 2572
      [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [RFC1905].

   o  A set of fundamental applications described in RFC 2573 [RFC2573]
      and the view-based access control mechanism described in RFC 2575
      [RFC2575].

   A more detailed introduction to the current SNMP Management
   Framework can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.
   A MIB conforming to the SMIv1 can be produced through the
   appropriate translations. The resulting translated MIB must be
   semantically equivalent, except where objects or events are omitted
   because no translation is possible (use of Counter64). Some machine
   readable information in SMIv2 will be converted into textual
   descriptions in SMIv1 during the translation process. However, this
   loss of machine readable information is not considered to change the
   semantics of the MIB.

2. Overview

   Local Area Networks (or LANs; see 3.4 in IEEE Std 802.1D, 1998
   Edition) are often deployed in environments that permit unauthorized
   devices to be physically attached to the LAN infrastructure, or
   permit unauthorized users to attempt to access the LAN through
   equipment already attached. Examples of such environments include
   corporate LANs that provide LAN connectivity in areas of a building
   that are accessible to the general public, and LANs that are
   deployed by one organization in order to offer connectivity services
   to other organizations (for example, as may occur in a business park
   or a serviced office building). In such environments, it is
   desirable to restrict access to the services offered by the LAN to
   those users and devices that are permitted to make use of those
   services.

   Port-based network access control makes use of the physical access
   characteristics of IEEE 802 LAN infrastructures in order to provide
   a means of authenticating and authorizing devices attached to a LAN
   port that has point-to-point connection characteristics, and of
   preventing access to that port in cases in which the authentication
   and authorization process fails. A port in this context is a single
   point of attachment to the LAN infrastructure.
   Examples of ports in which the use of authentication can be
   desirable include the Ports of MAC Bridges (as specified in IEEE
   802.1D), the ports used to attach servers or routers to the LAN
   infrastructure, and associations between stations and access points
   in IEEE 802.11 Wireless LANs.

2.1. Scope

   The purpose of this document is to specify how the management
   operations are made available to a remote manager using the protocol
   and architectural description provided by the Simple Network
   Management Protocol (SNMP). This MIB is the republishing of the IEEE
   Definitions for Port Access Control MIB (802.1X) defined in the
   802.1X specification document.

3. Structure of MIB

   A single MIB module is defined in this clause. Objects in the MIB
   are arranged into groups. Each group is organized as a set of
   related objects. The overall structure and assignment of objects to
   their groups is shown in the following subclauses.

   10.4.1 Relationship to the managed objects defined in IEEE 802.1X
   Clause 9.

   The following table contains cross-references between the objects
   defined in IEEE 802.1X Clause 9 and the MIB objects defined in this
   clause.

3.1 Relationship to the managed objects defined in IEEE 802.1X

   Note: The section numbers in the table (9.4.3 Authenticator
   Diagnostics, 9.4.4 Authenticator Session Statistics, etc.) refer to
   sections of the IEEE 802.1X specification document, not to sections
   of this document.

   Definition in IEEE 802.1X Clause 9        MIB object(s)
   --------------------------------------    -------------------------------
     EAPOL Logoff frames received            dot1xAuthEapolLogoffFramesRx
     EAP Resp/Id frames received             dot1xAuthEapolRespIdFramesRx
     EAP Response frames received            dot1xAuthEapolRespFramesRx
     EAP Req/Id frames transmitted           dot1xAuthEapolReqIdFramesTx
     EAP Request frames transmitted          dot1xAuthEapolReqFramesTx
     Invalid EAPOL frames received           dot1xAuthInvalidEapolFramesRx
     EAP length error frames received        dot1xAuthEapLengthErrorFramesRx
     Last EAPOL frame version                dot1xAuthLastEapolFrameVersion
     Last EAPOL frame source                 dot1xAuthLastEapolFrameSource

   9.4.3 Authenticator Diagnostics           dot1xAuthDiagTable
     authEntersConnecting                    dot1xAuthEntersConnecting
     authEapLogoffsWhileConnecting           dot1xAuthEapLogoffsWhileConnecting
     authEntersAuthenticating                dot1xAuthEntersAuthenticating
     authAuthSuccessWhileAuthenticating      dot1xAuthAuthSuccessWhileAuthenticating
     authAuthTimeoutsWhileAuthenticating     dot1xAuthAuthTimeoutsWhileAuthenticating
     authAuthFailWhileAuthenticating         dot1xAuthAuthFailWhileAuthenticating
     authAuthReauthsWhileAuthenticating      dot1xAuthAuthReauthsWhileAuthenticating
     authAuthEapStartsWhileAuthenticating    dot1xAuthAuthEapStartsWhileAuthenticating
     authAuthLogoffWhileAuthenticating       dot1xAuthAuthEapLogoffWhileAuthenticating
     authAuthReauthsWhileAuthenticated       dot1xAuthAuthReauthsWhileAuthenticated
     authAuthEapStartsWhileAuthenticated     dot1xAuthAuthEapStartsWhileAuthenticated
     authAuthLogoffWhileAuthenticated        dot1xAuthAuthEapLogoffWhileAuthenticated
     backendResponses                        dot1xAuthBackendResponses
     backendAccessChallenges                 dot1xAuthBackendAccessChallenges
     backendOtherRequestsToSupplicant        dot1xAuthBackendOtherRequestsToSupplicant
     backendNonNakResponsesFromSupplicant    dot1xAuthBackendNonNakResponsesFromSupplicant
     backendAuthSuccesses                    dot1xAuthBackendAuthSuccesses
     backendAuthFails                        dot1xAuthBackendAuthFails

   9.4.4 Authenticator Session Statistics    dot1xAuthSessionStatsTable
     Port number                             dot1xPaePortNumber (table index)
     Session Octets Received                 dot1xAuthSessionOctetsRx
     Session Octets Transmitted              dot1xAuthSessionOctetsTx
     Session Frames Received                 dot1xAuthSessionFramesRx
     Session Frames Transmitted              dot1xAuthSessionFramesTx
     Session Identifier                      dot1xAuthSessionId
     Session Authentication Method           dot1xAuthSessionAuthenticMethod
     Session Time                            dot1xAuthSessionTime
     Session Terminate Cause                 dot1xAuthSessionTerminateCause
     Session User Name                       dot1xAuthSessionUserName

   9.5.1 Supplicant Configuration            dot1xSuppConfigTable
     Port number                             dot1xPaePortNumber (table index)
     Supplicant PAE State                    dot1xSuppPaeState
     heldPeriod                              dot1xSuppHeldPeriod
     authPeriod                              dot1xSuppAuthPeriod
     startPeriod                             dot1xSuppStartPeriod
     maxStart                                dot1xSuppMaxStart

   9.5.2 Supplicant Statistics               dot1xSuppStatsTable
     Port number                             dot1xPaePortNumber (table index)
     EAPOL frames received                   dot1xSuppEapolFramesRx
     EAPOL frames transmitted                dot1xSuppEapolFramesTx
     EAPOL Start frames transmitted          dot1xSuppEapolStartFramesTx
     EAPOL Logoff frames transmitted         dot1xSuppEapolLogoffFramesTx
     EAP Resp/Id frames transmitted          dot1xSuppEapolRespIdFramesTx
     EAP Response frames transmitted         dot1xSuppEapolRespFramesTx
     EAP Req/Id frames received              dot1xSuppEapolReqIdFramesRx
     EAP Request frames received             dot1xSuppEapolReqFramesRx
     Invalid EAPOL frames received           dot1xSuppInvalidEapolFramesRx
     EAP length error frames received        dot1xSuppEapLengthErrorFramesRx
     Last EAPOL frame version                dot1xSuppLastEapolFrameVersion
     Last EAPOL frame source                 dot1xSuppLastEapolFrameSource

3.2 The PAE System Group

   This group of objects provides management functionality that is not
   specific to the operation of either of the two PAE roles (Supplicant
   and Authenticator).
   A means of enabling and disabling the operation of Port Access
   Control for the entire system is provided, plus a per-Port
   indication of the protocol version supported and the PAE roles
   supported by the port. As it is not mandatory for all Ports of a
   System to support PAE functionality, there may be Port entries that
   indicate Ports that support neither Supplicant nor Authenticator
   functionality.

3.3 The PAE Authenticator Group

   This group of objects provides, for each Port of an Authenticator
   [8021XAUTH], the functionality necessary to allow configuration of
   the operation of the Authenticator PAE, recording and retrieving
   statistical information relating to the operation of the
   Authenticator PAE, and recording and retrieving information relating
   to a session (i.e., the period of time between consecutive
   authentications on the Port).

3.4 The PAE Supplicant Group

   This group of objects provides, for each Port of a Supplicant
   [8021XSUPP], the functionality necessary to allow configuration of
   the operation of the Supplicant PAE, and recording and retrieving
   statistical information relating to the operation of the
   Authenticator PAE.

3.5 Relationship to other MIBs

   It is assumed that a system implementing this MIB will also
   implement (at least) the system group of MIB-II defined in IETF
   RFC 1213 and the interfaces group defined in IETF RFC 2863.

3.6 Relationship to the Interfaces MIB

   IETF RFC 2863, the Interface MIB Evolution, requires that any MIB
   that is an adjunct of the Interface MIB clarify specific areas
   within the Interface MIB. These areas were intentionally left vague
   in IETF RFC 2863 to avoid overconstraining the MIB, thereby
   precluding management of certain media types.

   Section 3.3 of IETF RFC 2863 enumerates several areas that a
   media-specific MIB must clarify. Each of these areas is addressed in
   a following subsection.
   The implementor is referred to IETF RFC 2863 in order to understand
   the general intent of these areas.

   In IETF RFC 2863, the interfaces group is defined as being mandatory
   for all systems and contains information on an entity's interfaces,
   where each interface is thought of as being attached to a
   subnetwork. (Note that this term is not to be confused with subnet,
   which refers to an addressing partitioning scheme used in the
   Internet suite of protocols.) The term segment is sometimes used to
   refer to such a subnetwork.

   Where Port numbers are used in this standard to identify Ports of a
   System, these numbers are equal to the ifIndex value for the
   interface for the corresponding Port.

4 Definitions for the 802.1X-MIB

   In the MIB definition below, should any discrepancy between the
   DESCRIPTION text and the corresponding definition in IEEE 802.1X
   Clause 9 occur, the definition in IEEE 802.1X Clause 9 shall take
   precedence.

   The MIB module below was originally published on-line as:
   http://www.ieee802.org/1/files/public/MIBs/802-1x-2001-mib.txt

   The text that follows includes certain corrections relative to the
   original version that were necessary in order to get the module to
   compile. These changes were:

   - Replaced all non-ascii double quotes and apostrophes by the
     equivalent ASCII characters;
   - In the MODULE-IDENTITY value assignment changed "iso(1)" to "iso";
   - Added dot1xPaePortReauthenticate and dot1xAuthSessionUserName to
     the appropriate conformance groups.
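
   The following is an added example, not part of the draft or of the
   IEEE module: it decodes a numeric walk of dot1xAuthConfigTable into
   the enumerations this MIB defines and lists Ports whose controlled
   Port is not subject to ongoing authentication. The walk lines are
   constructed sample data in the style of net-snmp "snmpwalk -On"
   output, and the two flagged conditions are an assumed local policy,
   not a requirement of IEEE 802.1X.

```python
import re

# OID of dot1xAuthConfigEntry, built from the module's own assignments:
#   ieee8021paeMIB        = iso(1).std(0).iso8802(8802).ieee802dot1(1)
#                           .ieee802dot1mibs(1).1
#   paeMIBObjects         = ieee8021paeMIB.1
#   dot1xPaeAuthenticator = paeMIBObjects.2
#   dot1xAuthConfigTable  = dot1xPaeAuthenticator.1, dot1xAuthConfigEntry = .1
CONFIG_ENTRY = "1.0.8802.1.1.1.1.2.1.1"

# Column number -> (object name, enumeration or None for plain integers).
# Enumerations are copied from the module; TruthValue is from SNMPv2-TC.
COLUMNS = {
    1: ("dot1xAuthPaeState", {
        1: "initialize", 2: "disconnected", 3: "connecting",
        4: "authenticating", 5: "authenticated", 6: "aborting",
        7: "held", 8: "forceAuth", 9: "forceUnauth"}),
    5: ("dot1xAuthAuthControlledPortStatus",
        {1: "authorized", 2: "unauthorized"}),
    6: ("dot1xAuthAuthControlledPortControl",
        {1: "forceUnauthorized", 2: "auto", 3: "forceAuthorized"}),
    12: ("dot1xAuthReAuthPeriod", None),
    13: ("dot1xAuthReAuthEnabled", {1: "true", 2: "false"}),
}

# Constructed sample input (not captured from a real device). The last
# OID arc is dot1xPaePortNumber, which equals the ifIndex of the Port.
SAMPLE_WALK = """\
.1.0.8802.1.1.1.1.2.1.1.1.1 = INTEGER: 5
.1.0.8802.1.1.1.1.2.1.1.5.1 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.6.1 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.12.1 = Gauge32: 3600
.1.0.8802.1.1.1.1.2.1.1.13.1 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.1.2 = INTEGER: 8
.1.0.8802.1.1.1.1.2.1.1.5.2 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.6.2 = INTEGER: forceAuthorized(3)
.1.0.8802.1.1.1.1.2.1.1.13.2 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.1.3 = INTEGER: 5
.1.0.8802.1.1.1.1.2.1.1.6.3 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.13.3 = INTEGER: false(2)
.1.3.6.1.2.1.2.2.1.2.3 = STRING: "constructed-if3"
"""

# <entry>.<column>.<port> = <TYPE>: <number> or <TYPE>: <label>(<number>)
LINE = re.compile(
    r"^\.?" + re.escape(CONFIG_ENTRY)
    + r"\.(\d+)\.(\d+) = \w+: (?:[\w-]+\()?(\d+)\)?\s*$")


def parse_walk(text):
    """Return {port number: {object name: decoded value}}."""
    ports = {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # row from another table, or not a walk line
        column, port, value = (int(g) for g in match.groups())
        if column not in COLUMNS:
            continue
        name, enum = COLUMNS[column]
        decoded = enum.get(value, f"unknown({value})") if enum else value
        ports.setdefault(port, {})[name] = decoded
    return ports


def audit(ports):
    """Return (port, finding) pairs under the assumed policy."""
    findings = []
    for port in sorted(ports):
        row = ports[port]
        control = row.get("dot1xAuthAuthControlledPortControl")
        if control is None:
            findings.append(
                (port, "no dot1xAuthAuthControlledPortControl in walk"))
        elif control == "forceAuthorized":
            findings.append(
                (port, "forceAuthorized: Port authorized without "
                       "authentication"))
        elif control == "auto" and row.get("dot1xAuthReAuthEnabled") != "true":
            findings.append(
                (port, "auto, but periodic reauthentication is disabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_walk(SAMPLE_WALK)):
        print(f"ifIndex {port}: {finding}")
```
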

IEEE8021-PAE-MIB DEFINITIONS ::= BEGIN

-- ---------------------------------------------------------- --
-- IEEE 802.1X MIB
-- ---------------------------------------------------------- --

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Unsigned32, TimeTicks
        FROM SNMPv2-SMI
    MacAddress, TEXTUAL-CONVENTION, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InterfaceIndex
        FROM IF-MIB
    ;

ieee8021paeMIB MODULE-IDENTITY
    LAST-UPDATED "200309050000Z"
    ORGANIZATION "IEEE 802.1 Working Group"
    CONTACT-INFO
        "http://grouper.ieee.org/groups/802/1/index.html"
    DESCRIPTION
        "The Port Access Entity module for managing IEEE
        802.1X."

    REVISION     "200309050000Z"
    DESCRIPTION
        "The IETF published version as in RFC xxxx.
        The IETF Bridge-mib WG made the following changes:
        - Replaced all non-ascii double quotes and
          apostrophes by the equivalent ASCII characters;
        - In the MODULE-IDENTITY value assignment changed
          'iso(1)' to 'iso';
        - Added dot1xPaePortReauthenticate and
          dot1xAuthSessionUserName to the appropriate
          conformance groups.
        "

    REVISION     "200101160000Z" -- Jan 16th, 2001
    DESCRIPTION
        "The initial and authoritative version as published at:
        http://www.ieee802.org/1/files/public/MIBs/802-1x-2001-mib.txt
        "

    ::= { iso std(0) iso8802(8802) ieee802dot1(1)
          ieee802dot1mibs(1) 1 }

paeMIBObjects OBJECT IDENTIFIER ::= { ieee8021paeMIB 1 }

-- ---------------------------------------------------------- --
-- Textual Conventions
-- ---------------------------------------------------------- --

PaeControlledDirections ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The control mode values for the Authenticator PAE."
    SYNTAX      INTEGER {
                    both(0),
                    in(1)
                }

PaeControlledPortStatus ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The status values of the Authenticator PAE controlled
        Port."
    SYNTAX      INTEGER {
                    authorized(1),
                    unauthorized(2)
                }

PaeControlledPortControl ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "The control values of the Authenticator PAE controlled
        Port."
    SYNTAX      INTEGER {
                    forceUnauthorized(1),
                    auto(2),
                    forceAuthorized(3)
                }

-- ---------------------------------------------------------- --
-- ---------------------------------------------------------- --
-- groups in the PAE MIB
-- ---------------------------------------------------------- --

dot1xPaeSystem        OBJECT IDENTIFIER ::= { paeMIBObjects 1 }
dot1xPaeAuthenticator OBJECT IDENTIFIER ::= { paeMIBObjects 2 }
dot1xPaeSupplicant    OBJECT IDENTIFIER ::= { paeMIBObjects 3 }

-- ---------------------------------------------------------- --
-- ---------------------------------------------------------- --
-- The PAE System Group
-- ---------------------------------------------------------- --

dot1xPaeSystemAuthControl OBJECT-TYPE
    SYNTAX      INTEGER { enabled(1), disabled(2) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The administrative enable/disable state for
        Port Access Control in a System."
    REFERENCE
        "9.6.1, SystemAuthControl"
    ::= { dot1xPaeSystem 1 }

-- ---------------------------------------------------------- --
-- The PAE Port Table
-- ---------------------------------------------------------- --

dot1xPaePortTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xPaePortEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of system level information for each port
        supported by the Port Access Entity. An entry appears
        in this table for each port of this system."
    REFERENCE
        "9.6.1"
    ::= { dot1xPaeSystem 2 }

dot1xPaePortEntry OBJECT-TYPE
    SYNTAX      Dot1xPaePortEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Port number, protocol version, and
        initialization control for a Port."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xPaePortTable 1 }

Dot1xPaePortEntry ::=
    SEQUENCE {
        dot1xPaePortNumber
            InterfaceIndex,
        dot1xPaePortProtocolVersion
            Unsigned32,
        dot1xPaePortCapabilities
            BITS,
        dot1xPaePortInitialize
            TruthValue,
        dot1xPaePortReauthenticate
            TruthValue
    }

dot1xPaePortNumber OBJECT-TYPE
    SYNTAX      InterfaceIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The Port number associated with this Port."
    REFERENCE
        "9.6.1, Port number"
    ::= { dot1xPaePortEntry 1 }

dot1xPaePortProtocolVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version associated with this Port."
    REFERENCE
        "9.6.1, Protocol version"
    ::= { dot1xPaePortEntry 2 }

dot1xPaePortCapabilities OBJECT-TYPE
    SYNTAX      BITS {
                    dot1xPaePortAuthCapable(0),
                        -- Authenticator functions are supported
                    dot1xPaePortSuppCapable(1)
                        -- Supplicant functions are supported
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the PAE functionality that this Port
        supports and that may be managed through this MIB."
    REFERENCE
        "9.6.1, PAE Capabilities"
    ::= { dot1xPaePortEntry 3 }

dot1xPaePortInitialize OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The initialization control for this Port. Setting this
        attribute TRUE causes the Port to be initialized.
        The attribute value reverts to FALSE once
        initialization has completed."
    REFERENCE
        "9.6.1.2, Initialize Port"
    ::= { dot1xPaePortEntry 4 }

dot1xPaePortReauthenticate OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The reauthentication control for this port.
        Setting this attribute TRUE causes the Authenticator
        PAE state machine for the Port to reauthenticate the
        Supplicant. Setting this attribute FALSE has no effect.
        This attribute always returns FALSE when it is read."
    REFERENCE
        "9.4.1.3 Reauthenticate"
    ::= { dot1xPaePortEntry 5 }

-- ---------------------------------------------------------- --
-- The PAE Authenticator Group
-- ---------------------------------------------------------- --
-- ---------------------------------------------------------- --
-- The Authenticator Configuration Table
-- ---------------------------------------------------------- --

dot1xAuthConfigTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the configuration objects for
        the Authenticator PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.1 Authenticator Configuration"
    ::= { dot1xPaeAuthenticator 1 }

dot1xAuthConfigEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The configuration information for an Authenticator
        PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthConfigTable 1 }

Dot1xAuthConfigEntry ::=
    SEQUENCE {
        dot1xAuthPaeState
            INTEGER,
        dot1xAuthBackendAuthState
            INTEGER,
        dot1xAuthAdminControlledDirections
            PaeControlledDirections,
        dot1xAuthOperControlledDirections
            PaeControlledDirections,
        dot1xAuthAuthControlledPortStatus
            PaeControlledPortStatus,
        dot1xAuthAuthControlledPortControl
            PaeControlledPortControl,
        dot1xAuthQuietPeriod
            Unsigned32,
        dot1xAuthTxPeriod
            Unsigned32,
        dot1xAuthSuppTimeout
            Unsigned32,
        dot1xAuthServerTimeout
            Unsigned32,
        dot1xAuthMaxReq
            Unsigned32,
        dot1xAuthReAuthPeriod
            Unsigned32,
        dot1xAuthReAuthEnabled
            TruthValue,
        dot1xAuthKeyTxEnabled
            TruthValue
    }

dot1xAuthPaeState OBJECT-TYPE
    SYNTAX      INTEGER {
                    initialize(1),
                    disconnected(2),
                    connecting(3),
                    authenticating(4),
                    authenticated(5),
                    aborting(6),
                    held(7),
                    forceAuth(8),
                    forceUnauth(9)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, Authenticator PAE state"
    ::= { dot1xAuthConfigEntry 1 }

dot1xAuthBackendAuthState OBJECT-TYPE
    SYNTAX      INTEGER {
                    request(1),
                    response(2),
                    success(3),
                    fail(4),
                    timeout(5),
                    idle(6),
                    initialize(7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the Backend Authentication
        state machine."
    REFERENCE
        "9.4.1, Backend Authentication state"
    ::= { dot1xAuthConfigEntry 2 }

dot1xAuthAdminControlledDirections OBJECT-TYPE
    SYNTAX      PaeControlledDirections
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The current value of the administrative controlled
        directions parameter for the Port."
    REFERENCE
        "9.4.1, Admin Control Mode"
    ::= { dot1xAuthConfigEntry 3 }

dot1xAuthOperControlledDirections OBJECT-TYPE
    SYNTAX      PaeControlledDirections
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the operational controlled
        directions parameter for the Port."
    REFERENCE
        "9.4.1, Oper Control Mode"
    ::= { dot1xAuthConfigEntry 4 }

dot1xAuthAuthControlledPortStatus OBJECT-TYPE
    SYNTAX      PaeControlledPortStatus
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current value of the controlled Port
        status parameter for the Port."
    REFERENCE
        "9.4.1, AuthControlledPortStatus"
    ::= { dot1xAuthConfigEntry 5 }

dot1xAuthAuthControlledPortControl OBJECT-TYPE
    SYNTAX      PaeControlledPortControl
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The current value of the controlled Port
        control parameter for the Port."
    REFERENCE
        "9.4.1, AuthControlledPortControl"
    ::= { dot1xAuthConfigEntry 6 }

dot1xAuthQuietPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the quietPeriod constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, quietPeriod"
    DEFVAL { 60 }
    ::= { dot1xAuthConfigEntry 7 }

dot1xAuthTxPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the txPeriod constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, txPeriod"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 8 }

dot1xAuthSuppTimeout OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the suppTimeout constant
        currently in use by the Backend Authentication state
        machine."
    REFERENCE
        "9.4.1, suppTimeout"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 9 }

dot1xAuthServerTimeout OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the serverTimeout constant
        currently in use by the Backend Authentication state
        machine."
    REFERENCE
        "9.4.1, serverTimeout"
    DEFVAL { 30 }
    ::= { dot1xAuthConfigEntry 10 }

dot1xAuthMaxReq OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the maxReq constant currently in use by
        the Backend Authentication state machine."
    REFERENCE
        "9.4.1, maxReq"
    DEFVAL { 2 }
    ::= { dot1xAuthConfigEntry 11 }

dot1xAuthReAuthPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the reAuthPeriod constant
        currently in use by the Reauthentication Timer state
        machine."
    REFERENCE
        "9.4.1, reAuthPeriod"
    DEFVAL { 3600 }
    ::= { dot1xAuthConfigEntry 12 }

dot1xAuthReAuthEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The enable/disable control used by the
        Reauthentication Timer state machine (8.5.5.1)."
    REFERENCE
        "9.4.1, reAuthEnabled"
    DEFVAL { false }
    ::= { dot1xAuthConfigEntry 13 }

dot1xAuthKeyTxEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the keyTransmissionEnabled constant
        currently in use by the Authenticator PAE state
        machine."
    REFERENCE
        "9.4.1, keyTransmissionEnabled"
    ::= { dot1xAuthConfigEntry 14 }

-- ---------------------------------------------------------- --
-- The Authenticator Statistics Table
-- ---------------------------------------------------------- --

dot1xAuthStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the statistics objects for the
        Authenticator PAE associated with each Port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.2 Authenticator Statistics"
    ::= { dot1xPaeAuthenticator 2 }

dot1xAuthStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The statistics information for an Authenticator PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthStatsTable 1 }

Dot1xAuthStatsEntry ::=
    SEQUENCE {
        dot1xAuthEapolFramesRx
            Counter32,
        dot1xAuthEapolFramesTx
            Counter32,
        dot1xAuthEapolStartFramesRx
            Counter32,
        dot1xAuthEapolLogoffFramesRx
            Counter32,
        dot1xAuthEapolRespIdFramesRx
            Counter32,
        dot1xAuthEapolRespFramesRx
            Counter32,
        dot1xAuthEapolReqIdFramesTx
            Counter32,
        dot1xAuthEapolReqFramesTx
            Counter32,
        dot1xAuthInvalidEapolFramesRx
            Counter32,
        dot1xAuthEapLengthErrorFramesRx
            Counter32,
        dot1xAuthLastEapolFrameVersion
            Unsigned32,
        dot1xAuthLastEapolFrameSource
            MacAddress
    }

dot1xAuthEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAPOL frames of any type
        that have been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL frames received"
    ::= { dot1xAuthStatsEntry 1 }

dot1xAuthEapolFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL frames transmitted"
    ::= { dot1xAuthStatsEntry 2 }

dot1xAuthEapolStartFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Start frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Start frames received"
    ::= { dot1xAuthStatsEntry 3 }

dot1xAuthEapolLogoffFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Logoff frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Logoff frames received"
    ::= { dot1xAuthStatsEntry 4 }

dot1xAuthEapolRespIdFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Resp/Id frames that have
        been received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Resp/Id frames received"
    ::= { dot1xAuthStatsEntry 5 }

dot1xAuthEapolRespFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAP Response frames
        (other than Resp/Id frames) that have been
        received by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Response frames received"
    ::= { dot1xAuthStatsEntry 6 }

dot1xAuthEapolReqIdFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Req/Id frames that have been
        transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Req/Id frames transmitted"
    ::= { dot1xAuthStatsEntry 7 }

dot1xAuthEapolReqFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Request frames
        (other than Rq/Id frames) that have been
        transmitted by this Authenticator."
    REFERENCE
        "9.4.2, EAPOL Request frames transmitted"
    ::= { dot1xAuthStatsEntry 8 }

dot1xAuthInvalidEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Authenticator in which the
        frame type is not recognized."
    REFERENCE
        "9.4.2, Invalid EAPOL frames received"
    ::= { dot1xAuthStatsEntry 9 }

dot1xAuthEapLengthErrorFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been received
        by this Authenticator in which the Packet Body
        Length field is invalid."
    REFERENCE
        "9.4.2, EAP length error frames received"
    ::= { dot1xAuthStatsEntry 10 }

dot1xAuthLastEapolFrameVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version number carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.4.2, Last EAPOL frame version"
    ::= { dot1xAuthStatsEntry 11 }

dot1xAuthLastEapolFrameSource OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source MAC address carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.4.2, Last EAPOL frame source"
    ::= { dot1xAuthStatsEntry 12 }

-- ---------------------------------------------------------- --
-- The Authenticator Diagnostics Table
-- ---------------------------------------------------------- --

dot1xAuthDiagTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthDiagEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the diagnostics objects for the
        Authenticator PAE associated with each Port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.3 Authenticator Diagnostics"
    ::= { dot1xPaeAuthenticator 3 }

dot1xAuthDiagEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthDiagEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The diagnostics information for an Authenticator PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthDiagTable 1 }

Dot1xAuthDiagEntry ::=
    SEQUENCE {
        dot1xAuthEntersConnecting                      Counter32,
        dot1xAuthEapLogoffsWhileConnecting             Counter32,
        dot1xAuthEntersAuthenticating                  Counter32,
        dot1xAuthAuthSuccessWhileAuthenticating        Counter32,
        dot1xAuthAuthTimeoutsWhileAuthenticating       Counter32,
        dot1xAuthAuthFailWhileAuthenticating           Counter32,
        dot1xAuthAuthReauthsWhileAuthenticating        Counter32,
        dot1xAuthAuthEapStartsWhileAuthenticating      Counter32,
        dot1xAuthAuthEapLogoffWhileAuthenticating      Counter32,
        dot1xAuthAuthReauthsWhileAuthenticated         Counter32,
        dot1xAuthAuthEapStartsWhileAuthenticated       Counter32,
        dot1xAuthAuthEapLogoffWhileAuthenticated       Counter32,
        dot1xAuthBackendResponses                      Counter32,
        dot1xAuthBackendAccessChallenges               Counter32,
        dot1xAuthBackendOtherRequestsToSupplicant      Counter32,
        dot1xAuthBackendNonNakResponsesFromSupplicant  Counter32,
        dot1xAuthBackendAuthSuccesses                  Counter32,
        dot1xAuthBackendAuthFails                      Counter32
    }

dot1xAuthEntersConnecting OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions to the CONNECTING state from any other
        state."
    REFERENCE
        "9.4.2, 8.5.4.2.1"
    ::= { dot1xAuthDiagEntry 1 }

dot1xAuthEapLogoffsWhileConnecting OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from CONNECTING to DISCONNECTED as a result
        of receiving an EAPOL-Logoff message."
    REFERENCE
        "9.4.2, 8.5.4.2.2"
    ::= { dot1xAuthDiagEntry 2 }

dot1xAuthEntersAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from CONNECTING to AUTHENTICATING, as a
        result of an EAP-Response/Identity message being
        received from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.3"
    ::= { dot1xAuthDiagEntry 3 }

dot1xAuthAuthSuccessWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to AUTHENTICATED, as a
        result of the Backend Authentication state machine
        indicating successful authentication of the Supplicant
        (authSuccess = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.4"
    ::= { dot1xAuthDiagEntry 4 }

dot1xAuthAuthTimeoutsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of the Backend Authentication state machine indicating
        authentication timeout (authTimeout = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.5"
    ::= { dot1xAuthDiagEntry 5 }

dot1xAuthAuthFailWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to HELD, as a result
        of the Backend Authentication state machine indicating
        authentication failure (authFail = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.6"
    ::= { dot1xAuthDiagEntry 6 }

dot1xAuthAuthReauthsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of a reauthentication request (reAuthenticate = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.7"
    ::= { dot1xAuthDiagEntry 7 }

dot1xAuthAuthEapStartsWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of an EAPOL-Start message being received
        from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.8"
    ::= { dot1xAuthDiagEntry 8 }

dot1xAuthAuthEapLogoffWhileAuthenticating OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATING to ABORTING, as a result
        of an EAPOL-Logoff message being received
        from the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.9"
    ::= { dot1xAuthDiagEntry 9 }

dot1xAuthAuthReauthsWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to CONNECTING, as a
        result of a reauthentication request
        (reAuthenticate = TRUE)."
    REFERENCE
        "9.4.2, 8.5.4.2.10"
    ::= { dot1xAuthDiagEntry 10 }

dot1xAuthAuthEapStartsWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to CONNECTING, as a
        result of an EAPOL-Start message being received from the
        Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.11"
    ::= { dot1xAuthDiagEntry 11 }

dot1xAuthAuthEapLogoffWhileAuthenticated OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        transitions from AUTHENTICATED to DISCONNECTED, as a
        result of an EAPOL-Logoff message being received from
        the Supplicant."
    REFERENCE
        "9.4.2, 8.5.4.2.12"
    ::= { dot1xAuthDiagEntry 12 }

dot1xAuthBackendResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine sends
        an initial Access-Request packet to the Authentication
        server (i.e., executes sendRespToServer on entry to the
        RESPONSE state).
        Indicates that the Authenticator attempted
        communication with the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.1"
    ::= { dot1xAuthDiagEntry 13 }

dot1xAuthBackendAccessChallenges OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an initial Access-Challenge packet from the
        Authentication server (i.e., aReq becomes TRUE,
        causing exit from the RESPONSE state). Indicates that
        the Authentication Server has communication with
        the Authenticator."
    REFERENCE
        "9.4.2, 8.5.6.2.2"
    ::= { dot1xAuthDiagEntry 14 }

dot1xAuthBackendOtherRequestsToSupplicant OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        sends an EAP-Request packet (other than an Identity,
        Notification, Failure or Success message) to the
        Supplicant (i.e., executes txReq on entry to the
        REQUEST state). Indicates that the Authenticator chose
        an EAP-method."
    REFERENCE
        "9.4.2, 8.5.6.2.3"
    ::= { dot1xAuthDiagEntry 15 }

dot1xAuthBackendNonNakResponsesFromSupplicant OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives a response from the Supplicant to an initial
        EAP-Request, and the response is something other than
        EAP-NAK (i.e., rxResp becomes TRUE, causing the state
        machine to transition from REQUEST to RESPONSE,
        and the response is not an EAP-NAK). Indicates that
        the Supplicant can respond to the Authenticator's
        chosen EAP-method."
    REFERENCE
        "9.4.2, 8.5.6.2.4"
    ::= { dot1xAuthDiagEntry 16 }

dot1xAuthBackendAuthSuccesses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an EAP-Success message from the Authentication
        Server (i.e., aSuccess becomes TRUE, causing a
        transition from RESPONSE to SUCCESS). Indicates that
        the Supplicant has successfully authenticated to
        the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.5"
    ::= { dot1xAuthDiagEntry 17 }

dot1xAuthBackendAuthFails OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Counts the number of times that the state machine
        receives an EAP-Failure message from the Authentication
        Server (i.e., aFail becomes TRUE, causing a transition
        from RESPONSE to FAIL). Indicates that the Supplicant
        has not authenticated to the Authentication Server."
    REFERENCE
        "9.4.2, 8.5.6.2.6"
    ::= { dot1xAuthDiagEntry 18 }

-- ---------------------------------------------------------- --
-- The Authenticator Session Statistics Table
-- ---------------------------------------------------------- --

dot1xAuthSessionStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xAuthSessionStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the session statistics objects
        for the Authenticator PAE associated with each Port.
        An entry appears in this table for each port that may
        authenticate access to itself."
    REFERENCE
        "9.4.4"
    ::= { dot1xPaeAuthenticator 4 }

dot1xAuthSessionStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xAuthSessionStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The session statistics information for an Authenticator
        PAE. This shows the current values being collected for
        each session that is still in progress, or the final
        values for the last valid session on each port where
        there is no session currently active."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xAuthSessionStatsTable 1 }

Dot1xAuthSessionStatsEntry ::=
    SEQUENCE {
        dot1xAuthSessionOctetsRx          Counter64,
        dot1xAuthSessionOctetsTx          Counter64,
        dot1xAuthSessionFramesRx          Counter32,
        dot1xAuthSessionFramesTx          Counter32,
        dot1xAuthSessionId                SnmpAdminString,
        dot1xAuthSessionAuthenticMethod   INTEGER,
        dot1xAuthSessionTime              TimeTicks,
        dot1xAuthSessionTerminateCause    INTEGER,
        dot1xAuthSessionUserName          SnmpAdminString
    }

dot1xAuthSessionOctetsRx OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of octets received in user data
        frames on this Port during the session."
    REFERENCE
        "9.4.4, Session Octets Received"
    ::= { dot1xAuthSessionStatsEntry 1 }

dot1xAuthSessionOctetsTx OBJECT-TYPE
    SYNTAX      Counter64
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of octets transmitted in user data
        frames on this Port during the session."
    REFERENCE
        "9.4.4, Session Octets Transmitted"
    ::= { dot1xAuthSessionStatsEntry 2 }

dot1xAuthSessionFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of user data frames received
        on this Port during the session."
    REFERENCE
        "9.4.4, Session Frames Received"
    ::= { dot1xAuthSessionStatsEntry 3 }

dot1xAuthSessionFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of user data frames transmitted
        on this Port during the session."
    REFERENCE
        "9.4.4, Session Frames Transmitted"
    ::= { dot1xAuthSessionStatsEntry 4 }

dot1xAuthSessionId OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A unique identifier for the session, in the
        form of a printable ASCII string of at least
        three characters."
    REFERENCE
        "9.4.4, Session Identifier"
    ::= { dot1xAuthSessionStatsEntry 5 }

dot1xAuthSessionAuthenticMethod OBJECT-TYPE
    SYNTAX      INTEGER {
                    remoteAuthServer(1),
                    localAuthServer(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The authentication method used to establish the
        session."
    REFERENCE
        "9.4.4, Session Authentication Method"
    ::= { dot1xAuthSessionStatsEntry 6 }

dot1xAuthSessionTime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The duration of the session in seconds."
    REFERENCE
        "9.4.4, Session Time"
    ::= { dot1xAuthSessionStatsEntry 7 }

dot1xAuthSessionTerminateCause OBJECT-TYPE
    SYNTAX      INTEGER {
                    supplicantLogoff(1),
                    portFailure(2),
                    supplicantRestart(3),
                    reauthFailed(4),
                    authControlForceUnauth(5),
                    portReInit(6),
                    portAdminDisabled(7),
                    notTerminatedYet(999)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The reason for the session termination."
    REFERENCE
        "9.4.4, Session Terminate Cause"
    ::= { dot1xAuthSessionStatsEntry 8 }

dot1xAuthSessionUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The User-Name representing the identity of the
        Supplicant PAE."
    REFERENCE
        "9.4.4, Session User Name"
    ::= { dot1xAuthSessionStatsEntry 9 }

-- ---------------------------------------------------------- --
-- The PAE Supplicant Group
-- ---------------------------------------------------------- --

-- ---------------------------------------------------------- --
-- The Supplicant Configuration Table
-- ---------------------------------------------------------- --

dot1xSuppConfigTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xSuppConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the configuration objects for the
        Supplicant PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate itself when challenged by a remote system."
    REFERENCE
        "9.5.1"
    ::= { dot1xPaeSupplicant 1 }

dot1xSuppConfigEntry OBJECT-TYPE
    SYNTAX      Dot1xSuppConfigEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The configuration information for a Supplicant PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xSuppConfigTable 1 }

Dot1xSuppConfigEntry ::=
    SEQUENCE {
        dot1xSuppPaeState       INTEGER,
        dot1xSuppHeldPeriod     Unsigned32,
        dot1xSuppAuthPeriod     Unsigned32,
        dot1xSuppStartPeriod    Unsigned32,
        dot1xSuppMaxStart       Unsigned32
    }

dot1xSuppPaeState OBJECT-TYPE
    SYNTAX      INTEGER {
                    disconnected(1),
                    logoff(2),
                    connecting(3),
                    authenticating(4),
                    authenticated(5),
                    acquired(6),
                    held(7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current state of the Supplicant PAE state
        machine (8.5.8)."
    REFERENCE
        "9.5.1, Supplicant PAE State"
    ::= { dot1xSuppConfigEntry 1 }

dot1xSuppHeldPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the heldPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, heldPeriod"
    DEFVAL { 60 }
    ::= { dot1xSuppConfigEntry 2 }

dot1xSuppAuthPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the authPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, authPeriod"
    DEFVAL { 30 }
    ::= { dot1xSuppConfigEntry 3 }

dot1xSuppStartPeriod OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value, in seconds, of the startPeriod
        constant currently in use by the Supplicant
        PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, startPeriod"
    DEFVAL { 30 }
    ::= { dot1xSuppConfigEntry 4 }

dot1xSuppMaxStart OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the maxStart constant currently in use by
        the Supplicant PAE state machine (8.5.8.1.2)."
    REFERENCE
        "9.5.1, maxStart"
    DEFVAL { 3 }
    ::= { dot1xSuppConfigEntry 5 }

-- ---------------------------------------------------------- --
-- The Supplicant Statistics Table
-- ---------------------------------------------------------- --

dot1xSuppStatsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF Dot1xSuppStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the statistics objects for the
        Supplicant PAE associated with each port.
        An entry appears in this table for each port that may
        authenticate itself when challenged by a remote system."
    REFERENCE
        "9.5.2"
    ::= { dot1xPaeSupplicant 2 }

dot1xSuppStatsEntry OBJECT-TYPE
    SYNTAX      Dot1xSuppStatsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The statistics information for a Supplicant PAE."
    INDEX { dot1xPaePortNumber }
    ::= { dot1xSuppStatsTable 1 }

Dot1xSuppStatsEntry ::=
    SEQUENCE {
        dot1xSuppEapolFramesRx            Counter32,
        dot1xSuppEapolFramesTx            Counter32,
        dot1xSuppEapolStartFramesTx       Counter32,
        dot1xSuppEapolLogoffFramesTx      Counter32,
        dot1xSuppEapolRespIdFramesTx      Counter32,
        dot1xSuppEapolRespFramesTx        Counter32,
        dot1xSuppEapolReqIdFramesRx       Counter32,
        dot1xSuppEapolReqFramesRx         Counter32,
        dot1xSuppInvalidEapolFramesRx     Counter32,
        dot1xSuppEapLengthErrorFramesRx   Counter32,
        dot1xSuppLastEapolFrameVersion    Unsigned32,
        dot1xSuppLastEapolFrameSource     MacAddress
    }

dot1xSuppEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL frames received"
    ::= { dot1xSuppStatsEntry 1 }

dot1xSuppEapolFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames of any type
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL frames transmitted"
    ::= { dot1xSuppStatsEntry 2 }

dot1xSuppEapolStartFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Start frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL Start frames transmitted"
    ::= { dot1xSuppStatsEntry 3 }

dot1xSuppEapolLogoffFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL Logoff frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAPOL Logoff frames transmitted"
    ::= { dot1xSuppStatsEntry 4 }

dot1xSuppEapolRespIdFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Resp/Id frames
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAP Resp/Id frames transmitted"
    ::= { dot1xSuppStatsEntry 5 }

dot1xSuppEapolRespFramesTx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of valid EAP Response frames
        (other than Resp/Id frames)
        that have been transmitted by this Supplicant."
    REFERENCE
        "9.5.2, EAP Resp frames transmitted"
    ::= { dot1xSuppStatsEntry 6 }

dot1xSuppEapolReqIdFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Req/Id frames
        that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAP Req/Id frames received"
    ::= { dot1xSuppStatsEntry 7 }

dot1xSuppEapolReqFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAP Request frames (other than Rq/Id
        frames) that have been received by this Supplicant."
    REFERENCE
        "9.5.2, EAP Req frames received"
    ::= { dot1xSuppStatsEntry 8 }

dot1xSuppInvalidEapolFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Supplicant in which the
        frame type is not recognized."
    REFERENCE
        "9.5.2, Invalid EAPOL frames received"
    ::= { dot1xSuppStatsEntry 9 }

dot1xSuppEapLengthErrorFramesRx OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of EAPOL frames that have been
        received by this Supplicant in which the Packet
        Body Length field (7.5.5) is invalid."
    REFERENCE
        "9.5.2, EAP length error frames received"
    ::= { dot1xSuppStatsEntry 10 }

dot1xSuppLastEapolFrameVersion OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The protocol version number carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.5.2, Last EAPOL frame version"
    ::= { dot1xSuppStatsEntry 11 }

dot1xSuppLastEapolFrameSource OBJECT-TYPE
    SYNTAX      MacAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source MAC address carried in the
        most recently received EAPOL frame."
    REFERENCE
        "9.5.2, Last EAPOL frame source"
    ::= { dot1xSuppStatsEntry 12 }

-- ---------------------------------------------------------- --
-- IEEE 802.1X MIB - Conformance Information
-- ---------------------------------------------------------- --

dot1xPaeConformance OBJECT IDENTIFIER ::= { ieee8021paeMIB 2 }

dot1xPaeGroups OBJECT IDENTIFIER ::= { dot1xPaeConformance 1 }

dot1xPaeCompliances OBJECT IDENTIFIER
    ::= { dot1xPaeConformance 2 }

-- ---------------------------------------------------------- --
-- units of conformance
-- ---------------------------------------------------------- --

dot1xPaeSystemGroup OBJECT-GROUP
    OBJECTS {
        dot1xPaeSystemAuthControl,
        dot1xPaePortProtocolVersion,
        dot1xPaePortCapabilities,
        dot1xPaePortInitialize,
        dot1xPaePortReauthenticate
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing system information
        about, and control over, a PAE."
    ::= { dot1xPaeGroups 1 }

dot1xPaeAuthConfigGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthPaeState,
        dot1xAuthBackendAuthState,
        dot1xAuthAdminControlledDirections,
        dot1xAuthOperControlledDirections,
        dot1xAuthAuthControlledPortStatus,
        dot1xAuthAuthControlledPortControl,
        dot1xAuthQuietPeriod,
        dot1xAuthTxPeriod,
        dot1xAuthSuppTimeout,
        dot1xAuthServerTimeout,
        dot1xAuthMaxReq,
        dot1xAuthReAuthPeriod,
        dot1xAuthReAuthEnabled,
        dot1xAuthKeyTxEnabled
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing configuration
        information about an Authenticator PAE."
    ::= { dot1xPaeGroups 2 }

dot1xPaeAuthStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthEapolFramesRx,
        dot1xAuthEapolFramesTx,
        dot1xAuthEapolStartFramesRx,
        dot1xAuthEapolLogoffFramesRx,
        dot1xAuthEapolRespIdFramesRx,
        dot1xAuthEapolRespFramesRx,
        dot1xAuthEapolReqIdFramesTx,
        dot1xAuthEapolReqFramesTx,
        dot1xAuthInvalidEapolFramesRx,
        dot1xAuthEapLengthErrorFramesRx,
        dot1xAuthLastEapolFrameVersion,
        dot1xAuthLastEapolFrameSource
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about an
        Authenticator PAE."
    ::= { dot1xPaeGroups 3 }

dot1xPaeAuthDiagGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthEntersConnecting,
        dot1xAuthEapLogoffsWhileConnecting,
        dot1xAuthEntersAuthenticating,
        dot1xAuthAuthSuccessWhileAuthenticating,
        dot1xAuthAuthTimeoutsWhileAuthenticating,
        dot1xAuthAuthFailWhileAuthenticating,
        dot1xAuthAuthReauthsWhileAuthenticating,
        dot1xAuthAuthEapStartsWhileAuthenticating,
        dot1xAuthAuthEapLogoffWhileAuthenticating,
        dot1xAuthAuthReauthsWhileAuthenticated,
        dot1xAuthAuthEapStartsWhileAuthenticated,
        dot1xAuthAuthEapLogoffWhileAuthenticated,
        dot1xAuthBackendResponses,
        dot1xAuthBackendAccessChallenges,
        dot1xAuthBackendOtherRequestsToSupplicant,
        dot1xAuthBackendNonNakResponsesFromSupplicant,
        dot1xAuthBackendAuthSuccesses,
        dot1xAuthBackendAuthFails
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing diagnostic statistics
        about an Authenticator PAE."
    ::= { dot1xPaeGroups 4 }

dot1xPaeAuthSessionStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xAuthSessionOctetsRx,
        dot1xAuthSessionOctetsTx,
        dot1xAuthSessionFramesRx,
        dot1xAuthSessionFramesTx,
        dot1xAuthSessionId,
        dot1xAuthSessionAuthenticMethod,
        dot1xAuthSessionTime,
        dot1xAuthSessionTerminateCause,
        dot1xAuthSessionUserName
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about the
        current, or last session for an Authenticator PAE."
    ::= { dot1xPaeGroups 5 }

dot1xPaeSuppConfigGroup OBJECT-GROUP
    OBJECTS {
        dot1xSuppPaeState,
        dot1xSuppHeldPeriod,
        dot1xSuppAuthPeriod,
        dot1xSuppStartPeriod,
        dot1xSuppMaxStart
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing configuration
        information about a Supplicant PAE."
    ::= { dot1xPaeGroups 6 }

dot1xPaeSuppStatsGroup OBJECT-GROUP
    OBJECTS {
        dot1xSuppEapolFramesRx,
        dot1xSuppEapolFramesTx,
        dot1xSuppEapolStartFramesTx,
        dot1xSuppEapolLogoffFramesTx,
        dot1xSuppEapolRespIdFramesTx,
        dot1xSuppEapolRespFramesTx,
        dot1xSuppEapolReqIdFramesRx,
        dot1xSuppEapolReqFramesRx,
        dot1xSuppInvalidEapolFramesRx,
        dot1xSuppEapLengthErrorFramesRx,
        dot1xSuppLastEapolFrameVersion,
        dot1xSuppLastEapolFrameSource
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing statistics about a
        Supplicant PAE."
    ::= { dot1xPaeGroups 7 }

-- ---------------------------------------------------------- --
-- compliance statements
-- ---------------------------------------------------------- --

dot1xPaeCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for device support of
        Port Access Control."

    MODULE
        MANDATORY-GROUPS {
            dot1xPaeSystemGroup
        }

        GROUP   dot1xPaeAuthConfigGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Authenticator functions of the PAE."

        OBJECT  dot1xAuthAdminControlledDirections
        SYNTAX  INTEGER {
                    both(0)
                }
        MIN-ACCESS read-only
        DESCRIPTION
            "Support for in(1) is optional."

        OBJECT  dot1xAuthOperControlledDirections
        SYNTAX  INTEGER {
                    both(0)
                }
        DESCRIPTION
            "Support for in(1) is optional."

        OBJECT  dot1xAuthKeyTxEnabled
        MIN-ACCESS read-only
        DESCRIPTION
            "An Authenticator PAE that does not support
            EAPOL-Key frames may implement this object as
            read-only, returning a value of FALSE."

        GROUP   dot1xPaeAuthStatsGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeAuthDiagGroup
        DESCRIPTION
            "This group is optional for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeAuthSessionStatsGroup
        DESCRIPTION
            "This group is optional for systems that support
            the Authenticator functions of the PAE."

        GROUP   dot1xPaeSuppConfigGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Supplicant functions of the PAE."

        GROUP   dot1xPaeSuppStatsGroup
        DESCRIPTION
            "This group is mandatory for systems that support
            the Supplicant functions of the PAE."

    ::= { dot1xPaeCompliances 1 }

END

5. Intellectual Property

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.

6. Acknowledgements

This document was reproduced by the IETF Bridge MIB Working Group
from the IEEE Std 802.1X-2001 IEEE Standard for Local and
metropolitan area networks Port-Based Network Access Control.

Special thanks to Les Bell for his help in getting this document
ready for publication and providing his insight, and Mike Heard for
helping with security and copyright issues.

7. Normative References

[IEEESTD8021] IEEE, IEEE Std 802.1, 2001 Edition: "IEEE Standard for
              Local and metropolitan area networks Port-Based Network
              Access Control"

[RFC2578]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
              J., Rose, M. and S. Waldbusser, "Structure of
              Management Information Version 2 (SMIv2)", STD 58,
              RFC 2578, May 1999.

[RFC2579]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
              J., Rose, M. and S. Waldbusser, "Textual Conventions
              for SMIv2", STD 58, RFC 2579, May 1999.

[RFC2580]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
              J., Rose, M. and S. Waldbusser, "Conformance Statements
              for SMIv2", STD 58, RFC 2580, May 1999.

[RFC2863]     McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB using SMIv2", RFC 2863, June 2000.

[RFC3411]     Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62,
              RFC 3411, December 2002.

[RFC3410]     Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

[RFC3635]     Flick, J., "Definitions of Managed Objects for the
              Ethernet-like Interface Types", RFC 3635,
              September 2003.

[8021XAUTH]   IEEE, 802.1x - Port Based Network Access Control,
              definition of Authenticator, clause 3.1.1

[8021XSUPP]   IEEE, 802.1x - Port Based Network Access Control,
              definition of Supplicant, clause 3.1.5

8. Informative References

[RFC1157]     Case, J., Fedor, M., Schoffstall, M. and J. Davin,
              "Simple Network Management Protocol", STD 15, RFC 1157,
              May 1990.

[RFC1212]     Rose, M. and K. McCloghrie, "Concise MIB Definitions",
              STD 16, RFC 1212, March 1991.

[RFC1901]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Introduction to Community-based SNMPv2", RFC 1901,
              January 1996.

[RFC1905]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Protocol Operations for Version 2 of the Simple
              Network Management Protocol (SNMPv2)", RFC 1905,
              January 1996.

[RFC1906]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Transport Mappings for Version 2 of the Simple Network
              Management Protocol (SNMPv2)", RFC 1906, January 1996.

[RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
              Requirements Levels", BCP 14, RFC 2119, March 1997.

[RFC2570]     Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction to Version 3 of the Internet-Standard
              Network Management Framework", RFC 2570, May 1999.

[RFC2572]     Case, J., Harrington D., Presuhn R. and B. Wijnen,
              "Message Processing and Dispatching for the Simple
              Network Management Protocol (SNMP)", RFC 2572,
              May 1999.

[RFC2574]     Blumenthal, U. and B. Wijnen, "User-based Security
              Model (USM) for version 3 of the Simple Network
              Management Protocol (SNMPv3)", RFC 2574, May 1999.

[RFC2573]     Levi, D., Meyer, P. and B. Stewart, "SNMPv3
              Applications", RFC 2573, May 1999.

[RFC2575]     Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, May 1999.

9. Security Considerations

There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write.
If maliciously set, these objects can affect the operation of the port authentication functions, including allowing access to unauthorized users or denying access to authorized users. Hence the support for SET operations without proper access control may have a negative effect on network operations. The sensitive read-write objects in this MIB module are: dot1xPaeSystemAuthControl, dot1xPaePortInitialize, dot1xPaePortReauthenticate, dot1xAuthAdminControlledDirections, dot1xAuthAuthControlledPortControl, dot1xAuthQuietPeriod, dot1xAuthTxPeriod, dot1xAuthSuppTimeout, dot1xAuthServerTimeout, dot1xAuthMaxReq, dot1xAuthReAuthPeriod, dot1xAuthReAuthEnabled, dot1xAuthKeyTxEnabled, dot1xSuppHeldPeriod, dot1xSuppAuthPeriod, dot1xSuppStartPeriod, and dot1xSuppMaxStart.

The readable objects in this MIB module (i.e., the managed objects that have a MAX-ACCESS clause of anything other than not-accessible) contain information that may be used to compromise the access and security of network users. It is therefore important to control GET and/or NOTIFY access to these objects and possibly even to encrypt their values when sending them over the network via SNMP.

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example, by using IPSec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security.
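The recommendations above can be checked against an agent's access configuration. The following Python code is an added example, not part of the IEEE or IETF text: it audits net-snmp style access directives and reports every grant that can reach the PAE MIB without SNMPv3 authentication and privacy. The choice of net-snmp directives, the PAE MIB root OID 1.0.8802.1.1.1, the severity labels and the sample configuration are assumptions of this example.

```python
PAE_ROOT = "1.0.8802.1.1.1"  # assumed PAE MIB root OID; confirm against Section 4
ACCESS = {"rocommunity": "GET", "rwcommunity": "SET", "rouser": "GET", "rwuser": "SET"}
RISK = {"community": ("HIGH", "pre-SNMPv3 access, NOT RECOMMENDED"),
        "noauth": ("HIGH", "SNMPv3 without authentication"),
        "auth": ("MEDIUM", "SNMPv3 without privacy")}  # labels are this example's own

def covers_pae(scope):
    """True if a grant scoped to `scope` (None = full tree) can reach the PAE MIB."""
    if scope is None or scope.startswith("view:"):  # unresolved view: assume yes
        return True
    s = scope.strip(".")  # numeric OIDs only
    return (PAE_ROOT + ".").startswith(s + ".") or s.startswith(PAE_ROOT + ".")

def audit(conf):
    """Return (principal, access, severity, reason) for each risky grant."""
    findings = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] not in ACCESS:
            continue
        args = tok[1:]
        if tok[0].endswith("community"):
            # COMMUNITY [SOURCE [OID | -V VIEW]]
            name, level, rest = args[0], "community", args[2:]
        else:
            # [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW]]
            if args[0] == "-s":
                args = args[2:]
            if not args:
                continue
            name, rest = args[0], args[2:]
            level = args[1] if len(args) > 1 else "auth"  # net-snmp default
        scope = None
        if rest:
            scope = "view:" + "".join(rest[1:2]) if rest[0] == "-V" else rest[0]
        if covers_pae(scope) and level in RISK:
            findings.append((name, ACCESS[tok[0]]) + RISK[level])
    return findings

SAMPLE = """\
# constructed sample configuration, not taken from a real device
rwcommunity constructed-rw 10.0.0.0/8
rocommunity constructed-ro default 1.3.6.1.2.1.1
rwuser netops auth
rwuser paeadmin priv 1.0.8802.1.1.1
rouser monitor noauth -V paeview
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A grant that requires priv produces no finding here; whether that principal should hold SET rights on objects such as dot1xAuthAuthControlledPortControl remains a policy decision for the operator.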
It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

10. Author's Address

K.C. Norseth
L-3 Communications
640 N. 2200 West.
Salt Lake City, Utah 84116-0850
Email: kenyon.c.norseth@L-3com.com
       kcn@norseth.com

11. Change Log

The following changes were made to to produce :

1) Redefined the overview to more closely reflect the IEEE 802.1x document.
1) Clarification of the security section
2) Splitting references into Normative and Informative
3) Changing draft to reflect IETF document standards.

12. Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others provided that the above copyright notice and this paragraph are included on all such copies. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as required to translate it into languages other than English, and derivative works of it may not be created, other than to extract the MIB module in Section 4 as-is for separate use.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.