ENTERASYS-TACACS-CLIENT-MIB DEFINITIONS ::= BEGIN

--  enterasys-tacacs-client-mib.txt
--
--  Part Number:
--
--

--  This module provides authoritative definitions for Enterasys
--  Networks' TACACS+ client functionality.

--
--  This module will be extended, as needed.

--  Enterasys Networks reserves the right to make changes in this
--  specification and other information contained in this document
--  without prior notice.  The reader should consult Enterasys Networks
--  to determine whether any such changes have been made.
--
--  In no event shall Enterasys Networks be liable for any incidental,
--  indirect, special, or consequential damages whatsoever (including
--  but not limited to lost profits) arising out of or related to this
--  document or the information contained in it, even if Enterasys
--  Networks has been advised of, known, or should have known, the
--  possibility of such damages.
--
--  Enterasys Networks grants vendors, end-users, and other interested
--  parties a non-exclusive license to use this Specification in
--  connection with the management of Enterasys Networks products.

--  Copyright February 2003-2010 Enterasys Networks, Inc.

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    TruthValue, RowStatus
        FROM SNMPv2-TC
    EnabledStatus
        FROM P-BRIDGE-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB
    etsysModules
        FROM ENTERASYS-MIB-NAMES;

etsysTacacsClientMIB MODULE-IDENTITY
    LAST-UPDATED "201002011702Z"  -- Mon Feb  1 17:02 UTC 2010
    ORGANIZATION "Enterasys Networks, Inc"
    CONTACT-INFO
        "Postal:  Enterasys Networks
                  50 Minuteman Rd.
                  Andover, MA 01810-1008
                  USA
         Phone:   +1 978 684 1000
         E-mail:  support@enterasys.com
         WWW:     http://www.enterasys.com"

    DESCRIPTION
        "This MIB module defines a portion of the SNMP MIB under
         the Enterasys Networks enterprise OID pertaining to
         TACACS+ client configuration."

    REVISION    "201002011702Z"  -- Mon Feb  1 17:02 UTC 2010
    DESCRIPTION "Corrected DESCRIPTION clause for the 
                 etsysTacacsClientSesnAuthValue object." 

    REVISION    "200502101757Z"  -- Thu Feb 10 17:57 GMT 2005
    DESCRIPTION "The initial version of this MIB module."
    ::= { etsysModules 58 }


-- -------------------------------------------------------------
-- Branches of the Enterasys TACACS+ Client MIB
-- -------------------------------------------------------------

etsysTacacsClientObjects     OBJECT IDENTIFIER 
        ::= { etsysTacacsClientMIB 1 }

etsysTacacsClientControl     OBJECT IDENTIFIER 
        ::= { etsysTacacsClientObjects 1 }

etsysTacacsClientSesnAuth    OBJECT IDENTIFIER 
        ::= { etsysTacacsClientObjects 2 }

etsysTacacsClientServer      OBJECT IDENTIFIER 
        ::= { etsysTacacsClientObjects 3 }


-- -------------------------------------------------------------
-- TACACS+ Client Control Group
-- -------------------------------------------------------------

etsysTacacsClientSesnAuthEnabled OBJECT-TYPE
    SYNTAX         EnabledStatus
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         authentication and authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 1 }

etsysTacacsClientSesnAcctEnabled OBJECT-TYPE
    SYNTAX         EnabledStatus
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for session
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 2 }

etsysTacacsClientCmdAuthEnabled OBJECT-TYPE
    SYNTAX         EnabledStatus
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         level authorization."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 3 }

etsysTacacsClientCmdAcctEnabled OBJECT-TYPE
    SYNTAX         EnabledStatus
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "Controls the operation of the TACACS+ client for command
         accounting."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 4 }

etsysTacacsClientSingleConnection OBJECT-TYPE
    SYNTAX         EnabledStatus
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "Allows the TACACS+ client to send multiple TACACS+ requests
         on a single TCP connection.  All configured TACACS+ servers
         MUST allow this NAS to use single connection mode."
    DEFVAL { disabled }
    ::= { etsysTacacsClientControl 5 }


-- -------------------------------------------------------------
-- TACACS+ Client Session Authorization Group
-- -------------------------------------------------------------

etsysTacacsClientSesnAuthService OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "The service to be requested for management session
         authorization."
    DEFVAL { "enable" }
    ::= { etsysTacacsClientSesnAuth 1 }


-- -------------------------------------------------------------
-- TACACS+ Client Session Authorization Table
-- -------------------------------------------------------------

etsysTacacsClientSesnAuthTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A list of TACACS+ servers that this client may attempt to use."
    ::= { etsysTacacsClientSesnAuth 2 }

etsysTacacsClientSesnAuthEntry OBJECT-TYPE
    SYNTAX         EtsysTacacsClientSesnAuthEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A TACACS+ server that this client may attempt to use."
    INDEX { etsysTacacsClientSesnAuthLevel }
    ::= { etsysTacacsClientSesnAuthTable 1 }

EtsysTacacsClientSesnAuthEntry ::= SEQUENCE {
    etsysTacacsClientSesnAuthLevel                INTEGER,
    etsysTacacsClientSesnAuthAttribute            SnmpAdminString,
    etsysTacacsClientSesnAuthValue                SnmpAdminString
}

etsysTacacsClientSesnAuthLevel OBJECT-TYPE
    SYNTAX         INTEGER {
                       readonly   (1),
                       readwrite  (2),
                       superuser  (3),
                       debug      (4)
                   }
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "The authorization level for the corresponding attribute
         value pair.  Managed entities are not required to support
         all authorization levels."
    ::= { etsysTacacsClientSesnAuthEntry 1 }

etsysTacacsClientSesnAuthAttribute OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "The attribute part of the attribute-value pair for this
         access level.  The default value 'priv-lvl' is normally
         defined to have a corresponding value part with a value
         between '0' and '15' inclusive."
    DEFVAL { "priv-lvl" }
    ::= { etsysTacacsClientSesnAuthEntry 2 }

etsysTacacsClientSesnAuthValue OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "The value part of the attribute-value pair for this access
         level.

         To allow the leveraging of existing Cisco 'enable' mode 
         configurations.  When

         1.)  the etsysTacacsClientSesnAuthService object has the value
              'enable',

         2.)  the attribute part of this attribute-value pair is
              'priv-lvl',

         and

         3.)  the value part of this attribute-value pair represents a
              numeric value between 0 and 15, inclusive,

         then the value part of this attribute-value pair specifies the
         minimum value required for this access level.

         If any of the above conditions are not met then this value
         must be an exact match with the value returned from the TACACS+
         server.

         The default values for this object are '0' for read-only,
         '1' for read-write, and '15' for superuser authorization."
    ::= { etsysTacacsClientSesnAuthEntry 3 }


-- -------------------------------------------------------------
-- TACACS+ Client Server Table
-- -------------------------------------------------------------

etsysTacacsClientServerTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF EtsysTacacsClientServerEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A list of TACACS+ servers that this client may attempt to use."
    ::= { etsysTacacsClientServer 1 }

etsysTacacsClientServerEntry OBJECT-TYPE
    SYNTAX         EtsysTacacsClientServerEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A TACACS+ server that this client may attempt to use."
    INDEX { etsysTacacsClientServerIndex }
    ::= { etsysTacacsClientServerTable 1 }

EtsysTacacsClientServerEntry ::= SEQUENCE {
    etsysTacacsClientServerIndex                  Integer32,
    etsysTacacsClientServerAddressType            InetAddressType,
    etsysTacacsClientServerAddress                InetAddress,
    etsysTacacsClientServerPortNumber             InetPortNumber,
    etsysTacacsClientServerTimeout                Integer32,
    etsysTacacsClientServerSecret                 OCTET STRING,
    etsysTacacsClientServerSecretEntered          TruthValue,
    etsysTacacsClientServerStatus                 RowStatus
}

etsysTacacsClientServerIndex OBJECT-TYPE
    SYNTAX         Integer32 (1..2147483647)
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A number uniquely identifying each conceptual row
         in the etsysTacacsClientServerTable.

         In the event of an agent restart, the same value of
         etsysTacacsClientServerIndex must be used to identify 
         each conceptual row in etsysTacacsClientServerTable
         as prior to the restart."
    ::= { etsysTacacsClientServerEntry 1 }

etsysTacacsClientServerAddressType OBJECT-TYPE
    SYNTAX         InetAddressType
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "The type of Internet address by which this TACACS+ server
         is reachable."
    DEFVAL { ipv4 }
    ::= { etsysTacacsClientServerEntry 2 }

etsysTacacsClientServerAddress OBJECT-TYPE
    SYNTAX         InetAddress (SIZE(1..64))
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "The Internet address for the TACACS+ server.

         The etsysTacacsClientServerAddress may not be
         empty due to the SIZE restriction.  Also the size of
         a DNS name is limited to 64 characters.

         If a row is created administratively by an SNMP
         operation and the address type value is dns(16), then
         the agent stores the DNS name internally. A DNS name
         lookup must be performed on the internally stored DNS
         name whenever it is being used to contact the peer.
         If a row is created by the managed entity itself and
         the address type value is dns(16), then the agent
         stores the IP address internally. A DNS reverse lookup
         must be performed on the internally stored IP address
         whenever the value is retrieved via SNMP."
    ::= { etsysTacacsClientServerEntry 3 }

etsysTacacsClientServerPortNumber  OBJECT-TYPE
    SYNTAX         InetPortNumber
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "The TCP port number (0-65535) the client is using
         to send requests to this server."
    DEFVAL { 49 }
    ::= { etsysTacacsClientServerEntry 4 }

etsysTacacsClientServerTimeout OBJECT-TYPE
    SYNTAX         Integer32 (1..180)
    UNITS          "seconds"
    MAX-ACCESS     read-write
    STATUS         current
    DESCRIPTION
        "The number of seconds to wait for a TACACS+ server to
         respond to a request."
    DEFVAL { 10 }
    ::= { etsysTacacsClientServerEntry 5 }

etsysTacacsClientServerSecret  OBJECT-TYPE
    SYNTAX         OCTET STRING (SIZE(0..32))
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This object is the secret shared between the TACACS+ 
         server and TACACS+ client."
    ::= { etsysTacacsClientServerEntry 6 }

etsysTacacsClientServerSecretEntered  OBJECT-TYPE
    SYNTAX         TruthValue
    MAX-ACCESS     read-only
    STATUS         current
    DESCRIPTION
        "This indicates the existence of a shared secret."
    ::= { etsysTacacsClientServerEntry 7 }

etsysTacacsClientServerStatus OBJECT-TYPE
    SYNTAX         RowStatus
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION   
        "Lets users create and delete TACACS+ server entries on
         systems that support this capability.
            
         Rules
        
            1. When creating a TACACS+ client, it is up to the
               management station to determine a suitable
               etsysTacacsClientServerIndex.  To facilitate
               interoperability, agents should not put any
               restrictions on the etsysTacacsClientServerIndex
               beyond the obvious ones that it be valid and unused.

            2. Before a new row can become 'active', values must
               be supplied for the columnar objects
               etsysTacacsClientServerAddress and
               etsysTacacsClientServerSecret.

            3. The value of etsysTacacsClientServerStatus MAY
               need to be set to 'notInService' in order to modify
               a writable object in the same conceptual row.

            4. etsysTacacsClientServer entries whose 
               status is 'notReady' or 'notInService' will 
               not be used for authentication."

    ::= { etsysTacacsClientServerEntry 8 }


-- ------------------------------------
-- Conformance information
-- ------------------------------------

etsysTacacsClientConformance
       OBJECT IDENTIFIER ::= { etsysTacacsClientMIB 2 }

etsysTacacsClientCompliances
       OBJECT IDENTIFIER ::= { etsysTacacsClientConformance 1 }

etsysTacacsClientGroups
       OBJECT IDENTIFIER ::= { etsysTacacsClientConformance 2 }


-- ------------------------------------
-- Units of conformance
-- ------------------------------------

etsysTacacsClientSessionGroup OBJECT-GROUP
     OBJECTS { etsysTacacsClientSesnAuthEnabled,
               etsysTacacsClientSesnAcctEnabled,
               etsysTacacsClientSingleConnection,
               etsysTacacsClientServerAddressType,
               etsysTacacsClientServerAddress,
               etsysTacacsClientServerPortNumber,
               etsysTacacsClientServerTimeout,
               etsysTacacsClientServerSecret,
               etsysTacacsClientServerSecretEntered,
               etsysTacacsClientServerStatus
     }
     STATUS  current
     DESCRIPTION
         "The collection of objects required to do TACACS+
          authentication, authorization, and accounting for
          management sessions."
     ::= { etsysTacacsClientGroups 1 }

etsysTacacsClientCmdAuthGroup OBJECT-GROUP
     OBJECTS { etsysTacacsClientCmdAuthEnabled }
     STATUS  current
     DESCRIPTION
         "Additional objects for TACACS+ command authorization."
     ::= { etsysTacacsClientGroups 2 }

etsysTacacsClientCmdAcctGroup OBJECT-GROUP
     OBJECTS { etsysTacacsClientCmdAcctEnabled }
     STATUS  current
     DESCRIPTION
         "Additional objects for TACACS+ command accounting."
     ::= { etsysTacacsClientGroups 3 }

etsysTacacsClientSesnAuthGroup OBJECT-GROUP
     OBJECTS { etsysTacacsClientSesnAuthService,
               etsysTacacsClientSesnAuthAttribute,
               etsysTacacsClientSesnAuthValue
     }
     STATUS  current
     DESCRIPTION
         "Additional objects to map read-only, read-write, superuser,
          and debug  authorization level into a service level and
          respective attribute-value pairs."
     ::= { etsysTacacsClientGroups 4 }


-- ------------------------------------
-- Compliance statements
-- ------------------------------------

etsysTacacsClientCompliance MODULE-COMPLIANCE
     STATUS  current
     DESCRIPTION
         "The compliance statement for clients implementing the
          TACACS+ Client MIB."
     MODULE
        MANDATORY-GROUPS { etsysTacacsClientSessionGroup }

        GROUP       etsysTacacsClientCmdAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             authorization via TACACS+"

        GROUP       etsysTacacsClientCmdAcctGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting command
             accounting via TACACS+"

        GROUP       etsysTacacsClientSesnAuthGroup
        DESCRIPTION
            "This group is REQUIRED for devices supporting any of the
             following authorization levels: read-only, read-write,
             superuser, or debug."

     ::= { etsysTacacsClientCompliances 1 }

END
