-- ******************************************************************* -- CISCO-LWAPP-WLAN-SECURITY-MIB.my -- December 2005, Bharat Biswal, Prasanna Viswakumar -- -- Copyright (c) 2005-2008 by Cisco Systems Inc. -- All rights reserved. -- ***************************************************************** CISCO-LWAPP-WLAN-SECURITY-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF TruthValue FROM SNMPv2-TC CLSecEncryptType, CLSecKeyFormat FROM CISCO-LWAPP-TC-MIB cLWlanIndex FROM CISCO-LWAPP-WLAN-MIB ciscoMgmt FROM CISCO-SMI; ciscoLwappWlanSecurityMIB MODULE-IDENTITY LAST-UPDATED "200801150000Z" ORGANIZATION "Cisco Systems, Inc." CONTACT-INFO "Cisco Systems, Customer Service Postal: 170 West Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS Email: cs-wnbu-snmp@cisco.com" DESCRIPTION "This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Access Point Protocol tunnel from Cisco Light-weight LWAPP Access Points. Information provided by this MIB is for WLAN security related features as specified in the CCKM, CKIP specifications. The relationship between the controller and the LWAPP APs is depicted as follows: +......+ +......+ +......+ + + + + + + + CC + + CC + + CC + + + + + + + +......+ +......+ +......+ .. . . .. . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + AP + + AP + + AP + + AP + + + + + + + + + +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ + + + + + + + + + MN + + MN + + MN + + MN + + + + + + + + + +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, that includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. GLOSSARY 802.1x The IEEE ratified standard for enforcing port based access control. This was originally intended for use on wired LANs and later extended for use in 802.11 WLAN environments. This defines an architecture with three main parts - a supplicant (Ex. an 802.11 wireless client), an authenticator (the AP) and an authentication server(a Radius server). The authenticator passes messages back and forth between the supplicant and the authentication server to enable the supplicant get authenticated to the network. Access Point ( AP ) An entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. Advanced Encryption Standard ( AES ) In cryptography, the Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardisation process. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity also referred to as 'controller'. Cisco Centralized Key Management ( CCKM ) Client and AP exchange several EAPOL packets in the process of EAP authenticaton to determine dynamic session key (NSK), which is used for encrypting packets between them. When client moves to new-AP, it has to mutually authenticate with the new-AP and derive new NSK. This is being done by using complete EAP authentication (which is time consuming and causes noticeable delay in the voice application). Till that time, no data packets are being transmitted between new-AP and client. CCKM implementation in first controller caches client's credentials like session, vlanid, ssid, etc. and propagates the same to other controllers in mobility group. Currently a set of controller can be configured as part of a mobility group. If client roams across access points associated to this set of controllers, then with CCKM implementation in place, the L2 authentication will not happen. To make this happen a CCKM cache is maintained on each controller and the first controller where client gets associated update rest of the controllers in mobility group. On later reassociations, controller validates the CCKM specific IE present and allow associations. Wireless LAN Access Points (APs) manufactured by Cisco Systems have features and capabilities beyond those in related standards (e.g., IEEE 802.11 suite of standards, Wi-Fi recommendations by WECA, 802.1X security suite, etc). A number of features provide higher performance. For example, Cisco AP transmits a specific Information Element, which the clients adapt to for enhanced performance. Similarly, a number of features are implemented by means of proprietary Information Elements, which Cisco clients use in specific ways to carry out tasks above and beyond the standard. Other examples of feature categories are roaming and power saving. Cisco Key Integrity Protocol ( CKIP ) A proprietary implementation similar to TKIP. CKIP implements key permutation for protecting the CKIP key against attacks. Other features of CKIP include expansion of encryption key to 16 bytes of length for key protection and MIC to ensure data integrity. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the Central Controller. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Mobile Node and client are used interchangeably. Multilinear Modular Hash ( MMH ) This is a message authentication code. The original message is run through the hash (with a secret key), and the code is the result. The code is sent along with the original message. The receiver of the message calculates the hash over the original message (also with the secret key) and compares the final message authentication code with the code sent with the message. If the two codes match, the receiver can be assured that the original message is authentic. Pre-Shared Key ( PSK ) Pre-shared keys are normally used for interoperability purposes. The basic idea is that two parties sharing a common secret can communicate securely. This idea has been used since cryptography first sprung onto the scene. Temporal Key Integrity Protocol ( TKIP ) A security protocol defined to enhance the limitations of WEP. Message Integrity Check and per-packet keying on all WEP-encrypted frames are two significant enhancements provided by TKIP to WEP. Wired Equivalent Privacy ( WEP ) A security method defined by 802.11. WEP uses a symmetric key stream cipher called RC4 to encrypt the data packets. Wi-Fi Protected Access ( WPA ) Wi-Fi Protected Access (WPA and WPA2) are security systems created in response to several serious weaknesses found in Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications, Amendment 6, MAC Security Enhancements. [2] draft-obara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol" REVISION "200801150000Z" DESCRIPTION "Added new cLWSecDot11EssWebPolicyTable and ciscoLwappWlanSecurityMIBComplianceRev1" REVISION "200711080000Z" DESCRIPTION "Initial version of this MIB module." ::= { ciscoMgmt 521 } ciscoLwappWlanSecurityMIBNotifs OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIB 0 } ciscoLwappWlanSecurityMIBObjects OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIB 1 } ciscoLwappWlanSecurityMIBConform OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIB 2 } clwsCckmConfig OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIBObjects 1 } clwsCkipConfig OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIBObjects 2 } clwsWebPolicyConfig OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIBObjects 3 } -- ******************************************************************** -- Table to represent CISCO CCKM parameters -- per each WLAN. -- ******************************************************************** cLWSecDot11EssCckmTable OBJECT-TYPE SYNTAX SEQUENCE OF CLWSecDot11EssCckmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table represents the CCKM configuration for the WLANs configured on this controller. There exist a row in this table corresponding to each row representing a WLAN in cLWlanConfigTable. The controller adds or deletes a row to this table whenever a WLAN is added or deleted." ::= { clwsCckmConfig 1 } cLWSecDot11EssCckmEntry OBJECT-TYPE SYNTAX CLWSecDot11EssCckmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry represents a conceptual row in cLWSecDot11EssCckmTable and uniquely identified by cLWlanIndex." INDEX { cLWlanIndex } ::= { cLWSecDot11EssCckmTable 1 } CLWSecDot11EssCckmEntry ::= SEQUENCE { cLWSecDot11EssCckmWpaSupport TruthValue, cLWSecDot11EssCckmWpa1Security TruthValue, cLWSecDot11EssCckmWpa1EncType CLSecEncryptType, cLWSecDot11EssCckmWpa2Security TruthValue, cLWSecDot11EssCckmWpa2EncType CLSecEncryptType, cLWSecDot11EssCckmKeyMgmtMode BITS, cLWSecDot11EssPskFmt CLSecKeyFormat, cLWSecDot11EssPsk OCTET STRING } cLWSecDot11EssCckmWpaSupport OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable or disable layer-2 security using WPA1 or WPA2. When this object is set to 'true' layer-2 security is enabled. When this object is set to 'false' layer-2 security is disabled. When layer-2 security is enabled, the following objects are only applied to environment and can be set. cLWSecDot11EssCckmWpa1Security cLWSecDot11EssCckmWpa1EncType cLWSecDot11EssCckmWpa2Security cLWSecDot11EssCckmWpa2EncType cLWSecDot11EssCckmKeyMgmtMode." DEFVAL { false } ::= { cLWSecDot11EssCckmEntry 1 } cLWSecDot11EssCckmWpa1Security OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "A value of 'true' indicates that WPA1 security is enabled on the controller. A value of 'false' disables WPA1 security." DEFVAL { false } ::= { cLWSecDot11EssCckmEntry 2 } cLWSecDot11EssCckmWpa1EncType OBJECT-TYPE SYNTAX CLSecEncryptType MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the type of WPA1 encryption configured on this WLAN. The value populated by this object is applicable only when cLWSecDot11EssCckmWpa1Security populates a value of 'true'." DEFVAL { { } } ::= { cLWSecDot11EssCckmEntry 3 } cLWSecDot11EssCckmWpa2Security OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "A value of 'true' indicates that WPA2 security is enabled on the controller. A value of 'false' disables WPA2 security." DEFVAL { false } ::= { cLWSecDot11EssCckmEntry 4 } cLWSecDot11EssCckmWpa2EncType OBJECT-TYPE SYNTAX CLSecEncryptType MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the type of WPA2 encryption configured on this WLAN. The value populated by this object is applicable only when cLWSecDot11EssCckmWpa2Security populates a value of 'true'." DEFVAL { { } } ::= { cLWSecDot11EssCckmEntry 5 } cLWSecDot11EssCckmKeyMgmtMode OBJECT-TYPE SYNTAX BITS { dot1x(0), cckm(1), psk(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the type of authentication key management that is applicable only when cLWSecDot11EssCckmWpaSupport is set to a value of 'true'. The following are the possible key management configurations allowed and accepted by the system. dot1x + CCKM dot1x only CCKM only PSK only." DEFVAL { { dot1x } } ::= { cLWSecDot11EssCckmEntry 6 } cLWSecDot11EssPskFmt OBJECT-TYPE SYNTAX CLSecKeyFormat MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the type of the authentication preshared key configured through the object cLWSecDot11EssCckmPsk. Note that the key configuration is applicable only when psk is configured as the key management mechanism through the cLWSecDot11EssCckmKeyMgmtMode object." DEFVAL { default } ::= { cLWSecDot11EssCckmEntry 7 } cLWSecDot11EssPsk OBJECT-TYPE SYNTAX OCTET STRING (SIZE (8..64)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the authentication pre-shared key in the hex format that is applicable only when the 'psk' bit is specified in the cLWSecDot11EssCckmKeyMgmtMode object. The length of the key that can be specified for the cLWSecDot11EssPsk object depends on the value of the cLWSecDot11EssPskFmt object as follows. 'ascii' 8-63 octets 'hex' 32 octets." ::= { cLWSecDot11EssCckmEntry 8 } -- ******************************************************************** -- Table to represent CKIP parameters -- per each WLAN. -- ******************************************************************** cLWSecDot11EssCkipTable OBJECT-TYPE SYNTAX SEQUENCE OF CLWSecDot11EssCkipEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table represents the CKIP parameters of a WLAN. This is a new layer-2 security policy similar to static WEP. User can select this policy on a WLAN. This policy will be allowed to be configured only when Aironet Extensions are enabled on the WLAN. Once user has selected CKIP he will be given an option to : 1> configure key 2> select MMH There exist a row in this table corresponding to each row representing a WLAN in cLWlanConfigTable. The controller adds or deletes a row to this table whenever a WLAN is added or deleted." ::= { clwsCckmConfig 2 } cLWSecDot11EssCkipEntry OBJECT-TYPE SYNTAX CLWSecDot11EssCkipEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry represents a conceptual row in cLWSecDot11EssCkipTable and uniquely identified by cLWlanIndex." INDEX { cLWlanIndex } ::= { cLWSecDot11EssCkipTable 1 } CLWSecDot11EssCkipEntry ::= SEQUENCE { cLWSecDot11EssCkipSecurity TruthValue, cLWSecDot11EssCkipKeyIndex Unsigned32, cLWSecDot11EssCkipKeyLength INTEGER , cLWSecDot11EssCkipKeyFmt CLSecKeyFormat, cLWSecDot11EssCkipKey OCTET STRING, cLWSecDot11EssCkipMMHMode TruthValue, cLWSecDot11EssCkipKPEnable TruthValue } cLWSecDot11EssCkipSecurity OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable to disable layer-2 CKIP as security policy for this WLAN. When this object is set to 'true', layer-2 CKIP security is enabled. When this object is set to 'false', layer-2 CKIP security is disabled." DEFVAL { false } ::= { cLWSecDot11EssCkipEntry 1 } cLWSecDot11EssCkipKeyIndex OBJECT-TYPE SYNTAX Unsigned32 (0..4 ) MAX-ACCESS read-write STATUS current DESCRIPTION "This object represents the key index corresponding to the key being configured. A value of 0 indicates that the CKIP key hasn't been configured." DEFVAL { 0 } ::= { cLWSecDot11EssCkipEntry 2 } cLWSecDot11EssCkipKeyLength OBJECT-TYPE SYNTAX INTEGER { none(1), len40(2), len104(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the length of CKIP key in bits that is applicable only when cLWSecDot11EssCkipSecurity is set as 'true'." DEFVAL { none } ::= { cLWSecDot11EssCkipEntry 3 } cLWSecDot11EssCkipKeyFmt OBJECT-TYPE SYNTAX CLSecKeyFormat MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the type of the key configured through the object cLWSecDot11EssCkipKey." DEFVAL { default } ::= { cLWSecDot11EssCkipEntry 4 } cLWSecDot11EssCkipKey OBJECT-TYPE SYNTAX OCTET STRING (SIZE (5..26)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the CKIP key that is applicable only when cLWSecDot11EssCkipSecurity is set as 'true'. The number of characters to be configured depends on the key length and the key type configured through the objects cLWSecDot11EssCkipKeyLength and cLWSecDot11EssCkipKeyFmt respectively. The combinations are as follows. Key Type Number of characters hex 10/26 hex characters for 40/104 bits ascii 5/13 ascii characters for 40/104 bits. When cLWSecDot11EssCkipKeyFmt is set to 'hex', cLWSecDot11EssCkipKey can only be set to hexadecimal characters. To ensure consistency the following objects must be set together. cLWSecDot11EssCkipKeyFmt cLWSecDot11EssCkipKeyIndex cLWSecDot11EssCkipKeyLength cLWSecDot11EssCkipKey." ::= { cLWSecDot11EssCkipEntry 5 } cLWSecDot11EssCkipMMHMode OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable or disable MMH MIC mode for the CKIP for this WLAN. 'true' - MMH MIC mode is enabled 'false' - MMH MIC mode is disabled." DEFVAL { false } ::= { cLWSecDot11EssCkipEntry 6 } cLWSecDot11EssCkipKPEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "When the value is set to 'true', the encryption keys will be generated by permuting the static CKIP key configured through cLWSecDot11EssCkipKey." DEFVAL { false } ::= { cLWSecDot11EssCkipEntry 7 } -- ******************************************************************** -- Table to represent CISCO WEB-CONDITIONAL-REDIRECT parameters -- per each WLAN. -- ******************************************************************** cLWSecDot11EssWebPolicyTable OBJECT-TYPE SYNTAX SEQUENCE OF CLWSecDot11EssWebPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table represents the conditional web-redirect parameters for the WLANs configured on this controller. There exist a row in this table corresponding to each row representing a WLAN in cLWlanConfigTable. The controller adds or deletes a row to this table whenever a WLAN is added or deleted." ::= { clwsWebPolicyConfig 1 } cLWSecDot11EssWebPolicyEntry OBJECT-TYPE SYNTAX CLWSecDot11EssWebPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry represents a conceptual row in cLWSecDot11EssWebPolicyTable and uniquely identified by cLWlanIndex." INDEX { cLWlanIndex } ::= { cLWSecDot11EssWebPolicyTable 1 } CLWSecDot11EssWebPolicyEntry ::= SEQUENCE { cLWSecDot11EssWebPolicyCondRedirect TruthValue, cLWSecDot11EssWebPolicySplashPageWebRedirect TruthValue } cLWSecDot11EssWebPolicyCondRedirect OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable or disable conditional redirect. When this attribute is 'true', it signifies that conditional redirect is enabled and redirection of the client is done based on the url-redirect attribute provided by radius server. When this attribute is 'false', it signifies that conditional redirect is disabled and redirection of the client is not done, even if the url-redirect attribute is provided by the radius server. This attribute can be enabled only when 802.1x has been configured as layer-2 security the wlan and web policy is enabled on the wlan." DEFVAL { false } ::= { cLWSecDot11EssWebPolicyEntry 1 } cLWSecDot11EssWebPolicySplashPageWebRedirect OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object is used to enable or disable splash page web redirect. When this attribute is 'true', it signifies that splash page redirect is enabled and redirection of the client is done based on the url-redirect attribute provided by radius server. The redirect function works only for HTTP traffic. HTTPS redirect is not supported for any of the Web Policies. When this attribute is 'false', it signifies that splash page redirect is disabled and redirection of the client is not done. This attribute can be enabled only when 802.1x or WPA1+WPA2 has been configured as layer-2 security on the wlan." DEFVAL { false } ::= { cLWSecDot11EssWebPolicyEntry 2 } -- ******************************************************************** -- * Compliance statements -- ******************************************************************** ciscoLwappWlanSecurityMIBCompliances OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIBConform 1 } ciscoLwappWlanSecurityMIBGroups OBJECT IDENTIFIER ::= { ciscoLwappWlanSecurityMIBConform 2 } ciscoLwappWlanSecurityMIBCompliance MODULE-COMPLIANCE STATUS deprecated DESCRIPTION "The compliance statement for the SNMP entities that implement the ciscoLwappWlanSecurityMIB module." MODULE -- this module MANDATORY-GROUPS { ciscoLwappWlanSecurityCckmConfigGroup, ciscoLwappWlanSecurityCkipConfigGroup } ::= { ciscoLwappWlanSecurityMIBCompliances 1 } ciscoLwappWlanSecurityMIBComplianceRev1 MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for the SNMP entities that implement the ciscoLwappWlanSecurityMIB module." MODULE -- this module MANDATORY-GROUPS { ciscoLwappWlanSecurityCckmConfigGroup, ciscoLwappWlanSecurityCkipConfigGroup, ciscoLwappWlanSecurityWebPolicyConfigGroup } ::= { ciscoLwappWlanSecurityMIBCompliances 2 } -- ******************************************************************** -- * Units of conformance -- ******************************************************************** ciscoLwappWlanSecurityCckmConfigGroup OBJECT-GROUP OBJECTS { cLWSecDot11EssCckmWpaSupport, cLWSecDot11EssCckmWpa1Security, cLWSecDot11EssCckmWpa1EncType, cLWSecDot11EssCckmWpa2Security, cLWSecDot11EssCckmWpa2EncType, cLWSecDot11EssCckmKeyMgmtMode, cLWSecDot11EssPskFmt, cLWSecDot11EssPsk } STATUS current DESCRIPTION "This collection of objects represents CCKM related security parameters on a WLAN. The collection also configures the pre-shared keys when PSK is configured as the key management type." ::= { ciscoLwappWlanSecurityMIBGroups 1 } ciscoLwappWlanSecurityCkipConfigGroup OBJECT-GROUP OBJECTS { cLWSecDot11EssCkipSecurity, cLWSecDot11EssCkipKeyIndex, cLWSecDot11EssCkipKeyLength, cLWSecDot11EssCkipKeyFmt, cLWSecDot11EssCkipKey, cLWSecDot11EssCkipMMHMode, cLWSecDot11EssCkipKPEnable } STATUS current DESCRIPTION "This collection of objects represents CKIP related security parameters on a WLAN." ::= { ciscoLwappWlanSecurityMIBGroups 2 } ciscoLwappWlanSecurityWebPolicyConfigGroup OBJECT-GROUP OBJECTS { cLWSecDot11EssWebPolicyCondRedirect, cLWSecDot11EssWebPolicySplashPageWebRedirect } STATUS current DESCRIPTION "This collection of objects represents conditional redirect parameters on a WLAN." ::= { ciscoLwappWlanSecurityMIBGroups 3 } END