cac Priority Table

1.3.6.1.4.1.9.9.158.1.1.1

This table contains entries for AAA authentication methods configured in the system. At startup, agent set up all the entries of the table. All authentication methods will be disabled except local authentication will be enabled for each session type and login mode. Users later can enable/disable a specific authentication method through cacEnable object. The following table describes the startup state of each authentication method and session type in normal login mode and enable login mode. AuthenMethod Console Session Telnet Session Http Session ------------ ---------------- ---------------- ------------ tacacs disabled disabled disabled radius disabled disabled disabled kerberos disabled disabled disabled local enabled(*) enabled(*) enabled(*) (*) denotes primary method. ::= { cacPriority 1 } SYNTAX CacPriorityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION An entry containing the priority number of an authentication method used in a session. INDEX { cacSession, cacAuthen, cacLoginMode } ::= { cacPriorityTable 1 } CacPriorityEntry ::= SEQUENCE { cacSession SessionType, cacAuthen AuthenMethod, cacLoginMode LoginMode, cacEnable TruthValue, cacPriorityNumber Integer32, cacPrimaryMethod TruthValue } SYNTAX SessionType MAX-ACCESS not-accessible STATUS current DESCRIPTION This is the session type used to connect to the network device. ::= { cacPriorityEntry 1 } SYNTAX AuthenMethod MAX-ACCESS not-accessible STATUS current DESCRIPTION This is the authentication method used to authenticate users. ::= { cacPriorityEntry 2 } SYNTAX LoginMode MAX-ACCESS not-accessible STATUS current DESCRIPTION This is the login mode user used to login to the network device. ::= { cacPriorityEntry 3 } SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION It indicates whether the authentication method denoted by cacAuthen is enabled or not. When this object is true(1), the authentication method denoted by cacAuthen is enabled. When this object is false(2), the authentication method denoted by cacAuthen is disabled. If the value of cacAuthen is local, the value of this object cannot be set to false(2). ::= { cacPriorityEntry 4 } SYNTAX Integer32 (0..4) MAX-ACCESS read-only STATUS current DESCRIPTION This is the priority number of an authentication method to be used in user authentication for a session. This value is automatically assigned and reflects the relative priority of the authentication method denoted by cacAuthen with respected to already configured authentication methods. It is assigned in the order in which the authentication method is enabled by the user through cacEnable. The higher value has the higher priority. This object is used to determine the fallback order in case the primary authentication method indicated by cacPrimaryMethod failed. If the authentication method denoted by cacAuthen is disabled for the type of session denoted by cacSession, the value of this object is equal to 0. ::= { cacPriorityEntry 5 } SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION It indicates whether the authentication method denoted by cacAuthen is the primary (first one to be tried) method when there are multiple authentication method configured. Setting this object to true(1) will make the authentication method denoted by cacAuthen to be the primary authentication method for the session denoted by cacSession. The previously configured primary method will be changed to false(2). Setting this object to false(2) is not allowed. ::= { cacPriorityEntry 6 } -- ------------------------------------------------------------- -- AAA Client Login Config Group -- ------------------------------------------------------------- SYNTAX SEQUENCE OF CacLoginConfigEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION A table that contains login configuration which is associated with this system. ::= { cacLoginConfig 1 } SYNTAX CacLoginConfigEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION An entry containing the configuration of the login. INDEX { cacLoginMode, cacSession } ::= { cacLoginConfigTable 1 } CacLoginConfigEntry ::= SEQUENCE { cacMaxLoginAttempt Integer32, cacLockoutPeriod Integer32, cacLockoutPeriodExt Integer32 } SYNTAX Integer32 (0|3..10) MAX-ACCESS read-write STATUS current DESCRIPTION Indicates the maximum number of login attempts allowed. Setting this variable to 0 will disable the attempt limit checking. If the login session type does not support this attempt limit checking, the value of this object can only be set to 0. DEFVAL { 3 } ::= { cacLoginConfigEntry 1 } SYNTAX Integer32 (0|30..600) UNITS "seconds Indicates the lockout period after the maximum number of login attempt is met. For console, the console input will be frozen during this period. For remote logins, the connection will be closed and any subsequent access from that station will be closed during the lockout time. Setting this variable to 0 will disable the lockout. If the login session type does not support this lockout period, the value of this object can only be set to 0. If the lockout period is greater than the maximum value reportable by this object then this object should report its maximum value (600) and cacLockoutPeriodExt must be used to report the lockout period. DEFVAL { 30 } ::= { cacLoginConfigEntry 2 } SYNTAX Integer32 (0|30..43200) UNITS "seconds Specifies the lockout period after the maximum number of login attempt is met. For console, the console input will be frozen during this period. For remote logins, the connection will be closed and any subsequent access from that station will be closed during the lockout time. Setting this variable to 0 will disable the lockout. If the login session type does not support this lockout period, the value of this object can only be set to 0. DEFVAL { 30 } ::= { cacLoginConfigEntry 3 } --**************************************************************************** -- Notifications --**************************************************************************** cacMIBNotifications OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 2 } cacMIBConformance OBJECT IDENTIFIER ::= { ciscoAAAClientMIB 3 } cacMIBCompliances OBJECT IDENTIFIER ::= { cacMIBConformance 1 } cacMIBGroups OBJECT IDENTIFIER ::= { cacMIBConformance 2 } -- compliance statements cacMIBCompliance MODULE-COMPLIANCE STATUS deprecated DESCRIPTION The compliance statement for entities which implement the CISCO AAA Client MIB