You are here:

MonitorTools.com > Technical documentation > SNMP > MIB > Enterasys Networks > ENTERASYS-ENCR-8021X-CONFIG-MIB
ActiveXperts Network Monitor 2019##AdminFavorites

ENTERASYS-ENCR-8021X-CONFIG-MIB by vendor Enterasys Networks

ENTERASYS-ENCR-8021X-CONFIG-MIB file content

The SNMP protocol is used to for conveying information and commands between agents and managing entities. SNMP uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents. The reasons for using UDP for SNMP are, firstly it has low overheads in comparison to TCP, which uses a 3-way hand shake for connection. Secondly, in congested networks, SNMP over TCP is a bad idea because TCP in order to maintain reliability will flood the network with retransmissions.

Management information (MIB) is represented as a collection of managed objects. These objects together form a virtual information base called MIB. An agent may implement many MIBs, but all agents must implement a particular MIB called MIB-II [16]. This standard defines variables for things such as interface statistics (interface speeds, MTU, octets sent, octets received, etc.) as well as various other things pertaining to the system itself (system location, system contact, etc.). The main goal of MIB-II is to provide general TCP/IP management information.

Use ActiveXperts Network Monitor 2019 to import vendor-specific MIB files, inclusing ENTERASYS-ENCR-8021X-CONFIG-MIB.


Vendor: Enterasys Networks
Mib: ENTERASYS-ENCR-8021X-CONFIG-MIB  [download]  [view objects]
Tool: ActiveXperts Network Monitor 2019 [download]    (ships with advanced SNMP/MIB tools)
ENTERASYS-ENCR-8021X-CONFIG-MIB DEFINITIONS ::= BEGIN

--  enterasys-encr-8021x-config-mib.txt
--
--  Part Number: <TBD>
--
--

--  This module provides authoritative definitions for Enterasys 
--  Networks' encrypted IEEE 802.1x configuration MIB.

--
--  This module will be extended, as needed.

--  Enterasys Networks reserves the right to make changes in this
--  specification and other information contained in this document
--  without prior notice.  The reader should consult Enterasys Networks
--  to determine whether any such changes have been made.
--
--  In no event shall Enterasys Networks be liable for any incidental,
--  indirect, special, or consequential damages whatsoever (including
--  but not limited to lost profits) arising out of or related to this
--  document or the information contained in it, even if Enterasys
--  Networks has been advised of, known, or should have known, the
--  possibility of such damages.
--
--  Enterasys Networks grants vendors, end-users, and other interested
--  parties a non-exclusive license to use this Specification in 
--  connection with the management of Enterasys Networks products.

--  Copyright March, 2002 Enterasys Networks, Inc.

IMPORTS  
    MODULE-IDENTITY, OBJECT-TYPE
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
--  TruthValue
--      FROM SNMPv2-TC
--  PaeControlledDirections,
--  PaeControlledPortStatus, PaeControlledPortControl
--      FROM IEEE8021-PAE-MIB
    dot1xPaePortNumber
        FROM IEEE8021-PAE-MIB
    etsysDot1xAuthStationAddress
        FROM ENTERASYS-8021X-EXTENSIONS-MIB
    etsysModules
        FROM ENTERASYS-MIB-NAMES;


etsysEncr8021xConfigMIB MODULE-IDENTITY
    LAST-UPDATED "200203142045Z"  -- Thu Mar 14 20:45 GMT 2002
    ORGANIZATION "Enterasys Networks, Inc"
    CONTACT-INFO
        "Postal: Enterasys Networks
                 35 Industrial Way, P.O. Box 5005
                 Rochester, NH 03867-0505

         Phone:  +1 603 332 9400
         E-mail: support@enterasys.com
         WWW:    http://www.enterasys.com"

    -- This is the overall description of this MIB module
    DESCRIPTION
        "The Enterasys Networks MIB module for configuring IEEE
         802.1x implementations on SNMPv1-only platforms.

         This MIB includes encrypted variants of selected objects
         from the IEEE 802.1x MIB and the Enterasys 802.1x
         Extensions MIB.

                                ------------------

                                   N O T I C E

              Use of this MIB in any product requires the approval
              of the Office of the CTO, Enterasys Networks, Inc.  
              Permission to use this MIB will not be granted for 
              products in which SNMPv3 is now, or will soon be,
              implemented.  Permission to use this MIB in products
              that are never scheduled to implement SNMPv3 will be 
              granted on a case-by-case basis, depending on what 
              other suitable, secure means of configuration are
              available in the product.

                                ------------------

         The following is a discussion of the encoding/decoding and
         encryption/decryption methods that must be used to extract
         data from an encrypted OCTET STRING.  (These methods are the
         same as for the Enterasys Networks encrypted RADIUS Client
         MIB.)
          
         The encryption/decryption methods make use of an agreed-upon
         Secret and an Authenticator shared between the SNMP network
         management system and the entity that implements the MIB.

         The encryption/decryption algorithm, as presented herein, is
         taken from the RADIUS protocol, and is the method specified
         for encryption of Tunnel-Password Attributes in RFC 2868.

         To permit plug-and-play remote installation, configuration,
         and management of the device, the device will algorithmically
         derive the initial shared secret and the initial authenticator.

         For security reasons, the network manager should change the
         authenticator portion of the management encryption key after
         initial configuration.  The methods available for doing this
         are implementation-specific and subject to change.

         All read-write and write-only access objects except the table
         index are encoded into fields in an OCTET STRING.

         Octet String

         Before encryption, a 'native' object must be encoded into
         a formatted Octet String.  After decryption, the Octet String
         must be decoded to obtain the 'native' object.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |   Salt                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   String ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            
             Type
  
                The data type of the non-encrypted 'native' data:

                1 = Integer32
                2 = OCTET STRING
          
             Length

                The length in octets of the native object sub-field of
                the Octet String, exclusive of any optional padding.
                Note that the Integrity Check sub-fields (CRC, OID-tail,
                Time Stamp, Source IP Address) are not included in this
                length value, but since the IC sub-fields are always
                present and are of fixed length, there is no impediment
                to proper packet parsing.

             Salt

                The Salt field is two octets in length and is used to
                ensure the uniqueness of the encryption key used to
                encrypt each object.

                The most significant bit (leftmost) of the Salt field
                MUST be set (1).  The contents of each Salt field in a
                given SNMP packet must be unique.

             String

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  CRC (4 bytes)                                                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  OID-tail (4 bytes)                                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Time Stamp (4 bytes)                                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Source IP Address (4 bytes)                                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Object/Padding ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            
                The plain-text String field consists of six logical
                sub-fields: the CRC, OID-tail, Time Stamp, Source IP
                address and native Object sub-fields (all of which are
                required), and the optional Padding sub-field.  The
                String field MUST be treated as a counted-string of
                undistinguished octets, and not as a standard
                C/UNIX-style null-terminated, printable ASCII string.
          
                CRC Sub-field

                  The CRC sub-field contains a 32-bit CRC (CRC-32)
                  calculated over the following concatentated sub-fields
                  of the String: the OID-tail, Time Stamp, Source IP
                  Address and unpadded native Object fields.  The CRC
                  sub-field acts as an integrity check on the decrypted
                  data.
          
                OID-tail Sub-field
          
                  The OID-tail sub-field contains the least significant
                  four octets of the Object ID of the varbind.  This
                  field is included as an integrity check on the OID of
                  the varbind.
          
                Time Stamp Sub-field
          
                  The Time Stamp sub-field contains a 32-bit unsigned
                  integer value representing the time the encrypted
                  message was assembled.  This field acts as an
                  integrity check by facilitating the disposal of stale
                  or replayed messages. The time window of acceptance is
                  implementation dependant, and may be the subject of
                  local (i.e. managed entity) policy configuration.  The
                  Time Stamp is relative time, in units of seconds,
                  referenced to the sysUpTime object of the managed
                  entity.
          
                Source IP Address Sub-field
          
                  The Source IP Address sub-field contains an unsigned
                  32-bit representation of the IPv4 address of the
                  source of the encrypted message.  This is an added
                  check to allow verification of the source of the
                  varbind.

                The CRC, OID-tail, Time Stamp, and Source IP Address
                sub-fields are collectively hereinafter refered to as
                the Integrity Check (IC) sub-fields.
          
                Object/Padding Sub-field

                  Object 
                    The Object sub-field contains the actual or native
                    object data followed by padding, if necessary.
          
                  Padding
                    If the combined length (in octets) of the
                    non-encrypted CRC, OID-tail, Time Stamp, Source IP
                    Address, and native Object sub-fields is not an even
                    multiple of 16, then the Padding sub-field MUST be
                    present.  If it is present, the length of the
                    Padding sub-field is variable, between 1 and 15
                    octets.  The value of the pad octets SHOULD be zero.
          
             Encrypting/Decrypting the String Field

                The entire String field MUST be encrypted as follows,
                prior to transmission:
          
                Construct a plain-text version of the String field by
                concatenating the CRC, OID-tail, Time Stamp, Source IP
                address, and native Object sub-fields.  If necessary,
                pad the resulting string until its length (in octets)
                is an even multiple of 16.  It is recommended that zero
                octets (0x00) be used for padding.  Call this plain-text
                P.

                   Shared Secret

                      The shared secret is formed from the MAC
                      (hardware) address of the primary management
                      interface of the managed device (containing the
                      RADIUS Client).  The MAC address is represented
                      as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33.
          
                  Authenticator
          
                      The 128-bit authenticator is a pre-defined
                      constant.  The default value of the authenticator
                      is an Enterasys Networks trade secret.  This value
                      is settable and the user is advised to change it
                      from the default value after initial configuration
                      of the system.  Contact the MIB author for
                      additional information on the default value.
          
                Call the shared secret S, the [pseudo-random] 128-bit 
                Authenticator R, and the contents of the Salt field A.  
                Break P into 16 octet chunks p(1), p(2)...p(i), 
                where i = len(P)/16.  Call the cipher-text blocks 
                c(1), c(2)...c(i) and the final cipher-text C.
                Intermediate values b(1), b(2)...c(i) are required.
                Encryption is performed in the following manner ('+'
                indicates concatenation):
          
            b(1) = MD5(S + R + A)   c(1) = p(1) xor b(1)   C = c(1)
            b(2) = MD5(S + c(1))    c(2) = p(2) xor b(2)   C = C + c(2)
                         .                       .
                         .                       .
                         .                       .
            b(i) = MD5(S + c(i-1))  c(i) = p(i) xor b(i)   C = C + c(i)
          
                The resulting encrypted String field will contain
                c(1)+c(2)+...+c(i).

                On receipt, the process is reversed to yield the
                plain-text String."


    REVISION "200203142045Z"  -- Thu Mar 14 20:45 GMT 2002
    DESCRIPTION
        "The initial version of this MIB module."

    ::= { etsysModules 19 }


etsysEncrDot1xConfigObjects
        OBJECT IDENTIFIER ::= { etsysEncr8021xConfigMIB 1 }

-- ----------------------------------------------------------------- --
-- Textual Conventions
-- ----------------------------------------------------------------- --

-- ----------------------------------------------------------------- --
-- Branches of the Enterasys Encrypted IEEE 802.1x Configuration MIB
-- ----------------------------------------------------------------- --

--  Encrypted configuration objects for Authenticator PAEs.
etsysEncrDot1xAuthConfigBranch
        OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigObjects 1 }

-- ----------------------------------------------------------------- --
-- The Encrypted Configuration Table for Port-Based PAEs
-- ----------------------------------------------------------------- --

etsysEncrDot1xAuthPortConfigTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF EtsysEncrDot1xAuthPortConfigEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A table that contains encrypted configuration objects for
         ports that support Authenticator PAEs."
    ::= { etsysEncrDot1xAuthConfigBranch 1 }

etsysEncrDot1xAuthPortConfigEntry OBJECT-TYPE
    SYNTAX        EtsysEncrDot1xAuthPortConfigEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "Each conceptual row holds configuration information for
         the Authenticator PAE(s) associated with one port."
    INDEX { dot1xPaePortNumber }
    ::= { etsysEncrDot1xAuthPortConfigTable 1 }

EtsysEncrDot1xAuthPortConfigEntry ::=
    SEQUENCE { 
        etsysEncrDot1xAuthAdminControlledDirections
            OCTET STRING,               -- encrypted enumeration
        etsysEncrDot1xAuthControlledPortControl
            OCTET STRING,               -- encrypted enumeration
        etsysEncrDot1xAuthQuietPeriod
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthTxPeriod
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthSuppTimeout
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthServerTimeout
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthMaxReq
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthReAuthPeriod
            OCTET STRING,               -- encrypted INTEGER
        etsysEncrDot1xAuthReAuthEnabled
            OCTET STRING,               -- encrypted TruthValue
        etsysEncrDot1xAuthKeyTxEnabled
            OCTET STRING                -- encrypted TruthValue
     }

etsysEncrDot1xAuthAdminControlledDirections OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted enumeration
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The current value of the administrative controlled
            directions parameter for the Port.

            SYNTAX      PaeControlledDirections

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.4.1, Admin Control Mode"
    ::= { etsysEncrDot1xAuthPortConfigEntry 1 }

etsysEncrDot1xAuthControlledPortControl OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted enumeration
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The current value of the controlled Port
            control parameter for the Port.

            SYNTAX      INTEGER {
                            forceUnauthorized(1),
                            auto(2),
                            forceAuthorized(3)
                        }

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, AuthControlledPortControl"
    ::= { etsysEncrDot1xAuthPortConfigEntry 2 }

etsysEncrDot1xAuthQuietPeriod OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value, in seconds, of the quietPeriod constant
            currently in use by the Authenticator PAE state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, quietPeriod"
--  DEFVAL { encrypt(60) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 3 }

etsysEncrDot1xAuthTxPeriod OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value, in seconds, of the txPeriod constant
            currently in use by the Authenticator PAE state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, txPeriod"
--  DEFVAL { encrypt(30) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 4 }

etsysEncrDot1xAuthSuppTimeout OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value, in seconds, of the suppTimeout constant
            currently in use by the Backend Authentication state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, suppTimeout"
--  DEFVAL { encrypt(30) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 5 }

etsysEncrDot1xAuthServerTimeout OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value, in seconds, of the serverTimeout constant
            currently in use by the Backend Authentication state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, serverTimeout"
--  DEFVAL { encrypt(30) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 6 }

etsysEncrDot1xAuthMaxReq OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value of the maxReq constant currently in use by
            the Backend Authentication state machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, maxReq"
--  DEFVAL { encrypt(2) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 7 }

etsysEncrDot1xAuthReAuthPeriod OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted INTEGER
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value, in seconds, of the reAuthPeriod constant
            currently in use by the Reauthentication Timer state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, reAuthPeriod"
--  DEFVAL { encrypt(60) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 8 }

etsysEncrDot1xAuthReAuthEnabled OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The enable/disable control used by the Reauthentication
            Timer state machine (8.5.5.1).

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, reAuthEnabled"
--  DEFVAL { encrypt(false) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 9 }

etsysEncrDot1xAuthKeyTxEnabled OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The value of the keyTransmissionEnabled constant
            currently in use by the Authenticator PAE state
            machine.

            Alternately, the default value (for ports that use
            station-based access control, and that therefore may
            support many virtual PAEs).

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1, keyTransmissionEnabled"
--  DEFVAL { encrypt(false) }
    ::= { etsysEncrDot1xAuthPortConfigEntry 10 }


-- ----------------------------------------------------------------- --
-- The Encrypted Initialization Table for Port-Based PAEs
-- ----------------------------------------------------------------- --

etsysEncrDot1xAuthPortInitTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF EtsysEncrDot1xAuthPortInitEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A table that contains encrypted initialization objects for
         port-based Authenticator PAEs."
    ::= { etsysEncrDot1xAuthConfigBranch 2 }

etsysEncrDot1xAuthPortInitEntry OBJECT-TYPE
    SYNTAX        EtsysEncrDot1xAuthPortInitEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "Each conceptual row holds initialization objects for one
         port-based Authenticator PAE."
    INDEX { dot1xPaePortNumber }
    ::= { etsysEncrDot1xAuthPortInitTable 1 }

EtsysEncrDot1xAuthPortInitEntry ::=
    SEQUENCE { 
        etsysEncrDot1xAuthInitialize
            OCTET STRING,               -- encrypted TruthValue
        etsysEncrDot1xAuthReauthenticate
            OCTET STRING                -- encrypted TruthValue
     }

etsysEncrDot1xAuthInitialize OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The initialization control for this Port.  Setting this
            attribute to TRUE causes the Port to be initialized.
            The attribute value reverts to FALSE once initialization
            has been completed.

            Setting this attribute to TRUE for a Port that uses
            station-based access control causes all of the virtual
            PAEs associated with the Port to be initialized.

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.1.2, Initialize Port"
    ::= { etsysEncrDot1xAuthPortInitEntry 1 }

etsysEncrDot1xAuthReauthenticate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "An encrypted octet string containing

            The reauthentication control for this Port.  Setting this
            attribute to TRUE causes the Authenticator PAE state
            machine for the Port to reauthenticate the Supplicant.
            Setting this attribute to FALSE has no effect.
            This attribute always returns FALSE when it is read.

            Setting this attribute to TRUE for a Port that uses
            station-based access control causes all of the virtual
            PAEs associated with the Port to reauthenticate their
            Supplicants.

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE
        "IEEE P802.1x Section 9.6.4.1.3 Reauthenticate"
    ::= { etsysEncrDot1xAuthPortInitEntry 2 }


-- ----------------------------------------------------------------- --
-- The Encrypted Initialization Table for Station-Based PAEs
-- ----------------------------------------------------------------- --

etsysEncrDot1xAuthStationInitTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF EtsysEncrDot1xAuthStationInitEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A table that contains encrypted configuration objects for
         station-based Authenticator PAEs."
    ::= { etsysEncrDot1xAuthConfigBranch 3 }

etsysEncrDot1xAuthStationInitEntry OBJECT-TYPE
    SYNTAX        EtsysEncrDot1xAuthStationInitEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "Configuration objects for one station-based Authenticator
         PAE."
    INDEX { etsysDot1xAuthStationAddress }
    ::= { etsysEncrDot1xAuthStationInitTable 1 }

EtsysEncrDot1xAuthStationInitEntry ::=
    SEQUENCE { 
     etsysEncrDot1xAuthStationInitialize
            OCTET STRING,               -- encrypted TruthValue
     etsysEncrDot1xAuthStationReauthenticate
            OCTET STRING                -- encrypted TruthValue
    }

etsysEncrDot1xAuthStationInitialize OBJECT-TYPE
    SYNTAX        OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An encrypted octet string containing

            The initialization control for this Authenticator PAE.
            Setting this attribute to TRUE causes the PAE to be
            initialized.  The attribute value reverts to FALSE
            once initialization has completed.

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE      "IEEE P802.1x Section 9.6.1.2, Initialize Port"
    ::= { etsysEncrDot1xAuthStationInitEntry 1 }

etsysEncrDot1xAuthStationReauthenticate OBJECT-TYPE
    SYNTAX        OCTET STRING (SIZE(0..255))   -- encrypted TruthValue
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An encrypted octet string containing

            The reauthentication control for this Authenticator
            PAE.  Setting this attribute to TRUE causes the
            Authenticator PAE state machine to reauthenticate the
            Supplicant.  Setting this attribute FALSE has no
            effect.  This attribute always returns FALSE when it
            is read.

            SYNTAX      INTEGER { true(1), false(2) }

         The data type is 1, Integer32."
    REFERENCE   "IEEE P802.1x Section 9.4.1.3 Reauthenticate"
    ::= { etsysEncrDot1xAuthStationInitEntry 2 }


-- ---------------------------------------------------------- --
-- Enterasys 802.1X Configuration MIB - Conformance Information
-- ---------------------------------------------------------- --

etsysEncrDot1xConfigConformance
    OBJECT IDENTIFIER ::= { etsysEncr8021xConfigMIB 2 }

etsysEncrDot1xConfigGroups      
    OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigConformance 1 }

etsysEncrDot1xConfigCompliances
    OBJECT IDENTIFIER ::= { etsysEncrDot1xConfigConformance 2 }

-- ---------------------------------------------------------- --
-- Units of conformance
-- ---------------------------------------------------------- --

etsysEncrDot1xAuthConfigGroup OBJECT-GROUP
    OBJECTS {
           etsysEncrDot1xAuthAdminControlledDirections,
           etsysEncrDot1xAuthControlledPortControl,
           etsysEncrDot1xAuthQuietPeriod,
           etsysEncrDot1xAuthTxPeriod,
           etsysEncrDot1xAuthSuppTimeout,
           etsysEncrDot1xAuthServerTimeout,
           etsysEncrDot1xAuthMaxReq,
           etsysEncrDot1xAuthReAuthPeriod,
           etsysEncrDot1xAuthReAuthEnabled,
           etsysEncrDot1xAuthKeyTxEnabled
        }
    STATUS current
    DESCRIPTION
            "A collection of objects for configuring IEEE 802.1x
             authentication at the port level.  Objects belonging
             to this group typically have durable values."
    ::= { etsysEncrDot1xConfigGroups 1 }

etsysEncrDot1xAuthInitGroup OBJECT-GROUP
    OBJECTS {
           etsysEncrDot1xAuthInitialize,
           etsysEncrDot1xAuthReauthenticate,
           etsysEncrDot1xAuthStationInitialize,
           etsysEncrDot1xAuthStationReauthenticate
        }
    STATUS current
    DESCRIPTION
            "A collection of objects for making Authenticator PAEs
             initialize and reauthenticate Supplicants.  Writes
             to objects in this group trigger actions, rather than
             changes to durable configuration values."
    ::= { etsysEncrDot1xConfigGroups 2 }



-- ---------------------------------------------------------- --
-- Compliance statements
-- ---------------------------------------------------------- --

etsysEncrDot1xConfigCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
            "The compliance statement for devices that support the
             Enterasys encrypted IEEE 802.1x configuration MIB."

MODULE

    MANDATORY-GROUPS { etsysEncrDot1xAuthConfigGroup }

    OBJECT         etsysEncrDot1xAuthAdminControlledDirections
    MIN-ACCESS     read-only
    DESCRIPTION    "Support for encrypt(in(1)) is optional."

    OBJECT         etsysEncrDot1xAuthKeyTxEnabled
    MIN-ACCESS     read-only
    DESCRIPTION    "An Authenticator PAE that does not support
                    EAPOL-Key frames may implement this object as
                    read-only, returning a value of encrypt(FALSE)."

    GROUP          etsysEncrDot1xAuthInitGroup
    DESCRIPTION    "This group is optional."


::= { etsysEncrDot1xConfigCompliances 1 }

END