CISCO-TRUSTSEC-MIB: View SNMP OID List / Download MIB

This MIB module is for the configuration of a network device on the Cisco Trusted Security (TrustSec) system. TrustSec secures a network fabric by authenticating and authorizing each device connecting to the network, allowing for the encryption, authentication and replay protection of data traffic on a hop by hop basis. Glossary : TrustSec - Cisco Trusted Security EAP-FAST - Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (RFC 4851) PAC - Protected Access Credential A credential dynamically downloaded from the Access Control Server. ACS - Access Control Server SGT - Security Group Tag A tag identifying its source, assigned to a packet on ingress to a TrustSec cloud, and used to determine security and other policy to be applied to it along its path through the cloud.

A ctsSwKeystoreFileErrNotif is generated when system encounters an error while performing operation on the software keystore file.

A ctsSwKeystoreSyncFailNotifReason is generated when system fails to sync software keystore information from the active supervisor to the standby supervisor.

A ctsAuthzCacheFileErrNotif is generated when the system encounters error downloading TrustSec authorization related environment data to a cache file.

A ctsCacheFileAccessErrNotif is generated when the system fails to perform open/read/write operation for a TrustSec cache file.

A ctsSrcEntropyFailNotif is generated when the periodic health tests for the CTR-DRBG (Counter- Deterministic Random Bit Generator) implementation fails due to issues with the source entropy.

A ctsSapRandomNumberFailNotif is generated when the the system fails to obtain a random number from CTR-DRBG block for SAP (Security Association Protocol) key-counter.

This object specifies if the TrustSec cache is enabled in the system.

The object specifies the location on the device where TrustSec cache files will be created. The location may be specified in :[directory] format, where can be (but not limited to): bootdisk:, disk0:, disk1:. A zero length string for this object indicates that no location has been configured and system will decide the location of TrustSec cache files.

This object allows user to clear the cache files for Cisco Trusted Security feature on this device. When read, this object always returns the value 'none'. 'none' - No operation. 'all' - Clear all the cached information 'authzPolicies' - Clear all the cached authorization policies. 'authzPoliciesPeer' - Clear the cached peer authorization policies. 'authzPoliciesSgt' - Clear the cached SGT authorization policies. 'environmentData' - Clear the cached environment data 'interfaceController' - Clear the cached interface controller data. Enumeration: 'none': 1, 'environmentData': 6, 'interfaceController': 7, 'authzPoliciesPeer': 4, 'all': 2, 'authzPoliciesSgt': 5, 'authzPolicies': 3.

This object allows user to specify the SGT for the packets originating from this device. A value of zero for this object indicates that no SGT has been configured.

This object specifies the method used for assignment of TrustSec SGT for the line cards without TrustSec tagging capability. 'none' - assignment of TrustSec SGT is not enabled. 'ingress' - 'ingress' method is used for the assignment of TrustSec SGT. 'egress' - 'egress' method is used for the assignment of TrustSec SGT. Enumeration: 'none': 1, 'egress': 3, 'ingress': 2.

This object allows user to specify the identifier for the device. This identifier and the device password (specified by ctsDevicePassword) are used together by the Cisco Trusted Security feature for authenticating the device. The value of this object must be set in the same PDU as ctsDevicePasswordType and ctsDevicePassword. The object may not be set to a zero length string. The system will return a zero length string for this object either when there is no value configured for this object or TrustSec credentials for the device have been cleared by setting ctsCredentialsClearAll to 'true'.

This object specifies the type of encryption employed to encrypt password in ctsDevicePassword object. Value for this object must be specified as 'clearText', 'typeSix' or 'typeSeven' in order to configure the password in ctsDevicePassword. The value of this object must be set in the same PDU as ctsDevicePassword and ctsDeviceId. When read, value of this object must be 'none' if ctsDevicePassword is a zero length string. The value of this object may not be set to 'none' or 'other'.

This object allows user to specify the password for the device. This password and the device identifier (specified by ctsDeviceId) are used together by the Cisco Trusted Security feature for authenticating the device. The value of this object must be set in the same PDU as ctsDevicePasswordType and ctsDeviceId. The object may not be set to a zero length string. When read, this object always returns the value of a zero-length octet string.

This object indicates the type of keystore employed by the device. 'hardwareKeystore' - Keystore functionality is implemented in hardware. 'softwareEmulation' - Keystore functionality is emulated in software. Enumeration: 'hardwareKeystore': 1, 'softwareEmulation': 2.

This object indicates the firmware version of the hardware keystore. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of hardware keystore alerts that occurred. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of times the keystore firmware was reset. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of times the system timed out awaiting response from keystore firmware. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of message fragments the system received from keystore firmware that had bad checksum value. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of message fragments the system received from keystore firmware that had illegal lengths. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

This object indicates the number of times keystore firmware reported detection of one or more corrupted records in the hardware keystore. This object is only instantiated when the value of ctsKeystoreType is 'hardwareKeystore'.

A list of Cisco Trusted Security password records stored in the hardware or software keystore of this device.

An entry describing individual password record in the keystore of this device. An entry will be created or deleted from this table when a password record is added or removed from the keystore of this device.

This object identifies a password record.

This object indicates the type of credential in this record.

A list of Cisco Trusted Security PAC records stored in the hardware or software keystore of this device.

An entry describing individual PAC record in the keystore of this device. An entry will be created or deleted by the system when a PAC record is added or removed from the keystore of this device.

The name of this PAC record.

This object indicates the type of credential in this record.

A list of PACs on this device.

An entry providing management information of a particular PAC record. An entry can only be created dynamically by the system when a new PAC is installed in the keystore. An entry will be deleted from this table when the PAC is removed from the keystore by the system or by the user.

This object indicates the unique authority identity of the ACS server from where the PAC was downloaded.

This object indicates the description of the ACS server from where the PAC was downloaded.

This object indicates the type of PAC this entry represents. 'unknown' - Any other type of PAC that is not covered below 'tunnel' - Distributed shared secret between the peer and ACS that is used to establish a secure tunnel and convey the policy of what must and can occur in the tunnel. 'machineAuthentication' - The Machine Authentication PAC contains information in the PAC opaque that identifies the machine. It is meant to be used by a machine when network access is required and no user is logged in. 'userAuthorization' - The User Authorization PAC contains information in the PAC opaque that identifies a user and provides authorization information. The User Authorization PAC is used to provide user information during stateless session resumption so user authentication MAY be skipped. 'posture' - Distributed posture checking and authorization result based on a previous posture validation. A posture PAC can be used to optimize posture validation in the case of frequent revalidations. This result is specific to the posture validation application and may be used outside the contents of EAP-FAST. 'ciscoTrustSec' - A credential dynamically provisioned in phase 0 of EAP-FAST. It is used by Trustsec to set up secure communications with the server. Enumeration: 'tunnel': 2, 'unknown': 1, 'userAuthorization': 4, 'ciscoTrustSec': 6, 'machineAuthentication': 3, 'posture': 5.

This object indicates the time when this PAC will be expired.

This object indicates the time left for this PAC to be refreshed from the ACS.

This object is used to manage the deletion of rows in this table. This object only supports the values 'active' and 'destroy'. Setting this object to 'destroy' deletes this PAC. When read, this object will always return 'active'.

This object allows user to clear all the PACs and Cisco Trusted Security credentials on the device. Setting the object to 'true' will clear all the PACs and credentials. When read, this object will always return 'false'.

This object indicates the status of the last attempt to download the Environment Data. 'other' - Any other state not covered by below enumerations. 'succeeded' - Environment Data download completed successfully. 'failed' - Environment Data download failed. 'inprogress'- Environment Data download is in progress. 'incomplete'- Environment Data download is incomplete. 'timedout' - Environment Data download did not start and timed out due to no response from the ACS. 'cleared' - Environment Data has been cleared by the user. Enumeration: 'succeeded': 2, 'timedout': 6, 'failed': 3, 'other': 1, 'inprogress': 4, 'cleared': 7, 'incomplete': 5.

This object indicates the SGT for packets originating on this device downloaded from the ACS. A value of zero for this object indicates that no SGT has been downloaded from the ACS.

This object indicates the generation identifier associated with the downloaded SGT on this device.

This object indicates the last time Cisco Trusted Security Environment Data was successfully updated from ACS. This object will contain 0-1-1,00:00:00:0 if Environment Data has never been successfully updated from ACS.

This object indicates the time interval for which Trusted Security Environment Data is valid. The Trusted Security Environment Data will be refreshed i.e. downloaded from the ACS after this time period has elapsed.

This object indicates the time left for the currently installed Trusted Security Environment Data to expire.

This object indicates the time interval after which Trusted Security Environment Data will be refreshed i.e. downloaded from the ACS due to Environment Data expiration or refresh failure.

This object indicates the source of current Environment Data installed on the system. 'none' - No Environment Data is currently installed. 'cached' - Environment Data is installed from non-volatile storage on the system. 'downloaded' - Environment Data is downloaded from the ACS. Enumeration: 'cached': 2, 'downloaded': 3, 'none': 1.

This object allows user to specify the action to be taken for all the Cisco Trusted Security Environment Data on this device. When read, this object always returns the value 'none'. 'none' - No operation. 'refresh' - Refresh all the Trusted Security Environment Data on the device. Enumeration: 'none': 1, 'refresh': 2.

A list of Security Group Names in Cisco Trusted Security environment.

An entry listing the name assigned to each SGT in Cisco Trusted Security environment. Entries will be populated in this table when system downloads Security Group Name information as part of Trusted Security Environment Data.

This object identifies a SGT in Trusted Security environment.

This object indicates the Generation Identifier associated with this SGT.

This object indicates the flag associated with this SGT. 'recognizedSgt' - indicates a recognized SGT when set to 1, else indicates a reserved SGT. 'unicastSgt' - indicates a unicast SGT when set to 1, else indicates a multicast SGT. Bits: 'unicastSgt': 1, 'recognizedSgt': 0.

This object indicates the Security Group Name assigned to this SGT.

This object specifies if the system generates ctsSwKeystoreFileErrNotif. A value of 'false' will prevent ctsSwKeystoreFileErrNotif notifications from being generated by this system.

This object specifies if the system generates ctsSwKeystoreSyncFailNotif. A value of 'false' will prevent ctsSwKeystoreSyncFailNotif notifications from being generated by this system.

This object specifies if the system generates ctsAuthzCacheFileErrNotif. A value of 'false' will prevent ctsAuthzCacheFileErrNotif notifications from being generated by this system.

This object specifies if the system generates ctsCacheFileAccessErrNotif. A value of 'false' will prevent ctsCacheFileAccessErrNotif notifications from being generated by this system.

This object specifies if the system generates ctsSrcEntropyFailNotif. A value of 'false' will prevent ctsSrcEntropyFailNotif notifications from being generated by this system.

This object specifies if the system generates ctsSapRandomNumberFailNotif. A value of 'false' will prevent ctsSapRandomNumberFailNotif notifications from being generated by this system.

This object indicates the reason file error related notification was generated. 'openFailedForWrite' - System failed to open a file to write TrustSec information. 'writeFailed' - System failed to write TrustSec information to a file. 'openFailedForRead' - System failed to open a file to read TrustSec information. 'readFailed' - System failed to read TrustSec information from a file. 'badMagic' - A bad magic number was encountered for a TrustSec file. 'unexpectedEof' - A record of unexpected length is found in TrustSec file. 'badHeader' - Bad file header was encountered for a TrustSec file. Enumeration: 'readFailed': 4, 'badMagic': 5, 'badHeader': 7, 'unexpectedEof': 6, 'openFailedForRead': 3, 'openFailedForWrite': 1, 'writeFailed': 2.

This object indicates the reason ctsSwKeystoreSyncFailNotif notification was generated. 'ipcPortCreationFailed' - Keystore information could not be synced because the system failed to create port for Inter-Process communication between the active and the standby supervisors. 'ipcPortOpenFailed' - Keystore information could not be synced because the system failed to open port for Inter-Process communication between the active and the standby supervisors. 'ipcConnectionFailure' - Keystore information could not be synced because Inter-Process communication connection failed between the active and the standby supervisors. 'ipcSendFailure' - Keystore information could not be synced because Inter-Process Communication messages could not be sent to the standby supervisor. 'standbyIncompatible' - Keystore information could not be synced because the standby supervisor is not compatible with the active supervisor. 'syncProcessCreationFailed' - Keystore information could not be synced because the system failed to create the sync process. Enumeration: 'syncProcessCreationFailed': 6, 'ipcPortCreationFailed': 1, 'ipcConnectionFailure': 3, 'ipcPortOpenFailed': 2, 'standbyIncompatible': 5, 'ipcSendFailure': 4.

The object indicates additional information for a TrustSec notification.

This object specifies if the Critical-Auth functionality is enabled in the system. Setting the object to 'true' will enable Critical-Auth functionality in the system and 'false' will disable the Critical-Auth functionality. Before enable ctsCriticalAuthEnable ctsCriticalAuthPeerSgt need to be configured.

This object specifies the CTS Critical-Auth fallback policy. default - Critical-Auth fallback policy is default. cache - Critical-Auth fallback policy is cache. Enumeration: 'default': 1, 'cache': 2.

This object specifies the CTS Critical-Auth SGT tag of the remote peer. ctsCriticalAuthPeerSgt cannot be set to zero when ctsCriticalAuthEnable is enable. ctsCriticalAuthPeerSgtTrust will be set to untrusted by default during set operation of ctsCriticalAuthPeerSgt. User need to explicitly override the ctsCriticalAuthPeerSgtTrust to trusted if required.

This object specifies the CTS Critical-Auth peer's sgt trust state. This object can only be set when ctsCriticalAuthPeerSgt is non-zero.

This object specifies the CTS Critical-Auth default PMK used by SAP. The purpose of this object is to only allow configuration of Critical-Auth PMK. The ctsCriticalAuthViewDefaultPmk object is used to display the default Critical-Auth PMK.

This object indicates the CTS Critical-Auth default PMK. The purpose of this object is to only display the configured Critical-Auth PMK. A zero length string for this objects indicates the SAP negotiation is disabled. The ctsCriticalAuthDefaultPmk object is used to configure the PMK.

The compliance statement for the CISCO-TRUSTSEC-MIB.

The compliance statement for the CISCO-TRUSTSEC-MIB.

The compliance statement for the CISCO-TRUSTSEC-MIB.

The compliance statement for the CISCO-TRUSTSEC-MIB.

A collection of objects that provides the cache configuration for TrustSec in the system.

A collection of objects to manage SGT for TrustSec.

A collection of objects to manage credentials parameters for TrustSec.

A collection of objects to manage hardware keystore for TrustSec.

A collection of objects to manage Environment Data for TrustSec.

A collection of objects to manage assignment of TrustSec SGT.

A collection of object(s) to manage Security Group Name information for TrustSec.

A collection of object(s) to provide information regarding software keystore notifications for TrustSec.

A collection of object(s) to control software keystore notifications for TrustSec.

A collection of software keystore related notifications for TrustSec.

A collection of object(s) to provide information regarding file error related notifications for TrustSec.

A collection of object(s) to provide information regarding TrustSec notification.

A collection of object(s) to control cache file related notifications for TrustSec.

A collection of TrustSec cache file related notifications.

A collection of object(s) to control CTR-DRBG related notifications for TrustSec.

A collection of CTR-DRBG related notifications for TrustSec.

A collection of CTS Critical Auth Config objects