ENTERASYS-PWA-MIB: View SNMP OID List / Download MIB

This MIB module provides the ability to configure the Port Web Authentication (PWA) component in a switch. PWA provides a way of authenticating a user on a switch port before allowing the user general access to the network. Only the essential protocols and services required by the authentication process are allowed on the segment between the end-station and the switch port. All other traffic will be discarded. When a user is in the unauthenticated state, any traffic generated by the end-station will not go beyond the switch port that they are connected to. The PWA/login process from the user standpoint is simple. The user makes a request via their favorite web browser for the 'secureharbour' web page. Depending upon the authenticated state of the port, a login page is provided so that the user can enter their username and password, or a logout page is presented to the user. When they submit their login page, the switch will then authenticate them via a preconfigured radius server. If the login is successful, then the port that the end-station is connected to will be turned on and full network access will be granted according to the users port configuration on the switch. This MIB module also provides status about the PWA component and statistics about all current users who are logged into the switch.

The administrative enable/disable state for Port Web Authentication Control in a System. Enabling this object turns on the PWA system.

This is the hostname part the Uniform Resource Locator (URL). This object is a DNS/WINS name and is considered to be bound to the etsysPwaSystemAuthIPAddress. This object must not contain the protocol portion of the URL nor any directory or filenames. Changing this objects value changes the default name of the http server located at the local switch. An administrator can change this objects value to whatever name is appropriate for their network.

The banner that will be displayed on the web login page of the Port Web Authentication Control in a System. This banner is a courtesy introduction to the network, which the user sees on the login page.

The enable state of the name services application. Enabling this object turns on the Domain Name Service (DNS) and the Windows Internet Naming Services (WINS) clients. These clients will resolve only requests for the etsysPwaSystemAuthHostName. Disabling this object would require users in the network to know and use the etsysPwaSystemAuthIPAddress of this system.

This object has been deprecated. Refer to etsysPwaSystemAuthIPAddress for the reason. The textual convention for InetAddressType states that this object must be registered immediately before the InetAddress that it defines. etsysPwaSystemAuthInetAddressType MUST be used for all future implementations of this MIB.

This object has been deprecated due to an incorrect initial implementation of this MIB. This object was originally an InetAddress but some versions of the E7 firmware implemented it as an IpAddress. The syntax of this object was changed to allow management of the existing products. The etsysPwaSystemAuthInetAddress object MUST be used for all future implementations of this MIB.

The authentication protocol used for this switch module. When set to a chap(1), the authentication scheme used will be the 'PPP Challenge Handshake Authentication Protocol (CHAP)', when set to a pap(2), the scheme will be 'Password Authentication Protocol (PAP)'. When using the CHAP protocol, the username and password utilize the CHAP protocol method of encryption to encrypt the users password in the http transmission of the submitted form on the segment between the end-station and the switch port. The PAP protocol is less secure than CHAP and does not provide any encryption on the segment between the end-station the switch port. The username and password go over this segment in the http transmission of the submitted form in plain text format. Enumeration: 'pap': 2, 'chap': 1.

The domain name for which this module resides in.

A value that represents a type of etsysPwaSystemAuthInetAddress. unknown(0) An unknown address type. This value MUST be used if the value of the corresponding InetAddress object is a zero-length string. It may also be used to indicate an IP address which is not in one of the formats defined below. ipv4(1) An IPv4 address as defined by the InetAddressIPv4 textual convention. ipv6(2) An IPv6 address as defined by the InetAddressIPv6 textual convention.

The IP address bound to the etsysPwaSystemAuthHostName. The format of this object is defined in the etsysPwaSystemAuthInetAddressType object. This address MUST be supplied for authentication to work. This is a globally unique address and must be the same value configured into every authenticating switch in the domain. Each switch terminates any IP traffic destined to this etsysPwaSystemAuthInetAddress. If the port is in either promiscousAuto(4) or auto(2) mode, described in the etsysPwaControlledPortControl object, then the local switch in question responds to http requests with a login page. If the port is in any other mode, then all traffic destined for etsysPwaSystemAuthInetAddress is discarded. Please note that neither the etsysPwaSystemAuthHostName object nor this object refer to any specific machine in the network. These objects are always relative to the connection between an end station and a switch. Traffic destined for this IP is never seen over interswitch links.

The enable state of the PWA enhanced mode. When this feature is enabled users on unauthenticated ports will be presented the login page on their initial web access. The etsysPwaControlledPortControl object MUST be set to auto(2) for this feature to function correctly. If etsysPwaControlledPortControl is not set to auto(2), or if this feature is disabled, users must enter the value of etsysPwaSystemAuthHostName in order to get the login page.

When this object is set to enabled, the secureharbour logo will be displayed on the PWA login web pages. When it is set to disabled, the logo will not be displayed.

The username that the Guest Networking feature will use to authenticate users that do not override this value in the login page.

The password that the Guest Networking feature will use to authenticate users that do not override the guest username. On a read this object will always return an empty string.

true(1) - indicates that etsysPwaGuestPassword was last set with some value other than the empty string. false(2) - indicates that etsysPwaGuestPassword has never been set, or was last set to the empty string.

Guest Networking is a feature that allows a user to get default policy access to the network without having to know a username or password. When this feature is not disabled(1), the username on the login page will be populated with the value from the object etsysPwaGuestUsername and the password will be mask out with asterisks. The password in the login page should never be populated with the value from etsysPwaGuestPassword. When Guest Networking is enabled, and a user submits a request for authentication, and the username is the same as the value from etsysPwaGuestUsername, PWA will use the value from etsysPwaGuestPassword as the password for authentication. When this object is set to disabled(1), Guest Networking will be unavailable. When set to authNone(2) Guest Networking will be enabled and it will not authenticate the guest user using any authentication method. Once the user submits the login page with the username that matches the value from etsysPwaGuestUsername, the default policy of that port will become the active policy. When set to authRadius(3) Guest Networking will be enabled and it will authenticate the guest user using RADIUS authentication Upon a successful authentication from RADIUS, this port will apply the policy returned from RADIUS to that port. Enumeration: 'disabled': 1, 'authNone': 2, 'authRadius': 3.

This is the value that is displayed on the PWA login success page as the redirect time. If a user, using PWA enhanced mode, enters a URL of 'http://enterasys.com' prior to being presented with the PWA login page and then successfully authenticates into the network they would be presented with a login success page that displays 'Welcome to the Network. Completing network connections. You will be redirected to http://enterasys.com in approximately 30 seconds'. An end-station that is utilizing the Dynamic Host Configuration Protocol (DHCP) as a means of obtaining an IP address will take some time to transition from the temporary IP address issued by PWA, as part of the authentication process, to the official IP address issued by the network. etsysPwaSystemEnhancedModeRefreshTime provides a configurable time period for the end-stations on a given switch to complete the process of obtaining their official IP addresses and to begin using them. The default value of 30 seconds has been shown to be adequate in most environments. In some networks this time period may need to be longer, and in other networks it could be shorter. In networks that only use static IP addresses a time period on the order of 5 to 10 seconds may be sufficient. A period of less than 5 seconds is not recommended as there is a slight delay after a successful login before the switch transitions the port to forwarding.

A table of configuration objects for each port that are supported by the Port Web Authentication Entity. An entry appears in this table for each port in this system. All objects/instances in this table are stored persistent memory.

The ifIndex number, maximum number of requests, quiet period between failed attempts, and initialization control for a Port. This table holds the objects for configuring the PWA system.

The ifIndex number associated with this port.

The initialization control for this ifIndex. This object can be used to unauthenticate a user on a port or to return the port to its initial default state due to some unknown condition. Setting this attribute to true(1) causes the Port to be initialized. The attribute value reverts to false(2) once initialization has completed. Initializing a port returns the etsysPwaAuthPwaState to disconnected(1) and if the etsysPwaControlledPortControl setting is either promiscousAuto(4) or auto(2), and the etsysPwaAuthPwaState was authenticated(3), then the current session is terminated, and the user is forced off the network.

The value, in seconds, of the quietPeriod constant currently in use by the Port Web Authenticator state machine. After the user attempts unsuccessfully to login a number of times equal to the etsysPwaAuthMaxReq constant, then the ifIndex is locked for a time period equal to the value of this MIB entry. In the initial released version of this MIB this object was an Unsigned32. The initial implementation on the E7 returned an Integer32. The syntax of this object was changed to reflect the existing product in the field. All future implementations of this object should return an Integer32.

The value of the maxReq constant currently in use by the Port Web Authenticator state machine. This represents the maximum number of failed retry attempts before preventing any further attempts for a time period equal to the value of etsysPwaAuthQuietPeriod. In the initial released version of this MIB this object was an Unsigned32. The initial implementation on the E7 returned an Integer32. The syntax of this object was changed to reflect the existing product in the field. All future implementations of this object should return an Integer32.

The authentication method of the ifIndex. A value of forceUnauthorized(1) indicates that the port is always unauthenticated. When set to this value the ifindex is essentially disabled. A value of auto(2) indicates that the ifindex will authenticate users using PWA process. In this mode the switch will provide all the services the end-station will need to complete the login. These services include a Dynamic Host Configuration Protocol (DHCP) server, a Windows Internet Naming Server (WINS), and a Domain Name Service (DNS) Server. A value of forceAuthorized(3) indicates the port is always authorized. When set to this value, the ifindex will always be authenticated. When set to promiscousAuto(4) the services that are required to complete the network login are not provided by the switch. These services must be provided on a back-end network that the end-station can communicate with. These services might be specific to the particular Operating System of the end-station and could also include the same services as provided in auto mode. Enumeration: 'auto': 2, 'forceUnauthorized': 1, 'forceAuthorized': 3, 'promiscousAuto': 4.

A table that contains the status objects for the Port Web Authenticator associated with each ifIndex. An entry appears in this table for each ifIndex that may authenticate access to itself. All objects/instances in this table are stored in persistent memory.

The status information for an Authenticator PWA.

The current value of the Port Web Authenticator state machine. When set to disconnected(1) no user is logged in. When set to authenticating(2), it indicates that a login is in process and has not yet completed. A value of authenticated(3) indicates a user has successfully logged in. When the value is held(4) it indicates that the port is locked down because the number of failed login attempts is greater than etsysPwaAuthMaxReq.The port will be locked until the etsysPwaAuthQuietPeriod has expired. Enumeration: 'authenticated': 3, 'authenticating': 2, 'disconnected': 1, 'held': 4.

The total number of failed logon attempts on this ifIndex.

The total number of failed logon attempts since the last successful logon on this ifIndex.

This ASCII string provides an unstructured way for the web based auth agent to communicate detailed error and status indications to a network administrator.

A table that contains the session statistics objects for the Authenticator PWA associated with each ifIndex. An entry appears in this table for each ifIndex that may authenticate access to itself. Session entries are collected for each ifIndex. All objects/instances in this table are stored in non-persistent memory. The instancing in this table and the etsysPwaAuthSessionStatsHCTable are dependent upon the switch port configuration and will always be identical in any given switch.

The session statistics information for an Authenticator PWA. This shows the current values being collected for each session that is still in progress, or the final values for the last valid session on each ifIndex where there is no session currently active.

A unique ID that identifies the session on this ifindex.

The number of octets received in user data frames on this ifIndex during the session.

The number of times the associated etsysPwaAuthSessionOctetsRx counter has overflowed.

The number of octets transmitted in user data frames on this ifIndex during the session.

The number of times the associated etsysPwaAuthSessionOctetsTx counter has overflowed.

The number of user data frames received on this ifIndex during the session.

The number of user data frames transmitted on this ifIndex during the session.

The start time of the session in hundredths of seconds since reset.

The duration of the session in hundredths of seconds.

The reason for the session termination. When set to linkDown(1), the ifindex has no link. When set to logoff(2), a user has successfully logged off the network on this ifindex. When set to authControlForceUnauth(3) an administrator has terminated the user session on this ifindex by setting etsysPwaControlledPortControl to forceUnauthorized(1). When set to portReInit(4) the ifindex has been re-initialized by setting the object etsysPwaInitializePort. When set to portDisabled(5) the ifindex has been disabled. When set notTerminatedYet(999) the ifindex has an active session. Enumeration: 'notTerminatedYet': 999, 'portDisabled': 5, 'portReInit': 4, 'linkDown': 1, 'logoff': 2, 'authControlForceUnauth': 3.

The mac address of the remote user of this session entry stored for this ifIndex.

A value that represents a type of etsysPwaAuthSessionIPAddress. unknown(0) An unknown address type. This value MUST be used if the value of the corresponding InetAddress object is a zero-length string. It may also be used to indicate an IP address which is not in one of the formats defined below. ipv4(1) An IPv4 address as defined by the InetAddressIPv4 textual convention. ipv6(2) An IPv6 address as defined by the InetAddressIPv6 textual convention.

The ip address of the remote user of this session entry stored for this ifIndex. The format of this object is defined in the etsysPwaAuthSessionIPAddressType object.

The username that logged on to this ifIndex.

A table that contains the session statistics objects for the Authenticator PWA associated with each ifIndex. An entry appears in this table for each ifIndex that may authenticate access to itself. Session entries are collected for each ifIndex up to the maximum allowed. When the maximum number of allowed sessions has been reached, the oldest session entries will be replaced with newer ones as necessary. All objects/instances in this table are stored in non-persistent memory.

The session statistics information for an Authenticator PWA. This shows the current values being collected for each session that is still in progress, or the final values for the last valid session on each ifIndex where there is no session currently active.

A unique ID that identifies the session on this ifindex.

The number of octets received in user data frames on this ifIndex during the session.

The number of octets transmitted in user data frames on this ifIndex during the session.

This section has been deprecated. See etsysPwaSystemGroupI.

This section is for ifIndex based configuration of the PWA system.

The status of all login information on a per ifIndex basis can be obtained here.

This section contains statistics associated with each ifIndex/login.

This section contains statistics associated with each ifIndex/login.

This section is for the basic configuration parameters used by the PWA system.

This section is for the configuration of the PWA enhanced mode of operation.

Deprecated, see etsysPwaMIBComplianceI.

The compliance statement for hosts using Port Web Authentication.