From 4e9d466c812ea18c9a19d73c8a8a254c7f082ed5 Mon Sep 17 00:00:00 2001
From: Oleksandr Mazur
Date: Mon, 8 Jan 2024 10:53:22 +0200
Subject: [PATCH] Extend schema to add dynamic authorization (CoA) support

- Extend schema/switch.yml to support configuring DAC list (origin of CoA and DM messages), as well as configiguring DAS (port on which receive CoA + DM) etc.
- Extend state/unit.yml to report back to the cloud current DAS configuration and DAC config.

Signed-off-by: Oleksandr Mazur
---
 schema/switch.yml | 55 +++++++++++++++++++++++++++++++++++++++++++++++
 state/unit.yml | 48 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/schema/switch.yml b/schema/switch.yml
index a6c80a7..aae513d 100644
--- a/schema/switch.yml
+++ b/schema/switch.yml
@@ -129,3 +129,58 @@ properties:
 type: integer
 maximum: 64
 minimum: 1
+ dynamic-authorization:
+ description:
+ Additional dynamic authorization (RFC 5176 compliant) - configure option for DAS that enable RM and CoA processing.
+ type: object
+ properties:
+ auth-type:
+ description:
+ Sets the accepted authorization types for dynamic RADIUS clients.
+ all - Selects all COA client authentication types. All authentication attributes must match for the authentication to succeed.
+ any - Selects any COA client authentication type. Any authentication attribute may match for the authentication to succeed.
+ session-key - Indicates that the session-key must match for authentication to succeed.
+ type: string
+ enum:
+ - all
+ - any
+ - session-key
+ bounce-port-ignore:
+ description:
+ Sets the switch to ignore bounce-port requests from dynamic authorization clients.
+ type: boolean
+ default: false
+ disable-port-ignore:
+ description:
+ Sets the switch to ignore requests from dynamic authorization clients.
+ type: boolean
+ default: false
+ ignore-server-key:
+ description:
+ Do not attmept to authenticate with the server key.
+ type: boolean
+ default: false
+ ignore-session-key:
+ description:
+ Do not attmept to authenticate with the session key.
+ type: boolean
+ default: false
+ server-key:
+ description:
+ Sets the shared secret to verify client COA requests for this server.
+ type: string
+ client:
+ description:
+ Configure DAC.
+ type: array
+ items:
+ type: object
+ properties:
+ address:
+ description:
+ A valid IP address or hostname of a DAC.
+ type: string
+ server-key:
+ description:
+ Sets the shared secret to verify client COA requests for this server.
+ type: string
diff --git a/state/unit.yml b/state/unit.yml
index a42c5cb..1e23e30 100644
--- a/state/unit.yml
+++ b/state/unit.yml
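Review bot: Both `server-key` properties (the DAS-level one and the one under `client` → `items` → `properties`) are a bare `type: string` with no `minLength`, so the schema accepts an empty shared secret even though that secret is what authenticates CoA/Disconnect requests that can bounce or disable ports; add `minLength: 1` under each `type: string`, and, if the DAS-level key is not intended as a fallback for clients without their own, `required: [address, server-key]` on the client items. The `ignore-server-key` and `ignore-session-key` flags have no stated interaction: with both `true` (or with `auth-type: any` and one of them set) request authentication is effectively disabled, which deserves a caveat in their descriptions, e.g. `Setting this together with ignore-session-key accepts unauthenticated CoA/DM requests; do not enable on untrusted networks.` `address` allows "a valid IP address or hostname" but carries no `format`; a hostname makes DAC identity depend on DNS resolution, so either restrict it to `format: ipv4`/`ipv6` or document that resolution happens at config-apply time. The commit message says the DAS port is configurable, but no port property appears in this hunk — presumably it lives elsewhere or was left out; worth confirming before the state file reports it.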
@@ -74,4 +74,50 @@ properties:
 examples:
 - "ON"
 - "OFF"
-
+ ieee8021x:
+ description:
+ This section describes the global (device-wise) 802.1X (port access control) state and config applied.
+ type: object
+ properties:
+ dynamic-authorization:
+ description:
+ Reported DAS-related state info.
+ type: object
+ properties:
+ stats:
+ description:
+ Cumulative statistics for all configured DACs.
+ type: object
+ properties:
+ coa_req_received:
+ description:
+ Number of CoA requests received.
+ type: number
+ coa_ack_sent:
+ description:
+ Number of CoA ACK responses sent.
+ type: number
+ coa_nak_sent:
+ description:
+ Number of CoA NAK responses sent.
+ type: number
+ coa_ignored:
+ description:
+ Number of CoA requests ignored.
+ type: number
+ coa_wrong_attr:
+ description:
+ Number of CoA requests received with invalid (unsupported) attributes.
+ type: number
+ coa_wrong_attr_value:
+ description:
+ Number of CoA requests received with invalid (unsupported) attribute value.
+ type: number
+ coa_wrong_session_context:
+ description:
+ Number of CoA requests received with inexisting session context.
+ type: number
+ administratively_prohibited_req:
+ description:
+ Number of CoA requests that are sent if the NAS is configured to prohibit honoring of CoA-Request or Disconnect-Request packets for the specified session.
+ type: number
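Review bot: Every counter under `stats` is declared `type: number`, which admits floats and negative values; cumulative counters should be `type: integer` with `minimum: 0` on each entry. The block only counts CoA traffic, yet the commit message says the DAS also receives Disconnect-Request (DM) messages and `administratively_prohibited_req` itself mentions them, so a defender watching this state has no `dm_req_received`/`dm_ack_sent`/`dm_nak_sent` to alert on rogue disconnects — worth adding alongside the CoA counters. It is also not clear from the descriptions whether `coa_ignored` includes requests dropped because the source was not a configured DAC or the Request Authenticator failed verification; those are the events a SOC most wants to see, so either state that in the description or give them their own counter. The `administratively_prohibited_req` description reads as if the NAS sends these requests; I would reword it to `Number of CoA/Disconnect requests rejected because the NAS is configured to prohibit honoring them for the specified session.` Style: these keys are `snake_case` while the surrounding keys in the same block (`dynamic-authorization`, `ieee8021x` siblings) are kebab-case.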