-- ****************************************************************************
-- ****************************************************************************
--             Copyright(c) 2004 Mediatrix Telecom, Inc.
--  NOTICE:
--   This document contains information that is confidential and proprietary
--   to Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves all rights to this document as well as
--   to the Intellectual Property of the document and the technology and
--   know-how that it includes and represents.
--   This publication cannot be reproduced, neither in whole nor in part in
--   any form whatsoever without written prior approval by
--   Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves the right to revise this publication
--   and make changes at any time and without the obligation to notify any
--   person and/or entity of such revisions and/or changes.
-- ****************************************************************************
-- ****************************************************************************

MX-AAA-MIB
DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Unsigned32,
        Integer32
    FROM SNMPv2-SMI
        MODULE-COMPLIANCE,
        OBJECT-GROUP
    FROM SNMPv2-CONF
        MxEnableState,
        MxActivationState,
        MxIpHostName,
        MxIpAddress,
        MxIpPort,
        MxAdvancedIpPort,
        MxIpSubnetMask,
        MxDigitMap
    FROM MX-TC
        MxUInt64,
        MxFloat32,
        MxIpHostNamePort,
        MxIpAddr,
        MxIpAddrPort,
        MxIpAddrMask,
        MxUri,
        MxUrl
    FROM MX-TC2
        mediatrixServices
    FROM MX-SMI2;

aaaMIB MODULE-IDENTITY
 LAST-UPDATED   "1910210000Z"
 ORGANIZATION " Mediatrix Telecom, Inc. "
 CONTACT-INFO " Mediatrix Telecom, Inc.
                4229, Garlock Street
                Sherbrooke (Quebec)
                Canada
                Phone: (819) 829-8749
                "
 DESCRIPTION  " Authentication, Authorization and Accounting

                The Authentication, Authorization and Accounting (AAA) service
                manages the administrator accounts and grants or denies access
                to various parameters.
                "
 ::= { mediatrixServices 1000 }

aaaMIBObjects OBJECT IDENTIFIER ::= { aaaMIB 1 }

-- *****************************************************************************

-- Table:Users

-- *****************************************************************************

usersTable OBJECT-TYPE
 SYNTAX        SEQUENCE OF UsersEntry
 MAX-ACCESS    not-accessible
 STATUS        current
 DESCRIPTION " Users

               This table contains the users that are allowed in the system.
               "
 ::= { aaaMIBObjects 100 }
 usersEntry OBJECT-TYPE
  SYNTAX        UsersEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Users. "
  INDEX         {
                  usersUserName
                }

  ::= { usersTable 1 }

 UsersEntry ::= SEQUENCE
 {
   usersUserName             OCTET STRING,
   usersPassword             OCTET STRING,
   usersAccessRights         INTEGER,
   usersLockProtectionEnable MxEnableState,
   usersDelete               INTEGER
 }

 -- Index:User Name

 usersUserName OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..50) )
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " User Name

                Contains the user name. Cannot be empty.
                "
  DEFVAL        { "" }
  ::= { usersEntry 100 }

 -- Columnar:Password

 usersPassword OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Password

                Contains the user's password.
                "
  DEFVAL        { "" }
  ::= { usersEntry 200 }

 -- Columnar:Access Rights

 usersAccessRights OBJECT-TYPE
  SYNTAX        INTEGER { admin(100) , user(200) , observer(300) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Access Rights

                Identifies the user role defining the access rights.

                  * Admin: User has administrator access rights and is allowed
                    to read, modify and execute all configuration objects of
                    the unit.
                  * User: User has end-user access rights.
                  * Observer: User has observer access rights.

                "
  DEFVAL        { admin }
  ::= { usersEntry 250 }

 -- Columnar:Users Lock Protection Enable

 usersLockProtectionEnable OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Users Lock Protection Enable

                To configure the locking mechanism to protect a user account
                against brute force attacks.

                  * Enable: The user account will be temporarily locked after
                    repetitive login failures.
                  * Disable: The user account will never be locked, regardless
                    of the amount of failed login attempts.

                Refer to the LoginLockedMaxRetry and LoginLockedTimeoutS
                parameters for more configuration.

                "
  DEFVAL        { enable }
  ::= { usersEntry 275 }

 -- Row command:Delete

 usersDelete OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), delete(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Delete

                Deletes this row.

                Note: a system restart is required to completely remove the
                user. The current activities of this user are not terminated on
                removal.

                "
  DEFVAL        { noOp }
  ::= { usersEntry 300 }

-- End of table:Users

-- *****************************************************************************

-- Table:Users Status

-- *****************************************************************************

usersStatusTable OBJECT-TYPE
 SYNTAX           SEQUENCE OF UsersStatusEntry
 MAX-ACCESS       not-accessible
 STATUS           current
 DESCRIPTION    " Users Status

                  This table displays the list of all currently allowed users.
                  "
 ::= { aaaMIBObjects 150 }
 usersStatusEntry OBJECT-TYPE
  SYNTAX        UsersStatusEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Users Status. "
  INDEX         {
                  usersStatusUserName
                }

  ::= { usersStatusTable 1 }

 UsersStatusEntry ::= SEQUENCE
 {
   usersStatusUserName OCTET STRING,
   usersStatusPassword OCTET STRING,
   usersStatusLocked   INTEGER
 }

 -- Index:User Name

 usersStatusUserName OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " User Name

                Contains the user name.
                "
  ::= { usersStatusEntry 100 }

 -- Columnar:Password

 usersStatusPassword OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Password

                Contains the user's password.
                "
  ::= { usersStatusEntry 200 }

 -- Columnar:Users Status Locked

 usersStatusLocked OBJECT-TYPE
  SYNTAX        INTEGER { unlocked(100) , locked(200) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Users Status Locked

                Indicates when a user account has been temporarily locked due
                to excessive login failures. All login attempts will be
                rejected while the user account is locked. See the
                UsersLockProtectionEnable parameter for more details.
                "
  ::= { usersStatusEntry 300 }

-- End of table:Users Status

-- Scalar:Batch User

batchUser OBJECT-TYPE
 SYNTAX        OCTET STRING
 MAX-ACCESS    read-write
 STATUS        current
 DESCRIPTION " Batch User

               User name that is used for scheduled tasks.
               "
 DEFVAL        { "" }
 ::= { aaaMIBObjects 200 }

-- *****************************************************************************

-- Table:Services Aaa Type

-- *****************************************************************************

servicesAaaTypeTable OBJECT-TYPE
 SYNTAX                       SEQUENCE OF ServicesAaaTypeEntry
 MAX-ACCESS                   not-accessible
 STATUS                       current
 DESCRIPTION               "  Services Aaa Type

                              Aaa type used by services.
                              "
 ::= { aaaMIBObjects 300 }
 servicesAaaTypeEntry OBJECT-TYPE
  SYNTAX        ServicesAaaTypeEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Services Aaa Type. "
  INDEX         {
                  servicesAaaTypeService
                }

  ::= { servicesAaaTypeTable 1 }

 ServicesAaaTypeEntry ::= SEQUENCE
 {
   servicesAaaTypeService            OCTET STRING,
   servicesAaaTypeAuthenticationType INTEGER,
   servicesAaaTypeAccountingType     INTEGER
 }

 -- Index:Service Name

 servicesAaaTypeService OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Service Name

                Service name for which the Aaa types are configured.
                "
  DEFVAL        { "" }
  ::= { servicesAaaTypeEntry 100 }

 -- Columnar:Authentication Type

 servicesAaaTypeAuthenticationType OBJECT-TYPE
  SYNTAX        INTEGER { local(100) , radius(200) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Authentication Type

                Authentication type a service uses for incoming authentication
                requests.

                  * Local: Incoming authentication attempts are validated
                    against the user names and passwords stored in the
                    Aaa.Users table.
                  * Radius: Incoming authentication attempts are validated
                    against the first responding Radius server configured in
                    the Aaa.RadiusServers table. When no servers reply or when
                    no server is configured in the Aaa.RadiusServers table, an
                    authentication attempt of type Local is performed against
                    the user names and passwords stored in the Aaa.Users table.

                "
  DEFVAL        { local }
  ::= { servicesAaaTypeEntry 200 }

 -- Columnar:Accounting Type

 servicesAaaTypeAccountingType OBJECT-TYPE
  SYNTAX        INTEGER { none(100) , radius(200) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Accounting Type

                Accounting type a service uses once a user is successfully
                authenticated on the unit. Accounting starts once users are
                successfully authenticated and stops when their session is
                over.

                  * None: Accounting is disabled.
                  * Radius: Accounting is done by the first responding Radius
                    server configured in the Aaa.RadiusServers table.

                "
  DEFVAL        { none }
  ::= { servicesAaaTypeEntry 300 }

-- End of table:Services Aaa Type

-- ****************************************************************************

-- Group:Radius Configuration

-- ****************************************************************************

radiusGroup OBJECT IDENTIFIER
 ::= { aaaMIBObjects 10000 }
 -- Scalar:Radius Servers Requests Timeout

 radiusServersTimeoutS OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Radius Servers Requests Timeout

                Maximum time, in seconds, the unit waits for a reply from a
                Radius server. When the timeout is reached, the request is
                sent to the next configured server in the Aaa.RadiusServers
                table.
                "
  DEFVAL        { 5 }
  ::= { radiusGroup 100 }

 -- Scalar:Radius User Access Rights

 radiusUserAccessRights OBJECT-TYPE
  SYNTAX        INTEGER { admin(100) , user(200) , observer(300) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Radius User Access Rights

                Identifies the user role defining the access rights for all
                Radius users.

                  * Admin: User has administrator access rights and is allowed
                    to read, modify and execute all configuration objects of
                    the unit.
                  * User: User has end-user access rights.
                  * Observer: User has observer access rights.

                "
  DEFVAL        { admin }
  ::= { radiusGroup 200 }

 -- ***************************************************************************
 
 -- Table:Radius Servers

 -- ***************************************************************************
 
 radiusServersTable OBJECT-TYPE
  SYNTAX                  SEQUENCE OF RadiusServersEntry
  MAX-ACCESS              not-accessible
  STATUS                  current
  DESCRIPTION           " Radius Servers

                          Radius servers used by services.
                          "
  ::= { radiusGroup 1000 }
  radiusServersEntry OBJECT-TYPE
   SYNTAX        RadiusServersEntry
   MAX-ACCESS    not-accessible
   STATUS        current
   DESCRIPTION " A row in table Radius Servers. "
   INDEX         {
                   radiusServersService,
                   radiusServersPriority
                 }

   ::= { radiusServersTable 1 }

  RadiusServersEntry ::= SEQUENCE
  {
    radiusServersService              OCTET STRING,
    radiusServersPriority             Unsigned32,
    radiusServersAuthenticationHost   MxIpHostNamePort,
    radiusServersAuthenticationSecret OCTET STRING,
    radiusServersAccountingHost       MxIpHostNamePort,
    radiusServersAccountingSecret     OCTET STRING
  }

  -- Index:Service Name

  radiusServersService OBJECT-TYPE
   SYNTAX        OCTET STRING
   MAX-ACCESS    read-only
   STATUS        current
   DESCRIPTION " Service Name

                 Name of the service for which Radius servers are configured.
                 "
   ::= { radiusServersEntry 100 }

  -- Index:Radius Server Priority

  radiusServersPriority OBJECT-TYPE
   SYNTAX        Unsigned32
   MAX-ACCESS    read-only
   STATUS        current
   DESCRIPTION " Radius Server Priority

                 Radius server priority determining their usage order for Aaa
                 requests.
                 "
   ::= { radiusServersEntry 200 }

  -- Columnar:Radius Host for Authentication

  radiusServersAuthenticationHost OBJECT-TYPE
   SYNTAX        MxIpHostNamePort
   MAX-ACCESS    read-write
   STATUS        current
   DESCRIPTION " Radius Host for Authentication

                 Hostname and port of a Radius server used for authentication
                 requests.
                 "
   DEFVAL        { "" }
   ::= { radiusServersEntry 300 }

  -- Columnar:Radius Authentication Server Secret Key

  radiusServersAuthenticationSecret OBJECT-TYPE
   SYNTAX        OCTET STRING ( SIZE(0..512) )
   MAX-ACCESS    read-write
   STATUS        current
   DESCRIPTION " Radius Authentication Server Secret Key

                 Secret key shared between the Radius server and the unit. The
                 AuthenticationSecret key must be the same as the secret key
                 stored on the Radius authentication server set in the
                 RadiusServers.AuthenticationHost column.
                 "
   DEFVAL        { "" }
   ::= { radiusServersEntry 400 }

  -- Columnar:Radius Host for Accounting

  radiusServersAccountingHost OBJECT-TYPE
   SYNTAX        MxIpHostNamePort
   MAX-ACCESS    read-write
   STATUS        current
   DESCRIPTION " Radius Host for Accounting

                 Hostname and port of a Radius server used for accounting
                 requests.
                 "
   DEFVAL        { "" }
   ::= { radiusServersEntry 500 }

  -- Columnar:Radius Accounting Server Secret Key

  radiusServersAccountingSecret OBJECT-TYPE
   SYNTAX        OCTET STRING ( SIZE(0..512) )
   MAX-ACCESS    read-write
   STATUS        current
   DESCRIPTION " Radius Accounting Server Secret Key

                 Secret key shared between the Radius server and the unit. The
                 AccountingSecret key must be the same as the secret key
                 stored on the Radius accounting server set in the
                 RadiusServers.AccountingHost column.
                 "
   DEFVAL        { "" }
   ::= { radiusServersEntry 600 }

 -- End of table:Radius Servers

-- End of group:Radius Configuration

-- ****************************************************************************

-- Group:Security Configuration

-- ****************************************************************************

securityGroup OBJECT IDENTIFIER
 ::= { aaaMIBObjects 20000 }
 -- Scalar:Login Locked Max Retry

 loginLockedMaxRetry OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Login Locked Max Retry

                Defines the maximum number of failed login attempts allowed
                before temporarily locking the user account.

                This parameter has no effect when the LockProtectionEnable
                parameter is disabled.

                "
  DEFVAL        { 5 }
  ::= { securityGroup 100 }

 -- Scalar:Login Locked Timeout

 loginLockedTimeoutS OBJECT-TYPE
  SYNTAX        Unsigned32 ( 5..3600 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Login Locked Timeout

                Defines the duration of the locked period (in seconds), after
                which the user is allowed to log in again.

                This parameter has no effect when the LockProtectionEnable
                parameter is disabled.

                "
  DEFVAL        { 300 }
  ::= { securityGroup 200 }

-- End of group:Security Configuration

-- ****************************************************************************

-- Group:Notification Messages Configuration

-- ****************************************************************************

notificationsGroup OBJECT IDENTIFIER
 ::= { aaaMIBObjects 60010 }
 -- Scalar:Minimal Severity of Notification

 minSeverity OBJECT-TYPE
  SYNTAX        INTEGER { disable(0) , debug(100) , info(200) , warning(300) ,
                error(400) , critical (500) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Minimal Severity of Notification

                Sets the minimal severity to issue a notification message
                incoming from this service.

                  * Disable: No notification is issued.
                  * Debug: All notification messages are issued.
                  * Info: Notification messages with a 'Informational' and
                    higher severity are issued.
                  * Warning: Notification messages with a 'Warning' and higher
                    severity are issued.
                  * Error: Notification messages with an 'Error' and higher
                    severity are issued.
                  * Critical: Notification messages with a 'Critical' severity
                    are issued.

                "
  DEFVAL        { warning }
  ::= { notificationsGroup 100 }

-- End of group:Notification Messages Configuration

-- ****************************************************************************

-- Group:Configuration Settings

-- ****************************************************************************

configurationGroup OBJECT IDENTIFIER
 ::= { aaaMIBObjects 60020 }
 -- Scalar:Need Restart

 needRestartInfo OBJECT-TYPE
  SYNTAX        INTEGER { no(0) , yes(100) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Need Restart

                Indicates if the service needs to be restarted for the
                configuration to fully take effect.

                  * Yes: Service needs to be restarted.
                  * No: Service does not need to be restarted.

                Services can be restarted by using the
                Scm.ServiceCommands.Restart command.

                "
  ::= { configurationGroup 100 }

-- End of group:Configuration Settings

END
