From dffcb08d69d45ead6291fb99a29a963ba9e35be1 Mon Sep 17 00:00:00 2001
From: Shirisha Dasari
Date: Fri, 4 Aug 2023 00:25:40 -0700
Subject: [PATCH 1/5] PAC and HOSTAPD YANG files.

---
 src/sonic-yang-models/doc/Configuration.md | 39 +++
 src/sonic-yang-models/setup.py | 2 +
 .../tests/files/sample_config_db.json | 29 +++
 .../tests/yang_model_tests/tests/hostapd.json | 5 +
 .../tests/yang_model_tests/tests/pac.json | 16 ++
 .../tests_config/hostapd.json | 12 +
 .../yang_model_tests/tests_config/pac.json | 127 ++++++++++
 .../yang-models/sonic-hostapd.yang | 39 +++
 .../yang-models/sonic-pac.yang | 234 ++++++++++++++++++
 9 files changed, 503 insertions(+)
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
 create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json
 create mode 100644 src/sonic-yang-models/yang-models/sonic-hostapd.yang
 create mode 100644 src/sonic-yang-models/yang-models/sonic-pac.yang

diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
index 88778c477f..16c0a4b958 100644
--- a/src/sonic-yang-models/doc/Configuration.md
+++ b/src/sonic-yang-models/doc/Configuration.md
@@ -84,6 +84,7 @@ Table of Contents
 * [SYSTEM_DEFAULTS table](#systemdefaults-table)
 * [RADIUS](#radius)
 * [Static DNS](#static-dns)
+ * [PAC](#pac)
 * [For Developers](#for-developers)
 * [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
 * [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
@@ -2523,6 +2524,44 @@ The FIPS table introduces FIPS configuration. } ``` +### PAC + +The PAC and HOSTAPD tables define the PAC configuration parameters. + +``` +"PAC_PORT_CONFIG": { + "Ethernet1": { + "method_list": [ + "dot1x", + "mab" + ], + "priority_list": [ + "dot1x", + "mab" + ], + "port_pae_role": "authenticator", + "port_control_mode": "auto", + "host_control_mode": "multi_auth", + "reauth_period": 60, + "reauth_enable": "true", + "max_users_per_port": 16, + } +} + +"HOSTAPD_GLOBAL_CONFIG": { + "global": { + "dot1x_system_auth_control": "enable" + } +} + +"MAB_PORT_CONFIG": { + "Ethernet1": { + "mab": "enable", + "mab_auth_type": "eap-md5", + } +} +``` + #### 5.2.3 Update value directly in db memory For Developers diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py index e20c10da05..438d1ea6f7 100644 --- a/src/sonic-yang-models/setup.py +++ b/src/sonic-yang-models/setup.py @@ -156,6 +156,8 @@ setup( './yang-models/sonic-system-aaa.yang', './yang-models/sonic-system-tacacs.yang', './yang-models/sonic-system-radius.yang', + './yang-models/sonic-pac.yang', + './yang-models/sonic-hostapd.yang', './yang-models/sonic-telemetry.yang', './yang-models/sonic-telemetry_client.yang', './yang-models/sonic-gnmi.yang', diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index a709f44901..3798124114 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json 
@@ -2494,5 +2494,34 @@
 "global": {
 }
 }
+ },
+ "PAC_PORT_CONFIG": {
+ "Ethernet1": {
+ "method_list": [
+ "dot1x",
+ "mab"
+ ],
+ "priority_list": [
+ "dot1x",
+ "mab"
+ ],
+ "port_pae_role": "authenticator",
+ "port_control_mode": "auto",
+ "host_control_mode": "multi_auth",
+ "reauth_period": 60,
+ "reauth_enable": "true",
+ "max_users_per_port": 16
+ }
+ },
+ "HOSTAPD_GLOBAL_CONFIG": {
+ "global": {
+ "dot1x_system_auth_control": "enable"
+ }
+ },
+ "MAB_PORT_CONFIG": {
+ "Ethernet1": {
+ "mab": "enable",
+ "mab_auth_type": "eap-md5"
+ }
 }
 }
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json b/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json
new file mode 100644
index 0000000000..72208089fb
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json
@@ -0,0 +1,5 @@
+{
+ "HOSTAPD_TEST": {
+ "desc": "HOSTAPD configuration in global configuration table."
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
new file mode 100644
index 0000000000..3bd195b5ef
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
@@ -0,0 +1,16 @@
+{
+ "PAC_PORT_CONFIG_TEST" : {
+ "desc": "PAC configuration for port."
+ },
+ "PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
+ "desc": "PAC configuration with invalid re-auth timer in PAC_PORT_CONFIG table.",
+ "eStr": "PAC re-auth timer must be 1..65535."
+ },
+ "PAC_PORT_INVALID_MAX_USERS_TEST" : {
+ "desc": "PAC configuration with invalid max users in PAC_PORT_CONFIG table.",
+ "eStr": "PAC max users per port must be 1..48."
+ },
+ "MAB_PORT_CONFIG_TEST" : {
+ "desc": "MAB configuration for port."
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
new file mode 100644
index 0000000000..6d7e05f4df
--- /dev/null
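Review bot: The sample entries do not match the models this same series adds: `"host_control_mode": "multi_auth"` uses an underscore while `host_mode_enumeration` in sonic-pac.yang defines `multi-auth`, and `"mab": "enable"` and `"dot1x_system_auth_control": "enable"` are written to `boolean` leaves, whose config_db form is `"true"`/`"false"` (the tests_config fixtures in this series use `"true"`). The `HOSTAPD_GLOBAL_CONFIG` key is `global`, whereas the model's `global` key leaf is an enumeration whose only value is `GLOBAL`, so a case-sensitive match would reject it as well. If sample_config_db.json is validated against the YANG models by the test suite, these four values will fail; I'd change them to `"host_control_mode": "multi-auth"`, `"mab": "true"`, `"dot1x_system_auth_control": "true"` and the key `"GLOBAL"`. The Configuration.md example added in this series carries the same values and should be corrected alongside.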
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
@@ -0,0 +1,12 @@
+{
+ "HOSTAPD_TEST": {
+ "sonic-hostapd:sonic-hostapd": {
+ "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG": {
+ "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG_LIST": {
+ "global": "GLOBAL",
+ "dot1x_system_auth_control": "true"
+ }
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json
new file mode 100644
index 0000000000..0b7b852365
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json
@@ -0,0 +1,127 @@ +{ + "PAC_PORT_CONFIG_TEST": { + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth0", + "description": "Ethernet0", + "lanes": "65", + "mtu": 9000, + "name": "Ethernet0", + "speed": 25000 + } + ] + } + }, + "sonic-pac:sonic-pac": { + "sonic-pac:PAC_PORT_CONFIG": { + "PAC_PORT_CONFIG_TABLE_LIST": [ + { + "port": "Ethernet0", + "port_control_mode": "auto", + "host_control_mode": "single-host", + "reauth_enable": "true", + "reauth_period": 30, + "max_users_per_port": 25, + "method_list": ["dot1x", "mab"], + "priority_list": ["dot1x", "mab"], + "port_pae_role": "authenticator" + } + ] + } + } + }, + "PAC_PORT_INVALID_REAUTH_TIMER_TEST": { + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth0", + "description": "Ethernet0", + "lanes": "65", + "mtu": 9000, + "name": "Ethernet0", + "speed": 25000 + } + ] + } + }, + "sonic-pac:sonic-pac": { + "sonic-pac:PAC_PORT_CONFIG": { + "PAC_PORT_CONFIG_TABLE_LIST": [ + { + "port": "Ethernet0", + "port_control_mode": "auto", + "host_control_mode": "single-host", + "reauth_enable": "true", + "reauth_period": 65573, + "max_users_per_port": 25, + "port_pae_role": "none" + } + ] + } + } + }, + "PAC_PORT_INVALID_MAX_USERS_TEST": { + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth0", + "description": "Ethernet0", + "lanes": "65", + "mtu": 9000, + "name": "Ethernet0", + "speed": 25000 + } + ] + } + }, + "sonic-pac:sonic-pac": { + "sonic-pac:PAC_PORT_CONFIG": { + "PAC_PORT_CONFIG_TABLE_LIST": [ + { + "port": "Ethernet0", + "port_control_mode": "auto", + "host_control_mode": "single-host", + "reauth_enable": "true", + "max_users_per_port": 55, + "port_pae_role": "none" + } + ] + } + } + }, + "MAB_PORT_CONFIG_TEST": { + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth0", + 
"description": "Ethernet0", + "lanes": "65", + "mtu": 9000, + "name": "Ethernet0", + "speed": 25000 + } + ] + } + }, + "sonic-pac:sonic-pac": { + "sonic-pac:MAB_PORT_CONFIG": { + "MAB_PORT_CONFIG_TABLE_LIST": [ + { + "port": "Ethernet0", + "mab": "true", + "mab_auth_type": "eap-md5" + } + ] + } + } + } +} diff --git a/src/sonic-yang-models/yang-models/sonic-hostapd.yang b/src/sonic-yang-models/yang-models/sonic-hostapd.yang new file mode 100644 index 0000000000..43e9bcadeb --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-hostapd.yang @@ -0,0 +1,39 @@ +module sonic-hostapd { + namespace "http://github.com/sonic-net/sonic-hostapd"; + prefix shostapd; + yang-version 1.1; + + description + "SONiC HOSTAPD"; + + revision 2023-08-02 { + description "Initial revision."; + } + + container sonic-hostapd { + description "HOSTAPD top level container."; + + container HOSTAPD_GLOBAL_CONFIG { + description + "Container for hostapd global config."; + + list HOSTAPD_GLOBAL_CONFIG_LIST { + key "global"; + + leaf global { + type enumeration { + enum GLOBAL; + } + description + "Configure dot1x/hostapd global configuration."; + } + + leaf dot1x_system_auth_control { + type boolean; + description + "Indicates whether dot1x/hostapd is enabled/disabled on the switch."; + } + } + } + } +} diff --git a/src/sonic-yang-models/yang-models/sonic-pac.yang b/src/sonic-yang-models/yang-models/sonic-pac.yang new file mode 100644 index 0000000000..2c2e26107c --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-pac.yang 
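Review bot: The negative cases only exercise the two `range` statements; nothing checks the `leafref` on `port`, so an entry naming an interface that is not in `PORT_LIST` is never shown to be rejected, and no case covers an invalid enumeration value (for example the underscore spelling `multi_auth` that the sample config uses). I'd add a case such as `PAC_PORT_INVALID_PORT_TEST` (constructed name) whose `PAC_PORT_CONFIG_TABLE_LIST` references a port absent from `PORT_LIST`, with a matching `eStr` entry in tests/pac.json, plus one invalid-enum case. The two invalid fixtures also set `"port_pae_role": "none"` while the valid one uses `"authenticator"`; keeping fixtures identical apart from the field under test makes it unambiguous which constraint produced the failure.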
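Review bot: `dot1x_system_auth_control` declares no `default`, so the model does not say what the switch does when the `HOSTAPD_GLOBAL_CONFIG` entry or this leaf is absent, and this is the switch-wide on/off for 802.1X enforcement. If the daemon treats a missing entry as disabled, `default false;` under the leaf makes that explicit to validators and readers; if it does not, say so in the description — I cannot tell from the model which applies. The leaf description could also be tightened to `"true enables dot1x/hostapd port access control on the switch; false disables it."` since "enabled/disabled" does not say which boolean value maps to which.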
@@ -0,0 +1,234 @@ +module sonic-pac { + namespace "http://github.com/sonic-net/sonic-pac"; + prefix spac; + yang-version 1.1; + + import sonic-port { + prefix prt; + } + + description + "SONiC PAC"; + + revision 2023-03-28 { + description "Initial revision."; + } + + typedef port_mode_enumeration { + type enumeration { + enum auto { + description + "Enable auto port control mode on a port."; + } + + enum force-authorized { + description + "Enable force authorized port control mode on a port."; + } + + enum force-unauthorized { + description + "Enable force unauthorized port control mode on a port."; + } + } + } + + typedef host_mode_enumeration { + type enumeration { + enum single-host { + description + "One data client or one voice client can be authenticated on the port."; + } + + enum multi-auth { + description + "Multiple data client and one voice client can be authenticated on the port."; + } + + enum multi-host { + description + "One data client can be authenticated on the port. Rest of the + clients tailgate once the first client is authenticated."; + } + } + } + + typedef auth_order_enumeration { + type enumeration { + enum dot1x { + description + "Configure authmgr authentication order as dot1x"; + } + + enum mab { + description + "Configure authmgr authentication order as mab"; + } + } + } + + typedef auth_priority_enumeration { + type enumeration { + enum dot1x { + description + "Configure authmgr authentication priority as dot1x"; + } + + enum mab { + description + "Configure authmgr authentication priority as mab"; + } + } + } + + typedef port_role_enumeration { + type enumeration { + enum authenticator { + description + "Allows config of dot1x port's pae role as authenticator."; + } + + enum none { + description + "Allows config of dot1x port's pae role as none."; + } + } + } + + typedef auth_type_enumeration { + type enumeration { + enum eap-md5 { + description + "Configure EAP-MD5 auth type for MAB."; + } + + enum pap { + description + "Configure 
PAP auth type for MAB."; + } + + enum chap { + description + "Configure CHAP auth type for MAB."; + } + } + } + + container sonic-pac { + + description + "pac top level container."; + + container PAC_PORT_CONFIG { + + description + "Container for port config table."; + + list PAC_PORT_CONFIG_TABLE_LIST { + key "port"; + + leaf port { + type leafref { + path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name"; + } + description + "Name of the interface on which PAC configuration gets applied."; + } + + leaf port_control_mode { + type port_mode_enumeration; + description + "Determines whether or not to enforce authentication on an interface."; + } + + leaf host_control_mode { + type host_mode_enumeration; + description + "Allow for single or multiple hosts to communicate through + a PAC controlled port."; + } + + leaf reauth_enable { + type boolean; + description + "Indicates whether Reauthentication is enabled on + the port."; + } + + leaf reauth_period { + type uint32 { + range 1..65535 { + error-message "reauth period value must be in range of 1-65535."; + error-app-tag reauth-period-invalid; + } + } + units seconds; + description + "The value of the timer that defines the period + after which the Authenticator will reauthenticate the Supplicant."; + } + + leaf max_users_per_port { + type uint8 { + range 1..48 { + error-message "max users per port value must be in range of 1-48."; + error-app-tag max-users-per-port-invalid; + } + } + description + "Maximum number of clients that can be authenticated + on the port. 
This is applicable only for multi-auth host mode."; + } + + leaf-list method_list { + type auth_order_enumeration; + description + "Enables configuration of authmgr authentication methods order."; + } + + leaf-list priority_list { + type auth_priority_enumeration; + description + "Enables configuration of authmgr authentication methods priority."; + } + + leaf port_pae_role { + type port_role_enumeration; + description + "Enables configuration of dot1x port's pae role. + Note: Enabling PAC on the port will revert all switchport configurations on the + port, + if port control mode is auto/force-unauthorized and port pae role is + authenticator."; + } + } + } + + container MAB_PORT_CONFIG { + + list MAB_PORT_CONFIG_TABLE_LIST { + key "port"; + + leaf port { + type leafref { + path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name"; + } + description + "Name of the interface on which mab gets applied."; + } + + leaf mab { + type boolean; + description + "Enable mab on the interface."; + } + + leaf mab_auth_type { + type auth_type_enumeration; + description + "MAB authentication type." + } + } + } + } +} From 13f079ff3c706127c56ffb76201a7ca01492baae Mon Sep 17 00:00:00 2001 From: Shirisha Dasari Date: Fri, 4 Aug 2023 00:25:40 -0700 Subject: [PATCH 2/5] PAC and HOSTAPD YANG files. --- src/sonic-yang-models/yang-models/sonic-pac.yang | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sonic-yang-models/yang-models/sonic-pac.yang b/src/sonic-yang-models/yang-models/sonic-pac.yang index 2c2e26107c..c5bce6222c 100644 --- a/src/sonic-yang-models/yang-models/sonic-pac.yang +++ b/src/sonic-yang-models/yang-models/sonic-pac.yang @@ -226,7 +226,7 @@ module sonic-pac { leaf mab_auth_type { type auth_type_enumeration; description - "MAB authentication type." + "MAB authentication type."; } } } From 7f6f62f1c703170d0ddee40a2154d320a60dda41 Mon Sep 17 00:00:00 2001 
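Review bot: The `MAB_PORT_CONFIG` container has no `description`, unlike `PAC_PORT_CONFIG` and the top-level container; add `description "Container for MAB port config table.";` after its opening brace. More substantively, none of the authorization-relevant leaves declare a `default`: `port_control_mode`, `host_control_mode`, `reauth_enable`, `port_pae_role` and `mab` may all be omitted, so an entry that sets only `port` is valid to the model yet its enforcement behaviour is left entirely to the daemon. If the daemon has fixed defaults, declaring them with `default` makes them visible to validation and to readers; if it has none, the leaves should be `mandatory true`. `max_users_per_port` is documented as applying only to multi-auth host mode; consider a `when "../host_control_mode = 'multi-auth'"` on that leaf so the restriction is enforced rather than only described.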
From: Shirisha Dasari
Date: Fri, 4 Aug 2023 00:25:40 -0700
Subject: [PATCH 3/5] PAC and HOSTAPD YANG files.

---
 src/sonic-yang-models/tests/yang_model_tests/tests/pac.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
index 3bd195b5ef..b980aaba3f 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
@@ -4,11 +4,11 @@
 },
 "PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
 "desc": "PAC configuration with invalid re-auth timer in PAC_PORT_CONFIG table.",
- "eStr": "PAC re-auth timer must be 1..65535."
+ "eStr": "reauth period value must be in range of 1-65535."
 },
 "PAC_PORT_INVALID_MAX_USERS_TEST" : {
 "desc": "PAC configuration with invalid max users in PAC_PORT_CONFIG table.",
- "eStr": "PAC max users per port must be 1..48."
+ "eStr": "max users per port value must be in range of 1-48."
 },
 "MAB_PORT_CONFIG_TEST" : {
 "desc": "MAB configuration for port."
From 79ad3abb75a30c46f751dadf480d8f5420ae5aba Mon Sep 17 00:00:00 2001
From: Shirisha Dasari
Date: Fri, 4 Aug 2023 00:25:40 -0700
Subject: [PATCH 4/5] PAC and HOSTAPD YANG files.

---
 .../tests/yang_model_tests/tests_config/hostapd.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
index 6d7e05f4df..fe64aea38a 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
@@ -2,11 +2,13 @@
 "HOSTAPD_TEST": {
 "sonic-hostapd:sonic-hostapd": {
 "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG": {
- "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG_LIST": {
+ "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG_LIST": [
+ {
 "global": "GLOBAL",
 "dot1x_system_auth_control": "true"
- }
- }
+ }
+ ]
+ }
 }
 }
 }
From c905a165ac315a5b187773ec54c3a6593b461c02 Mon Sep 17 00:00:00 2001
From: Shirisha Dasari
Date: Fri, 4 Aug 2023 00:25:40 -0700
Subject: [PATCH 5/5] PAC and HOSTAPD YANG files.

---
 src/sonic-yang-models/yang-models/sonic-pac.yang | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sonic-yang-models/yang-models/sonic-pac.yang b/src/sonic-yang-models/yang-models/sonic-pac.yang
index c5bce6222c..02af8725ac 100644
--- a/src/sonic-yang-models/yang-models/sonic-pac.yang
+++ b/src/sonic-yang-models/yang-models/sonic-pac.yang
@@ -8,7 +8,7 @@ module sonic-pac {
 }
 
 description
- "SONiC PAC";
+ "SONiC PAC";
 
 revision 2023-03-28 {
 description "Initial revision.";