matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge c905a165ac into 610685d27b

Browse Source
This commit is contained in:
shdasari 2024-03-25 12:33:55 +00:00 committed by GitHub
commit e17184ce03
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 505 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/sonic-yang-models/doc/Configuration.md
View File

@ -89,6 +89,7 @@ Table of Contents
* [SYSTEM_DEFAULTS table](#systemdefaults-table)
* [RADIUS](#radius)
* [Static DNS](#static-dns)
* [PAC](#pac)
* [For Developers](#for-developers)
* [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
* [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
@ -2770,6 +2771,44 @@ The DPUS table introduces the information on the DPUs (Data Processing Unit) ava
}
```
### PAC
The PAC and HOSTAPD tables define the PAC configuration parameters.
```
"PAC_PORT_CONFIG": {
"Ethernet1": {
"method_list": [
"dot1x",
"mab"
],
"priority_list": [
"dot1x",
"mab"
],
"port_pae_role": "authenticator",
"port_control_mode": "auto",
"host_control_mode": "multi_auth",
"reauth_period": 60,
"reauth_enable": "true",
"max_users_per_port": 16,
}
}
"HOSTAPD_GLOBAL_CONFIG": {
"global": {
"dot1x_system_auth_control": "enable"
}
}
"MAB_PORT_CONFIG": {
"Ethernet1": {
"mab": "enable",
"mab_auth_type": "eap-md5",
}
}
```
#### 5.2.3 Update value directly in db memory
For Developers

2
src/sonic-yang-models/setup.py
View File

@ -163,6 +163,8 @@ setup(
'./yang-models/sonic-system-aaa.yang',
'./yang-models/sonic-system-tacacs.yang',
'./yang-models/sonic-system-radius.yang',
'./yang-models/sonic-pac.yang',
'./yang-models/sonic-hostapd.yang',
'./yang-models/sonic-telemetry.yang',
'./yang-models/sonic-telemetry_client.yang',
'./yang-models/sonic-gnmi.yang',

29
src/sonic-yang-models/tests/files/sample_config_db.json
View File

@ -2637,5 +2637,34 @@
"global": {
}
}
},
"PAC_PORT_CONFIG": {
"Ethernet1": {
"method_list": [
"dot1x",
"mab"
],
"priority_list": [
"dot1x",
"mab"
],
"port_pae_role": "authenticator",
"port_control_mode": "auto",
"host_control_mode": "multi_auth",
"reauth_period": 60,
"reauth_enable": "true",
"max_users_per_port": 16
}
},
"HOSTAPD_GLOBAL_CONFIG": {
"global": {
"dot1x_system_auth_control": "enable"
}
},
"MAB_PORT_CONFIG": {
"Ethernet1": {
"mab": "enable",
"mab_auth_type": "eap-md5"
}
}
}

5
src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json Normal file
View File

@ -0,0 +1,5 @@
{
"HOSTAPD_TEST": {
"desc": "HOSTAPD configuration in global configuration table."
}
}

16
src/sonic-yang-models/tests/yang_model_tests/tests/pac.json Normal file
View File

@ -0,0 +1,16 @@
{
"PAC_PORT_CONFIG_TEST" : {
"desc": "PAC configuration for port."
},
"PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
"desc": "PAC configuration with invalid re-auth timer in PAC_PORT_CONFIG table.",
"eStr": "reauth period value must be in range of 1-65535."
},
"PAC_PORT_INVALID_MAX_USERS_TEST" : {
"desc": "PAC configuration with invalid max users in PAC_PORT_CONFIG table.",
"eStr": "max users per port value must be in range of 1-48."
},
"MAB_PORT_CONFIG_TEST" : {
"desc": "MAB configuration for port."
}
}

14
src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json Normal file
View File

@ -0,0 +1,14 @@
{
"HOSTAPD_TEST": {
"sonic-hostapd:sonic-hostapd": {
"sonic-hostapd:HOSTAPD_GLOBAL_CONFIG": {
"sonic-hostapd:HOSTAPD_GLOBAL_CONFIG_LIST": [
{
"global": "GLOBAL",
"dot1x_system_auth_control": "true"
}
]
}
}
}
}

127
src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json Normal file
View File

@ -0,0 +1,127 @@
{
"PAC_PORT_CONFIG_TEST": {
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "65",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
}
]
}
},
"sonic-pac:sonic-pac": {
"sonic-pac:PAC_PORT_CONFIG": {
"PAC_PORT_CONFIG_TABLE_LIST": [
{
"port": "Ethernet0",
"port_control_mode": "auto",
"host_control_mode": "single-host",
"reauth_enable": "true",
"reauth_period": 30,
"max_users_per_port": 25,
"method_list": ["dot1x", "mab"],
"priority_list": ["dot1x", "mab"],
"port_pae_role": "authenticator"
}
]
}
}
},
"PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "65",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
}
]
}
},
"sonic-pac:sonic-pac": {
"sonic-pac:PAC_PORT_CONFIG": {
"PAC_PORT_CONFIG_TABLE_LIST": [
{
"port": "Ethernet0",
"port_control_mode": "auto",
"host_control_mode": "single-host",
"reauth_enable": "true",
"reauth_period": 65573,
"max_users_per_port": 25,
"port_pae_role": "none"
}
]
}
}
},
"PAC_PORT_INVALID_MAX_USERS_TEST": {
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "65",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
}
]
}
},
"sonic-pac:sonic-pac": {
"sonic-pac:PAC_PORT_CONFIG": {
"PAC_PORT_CONFIG_TABLE_LIST": [
{
"port": "Ethernet0",
"port_control_mode": "auto",
"host_control_mode": "single-host",
"reauth_enable": "true",
"max_users_per_port": 55,
"port_pae_role": "none"
}
]
}
}
},
"MAB_PORT_CONFIG_TEST": {
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "65",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
}
]
}
},
"sonic-pac:sonic-pac": {
"sonic-pac:MAB_PORT_CONFIG": {
"MAB_PORT_CONFIG_TABLE_LIST": [
{
"port": "Ethernet0",
"mab": "true",
"mab_auth_type": "eap-md5"
}
]
}
}
}
}

39
src/sonic-yang-models/yang-models/sonic-hostapd.yang Normal file
View File

@ -0,0 +1,39 @@
module sonic-hostapd {
namespace "http://github.com/sonic-net/sonic-hostapd";
prefix shostapd;
yang-version 1.1;
description
"SONiC HOSTAPD";
revision 2023-08-02 {
description "Initial revision.";
}
container sonic-hostapd {
description "HOSTAPD top level container.";
container HOSTAPD_GLOBAL_CONFIG {
description
"Container for hostapd global config.";
list HOSTAPD_GLOBAL_CONFIG_LIST {
key "global";
leaf global {
type enumeration {
enum GLOBAL;
}
description
"Configure dot1x/hostapd global configuration.";
}
leaf dot1x_system_auth_control {
type boolean;
description
"Indicates whether dot1x/hostapd is enabled/disabled on the switch.";
}
}
}
}
}

234
src/sonic-yang-models/yang-models/sonic-pac.yang Normal file
View File

@ -0,0 +1,234 @@
module sonic-pac {
namespace "http://github.com/sonic-net/sonic-pac";
prefix spac;
yang-version 1.1;
import sonic-port {
prefix prt;
}
description
"SONiC PAC";
revision 2023-03-28 {
description "Initial revision.";
}
typedef port_mode_enumeration {
type enumeration {
enum auto {
description
"Enable auto port control mode on a port.";
}
enum force-authorized {
description
"Enable force authorized port control mode on a port.";
}
enum force-unauthorized {
description
"Enable force unauthorized port control mode on a port.";
}
}
}
typedef host_mode_enumeration {
type enumeration {
enum single-host {
description
"One data client or one voice client can be authenticated on the port.";
}
enum multi-auth {
description
"Multiple data client and one voice client can be authenticated on the port.";
}
enum multi-host {
description
"One data client can be authenticated on the port. Rest of the
clients tailgate once the first client is authenticated.";
}
}
}
typedef auth_order_enumeration {
type enumeration {
enum dot1x {
description
"Configure authmgr authentication order as dot1x";
}
enum mab {
description
"Configure authmgr authentication order as mab";
}
}
}
typedef auth_priority_enumeration {
type enumeration {
enum dot1x {
description
"Configure authmgr authentication priority as dot1x";
}
enum mab {
description
"Configure authmgr authentication priority as mab";
}
}
}
typedef port_role_enumeration {
type enumeration {
enum authenticator {
description
"Allows config of dot1x port's pae role as authenticator.";
}
enum none {
description
"Allows config of dot1x port's pae role as none.";
}
}
}
typedef auth_type_enumeration {
type enumeration {
enum eap-md5 {
description
"Configure EAP-MD5 auth type for MAB.";
}
enum pap {
description
"Configure PAP auth type for MAB.";
}
enum chap {
description
"Configure CHAP auth type for MAB.";
}
}
}
container sonic-pac {
description
"pac top level container.";
container PAC_PORT_CONFIG {
description
"Container for port config table.";
list PAC_PORT_CONFIG_TABLE_LIST {
key "port";
leaf port {
type leafref {
path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name";
}
description
"Name of the interface on which PAC configuration gets applied.";
}
leaf port_control_mode {
type port_mode_enumeration;
description
"Determines whether or not to enforce authentication on an interface.";
}
leaf host_control_mode {
type host_mode_enumeration;
description
"Allow for single or multiple hosts to communicate through
a PAC controlled port.";
}
leaf reauth_enable {
type boolean;
description
"Indicates whether Reauthentication is enabled on
the port.";
}
leaf reauth_period {
type uint32 {
range 1..65535 {
error-message "reauth period value must be in range of 1-65535.";
error-app-tag reauth-period-invalid;
}
}
units seconds;
description
"The value of the timer that defines the period
after which the Authenticator will reauthenticate the Supplicant.";
}
leaf max_users_per_port {
type uint8 {
range 1..48 {
error-message "max users per port value must be in range of 1-48.";
error-app-tag max-users-per-port-invalid;
}
}
description
"Maximum number of clients that can be authenticated
on the port. This is applicable only for multi-auth host mode.";
}
leaf-list method_list {
type auth_order_enumeration;
description
"Enables configuration of authmgr authentication methods order.";
}
leaf-list priority_list {
type auth_priority_enumeration;
description
"Enables configuration of authmgr authentication methods priority.";
}
leaf port_pae_role {
type port_role_enumeration;
description
"Enables configuration of dot1x port's pae role.
Note: Enabling PAC on the port will revert all switchport configurations on the
port,
if port control mode is auto/force-unauthorized and port pae role is
authenticator.";
}
}
}
container MAB_PORT_CONFIG {
list MAB_PORT_CONFIG_TABLE_LIST {
key "port";
leaf port {
type leafref {
path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name";
}
description
"Name of the interface on which mab gets applied.";
}
leaf mab {
type boolean;
description
"Enable mab on the interface.";
}
leaf mab_auth_type {
type auth_type_enumeration;
description
"MAB authentication type.";
}
}
}
}
}