diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md
index 886277d26f7c..febb1cc39a94 100644
--- a/src/sonic-yang-models/doc/Configuration.md
+++ b/src/sonic-yang-models/doc/Configuration.md
@@ -89,6 +89,7 @@ Table of Contents
 * [SYSTEM_DEFAULTS table](#systemdefaults-table)
 * [RADIUS](#radius)
 * [Static DNS](#static-dns)
+ * [PAC](#pac)
 * [For Developers](#for-developers)
 * [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template)
 * [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb)
@@ -2770,6 +2771,44 @@ The DPUS table introduces the information on the DPUs (Data Processing Unit) ava
 }
 ```
+### PAC
+
+The PAC and HOSTAPD tables define the PAC configuration parameters.
+
+```
+"PAC_PORT_CONFIG": {
+ "Ethernet1": {
+ "method_list": [
+ "dot1x",
+ "mab"
+ ],
+ "priority_list": [
+ "dot1x",
+ "mab"
+ ],
+ "port_pae_role": "authenticator",
+ "port_control_mode": "auto",
+ "host_control_mode": "multi_auth",
+ "reauth_period": 60,
+ "reauth_enable": "true",
+ "max_users_per_port": 16,
+ }
+}
+
+"HOSTAPD_GLOBAL_CONFIG": {
+ "global": {
+ "dot1x_system_auth_control": "enable"
+ }
+}
+
+"MAB_PORT_CONFIG": {
+ "Ethernet1": {
+ "mab": "enable",
+ "mab_auth_type": "eap-md5",
+ }
+}
+```
+
 #### 5.2.3 Update value directly in db memory
 For Developers
diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py
index 95f98bd53dd8..9935e1d45a3a 100644
--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -163,6 +163,8 @@ def run(self):
 './yang-models/sonic-system-aaa.yang',
 './yang-models/sonic-system-tacacs.yang',
 './yang-models/sonic-system-radius.yang',
+ './yang-models/sonic-pac.yang',
+ './yang-models/sonic-hostapd.yang',
 './yang-models/sonic-telemetry.yang',
 './yang-models/sonic-telemetry_client.yang',
 './yang-models/sonic-gnmi.yang',
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index 050f4433bac6..9f0e315f6c16 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2612,6 +2612,35 @@
 "link": "PortChannel2"
 }
 },
+ "PAC_PORT_CONFIG": {
+ "Ethernet1": {
+ "method_list": [
+ "dot1x",
+ "mab"
+ ],
+ "priority_list": [
+ "dot1x",
+ "mab"
+ ],
+ "port_pae_role": "authenticator",
+ "port_control_mode": "auto",
+ "host_control_mode": "multi-auth",
+ "reauth_period": "60",
+ "reauth_enable": "true",
+ "max_users_per_port": "16"
+ }
+ },
+ "MAB_PORT_CONFIG": {
+ "Ethernet0": {
+ "mab": "enable",
+ "mab_auth_type": "eap-md5"
+ }
+ },
+ "HOSTAPD_GLOBAL_CONFIG": {
+ "GLOBAL": {
+ "dot1x_system_auth_control": "enable"
+ }
+ },
 "MID_PLANE_BRIDGE": {
 "GLOBAL" : {
 "bridge": "bridge_midplane",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json b/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json
new file mode 100644
index 000000000000..72208089fbbf
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/hostapd.json
@@ -0,0 +1,5 @@
+{
+ "HOSTAPD_TEST": {
+ "desc": "HOSTAPD configuration in global configuration table."
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
new file mode 100644
index 000000000000..b980aaba3fdd
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/pac.json
@@ -0,0 +1,16 @@
+{
+ "PAC_PORT_CONFIG_TEST" : {
+ "desc": "PAC configuration for port."
+ },
+ "PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
+ "desc": "PAC configuration with invalid re-auth timer in PAC_PORT_CONFIG table.",
+ "eStr": "reauth period value must be in range of 1-65535."
+ },
+ "PAC_PORT_INVALID_MAX_USERS_TEST" : {
+ "desc": "PAC configuration with invalid max users in PAC_PORT_CONFIG table.",
+ "eStr": "max users per port value must be in range of 1-48."
+ },
+ "MAB_PORT_CONFIG_TEST" : {
+ "desc": "MAB configuration for port."
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
new file mode 100644
index 000000000000..7b76087b23ee
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/hostapd.json
@@ -0,0 +1,14 @@
+{
+ "HOSTAPD_TEST": {
+ "sonic-hostapd:sonic-hostapd": {
+ "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG": {
+ "sonic-hostapd:HOSTAPD_GLOBAL_CONFIG_LIST": [
+ {
+ "global": "GLOBAL",
+ "dot1x_system_auth_control": "enable"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json
new file mode 100644
index 000000000000..5cd9314c647e
--- /dev/null
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/pac.json
@@ -0,0 +1,127 @@
+{
+ "PAC_PORT_CONFIG_TEST": {
+ "sonic-port:sonic-port": {
+ "sonic-port:PORT": {
+ "PORT_LIST": [
+ {
+ "admin_status": "up",
+ "alias": "eth0",
+ "description": "Ethernet0",
+ "lanes": "65",
+ "mtu": 9000,
+ "name": "Ethernet0",
+ "speed": 25000
+ }
+ ]
+ }
+ },
+ "sonic-pac:sonic-pac": {
+ "sonic-pac:PAC_PORT_CONFIG": {
+ "PAC_PORT_CONFIG_LIST": [
+ {
+ "port": "Ethernet0",
+ "port_control_mode": "auto",
+ "host_control_mode": "single-host",
+ "reauth_enable": "true",
+ "reauth_period": 30,
+ "max_users_per_port": 25,
+ "method_list": ["dot1x", "mab"],
+ "priority_list": ["dot1x", "mab"],
+ "port_pae_role": "authenticator"
+ }
+ ]
+ }
+ }
+ },
+ "PAC_PORT_INVALID_REAUTH_TIMER_TEST": {
+ "sonic-port:sonic-port": {
+ "sonic-port:PORT": {
+ "PORT_LIST": [
+ {
+ "admin_status": "up",
+ "alias": "eth0",
+ "description": "Ethernet0",
+ "lanes": "65",
+ "mtu": 9000,
+ "name": "Ethernet0",
+ "speed": 25000
+ }
+ ]
+ }
+ },
+ "sonic-pac:sonic-pac": {
+ "sonic-pac:PAC_PORT_CONFIG": {
+ "PAC_PORT_CONFIG_LIST": [
+ {
+ "port": "Ethernet0",
+ "port_control_mode": "auto",
+ "host_control_mode": "single-host",
+ "reauth_enable": "true",
+ "reauth_period": 65573,
+ "max_users_per_port": 25,
+ "port_pae_role": "none"
+ }
+ ]
+ }
+ }
+ },
+ "PAC_PORT_INVALID_MAX_USERS_TEST": {
+ "sonic-port:sonic-port": {
+ "sonic-port:PORT": {
+ "PORT_LIST": [
+ {
+ "admin_status": "up",
+ "alias": "eth0",
+ "description": "Ethernet0",
+ "lanes": "65",
+ "mtu": 9000,
+ "name": "Ethernet0",
+ "speed": 25000
+ }
+ ]
+ }
+ },
+ "sonic-pac:sonic-pac": {
+ "sonic-pac:PAC_PORT_CONFIG": {
+ "PAC_PORT_CONFIG_LIST": [
+ {
+ "port": "Ethernet0",
+ "port_control_mode": "auto",
+ "host_control_mode": "single-host",
+ "reauth_enable": "true",
+ "max_users_per_port": 55,
+ "port_pae_role": "none"
+ }
+ ]
+ }
+ }
+ },
+ "MAB_PORT_CONFIG_TEST": {
+ "sonic-port:sonic-port": {
+ "sonic-port:PORT": {
+ "PORT_LIST": [
+ {
+ "admin_status": "up",
+ "alias": "eth0",
+ "description": "Ethernet0",
+ "lanes": "65",
+ "mtu": 9000,
+ "name": "Ethernet0",
+ "speed": 25000
+ }
+ ]
+ }
+ },
+ "sonic-pac:sonic-pac": {
+ "sonic-pac:MAB_PORT_CONFIG": {
+ "MAB_PORT_CONFIG_LIST": [
+ {
+ "port": "Ethernet0",
+ "mab": "enable",
+ "mab_auth_type": "eap-md5"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-hostapd.yang b/src/sonic-yang-models/yang-models/sonic-hostapd.yang
new file mode 100644
index 000000000000..69d386cb45e9
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-hostapd.yang
@@ -0,0 +1,42 @@
+module sonic-hostapd {
+ namespace "http://github.com/sonic-net/sonic-hostapd";
+ prefix shostapd;
+ yang-version 1.1;
+
+ description
+ "SONiC HOSTAPD";
+
+ revision 2023-08-02 {
+ description "Initial revision.";
+ }
+
+ container sonic-hostapd {
+ description "HOSTAPD top level container.";
+
+ container HOSTAPD_GLOBAL_CONFIG {
+ description
+ "Container for hostapd global config.";
+
+ list HOSTAPD_GLOBAL_CONFIG_LIST {
+ key "global";
+
+ leaf global {
+ type enumeration {
+ enum GLOBAL;
+ }
+ description
+ "Configure dot1x/hostapd global configuration.";
+ }
+
+ leaf dot1x_system_auth_control {
+ type enumeration {
+ enum enable;
+ enum disable;
+ }
+ description
+ "Indicates whether dot1x/hostapd is enabled/disabled on the switch.";
+ }
+ }
+ }
+ }
+}
diff --git a/src/sonic-yang-models/yang-models/sonic-pac.yang b/src/sonic-yang-models/yang-models/sonic-pac.yang
new file mode 100644
index 000000000000..ab147467a8ab
--- /dev/null
+++ b/src/sonic-yang-models/yang-models/sonic-pac.yang
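Review bot: The two negative cases, `PAC_PORT_INVALID_REAUTH_TIMER_TEST` and `PAC_PORT_INVALID_MAX_USERS_TEST`, differ from the positive entry in more than the value under test — they drop `method_list`/`priority_list` and switch `port_pae_role` from `authenticator` to `none` — so a validation failure on one of those incidental differences would be hard to tell apart from the intended range error; copying the positive entry verbatim and changing only `"reauth_period": 65573` or `"max_users_per_port": 55` keeps each case diagnostic. The only constraint the `port` leafref adds — rejecting a name absent from `PORT_LIST` — has no case at all; a `PAC_PORT_UNKNOWN_PORT_TEST` with `"port": "Ethernet99"` (and a matching `eStr` in tests/pac.json) would cover it, and the same gap applies to `MAB_PORT_CONFIG_TEST`. `force-unauthorized` and `multi-auth` are likewise never exercised, which matters because the positive case is the only one that reaches the daemon-facing combination the model's `port_pae_role` description warns about.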
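Review bot: `dot1x_system_auth_control` carries neither `default` nor `mandatory true`, so a `HOSTAPD_GLOBAL_CONFIG|GLOBAL` entry with the leaf absent validates and whether 802.1X is globally on or off is then decided by whatever consumes the table rather than by the schema. For the global switch of port authentication I would make the absent state explicit, e.g. `default disable;` (which appears to be the default 802.1X itself gives SystemAuthControl — worth confirming against the daemon's behaviour), and say in the description what the leaf being unset means. The inline `enable`/`disable` enumeration is repeated in sonic-pac.yang's `mab` leaf; a shared typedef would keep the two tables from drifting. Separately, the Configuration.md example added by this change keys the table with lowercase `"global"`, which `enum GLOBAL` here rejects, while sample_config_db.json correctly uses `"GLOBAL"`.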
@@ -0,0 +1,237 @@
+module sonic-pac {
+ namespace "http://github.com/sonic-net/sonic-pac";
+ prefix spac;
+ yang-version 1.1;
+
+ import sonic-port {
+ prefix prt;
+ }
+
+ description
+ "SONiC PAC";
+
+ revision 2023-03-28 {
+ description "Initial revision.";
+ }
+
+ typedef port_mode_enumeration {
+ type enumeration {
+ enum auto {
+ description
+ "Enable auto port control mode on a port.";
+ }
+
+ enum force-authorized {
+ description
+ "Enable force authorized port control mode on a port.";
+ }
+
+ enum force-unauthorized {
+ description
+ "Enable force unauthorized port control mode on a port.";
+ }
+ }
+ }
+
+ typedef host_mode_enumeration {
+ type enumeration {
+ enum single-host {
+ description
+ "One data client or one voice client can be authenticated on the port.";
+ }
+
+ enum multi-auth {
+ description
+ "Multiple data client and one voice client can be authenticated on the port.";
+ }
+
+ enum multi-host {
+ description
+ "One data client can be authenticated on the port. Rest of the
+ clients tailgate once the first client is authenticated.";
+ }
+ }
+ }
+
+ typedef auth_order_enumeration {
+ type enumeration {
+ enum dot1x {
+ description
+ "Configure authmgr authentication order as dot1x";
+ }
+
+ enum mab {
+ description
+ "Configure authmgr authentication order as mab";
+ }
+ }
+ }
+
+ typedef auth_priority_enumeration {
+ type enumeration {
+ enum dot1x {
+ description
+ "Configure authmgr authentication priority as dot1x";
+ }
+
+ enum mab {
+ description
+ "Configure authmgr authentication priority as mab";
+ }
+ }
+ }
+
+ typedef port_role_enumeration {
+ type enumeration {
+ enum authenticator {
+ description
+ "Allows config of dot1x port's pae role as authenticator.";
+ }
+
+ enum none {
+ description
+ "Allows config of dot1x port's pae role as none.";
+ }
+ }
+ }
+
+ typedef auth_type_enumeration {
+ type enumeration {
+ enum eap-md5 {
+ description
+ "Configure EAP-MD5 auth type for MAB.";
+ }
+
+ enum pap {
+ description
+ "Configure PAP auth type for MAB.";
+ }
+
+ enum chap {
+ description
+ "Configure CHAP auth type for MAB.";
+ }
+ }
+ }
+
+ container sonic-pac {
+
+ description
+ "pac top level container.";
+
+ container PAC_PORT_CONFIG {
+
+ description
+ "Container for port config table.";
+
+ list PAC_PORT_CONFIG_LIST {
+ key "port";
+
+ leaf port {
+ type leafref {
+ path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name";
+ }
+ description
+ "Name of the interface on which PAC configuration gets applied.";
+ }
+
+ leaf port_control_mode {
+ type port_mode_enumeration;
+ description
+ "Determines whether or not to enforce authentication on an interface.";
+ }
+
+ leaf host_control_mode {
+ type host_mode_enumeration;
+ description
+ "Allow for single or multiple hosts to communicate through
+ a PAC controlled port.";
+ }
+
+ leaf reauth_enable {
+ type boolean;
+ description
+ "Indicates whether Reauthentication is enabled on
+ the port.";
+ }
+
+ leaf reauth_period {
+ type uint32 {
+ range 1..65535 {
+ error-message "reauth period value must be in range of 1-65535.";
+ error-app-tag reauth-period-invalid;
+ }
+ }
+ units seconds;
+ description
+ "The value of the timer that defines the period
+ after which the Authenticator will reauthenticate the Supplicant.";
+ }
+
+ leaf max_users_per_port {
+ type uint8 {
+ range 1..48 {
+ error-message "max users per port value must be in range of 1-48.";
+ error-app-tag max-users-per-port-invalid;
+ }
+ }
+ description
+ "Maximum number of clients that can be authenticated
+ on the port. This is applicable only for multi-auth host mode.";
+ }
+
+ leaf-list method_list {
+ type auth_order_enumeration;
+ description
+ "Enables configuration of authmgr authentication methods order.";
+ }
+
+ leaf-list priority_list {
+ type auth_priority_enumeration;
+ description
+ "Enables configuration of authmgr authentication methods priority.";
+ }
+
+ leaf port_pae_role {
+ type port_role_enumeration;
+ description
+ "Enables configuration of dot1x port's pae role.
+ Note: Enabling PAC on the port will revert all switchport configurations on the
+ port,
+ if port control mode is auto/force-unauthorized and port pae role is
+ authenticator.";
+ }
+ }
+ }
+
+ container MAB_PORT_CONFIG {
+
+ list MAB_PORT_CONFIG_LIST {
+ key "port";
+
+ leaf port {
+ type leafref {
+ path "/prt:sonic-port/prt:PORT/prt:PORT_LIST/prt:name";
+ }
+ description
+ "Name of the interface on which mab gets applied.";
+ }
+
+ leaf mab {
+ type enumeration {
+ enum enable;
+ enum disable;
+ }
+ description
+ "Enable mab on the interface.";
+ }
+
+ leaf mab_auth_type {
+ type auth_type_enumeration;
+ description
+ "MAB authentication type.";
+ }
+ }
+ }
+ }
+}
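Review bot: `PAC_PORT_CONFIG_LIST` declares no `default` and no `mandatory true` on `port_control_mode`, `host_control_mode` or `port_pae_role`, so an entry holding only the `port` key validates and the enforcement posture of that port is left to whatever the PAC daemon assumes rather than being fixed by the model; for an access-control table the value that applies when the leaf is absent should be pinned, e.g. `mandatory true;` on `port_control_mode`, or an explicit `default` whose meaning is stated in the description. The `max_users_per_port` description says it applies only to multi-auth, but nothing ties it to `host_control_mode` (the positive case in tests_config/pac.json sets it together with `single-host`, so a `must` constraint would require that test to change); at minimum the description should say the value is ignored in the other modes, if that is what the daemon does. `MAB_PORT_CONFIG` is the only container without a `description`, and `mab` uses an inline `enable`/`disable` enumeration while `reauth_enable` in the same module is a `boolean` — one convention, ideally a shared typedef, would be clearer. Separately, the Configuration.md example in this change writes `host_control_mode` as `multi_auth`, which `host_mode_enumeration` here (`multi-auth`) rejects.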