Server : Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
System : Windows NT USER-PC 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64
User : User ( 0)
PHP Version : 7.4.6
Disable Function : NONE
Directory :  C:/Program Files (x86)/Cisco/Cisco EAP-FAST Module/
Upload File :
Current Directory [ Writeable ] Root Directory [ Writeable ]


Current File : C:/Program Files (x86)/Cisco/Cisco EAP-FAST Module/CiscoEapFast.xsd
<?xml version="1.0"?>

<!--
*******************************************************************************
                           Cisco EAP-FAST Schema             (1.0.40)          
Copyright 2006-2007, Cisco Systems, Inc.                   All rights reserved.
*******************************************************************************
-->

<xs:schema
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="http://www.cisco.com/CCX"
  targetNamespace="http://www.cisco.com/CCX"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified">

  <xs:element name="eapFast" type="EapFast"/>

  <xs:complexType name="EapFast">
    <xs:complexContent>
      <xs:extension base="TunnelMethods">
        <xs:sequence>
          <xs:choice>
            <xs:element name="usePac">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="allowUnauthPacProvisioning" type="xs:boolean" default="true">
                    <xs:annotation>
                      <xs:documentation>Will accept a PAC from an unauthenticated server.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="autoGrouping" type="xs:boolean" default="true">
                    <xs:annotation>
                      <xs:documentation>   
An aid-group is a set of A-IDs that are all trusted equally.  Any A-ID in the group can be utilized.  Auto-grouping means that when  an untrusted A-ID is accepted by the end-user then that A-ID is grouped with the A-ID(s) that were already trusted for that profile, hence automatically creating and growing an A-ID group based on user actions.  The advantage of an A-ID group is that if a profile initially starts with the same trusted A-ID(1) and then  at some point the end-user authorizes the use of a new A-ID(2) when using this profile it will  accept A-ID(2) without bothering the end-user a second time.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="userValidatesServerIdFromUnauthProv" type="xs:boolean" default="true">
                    <xs:annotation>
                      <xs:documentation>  
If true,  then when the client is about to do unauthenticated provisioning, the user will be prompted to allow or disallow the unauthenticated provisioning.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:element name="unauthProvAllowedTilPacReceived" type="xs:boolean" default="false">
                    <xs:annotation>
                      <xs:documentation>if true, then unauthenticated provisioning is allowed to occur until it succeeds and a PAC is received, then only authenticated provisioning will be allowed.</xs:documentation>
                    </xs:annotation>
                  </xs:element>
                  <xs:choice>
                    <xs:element name="validateWithSpecificPacs" type="ValidateWithSpecificPacs">
                      <xs:annotation>
                        <xs:documentation>This indicates that only those PACs referenced in this element (as well as PACs that are auto-provisioned to this profile when this profile is in use) shall be used for validation.  </xs:documentation>
                      </xs:annotation>
                    </xs:element>
                  </xs:choice>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
            <xs:element name="doNotUsePac" type="Empty">
              <xs:annotation>
                <xs:documentation>Will not utilize PAC for authentication.</xs:documentation>
              </xs:annotation>
            </xs:element>
          </xs:choice>
          <xs:element name="enablePosture" type="xs:boolean" default="false">
            <xs:annotation>
              <xs:documentation>Allow posture information to be processed.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element name="authMethods">
            <xs:complexType>
              <xs:choice>
                <xs:element name="builtinMethods">
                  <xs:complexType>
                    <xs:choice>
                      <xs:element name="authenticateWithPassword">
                        <xs:complexType>
                          <xs:sequence>
                            <xs:element name="protectedIdentityPattern" type="IdentityPattern" minOccurs="0">
                              <xs:annotation>
                                <xs:documentation>Format rules same as for unprotectedIdentityPattern.  Typical pattern: [username]@[domain] or if password source is this profile then the pattern would be the actual string to send as the username. </xs:documentation>
                              </xs:annotation>
                            </xs:element>
                            <xs:element name="passwordSource" type="PasswordSource"/>
                            <xs:element name="methods">
                              <xs:annotation>
                                <xs:documentation>At least 1 child element is required.</xs:documentation>
                              </xs:annotation>
                              <xs:complexType>
                                <xs:all>
                                  <xs:element name="eapMschapv2" type="Empty" minOccurs="0"/>
                                  <xs:element name="eapGtc" type="Empty" minOccurs="0"/>
                                </xs:all>
                              </xs:complexType>
                            </xs:element>
                          </xs:sequence>
                        </xs:complexType>
                      </xs:element>
                      <xs:element name="authenticateWithToken">
                        <xs:complexType>
                          <xs:sequence>
                            <xs:element name="protectedIdentityPattern" type="IdentityPattern" minOccurs="0">
                              <xs:annotation>
                                <xs:documentation>Format rules same as for unprotectedIdentityPattern.  Typical pattern: [username]@[domain] </xs:documentation>
                              </xs:annotation>
                            </xs:element>
                            <xs:element name="tokenSource" type="TokenSource"/>
                            <xs:element name="methods">
                              <xs:complexType>
                                <xs:all>
                                  <xs:element name="eapGtc" type="Empty"/>
                                </xs:all>
                              </xs:complexType>
                            </xs:element>
                          </xs:sequence>
                        </xs:complexType>
                      </xs:element>
                      <xs:element name="authenticateWithCertificate">
                        <xs:complexType>
                          <xs:sequence>
                            <xs:element name="protectedIdentityPattern" type="IdentityPattern" minOccurs="0">
                              <xs:annotation>
                                <xs:documentation>Format rules same as for unprotectedIdentityPattern. Typical pattern: [username]@[domain] </xs:documentation>
                              </xs:annotation>
                            </xs:element>
                            <xs:element name="certificateSource" type="CertificateSource"/>
                            <xs:choice>
                              <xs:element name="doNotUseInnerMethod">
                                <xs:complexType>
                                  <xs:choice>
                                    <xs:element name="sendWheneverRequested" type="Empty"/>
                                    <xs:element name="sendSecurelyOnly" type="Empty"/>
                                  </xs:choice>
                                </xs:complexType>
                              </xs:element>
                              <xs:element name="sendViaInnerMethod">
                                <xs:complexType>
                                  <xs:all>
                                    <xs:element name="eapTls" type="Empty"/>
                                  </xs:all>
                                </xs:complexType>
                              </xs:element>
                            </xs:choice>
                          </xs:sequence>
                        </xs:complexType>
                      </xs:element>
                    </xs:choice>
                  </xs:complexType>
                </xs:element>
                <xs:element name="extendedInnerMethods" type="ExtendedInnerEapMethod" maxOccurs="unbounded"/>
              </xs:choice>
            </xs:complexType>
          </xs:element>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <xs:complexType name="IdentityPattern">
    <xs:simpleContent>
      <xs:extension base="NonEmptyString">
        <xs:attribute name="encryptContent" type="xs:boolean" use="optional" default="true">
          <xs:annotation>
            <xs:documentation>this is defaulted to 'true' as an indication to  the post-process tool that it should encrypt this element.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <xs:complexType name="PasswordFromProfile">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="encryptContent" type="xs:boolean" use="optional" default="true">
          <xs:annotation>
            <xs:documentation>this is defaulted to 'true' as an indication to  the post-process tool that it should encrypt this element.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <xs:complexType name="PasswordSource">
    <xs:choice>
      <xs:element name="passwordFromLogon" type="Empty"/>
      <xs:element name="passwordFromUser" type="Empty"/>
      <xs:element name="passwordFromProfile" type="PasswordFromProfile"/>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="TokenSource">
    <xs:choice>
      <xs:element name="passwordFromOtherToken" type="Empty">
        <xs:annotation>
          <xs:documentation>this will result in a prompt to user to obtain identity and otp from token</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="CertificateSource">
    <xs:choice>
      <xs:element name="certificateFromUser" type="Empty">
        <xs:annotation>
          <xs:documentation>
The client certificate to use during authentication is the one that the end-user selects from a list presented to them.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="certificateFromLogon" type="Empty">
        <xs:annotation>
          <xs:documentation>The client certificate to use during authentication is the one the end-user used in order to logon to windows.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="certificateFromProfile" type="ClientCertificate">
        <xs:annotation>
          <xs:documentation>The client user certificate to use during authentication is indicated here.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="ExtendedInnerEapMethod">
    <xs:sequence>
      <xs:element name="methodName" type="xs:string"/>
      <xs:element name="methodEapId" type="xs:unsignedInt"/>
      <xs:element name="vendorId" type="xs:integer" default="0"/>
      <xs:element name="AuthorName" type="xs:string"/>
      <xs:element name="AuthorId" type="xs:unsignedInt"/>
      <xs:any namespace="##any" processContents="lax" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="TunnelMethods">
    <xs:sequence>
      <xs:choice>
        <xs:element name="validateServerCertificate" type="serverCertificateValidationParameters"/>
        <xs:element name="doNotValidateServerCertificate" type="Empty"/>
      </xs:choice>
      <xs:element name="unprotectedIdentityPattern" type="IdentityPattern" minOccurs="0">
        <xs:annotation>
          <xs:documentation>If the [username] and/or  [domain] placeholders are used in the pattern then: if a client certificate is used for authentication then placeholder's values shall be obtained from the CN field of the client certificate.  if the credentials are obtained from the end-user then these shall be obtained from the information the user enters.  if the credentials are obtained from the operating system then these shall be obtained from the information the logon provides.  Typical pattern: anonymous@[domain] for tunneled methods or  [username]@[domain] for non-tunneled methods.  If the credential source is this profile then the pattern would be the actual string to send as the username (no placeholders).</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:choice>
        <xs:element name="enableFastReconnect">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension base="Empty">
                <xs:choice>
                  <xs:element name="alwaysAttempt" type="Empty"/>
                </xs:choice>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="disableFastReconnect" type="Empty"/>
      </xs:choice>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="ClientCertificate">
    <xs:choice>
      <xs:element name="certificateId" type="CertificateIdentifier">
        <xs:annotation>
          <xs:documentation>This is a reference to an OS pre-stored certificate.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="CertificateContainer">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element name="certificateId" type="CertificateIdentifier">
        <xs:annotation>
          <xs:documentation>This is a reference to an OS pre-stored certificate.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="CertificateIdentifier">
    <xs:simpleContent>
      <xs:annotation>
        <xs:documentation>SHA 1 hash over the whole binary certificate in X509 format that uniquely identifies a certificate in the global list of trusted CAs for the machine (OS managed store in windows).</xs:documentation>
      </xs:annotation>
      <xs:extension base="NonEmptyString">
        <xs:attribute name="reference" type="xs:boolean">
          <xs:annotation>
            <xs:documentation>true means the element value is a file reference to a certificate in PEM format, the post-process tool will retrieve the certificate file, convert to a hash, populate the certificateId element, and set the reference to false to indicate this is the SHA1 hash over that certificate.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <xs:complexType name="Empty"/>

  <xs:simpleType name="NonEmptyString">
    <xs:restriction base="xs:string">
      <xs:minLength value="1"/>
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="ServerRuleFormat">
    <xs:simpleContent>
      <xs:extension base="NonEmptyString">
        <xs:attribute name="match" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:enumeration value="exactly"/>
              <xs:enumeration value="endsWith"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>

  <xs:complexType name="ServerValidationRules">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Optional only when product allows user to trust server. In which case it allows a profile that has no server validations rules to start with and when a user validates an untrusted server the validation process still validates the server name.</xs:documentation>
      </xs:annotation>
      <xs:element name="matchSubjectAlternativeName" type="ServerRuleFormat">
        <xs:annotation>
          <xs:documentation>DNSName: typically takes the form of a Fully Qualified Domain Name (FQDN)</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="matchSubject" type="ServerRuleFormat">
        <xs:annotation>
          <xs:documentation>Either Subject: CN (Common Name) - typically a simple ASCII string.Or Subject: DN (Domain Name) - a composite of a set of DC (Domain Component) attributes</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="serverCertificateValidationParameters">
    <xs:sequence>
      <xs:choice>
        <xs:element name="serverNameValidationRules" type="ServerValidationRules"/>
        <xs:element name="anyServerName" type="Empty">
          <xs:annotation>
            <xs:documentation>the server name within the certificate will not be tested.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:choice>
      <xs:choice>
        <xs:element name="validateChainWithSpecificCa">
          <xs:complexType>
            <xs:complexContent>
              <xs:extension base="CertificateContainer"/>
            </xs:complexContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="validateChainWithAnyCaFromOs" type="Empty">
          <xs:annotation>
            <xs:documentation>the certificate chain will be trusted if it ends in a CA cert from the global CA cert store.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:choice>
      <xs:element name="userValidatesUntrustedServerCertificate" type="xs:boolean">
        <xs:annotation>
          <xs:documentation>if the server certificate fails to validate then if this is true the end-user will be asked to validate the server.  If they do so then appropriate trustedCaCerts will be remembered as well as the server name fields so it will be automatically trusted in the future.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="ValidateWithSpecificPacs">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>This is optional because it allows the profile to indicate that we want the engine to validate the server PACs but that the PACs will be dynamically added by the end-user actions or via unauthenticated provisioning rather than being statically defined here in the profile.</xs:documentation>
      </xs:annotation>
      <xs:element name="trustPacFromGlobalPacStoreWithThisId" type="xs:string">
        <xs:annotation>
          <xs:documentation> 
 Utilized when there is a global store used for PACs (rather than just per-profile).</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
  </xs:complexType>

</xs:schema>