draft-ietf-opsawg-tacacs-yang-01.txt   draft-ietf-opsawg-tacacs-yang-02.txt 
Network Working Group G. Zheng Network Working Group G. Zheng
Internet-Draft M. Wang Internet-Draft M. Wang
Intended status: Standards Track B. Wu Intended status: Standards Track B. Wu
Expires: May 6, 2020 Huawei Expires: September 9, 2020 Huawei
November 3, 2019 March 8, 2020
Yang data model for TACACS+ Yang data model for TACACS+
draft-ietf-opsawg-tacacs-yang-01 draft-ietf-opsawg-tacacs-yang-02
Abstract Abstract
This document defines YANG modules that augment the System Management This document defines YANG modules that augment the System Management
data model defined in the RFC 7317 with TACACS+ client model. The data model defined in the RFC 7317 with TACACS+ client model. The
data model of Terminal Access Controller Access Control System Plus data model of Terminal Access Controller Access Control System Plus
(TACACS+) client allows the configuration of TACACS+ servers for (TACACS+) client allows the configuration of TACACS+ servers for
centralized Authentication, Authorization and Accounting. centralized Authentication, Authorization and Accounting.
The YANG modules in this document conforms to the Network Management The YANG modules in this document conforms to the Network Management
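Review bot: subject-verb agreement in the last sentence of the abstract: "The YANG modules in this document conforms to the Network Management ..." should read "conform", and "augment the System Management data model defined in the RFC 7317 with TACACS+ client model" reads more naturally as "defined in RFC 7317 with a TACACS+ client model". Both -01 and -02 carry the same wording, so this is a pre-existing nit rather than a regression introduced by this revision.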
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 6, 2020. This Internet-Draft will expire on September 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3
4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . 12 8.1. Normative References . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. TACACS+ Authentication Configuration . . . . . . . . 13 Appendix A. TACACS+ Authentication Configuration . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
This document defines YANG modules that augment the System Management This document defines YANG modules that augment the System Management
data model defined in the [RFC7317] with TACACS+ client model. data model defined in the [RFC7317] with TACACS+ client model.
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers which is defined in the TACACS+ Protocol. centralized servers which is defined in the TACACS+ Protocol.
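Review bot: the second sentence of the Introduction ("... via one or more centralized servers which is defined in the TACACS+ Protocol") attaches "which is defined" to the servers rather than to the protocol; suggest "... via one or more centralized servers, as defined in the TACACS+ Protocol [I-D.ietf-opsawg-tacacs]" so the normative citation is anchored on first use. The missing article from the abstract ("with TACACS+ client model") is repeated in the first sentence here.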
skipping to change at page 5, line 36 skipping to change at page 5, line 36
+--ro connection-aborts? yang:counter64 +--ro connection-aborts? yang:counter64
+--ro connection-failures? yang:counter64 +--ro connection-failures? yang:counter64
+--ro connection-timeouts? yang:counter64 +--ro connection-timeouts? yang:counter64
+--ro messages-sent? yang:counter64 +--ro messages-sent? yang:counter64
+--ro messages-received? yang:counter64 +--ro messages-received? yang:counter64
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
4. TACACS+ Client Module 4. TACACS+ Client Module
<CODE BEGINS> file "ietf-system-tacacsplus@2019-11-01.yang" <CODE BEGINS> file "ietf-system-tacacsplus@2020-03-05.yang"
module ietf-system-tacacsplus { module ietf-system-tacacsplus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
prefix sys-tcsplus; prefix sys-tcsplus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991: Common YANG Data Types"; reference
"RFC 6991: Common YANG Data Types";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference "RFC 6991: Common YANG Data Types"; reference
"RFC 6991: Common YANG Data Types";
} }
import ietf-network-instance { import ietf-network-instance {
prefix ni; prefix ni;
reference "RFC 8529: YANG Data Model for Network Instances"; reference
"RFC 8529: YANG Data Model for Network Instances";
} }
import ietf-interfaces { import ietf-interfaces {
prefix if; prefix if;
reference "RFC 8343: A YANG Data Model for Interface Management"; reference
"RFC 8343: A YANG Data Model for Interface Management";
} }
import ietf-system { import ietf-system {
prefix sys; prefix sys;
reference "RFC 7317: A YANG Data Model for System Management"; reference
"RFC 7317: A YANG Data Model for System Management";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference "RFC 8341: Network Configuration Access Control Model"; reference
"RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF Opsawg (Operations and Management Area Working Group)"; "IETF Opsawg (Operations and Management Area Working Group)";
contact contact
"WG Web: <http://tools.ietf.org/wg/opsawg/> "WG Web: <http://tools.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Guangying Zheng Editor: Guangying Zheng
<mailto:zhengguangying@huawei.com>"; <mailto:zhengguangying@huawei.com>";
skipping to change at page 6, line 43 skipping to change at page 6, line 49
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices."; RFC itself for full legal notices.";
revision 2019-11-01 { revision 2020-03-05 {
description description
"Initial revision."; "Initial revision.";
reference "foo";
reference
"foo";
} }
feature tacacsplus { feature tacacsplus {
description description
"Indicates that the device can be configured as a TACACS+ "Indicates that the device can be configured as a TACACS+
client."; client.";
reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; reference
"draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
} }
identity tacacsplus { identity tacacsplus {
base sys:authentication-method; base sys:authentication-method;
description description
"Indicates AAA operation using TACACS+."; "Indicates AAA operation using TACACS+.";
reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; reference
"draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
} }
grouping statistics { grouping statistics {
description description
"Grouping for TACACS+ statistics attributes"; "Grouping for TACACS+ statistics attributes";
container statistics { container statistics {
config false; config false;
description description
"A collection of server-related statistics objects"; "A collection of server-related statistics objects";
leaf connection-opens { leaf connection-opens {
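Review bot: the `revision` statement still carries the placeholder `reference "foo";` (only re-wrapped in -02, not resolved); before publication it needs to become "RFC XXXX: YANG Data Model for TACACS+" to match the RFC XXXX placeholder already used in the module description, together with an RFC Editor note to replace XXXX. In the same hunk, the `reference` statements on `feature tacacsplus` and `identity tacacsplus` cite draft-ietf-opsawg-tacacs-11 while the normative reference in Section 8.1 has been bumped to -17; the two should be kept in step, and a version-less "The TACACS+ Protocol" in the module avoids this drift on every revision.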
skipping to change at page 8, line 31 skipping to change at page 8, line 39
"Total Number of sessions. A single-connection tacacs+ "Total Number of sessions. A single-connection tacacs+
connection may be >1 sessions."; connection may be >1 sessions.";
} }
} }
} }
grouping tacacsplus { grouping tacacsplus {
description description
"Grouping for TACACS+ attributes"; "Grouping for TACACS+ attributes";
container tacacsplus { container tacacsplus {
must "not(derived-from-or-self(../sys:authentication"
+ "/sys:user-authentication-order, 'tacacsplus')) or server" {
error-message "When 'tacacsplus' is used as a sysytem"
+ " authentication method, a TACACS+ server"
+ " must be configured.";
description
"When 'tacacsplus' is used as an authentication method,
a TACACS+ server must be configured.";
}
if-feature "tacacsplus"; if-feature "tacacsplus";
description description
"Container for TACACS+ configurations and operations."; "Container for TACACS+ configurations and operations.";
list server { list server {
key "name"; key "name";
ordered-by user; ordered-by user;
description description
"List of TACACS+ servers used by the device."; "List of TACACS+ servers used by the device.";
leaf name { leaf name {
type string; type string;
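Review bot: the new `must` on `container tacacsplus` has a typo in its error-message ("sysytem" should be "system"), and it is placed before `if-feature`, which is not the canonical substatement order of RFC 7950 (if-feature precedes must); `pyang --canonical` will flag it. The expression itself looks right: `derived-from-or-self(../sys:authentication/sys:user-authentication-order, 'tacacsplus')` is evaluated over the identityref leaf-list from RFC 7317 and returns true if any entry is or derives from this module's `tacacsplus` identity (the unprefixed name resolves in the defining module), so the constraint fires only when TACACS+ is in the authentication order and no `server` entry exists, which is the intended check. One wording nit in the statistics description a few lines up: "Total Number of sessions. A single-connection tacacs+ connection may be >1 sessions." would read better as "Total number of sessions. A single TACACS+ connection in single-connection mode may carry more than one session."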
skipping to change at page 9, line 39 skipping to change at page 10, line 8
} }
leaf shared-secret { leaf shared-secret {
type string; type string;
mandatory true; mandatory true;
nacm:default-deny-all; nacm:default-deny-all;
description description
"The shared secret, which is known to both the "The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server administrators TACACS+ client and server. TACACS+ server administrators
should configure secret keys of minimum should configure secret keys of minimum
16 characters length."; 16 characters length.";
reference "TACACS+ protocol:"; reference
"TACACS+ protocol:";
} }
choice source-type { choice source-type {
description description
"The source address type for outbound TACACS+ packets."; "The source address type for outbound TACACS+ packets.";
case source-ip { case source-ip {
leaf source-ip { leaf source-ip {
type inet:ip-address; type inet:ip-address;
description description
"Specifies source IP address for TACACS+ outbound "Specifies source IP address for TACACS+ outbound
packets."; packets.";
skipping to change at page 12, line 23 skipping to change at page 12, line 38
Alan DeKok, Joe Clarke, and many others for their helpful comments Alan DeKok, Joe Clarke, and many others for their helpful comments
and suggestions. and suggestions.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-opsawg-tacacs] [I-D.ietf-opsawg-tacacs]
Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
tacacs-15 (work in progress), September 2019. tacacs-17 (work in progress), November 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
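Review bot: the [I-D.ietf-opsawg-tacacs] entry lists an author as "dcmgash@cisco.com, d.", which is the xml2rfc rendering of an author element that has an e-mail address but no surname; the reference should be regenerated from the current draft's front matter so the author list renders properly. The version bump to -17 (November 2019) is fine on its own, but the module's `reference` statements above still cite -11 and should be updated in the same revision.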
skipping to change at page 14, line 21 skipping to change at page 14, line 34
Guangying Zheng Guangying Zheng
Huawei Huawei
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: zhengguangying@huawei.com Email: zhengguangying@huawei.com
Michael Wang Michael Wang
Huawei Technologies, Co., Ltd Huawei Technologies, Co.,
Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing 210012 Nanjing 210012
China China
Email: wangzitao@huawei.com Email: wangzitao@huawei.com
Bo Wu Bo Wu
Huawei Huawei
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
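Review bot: in Authors' Addresses, -02 wraps "Huawei Technologies, Co., Ltd" onto two lines ("Huawei Technologies, Co.," / "Ltd"), which looks like an xml2rfc line-break artifact in the organization element rather than an intended change; the three authors also give the organization inconsistently ("Huawei" vs "Huawei Technologies, Co., Ltd"), and Michael Wang's address omits the "Jiangsu" province the other two include. Suggest one organization string and one address format for all three.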
 End of changes. 21 change blocks. 
21 lines changed or deleted 42 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/