--- 1/draft-ietf-opsawg-tacacs-yang-01.txt 2020-03-09 00:13:37.747725267 -0700 +++ 2/draft-ietf-opsawg-tacacs-yang-02.txt 2020-03-09 00:13:37.779726080 -0700 @@ -1,19 +1,19 @@ Network Working Group G. Zheng Internet-Draft M. Wang Intended status: Standards Track B. Wu -Expires: May 6, 2020 Huawei - November 3, 2019 +Expires: September 9, 2020 Huawei + March 8, 2020 Yang data model for TACACS+ - draft-ietf-opsawg-tacacs-yang-01 + draft-ietf-opsawg-tacacs-yang-02 Abstract This document defines YANG modules that augment the System Management data model defined in the RFC 7317 with TACACS+ client model. The data model of Terminal Access Controller Access Control System Plus (TACACS+) client allows the configuration of TACACS+ servers for centralized Authentication, Authorization and Accounting. The YANG modules in this document conforms to the Network Management 
@@ -27,51 +27,51 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 6, 2020. + This Internet-Draft will expire on September 9, 2020. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions used in this document . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 8. 
References . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 8.2. Informative References . . . . . . . . . . . . . . . . . 13 - Appendix A. TACACS+ Authentication Configuration . . . . . . . . 13 + Appendix A. TACACS+ Authentication Configuration . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction This document defines YANG modules that augment the System Management data model defined in the [RFC7317] with TACACS+ client model. TACACS+ provides Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers which is defined in the TACACS+ Protocol. 
@@ -199,50 +199,56 @@ +--ro connection-aborts? yang:counter64 +--ro connection-failures? yang:counter64 +--ro connection-timeouts? yang:counter64 +--ro messages-sent? yang:counter64 +--ro messages-received? yang:counter64 +--ro errors-received? yang:counter64 +--ro sessions? yang:counter64 4. TACACS+ Client Module - file "ietf-system-tacacsplus@2019-11-01.yang" + file "ietf-system-tacacsplus@2020-03-05.yang" module ietf-system-tacacsplus { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; prefix sys-tcsplus; import ietf-inet-types { prefix inet; - reference "RFC 6991: Common YANG Data Types"; + reference + "RFC 6991: Common YANG Data Types"; } import ietf-yang-types { prefix yang; - reference "RFC 6991: Common YANG Data Types"; + reference + "RFC 6991: Common YANG Data Types"; } import ietf-network-instance { prefix ni; - reference "RFC 8529: YANG Data Model for Network Instances"; + reference + "RFC 8529: YANG Data Model for Network Instances"; } import ietf-interfaces { prefix if; - reference "RFC 8343: A YANG Data Model for Interface Management"; + reference + "RFC 8343: A YANG Data Model for Interface Management"; } import ietf-system { prefix sys; - reference "RFC 7317: A YANG Data Model for System Management"; + reference + "RFC 7317: A YANG Data Model for System Management"; } import ietf-netconf-acm { prefix nacm; - reference "RFC 8341: Network Configuration Access Control Model"; + reference + "RFC 8341: Network Configuration Access Control Model"; } organization "IETF Opsawg (Operations and Management Area Working Group)"; contact "WG Web: WG List: Editor: Guangying Zheng "; 
@@ -255,38 +261,42 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2019-11-01 { + revision 2020-03-05 { description "Initial revision."; - reference "foo"; + + reference + "foo"; } feature tacacsplus { description "Indicates that the device can be configured as a TACACS+ client."; - reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; + reference + "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; } identity tacacsplus { base sys:authentication-method; description "Indicates AAA operation using TACACS+."; - reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; + reference + "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; } grouping statistics { description "Grouping for TACACS+ statistics attributes"; container statistics { config false; description "A collection of server-related statistics objects"; leaf connection-opens { 
@@ -338,20 +348,29 @@ "Total Number of sessions. A single-connection tacacs+ connection may be >1 sessions."; } } } grouping tacacsplus { description "Grouping for TACACS+ attributes"; container tacacsplus { + must "not(derived-from-or-self(../sys:authentication" + + "/sys:user-authentication-order, 'tacacsplus')) or server" { + error-message "When 'tacacsplus' is used as a sysytem" + + " authentication method, a TACACS+ server" + + " must be configured."; + description + "When 'tacacsplus' is used as an authentication method, + a TACACS+ server must be configured."; + } if-feature "tacacsplus"; description "Container for TACACS+ configurations and operations."; list server { key "name"; ordered-by user; description "List of TACACS+ servers used by the device."; leaf name { type string; @@ -394,21 +413,22 @@ } leaf shared-secret { type string; mandatory true; nacm:default-deny-all; description "The shared secret, which is known to both the TACACS+ client and server. TACACS+ server administrators should configure secret keys of minimum 16 characters length."; - reference "TACACS+ protocol:"; + reference + "TACACS+ protocol:"; } choice source-type { description "The source address type for outbound TACACS+ packets."; case source-ip { leaf source-ip { type inet:ip-address; description "Specifies source IP address for TACACS+ outbound packets."; 
@@ -519,21 +538,21 @@ Alan DeKok, Joe Clarke, and many others for their helpful comments and suggestions. 8. References 8.1. Normative References [I-D.ietf-opsawg-tacacs] Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- - tacacs-15 (work in progress), September 2019. + tacacs-17 (work in progress), November 2019. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . @@ -608,21 +627,22 @@ Guangying Zheng Huawei 101 Software Avenue, Yuhua District Nanjing, Jiangsu 210012 China Email: zhengguangying@huawei.com Michael Wang - Huawei Technologies, Co., Ltd + Huawei Technologies, Co., + Ltd 101 Software Avenue, Yuhua District Nanjing 210012 China Email: wangzitao@huawei.com Bo Wu Huawei 101 Software Avenue, Yuhua District Nanjing, Jiangsu 210012
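Review bot: in hunk @@ -255,38 +261,42 @@, the revision statement still carries the placeholder `reference "foo";` after the revision date was bumped to 2020-03-05; this should become the usual `reference "RFC XXXX: YANG data model for TACACS+";` (to be replaced by the RFC Editor) before the next revision, and the stray blank line inserted between `description "Initial revision.";` and `reference` is unusual in IETF module formatting and can be dropped. Separately, the `reference` strings on the `tacacsplus` feature and identity still cite `draft-ietf-opsawg-tacacs-11`, while hunk @@ -519,21 +538,21 @@ moves the normative reference to draft-ietf-opsawg-tacacs-17; the two should agree, or the module text should cite the protocol by title only so it does not go stale with each draft revision.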
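Review bot: in hunk @@ -338,20 +348,29 @@, the new `error-message` contains a typo, "sysytem" for "system". On the `must` expression itself, `../sys:authentication/sys:user-authentication-order` is resolved relative to wherever the `tacacsplus` grouping is used (the augment target is outside this hunk); if the grouping is used under /sys:system this works, but a short note in the `description` saying the grouping is intended for use under /sys:system would make the dependency explicit. Finally, the `must` is placed ahead of `if-feature "tacacsplus";` and the container's `description`; the canonical substatement order (when, if-feature, must, description, ...) would put `if-feature` first, and `pyang --canonical` will flag the current ordering.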
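Review bot: in hunk @@ -394,21 +413,22 @@, the `shared-secret` leaf's reference is reflowed but still reads `"TACACS+ protocol:"` with nothing after the colon, so it appears truncated; it should either name the section of the TACACS+ protocol draft that motivates the 16-character minimum, or be dropped in favour of the draft title used elsewhere in the module. The `nacm:default-deny-all` on this leaf is the right default for a credential and should stay.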
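Review bot: in hunk @@ -608,21 +627,22 @@, the organization line in Michael Wang's address is split into `Huawei Technologies, Co.,` and `Ltd` on separate lines, which looks like an unintended wrap from the source XML rather than a deliberate change; keeping it on one line (or using the same short form "Huawei" as the other two authors) would fix the rendering.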