| draft-ietf-opsawg-tacacs-yang-02.txt | draft-ietf-opsawg-tacacs-yang-03.txt | |||
|---|---|---|---|---|
| Network Working Group G. Zheng | Network Working Group G. Zheng | |||
| Internet-Draft M. Wang | Internet-Draft M. Wang | |||
| Intended status: Standards Track B. Wu | Intended status: Standards Track B. Wu | |||
| Expires: September 9, 2020 Huawei | Expires: October 21, 2020 Huawei | |||
| March 8, 2020 | April 19, 2020 | |||
| Yang data model for TACACS+ | Yang data model for TACACS+ | |||
| draft-ietf-opsawg-tacacs-yang-02 | draft-ietf-opsawg-tacacs-yang-03 | |||
| Abstract | Abstract | |||
| This document defines YANG modules that augment the System Management | This document defines YANG modules that augment the System Management | |||
| data model defined in the RFC 7317 with TACACS+ client model. The | data model defined in the RFC 7317 with TACACS+ client model. The | |||
| data model of Terminal Access Controller Access Control System Plus | data model of Terminal Access Controller Access Control System Plus | |||
| (TACACS+) client allows the configuration of TACACS+ servers for | (TACACS+) client allows the configuration of TACACS+ servers for | |||
| centralized Authentication, Authorization and Accounting. | centralized Authentication, Authorization and Accounting. | |||
| The YANG modules in this document conforms to the Network Management | The YANG modules in this document conforms to the Network Management | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 9, 2020. | This Internet-Draft will expire on October 21, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 36 ¶ | |||
| +--ro connection-aborts? yang:counter64 | +--ro connection-aborts? yang:counter64 | |||
| +--ro connection-failures? yang:counter64 | +--ro connection-failures? yang:counter64 | |||
| +--ro connection-timeouts? yang:counter64 | +--ro connection-timeouts? yang:counter64 | |||
| +--ro messages-sent? yang:counter64 | +--ro messages-sent? yang:counter64 | |||
| +--ro messages-received? yang:counter64 | +--ro messages-received? yang:counter64 | |||
| +--ro errors-received? yang:counter64 | +--ro errors-received? yang:counter64 | |||
| +--ro sessions? yang:counter64 | +--ro sessions? yang:counter64 | |||
| 4. TACACS+ Client Module | 4. TACACS+ Client Module | |||
| <CODE BEGINS> file "ietf-system-tacacsplus@2020-03-05.yang" | <CODE BEGINS> file "ietf-system-tacacsplus@2020-04-20.yang" | |||
| module ietf-system-tacacsplus { | module ietf-system-tacacsplus { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; | namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; | |||
| prefix sys-tcsplus; | prefix sys-tcsplus; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference | reference | |||
| "RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
| skipping to change at page 6, line 31 ¶ | skipping to change at page 6, line 31 ¶ | |||
| reference | reference | |||
| "RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
| } | } | |||
| organization | organization | |||
| "IETF Opsawg (Operations and Management Area Working Group)"; | "IETF Opsawg (Operations and Management Area Working Group)"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/opsawg/> | "WG Web: <http://tools.ietf.org/wg/opsawg/> | |||
| WG List: <mailto:opsawg@ietf.org> | WG List: <mailto:opsawg@ietf.org> | |||
| Editor: Guangying Zheng | Editor: Bo Wu <lana.wubo@huawei.com> | |||
| <mailto:zhengguangying@huawei.com>"; | : Guangying Zheng <zhengguangying@huawei.com>"; | |||
| description | description | |||
| "This module provides configuration of TACACS+ client. | "This module provides configuration of TACACS+ client. | |||
| Copyright (c) 2019 IETF Trust and the persons identified as | Copyright (c) 2020 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see the | This version of this YANG module is part of RFC XXXX; see the | |||
| RFC itself for full legal notices."; | RFC itself for full legal notices."; | |||
| revision 2020-03-05 { | revision 2020-04-20 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "foo"; | "RFC XXXX: A Yang Data Model for TACACS+"; | |||
| } | } | |||
| feature tacacsplus { | feature tacacsplus { | |||
| description | description | |||
| "Indicates that the device can be configured as a TACACS+ | "Indicates that the device can be configured as a TACACS+ | |||
| client."; | client."; | |||
| reference | reference | |||
| "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol"; | |||
| } | } | |||
| identity tacacsplus { | identity tacacsplus { | |||
| base sys:authentication-method; | base sys:authentication-method; | |||
| description | description | |||
| "Indicates AAA operation using TACACS+."; | "Indicates AAA operation using TACACS+."; | |||
| reference | reference | |||
| "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol"; | |||
| } | } | |||
| grouping statistics { | grouping statistics { | |||
| description | description | |||
| "Grouping for TACACS+ statistics attributes"; | "Grouping for TACACS+ statistics attributes"; | |||
| container statistics { | container statistics { | |||
| config false; | config false; | |||
| description | description | |||
| "A collection of server-related statistics objects"; | "A collection of server-related statistics objects"; | |||
| leaf connection-opens { | leaf connection-opens { | |||
| skipping to change at page 8, line 39 ¶ | skipping to change at page 8, line 39 ¶ | |||
| "Total Number of sessions. A single-connection tacacs+ | "Total Number of sessions. A single-connection tacacs+ | |||
| connection may be >1 sessions."; | connection may be >1 sessions."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping tacacsplus { | grouping tacacsplus { | |||
| description | description | |||
| "Grouping for TACACS+ attributes"; | "Grouping for TACACS+ attributes"; | |||
| container tacacsplus { | container tacacsplus { | |||
| if-feature "tacacsplus"; | ||||
| must "not(derived-from-or-self(../sys:authentication" | must "not(derived-from-or-self(../sys:authentication" | |||
| + "/sys:user-authentication-order, 'tacacsplus')) or server" { | + "/sys:user-authentication-order, 'tacacsplus')) or server" { | |||
| error-message "When 'tacacsplus' is used as a sysytem" | error-message "When 'tacacsplus' is used as a sysytem" | |||
| + " authentication method, a TACACS+ server" | + " authentication method, a TACACS+ server" | |||
| + " must be configured."; | + " must be configured."; | |||
| description | description | |||
| "When 'tacacsplus' is used as an authentication method, | "When 'tacacsplus' is used as an authentication method, | |||
| a TACACS+ server must be configured."; | a TACACS+ server must be configured."; | |||
| } | } | |||
| if-feature "tacacsplus"; | ||||
| description | description | |||
| "Container for TACACS+ configurations and operations."; | "Container for TACACS+ configurations and operations."; | |||
| list server { | list server { | |||
| key "name"; | key "name"; | |||
| ordered-by user; | ordered-by user; | |||
| description | description | |||
| "List of TACACS+ servers used by the device."; | "List of TACACS+ servers used by the device."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| skipping to change at page 12, line 38 ¶ | skipping to change at page 12, line 38 ¶ | |||
| Alan DeKok, Joe Clarke, and many others for their helpful comments | Alan DeKok, Joe Clarke, and many others for their helpful comments | |||
| and suggestions. | and suggestions. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-opsawg-tacacs] | [I-D.ietf-opsawg-tacacs] | |||
| Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and | Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and | |||
| L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- | L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- | |||
| tacacs-17 (work in progress), November 2019. | tacacs-18 (work in progress), March 2020. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| skipping to change at page 14, line 8 ¶ | skipping to change at page 14, line 8 ¶ | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| Appendix A. TACACS+ Authentication Configuration | Appendix A. TACACS+ Authentication Configuration | |||
| The system management model defines two authentication configuration | The system management model defines two authentication configuration | |||
| options and controls authentication methods by configuring "user- | options, "local-users" and "radius", and use "user-authentication- | |||
| authentication-order" . One is "local-users", and the other is | order" to control the authentication methods. As defined in | |||
| "radius". | [RFC7317], the current system authentication methods model is as | |||
| This draft defines the "tacacsplus" model extension and therefore | ||||
| needs to be configured in the same way. The 'tacacsplus' identity is | ||||
| defined to control whether or not TACACS+ authentication should be | ||||
| used. The current system authentication configuration model is as | ||||
| follows: | follows: | |||
| +--rw system | +--rw system | |||
| +--rw authentication | +--rw authentication | |||
| +--rw user-authentication-order* identityref | +--rw user-authentication-order* identityref | |||
| ... | ... | |||
| This draft defines the "tacacsplus" extension and therefore needs to | ||||
| be configured in the same way. The 'tacacsplus' identity is defined | ||||
| to control whether or not TACACS+ authentication should be used. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Guangying Zheng | Guangying Zheng | |||
| Huawei | Huawei | |||
| 101 Software Avenue, Yuhua District | 101 Software Avenue, Yuhua District | |||
| Nanjing, Jiangsu 210012 | Nanjing, Jiangsu 210012 | |||
| China | China | |||
| Email: zhengguangying@huawei.com | Email: zhengguangying@huawei.com | |||
| End of changes. 15 change blocks. | ||||
| 22 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||