draft-ietf-opsawg-tacacs-yang-07.txt   draft-ietf-opsawg-tacacs-yang-08.txt 
Network Working Group G. Zheng Network Working Group G. Zheng
Internet-Draft M. Wang Internet-Draft M. Wang
Intended status: Standards Track B. Wu Intended status: Standards Track B. Wu
Expires: December 22, 2020 Huawei Expires: March 2, 2021 Huawei
June 20, 2020 August 29, 2020
Yang data model for TACACS+ Yang data model for TACACS+
draft-ietf-opsawg-tacacs-yang-07 draft-ietf-opsawg-tacacs-yang-08
Abstract Abstract
This document defines a YANG module that augment the System This document defines a TACACS+ client YANG module, that augments the
Management data model defined in the RFC 7317 with TACACS+ client System Management data model, defined in RFC 7317, to allow devices
model. The data model of Terminal Access Controller Access Control to make use of TACACS+ servers for centralized Authentication,
System Plus (TACACS+) client allows the configuration of TACACS+ Authorization and Accounting.
servers for centralized Authentication, Authorization and Accounting.
The YANG module in this document conforms to the Network Management The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in RFC 8342. Datastore Architecture (NMDA) defined in RFC 8342.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2020. This Internet-Draft will expire on March 2, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
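Review bot: the document title on both sides still reads "Yang data model for TACACS+" while the abstract and body write "YANG"; the title, and the matching reference string "RFC XXXX: A Yang Data Model for TACACS+" in the module's revision statement, should use the same capitalisation. In the new abstract, the comma in "YANG module, that augments" should be dropped, since the clause is restrictive.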
skipping to change at page 2, line 14 skipping to change at page 2, line 13
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3
4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Example Tacacs+ Authentication Configuration . . . . 14 Appendix A. Example TACACS+ Authentication Configuration . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document defines a YANG module that augment the System This document defines a YANG module that augments the System
Management data model defined in the [RFC7317] with TACACS+ client Management data model defined in the [RFC7317] to support the
model. configuration and management of TACACS+ clients.
TACACS+ provides Device Administration for routers, network access TACACS+ [I-D.ietf-opsawg-tacacs] provides device administration for
servers and other networked computing devices via one or more routers, network access servers and other networked devices via one
centralized servers which is defined in the TACACS+ Protocol. or more centralized servers.
[I-D.ietf-opsawg-tacacs]
The System Management Model [RFC7317] defines two YANG features to The System Management Model [RFC7317] defines separate functionality
support local or RADIUS authentication: to support local and RADIUS authentication:
o User Authentication Model: Defines a list of usernames and o User Authentication Model: Defines a list of usernames with
passwords and control the order in which local or RADIUS associated passwords and a configuration leaf to decide the order
authentication is used. in which local or RADIUS authentication is used.
o RADIUS Client Model: Defines a list of RADIUS servers that a o RADIUS Client Model: Defines a list of RADIUS servers used by a
device uses. device for centralized user authentication.
Since TACACS+ is also used for device management and the feature is The System Management Model is augmented with the TACACS+ YANG module
not contained in the System Management model, this document defines a defined in this document to allow the use of TACACS+ servers as an
YANG data model that allows users to configure TACACS+ client alternative to RADIUS servers or local user configuration.
functions on a device for centralized Authentication, Authorization
and Accounting provided by TACACS+ servers.
The YANG model can be used with network management protocols such as The YANG module can be used with network management protocols such as
NETCONF[RFC6241] to install, manipulate, and delete the configuration NETCONF[RFC6241].
of network devices.
The YANG data model in this document conforms to the Network The YANG module in this document conforms to the Network Management
Management Datastore Architecture (NMDA) defined in [RFC8342]. Datastore Architecture (NMDA) defined in [RFC8342].
2. Conventions used in this document 2. Conventions used in this document
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP14, [RFC2119], [RFC8174] when, and only when, they appear in all BCP14, [RFC2119], [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The following terms are defined in [RFC6241] and are used in this The following terms are defined in [RFC6241] and are used in this
specification: specification:
o client
o configuration data o configuration data
o server
o state data o state data
The following terms are defined in [RFC7950] and are used in this The following terms are defined in [RFC7950] and are used in this
specification: specification:
o augment o augment
o data model o data model
o data node o data node
The terminology for describing YANG data models is found in The terminology for describing YANG data models is found in
[RFC7950]. [RFC7950].
2.1. Tree Diagrams 2.1. Tree Diagrams
Tree diagrams used in this document follow the notation defined in Tree diagrams used in this document follow the notation defined in
[RFC8340]. [RFC8340].
3. Design of the Data Model 3. Design of the TACACS+ Data Model
This model is used to configure TACACS+ client on the device to This model is used to configure TACACS+ client on a device to support
support deployment scenarios with centralized authentication, deployment scenarios with centralized authentication, authorization,
authorization, and accounting servers. Authentication is used to and accounting servers. Authentication is used to validate a user's
validate a user's name and password, authorization allows the user to username and password, authorization allows the user to access and
access and execute commands at various command levels assigned to the execute commands at various command levels assigned to the user, and
user and accounting keeps track of the activity of a user who has accounting keeps track of the activity of a user who has accessed the
accessed the device. device.
The ietf-system-tacacsplus module is intended to augment the The ietf-system-tacacs-plus module augments the "/sys:system" path
"/sys:system" path defined in the ietf-system module with the defined in the ietf-system module with the contents of the"tacacs-
contents of the"tacacsplus" grouping. Therefore, a device can use plus" grouping. Therefore, a device can use local, RADIUS, or
local, Remote Authentication Dial In User Service (RADIUS), or TACACS+ to validate users who attempt to access the router by several
Terminal Access Controller Access Control System Plus (TACACS+) to mechanisms, e.g., a command line interface or a web-based user
validate users who attempt to access the router by several
mechanisms, e.g. a command line interface or a web-based user
interface. interface.
The "server" list is directly under the "tacacsplus" container, which The "server" list is directly under the "tacacs-plus" container,
holds a list of TACACS+ servers and uses server-type to distinguish which holds a list of TACACS+ servers and uses server-type to
between the three protocols. The list of servers is for redundancy. distinguish between Authentication, Authorization and Accounting
(AAA). The list of servers is for redundancy.
Most of the parameters in the "server" list are taken directly from Most of the parameters in the "server" list are taken directly from
the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
from the various implementations by network equipment manufacturers. from the various implementations by network equipment manufacturers.
For example, when there are multiple interfaces connected to the For example, when there are multiple interfaces connected to the
TACACS+ client or server, the source address of outgoing TACACS+ TACACS+ client or server, the source address of outgoing TACACS+
packets could be specified, or the source address could be specified packets could be specified, or the source address could be specified
through the interface setting, or derived from the out-bound through the interface IP address setting, or derived from the
interface from the local FIB. For the TACACS+ server located in a outbound interface from the local FIB. For the TACACS+ server
Virtual Private Network(VPN), a VRF instance needs to be specified. located in a Virtual Private Network(VPN), a VRF instance needs to be
specified.
The "statistics" container under the "server list" is to record The "statistics" container under the "server list" is a collection of
session statistics and usage information during user access which read-only counters for sent and received messages from a configured
include the amount of data a user has sent and/or received during a server.
session.
The data model for TACACS+ client has the following structure: The data model for TACACS+ client has the following structure:
module: ietf-system-tacacsplus module: ietf-system-tacacs-plus
augment /sys:system: augment /sys:system:
+--rw tacacsplus {tacacsplus}? +--rw tacacs-plus
+--rw server* [name] +--rw server* [name]
+--rw name string +--rw name string
+--rw server-type? tcsplus-server-type +--rw server-type? tacacs-plus-server-type
+--rw address inet:host +--rw address inet:host
+--rw port? inet:port-number +--rw port? inet:port-number
+--rw shared-secret string +--rw shared-secret string
+--rw (source-type)? +--rw (source-type)?
| +--:(source-ip) | +--:(source-ip)
| | +--rw source-ip? inet:ip-address | | +--rw source-ip? inet:ip-address
| +--:(source-interface) | +--:(source-interface)
| +--rw source-interface? if:interface-ref | +--rw source-interface? if:interface-ref
+--rw vrf-instance? +--rw vrf-instance?
| -> /ni:network-instances/network-instance/name | -> /ni:network-instances/network-instance/name
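Review bot: in the new tree, `server-type?` is still optional and has no default, yet the rewritten Section 3 text says the server list "uses server-type to distinguish between Authentication, Authorization and Accounting". Either make the leaf mandatory or state how a client treats an entry with no server-type set; as written, the model leaves that case undefined. Minor, same section: `the"tacacs-plus" grouping` is missing a space after "the", and `"server list"` should quote only the node name, as in `"server" list`.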
skipping to change at page 5, line 36 skipping to change at page 5, line 36
+--ro connection-aborts? yang:counter64 +--ro connection-aborts? yang:counter64
+--ro connection-failures? yang:counter64 +--ro connection-failures? yang:counter64
+--ro connection-timeouts? yang:counter64 +--ro connection-timeouts? yang:counter64
+--ro messages-sent? yang:counter64 +--ro messages-sent? yang:counter64
+--ro messages-received? yang:counter64 +--ro messages-received? yang:counter64
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
4. TACACS+ Client Module 4. TACACS+ Client Module
This YANG module imports typedefs from [RFC6991]. This YANG module imports typedefs from [RFC6991]. This module also
uses the interface typedef from [RFC8343], the leafref to VRF
<CODE BEGINS> file "ietf-system-tacacsplus@2020-05-22.yang" instance from [RFC8529], and the "default-deny-all" extension
statement from [RFC8341].
module ietf-system-tacacsplus {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
prefix sys-tcsplus;
import ietf-inet-types { <CODE BEGINS> file "ietf-system-tacacs-plus@2020-08-28.yang"
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-network-instance {
prefix ni;
reference
"RFC 8529: YANG Data Model for Network Instances";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Data Model for Interface Management";
}
import ietf-system {
prefix sys;
reference
"RFC 7317: A YANG Data Model for System Management";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
organization module ietf-system-tacacs-plus {
"IETF Opsawg (Operations and Management Area Working Group)"; yang-version 1.1;
contact namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
"WG Web: <http://tools.ietf.org/wg/opsawg/> prefix sys-tcs-plus;
WG List: <mailto:opsawg@ietf.org>
Editor: Bo Wu <lana.wubo@huawei.com> import ietf-inet-types {
Editor: Guangying Zheng <zhengguangying@huawei.com>"; prefix inet;
description reference
"This module provides configuration of TACACS+ client. "RFC 6991: Common YANG Data Types";
}
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-network-instance {
prefix ni;
reference
"RFC 8529: YANG Data Model for Network Instances";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Data Model for Interface Management";
}
import ietf-system {
prefix sys;
reference
"RFC 7317: A YANG Data Model for System Management";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
Copyright (c) 2020 IETF Trust and the persons identified as organization
authors of the code. All rights reserved. "IETF Opsawg (Operations and Management Area Working Group)";
contact
"WG Web: <http://tools.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org>
Redistribution and use in source and binary forms, with or Editor: Bo Wu <lana.wubo@huawei.com>
without modification, is permitted pursuant to, and subject Editor: Guangying Zheng <zhengguangying@huawei.com>";
to the license terms contained in, the Simplified BSD License description
set forth in Section 4.c of the IETF Trust's Legal Provisions "This module provides configuration of TACACS+ client.
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the Copyright (c) 2020 IETF Trust and the persons identified as
RFC itself for full legal notices."; authors of the code. All rights reserved.
// RFC Ed.: update the date below with the date of RFC Redistribution and use in source and binary forms, with or
// publication and remove this note. without modification, is permitted pursuant to, and subject
// RFC Ed.: replace XXXX with actual RFC number and remove to the license terms contained in, the Simplified BSD License
// this note, and the TACACS+ Protocol refers to set forth in Section 4.c of the IETF Trust's Legal Provisions
// draft-ietf-opsawg-tacacs. Relating to IETF Documents
(http://trustee.ietf.org/license-info).
revision 2020-05-22 { This version of this YANG module is part of RFC XXXX; see the
description RFC itself for full legal notices.";
"Initial revision.";
reference
"RFC XXXX: A Yang Data Model for TACACS+";
}
typedef tcsplus-server-type { // RFC Ed.: update the date below with the date of RFC
type bits { // publication and remove this note.
bit authentication { // RFC Ed.: replace XXXX with actual RFC number and remove
description // this note, and the TACACS+ Protocol refers to
"When set, the server is an authentication server."; // draft-ietf-opsawg-tacacs.
}
bit authorization {
description
"When set, the server is an authorization server.";
}
bit accounting {
description
"When set, the server is an accounting server.";
}
}
description
"tcsplus-server-type can be set to
authentication/authorization/accounting
or any combination of the three types. When all three types are
supported, all the three bits are set.";
}
feature tacacsplus { revision 2020-08-28 {
description description
"Indicates that the device can be configured as a TACACS+ "Initial revision.";
client."; reference
reference "RFC XXXX: A Yang Data Model for TACACS+";
"RFC XXXX : The TACACS+ Protocol "; }
}
identity tacacsplus { typedef tacacs-plus-server-type {
base sys:authentication-method; type bits {
description bit authentication {
"Indicates AAA operation using TACACS+."; description
reference "When set, the server is an authentication server.";
"RFC XXXX: The TACACS+ Protocol"; }
bit authorization {
description
"When set, the server is an authorization server.";
}
bit accounting {
description
"When set, the server is an accounting server.";
}
}
description
"tacacs-plus-server-type can be set to
authentication/authorization/accounting
or any combination of the three types. When all three types are
supported, all the three bits are set.";
}
} identity tacacs-plus {
base sys:authentication-method;
description
"Indicates AAA operation using TACACS+.";
reference
"RFC XXXX: The TACACS+ Protocol";
}
grouping statistics { grouping statistics {
description description
"Grouping for TACACS+ statistics attributes"; "Grouping for TACACS+ statistics attributes";
container statistics {
config false;
description
"A collection of server-related statistics objects";
leaf connection-opens {
type yang:counter64;
description
"Number of new connection requests sent to the server, e.g.
socket open";
}
leaf connection-closes {
type yang:counter64;
description
"Number of connection close requests sent to the server, e.g.
socket close";
}
leaf connection-aborts {
type yang:counter64;
description
"Number of aborted connections to the server. These do
not include connections that are close gracefully.";
}
leaf connection-failures {
type yang:counter64;
description
"Number of connection failures to the server";
}
leaf connection-timeouts {
type yang:counter64;
description
"Number of connection timeouts to the server";
}
leaf messages-sent {
type yang:counter64;
description
"Number of messages sent to the server";
}
leaf messages-received {
type yang:counter64;
description
"Number of messages received from the server";
}
leaf errors-received {
type yang:counter64;
description
"Number of error messages received from the server";
}
leaf sessions {
type yang:counter64;
description
"Number of TACACS+ sessions completed with the server.
If the Single Connection Mode was NOT enabled, the number of
sessions is the same as the number of 'connection-closes'.
If the Mode was enabled, a single TCP connection may contain
multiple TACACS+ sessions.";
}
}
}
grouping tacacsplus { container statistics {
description config false;
"Grouping for TACACS+ attributes"; description
container tacacsplus { "A collection of server-related statistics objects";
if-feature "tacacsplus"; leaf connection-opens {
must "not(derived-from-or-self(../sys:authentication" type yang:counter64;
+ "/sys:user-authentication-order, 'tacacsplus')) or server" { description
error-message "When 'tacacsplus' is used as a system" "Number of new connection requests sent to the server, e.g.,
+ " authentication method, a TACACS+ server" socket open";
+ " must be configured."; }
description leaf connection-closes {
"When 'tacacsplus' is used as an authentication method, type yang:counter64;
a TACACS+ server must be configured."; description
} "Number of connection close requests sent to the server, e.g.,
description socket close";
"Container for TACACS+ configurations and operations."; }
list server { leaf connection-aborts {
key "name"; type yang:counter64;
ordered-by user; description
description "Number of aborted connections to the server. These do
"List of TACACS+ servers used by the device."; not include connections that are close gracefully.";
leaf name { }
type string; leaf connection-failures {
description type yang:counter64;
"An arbitrary name for the TACACS+ server."; description
} "Number of connection failures to the server";
leaf server-type { }
type tcsplus-server-type; leaf connection-timeouts {
description type yang:counter64;
"Server type: authentication/authorization/accounting and description
various combinations. "Number of connection timeouts to the server";
When all three types are supported, all the three bits }
are set."; leaf messages-sent {
} type yang:counter64;
leaf address { description
type inet:host; "Number of messages sent to the server";
mandatory true; }
description leaf messages-received {
"The address of the TACACS+ server."; type yang:counter64;
} description
leaf port { "Number of messages received from the server";
type inet:port-number; }
default "49"; leaf errors-received {
description type yang:counter64;
"The port number of TACACS+ Server port."; description
} "Number of error messages received from the server";
leaf shared-secret { }
type string { leaf sessions {
length "16..max"; type yang:counter64;
} description
mandatory true; "Number of TACACS+ sessions completed with the server.
nacm:default-deny-all; If the Single Connection Mode was NOT enabled, the number of
description sessions is the same as the number of 'connection-closes'.
"The shared secret, which is known to both the If the Mode was enabled, a single TCP connection may contain
TACACS+ client and server. TACACS+ server administrators multiple TACACS+ sessions.";
should configure shared secret of minimum 16 characters }
length. }
It is highly recommended that shared keys are at least 32 }
characters long.";
reference
"RFC XXXX: The TACACS+ Protocol";
}
choice source-type {
description
"The source address type for outbound TACACS+ packets.";
case source-ip {
leaf source-ip {
type inet:ip-address;
description
"Specifies source IP address for TACACS+ outbound
packets.";
}
}
case source-interface {
leaf source-interface {
type if:interface-ref;
description
"Specifies the interface from which the IP address is
derived for use as the source for the outbound TACACS+
packet";
} grouping tacacs-plus {
} description
} "Grouping for TACACS+ attributes";
leaf vrf-instance { container tacacs-plus {
type leafref { must "not(derived-from-or-self(../sys:authentication"
path "/ni:network-instances/ni:network-instance/ni:name"; + "/sys:user-authentication-order, 'tacacs-plus'))"
} + " or bit-is-set(server/server-type,'authentication')" {
description error-message "When 'tacacs-plus' is used as a system"
"Specifies the VPN Routing and Forwarding (VRF) instance to + " authentication method, a TACACS+ authentication"
use to communicate with the TACACS+ server."; + " server must be configured.";
} description
leaf single-connection { "When 'tacacs-plus' is used as an authentication method,
type boolean; a TACACS+ server must be configured.";
default "false"; }
description description
"Whether the single connection mode is enabled for the "Container for TACACS+ configurations and operations.";
server. By default, the single connection mode is list server {
disabled."; key "name";
} ordered-by user;
leaf timeout { description
type uint16 { "List of TACACS+ servers used by the device.";
range "1..300"; leaf name {
} type string;
units "seconds"; description
default "5"; "An arbitrary name for the TACACS+ server.";
description }
"The number of seconds the device will wait for a leaf server-type {
response from each TACACS+ server before trying with a type tacacs-plus-server-type;
different server."; description
} "Server type: authentication/authorization/accounting and
uses statistics; various combinations.
} When all three types are supported, all the three bits
} are set.";
} }
leaf address {
type inet:host;
mandatory true;
description
"The address of the TACACS+ server.";
}
leaf port {
type inet:port-number;
default "49";
description
"The port number of TACACS+ Server port.";
}
leaf shared-secret {
type string {
length "16..max";
}
mandatory true;
nacm:default-deny-all;
description
"The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server administrators
should configure shared secret of minimum 16 characters
length.
It is highly recommended that shared keys are at least 32
characters long.";
reference
"RFC XXXX: The TACACS+ Protocol";
}
choice source-type {
description
"The source address type for outbound TACACS+ packets.";
case source-ip {
leaf source-ip {
type inet:ip-address;
description
"Specifies source IP address for TACACS+ outbound
packets.";
}
}
case source-interface {
leaf source-interface {
type if:interface-ref;
description
"Specifies the interface from which the IP address is
derived for use as the source for the outbound TACACS+
packet";
}
}
}
leaf vrf-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"Specifies the VPN Routing and Forwarding (VRF) instance to
use to communicate with the TACACS+ server.";
}
leaf single-connection {
type boolean;
default "false";
description
"Whether the single connection mode is enabled for the
server. By default, the single connection mode is
disabled.";
}
leaf timeout {
type uint16 {
range "1..300";
}
units "seconds";
default "5";
description
"The number of seconds the device will wait for a
response from each TACACS+ server before trying with a
different server.";
}
uses statistics;
}
}
}
augment "/sys:system" { augment "/sys:system" {
description description
"Augment the system model with the tacacsplus model"; "Augment the system model with the tacacs-plus model";
uses tacacsplus; uses tacacs-plus;
} }
} }
<CODE ENDS> <CODE ENDS>
5. Security Considerations 5. Security Considerations
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
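Review bot: the new `must` on container tacacs-plus calls `bit-is-set(server/server-type,'authentication')`, and bit-is-set() as defined in RFC 7950 Section 10.6.1 tests only the first node in document order of its node-set argument, so with several entries in the `ordered-by user` server list the constraint is decided by the first server-type leaf alone. A predicate form such as `server[bit-is-set(server-type,'authentication')]` is satisfied by any entry that has the bit set. In the same statement the `description` still reads "a TACACS+ server must be configured" while the error-message now says "a TACACS+ authentication server must be configured"; the two should agree.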
skipping to change at page 12, line 27 skipping to change at page 12, line 18
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability: and their sensitivity/vulnerability:
/system/tacacsplus/server: This list contains the objects used to /system/tacacsplus/server: This list contains the data nodes used to
control the TACACS+ servers used by the device. Unauthorized control the TACACS+ servers used by the device. Unauthorized
access to this list could cause a user management failure on the access to this list could cause a complete control over the device
device. by pointing to a compromised TACACS+ server.
/system/tacacsplus/server/shared-secret: This leaf controls the key /system/tacacsplus/server/shared-secret: This leaf controls the key
known to both the TACACS+ client and server. Unauthorized access known to both the TACACS+ client and server. Unauthorized access
to this leaf could cause the device vulnerable to attacks, to this leaf could cause the device vulnerable to attacks,
therefore has been restricted using the "default-deny-all" access therefore has been restricted using the "default-deny-all" access
control defined in [RFC8341]. control defined in [RFC8341].
This document describes the use of TACACS+ for purposes of This document describes the use of TACACS+ for purposes of
authentication, authorization and accounting, it is vulnerable to all authentication, authorization and accounting, it is vulnerable to all
of the threats that are present in TACACS+ applications. For a of the threats that are present in TACACS+ applications. For a
discussion of such threats, see Section 9 of the TACACS+ Protocol discussion of such threats, see Section 9 of the TACACS+ Protocol
[I-D.ietf-opsawg-tacacs]. [I-D.ietf-opsawg-tacacs].
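Review bot: The revised /system/tacacsplus/server paragraph, and the shared-secret paragraph after it, still spell the path with "tacacsplus", while the Appendix A example in this revision renames the container to "tacacs-plus"; the two paths here should be checked against the module and updated to match. The new sentence "could cause a complete control over the device by pointing to a compromised TACACS+ server" also does not say who gains control or what is being pointed; suggest "could allow an attacker to gain complete control over the device by pointing it to a compromised TACACS+ server". The unchanged shared-secret sentence has a similar problem ("could cause the device vulnerable to attacks") and would read better as "could make the device vulnerable to attacks".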
6. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. This document registers a URI in the IETF XML registry [RFC3688].
Following the format in [RFC3688], the following registration is Following the format in [RFC3688], the following registration is
requested to be made: requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [RFC7950]. registry [RFC7950].
Name: ietf-system-tacacsplus Name: ietf-system-tacacs-plus
Namespace: urn:ietf:params:xml:ns:yang: ietf-tacacsplus Namespace: urn:ietf:params:xml:ns:yang: ietf-system-tacacs-plus
Prefix: sys-tcsplus Prefix: sys-tcs-plus
Reference: RFC XXXX (RFC Ed.: replace XXXX with actual Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
RFC number and remove this note.) RFC number and remove this note.)
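Review bot: The Namespace line of the YANG Module Names registration reads "urn:ietf:params:xml:ns:yang: ietf-system-tacacs-plus", with a space after "yang:", so it does not match the URI requested in the IETF XML registry a few lines above; remove the space so both registrations carry the identical string. The old side also differed in the module part (ietf-tacacsplus against ietf-system-tacacsplus), which this revision corrects, so the whitespace is the only remaining mismatch.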
7. Acknowledgments 7. Acknowledgments
The authors wish to thank Alex Campbell, John Heasley, Ebben Aries, The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, and many others for Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, and many others for
their helpful comments and suggestions. their helpful comments and suggestions.
8. References 8. References
skipping to change at page 14, line 35 skipping to change at page 14, line 19
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8343] Bjorklund, M., "A YANG Data Model for Interface
Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
<https://www.rfc-editor.org/info/rfc8343>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8529] Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X.
Liu, "YANG Data Model for Network Instances", RFC 8529,
DOI 10.17487/RFC8529, March 2019,
<https://www.rfc-editor.org/info/rfc8529>.
8.2. Informative References 8.2. Informative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
Appendix A. Example Tacacs+ Authentication Configuration Appendix A. Example TACACS+ Authentication Configuration
The following shows an example where a tacacs+ authentication server The following shows an example where a TACACS+ authentication server
instance is configured. instance is configured.
{ {
"ietf-system:system": { "ietf-system:system": {
"authentication": { "authentication": {
"user-authentication-order": [tacacsplus, local-users] "user-authentication-order": [tacacs-plus, local-users]
} }
"tacacsplus": { "tacacs-plus": {
"server": [ "server": [
{ {
"name": "tac_plus1", "name": "tac_plus1",
"server-type": "authentication", "server-type": "authentication",
"address": "192.0.2.2", "address": "192.0.2.2",
"shared-secret": "QaEfThUkO1980100754609236h3TbE8n", "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
"source-ip": "192.0.2.12", "source-ip": "192.0.2.12",
"single-connection": "false",
"timeout": "10" "timeout": "10"
} }
] ]
} }
} }
} }
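Review bot: The Appendix A example is not well-formed JSON on either side: the entries in "user-authentication-order" are unquoted, and there is no comma between the closing brace of "authentication" and the "tacacs-plus" member. Suggest quoting both list entries and adding the comma. Because the container comes from the augmenting module ietf-system-tacacs-plus rather than from ietf-system, the member name (and the tacacs-plus identity value) should also carry that module name as a prefix under the RFC 7951 JSON encoding. It is also worth confirming against the module whether "timeout": "10" should be encoded as a number rather than a string.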
Authors' Addresses Authors' Addresses
Guangying Zheng Guangying Zheng
 End of changes. 54 change blocks. 
365 lines changed or deleted 357 lines changed or added
