< draft-zheng-opsawg-tacacs-yang-01.txt   draft-zheng-opsawg-tacacs-yang-02.txt >
Network Working Group G. Zheng Network Working Group G. Zheng
Internet-Draft M. Wang Internet-Draft M. Wang
Intended status: Standards Track B. Wu Intended status: Standards Track B. Wu
Expires: September 11, 2019 Huawei Expires: December 22, 2019 Huawei
March 10, 2019 June 20, 2019
YANG data model for Terminal Access Controller Access Control System Plus YANG data model for TACACS+
draft-zheng-opsawg-tacacs-yang-01 draft-zheng-opsawg-tacacs-yang-02
Abstract Abstract
This document defines two YANG modules that augment the System data This document defines a YANG module that augments the System data
model defined in [RFC 7317] with a TACACS+ client model and an model defined in RFC 7317 with a TACACS+ client model. The data
additional AAA model. The data model of Terminal Access Controller model of Terminal Access Controller Access Control System Plus
Access Control System Plus (TACACS+) client allows the configuration (TACACS+) client allows the configuration of TACACS+ servers for
of TACACS+ servers for centralized Authentication, Authorization and centralized Authentication, Authorization and Accounting.
Accounting. While the current system model only supports
authentication configuration, the additional AAA model allows system
authorization and accounting configuration.
The YANG modules in this document conform to the Network Management The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in [RFC8342]. Datastore Architecture (NMDA) defined in RFC 8342.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 11, 2019. This Internet-Draft will expire on December 22, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. TACACSPLUS Client Model . . . . . . . . . . . . . . . . . . . 4 3. TACACS+ Client Model . . . . . . . . . . . . . . . . . . . . 3
4. AAA Model Augmentation . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
4.1. User Authorization Model . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
4.2. User Accounting Model . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. TACACS+ Module . . . . . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
6. AAA Module . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8.1. Normative References . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 8.2. Informative References . . . . . . . . . . . . . . . . . 13
9. Normative References . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
This document defines two YANG modules that augment the System data This document defines a YANG module that augments the System data
model defined in [RFC7317] with a TACACS+ client model and an model defined in [RFC7317] with a TACACS+ client model.
additional AAA model. The data model of Terminal Access Controller
Access Control System Plus (TACACS+) client allows the configuration
of TACACS+ servers for centralized Authentication, Authorization and
Accounting. While the current system model only supports
authentication configuration, the additional AAA model allows system
authorization and accounting configuration.
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers, as defined in the TACACS+ Protocol centralized servers, as defined in the TACACS+ Protocol
[I-D.ietf-opsawg-tacacs]. [I-D.ietf-opsawg-tacacs].
A YANG Data Model for System Management [RFC7317] defines two YANG The System Management Model [RFC7317] defines two YANG features to
features to support local or RADIUS authentication: support local or RADIUS authentication:
o User Authentication Model: Defines a list of usernames and o User Authentication Model: Defines a list of usernames and
passwords and controls the order in which local or RADIUS passwords and controls the order in which local or RADIUS
authentication is used. authentication is used.
o RADIUS Client Model: Defines the list of RADIUS servers that a o RADIUS Client Model: Defines the list of RADIUS servers that a
device uses. device uses.
Since TACACS+ is also used for device management and the feature is Since TACACS+ is also used for device management and the feature is
not contained in the system model, this document defines a YANG data not contained in the system model, this document defines a YANG data
model that allows users to configure TACACS+ client functions on a model that allows users to configure TACACS+ client functions on a
device. device for centralized Authentication, Authorization and Accounting
 provided by TACACS+ servers.
Additionally, to support the full AAA feature, the "ietf-system-aaa"
YANG module defined in this document provides a user authorization
model and a user accounting model. The additional AAA model is
intended to be used together with the authentication feature of the
System model, to authorize which services a user is allowed to use,
and to maintain a record of the actions performed while a user is
logged on.
The YANG models can be used with network management protocols such as The YANG models can be used with network management protocols such as
NETCONF[RFC6241] to install, manipulate, and delete the configuration NETCONF[RFC6241] to install, manipulate, and delete the configuration
of network devices. of network devices.
The YANG data model in this document conforms to the Network The YANG data model in this document conforms to the Network
Management Datastore Architecture (NMDA) defined in [RFC8342]. Management Datastore Architecture (NMDA) defined in [RFC8342].
2. Conventions used in this document 2. Conventions used in this document
skipping to change at page 4, line 14 skipping to change at page 3, line 48
o data node o data node
The terminology for describing YANG data models is found in The terminology for describing YANG data models is found in
[RFC7950]. [RFC7950].
2.1. Tree Diagrams 2.1. Tree Diagrams
Tree diagrams used in this document follow the notation defined in Tree diagrams used in this document follow the notation defined in
[RFC8340]. [RFC8340].
3. TACACSPLUS Client Model 3. TACACS+ Client Model
This model is used to configure the TACACS+ client on the device to This model is used to configure the TACACS+ client on the device to
support deployment scenarios with centralized authentication, support deployment scenarios with centralized authentication,
authorization, and accounting servers. Authentication is used to authorization, and accounting servers. Authentication is used to
validate a user's name and password, authorization allows the user validate a user's name and password, authorization allows the user
to access and execute commands at various command levels assigned to to access and execute commands at various command levels assigned to
the user, and accounting keeps track of the activity of a user who the user, and accounting keeps track of the activity of a user who
has accessed the device. has accessed the device.
The ietf-aaa-tacacs module is intended to augment the "/sys:system" The ietf-system-tacacsplus module is intended to augment the
path defined in the ietf-system module with the "tacacs" grouping. "/sys:system" path defined in the ietf-system module with the
Therefore, a device can use local, Remote Authentication Dial In User "tacacsplus" grouping. Therefore, a device can use local, Remote
Service (RADIUS), or Terminal Access Controller Access Control System Authentication Dial In User Service (RADIUS), or Terminal Access
Plus (TACACS+) to validate users who attempt to access the router by Controller Access Control System Plus (TACACS+) to validate users who
several mechanisms, e.g. a command line interface or a web-based user attempt to access the router by several mechanisms, e.g. a command
interface. line interface or a web-based user interface.
The "server" list is directly under the "tacacs" container; it holds The "server" list is directly under the "tacacsplus" container; it
a list of TACACS+ servers and uses server-type to distinguish among holds a list of TACACS+ servers and uses server-type to distinguish
the three AAA functions (authentication, authorization and among the three AAA functions (authentication, authorization and
accounting). Multiple servers are listed for redundancy. accounting). Multiple servers are listed for redundancy.
Most of the parameters in the "server" list are taken directly from
the TACACS+ protocol [I-D.ietf-opsawg-tacacs]; some are derived from
common practice among network equipment vendors. For example, when
multiple interfaces are connected to the TACACS+ server, the source
address of outgoing TACACS+ packets can be specified directly, or it
can be derived from a specified interface. For a TACACS+ server
located in a private network, a VRF instance needs to be specified.
The "statistics" container under the "server" list records, per The "statistics" container under the "server" list records, per
server, the connections the TACACS+ client has opened, closed, server, the connections the TACACS+ client has opened, closed,
aborted, failed to open or timed out, and the messages it has sent, aborted, failed to open or timed out, and the messages it has sent,
received, or received as errors from that server. received, or received as errors from that server.
The data model for tacacs has the following structure: The data model for the TACACS+ client has the following structure:
module: ietf-aaa-tacacs
augment /sys:system:
+--rw tacacs {tacacs}?
+--rw server* [name]
| +--rw name string
| +--rw server-type? enumeration
| +--rw address inet:host
| +--rw port? inet:port-number
| +--rw shared-secret string
| +--rw source-ip? inet:ip-address
| +--rw single-connection? boolean
| +--rw network-instance? -> /ni:network-instances/network-instance/name
| +--ro statistics
| +--ro connection-opens? yang:counter64
| +--ro connection-closes? yang:counter64
| +--ro connection-aborts? yang:counter64
| +--ro connection-failures? yang:counter64
| +--ro connection-timeouts? yang:counter64
| +--ro messages-sent? yang:counter64
| +--ro messages-received? yang:counter64
| +--ro errors-received? yang:counter64
+--rw options
+--rw timeout? uint16
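The following is an added example in Python; it is not part of this draft and not code from any implementation of it. It builds a NETCONF edit-config payload for the draft-02 ietf-system-tacacsplus tree (the right-hand column on this page) and checks, before serializing, the constraints that module states: name, address and shared-secret are mandatory, source-ip and source-interface are cases of one choice, timeout is 1..300 seconds, port defaults to 49, and the shared secret SHOULD be at least 16 characters. The server-type enumeration values are not shown on this page, so the value "authentication" is an assumed placeholder, and the two server entries are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespaces: NETCONF base, ietf-system (RFC 7317) and the draft-02 module.
NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_SYS = "urn:ietf:params:xml:ns:yang:ietf-system"
NS_TCS = "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"
for prefix, uri in (("nc", NS_NC), ("sys", NS_SYS), ("sys-tcsplus", NS_TCS)):
    ET.register_namespace(prefix, uri)

# Config-true leaves of one draft-02 "server" entry, in tree order. The
# "statistics" container is config false and never appears in edit-config.
SERVER_LEAVES = ("name", "server-type", "address", "port", "shared-secret",
                 "source-ip", "source-interface", "single-connection",
                 "timeout", "vrf-instance")


def validate_server(s):
    """Return the list of constraint violations for one server entry."""
    problems = []
    for key in ("name", "address", "shared-secret"):      # mandatory true
        if not s.get(key):
            problems.append(f"{key} is mandatory")
    if "source-ip" in s and "source-interface" in s:       # choice source-type
        problems.append("source-ip and source-interface are cases of one "
                        "choice and cannot both be set")
    if not 1 <= s.get("timeout", 5) <= 300:                # range "1..300", default 5
        problems.append("timeout must be within 1..300 seconds")
    if not 0 <= s.get("port", 49) <= 65535:                # inet:port-number, default 49
        problems.append("port is not a valid inet:port-number")
    if len(s.get("shared-secret", "")) < 16:               # SHOULD in the leaf description
        problems.append("shared-secret SHOULD be at least 16 characters")
    return problems


def build_edit_config(servers):
    """Serialize /nc:config/sys:system/tacacsplus/server entries as XML."""
    names = [s.get("name") for s in servers]
    if len(set(names)) != len(names):
        raise ValueError("server 'name' is the list key and must be unique")
    for s in servers:
        errs = validate_server(s)
        if errs:
            raise ValueError(f"server {s.get('name')!r}: " + "; ".join(errs))
    config = ET.Element(f"{{{NS_NC}}}config")
    system = ET.SubElement(config, f"{{{NS_SYS}}}system")
    tcs = ET.SubElement(system, f"{{{NS_TCS}}}tacacsplus")
    for s in servers:  # list is ordered-by user: payload order is failover order
        srv = ET.SubElement(tcs, f"{{{NS_TCS}}}server")
        for leaf in SERVER_LEAVES:
            if leaf in s:
                val = s[leaf]
                text = str(val).lower() if isinstance(val, bool) else str(val)
                ET.SubElement(srv, f"{{{NS_TCS}}}{leaf}").text = text
    return ET.tostring(config, encoding="unicode")


def count_servers(xml_text):
    """Parse a payload back and count its server entries (round-trip check)."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{NS_TCS}}}server"))


# Constructed sample data; "authentication" is an assumed server-type value.
CONSTRUCTED_SERVERS = [
    {"name": "tac-primary", "server-type": "authentication",
     "address": "192.0.2.10", "shared-secret": "correct-horse-battery-staple",
     "source-interface": "eth0", "single-connection": True, "timeout": 5,
     "vrf-instance": "mgmt"},
    {"name": "tac-backup", "server-type": "authentication",
     "address": "tacacs2.example.net", "port": 4949,
     "shared-secret": "another-long-shared-secret", "source-ip": "192.0.2.1"},
]

if __name__ == "__main__":
    print(build_edit_config(CONSTRUCTED_SERVERS))
```

Because shared-secret carries nacm:default-deny-all, a NETCONF or RESTCONF user needs an explicit NACM rule to read or write it; a payload produced this way is therefore rejected for users who only hold the default access rights.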
4. AAA Model Augmentation
This document augments the system model with an authorization model
and an accounting model to support the full AAA feature.
For the authentication model, if the NETCONF server advertises the
"tacacs" feature, the device also supports user authentication using
TACACS+. For NETCONF transport protocols that support password
authentication, the leaf-list "user-authentication-order" is used to
control whether TACACS+ password authentication should be used.
For the authorization model and the accounting model, the extended AAA
data model has the following structure:
module: ietf-system-aaa module: ietf-system-tacacsplus
augment /sys:system: augment /sys:system:
+--rw authorization {authorization}? +--rw tacacsplus {tacacsplus}?
| +--rw user-authorization-order* identityref +--rw server* [name]
| +--rw events +--rw name string
| +--rw event* [event-type] +--rw server-type? enumeration
| +--rw event-type identityref +--rw address inet:host
+--rw accouting {accouting}? +--rw port? inet:port-number
+--rw user-accouting-order* identityref +--rw shared-secret string
+--rw events +--rw (source-type)?
+--rw event* [event-type] | +--:(source-ip)
+--rw event-type identityref | | +--rw source-ip? inet:ip-address
+--rw record? enumeration | +--:(source-interface)
| +--rw source-interface? if:interface-ref
4.1. User Authorization Model +--rw single-connection? boolean
+--rw timeout? uint16
Following authentication, a user must gain authorization for doing +--rw vrf-instance?
certain tasks. For instance, the user may try to issue commands. | -> /ni:network-instances/network-instance/name
The authorization process determines whether the user has the +--ro statistics
authority to issue such commands. +--ro connection-opens? yang:counter64
+--ro connection-closes? yang:counter64
This document defines two authorization method identities, +--ro connection-aborts? yang:counter64
"local-users" and "tacacs", for authorizing against locally +--ro connection-failures? yang:counter64
configured users on the device and via TACACS+, respectively; a +--ro connection-timeouts? yang:counter64
device advertises the "authorization" feature to indicate that user +--ro messages-sent? yang:counter64
authorization is configurable at all. +--ro messages-received? yang:counter64
In addition, an authorization event type is defined to indicate a +--ro errors-received? yang:counter64
specific authorization event, and further events can be added by
defining other event identifiers. Currently,
"aaa_authorization_event_command" is used to determine whether the
user is allowed to run commands.
4.2. User Accounting Model
Accounting is used to record the authorization information and
accounting-specific information such as start and stop times and
resource usage information.
This document defines two accounting method identities, "local-users"
and "tacacs", for recording accounting information locally on the
device and via TACACS+, respectively; a device advertises the module's
"accouting" feature to indicate that user accounting is configurable.
Two accounting parameters are defined to indicate the specific
accounting event and the record type:
o "event-type": "aaa_accounting_event_command" is defined to record
commands issued by the user.
o "record": Start records indicate that an accounting service is
about to begin. Stop records indicate that a service has just
terminated.
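The following is an added example in Python that is not part of this draft; it models the behaviour Sections 4.1 and 4.2 describe for the ietf-system-aaa subtrees: walking "user-authorization-order" for a command event, and emitting START/STOP accounting records to the methods in "user-accouting-order" according to the "record" leaf. The TACACS+ server and the local user database are stand-in objects with constructed policies. One point is an assumption of this example and stricter than the draft's wording "if authorization with one method fails, the next method is used": an explicit deny from a reachable method is final, and only an unreachable method lets the next one be consulted, so a permissive local fallback cannot override a TACACS+ deny.

```python
from dataclasses import dataclass, field

PERMIT, DENY, UNREACHABLE = "permit", "deny", "unreachable"
CMD_AUTHZ_EVENT = "aaa_authorization_event_command"   # identity in the module
CMD_ACCT_EVENT = "aaa_accounting_event_command"       # identity in the module


@dataclass
class AaaConfig:
    """Mirrors the /authorization and /accouting subtrees of ietf-system-aaa."""
    user_authorization_order: list   # identityrefs, e.g. ["tacacs", "local-users"]
    authorization_events: set        # event-type identities under /authorization/events
    user_accounting_order: list      # the module spells this leaf-list user-accouting-order
    accounting_events: dict          # event-type -> record ("start_stop" | "stop")


@dataclass
class Backend:
    """Constructed stand-in for one AAA method (a TACACS+ server or local users)."""
    name: str
    reachable: bool = True
    allow: dict = field(default_factory=dict)   # user -> permitted commands; "*" = any
    records: list = field(default_factory=list)

    def authorize(self, user, command):
        if not self.reachable:
            return UNREACHABLE
        allowed = self.allow.get(user)
        if allowed is None:                      # unknown user
            return DENY
        return PERMIT if ("*" in allowed or command in allowed) else DENY


def authorize_command(cfg, backends, user, command):
    """Walk user-authorization-order. Assumption of this example: an explicit
    DENY is final; only UNREACHABLE falls through. No answer at all is DENY."""
    if CMD_AUTHZ_EVENT not in cfg.authorization_events:
        return PERMIT, None                      # command events not subject to authz
    for method in cfg.user_authorization_order:
        verdict = backends[method].authorize(user, command)
        if verdict != UNREACHABLE:
            return verdict, method
    return DENY, None


def send_record(cfg, backends, record):
    """Deliver one accounting record to the first reachable method in order."""
    for method in cfg.user_accounting_order:
        if backends[method].reachable:
            backends[method].records.append(record)
            return method
    return None


def run_command(cfg, backends, user, command, execute):
    """Authorize, then wrap execution in START/STOP records per the 'record' leaf."""
    verdict, method = authorize_command(cfg, backends, user, command)
    if verdict != PERMIT:
        return verdict, method, None
    record_type = cfg.accounting_events.get(CMD_ACCT_EVENT)
    if record_type == "start_stop":
        send_record(cfg, backends, ("START", user, command))
    result = execute(command)
    if record_type in ("start_stop", "stop"):
        send_record(cfg, backends, ("STOP", user, command))
    return verdict, method, result


def demo():
    """Constructed scenario: TACACS+ first, local users second, for both AAA lists."""
    cfg = AaaConfig(["tacacs", "local-users"], {CMD_AUTHZ_EVENT},
                    ["tacacs", "local-users"], {CMD_ACCT_EVENT: "start_stop"})
    backends = {
        "tacacs": Backend("tacacs", allow={"alice": {"show version"}}),
        "local-users": Backend("local-users", allow={"alice": {"*"}}),
    }
    execute = lambda cmd: f"ran {cmd}"
    out = [run_command(cfg, backends, "alice", "show version", execute),
           run_command(cfg, backends, "alice", "reload", execute)]   # denied by TACACS+
    backends["tacacs"].reachable = False                               # server outage
    out.append(run_command(cfg, backends, "alice", "reload", execute))  # local fallback
    return out, backends


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The third call in demo() is the case an operator should think about: once the TACACS+ server is unreachable, both authorization and accounting fall through to the local method, so the local user database and its command policy are the effective security boundary during an outage.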
5. TACACS+ Module 4. TACACS+ Client Module
<CODE BEGINS> file "ietf-aaa-tacacs@2019-03-06.yang" <CODE BEGINS> file "ietf-system-tacacsplus@2019-06-20.yang"
module ietf-aaa-tacacs { module ietf-system-tacacsplus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-aaa-tacacs"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
prefix aaa-tcs; prefix sys-tcsplus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
import ietf-network-instance { import ietf-network-instance {
prefix ni; prefix ni;
reference "draft-ietf-rtgwg-ni-model-12: YANG Model for reference
Network Instances"; "RFC 8529: YANG Data Model for Network Instances";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Data Model for Interface Management";
} }
import ietf-system { import ietf-system {
prefix sys; prefix sys;
reference "RFC 7317: A YANG Data Model for System Management"; reference "RFC 7317: A YANG Data Model for System Management";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF Opsawg (Operations and Management Area Working Group)"; "IETF Opsawg (Operations and Management Area Working Group)";
contact contact
"WG Web: <http://tools.ietf.org/wg/opsawg/> "WG Web: <http://tools.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Guangying Zheng Editor: Guangying Zheng
<mailto:zhengguangying@huawei.com>"; <mailto:zhengguangying@huawei.com>";
skipping to change at page 8, line 15 skipping to change at page 6, line 44
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices."; itself for full legal notices.";
revision 2019-03-06 { revision 2019-06-20 {
description description
"Initial revision."; "Initial revision.";
reference "foo"; reference "foo";
} }
feature tacacs { feature tacacsplus {
description description
"Indicates that the device can be configured as a TACACS+ "Indicates that the device can be configured as a TACACS+
client."; client.";
reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
} }
grouping statistics { grouping statistics {
description description
"Grouping for statistics attributes"; "Grouping for TACACS+ packets statistics attributes";
container statistics { container statistics {
config false; config false;
description description
"A collection of server-related statistics objects"; "A collection of server-related statistics objects";
leaf connection-opens { leaf connection-opens {
type yang:counter64; type yang:counter64;
description description
"Number of new connection requests sent to the server, e.g. "Number of new connection requests sent to the server, e.g.
socket open"; socket open";
} }
skipping to change at page 9, line 34 skipping to change at page 8, line 14
"Number of messages received by the server"; "Number of messages received by the server";
} }
leaf errors-received { leaf errors-received {
type yang:counter64; type yang:counter64;
description description
"Number of error messages received from the server"; "Number of error messages received from the server";
} }
} }
} }
grouping tacacs { grouping tacacsplus {
description description
"Grouping for tacacs attributes"; "Grouping for TACACS+ attributes";
container tacacs { container tacacsplus {
if-feature "tacacs"; if-feature "tacacsplus";
description description
"Container for TACACS+ configurations and operations."; "Container for TACACS+ configurations and operations.";
list server { list server {
key "name"; key "name";
ordered-by user; ordered-by user;
description description
"List of TACACS+ servers used by the device. "List of TACACS+ servers used by the device.
When the TACACS+ client is invoked by a calling When the TACACS+ client is invoked by a calling
application, it sends the query to the first server in application, it sends the query to the first server in
this list. If no response has been received within this list. If no response has been received within
'timeout' seconds, the client continues with the next 'timeout' seconds, the client continues with the next
server in the list. If no response is received from any server in the list. If no response is received from any
server, the client continues with the first server again. server, the client continues with the first server again.
When the client has traversed the list 'attempts' times When the client has traversed the list 'attempts' times
without receiving any response, it gives up and returns an without receiving any response, it gives up and returns an
error to the calling application."; error to the calling application.";
leaf name { leaf name {
type string; type string;
skipping to change at page 10, line 41 skipping to change at page 9, line 21
leaf address { leaf address {
type inet:host; type inet:host;
mandatory true; mandatory true;
description description
"The address of the TACACS+ server."; "The address of the TACACS+ server.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default "49"; default "49";
description description
"The port number of the TACACS+ server."; "The port number of the TACACS+ server.";
} }
leaf shared-secret { leaf shared-secret {
type string; type string;
mandatory true; mandatory true;
nacm:default-deny-all; nacm:default-deny-all;
description description
"The shared secret, which is known to both the "The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server administrators TACACS+ client and server. TACACS+ server administrators
SHOULD configure secret keys of minimum SHOULD configure secret keys of minimum
16 characters length."; 16 characters length.";
reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
} }
leaf source-ip { choice source-type {
type inet:ip-address;
description description
"Source IP address for a TACACS+ server."; "The source address type for outbound TACACS+ packets.";
case source-ip {
leaf source-ip {
type inet:ip-address;
description
"Specifies source IP address for TACACS+ outbound
packets.";
}
}
case source-interface {
leaf source-interface {
type if:interface-ref;
description
"Specifies the interface from which the IP address is
derived for use as the source for the outbound TACACS+
packet";
}
}
} }
leaf single-connection { leaf single-connection {
type boolean; type boolean;
default "false"; default "false";
description description
"Whether the single connection mode is enabled for the "Whether the single connection mode is enabled for the
server. By default, the single connection mode is server. By default, the single connection mode is
disabled."; disabled.";
}
leaf network-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"The network instance (VRF) through which the TACACS+ server
is reached.";
}
uses statistics;
}
container options {
description
"TACACS+ client options.";
leaf timeout { leaf timeout {
type uint16 { type uint16 {
range "1..300"; range "1..300";
} }
units "seconds"; units "seconds";
default "5"; default "5";
description description
"The number of seconds the device will wait for a "The number of seconds the device will wait for a
response from each TACACS+ server before trying with a response from each TACACS+ server before trying with a
different server."; different server.";
} }
leaf vrf-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"Specifies the VPN Routing and Forwarding (VRF) instance to
use to communicate with the TACACS+ server.";
}
uses statistics;
} }
} }
} }
augment "/sys:system" { augment "/sys:system" {
description description
"Augment the system model with the tacacs model."; "Augment the system model with the tacacsplus model.";
uses tacacs; uses tacacsplus;
}
}
<CODE ENDS>
6. AAA Module
<CODE BEGINS> file "ietf-system-aaa@2019-03-06.yang"
module ietf-system-aaa {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-aaa";
prefix sys-aaa;
import ietf-system {
prefix sys;
reference "RFC 7317: A YANG Data Model for System Management";
}
import ietf-netconf-acm {
prefix nacm;
}
organization
"IETF Opsawg (Operations and Management Area Working Group)";
contact
"WG Web: <http://tools.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org>
Editor: Guangying Zheng
<mailto:zhengguangying@huawei.com>";
description
"This module provides configuration of system AAA.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision 2019-03-06 {
description
"Initial revision.";
reference "foo";
}
feature authorization {
description
"Indicates that the device supports configuration of
user authorization.";
}
feature accouting {
description
"Indicates that the device supports configuration of
user accounting.";
}
identity authorization-method {
description
"Base identity for user authorization methods.";
}
identity accouting-method {
description
"Base identity for user accounting methods.";
}
identity tacacs {
base sys:authentication-method;
base authorization-method;
base accouting-method;
description
"Indicates AAA operation using TACACS+.";
reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
}
identity local-users {
base sys:authentication-method;
base authorization-method;
base accouting-method;
description
"Indicates AAA operation using locally configured users.";
}
identity aaa_accounting_event_type {
description
"Base identity for specifying events types that should be
sent to AAA server for accounting";
}
identity aaa_accounting_event_command {
base aaa_accounting_event_type;
description
"Specifies interactive command events for AAA accounting";
}
identity aaa_authorization_event_type {
description
"Base identity for specifying activities that should be
sent to AAA server for authorization";
}
identity aaa_authorization_event_command {
base aaa_authorization_event_type;
description
"Specifies interactive command events for AAA authorization";
}
augment "/sys:system" {
description
"Augment the system model with authorization and accounting
attributes.";
container authorization {
nacm:default-deny-write;
if-feature "authorization";
description
"The authorization configuration subtree.";
leaf-list user-authorization-order {
type identityref {
base authorization-method;
}
ordered-by user;
description
"When the device authorizes a user, it tries the authorization
methods in this leaf-list in order. If authorization with
one method fails, the next method is used. If no method
succeeds, the user is denied access.
If the 'tacacs' feature of the ietf-aaa-tacacs module is
advertised by the NETCONF server, the 'tacacs' identity can
be added to this list.
If the 'local-users' feature of ietf-system is advertised by
the NETCONF server, the 'local-users' identity can be added
to this list.";
}
container events {
description
"The container holds a set of authorization events";
list event {
key "event-type";
description
"List of events of AAA authorization";
leaf event-type {
type identityref {
base aaa_authorization_event_type;
}
description
"The type of event to record at the AAA authorization
server";
}
}
}
}
container accouting {
nacm:default-deny-write;
if-feature "accouting";
description
"The accounting configuration subtree.";
leaf-list user-accouting-order {
type identityref {
base accouting-method;
}
ordered-by user;
description
"When the device records accounting information for a user,
it uses the accounting methods in this leaf-list in order.
An accounting method may be TACACS+ servers or the local
device.";
}
container events {
description
"The container holds a set of accounting events";
list event {
key "event-type";
description
"List of events of accounting";
leaf event-type {
type identityref {
base aaa_accounting_event_type;
}
description
"The type of activity to record at the AAA accounting
server";
}
leaf record {
type enumeration {
enum start_stop {
description
"Send START record to the accounting server at the
beginning of the activity, and STOP record at the
end of the activity.";
}
enum stop {
description
"Send STOP record to the accounting server when the
user activity completes";
}
}
description
"Type of record to send to the accounting server for this
activity type";
}
}
}
}
} }
} }
<CODE ENDS> <CODE ENDS>
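The following is an added example in Python, not part of this draft and not from any implementation of it. It simulates the server-list traversal that the "server" list description above specifies (first server, then the next one after 'timeout' seconds without a response, wrapping around the ordered list) and updates the per-server counters of the "statistics" container as it goes, so the relationship between single-connection mode and the connection-opens/closes counters is visible. The description refers to an 'attempts' value, but neither module version defines such a leaf, so it is a plain parameter here (an assumption of this example). The three servers and their behaviours are constructed sample data; no network traffic is generated.

```python
from dataclasses import dataclass, field


@dataclass
class Stats:
    """The config-false 'statistics' counters from the module, per server."""
    connection_opens: int = 0
    connection_closes: int = 0
    connection_aborts: int = 0
    connection_failures: int = 0
    connection_timeouts: int = 0
    messages_sent: int = 0
    messages_received: int = 0
    errors_received: int = 0


@dataclass
class Server:
    """One 'server' list entry plus a constructed behaviour for the simulation."""
    name: str
    timeout: int = 5                 # seconds; module range 1..300, default 5
    single_connection: bool = False  # reuse one TCP connection across queries
    behaviour: str = "reply"         # constructed: "reply" | "refuse" | "silent" | "error"
    latency: int = 1                 # constructed: seconds until this server answers
    stats: Stats = field(default_factory=Stats)
    _open: bool = field(default=False, repr=False)

    def close(self, aborted=False):
        if self._open:
            self._open = False
            if aborted:
                self.stats.connection_aborts += 1
            else:
                self.stats.connection_closes += 1

    def query(self, msg):
        """Send one message; return the reply tuple, or None if no answer."""
        if not self._open:
            self.stats.connection_opens += 1           # e.g. socket open
            if self.behaviour == "refuse":
                self.stats.connection_failures += 1    # connect refused
                return None
            self._open = True
        self.stats.messages_sent += 1
        if self.behaviour == "silent" or self.latency > self.timeout:
            self.stats.connection_timeouts += 1        # no answer within 'timeout'
            self.close(aborted=True)
            return None
        self.stats.messages_received += 1
        if self.behaviour == "error":
            self.stats.errors_received += 1
            reply = ("ERROR", msg)
        else:
            reply = ("PASS", msg)
        if not self.single_connection:               # one connection per query
            self.close()
        return reply


def send_query(servers, msg, attempts=1):
    """Traverse the ordered list; give up after 'attempts' full passes
    ('attempts' is an assumption: the description names it, the module
    defines no such leaf)."""
    for _ in range(attempts):
        for srv in servers:
            reply = srv.query(msg)
            if reply is not None:
                return srv.name, reply
    return None, None


def demo_servers():
    """Constructed list: a silent primary, a secondary that refuses
    connections, and a healthy tertiary in single-connection mode."""
    return [Server("tac-a", timeout=2, behaviour="silent"),
            Server("tac-b", behaviour="refuse"),
            Server("tac-c", single_connection=True)]


if __name__ == "__main__":
    servers = demo_servers()
    for user in ("alice", "bob"):
        print(send_query(servers, f"authen {user}"))
    for srv in servers:
        print(srv.name, srv.stats)
```

On a real device the silent primary costs every login a full 'timeout' before the next server is tried, and the counters make that visible: tac-a accumulates connection-timeouts and connection-aborts while tac-c, in single-connection mode, opens one connection and keeps it, so its connection-opens stays at one across queries.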
7. Security Considerations 5. Security Considerations
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS [RFC8446]. mandatory-to-implement secure transport is TLS [RFC8446].
The NETCONF access control model [RFC6536] provides the means to The NETCONF access control model [RFC8341] provides the means to
restrict access for particular NETCONF or RESTCONF users to a restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. effect on network operations.
This document describes the use of TACACS+ for purposes of This document describes the use of TACACS+ for purposes of
authentication, authorization and accouting, it is vulnerable to all authentication, authorization and accounting, it is vulnerable to all
of the threats that are present in TACACS+ applications. For a of the threats that are present in TACACS+ applications. For a
discussion of such threats, see Section 9 of the TACACS+ Protocol discussion of such threats, see Section 9 of the TACACS+ Protocol
[I-D.ietf-opsawg-tacacs]. [I-D.ietf-opsawg-tacacs].
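Review bot: the second paragraph says the writable nodes "may be considered sensitive" but never says which ones; the YANG security-considerations template (RFC 8407, Section 3.7) expects the specific subtrees to be named together with the harm a write causes, and for a TACACS+ client module that is at least the server list (a write redirects authentication and authorization to a server the attacker controls) and, if the module carries one, the shared-secret node, which must also appear under readable nodes since reading it discloses the key. The last paragraph is a run-on in both columns: split it into "This document describes the use of TACACS+ for purposes of authentication, authorization and accounting. It is therefore vulnerable to all of the threats that are present in TACACS+ applications." Note also that the right column relies on the TACACS+ draft here for the threat discussion while demoting it to an Informative reference below.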
8. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. This document registers a URI in the IETF XML registry [RFC3688].
Following the format in [RFC3688], the following registration is Following the format in [RFC3688], the following registration is
requested to be made: requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-tacacs URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [RFC7950]. registry [RFC7950].
Name: ietf-tacacs Name: ietf-system-tacacsplus
Namespace: urn:ietf:params:xml:ns:yang: ietf-tacacs Namespace: urn:ietf:params:xml:ns:yang: ietf-tacacsplus
Prefix: tcs Prefix: sys-tcsplus
Reference: RFC XXXX Reference: RFC XXXX
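Review bot: the module registration in the right column is internally inconsistent: the XML registry entry gives URI urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus and the YANG Module Names entry gives Name ietf-system-tacacsplus, but its Namespace line reads "urn:ietf:params:xml:ns:yang: ietf-tacacsplus", with a stray space after the colon and a different module name. The two registrations must carry the identical namespace, so the Namespace line should be urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus. The left column has the same stray space ("yang: ietf-tacacs"). Also confirm that the Prefix value (sys-tcsplus) matches the prefix statement in the module body.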
9. Normative References 7. Acknowledgments
[I-D.ietf-opsawg-tacacs] The authors wish to thank Alex Campbell and Ebben Aries, Alan DeKok,
Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and Joe Clarke, many others for their helpful comments.
L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
tacacs-12 (work in progress), December 2018.
[RFC1492] Finseth, C., "An Access Control Protocol, Sometimes Called 8. References
TACACS", RFC 1492, DOI 10.17487/RFC1492, July 1993,
<https://www.rfc-editor.org/info/rfc1492>. 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC6021] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6021, DOI 10.17487/RFC6021, October 2010,
<https://www.rfc-editor.org/info/rfc6021>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
Protocol (NETCONF) Access Control Model", RFC 6536, RFC 6991, DOI 10.17487/RFC6991, July 2013,
DOI 10.17487/RFC6536, March 2012, <https://www.rfc-editor.org/info/rfc6991>.
<https://www.rfc-editor.org/info/rfc6536>.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for
System Management", RFC 7317, DOI 10.17487/RFC7317, August System Management", RFC 7317, DOI 10.17487/RFC7317, August
2014, <https://www.rfc-editor.org/info/rfc7317>. 2014, <https://www.rfc-editor.org/info/rfc7317>.
[RFC792] Postel, J., "Internet Control Message Protocol", RFC 792,
September 1981.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
8.2. Informative References
[I-D.ietf-opsawg-tacacs]
Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
tacacs-13 (work in progress), March 2019.
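Review bot: the left column lists RFC 792 (ICMP) and RFC 1492 (the original TACACS) as normative although neither is needed to implement the module, and cites RFC 6021 and RFC 6536, which are obsoleted by RFC 6991 and RFC 8341; the right column corrects all four. One thing to reconsider in the right column: the TACACS+ protocol draft is moved to Informative, yet the module's semantics (what a TACACS+ server is, what the configured methods mean) and the Security Considerations' threat discussion both depend on it, so it arguably belongs under Normative References even though that holds publication until the protocol draft is published.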
Authors' Addresses Authors' Addresses
Guangying Zheng Guangying Zheng
Huawei Huawei
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: zhengguangying@huawei.com Email: zhengguangying@huawei.com
 End of changes. 53 change blocks. 
427 lines changed or deleted 162 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/