rfcdiff: draft-ietf-opsawg-tacacs-yang-00.txt (July 22, 2019; expires
January 23, 2020) versus draft-ietf-opsawg-tacacs-yang-01.txt
(November 3, 2019; expires May 6, 2020).  The text below is the -01
version; the changes from -00 that the diff records are:

   o  Abstract and Introduction: "a YANG modules that augment the System
      data model" becomes "YANG modules that augment the System
      Management data model".

   o  Section 3 is retitled from "TACACS+ Client Model" to "Design of
      the Data Model"; the source address of outgoing packets may now
      also be derived from the outbound interface in the local FIB, and
      "private network" becomes "Virtual Private Network (VPN)".

   o  Tree diagram and module: "vrf-instance" now precedes
      "single-connection" and "timeout"; a read-only "sessions" counter
      is added to "statistics"; a "tacacsplus" identity based on
      "sys:authentication-method" is added; "server-type" gains the
      enum "all"; the "server" list description no longer describes the
      first-server/next-server retry loop driven by 'timeout' and
      'attempts'; the module revision moves from 2019-06-20 to
      2019-11-01 and the copyright year in the module from 2018 to
      2019.

   o  References: [I-D.ietf-opsawg-tacacs] moves from Informative (-13,
      March 2019) to Normative (-15, September 2019); [RFC3688] moves
      from Normative to Informative.

   o  Appendix A, "TACACS+ Authentication Configuration", is new.

   o  Acknowledgments: John Heasley is added.

Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: May 6, 2020                                              Huawei
                                                        November 3, 2019

                      Yang data model for TACACS+
                   draft-ietf-opsawg-tacacs-yang-01
Abstract

   This document defines YANG modules that augment the System Management
   data model defined in RFC 7317 with a TACACS+ client model.  The data
   model of the Terminal Access Controller Access Control System Plus
   (TACACS+) client allows the configuration of TACACS+ servers for
   centralized Authentication, Authorization and Accounting.

   The YANG modules in this document conform to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   [... unchanged text omitted by rfcdiff ...]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 6, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [... unchanged text omitted by rfcdiff ...]

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction .................................................. 2
   2.  Conventions used in this document ............................. 3
     2.1.  Tree Diagrams ............................................. 3
   3.  Design of the Data Model ...................................... 3
   4.  TACACS+ Client Module ......................................... 5
   5.  Security Considerations ...................................... 11
   6.  IANA Considerations .......................................... 11
   7.  Acknowledgments .............................................. 12
   8.  References ................................................... 12
     8.1.  Normative References ..................................... 12
     8.2.  Informative References ................................... 13
   Appendix A.  TACACS+ Authentication Configuration ................ 13
   Authors' Addresses ............................................... 14
1.  Introduction

   This document defines YANG modules that augment the System Management
   data model defined in [RFC7317] with a TACACS+ client model.

   TACACS+ provides device administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: defines a list of RADIUS servers that a
      device uses.

   Since TACACS+ is also used for device management and the feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].
2.  Conventions used in this document

   [... unchanged text omitted by rfcdiff ...]

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].
3.  Design of the Data Model

   This model is used to configure a TACACS+ client on the device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at the command levels assigned to the
   user, and accounting keeps track of the activity of a user who has
   accessed the device.

   The ietf-system-tacacsplus module augments the "/sys:system" path
   defined in the ietf-system module with the "tacacsplus" grouping.  A
   device can therefore use local users, Remote Authentication Dial In
   User Service (RADIUS), or Terminal Access Controller Access Control
   System Plus (TACACS+) to validate users who attempt to access the
   router through any of several mechanisms, e.g. a command line
   interface or a web-based user interface.

   The "server" list sits directly under the "tacacsplus" container.  It
   holds the TACACS+ servers the device uses, and "server-type" records
   which of the three AAA functions (authentication, authorization,
   accounting) a server provides, or "all" of them.  The list is
   "ordered-by user" and exists for redundancy.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs]; some are derived from
   the various implementations by network equipment manufacturers.  For
   example, when the client has multiple interfaces toward the TACACS+
   server, the source address of outgoing TACACS+ packets can be given
   explicitly, taken from a named interface, or derived from the
   outbound interface found in the local FIB.  For a TACACS+ server
   located in a Virtual Private Network (VPN), a VRF instance needs to
   be specified.

   The "statistics" container under the "server" list records session
   statistics and usage information gathered during user access,
   including the amount of data a user has sent and/or received during
   a session.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                    string
             +--rw server-type?            enumeration
             +--rw address                 inet:host
             +--rw port?                   inet:port-number
             +--rw shared-secret           string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?        inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface? if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?      boolean
             +--rw timeout?                uint16
             +--ro statistics
                +--ro connection-opens?    yang:counter64
                +--ro connection-closes?   yang:counter64
                +--ro connection-aborts?   yang:counter64
                +--ro connection-failures? yang:counter64
                +--ro connection-timeouts? yang:counter64
                +--ro messages-sent?       yang:counter64
                +--ro messages-received?   yang:counter64
                +--ro errors-received?     yang:counter64
                +--ro sessions?            yang:counter64
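   The constraints that the module places on a "server" entry (key and
   mandatory leaves, defaults, the inet:port-number and "timeout"
   ranges, the one-case "source-type" choice, the 16-character minimum
   asked for in the "shared-secret" description, and the
   nacm:default-deny-all on that secret) can be checked on a JSON
   instance document without a full YANG toolchain.  The following
   Python is an added example, not code from the draft: it validates an
   RFC 7951-style instance of the "tacacsplus" container, applies the
   module's defaults, and shows a weak entry beside a corrected one.
   The instance documents are constructed for illustration, and the
   function names (normalize_server, validate, nacm_view) are this
   example's own.  Leafref targets (vrf-instance, source-interface) are
   not resolved here because that needs the interface and
   network-instance data.

```python
"""Validate a JSON (RFC 7951) instance of the ietf-system-tacacsplus
"server" list against the constraints written into the module.
Added example; the instance documents below are constructed."""
import ipaddress
import json

TOP = "ietf-system:system"                    # RFC 7951: names are module-
CONT = "ietf-system-tacacsplus:tacacsplus"    # qualified at module boundaries
SERVER_TYPES = {"authentication", "authorization", "accounting", "all"}
DEFAULTS = {"port": 49, "single-connection": False, "timeout": 5}
TIMEOUT_RANGE = (1, 300)                      # leaf timeout: range "1..300"
MIN_SECRET_LEN = 16                           # shared-secret description


def normalize_server(entry):
    """Return (entry with YANG defaults applied, list of violated constraints)."""
    s = dict(entry)
    problems = []
    name = s.get("name", "<no name>")
    if "name" not in s:
        problems.append("key leaf 'name' missing")
    for leaf in ("address", "shared-secret"):            # mandatory true
        if leaf not in s:
            problems.append(f"{name}: mandatory leaf '{leaf}' missing")
    if "server-type" in s and s["server-type"] not in SERVER_TYPES:
        problems.append(f"{name}: unknown server-type {s['server-type']!r}")
    for leaf, val in DEFAULTS.items():                    # apply defaults
        s.setdefault(leaf, val)
    if not 0 <= s["port"] <= 65535:                       # inet:port-number
        problems.append(f"{name}: port outside 0..65535")
    if not TIMEOUT_RANGE[0] <= s["timeout"] <= TIMEOUT_RANGE[1]:
        problems.append(f"{name}: timeout outside 1..300")
    if "shared-secret" in s and len(s["shared-secret"]) < MIN_SECRET_LEN:
        problems.append(f"{name}: shared-secret shorter than "
                        f"{MIN_SECRET_LEN} characters")
    cases = [c for c in ("source-ip", "source-interface") if c in s]
    if len(cases) > 1:                                    # choice: one case only
        problems.append(f"{name}: both cases of choice 'source-type' present")
    if "source-ip" in s:                                  # inet:ip-address may
        try:                                              # carry a %zone suffix
            ipaddress.ip_address(s["source-ip"].split("%", 1)[0])
        except ValueError:
            problems.append(f"{name}: source-ip is not an IP address")
    return s, problems


def validate(doc):
    """Validate a whole instance document.  Returns (servers, problems);
    the server list keeps its ordered-by-user order."""
    servers = doc.get(TOP, {}).get(CONT, {}).get("server", [])
    names = [e.get("name") for e in servers]
    problems = ["duplicate server name"] if len(set(names)) != len(names) else []
    out = []
    for entry in servers:
        s, p = normalize_server(entry)
        out.append(s)
        problems += p
    return out, problems


def nacm_view(servers, secret_permitted=False):
    """Model nacm:default-deny-all on shared-secret: unless an explicit
    NACM rule grants access (RFC 8341), a reader does not see the leaf."""
    return [{k: v for k, v in s.items() if k != "shared-secret" or secret_permitted}
            for s in servers]


# Constructed: a 6-character secret and both source-type cases at once.
WEAK_DOC = json.loads("""{
  "ietf-system:system": {"ietf-system-tacacsplus:tacacsplus": {"server": [
    {"name": "aaa1", "server-type": "all", "address": "192.0.2.10",
     "shared-secret": "s3cret",
     "source-ip": "192.0.2.1", "source-interface": "eth0"}]}}}""")

# Constructed: the same entry corrected, plus an accounting-only server;
# port, single-connection and (for aaa1) timeout are left to defaults.
GOOD_DOC = json.loads("""{
  "ietf-system:system": {"ietf-system-tacacsplus:tacacsplus": {"server": [
    {"name": "aaa1", "server-type": "all", "address": "192.0.2.10",
     "shared-secret": "9f2c7b1e4a6d8c0b3e5f7a9c1d2e4b6f",
     "source-interface": "eth0", "vrf-instance": "mgmt"},
    {"name": "acct1", "server-type": "accounting", "address": "aaa2.example.net",
     "shared-secret": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "timeout": 10}]}}}""")

if __name__ == "__main__":
    for doc in (WEAK_DOC, GOOD_DOC):
        servers, problems = validate(doc)
        print(problems or "ok", nacm_view(servers))
```

   Run as a script it reports the two violations in the weak entry and
   prints the corrected entries with the secret withheld, which is what
   a NETCONF <get> by a user without an explicit NACM rule for that leaf
   would return.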
4.  TACACS+ Client Module

   <CODE BEGINS> file "ietf-system-tacacsplus@2019-11-01.yang"
   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:   <http://tools.ietf.org/wg/opsawg/>
        WG List:  <mailto:opsawg@ietf.org>

        Editor:   Guangying Zheng
                  <mailto:zhengguangying@huawei.com>";
     description
       "This module provides configuration of a TACACS+ client.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     revision 2019-11-01 {
       description
         "Initial revision.";
       reference "foo";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server,
              e.g. socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server,
              e.g. socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Total number of sessions.  A single TACACS+ connection
              may carry more than one session when single-connection
              mode is enabled.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes";
       container tacacsplus {
         if-feature "tacacsplus";
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type enumeration {
               enum authentication {
                 description
                   "The server is an authentication server.";
               }
               enum authorization {
                 description
                   "The server is an authorization server.";
               }
               enum accounting {
                 description
                   "The server is an accounting server.";
               }
               enum all {
                 description
                   "The server provides all types of TACACS+ service.";
               }
             }
             description
               "Server type: authentication/authorization/accounting/all.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string;
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  Administrators should
                configure shared secrets of at least 16 characters.";
             reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for outbound
                    TACACS+ packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address
                    is derived for use as the source of outbound
                    TACACS+ packets.";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance
                to use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether single connection mode is enabled for the
                server.  By default, single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model
          (TACACS+ authentication, authorization and accounting
          attributes).";
       uses tacacsplus;
     }
   }
   <CODE ENDS>
5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the

   [... unchanged text omitted by rfcdiff ...]
6.  IANA Considerations

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name:       ietf-system-tacacsplus
      Namespace:  urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix:     sys-tcsplus
      Reference:  RFC XXXX

   (The namespace is the one declared by the module's "namespace"
   statement in Section 4; the registration must match it exactly.)
7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, and many others for their helpful comments
   and suggestions.
8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., Medway Gash, D., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-15 (work in progress), September 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",

   [... unchanged entries omitted by rfcdiff ...]

              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
              <https://www.rfc-editor.org/info/rfc8342>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.
Appendix A.  TACACS+ Authentication Configuration

   The System Management model [RFC7317] defines two authentication
   options, "local-users" and "radius", and selects among the
   configured methods through the "user-authentication-order"
   leaf-list.

   This draft defines the "tacacsplus" identity, derived from the same
   "authentication-method" base, so that TACACS+ authentication is
   enabled in the same way: listing "tacacsplus" in
   "user-authentication-order" controls whether TACACS+ authentication
   is used and where it stands relative to the other methods.  The
   relevant part of the system authentication model is:

      +--rw system
         +--rw authentication
            +--rw user-authentication-order*   identityref
            ...
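   What a device does with that leaf-list at login time, once the
   "tacacsplus" identity can appear in it, is shown by the following
   Python.  It is an added example and not code from the draft: it
   walks "user-authentication-order" in configured order, filters the
   "server" list to entries whose "server-type" is "authentication" or
   "all", tries them in their ordered-by-user order, and falls back to
   the local user list only when no TACACS+ server answered.  The
   configuration and the replies are constructed; the transport is a
   stub that stands in for the real TACACS+ exchange; and the policy
   that an explicit reject from a server ends the attempt rather than
   falling through to the next method is this example's own choice, a
   common hardening rule that the draft does not state.  The wrap-around
   retry loop that the -00 list description mentioned ('attempts') is
   not modelled.

```python
"""Resolve RFC 7317 "user-authentication-order" for one login when the
list names the "tacacsplus" identity added by this draft.
Added example; configuration, replies and the fall-through policy are
this example's own, not the draft's."""
import hmac

SYSTEM = "ietf-system:system"
TACACS_CONTAINER = "ietf-system-tacacsplus:tacacsplus"
# RFC 7951 encodes identityref values as "<module-name>:<identity>".
METHOD_TACACS = "ietf-system-tacacsplus:tacacsplus"   # identity from this draft
METHOD_LOCAL = "ietf-system:local-users"              # identity from RFC 7317


def authentication_servers(servers):
    """Servers usable for authentication.  The list is ordered-by user,
    so the configured order is the order in which they are tried."""
    return [s for s in servers if s.get("server-type") in ("authentication", "all")]


def try_tacacs(servers, user, password, transport):
    """Ask each authentication server in turn.  transport() returns
    "PASS", "FAIL", or None when nothing arrived within the server's
    'timeout' seconds; the first definite answer ends the walk."""
    trace = []
    for s in authentication_servers(servers):
        reply = transport(s, user, password)
        trace.append((s["name"], reply or "timeout"))
        if reply in ("PASS", "FAIL"):
            return reply, trace
    return None, trace


def check_local_user(users, user, password):
    """RFC 7317 stores passwords as iana-crypt-hash strings.  Only the
    "$0$" cleartext form is handled here; other hash forms are treated
    as not verifiable by this example."""
    for u in users:
        if u.get("name") == user:
            stored = u.get("password", "")
            if stored.startswith("$0$"):
                return hmac.compare_digest(stored[3:].encode(), password.encode())
            return False
    return False


def authenticate(doc, user, password, transport):
    """Return {"ok": bool, "method": identity or None, "trace": [...]}."""
    system = doc[SYSTEM]
    auth = system.get("authentication", {})
    order = auth.get("user-authentication-order", [])
    users = auth.get("user", [])
    servers = system.get(TACACS_CONTAINER, {}).get("server", [])
    trace = []
    for method in order:
        if method == METHOD_TACACS:
            verdict, t = try_tacacs(servers, user, password, transport)
            trace += t
            if verdict == "PASS":
                return {"ok": True, "method": method, "trace": trace}
            if verdict == "FAIL":
                # An explicit reject is an answer, not an outage: stop here
                # so a refused user cannot reach a weaker local account
                # (this example's policy).
                return {"ok": False, "method": method, "trace": trace}
            # verdict None: no server reachable, fall through to next method
        elif method == METHOD_LOCAL:
            ok = check_local_user(users, user, password)
            return {"ok": ok, "method": method, "trace": trace}
        # other identities (e.g. ietf-system:radius) are not modelled here
    return {"ok": False, "method": None, "trace": trace}


def stub_transport(replies):
    """Transport whose answer per server name is fixed in advance; a
    server not in the map never replies (timeout)."""
    def transport(server, user, password):
        return replies.get(server["name"])
    return transport


# Constructed configuration: TACACS+ first, a break-glass local account
# second, and one accounting-only server that must be skipped.
CONFIG = {SYSTEM: {
    "authentication": {
        "user-authentication-order": [METHOD_TACACS, METHOD_LOCAL],
        "user": [{"name": "admin", "password": "$0$break-glass-only"}]},
    TACACS_CONTAINER: {"server": [
        {"name": "aaa1", "server-type": "all", "address": "192.0.2.10",
         "shared-secret": "9f2c7b1e4a6d8c0b3e5f7a9c1d2e4b6f", "timeout": 5},
        {"name": "acct1", "server-type": "accounting", "address": "192.0.2.11",
         "shared-secret": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "timeout": 5},
        {"name": "aaa2", "server-type": "authentication", "address": "192.0.2.12",
         "shared-secret": "5e6f708192a3b4c5d6e7f8091a2b3c4d", "timeout": 5}]}}}

if __name__ == "__main__":
    for replies in ({"aaa2": "PASS"}, {"aaa1": "FAIL"}, {}):
        print(authenticate(CONFIG, "admin", "break-glass-only",
                           stub_transport(replies)))
```

   The three runs in the script show the cases that matter
   operationally: aaa1 silent and aaa2 accepting; aaa1 rejecting, after
   which the correct local password is never consulted; and both
   servers silent, which is the only path to the local account.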
Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: zhengguangying@huawei.com

   [... remaining author addresses omitted by rfcdiff ...]

End of changes.  37 change blocks.  285 lines changed or deleted,
310 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/