| draft-ietf-opsawg-tacacs-yang-01.txt | draft-ietf-opsawg-tacacs-yang-02.txt | |||
|---|---|---|---|---|
| Network Working Group G. Zheng | Network Working Group G. Zheng | |||
| Internet-Draft M. Wang | Internet-Draft M. Wang | |||
| Intended status: Standards Track B. Wu | Intended status: Standards Track B. Wu | |||
| Expires: May 6, 2020 Huawei | Expires: September 9, 2020 Huawei | |||
| November 3, 2019 | March 8, 2020 | |||
| Yang data model for TACACS+ | Yang data model for TACACS+ | |||
| draft-ietf-opsawg-tacacs-yang-01 | draft-ietf-opsawg-tacacs-yang-02 | |||
| Abstract | Abstract | |||
| This document defines YANG modules that augment the System Management | This document defines YANG modules that augment the System Management | |||
| data model defined in the RFC 7317 with TACACS+ client model. The | data model defined in the RFC 7317 with TACACS+ client model. The | |||
| data model of Terminal Access Controller Access Control System Plus | data model of Terminal Access Controller Access Control System Plus | |||
| (TACACS+) client allows the configuration of TACACS+ servers for | (TACACS+) client allows the configuration of TACACS+ servers for | |||
| centralized Authentication, Authorization and Accounting. | centralized Authentication, Authorization and Accounting. | |||
| The YANG modules in this document conforms to the Network Management | The YANG modules in this document conforms to the Network Management | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 6, 2020. | This Internet-Draft will expire on September 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Conventions used in this document . . . . . . . . . . . . . . 3 | 2. Conventions used in this document . . . . . . . . . . . . . . 3 | |||
| 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 | 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 | |||
| 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 | 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 | 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 13 | 8.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
| Appendix A. TACACS+ Authentication Configuration . . . . . . . . 13 | Appendix A. TACACS+ Authentication Configuration . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines YANG modules that augment the System Management | This document defines YANG modules that augment the System Management | |||
| data model defined in the [RFC7317] with TACACS+ client model. | data model defined in the [RFC7317] with TACACS+ client model. | |||
| TACACS+ provides Device Administration for routers, network access | TACACS+ provides Device Administration for routers, network access | |||
| servers and other networked computing devices via one or more | servers and other networked computing devices via one or more | |||
| centralized servers which is defined in the TACACS+ Protocol. | centralized servers which is defined in the TACACS+ Protocol. | |||
| skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 36 ¶ | |||
| +--ro connection-aborts? yang:counter64 | +--ro connection-aborts? yang:counter64 | |||
| +--ro connection-failures? yang:counter64 | +--ro connection-failures? yang:counter64 | |||
| +--ro connection-timeouts? yang:counter64 | +--ro connection-timeouts? yang:counter64 | |||
| +--ro messages-sent? yang:counter64 | +--ro messages-sent? yang:counter64 | |||
| +--ro messages-received? yang:counter64 | +--ro messages-received? yang:counter64 | |||
| +--ro errors-received? yang:counter64 | +--ro errors-received? yang:counter64 | |||
| +--ro sessions? yang:counter64 | +--ro sessions? yang:counter64 | |||
| 4. TACACS+ Client Module | 4. TACACS+ Client Module | |||
| <CODE BEGINS> file "ietf-system-tacacsplus@2019-11-01.yang" | <CODE BEGINS> file "ietf-system-tacacsplus@2020-03-05.yang" | |||
| module ietf-system-tacacsplus { | module ietf-system-tacacsplus { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; | namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; | |||
| prefix sys-tcsplus; | prefix sys-tcsplus; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference "RFC 6991: Common YANG Data Types"; | reference | |||
| "RFC 6991: Common YANG Data Types"; | ||||
| } | } | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| reference "RFC 6991: Common YANG Data Types"; | reference | |||
| "RFC 6991: Common YANG Data Types"; | ||||
| } | } | |||
| import ietf-network-instance { | import ietf-network-instance { | |||
| prefix ni; | prefix ni; | |||
| reference "RFC 8529: YANG Data Model for Network Instances"; | reference | |||
| "RFC 8529: YANG Data Model for Network Instances"; | ||||
| } | } | |||
| import ietf-interfaces { | import ietf-interfaces { | |||
| prefix if; | prefix if; | |||
| reference "RFC 8343: A YANG Data Model for Interface Management"; | reference | |||
| "RFC 8343: A YANG Data Model for Interface Management"; | ||||
| } | } | |||
| import ietf-system { | import ietf-system { | |||
| prefix sys; | prefix sys; | |||
| reference "RFC 7317: A YANG Data Model for System Management"; | reference | |||
| "RFC 7317: A YANG Data Model for System Management"; | ||||
| } | } | |||
| import ietf-netconf-acm { | import ietf-netconf-acm { | |||
| prefix nacm; | prefix nacm; | |||
| reference "RFC 8341: Network Configuration Access Control Model"; | reference | |||
| "RFC 8341: Network Configuration Access Control Model"; | ||||
| } | } | |||
| organization | organization | |||
| "IETF Opsawg (Operations and Management Area Working Group)"; | "IETF Opsawg (Operations and Management Area Working Group)"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/opsawg/> | "WG Web: <http://tools.ietf.org/wg/opsawg/> | |||
| WG List: <mailto:opsawg@ietf.org> | WG List: <mailto:opsawg@ietf.org> | |||
| Editor: Guangying Zheng | Editor: Guangying Zheng | |||
| <mailto:zhengguangying@huawei.com>"; | <mailto:zhengguangying@huawei.com>"; | |||
| skipping to change at page 6, line 43 ¶ | skipping to change at page 6, line 49 ¶ | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see the | This version of this YANG module is part of RFC XXXX; see the | |||
| RFC itself for full legal notices."; | RFC itself for full legal notices."; | |||
| revision 2019-11-01 { | revision 2020-03-05 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference "foo"; | ||||
| reference | ||||
| "foo"; | ||||
| } | } | |||
| feature tacacsplus { | feature tacacsplus { | |||
| description | description | |||
| "Indicates that the device can be configured as a TACACS+ | "Indicates that the device can be configured as a TACACS+ | |||
| client."; | client."; | |||
| reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | reference | |||
| "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | ||||
| } | } | |||
| identity tacacsplus { | identity tacacsplus { | |||
| base sys:authentication-method; | base sys:authentication-method; | |||
| description | description | |||
| "Indicates AAA operation using TACACS+."; | "Indicates AAA operation using TACACS+."; | |||
| reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | reference | |||
| "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol"; | ||||
| } | } | |||
| grouping statistics { | grouping statistics { | |||
| description | description | |||
| "Grouping for TACACS+ statistics attributes"; | "Grouping for TACACS+ statistics attributes"; | |||
| container statistics { | container statistics { | |||
| config false; | config false; | |||
| description | description | |||
| "A collection of server-related statistics objects"; | "A collection of server-related statistics objects"; | |||
| leaf connection-opens { | leaf connection-opens { | |||
| skipping to change at page 8, line 31 ¶ | skipping to change at page 8, line 39 ¶ | |||
| "Total Number of sessions. A single-connection tacacs+ | "Total Number of sessions. A single-connection tacacs+ | |||
| connection may be >1 sessions."; | connection may be >1 sessions."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping tacacsplus { | grouping tacacsplus { | |||
| description | description | |||
| "Grouping for TACACS+ attributes"; | "Grouping for TACACS+ attributes"; | |||
| container tacacsplus { | container tacacsplus { | |||
| must "not(derived-from-or-self(../sys:authentication" | ||||
| + "/sys:user-authentication-order, 'tacacsplus')) or server" { | ||||
| error-message "When 'tacacsplus' is used as a sysytem" | ||||
| + " authentication method, a TACACS+ server" | ||||
| + " must be configured."; | ||||
| description | ||||
| "When 'tacacsplus' is used as an authentication method, | ||||
| a TACACS+ server must be configured."; | ||||
| } | ||||
| if-feature "tacacsplus"; | if-feature "tacacsplus"; | |||
| description | description | |||
| "Container for TACACS+ configurations and operations."; | "Container for TACACS+ configurations and operations."; | |||
| list server { | list server { | |||
| key "name"; | key "name"; | |||
| ordered-by user; | ordered-by user; | |||
| description | description | |||
| "List of TACACS+ servers used by the device."; | "List of TACACS+ servers used by the device."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| skipping to change at page 9, line 39 ¶ | skipping to change at page 10, line 8 ¶ | |||
| } | } | |||
| leaf shared-secret { | leaf shared-secret { | |||
| type string; | type string; | |||
| mandatory true; | mandatory true; | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "The shared secret, which is known to both the | "The shared secret, which is known to both the | |||
| TACACS+ client and server. TACACS+ server administrators | TACACS+ client and server. TACACS+ server administrators | |||
| should configure secret keys of minimum | should configure secret keys of minimum | |||
| 16 characters length."; | 16 characters length."; | |||
| reference "TACACS+ protocol:"; | reference | |||
| "TACACS+ protocol:"; | ||||
| } | } | |||
| choice source-type { | choice source-type { | |||
| description | description | |||
| "The source address type for outbound TACACS+ packets."; | "The source address type for outbound TACACS+ packets."; | |||
| case source-ip { | case source-ip { | |||
| leaf source-ip { | leaf source-ip { | |||
| type inet:ip-address; | type inet:ip-address; | |||
| description | description | |||
| "Specifies source IP address for TACACS+ outbound | "Specifies source IP address for TACACS+ outbound | |||
| packets."; | packets."; | |||
| skipping to change at page 12, line 23 ¶ | skipping to change at page 12, line 38 ¶ | |||
| Alan DeKok, Joe Clarke, and many others for their helpful comments | Alan DeKok, Joe Clarke, and many others for their helpful comments | |||
| and suggestions. | and suggestions. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-opsawg-tacacs] | [I-D.ietf-opsawg-tacacs] | |||
| Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and | Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and | |||
| L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- | L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg- | |||
| tacacs-15 (work in progress), September 2019. | tacacs-17 (work in progress), November 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| skipping to change at page 14, line 21 ¶ | skipping to change at page 14, line 34 ¶ | |||
| Guangying Zheng | Guangying Zheng | |||
| Huawei | Huawei | |||
| 101 Software Avenue, Yuhua District | 101 Software Avenue, Yuhua District | |||
| Nanjing, Jiangsu 210012 | Nanjing, Jiangsu 210012 | |||
| China | China | |||
| Email: zhengguangying@huawei.com | Email: zhengguangying@huawei.com | |||
| Michael Wang | Michael Wang | |||
| Huawei Technologies, Co., Ltd | Huawei Technologies, Co., | |||
| Ltd | ||||
| 101 Software Avenue, Yuhua District | 101 Software Avenue, Yuhua District | |||
| Nanjing 210012 | Nanjing 210012 | |||
| China | China | |||
| Email: wangzitao@huawei.com | Email: wangzitao@huawei.com | |||
| Bo Wu | Bo Wu | |||
| Huawei | Huawei | |||
| 101 Software Avenue, Yuhua District | 101 Software Avenue, Yuhua District | |||
| Nanjing, Jiangsu 210012 | Nanjing, Jiangsu 210012 | |||
| End of changes. 21 change blocks. | ||||
| 21 lines changed or deleted | 42 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||