| rfc9950.original | rfc9950.txt | |||
|---|---|---|---|---|
| Operations and Management Area Working Group M. Boucadair, Ed. | Internet Engineering Task Force (IETF) M. Boucadair, Ed. | |||
| Internet-Draft Orange | Request for Comments: 9950 Orange | |||
| Obsoletes: 9105 (if approved) B. Wu | Obsoletes: 9105 B. Wu | |||
| Intended status: Standards Track Huawei Technologies | Category: Standards Track Huawei Technologies | |||
| Expires: 8 January 2026 7 July 2025 | ISSN: 2070-1721 March 2026 | |||
| A YANG Data Model for Terminal Access Controller Access-Control System | A YANG Data Model for Terminal Access Controller Access-Control System | |||
| Plus (TACACS+) | Plus (TACACS+) | |||
| draft-ietf-opsawg-secure-tacacs-yang-13 | ||||
| Abstract | Abstract | |||
| This document defines a Terminal Access Controller Access-Control | This document defines a Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) client YANG module that augments the System | System Plus (TACACS+) client YANG module that augments the System | |||
| Management data model, defined in RFC 7317, to allow devices to make | Management data model, defined in RFC 7317, to allow devices to make | |||
| use of TACACS+ servers for centralized Authentication, Authorization, | use of TACACS+ servers for centralized Authentication, Authorization, | |||
| and Accounting (AAA). Specifically, this document defines a YANG | and Accounting (AAA). Specifically, this document defines a YANG | |||
| module for TACACS+ over TLS 1.3. | module for TACACS+ over TLS 1.3. | |||
| This document obsoletes RFC 9105. | This document obsoletes RFC 9105. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 8 January 2026. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9950. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2026 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 1.1. Changes Since RFC 9105 . . . . . . . . . . . . . . . . . 3 | 1.1. Changes Since RFC 9105 | |||
| 1.2. Editorial Note (To be removed by RFC Editor) . . . . . . 3 | 2. Conventions and Definitions | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 | 2.1. Tree Diagrams | |||
| 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Design of the TACACS+ Data Model | |||
| 3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 4 | 4. TACACS+ Client Module | |||
| 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 8 | 5. Operational Considerations | |||
| 5. Operational Considerations . . . . . . . . . . . . . . . . . 26 | 6. Security Considerations | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 7. IANA Considerations | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 | 8. References | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 8.1. Normative References | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 27 | 8.2. Informative References | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 30 | ||||
| Appendix A. Example TACACS+ Authentication Configuration with | Appendix A. Example TACACS+ Authentication Configuration with | |||
| Shared Secret . . . . . . . . . . . . . . . . . . . . . . 31 | Shared Secret | |||
| Appendix B. TACACS+TLS Examples . . . . . . . . . . . . . . . . 32 | Appendix B. TACACS+TLS Examples | |||
| B.1. Example TACACS+ Authentication Configuration with Explicit | B.1. Example TACACS+ Authentication Configuration with Explicit | |||
| Certificate Definitions . . . . . . . . . . . . . . . . . 32 | Certificate Definitions | |||
| B.2. Example TACACS+ Authentication Configuration with | B.2. Example TACACS+ Authentication Configuration with | |||
| Certificate References . . . . . . . . . . . . . . . . . 34 | Certificate References | |||
| Appendix C. Full Tree . . . . . . . . . . . . . . . . . . . . . 36 | Appendix C. Full Tree | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 46 | Acknowledgments | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47 | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| The System Management data model [RFC7317] defines separate | The System Management data model [RFC7317] defines separate | |||
| functionality to support local and Remote Authentication Dial In User | functionality to support local and Remote Authentication Dial-In User | |||
| Service (RADIUS) authentication: | Service (RADIUS) authentication: | |||
| User Authentication Model: Defines a list of user names with | User Authentication Model: Defines a list of user names with | |||
| associated passwords and a configuration leaf to decide the order | associated passwords and a configuration leaf to decide the order | |||
| in which local or RADIUS authentication is used. | in which local or RADIUS authentication is used. | |||
| RADIUS Client Model: Defines a list of RADIUS servers used by a | RADIUS Client Model: Defines a list of RADIUS servers used by a | |||
| device for centralized user authentication. | device for centralized user authentication. | |||
| [RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that | [RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that | |||
| skipping to change at page 3, line 4 ¶ | skipping to change at line 93 ¶ | |||
| associated passwords and a configuration leaf to decide the order | associated passwords and a configuration leaf to decide the order | |||
| in which local or RADIUS authentication is used. | in which local or RADIUS authentication is used. | |||
| RADIUS Client Model: Defines a list of RADIUS servers used by a | RADIUS Client Model: Defines a list of RADIUS servers used by a | |||
| device for centralized user authentication. | device for centralized user authentication. | |||
| [RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that | [RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that | |||
| augments the System Management data model [RFC7317] for the | augments the System Management data model [RFC7317] for the | |||
| management of Terminal Access Controller Access-Control System Plus | management of Terminal Access Controller Access-Control System Plus | |||
| (TACACS+) clients as an alternative to RADIUS servers [RFC2865]. | (TACACS+) clients as an alternative to RADIUS servers [RFC2865]. | |||
| Typically, the "ietf-system-tacacs-plus" module is used to configure | Typically, the "ietf-system-tacacs-plus" module is used to configure | |||
| a TACACS+ client on a device to support deployment scenarios with | a TACACS+ client on a device to support deployment scenarios with | |||
| centralized authentication, authorization, and accounting servers. | centralized Authentication, Authorization, and Accounting (AAA) | |||
| servers. | ||||
| This document defines a YANG module for managing TACACS+ clients | This document defines a YANG module for managing TACACS+ clients | |||
| (Section 4), including TACACS+ over TLS 1.3 clients | (Section 4), including TACACS+ over TLS 1.3 clients [RFC9887]. This | |||
| [I-D.ietf-opsawg-tacacs-tls13]. This document obsoletes [RFC9105]. | document obsoletes [RFC9105]. | |||
| The YANG module in this document conforms to the Network Management | The YANG module in this document conforms to the Network Management | |||
| Datastore Architecture (NMDA) defined in [RFC8342]. | Datastore Architecture (NMDA) defined in [RFC8342]. | |||
| 1.1. Changes Since RFC 9105 | 1.1. Changes Since RFC 9105 | |||
| The following changes have been made to [RFC9105]: | The following changes have been made to [RFC9105]: | |||
| * Add support for TLS [I-D.ietf-opsawg-tacacs-tls13] | * Added support for TLS [RFC9887] | |||
| * Add a constraint to ensure that the list of servers is unique per | ||||
| address/port number | ||||
| * Update the description of 'address' to be consistent with the type | ||||
| * Fix a must statement under 'tacacs-plus' | ||||
| * Fix errors in the example provided in Appendix A of [RFC9105] | ||||
| * Add an example to illustrate the use of VRF | ||||
| * Add new examples to illustrate the use of TACACS+TLS data nodes | ||||
| Detailed YANG changes are listed in Section 4. | ||||
| 1.2. Editorial Note (To be removed by RFC Editor) | ||||
| Note to the RFC Editor: This section is to be removed prior to | * Added a constraint to ensure that the list of servers is unique | |||
| publication. | per address/port number | |||
| This document contains placeholder values that need to be replaced | * Updated the description of 'address' to be consistent with the | |||
| with finalized values at the time of publication. This note | type | |||
| summarizes all of the substitutions that are needed. | ||||
| Please apply the following replacements: | * Fixed a 'must' statement under 'tacacs-plus' | |||
| * XXXX --> the assigned RFC number for this I-D | * Fixed errors in the example provided in Appendix A of [RFC9105] | |||
| * SSSS --> the assigned RFC number for | * Added an example to illustrate the use of VPN Routing and | |||
| [I-D.ietf-opsawg-tacacs-tls13] | Forwarding (VRF) | |||
| * TBD --> the assigned port number in Section 7 of | * Added new examples to illustrate the use of TACACS+TLS data nodes | |||
| [I-D.ietf-opsawg-tacacs-tls13] | ||||
| * 2024-12-11 --> the actual date of the publication of this document | Detailed changes to the YANG module are listed in Section 4. | |||
| 2. Conventions and Definitions | 2. Conventions and Definitions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| The terminology for describing YANG data models is defined in | The terminology for describing YANG data models is defined in | |||
| [RFC7950]. | [RFC7950]. | |||
| The document uses the terms defined in Section 2 of | The document uses the terms defined in Section 2 of [RFC9887] and | |||
| [I-D.ietf-opsawg-tacacs-tls13] and Section 3 of [RFC8907]. | Section 3 of [RFC8907]. | |||
| 'client' refers to TACACS+ client, while 'server' refers to TACACS+ | 'client' refers to a TACACS+ client, while 'server' refers to a | |||
| server. | TACACS+ server. | |||
| 2.1. Tree Diagrams | 2.1. Tree Diagrams | |||
| The tree diagram used in this document follows the notation defined | The tree diagrams used in this document follow the notation defined | |||
| in [RFC8340]. | in [RFC8340]. | |||
| 3. Design of the TACACS+ Data Model | 3. Design of the TACACS+ Data Model | |||
| This module is used to configure a TACACS+ client on a device to | This module is used to configure a TACACS+ client on a device to | |||
| support deployment scenarios with centralized authentication, | support deployment scenarios with centralized Authentication, | |||
| authorization, and accounting servers. Authentication is used to | Authorization, and Accounting (AAA) servers. Authentication is used | |||
| validate a user's username and password, authorization allows the | to validate a user's username and password, authorization allows the | |||
| user to access and execute commands at various privilege levels | user to access and execute commands at various privilege levels | |||
| assigned to the user, and accounting keeps track of the activity of a | assigned to the user, and accounting keeps track of the activity of a | |||
| user who has accessed the device. | user who has accessed the device. | |||
| The "ietf-system-tacacs-plus" module augments the '/sys:system' path | The "ietf-system-tacacs-plus" module augments the '/sys:system' path | |||
| defined in the "ietf-system" module with the contents of the 'tacacs- | defined in the "ietf-system" module with the contents of the 'tacacs- | |||
| plus' grouping. Therefore, a device can use local, RADIUS, or | plus' grouping. Therefore, a device can use local, RADIUS, or | |||
| TACACS+ authentication to validate users who attempt to access the | TACACS+ authentication to validate users who attempt to access the | |||
| device by several mechanisms, e.g., a command line interface or a | device by several mechanisms, e.g., a command line interface or a | |||
| web-based user interface. | web-based user interface. | |||
| The 'server' list, which is directly under the 'tacacs-plus' | The 'server' list, which is directly under the 'tacacs-plus' | |||
| container, holds a list of TACACS+ servers and uses 'server-type' to | container, holds a list of TACACS+ servers and uses 'server-type' to | |||
| distinguish between Authentication, Authorization, and Accounting | distinguish between AAA services. The list of servers is for | |||
| (AAA) services. The list of servers is for redundancy. | redundancy. | |||
| When there are multiple interfaces connected to a TACACS+ client or | When there are multiple interfaces connected to a TACACS+ client or | |||
| server, the source address of outgoing TACACS+ packets could be | server, the source address of outgoing TACACS+ packets could be | |||
| specified, or the source address could be specified through the | specified, or the source address could be specified through the | |||
| interface IP address setting or derived from the outbound interface | interface IP address setting or derived from the outbound interface | |||
| from the local Forwarding Information Base (FIB). For a TACACS+ | from the local Forwarding Information Base (FIB). For a TACACS+ | |||
| server located in a Virtual Private Network (VPN), a VPN Routing and | server located in a Virtual Private Network (VPN), a VPN Routing and | |||
| Forwarding (VRF) instance needs to be specified. | Forwarding (VRF) instance needs to be specified. | |||
| The 'statistics' container under the 'server' list is a collection of | The 'statistics' container under the 'server' list is a collection of | |||
| skipping to change at page 7, line 22 ¶ | skipping to change at line 286 ¶ | |||
| +--ro messages-received? yang:counter64 | +--ro messages-received? yang:counter64 | |||
| +--ro errors-received? yang:counter64 | +--ro errors-received? yang:counter64 | |||
| +--ro sessions? yang:counter64 | +--ro sessions? yang:counter64 | |||
| +--ro cert-errors? yang:counter64 | +--ro cert-errors? yang:counter64 | |||
| +--ro rpk-errors? yang:counter64 | +--ro rpk-errors? yang:counter64 | |||
| {tlsc:server-auth-raw-public-key}? | {tlsc:server-auth-raw-public-key}? | |||
| Figure 1: Tree Structure Overview | Figure 1: Tree Structure Overview | |||
| Specifically, the module is designed to cover the following key | Specifically, the module is designed to cover the following key | |||
| requirements specified in [I-D.ietf-opsawg-tacacs-tls13]: | requirements specified in [RFC9887]: | |||
| * Minimum TLS 1.3 [RFC8446] MUST be used for transport. | * Minimum TLS 1.3 [RFC8446] MUST be used for transport. | |||
| * Earlier TLS versions MUST NOT be used. | * Earlier TLS versions MUST NOT be used. | |||
| * The cipher suites offered or accepted SHOULD be configurable. | * The cipher suites offered or accepted SHOULD be configurable. | |||
| * Implementations MAY support Raw Public Keys (RPKs) and Pre-Shared | * Implementations MAY support Raw Public Keys (RPKs) and Pre-Shared | |||
| Keys (PSKs). | Keys (PSKs). | |||
| * Implementations MUST support the ability to configure the server's | * Implementations MUST support the ability to configure the server's | |||
| domain name, so that it may be included in the TLS Server Name | domain name, so that it may be included in the TLS Server Name | |||
| Indication (SNI) extension. | Indication (SNI) extension. | |||
| The following new data nodes are supported compared to [RFC9105]: | The following new data nodes are supported compared to [RFC9105]: | |||
| 'client-credentials' and 'server-credentials': Defines a set | 'client-credentials' and 'server-credentials': Define a set | |||
| credentials that can be globally provisioned and then referenced | credentials that can be globally provisioned and then referenced | |||
| under specific servers. | under specific servers. | |||
| 'domain-name': Provides a domain name of the server per Section 3.3 | 'domain-name': Provides a domain name of the server per Section 3.3 | |||
| of [I-D.ietf-opsawg-tacacs-tls13]. This is the TLS TACACS+ | of [RFC9887]. This is the TLS TACACS+ server's domain name that | |||
| server's domain name that is included in the SNI extension. This | is included in the SNI extension. This domain name is distinct | |||
| domain name is distinct from the IP address/hostname used for the | from the IP address/hostname used for the underlying transport | |||
| underlying transport connection. | connection. | |||
| 'sni-enabled': Controls activation of Server Name Indication (SNI) | 'sni-enabled': Controls activation of SNI (Section 3 of [RFC6066]). | |||
| (Section 3 of [RFC6066]). This parameter can be used only if a | This parameter can be used only if a domain name is provided. | |||
| domain name is provided. | ||||
| 'client-identity': Specifies the identity credentials that the | 'client-identity': Specifies the identity credentials that the | |||
| client may present when establishing a connection to a server. | client may present when establishing a connection to a server. | |||
| Client identities can be configured at the top level and then | Client identities can be configured at the top level and then | |||
| referenced for specific server instances. Alternatively, client | referenced for specific server instances. Alternatively, client | |||
| identities can be configured explicitly under each server | identities can be configured explicitly under each server | |||
| instance. | instance. | |||
| 'server-authentication': Specifies how a client authenticates | 'server-authentication': Specifies how a client authenticates | |||
| servers. Server credentials can be configured at the top level | servers. Server credentials can be configured at the top level | |||
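Review bot: "Define a set credentials that can be globally provisioned" in the 'client-credentials' and 'server-credentials' entry of this hunk is missing a word in both columns; it should read "Define a set of credentials that can be globally provisioned and then referenced under specific servers."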
| skipping to change at page 8, line 28 ¶ | skipping to change at line 339 ¶ | |||
| 'hello-params': Controls TLS versions and cipher suites to be used | 'hello-params': Controls TLS versions and cipher suites to be used | |||
| when establishing TLS sessions. | when establishing TLS sessions. | |||
| 'discontinuity-time': The time of the most recent occasion at which | 'discontinuity-time': The time of the most recent occasion at which | |||
| the client suffered a discontinuity (a configuration action to | the client suffered a discontinuity (a configuration action to | |||
| reset all counters, re-initialization, etc.). | reset all counters, re-initialization, etc.). | |||
| 'cert-errors': Number of connection failures due to certificate | 'cert-errors': Number of connection failures due to certificate | |||
| issues. | issues. | |||
| 'rpk-errors': Number of raw public key related connection failures. | 'rpk-errors': Number of connection failures related to raw public | |||
| keys. | ||||
| 4. TACACS+ Client Module | 4. TACACS+ Client Module | |||
| This YANG module uses types and groupings defined in [RFC6991], | This YANG module uses types and groupings defined in [RFC6991], | |||
| [RFC8341], [RFC8343], [RFC8529], [RFC9640], [RFC9641], [RFC9642], and | [RFC8341], [RFC8343], [RFC8529], [RFC9640], [RFC9641], [RFC9642], and | |||
| [RFC9645]. | [RFC9645]. | |||
| The module augments [RFC7317]. | The module augments [RFC7317]. | |||
| The module also cites [RFC6520], [RFC9257], and [RFC9258]. | The module also cites [RFC6520], [RFC9257], and [RFC9258]. | |||
| <CODE BEGINS> file "ietf-system-tacacs-plus@2025-01-23.yang" | <CODE BEGINS> file "ietf-system-tacacs-plus@2026-03-13.yang" | |||
| module ietf-system-tacacs-plus { | module ietf-system-tacacs-plus { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; | namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; | |||
| prefix sys-tcs-plus; | prefix sys-tcs-plus; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference | reference | |||
| "RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
| } | } | |||
| skipping to change at page 10, line 25 ¶ | skipping to change at line 435 ¶ | |||
| <zhengguangying@huawei.com>"; | <zhengguangying@huawei.com>"; | |||
| description | description | |||
| "This module provides management of TACACS+ clients. | "This module provides management of TACACS+ clients. | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | |||
| NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', | NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', | |||
| 'MAY', and 'OPTIONAL' in this document are to be interpreted as | 'MAY', and 'OPTIONAL' in this document are to be interpreted as | |||
| described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, | described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, | |||
| they appear in all capitals, as shown here. | they appear in all capitals, as shown here. | |||
| Copyright (c) 2025 IETF Trust and the persons identified as | Copyright (c) 2026 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Revised BSD License | to the license terms contained in, the Revised BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| All revisions of IETF and IANA published modules can be found | All revisions of IETF and IANA published modules can be found | |||
| at the YANG Parameters registry | at the YANG Parameters registry | |||
| (https://www.iana.org/assignments/yang-parameters). | (https://www.iana.org/assignments/yang-parameters). | |||
| This version of this YANG module is part of RFC XXXX; see the | This version of this YANG module is part of RFC 9950; see the | |||
| RFC itself for full legal notices."; | RFC itself for full legal notices."; | |||
| revision 2025-01-23 { | revision 2026-03-13 { | |||
| description | description | |||
| "This revision adds TLS support. Specifically, this revision | "This revision adds TLS support. Specifically, this revision | |||
| adds: | adds: | |||
| - a new feature 'credential-reference' | - a new feature 'credential-reference' | |||
| - a new container 'client-credentials' | - a new container 'client-credentials' | |||
| - a new container 'server-credentials' | - a new container 'server-credentials' | |||
| - a new leaf 'domain-name' | - a new leaf 'domain-name' | |||
| - a new leaf 'sni-enabled' | - a new leaf 'sni-enabled' | |||
| - TLS as a new security choice | - TLS as a new security choice | |||
| - a new leaf 'discontinuity-time' under 'statistics' | - a new leaf 'discontinuity-time' under 'statistics' | |||
| - a new leaf 'cert-errors' under 'statistics' | - a new leaf 'cert-errors' under 'statistics' | |||
| - a new leaf 'rpk-errors' under 'statistics' | - a new leaf 'rpk-errors' under 'statistics' | |||
| Also, this revision: | Also, this revision: | |||
| - updates the reference of 'tacacs-plus' identity | - updates the reference for 'tacacs-plus' identity | |||
| to also cite RFC SSSS | to also cite RFC 9887 | |||
| - fixes a must statement under 'tacacs-plus' by adding | - fixes a 'must' statement under 'tacacs-plus' by adding | |||
| a missing prefix | a missing prefix | |||
| - requires that the servers list must be unique per | - requires that the list of servers must be unique per | |||
| address/port number. | address/port number. | |||
| - updates the description of the 'name' under 'server' | - updates the description of the 'name' under 'server' | |||
| list to better reflect the intended use and clarifies | list to better reflect the intended use and clarifies | |||
| the difference with the new domain-name | the difference with the new domain-name | |||
| - updates the description of the 'address' to be | - updates the description of the 'address' to be | |||
| consistent with the type | consistent with the type | |||
| - removes the default statement for the 'port' under | - removes the default statement for the 'port' under | |||
| 'server' list because a distinct default port number | 'server' list because a distinct default port number | |||
| is used for TACACS+TLS | is used for TACACS+TLS | |||
| - updates the 'port' leaf under 'server' list to enumerate | - updates the 'port' leaf under 'server' list to enumerate | |||
| the various TACACS+ default port numbers | the various TACACS+ default port numbers | |||
| - added a constraint on the VRF with 'source-interface' | - adds a constraint on the VRF with 'source-interface' | |||
| is also provided | is also provided | |||
| - updates the description of timeout to remove redundant | - updates the description of timeout to remove redundant | |||
| text with the default statement"; | text with the default statement"; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for Terminal Access Controller | "RFC 9950: A YANG Data Model for Terminal Access Controller | |||
| Access-Control System Plus (TACACS+)"; | Access-Control System Plus (TACACS+)"; | |||
| } | } | |||
| revision 2021-08-05 { | revision 2021-08-05 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC 9105: A YANG Data Model for Terminal Access Controller | "RFC 9105: A YANG Data Model for Terminal Access Controller | |||
| Access-Control System Plus (TACACS+)"; | Access-Control System Plus (TACACS+)"; | |||
| } | } | |||
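Review bot: the revision-statement bullet "adds a constraint on the VRF with 'source-interface' is also provided" in this hunk is ungrammatical in both columns and does not say what the constraint is; suggest "adds a constraint on the VRF when 'source-interface' is also provided". In the same bullet list, "requires that the list of servers must be unique per address/port number." ends with a period while the other bullets do not; drop it for consistency.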
| skipping to change at page 12, line 4 ¶ | skipping to change at line 510 ¶ | |||
| description | description | |||
| "Indicates whether service credentials references are | "Indicates whether service credentials references are | |||
| supported."; | supported."; | |||
| } | } | |||
| identity tacacs-plus { | identity tacacs-plus { | |||
| base sys:authentication-method; | base sys:authentication-method; | |||
| description | description | |||
| "Indicates AAA operation using TACACS+."; | "Indicates AAA operation using TACACS+."; | |||
| reference | reference | |||
| "RFC SSSS: Terminal Access Controller Access-Control | "RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3 | System Plus (TACACS+) over TLS 1.3 | |||
| RFC 8907: The TACACS+ Protocol"; | RFC 8907: The TACACS+ Protocol"; | |||
| } | } | |||
| typedef tacacs-plus-server-type { | typedef tacacs-plus-server-type { | |||
| type bits { | type bits { | |||
| bit authentication { | bit authentication { | |||
| description | description | |||
| "Indicates that the TACACS+ server is providing | "Indicates that the TACACS+ server is providing | |||
| authentication services."; | authentication services."; | |||
| skipping to change at page 13, line 13 ¶ | skipping to change at line 567 ¶ | |||
| description | description | |||
| "Grouping for TACACS+ statistics attributes, including TLS | "Grouping for TACACS+ statistics attributes, including TLS | |||
| specifics."; | specifics."; | |||
| container statistics { | container statistics { | |||
| config false; | config false; | |||
| description | description | |||
| "A collection of server-related statistics objects."; | "A collection of server-related statistics objects."; | |||
| leaf discontinuity-time { | leaf discontinuity-time { | |||
| type yang:date-and-time; | type yang:date-and-time; | |||
| description | description | |||
| "The time on the most recent occasion at which the | "The time of the most recent occasion at which the | |||
| TACACS+ client suffered a discontinuity. Examples of | TACACS+ client suffered a discontinuity. Examples of | |||
| discontinuity can be a configuration action to reset | discontinuity can be a configuration action to reset | |||
| all counters, re-initialization of the system, or any | all counters, re-initialization of the system, or any | |||
| other events that prevent reliable contiguous tracking | other events that prevent reliable contiguous tracking | |||
| of counters."; | of counters."; | |||
| } | } | |||
| leaf connection-opens { | leaf connection-opens { | |||
| type yang:counter64; | type yang:counter64; | |||
| description | description | |||
| "Number of new connection requests sent to the server, | "Number of new connection requests sent to the server, | |||
| skipping to change at page 15, line 35 | skipping to change at line 685 | |||
| must 'not(deref(.)/../ks:public-key-format) or ' | must 'not(deref(.)/../ks:public-key-format) or ' | |||
| + 'derived-from-or-self(deref(.)/../ks:public-' | + 'derived-from-or-self(deref(.)/../ks:public-' | |||
| + 'key-format, "ct:subject-public-key-info-format")'; | + 'key-format, "ct:subject-public-key-info-format")'; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping tls13-epsk { | grouping tls13-epsk { | |||
| description | description | |||
| "An External Pre-Shared Key (EPSK) is established or | "An External Pre-Shared Key (EPSK) is established or | |||
| provisioned out-of-band, i.e., not from a TLS connection. | provisioned out of band, i.e., not from a TLS connection. | |||
| An EPSK is a tuple of (Base Key, External Identity, Hash). | An EPSK is a tuple of (Base Key, External Identity, Hash). | |||
| When Pre-Shared Keys (PSKs) are provisioned out of band, | When Pre-Shared Keys (PSKs) are provisioned out of band, | |||
| the PSK identity and the Key Derivation Function (KDF) hash | the PSK identity and the Key Derivation Function (KDF) hash | |||
| algorithm to be used with the PSK must also be | algorithm to be used with the PSK must also be | |||
| provisioned."; | provisioned."; | |||
| reference | reference | |||
| "RFC 8446: The Transport Layer Security (TLS) Protocol | "RFC 8446: The Transport Layer Security (TLS) Protocol | |||
| Version 1.3, Section 4.2.11 | Version 1.3, Section 4.2.11 | |||
| RFC 9257: Guidance for External Pre-Shared Key (PSK) Usage | RFC 9257: Guidance for External Pre-Shared Key (PSK) Usage | |||
| in TLS, Section 6 | in TLS, Section 6 | |||
| RFC 9258: Importing External Pre-Shared Keys (PSKs) for | RFC 9258: Importing External Pre-Shared Keys (PSKs) for | |||
| TLS 1.3, Section 5.1"; | TLS 1.3, Section 5.1"; | |||
| uses ks:inline-or-keystore-symmetric-key-grouping; | uses ks:inline-or-keystore-symmetric-key-grouping; | |||
| leaf external-identity { | leaf external-identity { | |||
| type string; | type string; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "A sequence of bytes used to identify an EPSK. A label for | "A sequence of bytes used to identify an EPSK. A label for | |||
| a pre-shared key established externally."; | a PSK established externally."; | |||
| reference | reference | |||
| "RFC 8446: The Transport Layer Security (TLS) Protocol | "RFC 8446: The Transport Layer Security (TLS) Protocol | |||
| Version 1.3, Section 4.2.11 | Version 1.3, Section 4.2.11 | |||
| RFC 9257: Guidance for External Pre-Shared Key (PSK) | RFC 9257: Guidance for External Pre-Shared Key (PSK) | |||
| Usage in TLS, Section 4.1"; | Usage in TLS, Section 4.1"; | |||
| } | } | |||
| leaf hash { | leaf hash { | |||
| type tlscmn:epsk-supported-hash; | type tlscmn:epsk-supported-hash; | |||
| default "sha-256"; | default "sha-256"; | |||
| description | description | |||
| skipping to change at page 17, line 4 | skipping to change at line 750 | |||
| } | } | |||
| leaf target-kdf { | leaf target-kdf { | |||
| type uint16; | type uint16; | |||
| description | description | |||
| "The KDF for which a PSK is imported for use."; | "The KDF for which a PSK is imported for use."; | |||
| reference | reference | |||
| "RFC 9258: Importing External Pre-Shared Keys (PSKs) for | "RFC 9258: Importing External Pre-Shared Keys (PSKs) for | |||
| TLS 1.3, Section 3"; | TLS 1.3, Section 3"; | |||
| } | } | |||
| } | } | |||
| grouping client-identity { | grouping client-identity { | |||
| description | description | |||
| "Identity credentials that a TLS client may present when | "Identity credentials that a TLS client may present when | |||
| establishing a connection to a TLS server. When configured, | establishing a connection to a TLS server. When configured | |||
| and requested by the TLS server when establishing a TLS | and requested by the TLS server when establishing a TLS | |||
| session, these credentials are passed in the Certificate | session, these credentials are passed in the Certificate | |||
| message."; | message."; | |||
| reference | reference | |||
| "RFC 8446: The Transport Layer Security (TLS) Protocol | "RFC 8446: The Transport Layer Security (TLS) Protocol | |||
| Version 1.3, Section 4.4.2"; | Version 1.3, Section 4.4.2"; | |||
| choice auth-type { | choice auth-type { | |||
| description | description | |||
| "A choice amongst authentication types."; | "A choice amongst authentication types."; | |||
| case certificate { | case certificate { | |||
| skipping to change at page 17, line 36 | skipping to change at line 783 | |||
| container raw-private-key { | container raw-private-key { | |||
| description | description | |||
| "Specifies the client identity using RPK."; | "Specifies the client identity using RPK."; | |||
| uses raw-private-key; | uses raw-private-key; | |||
| } | } | |||
| } | } | |||
| case tls13-epsk { | case tls13-epsk { | |||
| if-feature "tlsc:client-ident-tls13-epsk"; | if-feature "tlsc:client-ident-tls13-epsk"; | |||
| container tls13-epsk { | container tls13-epsk { | |||
| description | description | |||
| "An EPSK is established or provisioned out-of-band."; | "An EPSK is established or provisioned out of band."; | |||
| uses tls13-epsk; | uses tls13-epsk; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping client-identity-with-ref { | grouping client-identity-with-ref { | |||
| description | description | |||
| "Identity credentials that the TLS client may present when | "Identity credentials that the TLS client may present when | |||
| establishing a connection to a TLS server. When configured, | establishing a connection to a TLS server. When configured | |||
| and requested by the TLS server when establishing a TLS | and requested by the TLS server when establishing a TLS | |||
| session, these credentials are passed in the Certificate | session, these credentials are passed in the Certificate | |||
| message."; | message."; | |||
| choice ref-or-explicit { | choice ref-or-explicit { | |||
| description | description | |||
| "A choice between a reference or explicit configuration."; | "A choice between a reference or explicit configuration."; | |||
| case ref { | case ref { | |||
| description | description | |||
| "Provides a reference to a client identity."; | "Provides a reference to a client identity."; | |||
| leaf credentials-reference { | leaf credentials-reference { | |||
| skipping to change at page 19, line 51 | skipping to change at line 894 | |||
| "Indicates that a TLS client can authenticate TLS servers | "Indicates that a TLS client can authenticate TLS servers | |||
| using configured EPSKs."; | using configured EPSKs."; | |||
| } | } | |||
| } | } | |||
| grouping server-authentication-with-ref { | grouping server-authentication-with-ref { | |||
| description | description | |||
| "Specifies how a TLS client can authenticate TLS servers."; | "Specifies how a TLS client can authenticate TLS servers."; | |||
| choice ref-or-explicit { | choice ref-or-explicit { | |||
| description | description | |||
| "A choice between a reference of explicit configuration."; | "A choice between a reference or explicit configuration."; | |||
| case ref { | case ref { | |||
| description | description | |||
| "Provides a reference to server credentials."; | "Provides a reference to server credentials."; | |||
| leaf credentials-reference { | leaf credentials-reference { | |||
| if-feature "credential-reference"; | if-feature "credential-reference"; | |||
| type sys-tcs-plus:server-credentials-ref; | type sys-tcs-plus:server-credentials-ref; | |||
| description | description | |||
| "Specifies the server credentials reference."; | "Specifies the server credentials reference."; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 20, line 27 | skipping to change at line 917 | |||
| "Explicit configuration of credentials of a server."; | "Explicit configuration of credentials of a server."; | |||
| uses server-authentication; | uses server-authentication; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping hello-params { | grouping hello-params { | |||
| description | description | |||
| "Configurable parameters for the TLS Hello message."; | "Configurable parameters for the TLS Hello message."; | |||
| reference | reference | |||
| "RFC SSSS: Terminal Access Controller Access-Control | "RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3, | System Plus (TACACS+) over TLS 1.3, | |||
| Section 5.1"; | Section 5.1"; | |||
| uses tlscmn:hello-params-grouping { | uses tlscmn:hello-params-grouping { | |||
| refine "tls-versions/min" { | refine "tls-versions/min" { | |||
| must "not(derived-from-or-self(current(), " | must "not(derived-from-or-self(current(), " | |||
| + "'tlscmn:tls12'))" { | + "'tlscmn:tls12'))" { | |||
| error-message | error-message | |||
| "TLS 1.2 is not supported as min TLS version"; | "TLS 1.2 is not supported as min TLS version"; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 22, line 26 | skipping to change at line 1013 | |||
| list server-credentials { | list server-credentials { | |||
| if-feature "credential-reference"; | if-feature "credential-reference"; | |||
| key "id"; | key "id"; | |||
| description | description | |||
| "Identity credentials that a TLS client may use | "Identity credentials that a TLS client may use | |||
| to authenticate a TLS server."; | to authenticate a TLS server."; | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| leaf id { | leaf id { | |||
| type string; | type string; | |||
| description | description | |||
| "An identifier that uniquely identify server | "An identifier that uniquely identifies server | |||
| credentials within the device configuration."; | credentials within the device configuration."; | |||
| } | } | |||
| uses server-authentication; | uses server-authentication; | |||
| } | } | |||
| list server { | list server { | |||
| key "name"; | key "name"; | |||
| unique "address port"; | unique "address port"; | |||
| ordered-by user; | ordered-by user; | |||
| description | description | |||
| "List of TACACS+ servers used by the device."; | "List of TACACS+ servers used by the device."; | |||
| skipping to change at page 23, line 8 | skipping to change at line 1043 | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Server type: authentication/authorization/accounting and | "Server type: authentication/authorization/accounting and | |||
| various combinations."; | various combinations."; | |||
| } | } | |||
| leaf domain-name { | leaf domain-name { | |||
| type inet:domain-name; | type inet:domain-name; | |||
| description | description | |||
| "Provides a domain name of the TACACS+ server."; | "Provides a domain name of the TACACS+ server."; | |||
| reference | reference | |||
| "RFC SSSS: Terminal Access Controller Access-Control | "RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3, | System Plus (TACACS+) over TLS 1.3, | |||
| Section 3.4.2"; | Section 3.4.2"; | |||
| } | } | |||
| leaf sni-enabled { | leaf sni-enabled { | |||
| type boolean; | type boolean; | |||
| must '../domain-name' { | must '../domain-name' { | |||
| error-message | error-message | |||
| "A domain name must be provided to make use of Server | "A domain name must be provided to make use of Server | |||
| Name Indication (SNI)."; | Name Indication (SNI)."; | |||
| } | } | |||
| description | description | |||
| "Enables the use of SNI, when set to true. Disables the | "Enables the use of SNI when set to true. Disables the | |||
| use of SNI, when set to false."; | use of SNI when set to false."; | |||
| reference | reference | |||
| "RFC 6066: Transport Layer Security (TLS) Extensions: | "RFC 6066: Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions, Section 3 | Extension Definitions, Section 3 | |||
| RFC SSSS: Terminal Access Controller Access-Control | RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3, | System Plus (TACACS+) over TLS 1.3, | |||
| Section 3.4.2"; | Section 3.4.2"; | |||
| } | } | |||
| leaf address { | leaf address { | |||
| type inet:host; | type inet:host; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The IP address or name of the TACACS+ server."; | "The IP address or name of the TACACS+ server."; | |||
| } | } | |||
| leaf port { | leaf port { | |||
| type inet:port-number; | type inet:port-number; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The port number of TACACS+ server. | "The port number of the TACACS+ server. | |||
| Default port number for legacy TACACS+ is 49, | The default port number for legacy TACACS+ is 49, | |||
| while it is TBD for TACACS+TLS."; | while it is 300 for TACACS+TLS."; | |||
| } | } | |||
| choice security { | choice security { | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Security mechanism between TACACS+ client and server."; | "Security mechanism between TACACS+ client and server."; | |||
| case tls { | case tls { | |||
| description | description | |||
| "TLS is used to secure TACACS+ exchanges."; | "TLS is used to secure TACACS+ exchanges."; | |||
| reference | reference | |||
| "RFC SSSS: Terminal Access Controller Access-Control | "RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3"; | System Plus (TACACS+) over TLS 1.3"; | |||
| uses tls-client; | uses tls-client; | |||
| } | } | |||
| case obfuscation { | case obfuscation { | |||
| leaf shared-secret { | leaf shared-secret { | |||
| type string { | type string { | |||
| length "1..max"; | length "1..max"; | |||
| } | } | |||
| description | description | |||
| "The shared secret, which is known to both the | "The shared secret, which is known to both the | |||
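Review bot: the description of 'port' (leaf port, just after `mandatory true`) calls 49 and 300 "default" port numbers, but the leaf carries no `default` statement and is `mandatory true`, so the model never fills a value in; consider rewording to "the well-known (IANA-assigned) port number for legacy TACACS+ is 49, and 300 for TACACS+TLS" so that operators do not expect the device to supply a default they omitted.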
| skipping to change at page 24, line 33 | skipping to change at line 1116 | |||
| as it does not provide any meaningful integrity, | as it does not provide any meaningful integrity, | |||
| privacy, or replay protection. | privacy, or replay protection. | |||
| The use of obfuscation is deprecated in favor | The use of obfuscation is deprecated in favor | |||
| of TLS. | of TLS. | |||
| This choice is provided in the model to accommodate | This choice is provided in the model to accommodate | |||
| installed base."; | installed base."; | |||
| reference | reference | |||
| "RFC 8907: The TACACS+ Protocol | "RFC 8907: The TACACS+ Protocol | |||
| RFC SSSS: Terminal Access Controller Access-Control | RFC 9887: Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) over TLS 1.3"; | System Plus (TACACS+) over TLS 1.3"; | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| choice source-type { | choice source-type { | |||
| description | description | |||
| "The source address type for outbound TACACS+ packets."; | "The source address type for outbound TACACS+ packets."; | |||
| case source-ip { | case source-ip { | |||
| leaf source-ip { | leaf source-ip { | |||
| type inet:ip-address; | type inet:ip-address; | |||
| skipping to change at page 26, line 4 | skipping to change at line 1183 | |||
| leaf timeout { | leaf timeout { | |||
| type uint16 { | type uint16 { | |||
| range "1..max"; | range "1..max"; | |||
| } | } | |||
| units "seconds"; | units "seconds"; | |||
| default "5"; | default "5"; | |||
| description | description | |||
| "The number of seconds that the device will wait for a | "The number of seconds that the device will wait for a | |||
| response from each TACACS+ server before trying with a | response from each TACACS+ server before trying with a | |||
| different server."; | different server."; | |||
| } | } | |||
| uses statistics; | uses statistics; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment "/sys:system" { | augment "/sys:system" { | |||
| description | description | |||
| "Augments the system model with the tacacs-plus data nodes."; | "Augments the system model with the tacacs-plus data nodes."; | |||
| uses tacacs-plus; | uses tacacs-plus; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 5. Operational Considerations | 5. Operational Considerations | |||
| The same operational considerations discussed in Section 6 of | The same operational considerations discussed in Section 6 of | |||
| [I-D.ietf-opsawg-tacacs-tls13] apply for this document. | [RFC9887] apply for this document. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This section is modeled after the template described in Section 3.7 | This section is modeled after the template described in Section 3.7.1 | |||
| of [I-D.ietf-netmod-rfc8407bis]. | of [RFC9907]. | |||
| The "ietf-ac-common" YANG module defines a data model that is | The "ietf-ac-common" YANG module defines a data model that is | |||
| designed to be accessed via YANG-based management protocols, such as | designed to be accessed via YANG-based management protocols, such as | |||
| NETCONF [RFC6241] and RESTCONF [RFC8040]. These YANG-based | the Network Configuration Protocol (NETCONF) [RFC6241] and RESTCONF | |||
| management protocols (1) have to use a secure transport layer (e.g., | [RFC8040]. These YANG-based management protocols (1) have to use a | |||
| SSH [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and (2) have to use | secure transport layer (e.g., Secure Shell (SSH) [RFC4252], TLS | |||
| mutual authentication. | [RFC8446], and QUIC [RFC9000]) and (2) have to use mutual | |||
| authentication. | ||||
| The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
| provides the means to restrict access for particular NETCONF or | provides the means to restrict access for particular NETCONF or | |||
| RESTCONF users to a preconfigured subset of all available NETCONF or | RESTCONF users to a preconfigured subset of all available NETCONF or | |||
| RESTCONF protocol operations and content. | RESTCONF protocol operations and content. | |||
| There are a number of data nodes defined in this YANG module that are | There are a number of data nodes defined in this YANG module that are | |||
| writable/creatable/deletable (i.e., "config true", which is the | writable/creatable/deletable (i.e., "config true", which is the | |||
| default). All writable data nodes are likely to be sensitive or | default). All writable data nodes are likely to be sensitive or | |||
| vulnerable in some network environments. Write operations (e.g., | vulnerable in some network environments. Write operations (e.g., | |||
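Review bot: the first paragraph of Section 6 names the "ietf-ac-common" YANG module in both columns, but the module this document defines (the `<CODE ENDS>` block above) and registers in Section 7 is "ietf-system-tacacs-plus"; the sentence looks like a carry-over from another document's template and should read: The "ietf-system-tacacs-plus" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, ...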
| skipping to change at page 27, line 23 | skipping to change at line 1249 | |||
| [RFC8341]. When setting, it is highly recommended that the leaf | [RFC8341]. When setting, it is highly recommended that the leaf | |||
| is at least 32 characters long and sufficiently complex with a mix | is at least 32 characters long and sufficiently complex with a mix | |||
| of different character types, i.e., upper case, lower case, | of different character types, i.e., upper case, lower case, | |||
| numeric, and punctuation. | numeric, and punctuation. | |||
| 'client-identity' and 'server-authentication': Any modification to a | 'client-identity' and 'server-authentication': Any modification to a | |||
| key or reference to a key may dramatically alter the implemented | key or reference to a key may dramatically alter the implemented | |||
| security policy. For this reason, the NACM extension "default- | security policy. For this reason, the NACM extension "default- | |||
| deny-write" has been set. | deny-write" has been set. | |||
| There are no particularly sensitive readable data nodes. | ||||
| There are no particularly sensitive RPC or action operations. | ||||
| This YANG module uses groupings from other YANG modules that define | This YANG module uses groupings from other YANG modules that define | |||
| nodes that may be considered sensitive or vulnerable in network | nodes that may be considered sensitive or vulnerable in network | |||
| environments. Refer to Section 5.3 of [RFC9642] and Section 5.3 of | environments. Refer to Section 5.3 of [RFC9642] and Section 5.3 of | |||
| [RFC9645] for information as to which nodes may be considered | [RFC9645] for information as to which nodes may be considered | |||
| sensitive or vulnerable in network environments. | sensitive or vulnerable in network environments. | |||
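One way to turn the constraints stated in the module above (the `must '../domain-name'` on sni-enabled, `unique "address port"`, the mandatory security choice, the hello-params refine rejecting TLS 1.2 as minimum version) and the shared-secret guidance in this section into a pre-commit check on a configuration instance. This is an added example, not code from RFC 9950 or any TACACS+ implementation; the JSON instance is constructed, and the "tls" key standing for the contents of the tls-client grouping is an assumption, since that grouping is not shown on this page.

```python
"""Pre-commit sanity checks for an ietf-system-tacacs-plus "server" list.

Added example, not code from RFC 9950 or any TACACS+ implementation. Node
names follow the module on this page; the "tls" key used for the contents
of the tls-client grouping is an ASSUMPTION (that grouping is not shown
here), so only the hello-params refine from the page is checked under it.
"""
import json
import string

SERVER_TYPE_BITS = {"authentication", "authorization", "accounting"}

# Constructed sample instance in RFC 7951 JSON encoding: choice/case nodes
# are not encoded and 'type bits' values are space-separated bit names.
SAMPLE_CONFIG = json.loads("""{"ietf-system-tacacs-plus:tacacs-plus": {"server": [
  {"name": "tls-primary", "server-type": "authentication authorization accounting",
   "domain-name": "tacacs.example.net", "sni-enabled": true,
   "address": "tacacs.example.net", "port": 300, "timeout": 5,
   "tls": {"hello-params": {"tls-versions": {"min": "tlscmn:tls13"}}}},
  {"name": "legacy", "server-type": "authentication", "sni-enabled": true,
   "address": "192.0.2.10", "port": 49, "shared-secret": "secret"}]}}""")


def _secret_weaknesses(secret):
    """Gaps against the Security Considerations guidance for 'shared-secret':
    at least 32 characters mixing upper case, lower case, numeric and
    punctuation characters."""
    problems = []
    if len(secret) < 32:
        problems.append(f"is {len(secret)} characters long, below the recommended 32")
    for label, chars in (("upper case", string.ascii_uppercase),
                         ("lower case", string.ascii_lowercase),
                         ("numeric", string.digits),
                         ("punctuation", string.punctuation)):
        if not any(c in chars for c in secret):
            problems.append(f"lacks {label} characters")
    return problems


def check_servers(instance):
    """Return (severity, server name, message) tuples for a decoded instance
    keyed by "ietf-system-tacacs-plus:tacacs-plus"."""
    findings = []
    seen = {}  # (address, port) -> server name, for 'unique "address port"'
    for srv in instance["ietf-system-tacacs-plus:tacacs-plus"].get("server", []):
        name = srv.get("name", "<unnamed>")

        def add(severity, msg, _name=name):
            findings.append((severity, _name, msg))

        # key "name" plus the leaves the module marks 'mandatory true'
        for leaf in ("name", "server-type", "address", "port"):
            if leaf not in srv:
                add("error", f"mandatory leaf '{leaf}' is missing")
        pair = (srv.get("address"), srv.get("port"))
        if pair in seen:
            add("error", f"address/port {pair} duplicates server '{seen[pair]}'")
        seen[pair] = name
        bits = set(srv.get("server-type", "").split())
        if "server-type" in srv and not (bits and bits <= SERVER_TYPE_BITS):
            add("error", "server-type must name one or more of "
                         "authentication/authorization/accounting")
        port = srv.get("port")
        if port is not None and not 0 <= port <= 65535:
            add("error", "port is not a valid inet:port-number")

        # leaf sni-enabled { must '../domain-name' }
        if srv.get("sni-enabled") and "domain-name" not in srv:
            add("error", "sni-enabled requires domain-name (must '../domain-name')")

        # choice security { mandatory true }: exactly one case configured
        has_tls, has_obf = "tls" in srv, "shared-secret" in srv
        if has_tls == has_obf:
            add("error", "exactly one of the 'tls' and 'obfuscation' cases is required")
        if has_obf:
            add("warning", "obfuscation is deprecated in favor of TLS")
            if len(srv["shared-secret"]) < 1:
                add("error", "shared-secret violates length '1..max'")
            for problem in _secret_weaknesses(srv["shared-secret"]):
                add("warning", f"shared-secret {problem}")
        if has_tls:
            # refine "tls-versions/min": TLS 1.2 is rejected as the minimum
            min_ver = (srv["tls"].get("hello-params", {})
                       .get("tls-versions", {}).get("min"))
            if min_ver == "tlscmn:tls12":
                add("error", "TLS 1.2 is not supported as min TLS version")

        # leaf timeout { range "1..max"; units "seconds"; default "5" }
        if not 1 <= srv.get("timeout", 5) <= 65535:
            add("error", "timeout must be within 1..65535 seconds")
    return findings


if __name__ == "__main__":
    for severity, server, message in check_servers(SAMPLE_CONFIG):
        print(f"{severity:7} {server}: {message}")
```

Run as a script it reports nothing for "tls-primary" and, for "legacy", the missing domain-name error plus warnings for the deprecated obfuscation case and the weak shared secret.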
| 7. IANA Considerations | 7. IANA Considerations | |||
| IANA is requested to update the following URI in the "ns" subregistry | IANA has registered the following URI in the "ns" registry within the | |||
| within the "IETF XML Registry" [RFC3688]: | "IETF XML Registry" [RFC3688]: | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus | URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus | |||
| Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
| XML: N/A; the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
| IANA is requested to register the following YANG module in the "YANG | IANA has registered the following YANG module in the "YANG Module | |||
| Module Names" registry [RFC6020] within the "YANG Parameters" | Names" registry [RFC6020] within the "YANG Parameters" registry | |||
| registry group: | group: | |||
| Name: ietf-system-tacacs-plus | Name: ietf-system-tacacs-plus | |||
| Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus | Maintained by IANA? N | |||
| Prefix: sys-tcs-plus | Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus | |||
| Maintained by IANA? N | Prefix: sys-tcs-plus | |||
| Reference: RFC XXXX | Reference: RFC 9950 | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-opsawg-tacacs-tls13] | ||||
| Dahm, T., Heasley, J., dcmgash@cisco.com, and A. Ota, | ||||
| "Terminal Access Controller Access-Control System Plus | ||||
| over TLS 1.3 (TACACS+ over TLS)", Work in Progress, | ||||
| Internet-Draft, draft-ietf-opsawg-tacacs-tls13-23, 21 June | ||||
| 2025, <https://datatracker.ietf.org/doc/html/draft-ietf- | ||||
| opsawg-tacacs-tls13-23>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/rfc/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
| the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
| <https://www.rfc-editor.org/rfc/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
| [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) | [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) | |||
| Extensions: Extension Definitions", RFC 6066, | Extensions: Extension Definitions", RFC 6066, | |||
| DOI 10.17487/RFC6066, January 2011, | DOI 10.17487/RFC6066, January 2011, | |||
| <https://www.rfc-editor.org/rfc/rfc6066>. | <https://www.rfc-editor.org/info/rfc6066>. | |||
| [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport | [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport | |||
| Layer Security (TLS) and Datagram Transport Layer Security | Layer Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS) Heartbeat Extension", RFC 6520, | (DTLS) Heartbeat Extension", RFC 6520, | |||
| DOI 10.17487/RFC6520, February 2012, | DOI 10.17487/RFC6520, February 2012, | |||
| <https://www.rfc-editor.org/rfc/rfc6520>. | <https://www.rfc-editor.org/info/rfc6520>. | |||
| [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||
| RFC 6991, DOI 10.17487/RFC6991, July 2013, | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||
| <https://www.rfc-editor.org/rfc/rfc6991>. | <https://www.rfc-editor.org/info/rfc6991>. | |||
| [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | |||
| System Management", RFC 7317, DOI 10.17487/RFC7317, August | System Management", RFC 7317, DOI 10.17487/RFC7317, August | |||
| 2014, <https://www.rfc-editor.org/rfc/rfc7317>. | 2014, <https://www.rfc-editor.org/info/rfc7317>. | |||
| [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
| RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
| <https://www.rfc-editor.org/rfc/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
| DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
| [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
| and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
| (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
| [RFC8343] Bjorklund, M., "A YANG Data Model for Interface | [RFC8343] Bjorklund, M., "A YANG Data Model for Interface | |||
| Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, | Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8343>. | <https://www.rfc-editor.org/info/rfc8343>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8529] Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X. | [RFC8529] Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X. | |||
| Liu, "YANG Data Model for Network Instances", RFC 8529, | Liu, "YANG Data Model for Network Instances", RFC 8529, | |||
| DOI 10.17487/RFC8529, March 2019, | DOI 10.17487/RFC8529, March 2019, | |||
| <https://www.rfc-editor.org/rfc/rfc8529>. | <https://www.rfc-editor.org/info/rfc8529>. | |||
| [RFC9257] Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, | [RFC9257] Housley, R., Hoyland, J., Sethi, M., and C. A. Wood, | |||
| "Guidance for External Pre-Shared Key (PSK) Usage in TLS", | "Guidance for External Pre-Shared Key (PSK) Usage in TLS", | |||
| RFC 9257, DOI 10.17487/RFC9257, July 2022, | RFC 9257, DOI 10.17487/RFC9257, July 2022, | |||
| <https://www.rfc-editor.org/rfc/rfc9257>. | <https://www.rfc-editor.org/info/rfc9257>. | |||
| [RFC9258] Benjamin, D. and C. A. Wood, "Importing External Pre- | [RFC9258] Benjamin, D. and C. A. Wood, "Importing External Pre- | |||
| Shared Keys (PSKs) for TLS 1.3", RFC 9258, | Shared Keys (PSKs) for TLS 1.3", RFC 9258, | |||
| DOI 10.17487/RFC9258, July 2022, | DOI 10.17487/RFC9258, July 2022, | |||
| <https://www.rfc-editor.org/rfc/rfc9258>. | <https://www.rfc-editor.org/info/rfc9258>. | |||
| [RFC9640] Watsen, K., "YANG Data Types and Groupings for | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
| Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | |||
| 2024, <https://www.rfc-editor.org/rfc/rfc9640>. | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
| [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
| RFC 9641, DOI 10.17487/RFC9641, October 2024, | RFC 9641, DOI 10.17487/RFC9641, October 2024, | |||
| <https://www.rfc-editor.org/rfc/rfc9641>. | <https://www.rfc-editor.org/info/rfc9641>. | |||
| [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | |||
| DOI 10.17487/RFC9642, October 2024, | DOI 10.17487/RFC9642, October 2024, | |||
| <https://www.rfc-editor.org/rfc/rfc9642>. | <https://www.rfc-editor.org/info/rfc9642>. | |||
| [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
| Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | |||
| <https://www.rfc-editor.org/rfc/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
| 8.2. Informative References | [RFC9887] Dahm, T., Heasley, J., Medway Gash, D.C., and A. Ota, | |||
| "Terminal Access Controller Access-Control System Plus | ||||
| (TACACS+) over TLS 1.3", RFC 9887, DOI 10.17487/RFC9887, | ||||
| December 2025, <https://www.rfc-editor.org/info/rfc9887>. | ||||
| [I-D.ietf-netmod-rfc8407bis] | 8.2. Informative References | |||
| Bierman, A., Boucadair, M., and Q. Wu, "Guidelines for | ||||
| Authors and Reviewers of Documents Containing YANG Data | ||||
| Models", Work in Progress, Internet-Draft, draft-ietf- | ||||
| netmod-rfc8407bis-28, 5 June 2025, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | ||||
| rfc8407bis-28>. | ||||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| "Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
| RFC 2865, DOI 10.17487/RFC2865, June 2000, | RFC 2865, DOI 10.17487/RFC2865, June 2000, | |||
| <https://www.rfc-editor.org/rfc/rfc2865>. | <https://www.rfc-editor.org/info/rfc2865>. | |||
| [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | |||
| January 2006, <https://www.rfc-editor.org/rfc/rfc4252>. | January 2006, <https://www.rfc-editor.org/info/rfc4252>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <https://www.rfc-editor.org/rfc/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
| Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | |||
| <https://www.rfc-editor.org/rfc/rfc8040>. | <https://www.rfc-editor.org/info/rfc8040>. | |||
| [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
| BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
| [RFC8907] Dahm, T., Ota, A., Medway Gash, D.C., Carrel, D., and L. | [RFC8907] Dahm, T., Ota, A., Medway Gash, D.C., Carrel, D., and L. | |||
| Grant, "The Terminal Access Controller Access-Control | Grant, "The Terminal Access Controller Access-Control | |||
| System Plus (TACACS+) Protocol", RFC 8907, | System Plus (TACACS+) Protocol", RFC 8907, | |||
| DOI 10.17487/RFC8907, September 2020, | DOI 10.17487/RFC8907, September 2020, | |||
| <https://www.rfc-editor.org/rfc/rfc8907>. | <https://www.rfc-editor.org/info/rfc8907>. | |||
| [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", RFC 9000, | Multiplexed and Secure Transport", RFC 9000, | |||
| DOI 10.17487/RFC9000, May 2021, | DOI 10.17487/RFC9000, May 2021, | |||
| <https://www.rfc-editor.org/rfc/rfc9000>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
| [RFC9105] Wu, B., Ed., Zheng, G., and M. Wang, Ed., "A YANG Data | [RFC9105] Wu, B., Ed., Zheng, G., and M. Wang, Ed., "A YANG Data | |||
| Model for Terminal Access Controller Access-Control System | Model for Terminal Access Controller Access-Control System | |||
| Plus (TACACS+)", RFC 9105, DOI 10.17487/RFC9105, August | Plus (TACACS+)", RFC 9105, DOI 10.17487/RFC9105, August | |||
| 2021, <https://www.rfc-editor.org/rfc/rfc9105>. | 2021, <https://www.rfc-editor.org/info/rfc9105>. | |||
| [RFC9907] Bierman, A., Boucadair, M., Ed., and Q. Wu, "Guidelines | ||||
| for Authors and Reviewers of Documents Containing YANG | ||||
| Data Models", RFC 9907, DOI 10.17487/RFC9907, March 2026, | ||||
| <https://www.rfc-editor.org/info/rfc9907>. | ||||
| Appendix A. Example TACACS+ Authentication Configuration with Shared | Appendix A. Example TACACS+ Authentication Configuration with Shared | |||
| Secret | Secret | |||
| Figure 2 shows an example where a TACACS+ authentication server | Figure 2 shows an example where a TACACS+ authentication server | |||
| instance is configured using shared secret for authentication. This | instance is configured using a shared secret for authentication. | |||
| mode is not recommended per [I-D.ietf-opsawg-tacacs-tls13]. | This mode is not recommended per [RFC9887]. | |||
| { | { | |||
| "ietf-system:system": { | "ietf-system:system": { | |||
| "authentication": { | "authentication": { | |||
| "user-authentication-order": [ | "user-authentication-order": [ | |||
| "ietf-system-tacacs-plus:tacacs-plus", | "ietf-system-tacacs-plus:tacacs-plus", | |||
| "ietf-system:local-users" | "ietf-system:local-users" | |||
| ] | ] | |||
| }, | }, | |||
| "ietf-system-tacacs-plus:tacacs-plus": { | "ietf-system-tacacs-plus:tacacs-plus": { | |||
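Review bot: the Appendix A lead-in still only says the shared-secret mode "is not recommended per [RFC9887]" without giving the reason, and the reference swap from [I-D.ietf-opsawg-tacacs-tls13] to [RFC9887] leaves that gap as it was. Since Figure 2 is a complete, copy-ready configuration, consider adding one sentence with the reason [RFC9887] gives and pointing readers to the TACACS+ over TLS examples (Figure 4 with inline certificates, Figure 5 with certificate references) as the form to deploy, so an operator who lands on this example first does not take it as the default.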
| skipping to change at page 34, line 26 ¶ | skipping to change at line 1574 ¶ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 4: Example with TACACS+TLS with Inline Certificate Definitions | Figure 4: Example with TACACS+TLS with Inline Certificate Definitions | |||
| B.2. Example TACACS+ Authentication Configuration with Certificate | B.2. Example TACACS+ Authentication Configuration with Certificate | |||
| References | References | |||
| Figure 5 shows a configuration example with credential references for | Figure 5 shows a configuration example with credential references for | |||
| multiple service instances: four server instances are configured with | multiple service instances. Four server instances are configured, | |||
| all using the same credentials. These instances form a redundancy | all using the same credentials. These instances form a redundancy | |||
| group for both IPv4 and IPv6. | group for both IPv4 and IPv6. | |||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| { | { | |||
| "ietf-system:system": { | "ietf-system:system": { | |||
| "ietf-system-tacacs-plus:tacacs-plus": { | "ietf-system-tacacs-plus:tacacs-plus": { | |||
| "client-credentials": [ | "client-credentials": [ | |||
| { | { | |||
| skipping to change at page 47, line 13 ¶ | skipping to change at line 2184 ¶ | |||
| Thanks to Joe Clarke and Tom Petch for the review and comments. | Thanks to Joe Clarke and Tom Petch for the review and comments. | |||
| Thanks to Reshad Rahman for the yangdoctors review, Tina Tsou for the | Thanks to Reshad Rahman for the yangdoctors review, Tina Tsou for the | |||
| opsdir review, Ines Robles for the genart review, and Robert Sparks | opsdir review, Ines Robles for the genart review, and Robert Sparks | |||
| for the secdir review. | for the secdir review. | |||
| Thanks Mahesh Jethanandani for the AD review. | Thanks Mahesh Jethanandani for the AD review. | |||
| Thanks Erik Kline and Éric Vyncke for the IESG review. | Thanks Erik Kline and Éric Vyncke for the IESG review. | |||
| Authors of RFC 9105: Bo Wu | Bo Wu, Guangying Zheng, and Michael Wang were the authors of | |||
| [RFC9105]. | ||||
| Guangying Zheng | ||||
| Michael Wang | Acknowledgments from RFC 9105 | |||
| Acknowledgments from RFC 9105: The authors wish to thank Alex | The authors wish to thank Alex Campbell, John Heasley, Ebben Aries, | |||
| Campbell, John Heasley, Ebben Aries, Alan DeKok, Joe Clarke, Tom | Alan DeKok, Joe Clarke, Tom Petch, Robert Wilton, and many others for | |||
| Petch, Robert Wilton, and many others for their helpful comments | their helpful comments and suggestions. | |||
| and suggestions. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Mohamed Boucadair (editor) | Mohamed Boucadair (editor) | |||
| Orange | Orange | |||
| Email: mohamed.boucadair@orange.com | Email: mohamed.boucadair@orange.com | |||
| Bo Wu | Bo Wu | |||
| Huawei Technologies | Huawei Technologies | |||
| Email: mlana.wubo@huawei.com | Email: mlana.wubo@huawei.com | |||