idnits 2.17.1 draft-zheng-netmod-tacacs-yang-01.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 91 instances of too long lines in the document, the longest one being 130 characters in excess of 72.
** The abstract seems to contain references ([RFC8342]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
-- The document date (July 1, 2018) is 2119 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Missing Reference: 'RFC8040' is mentioned on line 1421, but not defined
== Missing Reference: 'RFC5246' is mentioned on line 1424, but not defined
** Obsolete undefined reference: RFC 5246 (Obsoleted by RFC 8446)
== Unused Reference: 'RFC1492' is defined on line 1458, but no explicit reference was found in the text
== Unused Reference: 'RFC6021' is defined on line 1471, but no explicit reference was found in the text
== Unused Reference: 'RFC792' is defined on line 1493, but no explicit reference was found in the text
** Downref: Normative reference to an Informational RFC: RFC 1492
** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)
** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341)

Summary: 6 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: January 2, 2019                                          Huawei
                                                            July 1, 2018

    Yang data model for Terminal Access Controller Access Control System Plus
                      draft-zheng-netmod-tacacs-yang-01

Abstract

   This document describes a data model of Terminal Access Controller
   Access Control System Plus (TACACS+).

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).
   Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 2, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Problem Statement
   4.  Design of the Data Model
     4.1.  TACACS+ Modules Overview
   5.  TACACS+ Module
   6.  Security Considerations
   7.  IANA Considerations
   8.  Normative References
   Authors' Addresses

1.  Introduction

   This document describes a data model of Terminal Access Controller
   Access Control System Plus (TACACS+).  TACACS+ provides Device
   Administration for routers, network access servers and other
   networked computing devices via one or more centralized servers.
   Various TACACS+ clients and servers have been widely deployed.

   This document defines a YANG [RFC7950] data model for TACACS+ draft-
   ietf-opsawg-tacacs-10 implementation and identification of some
   common properties within a device containing a Network Configuration
   Protocol (NETCONF) server.  Devices that are managed by NETCONF and
   perhaps other mechanisms have common properties that need to be
   configured and monitored in a standard way.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Problem Statement

   This document defines a YANG data model which allows users to
   configure the TACACS+ function on a network system.
   The YANG model can
   be used with network management protocols such as NETCONF [RFC6241]
   to install, manipulate, and delete the configuration of network
   devices.

   TACACS+ implementations in every device may vary greatly in terms of
   the data hierarchy and operations that they support.  Therefore this
   draft proposes a model that can be augmented by standard extensions
   and vendor proprietary models.

4.  Design of the Data Model

   Although different vendors have different TACACS+ data models, there
   is a common understanding of what Terminal Access Controller Access
   Control System Plus (TACACS+) is.  A network system usually has a
   TACACS+ function which provides centralized validation of users
   attempting to gain access to a device or network access server.

   TACACS+ services are maintained in a database on a TACACS server.

   TACACS+ provides for separate and modular authentication,
   authorization, and accounting facilities and allows for a single
   TACACS+ server to provide each service (authentication, authorization,
   and accounting) independently.  Each service can be tied into its own
   database to take advantage of other services available on that server
   or on the network, depending on the capabilities of the server.

4.1.  TACACS+ Modules Overview

   The ietf-tacacs+ module augments the "/sys:system" path defined in
   the ietf-system module [RFC7317] with the "tacacs" grouping defined in
   Section 3.2.

   Under the 'tacacs' grouping, there are a global-attributes container
   and a tacacs-templates container.

   The global-attributes container is used to present the 'enable' and
   'service-name' configuration and the global statistics information.

   The tacacs-templates container is used to describe the tacacs
   configuration templates and operation templates.

   Under the tacacs-templates container, there are a tacacs-servers
   container, an ipv6-servers container, and a host-servers container.
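   The container layout just described can be exercised before anything
   is pushed to a NETCONF or RESTCONF server.  The following is an added
   example, not code from the draft or from any TACACS+ implementation:
   it builds JSON instance data for one tacacs-template with a primary
   and a secondary authentication server (constructed sample values,
   RFC 7951 "module:node" naming assumed) and checks it against the
   constraints the module states, such as the 1..300 timeout range, the
   1..255 shared-key length, the 1..65535 server-port range with default
   49, the five-leaf key of the tacacs-server list, the 32-server limit
   per template, and the unicast requirement on server-ip.  The
   template-name character set is taken from the 'name' leaf
   description; everything else is a restatement of the module text.

```python
"""Build and check an instance of the ietf-tacacs data model (added example)."""
import ipaddress
import json
import re

# Constraints restated from the module text in Section 5 of the draft.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")        # leaf 'name' description
RANGES = {"timeout": (1, 300), "quiet-time": (1, 255), "server-port": (1, 65535)}
SERVER_TYPES = {"authentication", "authorization", "accounting", "common"}
SERVER_KEY = ("server-ip", "server-type", "secondary-server",
              "network-instance", "public-net")              # key of list tacacs-server
MAX_SERVERS_PER_TEMPLATE = 32                                # list description
TEMPLATE_DEFAULTS = {"domain-include": True, "timeout": 5,
                     "quiet-time": 5, "domain-mode": "yes"}
SERVER_DEFAULTS = {"server-port": 49, "mux-mode-enable": False}

# Constructed sample data: a primary and a secondary authentication server in
# network instance "mgmt"; addresses come from the RFC 5737 documentation range.
SAMPLE_SERVERS = [
    {"server-ip": "192.0.2.10", "server-type": "authentication",
     "secondary-server": False, "network-instance": "mgmt", "public-net": False},
    {"server-ip": "192.0.2.11", "server-type": "authentication",
     "secondary-server": True, "network-instance": "mgmt", "public-net": False,
     "server-port": 4949},
]


def build_instance(template_name, shared_key, servers, service_name="admin-login"):
    """Return a dict shaped like /sys:system/tcs:tacacs in RFC 7951 JSON naming.
    Leaves the module gives a default for are filled in when the caller omits them."""
    template = dict(TEMPLATE_DEFAULTS, name=template_name)
    template["shared-key"] = shared_key
    template["tacacs-servers"] = {
        "tacacs-server": [dict(SERVER_DEFAULTS, **s) for s in servers]}
    return {"ietf-system:system": {"ietf-tacacs:tacacs": {
        "global-attributes": {"enable": True, "service-name": service_name},
        "tacacs-templates": {"tacacs-template": [template]}}}}


def _in_range(leaf, value):
    lo, hi = RANGES[leaf]
    return isinstance(value, int) and lo <= value <= hi


def validate(instance):
    """Return the list of violations of the module's stated constraints;
    an empty list means the instance is acceptable."""
    problems = []
    tacacs = instance["ietf-system:system"]["ietf-tacacs:tacacs"]
    service = tacacs.get("global-attributes", {}).get("service-name")
    if service is not None and not 1 <= len(service) <= 32:
        problems.append("service-name: length must be 1..32")
    for tmpl in tacacs.get("tacacs-templates", {}).get("tacacs-template", []):
        name = tmpl.get("name", "")
        tag = f"template {name!r}"
        if not TEMPLATE_NAME_RE.match(name):
            problems.append(f"{tag}: name may only use a-z, 0-9, '.', '-' and '_'")
        for leaf in ("timeout", "quiet-time"):
            if not _in_range(leaf, tmpl.get(leaf, TEMPLATE_DEFAULTS[leaf])):
                problems.append(f"{tag}: {leaf} outside range {RANGES[leaf]}")
        key = tmpl.get("shared-key")
        if key is None:
            # Module text: a shared key "improves the communication security
            # between a router and TACACS server" and none is set by default.
            problems.append(f"{tag}: no shared-key configured")
        elif not 1 <= len(key) <= 255:
            problems.append(f"{tag}: shared-key length must be 1..255")
        servers = tmpl.get("tacacs-servers", {}).get("tacacs-server", [])
        if len(servers) > MAX_SERVERS_PER_TEMPLATE:
            problems.append(f"{tag}: more than {MAX_SERVERS_PER_TEMPLATE} servers")
        seen = set()
        for srv in servers:
            missing = [k for k in SERVER_KEY if k not in srv]
            if missing:
                problems.append(f"{tag}: server entry missing key leaves {missing}")
                continue
            entry = tuple(srv[k] for k in SERVER_KEY)
            if entry in seen:  # YANG list keys must be unique
                problems.append(f"{tag}: duplicate tacacs-server key {entry}")
            seen.add(entry)
            try:
                addr = ipaddress.IPv4Address(srv["server-ip"])
                if addr.is_multicast or addr.is_unspecified:
                    raise ValueError("not unicast")
            except ValueError:
                problems.append(f"{tag}: server-ip {srv['server-ip']!r} is not a "
                                "unicast IPv4 address")
            if srv["server-type"] not in SERVER_TYPES:
                problems.append(f"{tag}: unknown server-type {srv['server-type']!r}")
            if not _in_range("server-port", srv.get("server-port", 49)):
                problems.append(f"{tag}: server-port outside range 1..65535")
    return problems


def sample_instance():
    return build_instance("corp-tacacs", "constructed-example-key", SAMPLE_SERVERS)


if __name__ == "__main__":
    inst = sample_instance()
    print(json.dumps(inst, indent=1))
    print("violations:", validate(inst))
```

   Running the block prints the instance document and an empty
   violation list; feeding it a template without a shared-key, or two
   servers that collide on the five key leaves, reports the problem
   before a server would reject the edit.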
   In the direction orthogonal to the tacacs container, presented are
   the commands.  Those, in YANG terms, are the RPC commands.  These RPC
   commands provide uniform APIs for resetting all statistics, resetting
   authentication statistics, resetting authorization statistics,
   resetting accounting statistics, and resetting common statistics.

   The data model for tacacs has the following structure:

   module: ietf-tacacs
     augment /sys:system:
       +--rw tacacs {tacacs}?
          +--rw global-attributes
          |  +--rw enable?             boolean
          |  +--ro total-templates?    uint32
          |  +--ro total-servers?      uint32
          |  +--rw service-name?       string
          +--rw tacacs-templates
             +--rw tacacs-template* [name]
                +--rw name                            string
                +--rw domain-include?                 boolean
                +--rw timeout?                        uint32
                +--rw quiet-time?                     uint32
                +--rw shared-key?                     password-extend
                +--rw source-ip?                      inet:ipv4-address-no-zone
                +--rw domain-mode?                    domain-include
                +--ro pri-authen-srv?                 inet:ipv4-address-no-zone
                +--ro pri-common-srv?                 inet:ipv4-address-no-zone
                +--ro pri-author-srv?                 inet:ipv4-address-no-zone
                +--ro cur-authen-srv?                 inet:ipv4-address-no-zone
                +--ro cur-author-srv?                 inet:ipv4-address-no-zone
                +--ro sec-authen-srv-num?             uint32
                +--ro sec-common-srv-num?             uint32
                +--ro sec-author-srv-num?             uint32
                +--ro pri-authen-port?                uint32
                +--ro pri-common-port?                uint32
                +--ro pri-author-port?                uint32
                +--ro cur-authen-port?                uint32
                +--ro cur-author-port?                uint32
                +--ro authen-srv-connected-num?       uint32
                +--ro authen-srv-disconnected-num?    uint32
                +--ro authen-reqs-num?                uint32
                +--ro authen-rsps-num?                uint32
                +--ro authen-unknowns-num?            uint32
                +--ro authen-timeouts-num?            uint32
                +--ro authen-pkts-drop-num?           uint32
                +--ro authen-passwords-change-num?    uint32
                +--ro authen-logins-num?              uint32
                +--ro authen-send-reqs-num?           uint32
                +--ro authen-send-passwords-num?      uint32
                +--ro authen-abort-reqs-num?          uint32
                +--ro authen-connection-reqs-num?     uint32
                +--ro authen-rsp-errs-num?            uint32
                +--ro authen-rsp-fails-num?           uint32
                +--ro authen-rsp-follows-num?         uint32
                +--ro authen-get-data-num?            uint32
                +--ro authen-get-password-num?        uint32
                +--ro authen-get-user-num?            uint32
                +--ro authen-rsps-pass-num?           uint32
                +--ro authen-restart-num?             uint32
                +--ro authen-no-process-num?          uint32
                +--ro authen-time?                    uint32
                +--ro authen-errors-num?              uint32
                +--ro author-srv-connected-num?       uint32
                +--ro author-srv-disconnected-num?    uint32
                +--ro author-reqs-num?                uint32
                +--ro author-rsps-num?                uint32
                +--ro author-unknowns-num?            uint32
                +--ro author-timeouts-num?            uint32
                +--ro author-pkts-drop-num?           uint32
                +--ro author-reqs-exec-num?           uint32
                +--ro author-ppp-num?                 uint32
                +--ro author-vpdn-num?                uint32
                +--ro author-rsps-err-num?            uint32
                +--ro author-rsps-exec-num?           uint32
                +--ro author-rsps-ppp-num?            uint32
                +--ro author-rsps-vpdn-num?           uint32
                +--ro author-time?                    uint32
                +--ro author-reqs-not-process-num?    uint32
                +--ro author-errors-num?              uint32
                +--ro sec-accounting-servers-num?     uint32
                +--ro cur-account-port?               uint32
                +--ro pri-account-port?               uint32
                +--ro cur-account-srv?                inet:ipv4-address-no-zone
                +--ro pri-account-srv?                inet:ipv4-address-no-zone
                +--ro account-pkts-stop-num?          uint32
                +--ro account-rsps-pass-num?          uint32
                +--ro account-rsps-num?               uint32
                +--ro account-srvs-connected-num?     uint32
                +--ro account-pkts-rsps-num?          uint32
                +--ro account-reqs-num?               uint32
                +--ro account-srv-disconnected-num?   uint32
                +--ro account-rsps-errs-num?          uint32
                +--ro account-follow-rsps-num?        uint32
                +--ro account-reqs-not-process-num?   uint32
                +--rw tacacs-servers
                |  +--rw tacacs-server* [server-ip server-type secondary-server network-instance public-net]
                |     +--rw server-ip                      inet:ipv4-address-no-zone
                |     +--rw server-type                    server-type
                |     +--rw secondary-server               boolean
                |     +--rw network-instance               -> /ni:network-instances/network-instance/name
                |     +--rw public-net                     boolean
                |     +--rw server-port?                   uint32
                |     +--rw mux-mode-enable?               boolean
                |     +--ro server-current-state?          server-state
                |     +--ro current-srv?                   boolean
                |     +--rw shared-key?                    password-extend
                |     +--ro authen-srv-connected-num?      uint32
                |     +--ro authen-srv-disconnected-num?   uint32
                |     +--ro authen-reqs-num?               uint32
                |     +--ro authen-rsps-num?               uint32
                |     +--ro author-srv-connected-num?      uint32
                |     +--ro author-srv-disconnected-num?   uint32
                |     +--ro author-reqs-num?               uint32
                |     +--ro author-rsps-num?               uint32
                |     +--ro acct-reqs-num?                 uint32
                |     +--ro acct-rsps-num?                 uint32
                |     +--ro acct-srv-connected-num?        uint32
                |     +--ro acct-srv-disconnected-num?     uint32
                +--rw ipv6-servers
                |  +--rw ipv6-server* [server-ip server-type secondary-server network-instance]
                |     +--rw server-ip                      inet:ipv6-address-no-zone
                |     +--rw server-type                    server-type
                |     +--rw secondary-server               boolean
                |     +--rw network-instance               -> /ni:network-instances/network-instance/name
                |     +--rw server-port?                   uint32
                |     +--rw mux-mode-enable?               boolean
                |     +--ro server-state?                  server-state
                |     +--ro current-srv?                   boolean
                |     +--rw shared-key?                    password-extend
                |     +--ro authen-srv-connected-num?      uint32
                |     +--ro authen-srv-disconnected-num?   uint32
                |     +--ro authen-reqs-num?               uint32
                |     +--ro authen-rsps-num?               uint32
                |     +--ro author-srv-connected-num?      uint32
                |     +--ro author-srv-disconnected-num?   uint32
                |     +--ro author-reqs-num?               uint32
                |     +--ro author-rsps-num?               uint32
                |     +--ro acct-reqs-num?                 uint32
                |     +--ro acct-rsps-num?                 uint32
                |     +--ro acct-srv-connected-num?        uint32
                |     +--ro acct-srv-disconnected-num?     uint32
                +--rw host-servers
                   +--rw host-server* [server-host-name server-type secondary-server network-instance public-net]
                      +--rw server-host-name               string
                      +--rw server-type                    server-type
                      +--rw secondary-server               boolean
                      +--rw network-instance               -> /ni:network-instances/network-instance/name
                      +--rw public-net                     boolean
                      +--rw server-port?                   uint32
                      +--rw mux-mode-enable?               boolean
                      +--ro server-state?                  server-state
                      +--ro current-server?                boolean
                      +--rw shared-key?                    password-extend
                      +--ro authen-srv-connected-num?      uint32
                      +--ro authen-srv-disconnected-num?   uint32
                      +--ro authen-reqs-num?               uint32
                      +--ro authen-rsps-num?               uint32
                      +--ro author-srv-connected-num?      uint32
                      +--ro author-srv-disconnected-num?   uint32
                      +--ro author-reqs-num?               uint32
                      +--ro author-rsps-num?               uint32
                      +--ro acct-reqs-num?                 uint32
                      +--ro acct-rsps-num?                 uint32
                      +--ro acct-srv-connected-num?        uint32
                      +--ro acct-srv-disconnected-num?     uint32

     rpcs:
       +---x rest-all-statistics
       +---x reset-authen-statistics
       +---x reset-author-statistics
       +---x reset-account-statistics
       +---x reset-common-statistics

5.  TACACS+ Module

   file "ietf-tacacs@2018-06-25.yang"

   module ietf-tacacs {
     namespace "urn:ietf:params:xml:ns:yang:ietf-tacacs";
     prefix tcs;

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-network-instance {
       prefix ni;
     }
     import ietf-system {
       prefix sys;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
     contact
       "WG Web:
        WG List:

        Editor: Guangying Zheng
       ";
     description
       "This module defines a component that describes the
        configuration of TACACS+.";

     revision 2018-06-25 {
       description
         "Initial revision.";
       reference "foo";
     }

     typedef password-extend {
       type string {
         length "1..255";
       }
       description
         "Extended password type; currently a plain string.";
     }
     typedef timezone-name {
       type string;
       description
         "A time zone name as used by the Time Zone Database,
          sometimes referred to as the 'Olson Database'.

          The exact set of valid values is an implementation-specific
          matter.  Client discovery of the exact set of time zone names
          for a particular server is out of scope.";
       reference "RFC 6557: Procedures for Maintaining the Time Zone Database";
     }
     typedef server-state {
       type enumeration {
         enum "up" {
           description
             "The server is active.";
         }
         enum "down" {
           description
             "The server is inactive.";
         }
       }
       description
         "The type of tacacs server state.";
     }
     typedef server-type {
       type enumeration {
         enum "authentication" {
           description
             "The server is an authentication server.";
         }
         enum "authorization" {
           description
             "The server is an authorization server.";
         }
         enum "accounting" {
           description
             "The server is an accounting server.";
         }
         enum "common" {
           description
             "The server is a common server.";
         }
       }
       description
         "The type of tacacs server.";
     }
     typedef domain-include {
       type enumeration {
         enum "no" {
           description
             "User name excludes domain.";
         }
         enum "yes" {
           description
             "User name includes domain.";
         }
         enum "original" {
           description
             "User name same as user input.";
         }
       }
       description
         "The type of domain mode.";
     }

     feature tacacs {
       description
         "Indicates that the device can be configured as a tacacs
          client.";
     }

     grouping tacacs {
       container tacacs {
         if-feature tacacs;
         description
           "Container for TACACS configurations and operations.";
         container global-attributes {
           description
             "TACACS global attributes.";
           leaf enable {
             type boolean;
             default "false";
             description
               "Whether the TACACS server is enabled.";
           }
           leaf total-templates {
             type uint32;
             config false;
             description
               "Total number of TACACS templates configured.";
           }
           leaf total-servers {
             type uint32;
             config false;
             description
               "Total number of TACACS servers configured.";
           }
           leaf service-name {
             type string {
               length "1..32";
             }
             description
               "TACACS service name.";
           }
         }
         container tacacs-templates {
           description
             "A set of TACACS templates.";
           list tacacs-template {
             key "name";
             description
               "List for tacacs template.";
             leaf name {
               type string;
               description
                 "Name of a TACACS template; it is not case sensitive.
                  The template name can contain letters a to z (case
                  insensitive), digits 0 to 9, and the symbols '.', '-'
                  and '_'.";
             }
             leaf domain-include {
               type boolean;
               default "true";
               description
                 "Whether a domain name is included in a user name.
                  By default, a user name contains the domain name.";
             }
             leaf timeout {
               type uint32 {
                 range "1..300";
               }
               default "5";
               description
                 "Server response timeout period.  The default timeout
                  period is 5 seconds.";
             }
             leaf quiet-time {
               type uint32 {
                 range "1..255";
               }
               default "5";
               description
                 "Time period after which the primary server restores to
                  active.  The default time period is 5 minutes.  The time
                  period can be modified no matter whether users are using
                  the TACACS template.";
             }
             leaf shared-key {
               type password-extend;
               description
                 "Shared key for a TACACS server.  Configuring a shared key
                  improves the communication security between a router and
                  TACACS server.  By default, no shared key is configured.";
             }
             leaf source-ip {
               type inet:ipv4-address-no-zone;
               description
                 "Source IP address for a TACACS server.";
             }
             leaf domain-mode {
               type domain-include;
               default "yes";
               description
                 "Domain mode.";
             }
             leaf pri-authen-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the primary authentication server.";
             }
             leaf pri-common-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the primary common server.";
             }
             leaf pri-author-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the primary authorization server.";
             }
             leaf cur-authen-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the authentication server being used.";
             }
             leaf cur-author-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the authorization server being used.";
             }
             leaf sec-authen-srv-num {
               type uint32;
               config false;
               description
                 "Total number of configured secondary authentication
                  servers in the template.";
             }
             leaf sec-common-srv-num {
               type uint32;
               config false;
               description
                 "Total number of configured secondary common servers in
                  the template.";
             }
             leaf sec-author-srv-num {
               type uint32;
               config false;
               description
                 "Total number of configured secondary authorization
                  servers in the template.";
             }
             leaf pri-authen-port {
               type uint32;
               config false;
               description
                 "Port of the primary authentication server.";
             }
             leaf pri-common-port {
               type uint32;
               config false;
               description
                 "Port of the primary common server.";
             }
             leaf pri-author-port {
               type uint32;
               config false;
               description
                 "Port of the primary authorization server.";
             }
             leaf cur-authen-port {
               type uint32;
               config false;
               description
                 "Authentication server port being used.";
             }
             leaf cur-author-port {
               type uint32;
               config false;
               description
                 "Authorization server port being used.";
             }
             leaf authen-srv-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client connected to the
                  authentication server.";
             }
             leaf authen-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client disconnected from
                  the authentication server.";
             }
             leaf authen-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authentication requests.";
             }
             leaf authen-rsps-num {
               type uint32;
               config false;
               description
                 "Number of authentication responses.";
             }
             leaf authen-unknowns-num {
               type uint32;
               config false;
               description
                 "Number of unknown authentication packets received by the
                  TACACS client.";
             }
             leaf authen-timeouts-num {
               type uint32;
               config false;
               description
                 "Number of times that authentication times out.";
             }
             leaf authen-pkts-drop-num {
               type uint32;
               config false;
               description
                 "Number of times that authentication packets are dropped.";
             }
             leaf authen-passwords-change-num {
               type uint32;
               config false;
               description
                 "Number of times that the password is changed for
                  authentication.";
             }
             leaf authen-logins-num {
               type uint32;
               config false;
               description
                 "Number of authentication logins.";
             }
             leaf authen-send-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authentication requests sent to the server.";
             }
             leaf authen-send-passwords-num {
               type uint32;
               config false;
               description
                 "Number of authentication password requests sent to the
                  server.";
             }
             leaf authen-abort-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authentication abort requests sent to the
                  server.";
             }
             leaf authen-connection-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authentication connection requests sent to the
                  server.";
             }
             leaf authen-rsp-errs-num {
               type uint32;
               config false;
               description
                 "Number of authentication error responses received from
                  the server.";
             }
             leaf authen-rsp-fails-num {
               type uint32;
               config false;
               description
                 "Number of authentication response failures received from
                  the server.";
             }
             leaf authen-rsp-follows-num {
               type uint32;
               config false;
               description
                 "Number of authentication Follow responses received from
                  the server.";
             }
             leaf authen-get-data-num {
               type uint32;
               config false;
               description
                 "Number of authentication data responses received from
                  the server.";
             }
             leaf authen-get-password-num {
               type uint32;
               config false;
               description
                 "Number of authentication password responses received from
                  the server.";
             }
             leaf authen-get-user-num {
               type uint32;
               config false;
               description
                 "Number of authentication user responses received from
                  the server.";
             }
             leaf authen-rsps-pass-num {
               type uint32;
               config false;
               description
                 "Number of authentication-pass responses received from
                  the server.";
             }
             leaf authen-restart-num {
               type uint32;
               config false;
               description
                 "Number of authentication-restart responses received from
                  the server.";
             }
             leaf authen-no-process-num {
               type uint32;
               config false;
               description
                 "Number of authentication requests that are not processed.";
             }
             leaf authen-time {
               type uint32;
               config false;
               description
                 "Time (in ticks) taken to complete the authentication.";
             }
             leaf authen-errors-num {
               type uint32;
               config false;
               description
                 "Number of authentication errors.";
             }
             leaf author-srv-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client connected to the
                  authorization server.";
             }
             leaf author-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client disconnected from
                  the authorization server.";
             }
             leaf author-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests.";
             }
             leaf author-rsps-num {
               type uint32;
               config false;
               description
                 "Number of authorization responses.";
             }
             leaf author-unknowns-num {
               type uint32;
               config false;
               description
                 "Number of unknown authorization packets received by the
                  TACACS client.";
             }
             leaf author-timeouts-num {
               type uint32;
               config false;
               description
                 "Number of times that authorization times out.";
             }
             leaf author-pkts-drop-num {
               type uint32;
               config false;
               description
                 "Number of times that authorization packets are dropped.";
             }
             leaf author-reqs-exec-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests for execute.";
             }
             leaf author-ppp-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests for PPP.";
             }
             leaf author-vpdn-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests for VPDN.";
             }
             leaf author-rsps-err-num {
               type uint32;
               config false;
               description
                 "Number of authorization error responses.";
             }
             leaf author-rsps-exec-num {
               type uint32;
               config false;
               description
                 "Number of authorization execute responses.";
             }
             leaf author-rsps-ppp-num {
               type uint32;
               config false;
               description
                 "Number of authorization PPP responses.";
             }
             leaf author-rsps-vpdn-num {
               type uint32;
               config false;
               description
                 "Number of authorization VPDN responses.";
             }
             leaf author-time {
               type uint32;
               config false;
               description
                 "Time (in ticks) taken to complete authorization.";
             }
             leaf author-reqs-not-process-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests that are not processed.";
             }
             leaf author-errors-num {
               type uint32;
               config false;
               description
                 "Number of authorization errors.";
             }
             leaf sec-accounting-servers-num {
               type uint32;
               config false;
               description
                 "Number of secondary accounting servers in the template.";
             }
             leaf cur-account-port {
               type uint32;
               config false;
               description
                 "Accounting server port being used.";
             }
             leaf pri-account-port {
               type uint32;
               config false;
               description
                 "Port of the primary accounting server.";
             }
             leaf cur-account-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "IP address of the accounting server being used.";
             }
             leaf pri-account-srv {
               type inet:ipv4-address-no-zone;
               config false;
               description
                 "Primary accounting server.";
             }
             leaf account-pkts-stop-num {
               type uint32;
               config false;
               description
                 "Number of responses to accounting-stop packets.";
             }
             leaf account-rsps-pass-num {
               type uint32;
               config false;
               description
                 "Number of responses to accounting-pass packets.";
             }
             leaf account-rsps-num {
               type uint32;
               config false;
               description
                 "Number of responses to accounting requests.";
             }
             leaf account-srvs-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client connected to the
                  accounting server.";
             }
             leaf account-pkts-rsps-num {
               type uint32;
               config false;
               description
                 "Number of responses to accounting-start packets.";
             }
             leaf account-reqs-num {
               type uint32;
               config false;
               description
                 "Number of accounting requests sent to the server.";
             }
             leaf account-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS client disconnected from
                  the accounting server.";
             }
             leaf account-rsps-errs-num {
               type uint32;
               config false;
               description
                 "Number of abnormal accounting responses received from the
                  server.";
             }
             leaf account-follow-rsps-num {
               type uint32;
               config false;
               description
                 "Number of accounting Follow responses received from the
                  server.";
             }
             leaf account-reqs-not-process-num {
               type uint32;
               config false;
               description
                 "Number of accounting requests that are not processed.";
             }
             container tacacs-servers {
               description
                 "A set of TACACS servers.";
               list tacacs-server {
                 key "server-ip server-type secondary-server network-instance public-net";
                 description
                   "TACACS IPv4 server.  A maximum of 32 servers can be
                    configured in one template.";
                 leaf server-ip {
                   type inet:ipv4-address-no-zone;
                   description
                     "Server IPv4 address.  Must be a valid unicast IP
                      address.";
                 }
                 leaf server-type {
                   type server-type;
                   description
                     "Server type: authentication/authorization/accounting/
                      common.";
                 }
                 leaf secondary-server {
                   type boolean;
                   description
                     "Whether the server is secondary.  By default, a server
                      is a secondary server.";
                 }
                 leaf network-instance {
                   type leafref {
                     path "/ni:network-instances/ni:network-instance/ni:name";
                   }
                   description
                     "VPN instance name.";
                 }
                 leaf public-net {
                   type boolean;
                   description
                     "Set the public-net.";
                 }
                 leaf server-port {
                   type uint32 {
                     range "1..65535";
                   }
                   default "49";
                   description
                     "Server port.  Value range: 1-65535.  The default port
                      number is 49.";
                 }
                 leaf mux-mode-enable {
                   type boolean;
                   default "false";
                   description
                     "Whether the MUX mode is enabled for the server.  By
                      default, the MUX mode is disabled.";
                 }
                 leaf server-current-state {
                   type server-state;
                   config false;
                   description
                     "Server running status.";
                 }
                 leaf current-srv {
                   type boolean;
                   default "false";
                   config false;
                   description
                     "Whether the server is being used.";
                 }
                 leaf shared-key {
                   type password-extend;
                   description
                     "Shared key for a TACACS server.  Configuring a shared
                      key improves the communication security between a
                      router and TACACS server.  By default, no shared key
                      is configured.";
                 }
                 leaf authen-srv-connected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client connected to
                      the authentication server.";
                 }
                 leaf authen-srv-disconnected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client disconnected
                      from the authentication server.";
                 }
                 leaf authen-reqs-num {
                   type uint32;
                   config false;
                   description
                     "Number of authentication requests.";
                 }
                 leaf authen-rsps-num {
                   type uint32;
                   config false;
                   description
                     "Number of authentication responses.";
                 }
                 leaf author-srv-connected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client connected to
                      the authorization server.";
                 }
                 leaf author-srv-disconnected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client disconnected
                      from the authorization server.";
                 }
                 leaf author-reqs-num {
                   type uint32;
                   config false;
                   description
                     "Number of authorization requests.";
                 }
                 leaf author-rsps-num {
                   type uint32;
                   config false;
                   description
                     "Number of authorization responses.";
                 }
                 leaf acct-reqs-num {
                   type uint32;
                   config false;
                   description
                     "Number of accounting requests.";
                 }
                 leaf acct-rsps-num {
                   type uint32;
                   config false;
                   description
                     "Number of accounting responses.";
                 }
                 leaf acct-srv-connected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client connected to
                      the accounting server.";
                 }
                 leaf acct-srv-disconnected-num {
                   type uint32;
                   config false;
                   description
                     "Number of times that the TACACS client disconnected
                      from the accounting server.";
                 }
               }
             }
             container ipv6-servers {
               description
                 "A set of TACACS servers.";
               list ipv6-server {
                 key "server-ip server-type secondary-server network-instance";
                 description
                   "TACACS IPv6 server.  A maximum of 32 servers can be
                    configured in one template.";
                 leaf server-ip {
                   type inet:ipv6-address-no-zone;
                   description
                     "Server IPv6 address.  Must be a valid unicast IP
                      address.";
                 }
                 leaf server-type {
                   type server-type;
                   description
                     "Server type: authentication/authorization/accounting/
                      common.";
                 }
                 leaf secondary-server {
                   type boolean;
                   description
                     "Whether the server is secondary.  By default, a server
                      is a secondary server.";
                 }
                 leaf network-instance {
                   type leafref {
                     path "/ni:network-instances/ni:network-instance/ni:name";
                   }
                   description
                     "VPN instance name.";
                 }
                 leaf server-port {
                   type uint32 {
                     range "1..65535";
                   }
                   default "49";
                   description
                     "Server port.  Value range: 1-65535.  The default port
                      number is 49.";
                 }
                 leaf mux-mode-enable {
                   type boolean;
                   default "false";
                   description
                     "Whether the MUX mode is enabled for the server.
By default, the MUX mode is disabled."; 1145 } 1146 leaf server-state { 1147 type server-state; 1148 config false; 1149 description 1150 "Server running status."; 1151 } 1152 leaf current-srv { 1153 type boolean; 1154 default "false"; 1155 config false; 1156 description 1157 "Whether the server is being used."; 1158 } 1159 leaf shared-key { 1160 type password-extend; 1161 description 1162 "Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured."; 1163 } 1164 leaf authen-srv-connected-num { 1165 type uint32; 1166 config false; 1167 description 1168 "Number of times that the TACACS client connected to the authentication server."; 1169 } 1170 leaf authen-srv-disconnected-num { 1171 type uint32; 1172 config false; 1173 description 1174 "Number of times that the TACACS client disconnected from the authentication server."; 1175 } 1176 leaf authen-reqs-num { 1177 type uint32; 1178 config false; 1179 description 1180 "Number of authentication requests. "; 1181 } 1182 leaf authen-rsps-num { 1183 type uint32; 1184 config false; 1185 description 1186 "Number of authentication responses."; 1187 } 1188 leaf author-srv-connected-num { 1189 type uint32; 1190 config false; 1191 description 1192 "Number of times that the TACACS client connected to the authorization server."; 1193 } 1194 leaf author-srv-disconnected-num { 1195 type uint32; 1196 config false; 1197 description 1198 "Number of times that the TACACS client disconnected from the authorization server."; 1199 } 1200 leaf author-reqs-num{ 1201 type uint32; 1202 config false; 1203 description 1204 "Number of authorization requests. "; 1205 } 1206 leaf author-rsps-num { 1207 type uint32; 1208 config false; 1209 description 1210 "Number of authorization responses."; 1211 } 1212 leaf acct-reqs-num { 1213 type uint32; 1214 config false; 1215 description 1216 "Number of accounting requests. 
"; 1217 } 1218 leaf acct-rsps-num { 1219 type uint32; 1220 config false; 1221 description 1222 "Number of accounting responses."; 1223 } 1224 leaf acct-srv-connected-num { 1225 type uint32; 1226 config false; 1227 description 1228 "Number of times that the TACACS client connected to the accounting server."; 1229 } 1230 leaf acct-srv-disconnected-num { 1231 type uint32; 1232 config false; 1233 description 1234 "Number of times that the TACACS client disconnected from the accounting server."; 1235 } 1236 } 1237 } 1238 container host-servers { 1239 description 1240 "A set of TACACS host servers."; 1241 list host-server { 1242 key "server-host-name server-type secondary-server network-instance public-net"; 1243 description 1244 "TACACS host server. A maximum 32 servers can be configured in one template."; 1245 leaf server-host-name { 1246 type string { 1247 length "1..255"; 1248 } 1249 description 1250 "Host name of TACACS server. Host name, Can include character '.', '-', '_' and lowercase or uppercase letters and digit, at least include one letter or digit."; 1251 } 1252 leaf server-type { 1253 type server-type; 1254 description 1255 "Server type: authentication/authorization/accounting/common."; 1256 } 1257 leaf secondary-server { 1258 type boolean; 1259 description 1260 "Whether the server is secondary. By default, a server is a secondary server."; 1261 } 1262 leaf network-instance { 1263 type leafref { 1264 path "/ni:network-instances/ni:network-instance/ni:name"; 1265 } 1266 description 1267 "VPN instance name."; 1268 } 1269 leaf public-net { 1270 type boolean; 1271 description 1272 "Set the public-net."; 1273 } 1274 leaf server-port { 1275 type uint32 { 1276 range "1..65535"; 1277 } 1278 default "49"; 1279 description 1280 "Server port. Value range: 1-65535. The default port number is 49."; 1281 } 1282 leaf mux-mode-enable { 1283 type boolean; 1284 default "false"; 1285 description 1286 "Whether the MUX mode is enabled for the server. 
By default, the MUX mode is disabled."; 1287 } 1288 leaf server-state { 1289 type server-state; 1290 config false; 1291 description 1292 "Server running status."; 1293 } 1294 leaf current-server { 1295 type boolean; 1296 default "false"; 1297 config false; 1298 description 1299 "Whether the server is being used."; 1300 } 1301 leaf shared-key { 1302 type password-extend; 1303 description 1304 "Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured."; 1305 } 1306 leaf authen-srv-connected-num { 1307 type uint32; 1308 config false; 1309 description 1310 "Number of times that the TACACS client connected to the authentication server."; 1311 } 1312 leaf authen-srv-disconnected-num { 1313 type uint32; 1314 config false; 1315 description 1316 "Number of times that the TACACS client disconnected from the authentication server."; 1317 } 1318 leaf authen-reqs-num { 1319 type uint32; 1320 config false; 1321 description 1322 "Number of authentication requests. "; 1323 } 1324 leaf authen-rsps-num { 1325 type uint32; 1326 config false; 1327 description 1328 "Number of authentication responses."; 1329 } 1330 leaf author-srv-connected-num { 1331 type uint32; 1332 config false; 1333 description 1334 "Number of times that the TACACS client connected to the authorization server."; 1335 } 1336 leaf author-srv-disconnected-num { 1337 type uint32; 1338 config false; 1339 description 1340 "Number of times that the TACACS client disconnected from the authorization server."; 1341 } 1342 leaf author-reqs-num { 1343 type uint32; 1344 config false; 1345 description 1346 "Number of authorization requests. "; 1347 } 1348 leaf author-rsps-num { 1349 type uint32; 1350 config false; 1351 description 1352 "Number of authorization responses."; 1353 } 1354 leaf acct-reqs-num { 1355 type uint32; 1356 config false; 1357 description 1358 "Number of accounting requests. 
"; 1359 } 1360 leaf acct-rsps-num { 1361 type uint32; 1362 config false; 1363 description 1364 "Number of accounting responses."; 1365 } 1366 leaf acct-srv-connected-num { 1367 type uint32; 1368 config false; 1369 description 1370 "Number of times that the TACACS client connected to the accounting server."; 1371 } 1372 leaf acct-srv-disconnected-num { 1373 type uint32; 1374 config false; 1375 description 1376 "Number of times that the TACACS client disconnected from the accounting server."; 1377 } 1378 } 1379 } 1380 } 1381 } 1382 } 1383 description 1384 "Grouping for tacacs"; 1385 } 1387 augment "/sys:system" { 1388 uses tacacs; 1389 description 1390 "Augment the system module"; 1391 } 1393 rpc rest-all-statistics { 1394 description 1395 "Reset All Statistics."; 1396 } 1397 rpc reset-authen-statistics { 1398 description 1399 "Reset authentication statistics of the TACACS server."; 1400 } 1401 rpc reset-author-statistics { 1402 description 1403 "Reset authorization statistics of the TACACS server."; 1404 } 1405 rpc reset-account-statistics { 1406 description 1407 "Reset accounting statistics of the TACACS server."; 1408 } 1409 rpc reset-common-statistics { 1410 description 1411 "Reset common statistics of the TACACS server."; 1412 } 1413 } 1415 1417 6. Security Considerations 1419 The YANG module defined in this document is designed to be accessed 1420 via network management protocols such as NETCONF [RFC6241] or 1421 RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport 1422 layer, and the mandatory-to-implement secure transport is Secure 1423 Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the 1424 mandatory-to-implement secure transport is TLS [RFC5246]. 1426 The NETCONF access control model [RFC6536] provides the means to 1427 restrict access for particular NETCONF or RESTCONF users to a 1428 preconfigured subset of all available NETCONF or RESTCONF protocol 1429 operations and content. 
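   The tacacs-server list in the module above carries several constraints
   a writer should honour before an edit reaches the device: the five-leaf
   list key must be unique, server-port is limited to 1..65535 with a
   default of 49, at most 32 servers may be configured in one template,
   and shared-key is the one config true leaf whose absence weakens the
   connection. The following Python is an added example, not code from the
   draft: it checks a constructed RESTCONF-style JSON payload against those
   constraints. The enum identifiers for server-type and the JSON shape of
   the container are assumptions; the enclosing path under /sys:system is
   outside this excerpt.

```python
"""Added example (not part of the draft): check a constructed instance of the
tacacs-server list against the constraints the module states."""
import ipaddress
import json

MAX_SERVERS = 32                               # "A maximum of 32 servers ... in one template"
LIST_KEY = ("server-ip", "server-type", "secondary-server",
            "network-instance", "public-net")   # key statement of list tacacs-server
# Enum identifiers for typedef server-type are assumed; the draft's description
# only lists "authentication/authorization/accounting/common".
SERVER_TYPES = {"authentication", "authorization", "accounting", "common"}

# Constructed RESTCONF-style JSON payload; the second entry is deliberately
# out of range and has no shared-key so the checker has something to report.
SAMPLE = json.loads("""{
  "tacacs-servers": {"tacacs-server": [
    {"server-ip": "192.0.2.10", "server-type": "common", "secondary-server": false,
     "network-instance": "mgmt", "public-net": false, "shared-key": "example-key"},
    {"server-ip": "192.0.2.11", "server-type": "common", "secondary-server": true,
     "network-instance": "mgmt", "public-net": false, "server-port": 70000}
  ]}
}""")


def validate_tacacs_servers(doc: dict) -> list[str]:
    """Return the constraint violations found in doc (an empty list means valid)."""
    problems = []
    servers = doc.get("tacacs-servers", {}).get("tacacs-server", [])
    if len(servers) > MAX_SERVERS:
        problems.append(f"{len(servers)} servers exceed the limit of {MAX_SERVERS}")
    seen = set()
    for i, s in enumerate(servers):
        missing = [k for k in LIST_KEY if k not in s]
        if missing:
            problems.append(f"entry {i}: missing key leaf(s) {missing}")
            continue
        key = tuple(s[k] for k in LIST_KEY)           # list entries are unique by key
        if key in seen:
            problems.append(f"entry {i}: duplicate list key {key}")
        seen.add(key)
        try:                                           # "Must be a valid unicast IP address."
            addr = ipaddress.IPv4Address(s["server-ip"])
            if addr.is_multicast or addr.is_unspecified or addr.is_reserved:
                problems.append(f"entry {i}: {addr} is not a unicast address")
        except ValueError:
            problems.append(f"entry {i}: server-ip {s['server-ip']!r} is not IPv4")
        if s["server-type"] not in SERVER_TYPES:
            problems.append(f"entry {i}: unknown server-type {s['server-type']!r}")
        port = s.get("server-port", 49)                # default "49", range "1..65535"
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"entry {i}: server-port {port!r} outside 1..65535")
        if not s.get("shared-key"):                    # config true, no default in the model
            problems.append(f"entry {i}: no shared-key configured")
    return problems
```

   Run against SAMPLE the checker reports two problems for the second entry
   (the port and the missing shared key) and none for the first.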
   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default). These data nodes may be considered sensitive or vulnerable
   in some network environments. Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.

7. IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-tacacs
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-tacacs
      Namespace: urn:ietf:params:xml:ns:yang:ietf-tacacs
      Prefix: tcs
      Reference: RFC XXXX

8. Normative References

   [RFC1492]  Finseth, C., "An Access Control Protocol, Sometimes Called
              TACACS", RFC 1492, DOI 10.17487/RFC1492, July 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6021]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6021, DOI 10.17487/RFC6021, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com

   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com

   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com