Aller au contenu principal

3. Design of the TACACS+ Data Model

Cette section conserve le texte RFC relatif au TACACS+ client YANG model, y compris RFC 9105 changes, TLS 1.3 support, ietf-system-tacacs-plus module, credential references, NACM-sensitive nodes, IANA registrations, JSON examples et full tree.

Texte RFC original

3.  Design of the TACACS+ Data Model

This module is used to configure a TACACS+ client on a device to
support deployment scenarios with centralized AAA servers.
Authentication is used to validate a user's username and password,
authorization allows the user to access and execute commands at
various privilege levels assigned to the user, and accounting keeps
track of the activity of a user who has accessed the device.

The "ietf-system-tacacs-plus" module augments the '/sys:system' path
defined in the "ietf-system" module with the contents of the 'tacacs-
plus' grouping. Therefore, a device can use local, RADIUS, or
TACACS+ authentication to validate users who attempt to access the
device by several mechanisms, e.g., a command line interface or a
web-based user interface.

The 'server' list, which is directly under the 'tacacs-plus'
container, holds a list of TACACS+ servers and uses 'server-type' to
distinguish between AAA services. The list of servers is for
redundancy.

When there are multiple interfaces connected to a TACACS+ client or
server, the source address of outgoing TACACS+ packets could be
specified, or the source address could be specified through the
interface IP address setting or derived from the outbound interface
from the local Forwarding Information Base (FIB). For a TACACS+
server located in a Virtual Private Network (VPN), a VRF instance
needs to be specified.

The 'statistics' container under the 'server' list is a collection of
read-only counters for sent and received messages from a configured
server.

The YANG module for TACACS+ client has the structure shown in
Figure 1.

augment /sys:system:
+--rw tacacs-plus
+--rw client-credentials* [id] {credential-reference}?
| +--rw id string
| +--rw (auth-type)?
| +--:(certificate)
| | ...
| +--:(raw-public-key) {tlsc:client-ident-raw-public-key}?
| | ...
| +--:(tls13-epsk) {tlsc:client-ident-tls13-epsk}?
| ...
+--rw server-credentials* [id] {credential-reference}?
| +--rw id string
| +--rw ca-certs!
| | ...
| +--rw ee-certs!
| | ...
| +--rw raw-public-keys! {tlsc:server-auth-raw-public-key}?
| | ...
| +--rw tls13-epsks? empty
| {tlsc:server-auth-tls13-epsk}?
+--rw server* [name]
+--rw name string
+--rw server-type
| tacacs-plus-server-type
+--rw domain-name? inet:domain-name
+--rw sni-enabled? boolean
+--rw address inet:host
+--rw port inet:port-number
+--rw (security)
| +--:(tls)
| | +--rw client-identity!
| | | +--rw (ref-or-explicit)?
| | | +--:(ref)
| | | | +--rw credentials-reference?
| | | | sys-tcs-plus:client-credentials-ref
| | | | {credential-reference}?
| | | +--:(explicit)
| | | +--rw (auth-type)?
| | | +--:(certificate)
| | | | ...
| | | +--:(raw-public-key)
| | | | {tlsc:client-ident-raw-public-key}?
| | | | ...
| | | +--:(tls13-epsk)
| | | {tlsc:client-ident-tls13-epsk}?
| | | ...
| | +--rw server-authentication
| | | +--rw (ref-or-explicit)?
| | | +--:(ref)
| | | | +--rw credentials-reference?
| | | | sys-tcs-plus:server-credentials-ref
| | | | {credential-reference}?
| | | +--:(explicit)
| | | +--rw ca-certs!
| | | | ...
| | | +--rw ee-certs!
| | | | ...
| | | +--rw raw-public-keys!
| | | | {tlsc:server-auth-raw-public-key}?
| | | | ...
| | | +--rw tls13-epsks? empty
| | | {tlsc:server-auth-tls13-epsk}
| | +--rw hello-params {tlscmn:hello-params}?
| | +--rw tls-versions
| | | +--rw min? identityref
| | | +--rw max? identityref
| | +--rw cipher-suites
| | +--rw cipher-suite*
| | tlscsa:tls-cipher-suite-algorithm
| +--:(obfuscation)
| +--rw shared-secret? string
+--rw (source-type)?
| +--:(source-ip)
| | +--rw source-ip? inet:ip-address
| +--:(source-interface)
| +--rw source-interface? if:interface-ref
+--rw vrf-instance?
| -> /ni:network-instances/network-instance/name
+--rw single-connection? boolean
+--rw timeout? uint16
+--ro statistics
+--ro discontinuity-time? yang:date-and-time
+--ro connection-opens? yang:counter64
+--ro connection-closes? yang:counter64
+--ro connection-aborts? yang:counter64
+--ro connection-failures? yang:counter64
+--ro connection-timeouts? yang:counter64
+--ro messages-sent? yang:counter64
+--ro messages-received? yang:counter64
+--ro errors-received? yang:counter64
+--ro sessions? yang:counter64
+--ro cert-errors? yang:counter64
+--ro rpk-errors? yang:counter64
{tlsc:server-auth-raw-public-key}?

Figure 1: Tree Structure Overview

Specifically, the module is designed to cover the following key
requirements specified in [RFC9887]:

* Minimum TLS 1.3 [RFC8446] MUST be used for transport.

* Earlier TLS versions MUST NOT be used.

* The cipher suites offered or accepted SHOULD be configurable.

* Implementations MAY support raw public keys and Pre-Shared Keys
(PSKs).

* Implementations MUST support the ability to configure the server's
domain name, so that it may be included in the TLS Server Name
Indication (SNI) extension.

The following new data nodes are supported compared to [RFC9105]:

'client-credentials' and 'server-credentials': Define a set
credentials that can be globally provisioned and then referenced
under specific servers.

'domain-name': Provides a domain name of the server per
Section 3.4.2 of [RFC9887]. This is the TLS TACACS+ server's
domain name that is included in the SNI extension. This domain
name is distinct from the IP address/hostname used for the
underlying transport connection.

'sni-enabled': Controls activation of SNI (Section 3 of [RFC6066]).
This parameter can be used only if a domain name is provided.

'client-identity': Specifies the identity credentials that the
client may present when establishing a connection to a server.
Client identities can be configured at the top level and then
referenced for specific server instances. Alternatively, client
identities can be configured explicitly under each server
instance.

'server-authentication': Specifies how a client authenticates
servers. Server credentials can be configured at the top level
and then referenced for specific server instances. Alternatively,
client identities can be configured explicitly under each server
instance.

'hello-params': Controls TLS versions and cipher suites to be used
when establishing TLS sessions.

'discontinuity-time': The time of the most recent occasion at which
the client suffered a discontinuity (a configuration action to
reset all counters, re-initialization, etc.).

'cert-errors': Number of connection failures due to certificate
issues.

'rpk-errors': Number of connection failures related to raw public
keys.