Appendix B. TACACS+ over TLS Examples
この節では TACACS+ client YANG model の RFC テキストを保持し, RFC 9105 changes, TLS 1.3 support, ietf-system-tacacs-plus module, credential references, NACM-sensitive nodes, IANA registrations, JSON examples, full tree を扱う.
RFC 原文
Appendix B. TACACS+ over TLS Examples
This section provides examples to illustrate the configuration of
TACACS+ over TLS clients.
These examples follow the convention used in Section 1.5 of [RFC9645]
for binary data that has been base64 encoded.
B.1. Example TACACS+ Authentication Configuration with Explicit
Certificate Definitions
Figure 4 shows a configuration example with 'inline-definition' for
the client identity and server authentication.
=============== NOTE: '\' line wrapping per RFC 8792 ================
{
"ietf-system:system": {
"authentication": {
"user-authentication-order": [
"ietf-system-tacacs-plus:tacacs-plus",
"ietf-system:local-users"
]
},
"ietf-system-tacacs-plus:tacacs-plus": {
"server": [
{
"name": "instance-1",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::1",
"port": 1234,
"client-identity": {
"certificate": {
"inline-definition": {
"public-key-format": "ietf-crypto-types:subject-\
public-key-info-format",
"public-key": "BASE64VALUE=",
"private-key-format": "ietf-crypto-types:rsa-private\
-key-format",
"cleartext-private-key": "BASE64VALUE=",
"cert-data": "BASE64VALUE="
}
}
},
"server-authentication": {
"ca-certs": {
"inline-definition": {
"certificate": [
{
"name": "CA-Certificate-1",
"cert-data": "BASE64VALUE="
}
]
}
}
},
"hello-params": {
"tls-versions": {
"min": "ietf-tls-common:tls13",
"max": "ietf-tls-common:tls13"
},
"cipher-suites": {
"cipher-suite": [
"TLS_AES_128_GCM_SHA256"
]
}
},
"single-connection": false,
"timeout": 10
}
]
}
}
}
Figure 4: Example with TACACS+ over TLS with Inline Certificate
Definitions
B.2. Example TACACS+ Authentication Configuration with Certificate
References
Figure 5 shows a configuration example with credential references for
multiple service instances. Four server instances are configured,
all using the same credentials. These instances form a redundancy
group for both IPv4 and IPv6.
=============== NOTE: '\' line wrapping per RFC 8792 ================
{
"ietf-system:system": {
"ietf-system-tacacs-plus:tacacs-plus": {
"client-credentials": [
{
"id": "client-cred-1",
"certificate": {
"inline-definition": {
"public-key-format": "ietf-crypto-types:subject-public\
-key-info-format",
"public-key": "BASE64VALUE=",
"private-key-format": "ietf-crypto-types:rsa-private-\
key-format",
"cleartext-private-key": "BASE64VALUE=",
"cert-data": "BASE64VALUE="
}
}
}
],
"server-credentials": [
{
"id": "server-cred-1",
"ca-certs": {
"inline-definition": {
"certificate": [
{
"name": "CA-Certificate-1",
"cert-data": "BASE64VALUE="
}
]
}
}
}
],
"server": [
{
"name": "primary-v6",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::1",
"port": 1234,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "backup-v6",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::2",
"port": 1234,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "primary-v4",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "192.0.2.1",
"port": 49,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "backup-v4",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "192.0.2.2",
"port": 49,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
}
]
}
}
}
Figure 5: Example with TACACS+ over TLS with References