附录 B. 基于 TLS 的 TACACS+ 示例 (TACACS+ over TLS Examples)
中文导读: 本节对应 RFC 9950 的 附录 B. 基于 TLS 的 TACACS+ 示例 (TACACS+ over TLS Examples) 部分, 对应文档标题为 RFC 9950 - 终端访问控制器访问控制系统增强版 (TACACS+) 的 YANG 数据模型. 下方若包含英文 RFC 原文, 注册表名称, 字段名, 算法名, 对象标识符, 媒体类型, 邮箱地址, URL, 代码, ABNF, ASN.1, YANG, JSON, XML, 测试向量或参考文献条目, 均按规范原样保留, 因为这些内容需要与 RFC 文本, IANA 注册表, 实现代码或验证工具逐字一致. 中文段落用于说明本节的作用, 阅读重点和实现含义, 不改变任何协议语义或注册值.
本页中的示例, 测试向量和样例报文用于帮助实现者验证编码, 解析, 互操作或错误处理行为. 示例值, 二进制串, Base64, 十六进制, JSON/XML 成员, HTTP/邮件头字段, 域名和地址均属于可复制测试材料, 因此不翻译. 中文说明只解释示例目的, 字段关系和使用注意事项.
本节提供示例, 用于说明基于 TLS 的 TACACS+ 客户端配置.
这些示例遵循 [RFC9645] 第 1.5 节中用于 base64 编码二进制数据的约定.
B.1. 使用显式证书定义的 TACACS+ 认证配置示例 (Example TACACS+ Authentication Configuration with Explicit Certificate Definitions)
图 4 给出了一个配置示例, 其中客户端身份和服务器认证使用 inline-definition.
注: '\' 按 RFC 8792 进行换行.
{
"ietf-system:system": {
"authentication": {
"user-authentication-order": [
"ietf-system-tacacs-plus:tacacs-plus",
"ietf-system:local-users"
]
},
"ietf-system-tacacs-plus:tacacs-plus": {
"server": [
{
"name": "instance-1",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::1",
"port": 1234,
"client-identity": {
"certificate": {
"inline-definition": {
"public-key-format": "ietf-crypto-types:subject-\
public-key-info-format",
"public-key": "BASE64VALUE=",
"private-key-format": "ietf-crypto-types:rsa-private\
-key-format",
"cleartext-private-key": "BASE64VALUE=",
"cert-data": "BASE64VALUE="
}
}
},
"server-authentication": {
"ca-certs": {
"inline-definition": {
"certificate": [
{
"name": "CA-Certificate-1",
"cert-data": "BASE64VALUE="
}
]
}
}
},
"hello-params": {
"tls-versions": {
"min": "ietf-tls-common:tls13",
"max": "ietf-tls-common:tls13"
},
"cipher-suites": {
"cipher-suite": [
"TLS_AES_128_GCM_SHA256"
]
}
},
"single-connection": false,
"timeout": 10
}
]
}
}
}
图 4: 使用内联证书定义的 TACACS+ over TLS 示例
B.2. 使用证书引用的 TACACS+ 认证配置示例 (Example TACACS+ Authentication Configuration with Certificate References)
图 5 给出了一个配置示例, 其中多个服务实例使用凭据引用 (credential references). 配置了 4 个服务器实例, 它们全都使用相同凭据. 这些实例共同构成 IPv4 和 IPv6 的冗余组.
注: '\' 按 RFC 8792 进行换行.
{
"ietf-system:system": {
"ietf-system-tacacs-plus:tacacs-plus": {
"client-credentials": [
{
"id": "client-cred-1",
"certificate": {
"inline-definition": {
"public-key-format": "ietf-crypto-types:subject-public\
-key-info-format",
"public-key": "BASE64VALUE=",
"private-key-format": "ietf-crypto-types:rsa-private-\
key-format",
"cleartext-private-key": "BASE64VALUE=",
"cert-data": "BASE64VALUE="
}
}
}
],
"server-credentials": [
{
"id": "server-cred-1",
"ca-certs": {
"inline-definition": {
"certificate": [
{
"name": "CA-Certificate-1",
"cert-data": "BASE64VALUE="
}
]
}
}
}
],
"server": [
{
"name": "primary-v6",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::1",
"port": 1234,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "backup-v6",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "2001:db8::2",
"port": 1234,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "primary-v4",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "192.0.2.1",
"port": 49,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
},
{
"name": "backup-v4",
"server-type": "authentication",
"domain-name": "tacacs.example.com",
"sni-enabled": true,
"address": "192.0.2.2",
"port": 49,
"client-identity": {
"credentials-reference": "client-cred-1"
},
"server-authentication": {
"credentials-reference": "server-cred-1"
}
}
]
}
}
}
图 5: 使用引用的 TACACS+ over TLS 示例