rfc9950v1.txt   rfc9950.txt 
skipping to change at line 17 skipping to change at line 17
A YANG Data Model for Terminal Access Controller Access-Control System A YANG Data Model for Terminal Access Controller Access-Control System
Plus (TACACS+) Plus (TACACS+)
Abstract Abstract
This document defines a Terminal Access Controller Access-Control This document defines a Terminal Access Controller Access-Control
System Plus (TACACS+) client YANG module that augments the System System Plus (TACACS+) client YANG module that augments the System
Management data model, defined in RFC 7317, to allow devices to make Management data model, defined in RFC 7317, to allow devices to make
use of TACACS+ servers for centralized Authentication, Authorization, use of TACACS+ servers for centralized Authentication, Authorization,
and Accounting (AAA). Specifically, this document defines a YANG and Accounting (AAA). Specifically, the TACACS+ YANG module can be
module for TACACS+ over TLS 1.3. used to manage TACACS+ over TLS.
This document obsoletes RFC 9105. This document obsoletes RFC 9105.
Status of This Memo Status of This Memo
This is an Internet Standards Track document. This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
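Review bot: The rewritten abstract sentence drops the "1.3" qualifier ("can be used to manage TACACS+ over TLS"), while the key requirements list in Section 3 still states that TLS 1.3 is the minimum and that earlier TLS versions MUST NOT be used; consider "TACACS+ over TLS 1.3" here so the abstract does not read as if the module also covers older TLS versions.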
skipping to change at line 67 skipping to change at line 67
3. Design of the TACACS+ Data Model 3. Design of the TACACS+ Data Model
4. TACACS+ Client Module 4. TACACS+ Client Module
5. Operational Considerations 5. Operational Considerations
6. Security Considerations 6. Security Considerations
7. IANA Considerations 7. IANA Considerations
8. References 8. References
8.1. Normative References 8.1. Normative References
8.2. Informative References 8.2. Informative References
Appendix A. Example TACACS+ Authentication Configuration with Appendix A. Example TACACS+ Authentication Configuration with
Shared Secret Shared Secret
Appendix B. TACACS+TLS Examples Appendix B. TACACS+ over TLS Examples
B.1. Example TACACS+ Authentication Configuration with Explicit B.1. Example TACACS+ Authentication Configuration with Explicit
Certificate Definitions Certificate Definitions
B.2. Example TACACS+ Authentication Configuration with B.2. Example TACACS+ Authentication Configuration with
Certificate References Certificate References
Appendix C. Full Tree Appendix C. Full Tree
Acknowledgments Acknowledgments
Authors' Addresses Authors' Addresses
1. Introduction 1. Introduction
The System Management data model [RFC7317] defines separate The System Management data model [RFC7317] defines separate
functionality to support local and Remote Authentication Dial-In User functionality to support local and Remote Authentication Dial-In User
Service (RADIUS) authentication: Service (RADIUS) authentication:
User Authentication Model: Defines a list of user names with User Authentication Model: Defines a list of usernames with
associated passwords and a configuration leaf to decide the order associated passwords and a configuration leaf to decide the order
in which local or RADIUS authentication is used. in which local or RADIUS authentication is used.
RADIUS Client Model: Defines a list of RADIUS servers used by a RADIUS Client Model: Defines a list of RADIUS servers used by a
device for centralized user authentication. device for centralized user authentication.
[RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that [RFC9105] defines a YANG module ("ietf-system-tacacs-plus") that
augments the System Management data model [RFC7317] for the augments the System Management data model [RFC7317] for the
management of Terminal Access Controller Access-Control System Plus management of Terminal Access Controller Access-Control System Plus
(TACACS+) clients as an alternative to RADIUS servers [RFC2865]. (TACACS+) clients as an alternative to RADIUS servers [RFC2865].
skipping to change at line 124 skipping to change at line 124
* Updated the description of 'address' to be consistent with the * Updated the description of 'address' to be consistent with the
type type
* Fixed a 'must' statement under 'tacacs-plus' * Fixed a 'must' statement under 'tacacs-plus'
* Fixed errors in the example provided in Appendix A of [RFC9105] * Fixed errors in the example provided in Appendix A of [RFC9105]
* Added an example to illustrate the use of VPN Routing and * Added an example to illustrate the use of VPN Routing and
Forwarding (VRF) Forwarding (VRF)
* Added new examples to illustrate the use of TACACS+TLS data nodes * Added new examples to illustrate the use of TACACS+ over TLS data
nodes
Detailed changes to the YANG module are listed in Section 4. Detailed changes to the YANG module are listed in Section 4.
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Some examples in this document contain long lines that are wrapped as
described in [RFC8792].
The terminology for describing YANG data models is defined in The terminology for describing YANG data models is defined in
[RFC7950]. [RFC7950].
The document uses the terms defined in Section 2 of [RFC9887] and The document uses the terms defined in Section 2 of [RFC9887] and
Section 3 of [RFC8907]. Section 3 of [RFC8907].
'client' refers to a TACACS+ client, while 'server' refers to a 'client' refers to a TACACS+ client, while 'server' refers to a
TACACS+ server. TACACS+ server.
2.1. Tree Diagrams 2.1. Tree Diagrams
The tree diagrams used in this document follow the notation defined The tree diagrams used in this document follow the notation defined
in [RFC8340]. in [RFC8340].
3. Design of the TACACS+ Data Model 3. Design of the TACACS+ Data Model
This module is used to configure a TACACS+ client on a device to This module is used to configure a TACACS+ client on a device to
support deployment scenarios with centralized Authentication, support deployment scenarios with centralized AAA servers.
Authorization, and Accounting (AAA) servers. Authentication is used Authentication is used to validate a user's username and password,
to validate a user's username and password, authorization allows the authorization allows the user to access and execute commands at
user to access and execute commands at various privilege levels various privilege levels assigned to the user, and accounting keeps
assigned to the user, and accounting keeps track of the activity of a track of the activity of a user who has accessed the device.
user who has accessed the device.
The "ietf-system-tacacs-plus" module augments the '/sys:system' path The "ietf-system-tacacs-plus" module augments the '/sys:system' path
defined in the "ietf-system" module with the contents of the 'tacacs- defined in the "ietf-system" module with the contents of the 'tacacs-
plus' grouping. Therefore, a device can use local, RADIUS, or plus' grouping. Therefore, a device can use local, RADIUS, or
TACACS+ authentication to validate users who attempt to access the TACACS+ authentication to validate users who attempt to access the
device by several mechanisms, e.g., a command line interface or a device by several mechanisms, e.g., a command line interface or a
web-based user interface. web-based user interface.
The 'server' list, which is directly under the 'tacacs-plus' The 'server' list, which is directly under the 'tacacs-plus'
container, holds a list of TACACS+ servers and uses 'server-type' to container, holds a list of TACACS+ servers and uses 'server-type' to
distinguish between AAA services. The list of servers is for distinguish between AAA services. The list of servers is for
redundancy. redundancy.
When there are multiple interfaces connected to a TACACS+ client or When there are multiple interfaces connected to a TACACS+ client or
server, the source address of outgoing TACACS+ packets could be server, the source address of outgoing TACACS+ packets could be
specified, or the source address could be specified through the specified, or the source address could be specified through the
interface IP address setting or derived from the outbound interface interface IP address setting or derived from the outbound interface
from the local Forwarding Information Base (FIB). For a TACACS+ from the local Forwarding Information Base (FIB). For a TACACS+
server located in a Virtual Private Network (VPN), a VPN Routing and server located in a Virtual Private Network (VPN), a VRF instance
Forwarding (VRF) instance needs to be specified. needs to be specified.
The 'statistics' container under the 'server' list is a collection of The 'statistics' container under the 'server' list is a collection of
read-only counters for sent and received messages from a configured read-only counters for sent and received messages from a configured
server. server.
The YANG module for TACACS+ client has the structure shown in The YANG module for TACACS+ client has the structure shown in
Figure 1. Figure 1.
augment /sys:system: augment /sys:system:
+--rw tacacs-plus +--rw tacacs-plus
skipping to change at line 294 skipping to change at line 297
Specifically, the module is designed to cover the following key Specifically, the module is designed to cover the following key
requirements specified in [RFC9887]: requirements specified in [RFC9887]:
* Minimum TLS 1.3 [RFC8446] MUST be used for transport. * Minimum TLS 1.3 [RFC8446] MUST be used for transport.
* Earlier TLS versions MUST NOT be used. * Earlier TLS versions MUST NOT be used.
* The cipher suites offered or accepted SHOULD be configurable. * The cipher suites offered or accepted SHOULD be configurable.
* Implementations MAY support Raw Public Keys (RPKs) and Pre-Shared * Implementations MAY support raw public keys and Pre-Shared Keys
Keys (PSKs). (PSKs).
* Implementations MUST support the ability to configure the server's * Implementations MUST support the ability to configure the server's
domain name, so that it may be included in the TLS Server Name domain name, so that it may be included in the TLS Server Name
Indication (SNI) extension. Indication (SNI) extension.
The following new data nodes are supported compared to [RFC9105]: The following new data nodes are supported compared to [RFC9105]:
'client-credentials' and 'server-credentials': Define a set 'client-credentials' and 'server-credentials': Define a set
credentials that can be globally provisioned and then referenced credentials that can be globally provisioned and then referenced
under specific servers. under specific servers.
'domain-name': Provides a domain name of the server per Section 3.3 'domain-name': Provides a domain name of the server per
of [RFC9887]. This is the TLS TACACS+ server's domain name that Section 3.4.2 of [RFC9887]. This is the TLS TACACS+ server's
is included in the SNI extension. This domain name is distinct domain name that is included in the SNI extension. This domain
from the IP address/hostname used for the underlying transport name is distinct from the IP address/hostname used for the
connection. underlying transport connection.
'sni-enabled': Controls activation of SNI (Section 3 of [RFC6066]). 'sni-enabled': Controls activation of SNI (Section 3 of [RFC6066]).
This parameter can be used only if a domain name is provided. This parameter can be used only if a domain name is provided.
'client-identity': Specifies the identity credentials that the 'client-identity': Specifies the identity credentials that the
client may present when establishing a connection to a server. client may present when establishing a connection to a server.
Client identities can be configured at the top level and then Client identities can be configured at the top level and then
referenced for specific server instances. Alternatively, client referenced for specific server instances. Alternatively, client
identities can be configured explicitly under each server identities can be configured explicitly under each server
instance. instance.
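Review bot: The 'client-credentials' and 'server-credentials' entry is missing a word in both columns: "Define a set credentials" should read "Define a set of credentials". The corrected pointer to Section 3.4.2 of [RFC9887] for 'domain-name' now agrees with the 'reference' statement on the 'domain-name' leaf in the module, so the prose and the module no longer diverge.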
skipping to change at line 344 skipping to change at line 347
reset all counters, re-initialization, etc.). reset all counters, re-initialization, etc.).
'cert-errors': Number of connection failures due to certificate 'cert-errors': Number of connection failures due to certificate
issues. issues.
'rpk-errors': Number of connection failures related to raw public 'rpk-errors': Number of connection failures related to raw public
keys. keys.
4. TACACS+ Client Module 4. TACACS+ Client Module
This YANG module uses types and groupings defined in [RFC6991], This YANG module uses types and groupings defined in [RFC8341],
[RFC8341], [RFC8343], [RFC8529], [RFC9640], [RFC9641], [RFC9642], and [RFC8343], [RFC8529], [RFC9640], [RFC9641], [RFC9642], [RFC9645], and
[RFC9645]. [RFC9911].
The module augments [RFC7317]. The module augments [RFC7317].
The module also cites [RFC6520], [RFC9257], and [RFC9258]. The module also cites [RFC6520], [RFC9257], and [RFC9258].
<CODE BEGINS> file "ietf-system-tacacs-plus@2026-03-13.yang" <CODE BEGINS> file "ietf-system-tacacs-plus@2026-03-13.yang"
module ietf-system-tacacs-plus { module ietf-system-tacacs-plus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
prefix sys-tcs-plus; prefix sys-tcs-plus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 9911: Common YANG Data Types";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 9911: Common YANG Data Types";
} }
import ietf-system { import ietf-system {
prefix sys; prefix sys;
reference reference
"RFC 7317: A YANG Data Model for System Management"; "RFC 7317: A YANG Data Model for System Management";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
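Review bot: The two import blocks change only their 'reference' text from RFC 6991 to RFC 9911; since neither import carries a 'revision-date' substatement, the import is still satisfied by any revision of ietf-inet-types and ietf-yang-types, so this is a documentation update rather than a dependency change, which is fine as long as no type the module uses is new in RFC 9911. The normative reference list is updated to match (RFC 6991 removed, RFC 9911 added), and the Section 4 list of cited modules no longer mentions RFC 6991.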
skipping to change at line 474 skipping to change at line 477
- a new leaf 'rpk-errors' under 'statistics' - a new leaf 'rpk-errors' under 'statistics'
Also, this revision: Also, this revision:
- updates the reference for 'tacacs-plus' identity - updates the reference for 'tacacs-plus' identity
to also cite RFC 9887 to also cite RFC 9887
- fixes a 'must' statement under 'tacacs-plus' by adding - fixes a 'must' statement under 'tacacs-plus' by adding
a missing prefix a missing prefix
- requires that the list of servers must be unique per - requires that the list of servers must be unique per
address/port number. address/port number.
- updates the description of the 'name' under 'server' - updates the description of the 'name' under 'server'
list to better reflect the intended use and clarifies list to better reflect the intended use and clarifies
the difference with the new domain-name the difference with the new 'domain-name'
- updates the description of the 'address' to be - updates the description of the 'address' to be
consistent with the type consistent with the type
- removes the default statement for the 'port' under - removes the default statement for the 'port' under
'server' list because a distinct default port number 'server' list because a distinct default port number
is used for TACACS+TLS is used for TACACS+ over TLS
- updates the 'port' leaf under 'server' list to enumerate - updates the 'port' leaf under 'server' list to enumerate
the various TACACS+ default port numbers the various TACACS+ default port numbers
- adds a constraint on the VRF with 'source-interface' - adds a constraint on the VRF with 'source-interface'
is also provided
- updates the description of timeout to remove redundant - updates the description of timeout to remove redundant
text with the default statement"; text with the default statement";
reference reference
"RFC 9950: A YANG Data Model for Terminal Access Controller "RFC 9950: A YANG Data Model for Terminal Access Controller
Access-Control System Plus (TACACS+)"; Access-Control System Plus (TACACS+)";
} }
revision 2021-08-05 { revision 2021-08-05 {
description description
"Initial revision."; "Initial revision.";
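Review bot: Dropping "is also provided" leaves the bullet reading "adds a constraint on the VRF with 'source-interface'", which no longer says when the constraint applies; suggest "adds a constraint on 'vrf-instance' when 'source-interface' is also provided", which matches the 'must' statement on 'vrf-instance' further down. Minor: the "unique per address/port number." bullet is the only item in this list that ends with a period.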
skipping to change at line 637 skipping to change at line 639
leaf cert-errors { leaf cert-errors {
type yang:counter64; type yang:counter64;
description description
"Number of connection failures due to certificate "Number of connection failures due to certificate
issues."; issues.";
} }
leaf rpk-errors { leaf rpk-errors {
if-feature "tlsc:server-auth-raw-public-key"; if-feature "tlsc:server-auth-raw-public-key";
type yang:counter64; type yang:counter64;
description description
"Number of RPK-related connection failures."; "Number of connection failures related to raw public
keys.";
} }
} }
} }
grouping certificate { grouping certificate {
description description
"Specifies a certificate that can be used for client "Specifies a certificate that can be used for client
identity."; identity.";
uses "ks:inline-or-keystore-end-entity-cert-with-key-" uses "ks:inline-or-keystore-end-entity-cert-with-key-"
+ "grouping" { + "grouping" {
skipping to change at line 665 skipping to change at line 668
must 'not(deref(.)/../ks:public-key-format) or ' must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-' + 'derived-from-or-self(deref(.)/../ks:public-'
+ 'key-format, "ct:subject-public-key-info-' + 'key-format, "ct:subject-public-key-info-'
+ 'format")'; + 'format")';
} }
} }
} }
grouping raw-private-key { grouping raw-private-key {
description description
"Specifies raw private key (RPK) that can be used for "Specifies a raw private key that can be used for
client identity."; client identity.";
uses ks:inline-or-keystore-asymmetric-key-grouping { uses ks:inline-or-keystore-asymmetric-key-grouping {
refine "inline-or-keystore/inline/inline-definition" { refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self' must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format, "ct:subject-public-key-' + '(public-key-format, "ct:subject-public-key-'
+ 'info-format")'; + 'info-format")';
} }
refine "inline-or-keystore/central-keystore/" refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference" { + "central-keystore-reference" {
must 'not(deref(.)/../ks:public-key-format) or ' must 'not(deref(.)/../ks:public-key-format) or '
skipping to change at line 715 skipping to change at line 718
reference reference
"RFC 8446: The Transport Layer Security (TLS) Protocol "RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3, Section 4.2.11 Version 1.3, Section 4.2.11
RFC 9257: Guidance for External Pre-Shared Key (PSK) RFC 9257: Guidance for External Pre-Shared Key (PSK)
Usage in TLS, Section 4.1"; Usage in TLS, Section 4.1";
} }
leaf hash { leaf hash {
type tlscmn:epsk-supported-hash; type tlscmn:epsk-supported-hash;
default "sha-256"; default "sha-256";
description description
"For externally established PSKs, the Hash algorithm must be "For externally established PSKs, the hash algorithm must be
set when the PSK is established or default to SHA-256 if no set when the PSK is established or default to SHA-256 if no
such algorithm is defined."; such algorithm is defined.";
reference reference
"RFC 8446: The Transport Layer Security (TLS) Protocol "RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3, Section 4.2.11"; Version 1.3, Section 4.2.11";
} }
leaf context { leaf context {
type string; type string;
description description
"The context used to determine the EPSK, if any exists. For "The context used to determine the EPSK, if any exists. For
skipping to change at line 775 skipping to change at line 778
container certificate { container certificate {
description description
"Specifies the client identity using a certificate."; "Specifies the client identity using a certificate.";
uses certificate; uses certificate;
} }
} }
case raw-public-key { case raw-public-key {
if-feature "tlsc:client-ident-raw-public-key"; if-feature "tlsc:client-ident-raw-public-key";
container raw-private-key { container raw-private-key {
description description
"Specifies the client identity using RPK."; "Specifies the client identity using a raw public key.";
uses raw-private-key; uses raw-private-key;
} }
} }
case tls13-epsk { case tls13-epsk {
if-feature "tlsc:client-ident-tls13-epsk"; if-feature "tlsc:client-ident-tls13-epsk";
container tls13-epsk { container tls13-epsk {
description description
"An EPSK is established or provisioned out of band."; "An EPSK is established or provisioned out of band.";
uses tls13-epsk; uses tls13-epsk;
} }
skipping to change at line 1029 skipping to change at line 1032
key "name"; key "name";
unique "address port"; unique "address port";
ordered-by user; ordered-by user;
description description
"List of TACACS+ servers used by the device."; "List of TACACS+ servers used by the device.";
leaf name { leaf name {
type string; type string;
description description
"A name that is used to uniquely identify a TACACS+ "A name that is used to uniquely identify a TACACS+
server within the device configuration. server within the device configuration.
This name is not to be confused with the domain-name."; This name is not to be confused with the
'domain-name'.";
} }
leaf server-type { leaf server-type {
type tacacs-plus-server-type; type tacacs-plus-server-type;
mandatory true; mandatory true;
description description
"Server type: authentication/authorization/accounting and "The server type can be authentication, authorization,
various combinations."; accounting, or any combination of the three types.";
} }
leaf domain-name { leaf domain-name {
type inet:domain-name; type inet:domain-name;
description description
"Provides a domain name of the TACACS+ server."; "Provides a domain name of the TACACS+ server.";
reference reference
"RFC 9887: Terminal Access Controller Access-Control "RFC 9887: Terminal Access Controller Access-Control
System Plus (TACACS+) over TLS 1.3, System Plus (TACACS+) over TLS 1.3,
Section 3.4.2"; Section 3.4.2";
} }
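Review bot: 'unique "address port"' rejects two entries that share an address and port even when their 'server-type' values differ; because the updated 'server-type' description says the type can be any combination of authentication, authorization, and accounting, that is workable, but the 'server' list description ("List of TACACS+ servers used by the device.") could state that a server reachable at one address/port is configured once with the combined type rather than once per service. Quoting 'domain-name' in the 'name' description is a good consistency fix.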
skipping to change at line 1076 skipping to change at line 1080
mandatory true; mandatory true;
description description
"The IP address or name of the TACACS+ server."; "The IP address or name of the TACACS+ server.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
mandatory true; mandatory true;
description description
"The port number of the TACACS+ server. "The port number of the TACACS+ server.
The default port number for legacy TACACS+ is 49, The default port number for legacy TACACS+ is 49,
while it is 300 for TACACS+TLS."; while it is 300 for TACACS+ over TLS.";
} }
choice security { choice security {
mandatory true; mandatory true;
description description
"Security mechanism between TACACS+ client and server."; "Security mechanism between TACACS+ client and server.";
case tls { case tls {
description description
"TLS is used to secure TACACS+ exchanges."; "TLS is used to secure TACACS+ exchanges.";
reference reference
"RFC 9887: Terminal Access Controller Access-Control "RFC 9887: Terminal Access Controller Access-Control
skipping to change at line 1147 skipping to change at line 1151
"Specifies the interface from which the IP address "Specifies the interface from which the IP address
is derived for use as the source for outbound is derived for use as the source for outbound
TACACS+ packets."; TACACS+ packets.";
} }
} }
} }
leaf vrf-instance { leaf vrf-instance {
type leafref { type leafref {
path "/ni:network-instances/ni:network-instance/ni:name"; path "/ni:network-instances/ni:network-instance/ni:name";
} }
must "(not(../source-interface)) or " must '(not(../source-interface)) or '
+ "(current() = /if:interfaces/if:interface" + '(current() = /if:interfaces/if:interface'
+ "[if:name = current()/../source-interface]" + '[if:name = current()/../source-interface]'
+ "/ni:bind-ni-name)" { + '/ni:bind-ni-name)' {
error-message error-message
"VRF instance must match the network instance of the "VRF instance must match the network instance of the
source interface."; source interface.";
} }
description description
"Specifies the VPN Routing and Forwarding (VRF) instance "Specifies the VPN Routing and Forwarding (VRF) instance
to use to communicate with the TACACS+ server. to use to communicate with the TACACS+ server.
If 'source-interface' is configured, this value MUST If 'source-interface' is configured, this value MUST
match the network instance bound to the source interface match the network instance bound to the source interface
(via bind-ni-name)."; (via bind-ni-name).";
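Review bot: Switching the 'must' delimiters from double to single quotes is behaviour-neutral (the XPath contains no string literals), so the check is unchanged: 'vrf-instance' is accepted only when 'source-interface' is absent or the named interface's 'ni:bind-ni-name' equals this value, which is what the error-message and description say. Style: the description quotes 'source-interface' but leaves bind-ni-name bare; writing 'bind-ni-name' would match the quoting convention used for node names elsewhere in the module.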
skipping to change at line 1307 skipping to change at line 1311
Extensions: Extension Definitions", RFC 6066, Extensions: Extension Definitions", RFC 6066,
DOI 10.17487/RFC6066, January 2011, DOI 10.17487/RFC6066, January 2011,
<https://www.rfc-editor.org/info/rfc6066>. <https://www.rfc-editor.org/info/rfc6066>.
[RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport [RFC6520] Seggelmann, R., Tuexen, M., and M. Williams, "Transport
Layer Security (TLS) and Datagram Transport Layer Security Layer Security (TLS) and Datagram Transport Layer Security
(DTLS) Heartbeat Extension", RFC 6520, (DTLS) Heartbeat Extension", RFC 6520,
DOI 10.17487/RFC6520, February 2012, DOI 10.17487/RFC6520, February 2012,
<https://www.rfc-editor.org/info/rfc6520>. <https://www.rfc-editor.org/info/rfc6520>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for
System Management", RFC 7317, DOI 10.17487/RFC7317, August System Management", RFC 7317, DOI 10.17487/RFC7317, August
2014, <https://www.rfc-editor.org/info/rfc7317>. 2014, <https://www.rfc-editor.org/info/rfc7317>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
skipping to change at line 1377 skipping to change at line 1377
[RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS
Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024,
<https://www.rfc-editor.org/info/rfc9645>. <https://www.rfc-editor.org/info/rfc9645>.
[RFC9887] Dahm, T., Heasley, J., Medway Gash, D.C., and A. Ota, [RFC9887] Dahm, T., Heasley, J., Medway Gash, D.C., and A. Ota,
"Terminal Access Controller Access-Control System Plus "Terminal Access Controller Access-Control System Plus
(TACACS+) over TLS 1.3", RFC 9887, DOI 10.17487/RFC9887, (TACACS+) over TLS 1.3", RFC 9887, DOI 10.17487/RFC9887,
December 2025, <https://www.rfc-editor.org/info/rfc9887>. December 2025, <https://www.rfc-editor.org/info/rfc9887>.
[RFC9911] Schönwälder, J., Ed., "Common YANG Data Types", RFC 9911,
DOI 10.17487/RFC9911, December 2025,
<https://www.rfc-editor.org/info/rfc9911>.
8.2. Informative References 8.2. Informative References
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000, RFC 2865, DOI 10.17487/RFC2865, June 2000,
<https://www.rfc-editor.org/info/rfc2865>. <https://www.rfc-editor.org/info/rfc2865>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/info/rfc4252>. January 2006, <https://www.rfc-editor.org/info/rfc4252>.
skipping to change at line 1401 skipping to change at line 1405
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
"Handling Long Lines in Content of Internet-Drafts and
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
<https://www.rfc-editor.org/info/rfc8792>.
[RFC8907] Dahm, T., Ota, A., Medway Gash, D.C., Carrel, D., and L. [RFC8907] Dahm, T., Ota, A., Medway Gash, D.C., Carrel, D., and L.
Grant, "The Terminal Access Controller Access-Control Grant, "The Terminal Access Controller Access-Control
System Plus (TACACS+) Protocol", RFC 8907, System Plus (TACACS+) Protocol", RFC 8907,
DOI 10.17487/RFC8907, September 2020, DOI 10.17487/RFC8907, September 2020,
<https://www.rfc-editor.org/info/rfc8907>. <https://www.rfc-editor.org/info/rfc8907>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000, Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021, DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>. <https://www.rfc-editor.org/info/rfc9000>.
skipping to change at line 1491 skipping to change at line 1500
"vrf-instance": "MANAGEMENT_VRF", "vrf-instance": "MANAGEMENT_VRF",
"timeout": 10 "timeout": 10
} }
] ]
} }
} }
} }
Figure 3: Example with VRF Figure 3: Example with VRF
Appendix B. TACACS+TLS Examples Appendix B. TACACS+ over TLS Examples
This section provides examples to illustrate the configuration of This section provides examples to illustrate the configuration of
TACACS+TLS clients. TACACS+ over TLS clients.
These examples follow the convention used in Section 1.5 of [RFC9645] These examples follow the convention used in Section 1.5 of [RFC9645]
for binary data that has been base64 encoded. for binary data that has been base64 encoded.
B.1. Example TACACS+ Authentication Configuration with Explicit B.1. Example TACACS+ Authentication Configuration with Explicit
Certificate Definitions Certificate Definitions
Figure 4 shows a configuration example with 'inline-definition' for Figure 4 shows a configuration example with 'inline-definition' for
the client identity and server authentication. the client identity and server authentication.
skipping to change at line 1568 skipping to change at line 1577
} }
}, },
"single-connection": false, "single-connection": false,
"timeout": 10 "timeout": 10
} }
] ]
} }
} }
} }
Figure 4: Example with TACACS+TLS with Inline Certificate Definitions Figure 4: Example with TACACS+ over TLS with Inline Certificate
Definitions
B.2. Example TACACS+ Authentication Configuration with Certificate B.2. Example TACACS+ Authentication Configuration with Certificate
References References
Figure 5 shows a configuration example with credential references for Figure 5 shows a configuration example with credential references for
multiple service instances. Four server instances are configured, multiple service instances. Four server instances are configured,
all using the same credentials. These instances form a redundancy all using the same credentials. These instances form a redundancy
group for both IPv4 and IPv6. group for both IPv4 and IPv6.
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
skipping to change at line 1676 skipping to change at line 1686
}, },
"server-authentication": { "server-authentication": {
"credentials-reference": "server-cred-1" "credentials-reference": "server-cred-1"
} }
} }
] ]
} }
} }
} }
Figure 5: Example with TACACS+TLS with References Figure 5: Example with TACACS+ over TLS with References
Appendix C. Full Tree Appendix C. Full Tree
The full tree structure is shown below: The full tree structure is shown below:
=============== NOTE: '\' line wrapping per RFC 8792 ================ =============== NOTE: '\' line wrapping per RFC 8792 ================
module: ietf-system-tacacs-plus module: ietf-system-tacacs-plus
augment /sys:system: augment /sys:system:
skipping to change at line 2201 skipping to change at line 2211
their helpful comments and suggestions. their helpful comments and suggestions.
Authors' Addresses Authors' Addresses
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Bo Wu Bo Wu
Huawei Technologies Huawei Technologies
Email: mlana.wubo@huawei.com Email: lana.wubo@huawei.com
End of changes. 31 change blocks.
48 lines changed or deleted 58 lines changed or added

This html diff was produced by rfcdiff 1.48.