From 51163a51a2c97887cb3f6f095f513408b85b60b4 Mon Sep 17 00:00:00 2001 From: Joe Clarke Date: Fri, 3 Apr 2026 09:50:47 -0400 Subject: [PATCH] chore: Full yc.o sync --- ...f-yang-library-augmentedby@2025-05-28.yang | 6 +- standard/iana/yang-parameters.xml | 74 +- .../ietf/RFC/ietf-system-tacacs-plus.yang | 2 +- .../ietf-system-tacacs-plus@2026-03-31.yang | 843 ++++++++++++++++++ 4 files changed, 915 insertions(+), 10 deletions(-) create mode 100644 standard/ietf/RFC/ietf-system-tacacs-plus@2026-03-31.yang diff --git a/experimental/ietf-extracted-YANG-modules/ietf-yang-library-augmentedby@2025-05-28.yang b/experimental/ietf-extracted-YANG-modules/ietf-yang-library-augmentedby@2025-05-28.yang index bf1c312a6..5a8f28d81 100644 --- a/experimental/ietf-extracted-YANG-modules/ietf-yang-library-augmentedby@2025-05-28.yang +++ b/experimental/ietf-extracted-YANG-modules/ietf-yang-library-augmentedby@2025-05-28.yang @@ -95,16 +95,14 @@ module ietf-yang-library-augmentedby { } augment "/yanglib:yang-library/yanglib:module-set/yanglib:module" { description - "Augments the augmented-by leaf-list from module info with the - augmented-by grouping."; + "Adds Augmented-by leaf-list to the list of modules of a module set"; uses augmented-by; } augment "/yanglib:modules-state/yanglib:module" { status deprecated; description - "Augments the augmented-by leaf-list from module info with the - augmented-by grouping."; + "Adds Augmented-by leaf-list to the list of modules of a module set"; uses augmented-by; } } diff --git a/standard/iana/yang-parameters.xml b/standard/iana/yang-parameters.xml index 63cb1d399..2fec24563 100644 --- a/standard/iana/yang-parameters.xml +++ b/standard/iana/yang-parameters.xml @@ -4,7 +4,7 @@ YANG Parameters 2010-06-10 - 2026-03-18 + 2026-04-01 YANG Module Names @@ -160,6 +160,20 @@ Codes", and "DOTS Attack Status Codes" registr New values must not be directly added to the "iana-msd-types" YANG module. They must instead be added to the "IGP MSD-Types" registry in the Interior Gateway Protocol (IGP) Parameters registry group. + + iana-ospf-functional-cap-bits + Y + + urn:ietf:params:xml:ns:yang:iana-ospf-functional-cap-bits + iana-ospf-fc-bits + + + + 's module file will be posted upon the document's publication as an RFC. + New values must not be directly added to the "iana-ospf-functional-cap-bits" YANG module. + They must instead be added to the "OSPF Router Functional Capability Bits" registry in the Open Shortest Path First (OSPF) Parameters registry group. + + iana-pseudowire-types Y @@ -1762,6 +1776,16 @@ and Subsequent Address Family Identi + + ietf-optical-impairment-topology + N + + urn:ietf:params:xml:ns:yang:ietf-optical-impairment-topology + oit + + + 's module file will be posted upon the document's publication as an RFC. + ietf-origin N @@ -1802,6 +1826,16 @@ and Subsequent Address Family Identi 's module file will be posted upon the document's publication as an RFC. + + ietf-ospf-functional-capability + N + + urn:ietf:params:xml:ns:yang:ietf-ospf-functional-capability + ospf-fc + + + 's module file will be posted upon the document's publication as an RFC. + ietf-ospf-sr-mpls N @@ -1812,6 +1846,16 @@ and Subsequent Address Family Identi + + ietf-ospf-unreachable-links + N + + urn:ietf:params:xml:ns:yang:ietf-ospf-unreachable-links + ospf-unreach-link + + + 's module file will be posted upon the document's publication as an RFC. + ietf-ospfv3-extended-lsa N @@ -2404,15 +2448,15 @@ and Subsequent Address Family Identi - + ietf-system-tacacs-plus N - + ietf-system-tacacs-plus@2026-03-31.yang urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus sys-tcs-plus - - 's module file will be posted upon the document's publication as an RFC. + + ietf-sztp-bootstrap-server @@ -2494,6 +2538,26 @@ and Subsequent Address Family Identi + + ietf-te + N + + urn:ietf:params:xml:ns:yang:ietf-te + te + + + 's module file will be posted upon the document's publication as an RFC. + + + ietf-te-device + N + + urn:ietf:params:xml:ns:yang:ietf-te-device + te-device + + + 's module file will be posted upon the document's publication as an RFC. + ietf-te-packet-types N diff --git a/standard/ietf/RFC/ietf-system-tacacs-plus.yang b/standard/ietf/RFC/ietf-system-tacacs-plus.yang index b82fef795..137d8d10f 120000 --- a/standard/ietf/RFC/ietf-system-tacacs-plus.yang +++ b/standard/ietf/RFC/ietf-system-tacacs-plus.yang @@ -1 +1 @@ -ietf-system-tacacs-plus@2021-08-05.yang \ No newline at end of file +ietf-system-tacacs-plus@2026-03-31.yang \ No newline at end of file diff --git a/standard/ietf/RFC/ietf-system-tacacs-plus@2026-03-31.yang b/standard/ietf/RFC/ietf-system-tacacs-plus@2026-03-31.yang new file mode 100644 index 000000000..4187e67cd --- /dev/null +++ b/standard/ietf/RFC/ietf-system-tacacs-plus@2026-03-31.yang @@ -0,0 +1,843 @@ +module ietf-system-tacacs-plus { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; + prefix sys-tcs-plus; + + import ietf-inet-types { + prefix inet; + reference + "RFC 9911: Common YANG Data Types"; + } + import ietf-yang-types { + prefix yang; + reference + "RFC 9911: Common YANG Data Types"; + } + import ietf-system { + prefix sys; + reference + "RFC 7317: A YANG Data Model for System Management"; + } + import ietf-netconf-acm { + prefix nacm; + reference + "RFC 8341: Network Configuration Access Control Model"; + } + import ietf-interfaces { + prefix if; + reference + "RFC 8343: A YANG Data Model for Interface Management"; + } + import ietf-network-instance { + prefix ni; + reference + "RFC 8529: YANG Data Model for Network Instances"; + } + import ietf-crypto-types { + prefix ct; + reference + "RFC 9640: YANG Data Types and Groupings for Cryptography"; + } + import ietf-truststore { + prefix ts; + reference + "RFC 9641: A YANG Data Model for a Truststore"; + } + import ietf-keystore { + prefix ks; + reference + "RFC 9642: A YANG Data Model for a Keystore"; + } + import ietf-tls-common { + prefix tlscmn; + reference + "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; + } + import ietf-tls-client { + prefix tlsc; + reference + "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; + } + + organization + "IETF OPSAWG (Operations and Management Area Working Group)"; + contact + "WG Web: + WG List: + + Editor: Mohamed Boucadair + + Author: Bo Wu + + Author: Guangying Zheng + "; + description + "This module provides management of TACACS+ clients. + + The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL + NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', + 'MAY', and 'OPTIONAL' in this document are to be interpreted as + described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, + they appear in all capitals, as shown here. + + Copyright (c) 2026 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Revised BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (https://trustee.ietf.org/license-info). + + All revisions of IETF and IANA published modules can be found + at the 'YANG Parameters' registry group: + . + + This version of this YANG module is part of RFC 9950; see the + RFC itself for full legal notices."; + + revision 2026-03-31 { + description + "This revision adds TLS support. Specifically, this revision + adds: + - a new feature 'credential-reference' + - a new container 'client-credentials' + - a new container 'server-credentials' + - a new leaf 'domain-name' + - a new leaf 'sni-enabled' + - TLS as a new security choice + - a new leaf 'discontinuity-time' under 'statistics' + - a new leaf 'cert-errors' under 'statistics' + - a new leaf 'rpk-errors' under 'statistics' + Also, this revision: + - updates the reference for 'tacacs-plus' identity + to also cite RFC 9887 + - fixes a 'must' statement under 'tacacs-plus' by adding + a missing prefix + - requires that the list of servers must be unique per + address/port number. + - updates the description of the 'name' under 'server' + list to better reflect the intended use and clarifies + the difference with the new 'domain-name' + - updates the description of the 'address' to be + consistent with the type + - removes the default statement for the 'port' under + 'server' list because a distinct default port number + is used for TACACS+ over TLS + - updates the 'port' leaf under 'server' list to enumerate + the various TACACS+ default port numbers + - adds a constraint on the VRF with 'source-interface' + - updates the description of timeout to remove redundant + text with the default statement"; + reference + "RFC 9950: A YANG Data Model for Terminal Access Controller + Access-Control System Plus (TACACS+)"; + } + + revision 2021-08-05 { + description + "Initial revision."; + reference + "RFC 9105: A YANG Data Model for Terminal Access Controller + Access-Control System Plus (TACACS+)"; + } + + feature credential-reference { + description + "Indicates whether service credentials references are + supported."; + } + + identity tacacs-plus { + base sys:authentication-method; + description + "Indicates AAA operation using TACACS+."; + reference + "RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3 + RFC 8907: The TACACS+ Protocol"; + } + + typedef tacacs-plus-server-type { + type bits { + bit authentication { + description + "Indicates that the TACACS+ server is providing + authentication services."; + } + bit authorization { + description + "Indicates that the TACACS+ server is providing + authorization services."; + } + bit accounting { + description + "Indicates that the TACACS+ server is providing accounting + services."; + } + } + description + "The type can be set to authentication, authorization, + accounting, or any combination of the three types."; + } + + typedef client-credentials-ref { + type leafref { + path "/sys:system/sys-tcs-plus:tacacs-plus" + + "/sys-tcs-plus:client-credentials/sys-tcs-plus:id"; + } + description + "Defines a type to reference client credentials."; + } + + typedef server-credentials-ref { + type leafref { + path "/sys:system/sys-tcs-plus:tacacs-plus" + + "/sys-tcs-plus:server-credentials/sys-tcs-plus:id"; + } + description + "Defines a type to reference server credentials."; + } + + grouping statistics { + description + "Grouping for TACACS+ statistics attributes, including TLS + specifics."; + container statistics { + config false; + description + "A collection of server-related statistics objects."; + leaf discontinuity-time { + type yang:date-and-time; + description + "The time of the most recent occasion at which the + TACACS+ client suffered a discontinuity. Examples of + discontinuity can be a configuration action to reset + all counters, re-initialization of the system, or any + other events that prevent reliable contiguous tracking + of counters."; + } + leaf connection-opens { + type yang:counter64; + description + "Number of new connection requests sent to the server, + e.g., socket open."; + } + leaf connection-closes { + type yang:counter64; + description + "Number of connection close requests sent to the server, + e.g., socket close."; + } + leaf connection-aborts { + type yang:counter64; + description + "Number of aborted connections to the server. These do + not include connections that are closed gracefully."; + } + leaf connection-failures { + type yang:counter64; + description + "Number of connection failures to the server."; + } + leaf connection-timeouts { + type yang:counter64; + description + "Number of connection timeouts to the server."; + } + leaf messages-sent { + type yang:counter64; + description + "Number of messages sent to the server."; + } + leaf messages-received { + type yang:counter64; + description + "Number of messages received from the server."; + } + leaf errors-received { + type yang:counter64; + description + "Number of error messages received from the server."; + } + leaf sessions { + type yang:counter64; + description + "Number of TACACS+ sessions completed with the server. + If the Single Connection Mode was not enabled, the number + of sessions is the same as the number of + 'connection-closes'. If the Single Connection Mode was + enabled, a single TCP connection may contain multiple + TACACS+ sessions."; + } + leaf cert-errors { + type yang:counter64; + description + "Number of connection failures due to certificate + issues."; + } + leaf rpk-errors { + if-feature "tlsc:server-auth-raw-public-key"; + type yang:counter64; + description + "Number of connection failures related to raw public + keys."; + } + } + } + + grouping certificate { + description + "Specifies a certificate that can be used for client + identity."; + uses "ks:inline-or-keystore-end-entity-cert-with-key-" + + "grouping" { + refine "inline-or-keystore/inline/inline-definition" { + must 'not(public-key-format) or derived-from-or-self' + + '(public-key-format, "ct:subject-public-key-' + + 'info-format")'; + } + refine "inline-or-keystore/central-keystore/" + + "central-keystore-reference/asymmetric-key" { + must 'not(deref(.)/../ks:public-key-format) or ' + + 'derived-from-or-self(deref(.)/../ks:public-' + + 'key-format, "ct:subject-public-key-info-' + + 'format")'; + } + } + } + + grouping raw-private-key { + description + "Specifies a raw private key that can be used for + client identity."; + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { + must 'not(public-key-format) or derived-from-or-self' + + '(public-key-format, "ct:subject-public-key-' + + 'info-format")'; + } + refine "inline-or-keystore/central-keystore/" + + "central-keystore-reference" { + must 'not(deref(.)/../ks:public-key-format) or ' + + 'derived-from-or-self(deref(.)/../ks:public-' + + 'key-format, "ct:subject-public-key-info-format")'; + } + } + } + + grouping tls13-epsk { + description + "An External Pre-Shared Key (EPSK) is established or + provisioned out of band, i.e., not from a TLS connection. + An EPSK is a tuple of (Base Key, External Identity, Hash). + When Pre-Shared Keys (PSKs) are provisioned out of band, + the PSK identity and the Key Derivation Function (KDF) hash + algorithm to be used with the PSK must also be + provisioned."; + reference + "RFC 8446: The Transport Layer Security (TLS) Protocol + Version 1.3, Section 4.2.11 + RFC 9257: Guidance for External Pre-Shared Key (PSK) Usage + in TLS, Section 6 + RFC 9258: Importing External Pre-Shared Keys (PSKs) for + TLS 1.3, Section 5.1"; + uses ks:inline-or-keystore-symmetric-key-grouping; + leaf external-identity { + type string; + mandatory true; + description + "A sequence of bytes used to identify an EPSK. A label for + a PSK established externally."; + reference + "RFC 8446: The Transport Layer Security (TLS) Protocol + Version 1.3, Section 4.2.11 + RFC 9257: Guidance for External Pre-Shared Key (PSK) + Usage in TLS, Section 4.1"; + } + leaf hash { + type tlscmn:epsk-supported-hash; + default "sha-256"; + description + "For externally established PSKs, the hash algorithm must be + set when the PSK is established or default to SHA-256 if no + such algorithm is defined."; + reference + "RFC 8446: The Transport Layer Security (TLS) Protocol + Version 1.3, Section 4.2.11"; + } + leaf context { + type string; + description + "The context used to determine the EPSK, if any exists. For + example, context may include information about peer roles or + identities to mitigate Selfie-style reflection attacks."; + reference + "RFC 9258: Importing External Pre-Shared Keys (PSKs) for + TLS 1.3, Section 5.1 "; + } + leaf target-protocol { + type uint16; + description + "Specifies the protocol for which a PSK is imported for + use."; + reference + "RFC 9258: Importing External Pre-Shared Keys (PSKs) for + TLS 1.3, Section 3 "; + } + leaf target-kdf { + type uint16; + description + "The KDF for which a PSK is imported for use."; + reference + "RFC 9258: Importing External Pre-Shared Keys (PSKs) for + TLS 1.3, Section 3"; + } + } + + grouping client-identity { + description + "Identity credentials that a TLS client may present when + establishing a connection to a TLS server. When configured + and requested by the TLS server when establishing a TLS + session, these credentials are passed in the Certificate + message."; + reference + "RFC 8446: The Transport Layer Security (TLS) Protocol + Version 1.3, Section 4.4.2"; + choice auth-type { + description + "A choice amongst authentication types."; + case certificate { + container certificate { + description + "Specifies the client identity using a certificate."; + uses certificate; + } + } + case raw-public-key { + if-feature "tlsc:client-ident-raw-public-key"; + container raw-private-key { + description + "Specifies the client identity using a raw public key."; + uses raw-private-key; + } + } + case tls13-epsk { + if-feature "tlsc:client-ident-tls13-epsk"; + container tls13-epsk { + description + "An EPSK is established or provisioned out of band."; + uses tls13-epsk; + } + } + } + } + + grouping client-identity-with-ref { + description + "Identity credentials that the TLS client may present when + establishing a connection to a TLS server. When configured + and requested by the TLS server when establishing a TLS + session, these credentials are passed in the Certificate + message."; + choice ref-or-explicit { + description + "A choice between a reference or explicit configuration."; + case ref { + description + "Provides a reference to a client identity."; + leaf credentials-reference { + if-feature "credential-reference"; + type sys-tcs-plus:client-credentials-ref; + description + "Specifies the client credentials reference."; + } + } + case explicit { + description + "Explicit configuration of the client identity."; + uses client-identity; + } + } + } + + grouping server-authentication { + description + "Specifies how a TLS client can authenticate TLS servers. + Any combination of credentials is additive and unordered."; + container ca-certs { + presence "Indicates that Certification Authority (CA) + certificates have been configured. + This statement is present so the mandatory descendant + nodes do not imply that this node must be + configured."; + description + "A set of CA certificates used by the TLS client to + authenticate TLS server certificates. + A server certificate is authenticated if it has a valid + chain of trust to a configured CA certificate."; + reference + "RFC 9641: A YANG Data Model for a Truststore"; + uses ts:inline-or-truststore-certs-grouping; + } + container ee-certs { + presence "Indicates that End Entity (EE) certificates have been + configured. + This statement is present so the mandatory descendant + nodes do not imply that this node must be + configured."; + description + "A set of server certificates (i.e., end entity certificates) + used by a TLS client to authenticate certificates + presented by TLS servers. A server certificate is + authenticated if it is an exact match to a configured server + certificate."; + reference + "RFC 9641: A YANG Data Model for a Truststore"; + uses ts:inline-or-truststore-certs-grouping; + } + container raw-public-keys { + if-feature "tlsc:server-auth-raw-public-key"; + presence "Indicates that raw public keys have been configured. + This statement is present so the mandatory descendant + nodes do not imply that this node must be + configured."; + description + "A set of raw public keys used by a TLS client to + authenticate raw public keys presented by the TLS server. + A raw public key is authenticated if it is an exact match + to a configured raw public key."; + reference + "RFC 9641: A YANG Data Model for a Truststore"; + uses ts:inline-or-truststore-public-keys-grouping { + refine "inline-or-truststore/inline/inline-definition/" + + "public-key" { + must 'derived-from-or-self(public-key-format,' + + ' "ct:subject-public-key-info-format")'; + } + refine "inline-or-truststore/central-truststore/" + + "central-truststore-reference" { + must 'not(deref(.)/../ts:public-key/ts:public-key-' + + 'format[not(derived-from-or-self(., "ct:subject-' + + 'public-key-info-format"))])'; + } + } + } + leaf tls13-epsks { + if-feature "tlsc:server-auth-tls13-epsk"; + type empty; + description + "Indicates that a TLS client can authenticate TLS servers + using configured EPSKs."; + } + } + + grouping server-authentication-with-ref { + description + "Specifies how a TLS client can authenticate TLS servers."; + choice ref-or-explicit { + description + "A choice between a reference or explicit configuration."; + case ref { + description + "Provides a reference to server credentials."; + leaf credentials-reference { + if-feature "credential-reference"; + type sys-tcs-plus:server-credentials-ref; + description + "Specifies the server credentials reference."; + } + } + case explicit { + description + "Explicit configuration of credentials of a server."; + uses server-authentication; + } + } + } + + grouping hello-params { + description + "Configurable parameters for the TLS Hello message."; + reference + "RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3, + Section 5.1"; + uses tlscmn:hello-params-grouping { + refine "tls-versions/min" { + must "not(derived-from-or-self(current(), " + + "'tlscmn:tls12'))" { + error-message + "TLS 1.2 is not supported as min TLS version"; + } + } + refine "tls-versions/max" { + must "not(derived-from-or-self(current(), " + + "'tlscmn:tls12'))" { + error-message + "TLS 1.2 is not supported as max TLS version"; + } + } + } + } + + grouping tls-client { + description + "A grouping for configuring a TLS client without any + consideration for how an underlying TCP session is + established."; + container client-identity { + presence "Indicates that a TLS-level client identity has been + configured. + This statement is present so the mandatory descendant + do not imply that this node must be configured."; + description + "Identity credentials that a TLS client may present when + establishing a connection to a TLS server."; + uses client-identity-with-ref; + } + container server-authentication { + must 'credentials-reference or ca-certs or ee-certs or ' + + 'raw-public-keys or tls13-epsks'; + description + "Specifies how a TLS client can authenticate TLS servers."; + uses server-authentication-with-ref; + } + container hello-params { + if-feature "tlscmn:hello-params"; + description + "Configurable parameters for the TLS Hello message."; + uses hello-params; + } + } + + grouping tacacs-plus { + description + "Grouping for TACACS+ attributes."; + container tacacs-plus { + must "not(derived-from-or-self(../sys:authentication" + + "/sys:user-authentication-order, " + + "'sys-tcs-plus:tacacs-plus'))" + + " or bit-is-set(server/server-type,'authentication')" { + error-message + "When 'tacacs-plus' is used as a system authentication + method, a TACACS+ authentication server must be + configured."; + description + "When 'tacacs-plus' is used as an authentication method, + a TACACS+ server must be configured."; + } + description + "Container for TACACS+ configurations and operations."; + list client-credentials { + if-feature "credential-reference"; + key "id"; + description + "Identity credentials that a TLS client may present + when establishing a connection to a TLS server. + A list of client credentials that can be referenced + when configuring server instances."; + nacm:default-deny-write; + leaf id { + type string; + description + "An identifier that uniquely identifies a client + identity within the device configuration."; + } + uses client-identity; + } + list server-credentials { + if-feature "credential-reference"; + key "id"; + description + "Identity credentials that a TLS client may use + to authenticate a TLS server."; + nacm:default-deny-write; + leaf id { + type string; + description + "An identifier that uniquely identifies server + credentials within the device configuration."; + } + uses server-authentication; + } + list server { + key "name"; + unique "address port"; + ordered-by user; + description + "List of TACACS+ servers used by the device."; + leaf name { + type string; + description + "A name that is used to uniquely identify a TACACS+ + server within the device configuration. + This name is not to be confused with the + 'domain-name'."; + } + leaf server-type { + type tacacs-plus-server-type; + mandatory true; + description + "The server type can be authentication, authorization, + accounting, or any combination of the three types."; + } + leaf domain-name { + type inet:domain-name; + description + "Provides a domain name of the TACACS+ server."; + reference + "RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3, + Section 3.4.2"; + } + leaf sni-enabled { + type boolean; + must '../domain-name' { + error-message + "A domain name must be provided to make use of Server + Name Indication (SNI)."; + } + description + "Enables the use of SNI when set to true. Disables the + use of SNI when set to false."; + reference + "RFC 6066: Transport Layer Security (TLS) Extensions: + Extension Definitions, Section 3 + RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3, + Section 3.4.2"; + } + leaf address { + type inet:host; + mandatory true; + description + "The IP address or name of the TACACS+ server."; + } + leaf port { + type inet:port-number; + mandatory true; + description + "The port number of the TACACS+ server. + The default port number for legacy TACACS+ is 49, + while it is 300 for TACACS+ over TLS."; + } + choice security { + mandatory true; + description + "Security mechanism between TACACS+ client and server."; + case tls { + description + "TLS is used to secure TACACS+ exchanges."; + reference + "RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3"; + uses tls-client; + } + case obfuscation { + leaf shared-secret { + type string { + length "1..max"; + } + description + "The shared secret, which is known to both the + TACACS+ client and server. TACACS+ server + administrators SHOULD configure a shared secret with + a minimum length of 16 characters. + It is highly recommended that this shared secret is + at least 32 characters long and sufficiently complex + with a mix of different character types, + i.e., upper case, lower case, numeric, and + punctuation. Note that this security mechanism is + best described as 'obfuscation' and not 'encryption' + as it does not provide any meaningful integrity, + privacy, or replay protection. + + The use of obfuscation is deprecated in favor + of TLS. + + This choice is provided in the model to accommodate + installed base."; + reference + "RFC 8907: The TACACS+ Protocol + RFC 9887: Terminal Access Controller Access-Control + System Plus (TACACS+) over TLS 1.3"; + nacm:default-deny-all; + } + } + } + choice source-type { + description + "The source address type for outbound TACACS+ packets."; + case source-ip { + leaf source-ip { + type inet:ip-address; + description + "Specifies the source IP address for TACACS+ outbound + packets."; + } + } + case source-interface { + leaf source-interface { + type if:interface-ref; + description + "Specifies the interface from which the IP address + is derived for use as the source for outbound + TACACS+ packets."; + } + } + } + leaf vrf-instance { + type leafref { + path "/ni:network-instances/ni:network-instance/ni:name"; + } + must '(not(../source-interface)) or ' + + '(current() = /if:interfaces/if:interface' + + '[if:name = current()/../source-interface]' + + '/ni:bind-ni-name)' { + error-message + "VRF instance must match the network instance of the + source interface."; + } + description + "Specifies the VPN Routing and Forwarding (VRF) instance + to use to communicate with the TACACS+ server. + If 'source-interface' is configured, this value MUST + match the network instance bound to the source interface + (via bind-ni-name)."; + reference + "RFC 8529: YANG Data Model for Network Instances"; + } + leaf single-connection { + type boolean; + default "false"; + description + "Indicates whether the Single Connection Mode is enabled + for the server."; + reference + "RFC 8907: The TACACS+ Protocol, Section 4.3"; + } + leaf timeout { + type uint16 { + range "1..max"; + } + units "seconds"; + default "5"; + description + "The number of seconds that the device will wait for a + response from each TACACS+ server before trying with a + different server."; + } + uses statistics; + } + } + } + + augment "/sys:system" { + description + "Augments the system model with the tacacs-plus data nodes."; + uses tacacs-plus; + } +}