module ietf-tacacs {
namespace "urn:ietf:params:xml:ns:yang:ietf-tacacs";
prefix tcs;
import ietf-inet-types {
prefix inet;
}
import ietf-network-instance {
prefix ni;
}
import ietf-system {
prefix sys;
}
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web:
WG List:
Editor: Guangying Zheng
";
description
"This module provide defines a component that describe the
configuration of TACACS+.";
revision 2018-06-25 {
description
"Initial revision.";
reference "foo";
}
typedef password-extend {
type string {
length "1..255";
}
description
"now password extend is like string";
}
typedef timezone-name {
type string;
description
"A time zone name as used by the Time Zone Database,
sometimes referred to as the 'Olson Database'.
The exact set of valid values is an implementation-specific
matter. Client discovery of the exact set of time zone names
for a particular server is out of scope.";
reference "RFC 6557: Procedures for Maintaining the Time Zone Database";
}
typedef server-state {
type enumeration {
enum "up" {
description
"The server is active.";
}
enum "down" {
description
"The server is inactive.";
}
}
description
"The type of tacacs server state";
}
typedef server-type {
type enumeration {
enum "authentication" {
description
"The server is an authentication server.";
}
enum "authorization" {
description
"The server is an authorization server.";
}
enum "accounting" {
description
"The server is an accounting server.";
}
enum "common" {
description
"The server is a common server.";
}
}
description
"The type of tacacs server";
}
typedef domain-include {
type enumeration {
enum "no" {
description
"User name excludes domain.";
}
enum "yes" {
description
"User name includes domain.";
}
enum "original" {
description
"User name same as user input.";
}
}
description
"The type of domain mode";
}
feature tacacs {
description
"Indicates that the device can be configured as a tacacs
client.";
}
grouping tacacs {
container tacacs {
if-feature tacacs;
description
"Container for TACACS configurations and operations.";
container global-attributes {
description
"TACACS global attributes.";
leaf enable {
type boolean;
default "false";
description
"Whether the TACACS server is enabled.";
}
leaf total-templates {
type uint32;
config false;
description
"Total number of TACACS templates configured.";
}
leaf total-servers {
type uint32;
config false;
description
"Total number of TACACS servers configured.";
}
leaf service-name {
type string {
length "1..32";
}
description
"TACACS service name.";
}
}
container tacacs-templates {
description
"A set of TACACS templates.";
list tacacs-template {
key "name";
description
"List for tacacs template.";
leaf name {
type string;
description
"Name of a TACACS template, it is not case sensitive. The template name can have alphabets a to z (case insensitive) and numbers from 0 to 9 or symbols ('.', '-' and '_').";
}
leaf domain-include {
type boolean;
default "true";
description
"Whether a domain name is included in a user name. By default, a user name contains the domain name.";
}
leaf timeout {
type uint32 {
range "1..300";
}
default "5";
description
"Server response timeout period. The default timeout period is 5 seconds.";
}
leaf quiet-time {
type uint32 {
range "1..255";
}
default "5";
description
"Time period after which the primary server restores to active. The default time period is 5 minutes. The time period can be modified no matter whether users are using the TACACS template.";
}
leaf shared-key {
type password-extend;
description
"Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured.";
}
leaf source-ip {
type inet:ipv4-address-no-zone;
description
"Source IP address for a TACACS server.";
}
leaf domain-mode {
type domain-include;
default "yes";
description
"To configure domain Mode";
}
leaf pri-authen-srv {
type inet:ipv4-address-no-zone;
config false;
description
"IP address of the primary authentication server.";
}
leaf pri-common-srv {
type inet:ipv4-address-no-zone;
config false;
description
"IP address of the primary common server.";
}
leaf pri-author-srv {
type inet:ipv4-address-no-zone;
config false;
description
"IP address of the primary authorization server.";
}
leaf cur-authen-srv {
type inet:ipv4-address-no-zone;
config false;
description
"IP address of the authentication server being used.";
}
leaf cur-author-srv {
type inet:ipv4-address-no-zone;
config false;
description
"IP address of authorization server being used.";
}
leaf sec-authen-srv-num {
type uint32;
config false;
description
"Total number of configured secondary authentication servers in the template.";
}
leaf sec-common-srv-num {
type uint32;
config false;
description
"Total number of configured secondary common servers in the template.";
}
leaf sec-author-srv-num {
type uint32;
config false;
description
"Total number of configured secondary authorization servers in the template.";
}
leaf pri-authen-port {
type uint32;
config false;
description
"Port of the primary authentication server.";
}
leaf pri-common-port {
type uint32;
config false;
description
"Port of the primary common server.";
}
leaf pri-author-port {
type uint32;
config false;
description
"Port of the primary authorization server.";
}
leaf cur-authen-port {
type uint32;
config false;
description
"Authentication server port being used.";
}
leaf cur-author-port {
type uint32;
config false;
description
"Authorization server port being used.";
}
leaf authen-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authentication server.";
}
leaf authen-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authentication server.";
}
leaf authen-reqs-num {
type uint32;
config false;
description
"Number of authentication requests. ";
}
leaf authen-rsps-num {
type uint32;
config false;
description
"Number of authentication responses.";
}
leaf authen-unknowns-num {
type uint32;
config false;
description
"Number of unknown authentication packets received by the TACACS client.";
}
leaf authen-timeouts-num {
type uint32;
config false;
description
"Number of times that authentication times out.";
}
leaf authen-pkts-drop-num {
type uint32;
config false;
description
"Number of times that authentication packets are dropped.";
}
leaf authen-passwords-change-num {
type uint32;
config false;
description
"Number of times that the password is changed for authentication.";
}
leaf authen-logins-num {
type uint32;
config false;
description
"Number of authentication logins.";
}
leaf authen-send-reqs-num {
type uint32;
config false;
description
"Number of authentication requests sent to server.";
}
leaf authen-send-passwords-num {
type uint32;
config false;
description
"Number of authentication password requests sent to the server.";
}
leaf authen-abort-reqs-num {
type uint32;
config false;
description
"Number of authentication abort requests sent to server.";
}
leaf authen-connection-reqs-num {
type uint32;
config false;
description
"Number of authentication connection requests sent to server.";
}
leaf authen-rsp-errs-num {
type uint32;
config false;
description
"Number of authentication error responses received from server.";
}
leaf authen-rsp-fails-num {
type uint32;
config false;
description
"Number of authentication response failures received from server.";
}
leaf authen-rsp-follows-num {
type uint32;
config false;
description
"Number of authentication Follow responses received from server.";
}
leaf authen-get-data-num {
type uint32;
config false;
description
"Number of authentication date responses received from server.";
}
leaf authen-get-password-num {
type uint32;
config false;
description
"Number of authentication password responses received from server.";
}
leaf authen-get-user-num {
type uint32;
config false;
description
"Number of authentication user responses received from server.";
}
leaf authen-rsps-pass-num {
type uint32;
config false;
description
"Number of authentication-pass responses received from server.";
}
leaf authen-restart-num {
type uint32;
config false;
description
"Number of authentication-restart responses received from server.";
}
leaf authen-no-process-num {
type uint32;
config false;
description
"Number of authentication requests that are not processed.";
}
leaf authen-time {
type uint32;
config false;
description
"Time (in tick) taken to complete the authentication.";
}
leaf authen-errors-num {
type uint32;
config false;
description
"Number of authentication errors.";
}
leaf author-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authorization server.";
}
leaf author-srv-disconnected-num{
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authorization server.";
}
leaf author-reqs-num {
type uint32;
config false;
description
"Number of authorization requests. ";
}
leaf author-rsps-num {
type uint32;
config false;
description
"Number of authorization responses.";
}
leaf author-unknowns-num {
type uint32;
config false;
description
"Number of unknown authorization packets received by TACACS client.";
}
leaf author-timeouts-num {
type uint32;
config false;
description
"Number of times that authorization times out.";
}
leaf author-pkts-drop-num {
type uint32;
config false;
description
"Number of times that authorization packets are dropped.";
}
leaf author-reqs-exec-num {
type uint32;
config false;
description
"Number of authorization requests for execute.";
}
leaf author-ppp-num {
type uint32;
config false;
description
"Number of authorization requests for PPP.";
}
leaf author-vpdn-num{
type uint32;
config false;
description
"Number of authorization requests for VPDN.";
}
leaf author-rsps-err-num {
type uint32;
config false;
description
"Number of authorization error responses.";
}
leaf author-rsps-exec-num {
type uint32;
config false;
description
"Number of authorization execute responses.";
}
leaf author-rsps-ppp-num {
type uint32;
config false;
description
"Number of authorization PPP responses.";
}
leaf author-rsps-vpdn-num {
type uint32;
config false;
description
"Number of authorization VPDN responses.";
}
leaf author-time {
type uint32;
config false;
description
"Time (in tick) taken to complete authorization.";
}
leaf author-reqs-not-process-num {
type uint32;
config false;
description
"Number of authorization requests that are not processed.";
}
leaf author-errors-num {
type uint32;
config false;
description
"Number of authorization errors.";
}
leaf sec-accounting-servers-num {
type uint32;
config false;
description
"Number of secondary accounting servers in the template.";
}
leaf cur-account-port {
type uint32;
config false;
description
"Accounting server port being used.";
}
leaf pri-account-port {
type uint32;
config false;
description
"Port of the primary accounting server.";
}
leaf cur-account-srv {
type inet:ipv4-address-no-zone;
config false;
description
"Accounting server port being used.";
}
leaf pri-account-srv {
type inet:ipv4-address-no-zone;
config false;
description
"Primary accounting server.";
}
leaf account-pkts-stop-num {
type uint32;
config false;
description
"Number of responses to accounting-stop packets.";
}
leaf account-rsps-pass-num {
type uint32;
config false;
description
"Number of responses to accounting-pass packets.";
}
leaf account-rsps-num {
type uint32;
config false;
description
"Number of responses to accounting requests.";
}
leaf account-srvs-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the accounting server.";
}
leaf account-pkts-rsps-num {
type uint32;
config false;
description
"Number of responses to accounting-start packets.";
}
leaf account-reqs-num {
type uint32;
config false;
description
"Number of accounting requests sent to the server.";
}
leaf account-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the accounting server.";
}
leaf account-rsps-errs-num {
type uint32;
config false;
description
"Number of abnormal accounting responses received from the server.";
}
leaf account-follow-rsps-num {
type uint32;
config false;
description
"Number of accounting Follow responses received from server.";
}
leaf account-reqs-not-process-num {
type uint32;
config false;
description
"Number of accounting requests that are not processed.";
}
container tacacs-servers {
description
"A set of TACACS servers.";
list tacacs-server {
key "server-ip server-type secondary-server network-instance public-net";
description
"TACACS IPV4 server. A maximum 32 servers can be configured in one template ";
leaf server-ip {
type inet:ipv4-address-no-zone;
description
"Server IPv4 address. Must be a valid unicast IP address.";
}
leaf server-type {
type server-type;
description
"Server type: authentication/authorization/accounting/common.";
}
leaf secondary-server {
type boolean;
description
"Whether the server is secondary. By default, a server is a secondary server.";
}
leaf network-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"VPN instance name.";
}
leaf public-net {
type boolean;
description
"Set the public-net.";
}
leaf server-port {
type uint32 {
range "1..65535";
}
default "49";
description
"Server port. Value range: 1-65535. The default port number is 49.";
}
leaf mux-mode-enable {
type boolean;
default "false";
description
"Whether the MUX mode is enabled for the server. By default, the MUX mode is disabled.";
}
leaf server-current-state {
type server-state;
config false;
description
"Server running status.";
}
leaf current-srv {
type boolean;
default "false";
config false;
description
"Whether the server is being used.";
}
leaf shared-key {
type password-extend;
description
"Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured.";
}
leaf authen-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authentication server.";
}
leaf authen-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authentication server.";
}
leaf authen-reqs-num {
type uint32;
config false;
description
"Number of authentication requests. ";
}
leaf authen-rsps-num {
type uint32;
config false;
description
"Number of authentication responses.";
}
leaf author-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authorization server.";
}
leaf author-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authorization server.";
}
leaf author-reqs-num {
type uint32;
config false;
description
"Number of authorization requests. ";
}
leaf author-rsps-num {
type uint32;
config false;
description
"Number of authorization responses.";
}
leaf acct-reqs-num {
type uint32;
config false;
description
"Number of accounting requests. ";
}
leaf acct-rsps-num {
type uint32;
config false;
description
"Number of accounting responses.";
}
leaf acct-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the accounting server.";
}
leaf acct-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the accounting server.";
}
}
}
container ipv6-servers {
description
"A set of TACACS servers.";
list ipv6-server {
key "server-ip server-type secondary-server network-instance";
description
"TACACS IPV6 server. A maximum 32 servers can be configured in one template ";
leaf server-ip {
type inet:ipv6-address-no-zone;
description
"Server IPv6 address. Must be a valid unicast IP address.";
}
leaf server-type {
type server-type;
description
"Server type: authentication/authorization/accounting/common.";
}
leaf secondary-server {
type boolean;
description
"Whether the server is secondary. By default, a server is a secondary server.";
}
leaf network-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"Configure the vpn-instance name.";
}
leaf server-port {
type uint32 {
range "1..65535";
}
default "49";
description
"Server port. Value range: 1-65535. The default port number is 49.";
}
leaf mux-mode-enable {
type boolean;
default "false";
description
"Whether the MUX mode is enabled for the server. By default, the MUX mode is disabled.";
}
leaf server-state {
type server-state;
config false;
description
"Server running status.";
}
leaf current-srv {
type boolean;
default "false";
config false;
description
"Whether the server is being used.";
}
leaf shared-key {
type password-extend;
description
"Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured.";
}
leaf authen-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authentication server.";
}
leaf authen-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authentication server.";
}
leaf authen-reqs-num {
type uint32;
config false;
description
"Number of authentication requests. ";
}
leaf authen-rsps-num {
type uint32;
config false;
description
"Number of authentication responses.";
}
leaf author-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authorization server.";
}
leaf author-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authorization server.";
}
leaf author-reqs-num{
type uint32;
config false;
description
"Number of authorization requests. ";
}
leaf author-rsps-num {
type uint32;
config false;
description
"Number of authorization responses.";
}
leaf acct-reqs-num {
type uint32;
config false;
description
"Number of accounting requests. ";
}
leaf acct-rsps-num {
type uint32;
config false;
description
"Number of accounting responses.";
}
leaf acct-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the accounting server.";
}
leaf acct-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the accounting server.";
}
}
}
container host-servers {
description
"A set of TACACS host servers.";
list host-server {
key "server-host-name server-type secondary-server network-instance public-net";
description
"TACACS host server. A maximum 32 servers can be configured in one template.";
leaf server-host-name {
type string {
length "1..255";
}
description
"Host name of TACACS server. Host name, Can include character '.', '-', '_' and lowercase or uppercase letters and digit, at least include one letter or digit.";
}
leaf server-type {
type server-type;
description
"Server type: authentication/authorization/accounting/common.";
}
leaf secondary-server {
type boolean;
description
"Whether the server is secondary. By default, a server is a secondary server.";
}
leaf network-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
description
"VPN instance name.";
}
leaf public-net {
type boolean;
description
"Set the public-net.";
}
leaf server-port {
type uint32 {
range "1..65535";
}
default "49";
description
"Server port. Value range: 1-65535. The default port number is 49.";
}
leaf mux-mode-enable {
type boolean;
default "false";
description
"Whether the MUX mode is enabled for the server. By default, the MUX mode is disabled.";
}
leaf server-state {
type server-state;
config false;
description
"Server running status.";
}
leaf current-server {
type boolean;
default "false";
config false;
description
"Whether the server is being used.";
}
leaf shared-key {
type password-extend;
description
"Shared key for a TACACS server. Configuring a shared key improves the communication security between a router and TACACS server. By default, no shared key is configured.";
}
leaf authen-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authentication server.";
}
leaf authen-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authentication server.";
}
leaf authen-reqs-num {
type uint32;
config false;
description
"Number of authentication requests. ";
}
leaf authen-rsps-num {
type uint32;
config false;
description
"Number of authentication responses.";
}
leaf author-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the authorization server.";
}
leaf author-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the authorization server.";
}
leaf author-reqs-num {
type uint32;
config false;
description
"Number of authorization requests. ";
}
leaf author-rsps-num {
type uint32;
config false;
description
"Number of authorization responses.";
}
leaf acct-reqs-num {
type uint32;
config false;
description
"Number of accounting requests. ";
}
leaf acct-rsps-num {
type uint32;
config false;
description
"Number of accounting responses.";
}
leaf acct-srv-connected-num {
type uint32;
config false;
description
"Number of times that the TACACS client connected to the accounting server.";
}
leaf acct-srv-disconnected-num {
type uint32;
config false;
description
"Number of times that the TACACS client disconnected from the accounting server.";
}
}
}
}
}
}
description
"Grouping for tacacs";
}
augment "/sys:system" {
uses tacacs;
description
"Augment the system module";
}
rpc rest-all-statistics {
description
"Reset All Statistics.";
}
rpc reset-authen-statistics {
description
"Reset authentication statistics of the TACACS server.";
}
rpc reset-author-statistics {
description
"Reset authorization statistics of the TACACS server.";
}
rpc reset-account-statistics {
description
"Reset accounting statistics of the TACACS server.";
}
rpc reset-common-statistics {
description
"Reset common statistics of the TACACS server.";
}
}