On Nov 19, 2019, at 22:17, john heasley
<[email protected]> wrote:
Regarding the question, on the second to last page of the opsawg-tacacs-yang
presentation slides, about the must in model ietf-system, which I believe was
whether to add a must for tacacs, remove the must for radius, or do nothing;
that must seems wrong to me.
I would expect the system to react no differently to missing server
configuration than to a list of servers that all fail to respond. Some
vendors have done this historically in cli.
Whether ietf-system should be changed, I do not know if it is worth the effort.
If the WG agrees that its existence is wrong, that might be another question
for yang doctors.
Lada replied on YANG docs with a suggestion for the T+ module authors. While
we can’t affect the authentication-order node, the tacacsplus container could
be defined like:
augment "/sys:system" {
  container tacacs {
    // either 'tacacs' is absent from the authentication order,
    // or at least one server entry exists
    must "not(derived-from-or-self("
       + "../sys:authentication/sys:user-authentication-order, 'tacacs'))"
       + " or server";
    list server {
      ...
    }
  }
}
In this manner, T+ can provide enforcement. Lada also mentioned that this
would have been a better way of handling RADIUS in ietf-system. Certainly this
could be an item for a .bis, but I am not sure if this alone is worth taking on
that work.
Joe
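For reference, the suggested container written out as a complete, compilable YANG 1.1 module (an added example, not the draft's module or text from either mail): the module name, namespace, prefix, the identity name `tacacs` and the server leaves are assumptions, chosen only to show what the `must` needs around it (an identity based on `sys:authentication-method`, the `sys` import, and an error-message) before it enforces anything.

```yang
module example-system-tacacs {
  yang-version 1.1;
  namespace "urn:example:system-tacacs";   // hypothetical namespace
  prefix ex-tcs;                           // hypothetical prefix

  import ietf-system { prefix sys; }       // RFC 7317
  import ietf-inet-types { prefix inet; }  // RFC 6991

  // The identity operators list in sys:user-authentication-order.
  // Unprefixed 'tacacs' in the must expression below resolves to it.
  identity tacacs {
    base sys:authentication-method;
    description "Authenticate users against a TACACS+ server.";
  }

  augment "/sys:system" {
    container tacacs {
      // Enforcement lives with the TACACS+ client configuration rather
      // than in ietf-system: the constraint holds when 'tacacs' is not
      // in the authentication order, or when at least one server exists.
      must "not(derived-from-or-self("
         + "../sys:authentication/sys:user-authentication-order, "
         + "'tacacs')) or server" {
        error-message
          "When 'tacacs' is in user-authentication-order, at least "
        + "one TACACS+ server must be configured.";
      }
      list server {
        key "name";
        leaf name {
          type string;
        }
        leaf address {
          type inet:host;
          mandatory true;
        }
      }
    }
  }
}
```

A configuration that lists `ex-tcs:tacacs` in `user-authentication-order` but has no `server` entry fails validation with the error-message above, while removing the identity from the order or adding one server satisfies the constraint.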
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg