A YANG Data Model for Terminal Access Controller Access-Control System Plus (TACACS+)
draft-ietf-opsawg-tacacs-yang-12

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Joe Clarke <jclarke@cisco.com>, The IESG <iesg@ietf.org>, draft-ietf-opsawg-tacacs-yang@ietf.org, jclarke@cisco.com, opsawg-chairs@ietf.org, opsawg@ietf.org, rfc-editor@rfc-editor.org, rwilton@cisco.com
Subject: Protocol Action: 'A YANG Module for TACACS+' to Proposed Standard (draft-ietf-opsawg-tacacs-yang-12.txt)

The IESG has approved the following document:
- 'A YANG Module for TACACS+'
  (draft-ietf-opsawg-tacacs-yang-12.txt) as Proposed Standard

This document is the product of the Operations and Management Area Working
Group.

The IESG contact persons are Warren Kumari and Robert Wilton.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-yang/


Ballot Text

Technical Summary

   This document defines a Terminal Access Controller Access-Control
   System Plus (TACACS+) client YANG module that augments the System
   Management data model, defined in RFC 7317, to allow devices to make
   use of TACACS+ servers for centralized Authentication, Authorization
   and Accounting (AAA).

Working Group Summary

The contention over TACACS+ in general carried over a bit into the initial development of this document and its module.  To alleviate that, the scope was reduced to avoid an overall AAA module and instead focus on configuring the client side of the TACACS+ protocol specifically.  Towards the end, there was good feedback on YANG structure, terminology and providing an example to make the module's use clearer.

That said, the ietf-system module currently only defines authentication and not authorization and accounting.  So, while the TACACS+ module allows specifying a TACACS+ server that can do both authorization and accounting, the configuration nodes for that are not yet in the ietf-system module.  The intent, as understood by the doc shepherd, is to propose new work to handle those methods in a more general approach outside the restricted scope of this TACACS+ document.

Document Quality

TACACS+ is certainly implemented and deployed. 

Huawei has implemented this draft in their devices.  It is likely that this YANG module will be implemented by other vendors as part of the wider IETF YANG ecosystem.

The document has undergone various expert-level reviews besides the WG review.  In particular, YANG Doctors and SECDIR have reviewed it and said it was ready.  The comments that arose from those reviews have been addressed in revision -05 of the document.

Personnel

Joe Clarke is the Document Shepherd.
Rob Wilton is the responsible Area Director.

RFC Editor Note