Re: [OPSAWG] re opsawg-tacacs-yang & ietf-system user-authen-order

"Joe Clarke (jclarke)" <jclarke@cisco.com> Wed, 20 November 2019 03:53 UTC

From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: john heasley <heas@shrubbery.net>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Date: Wed, 20 Nov 2019 03:53:01 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Cmj5sIkUmUwCboyfkPkjv7Ptu5A>


> On Nov 19, 2019, at 22:17, john heasley <heas@shrubbery.net> wrote:
> 
> Regarding the question, on the second to last page of the opsawg-tacacs-yang
> presentation slides, about the must in model ietf-system, which I believe was
> whether to add a must for tacacs, remove the must for radius, or do nothing;
> that must seems wrong to me.
> 
> I would expect the system to react no differently to missing server
> configuration than to a list of servers that all fail to respond.  Some
> vendors have done this historically in cli.
> 
> Whether ietf-system should be changed, I do not know if it is worth the effort.
> If the WG agrees that its existence is wrong, that might be another question
> for yang doctors.

Thanks, heas.  Apparently, Ebben has already been discussing this with the other docs.  I’ve followed up, and I’m trying to get their take on it. Your point is appreciated.  I tend to agree that if I have no servers, I would just fall back (if fallback was configured).

Joe
