From 97161aeadb4b70a0b912c178694a88834430dcba Mon Sep 17 00:00:00 2001 From: shdasari <53248666+shdasari@users.noreply.github.com> Date: Thu, 12 Jan 2023 06:12:24 +0530 Subject: [PATCH] SONiC YANG model for RADIUS. (#12749) #### Why I did it Added SONiC YANG model for RADIUS. Fixes https://github.com/sonic-net/sonic-buildimage/issues/12477 #### How I did it Added the RADIUS and RADIUS_SERVER tables for global and per RADIUS server configuration. RADIUS statistics reside in COUNTERS_DB and are not part of the configuration. These are not a part of this PR. #### How to verify it Compiled sonic_yang_mgmt-1.0-py3-none-any.whl. #### Description for the changelog SONiC YANG model for RADIUS. --- src/sonic-yang-models/doc/Configuration.md | 23 ++ src/sonic-yang-models/setup.py | 1 + .../tests/files/sample_config_db.json | 13 ++ .../tests/yang_model_tests/tests/radius.json | 36 +++ .../yang_model_tests/tests_config/radius.json | 139 +++++++++++ .../yang-models/sonic-system-radius.yang | 215 ++++++++++++++++++ 6 files changed, 427 insertions(+) create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/radius.json create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/radius.json create mode 100644 src/sonic-yang-models/yang-models/sonic-system-radius.yang diff --git a/src/sonic-yang-models/doc/Configuration.md b/src/sonic-yang-models/doc/Configuration.md index b56b9a2fbcd0..1c25f66a61c2 100644 --- a/src/sonic-yang-models/doc/Configuration.md +++ b/src/sonic-yang-models/doc/Configuration.md @@ -65,6 +65,7 @@ Table of Contents * [WRED_PROFILE](#wred_profile) * [PASSWORD_HARDENING](#password_hardening) * [SYSTEM_DEFAULTS table](#systemdefaults-table) + * [RADIUS](#radius) * [For Developers](#for-developers) * [Generating Application Config by Jinja2 Template](#generating-application-config-by-jinja2-template) * [Incremental Configuration by Subscribing to ConfigDB](#incremental-configuration-by-subscribing-to-configdb) @@ -1969,6 +1970,28 @@ The default value of flags in `SYSTEM_DEFAULTS` table can be set in `init_cfg.js If the values in `config_db.json` is changed by user, it will not be rewritten back by `init_cfg.json` as `config_db.json` is loaded after `init_cfg.json` in [docker_image_ctl.j2](https://github.com/Azure/sonic-buildimage/blob/master/files/build_templates/docker_image_ctl.j2) For the flags that can be changed by reconfiguration, we can update entries in `minigraph.xml`, and parse the new values in to config_db with minigraph parser at reloading minigraph. If there are duplicated entries in `init_cfg.json` and `minigraph.xml`, the values in `minigraph.xml` will overwritten the values defined in `init_cfg.json`. + +### RADIUS + +The RADIUS and RADIUS_SERVER tables define RADIUS configuration parameters. RADIUS table carries global configuration while RADIUS_SERVER table carries per server configuration. + +``` + "RADIUS": { + "global": { + "auth_type": "pap", + "timeout": "5" + } + } + + "RADIUS_SERVER": { + "192.168.1.2": { + "priority": "4", + "retransmit": "2", + "timeout": "5" + } + } +``` + #### 5.2.3 Update value directly in db memory For Developers diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py index 46e48aae8203..783dfb8be1a1 100644 --- a/src/sonic-yang-models/setup.py +++ b/src/sonic-yang-models/setup.py @@ -145,6 +145,7 @@ def run(self): './yang-models/sonic-syslog.yang', './yang-models/sonic-system-aaa.yang', './yang-models/sonic-system-tacacs.yang', + './yang-models/sonic-system-radius.yang', './yang-models/sonic-telemetry.yang', './yang-models/sonic-tunnel.yang', './yang-models/sonic-types.yang', diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index 63e15f052366..2d1f672542c7 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json @@ -1349,6 +1349,19 @@ "timeout": "10" } }, + "RADIUS": { + "global": { + "auth_type": "pap", + "timeout": "5" + } + }, + "RADIUS_SERVER": { + "192.168.1.2": { + "priority": "4", + "retransmit": "2", + "timeout": "5" + } + }, "NAT_BINDINGS": { "bind1": { "nat_pool": "pool1", diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/radius.json b/src/sonic-yang-models/tests/yang_model_tests/tests/radius.json new file mode 100644 index 000000000000..c7e68740881f --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/radius.json @@ -0,0 +1,36 @@ +{ + "RADIUS_TEST": { + "desc": "RADIUS global configuration in the RADIUS table." + }, + "RADIUS_INVALID_SRC_IP_TEST": { + "desc": "Radius global configuration with invalid Src IP value in RADIUS table.", + "eStr": "InvalidValue" + }, + "RADIUS_INVALID_TIMEOUT_TEST": { + "desc": "Radius global configuration with invalid timeout in RADIUS table.", + "eStr": "RADIUS timeout must be 1..60." + }, + "RADIUS_SERVER_TEST" : { + "desc": "Radius server configuration in RADIUS_SERVER table." + }, + "RADIUS_SERVER_INVALID_PRIORITY_TEST": { + "desc": "Radius server configuration with invalid priority value in RADIUS_SERVER table.", + "eStr": "RADIUS priority must be 1..64." + }, + "RADIUS_SERVER_INVALID_TIMEOUT_TEST" : { + "desc": "Radius server configuration with invalid timeout value in RADIUS_SERVER table.", + "eStr": "RADIUS timeout must be 1..60." + }, + "RADIUS_SERVER_INVALID_RETRANSMIT_TEST" : { + "desc": "Radius server configuration with invalid retransmit value in RADIUS_SERVER table.", + "eStr": "RADIUS retransmit must be 0..10." + }, + "RADIUS_SERVER_INVALID_AUTH_TYPE_TEST" : { + "desc": "Radius server configuration with invalid auth type in RADIUS_SERVER table.", + "eStrKey": "InvalidValue" + }, + "RADIUS_SERVER_INVALID_VRF_TEST" : { + "desc": "Radius server configuration with invalid VRF in RADIUS_SERVER table.", + "eStr": "Invalid VRF name" + } +} diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/radius.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/radius.json new file mode 100644 index 000000000000..3f58635ef753 --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/radius.json @@ -0,0 +1,139 @@ +{ + "RADIUS_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS": { + "global": { + "auth_type": "chap", + "timeout": 5, + "passkey": "brcm123" + } + } + } + }, + + "RADIUS_INVALID_SRC_IP_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS": { + "global": { + "auth_type": "chap", + "src_ip": "INVALID" + } + } + } + }, + + "RADIUS_INVALID_TIMEOUT_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS": { + "global": { + "auth_type": "chap", + "timeout": 70 + } + } + } + }, + + "RADIUS_SERVER_TEST": { + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth8", + "description": "Ethernet8", + "lanes": "65", + "mtu": 9000, + "name": "Ethernet0", + "speed": 25000 + } + ] + } + }, + + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "priority": 5, + "timeout": 6, + "auth_type": "chap", + "passkey": "brcm123", + "src_intf": "Ethernet0", + "vrf": "default" + }, + { + "ipaddress": "10.10.10.10", + "priority": 2, + "timeout": 15, + "auth_type": "pap", + "passkey": "sonic_123", + "vrf": "mgmt" + } + ] + } + } + }, + + "RADIUS_SERVER_INVALID_PRIORITY_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "priority": 70 + } + ] + } + } + }, + "RADIUS_SERVER_INVALID_TIMEOUT_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "timeout": 70 + } + ] + } + } + }, + "RADIUS_SERVER_INVALID_RETRANSMIT_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "retransmit": 20 + } + ] + } + } + }, + "RADIUS_SERVER_INVALID_AUTH_TYPE_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "auth_type": "123" + } + ] + } + } + }, + "RADIUS_SERVER_INVALID_VRF_TEST": { + "sonic-system-radius:sonic-system-radius": { + "sonic-system-radius:RADIUS_SERVER": { + "RADIUS_SERVER_LIST": [ + { + "ipaddress": "192.168.1.1", + "vrf": "Vrf1" + } + ] + } + } + } + +} diff --git a/src/sonic-yang-models/yang-models/sonic-system-radius.yang b/src/sonic-yang-models/yang-models/sonic-system-radius.yang new file mode 100644 index 000000000000..2bf92f206c6c --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-system-radius.yang @@ -0,0 +1,215 @@ +module sonic-system-radius { + namespace "http://github.com/sonic-net/sonic-system-radius"; + prefix ssys; + yang-version 1.1; + + import ietf-inet-types { + prefix inet; + } + + import sonic-port { + prefix port; + } + + import sonic-portchannel { + prefix lag; + } + +// Comment sonic-vlan import here until libyang back-links issue is resolved for VLAN leaf reference. +// import sonic-vlan { +// prefix vlan; +// } + + import sonic-loopback-interface { + prefix loopback; + } + + import sonic-mgmt_port { + prefix mgmt-port; + } + + import sonic-interface { + prefix interface; + } + + description + "SONiC RADIUS"; + + revision 2022-11-11 { + description "Initial revision."; + } + + typedef auth_type_enumeration { + type enumeration { + enum pap; + enum chap; + enum mschapv2; + } + } + + + container sonic-system-radius { + + container RADIUS { + + container global { + + + leaf passkey { + type string { + length "1..65"; + pattern "[^ #,]*" { + error-message 'RADIUS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")'; + } + } + description + 'RADIUS global shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")'; + } + + leaf auth_type { + default "pap"; + type auth_type_enumeration; + description + "RADIUS global method used for authenticating the comm. mesg."; + } + + leaf src_ip { + type inet:ip-address; + description + "source IP address (IPv4 or IPv6) for the outgoing RADIUS pkts."; + } + + leaf nas_ip { + type inet:ip-address; + description + "NAS-IP|IPV6-Address attribute for the outgoing RADIUS pkts."; + } + + leaf statistics { + type boolean; + description + "Should statistics collection be enabled/disabled"; + } + + leaf timeout { + default 5; + type uint16 { + range "1..60" { + error-message "RADIUS timeout must be 1..60"; + } + } + } + + leaf retransmit { + default 3; + type uint8 { + range "0..10" { + error-message "RADIUS retransmit must be 0..10"; + } + } + } + } + } + + container RADIUS_SERVER { + + list RADIUS_SERVER_LIST { + key "ipaddress"; + + max-elements 8; + + leaf ipaddress { + type inet:host; + description + "RADIUS server's Domain name or IP address (IPv4 or IPv6)"; + } + + leaf auth_port { + default 1812; + type inet:port-number; + description + "RADIUS authentication port number."; + } + + leaf passkey { + type string { + length "1..65"; + pattern "[^ #,]*" { + error-message 'RADIUS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")'; + } + } + description + 'RADIUS servers shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")'; + } + + leaf auth_type { + default "pap"; + type auth_type_enumeration; + description + "RADIUS server's method used for authenticating the comm. mesg."; + } + + leaf priority { + type uint8 { + range "1..64" { + error-message "RADIUS priority must be 1..64"; + } + } + description + "RADIUS server's priority"; + } + + leaf timeout { + default 5; + type uint16 { + range "1..60" { + error-message "RADIUS timeout must be 1..60"; + } + } + } + + leaf retransmit { + default 3; + type uint8 { + range "0..10" { + error-message "RADIUS retransmit must be 0..10"; + } + } + } + + leaf vrf { + type string { + pattern "mgmt|default" { + error-message "Error: Invalid VRF name"; + } + } + description + "VRF name"; + + } + + leaf src_intf { + type union { + type leafref { + path "/port:sonic-port/port:PORT/port:PORT_LIST/port:name"; + } + type leafref { + path "/lag:sonic-portchannel/lag:PORTCHANNEL/lag:PORTCHANNEL_LIST/lag:name"; + } + type string { + pattern 'Vlan([0-9]{1,3}|[1-3][0-9]{3}|[4][0][0-8][0-9]|[4][0][9][0-4])'; + } + + type leafref { + path "/loopback:sonic-loopback-interface/loopback:LOOPBACK_INTERFACE/loopback:LOOPBACK_INTERFACE_LIST/loopback:name"; + } + type leafref { + path "/mgmt-port:sonic-mgmt_port/mgmt-port:MGMT_PORT/mgmt-port:MGMT_PORT_LIST/mgmt-port:name"; + } + } + description "Source interface to use for RADIUS server communication."; + } + } + } + } +}