Disclaimer: I am not a TACACS+ nor a TLS expert. Overall the document looks good. Here are what I perceive are issues which should be addressed. "leaf address": it is of type inet:host, so is not necessarily an IP address as per the name and description. Rename to "server" or "host"? But this would be a non backwards compatible change.... At least change the description to say "IP address or host name of the ACACS+ server." leaf address { type inet:host; mandatory true; description "The address of the TACACS+ server."; } It is not clear to me why "leaf domain-name" was added. Section 3 refers to section 3.3 of [I-D.ietf-opsawg-tacacs-tls13] but that section does not mention domain-name. 'domain-name': Provides a domain name of the server per Section 3.3 of [I-D.ietf-opsawg-tacacs-tls13]. "leaf vrf-instance": not needed if source-type is source-interface (since the VRF of the source interface would be used)? Add "must not()" statement or describe the behaviour if vrf-instance does not have the same value as source-interface's VRF. "leaf port": remove the commented out “default 49”? "choice source-type": do we need “mandatary true”? Same question for the 2 instances of “choice ref-or-explicit” "leaf single-connection": please add a reference. I think that should be to Section 4.3 of [RFC8907].