[167792] in North American Network Operators' Group
Re: The state of TACACS+
daemon@ATHENA.MIT.EDU (cb.list6)
Mon Dec 30 09:07:34 2013
In-Reply-To: <20131230135948.GA12614@pob.ytti.fi>
Date: Mon, 30 Dec 2013 06:07:17 -0800
From: "cb.list6" <cb.list6@gmail.com>
To: Saku Ytti <saku@ytti.fi>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 30, 2013 9:01 AM, "Saku Ytti" <saku@ytti.fi> wrote:
>
> On (2013-12-30 08:49 -0500), Christopher Morrow wrote:
>
> > Nor accounting...
>
> I think this is probably sufficient justification for TACACS+. I'm not
> sure if command authorization is sufficient, as you can deliver group via
> RADIUS which maps to authorized commands.
> But if you must support accounting, per-command authorization comes as a
> free gift more or less.
>
Yes. Per-command auth and accounting are needed.
So what we need is TACACS over TLS (SCTP / IPv6).
I agree TACACS is long in the tooth and needs to be revisited and invested
in. Please take my money (seriously).
CB
> --
> ++ytti
>
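The "tacacs over TLS" wish above is easier to weigh with the wire format in front of you, so here is an added worked example that is not part of the thread and not code from any TACACS+ implementation. It builds a per-command authorization REQUEST (the "service=shell", "cmd=", "cmd-arg=" arguments that per-command authorization and accounting run on), frames it with the 12-byte TACACS+ header, and applies the body obfuscation that RFC 8907 section 4.5 documents: the body is XORed with a chained-MD5 pad derived from the session id, shared key, version and sequence number. The shared key, session id, user, port and remote address are constructed sample values. The last function shows the practical consequence of a plain XOR pad with no integrity check: a single bit flipped on the wire lands, unchanged, in the plaintext the receiver decodes.

```python
"""TACACS+ header framing, authorization REQUEST body and RFC 8907 body obfuscation.

Added illustration for the thread; not code from the thread or from any TACACS+ server.
Key, session id, user, port and address values are constructed sample data.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
VERSION = 0xC0                            # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    The digests are concatenated and truncated to the body length.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_request_body(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 section 6.1) carrying per-command args."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    fixed = bytes([
        0x06,               # authen_method: TAC_PLUS_AUTHEN_METH_TACACSPLUS
        priv_lvl,           # privilege level the user is operating at
        0x01,               # authen_type: TAC_PLUS_AUTHEN_TYPE_ASCII
        0x01,               # authen_service: TAC_PLUS_AUTHEN_SVC_LOGIN
        len(user_b), len(port_b), len(rem_b), len(arg_bs),
    ])
    arg_lens = bytes(len(a) for a in arg_bs)
    return fixed + arg_lens + user_b + port_b + rem_b + b"".join(arg_bs)


def build_packet(ptype, seq_no, session_id, body, key):
    """Header in network byte order followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    """Return (type, seq_no, session_id, plaintext body).

    There is nothing here to verify: a wrong key or a modified body simply
    produces different bytes, which is why the pad is obfuscation, not security.
    """
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return ptype, seq_no, session_id, body
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def malleability_demo(key=b"constructed-shared-secret"):
    """Flip one bit of the obfuscated priv_lvl byte on the wire.

    Returns (original priv_lvl, priv_lvl the receiver decodes, rest-of-body unchanged).
    Because the pad is a plain XOR keystream with no MAC, the flip passes through.
    """
    session_id = 0x1234ABCD  # constructed
    args = ["service=shell", "cmd=show", "cmd-arg=running-config"]
    body = author_request_body("alice", "vty0", "198.51.100.7", args)
    packet = bytearray(build_packet(TYPE_AUTHOR, 1, session_id, body, key))
    packet[HEADER_LEN + 1] ^= 0x08          # priv_lvl is the second body byte
    _, _, _, recovered = parse_packet(bytes(packet), key)
    return body[1], recovered[1], recovered[2:] == body[2:]


if __name__ == "__main__":
    print(malleability_demo())
```

Running `malleability_demo()` on the constructed values turns a privilege-15 request into a privilege-7 one without the receiver noticing, which is the concrete reason a TLS wrapper (or anything with real integrity) belongs under this protocol; it also makes the accounting trail that the thread wants only as trustworthy as the path it travels.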