On Feb 3, 2017, at 10:26 AM, Michael Ströder <michael@stroeder.com> wrote:
A good addition for people stuck with legacy network hardware.
The IETF is in the process of standardizing TACACS+ https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-05 Any feedback on the draft would be appreciated. I've done multiple reviews (it's *horrible*), and the authors are sort of vaguely fixing it.
What hit me in a former project integrating an LDAP user management with another TACACS+ server implementation was that IIRC TACACS+ cannot handle users with multiple group membership. It was one of the reasons to I wanted to be able to limit user group visibility in Æ-DIR for server groups.
Yeah. Most TACACS / RADIUS software is designed to implement TACACS+ / RADIUS. It's not designed to implement custom policies. In contrast, the bulk of the FreeRADIUS code is dealing with policies, and with gluing different systems together.
How does your implementation deal with that?
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-avai... We let the administrator do whatever they want with the data. :) You have to write your own "unlang" policies to deal with TACACS+ attributes. There is no module which reads "standard" TACACS+ files and enforces the policies. That should be written (hint hint). The point is that the *hard* part is getting the protocol implemented. Once the attributes are in the server, it becomes a lot simpler. Alan DeKok.