TACACS+ is now in the v4.0.x branch
Alan DeKok
aland at deployingradius.com
Fri Feb 3 16:38:29 CET 2017
On Feb 3, 2017, at 10:26 AM, Michael Ströder <michael at stroeder.com> wrote:
>
> A good addition for people stuck with legacy network hardware.
The IETF is in the process of standardizing TACACS+
https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-05
Any feedback on the draft would be appreciated. I've done multiple reviews (it's *horrible*), and the authors are sort of vaguely fixing it.
> What hit me in a former project integrating an LDAP user management with another TACACS+
> server implementation was that IIRC TACACS+ cannot handle users with multiple group
> membership. It was one of the reasons I wanted to be able to limit user group
> visibility in Æ-DIR for server groups.
Yeah. Most TACACS / RADIUS software is designed to implement TACACS+ / RADIUS. It's not designed to implement custom policies.
In contrast, the bulk of the FreeRADIUS code is dealing with policies, and with gluing different systems together.
> How does your implementation deal with that?
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/sites-available/tacacs
We let the administrator do whatever they want with the data. :)
You have to write your own "unlang" policies to deal with TACACS+ attributes. There is no module which reads "standard" TACACS+ files and enforces the policies. That should be written (hint hint).
The point is that the *hard* part is getting the protocol implemented. Once the attributes are in the server, it becomes a lot simpler.
Alan DeKok.
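The multiple-group-membership problem raised above, as an added illustration that is neither FreeRADIUS code nor an unlang policy: a small Python resolver that collapses a user's LDAP memberOf values into the single priv-lvl and service set a TACACS+ authorization reply can carry, with an explicit deny group and least-privilege fallback. The group DNs, the policy table and the sample memberships are constructed for this example.

```python
# Added example, not FreeRADIUS or unlang code: how a policy layer can map a
# user's several LDAP group memberships onto the one privilege level and one set
# of services that a TACACS+ authorization reply can express.
# Group DNs, the policy table and sample users are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPolicy:
    priv_lvl: int          # value for the TACACS+ "priv-lvl" argument
    services: frozenset    # TACACS+ "service=" values the group may request
    deny: bool = False     # membership that blocks device access outright


# Constructed policy table: what each directory group grants on network devices.
POLICY = {
    "cn=netadmins,ou=groups,dc=example,dc=org": GroupPolicy(15, frozenset({"shell"})),
    "cn=netops,ou=groups,dc=example,dc=org":    GroupPolicy(7, frozenset({"shell", "ppp"})),
    "cn=helpdesk,ou=groups,dc=example,dc=org":  GroupPolicy(1, frozenset({"shell"})),
    "cn=suspended,ou=groups,dc=example,dc=org": GroupPolicy(0, frozenset(), deny=True),
}


def resolve_authorization(member_of):
    """Collapse LDAP memberOf DNs into one TACACS+ authorization decision.

    Rules: any deny group wins; otherwise the user receives the highest
    priv-lvl among matching groups and the union of their services.  Unknown
    groups are ignored, and a user matching no group is denied (least
    privilege).  Returns None to deny, else {"priv-lvl": int, "services": [...]}.
    """
    matched = [POLICY[dn] for dn in member_of if dn in POLICY]
    if not matched or any(p.deny for p in matched):
        return None
    services = set().union(*(p.services for p in matched))
    return {
        "priv-lvl": max(p.priv_lvl for p in matched),
        "services": sorted(services),
    }


if __name__ == "__main__":
    # Constructed sample user holding two memberships at once.
    print(resolve_authorization([
        "cn=netops,ou=groups,dc=example,dc=org",
        "cn=helpdesk,ou=groups,dc=example,dc=org",
    ]))
```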
More information about the Freeradius-Users mailing list