TACACS+ is now in the v4.0.x branch

Alan DeKok aland at deployingradius.com
Fri Feb 3 16:38:29 CET 2017

On Feb 3, 2017, at 10:26 AM, Michael Ströder <michael at stroeder.com> wrote:
> A good addition for people stuck with legacy network hardware.

  The IETF is in the process of standardizing TACACS+


  Any feedback on the draft would be appreciated.  I've done multiple reviews (it's *horrible*), and the authors are sort of vaguely fixing it.

> What hit me in a former project integrating an LDAP user management with another TACACS+
> server implementation was that IIRC TACACS+ cannot handle users with multiple group
> membership. It was one of the reasons to I wanted to be able to limit user group
> visibility in Æ-DIR for server groups.

  Yeah.  Most TACACS / RADIUS software is designed to implement TACACS+ / RADIUS.  It's not designed to implement custom policies.

  In contrast, the bulk of the FreeRADIUS code is dealing with policies, and with gluing different systems together.

> How does your implementation deal with that?


  We let the administrator do whatever they want with the data. :)

  You have to write your own "unlang" policies to deal with TACACS+ attributes.  There is no module which reads "standard" TACACS+ files and enforces the policies.  That should be written (hint hint).

  The point is that the *hard* part is getting the protocol implemented.  Once the attributes are in the server, it becomes a lot simpler.

  Alan DeKok.

More information about the Freeradius-Users mailing list