TACACS+ is now in the v4.0.x branch
Michael Ströder
michael at stroeder.com
Fri Feb 3 16:47:57 CET 2017
Alan DeKok wrote:
> On Feb 3, 2017, at 10:26 AM, Michael Ströder <michael at stroeder.com> wrote:
>>
>> A good addition for people stuck with legacy network hardware.
>
> The IETF is in the process of standardizing TACACS+
>
> https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-05
>
> Any feedback on the draft would be appreciated. I've done multiple reviews (it's
> *horrible*), and the authors are sort of vaguely fixing it.
Haven't looked at it for a while but I vaguely remember the I-D above was just meant to
document current TACACS+ usage and not to fix the protocol's deficiencies. This scope
might have changed but I don't know.
>> What hit me in a former project integrating an LDAP user management with another
>> TACACS+ server implementation was that IIRC TACACS+ cannot handle users with
>> multiple group memberships. It was one of the reasons I wanted to be able to limit
>> user group visibility in Æ-DIR for server groups.
>
> Yeah. Most TACACS / RADIUS software is designed to implement TACACS+ / RADIUS. It's
> not designed to implement custom policies.
>
> In contrast, the bulk of the FreeRADIUS code is dealing with policies, and with gluing
> different systems together.
Similarly, most LDAP deployments use LDAP servers as a dumb backend database, while I put
policies into Æ-DIR's schema / data structures.
>> How does your implementation deal with that?
>
> We let the administrator do whatever they want with the data. :)
I sort of expected "man unlang". ;-)
Ciao, Michael.