TACACS+ is now in the v4.0.x branch
michael at stroeder.com
Fri Feb 3 16:47:57 CET 2017
Alan DeKok wrote:
> On Feb 3, 2017, at 10:26 AM, Michael Ströder <michael at stroeder.com> wrote:
>> A good addition for people stuck with legacy network hardware.
> The IETF is in the process of standardizing TACACS+.
> Any feedback on the draft would be appreciated. I've done multiple reviews (it's
> *horrible*), and the authors are sort of vaguely fixing it.
Haven't looked at it for a while but I vaguely remember the I-D above was just meant to
document current TACACS+ usage and not to fix the protocol's deficiencies. This scope
might have changed but I don't know.
>> What hit me in a former project integrating an LDAP user management with another
>> TACACS+ server implementation was that IIRC TACACS+ cannot handle users with
>> multiple group membership. It was one of the reasons I wanted to be able to limit
>> user group visibility in Æ-DIR for server groups.
> Yeah. Most TACACS / RADIUS software is designed to implement TACACS+ / RADIUS. It's
> not designed to implement custom policies.
> In contrast, the bulk of the FreeRADIUS code is dealing with policies, and with gluing
> different systems together.
Similarly, most LDAP deployments use LDAP servers as a dumb backend database, while I put
policies into Æ-DIR's schema / data structures.
>> How does your implementation deal with that?
> We let the administrator do whatever they want with the data. :)
I sort of expected "man unlang". ;-)
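The multi-group problem described above, collapsing several LDAP group memberships into the single
authorization answer a TACACS+ client expects, is exactly the kind of policy that ends up in unlang.
The following is an added example, not code from this thread or from the FreeRADIUS project. It is
written in FreeRADIUS 3.x unlang syntax (the v4 syntax and its TACACS+ attribute names differ), it
assumes an rlm_ldap instance named "ldap" whose "group" section is configured so that
"&LDAP-Group == ..." performs a membership check, and it uses a hypothetical attribute
Net-Priv-Level that would need a local dictionary entry and a mapping to the NAS-facing reply.

```unlang
# Added example (not from the thread or the FreeRADIUS project). FreeRADIUS 3.x unlang.
# Assumptions: rlm_ldap instance "ldap" with group lookups configured; Net-Priv-Level is a
# hypothetical local dictionary attribute standing in for the privilege level sent to the NAS.
authorize {
    ldap
    if (notfound || reject) {
        # Unknown account: stop here rather than letting later modules decide.
        reject
    }

    # A user may be in several LDAP groups, but only one privilege level can be returned.
    # Evaluate groups in descending privilege order and take the first match, so the result
    # is deterministic regardless of the order LDAP returns memberships in.
    if (&LDAP-Group == "net-admins") {
        update control { &Net-Priv-Level := 15 }
    }
    elsif (&LDAP-Group == "net-operators") {
        update control { &Net-Priv-Level := 7 }
    }
    elsif (&LDAP-Group == "net-readonly") {
        update control { &Net-Priv-Level := 1 }
    }
    else {
        # Authenticated account with no recognised group: deny instead of a silent default.
        reject
    }

    update reply {
        &Reply-Message := "priv-lvl %{control:Net-Priv-Level}"
    }
}
```

The ordering is the policy decision worth reviewing: "most privileged group wins" is convenient, but
a site that treats overlapping memberships as a provisioning error may instead want an explicit
conflict check that rejects when more than one of the admin-level groups matches.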
More information about the Freeradius-Users