[Freeipa-users] Feature request: TACACS+ integration

david klein root at nachtmaus.us
Wed Aug 25 12:21:22 UTC 2010


On Wed, Aug 25, 2010 at 6:50 AM, John Dennis <jdennis at redhat.com> wrote:
> On 08/24/2010 11:22 PM, david klein wrote:
>>
>> Sorry to those who have already seen this; I posted to the wrong
>> mailing list (the -interest mailing list instead of the -users list).
>>
>> As an NMS engineer, I have a use for integrated TACACS+ with a unified
>> identity solution, so that the same account name and password can
>> grant access for managing network infrastructure devices as well as
>> UNIX and Linux servers, and so that network rights can be assigned and
>> delegated through the same GUI as systems rights.
>>
>> There is an open source TACACS+ service called "tac_plus", which used
>> to be maintained by Cisco, and which is now maintained by Shrubbery
>> Networks, Inc (http://www.shrubbery.net/tac_plus/). It appears that
>> under Shrubbery's guidance and development, the tac_plus daemon can
>> use LDAP by way of PAM to handle authentication, according to
>> http://www.shrubbery.net/tac_plus/PAM_guide.txt. At this point, only
>> authentication appears to have been externalized, but it does prove
>> the concept.
>>
>> How does Redhat currently measure the degree of interest in possible
>> features for inclusion in the FreeIPA/EnterpriseIPA product, and would
>> it be worthwhile to gather statements from other systems
>> administrators to help demonstrate the desirability and usefulness of
>> this feature request? This would be a very helpful capability, as it
>> would remove dependence on ACS, which is an expensive and complex (and
>> complicated) TACACS+ server.
>
> This is the first request I've seen for TACACS+ support. Since IPA is a
> unified identity solution at its core, it's not clear to me at the moment
> what advantage there would be to TACACS+ other than as emulating a TACACS+
> server for legacy and/or 3rd party products which depend on the TACACS+
> protocol. If one wants to set up a TACACS+ daemon there is a reasonable chance
> it could validate against IPA (more investigation would be needed) and this
> would give you something which provides the TACACS+ protocol but is backed by IPA
> and its management tools.
>
> We do have plans on our roadmap to support RADIUS which is often used as an
> alternative to TACACS+.
>
> But perhaps I haven't fully understood your request. So let me rephrase it
> and see if I have it correct. You want something on your network which
> speaks the TACACS+ protocol but whose identity management is backed by our
> IPA server. Is that correct?
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From both a network and a security point of view, TACACS+ is
considered preferable to RADIUS; among other benefits, it enciphers
the entire conversation, rather than just portions of it, and can
provide more fine-grained authorization than RADIUS. Most Cisco shops
I've encountered consider RADIUS to be an unacceptable solution for
AAA. Cisco considers use of TACACS+ a best practice for AAA.

What I am looking for is a device on the network which provides AAA
facilities to network infrastructure devices, and which allows
provisioning of network infrastructure credentials through the same
interface and at the same time as systems credentials, and which keeps
those credentials synchronized.

-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
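Added example (not from the post, tac_plus or FreeIPA): what the tac_plus-via-PAM wiring the post refers to looks like in practice. It is a constructed tac_plus.conf plus a PAM stack that hands the check to SSSD (which is what an IPA-enrolled host uses). Directive syntax follows tac_plus.conf(5) as I remember it; the PAM service name "tac_plus" and the DEFAULT-user "member" directive are assumptions, so check both against the man page of the version you build.

```text
# /etc/tac_plus.conf  (constructed example)
key = "shared-secret"          # per-device shared key; the same value goes on each router/switch

# Authentication is delegated: every login is verified through PAM, never a local password.
user = DEFAULT {
    login = PAM
    member = netadmin          # assumed: DEFAULT accepting group membership
}

# Authorization still lives in this file. tac_plus has no hook to pull
# per-user command rights out of the directory, which is the
# "only authentication has been externalized" limitation in the post.
group = netadmin {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal
    }
}

# /etc/pam.d/tac_plus  (constructed example; service name assumed)
auth     required   pam_sss.so
account  required   pam_sss.so
```

With pam_sss in the stack, the account phase is where IPA gets a say in who may reach the network gear: SSSD evaluates IPA HBAC rules against the PAM service name, so an HBAC service named to match the daemon's service name (here assumed to be tac_plus) and a rule granting it to the network-admin group is what turns "can authenticate" into "is allowed to log in to routers". Who may run which commands once logged in still has to be maintained in tac_plus.conf.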
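Added example (not code from the post, tac_plus or FreeIPA) showing what "enciphers the entire conversation" means on the wire. It builds a TACACS+ PAP authentication START and frames it per RFC 8907: the 12-byte header (version, type, sequence, flags, session id, length) is always sent in the clear, and the body is XORed with a pseudo-pad of chained MD5 digests over the session id, shared key, version and sequence number, which the RFC itself calls obfuscation rather than encryption. It also models the failure mode a practitioner should test for: a device or server configured with no key sets the TAC_PLUS_UNENCRYPTED_FLAG and sends the password as-is. The key, session id and user/password values are constructed sample inputs.

```python
"""TACACS+ framing per RFC 8907: cleartext header, MD5-XOR obfuscated body."""
import hashlib
import struct
from typing import Optional, Tuple

HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, never obfuscated

TAC_PLUS_VER_PAP = 0xC1                # major 0xC, minor 1 (minor 1 is required for PAP)
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # set when no key is configured

# Authentication START fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 digests (RFC 8907 section 4.5), truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, port: str = "tty0",
                       rem_addr: str = "10.0.0.5", priv_lvl: int = 1) -> bytes:
    """PAP authentication START: the password is carried in the data field."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)])
    return fixed + u + p + r + d


def parse_authen_start(body: bytes) -> dict:
    """Decode the fixed fields and the four length-prefixed variable fields."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def build_packet(body: bytes, session_id: int, seq_no: int = 1,
                 key: Optional[bytes] = b"shared-secret",
                 version: int = TAC_PLUS_VER_PAP, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Frame a body. key=None models a peer with no key: body goes out in the clear."""
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire = body
    else:
        wire = xor_body(body, key, session_id, version, seq_no)
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + wire


def parse_packet(packet: bytes, key: Optional[bytes]) -> Tuple[dict, bytes]:
    """Split the cleartext header from the body and recover the body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    wire = packet[HEADER_LEN:HEADER_LEN + length]
    if len(wire) != length:
        raise ValueError("truncated packet")
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header, wire            # nothing to undo: credentials crossed the wire as-is
    if key is None:
        raise ValueError("obfuscated body but no key configured")
    return header, xor_body(wire, key, session_id, version, seq_no)


if __name__ == "__main__":
    KEY = b"shared-secret"             # constructed sample key
    SESSION = 0x1A2B3C4D               # constructed sample session id
    start = build_authen_start("dklein", "hunter2")
    pkt = build_packet(start, SESSION, key=KEY)
    hdr, body = parse_packet(pkt, KEY)
    print("header (cleartext):", hdr)
    print("password visible on wire with key:", b"hunter2" in pkt)
    print("recovered user:", parse_authen_start(body)["user"])
    clear = build_packet(start, SESSION, key=None)
    print("password visible on wire without key:", b"hunter2" in clear)
```

Two things to take from running it: the header leaks session structure (packet type, sequence, session id) even when a key is set, and the body protection is only as strong as a shared static key mixed through MD5 with a 32-bit session id, so the usual advice of putting TACACS+ traffic on a management network or inside a tunnel still applies. The no-key branch is worth keeping in a lab test because a device that falls back to the unencrypted flag is a silent downgrade you will only notice in a capture.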
