[Freeipa-users] Feature request: TACACS+ integration

John Dennis jdennis at redhat.com
Wed Aug 25 12:58:29 UTC 2010


On 08/25/2010 08:21 AM, david klein wrote:
> On Wed, Aug 25, 2010 at 6:50 AM, John Dennis<jdennis at redhat.com>  wrote:
>> On 08/24/2010 11:22 PM, david klein wrote:
>>>
>>> Sorry to those who have already seen this; I posted to the wrong
>>> mailing list (the -interest mailing list instead of the -users list).
>>>
>>> As an NMS engineer, I have a use for integrated TACACS+ with a unified
>>> identity solution, so that the same account name and password can
>>> grant access for managing network infrastructure devices as well as
>>> UNIX and Linux servers, and so that network rights can be assigned and
>>> delegated through the same GUI as systems rights.
>>>
>>> There is an open source TACACS+ service called "tac_plus", which used
>>> to be maintained by Cisco, and which is now maintained by Shrubbery
>>> Networks, Inc (http://www.shrubbery.net/tac_plus/). It appears that
>>> under Shrubbery's guidance and development, the tac_plus daemon can
>>> use LDAP by way of PAM to handle authentication, according to
>>> http://www.shrubbery.net/tac_plus/PAM_guide.txt. At this point, only
>>> authentication appears to have been externalized, but it does prove
>>> the concept.
>>>
>>> How does Redhat currently measure the degree of interest in possible
>>> features for inclusion in the FreeIPA/EnterpriseIPA product, and would
>>> it be worthwhile to gather statements from other systems
>>> administrators to help demonstrate the desirability and usefulness of
>>> this feature request? This would be a very helpful capability, as it
>>> would remove dependence on ACS, which is an expensive and complex (and
>>> complicated) TACACS+ server.
>>
>> This is the first request I've seen for TACACS support. Since IPA is a
>> unified identity solution at its core it's not clear to me at the moment
>> what advantage there would be to TACACS other than as emulating a TACACS
>> server for legacy and/or 3rd party products which depend on the TACACS
>> protocol. If one wants to set up a TACACS daemon there is a reasonable chance
>> it could validate against IPA (more investigation would be needed) and this
>> would give you something which provides the TACACS protocol but is backed by IPA
>> and its management tools.
>>
>> We do have plans on our roadmap to support RADIUS which is often used as an
>> alternative to TACACS.
>>
>> But perhaps I haven't fully understood your request. So let me rephrase it
>> and see if I have it correct. You want something on your network which
>> speaks the TACACS+ protocol but whose identity management is backed by our
>> IPA server. Is that correct?
>>
>> --
>> John Dennis<jdennis at redhat.com>
>>
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>
> From both a network and a security point of view, TACACS+ is
> considered preferable to RADIUS; among other benefits, it enciphers
> the entire conversation, rather than just portions of it, and can
> provide more fine-grained authorization than RADIUS. Most Cisco shops
> I've encountered consider RADIUS to be an unacceptable solution for
> AAA. Cisco considers use of TACACS+ a best practice for AAA.
>
> What I am looking for is a device on the network which provides AAA
> facilities to network infrastructure devices, and which allows
> provisioning of network infrastructure credentials through the same
> interface and at the same time as systems credentials, and which keeps
> those credentials synchronized.
>

O.K., fair enough. However, TACACS is not on our roadmap. If you can 
demonstrate strong need by enterprise customers for TACACS it would be 
taken into consideration for a future version of the product.

The more practical solution which may be available to you would be to 
avail yourself of the PAM integration in the tac_plus project (but to be 
honest I don't see how that would give you any of the sophisticated 
features you cite as being a prime motivator for utilization of TACACS). 
FreeIPA is an open source project and from what you say so is tac_plus. 
I would imagine patches would be welcomed by both projects which would 
allow the tac_plus daemon to utilize IPA as its back end. We would be 
happy to answer any questions for the person(s) who wanted to undertake 
this and contribute their work.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/