[Freeipa-users] Feature request: TACACS+ integration

James Roman james.roman at ssaihq.com
Wed Aug 25 15:22:22 UTC 2010 

>>
>>  From both a network and a security point of view, TACACS+ is
>> considered preferable to RADIUS; among other benefits, it enciphers
>> the entire conversation, rather than just portions of it, and can
>> provide more fine-grain authorization than RADIUS. Most Cisco shops
>> I've encountered consider RADIUS to be an unacceptable solution for
>> AAA. Cisco considers use of TACACS+ a best practice for AAA.
>>
>> What I am looking for is a device on the network which provides AAA
>> facilities to network infrastructure devices, and which allows
>> provisioning of network infrastructure credentials through the same
>> interface and at the same time as systems credentials, and which keeps
>> those credentials synchronized.
>>
>
> O.K. fair enough. However TACACS is not on our roadmap. If you can 
> demonstrate strong need by enterprise customers for TACACS it would be 
> taken into consideration for a future version of the product.
>
> The more practical solution which may be available to you would be to 
> avail yourself of the PAM integration in the tac_plus project (but to 
> be honest I don't see how that would give you any of the sophisticated 
> features you cite as being a prime motivator for utilization of 
> TACACS). FreeIPA is an open source project and from what you say so is 
> tac_plus. I would imagine patches would be welcomed by both projects 
> which would allow the tac_plus daemon to utilize IPA as it's back end. 
> We would be happy to answer any questions for the person(s) who wanted 
> to undertake this and contribute their work.
>
 From what I can see it looks like the missing piece would be the 
ability to look up tac_plus user->group assignments from the FreeIPA/389 
LDAP server. It looks like tac_plus has ""integrated"" the 
authentication with LDAP via PAM, but not the authorization. When 
building an authentication solution for network devices with FreeIPA, 
providing authentication via TACACS+ would be secondary, since you could 
have your Cisco device directly authenticate the user against FreeIPA 
using Kerberos. TACACS+ primary benefit is in the granular control of 
Authorization to network device services. If you can get tac_plus to 
reference an LDAP server for group membership, then you might have a 
reasonable solution. You would still need to assign the group's network 
permissions in the tac_plus configuration file, but that would be done 
once. Once the group access was defined, you could assign LDAP users to 
groups that match what's in the tac_plus config file.

This really requires the tac_plus team to code direct LDAP integration 
into their application similar to the way Freeradius can rely on an LDAP 
server as a back-end. The local PAM stack was not really intended to be 
a service that can be farmed out for other systems to use. It was meant 
as a way to provide access to local services running on that system. To 
use PAM for group membership (I.E. through the pam_listfile ACL) would 
require a separate tac_plus daemon and PAM configuration for each 
network device.

More information about the Freeipa-users mailing list