Is RADIUS for AAA network endpoint administration a deprecated best practice? Isn't it part of the reason TACACS came about in the first place?
One of my customers appears to not have a solution at all, I think they are still doing SSH with local accounts.
Quote from: config t on January 08, 2022, 11:12:37 AM
Is RADIUS for AAA network endpoint administration a deprecated best practice? Isn't it part of the reason TACACS came about in the first place?
One of my customers appears to not have a solution at all, I think they are still doing SSH with local accounts.
Yeah, RADIUS is BAD; you need to move to TACACS+, where you can create granular rules rather than the "all or nothing" rules you get via RADIUS.
And my God have mercy on the firm that uses all local accounts, for the auditor will have none.
I was able to talk them off the ledge by mentioning the RADIUS solution they were looking at explicitly uses PAP. My $VENDOR REALLY needs to implement a TACACS+ solution. Especially if we are calling ourselves a NAC product.
Quote from: deanwebb on January 10, 2022, 07:50:29 AM
And my God have mercy on the firm that uses all local accounts, for the auditor will have none.
You have an idea of the customer I am dealing with. Are you surprised they are using local accounts? I shouldn't be, but I still am. They never cease to amaze me.
I've been wanting $VENDOR to have a TACACS+ feature since 2014...
:zomgwtfbbq:
^^ My reaction when I found out we don't
Yeah, it basically leaves the door wide open for $COMPETITOR who *has* a NAC product that does TACACS+ ever since ACS went EOL. Pretty much guarantees that they'll be onsite all the time, every time.
I'm losing count of how many times I've heard from a customer that $COMPETITOR is too expensive and the only reason they still have it is TACACS+.
That expense is why we run the old-school Shrubbery tac_plus daemon. I am not going to pay stupid money just to get central authentication.
-Otanx
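For readers who have not seen what the "granular rules" mentioned earlier in the thread look like in practice, here is an added example of a Shrubbery tac_plus configuration. It is not Otanx's config and not taken from the page; the key, group names, user names and the PAM build assumption are made up for illustration. The point it shows is per-command authorization: the helpdesk group gets an exec shell at privilege 1 and an explicit allow-list of commands, while everything not listed is denied by the daemon on each command the device asks about.

```text
# /etc/tac_plus.conf (added example, hypothetical values throughout)

# Shared key between the daemon and the network devices. TACACS+ obfuscates the
# packet body with an MD5 keystream derived from this key, so keep the daemon on
# a management network rather than treating the key as strong encryption.
key = "replace-me-with-a-long-random-string"

# Per-command accounting log; this is what the auditor asks for.
accounting file = /var/log/tac_plus.acct

# Full administrators: every service and command permitted, exec at level 15.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Helpdesk: read-only. This is the granularity RADIUS on IOS cannot give you;
# with RADIUS the device only consumes shell:priv-lvl at login and never asks
# again, so the choice is effectively "level 1" or "level 15" for the session.
group = helpdesk {
    # Anything not explicitly permitted below is denied per command.
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    # Explicit deny for clarity even though default service = deny covers it.
    cmd = enable {
        deny .*
    }
}

# Users are members of exactly one group (the single-group limitation Otanx
# mentions). login = PAM assumes a tac_plus built with --with-pam; otherwise
# use login = des "<crypt(3) hash>" or login = file <passwd-style file>.
user = alice {
    login = PAM
    member = netadmins
}

user = bob {
    login = PAM
    member = helpdesk
}
```

On the device side this only works if the switch or router is told to ask the daemon per command, for example on Cisco IOS with `aaa authorization commands 1 default group tacacs+ local` and `aaa authorization commands 15 default group tacacs+ local` (plus `aaa accounting commands 15 default start-stop group tacacs+` for the audit trail). Keep a single local break-glass account with a strong secret as the `local` fallback so a dead daemon does not lock you out of the box; that is a very different thing from running every login on local accounts.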
At first I thought you made a thinly veiled Monty Python reference until I looked it up and yep that's a real thing. I like it.
"It's not a question of where he grips it, it's a question of weight ratios. A 5 oz bird can not carry a 1 pound coconut." :XD:
Quote from: config t on January 25, 2022, 07:13:12 PM
At first I thought you made a thinly veiled Monty Python reference until I looked it up and yep that's a real thing. I like it.
"It's not a question of where he grips it, it's a question of weight ratios. A 5 oz bird can not carry a 1 pound coconut." :XD:
Ha. I actually never realized that, and I like Monty Python. It is just a really old, very stable tac_plus daemon. Not a lot of features, but it works. The only things I wish we could do are nested groups, or putting users in more than one group. It would be nice, but not nice enough to pay for it.
-Otanx
Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.
Quote from: deanwebb on January 26, 2022, 08:16:24 AM
Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.
I think MS ISE will support TACACS+
Does ISE support TACACS?
One of the main advantages of ISE is its rich capability to integrate with a whole range of external ID stores that provide authentication and authorization support natively or using RADIUS/TACACS+.
How do I configure ISE TACACS?
Configure TACACS Profile
Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles.
Click Add to create a new TACACS Profile.
Specify the Profile name as Helpdesk_User.
Specify the Default Privilege as 1.
Specify the Maximum Privilege as 15.
Click Save.
But that's Cisco ISE running on an MSFT platform. I'm talking about TACACS+ being integrated with AD.
Quote from: deanwebb on January 26, 2022, 10:30:58 AM
But that's Cisco ISE running on an MSFT platform. I'm talking about TACACS+ being integrated with AD.
They should add it to the NPS role. I would probably stick to my tac_plus daemon, but people would use it.
-Otanx
Quote from: icecream-guy on January 26, 2022, 09:10:34 AM
Quote from: deanwebb on January 26, 2022, 08:16:24 AM
Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.
I think MS ISE will support TACACS+
Dain Bramage
Fundamentally, though, this is a limitation in IOS. It doesn't help 'in reality', but it's really IOS's inability to do RBAC based on RADIUS rather than any fundamental limitation of RADIUS itself.
Exhibit A: any NGFW. You can define RBAC roles, assign them to different logins/profiles, and then auth them via any bloody protocol you want.
On the open source side, tac_plus is quite common, especially in ISP/service provider land. I'm not sure of the exact feature-set comparison vs. ISE.
Speaking tactically (hahahaha), though, this is the last of your $VENDOR worries IMO; the big C will always be there because their switches carry the same logo, end of story. Your best chance is a big SD-Access push that inevitably turns into a dumpster fire, and then they end up hating ISE because of the golden rule of NAC: any NAC is painful, so if ISE is their first encounter, they will hate it by default. lol
MS don't care; they're trying to take AD DS out the back and shoot it, like they would care about TACACS. LDAP/RADIUS/TACACS/Kerberos etc. are old school and busted in cloud; it's SAML/OIDC or GTFO, and any use cases that aren't neatly covered can go jump lol.
I am laughing now imagining a bunch of offshored CCNAs trying to configure SAML on a router (yeah, I know it's web-based, but it's still funny).
Also, since we're doing $VENDOR talk, I'll just leave this here (before you get worked up, this is not a NAC, it's an identity server):
Administration Guide | FortiAuthenticator 6.4.1 | Fortinet Documentation Library (https://docs.fortinet.com/document/fortiauthenticator/6.4.1/administration-guide/791531/tacacs-service)
Very good points about SAML. And I'll make a point that even RBAC is being talked about as something that needs to give way in favor of ABAC. You start with RBAC (role-based) and then graduate to ABAC (attribute-based).