Using RADIUS as a sub for TACACS+

[icecream-guy]

Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.

I think MS ISE will support TACACS+

Dain Bramage

[wintermute000]

Fundamentally though this is a limitation in IOS - doesn't help 'in reality' but its really IOS's inability to do RBAC based on RADIUS than any fundamental limitation on RADIUS itself.

Exhibit A: Any NGFW, you can do RBAC roles, assign to different logins / profiles, and then auth them via any bloody protocol you want.

On the open source side, tac_plus is quite common esp. in ISP / service provider land. I'm not sure of the exact feature-set comparison vs ISE.

Speaking tactically (hahahaha) though this is the last of your $VENDOR worries IMO, the big C will always be there because their switches carry the same logo, end of story. Your best chance is a big SD-Access push that inevitably turns into a dumpster fire, and then they end up hating ISE because of the golden rule of NAC - any NAC is painful, so if ISE is their first encounter, they will hate it by default. lol

MS don't care, they're trying to take AD DS out the back and shoot it, like they would care about TACACS. LDAP/RADIUS/TACACS/kerberos etc. is old school and busted in cloud, its SAML/OIDC or GTFO, any use-cases that aren't neatly covered can go jump lol.
I am laughing now imagining a bunch of offshored CCNA's trying to configure SAML on a router (yeah I know its web based, but its still funny).


Also, since we're doing $VENDOR talk, I'll just leave this here (before you get worked up, this is not a NAC, its an identity server)
Administration Guide | FortiAuthenticator 6.4.1 | Fortinet Documentation Library

[deanwebb]

Very good points about SAML - and I'll make a point that even RBAC is being talked about as something that needs to give way in favor of ABAC. You start with RBAC (role-based) and then graduated to ABAC (attribute-based).