Using RADIUS as a sub for TACACS+

Started by config t, January 08, 2022, 11:12:37 AM


config t

Is RADIUS for AAA network endpoint administration a deprecated best practice? Isn't it part of the reason TACACS came about in the first place?

One of my customers appears to not have a solution at all, I think they are still doing SSH with local accounts.
:matrix:

Please don't mistake my experience for intelligence.

icecream-guy

Quote from: config t on January 08, 2022, 11:12:37 AM
Is RADIUS for AAA network endpoint administration a deprecated best practice? Isn't it part of the reason TACACS came about in the first place?

One of my customers appears to not have a solution at all, I think they are still doing SSH with local accounts.

yea RADIUS is BAD, need to move to TACACS+ where you can create granular rules rather than "all or nothing" rules via RADIUS
:professorcat:

My Moral Fibers have been cut.

deanwebb

And my God have mercy on the firm that uses all local accounts, for the auditor will have none.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

config t

I was able to talk them off the ledge by mentioning the RADIUS solution they were looking at explicitly uses PAP. My $VENDOR REALLY needs to implement a TACACS+ solution. Especially if we are calling ourselves a NAC product.

Quote from: deanwebb on January 10, 2022, 07:50:29 AM
And my God have mercy on the firm that uses all local accounts, for the auditor will have none.

You have an idea of the customer I am dealing with. Are you surprised they are using local accounts? I shouldn't be but I still am. They never cease to amaze me.
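The PAP concern config t raises above comes down to how RADIUS carries a PAP password on the wire. The following is an added example, not code from anyone in this thread: a Python implementation of the RFC 2865 section 5.2 User-Password hiding that a NAS applies before sending a PAP password, and the reverse step the server performs. The shared secret, Request Authenticator and password are constructed test values. It shows that the "protection" is a per-block XOR with MD5(secret || previous block), so anyone who holds the NAS shared secret recovers the cleartext and there is no integrity protection, which is why a RADIUS deployment that only offers PAP is treated as weak unless the transport itself is protected (for example RadSec, RFC 6614, or a dedicated management network).

```python
"""Added example (not from the thread): RFC 2865 section 5.2 User-Password
hiding as used when a NAS authenticates a PAP login against RADIUS.
Secret, authenticator and password below are constructed test values."""
import hashlib

BLOCK = 16  # MD5 digest size and the block size RFC 2865 uses


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 bytes. Each block is XORed
    with MD5(secret || previous ciphertext block); the first "previous block"
    is the 16-byte Request Authenticator from the Access-Request header.
    There is no key other than the shared secret and no integrity tag.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += chunk
        prev = chunk  # chaining uses the ciphertext block, not the plaintext
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding. This is what the RADIUS server does on receipt;
    it needs nothing beyond the shared secret and the Request Authenticator."""
    if len(encoded) == 0 or len(encoded) % BLOCK:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = encoded[i:i + BLOCK]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    # Padding is NUL bytes; PAP passwords never contain NUL, so strip them.
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Round-trip a constructed password: the secret holder recovers it,
    a party with the wrong secret gets noise."""
    secret = b"constructed-shared-secret"        # constructed value
    authenticator = bytes(range(16))             # constructed; a real NAS uses random bytes
    password = b"hunter2-not-multiple-of-16"     # constructed, 26 bytes -> padded to 32
    hidden = encode_user_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "recovered": decode_user_password(hidden, secret, authenticator),
        "wrong_secret": decode_user_password(hidden, b"wrong-secret", authenticator),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary whose `recovered` entry equals the constructed password while `wrong_secret` does not; the only thing standing between an observer of the Access-Request and the cleartext is the shared secret, so secret strength and transport protection carry the whole weight.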

deanwebb

I've been wanting $VENDOR to have a TACACS+ feature since 2014...

config t

:zomgwtfbbq:

^^ My reaction when I found out we don't

deanwebb

Yeah, it basically leaves the door wide open for $COMPETITOR who *has* a NAC product that does TACACS+ ever since ACS went EOL. Pretty much guarantees that they'll be onsite all the time, every time.

config t

I'm losing count of how many times I've heard from a customer that $COMPETITOR is too expensive and the only reason they still have it is because of TACACS+.

Otanx

That expense is why we run the old-school shrubbery tac_plus daemon. I am not going to pay stupid money just to get central authentication.

-Otanx

config t

At first I thought you made a thinly veiled Monty Python reference until I looked it up and yep that's a real thing. I like it.

"It's not a question of where he grips it, it's a question of weight ratios. A 5 oz bird can not carry a 1 pound coconut."  :XD:

Otanx

Quote from: config t on January 25, 2022, 07:13:12 PM
At first I thought you made a thinly veiled Monty Python reference until I looked it up and yep that's a real thing. I like it.

"It's not a question of where he grips it, it's a question of weight ratios. A 5 oz bird can not carry a 1 pound coconut."  :XD:

Ha. I actually never realized that, and I like Monty Python. It is just a really old, very stable, tac_plus daemon. Not a lot of features, but it works. The only things I wish we could do are nested groups, or putting users in more than one group. It would be nice, but not nice enough to pay for it.

-Otanx
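As an added illustration (this is not Otanx's configuration, and the key, group and user names are constructed placeholders), here is what a shrubbery tac_plus configuration looks like when it expresses the "granular rules" icecream-guy contrasts with RADIUS's all-or-nothing privilege level: a read-only helpdesk group that can run `show` but not `enable` or `configure`, beside a full-admin group. It also shows the one-group-per-user shape Otanx describes. Authentication is delegated to PAM, which assumes tac_plus was built with PAM support.

```text
# Added example, not the daemon's shipped config or Otanx's.
# Shared secret, group names and user names are constructed placeholders.

key = "CHANGE-ME-shared-secret"
accounting file = /var/log/tac_plus.acct

# Full administrators: everything permitted, exec shell at privilege 15.
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Helpdesk: deny by default, then allow "show" (minus the running config)
# and explicitly refuse enable/configure. Argument patterns are regexes
# checked in order; the first match wins. A RADIUS privilege-level attribute
# cannot express this per-command policy.
group = helpdesk {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        deny running-config
        permit .*
    }
    cmd = enable {
        deny .*
    }
    cmd = configure {
        deny .*
    }
}

# Each user is a member of exactly one group (the limitation Otanx notes).
# login = PAM hands password checking to the host's PAM stack.
user = alice {
    member = netadmin
    login = PAM
}

user = bob {
    member = helpdesk
    login = PAM
}
```

Because every command authorization and every session is written to the accounting file, this also gives the per-command audit trail that local accounts and RADIUS exec-only authorization do not.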

deanwebb

Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.

icecream-guy

Quote from: deanwebb on January 26, 2022, 08:16:24 AM
Now, if *Microsoft* did TACACS+, that would blow just about everyone else away.

I think MS ISE will support TACACS+

Does ISE support TACACS?
One of the main advantages of ISE is its rich capability to integrate with a whole range of external ID stores that provide authentication and authorization support natively or using RADIUS/TACACS+.

How do I configure ISE TACACS?
Configure TACACS Profile
Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles.
Click Add to create a new TACACS Profile.
Specify the Profile name as Helpdesk_User.
Specify the Default Privilege as 1.
Specify the Maximum Privilege as 15.
Click Save.

deanwebb

But that's Cisco ISE running on an MSFT platform. I'm talking about TACACS+ being integrated with AD.

Otanx

Quote from: deanwebb on January 26, 2022, 10:30:58 AM
But that's Cisco ISE running on an MSFT platform. I'm talking about TACACS+ being integrated with AD.

They should add it to the NPS role. I would probably stick to my tac_plus daemon, but people would use it.

-Otanx