On 08/25/2010 08:21 AM, david klein wrote:
On Wed, Aug 25, 2010 at 6:50 AM, John Dennis<jden...@redhat.com> wrote:
On 08/24/2010 11:22 PM, david klein wrote:
Sorry to those who have already seen this; I posted to the wrong
mailing list (the -interest mailing list instead of the -users list).
As an NMS engineer, I have a use for integrated TACACS+ with a unified
identity solution, so that the same account name and password can
grant access for managing network infrastructure devices as well as
UNIX and Linux servers, and so that network rights can be assigned and
delegated through the same GUI as systems rights.
There is an open source TACACS+ service called "tac_plus", which used
to be maintained by Cisco, and which is now maintained by Shrubbery
Networks, Inc (http://www.shrubbery.net/tac_plus/). It appears that
under Shrubbery's guidance and development, the tac_plus daemon can
use LDAP by way of PAM to handle authentication, according to
http://www.shrubbery.net/tac_plus/PAM_guide.txt. At this point, only
authentication appears to have been externalized, but it does prove
How does Red Hat currently measure the degree of interest in possible
features for inclusion in the FreeIPA/EnterpriseIPA product, and would
it be worthwhile to gather statements from other systems
administrators to help demonstrate the desirability and usefulness of
this feature request? This would be a very helpful capability, as it
would remove dependence on ACS, which is an expensive and complex (and
complicated) TACACS+ server.
This is the first request I've seen for TACACS support. Since IPA is a
unified identity solution at its core it's not clear to me at the moment
what advantage there would be to TACACS other than as emulating a TACACS
server for legacy and/or 3rd party products which depend on the TACACS
protocol. If one wants to set up a TACACS daemon there is a reasonable chance
it could validate against IPA (more investigation would be needed) and this
would give you something which provides the TACACS protocol but is backed by IPA
and its management tools.
We do have plans on our roadmap to support RADIUS which is often used as an
alternative to TACACS.
But perhaps I haven't fully understood your request. So let me rephrase it
and see if I have it correct. You want something on your network which
speaks the TACAS+ protocol but whose identity management is backed by our
IPA server. Is that correct?
From both a network and a security point of view, TACACS+ is
considered preferable to RADIUS; among other benefits, it enciphers
the entire conversation, rather than just portions of it, and can
provide more fine-grained authorization than RADIUS. Most Cisco shops
I've encountered consider RADIUS to be an unacceptable solution for
AAA. Cisco considers use of TACACS+ a best practice for AAA.
What I am looking for is a device on the network which provides AAA
facilities to network infrastructure devices, and which allows
provisioning of network infrastructure credentials through the same
interface and at the same time as systems credentials, and which keeps
those credentials synchronized.
O.K. fair enough. However TACACS is not on our roadmap. If you can
demonstrate strong need by enterprise customers for TACACS it would be
taken into consideration for a future version of the product.
The more practical solution which may be available to you would be to
avail yourself of the PAM integration in the tac_plus project (but to be
honest I don't see how that would give you any of the sophisticated
features you cite as being a prime motivator for utilization of TACACS).
FreeIPA is an open source project and from what you say so is tac_plus.
I would imagine patches would be welcomed by both projects which would
allow the tac_plus daemon to utilize IPA as its back end. We would be
happy to answer any questions for the person(s) who wanted to undertake
this and contribute their work.
John Dennis <jden...@redhat.com>
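For readers who want to try the PAM route John suggests, here is an added configuration example (not from the original thread, and not from either project's documentation) showing how the Shrubbery tac_plus daemon can be pointed at an IPA-joined host's PAM stack. It assumes tac_plus was built with PAM support, that the PAM service name is `tac_plus` (so the stack lives in `/etc/pam.d/tac_plus`), that the host is enrolled in IPA and runs SSSD (`pam_sss.so`), and that the shared key, group name and privilege level shown are placeholders; the directive names `login = PAM`, `pap = PAM`, `member`, `default service` and `service = exec { priv-lvl = ... }` are the ones documented in tac_plus.conf(5), but verify them against the version you install.

```text
# /etc/tac_plus.conf  (constructed example; key and group names are placeholders)

key = "change-me-shared-secret"        # must match "tacacs-server key" on the devices
accounting file = /var/log/tac_plus.acct

# Any user not listed explicitly falls through to DEFAULT: tac_plus hands the
# username/password to PAM, and PAM (via SSSD) checks them against IPA.
user = DEFAULT {
    login = PAM
    pap   = PAM
    member = netadmins
}

# Authorization still lives here, not in IPA: this is the limitation John
# points out. Every IPA user who can authenticate gets the same rights.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# /etc/pam.d/tac_plus  (constructed example; service name assumed from the PAM guide)
auth     required   pam_sss.so
account  required   pam_sss.so
```

To check the wiring before pointing a router at it, run the daemon in the foreground with debugging (`tac_plus -C /etc/tac_plus.conf -g -d 16` on recent Shrubbery releases) and watch for a PAM success or failure against an IPA account; if `account required pam_sss.so` is included, IPA HBAC rules for the `tac_plus` service name will also be enforced, which is the one piece of per-user control this setup can delegate to IPA without code changes.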
Freeipa-users mailing list