Can I ask a possibly leading question: "Why do you want to use tacacs in the first place?"
Possible answers are: 1) we have always been at war with elbonia, so we continue to be at war with elbonia 2) we like 1 central place to manage access / authorization and we desire the collection of accounting type data so we know when Foo did Bar to Baz. 3) we like that when Foo leaves our orbit we can disable Foo's access 'instantly', in one place. 4) we don't have a method to manage config updates to every single relevant device in a timeperiod which our mgmt/security-folks believe is ok for when Foo leaves our orbit. You can enable tacacs-accounting only on most network OSs (not junos, darn!), and you can do ssh-key authentication (or cert auth, on most now?), you'd be having to sacrifice the timeline between: 'Foo leaves' and 'all devices updated to remove Foo's account'. Also, you'd want to be in a situation where you weren't trying to manage O(1000) users on any of these platforms. (I know you can shovel ~7k users on an arista of current flavor, and a juniper of same flavor... the initial commit time is 'stupendous' though :) - do not try this on a ciscoXR device was my recollection) You can also set some relatively clear authorization config on devices for read-only-ish or read-write account priveleges, on cisco/arista/juniper... anyway, why do you want to use tacacs? (for authorization and authentication) On Wed, Feb 11, 2026 at 12:37 PM Andrew Latham via NANOG <[email protected]> wrote: > > Untested but I also see: > > A. https://github.com/salesforce/tacrust > B. https://github.com/SaschaSchwarzK/tacacs_server > > I think B looks interesting > > On Tue, Feb 10, 2026 at 8:08 AM Drew Weaver via NANOG > <[email protected]> wrote: > > > > Howdy. > > > > I imagine that this is an issue that has come up before but I am having an > > issue finding how anyone else handled it. (Unless everyone is still running > > tac_plus on RHEL7) > > > > I'm trying to migrate some tac plus instances to a new Linux distro that > > apparently doesn't support tcp_wrappers and I'm having trouble both > > compiling it and making an RPM for it. > > > > I've tried both the original https://www.shrubbery.net/tac_plus/ and the > > now sadly abandoned Facebook version https://github.com/facebook/tac_plus > > > > If there is another tacacs+ solution everyone has moved to that I am > > unaware of please enlighten me. > > > > Thank you, > > -Drew > > > > > > > > _______________________________________________ > > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/REGURCJX4QAEZOEORGRO7TLFKTY36QPW/ > > > > -- > - Andrew "lathama" Latham - > _______________________________________________ > NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/MJTTEZIHC7EN66A4QQUB7QGFPNCJPX7A/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/EVU26ZR5Q6B6NFIQCPMDNGG7FWPDPI7E/
