> On 9 Jan 2017, at 20:18, Mahesh Jethanandani <[email protected]> wrote:
>
>> On Jan 9, 2017, at 4:16 AM, Balazs Lengyel <[email protected]> wrote:
>>
>> Hello,
>>
>> We already have a radius model part in ietf-system; but are there any plans
>> to develop a TACACS+ model for YANG?
>>
>> How widely is TACACS+ used for remote authorization/accounting?

einarnn> Quite widely. It is more capable than RADIUS for this task, and most used where traceability and auditing are key requirements.

>> As an outsider I would guess that remote authorization could really slow
>> down processing e.g. a big CLI script.

einarnn> Yes. When it was humans typing at routers and switches it was not such a big deal, but with the rise of screen scraping as a substitute for the now-more-common model-based APIs, I have seen instances of customers bringing both network devices and TACACS servers to their knees when command authorisation is enabled.

Cheers,

Einar

> Of the customers that I am interacting with, both use TACACS+ for
> authorization and accounting. My take is that there would be a requirement for
> NETCONF to be able to interact with the server.
>
> One way to deal with authorization is for the server to download the
> authorization rules and do local authorization instead of sending all the
> requests to the server, which as you point out would otherwise slow
> authorization down.
>
> A related question is, if NACM is used to set up rules for authorization, and
> there is a remote AAA server configured, are the rules for the NETCONF server
> to store and manage or are they for the AAA server? If the latter, what is
> the communication channel between them?
>
> Thanks.
>
> Mahesh Jethanandani
> [email protected]
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
