On Feb 12, 2016, at 1:32 PM, Warren Kumari <[email protected]> wrote:
> ... *I* find it much simpler -- and, seeing as lots of network operators 
> choose TACACS+ for their network device authentication, I suspect that others 
> do too.

  i.e. people find a TACACS+ daemon easier to deploy, because they choose 
TACACS+ as a protocol, because the features they need are only implemented in 
TACACS+

  I don't see that one follows from the other.

> We've used FreeRADIUS and it works -- I think I've even submitted a patch or 
> two (sometime around the IETF meeting in Beijing). It does *many* things, and 
> does them well -- but sometimes you don't really need a tool that does many 
> things, you just want something simple and easy.

  We're getting off-topic here... but people use that particular tool for 
non-standard uses because they find it easier to install and deploy than other 
tools.  And because it has features that other tools don't have.

  So I'm entirely sympathetic to the argument that TACACS+ has features RADIUS 
doesn't have.  I still have many, many concerns about it.

> This isn't (and doesn't need to be turned into) RADIUS versus TACACS+ -- lots 
> of people use TACACS+ (for whatever reason), and having it documented seems 
> (to me) like a good idea.
> Telling people that they are wrong for wanting to use a tool *that they have 
> chosen to use* seems unhelpful.

  As I've argued, they don't have a choice.  The vendors made the choice for 
them, via proprietary protocol and functionality lock-in.  Claiming "free 
choice" is just... odd.

  I'm not telling people they're wrong, please don't make this argument a 
personal one.

  I'm happy for them to use TACACS+.  I'm happy to see the protocol documented 
as an informational RFC.

  I'm *not* happy with pretty much everything else around the subject.

  Alan DeKok.

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
