
TACACS+ Support
Closed, Resolved | Public | Feature Request

Description

Centralized AAA support for system level administration is vital for broader acceptance, which ought to result in greater participation, contributorship, and resources. The absence of Triple-A is a showstopper, introducing tremendous administrative overhead, while falling short on concepts such as "least privilege," accountability, and auditability.

In a brief discussion on freenode yesterday, while looking for information about whether RADIUS was supported, there were questions about architectural choices that had yet to be made - such as how to handle home directories for TACACS or RADIUS authenticated system administrators. My response was:

  • If the goal is "router appliance," then no - there's no need for home directories.

If there are other architectural discussion points that need resolution before work can be started on TACACS+ and/or RADIUS support, I'm happy to participate in that discussion. When and where? I can't contribute code, but I'm happy to contribute time, and my 26+ years of networking experience.

This task is the result of a post/tweet I wrote yesterday, and a follow up to a comment left by Yuriy.

Details

Version: 1.2
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

Welcome @whiskeyalpharomeo!
No code required (but of course welcomed if any).
After all, this project is not only about the code!
I like to think that it is about giving access to advanced networking to everyone out there!
Since it's not like 10 years ago; now technology (hardware) is more accessible.

Hi, I'm new and found my way here via WAR's blog post.
Big +1 for TACACS+ support.
I manage a bunch of Cisco routers and now have half a dozen or so VyOS routers in the mix too. I need to grant junior admins rights to these while limiting their ability to break stuff, and I currently use TACACS+ for this with the Cisco routers we manage. I would love to do the same for the growing fleet of VyOS virtual routers.

@whiskeyalpharomeo pointed to
https://github.com/jeroennijhof/pam_tacplus
I talked with @dmbaturin and it looks like via PAM we can perform at least something basic.
@dmbaturin can you comment more?
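
An illustrative PAM stanza for the pam_tacplus approach pointed to above, added here as an example; it is not taken from this task or from the VyOS project. It assumes the module is installed as pam_tacplus.so on the PAM module search path, a TACACS+ server at 192.0.2.10 (a documentation address) sharing the placeholder secret CHANGE_ME, and that the option names (server=, secret=, service=, protocol=, timeout=) match the upstream README; the service=shell and protocol=ssh strings are assumed values that must match what the TACACS+ server is configured to authorize.

```text
# /etc/pam.d/sshd fragment (constructed example): try TACACS+ first, then local accounts.

# Authentication: ask the TACACS+ server. "sufficient" means a TACACS+ success ends the
# stack; a failure, or an unreachable server (bounded by timeout=), falls through to pam_unix
# so an emergency local account still works when the AAA server is down.
auth     sufficient  pam_tacplus.so  server=192.0.2.10 secret=CHANGE_ME timeout=5
auth     required    pam_unix.so

# Authorization: the TACACS+ server decides whether this user may open a shell at all.
# service= and protocol= are the attributes the server policy matches on (assumed values).
account  sufficient  pam_tacplus.so  server=192.0.2.10 secret=CHANGE_ME service=shell protocol=ssh
account  required    pam_unix.so

# Accounting: session start/stop records give the per-user audit trail the task asks for.
# "optional" so a lost accounting record never blocks an otherwise valid login.
session  optional    pam_tacplus.so  server=192.0.2.10 secret=CHANGE_ME service=shell protocol=ssh
session  required    pam_unix.so
```

Two practical checks before relying on this: the file carries the shared secret, so it must stay readable by root only, and the local fallback is what the task's "least privilege" goal hinges on, because only a small break-glass account should remain in pam_unix once TACACS+ carries the day-to-day admin logins.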

syncer subscribed.

So now that RADIUS is ready, can we just repeat the same for TACACS+ on a basic level?
For now, only the same as for RADIUS.

syncer changed the subtype of this task from "Task" to "Feature Request". Oct 19 2018, 9:14 AM
dmbaturin set Version to 1.2.
dmbaturin set Is it a breaking change? to Perfectly compatible.

I'm curious. I did a little research on TACACS+, and I'm not sure what you want the certification service to do for you? SSH certification, or?

syncer changed the edit policy from "Custom Policy" to "Custom Policy".
syncer added a subscriber: UnicronNL.
c-po changed the task status from Open to Needs testing. Jun 22 2023, 8:38 PM
c-po set Issue type to Unspecified (please specify).