Christopher,

I will not speak for OP, but I have in my career dealt with contractual requirements, government mandates, and other silliness. I once worked on an emergency where a salesperson had sold a 25-year contract on a tech stack and we had to show that updating the cryptography was an allowable change with 19 years left on the contract.

TL;DR; 5) we have a requirement carved in marble in the lobby

On Tue, Feb 17, 2026 at 1:12 PM Christopher Morrow via NANOG <nanog@lists.nanog.org> wrote:
Can I ask a possibly leading question: "Why do you want to use tacacs in the first place?"
Possible answers are:
1) we have always been at war with elbonia, so we continue to be at war with elbonia
2) we like 1 central place to manage access / authorization and we desire the collection of accounting type data so we know when Foo did Bar to Baz.
3) we like that when Foo leaves our orbit we can disable Foo's access 'instantly', in one place.
4) we don't have a method to manage config updates to every single relevant device in a time period which our mgmt/security-folks believe is ok for when Foo leaves our orbit.
You can enable tacacs-accounting only on most network OSs (not junos, darn!), and you can do ssh-key authentication (or cert auth, on most now?), you'd be having to sacrifice the timeline between: 'Foo leaves' and 'all devices updated to remove Foo's account'. Also, you'd want to be in a situation where you weren't trying to manage O(1000) users on any of these platforms. (I know you can shovel ~7k users on an arista of current flavor, and a juniper of same flavor... the initial commit time is 'stupendous' though :) - do not try this on a ciscoXR device was my recollection)
You can also set some relatively clear authorization config on devices for read-only-ish or read-write account privileges, on cisco/arista/juniper...
anyway, why do you want to use tacacs? (for authorization and authentication)
On Wed, Feb 11, 2026 at 12:37 PM Andrew Latham via NANOG <nanog@lists.nanog.org> wrote:
Untested but I also see:
A. https://github.com/salesforce/tacrust
B. https://github.com/SaschaSchwarzK/tacacs_server
I think B looks interesting
On Tue, Feb 10, 2026 at 8:08 AM Drew Weaver via NANOG <nanog@lists.nanog.org> wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you,
-Drew
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX...
-- - Andrew "lathama" Latham -