Howdy. I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7) I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it. I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me. Thank you, -Drew
Tue, Feb 10, 2026 at 03:07:47PM +0000, Drew Weaver via NANOG:
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
Sorry, please be more specific. You have a problem compiling with tcp_wrap or without?
I have seen / heard good things about https://github.com/christian-becker/tac_plus-ng but of course no personal experience. Alpine linux with Docker. From: Drew Weaver via NANOG <nanog@lists.nanog.org> Date: Tuesday, 10 February 2026 at 8:38 PM To: 'North American Network Operators Group' <nanog@lists.nanog.org> Cc: Drew Weaver <drew.weaver@thenap.com> Subject: What are you guys doing for tacacs+ in 2026? Howdy. I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7) I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it. I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me. Thank you, -Drew _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX...
tcp_ wrappers is pretty dated. Maybe move to using iptables/netfilter? In terms of newer software for TACACS+, Tacquito is decent: https://github.com/facebookincubator/tacquito Cheers, jof On Tue, Feb 10, 2026 at 07:08 Drew Weaver via NANOG <nanog@lists.nanog.org> wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you, -Drew
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX...
no idea what people use. But FreeRADIUS supports tacacs+ in v4: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/sites-avai... Bjørn
Marc Huber's tac_plus-ng from https://projects.pro-bono-publico.de/event-driven-servers/ but it's a manual installation process (not difficult really). There was a commit just two days ago and I see evidence of near continuous development. The shrubbery version still has Python 2 dependencies and was removed from Debian 12 and derivatives with the Python 2 sunset. I imagine that's also an issue with RHEL. On 2/10/26 08:07, Drew Weaver via NANOG wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you, -Drew
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX...
-- Mike Lewinski Network Operations Director Massive Networks mlewinski@massivenetworks.com +1-303-800-1300 x.860
I’m not using tcp_wrappers I was just trying to build something that needed it but I think I already figured it out by looking through the rpm spec. Thanks, -Drew From: Jonathan Lassoff <jof@thejof.com> Sent: Tuesday, February 10, 2026 10:19 AM To: North American Network Operators Group <nanog@lists.nanog.org> Cc: Drew Weaver <drew.weaver@thenap.com> Subject: Re: What are you guys doing for tacacs+ in 2026? tcp_ wrappers is pretty dated. Maybe move to using iptables/netfilter? In terms of newer software for TACACS+, Tacquito is decent: https://github.com/facebookincubator/tacquito<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_facebookincubator_tacquito&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=90gkWo7kVvejNfQmbLf_nFPFontgjwZKPouPX5uiacioaXD-_bMHfdM33Lcqw__U&s=ybBxdKkTMKSgZ2NISFsLGJr0XjF6IDw8GhDlqAKs-TE&e=> Cheers, jof On Tue, Feb 10, 2026 at 07:08 Drew Weaver via NANOG <nanog@lists.nanog.org<mailto:nanog@lists.nanog.org>> wrote: Howdy. I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7) I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it. I've tried both the original https://www.shrubbery.net/tac_plus/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.shrubbery.net_tac-5Fplus_&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=90gkWo7kVvejNfQmbLf_nFPFontgjwZKPouPX5uiacioaXD-_bMHfdM33Lcqw__U&s=CUPi5Wn7hd7zYDhi1qioan7i57kWReHINdlM0ucfY88&e=> and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_facebook_tac-5Fplus&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=90gkWo7kVvejNfQmbLf_nFPFontgjwZKPouPX5uiacioaXD-_bMHfdM33Lcqw__U&s=WJ8j1UZ8sWNBISASDX1LY9ARye35p7KTb2R6taHMQPg&e=> If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me. Thank you, -Drew _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX4QAEZOEORGRO7TLFKTY36QPW/<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.nanog.org_archives_list_nanog-40lists.nanog.org_message_REGURCJX4QAEZOEORGRO7TLFKTY36QPW_&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=90gkWo7kVvejNfQmbLf_nFPFontgjwZKPouPX5uiacioaXD-_bMHfdM33Lcqw__U&s=fL7ogmT5d3L0djXXI3eqTQn9o83WqARlxY3wkq4iEi0&e=>
On Tue, 10 Feb 2026 at 17:08, Drew Weaver via NANOG <nanog@lists.nanog.org> wrote:
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
I've bought radiator (radius, diameter, tacacs+) twice and both shops were very happy with it. That was when it was still the original shop, it has since been acquired and rewritten from perl to rust, and I have no personal experience on that timeline as my current employer doesn't use it. https://radiatorsoftware.com/products/radiator/ -- ++ytti
hey,
+1 for radiator, happily using this (the perl version) for both tacacs and radius for many-many years. -- tarko
Yeap +2 to Radiator. Running perfectly with Tacacs. On Wed, 11 Feb 2026 at 03:39, Tarko Tikan via NANOG <nanog@lists.nanog.org> wrote:
hey,
+1 for radiator, happily using this (the perl version) for both tacacs and radius for many-many years.
-- tarko _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/44RRTNYM...
Hi Drew, I'll answer in private to not reincinerate the OS wars. We're running tac_plus, and have been since... forever. We have not painted ourselves into a corner by using Linux, though. FreeBSD has a still-maintained package which works well; it needs a restart every two months or so, but is happy otherwise. I know this won't help you much, except maybe to think a bit outside the Linux box. Cheers, Elmar. nanog@lists.nanog.org (Drew Weaver via NANOG) wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you, -Drew
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/REGURCJX...
Yeah, well, turns out I'm too stupid to check recipients before sending. Please let's not start an OS war... Elmar. nanog@lists.nanog.org (Elmar K. Bins via NANOG) wrote:
Hi Drew, I'll answer in private to not reincinerate the OS wars. We're running tac_plus, and have been since... forever. We have not painted ourselves into a corner by using Linux, though. FreeBSD has a still-maintained package which works well; it needs a restart every two months or so, but is happy otherwise.
I know this won't help you much, except maybe to think a bit outside the Linux box.
Cheers, Elmar.
nanog@lists.nanog.org (Drew Weaver via NANOG) wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you, -Drew
You are making a big ask Elmar, by your absolutely wild rationale, hope it'll pay out :) On Wed, 11 Feb 2026 at 10:08, Elmar K. Bins via NANOG <nanog@lists.nanog.org> wrote:
Yeah, well, turns out I'm too stupid to check recipients before sending. Please let's not start an OS war...
Elmar.
nanog@lists.nanog.org (Elmar K. Bins via NANOG) wrote:
Hi Drew, I'll answer in private to not reincinerate the OS wars. We're running tac_plus, and have been since... forever. We have not painted ourselves into a corner by using Linux, though. FreeBSD has a still-maintained package which works well; it needs a restart every two months or so, but is happy otherwise.
I know this won't help you much, except maybe to think a bit outside the Linux box.
Cheers, Elmar.
nanog@lists.nanog.org (Drew Weaver via NANOG) wrote:
Howdy.
I imagine that this is an issue that has come up before but I am having an issue finding how anyone else handled it. (Unless everyone is still running tac_plus on RHEL7)
I'm trying to migrate some tac plus instances to a new Linux distro that apparently doesn't support tcp_wrappers and I'm having trouble both compiling it and making an RPM for it.
I've tried both the original https://www.shrubbery.net/tac_plus/ and the now sadly abandoned Facebook version https://github.com/facebook/tac_plus
If there is another tacacs+ solution everyone has moved to that I am unaware of please enlighten me.
Thank you, -Drew
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/H4EIWLBD...
-- ++ytti
participants (10)
-
Bjørn Mork -
Drew Weaver -
Drikus Brits -
Elmar K. Bins -
heasley -
Jonathan Lassoff -
Mike Lewinski -
Saku Ytti -
Suresh Ramasubramanian -
Tarko Tikan