TACACS+: The Good and the Bad

The good news is that the 3.0.1 release of the WiKID Strong Authentication server has improved support for TACACS+. You can now create a file in /opt/WiKID/private called tacacs.local, and its contents will be included in the tacacs.conf file, allowing finer-grained control of permissions and other settings.

The bad news is that the pam_stack module we used in the past for using TACACS+ with PAM has been deprecated in favor of include. Unfortunately, I don't think the PAM TACACS+ code has been updated. Hopefully, I'll get a chance to try it again soon. In the meantime, if anyone has any thoughts, please let me know.

I have mixed feelings about TACACS+. It is a Cisco proprietary protocol and as such is less widely supported than RADIUS, so our implementation is a bit of a hack. We could only find one open source implementation, and it's not in Java, the WiKID server's language. As a result, we have to write the one-time passcodes to tacacs.conf; the OTPs are time-bound but not one-time use. However, one prospect (now customer) at a German bank said we had the best TACACS+ server he had seen on the 'net. With his help, it's getting better too.
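To make that limitation concrete, here is an added illustration (not WiKID's code nor that of any TACACS+ server; the entry format, user names, passcodes and expiry times are all constructed for the example) contrasting a validator that only checks the time window, which accepts the same passcode repeatedly until it expires, with one that also records consumed passcodes so each is honoured once:

```python
"""Hypothetical model of passcodes written to a config file with an expiry.

Time-bound only: the passcode is accepted any number of times before expiry.
One-time use: the passcode is additionally consumed on first successful use.
This is an illustration, not the real tacacs.conf format or WiKID behaviour.
"""
import hmac

# Constructed sample entries: "<user> <passcode> <expiry as Unix time>".
# The line format is invented for this example.
SAMPLE_ENTRIES = """\
# user  passcode  expiry
alice   48213907  1700000300
bob     91827364  1700000120
"""


def parse_entries(text):
    """Parse the constructed entry format into {user: (passcode, expiry)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, code, expiry = line.split()
        entries[user] = (code, int(expiry))
    return entries


class TimeBoundValidator:
    """Accepts a passcode as often as presented until its expiry time."""

    def __init__(self, entries):
        self.entries = entries

    def validate(self, user, code, now):
        rec = self.entries.get(user)
        if rec is None:
            return False
        stored, expiry = rec
        # Constant-time comparison so timing does not leak the stored value.
        return hmac.compare_digest(stored, code) and now < expiry


class OneTimeValidator(TimeBoundValidator):
    """Same window check, but each (user, passcode) is consumed on first success."""

    def __init__(self, entries):
        super().__init__(entries)
        self.consumed = set()

    def validate(self, user, code, now):
        if (user, code) in self.consumed:
            return False  # replay within the window is rejected
        ok = super().validate(user, code, now)
        if ok:
            self.consumed.add((user, code))
        return ok


def demo():
    """Present alice's passcode twice inside the window, then after expiry."""
    entries = parse_entries(SAMPLE_ENTRIES)
    tb = TimeBoundValidator(entries)
    ot = OneTimeValidator(entries)
    attempts = [1700000000, 1700000100, 1700000400]
    return {
        "time_bound": [tb.validate("alice", "48213907", t) for t in attempts],
        "one_time": [ot.validate("alice", "48213907", t) for t in attempts],
    }


if __name__ == "__main__":
    print(demo())
```

The time-bound validator returns True for both presentations inside the window, which is exactly the exposure of keeping passcodes in a file until they expire; the one-time validator accepts the first and rejects the second. In a real deployment the consumed set would have to persist across server restarts and be shared between any replicas that read the same file.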
