
TACACS: the good and the bad

The good news is that the 3.0.1 release of the WiKID Strong Authentication server has improved support for TACACS+. You can now create a file in /opt/WiKID/private called tacacs.local, and its contents will be included in the generated tacacs.conf file, allowing finer-grained control of permissions and similar settings.

The bad news is that the pam_stack module we used in the past for using TACACS+ with PAM has been deprecated in favor of include. Unfortunately, I don't think the PAM TACACS+ code has been updated. Hopefully, I'll get a chance to try it again soon. In the meantime, if anyone has any thoughts, please let me know.

I have mixed feelings about TACACS+. It is a Cisco proprietary protocol and as such is less widely supported than RADIUS. Thus, our implementation is a bit of a hack. We could only find one open source TACACS+ server, and it's not in Java, which is the WiKID server's language. As a result, we have to write the one-time passcodes to tacacs.conf: the OTPs are time-bound but not one-time use. However, one prospect (now customer) at a German bank said we had the best TACACS+ server he had seen on the 'net. With his help, it's getting better too.
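To make the "time-bound but not one-time use" caveat concrete, here is an added example (not WiKID's code) that models passcodes written to a config file with an expiry, then checked at login; the user name, the passcode and the 300-second lifetime are constructed values, and the `single_use` flag shows the extra bookkeeping a server needs to reject a second use of the same code inside its window.

```python
# Added example, not part of the WiKID server: models OTPs written to a
# config with an expiry and shows the difference between "time-bound"
# and "time-bound and single-use" checking.
import hmac
from dataclasses import dataclass, field


@dataclass
class OtpTable:
    ttl: int                     # seconds a written passcode stays valid
    single_use: bool = False     # False = the behaviour the post describes
    entries: dict = field(default_factory=dict)  # user -> (otp, expires_at)
    consumed: set = field(default_factory=set)   # (user, otp) already used

    def write(self, user: str, otp: str, now: int) -> None:
        """Equivalent of writing the user's current OTP into tacacs.conf."""
        self.entries[user] = (otp, now + self.ttl)

    def check(self, user: str, otp: str, now: int) -> bool:
        rec = self.entries.get(user)
        if rec is None or now > rec[1]:
            return False                        # unknown user or expired
        if not hmac.compare_digest(rec[0].encode(), otp.encode()):
            return False                        # wrong passcode
        if self.single_use:
            if (user, otp) in self.consumed:
                return False                    # second use inside the window
            self.consumed.add((user, otp))
        return True


def login_timeline(single_use: bool) -> list:
    """Constructed scenario: code issued at t=0 with a 300 s lifetime, first
    login at t=10, the same code presented again at t=60, a wrong code, and
    an attempt after expiry. Returns the accept/reject result of each."""
    table = OtpTable(ttl=300, single_use=single_use)
    table.write("alice", "48213907", now=0)       # constructed sample OTP
    return [
        table.check("alice", "48213907", now=10),   # first use
        table.check("alice", "48213907", now=60),   # same code again
        table.check("alice", "00000000", now=70),   # wrong code
        table.check("alice", "48213907", now=301),  # after expiry
    ]


if __name__ == "__main__":
    print("time-bound only:", login_timeline(False))  # [True, True, False, False]
    print("plus single-use:", login_timeline(True))   # [True, False, False, False]
```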
