On Fri, Feb 12, 2016 at 11:51 AM Alan DeKok <[email protected]> wrote:
> On Feb 12, 2016, at 11:34 AM, Warren Kumari <[email protected]> wrote:
> > That is working on the assumption that the reason that operators are
> > using TACACS+ instead of RADIUS is /only/ because of this feature. In many
> > cases it is also because operators already have TACACS servers installed
> > and / or find TACACS+ *much* simpler to deploy and manage.
>
> Please suggest which operators use TACACS+ for general user
> authentication, roaming, etc.

Still no hats....

You are right -- I left out the important "for engineer authentication to network devices".

> I'm unaware of any TACACS+ roaming consortium. I'm aware of multiple
> RADIUS / Diameter roaming consortium.
>
> Please suggest *why* TACACS+ is simpler to deploy and manage than RADIUS
> servers.

I said that operators find it simpler to deploy and manage -- perhaps this is because it is what many operators are used to, or because it has fewer knobs and whistles.

> That statement is... surprising, to be polite. Installing and configuring
> a new networking daemon is a matter of a few minutes on any modern Unix
> distribution.

Having installed and run both RADIUS (mainly FreeRADIUS, but a little bit of Radiator), and having written a few TACACS servers and installed and run tac_plus for a number of large (and small) deployments, *I* find it much simpler -- and, seeing as lots of network operators choose TACACS+ for their network device authentication, I suspect that others do too.

> > RADIUS is a grand protocol - it has many bells and whistles and extra
> > functionality, but e.g: shrubbery's tac_plus is free, comes with many
> > distributions, and is dead simple to install and configure.
>
> So?
>
> As a biased person, FreeRADIUS is free, comes with *all* distributions,
> and is dead simple to install and configure. It's packaged with every
> single Unix distribution on the planet. It's shipped by essentially every
> network equipment manufacturer other than Cisco, Alcatel-Lucent, and
> Juniper as their embedded RADIUS solution. It supports all of the relevant
> RADIUS RFCs. It *alone* has probably 10x the install base of all of the
> TACACS+ servers, combined, world-wide.
>
> Simple "it's popular" is no argument. I say this as the author of the
> most popular RADIUS server on the planet.
>
> Heck, it supports DHCP, BFD, and we're working on Diameter support.

As part of the IETF NOC team - "Thanks!" We've used FreeRADIUS and it works -- I think I've even submitted a patch or two (sometime around the IETF meeting in Beijing).

It does *many* things, and does them well -- but sometimes you don't really need a tool that does many things, you just want something simple and easy.

This isn't (and doesn't need to be turned into) RADIUS versus TACACS+ -- lots of people use TACACS+ (for whatever reason), and having it documented seems (to me) like a good idea. Telling people that they are wrong for wanting to use a tool *that they have chosen to use* seems unhelpful.

> Again.. so?
>
> Alan DeKok.
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
