Would it be possible to add some text about troubleshooting TACACS+ when TLS is enabled? More exactly, add a reminder that TLS keylog https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/ is a better option than:
- trying to enable NULL encryption (authentication and integrity only) ciphers for TLSv1.3 (see RFC 9150, supported by WolfSSL and OpenSSL 3.4); or
- switching to non-TLS TACACS+ connections just because of troubleshooting.

Any of the above alternatives would likely require configuration changes on the TACACS+ server and client side which may affect more connections than necessary. After the troubleshooting is done, any changes to TLS settings would also need to be reverted. This may be easy to forget, leaving the system in an insecure state.

The reason why debugging is done may also relate to the TLS handshake itself, in which case any changes to TLS settings may make the debugging effort useless. I.e., the attempt to observe the system changes the system behaviour.

To provide some background, I work on AAA software named Radiator that has supported TACACS+ for 20+ years. From what we see, Wireshark, as an example, is often used to debug TACACS+. It's well-known, supports TACACS+ well and, very importantly, provides a neutral third party view of what's going on between the client and server. Because Wireshark also supports TLS keylog, it will likely continue to be a very important tool when TACACS+ runs over TLS.

Thanks to authors working on this! Please excuse me for being a bit late for the party.

--
Heikki Vatiainen
h...@radiatorsoftware.com
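The keylog approach the post recommends, shown as an added example that is not part of the original message and is not Radiator's code: the script below parses the SSLKEYLOGFILE format from draft-ietf-tls-keylogfile (one `LABEL client_random secret` line per secret, `#` comments allowed), reports per TLS session which secrets are present and whether application data (the TACACS+ packets) would be decryptable from them, and shows how a client can emit such a file through Python's standard `ssl.SSLContext.keylog_filename` attribute (Python 3.8+ built against OpenSSL 1.1.1 or later) without any change to the server, the cipher suites, or the use of TLS. The keylog contents, the client-random values and all function names are constructed for this example; Wireshark reads the same file via its TLS protocol preference "(Pre)-Master-Secret log filename".

```python
"""Inspect a TLS keylog file and create a keylog-writing client context.

Added example, not from the original post. Sample data below is constructed.
"""
import re
import ssl
from collections import defaultdict

# LABEL, 32-byte client_random (64 hex chars), secret (hex), space separated.
KEYLOG_LINE = re.compile(r"^([A-Z][A-Z0-9_]*) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# TLS 1.2 and earlier log one master secret per session under CLIENT_RANDOM.
TLS12_LABEL = "CLIENT_RANDOM"
# TLS 1.3 logs separate secrets; these two unlock application data.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

# Constructed client_random values for three sessions (not real randoms).
CR_TLS13 = "01234567" * 8      # healthy TLS 1.3 session
CR_TLS12 = "89abcdef" * 8      # healthy TLS 1.2 session
CR_FAILED = "deadbeef" * 8     # TLS 1.3 handshake that never completed

# Constructed keylog text; secrets are filler bytes, never real key material.
SAMPLE_KEYLOG = f"""\
# constructed sample keylog, not from a real capture
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'11' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'22' * 32}
CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'33' * 32}
SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {'44' * 32}
EXPORTER_SECRET {CR_TLS13} {'55' * 32}
CLIENT_RANDOM {CR_TLS12} {'66' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_FAILED} {'77' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_FAILED} {'88' * 32}
garbage line such as a truncated write might leave behind
"""


def parse_keylog(text):
    """Return (records, bad_lines). Blank lines and '#' comments are skipped;
    lines that do not match the format are reported with their line number."""
    records, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEYLOG_LINE.match(line)
        if not match:
            bad_lines.append((lineno, raw))
            continue
        label, client_random, secret_hex = match.groups()
        records.append({
            "label": label,
            "client_random": client_random.lower(),
            "secret": bytes.fromhex(secret_hex),
        })
    return records, bad_lines


def labels_by_session(records):
    """Group the logged labels by client_random, i.e. by TLS session."""
    sessions = defaultdict(set)
    for rec in records:
        sessions[rec["client_random"]].add(rec["label"])
    return dict(sessions)


def application_data_decryptable(labels):
    """True when a dissector holding these secrets can decrypt the
    application data: the TLS 1.2 master secret, or both TLS 1.3
    application traffic secrets. Handshake-only secrets (a failed or
    aborted handshake) are not enough."""
    return TLS12_LABEL in labels or TLS13_APP_LABELS <= labels


def session_report(text):
    """Per-session summary of a keylog: protocol generation, labels seen,
    and whether TACACS+ application data would be decryptable."""
    records, _bad = parse_keylog(text)
    report = {}
    for client_random, labels in labels_by_session(records).items():
        report[client_random] = {
            "version": "TLS 1.2" if TLS12_LABEL in labels else "TLS 1.3",
            "labels": sorted(labels),
            "app_data_decryptable": application_data_decryptable(labels),
        }
    return report


def client_context_with_keylog(keylog_path, cafile=None):
    """Client-side context that appends every negotiated secret to
    keylog_path. Only the client process changes; server configuration,
    cipher suites and certificate validation stay as they are."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.keylog_filename = keylog_path   # stdlib attribute, OpenSSL >= 1.1.1
    return ctx


if __name__ == "__main__":
    import os
    import tempfile

    records, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(records)} secrets parsed, {len(bad)} malformed line(s): {bad}")
    for client_random, info in session_report(SAMPLE_KEYLOG).items():
        print(client_random[:16], info["version"], info["labels"],
              "decryptable" if info["app_data_decryptable"] else "handshake only")

    # Point a client context at a keylog file; secrets appear as connections
    # (e.g. to a TACACS+ server on tcp/49 over TLS) are made with this context.
    path = os.path.join(tempfile.gettempdir(), "tacacs-tls-keys.log")
    print("keylog will be written to", client_context_with_keylog(path).keylog_filename)
```

Two of the three constructed sessions are decryptable; the third logged only handshake traffic secrets, which is exactly what a keylog looks like when the handshake itself fails. That is the case the post singles out: the keylog still tells you how far the handshake got, whereas switching to NULL ciphers or plain TCP would change the very behaviour being investigated. Remember that the file holds live key material and should be treated like a private key, written only for the troubleshooting window and deleted afterwards.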