
Feature Request: TACACS/TACACS+

Posted: Tue Dec 20, 2016 9:05 am
by grigoryx
It would be cool if TACACS/TACACS+ would be supported in the next ROS version. Is it planned in ROSv6/ROSv7 or not?

Re: Feature Request: TACACS/TACACS+

Posted: Tue Dec 20, 2016 11:15 am
by janisk
Isn't that a protocol that RADIUS was/is based on?

Re: Feature Request: TACACS/TACACS+

Posted: Tue Dec 20, 2016 12:46 pm
by paoloaga
It would be cool if TACACS/TACACS+ would be supported in the next ROS version. Is it planned in ROSv6/ROSv7 or not?
Why don't you just use RADIUS? I wrote a TACACS server for dial-up connections early in 1996 ... switched to RADIUS around year 2000.

Re: Feature Request: TACACS/TACACS+

Posted: Fri Dec 23, 2016 7:25 am
by agfjpcs
Isn't that a protocol that RADIUS was/is based on?

Wow.... Bit surprised to see a MikroTik employee asking this sort of question

Snip from http://www.tacacs.net/docs/TACACS_Advantages.pdf


The primary functional difference between RADIUS and
TACACS+ is that TACACS+ separates out the Authorization
functionality, where RADIUS combines both Authentication and
Authorization. Though this may seem like a small detail, it makes
a world of difference when implementing administrator AAA in a
network environment.

RADIUS can include privilege information in the authentication reply; however, it can only provide the
privilege level, which means different things to different vendors. Because there is no standard between
vendor implementations of RADIUS authorization, each vendor’s attributes often conflict, resulting in
inconsistent results. Even if this information were consistent, the administrator would still need to manage the
privilege level for commands on each device. This will quickly become unmanageable.
RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim
records of that session. This means that if there are two or more administrators logged at any one time, there
is no way to tell from the RADIUS logs which administrator entered which commands.



TACACS+ is far better than RADIUS if you need more than a simple 'Oh yep, that user account is allowed'
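
Per-command authorization as described in the quoted PDF, shown in an added example that is not part of the original post or the PDF: it packs and parses a TACACS+ authorization REQUEST body (field layout from RFC 8907) and decides each command against a per-user policy. The policy, user names, port and address are constructed for illustration.

```python
import struct

# Constructed policy for illustration: user -> permitted command prefixes.
POLICY = {"operator": ["show", "ping"], "netadmin": [""]}

def build_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Pack an authorization REQUEST body as laid out in RFC 8907."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    # authen_method=TACACSPLUS(0x06), authen_type=ASCII(0x01), authen_service=LOGIN(0x01)
    head = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a))
    return head + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_author_request(body):
    """Return (user, [args]); reject bodies whose length fields disagree."""
    if len(body) < 8:
        raise ValueError("body shorter than fixed fields")
    _, _, _, _, ulen, plen, rlen, argc = struct.unpack_from("!8B", body)
    arg_lens = list(body[8:8 + argc])
    pos = 8 + argc
    if len(arg_lens) != argc or len(body) != pos + ulen + plen + rlen + sum(arg_lens):
        raise ValueError("length fields do not match body size")
    user = body[pos:pos + ulen].decode()
    pos += ulen + plen + rlen  # port and rem_addr are skipped here
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return user, args

def authorize(body):
    """Decide one command; unknown users and unmatched commands fail closed."""
    user, args = parse_author_request(body)
    words = [a.split("=", 1)[1] for a in args if a.startswith(("cmd=", "cmd-arg="))]
    command = " ".join(words)
    for prefix in POLICY.get(user, []):
        if prefix == "" or command == prefix or command.startswith(prefix + " "):
            return user, command, "PASS_ADD"
    return user, command, "FAIL"
```

Because the device sends one such request per command, the server's decision log also ties every command to a user name.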

Re: Feature Request: TACACS/TACACS+

Posted: Fri Dec 23, 2016 10:51 am
by barkas
Tacacs is the proper solution for network device user management.

I would very much like to have that, too.

Re: Feature Request: TACACS/TACACS+

Posted: Wed Dec 28, 2016 10:01 am
by janisk
Isn't that a protocol that RADIUS was/is based on?

Wow.... Bit surprised to see a MikroTik employee asking this sort of question

Snip from http://www.tacacs.net/docs/TACACS_Advantages.pdf


The primary functional difference between RADIUS and
TACACS+ is that TACACS+ separates out the Authorization
functionality, where RADIUS combines both Authentication and
Authorization. Though this may seem like a small detail, it makes
a world of difference when implementing administrator AAA in a
network environment.

RADIUS can include privilege information in the authentication reply; however, it can only provide the
privilege level, which means different things to different vendors. Because there is no standard between
vendor implementations of RADIUS authorization, each vendor’s attributes often conflict, resulting in
inconsistent results. Even if this information were consistent, the administrator would still need to manage the
privilege level for commands on each device. This will quickly become unmanageable.
RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim
records of that session. This means that if there are two or more administrators logged at any one time, there
is no way to tell from the RADIUS logs which administrator entered which commands.



TACACS+ is far better than RADIUS if you need more than a simple 'Oh yep, that user account is allowed'
While your whole answer is based on TACACS+, that is a later creation than RADIUS. However, DIAMETER is even newer, addresses many drawbacks of RADIUS, and is compatible with RADIUS.

And on an off note, I am sure you know what sarcasm is.

Re: Feature Request: TACACS/TACACS+

Posted: Mon Apr 24, 2017 11:53 pm
by TheIPGuy
RADIUS has its place, however, I think we can agree from a network administration perspective TACACS+ does have some nice features. One such feature is extremely granular centralized command authorization based on user permissions assigned by the server. Also, TACACS was ported to Linux, although a bit roughly, via tac_plus. RADIUS user authentication for management purposes is nice if you want read-only or read/write access only, but is lacking when more granular control is required. Let's please keep a constructive dialog going on this issue as RADIUS and TACACS were intended for different purposes fundamentally. Sarcasm from a MikroTik employee to mock a contributor on a valid point is childish.


+1 for TACACS support

Re: Feature Request: TACACS/TACACS+

Posted: Thu Jul 20, 2017 3:05 pm
by bruins0437
+1 for TACACS/TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Mon Jul 31, 2017 3:11 am
by tricksol
+1 for TACACS/TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Mon Aug 07, 2017 3:54 pm
by eric101
+1 for tacacs+ support, I think this would make a lot of people happy.

Re: Feature Request: TACACS/TACACS+

Posted: Wed Aug 23, 2017 10:57 am
by gidoos
+1 for this. Will definitely be a big plus point for big networks.

Re: Feature Request: TACACS/TACACS+

Posted: Mon Sep 18, 2017 5:48 pm
by YourWordIsTruth
+1 for TACACS+ support, many companies don't consider your product, if you will, "Enterprise Grade", without TACACS+ support and frankly with security being the #1 issue in the enterprise TACACS+ is needed to not only secure a multitude of devices in complex networks, but also to provide auditing trails of admin usage when those pesky auditors come around yearly/quarterly :-)

Re: Feature Request: TACACS/TACACS+

Posted: Sun Oct 22, 2017 1:06 am
by branto
+1 for this request. TACACS+ also encrypts the communications channel between client and server; RADIUS does not.
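
The channel protection TACACS+ defines is the body obfuscation in RFC 8907: the packet body is XORed with an MD5-derived pad keyed by the shared secret, while the 12-byte header stays in clear. The following is an added example, not part of the original post, that implements that pad and a check of the header flag a defender would look at; the key, session id and body bytes are constructed.

```python
import hashlib
import struct

UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG in the header flags byte

def parse_header(header):
    """Split the 12-byte header, which is never obfuscated."""
    if len(header) != 12:
        raise ValueError("TACACS+ header is exactly 12 bytes")
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, struct.unpack("!BBBBII", header)))

def pseudo_pad(hdr, key, length):
    """MD5 chain over session_id, key, version, seq_no and the previous block."""
    seed = struct.pack("!I", hdr["session_id"]) + key + bytes([hdr["version"], hdr["seq_no"]])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def obfuscate(header, body, key):
    """XOR the body with the pad; applying it twice restores the body."""
    hdr = parse_header(header)
    if hdr["length"] != len(body):
        raise ValueError("header length does not match body")
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))

def body_is_obfuscated(header):
    """Defender check: a set UNENCRYPTED flag means the body travels in clear."""
    return not parse_header(header)["flags"] & UNENCRYPTED_FLAG

# Constructed sample: opaque body bytes, shared key and session id (not a capture).
KEY = b"constructed-shared-secret"
BODY = b"user=operator cmd=show ip route"
HEADER = struct.pack("!BBBBII", 0xC0, 0x03, 1, 0x00, 0x1A2B3C4D, len(BODY))

if __name__ == "__main__":
    wire = obfuscate(HEADER, BODY, KEY)
    print(parse_header(HEADER), wire.hex(), obfuscate(HEADER, wire, KEY))
```

The pad provides confidentiality of the body only and no integrity check, which is why RFC 8907 recommends running TACACS+ over a protected transport.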

Re: Feature Request: TACACS/TACACS+

Posted: Mon Oct 23, 2017 1:38 am
by idlemind
I wonder if IPSec could be used to secure the RADIUS traffic between endpoints and an auth server. This would only cover the encryption side of the discussion not the feature differences.

Re: Feature Request: TACACS/TACACS+

Posted: Fri May 25, 2018 12:43 pm
by tonny
+1 for TACACS/TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Fri May 25, 2018 1:26 pm
by mlenhart
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Fri May 25, 2018 11:50 pm
by networkfudge
+ 1

Re: Feature Request: TACACS/TACACS+

Posted: Fri Aug 31, 2018 3:25 pm
by sep
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Fri Aug 31, 2018 3:30 pm
by IPANetEngineer
I would like to see TACACS+ support as well. Being able to restrict the commands that a user can execute is incredibly important.

Especially with all of the attacks against MikroTik devices - it provides another layer of protection in addition to the firewall if a lower level user account is compromised.

Re: Feature Request: TACACS/TACACS+

Posted: Fri Aug 31, 2018 3:56 pm
by Dude2048
+1 Tacacs

Re: Feature Request: TACACS/TACACS+

Posted: Mon Sep 03, 2018 7:42 pm
by TheCiscoGuy
At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current RADIUS is functional, it just doesn't disable local accounts.

Re: Feature Request: TACACS/TACACS+

Posted: Mon Sep 03, 2018 8:31 pm
by maznu
At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current RADIUS is functional, it just doesn't disable local accounts.
Why not just set your one local admin account to have an impossible IP address restriction, and then you've still got console-level access should your connectivity to TACACS go fubar...?

Re: Feature Request: TACACS/TACACS+

Posted: Tue Sep 18, 2018 4:51 pm
by caiot5
+1 for TACACS+ support.

Re: Feature Request: TACACS/TACACS+

Posted: Tue Sep 18, 2018 6:06 pm
by alessio79
+1 for TACACS+

Re: Feature Request: TACACS/TACACS+

Posted: Mon Oct 08, 2018 9:32 pm
by mAineAc
+1 on tacacs+ support.

Re: Feature Request: TACACS/TACACS+

Posted: Fri Nov 02, 2018 1:27 pm
by Faceless
+1 for TACACS+

Re: Feature Request: TACACS/TACACS+

Posted: Mon Nov 05, 2018 12:59 pm
by nz_monkey
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Fri Jan 11, 2019 7:54 pm
by around
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Fri Jan 11, 2019 7:59 pm
by around
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Mon Jan 14, 2019 5:00 pm
by leoeletronics
+1 TACACS

Re: Feature Request: TACACS/TACACS+

Posted: Thu Jan 17, 2019 12:54 pm
by Kampfwurst
+1 TACACS

Re: Feature Request: TACACS/TACACS+

Posted: Sat Mar 02, 2019 8:49 pm
by Cha0s
+1 for TACACS+ support

Re: Feature Request: TACACS/TACACS+

Posted: Sun Mar 03, 2019 10:44 am
by Jotne
As long as Router OS does not log all commands run by who, I would also ask for TACACS support.

Re: Feature Request: TACACS/TACACS+

Posted: Sat Mar 09, 2019 3:50 pm
by nimbo78
As long as Router OS does not log all commands run by who I would also ask for TACACS support.
that's why +1 for TACACS+

Re: Feature Request: TACACS/TACACS+

Posted: Tue Apr 02, 2019 8:11 am
by TaBo
+1 for TACACS+

Re: Feature Request: TACACS/TACACS+

Posted: Sun Apr 07, 2019 10:32 pm
by mutinsa
+1.