Why don't you just use RADIUS? I wrote a TACACS server for dial-up connections early in 1996 ... switched to RADIUS around year 2000.
It would be cool if TACACS/TACACS+ were supported in the next ROS version. Is it planned in ROSv6/ROSv7 or not?
Isn't that a protocol that RADIUS was/is based on?
Your whole answer, though, is based on TACACS+, which is a later creation than RADIUS. However, DIAMETER is even newer and addresses many drawbacks of RADIUS and is compatible with RADIUS.
Wow... A bit surprised to see a MikroTik employee asking this sort of question.
Snip from http://www.tacacs.net/docs/TACACS_Advantages.pdf
The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization. Though this may seem like a small detail, it makes a world of difference when implementing administrator AAA in a
RADIUS can include privilege information in the authentication reply; however, it can only provide the privilege level, which means different things to different vendors. Because there is no standard between vendor implementations of RADIUS authorization, each vendor’s attributes often conflict, resulting in inconsistent results. Even if this information were consistent, the administrator would still need to manage the privilege level for commands on each device. This will quickly become unmanageable.

RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged in at any one time, there is no way to tell from the RADIUS logs which administrator entered which commands.
TACACS+ is far better than RADIUS if you need more than a simple 'Oh yep, that user account is allowed'
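To make the accounting point above concrete, here is a small added Python example (not from this thread or the tacacs.net document) that runs the same question, "who ran the command at time T?", over constructed RADIUS session records and constructed TACACS+ command records; the usernames, session ids and RouterOS-style commands are made up.

```python
# Added example: attributing a command to an administrator from accounting logs.
# RADIUS only has Start/Interim/Stop per session, so when two admin sessions
# overlap the best we can do is list every admin who was logged in at that time.
# TACACS+ command accounting names the user on every command record.
from datetime import datetime

# Constructed RADIUS accounting records (no per-command records exist).
RADIUS_ACCT = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "A1", "Timestamp": "2024-05-01T10:00:00"},
    {"Acct-Status-Type": "Start", "User-Name": "bob",   "Acct-Session-Id": "B1", "Timestamp": "2024-05-01T10:05:00"},
    {"Acct-Status-Type": "Stop",  "User-Name": "alice", "Acct-Session-Id": "A1", "Timestamp": "2024-05-01T10:20:00"},
    # bob's session has no Stop yet: treated as still open (only interim records so far).
]

# Constructed TACACS+ command accounting records: one record per command, with the user.
TACACS_ACCT = [
    {"user": "alice", "timestamp": "2024-05-01T10:03:00", "cmd": "/ip route print"},
    {"user": "bob",   "timestamp": "2024-05-01T10:10:00", "cmd": "/ip firewall filter disable 3"},
]

def _t(s):
    return datetime.fromisoformat(s)

def radius_sessions(records):
    """Pair Start/Stop by Acct-Session-Id into (user, start, stop-or-None)."""
    open_sessions, closed = {}, []
    for r in records:
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Start":
            open_sessions[sid] = (r["User-Name"], _t(r["Timestamp"]))
        elif r["Acct-Status-Type"] == "Stop" and sid in open_sessions:
            user, start = open_sessions.pop(sid)
            closed.append((user, start, _t(r["Timestamp"])))
    # Sessions without a Stop are still open (stop=None).
    return closed + [(u, s, None) for u, s in open_sessions.values()]

def radius_candidates(records, when):
    """Admins whose session covered `when`; more than one name means ambiguous."""
    t = _t(when)
    return sorted({u for u, s, e in radius_sessions(records)
                   if s <= t and (e is None or t <= e)})

def tacacs_command_user(records, when):
    """Users named on TACACS+ command records at `when` (normally exactly one)."""
    t = _t(when)
    return sorted({r["user"] for r in records if _t(r["timestamp"]) == t})

if __name__ == "__main__":
    for when in ("2024-05-01T10:03:00", "2024-05-01T10:10:00"):
        print(when, "RADIUS:", radius_candidates(RADIUS_ACCT, when),
              "TACACS+:", tacacs_command_user(TACACS_ACCT, when))
```

At 10:03 only alice's session is open, so RADIUS attribution is unambiguous; at 10:10 both sessions overlap and RADIUS can only say "alice or bob", while the TACACS+ record names bob.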
Why not just set your one local admin account to have an impossible IP address restriction, and then you've still got console-level access should your connectivity to TACACS go fubar...?
At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current RADIUS is functional, it just doesn't disable local accounts.