grigoryx
just joined
Topic Author
Posts: 1
Joined: Mon Dec 05, 2016 9:39 am

Feature Request: TACACS/TACACS+

Tue Dec 20, 2016 9:05 am

It would be cool if TACACS/TACACS+ would be supported in next ROS version. Is it planned in ROSv6/ROSv7 or not?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Feature Request: TACACS/TACACS+

Tue Dec 20, 2016 11:15 am

Isn't that a protocol that RADIUS was/is based on?
 
paoloaga
Member Candidate
Posts: 227
Joined: Tue Mar 08, 2011 2:52 am
Location: Lugano - Switzerland

Re: Feature Request: TACACS/TACACS+

Tue Dec 20, 2016 12:46 pm

It would be cool if TACACS/TACACS+ would be supported in next ROS version. Is it planned in ROSv6/ROSv7 or not?
Why don't you just use RADIUS? I wrote a TACACS server for dial-up connections early in 1996 ... switched to RADIUS around year 2000.
 
agfjpcs
newbie
Posts: 27
Joined: Mon Jul 04, 2016 6:36 am

Re: Feature Request: TACACS/TACACS+

Fri Dec 23, 2016 7:25 am

Isn't that a protocol that RADIUS was/is based on?

Wow.... Bit surprised to see a MikroTik employee asking this sort of question

Snip from http://www.tacacs.net/docs/TACACS_Advantages.pdf


The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization. Though this may seem like a small detail, it makes a world of difference when implementing administrator AAA in a network environment.

RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.

RADIUS can include privilege information in the authentication reply; however, it can only provide the privilege level, which means different things to different vendors. Because there is no standard between vendor implementations of RADIUS authorization, each vendor’s attributes often conflict, resulting in inconsistent results. Even if this information were consistent, the administrator would still need to manage the privilege level for commands on each device. This will quickly become unmanageable.

RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way to tell from the RADIUS logs which administrator entered which commands.



TACACS+ is far better than RADIUS if you need more than a simple 'Oh yep, that user account is allowed'
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Feature Request: TACACS/TACACS+

Fri Dec 23, 2016 10:51 am

Tacacs is the proper solution for network device user management.

I would very much like to have that, too.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Feature Request: TACACS/TACACS+

Wed Dec 28, 2016 10:01 am

Isn't that a protocol that RADIUS was/is based on?

Wow.... Bit surprised to see a MikroTik employee asking this sort of question

Snip from http://www.tacacs.net/docs/TACACS_Advantages.pdf


The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization. Though this may seem like a small detail, it makes a world of difference when implementing administrator AAA in a network environment.

RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.

RADIUS can include privilege information in the authentication reply; however, it can only provide the privilege level, which means different things to different vendors. Because there is no standard between vendor implementations of RADIUS authorization, each vendor’s attributes often conflict, resulting in inconsistent results. Even if this information were consistent, the administrator would still need to manage the privilege level for commands on each device. This will quickly become unmanageable.

RADIUS doesn’t log the commands used by the administrator. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way to tell from the RADIUS logs which administrator entered which commands.



TACACS+ is far better than RADIUS if you need more than a simple 'Oh yep, that user account is allowed'
While your whole answer is based on TACACS+, which is a later creation than RADIUS. However, DIAMETER is even newer, addresses many drawbacks of RADIUS, and is compatible with RADIUS.

And on an off note, I am sure you know what sarcasm is.
 
TheIPGuy
just joined
Posts: 4
Joined: Fri Apr 21, 2017 4:33 pm

Re: Feature Request: TACACS/TACACS+

Mon Apr 24, 2017 11:53 pm

RADIUS has its place; however, I think we can agree that from a network administration perspective TACACS+ does have some nice features. One such feature is extremely granular centralized command authorization based on user permissions assigned by the server. Also, TACACS was ported to Linux, although a bit roughly, via tac_plus. RADIUS user authentication for management purposes is nice if you want read-only or read/write access only, but is lacking when more granular control is required. Let's please keep a constructive dialog going on this issue, as RADIUS and TACACS were intended for fundamentally different purposes. Sarcasm from a Mikrotik employee to mock a contributor on a valid point is childish.


+1 for TACACS support
 
bruins0437
newbie
Posts: 33
Joined: Thu Jul 13, 2017 4:30 am
Location: New Hampshire

Re: Feature Request: TACACS/TACACS+

Thu Jul 20, 2017 3:05 pm

+1 for TACACS/TACACS+ support
 
tricksol
newbie
Posts: 29
Joined: Thu Sep 03, 2015 3:55 pm

Re: Feature Request: TACACS/TACACS+

Mon Jul 31, 2017 3:11 am

+1 for TACACS/TACACS+ support
 
eric101
just joined
Posts: 3
Joined: Thu Jul 28, 2016 3:31 pm

Re: Feature Request: TACACS/TACACS+

Mon Aug 07, 2017 3:54 pm

+1 for tacacs+ support, I think this would make a lot of people happy.
 
gidoos
just joined
Posts: 1
Joined: Wed Aug 23, 2017 10:54 am

Re: Feature Request: TACACS/TACACS+

Wed Aug 23, 2017 10:57 am

+1 for this. Will definitely be a big plus point for big networks.
 
YourWordIsTruth
just joined
Posts: 18
Joined: Mon Mar 04, 2013 5:50 pm

Re: Feature Request: TACACS/TACACS+

Mon Sep 18, 2017 5:48 pm

+1 for TACACS+ support, many companies don't consider your product, if you will, "Enterprise Grade", without TACACS+ support and frankly with security being the #1 issue in the enterprise TACACS+ is needed to not only secure a multitude of devices in complex networks, but also to provide auditing trails of admin usage when those pesky auditors come around yearly/quarterly :-)
 
branto
just joined
Posts: 8
Joined: Mon Aug 21, 2017 2:03 am

Re: Feature Request: TACACS/TACACS+

Sun Oct 22, 2017 1:06 am

+1 for this request. TACACS+ also encrypts the communications channel between client and server; RADIUS does not.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Feature Request: TACACS/TACACS+

Mon Oct 23, 2017 1:38 am

I wonder if IPSec could be used to secure the RADIUS traffic between endpoints and an auth server. This would only cover the encryption side of the discussion not the feature differences.
 
tonny
Frequent Visitor
Posts: 54
Joined: Fri Oct 09, 2015 10:50 am

Re: Feature Request: TACACS/TACACS+

Fri May 25, 2018 12:43 pm

+1 for TACACS/TACACS+ support
 
mlenhart
Frequent Visitor
Posts: 84
Joined: Mon Oct 30, 2017 11:30 pm

Re: Feature Request: TACACS/TACACS+

Fri May 25, 2018 1:26 pm

+1 for TACACS+ support
 
networkfudge
Trainer
Posts: 136
Joined: Mon May 20, 2013 2:47 pm

Re: Feature Request: TACACS/TACACS+

Fri May 25, 2018 11:50 pm

+ 1
 
sep
newbie
Posts: 25
Joined: Thu Nov 28, 2013 2:34 pm

Re: Feature Request: TACACS/TACACS+

Fri Aug 31, 2018 3:25 pm

+1 for TACACS+ support
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Feature Request: TACACS/TACACS+

Fri Aug 31, 2018 3:30 pm

I would like to see TACACS+ support as well. Being able to restrict the commands that a user can execute is incredibly important.

Especially with all of the attacks against MikroTik devices - it provides another layer of protection in addition to the firewall if a lower level user account is compromised.
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: Feature Request: TACACS/TACACS+

Fri Aug 31, 2018 3:56 pm

+1 Tacacs
 
TheCiscoGuy
Frequent Visitor
Posts: 51
Joined: Fri Jun 22, 2018 8:32 am

Re: Feature Request: TACACS/TACACS+

Mon Sep 03, 2018 7:42 pm

At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current RADIUS is functional, it just doesn't disable local accounts.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature Request: TACACS/TACACS+

Mon Sep 03, 2018 8:31 pm

At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current RADIUS is functional, it just doesn't disable local accounts.
Why not just set your one local admin account to have an impossible IP address restriction, and then you've still got console-level access should your connectivity to TACACS go fubar...?
 
caiot5
just joined
Posts: 15
Joined: Wed Mar 27, 2013 5:48 pm
Location: Brazil

Re: Feature Request: TACACS/TACACS+

Tue Sep 18, 2018 4:51 pm

+1 for TACACS+ support.
 
alessio79
just joined
Posts: 4
Joined: Fri May 15, 2015 7:20 pm

Re: Feature Request: TACACS/TACACS+

Tue Sep 18, 2018 6:06 pm

+1 for TACACS+
 
mAineAc
just joined
Posts: 2
Joined: Thu May 03, 2018 1:45 pm

Re: Feature Request: TACACS/TACACS+

Mon Oct 08, 2018 9:32 pm

+1 on tacacs+ support.
 
Faceless
just joined
Posts: 18
Joined: Sat Mar 03, 2018 4:03 pm
Location: Ukraine

Re: Feature Request: TACACS/TACACS+

Fri Nov 02, 2018 1:27 pm

+1 for TACACS+
 
nz_monkey
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: TACACS/TACACS+

Mon Nov 05, 2018 12:59 pm

+1 for TACACS+ support
 
around
just joined
Posts: 3
Joined: Fri Jan 11, 2019 7:53 pm

Re: Feature Request: TACACS/TACACS+

Fri Jan 11, 2019 7:54 pm

+1 for TACACS+ support
 
around
just joined
Posts: 3
Joined: Fri Jan 11, 2019 7:53 pm

Re: Feature Request: TACACS/TACACS+

Fri Jan 11, 2019 7:59 pm

+1 for TACACS+ support
Last edited by around on Tue Jan 15, 2019 12:44 pm, edited 1 time in total.
 
leoeletronics
just joined
Posts: 2
Joined: Fri Sep 23, 2016 11:17 pm

Re: Feature Request: TACACS/TACACS+

Mon Jan 14, 2019 5:00 pm

+1 TACACS
 
Kampfwurst
Member Candidate
Posts: 107
Joined: Mon Mar 24, 2014 2:53 pm

Re: Feature Request: TACACS/TACACS+

Thu Jan 17, 2019 12:54 pm

+1 TACACS
 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature Request: TACACS/TACACS+

Sat Mar 02, 2019 8:49 pm

+1 for TACACS+ support
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Feature Request: TACACS/TACACS+

Sun Mar 03, 2019 10:44 am

As long as Router OS does not log all commands run by who, I would also ask for TACACS support.
Last edited by Jotne on Sat Mar 09, 2019 7:45 pm, edited 1 time in total.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature Request: TACACS/TACACS+

Sat Mar 09, 2019 3:50 pm

As long as Router OS does not log all commands run by who I would also ask for TACACS support.
that's why +1 for TACACS+
 
TaBo
just joined
Posts: 2
Joined: Tue Apr 02, 2019 8:06 am

Re: Feature Request: TACACS/TACACS+

Tue Apr 02, 2019 8:11 am

+1 for TACACS+
 
mutinsa
just joined
Posts: 24
Joined: Tue Feb 06, 2018 4:55 am
Location: Plettenberg Bay, South Africa

Re: Feature Request: TACACS/TACACS+

Sun Apr 07, 2019 10:32 pm

+1.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: Feature Request: TACACS/TACACS+

Fri Dec 27, 2019 12:17 pm

@normis
How about adding this feature?
 
SumNathan
just joined
Posts: 8
Joined: Tue May 07, 2019 2:44 am

Re: Feature Request: TACACS/TACACS+

Tue Jan 07, 2020 4:44 am

+1 for TACACS+ support!
Really like being able to limit what commands a user can run (great for creating a backup user that can only run a backup command).
 
aacable
Member
Posts: 435
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: Feature Request: TACACS/TACACS+

Tue Jan 07, 2020 1:07 pm

+1 for TACACS+ support

I have TACACS+ configured on Linux to authenticate / restrict sessions/cmds on various switches. It really helps the admin when managing a large enterprise. Plus we are now able to satisfy the external audit team. Would love it if support for it were added to the TIK.
 
smirre
just joined
Posts: 12
Joined: Thu Feb 16, 2006 3:12 pm

Re: Feature Request: TACACS/TACACS+

Fri Mar 27, 2020 9:01 pm

+1 for tacacs+ auth
 
jimmer
just joined
Posts: 19
Joined: Wed Mar 06, 2019 10:06 am
Location: Tasmania, Australia

Re: Feature Request: TACACS/TACACS+

Tue Jun 02, 2020 7:32 am

+1 for TACACS+ on RouterOS
 
daemontux
just joined
Posts: 4
Joined: Thu Dec 24, 2020 9:52 am
Location: Russsian

Re: Feature Request: TACACS/TACACS+

Fri Dec 25, 2020 5:46 am

+1 for TACACS+ support
 
antmix
just joined
Posts: 3
Joined: Sat Oct 12, 2019 6:19 pm

Re: Feature Request: TACACS/TACACS+

Wed Jan 06, 2021 1:35 pm

+1 for TACACS+ support
 
zanswer
just joined
Posts: 4
Joined: Tue Oct 03, 2017 2:50 pm
Location: Siberia

Re: Feature Request: TACACS/TACACS+

Thu Jan 07, 2021 8:32 am

+1 for TACACS+ support!
 
paulpaulpaul
just joined
Posts: 1
Joined: Sun May 23, 2021 1:07 pm

Re: Feature Request: TACACS/TACACS+

Sun May 23, 2021 1:10 pm

+1 for TACACS

Any feedback about the plans of MikroTik would be highly desirable.
 
babukvb
just joined
Posts: 2
Joined: Thu Jun 06, 2013 6:22 pm

Re: Feature Request: TACACS/TACACS+

Fri Jun 04, 2021 5:59 am

+1 for TACACS
Only this feature can help MikroTik continue in enterprise/telecom/ISP networks in India.
 
grims
just joined
Posts: 4
Joined: Wed Aug 02, 2017 3:24 pm

Re: Feature Request: TACACS/TACACS+

Thu Dec 16, 2021 12:29 pm

+1 for TACACS
 
clambert
Member Candidate
Posts: 120
Joined: Wed Jun 12, 2019 5:04 am

Re: Feature Request: TACACS/TACACS+

Thu Dec 16, 2021 1:48 pm

+1 for TACACS
 
akschu
Frequent Visitor
Posts: 57
Joined: Thu Mar 15, 2012 2:09 am

Re: Feature Request: TACACS/TACACS+

Tue Apr 19, 2022 9:18 pm

+1 for TACACS, I don't want to install radius just for Mikrotik and to have less functionality.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature Request: TACACS/TACACS+

Tue Apr 19, 2022 9:28 pm

-1 for TACACS
+1 for TACOS

How many just registered users just to put a +1, is all useless, you have only one device and don't count for anything.
Oh, am I wrong and have thousands of devices? Then you haven't figured out how it works!
Contact sales@mikrotik.com to request a quote on the desired feature, if feasible.
 
Pun1sh3r
just joined
Posts: 11
Joined: Thu Jul 27, 2017 11:19 am

Re: Feature Request: TACACS/TACACS+

Wed Nov 02, 2022 10:06 am

+1 for TACACS+ in ROS6
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature Request: TACACS/TACACS+

Wed Nov 02, 2022 11:30 am

Look, they were thinking about adding something to v6 right now...
 
amix
just joined
Posts: 8
Joined: Wed May 19, 2021 11:16 pm

Re: Feature Request: TACACS/TACACS+

Wed Nov 30, 2022 11:16 am

+1 for Tacacs support
 
kashifmax
newbie
Posts: 37
Joined: Mon Feb 22, 2016 9:53 pm

Re: Feature Request: TACACS/TACACS+

Wed Feb 22, 2023 10:18 am

1+ for tacacs
 
enderst
just joined
Posts: 6
Joined: Fri Aug 28, 2020 4:29 am

Re: Feature Request: TACACS/TACACS+

Thu Jul 27, 2023 6:42 pm

+1 for Tacacs support
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Feature Request: TACACS/TACACS+

Thu Jul 27, 2023 7:16 pm

FWIW, I think folks should be clear as to what they are looking for here than just "+1"... I'm just not sure of the use-cases for "TACACS support" in 2023. Diameter was already a thing when this thread started and more modern than a 30 year old somewhat-Cisco specific protocol...

And support for any AAA protocol may not help that much since available RouterOS policy options are rather limited/coarse. e.g. command-level access control isn't something RouterOS supports today in the underlying policies, so is TACACS useful without that?
 
dooh
just joined
Posts: 14
Joined: Fri May 19, 2023 9:55 pm

Re: Feature Request: TACACS/TACACS+

Sun Jul 30, 2023 10:49 pm

Hi,

TAC/TAC+ should be added to Mikrotik devices as all (I really do not have any other equipment that does not know about AAA with tacacs) know how to use tacacs for remote AAA.

We use TACACS for all of our network equipment and just saw that Mikrotik does not use that. TACACS is the way to go for logging remote commands and restrict users.

Here is just a quick diff between TACACS+ and RADIUS from GPT:
The choice between TACACS+ (Terminal Access Controller Access Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) for network equipment login depends on the specific requirements and priorities of the organization. Both protocols have their strengths, but TACACS+ is generally preferred over RADIUS for network equipment login in certain scenarios due to the following reasons:

1. Granular Access Control: TACACS+ offers more granular access control capabilities compared to RADIUS. It allows administrators to define detailed authorization policies on a per-user or per-group basis, specifying exactly what commands and network resources each user can access. This level of granularity is especially important in large enterprise networks with complex security requirements.

2. Separation of Authentication and Authorization: TACACS+ separates authentication and authorization functions, whereas RADIUS often combines them. This separation allows for a more secure implementation, as authentication can be handled centrally while authorization decisions are made locally on the network device. In contrast, RADIUS usually performs both authentication and authorization on the RADIUS server, potentially exposing the server to greater risks.

3. Enhanced Security: TACACS+ provides stronger security mechanisms, including end-to-end encryption of communication between the client and the TACACS+ server. This encryption ensures that sensitive data, such as user credentials, is protected from potential eavesdropping and tampering. While RADIUS can also support encryption, it is not a mandatory requirement, and some RADIUS implementations might not use it by default.

4. Accounting Flexibility: TACACS+ offers more comprehensive accounting features compared to RADIUS. It provides detailed logging of all user activities on the network device, offering valuable data for auditing and compliance purposes. While RADIUS can handle accounting as well, TACACS+ is known for its more robust accounting capabilities.

5. Vendor Support: While both TACACS+ and RADIUS are widely supported by networking vendors, TACACS+ is favored in environments with Cisco network equipment. Cisco devices, in particular, have native support for TACACS+ and offer more features and integration options when using TACACS+ for authentication and authorization.

6. Extensible Attributes: TACACS+ allows for extensible attributes to be passed during the authentication and authorization process. This feature enables administrators to exchange additional information between the client and server, providing more flexibility for implementing custom features.

7. Device Administration vs. Dial-in Access: Historically, RADIUS was designed for dial-in access scenarios (e.g., remote user access to the network via modems). While it has been extended to support other use cases, TACACS+ was specifically designed for device administration, making it a more suitable choice for network equipment login scenarios.

In summary, TACACS+ is often preferred over RADIUS for network equipment login when the organization requires fine-grained access control, enhanced security, comprehensive accounting, and native vendor support for Cisco devices. However, it's essential to evaluate the specific needs and infrastructure of the organization before making a final decision, as both protocols have their merits and can be suitable for different network environments.
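
Added example, not part of the thread or any poster's code: the per-command authorization and the client/server channel protection raised in the posts above both come down to the TACACS+ packet format in RFC 8907, so the Python below builds and parses one authorization REQUEST, including the RFC's MD5-pad body obfuscation. The user, port, address, shared secret and command are constructed sample values, and `audit_line` is a hypothetical helper.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # when set, the body is sent in the clear

def pseudo_pad(header: bytes, key: bytes, length: int) -> bytes:
    """RFC 8907 pad: MD5 chained over session_id, key, version, seq_no."""
    version, _type, seq_no, _flags, session_id, _len = struct.unpack("!BBBBII", header)
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(header, key, len(body))))

def build_author_request(session_id, key, user, port, rem_addr, args) -> bytes:
    """Client side: one authorization REQUEST carrying one command."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    enc_args = [a.encode() for a in args]
    # authen_method=TACACSPLUS(6), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)
    body = bytes([0x06, 1, 0x01, 0x01, *map(len, fields), len(enc_args)])
    body += bytes(map(len, enc_args)) + b"".join(fields) + b"".join(enc_args)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + xor_body(header, body, key)

def parse_author_request(packet: bytes, key: bytes) -> dict:
    """Server side: recover the user, source address and requested command."""
    header, body = packet[:12], packet[12:]
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!BBBBII", header)
    if ptype != TAC_PLUS_AUTHOR or length != len(body):
        raise ValueError("not a well-formed authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(header, body, key)
    user_len, port_len, addr_len, arg_cnt = body[4:8]
    arg_lens = body[8:8 + arg_cnt]
    pos = 8 + arg_cnt
    if pos + user_len + port_len + addr_len + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: wrong shared key or corrupt packet")
    values = []
    for n in (user_len, port_len, addr_len, *arg_lens):
        values.append(body[pos:pos + n].decode())
        pos += n
    return {"user": values[0], "port": values[1], "rem_addr": values[2], "args": values[3:]}

def audit_line(req: dict) -> str:
    """Hypothetical helper: the per-user, per-command record a server can check and log."""
    cmd = " ".join(a.split("=", 1)[1] for a in req["args"]
                   if a.startswith(("cmd=", "cmd-arg=")))
    return f'{req["user"]}@{req["rem_addr"]} requests: {cmd}'

# Constructed sample values (not taken from the thread).
SAMPLE = build_author_request(0x1234ABCD, b"constructed-shared-secret", "alice", "vty0",
                              "192.0.2.10", ["service=shell", "cmd=show", "cmd-arg=running-config"])
```

Because every command arrives as its own request with the user name attached, the server can permit or deny it individually and attribute it to one administrator, which is the difference from session-level start/stop records that the quoted comparison describes.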
