nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: TACACS+ server recommendations?

From: Jim <mysidia () gmail com>
Date: Thu, 21 Sep 2023 05:56:39 -0500
On Thu, Sep 21, 2023 at 4:40 AM Simon Leinen <simon.leinen () switch ch> wrote:



Ahem... Cisco supports SSH authentication using *X.509* certificates.
Unfortunately this is not compatible with OpenSSH (the dominant SSH



It's not a great solution, but it is certainly a solution.
The feature exists for some routers/switch models running certain
licenses/images...
an existing 200 NE network is not likely to have the feature 100% available
by accident, though.

On the other hand:  the strategy of using local auth on devices and having
a few local users
with specific privilege levels,  and centralized systems that manage the
ones creds for all
normal day-to-day usage: Storage and frequent automatic rotation of
passwords, and
when an operator needs to login:  the central system authorize a privileged
User to access,

Either "check out" a device using AAA to decide who can check out which
devices,
Or users run their SSH sessions through centralized connection managers
(Acting as a man-in-the-middle authenticating
to devices using its own credentials.  Authorizing user commands proxied
through
the server)  -   Allows AAA  and command authorization to be performed by
the central server.

My understanding is a good number of password manager products exists which
will handle that,
and then the only AAA  which  network devices need to be concerned about
for Authentication and
Authorization is  Basic password auth,  which all equipment supports.   And
the security problems
don't arise so much for using the TACACS+ / Tac_plus service Solely for
Accounting
(in addition to basic remote syslog).

client implementation we use), which only supports *OpenSSH*

certificates.



--
-Jim
Previous By Date Next
Previous By Thread Next

Current thread: