nanog mailing list archives

Re: TACACS+ server recommendations?


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 21 Sep 2023 12:26:44 -0400

On Thu, Sep 21, 2023 at 6:56 AM Jim <mysidia () gmail com> wrote:
...
My understanding is a good number of password manager products exist which will handle that,
and then the only AAA which network devices need to be concerned about for Authentication and
Authorization is Basic password auth, which all equipment supports. And the security problems
don't arise so much for using the TACACS+ / Tac_plus service Solely for Accounting
(in addition to basic remote syslog).

It's important to recognize that there's not really any protection
(practical protection) from MITM if you use a passwd with your ssh
connection.

A key'd authentication has these protections, as a quirk of the ssh
protocol... (or a design feature if you wish)
A certificate authenticated session has these same protections.
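
The difference described above, as an added example that is not part of the original post: in RFC 4252 the publickey signature covers the session identifier derived from the key exchange, while a password is not bound to any session. This simplified model assumes the client accepted an intermediary's host key; the function names, the "admin" user and all sample values are constructed for illustration, and the real signed data carries more fields than shown.

```go
// Added illustration: simplified model of RFC 4252 user authentication.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// sessionID stands in for the exchange hash H; each negotiated leg gets its own.
func sessionID(kex string) []byte {
	h := sha256.Sum256([]byte(kex))
	return h[:]
}

// signedData is what the publickey method signs: session ID plus the request.
func signedData(sid []byte, user string) []byte {
	return append(append([]byte{}, sid...), user...)
}

// serverAcceptsKey verifies the signature against the server's own session ID.
func serverAcceptsKey(pub ed25519.PublicKey, sid []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, signedData(sid, user), sig)
}

// serverAcceptsPassword compares the secret only; no session is involved.
func serverAcceptsPassword(stored, presented []byte) bool {
	return subtle.ConstantTimeCompare(stored, presented) == 1
}

// relayOutcome reports whether credentials produced on the client's leg are
// accepted by the real server, whose leg was negotiated separately.
func relayOutcome() (pwRelayed, sigRelayed, directKey bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	clientLeg := sessionID("kex: client <-> intermediary") // constructed
	serverLeg := sessionID("kex: intermediary <-> server") // constructed
	pw := []byte("constructed-password")
	pwRelayed = serverAcceptsPassword(pw, pw) // same bytes work on any leg
	sigRelayed = serverAcceptsKey(pub, serverLeg, "admin", ed25519.Sign(priv, signedData(clientLeg, "admin")))
	directKey = serverAcceptsKey(pub, serverLeg, "admin", ed25519.Sign(priv, signedData(serverLeg, "admin")))
	return
}

func main() {
	fmt.Println(relayOutcome())
}
```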

