On Tue, Feb 17, 2026 at 3:55 PM Andrew Latham <[email protected]> wrote:
>
> Christopher

chris is fine :) (sorry, a long long long time ago someone picked my username for me... oops!)

> I will not speak for OP but I have in my career dealt with contractual
> requirements, government mandates, and other silliness. I once
> worked on an emergency where a sales person had sold a 25 year
> contract on a tech stack and we had to show that updating the
> cryptography was an allowable change with 19 years left on the contract.

Oh sure I've seen this form of problem. That's a fair thing, my list was mostly a way to get the conversation going and to suss out 'why exactly?' :) Thanks for the other optional reason. I do suspect that MOST regulators / compliance regimes provide the flexibility to change these sorts of things if requested and if enough proper reasoning is provided, that's been my experience at any rate. Now, do you want to do that? maybe? or "still works, got other problems to slay".

>
> TL;DR;
>
> 5) we have a requirement carved in marble in the lobby
>
> On Tue, Feb 17, 2026 at 1:12 PM Christopher Morrow via NANOG
> <[email protected]> wrote:
> >
> > Can I ask a possibly leading question:
> > "Why do you want to use tacacs in the first place?"
> >
> > Possible answers are:
> > 1) we have always been at war with elbonia, so we continue to be at
> > war with elbonia
> > 2) we like 1 central place to manage access / authorization and we
> > desire the collection of accounting type data so we know when Foo did
> > Bar to Baz.
> > 3) we like that when Foo leaves our orbit we can disable Foo's
> > access 'instantly', in one place.
> > 4) we don't have a method to manage config updates to every single
> > relevant device in a time period which our mgmt/security-folks believe
> > is ok for when Foo leaves our orbit.
> >
> > You can enable tacacs-accounting only on most network OSs (not junos,
> > darn!), and you can do ssh-key authentication (or cert auth, on most
> > now?), you'd be having to sacrifice the timeline between: 'Foo leaves'
> > and 'all devices updated to remove Foo's account'. Also, you'd want to
> > be in a situation where you weren't trying to manage O(1000) users on
> > any of these platforms.
> > (I know you can shovel ~7k users on an arista of current flavor, and a
> > juniper of same flavor... the initial commit time is 'stupendous'
> > though :) - do not try this on a ciscoXR device was my recollection)
> >
> > You can also set some relatively clear authorization config on devices
> > for read-only-ish or read-write account privileges, on
> > cisco/arista/juniper...
> >
> > anyway, why do you want to use tacacs? (for authorization and
> > authentication)
> >
> > On Wed, Feb 11, 2026 at 12:37 PM Andrew Latham via NANOG
> > <[email protected]> wrote:
> > >
> > > Untested but I also see:
> > >
> > > A. https://github.com/salesforce/tacrust
> > > B. https://github.com/SaschaSchwarzK/tacacs_server
> > >
> > > I think B looks interesting
> > >
> > > On Tue, Feb 10, 2026 at 8:08 AM Drew Weaver via NANOG
> > > <[email protected]> wrote:
> > > >
> > > > Howdy.
> > > >
> > > > I imagine that this is an issue that has come up before but I am having
> > > > an issue finding how anyone else handled it. (Unless everyone is still
> > > > running tac_plus on RHEL7)
> > > >
> > > > I'm trying to migrate some tac plus instances to a new Linux distro
> > > > that apparently doesn't support tcp_wrappers and I'm having trouble
> > > > both compiling it and making an RPM for it.
> > > >
> > > > I've tried both the original https://www.shrubbery.net/tac_plus/ and
> > > > the now sadly abandoned Facebook version
> > > > https://github.com/facebook/tac_plus
> > > >
> > > > If there is another tacacs+ solution everyone has moved to that I am
> > > > unaware of please enlighten me.
> > > >
> > > > Thank you,
> > > > -Drew
> > > >
> > > > _______________________________________________
> > > > NANOG mailing list
> > > > https://lists.nanog.org/archives/list/[email protected]/message/REGURCJX4QAEZOEORGRO7TLFKTY36QPW/
> > >
> > > --
> > > - Andrew "lathama" Latham -
> > > _______________________________________________
> > > NANOG mailing list
> > > https://lists.nanog.org/archives/list/[email protected]/message/MJTTEZIHC7EN66A4QQUB7QGFPNCJPX7A/
> > _______________________________________________
> > NANOG mailing list
> > https://lists.nanog.org/archives/list/[email protected]/message/EVU26ZR5Q6B6NFIQCPMDNGG7FWPDPI7E/
>
> --
> - Andrew "lathama" Latham -
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/GBX62YBOJ6IPIYSAQQNJAEDVBM7SLMKG/
