On Wed, 18 Feb 2026 at 08:34, Christopher Morrow via NANOG <[email protected]> wrote:
> 100% yes, I guess my question sort of is, in the year 2026, if you have:
> * automated updates to devices
> * ssh key support in your fleet
> * ability to enumerate the users / devices mapping necessary for your operations
>
> would not using tac+ make more sense now?

We can definitely expand on this. We can also ask, why have >1 account to devices.

You can implement GUI, TUI or CLI access to a proxy code, which implements device specific commands and returns output from a given remote host. You can normalise experience regardless of platform or even enrich output from other systems potentially expediting debugging, but humans never interact directly with devices. You can have normalised logging and authentication on the proxy code. As the actual channel to remote can be SSH, netconf or telnet which can be always on, you can return output much faster using this approach, as you don't have to pay connect/auth tax. You can easily emulate legacy access via this code too, and expose the device under various loopback addresses which map to external devices, so legacy code can interact with it, as if it is a direct connection.

But the problem with the above is that someone needs to write and maintain the code. But at least you control the code, and feature velocity on it. So if you can spare the development hour, adding this middle layer can help immensely.

Problem with your quoted approach is that while you say thousands of users are fine on some devices, you also gave an example where it is a problem. Which is an excellent reason not to do this, generally don't do anything strange on NOS, unless you absolutely must. You really don't want to be the customer that pushes the envelope with vendors to support larger numbers of users, or whatever it may be. You assert almost no control on the feature velocity. On the opposite end, you know that TACACS is not a strange thing, everyone else is working with the vendor too, when there are issues on it.

If you want boring outcomes, do boring things.

--
  ++ytti
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/7SZZJKULMRGOX3Z6PQ6Y2EOY3MOJTF6I/
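
The proxy layer described in the message above, sketched as an added example (it is not code from the post or from any NANOG participant): users are authorised and audited at the proxy, normalised commands are mapped to per-platform CLI, and one long-lived session per device is reused so the connect/auth cost is paid once. `DeviceProxy`, `FakeSession`, the command names, hostnames and users are all hypothetical, and the transport is a constructed stand-in for a real SSH or NETCONF channel.

```python
from dataclasses import dataclass, field

# Normalised command name -> platform-specific CLI (illustrative mapping).
COMMANDS = {
    "show-bgp-summary": {"junos": "show bgp summary", "iosxr": "show bgp summary",
                         "eos": "show ip bgp summary"},
    "show-interfaces": {"junos": "show interfaces terse", "iosxr": "show ipv4 interface brief"},
}

class FakeSession:
    """Constructed stand-in for an always-on SSH/NETCONF channel to one device."""
    connects = 0  # counts how often the connect/auth tax is paid

    def __init__(self, host):
        FakeSession.connects += 1
        self.host = host

    def run(self, cli):
        return f"{self.host}# {cli}\n(constructed output)"

@dataclass
class DeviceProxy:
    inventory: dict                              # host -> platform
    acl: dict                                    # user -> set of normalised commands
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)    # one normalised record per request

    def execute(self, user, host, command):
        cli = COMMANDS.get(command, {}).get(self.inventory.get(host))
        allowed = cli is not None and command in self.acl.get(user, set())
        # Log every attempt, allowed or not, before touching the device.
        self.audit.append({"user": user, "host": host, "command": command, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not run {command} on {host}")
        if host not in self.sessions:            # connect once, then reuse
            self.sessions[host] = FakeSession(host)
        return self.sessions[host].run(cli)

def demo():
    # Constructed inventory and ACL: only alice may run show-bgp-summary.
    proxy = DeviceProxy(inventory={"r1.example.net": "junos", "r2.example.net": "eos"},
                        acl={"alice": {"show-bgp-summary"}})
    out = [proxy.execute("alice", "r1.example.net", "show-bgp-summary") for _ in range(3)]
    out.append(proxy.execute("alice", "r2.example.net", "show-bgp-summary"))
    try:
        proxy.execute("bob", "r1.example.net", "show-bgp-summary")
    except PermissionError:
        pass                                     # denied at the proxy, device never contacted
    return proxy, out
```
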
