Tue, May 03, 2022 at 09:58:31AM +0200, Alan DeKok:
> On May 3, 2022, at 12:23 AM, heasley <h...@shrubbery.net> wrote:
> >> It may be good to have a note that the existing TACACS+ port can be used
> >> for TLS, if both ends are configured to require TLS. That means systems
> >> can use existing firewall rules, etc. for TACACS+TLS.
> >
> > We discussed this and question whether this needs to be discussed in
> > the (any) document, because it is not unlike any other service, which may
> > be configured by the admin to use any port they wish.
>
> The point is to suggest that it can be done. i.e. It's acceptable for
> people to manually configure both client and server as both (a) TLS, and (b)
> using port 49.
>
> i.e. just drop the use of legacy TACACS+ entirely.

This has been addressed in draft-dahm-tacacs-tls13-00.

> > We also question if suggesting the use of 49/tcp will incite its use and
> > therefore the pitfalls described in S8.2?.
>
> Allowing a new port just for TLS is fine, too. But I do agree that
> STARTTLS is not useful.

The other items that you mention have not yet been.

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg