topic Re: tacacs+ authentication in General Topics

tacacs+ authentication

NetworkGeek — Thu, 06 Apr 2017 09:56:12 GMT

Hi All,

i need to undersatnd if tacacs+ is cisco properiety , so how come juniper and paloalto use it ?

second question here , tacacs+ used mainly for cisco command authorization , so what is the need for that inside paloalto ?

Re: tacacs+ authentication

bradk14 — Thu, 06 Apr 2017 10:06:39 GMT

i need to undersatnd if tacacs+ is cisco properiety , so how come juniper and paloalto use it ?

So I think the key definer here is server vs client. officially, TACACS+ server is a Cisco product. So in theory, if you want to employ TACACS+, you'd need to buy a server from Cisco (though I believe there are knockoffs out there). In terms of being a client, however, Cisco would only encourage that from other vendors because it only helps them sell more ACS/ISE servers.

second question here , tacacs+ used mainly for cisco command authorization , so what is the need for that inside paloalto ?

Need is a strong word. Since Palo Alto is RBAC-based (and continues to be so for TACACS+ as I understand it), the benefit isn't immediately clear, especially since both ACS and ISE support RADIUS. So all I can offer is the fundamental differences between the two, which is that TACACS+ is TCP oriented and also encrypts the entire payload vs RADIUS which only encrypts the password.

Re: tacacs+ authentication

NetworkGeek — Fri, 07 Apr 2017 11:56:08 GMT

Thank you

Re: tacacs+ authentication

drogers — Thu, 01 Jun 2017 19:14:36 GMT

TACACS+ is not a Cisco proprietary protocol. It was developed by Cisco as an extension to TACACS, but they did so openly, submitting a draft RFC and releasing a development kit to allow others to adopt the protocol. There is a more current IETF draft under way as well - https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/

TACACS+ can be used for Authentication, Authorization, and Accounting - a common use case is for command-level authorization on Cisco devices, but that's due more to how long Cisco has been implementing and pushing the standard rather than because that's all it's good for. In many customer environments, it is replacing or has replaced RADIUS as the AAA standard.

In the case of a Palo Alto Networks firewall or Panorama, we can leverage TACACS+ to authenticate a user, as well as authorize the user to perform specific functions though the use of a role, all without needing to define each individual user in Panorama or on the firewall. This is exactly the same use case as RADIUS, it's just another (and much more secure) option for doing so.

Re: tacacs+ authentication

pulukas — Fri, 02 Jun 2017 22:53:18 GMT

TACACS+ is basically a Cisco solution. The vast majority of the deploys and usage is done by Cisco using enterprises.

The reason other vendors like Juniper and Palo Alto Networks support using TACACS+ for authentication is that a large number of companies have TACACS+ deployed as their primary AAA solution. Nework vendors don't want to lose out on an RFC for equipment just because they don't support a AAA solution that is in place on the network. By the nature of this type of solution enterprises only want to deploy one central AAA repository.

Re: tacacs+ authentication

D.Kumar271534 — Thu, 24 Oct 2024 08:38:22 GMT

Hi,

I want to just confirm what happens if m using PAP in TACACS and I want to change from PAP to CHAP. What will be the impact.