Radius vs TACACS - CLI Authorization


vobelic
New Contributor II
I'm looking to set up authorization based on CLI command with either TACACS or RADIUS.
Apparently RADIUS seems to be a no-go according to this post: https://community.extremenetworks.com/extreme/topics/configuring-command-authorization-using-windows...

TACACS on the other hand has the option in XOS
#enable tacacs-authorization
Can someone confirm this is currently only possible with TACACS and explain why such support is missing from RADIUS with XOS 15.1 onwards?
After all, TACACS is Cisco while RADIUS should be open and the preferred way.
8 REPLIES 8

Drew_C
Valued Contributor III
What TACACS+ server are you using?

If it helps, one of the labs I built some time back used a variation of Cisco's TACACS+ server. The user config looked like this:
# Configure User
user = drew {
    login = cleartext "mypassword"
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = download {
        permit .*
    }
}
user = admin {
    default service = permit
    login = cleartext ""
}
This gave "drew" an admin level account that could only run show and download commands, and denied everything else. You can also explicitly deny certain commands. The admin account was configured as it normally is on the switch by default.
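
Added example (not part of the thread and not code from any TACACS+ server): a simplified Python model of the per-command policy in the config above, useful for checking which command lines a user block would permit before deploying it. The names `parse_users` and `authorize` are hypothetical; the model assumes the first word of the command line is the `cmd`, rules are tried in order with the first match winning, each rule's regex contains no spaces, and `default service = permit` permits commands that have no `cmd` block.

```python
import re

# Constructed sample: the "drew" and "admin" users from the post above,
# with the login lines left out because authorization does not use them.
CONFIG = """
user = drew {
    service = exec { priv-lvl = 15 }
    cmd = show { permit .* }
    cmd = download { permit .* }
}
user = admin {
    default service = permit
}
"""

def parse_users(text):
    """Return {user: {"default_permit": bool, "cmds": {name: [(action, regex)]}}}."""
    users = {}
    # A user body may contain one level of nested { ... } blocks.
    for name, body in re.findall(r"user\s*=\s*(\S+)\s*\{((?:[^{}]|\{[^{}]*\})*)\}", text):
        cmds = {}
        for cmd, rules in re.findall(r"cmd\s*=\s*(\S+)\s*\{([^{}]*)\}", body):
            cmds[cmd] = re.findall(r"(permit|deny)\s+(\S+)", rules)
        users[name] = {
            "default_permit": bool(re.search(r"default\s+service\s*=\s*permit", body)),
            "cmds": cmds,
        }
    return users

def authorize(users, user, command_line):
    """Return True if the modelled policy permits this command line."""
    policy = users.get(user)
    if policy is None:
        return False                      # unknown user: deny
    cmd, _, args = command_line.strip().partition(" ")
    if cmd not in policy["cmds"]:
        return policy["default_permit"]   # unlisted command: user default
    for action, pattern in policy["cmds"][cmd]:
        if re.search(pattern, args):      # first matching rule decides
            return action == "permit"
    return False                          # listed command, no rule matched: deny
```

With this model, `authorize(parse_users(CONFIG), "drew", "configure vlan default add ports 1")` returns `False`, while any `show` or `download` command line returns `True`.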

Stephane_Grosj1
Extreme Employee
Hi,

Yes, you can deny some commands with TACACS+ on EXOS.
It was possible with Radius using the old VSA and some tweaking. Apparently, the VSA has been removed.

vobelic
New Contributor II
Yes, thank you for quoting what I already know about RADIUS.

What about TACACS, does CLI authorization actually work?

Ronald_Dvorak
Honored Contributor
https://en.wikipedia.org/wiki/TACACS

https://community.extremenetworks.com/extreme/topics/configuring-command-authorization-using-windows...

From the above post...
"These VSA's were used and supporting in older firmware (with limited commands) in FreeRadius server & Merit Radius servers.

As this was supported with limited commands and only with few Radius servers, we have removed this from EXOS 15.1.3.1 onwards."

-Ron