Switching

Expand all | Collapse all

Tacacs vs Tacacs+

Jump to Best Answer
  • 1.  Tacacs vs Tacacs+

    Posted 04-08-2020 03:16

    Hi 

    I only found  Tacacs+ Authentication on EX2300. Is it possible to configure Tacacs+ Authentication but Destination is running Tacacs??

    I didn't see that EX2300 doesn't support Tacacs anymore in Pathfinder



  • 2.  RE: Tacacs vs Tacacs+
    Best Answer

     
    Posted 04-08-2020 09:42

    Hi Halo,

     

     

    Greetings, I am afraid that the answer is no, although I haven't tested it, a couple of reasons why:

     

    Tt is not an option in Junos 

     

    root@Halo# set system authentication-order ?
    Possible completions:
    [ Open a set of values
    password Traditional password authentication
    radius Remote Authentication Dial-In User Service
    tacplus TACACS+ authentication services

     

    As you mentioned is not available in pathfinder 

     

    Feature Name Introduced Release Prerequisites
    Authentication and Access ControlFeature Family Information
    TACACS+ 
    TACACS+
    Junos OS 15.1X53-D50 
     
    TACACS+ authorization for operational commands using regular expressions
    Junos OS 18.1R1

     

    Now, even if you configure it and for some super rare reason it works, what happens if it breaks one day? TAC won't help if you are running a feature that is not supported.

     

    Also In spite of its name, TACACS+ is an entirely new protocol.

     

    TACAS uses both TCP and UDP but TACAS+ uses TCP this could be a major issue if they don't sync on the transport protocol.

     

    And last but not least,  TACACS security is way below the standards so I would highly recommend you move to TACACS+ or radius as soon as you can.

     

    5.0 Security Notes

       While the protocol itself has been described, there are a number of
       other considerations worth mentioning.
    
       First, the protocol carries the username and password in clear text
       in either a single UDP packet or a TCP stream.  As such, if an
       attacker is capable of monitoring that data, the attacker could
       capture username/password pairs.  Implementations can take several

    https://tools.ietf.org/html/rfc1492

     


    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

     

     

     

      

     

     

     

     



  • 3.  RE: Tacacs vs Tacacs+

     
    Posted 04-08-2020 09:50

    I would suggest this is a question to ask Cisco.  They should know backwards compatiability of TACACS and TACACS+.  If I had to guess, I would expect they are backwards compatiable, and therefore any devices that support TACACS+ also supports TACACS, but not the opposite way around.

     

    My 2 cents worth.