Hi,
TACACS/TACACS+ should be added to MikroTik devices, as all other equipment knows how to use TACACS for remote AAA (I really do not have any other equipment that does not know about AAA with TACACS).
We use TACACS for all of our network equipment and just saw that MikroTik does not support it. TACACS is the way to go for logging remote commands and restricting users.
Here is just a quick diff between TACACS+ and RADIUS from GPT:
The choice between TACACS+ (Terminal Access Controller Access Control System Plus) and RADIUS (Remote Authentication Dial-In User Service) for network equipment login depends on the specific requirements and priorities of the organization. Both protocols have their strengths, but TACACS+ is generally preferred over RADIUS for network equipment login in certain scenarios due to the following reasons:
1. Granular Access Control: TACACS+ offers more granular access control capabilities compared to RADIUS. It allows administrators to define detailed authorization policies on a per-user or per-group basis, specifying exactly what commands and network resources each user can access. This level of granularity is especially important in large enterprise networks with complex security requirements.
2. Separation of Authentication and Authorization: TACACS+ separates authentication and authorization functions, whereas RADIUS often combines them. This separation allows for a more secure implementation, as authentication can be handled centrally while authorization decisions are made locally on the network device. In contrast, RADIUS usually performs both authentication and authorization on the RADIUS server, potentially exposing the server to greater risks.
3. Enhanced Security: TACACS+ provides stronger security mechanisms, including end-to-end encryption of communication between the client and the TACACS+ server. This encryption ensures that sensitive data, such as user credentials, is protected from potential eavesdropping and tampering. While RADIUS can also support encryption, it is not a mandatory requirement, and some RADIUS implementations might not use it by default.
4. Accounting Flexibility: TACACS+ offers more comprehensive accounting features compared to RADIUS. It provides detailed logging of all user activities on the network device, offering valuable data for auditing and compliance purposes. While RADIUS can handle accounting as well, TACACS+ is known for its more robust accounting capabilities.
5. Vendor Support: While both TACACS+ and RADIUS are widely supported by networking vendors, TACACS+ is favored in environments with Cisco network equipment. Cisco devices, in particular, have native support for TACACS+ and offer more features and integration options when using TACACS+ for authentication and authorization.
6. Extensible Attributes: TACACS+ allows for extensible attributes to be passed during the authentication and authorization process. This feature enables administrators to exchange additional information between the client and server, providing more flexibility for implementing custom features.
7. Device Administration vs. Dial-in Access: Historically, RADIUS was designed for dial-in access scenarios (e.g., remote user access to the network via modems). While it has been extended to support other use cases, TACACS+ was specifically designed for device administration, making it a more suitable choice for network equipment login scenarios.
In summary, TACACS+ is often preferred over RADIUS for network equipment login when the organization requires fine-grained access control, enhanced security, comprehensive accounting, and native vendor support for Cisco devices. However, it's essential to evaluate the specific needs and infrastructure of the organization before making a final decision, as both protocols have their merits and can be suitable for different network environments.
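To make point 3 of the comparison concrete, here is an added example (not part of the post above, and not MikroTik or any vendor's code) that implements the wire-level protection both protocols actually apply, with constructed keys, user names and session values: TACACS+ XORs the whole packet body with an MD5 keystream derived from the shared key (RFC 8907 section 4.5), so the user name, port and data fields are all hidden, while RADIUS only hides the User-Password attribute (RFC 2865 section 5.2) and sends User-Name and everything else in the clear. RFC 8907 itself calls the TACACS+ mechanism obfuscation rather than encryption and recommends a TLS transport for real confidentiality, which is why a shared key alone is not sufficient for either protocol on an untrusted network.

```python
"""TACACS+ body obfuscation (RFC 8907 sec. 4.5) beside RADIUS User-Password
hiding (RFC 2865 sec. 5.2). Illustration with constructed values only."""
import hashlib
import os
import struct

# --- TACACS+ constants (RFC 8907) ------------------------------------------
TAC_PLUS_VERSION = (0xC << 4) | 0x0        # major 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01                     # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # header flag: body not obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01               # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                     # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(user, port, rem_addr, data=b"", priv_lvl=1):
    """Authentication START body; every field, user name included, is obfuscated."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def tacacs_packet(key, session_id, seq_no, body):
    """12-byte clear header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(session_id, key, TAC_PLUS_VERSION, seq_no, body)


def tacacs_decode(key, packet):
    """Receiver side: parse the header, check the length, recover the body."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return tacacs_obfuscate(session_id, key, version, seq_no, body)


# --- RADIUS (RFC 2865) -------------------------------------------------------
RADIUS_USER_NAME = 1
RADIUS_USER_PASSWORD = 2


def radius_hide_password(secret, request_authenticator, password):
    """Zero-pad to 16-byte blocks; b1 = MD5(S|RA), c1 = p1^b1, b_n = MD5(S|c_{n-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def radius_reveal_password(secret, request_authenticator, hidden):
    """Inverse of radius_hide_password; trailing zero padding is dropped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    """Type-Length-Value attribute; length includes the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def radius_access_request_attrs(secret, request_authenticator, user, password):
    """User-Name goes in the clear; only User-Password is hidden."""
    return (radius_attr(RADIUS_USER_NAME, user) +
            radius_attr(RADIUS_USER_PASSWORD,
                        radius_hide_password(secret, request_authenticator, password)))


if __name__ == "__main__":
    key = b"example-shared-key"                       # constructed
    sid = int.from_bytes(os.urandom(4), "big")
    body = tacacs_authen_start(b"alice", b"tty0", b"192.0.2.10")
    pkt = tacacs_packet(key, sid, 1, body)
    print("TACACS+ user name visible on the wire:", b"alice" in pkt)
    print("TACACS+ body recovered with the key:", tacacs_decode(key, pkt) == body)
    ra = os.urandom(16)                               # Request Authenticator
    attrs = radius_access_request_attrs(key, ra, b"alice", b"s3cret")
    print("RADIUS user name visible on the wire:", b"alice" in attrs)
```

Running it prints `False`, `True`, `True`: the TACACS+ user name is not readable on the wire, while the RADIUS User-Name is. For accounting this matters too, since a TACACS+ accounting record carrying the executed command is inside the same obfuscated body, whereas RADIUS accounting attributes are not hidden at all.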