Problem/Justification
(What is the problem you are trying to solve with this feature/improvement or why should it be considered?)
RADIUS or TACACS authentication using Cisco ISE
Impact
(How is this feature going to impact all TrueNAS users? What are the benefits and advantages? Are there disadvantages?)
Gives you the ability to use standard enterprise-based authentication methods.
User Story
(Please give a short description on how you envision some user taking advantage of this feature, what are the steps a user will follow to accomplish it)
This would be used for GUI and CLI access. Always with local machine login as a priority, in case there is an issue with AD or ISE.
I did not see any listing of using TrueNAS with RADIUS or TACACS. Do you all have that option and/or documentation?
google search: tacacs+ authentication for debian
It looks like it can be done, but adding packages is not an option per your UI. Could you all add both RADIUS and TACACS and have them listed as a service on the service page?
To access any of my network devices and most all my vendor appliances we use ISE, either RADIUS or TACACS+, to manage the devices (CLI access and GUI access). This is an enterprise security tool. If you use it with AD you can monitor, log, and control access via enforcement of RBAC (role-based access control). cisco.com: /c/en/us/support/docs/security/identity-services-engine/200891-Understanding-Admin-Access-and-RBAC-Poli.html
Here is a YT vid for RADIUS on a Linux box; TACACS is almost identical, just a different package.
Ah, I see. In an enterprise situation TrueNAS is designed to be joined to Active Directory as the “enterprise authentication method” both for admins and users. There was already an idea raised around that AD authentication web GUI with feedback that it is a TrueNAS Enterprise licensed feature.
Yeah, but the ability to administer via TACACS and/or RADIUS is much more granular and looks to be an easy package install and editing of a config file.
Yeah, I have one appliance at home, but would like to at some point suggest TrueNAS if the opportunity comes up. Having the ability to use TACACS or RADIUS is a plus.
We offer AD, LDAP, and IPA support for auth. In theory we could add it as another enterprise authentication option but historically we haven’t gotten any asks for it from customers or potential customers.
So I see TACACS would require compiling from source since it is not included in current Debian releases. Though a RADIUS client looks to still be supported.
To set up a RADIUS client on Debian, you typically install the freeradius-utils package for testing/utility tools or the libpam-radius-auth package for system authentication integration.
Client Utilities (radclient)
The freeradius-utils package includes the radclient command-line utility, which is used to send arbitrary RADIUS packets to a server and display the reply. This is a common tool for testing a RADIUS server’s configuration or monitoring its status.
sudo apt update
sudo apt install freeradius-utils
Then for authenticating against a RADIUS server it would need the PAM plugin.
After installation, you will need to configure the module, typically by editing files within the /etc/pam.d/ directory or a specific configuration file like /etc/radiusclient-ng/servers or a similar file created during installation. The configuration involves specifying the RADIUS server’s IP address and a shared secret key, which must match the configuration on the RADIUS server itself.
This would be a nice-to-have. I would have installed it, but the UI barks about installing packages.