TACACS+ and/or RADIUS options for authentication for device management

Problem/Justification
(What is the problem you are trying to solve with this feature/improvement or why should it be considered?)
Radius or Tacacs authentication using Cisco ISE

Impact
(How is this feature going to impact all TrueNAS users? What are the benefits and advantages? Are there disadvantages?)
Gives you the ability to use standard enterprise-based authentication methods

User Story
(Please give a short description on how you envision some user taking advantage of this feature, what are the steps a user will follow to accomplish it)
This would be used for GUI and CLI access. Always with local machine login as a priority, in case there is an issue with AD or ISE.

I did not see any listing of using TrueNAS with RADIUS or TACACS. Do you all have that option and/or documentation?

google search: tacacs+ authentication for debian

It looks like it can be done, but adding packages is not an option per your UI. Could you all add both RADIUS and TACACS and have them listed as a service on the service page?

To access any of my network devices and most all my vendor appliances we use ISE, either RADIUS or TACACS+, to manage the devices (CLI access and GUI access). This is an enterprise security tool. If you use it with AD you can monitor, log, and control access via enforcement of RBAC (role-based access control).
cisco.com: /c/en/us/support/docs/security/identity-services-engine/200891-Understanding-Admin-Access-and-RBAC-Poli.html

Here is a YT vid for RADIUS on a Linux box. TACACS is almost identical, just a different package.

/ watch?v=29xPmbTWKcc

The major open source RADIUS server is FreeRADIUS. You can install it on TrueNAS from a container: https://hub.docker.com/r/freeradius/freeradius-server.

The feature request is for TrueNAS admin logins to be authenticated against a RADIUS or TACACS+ server, not for running such a server on TrueNAS.

That is correct.

I'm asking for a TACACS and/or RADIUS client.

Ah, I see. In an enterprise situation TrueNAS is designed to be joined to Active Directory as the “enterprise authentication method” both for admins and users. There was already an idea raised around that AD authentication web GUI with feedback that it is a TrueNAS Enterprise licensed feature.

Yeah, but the ability to administer via TACACS and/or RADIUS is much more granular and looks to be an easy package install and editing of a config file.

Didn’t they remove tac_plus from Debian (12), as it was unmaintained?
Seems like there might be a tac_plus-ng, but no packages in Debian.

https://projects.pro-bono-publico.de/event-driven-servers/doc/tac_plus-ng.html

I don't need it to be a TACACS or RADIUS server. I just need it to be a client.

When talking TACACS+, I was just wondering what you would authenticate against?

Either a local account on the ISE server or an external identity store.

Above is the guide for external identity stores.

The Cisco ISE - That’s a serious $$$ solution. I know as I have used those.

Yeah, I have one appliance at home, but would like to at some point suggest TrueNAS if the opportunity comes up. Having the ability to use TACACS or RADIUS is a plus.