nanog mailing list archives
Re: The state of TACACS+
From: Robert Drake <rdrake () direcpath com>
Date: Mon, 29 Dec 2014 11:06:08 -0500
On 12/29/2014 10:32 AM, Colton Conor wrote:
> My fear would be we would hire an outsourced tech. After a certain amount of time we would have to let this part timer go, and would disable his or her username and password in TACACS. However, if that tech still knows the root password they could still remotely login to our network and cause havoc. The thought of having to change the root password on hundreds of devices doesn't sound appealing either every time an employee is let go. To make matters worse we are using an outsourced firm for some network management, so the case of hiring and firing is fairly consistent.

You can set up your aaa in most devices so tacacs+ is allowed first and the local password is only usable if tacacs+ is unreachable. In that case, even if you fire someone you can just remove them from tacacs and they can't get in.
At that point you will want to do a global password change of the local password since it's compromised, but it's not an immediate concern.
You should also have access lists or firewall rules on all your devices which only allow login from specific locations. If you fire someone then you remove their access to that location (their VPN credentials, username and password for UNIX login, etc), which also makes it harder for them to log back into your network even if they know the local device password.
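The two controls Robert describes, TACACS+ consulted before the local password and vty logins limited to known sources, can be checked mechanically. The script below is an added example and not from the thread; the command syntax is Cisco IOS-style and both sample configs are constructed.

```python
"""Audit an IOS-style config for the two controls the reply describes: TACACS+
consulted before the local password, and vty logins limited by an access-class.
Added example, not from the thread; syntax is Cisco IOS-style, samples constructed."""
import re

def vty_blocks(lines):
    """Yield (header, sub-commands) for every 'line vty' block; sub-commands are indented."""
    header, body = None, []
    for l in lines + ["end"]:                 # sentinel closes a trailing block
        if header and not l.startswith(" "):  # any top-level command ends the block
            yield header, body
            header, body = None, []
        if l.startswith("line vty"):
            header = l
        elif header:
            body.append(l.strip())

def audit_aaa(config):
    """Return findings; an empty list means both controls are in place."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    for l in (x for x in lines if x.startswith("aaa authentication login ")):
        # methods after 'aaa authentication login <list>', e.g. ['group tacacs+', 'local']
        methods = re.findall(r"group \S+|\S+", " ".join(l.split()[4:]))
        if "none" in methods:
            findings.append(f"{l!r}: 'none' admits anyone once earlier methods fail")
        if "group tacacs+" not in methods:
            findings.append(f"{l!r}: TACACS+ is not in the method list")
        elif "local" in methods and methods.index("local") < methods.index("group tacacs+"):
            findings.append(f"{l!r}: local password is tried before TACACS+")
    for header, body in vty_blocks(lines):
        if not any(cmd.startswith("access-class ") for cmd in body):
            findings.append(f"{header!r}: no access-class, logins accepted from any source")
    return findings

# Constructed sample: local password consulted first, vty open to any source.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local group tacacs+
line vty 0 4
 login authentication default
"""
# Constructed sample: TACACS+ first, local only as fallback, vty limited to the MGMT ACL.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 login authentication default
"""
```

Running `audit_aaa(WEAK_CONFIG)` reports the reversed method order and the unrestricted vty; `audit_aaa(HARDENED_CONFIG)` returns an empty list.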