Re: Cisco, haven't we learned anything? (technician reset)

[John Kinsella <jlk () thrashyour com>]

I've been pretty happy with Cisco ACS - fairly solid, good reporting,
once set up it seems to Just Work.

John

On Thu, Jan 12, 2006 at 11:00:10AM -0800, Bill Nash wrote:
> Just as an offshoot discussion, what's the state-of-the-art for AAA 
> services? We use an modified tacacs server for multi-factor 
> authentication, and are moving towards a model that supports 
> single-use/rapid expiration passwords, with strict control over when and 
> how local/emergency authentication can be used.
>
> I'd be interested in that discussion, on or offlist.
>
> - billn
>
> On Thu, 12 Jan 2006, Rob Thomas wrote:
>
> > Hi, NANOGers.
> >
> > ] On the other hand, the most common practice to hack routers today, is
> > ] still to try and access the devices with the notoriously famous default
> > ] login/password for Cisco devices: cisco/cisco.
> >
> > This is NOT a default password in the IOS.  The use of "cisco" as
> > the access and enable passwords is a common practice by users, but
> > it isn't bundled in the IOS.  I've heard it began in training
> > classes, where students were taught to use "cisco" as the
> > passwords.
> >
> > Oh, and for those of you who think it mad leet to use "c1sc0" as
> > your access and enable passwords, the miscreants are on to that as
> > well.  ;)
> >
> > We've seen large, massively peered and backbone routers owned
> > through this same technique.  We've even seen folks who have
> > switched to Juniper, yet continue to use "cisco" as the login and
> > password.  :(
> >
> > The nice thing about cooking up blame is that there is always
> > enough to serve everyone.
> >
> > Thanks,
> > Rob.
> > -- 
> > Rob Thomas
> > Team Cymru
> > http://www.cymru.com/
> > ASSERT(coffee != empty);