nanog mailing list archives

Re: The state of TACACS+

From: Tim Raphael <raphael.timothy () gmail com>
Date: Tue, 30 Dec 2014 07:35:49 +0800

Making the TACAC+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to failover to it's local account.

- this is based on the fact that said attacker has some sort of access
previously and wanted to elevate their privileges.

On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas <Michael.Douglas () ieee org>
wrote:

If someone has physical access to a Cisco router they can initiate a
password recovery; tacacs vs local account doesn't matter at that point.

On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor <colton.conor () gmail com>
wrote:

Glad to know you can make local access only work if TACAS+ isn't
available. However, that still doesn't prevent the employee who know the
local username and password to unplug the device from the network, and

the

use the local password to get in. Still better than our current setup of
having one default username and password that everyone knows.

Current thread:

Re: The state of TACACS+, (continued)
- - Re: The state of TACACS+ Scott Helms (Dec 29)
    - Re: The state of TACACS+ Colton Conor (Dec 29)
    - Re: The state of TACACS+ joseph . snyder (Dec 29)
    - Re: The state of TACACS+ Jared Mauch (Dec 29)
    - Re: The state of TACACS+ Scott Helms (Dec 29)
    - Re: The state of TACACS+ Robert Drake (Dec 29)
    - Re: The state of TACACS+ Berry Mobley (Dec 29)
    - Re: The state of TACACS+ Michael Douglas (Dec 29)
    - Re: The state of TACACS+ Colton Conor (Dec 29)
    - Re: The state of TACACS+ Michael Douglas (Dec 29)
    - Re: The state of TACACS+ Tim Raphael (Dec 29)
- RE: The state of TACACS+ emille (Dec 29)
- Re: The state of TACACS+ Clay Curtis (Dec 31)