[c-nsp] TACACS "emergency" password management

Lee ler762 at gmail.com
Mon Nov 1 15:55:42 EDT 2010


On 11/1/10, Nick Hilliard <nick at foobar.org> wrote:
... snip...
> If you're using authorization, you'll also need to create a DR procedural
> note to permit authorization to be disabled if the tacacs server is
> completely unavailable, and to document how to do this on whatever device.
>  Otherwise you need to wait for a TCP timeout every time you issue a
> command.  This can be teeth-gnashingly frustrating when dealing with
> service outages (i.e. think: 02:00am, tired, service down, can't browse
> internet to check the exact command, your manager shouting at you, and to
> top it all off, each command takes 20 seconds to execute).

At 2am all my managers are busy sleeping :)   But regardless, doesn't
if-authenticated fix that horrible timeout wait? - i.e.:
aaa authorization exec default group tacacs+ if-authenticated

Lee
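
An added example, not part of either poster's message: a small Python check that lists every `aaa authorization` method list in a saved config and flags the ones that name only a server group, with no `if-authenticated`, `local` or `none` after it. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# Methods that can follow a server group in an authorization method list.
FALLBACKS = {"if-authenticated", "local", "none"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
aaa authorization commands 1 default group tacacs+ local
aaa authorization network VPN group radius none
"""

# aaa authorization <type> [<level>] <list-name> <method> [<method> ...]
LINE_RE = re.compile(r"^\s*aaa authorization (\S+)(?: (\d+))? (\S+) (.+?)\s*$")


def parse_methods(text):
    """Split a method string, keeping 'group <name>' together as one method."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config):
    """Return one finding per authorization method list found in the config."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, level, name, rest = m.groups()
        methods = parse_methods(rest)
        uses_server = any(x.startswith("group ") for x in methods)
        has_fallback = any(x in FALLBACKS for x in methods)
        # A list with only server groups has no later method to fall back on
        # when those servers do not answer.
        findings.append({"type": kind if level is None else f"{kind} {level}",
                         "list": name, "methods": methods,
                         "server_only": uses_server and not has_fallback})
    return findings
```

Calling `audit()` on the text of a saved running-config returns the method lists to review before an outage; it reports which lists have a fallback and makes no claim about how long a device waits before using it.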

