[c-nsp] TACACS "emergency" password management

David Rothera david.rothera at gmail.com
Mon Nov 1 13:46:53 EDT 2010


On Mon, Nov 1, 2010 at 5:38 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 01/11/10 16:35, Jeremy Bresley wrote:
>
>
>> In a properly designed network, the only times I've had to use the
>> locally configured username/password is when the links into the site are
>>
>
> Sure. But maybe the OP just prefers EEM, right?
>
> Having said that, I'm (genuinely) curious - where do you store the local
> admin password, and how often is it exercised? How do you ensure that
> everyone knows it, and there won't be a major delay while you have to dig it
> out of your password safe?
>
> One reason there's a degree of comfort with only using the local passwords
> at our place is that it means everyone knows (has to know) the "real" router
> password. There's no possibility of a:
>
> "darn, haven't used this in 6 months, can't remember it, oops the online
> password database is down, trudge down to physical storage, open it, oops
> someone forgot to update the bit of paper..."
>
> ...moment ;o)
>
> (Of course the major reason we don't use TACACS is absence of need due to
> absence of hierarchy, but I am curious how you deal with that)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

We use it simply because if one person leaves the organization it is as
simple as removing one user and then they no longer have access.

Sure we use failover local accounts but these can only be used if the TACACS
server is down (all three of them) and even then the local password is some
obscure string that is stored in our CI database (one of the few advantages
of working in an ITIL house :P)

-- 
David Rothera
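The fallback behaviour described above (local accounts usable only when every TACACS+ server is unreachable) is what a Cisco IOS AAA method list expresses. The following configuration is an added illustration, not from the original post; server addresses, key and username are placeholders.

```cisco
! Three TACACS+ servers, tried in order; IOS moves to the next method
! only when a server does not answer, not when it rejects the login.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.11
 key EXAMPLE-SHARED-SECRET
tacacs server TAC2
 address ipv4 192.0.2.12
 key EXAMPLE-SHARED-SECRET
tacacs server TAC3
 address ipv4 192.0.2.13
 key EXAMPLE-SHARED-SECRET
aaa group server tacacs+ TAC-GROUP
 server name TAC1
 server name TAC2
 server name TAC3
! "local" is reached only after all three servers time out, so a user
! removed on the TACACS+ server cannot fall through to the local account.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
! Break-glass account; the obscure secret lives in the CI/password store.
username breakglass privilege 15 secret EXAMPLE-BREAKGLASS-SECRET
line vty 0 4
 login authentication default
```

A test that stops the TACACS+ daemons (rather than just rejecting a login) is the way to confirm the break-glass path actually works before it is needed.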
