[c-nsp] TACACS "emergency" password management
Phil Mayers
p.mayers at imperial.ac.uk
Mon Nov 1 13:54:49 EDT 2010
On 01/11/10 17:46, David Rothera wrote:
>
> We use it simply because if one person leaves the organization it is as
> simple as removing one user and then they no longer have access.

Sure. TACACS has a lot of plusses (pardon the pun) we just feel
relatively few of them are a big win for us e.g. we have a small team
with low rate of turnover so a leaving, which is very rare, just means a
password change, which is good practice to do often anyway.

I realise we're an outlier in this.

>
> Sure we use failover local accounts but these can only be used if the
> TACACS server is down (all three of them) and even then the local
> password is some obscure string that is stored in our CI database (one
> of the few advantages of working in an ITIL house :P)

...which is what I'm asking: how do you ensure you have fast, reliable
access to that database during a (sufficiently large, probably rare)
outage? How do you know you won't be blocking on availability of that
database?

I can think of a few obvious ways; I'm just wondering what people
actually *do* :o)