[c-nsp] TACACS "emergency" password management

Saxon Jones saxon.jones at gmail.com
Mon Nov 1 14:31:46 EDT 2010


Using offline files and folders on our laptops (generally just for the
keepass and a few other folders, because it's annoying). On our
Blackberries and iPhones it gives the option to re-fetch or use the
previous copy, which is often recent enough that I'm not too
concerned. Having our passwords distributed/cached so widely means we
have a lot of work to do when someone leaves, which is about a yearly
event.

We use randomly generated passwords that are unique for every device
in our environment, so could be a PITA when we have to change
passwords but I've got that process scripted so it's only half bad.
It's the testing that's time consuming, though maybe there's a way to
test that the enable secret works when TACACS+ is still available, I
just haven't cared enough to look into it (taking TACACS+ down and
doing it manually is not a big deal in our shop).

-saxon

On 1 November 2010 11:59, David Rothera <david.rothera at gmail.com> wrote:
> On Mon, Nov 1, 2010 at 5:54 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> ...which is what I'm asking: how do you ensure you have fast, reliable
>> access to that database during a (sufficiently large, probably rare) outage?
>> How do you know you won't be blocking on availability of that database?
>>
>> I can think of a few obvious ways; I'm just wondering what people actually
>> *do* :o)
>>
>
> Very good point and it's one that I don't really have an answer to, we have
> never had an outage internally so large that we lost access to the CI
> database, they are backed up elsewhere as well but I've never had to access
> that system :-/
>
> *Goes to check DR plan* :P
>
> --
> David Rothera
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



More information about the cisco-nsp mailing list