[c-nsp] TACACS "emergency" password management

Nick Hilliard nick at foobar.org
Mon Nov 1 15:09:54 EDT 2010


On 01/11/2010 18:43, David Rothera wrote:
> You could configure an ACL to block access to the TACACS server on an
> upstream device and then test?

typically you will need to test two scenarios: 1. the tacacs daemon being
down, resulting in TCP RSTs being sent to the router/switch, and 2. the
tacacs server being completely unavailable (sending nothing in return).

Adding in "local" (or "line" on IOX) as an aaa authentication method will
usually deal with this.

If you're using authorization, you'll also need to create a DR procedural
note to permit authorization to be disabled if the tacacs server is
completely unavailable, and to document how to do this on whatever device.
Otherwise you need to wait for a TCP timeout every time you issue a
command.  This can be teeth-gnashingly frustrating when dealing with
service outages (i.e. think: 02:00am, tired, service down, can't browse
internet to check the exact command, your manager shouting at you, and to
top it all off, each command takes 20 seconds to execute).

Nick
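The fallback Nick describes, written out as an added example configuration; this is not from the original thread or from any particular device, uses classic IOS syntax (the "line" method for XR is not shown), and the server address, key, secret and username are placeholders:

```cisco
! Added example, not from the thread. 192.0.2.10, PLACEHOLDER_KEY and
! PLACEHOLDER_SECRET are placeholders; replace before use.
aaa new-model
tacacs-server host 192.0.2.10
! Keep the per-server timeout short so an unreachable daemon (scenario 2,
! silence rather than a RST) is detected quickly.
tacacs-server timeout 3
tacacs-server key PLACEHOLDER_KEY
!
! Authentication: try TACACS+ first; only if every server in the group is
! unreachable (RST or no answer) does IOS move on to the local database.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization gets the same fallback, otherwise every command waits for
! the TACACS+ timeout while the daemon is down.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! The local account the fallback relies on must exist before the outage.
username emergency privilege 15 secret PLACEHOLDER_SECRET
!
! DR procedure (applied by an operator only during an outage, then reverted):
! aaa authorization commands 15 default none
! aaa authorization exec default none
```

Two points worth checking when testing this: the jump to `local` happens only when the server group returns an error (unreachable), not when the server answers with a deny, so a wrong password still fails closed; and `local` for command authorization simply permits commands at the user's configured privilege level, which is why the local account carries `privilege 15`. Test both scenarios from the thread separately, since a RST is detected immediately while a blackholed server costs the full timeout per attempt.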

