[c-nsp] TACACS "emergency" password management

Keegan Holley keegan.holley at sungard.com
Mon Nov 1 16:02:31 EDT 2010


On Mon, Nov 1, 2010 at 1:38 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 01/11/10 16:35, Jeremy Bresley wrote:
>
>
>> In a properly designed network, the only times I've had to use the
>> locally configured username/password is when the links into the site are
>>
>
> Sure. But maybe the OP just prefers EEM, right?
>

I'm glad this became a new thread.  We already established that the OP is
using RADIUS, so most of this is moot.

>
> Having said that, I'm (genuinely) curious - where do you store the local
> admin password, and how often is it exercised? How do you ensure that
> everyone knows it, and there won't be a major delay while you have to dig it
> out of your password safe?
>

There are a number of password databases.  In my experience most engineers
just had them written down somewhere though.  Especially if the management
network is a closed system and requires secure authentication (not that I'm
advocating this).  I've also seen the password database stored on a jump
host as an encrypted text file.  Still fallible, but if all the jumpservers
and all the TACACS servers are all down at the same time I'd probably be
more concerned with that than finding passwords.


>
> One reason there's a degree of comfort with only using the local passwords
> at our place is that it means everyone knows (has to know) the "real" router
> password. There's no possibility of a:
>
> "darn, haven't used this in 6 months, can't remember it, oops the online
> password database is down, trudge down to physical storage, open it, oops
> someone forgot to update the bit of paper..."
>

I think most large networks use some sort of centralized authentication
method, but I could be wrong.  Every company I've worked for in the last 10
years or so has used TACACS or RADIUS and sometimes both.  I cannot remember
auth being unavailable for more than a few minutes at any one company.  Even
if it had been, it would have taken an hour or so to restore from the
latest backup.  It's pretty cheap to scatter Intel boxes about for auth and
jump access depending on the size of your network.

>
> ...moment ;o)
>
> (Of course the major reason we don't use TACACS is absence of need due to
> absence of hierarchy, but I am curious how you deal with that)
>

What do you mean by hierarchy?  Most of the companies I've seen have a
single level of access and just use TACACS as a way to grant or revoke
access to everything at once.  The biggest problem with local passwords is
that they almost never change.  So anyone that can convince someone to give
them a password or has worked at the company in the past can log in to
equipment provided they can gain access to the correct resources.

Then there's policy enforcement.  For example, how do you prevent an engineer
from accidentally deploying a router with "cisco" as the password or without
any password at all?  Or a password with too few characters... etc.
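
The policy-enforcement question above can be checked before deployment by linting the device configuration. The following is an added example, not part of the original post: the minimum length, the deny-list (beyond "cisco") and the sample config are assumptions constructed for illustration.

```python
import re

MIN_LENGTH = 10                            # assumed policy minimum
DENY_LIST = {"cisco", "admin", "password"}  # assumed; "cisco" is the thread's example

NOPASS = re.compile(r"^username\s+(\S+)\s+(?:.*\s)?nopassword\b")
CRED = re.compile(
    r"^(?:username\s+(?P<user>\S+)\s+.*?|enable\s+)"
    r"(?P<kind>password|secret)(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$")

# Constructed sample config, not taken from any real device.
SAMPLE = """\
hostname lab-rtr1
enable password cisco
username ops privilege 15 secret 5 $1$CONSTRUCTED$notARealHashValue00
username temp password 0 abc123
username backup password 7 0000000000
username guest nopassword
"""

def audit(config):
    """Return (line_no, account, finding) tuples for local credentials."""
    findings, has_enable = [], False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = NOPASS.match(line)
        if m:
            findings.append((n, m.group(1), "no password"))
            continue
        m = CRED.match(line)
        if not m:
            continue
        who = m.group("user") or "enable"
        has_enable = has_enable or m.group("user") is None
        ptype, value = m.group("type"), m.group("value")
        if ptype == "7":                   # type 7 is reversible obfuscation
            findings.append((n, who, "type 7 (reversible)"))
        elif ptype in (None, "0"):         # cleartext in the config
            if value.lower() in DENY_LIST:
                findings.append((n, who, "default password"))
            elif len(value) < MIN_LENGTH:
                findings.append((n, who, "too short"))
        # Hashed secrets (other types) cannot be length-checked offline.
    if not has_enable:
        findings.append((0, "enable", "no enable password or secret"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a config template in a pre-deployment check, a non-empty result blocks the rollout; already-hashed secrets pass through because their length cannot be recovered from the hash.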

