[c-nsp] TACACS "emergency" password management
Phil Mayers
p.mayers at imperial.ac.uk
Mon Nov 1 17:03:28 EDT 2010
On 11/01/2010 08:02 PM, Keegan Holley wrote:
> What do you mean by hierarchy? Most of the companies I've seen have a
> single level of access and just use tacacs as a way to grant or revoke
> access to everything at once. The biggest problem with local passwords
Interesting. I was under the impression that a common use-case for
TACACS was command authorization; letting "2nd line" engineers do things
like provision new gig ports, but needing a "3rd line" engineer to
change IP routing etc.
> is that they almost never change. So anyone that can convince someone
> to give them a password or has worked at the company in the past can
> login to equipment provided they can gain access to the correct resources.
Shrug. We change passwords & SNMP communities pretty frequently.
We certainly don't have hundreds of routers, and I'm not advocating this
method for huge networks or those with large teams / high turnover, but
it works well for us.
>
> Then there's policy enforcement. For example how do you prevent an
> engineer from accidentally deploying a router with "cisco" as the
> password or without any password at all. Or a password with too few
> characters... etc.
Templated configs.
It occurs to me that if one is archiving "fallback" passwords into some
kind of database, it should be pretty trivial to do an SHA of the
plaintext and compare that to the value on the router. Any differences
== bad. Obviously that would work just as well for "merely" local passwords.
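One way to run the check described above, as an added example that is not part of the post or any cisco-nsp tool: recompute each configured secret from the plaintext held in the fallback-password archive and compare it with the hash in the router's configuration. The example assumes the IOS "secret 5" format (md5-crypt, `$1$salt$hash`, which is MD5-based rather than SHA) and treats other hash types as unsupported; the `archive` dictionary shape, the account names and the sample config are all invented here.

```python
"""Audit a router config against an archive of fallback passwords.

Added example: for every "enable secret" / "username ... secret" line,
recompute the hash from the archived plaintext and compare. Cisco type 5
is md5-crypt ("$1$salt$hash"); types 8 and 9 (PBKDF2-SHA-256, scrypt) are
only reported as unsupported by this script.
"""
import hashlib
import hmac
import re

# md5-crypt's own base-64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Return the "$1$salt$hash" string md5-crypt produces (salt <= 8 chars)."""
    pw = password.encode()
    sl = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # md5-crypt interleaves the digest bytes before encoding
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt[:8], encoded)


def verify_type5(password, stored):
    """True if `stored` ("$1$salt$hash") was produced from `password`."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})", stored)
    if not m:
        return False
    return hmac.compare_digest(md5_crypt(password, m.group(1)), stored)


# matches "enable secret <type> <hash>" and "username <name> secret <type> <hash>"
SECRET_LINE = re.compile(
    r"^\s*(?:enable secret|username\s+(\S+)\s+secret)\s+(\d+)\s+(\S+)\s*$", re.M
)


def audit_config(config_text, archive):
    """Compare each secret line with the archived plaintext.

    `archive` maps "enable" or a username to the plaintext kept in the
    fallback-password store.  Returns [(account, status), ...].
    """
    findings = []
    for m in SECRET_LINE.finditer(config_text):
        account = m.group(1) or "enable"
        hash_type, stored = m.group(2), m.group(3)
        if account not in archive:
            findings.append((account, "not-in-archive"))
        elif hash_type != "5":
            findings.append((account, "unsupported-type-%s" % hash_type))
        elif verify_type5(archive[account], stored):
            findings.append((account, "ok"))
        else:
            findings.append((account, "MISMATCH"))
    return findings


# Constructed sample: the archive entries and the config are invented, and
# the type-5 hashes are generated here with md5_crypt so the sample is
# self-consistent.  On a real audit the text comes from "show running-config".
ARCHIVE = {"enable": "Fallb4ck-Enable", "rescue": "Fallb4ck-Rescue"}
SAMPLE_CONFIG = "\n".join([
    "hostname edge-router-1",
    "enable secret 5 " + md5_crypt(ARCHIVE["enable"], "k9Qz"),
    "username rescue secret 5 " + md5_crypt("stale-old-password", "Xb2m"),
    "username netops secret 8 $8$placeholder$placeholder",
    "!",
])


def sample_findings():
    return audit_config(SAMPLE_CONFIG, ARCHIVE)


if __name__ == "__main__":
    for account, status in sample_findings():
        print("%-8s %s" % (account, status))
```

The comparison is done on the recomputed hash with the router's own salt, so the archive never has to hold hashes at all, and a stale archive entry (the `rescue` account above) shows up as a MISMATCH rather than silently passing; any config line whose hash type the script does not implement is reported rather than skipped, so a router that has moved to type 8 or 9 secrets is not mistaken for a clean one.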