[c-nsp] TACACS "emergency" password management

Keegan Holley keegan.holley at sungard.com
Mon Nov 1 17:20:54 EDT 2010


On Mon, Nov 1, 2010 at 3:55 PM, Lee <ler762 at gmail.com> wrote:

> On 11/1/10, Nick Hilliard <nick at foobar.org> wrote:
> ... snip...
> > If you're using authorization, you'll also need to create a DR procedural
> > note to permit authorization to be disabled if the tacacs server is
> > completely unavailable, and to document how to do this on whatever
> device.
> >  Otherwise you need to wait for a TCP timeout every time you issue a
> > command.  This can be teeth-gnashingly frustrating when dealing with
> > service outages (i.e. think: 02:00am, tired, service down, can't browse
> > internet to check the exact command, your manager shouting at you, and to
> > top it all off, each command takes 20 seconds to execute).
>
> At 2am all my managers are busy sleeping :)   But regardless, doesn't
> if-authenticated fix that horrible timeout wait? - ie:
> aaa authorization exec default group tacacs+ if-authenticated
>

Yeah, most people don't want to auth every single command.  I think that's
off by default by the way.  The above command sequence lets you into enable
mode if you were able to get into the router at all if I remember correctly.
 If you implement it correctly TACACS can be pretty resilient.  I've seen
gigantic companies auth several hundred devices with almost no downtime (for
TACACS anyway).  It's not like you're strapping the tacacs servers to the
outside of the building in the middle of a storm.  Most just make sure they
have more than one server and remember to do a hardware refresh before the
hard drive platters turn to dust.  But YMMV.
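For reference, here is a constructed Cisco IOS AAA fragment that puts the two points above side by side: the no-fallback form that stalls when the TACACS+ servers are unreachable, and the form with "local" and "if-authenticated" fallbacks plus a console method list that never touches the network. This is an added example, not configuration from anyone in this thread; the server addresses (RFC 5737 documentation range), the group name TAC-GROUP, the "emergency" username and the key/secret placeholders are all assumptions.

```cisco
! Constructed example (not from the thread): Cisco IOS AAA with TACACS+
! and a fallback path for when every server is unreachable.
aaa new-model
!
! Local "emergency" account. It is only consulted when the TACACS+ group
! returns an error, because "local" is listed after the group below.
username emergency privilege 15 secret EXAMPLE-CHANGE-ME
!
! Two servers (assumed addresses) in one group, 5 s timeout per server.
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
tacacs-server host 192.0.2.11 key EXAMPLE-KEY
tacacs-server timeout 5
aaa group server tacacs+ TAC-GROUP
 server 192.0.2.10
 server 192.0.2.11
!
! Weak form: no fallback. With both servers down, login fails outright and
! every authorized command waits for a timeout per server before failing.
!   aaa authentication login default group TAC-GROUP
!   aaa authorization exec default group TAC-GROUP
!   aaa authorization commands 15 default group TAC-GROUP
!
! Hardened form: fall back to the local user database for authentication,
! and let any successfully authenticated user through authorization.
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec default group TAC-GROUP if-authenticated
aaa authorization commands 15 default group TAC-GROUP if-authenticated
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Console gets its own local-only method lists, so a DR login from the
! serial port never waits on the network.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
```

Two caveats worth keeping in the DR note. First, "if-authenticated" (like "local") is only reached when the server group returns an error, i.e. after every server in the group has timed out; with two servers at 5 s each, a command still stalls about 10 s before the fallback fires, which is exactly the per-command wait described above. The procedural note should therefore also record the command that removes command authorization for the duration of the outage, for example "no aaa authorization commands 15 default", and say to put it back afterwards. Second, an explicit deny from a reachable server is a failure, not an error, so neither fallback method is consulted in that case; the fallback only covers the servers being unavailable.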

