[c-nsp] TACACS "emergency" password management

Andrew Koch andrew.koch at gawul.net
Tue Nov 2 06:08:33 EDT 2010


On Tue, Nov 2, 2010 at 03:35, Mark Tinka <mtinka at globaltransit.net> wrote:
> I've always wondered why (maybe it's supported and I just
> haven't figured out how) RANCID updates don't include the
> username of the person that made the changes which caused
> the updates in the first place in Cisco, like Juniper does.

I don't use RANCID, but I suspect that it is using SNMP WriteNet to
effect its changes.  This is an SNMP set command that contains the IP
address of a TFTP server and a string of the filename to import into
the running configuration.  As IOS has no user associated with the
SNMP daemon, when updates are made via this method, no username is
shown as the last change.  However, typically, the log will show an
SNMP WriteNet request was processed.

> I write/understand code for sh**, so I'm not sure whether
> this is a limitation in IOS(-**) or RANCID. But having this
> for Juniper helps a great deal, as it's much easier to tell
> who made the last change(s).

Yes, it would be nice to see who changed the configuration, but the
SNMP WriteNet doesn't have a user to go with.

Regards,
Andy Koch

