[c-nsp] Offnet TACACS+

My List Account mylists at battleop.com
Thu Jan 23 17:05:19 EST 2014


I've looked over the archives and I think I know the answer to this, but I
wanted to see if my thoughts are correct.

 

I have some existing TACACS+ servers (one for the core network and one for
the CPE network) and I am at the point where the old password spreadsheet
for offnet equipment is becoming a hassle. If I start adding in offnet
devices that are coming across the internet into my CPE TACACS+, should I be
overly concerned about the security of TACACS+? I believe I've read that
the TACACS+ conversation is completely encrypted so I should not worry about
someone grabbing the key or username/password/enable. We already control
access with management ACLs and we only manage these devices via SSH so even
with knowledge it would be more difficult to gain access. If I'm using
keys like klHDFD)(G&S)D(F*)Sleoeijeproiwu4p3oi4530495dg0f9g8 should I be
worried about opening up the world to attacks against the TACACS+ server
itself?

 

I am making use of the AAA as we sometimes give new trainee and intern
admins some limited access to CPE equipment to help us with early
troubleshooting and to get them some experience in the CPE.

 

Richey