[c-nsp] TACACS/ACS on the internet

James Bensley jwbensley at gmail.com
Tue Aug 25 03:38:23 EDT 2015


On 24 August 2015 at 10:30, Nick Cutting <ncutting at edgetg.co.uk> wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds (thousands?) of client devices that need to authenticate back to these appliances.

...

> Rather than maintain some monster ACL for all the client Public addresses that would need to be updated almost daily - how dangerous is it to just allow UDP port 49 to this device from any source?



That sounds like a disaster waiting to happen.

My general two pence on this;

Firstly, TACACS (ACS) is full of exploits that can be executed
remotely over the web so this box could get rooted and then from there
an attacker could create a new "fully privileged" account and jump on
to the rest of your network.

Secondly, without trying to sound like a massive twat, those ACL
updates could be easily automated without too much headache. I would
recommend this for all operations throughout the network anyway, so if
you've not got a system like that in place then this could be your
driving force to get that ball rolling.

Thirdly, I can appreciate why you would want it on a public IP but
only if that public IP lived "inside" the network, not accessible from
the Internet, but again, I can't see how pushing out new RTs to
customer VRFs should be too difficult, or add the required IP to a BGP
prefix-list so from now on it gets included in advertisements (and
whatever changes are needed to push out a new management route) -
this shouldn't be much of a struggle for a network operator (in my
opinion).

Sorry if that seems a bit ranty but I really don't think it's a good idea.

Cheers,
James.
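
One way the ACL automation suggested in the reply above could look, as an added example that is not part of the original thread: it renders an IOS-style extended ACL from a client inventory and lists what changed against the deployed copy. The function names, the ACL name and the /16 breadth limit are hypothetical, the addresses are constructed documentation ranges, and the protocol is a parameter (the thread mentions UDP port 49; TACACS+ itself runs over TCP 49).

```python
import ipaddress

def build_acl(clients, server, name="TACACS-CLIENTS", proto="tcp",
              port=49, min_prefixlen=16):
    """Render an IOS-style extended ACL permitting only inventory sources."""
    server = ipaddress.IPv4Address(server)  # reject a malformed server IP
    nets = []
    for c in clients:
        # Strict parsing: a prefix with host bits set raises ValueError
        # instead of silently widening to the enclosing network.
        net = ipaddress.IPv4Network(c)
        if net.prefixlen < min_prefixlen:
            raise ValueError(f"{c}: broader than /{min_prefixlen}, refusing")
        nets.append(net)
    lines = [f"ip access-list extended {name}"]
    # collapse_addresses drops duplicates and merges adjacent prefixes.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f" permit {proto} {src} host {server} eq {port}")
    # Explicit logged deny so attempts from unknown sources are visible.
    lines.append(f" deny {proto} any host {server} eq {port} log")
    return lines

def diff_entries(deployed, desired):
    """Entries to add and to remove, for review before a change is pushed."""
    add = [l for l in desired if l not in deployed]
    remove = [l for l in deployed if l not in desired]
    return add, remove

if __name__ == "__main__":
    # Constructed inventory (RFC 5737 documentation addresses).
    inventory = ["192.0.2.10", "192.0.2.11", "198.51.100.0/25",
                 "198.51.100.128/25", "192.0.2.10"]
    desired = build_acl(inventory, "203.0.113.5")
    deployed = build_acl(["192.0.2.10"], "203.0.113.5")
    print("\n".join(desired))
    add, remove = diff_entries(deployed, desired)
    print("add:", add)
    print("remove:", remove)
```
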

