[177100] in North American Network Operators' Group


Re: The state of TACACS+

daemon@ATHENA.MIT.EDU (Berry Mobley)
Mon Dec 29 11:21:32 2014

X-Original-To: nanog@nanog.org
Date: Mon, 29 Dec 2014 11:19:18 -0500
To: nanog@nanog.org
From: Berry Mobley <berry@gadsdenst.org>
In-Reply-To: <54A17BF0.6070508@direcpath.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

At 11:06 AM 12/29/2014, you wrote:

>On 12/29/2014 10:32 AM, Colton Conor wrote:
>>My fear would be we would hire an outsourced tech. After a certain 
>>amount of time we would have to let this part timer go, and would 
>>disable his or her username and password in TACACS. However, if 
>>that tech still knows the root password they could still remotely 
>>login to our network and cause havoc. The thought of having to 
>>change the root password on hundreds of devices doesn't sound 
>>appealing either every time an employee is let go. To make matters 
>>worse we are using an outsourced firm for some network management, 
>>so the case of hiring and firing is fairly consistent.
>You can set up your aaa in most devices so tacacs+ is allowed first 
>and the local password is only usable if tacacs+ is unreachable.  In 
>that case, even if you fire someone you can just remove them from 
>tacacs and they can't get in.
>
>At that point you will want to do a global password change of the 
>local password since it's compromised, but it's not an immediate concern.
>
>You should also have access lists or firewall rules on all your 
>devices which only allow login from specific locations.  If you fire 
>someone then you remove their access to that location (their VPN 
>credentials, username and password for UNIX login, etc), which also 
>makes it harder for them to log back into your network even if they 
>know the local device password.

Umm...what do you guys do when the network is down?

All of our engineers know the 'default' username/pw - but it is not 
usable unless the AAA server is unreachable. I don't know of a way we 
could do circuit troubleshooting with that password locked up in a 
safe somewhere. Yes, it's a pain to change when people leave - but it 
would be a much larger pain to do deployments without it, I think.

Berry 
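The setup described in the quoted reply (TACACS+ first, local account only when the servers are unreachable, plus source restrictions on the VTY lines), written out as an added Cisco IOS-style example; it is not configuration from anyone in the thread, and the server names, addresses, ACL range and account name are assumed placeholders.

```text
! Assumed example, not from the thread: AAA with TACACS+ as the first
! method and the local account usable only when every server is unreachable.
aaa new-model
!
! Server addresses and shared keys are placeholders.
tacacs server TAC1
 address ipv4 192.0.2.10
 key <PLACEHOLDER-KEY>
tacacs server TAC2
 address ipv4 192.0.2.11
 key <PLACEHOLDER-KEY>
aaa group server tacacs+ TACSERVERS
 server name TAC1
 server name TAC2
!
! Method lists are tried in order. "local" is reached only if the whole
! group times out; an explicit TACACS+ reject ends the attempt, so a user
! removed from TACACS+ cannot fall through to the local password.
aaa authentication login default group TACSERVERS local
aaa authorization exec default group TACSERVERS local
aaa accounting exec default start-stop group TACSERVERS
aaa accounting commands 15 default start-stop group TACSERVERS
!
! The shared emergency account the engineers know: hashed secret, not
! a cleartext "password". Rotate it after a departure, as the reply notes.
username breakglass privilege 15 secret <PLACEHOLDER-SECRET>
!
! Only management sources may reach the VTYs. Revoking a departed
! person's VPN or jump-host access also removes their path to this range.
ip access-list standard MGMT-SOURCES
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-SOURCES in
 transport input ssh
 login authentication default
 authorization exec default
 accounting exec default
```

The accounting lines are what makes any use of the break-glass account (and any command run with it) show up on the TACACS+ server once it is reachable again, which is the signal to trigger the password rotation.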

