[177117] in North American Network Operators' Group


Re: The state of TACACS+

daemon@ATHENA.MIT.EDU (Tim Raphael)
Mon Dec 29 18:35:57 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <CAOe-DYBfaa0VQirkvQEW1uL4S+ADze4aO9CFpUPhHANxaeLN=Q@mail.gmail.com>
Date: Tue, 30 Dec 2014 07:35:49 +0800
From: Tim Raphael <raphael.timothy@gmail.com>
To: Michael Douglas <Michael.Douglas@ieee.org>,
 "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Making the TACACS+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to failover to its local account.

- this is based on the fact that said attacker has some sort of access
previously and wanted to elevate their privileges.

On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas <Michael.Douglas@ieee.org>
wrote:

> If someone has physical access to a Cisco router they can initiate a
> password recovery; tacacs vs local account doesn't matter at that point.
>
> On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor <colton.conor@gmail.com>
> wrote:
>
> > Glad to know you can make local access only work if TACACS+ isn't
> > available. However, that still doesn't prevent the employee who knows the
> > local username and password to unplug the device from the network, and
> > then use the local password to get in. Still better than our current setup of
> > having one default username and password that everyone knows.
> >
> >
> >
>

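The sequence described above (TACACS+ server made unreachable, router falling back to a local account) leaves a trace in syslog that a defender can correlate. The following is an added example, not code from the thread or any vendor: it flags every local-method login and marks it as a likely forced fallback when the same device reported its TACACS+ server unreachable shortly before. The log lines and message formats are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. The message formats are assumed for this
# example (not taken from the thread or from any vendor documentation);
# adapt the regexes to the messages your routers actually emit.
SAMPLE_LOG = """\
2014-12-30T07:30:01 rtr1 %AAA-3-SERVER_UNREACHABLE: TACACS+ server 10.0.0.10 not responding
2014-12-30T07:30:40 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.1.5] [method: local]
2014-12-30T09:15:12 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.1.9] [method: tacacs+]
2014-12-30T11:02:00 rtr2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.1.5] [method: local]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
UNREACH_RE = re.compile(r"TACACS\+ server (?P<server>\S+) not responding")
LOGIN_RE = re.compile(
    r"\[user: (?P<user>[^\]]+)\].*\[Source: (?P<src>[^\]]+)\].*\[method: (?P<method>[^\]]+)\]"
)


def find_fallback_logins(log_text, window=timedelta(minutes=10)):
    """Return one alert per local-method login. The alert kind is
    'forced-fallback' when the same device reported its TACACS+ server
    unreachable within `window` beforehand, otherwise 'local-login'
    (still worth review, since local accounts should be a last resort)."""
    last_unreach = {}  # host -> timestamp of most recent unreachable event
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        host, msg = m["host"], m["msg"]
        if UNREACH_RE.search(msg):
            last_unreach[host] = ts
            continue
        lm = LOGIN_RE.search(msg)
        if lm and lm["method"].lower() == "local":
            prior = last_unreach.get(host)
            kind = "forced-fallback" if prior and ts - prior <= window else "local-login"
            alerts.append({"host": host, "user": lm["user"], "src": lm["src"],
                           "time": ts.isoformat(), "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in find_fallback_logins(SAMPLE_LOG):
        print(alert)
```

Feeding the constructed sample through the function yields two alerts: the rtr1 login 39 seconds after the unreachable event is marked forced-fallback, and the rtr2 local login with no preceding outage is marked local-login.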