[5581] in bugtraq
Re: Cisco IOS password encryption facts
daemon@ATHENA.MIT.EDU (J. Sean Connell)
Wed Nov 12 21:43:44 1997
Date: Wed, 12 Nov 1997 14:13:49 +1300
Reply-To: "J. Sean Connell" <ankh@canuck.gen.nz>
From: "J. Sean Connell" <ankh@CANUCK.GEN.NZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199711111037.EAA12696@primus.paranoia.com>

On Tue, 11 Nov 1997, ice9 wrote:
> This is why, if you are worried about security, perhaps TACACS+ would be
> a good option. Even if the router can't reach the TACACS server, with
> proper configuration, you will still need the enable passwd just to enter
> maintenance mode...

Not necessarily. If you use TACACS+ for AAA and enable AAA accounting,
you will (at least in my humble experience) be unable to get in - the Cisco
must send an accounting record to the TACACS+ server, but it can't reach
the TACACS+ server, so it refuses to let you in. (If anyone knows how to
get around this without turning off AAA accounting, *please* let me know! =)

(Also note that I may have any and/or all of the above wrong - it's been so
long that I can't quite remember all the exact details...)

--
J. S. Connell      | Systems Administrator, ICONZ. Any opinions stated above
ankh@canuck.gen.nz | are not my employers', not my boyfriends', my God's, my
ankh@iconz.co.nz   | friends', and probably not even my own.
-------------------+---------------------------------------------------------
PGP key at http://www.canuck.gen.nz/~ankh/pgpkey.html