The state of TACACS+

Robert Drake rdrake at
Mon Dec 29 16:06:08 UTC 2014

On 12/29/2014 10:32 AM, Colton Conor wrote:
> My fear would be we would hire an outsourced tech. After a certain 
> amount of time we would have to let this part timer go, and would 
> disable his or her username and password in TACACS. However, if that 
> tech still knows the root password they could still remotely log in to 
> our network and cause havoc. The thought of having to change the root 
> password on hundreds of devices doesn't sound appealing either every 
> time an employee is let go. To make matters worse we are using an 
> outsourced firm for some network management, so the case of hiring and 
> firing is fairly consistent.
You can set up your AAA in most devices so TACACS+ is tried first and 
the local password is only usable if TACACS+ is unreachable.  In that 
case, even if you fire someone, you can just remove them from TACACS+ and 
they can't get in.

At that point you will want to do a global password change of the local 
password since it's compromised, but it's not an immediate concern.

You should also have access lists or firewall rules on all your devices 
which only allow login from specific locations.  If you fire someone 
then you remove their access to that location (their VPN credentials, 
username and password for UNIX login, etc), which also makes it harder 
for them to log back into your network even if they know the local 
device password.
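As an added illustration (not part of the original post or thread), here is how the two controls Robert describes look in Cisco IOS-style syntax: TACACS+ first with the local password only as a fallback when the servers do not respond, plus a login access list on the vty lines. The server address 192.0.2.10, the management subnet 192.0.2.0/24 and the shared-secret placeholder are assumed values for the example.

```cisco
! --- AAA: TACACS+ first, local only when the servers are unreachable ---
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ TACACS-SERVERS
 server name TAC1
!
! "group ... local" means the local username/enable secret is consulted
! only when no TACACS+ server answers, not when TACACS+ rejects the user.
aaa authentication login default group TACACS-SERVERS local
aaa authentication enable default group TACACS-SERVERS enable
aaa authorization exec default group TACACS-SERVERS local
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
!
! Weak ordering that defeats the point (local is tried before TACACS+),
! shown commented out for contrast:
! aaa authentication login default local group TACACS-SERVERS
!
! Fallback credentials, only reachable when TACACS+ is down
username admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
enable secret REPLACE-WITH-ENABLE-SECRET
!
! --- Restrict where logins may originate from ---
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny any log
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login authentication default
```

The `deny any log` entry makes attempts from outside the management subnet visible in syslog, which is useful for spotting a former user still trying the local password after their TACACS+ account is removed.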

More information about the NANOG mailing list