The state of TACACS+

Berry Mobley berry at
Mon Dec 29 16:19:18 UTC 2014

At 11:06 AM 12/29/2014, you wrote:

>On 12/29/2014 10:32 AM, Colton Conor wrote:
>>My fear would be we would hire an outsourced tech. After a certain 
>>amount of time we would have to let this part timer go, and would 
>>disabled his or her username and password in TACAS. However, if 
>>that tech still knows the root password they could still remotely 
>>login to our network and cause havoc. The thought of having to 
>>change the root password on hundreds of devices doesn't sound 
>>appealing either every time an employee is let go. To make matters 
>>worse we are using an outsourced firm for some network management, 
>>so the case of hiring and firing is fairly consistent.
>You can setup your aaa in most devices so tacacs+ is allowed first 
>and the local password is only usable if tacacs+ is unreachable.  In 
>that case, even if you fire someone you can just remove them from 
>tacacs and they can't get in.
>At that point you will want to do a global password change of the 
>local password since it's compromised, but it's not an immediate concern.
>You should also have access lists or firewall rules on all your 
>devices which only allow login from specific locations.  If you fire 
>someone then you remove their access to that location (their VPN 
>credentials, username and password for UNIX login, etc), which also 
>makes it harder for them to log back into your network even if they 
>know the local device password.

Umm...what do you guys do when the network is down?

All of our engineers know the 'default' username/pw - but it is not 
usable unless the AAA server is unreachable. I don't know of a way we 
could do circuit troubleshooting with that password locked up in a 
safe somewhere. Yes, it's a pain to change when people leave - but it 
would be a much larger pain to do deployments without it, I think.


More information about the NANOG mailing list