The state of TACACS+

Tim Raphael raphael.timothy at
Mon Dec 29 23:35:49 UTC 2014

Making the TACAC+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to failover to it's local account.

- this is based on the fact that said attacker has some sort of access
previously and wanted to elevate their privileges.

On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas <Michael.Douglas at>

> If someone has physical access to a Cisco router they can initiate a
> password recovery; tacacs vs local account doesn't matter at that point.
> On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor <colton.conor at>
> wrote:
> > Glad to know you can make local access only work if TACAS+ isn't
> > available. However, that still doesn't prevent the employee who know the
> > local username and password to unplug the device from the network, and
> the
> > use the local password to get in. Still better than our current setup of
> > having one default username and password that everyone knows.
> >
> >
> >

More information about the NANOG mailing list