The state of TACACS+
raphael.timothy at gmail.com
Mon Dec 29 23:35:49 UTC 2014
Making the TACAC+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to failover to it's local account.
- this is based on the fact that said attacker has some sort of access
previously and wanted to elevate their privileges.
On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas <Michael.Douglas at ieee.org>
> If someone has physical access to a Cisco router they can initiate a
> password recovery; tacacs vs local account doesn't matter at that point.
> On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor <colton.conor at gmail.com>
> > Glad to know you can make local access only work if TACAS+ isn't
> > available. However, that still doesn't prevent the employee who know the
> > local username and password to unplug the device from the network, and
> > use the local password to get in. Still better than our current setup of
> > having one default username and password that everyone knows.
More information about the NANOG