There are other, more user-friendly options that should satisfy your auditor. One possible option might be to require a login with a password and a physical security token using a RADIUS server. Yubico has some inexpensive ones.

WRT the "cisco" way, all the big companies I see use TACACS without enable so there must

On Tue, Jan 22, 2013 at 6:34 PM, Kriss (Nebonet.com) <[email protected]> wrote:
> This topic doesn't seem to come up at all. I started out in the ISP biz
> and moved over to information security for a company which was small enough
> that tiks still seemed to fit the bill.
>
> However, we are starting to get hit with PCI-DSS evaluations, risk
> assessments and gap analyses with an array of requirements -- most of which I
> have been able to meet easily, except one: security authentication on the
> router. Almost every third party wants to see me doing it the 'cisco' way,
> with primary remote logins being strictly unprivileged and forcing
> elevation to a privileged user after connection, i.e. enable.
>
> Now I can emulate this functionality by allowing only a stripped-down user
> remote access and setting up a loopback bridge interface with no ports,
> setting an IP address on that bridge and ssh'ing into itself from there, with
> the allowed IP address for the administrative full-access user being the
> router itself.
>
> Which in and of itself isn't too terrible, other than I prefer to work with
> firewall rules using Winbox. Has anyone else had experience with this and other
> PCI-DSS compliance rules and getting the tik to be compliant?
>
> - Kriss
>
> _______________________________________________
> Mikrotik mailing list
> [email protected]
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
> RouterOS
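The following RouterOS CLI sketch is an added example and is not part of the original thread or of anyone's posted configuration. It lays out the two-stage login Kriss describes (a stripped-down remote user, a ports-less bridge holding a local address, and a full-access user that is only accepted from that address, so the "enable" step is an ssh from the router to itself), and then the RADIUS-backed login the reply suggests as an alternative. Interface and user names, addresses, the shared secret, the password placeholders and the exact policy lists are all assumptions for illustration; adjust them to your own box.

```routeros
# Added example, not from the thread. Names, addresses, secrets and the
# exact policy sets below are assumptions; replace them before use.

# 1. A bridge with no member ports, used only to hold a management address
#    that nothing but the router itself can originate traffic from.
/interface bridge add name=mgmt-loop comment="no ports; local-only address used for privilege elevation"
/ip address add address=10.255.255.1/32 interface=mgmt-loop

# 2. A stripped-down group for first-stage (remote) logins: read-only and ssh,
#    with everything that could change state explicitly denied. Assumed list.
/user group add name=stage1 policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api

# 3. The unprivileged account that remote users log in with first.
/user add name=ops group=stage1 password=<stage1-password>

# 4. The full-access account. The address= restriction means the router only
#    accepts this login when the connection originates from the loopback
#    address, i.e. from the router itself, never directly from the network.
/user add name=ops-admin group=full address=10.255.255.1/32 password=<stage2-password>

# 5. Elevation, the RouterOS stand-in for "enable": from the ops prompt, ssh
#    from the router to its own loopback address as the privileged user.
/system ssh 10.255.255.1 user=ops-admin

# 6. Alternative from the reply: authenticate logins against a RADIUS server,
#    which can then require password plus hardware token and return the group.
#    Users the server does not place in a group fall into default-group.
/radius add service=login address=192.0.2.10 secret=<radius-shared-secret> timeout=3s
/user aaa set use-radius=yes default-group=read accounting=yes
```

Two points worth checking before relying on this on a production box: which policies the first-stage group actually needs in order to run /system ssh varies by RouterOS version, so confirm on your release that a stage1 user can still reach the second stage; and the address= restriction on the privileged account is exactly what Kriss runs into with Winbox, since a Winbox session from a workstation can never arrive from the loopback address and so can only ever use the unprivileged account.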

