On 12/29/2014 10:32 AM, Colton Conor wrote:
My fear would be we would hire an outsourced tech. After a certain
amount of time we would have to let this part timer go, and would
disabled his or her username and password in TACAS. However, if that
tech still knows the root password they could still remotely login to
our network and cause havoc. The thought of having to change the root
password on hundreds of devices doesn't sound appealing either every
time an employee is let go. To make matters worse we are using an
outsourced firm for some network management, so the case of hiring and
firing is fairly consistent.
You can setup your aaa in most devices so tacacs+ is allowed first and
the local password is only usable if tacacs+ is unreachable. In that
case, even if you fire someone you can just remove them from tacacs and
they can't get in.
At that point you will want to do a global password change of the local
password since it's compromised, but it's not an immediate concern.
You should also have access lists or firewall rules on all your devices
which only allow login from specific locations. If you fire someone
then you remove their access to that location (their VPN credentials,
username and password for UNIX login, etc), which also makes it harder
for them to log back into your network even if they know the local
device password.
