Making the TACACS+ server unavailable is fairly easy - a small LAN-based DDoS would do it, or a firewall rule change somewhere in the middle. Either would cause the router to fail over to its local account.
- this is based on the fact that said attacker has some sort of access previously and wanted to elevate their privileges.

On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas <michael.doug...@ieee.org> wrote:
> If someone has physical access to a Cisco router they can initiate a
> password recovery; tacacs vs local account doesn't matter at that point.
>
> On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor <colton.co...@gmail.com>
> wrote:
>
> > Glad to know you can make local access only work if TACACS+ isn't
> > available. However, that still doesn't prevent the employee who knows the
> > local username and password from unplugging the device from the network, and
> > then using the local password to get in. Still better than our current setup of
> > having one default username and password that everyone knows.
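The thread's point is that a TACACS+ fallback method list means any period where the server is unreachable turns into a window where the shared local account works, so local-account logins are worth correlating with server state. The script below is an added detection example, not code from this thread or from any vendor; its syslog line format and sample events are constructed for illustration and are not real IOS message formats.

```python
import re

# Constructed sample log (illustrative format, not real IOS syslog): TACACS+
# server state changes interleaved with login events that record the method
# that actually authenticated the user.
SAMPLE_LOG = """\
2014-12-30T02:38:00 rtr1 aaa: tacacs+ server 10.0.0.5 state=up
2014-12-30T02:40:12 rtr1 login: user=ops method=tacacs+ src=10.0.0.77 result=success
2014-12-30T02:41:03 rtr1 aaa: tacacs+ server 10.0.0.5 state=down
2014-12-30T02:41:30 rtr1 login: user=admin method=local src=10.0.0.77 result=success
2014-12-30T02:50:00 rtr1 aaa: tacacs+ server 10.0.0.5 state=up
2014-12-30T02:55:10 rtr1 login: user=admin method=local src=10.0.0.77 result=success
"""

STATE_RE = re.compile(r"^(\S+) (\S+) aaa: tacacs\+ server (\S+) state=(up|down)$")
LOGIN_RE = re.compile(r"^(\S+) (\S+) login: user=(\S+) method=(\S+) src=(\S+) result=(\S+)$")


def find_local_fallback_logins(log_text):
    """Return an alert for every successful login that used the local account.

    reason == "fallback":   the device's TACACS+ server was down at the time, which
                            the method list permits, but each such login deserves review
                            (was the outage real, or induced to reach the local account?).
    reason == "unexpected": local auth succeeded while the server was last reported up,
                            which a tacacs+-then-local method list should not allow.
    """
    server_up = {}  # device -> bool; devices with no state message yet are assumed up
    alerts = []
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            _ts, device, _server, state = m.groups()
            server_up[device] = state == "up"
            continue
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts, device, user, method, src, result = m.groups()
        if method != "local" or result != "success":
            continue
        reason = "fallback" if not server_up.get(device, True) else "unexpected"
        alerts.append({"time": ts, "device": device, "user": user, "src": src, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_local_fallback_logins(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields one "fallback" alert during the outage and one "unexpected" alert after the server came back, the second being the stronger signal that something is wrong with the method list or the server path.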