We are able to implement TACACS+. It is my understanding this is a fairly old
protocol, so are you saying there are numerous bugs that still need to be
fixed?
A question I have is TACACS+ is usually hosted on a server, and networking
devices are configured to reach out to the server for
Colton,
Yes, that's the 'normal' way of setting it up. Basically you still have to
configure a root user, but that user name and password is kept locked up
and only accessed in case of catastrophic failure of the remote
authentication system. An important note is to make sure that the fail
safe
Scott,
Thanks for the response. How do you make sure the failsafe and/or root
password that is stored in the device in case remote auth fails can't be
accessed without having several employees engaged? Are there any mechanisms
for doing so?
My fear would be we would hire an outsourced tech. After
Change the root when any senior person leaves. It shouldn't be known to a
large set of staff members. During the bubble burst RIFs we were changing them
on 40k+ devices every week. Make sure you verify the pass before disconnecting
the login acct making the change. Also make sure you
On Mon, Dec 29, 2014 at 09:32:51AM -0600, Colton Conor wrote:
Scott,
Thanks for the response. How do you make sure the failsafe and/or root
password that is stored in the device in case remote auth fails can't be
accessed without having several employees engaged? Are there any mechanisms
for
Colton,
The best thing is to create the password with a random generator so it's
impossible for most people to memorize in a short amount of time. It
should be ~14 characters long with mixed cases, numbers, and special
characters. That password should be tested once and then put in an
envelope
On 12/29/2014 10:32 AM, Colton Conor wrote:
My fear would be we would hire an outsourced tech. After a certain
amount of time we would have to let this part timer go, and would
disable his or her username and password in TACACS. However, if that
tech still knows the root password they could
At 11:06 AM 12/29/2014, you wrote:
On 12/29/2014 10:32 AM, Colton Conor wrote:
My fear would be we would hire an outsourced tech. After a certain
amount of time we would have to let this part timer go, and would
disable his or her username and password in TACACS. However, if
that tech still
On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said:
Here is a small excerpt I am seeing.
06:04:04.760869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
06:04:04.761950 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff,
On 12/28/2014 10:21 PM, Christopher Morrow wrote:
and I wonder what percentage of 'users' a vendor has actually USE tac+
(or even radius). I bet it's shockingly low...
true.. even in large-ish environments centralized authentication
presents problems and can have a limited merit. Up to some
This is normal for a cable modem network. These are broadcast packets so
they get delivered to everybody on that node.
ARP uses layer-2 broadcast to ask for the owner of a given IP to respond
with its MAC so that subsequent communication with that IP can be addressed
directly.
In the Cisco world the AAA config is typically set up to try tacacs first,
and local accounts second. The local account is only usable if tacacs is
unavailable. Knowledge of the local username/password does not equate to
full time access with that credential. Also, you would usually filter the
On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu
wrote:
On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said:
Here is a small excerpt I am seeing.
06:04:04.760869 In 00:21:a0:fb:53:d9 ff:ff:ff:ff:ff:ff, ethertype
ARP (0x0806), length 60: arp who-has
- Original Message -
From: Rampley Jr, Jim F jim.ramp...@charter.com
On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu
valdis.kletni...@vt.edu
wrote:
On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said:
Here is a small excerpt I am seeing.
06:04:04.760869 In
Glad to know you can make local access only work if TACACS+ isn't available.
However, that still doesn't prevent the employee who knows the local
username and password from unplugging the device from the network, and then using
the local password to get in. Still better than our current setup of having
one
On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote:
Valdis, you are correct. What you're seeing is caused by multiple IP
blocks being assigned to the same CMTS interface.
Am I incorrect, though, in believing that ARP packets should only be visible
within a broadcast domain,
- Original Message -
From: Brett Frankenberger r...@rbfnet.com
On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote:
Valdis, you are correct. What you're seeing is caused by multiple IP
blocks being assigned to the same CMTS interface.
Am I incorrect, though, in
On Mon, Dec 29, 2014 at 11:12:34AM -0600, Rampley Jr, Jim F wrote:
On 12/29/14, 10:49 AM, valdis.kletni...@vt.edu valdis.kletni...@vt.edu
wrote:
On Mon, 29 Dec 2014 03:44:48 +, Stephen R. Carter said:
Here is a small excerpt I am seeing.
06:04:04.760869 In 00:21:a0:fb:53:d9
On 12/29/14, 12:51 PM, Jay Ashworth wrote:
Ok. But the interface to which the cablemodem is attached, in the general
single-DHCP-IP case, is a /24, is it not?
I'm on TWC. The IP address I get from them is on a /20.
104.230.32.0/20 dev eth7 proto kernel scope link src 104.230.32.x
The
On Dec 29, 2014, at 11:51 AM, Jay Ashworth j...@baylink.com wrote:
Ok. But the interface to which the cablemodem is attached, in the general
single-DHCP-IP case, is a /24, is it not?
No, I've seen multiple IPv4 /21s assigned to a single customer interface on a
CMTS. The newer CMTS are
The CM is just a bridge for that traffic. It has a management IP assigned to
it by the provider but that's a different network so to speak.
Phil
-Original Message-
From: Jay Ashworth j...@baylink.com
Sent: 12/29/2014 12:52 PM
To: NANOG nanog@nanog.org
Subject: Re: Charter ARP Leak
If someone has physical access to a Cisco router they can initiate a
password recovery; tacacs vs local account doesn't matter at that point.
On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor colton.co...@gmail.com
wrote:
Glad to know you can make local access only work if TACACS+ isn't
available.
- Original Message -
From: David Coulson da...@davidcoulson.net
We all know it's easier to add another secondary IP to the interface
and add a new DHCP scope than to try to expand a subnet.
From an intermediate routing standpoint, though, it would be easier to
add an *adjacent*
Well, I for one would be very interested if the 8 ARP packets a second count
against the caps.
Given len of 46 or 60 is not much, but that's about a gig of traffic almost,
assuming 8 of those a second happen (and my cold-medicine-addled mind is
working). I'm sure it's not just that when it
Making the TACACS+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to fail over to its local account.
- this is based on the fact that said attacker has some sort of access
previously and
On 12/29/2014 11:35, Brett Frankenberger wrote:
On Mon, Dec 29, 2014 at 12:27:04PM -0500, Jay Ashworth wrote:
Valdis, you are correct. What you're seeing is caused by multiple IP
blocks being assigned to the same CMTS interface.
Am I incorrect, though, in believing that ARP packets should only
Well sure they are subnets :-) of 0.0.0.0/4
range: 0.0.0.0 - 15.255.255.255
range b10: 0 - 268435455
range b16: 0x0 - 0xfffffff
hosts: 268435456
prefixlen: 4
mask: 240.0.0.0
Doubt anyone should ever describe them as such unless they own all that space
though. May God rest
On Mon, 29 Dec 2014 17:41:45 -0500, Corey Touchet
corey.touc...@corp.totalserversolutions.com wrote:
Well, I for one would be very interested if the 8 ARP packets a second
count against the caps.
Depends on where and what counters they probe. I would assume they look at
unicast fields,
On 12/29/2014 22:32, Ricky Beam wrote:
On Mon, 29 Dec 2014 17:41:45 -0500, Corey Touchet
corey.touc...@corp.totalserversolutions.com wrote:
Well, I for one would be very interested if the 8 ARP packets a second
count against the caps.
Depends on where and what counters they probe. I would
I like the idea of building on the Telecom Ramblings micro site:
http://www.telecomramblings.com/metro-fiber-maps/
Don't forget Greg's Cablemaps, the awesome undersea archive and the gold
standard of how to do this IMHO:
http://www.cablemap.info/
Best,
-M
On Sat, Dec 27, 2014 at
They generally use IPDR on the CMTS for accounting, and I don't believe it
counts ARP.
Phil
-Original Message-
From: Ricky Beam jfb...@gmail.com
Sent: 12/29/2014 11:34 PM
To: Corey Touchet corey.touc...@corp.totalserversolutions.com
Cc: nanog@nanog.org nanog@nanog.org
Subject: Re:
I've long since deleted the OP's message, but figured I would share our
experiences having been using TACACS+ with our Cisco hardware for a
couple of years.
Originally deployed for the need and want of controlling multiple users
across several devices, and to safely control 3rd party read, or