Is external authentication like TACACS & Radius required for audit compliance of devices without password policies

Posted on 2014-08-05
Last Modified: 2014-08-11
We have hundreds of HP & Cisco switches & routers and IPS (Tipping Point etc.) & various gateways (like an SMS gateway) that don't have password policy features, as their IOS or custom OS does not have them (e.g. password must expire every 90 days, password used must be a complex password, password must be of length > 8, failed attempts will lock an account & password can only be changed after 1 day, etc.).

As it's not feasible to manually change the password every 90 days or to force admins to adopt the above manually, is it a best practice to implement external authentication like TACACS & RADIUS?

Is it considered an audit non-compliance if we don't implement external authentication?

Can anyone recommend a product that could be used as external authentication for HP switches, Cisco routers, HP Tipping Point & SendQuik SMS gateway?

Should this external authentication service fail, it will lock admins out of these devices. What's the mitigation people normally deploy to minimize such a situation? Pls quote specific configuration (if it's Cisco switches/routers &
Question by: sunhux

    Accepted Solution

    Q1. Yes, this is best practice. It also gives you one central location to disable a user when they leave. RADIUS is very good at authentication but authorization (what can I do once I authenticate?) is not very good. TACACS is very good at both, but isn't as vendor-supported as RADIUS.

    Q2. Yes

    Q3. We use Windows IAS/NPS because it's a very easy form of RADIUS with good policy creation which can vary for different devices and users. You can get many free versions of RADIUS but they're not as easy to implement.

    Q4. In Cisco you can specify a secondary method, and different ones for different ports. So, we have a line password on the vty ports as a backup, and the console port only uses the line password (no radius). If you have physical access, you don't need radius to get in.
    aaa new-model
    ! (radius-server host definitions not shown)
    ! Default list, used by the vty lines: try RADIUS first. IOS only moves on to the
    ! next method when the RADIUS servers are unreachable, so 'line' is the lockout fallback.
    aaa authentication login default group radius line
    ! Console list: line password only, no RADIUS
    aaa authentication login console-auth line
    line con 0
     password <console-line-password>
     login authentication console-auth
    line vty 0 15
     password <vty-line-password>
     exec-timeout 5 15
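A small audit check for the fallback design in this answer, added here as an example and not part of the original post: it parses a constructed IOS-style snippet (placeholder passwords, not real secrets) and flags method lists that end in an external method, lines that rely on `line` without a line password, and a console that depends on an external server.

```python
import re

# Constructed sample mirroring the answer: RADIUS with line-password fallback
# on vty, line password only on the console. Passwords are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius line
aaa authentication login console-auth line
line con 0
 password <console-line-password>
 login authentication console-auth
line vty 0 15
 password <vty-line-password>
"""

def parse_method_lists(config):
    """Map method-list name -> ordered methods; 'group radius' becomes 'group:radius'."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).replace("group ", "group:").split()
    return lists

def parse_lines(config):
    """Map line name -> {'password': bool, 'auth_list': name}; 'default' unless overridden."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            cur = raw[5:].strip()
            blocks[cur] = {"password": False, "auth_list": "default"}
        elif cur and raw.startswith(" "):
            tok = raw.split()
            if tok[0] == "password":
                blocks[cur]["password"] = True
            elif tok[:2] == ["login", "authentication"]:
                blocks[cur]["auth_list"] = tok[2]
    return blocks

def audit(config):
    """Return findings; an empty list means every line keeps a server-independent fallback."""
    findings = []
    lists = parse_method_lists(config)
    for name, methods in lists.items():
        # IOS falls through only when a server is unreachable, so the last method must need none.
        if methods[-1] not in ("line", "local", "enable"):
            findings.append(f"{name}: last method {methods[-1]} is external, no lockout fallback")
    for lname, info in parse_lines(config).items():
        methods = lists.get(info["auth_list"], [])
        if "line" in methods and not info["password"]:
            findings.append(f"{lname}: 'line' method but no line password configured")
        if lname.startswith("con") and any(m.startswith("group:") for m in methods):
            findings.append(f"{lname}: console depends on an external server")
    return findings
```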

    Author Comment

    As we have quite a number of HP & Arista switches and Cisco routers/devices & HP Tipping Points, just to be certain for Q3, do the suggested RADIUS solutions, esp. the free ones, support those brands of devices?

    Author Comment

    In particular, I need to confirm if HP and Arista switches & Tipping Point IPS could work with

    a) any of the freeware RADIUS
    b) the Windows authentication mentioned
    c) or, if all 3 can't work with RADIUS or Windows authentication, can TACACS+ work with them?

    With TACACS/RADIUS, the password/account is centralized, i.e. when a Netadmin leaves, we only delete his account in TACACS/RADIUS rather than on individual network devices (which can be a horrendous task if we have hundreds of the

    Assisted Solution

    You would have to check with HP and Arista, but RADIUS is a standard protocol and if they say they support it, it will work. Some vendors have extensions to add functionality which may or may not be supported, but the basic authentication will be.

    If you're asking whether your last statement is correct, the answer is yes.
