Is external authentication like TACACS & Radius required for audit compliance of devices without password policies
Posted on 2014-08-05
We have hundreds of HP & Cisco switches & routers, IPS (Tipping Point etc.) & various gateways (like an SMS gateway) that don't have password policy features, as their IOS or custom OS does not have them (e.g. password must expire every 90 days, the password used must be a complex password, password must be of length > 8, failed attempts will lock an account & the password can only be changed after 1 day, etc.).
As it's not feasible to manually change the password every 90 days or to force admins to adopt the above manually, is it a best practice to implement external authentication like TACACS & RADIUS?
Is it considered an audit non-compliance if we don't
implement external authentication?
Can anyone recommend a product that could be used as external authentication for HP switches, Cisco routers, HP Tipping Point & SendQuik SMS gateway?
Should this external authentication service fail, it will lock out admins' access to these devices. What's the mitigation people normally deploy to minimize such a situation? Please quote specific configuration (if it's Cisco switches/routers &
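Below is an added example of the Cisco IOS AAA configuration the question is asking about; it is not part of the original post and is not endorsed by any of the vendors named. The server addresses (10.0.0.10 / 10.0.0.11), the shared secret, the server group name TAC-SERVERS and the local account name breakglass are placeholders to be replaced. It shows the usual mitigation for the lock-out concern: TACACS+ is the primary method, a local account is the fallback, and the console line is kept on local authentication so physical access still works during an AAA outage.

```cisco
! Added example, not from the original post. IPs, key, user and
! group names are placeholders.
aaa new-model

! Local emergency ("break glass") account. Only consulted when the
! TACACS+ group is unreachable (see note on method order below).
username breakglass privilege 15 secret <STRONG-LOCAL-PASSWORD>

tacacs server TAC-1
 address ipv4 10.0.0.10
 key <SHARED-SECRET>
tacacs server TAC-2
 address ipv4 10.0.0.11
 key <SHARED-SECRET>

aaa group server tacacs+ TAC-SERVERS
 server name TAC-1
 server name TAC-2

! Method lists are tried left to right. IOS only moves on to "local"
! when every server in the group fails to respond (timeout/unreachable).
! A reject from the TACACS+ server is final and does NOT fall through
! to the local database, so a wrong password cannot be retried locally.
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
aaa authorization exec default group TAC-SERVERS local if-authenticated
aaa authorization commands 15 default group TAC-SERVERS local if-authenticated
aaa accounting exec default start-stop group TAC-SERVERS
aaa accounting commands 15 default start-stop group TAC-SERVERS

! Console stays local so an on-site admin is never locked out by an
! AAA outage or a misconfigured server group.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE

! Remote management uses the default list (TACACS+ first, local fallback)
! and is restricted to SSH.
line vty 0 15
 login authentication default
 transport input ssh
```

When rolling this out, keep an existing session open and verify a new login from a second session before disconnecting, then test the fallback deliberately (for example by making the TACACS+ servers unreachable) rather than assuming it works. The local password is the thing the original question cannot rotate automatically, so it still needs an out-of-band process (stored in a vault, changed on a schedule, use of it alarmed via the accounting records the servers collect).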