Is external authentication like TACACS & Radius required for audit compliance of devices without password policies

We have hundreds of HP & Cisco switches & routers and IPS (Tipping Point etc.) & various gateways (like an SMS gateway) that don't have password policy features, as their IOS or custom OS do not have them. E.g.: password must expire every 90 days, the password used must be a complex password, password must be of length > 8, failed attempts will lock an account & a password can only be changed after 1 day, etc.

Q1:
As it's not feasible to manually change the password every 90 days or to force admins to adopt the above manually, is it a best practice to implement external authentication like TACACS & Radius?

Q2:
Is it considered an audit non-compliance if we don't implement external authentication?

Q3:
Can anyone recommend a product that could be used as external authentication for HP switches, Cisco routers, HP Tipping Point & SendQuik SMS gateway?

Q4:
Should this external authentication service fail, it will lock admins out of these devices. What's the mitigation people normally deploy to minimize such a situation? Please quote specific configuration (if it's Cisco switches/routers & IPS).
sunhuxAsked:

mikebernhardtCommented:
Q1. Yes, this is best practice. It also gives you one central location to disable a user when they leave. RADIUS is very good at authentication but authorization (what can I do once I authenticate?) is not very good. TACACS is very good at both, but isn't as vendor-supported as RADIUS.

Q2. Yes

Q3. We use Windows IAS/NPS because it's a very easy form of RADIUS with good policy creation which can vary for different devices and users. You can get many free versions of RADIUS but they're not as easy to implement.

Q4. In Cisco you can specify a secondary method, and different ones for different ports. So, we have a line password on the vty ports as a backup, and the console port only uses the line password (no radius). If you have physical access, you don't need radius to get in.
! enable AAA; the default login list tries RADIUS first, then the line password
aaa new-model
aaa authentication login default group radius line
! console-only list: line password, no RADIUS dependency
aaa authentication login console-auth line
line con 0
 password 7 XXXXXXXXXXXXXXXXXXXXXX
 login authentication console-auth
line vty 0 15
 exec-timeout 5 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
! vty lines carry no 'login authentication' statement, so they use the default list
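As an added example (not code from the thread or any vendor), a Python check that audits IOS-style configs for the fallback pattern described in Q4: the default login list names a RADIUS/TACACS+ server group plus a fallback method, and the console line is bound to a list that does not depend on the servers. The sample configs are constructed placeholders.

```python
import re

# Constructed sample IOS configs for this example (placeholders, not from the page).
WITH_FALLBACK = """
aaa new-model
aaa authentication login default group radius line
aaa authentication login console-auth line
line con 0
 password 7 PLACEHOLDER
 login authentication console-auth
line vty 0 15
 password 7 PLACEHOLDER
"""
# Central AAA, but no fallback method, and the console uses the default list.
NO_FALLBACK = "aaa new-model\naaa authentication login default group tacacs+\nline con 0\n password 7 PLACEHOLDER\n"
FALLBACK = {"local", "line", "enable"}  # methods that still work with AAA servers down

def parse_login_lists(cfg):
    """Map method-list name -> methods from 'aaa authentication login' lines."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", cfg, re.M):
        name, rest, methods, i = m.group(1), m.group(2).split(), [], 0
        while i < len(rest):
            if rest[i] == "group":  # 'group radius' / 'group tacacs+' / 'group NAME'
                methods.append("group " + rest[i + 1]); i += 2
            else:
                methods.append(rest[i]); i += 1
        lists[name] = methods
    return lists

def audit(cfg):
    """Return findings; an empty list means the config follows the fallback pattern."""
    if not re.search(r"^aaa new-model$", cfg, re.M):
        return ["aaa new-model missing: no central AAA"]
    lists, findings = parse_login_lists(cfg), []
    default = lists.get("default", [])
    if not any(m.startswith("group ") for m in default):
        findings.append("default login list has no RADIUS/TACACS+ server group")
    if not any(m in FALLBACK for m in default):
        findings.append("default login list has no fallback method: AAA outage locks out vty")
    # Console uses its bound list, or 'default' when none is bound.
    con_list = "default"
    con = re.search(r"^line con 0\n((?: .*\n)*)", cfg, re.M)
    if con:
        bound = re.search(r"^ login authentication (\S+)", con.group(1), re.M)
        con_list = bound.group(1) if bound else "default"
    if any(m.startswith("group ") for m in lists.get(con_list, [])):
        findings.append(f"console line uses '{con_list}', which depends on AAA servers")
    return findings
```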

sunhuxAuthor Commented:
As we have quite a number of HP & Arista switches and Cisco routers/devices & HP Tipping Points, just to be certain for Q3, do the suggested Radius solutions, esp. the free ones, support those brands of devices?
sunhuxAuthor Commented:
In particular, I need to confirm if HP and Arista switches & Tipping Point IPS could work with

a) any of the freeware Radius
b) the Windows authentication mentioned
c) or, if all 3 can't work with Radius or Windows authentication, can Tacacs+ work with them?

With TACACS/Radius, the password/account is centralized, i.e. when a Netadmin leaves, we only delete his account in TACACS/Radius rather than on individual network devices (which can be a horrendous task if we have hundreds of the devices).
mikebernhardtCommented:
You would have to check with HP and Arista, but RADIUS is a standard protocol and if they say they support it, it will work. Some vendors have extensions to add functionality which may or may not be supported, but the basic authentication will be.

If you're asking whether your last statement is correct, the answer is yes.
sunhuxAuthor Commented:
Excellent.