Solved

Is external authentication like TACACS & Radius required for audit compliance of devices without password policies

Posted on 2014-08-05
849 Views
Last Modified: 2014-08-11
We have hundreds of HP & Cisco switches & routers and IPS (Tipping Point etc) & various gateways (like SMS gateway) that don't have password policy features, as their IOS or custom OS do not have them (e.g. password must expire every 90 days, password used must be a complex password, password must be of length > 8, failed attempts will lock an account & password can only be changed after 1 day, etc.).

Q1:
As it's not feasible to manually change the password every 90 days or to enforce it on admins to adopt the above manually, is it a best practice to implement external authentication like TACACS & RADIUS?

Q2:
Is it considered an audit non-compliance if we don't implement external authentication?

Q3:
Can anyone recommend a product that could be used as external authentication for HP switches, Cisco routers, HP Tipping Point & SendQuik SMS gateway?

Q4:
Should this external authentication service fail, it will lock admins out of access to these devices. What's the mitigation people normally deploy to minimize such a situation? Pls quote specific configuration (if it's Cisco switches/routers & IPS).
Question by:sunhux
5 Comments
LVL 28

Accepted Solution

by:
mikebernhardt earned 2000 total points
ID: 40241922
Q1. Yes, this is best practice. It also gives you one central location to disable a user when they leave. RADIUS is very good at authentication but authorization (what can I do once I authenticate?) is not very good. TACACS is very good at both, but isn't as vendor-supported as RADIUS.

Q2. Yes

Q3. We use Windows IAS/NPS because it's a very easy form of RADIUS with good policy creation which can vary for different devices and users. You can get many free versions of RADIUS but they're not as easy to implement.

Q4. In Cisco you can specify a secondary method, and different ones for different ports. So, we have a line password on the vty ports as a backup, and the console port only uses the line password (no RADIUS). If you have physical access, you don't need RADIUS to get in.
aaa new-model
aaa authentication login default group radius line
aaa authentication login console-auth line
line con 0
 password 7 XXXXXXXXXXXXXXXXXXXXXX
 login authentication console-auth
line vty 0 15
 exec-timeout 5 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
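The fallback configuration in the accepted answer is easy to get wrong on a fleet of hundreds of devices: one box with a login list that names only "group radius" and no "line" or "local" method is locked out the moment the RADIUS server is unreachable. The following is an added example, not code from the answer or from any vendor, that parses IOS-style "aaa authentication login" method lists and "line" sections and reports any line whose list has no server-independent fallback, and any console port that depends on an AAA server at all (the answer's practice is console = line password only). The two configs are constructed samples; the "password 7" strings are placeholders, and the assumption that a line without an explicit "login authentication" uses the "default" list is standard IOS behaviour under "aaa new-model".

```python
"""Audit Cisco IOS running-configs for AAA login fallback (added example)."""
import re
from typing import Dict, List

# Methods that still work when no RADIUS/TACACS+ server is reachable.
LOCAL_METHODS = {"local", "local-case", "line", "enable", "none"}

# Constructed sample mirroring the accepted answer; type-7 strings are placeholders.
SAMPLE_WITH_FALLBACK = """\
aaa new-model
aaa authentication login default group radius line
aaa authentication login console-auth line
line con 0
 password 7 XXXXXXXXXXXXXXXXXXXXXX
 login authentication console-auth
line vty 0 15
 exec-timeout 5 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
"""

# Constructed sample of the lock-out risk: RADIUS only, console included.
SAMPLE_NO_FALLBACK = """\
aaa new-model
aaa authentication login default group radius
line con 0
 password 7 XXXXXXXXXXXXXXXXXXXXXX
line vty 0 15
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
"""


def parse_method_lists(config: str) -> Dict[str, List[str]]:
    """Return {list_name: [methods]}; 'group radius' is kept as one token."""
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_line_sections(config: str) -> Dict[str, str]:
    """Return {line_section: auth_list_name}; lines with no explicit
    'login authentication' fall back to the 'default' list (assumed IOS behaviour)."""
    sections: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = "default"
        elif current is not None and raw[:1].isspace():
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                sections[current] = m.group(1)
        else:
            current = None  # any other top-level command ends the line section
    return sections


def audit_fallback(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every line can
    still be reached when the external authentication server is down."""
    findings: List[str] = []
    if "aaa new-model" not in [l.strip() for l in config.splitlines()]:
        return ["aaa new-model missing: AAA method lists are not in effect"]
    lists = parse_method_lists(config)
    for section, name in parse_line_sections(config).items():
        methods = lists.get(name)
        if methods is None:
            findings.append(f"{section}: method list '{name}' is not defined")
        elif section.startswith("con") and any(m.startswith("group ") for m in methods):
            findings.append(f"{section}: console list '{name}' {methods} depends on an AAA server")
        elif not any(m in LOCAL_METHODS for m in methods):
            findings.append(f"{section}: list '{name}' {methods} has no local fallback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("with fallback", SAMPLE_WITH_FALLBACK), ("no fallback", SAMPLE_NO_FALLBACK)):
        print(label, "->", audit_fallback(cfg) or "OK")
```

Run it against a directory of backed-up running-configs (one call to audit_fallback per file) and the output is the list of devices that would be unreachable during a RADIUS outage, which is the situation Q4 asks how to avoid.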

Author Comment

by:sunhux
ID: 40242806
As we have quite a number of HP & Arista switches and Cisco routers/devices & HP Tipping Points, just to be certain for Q3, do the suggested RADIUS solutions, esp. the free ones, support those brands of devices?

Author Comment

by:sunhux
ID: 40249450
In particular, I need to confirm if HP and Arista switches & Tipping Point IPS could work with

a) any of the freeware RADIUS
b) the Windows authentication mentioned
c) or if all 3 can't work with RADIUS or Windows authentication, can TACACS+ work with them?

With TACACS/RADIUS, the password/account is centralized, i.e. when a Netadmin leaves, we only delete his account in TACACS/RADIUS rather than on individual network devices (which can be a horrendous task if we have hundreds of devices).
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 2000 total points
ID: 40254450
You would have to check with HP and Arista, but RADIUS is a standard protocol and if they say they support it, it will work. Some vendors have extensions to add functionality which may or may not be supported, but the basic authentication will be.

If you're asking whether your last statement is correct, the answer is yes.

Author Closing Comment

by:sunhux
ID: 40254981
excellent