North American Network Operators Group



  • From: Philip Smith
  • Date: Sun Apr 30 19:57:12 2000


As you pointed out to Barry Greene and me previously, the "aaa accounting" command as below will log commands typed in at "enable" level. So, if you are changing the onboard router password, yes, you will see the new password in your accounting logs, in clear text.

However, I don't consider it good practice to keep any critical passwords on a router when an authentication mechanism such as TACACS+ is in place.

Also, if I was modifying the onboard enable secret (last resort password when TACACS+ or Radius is configured) at any stage, I'd tftp-load the configuration from a remote server, not ever type it in live.

We will explain this more clearly in the relevant section in the next version of IOS Essentials. Thanks for all the feedback!


At 08:36 30/04/00 -0600, Alec H. Peterson wrote:

Hank Nussbacher wrote:
> TACACS encryption won't help if you follow the Cisco Essential IOS Features
> (v 2.82 - Feb 18, 2000).  On page 45 they discuss router command auditing
> and recommend:
> aaa accounting command 15 start-stop tacacs+
> Unfortunately, this will log in your syslog the password commands in
> cleartext.  You would have to be sure that the Unix/NT system you are
> logging all Cisco commands to is as secure as your router.  How many of you
> run ISS/Cybercop/Netrecon scans every week on your logging servers to be
> sure they are secure?

Hrm, that's odd, since I was using TACACS+ accounting a while ago (that
exact command actually) and it never logged any passwords that I entered...


Alec H. Peterson - [email protected]
Staff Scientist
CenterGate Research Group -
"Technology so advanced, even _we_ don't understand it!"

Philip Smith ph: +61 7 3238 8200
Consulting Engineering, Office of the CTO, Cisco Systems
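The thread's point is that command accounting faithfully records whatever is typed at privilege level 15, so a live "enable secret" change lands in the accounting log in the clear. A mitigation on the collector side is to redact credential-bearing commands before the records reach a syslog box that is less trusted than the router, while still counting the events so they can be reviewed. The Python below is an added example written for this page, not code from the thread, from Cisco, or from any TACACS+ daemon. The record layout (a one-line tac_plus-style line ending in "cmd=... <cr>"), the field names and the sample records are all constructed assumptions; the command patterns cover the enable credential case from the thread and generalize to local usernames, AAA server keys and SNMP community strings.

```python
import re

# Constructed sample TACACS+ command-accounting records in an assumed
# tac_plus-style one-line layout (field names are illustrative only).
SAMPLE_RECORDS = [
    "Sun Apr 30 19:57:12 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=41 service=shell priv-lvl=15 cmd=show running-config <cr>",
    "Sun Apr 30 19:58:03 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=42 service=shell priv-lvl=15 "
    "cmd=enable secret 5 $1$AbCd$EfGhIjKlMnOpQrStUvWxY/ <cr>",
    "Sun Apr 30 19:58:40 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=43 service=shell priv-lvl=15 cmd=username backup password 0 hunter2 <cr>",
    "Sun Apr 30 19:59:10 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=44 service=shell priv-lvl=15 cmd=tacacs-server key s3cr3t-key <cr>",
    "Sun Apr 30 19:59:31 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=45 service=shell priv-lvl=15 cmd=snmp-server community public RO <cr>",
    "Sun Apr 30 19:59:55 2000 192.0.2.1 psmith tty2 198.51.100.7 stop "
    "task_id=46 service=shell priv-lvl=15 cmd=interface Loopback0 <cr>",
]

# The command text is everything after "cmd=" up to the trailing "<cr>" (if any).
CMD_RE = re.compile(r"cmd=(.*?)(?=\s*<cr>$|$)")

# IOS-style commands whose last argument is a credential. Each pattern names the
# fixed prefix to keep, the secret to drop and any trailing options to keep.
SECRET_COMMANDS = [
    (re.compile(r"^(?P<prefix>enable (?:secret|password)(?: level \d+)?(?: [057])?) "
                r"(?P<secret>\S+)(?P<rest>.*)$"), "enable credential"),
    (re.compile(r"^(?P<prefix>username \S+ (?:privilege \d+ )?(?:password|secret)(?: [057])?) "
                r"(?P<secret>\S+)(?P<rest>.*)$"), "local user credential"),
    (re.compile(r"^(?P<prefix>(?:tacacs|radius)-server (?:host \S+ )?key(?: [07])?) "
                r"(?P<secret>\S+)(?P<rest>.*)$"), "AAA server shared key"),
    (re.compile(r"^(?P<prefix>snmp-server community) (?P<secret>\S+)(?P<rest>.*)$"),
     "SNMP community string"),
]


def extract_command(record):
    """Return the command text of an accounting record, or None if absent."""
    m = CMD_RE.search(record)
    return m.group(1).strip() if m else None


def redact_command(cmd):
    """Return (redacted_cmd, category); category is None and cmd is unchanged
    when the command carries no credential."""
    for pattern, category in SECRET_COMMANDS:
        m = pattern.match(cmd)
        if m:
            return f"{m.group('prefix')} <REDACTED>{m.group('rest')}", category
    return cmd, None


def scrub_record(record):
    """Return (scrubbed_record, category). Only the cmd= field is rewritten,
    and only when it carries a credential; the rest of the record is kept."""
    m = CMD_RE.search(record)
    if not m:
        return record, None
    redacted, category = redact_command(m.group(1).strip())
    if category is None:
        return record, None
    return record[:m.start(1)] + redacted + record[m.end(1):], category


def audit(records):
    """Scrub a batch and count credential-bearing commands by category, so the
    change events remain visible for review even though the secrets are gone."""
    scrubbed, counts = [], {}
    for record in records:
        line, category = scrub_record(record)
        scrubbed.append(line)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return scrubbed, counts


if __name__ == "__main__":
    lines, counts = audit(SAMPLE_RECORDS)
    for line in lines:
        print(line)
    print(counts)
```

The scrubber sits between the TACACS+ daemon and the log store (or runs over the file before it is shipped); the per-category counts are what you would forward to the people who review privileged configuration changes, since a credential change is exactly the event worth alerting on even after its value has been removed.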