06-08-2021 07:06 AM
I'm curious if folks here use a common shared secret or if the shared secret is unique between ISE and each device in the network for TACACS+ authentication. I currently have switches using one secret, routers using another, and WAPs using yet another. I'm interested in what the best practice is for this process.
Thanks,
Geekstur
06-08-2021 07:23 AM
It is all security policy, business to business.
I have done it differently with different people: where the devices are in a physically access-controlled location, all of them use the same secret;
where they are hosted in a public place, a different secret is used for each device for security reasons.
If everything is in the same place, your approach also works, with the switches, routers and WLCs each having a different secret.
06-08-2021 08:25 AM
Hi there,
If a company is having to manually log into and update hundreds of devices, then they will probably opt for a single secret across all devices. I have worked at places with a security posture like this... they also had no AAA and a single local admin account across the entire network!
Once you start scaling out to thousands of devices, by this point you will hopefully be using automation; getting a script to update both the NAC and the endpoint with a unique secret takes no more effort than using a single secret.
cheers,
Seb.
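To make the "a script does the work" point concrete, here is an added example (not code from this thread, from Cisco, or from ISE itself) that generates a distinct TACACS+ secret for every network device and emits both halves of the change: the ISE ERS NetworkDevice update and the IOS-XE `tacacs server` lines. The practical reason to want per-device secrets is that the TACACS+ packet body is only obfuscated with an MD5 keystream derived from that secret, so one secret shared across a fleet means one recovered device config (a stolen switch, a config backup, a WAP on a public wall) lets an attacker read and forge TACACS+ traffic for every other device. Assumptions in the code: the ERS API is enabled on port 9060 with a user in the ERS Admin group; each device's ERS `id` is already known (from `GET /ers/config/networkdevice`); the partial PUT body with only `tacacsSettings` is accepted (some ISE releases want the full NetworkDevice object on PUT, in which case GET the record first and merge); `ISE-PSN1`, `10.0.0.5`, `ise.example.net` and the device names are placeholders.

```python
"""Per-device TACACS+ secret rotation helper for Cisco ISE + IOS-XE.

Added example for the thread above; not from Cisco or the ISE product.
Assumed: ERS API on :9060, known network-device ERS ids, placeholder names.
"""
import base64
import json
import secrets
import string
import urllib.request

# Letters and digits only: avoids '?' (IOS CLI help trigger), spaces and
# quoting surprises in device configs. 32 chars from 62 symbols is ~190 bits.
SAFE_ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 32


def new_secret(length=SECRET_LENGTH):
    """Cryptographically random secret from the device-safe alphabet."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


def ise_tacacs_payload(secret):
    """Body for PUT /ers/config/networkdevice/{id} (ERS NetworkDevice,
    tacacsSettings block). Assumption: partial update is accepted; if your
    ISE release rejects it, GET the full record and merge this block in."""
    return {"NetworkDevice": {"tacacsSettings": {
        "sharedSecret": secret,
        "connectModeOptions": "ON_LEGACY",
    }}}


def ios_tacacs_config(server_name, server_ip, secret):
    """IOS-XE config lines for the device side of the same secret."""
    return [
        f"tacacs server {server_name}",
        f" address ipv4 {server_ip}",
        f" key {secret}",
    ]


def push_to_ise(base_url, device_id, secret, username, password,
                opener=urllib.request.urlopen):
    """PUT the new secret for one device into ISE over ERS (HTTP Basic).
    `opener` is injectable so the call can be exercised without a live ISE."""
    req = urllib.request.Request(
        f"{base_url}/ers/config/networkdevice/{device_id}",
        data=json.dumps(ise_tacacs_payload(secret)).encode(),
        method="PUT",
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with opener(req) as resp:
        return resp.status


def plan_rotation(devices, psn_name, psn_ip):
    """One record per device: fresh secret plus the ISE body and IOS lines.
    Secrets are distinct by construction, but the check below makes a bad RNG
    or a copy-paste bug fail loudly instead of silently re-sharing a key."""
    plan = {}
    for dev in devices:
        s = new_secret()
        plan[dev["name"]] = {
            "ise_id": dev["ise_id"],
            "secret": s,
            "ise_body": ise_tacacs_payload(s),
            "ios_lines": ios_tacacs_config(psn_name, psn_ip, s),
        }
    seen = [p["secret"] for p in plan.values()]
    if len(set(seen)) != len(seen):
        raise RuntimeError("duplicate secret generated; refusing to proceed")
    return plan


if __name__ == "__main__":
    # Constructed inventory with placeholder ERS ids; real ids come from
    # GET /ers/config/networkdevice.
    inventory = [{"name": "sw-core-1", "ise_id": "11111111-aaaa"},
                 {"name": "ap-lobby-3", "ise_id": "22222222-bbbb"}]
    for name, rec in plan_rotation(inventory, "ISE-PSN1", "10.0.0.5").items():
        print(f"! {name}")
        print("\n".join(rec["ios_lines"]))
```

Operational note: apply the ISE side first, then the device, and only with a reachable fallback (`aaa authentication login default group tacacs+ local` plus a local account, or console access), because the device cannot authenticate against ISE during the window between the two updates. Keep the generated plan out of version control and out of plaintext logs; it is a list of credentials.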