06-28-2015 08:14 PM - edited 02-21-2020 08:19 PM
At my company, the Windows administrators use a separate account for day-to-day normal computer usage and another account with elevated privileges for performing admin tasks in the domain, etc.
We have recently implemented TACACS for controlling access to network infrastructure devices (routers, switches, firewalls, etc.), and the suggestion now is that Network Engineers use a separate Windows account when accessing this infrastructure. So basically, I have a regular user account for authenticating to our Windows domain, and then another Windows account is created for authenticating to devices via TACACS.
I am not a Windows admin and have no administrative privileges other than on my local (laptop) machine. I understand how you would not want a Windows (Active Directory), or Exchange admin, etc. logging on for everyday normal activity with a high level account.
I am trying to understand how this makes sense for Network Engineers (who are not keepers of the Windows environment) to use separate Windows accounts (one for logging on to the domain, and then one for TACACS).
I am interested to hear comments on this.
06-29-2015 12:00 PM
Hi Terry-
I personally do NOT recommend integrating Active Directory with TACACS+ for Network Device Administration. The reason behind this is the fact that many, if not most, attackers would go after your AD server as soon as they get a chance. More often than not, attackers do end up compromising your domain controller, which will allow them to create themselves the appropriate AD account that will now give them access to your network infrastructure :)
As a result, I always recommend that the local database on the AAA appliance is used to manage network admin accounts. For instance, the Cisco solution (ACS) runs on a hardened Linux based appliance which would be very hard to compromise/exploit.
This can obviously be a pain in the rear since admins would have to manage two and perhaps three accounts, but it is also nice that you won't have to rely on your AD/Microsoft team to create, unlock and delete network-based accounts :)
I hope this helps!
Thank you for rating helpful posts!
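To make the device side of the arrangement discussed in this thread concrete, here is an added example of the AAA configuration an IOS router or switch would carry to authenticate and authorize administrative logins against a TACACS+ server (such as ACS), with the local device database used only as a fallback when no TACACS+ server answers. This is not configuration from the original posts; the server name, address, shared secret, group name and local username are placeholders.

```cisco
! Added example: IOS AAA pointed at a TACACS+ server with local fallback.
! ACS-PRIMARY, 192.0.2.10, the shared secret and netadmin-local are placeholders.
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-SECRET
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Authenticate and authorize against the TACACS+ group first.
! "local" is consulted only if every server in the group fails to respond,
! NOT when a server rejects the login.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Emergency break-glass account kept on the device for the no-server case.
username netadmin-local privilege 15 secret REPLACE-WITH-STRONG-PASSPHRASE
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

With this in place, the accounts that actually log in to the devices are whatever the TACACS+ server holds (its local database, per the answer above, or AD if it has been integrated); the device itself only ever knows the break-glass username. Command accounting sends every privilege-15 command to the server, which is what gives you an audit trail of who did what on the infrastructure.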