From: Roberts, Larry (Larry.Roberts@xxxxxxxxxxxx)
Date: Wed Aug 28 2002 - 15:07:59 GMT-3
I'm quite in my right mind and I use CSACS.
Free TACACS+ (FT+) doesn't support RADIUS, which is what we use to
authenticate users when they dial into the internet through our business
partner.
They forward the LOGIN info to us, which we then either accept or deny.
Same thing with AP350's running LEAP or "other" brands running EAP/TLS.
Then there are the 3030's....
I'm not UNIX/Linux illiterate; as a matter of fact, I happen to really like
Linux. However, I have 2 ACS servers that support TACACS+ and RADIUS, so I
wanted a single box to do both. If I were just using TACACS+ then I would
highly consider running the free version, but since I already require CSACS,
it only makes sense to use it.
A question I do have, however, is: does FT+ support external DBs? We are
running a single NT domain that we use for all user accounts.
Does FT+ interact correctly with this? Does it support password change
requirements? I don't know, but I suspect that you do.
Second question, doesn't Jack the Ripper just do a brute force dictionary
attack against the hash? I haven't used it so I'm going by what I have been
told.
Note, this is not a hostile attack, just an example of when it makes sense
to have CSACS, or at least when it made sense to us.
Thanks
Larry
-----Original Message-----
From: mike greenberg [mailto:newbiecisco@yahoo.com]
Sent: Wednesday, August 28, 2002 12:46 PM
To: Owens, Michael; 'Wright, Jeremy'; 'security@groupstudy.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Read Only Access For Telnet
1) I don't know why anyone in their right mind would want to use Cisco ACS
(either Windows or Solaris version) to manage routers and switches. The
software itself is expensive if you factor in the cost of running this on
top of Windows and/or Solaris Platforms. Furthermore, if you want to log
the accounting record into a database with Cisco ACS, I believe only Oracle
or Microsoft SQL servers, you are talking about spending a lot of money just
to set up your AAA servers. Finally, if you want AAA server redundancy
(at least two or more ACS servers), I wouldn't be surprised if it costs at
least over $100k for the whole project. On the contrary, if you use Freeware
TACACS+ running on either FreeBSD or Linux, you are talking about a free
product that is not only very stable (in contrast to Microsoft Winblows) but
also scalable. Furthermore, the AAA accounting record can be logged into a MySQL
database (again, free). The beauty about Freeware TACACS+ is that
everything except the hardware is free and you can practically run Freeware
on a Pentium I machine with 32MB of RAM. Freeware TACACS+ has been widely
used by major financial corporations and service providers. Where I work, we
implement three Freeware TACACS+ boxes for less than $2K. I've trained many
people over the past twelve months on how to install, configure and maintain
TACACS+ server running on Linux and BSD platforms (Linux is my favorite
platform). Freeware TACACS+ is much more stable and easier to use than the
commercial Cisco ACS product. I've written a how-to on installing, configuring and
maintaining TACACS+ on Linux. This how-to is very easy to read and to implement.
It shows step by step how to do it so that even a Unix dummy can do
it. It is actually a PowerPoint presentation that is about 110 pages. I've
modified the TACACS+ source code so that everyone has his/her own enable
secret. There is no password sharing. I can sell the how-to instructions
to anyone who might be interested. Sometimes, I am just amazed at how
"unix-illiterate" some of the network engineers are. It seems that, for a
majority of them, the only thing they know is "point-and-click".
2) While it is true that the enable secret is an MD5 hash, it is NOT
impossible to break.... If I can see the configuration file with the enable
secret as an MD5 hash, I can recover the password using a password cracker such
as "John the Ripper". I can crack an MD5 hash using John the Ripper on a
dual PIII machine in about 8 hours (depending on the difficulty).
"Owens, Michael" wrote: The best way to solve this would be to use ACS with
a TACACS+ database utilizing AAA.
The quickest way is to just use the enable secret command.
The Cisco decryption programs will not decrypt passwords set with the enable
secret command. The enable password command should no longer be used. Use
the enable secret command for better security. The only instance in which
the enable password command might be tested is when the device is running in
a boot mode that does not support the enable secret command.
Enable secrets are hashed using the MD5 algorithm. As far as anyone at Cisco
knows, it is impossible to recover an enable secret based on the contents of
a configuration file (other than by obvious dictionary attacks).
Michael C. Owens
-----Original Message-----
From: Wright, Jeremy [mailto:JA_WRIGHT@admworld.com]
Sent: Wednesday, August 28, 2002 9:42 AM
To: 'security@groupstudy.com'
Cc: 'ccielab@groupstudy.com'
Subject: Read Only Access For Telnet
I have a remote location that needs read-only access to my router. I
know you can decrypt the encrypted password in the show run and I want to
eliminate the possibility of them doing that. What is the best way to
accomplish this?
************************
Jeremy Wright
Network Analyst
Archer Daniels Midland
ja_wright@admworld.com
(217)451-4063
************************
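The enable password versus enable secret distinction discussed in the thread, as an added example from this editor rather than any of the posters: a Python audit of a constructed IOS running-config that reports which credentials "show run" exposes in cleartext or reversible type 7 form and which are stored as MD5 enable secrets. The config text, hash strings and type-7 strings are constructed placeholders.

```python
import re

# Constructed sample 'show run' excerpt; the hashes and type-7 strings are placeholders, not real credentials.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$PLAC$EHOLDERxxxxxxxxxxxxxxxxxx
username readonly privilege 1 password 7 104D000A0618
username admin privilege 15 secret 5 $1$PLAC$EHOLDERyyyyyyyyyyyyyyyyyy
line vty 0 4
 password cisco
"""

# How IOS stores each credential: no type or type 0 is cleartext, type 7 is the reversible
# obfuscation 'service password-encryption' applies, type 5 is the MD5-based 'enable secret' hash.
ENCODING = {"0": "cleartext", "7": "reversible", "5": "md5-hash"}

CRED_RE = re.compile(
    r"^\s*(?:(?P<enable>enable (?:password|secret))"
    r"|username (?P<user>\S+)(?: privilege (?P<priv>\d+))? (?P<ukw>password|secret)"
    r"|(?P<line>password))"
    r"(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)

def audit_config(text):
    """One finding per credential line: where it is, which command set it, and how it is stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        command = m.group("enable") or ("username " + m.group("ukw") if m.group("user") else "line password")
        encoding = "cleartext" if m.group("type") is None else ENCODING.get(m.group("type"), "other")
        findings.append({"line": lineno, "command": command, "encoding": encoding,
                         "user": m.group("user"), "privilege": m.group("priv")})
    return findings

def summarize(findings):
    """Roll the findings up into the questions a config reviewer asks first."""
    commands = {f["command"] for f in findings}
    return {
        "enable_secret_present": "enable secret" in commands,
        "enable_password_present": "enable password" in commands,
        "reversible": sum(f["encoding"] == "reversible" for f in findings),
        "cleartext": sum(f["encoding"] == "cleartext" for f in findings),
    }
```

Any "reversible" or "cleartext" finding is a credential that a reader of the configuration can recover, which is exactly the exposure the original question is about; only the type 5 entries are protected by hashing.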
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:40 GMT-3