Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
0
Helpful
3
Replies

tacacs enable versus enable secret

mchockalingam
Level 1
Level 1

‎07-20-2006 06:54 PM - last edited on ‎03-25-2019 05:23 PM by Community Manager

Hi All,

We are looking into the possibility of implementing tacacs for enable access. Currently, we are using tacacs for login access and enable secret for enable access.

I want to understand the advantages of using tacacs vs. enable secret.

Also, is it possible to use a different enable password other than the login using tacacs.

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎07-21-2006 10:49 AM

MEENA

The advantage of using TACACS instead of enable secret is that with TACACS every user should have their own unique password where with enable secret it is the same password shared by everyone. Unique passwords are inherently more secure than a shared password.

Another advantage of using TACACS is that you can set a time period on the password and force the password to change. With enable secret that password stays the same until you access the router and change it. A password that is changed periodically is more secure than a password that stays the same for a long period.

HTH

Rick

HTH

Rick
0 Helpful

mchockalingam
Level 1
Level 1
In response to Richard Burts

‎07-24-2006 01:48 AM

Rick,

Thank you so much for your reply. Perfectly makes sense to use tacacs for enable. We are using tacacs for login currently and we do not have any expiration set on it.

If I configure the password to expire after x number of days, I am sure users will be forced to change it. Will it also apply if you use a different password for enable? So, basically I have a login password and a different enable password for the same user.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to mchockalingam

‎07-24-2006 02:42 AM

MEENA

It can certainly work either way but I do believe that it enhances security to use TACACS for enable access. My experience of TACACS is that it uses the same password for user login and for enable. But the same password for user login and enable where the password is unique to the individual is more secure than a unique password for login and a shared password for enable.

Note that in configuring users in TACACS you can configure that certain users do have enable access and that other users do not have enable access.

Also note that expiration of passwords is optional. You can force them to expire and be changed or you can leave them permanent. You would need to evaluate the enhancement to security of periodically changing passwords vs the convenience to users of having the same password all the time. It is a tradeoff and some organizations decide one way and other organizations decide the other.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents