The advantage of using TACACS instead of enable secret is that with TACACS every user should have their own unique password, whereas with enable secret it is the same password shared by everyone. Unique passwords are inherently more secure than a shared password.
Another advantage of using TACACS is that you can set a time period on the password and force the password to change. With enable secret that password stays the same until you access the router and change it. A password that is changed periodically is more secure than a password that stays the same for a long period.
Thank you so much for your reply. It makes perfect sense to use TACACS for enable. We are using TACACS for login currently and we do not have any expiration set on it.
If I configure the password to expire after x number of days, I am sure users will be forced to change it. Will it also apply if you use a different password for enable? So, basically I have a login password and a different enable password for the same user.
It can certainly work either way but I do believe that it enhances security to use TACACS for enable access. My experience of TACACS is that it uses the same password for user login and for enable. But the same password for user login and enable where the password is unique to the individual is more secure than a unique password for login and a shared password for enable.
Note that in configuring users in TACACS you can configure that certain users do have enable access and that other users do not have enable access.
Also note that expiration of passwords is optional. You can force them to expire and be changed or you can leave them permanent. You would need to evaluate the enhancement to security of periodically changing passwords vs the convenience to users of having the same password all the time. It is a tradeoff and some organizations decide one way and other organizations decide the other.
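For reference, the shared enable secret and the per-user TACACS+ alternative discussed in this thread look like this in IOS configuration. This is an added example, not part of the original posts; the server name `TAC1`, group name `TAC-GRP`, the `breakglass` user, the address 192.0.2.10 and all secrets are placeholders.

```cisco
! Before: one enable secret shared by every administrator.
enable secret <shared-secret-placeholder>
!
! After: enable access authenticated per user through TACACS+.
aaa new-model
!
! TACACS+ server definition (address and key are placeholders).
tacacs server TAC1
 address ipv4 192.0.2.10
 key <tacacs-key-placeholder>
!
aaa group server tacacs+ TAC-GRP
 server name TAC1
!
! Login: ask TACACS+ first, fall back to the local user database.
aaa authentication login default group TAC-GRP local
!
! Enable: ask TACACS+ first, fall back to the enable secret.
aaa authentication enable default group TAC-GRP enable
!
! Fallback credentials, stored off-box and rotated like any other secret.
username breakglass privilege 15 secret <local-secret-placeholder>
enable secret <fallback-secret-placeholder>
```

The fallback methods (`local`, `enable`) are tried only when no TACACS+ server responds, not when the server rejects the credentials, so the shared secret is no longer the everyday path to privileged mode.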