> This is why, if you are worried about security, perhaps TACACS+ would be
> a good option. Even if the router can't reach the TACACS server, with
> proper configuration, you will still need the enable passwd just to enter
> maintenance mode...

Not necessarily. If you use TACACS+ for AAA and enable AAA accounting,
you will (at least in my humble experience) be unable to get in - the Cisco
must send an accounting record to the TACACS+ server, but it can't reach
the TACACS+ server, so it refuses to let you in. (If anyone knows how to
get around this without turning off aaa accounting, *please* let me know! =)
(Also note that I may have any and/or all of the above wrong - it's so long
that I can't quite remember all the exact details...)

--
J. S. Connell      | Systems Administrator, ICONZ. Any opinions stated above
ankh@canuck.gen.nz | are not my employers', not my boyfriends', my God's, my
ankh@iconz.co.nz   | friends', and probably not even my own.
-------------------+---------------------------------------------------------
PGP key at http://www.canuck.gen.nz/~ankh/pgpkey.html