3/13/2014 6:31:22 PM
Anyone ever used or have any suggestions on using Secret Server with TACACS? We have all of our Cisco devices configured this way and the local admin is disabled while the device can communicate with the TACACS server. In the event the device loses communication with the TACACS server, it will allow logins using the regular admin account in the running-config.
So I want to build a password changer to change the admin account. Since I can't log in as the admin account, I have created an AD account to use and that is what Secret Server will have to log in as to change the passwords. This is where it gets sticky... When building the password changer in SS, it only allows you to pull a username for the current secret you are working with. I want to store the TACACS login account as a secret as well, then reference those credentials while trying to update a device password...
I know that sounds kooky, but not having the admin account active is a security requirement for our company. I don't want to store the credentials for the AD account in the password changer. I want to keep it safe as a secret, where it can be protected and audited, and eventually automatically changed.
Let me know if anyone has run across this and what your angle on it is.