
How can I check to see that all of our routers are configured for TACACS access?

How can I check to see that all of our routers are configured for TACACS access? Basically, I want to make sure that only authorized people are accessing my routers.
There are several ways to validate that all of your routers are configured for TACACS access. Without knowing what brand of router(s) you have on your network, I will have to be generic regarding possible solutions.

Vendor-Specific Element Management Systems

Almost all router companies provide some type of configuration management software. Oftentimes, they will allow you to search through the configuration files to see what is configured on each router. This is becoming more and more common as QoS becomes more prevalent in the marketplace, and users need to validate QoS configuration end-to-end.

Configuration Management Systems

If you have a multi-vendor network or your vendor doesn't support detailed configuration management capabilities, there are companies that sell applications specifically for handling change management. Their main value is to track configuration changes across your infrastructure. A side value is the ability to validate which configuration files have various features turned on.

Modeling Applications

There are a couple of modeling applications that support multi-vendor environments (OPNET for one) that will read in your configuration files and display a model of your network, based on the current configuration of your routers. In addition, they will validate that routers have been configured to meet expectations.

Brute Force (Text Search)

Many routers have configuration files that are text-based, and the files can easily be searched for specific data strings. For example, if the command for configuring TACACS starts with "set TACACS…," you could search the various configuration files for this string. All routers without this string would not have TACACS configured. If there is a lengthier string (perhaps including the address of the TACACS server) that is consistent across the routers, this may help you isolate mis-configured routers as well. All this assumes you can gain access to all of the current configuration files on your routers. If you have access to a UNIX system, you can use the grep command against all the configuration files to get a quick list of router configurations with the string you are looking for.

Hope this helps steer you in the right direction.

This was last published in March 2005
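The text-search approach from the answer above, as an added example that is not part of the original answer: a shell function that reports which saved configuration files lack the TACACS command, or carry it without the expected server address. The `set tacacs server <ip>` lines, router names and addresses are constructed placeholders, not any vendor's real syntax; the check also goes one step beyond a plain grep by ignoring commented-out lines.

```shell
#!/bin/sh
# Added example: audit a directory of saved router configs for a TACACS command.
# "set tacacs server <ip>" is a constructed placeholder, not real vendor syntax.

# audit_tacacs DIR PATTERN [SERVER]
# Prints OK, MISSING or WRONG-SERVER followed by the router name, one per file.
audit_tacacs() {
    dir=$1; pattern=$2; server=${3:-}
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .cfg)
        # Drop comment lines (! or #) so a commented-out command does not count.
        lines=$(grep -v '^[[:space:]]*[!#]' "$f" | grep -i -F -- "$pattern" || true)
        if [ -z "$lines" ]; then
            echo "MISSING $name"
        elif [ -n "$server" ] &&
             ! printf '%s\n' "$lines" | grep -q -w -F -- "$server"; then
            # -w keeps 192.0.2.10 from matching inside 192.0.2.100
            echo "WRONG-SERVER $name"
        else
            echo "OK $name"
        fi
    done
}

# Constructed sample configs (hypothetical router names and addresses).
make_sample_configs() {
    d=$(mktemp -d)
    printf 'hostname rtr1\nset TACACS server 192.0.2.10\n' > "$d/rtr1.cfg"
    printf 'hostname rtr2\nenable password local\n' > "$d/rtr2.cfg"
    printf 'hostname rtr3\n! set tacacs server 192.0.2.10\n' > "$d/rtr3.cfg"
    printf 'hostname rtr4\nset tacacs server 192.0.2.100\n' > "$d/rtr4.cfg"
    echo "$d"
}

sample=$(make_sample_configs)
audit_tacacs "$sample" "set tacacs" 192.0.2.10
rm -rf "$sample"
```

The result is only as current as the saved files, so pull fresh copies of the running configurations before auditing.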
