[tac_plus] TAC+ and Solarwinds Orion NCM don't play well together

Alan McKinnon alan.mckinnon at gmail.com
Fri Oct 23 07:54:35 UTC 2015 

On 23/10/2015 09:41, Matt Almgren wrote:
> Rancid stores passwords in the clear. TACACS does not when you use LDAP/PAM authentication. 

Any automated system that logs into things with a password must somehow
store it in the clear. Even if you encrypt it, the software still needs
an unlock key and to get that, it's secret must be in the clear somehow.
If you use ssh keys the software needs the passphrase and the same
problem applies, or the key is not passphrase protected which is
effectively the same as a password in the clear.

The best protection is a secured rancid server with restricted access.

Of course none of this applies if you are dealing with an auditor who is
only looking for a reason to tick or not tick a check box on a form.


> 
> -- iMatt
> 
>> On Oct 21, 2015, at 2:48 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>>
>>> On 21/10/2015 19:32, Daniel Schmidt wrote:
>>> Rancid isn't PCI compliant, but TAC+ is?
>>
>>
>>
>> And in what way is Rancid not PCI compliant?
>>
>> My reading of PCI is that it has a narrow well-defined scope, and rancid
>> is not in it, despite what those with agendas claim.
>>
>>
>>
>>
>>>
>>>> On Tue, Oct 20, 2015 at 6:01 PM, Heasley <heas at shrubbery.net> wrote:
>>>>
>>>>
>>>>
>>>>> Am 20.10.2015 um 13:12 schrieb Matt Almgren <matta at surveymonkey.com>:
>>>>>
>>>>> So we moved away from Rancid for something that is more PCI compliant.
>>>> So far so good, until very recently we see this problem.
>>>>>
>>>>> I have 26 juniper devices in a job in Orion NCM.  For some reason, for
>>>> the last week, the daily backup job reports that 8-10 devices were “unable
>>>> to login” or “connection refused”. However, when I switch Orion NCM to use
>>>> local Admin logins on the Junipers versus TAC+ accounts, I see no errors.
>>>> Something with the communication between the network devices and TAC+
>>>> isn’t playing nice together.
>>>>>
>>>>> I’ve tried the following:
>>>>>
>>>>> Increased the SSH Timeout settings on Orion to 120 seconds.
>>>>> Decreased the # of concurrent connections from default 11 to 1.
>>>>> Reinstalled Orion Job Engine + other tweaks on the Orion NCM side.
>>>>> Tried only Juniper devices, or only Arista devices, or 8 instead of 27
>>>> devices = all had mixed failures.
>>>>
>>>> How many concurrent jobs did you use eirh rancid?
>>>>
>>>>> None of the failures are consistent.  Job 1 has 8/27 failures.  Job 2
>>>> has 10/27 failures with some that failed in the first job passing in this
>>>> one.  Etc…
>>>>>
>>>>> Remember, local NAS accounts setup in Orion work just fine – TAC+ isn’t
>>>> even talked to when this happens.
>>>>>
>>>>> Is there any tuning I can do to the TAC+ server to make sure its able to
>>>> handle the connections?   What debug log level should I be looking at to
>>>> get the best information?  I’ve tried 24, 60, and even the higher ones, but
>>>> they’re too noisy.
>>>>>
>>>>>
>>>>>>>>>> Matt Almgren, Sr. Network Engineer
>>>>> [cid:29988614-ECDA-44BA-8377-ABD3ACFBCD1C]
>>>>> 101 Lytton Avenue, Palo Alto, CA 94301
>>>>> m: 408.499.9669
>>>>> www.surveymonkey.com
>>>>> -------------- next part --------------
>>>>> An HTML attachment was scrubbed...
>>>>> URL: <
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20151020/1db9bcf7/attachment.html
>>>>>
>>>>> -------------- next part --------------
>>>>> A non-text attachment was scrubbed...
>>>>> Name: 7B2F1B3D-E309-404C-ADEF-2AE84F8259F4[35].png
>>>>> Type: image/png
>>>>> Size: 8698 bytes
>>>>> Desc: 7B2F1B3D-E309-404C-ADEF-2AE84F8259F4[35].png
>>>>> URL: <
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20151020/1db9bcf7/attachment.png
>>>>>
>>>>> _______________________________________________
>>>>> tac_plus mailing list
>>>>> tac_plus at shrubbery.net
>>>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>> _______________________________________________
>>>> tac_plus mailing list
>>>> tac_plus at shrubbery.net
>>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>>
>> -- 
>> Alan McKinnon
>> alan.mckinnon at gmail.com
>>
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus


-- 
Alan McKinnon
alan.mckinnon at gmail.com

More information about the tac_plus mailing list