Not dangerous at all. So what is the public address that you are going to use? :)
Seriously, I wouldn't do it. These appliances contain your entire user list and passwords. Not a great idea to have them directly available to anyone from the Internet. Should there ever be a problem with the way the ACS servers treat the incoming UDP traffic, your box will most likely be compromised.

The minimum I would do is drop in a firewall (or even a server with iptables) and then have an additional rule provisioned each time you provision a new ACS endpoint. And enable logging - and monitor these logs.

It sounds as if you don't actually "need" to use a public address based on your original spec, and are doing this to avoid possible conflicts. Do you have the possibility of disabling access from the Internet to this address?

-- Andrew

On Mon, Aug 24, 2015 at 7:30 PM, Nick Cutting <ncutt...@edgetg.co.uk> wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds
> (thousands?) of client devices that need to authenticate back to these
> appliances.
>
> We will most likely put this directly on a public address, to avoid address
> conflicts etc. on our "shared services" zone.
>
> Rather than maintain some monster ACL for all the client Public addresses
> that would need to be updated almost daily - how dangerous is it to just
> allow UDP port 49 to this device from any source?
> We are going to have to add each device to the ACS server anyway.
>
> Any suggestions welcome
>
> Nick Cutting | Network Engineer | ncutt...@edgetg.co.uk
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
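Added example, not part of the thread: a small POSIX shell script that does what Andrew's reply suggests, namely an iptables front for the ACS host that accepts port 49 only from endpoints that have been provisioned, logs and drops everything else, and a one-liner that summarises the deny log by source so the log actually gets looked at. The thread talks about UDP port 49; TACACS+ listens on TCP port 49, so the generated rules match TCP. The ACS address, the endpoint inventory and the kernel log lines are all constructed for the example and are not real addresses or real log output; the script only prints the iptables commands so it can be reviewed and run offline.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables rule set that
# permits TACACS+ (TCP/49) to the ACS host only from provisioned endpoints,
# logs and drops every other source, and summarise the resulting deny log.

# Assumed ACS address (documentation range, not a real host).
ACS_ADDR="${ACS_ADDR:-198.51.100.10}"

# Constructed inventory of provisioned endpoints, one "name address" per line.
# Provisioning a new device means appending a line here and re-running.
ENDPOINTS='rtr-lon-01 203.0.113.5
rtr-par-02 203.0.113.17
sw-ber-03 192.0.2.40'

# Constructed kernel log lines as produced by the LOG rule below.
DENY_LOG='Aug 24 19:31:02 fw kernel: TACACS-DENY: IN=eth0 OUT= SRC=198.18.0.77 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=49
Aug 24 19:31:05 fw kernel: TACACS-DENY: IN=eth0 OUT= SRC=198.18.0.77 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=49
Aug 24 19:32:11 fw kernel: TACACS-DENY: IN=eth0 OUT= SRC=100.64.3.9 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=49'

# gen_tacacs_rules ACS_ADDR < inventory
# Prints the iptables commands: a dedicated TACACS chain with one ACCEPT per
# provisioned endpoint, a rate-limited LOG, a default DROP, and a jump from
# INPUT for TCP/49 to the ACS address. Nothing is applied here.
gen_tacacs_rules() {
  acs="$1"
  echo "iptables -N TACACS 2>/dev/null"
  echo "iptables -F TACACS"
  while read -r name addr; do
    [ -z "$addr" ] && continue
    echo "iptables -A TACACS -s $addr -p tcp --dport 49 -m comment --comment \"$name\" -j ACCEPT"
  done
  # Log unexpected sources (rate limited so a scan cannot flood syslog).
  echo "iptables -A TACACS -m limit --limit 10/min -j LOG --log-prefix \"TACACS-DENY: \""
  echo "iptables -A TACACS -j DROP"
  echo "iptables -A INPUT -d $acs -p tcp --dport 49 -j TACACS"
}

# summarize_denies < kernel-log
# Counts TACACS-DENY lines per source address, most frequent first.
summarize_denies() {
  grep 'TACACS-DENY:' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Usage: ./tacacs-fw.sh --show   prints the rules and the log summary.
# Apply with: ./tacacs-fw.sh --show | grep '^iptables' | sh
if [ "${1:-}" = "--show" ]; then
  printf '%s\n' "$ENDPOINTS" | gen_tacacs_rules "$ACS_ADDR"
  echo "# deny summary (count source):"
  printf '%s\n' "$DENY_LOG" | summarize_denies
fi
```

A dedicated chain keeps the per-endpoint rules separate from the rest of INPUT, so regenerating the chain from the inventory is the provisioning step Andrew describes; the LOG rule is what makes the "monitor these logs" part possible, and the rate limit stops an Internet scan of port 49 from filling the log.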