[nsp] router configuration tracking and AAA server used for audit trail

Tomas Daniska tomas@tronet.com
Wed, 27 Nov 2002 10:38:42 +0100


> telneting using expect - it works good now.
> 
> I would like to have the ability to tell which config
> change is made by which user. I unfiltered some lines
> in rancid and now the "Last configuration change by"
> and the "NVRAM config last updated by" lines show in
> the config and this could be used to find who has made
> changes. Still, since I run rancid once an hour, if
> two users make changes between two runs (or even
> simultaneously) then looking at just the running-config
> cannot show who made every change.

ios sends syslog/snmp trap each time a user ends the config mode
(regardless of whether there were changes or not)
 
> Some tools use syslog logoff messages to trigger the
> config download and immediate diff with the old one.
> This cannot cope with the case when two users are
> logged and make changes simultaneously.

cw rme listens for this and downloads config immediately after each
change (if configured to). if you do some tweaking - install a syslog
watcher and set it up to fire up rancid - then you can get the same
functionality

 
> I believe that a tool, tied closely to TACACS/RADIUS
> AAA server should be used for that
> purpose. I am using TACACS auth of commands, and have
> the raw log of every command made by any user.

not that needed as you still see the changes after you compare versions

--

deejay
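The syslog-watcher approach suggested above, as an added example that is not part of the original thread or of rancid: it parses the IOS `%SYS-5-CONFIG_I` message emitted when a user leaves config mode, groups events per router so that one rancid run can be annotated with every user who touched the box since the last run, and builds the `rancid-run` invocation. The router-to-group mapping and the sample log lines are constructed for the example.

```python
import re

# IOS logs %SYS-5-CONFIG_I on every exit from config mode, changed or not.
# Assumed line shape: BSD syslog header, sequence number, then the message:
#   "Nov 27 10:38:42 rtr1 123: %SYS-5-CONFIG_I: Configured from console by tomas on vty0 (192.0.2.5)"
CONFIG_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s.*?"
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<addr>[^)]+)\))?"
)

def parse_config_event(line):
    """Return {host, source, user, line, addr} for a config-mode exit, else None."""
    m = CONFIG_RE.search(line)
    return m.groupdict() if m else None

def collect_config_events(lines):
    """Group config-mode exits by router (insertion order kept), so the next
    rancid run on that router can name everyone who changed it in between."""
    pending = {}
    for line in lines:
        ev = parse_config_event(line)
        if ev:
            pending.setdefault(ev["host"], []).append(ev)
    return pending

def rancid_trigger(pending, groups):
    """Build rancid-run commands for routers with pending events.
    `groups` maps router name -> rancid group (a hypothetical local mapping);
    routers with no mapping are reported instead of run."""
    commands, unknown = [], []
    for host, events in pending.items():
        users = sorted({e["user"] for e in events})
        if host in groups:
            # rancid-run takes group names; `users` is for the audit note.
            commands.append({"host": host, "cmd": ["rancid-run", groups[host]], "users": users})
        else:
            unknown.append(host)
    return commands, unknown

# Constructed sample stream: two users on rtr1 within one hour, one on rtr2,
# plus an unrelated message that must be ignored.
SAMPLE_LOG = [
    "Nov 27 10:12:01 rtr1 201: %SYS-5-CONFIG_I: Configured from console by tomas on vty0 (192.0.2.5)",
    "Nov 27 10:15:44 rtr2 77: %SYS-5-CONFIG_I: Configured from console by console",
    "Nov 27 10:20:09 rtr1 202: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
    "Nov 27 10:31:30 rtr1 203: %SYS-5-CONFIG_I: Configured from console by dana on vty1 (192.0.2.9)",
]
```

Feeding the watcher's output to `rancid_trigger` gives one run per router; attaching the collected user list to the resulting diff is what separates two users' changes between hourly runs.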