[c-nsp] question on terminal access security
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Thu Apr 21 02:05:22 EDT 2005
> I have a few questions on how to do per-user AAA on
> remote router management. I would like to know if I
> can use radius to do command authorization and
> accounting on remote CLI logins on cisco or is this
> exclusive to tacacs?
Tacacs+ only.
> If radius cannot do that, anyone has done using both
> radius and tacacs on the same router? Radius for PPP
> users, tacacs+ for router management?
This is usually straightforward, as PPP and Login/Exec deal with
different authentication and authorization methods. So you can use:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
> Except for the ACS, are the freeware tacacs+ servers
> capable of doing command authorization and
> accounting?
Yes, at least tac_plus does
(http://www.cisco.com/warp/public/480/tacplus.shtml), and I guess most
others do as well.
> With command authorization, can I easily
> change available commands for a particular user?
Well, it depends on how "easily" you want it. I've seen installations where
command authorization is stored in a backend SQL DB and scripts are used
with tac_plus to query this DB.
oli
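As an added example (not part of the original mail, and not tac_plus's own documentation), a tac_plus.conf fragment that pairs with the router config above and does per-user command authorization and accounting in the way the last answer describes; the group and user names, the accounting path and the secrets are placeholders.

```conf
# tac_plus.conf (constructed example): per-user command authorization
# with a deny-by-default posture, plus command accounting.
key = "PLACEHOLDER_SHARED_SECRET"        # must match the router's tacacs-server key

# Start-stop records sent by "aaa accounting commands ..." land here.
accounting file = /var/log/tac_plus.acct

# Read-only operators: everything not listed explicitly is denied.
group = netops-ro {
    default service = deny
    service = exec {
        priv-lvl = 15                    # exec shell is allowed, commands are still filtered
    }
    # permit/deny lines are regexes matched against the command arguments,
    # first match wins; so deny the config views before the catch-all permit.
    cmd = show {
        deny running-config
        deny startup-config
        permit .*
    }
    cmd = ping       { permit .* }
    cmd = traceroute { permit .* }
    # With "aaa authorization commands 1/15" on the router, even exit/logout
    # are authorized; forgetting these leaves operators unable to log out.
    cmd = exit   { permit .* }
    cmd = logout { permit .* }
}

# Full administrators: anything not listed is permitted.
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Changing what a user may run is then just a change of group membership.
user = alice {
    member = netops-ro
    login = des "PLACEHOLDER_DES_HASH"
}
user = bob {
    member = netadmin
    login = des "PLACEHOLDER_DES_HASH"
}
```

With this in place, a user in netops-ro is refused `show running-config` by the server rather than by the router, and every accepted or refused command is recorded in the accounting file for later review.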