[c-nsp] limit what customer see via tacacs+

Ed Ravin eravin at panix.com
Thu Dec 8 20:56:27 EST 2005


On Thu, Dec 08, 2005 at 05:27:39PM -0500, Luan Nguyen wrote:

> Anyone know of a way of limiting what a customer can see once they log on to
> your router?

TACACS authorization works by limiting the commands that the user can
execute.

> say...can I create an account on the tacacs+ server for a customer, and when
> they issue a show run they won't be able to see the passwords, crypto key...etc?

If you don't give them privilege level 15, they won't be able to see any of
the config - there's a separate permission on the config file.

> can the tacacs+ be smart enough that when it sees show run, it will do show run |
> exclude crypto isakmp key * | exclude snmp-server community *...etc?

No - config access is all or nothing, as described above.

> maybe create an alias exec and let tacacs+ only limit the customer to that alias?
> how can you create an alias that replaces show run with show run | etc? so
> that you don't have to tell them to do show_run instead of show run.

If you use RANCID, you can let the users see the config through RANCID, and
it will have screened out all the passwords and other confidential stuff.
See shrubbery.net/rancid
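As an added example (not from this thread and not RANCID's own code): a small Python filter that redacts secret values from a constructed IOS running-config, the kind of screening the reply above attributes to RANCID before a customer is allowed to see the config. The line patterns covered and the sample config are assumptions; real deployments should extend the rule list for every credential-bearing command the platform supports.

```python
import re

# Constructed sample of a Cisco IOS running-config (not from any real device).
SAMPLE_CONFIG = """\
version 12.4
hostname edge1
enable secret 5 $1$abcd$Xyz123ExampleHash/
username ops privilege 15 secret 5 $1$efgh$AnotherExampleHash/
crypto isakmp key MyPreSharedKey address 192.0.2.10
snmp-server community public RO
snmp-server community s3cr3tRW RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 password cisco
 login
tacacs-server key TacacsSharedSecret
end
"""

# (pattern, replacement): group 1 keeps the command keywords (and any encoding
# type digit); the secret value itself is replaced. First matching rule wins.
# This rule list is an assumption; extend it for other credential commands.
REDACT_RULES = [
    (r"^(\s*enable (?:secret|password)(?: \d)?) .*$", r"\1 <removed>"),
    (r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) .*$",
     r"\1 <removed>"),
    (r"^(\s*crypto isakmp key) \S+( address .*)$", r"\1 <removed>\2"),
    (r"^(\s*snmp-server community) \S+(.*)$", r"\1 <removed>\2"),
    (r"^(\s*tacacs-server key) .*$", r"\1 <removed>"),
    (r"^(\s*password(?: \d)?) .*$", r"\1 <removed>"),  # line/console passwords
]
COMPILED_RULES = [(re.compile(p), r) for p, r in REDACT_RULES]


def redact_config(text: str) -> str:
    """Return the config with secret values replaced; all other lines are untouched."""
    out = []
    for line in text.splitlines():
        for pattern, repl in COMPILED_RULES:
            new_line, hits = pattern.subn(repl, line)
            if hits:
                line = new_line
                break
        out.append(line)
    return "\n".join(out)


def count_redacted(text: str) -> int:
    """Number of lines in which a secret value was replaced."""
    return sum(1 for l in redact_config(text).splitlines() if "<removed>" in l)
```

Run `print(redact_config(SAMPLE_CONFIG))` to see that the structure (interfaces, addresses, which commands exist) survives while every secret value is gone.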

