[c-nsp] limit what customer see via tacacs+

Rubens Kuhl Jr. rubensk at gmail.com
Thu Dec 8 21:19:50 EST 2005


Never tested myself, but I would try to allow only "show tech", which
by default removes sensitive stuff.

Rubens


On 12/8/05, Ed Ravin <eravin at panix.com> wrote:
> On Thu, Dec 08, 2005 at 05:27:39PM -0500, Luan Nguyen wrote:
>
> > Anyone know of a way of limiting what a customer can see once they log on to
> > your router?
>
> TACACS authorization works by limiting the commands that the user can
> execute.
>
> > say...can I create an account on the tacacs+ server for a customer, and when
> > they issue a show run, they won't be able to see the passwords, crypto key...etc?
>
> If you don't give them privilege level 15, they won't be able to see any of
> the config - there's a separate permission on the config file.
>
> > can the tacacs+ be smart enough that when it sees show run, it will do show run |
> > exclude crypto isakmp key * | exclude snmp-server community *...etc?
>
> No - config access is all or nothing, as described above.
>
> > maybe create an alias exec and let tacacs+ only limit the customer to that alias?
> > how can you create an alias that replaces show run with show run | etc? so
> > that you don't have to tell them to do show_run instead of show run.
>
> If you use RANCID, you can let the users see the config through RANCID, and
> it will have screened out all the passwords and other confidential stuff.
> See shrubbery.net/rancid
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
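As an added example (not from anyone in this thread) of the command-authorization approach Ed describes, combined with the "show tech" idea above: a tac_plus configuration for a customer group that may run only "show tech-support", which leaves the secrets masked unless its "password" keyword is given. It assumes Shrubbery's tac_plus configuration syntax; the shared key, user name and password hash are placeholders.

```text
# tac_plus.conf (added example; key, user name and hash are placeholders)
key = "REPLACE-WITH-SHARED-SECRET"

group = customers {
    # Anything not explicitly permitted below is refused.
    default service = deny

    # "show tech-support" is a privileged-EXEC command, so the session
    # has to land at level 15; the cmd rules are then the only thing
    # standing between the customer and "show run" / "configure".
    service = exec {
        priv-lvl = 15
    }

    # Rules are evaluated top to bottom, first match wins.
    cmd = show {
        # "show tech-support password" keeps the secrets in the output,
        # so refuse it before anything is permitted.
        deny "password"
        # Anchored at the start: tech-support and its section keywords
        # pass, "running-config" and every other show never matches.
        permit "^tech-support"
        deny .*
    }
    # No cmd block for configure, copy, write etc.: default service = deny
    # already covers them.
}

user = customer1 {
    login = des "PLACEHOLDER-DES-HASH"
    member = customers
}
```

On the router this only takes effect when level-15 commands are actually sent for authorization (aaa authorization commands 15 default group tacacs+); keep "none" and "if-authenticated" out of that method list, or a TACACS+ outage drops the customer into unrestricted privilege 15.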