[c-nsp] AAA Command Authorization

Scott Altman staltman at gmail.com
Tue Jul 5 16:38:17 EDT 2005


If you grant the user priv 15 and then use command author. to limit
what they can do, this will work.  We do this today to limit what our
users see.  While not the most secure, we push everyone to level 15
and then limit what they can do based on command authorization.  Need
to give some serious consideration to how you would handle
authorization during time of failure  (ACS goes away, etc) where one
route would be that once you are authenticated, you have full access
to all commands, etc, but if you have 100% availability (hehe), this
will work great for your situation.

> Now I wonder if the same applies to AAA command authorization via
> TACACS+. If I grant a user access to "show run" via AAA command
> authorization, will the IOS display the entire config or will it run a
> command authorization check on every line in the config?
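An IOS AAA configuration for the approach in the reply above (everyone lands at privilege 15, TACACS+ command authorization decides what they may actually run), added here as an illustration and not taken from the post; the server address, shared secret, group name and local username are placeholders.

```cisco
! Added example, not from the original post. Placeholders are marked.
aaa new-model
!
! Local fallback account, used only when no TACACS+ server answers.
username breakglass privilege 15 secret PLACEHOLDER-LOCAL-SECRET
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Login: ask TACACS+ first, local database only if the group is unreachable.
aaa authentication login default group ACS-GROUP local
!
! EXEC authorization lets the server return priv-lvl=15 for every user,
! which is the "push everyone to level 15" part of the reply.
aaa authorization exec default group ACS-GROUP if-authenticated
!
! Command authorization at level 15 is the real access control: each
! command the user types is sent to the server for a permit/deny decision.
! config-commands extends that to commands entered in configuration mode.
aaa authorization config-commands
aaa authorization commands 15 default group ACS-GROUP if-authenticated
!
! Accounting gives the audit trail of what each level-15 user ran.
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Failure-mode choice the reply warns about: "if-authenticated" above
! means that once the server is unreachable an already-authenticated
! user keeps full level-15 access. Omitting it makes every command fail
! while ACS is down, so console recovery must then bypass the list:
aaa authorization exec CONSOLE none
aaa authorization commands 15 CONSOLE none
line con 0
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
```

Whichever fallback is chosen, the accounting records are the way to see, after the fact, what was run during a server outage.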
