[c-nsp] AAA Command Authorization

John Neiberger John.Neiberger at efirstbank.com
Tue Jul 5 16:44:55 EDT 2005


Ah, good point. If I turn on authorization then it's on for everyone.
That could get messy if the ACS server goes away for any length of time.
I'll go look this up for myself, but does authorization have some sort
of fallback method?

Thanks,
John
--

>>> Scott Altman <staltman at gmail.com> 7/5/05 2:38:17 PM >>>
If you grant the user priv 15 and then use command authorization to limit
what they can do, this will work. We do this today to limit what our
users see. While not the most secure, we push everyone to level 15
and then limit what they can do based on command authorization. You need
to give some serious consideration to how you would handle
authorization during times of failure (ACS goes away, etc.), where one
route would be that once you are authenticated, you have full access
to all commands, etc., but if you have 100% availability (hehe), this
will work great for your situation.

> Now I wonder if the same applies to AAA command authorization via
> TACACS+. If I grant a user access to "show run" via AAA command
> authorization, will the IOS display the entire config or will it run a
> command authorization check on every line in the config?
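For reference, this is how the fallback John asks about is typically expressed in IOS method lists: each `aaa authorization` line tries the TACACS+ group first and falls through to `if-authenticated` only when the server returns an error (unreachable), not when it explicitly denies a command. This is an added illustration, not configuration from the thread; the server address, group name, and shared secret are placeholders.

```cisco
! Added example (not from the thread): command authorization with a fallback
! for the case where the ACS/TACACS+ server is unreachable.
aaa new-model
! Placeholder server and key; classic tacacs-server syntax (assumption: IOS 12.x-era)
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
!
! Login still falls back to the local user database if ACS is down
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP if-authenticated
!
! Command authorization at both privilege levels. Method order matters:
!   group ACS-GROUP   -> ask the TACACS+ server per command
!   if-authenticated  -> used ONLY if the server errors out (unreachable);
!                        a server-side deny is final and does not fall through.
! Swap if-authenticated for "none" or "local" if a different failure policy is wanted.
aaa authorization commands 1 default group ACS-GROUP if-authenticated
aaa authorization commands 15 default group ACS-GROUP if-authenticated
!
! Without this, commands entered inside configuration mode are not authorized
aaa authorization config-commands
!
! Apply to the VTYs (console left out so local recovery is still possible)
line vty 0 4
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

During an ACS outage, users who authenticated via the local fallback keep full use of their privilege level, so this mirrors the "full access on failure" route Scott describes; log the outage and review command accounting afterwards.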

