[c-nsp] AAA Command Authorization

Scott Altman staltman at gmail.com
Tue Jul 5 16:49:38 EDT 2005


The usual:  group (tacacs / radius), if-authenticated, local or none,
so pick your poison I guess.  We use if-auth so that we can at least
ensure that someone had the right line/enable or local user/pw to get
on to the box and assume that they are a good person during an ACS
outage.

On 7/5/05, John Neiberger <John.Neiberger at efirstbank.com> wrote:
> Ah, good point. If I turn on authorization then it's on for everyone.
> That could get messy if the ACS server goes away for any length of time.
> I'll go look this up for myself, but does authorization have some sort
> of fallback method?
> 
> Thanks,
> John
> --
> 
> >>> Scott Altman <staltman at gmail.com> 7/5/05 2:38:17 PM >>>
> If you grant the user priv 15 and then use command author. to limit
> what they can do, this will work.  We do this today to limit what our
> users see.  While not the most secure, we push everyone to level 15
> and then limit what they can do based on command authorization.  Need
> to give some serious consideration to how you would handle
> authorization during time of failure  (ACS goes away, etc) where one
> route would be that once you are authenticated, you have full access
> to all commands, etc, but if you have 100% availability (hehe), this
> will work great for your situation.
> 
> > Now I wonder if the same applies to AAA command authorization via
> > TACACS+. If I grant a user access to "show run" via AAA command
> > authorization, will the IOS display the entire config or will it run a
> > command authorization check on every line in the config?
>

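The fallback choices Scott lists (group tacacs+, if-authenticated, local, none) are method-list entries on the `aaa authorization commands` lines. The IOS configuration below is an added illustration, not from the original posts or from any list member; the server address, shared secret and local username are placeholders. It follows the "push everyone to level 15, then limit with command authorization, fall back to if-authenticated during an ACS outage" approach described in the thread, and adds command accounting so that the commands run during a fallback window are still recorded once the server is reachable again.

```cisco
! Added example configuration (hypothetical values, not from the thread)
aaa new-model
!
! ACS / TACACS+ server and shared secret are placeholders
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-SECRET
!
! Local fallback account for the "ACS goes away" case
username fallback-admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! Authentication: ask ACS first, fall back to the local user database
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Everyone lands at priv 15 via the exec authorization returned by ACS;
! if ACS is unreachable, an authenticated user still gets an exec shell
aaa authorization exec default group tacacs+ if-authenticated
!
! Per-command authorization at level 15 (the thread's method).
! Method order is the "poison" choice:
!   - "group tacacs+" alone: commands are DENIED while ACS is down
!   - "... if-authenticated": anyone who authenticated gets ALL commands while ACS is down
!   - "... local": falls back to privilege-level checks only, so priv 15 also means all commands
!   - "... none": no authorization at all, never appropriate on a production box
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Without this line, commands entered in configuration mode are not authorized
aaa authorization config-commands
!
! Record every level-15 command so a fallback window still leaves an audit trail
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting commands 15 default
 accounting exec default
```

The trade-off the thread describes is visible in the `aaa authorization commands 15` line: with `if-authenticated` as the fallback, a TACACS+ outage silently widens every authenticated level-15 user to the full command set, so the compensating controls are strong authentication (the local fallback account is only reachable after ACS fails), local logging of the outage itself, and the command accounting records that ACS receives once it is back. Dropping `if-authenticated` in favour of `group tacacs+` alone is the stricter choice, at the cost of being unable to run any command, including `show` commands, while the server is unreachable.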