[c-nsp] AAA Command Authorization

John Neiberger John.Neiberger at efirstbank.com
Tue Jul 5 17:00:19 EDT 2005


I just took a look on CCO and it looks like I can either permit or deny
commands. If I just want to deny the "config" command, will I need to
explicitly allow other commands? It would suffice to simply deny the use
of the config command because the user will need to see the config and
will also need to do a few other privileged-mode things. We just need to
make sure that the user can't make changes under normal circumstances.

John

>>> Scott Altman <staltman at gmail.com> 7/5/05 2:49:38 PM >>>
The usual:  group (tacacs / radius), if-authenticated, local or none,
so pick your poison I guess.  We use if-auth so that we can at least
insure that someone had the right line/enable or local user/pw to get
on to the box and assume that they are a good person during an ACS
outage.

On 7/5/05, John Neiberger <John.Neiberger at efirstbank.com> wrote:
> Ah, good point. If I turn on authorization then it's on for everyone.
> That could get messy if the ACS server goes away for any length of time.
> I'll go look this up for myself, but does authorization have some sort
> of fallback method?
> 
> Thanks,
> John
> --
> 
> >>> Scott Altman <staltman at gmail.com> 7/5/05 2:38:17 PM >>>
> If you grant the user priv 15 and then use command author. to limit
> what they can do, this will work.  We do this today to limit what our
> users see.  While not the most secure, we push everyone to level 15
> and then limit what they can do based on command authorization.  Need
> to give some serious consideration to how you would handle
> authorization during time of failure  (ACS goes away, etc) where one
> route would be that once you are authenticated, you have full access
> to all commands, etc, but if you have 100% availability (hehe), this
> will work great for your situation.
> 
> > Now I wonder if the same applies to AAA command authorization via
> > TACACS+. If I grant a user access to "show run" via AAA command
> > authorization, will the IOS display the entire config or will it run a
> > command authorization check on every line in the config?
>
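
An IOS configuration for the setup discussed in this thread (everyone at priv 15, command authorization against ACS via TACACS+, with a fallback for an ACS outage), added here as an illustration and not taken from any of the posters. The server address, shared secret, local username and password are placeholders.

```cisco
! Added example: IOS AAA with TACACS+ command authorization and a
! fallback for an ACS outage. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
!
! Local account used only when the ACS servers are unreachable.
username emergency privilege 15 secret PLACEHOLDER_PASSWORD
!
! Authentication: ACS first, local database if ACS does not answer.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization so ACS can push the user straight to priv 15.
aaa authorization exec default group tacacs+ if-authenticated
!
! Command authorization. Without a trailing fallback method, every
! command fails when ACS is down and authenticated users are locked out:
!   aaa authorization commands 15 default group tacacs+
! With if-authenticated, a user who already passed authentication
! (including the local fallback above) gets full command access while
! ACS is away, which is the trade-off Scott describes in the thread.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Also authorize commands typed inside configuration mode (this is the
! default once command authorization is on; listed so nobody turns it off).
aaa authorization config-commands
!
! Record every priv-15 command so a denied "configure" attempt shows up
! in the ACS accounting log.
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
```

The permit/deny decision itself lives in the shell command authorization set on the ACS server, which carries its own permit-or-deny setting for unmatched commands, so a set that denies configure does not by itself require listing every permitted command. IOS sends each command as typed for a verdict; it does not send the lines of output that show running-config produces.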
