[c-nsp] AAA Command Authorization

Scott Altman staltman at gmail.com
Tue Jul 5 17:31:05 EDT 2005


You can run the logic in ACS either way, either it can allow by
default with specific deny commands or vice versa, depends on how you
want to construct your policy for your users.  From a security policy
perspective, think of the ACS as a firewall, deny everything and add
what you want them to be able to do.  At some point there is a break
even, if you have 50+ permit lines (not sure if there is an actual
limit) you may as well just let them do everything.

The command permit/deny stuff in ACS is flexible and allows wildcards
(it just doesn't explain it very well) so you can permit 'show' and
check the box to permit/deny any unlisted arguments, so that will
cover 'show run' or 'show config' or whatever.

On 7/5/05, John Neiberger <John.Neiberger at efirstbank.com> wrote:
> I just took a look on CCO and it looks like I can either permit or deny
> commands. If I just want to deny the "config" command, will I need to
> explicitly allow other commands? It would suffice to simply deny the use
> of the config command because the user will need to see the config and
> will also need to do a few other privileged-mode things. We just need to
> make sure that the  user can't make changes under normal circumstances.
> 
> John
> 
> >>> Scott Altman <staltman at gmail.com> 7/5/05 2:49:38 PM >>>
> The usual:  group (tacacs / radius), if-authenticated, local or none,
> so pick your poison I guess.  We use if-auth so that we can at least
> ensure that someone had the right line/enable or local user/pw to get
> on to the box and assume that they are a good person during an ACS
> outage.
> 
> On 7/5/05, John Neiberger <John.Neiberger at efirstbank.com> wrote:
> > Ah, good point. If I turn on authorization then it's on for
> > everyone.
> > That could get messy if the ACS server goes away for any length of
> > time.
> > I'll go look this up for myself, but does authorization have some
> > sort of fallback method?
> >
> > Thanks,
> > John
> > --
> >
> > >>> Scott Altman <staltman at gmail.com> 7/5/05 2:38:17 PM >>>
> > If you grant the user priv 15 and then use command author. to limit
> > what they can do, this will work.  We do this today to limit what
> > our users see.  While not the most secure, we push everyone to level 15
> > and then limit what they can do based on command authorization.
> > Need to give some serious consideration to how you would handle
> > authorization during time of failure  (ACS goes away, etc) where one
> > route would be that once you are authenticated, you have full access
> > to all commands, etc, but if you have 100% availability (hehe), this
> > will work great for your situation.
> >
> > > Now I wonder if the same applies to AAA command authorization via
> > > TACACS+. If I grant a user access to "show run" via AAA command
> > > authorization, will the IOS display the entire config or will it
> > > run a command authorization check on every line in the config?
> >
>

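The router-side configuration the thread is talking about (everyone lands at
privilege 15, TACACS+ command authorization restricts what they may type, and
if-authenticated is the fallback when ACS is unreachable), written out as an
added example. This is not a config posted by anyone in the thread; the server
name, address and key are placeholders, and the ACS command set is described in
comments because it is built in the ACS GUI rather than on the router. The
"deny-by-default" and "deny only configure" policies Scott and John compare are
both ACS-side choices; the IOS side is the same for either.

```cisco
! --- placeholder TACACS+ server (RFC 5737 address, fake key) ---
aaa new-model
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 7 <placeholder-key>
!
! Login and enable go to ACS first; a local account and the enable secret
! are the safety net when ACS is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username emergency privilege 15 secret <placeholder-secret>
!
! Everyone who authenticates gets an exec shell at level 15 (ACS returns
! priv-lvl=15 in the exec authorization reply).
aaa authorization exec default group tacacs+ if-authenticated
!
! Command authorization is keyed by the privilege level of the command,
! so cover level 0/1 (show, ping, ...) as well as level 15, otherwise a
! priv-15 user running "show run" is never checked against ACS.
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Also authorize commands typed inside config mode (on by default once
! command authorization is configured; shown here to make it explicit).
aaa authorization config-commands
!
! Fallback trade-off from the thread: "if-authenticated" means that while
! ACS is down, anyone who got past login/enable can run every command.
! The stricter alternative, which locks everyone out of commands during
! an outage, would be to drop the fallback keyword entirely:
!   aaa authorization commands 15 default group tacacs+
! "none" as the fallback is the same as if-authenticated here in practice,
! since the user has already authenticated to reach the prompt.
!
! Keep a record of what was run, especially during an outage window.
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
!
! ACS command set (configured in the ACS GUI, not on the router):
!
!   Option A, deny-by-default (Scott's "firewall" approach):
!     Unmatched commands: deny
!     permit  show        args: permit unmatched  -> covers "show run",
!                                                    "show config", ...
!     permit  ping        args: permit unmatched
!     permit  traceroute  args: permit unmatched
!     permit  exit
!
!   Option B, allow-by-default with a single deny (John's requirement):
!     Unmatched commands: permit
!     deny    configure   args: permit unmatched  -> blocks "configure
!                                                    terminal" and friends
!
! Either way, IOS authorizes the command line the user typed ("show
! running-config"), not each line of the output, so permitting "show"
! is enough for the user to read the whole running config.
```

When testing this, open a second session before you apply it: a typo in the
command set (for example forgetting to permit "exit" or "enable" under option A)
locks the console session you are working in just as thoroughly as it locks the
users you meant to restrict.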