[c-nsp] AAA Command Authorization
Christopher Woodfield
rekoil at semihuman.com
Wed Jul 6 10:09:02 EDT 2005
One option is to run redundant ACS servers; every Cisco I've worked
with can take multiple "tacacs-server host" statements, but you must
use the same key for both.
-C
On Jul 5, 2005, at 4:44 PM, John Neiberger wrote:
> Ah, good point. If I turn on authorization then it's on for everyone.
> That could get messy if the ACS server goes away for any length of
> time.
> I'll go look this up for myself, but does authorization have some sort
> of fallback method?
>
> Thanks,
> John
> --
>
>
>>>> Scott Altman <staltman at gmail.com> 7/5/05 2:38:17 PM >>>
>>>>
> If you grant the user priv 15 and then use command author. to limit
> what they can do, this will work. We do this today to limit what our
> users see. While not the most secure, we push everyone to level 15
> and then limit what they can do based on command authorization. Need
> to give some serious consideration to how you would handle
> authorization during time of failure (ACS goes away, etc) where one
> route would be that once you are authenticated, you have full access
> to all commands, etc, but if you have 100% availability (hehe), this
> will work great for your situation.
>
>
>> Now I wonder if the same applies to AAA command authorization via
>> TACACS+. If I grant a user access to "show run" via AAA command
>> authorization, will the IOS display the entire config or will it run a
>> command authorization check on every line in the config?
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
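As an added illustration (my own, not configuration posted by anyone in this thread), here is what the redundant-server setup Christopher describes and the "what happens when ACS goes away" fallback that Scott and John discuss look like in a classic IOS AAA configuration. The addresses, the shared key, the local username and the loopback interface are placeholders; the real values depend on your network.

```cisco
! Constructed example, not from the thread. Addresses, key and username are placeholders.
aaa new-model
!
! Two ACS (TACACS+) servers. IOS tries them in the order listed and moves to
! the next one when a host does not answer. The global key applies to both
! hosts, which is the "same key for both" constraint Christopher mentions.
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key EXAMPLE-SHARED-KEY
! Shorten the per-host timeout so a dead server is skipped quickly
tacacs-server timeout 3
ip tacacs source-interface Loopback0
!
! Local fallback account for login when no TACACS+ server answers.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
aaa authentication login default group tacacs+ local
!
! Everyone lands at privilege 15 (Scott's approach) ...
aaa authorization exec default group tacacs+ if-authenticated
!
! ... and per-command authorization against ACS trims what they can run.
! "if-authenticated" is the fallback John asked about: when no TACACS+
! server is reachable, a user who already authenticated is allowed to run
! the command instead of being locked out of the box. That is exactly the
! "once authenticated, full access" trade-off Scott warns about, so decide
! it deliberately; "local" or "none" are the other options IOS offers.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting keeps a record of what was run, including during a fallback
! window once a server is reachable again.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! "aaa authorization console" is deliberately NOT configured: IOS does not
! apply command authorization to the console unless told to, so a serial
! session remains a recovery path if the AAA policy is wrong.
```

The two "tacacs-server host" lines give the redundancy; the "if-authenticated" (or "local") keyword at the end of each authorization method list is the fallback. Without that trailing method, command authorization fails closed when every listed server is unreachable, which is the messy situation John describes.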