[c-nsp] AAA Command Authorization
Andrew Fort
afort at choqolat.org
Wed Jul 6 17:46:24 EDT 2005
On 06/07/2005, at 7:00 AM, John Neiberger wrote:
> I just took a look on CCO and it looks like I can either permit or
> deny commands. If I just want to deny the "config" command, will I need to
> explicitly allow other commands? It would suffice to simply deny the use
> of the config command because the user will need to see the config and
> will also need to do a few other privileged-mode things. We just need to
> make sure that the user can't make changes under normal circumstances.
>
> John
Yes, you need to explicitly list the other commands you want to allow
people to run if you have a 'deny .*' as your rule at the end, since
every command is authorised. (as long as you've done 'aaa author
commands 15 <methods>'). You can use wildcards, and depending on
your AAA server these can be regular expressions, too.
I generally don't recommend using 'aaa author commands... if-auth' if
you're going to give everyone level 15 and then do per-command
authorisation - when the AAA server is unreachable, users who have
already authenticated can do whatever they like if 'if-auth' is
immediately after 'group <server-group>'. Another alternative is to
use 'local' after 'enable', so that you have a local user that is
ONLY available during AAA server outage; but of course it all depends
on the policy you want to define.
Per-command authorisation is super useful, though. It allows us to
remove trouble-making commands, like 'switchport trunk allowed vlan
<vlan list>', forcing people to use 'switchport trunk allowed vlan
add <list>' and 'remove <list>'. Note to cisco: make the more
dangerous version of a command in a live network harder to type next
time! :)
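The method-list ordering and per-command rules discussed above, as an added Python model that is not part of the original thread and not Cisco's or any AAA server's code. It reproduces the IOS behaviour that a method list only moves on to the next method when the previous one gives no answer (server unreachable), never when it denies, and a TACACS+-style ordered permit/deny regex list where the first match wins and an unmatched command is refused. The two rule sets, the usernames (john, emergency, ops) and the simplified 'local' method (a locally defined privilege-15 user passes, nobody else does) are constructed for the illustration.

```python
# Added illustration for the thread above, not code from the post or from
# Cisco: a model of how an IOS 'aaa authorization commands 15 <methods>'
# list and a regex-based per-command rule set on the AAA server interact.
import re
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    pattern: str  # regex matched against the whole (expanded) command line


class AAAServer:
    """Per-command authorization as a TACACS+ server with regex rules does
    it (assumed semantics): rules are tried in order, the first match wins,
    and a command matching nothing is refused, i.e. an implicit 'deny .*'."""

    def __init__(self, rules, reachable=True):
        self.rules = [(r.action, re.compile(r.pattern)) for r in rules]
        self.reachable = reachable

    def authorize(self, command):
        if not self.reachable:
            return ERROR          # no answer: IOS falls through to the next method
        for action, rx in self.rules:
            if rx.fullmatch(command.strip()):
                return PASS if action == "permit" else FAIL
        return FAIL               # implicit deny


def authorize_command(methods, server, user, command, authenticated, local_users):
    """Walk an IOS method list such as ['group tacacs+', 'if-authenticated'].
    A method answering PASS or FAIL ends the walk; only ERROR (server
    unreachable) moves on to the next method, so the order matters."""
    for method in methods:
        if method == "group tacacs+":
            result = server.authorize(command)
        elif method == "if-authenticated":
            result = PASS if authenticated else FAIL
        elif method == "local":
            # Simplified local method (assumption): a locally defined
            # privilege-15 user is authorized, anybody else is refused.
            result = PASS if local_users.get(user) == 15 else FAIL
        else:
            raise ValueError(f"unknown method {method!r}")
        if result != ERROR:
            return result
    return FAIL                   # every method errored: the command is refused


# Constructed rule set for the user in the thread: deny 'configure', list
# the commands that are still wanted, and end with 'deny .*'.
READONLY_RULES = [
    Rule("deny", r"configure( .*)?"),
    Rule("permit", r"show .*"),
    Rule("permit", r"(ping|traceroute) .*"),
    Rule("permit", r"(exit|logout)"),
    Rule("deny", r".*"),
]

# Constructed rule set for the trunk example: only the 'add' and 'remove'
# forms of 'switchport trunk allowed vlan' get through, the replace form does not.
TRUNK_RULES = [
    Rule("permit", r"switchport trunk allowed vlan (add|remove) [0-9,\-]+"),
    Rule("deny", r"switchport trunk allowed vlan .*"),
    Rule("permit", r"(configure terminal|interface .*|switchport .*|show .*)"),
    Rule("deny", r".*"),
]


def readonly_scenarios():
    """Server reachable: its deny on 'configure' is final, if-authenticated
    never gets consulted, and an unlisted command hits the trailing deny."""
    server, methods = AAAServer(READONLY_RULES), ["group tacacs+", "if-authenticated"]

    def check(cmd):
        return authorize_command(methods, server, "john", cmd, True, {})
    return {"show run": check("show running-config"),
            "configure": check("configure terminal"),
            "unlisted": check("clear counters")}


def outage_scenarios():
    """Server unreachable: 'if-authenticated' lets any logged-in user do
    anything, 'local' only admits the locally defined emergency account."""
    down, local_users = AAAServer(READONLY_RULES, reachable=False), {"emergency": 15}
    weak, strict = ["group tacacs+", "if-authenticated"], ["group tacacs+", "local"]
    cmd = "configure terminal"
    return {"weak: john configures": authorize_command(weak, down, "john", cmd, True, local_users),
            "strict: john configures": authorize_command(strict, down, "john", cmd, True, local_users),
            "strict: emergency configures": authorize_command(strict, down, "emergency", cmd, True, local_users)}


def trunk_scenarios():
    server = AAAServer(TRUNK_RULES)

    def check(cmd):
        return authorize_command(["group tacacs+"], server, "ops", cmd, True, {})
    return {"add": check("switchport trunk allowed vlan add 10,20"),
            "remove": check("switchport trunk allowed vlan remove 30"),
            "replace": check("switchport trunk allowed vlan 10,20"),
            "none": check("switchport trunk allowed vlan none")}


if __name__ == "__main__":
    for name, fn in (("read-only", readonly_scenarios), ("outage", outage_scenarios), ("trunk", trunk_scenarios)):
        print(name, fn())
```

The patterns are anchored with fullmatch on purpose: IOS sends the server the expanded command ('conf t' arrives as 'configure terminal'), so matching the whole line avoids a 'permit show .*' accidentally covering something that merely contains 'show'. Which wildcard or regex dialect a real server accepts depends on the server, as the post notes.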