[c-nsp] TACACS+ question

mikus der.mikus at gmail.com
Wed Mar 2 23:18:58 EST 2005


It's not terribly hard to do in ciscosecure acs for windoze.  We
currently use 3.2.x line, where I create shared command authorization
sets for something akin to "network operations", and limit the
particular commands and args as I see fit.  In the group config, I
have everyone come in at priv15, which gives them full access, and
then limit with command authorization sets assigning the "network
operations" group to limit them.  This works well thus far.

All in all, I rather despise the fact that CSACS for unix is WAY
behind the windoze version in functionality (Slowaris only doesn't
help either - gimme linux already!), but it's about the only Cisco
software platform that is useful and fairly bug-free even on windows.
Their management apps are generally rather atrocious for bugs, quirks,
and generally worthless, but I will give props to ACS for being fairly
good once you get used to it.

-mb


On Sun, 27 Feb 2005 15:34:15 +0200, Kim Onnel <karim.adel at gmail.com> wrote:
> Hi,
> 
> I am sure that limiting each account for the NOC engineers to what
> they are authorized to do explicitly is advisable, so that even if an
> account is hijacked, minimum damage is guaranteed.
> 
> And so it is, the NOC can only exec show commands now, but sometimes
> they need to clear some interfaces and view running configurations
> too, so I am confused on how to do this,
> there is also a need to allow specific commands on one router but not the other.
> 
> Our sysadmin is gone, and we're waiting to hire a new one, so I'll be
> doing his task. I'm doing network tasks mostly, but since I had
> previous experiences, I'll try.
> 
> We have SecureACS now, it's really annoying. I got *nix tac_plus,
> locally tested it, I want to migrate to tac_plus, on the other hand
> keep the old ACS server as backup in case the primary fails,
> 
> send me your 0.2$ about it please.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
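The pattern mikus describes for ACS (everyone logs in at priv 15, and a command authorization set, not the privilege level, does the limiting) written out for the tac_plus that the quoted question is migrating to. This is an added example, not configuration from either poster; it assumes the Shrubbery tac_plus configuration syntax, and the group name, user name, shared key and password hash are placeholders. It covers the "show commands only, plus clearing interfaces and viewing the running config" case from the question; the per-router split asked about is not shown here.

```conf
# Added example (not from the thread): tac_plus.conf in Shrubbery syntax.
# Users land at priv 15; the per-group cmd blocks decide what they may run.
# Key, user name and hash are placeholders.

key = "REPLACE_WITH_SHARED_SECRET"
accounting file = /var/log/tac_plus.acct

group = noc {
    # Any command without a cmd block below is refused, so the policy is
    # default-deny rather than "everything except a few things".
    default service = deny

    # Drop the user straight into privilege 15. The command list, not the
    # privilege level, is what actually limits the account.
    service = exec {
        priv-lvl = 15
    }

    # Read-only diagnostics; this already includes "show running-config".
    cmd = show {
        permit .*
    }

    # "clear" is limited to counters and interface resets. Patterns are
    # matched against the arguments only, so anchor them; the trailing
    # deny keeps things like "clear line" or "clear ip route *" out.
    cmd = clear {
        permit "^counters"
        permit "^interface "
        deny .*
    }

    # Housekeeping the exec shell needs so the session stays usable.
    cmd = exit     { permit .* }
    cmd = terminal { permit "^length " }

    # "configure" has no cmd block, so default service = deny refuses it,
    # which is what keeps a hijacked NOC account out of config mode.
}

# Placeholder account; "des" takes a crypt(3) hash generated with tac_pwd.
user = noc1 {
    member = noc
    login = des "REPLACE_WITH_TAC_PWD_HASH"
}
```

None of this takes effect until the router asks the server for command authorization: on IOS that means `aaa authorization commands 15 default group tacacs+ local` and `aaa authorization config-commands`, in addition to login authentication. The "keep the old ACS as backup" requirement in the question is a router-side matter too: list both servers under the tacacs+ server group and the router fails over to the second when the first stops answering, so both servers need to carry the same policy or the fallback quietly loosens it.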

