[c-nsp] Radius or Tacacs+ for AAA

Asbjorn Hojmark - Lists Lists at Hojmark.ORG
Mon Mar 13 14:53:09 EST 2006


>> In particular I would like to be able to control the
>> commands/configuration that various users/groups can
>> perform as well as recording the activities. Ability
>> to work with token systems (RSA, etc) would be a
>> bonus.

> Command accounting/authorization capabilities on Cisco devices
> are only implemented using Tacacs+, so the answer regarding the
> protocol is simple.

Hmm, you can do 'authorization' with RADIUS by using the enable
level and assigning different commands to different levels. The
different users can log in to different levels based on the 
reply from the RADIUS-server.

Actually doing per-command authorization to a AAA-server can be
a real pain (because it slows things down), especially when you're
troubleshooting and/or when the AAA-server is unreachable.

-A
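
The privilege-level approach described in the message above, as an added example that is not part of the original post. The server address, shared secret, level 5, the local account and the commands moved to that level are constructed placeholders, and the RADIUS server is assumed to return the Cisco AV pair shown in the comments.

```cisco
! Constructed example: 192.0.2.10, <shared-secret>, level 5 and the
! "noc" account are placeholders, not values from the thread.
aaa new-model
radius-server host 192.0.2.10 key <shared-secret>
!
! Authenticate logins against RADIUS; use local accounts only when the
! server does not answer.
aaa authentication login default group radius local
!
! EXEC authorization: the RADIUS Access-Accept decides the privilege
! level the session starts at. Assumed reply attribute on the server:
!   cisco-avpair = "shell:priv-lvl=5"
aaa authorization exec default group radius local
!
! Move selected commands down to level 5. The check is done on the
! device itself, so no request is sent to the server per command and
! the commands keep working while the server is unreachable.
privilege exec level 5 clear counters
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! Local fallback account at the same level, so an outage of the RADIUS
! server does not hand out more rights than the server would.
username noc privilege 5 secret <local-password>
```

Users whose reply carries no priv-lvl attribute start at level 1, so the level granted is controlled entirely by the server's reply for that user or group.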