[c-nsp] Radius or Tacacs+ for AAA

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Mar 14 02:23:58 EST 2006


Lawrence Wong <lawrencewong72 at yahoo.com> wrote on Tuesday, March
14, 2006 8:18 AM:

> --- Asbjorn Hojmark - Lists <Lists at Hojmark.ORG> wrote:
> 
>>>> In particular I would like to be able to control the
>>>> commands/configuration that various users/groups can
>>>> perform as well as recording the activities. Ability
>>>> to work with token systems (RSA, etc) would be a
>>>> bonus.
>> 
>>> Command accounting/authorization capabilities on Cisco devices
>>> is only implemented using Tacacs+, so the answer regarding the
>>> protocol is simple.
>> 
>> Hmm, you can do 'authorization' with RADIUS by using the enable
>> level and assigning different commands to different levels. The
>> different users can log in to different levels based on the
>> reply from the RADIUS-server.
> 
> Yeap, that's what I'm trying to achieve.

ok, but this requires quite a bit of local config at the device as well
(which needs to be maintained consistently), and is not as granular as
T+ command authorization.

> I know RADIUS has accounting features, but if I were
> to use radius with Cisco AAA, will I still be able to
> keep track of details like login/logout time as well
> as commands executed?

You can do session accounting, but command accounting is only possible
with Tacacs+.

	oli
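The two approaches contrasted above, as an added Cisco IOS configuration sketch (not from the original post or from Cisco; the server addresses and shared secrets are placeholders, and the classic `radius-server host` / `tacacs-server host` syntax is assumed):

```ios
! --- Approach 1: RADIUS with local privilege levels ---
! Placeholder server and key; replace with your own.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
aaa authentication login default group radius local
! exec authorization is what lets the server's reply set the level
! (cisco-avpair "shell:priv-lvl=5" lands the user at level 5)
aaa authorization exec default group radius local
! session accounting only: login/logout time, no per-command records
aaa accounting exec default start-stop group radius
!
! The server only returns a level; which commands that level may run
! is defined here and must be kept identical on every device.
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
!
! --- Approach 2: TACACS+ command authorization and accounting ---
tacacs-server host 192.0.2.20 key EXAMPLE-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! each command at these levels is checked against the server's policy,
! so the per-command rules live centrally instead of on every device
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! and every command is logged on the server, which RADIUS cannot do
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
```

Keep the `local` fallback on a console-only basis if your policy requires it; as written, it lets a user in when the AAA server is unreachable.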


