[c-nsp] Radius or Tacacs+ for AAA
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Mar 14 02:23:58 EST 2006
Lawrence Wong <mailto:lawrencewong72 at yahoo.com> wrote on Tuesday, March 14, 2006 8:18 AM:
> --- Asbjorn Hojmark - Lists <Lists at Hojmark.ORG> wrote:
>
>>>> In particular I would like to be able to control the
>>>> commands/configuration that various users/groups can
>>>> perform as well as recording the activities. Ability
>>>> to work with token systems (RSA, etc) would be a
>>>> bonus.
>>
>>> Command accounting/authorization capabilities on Cisco devices
>>> is only implemented using Tacacs+, so the answer regarding the
>>> protocol is simple.
>>
>> Hmm, you can do 'authorization' with RADIUS by using the enable
>> level and assigning different commands to different levels. The
>> different users can log in to different levels based on the
>> reply from the RADIUS-server.
>
> Yeap, that's what I'm trying to achieve.
ok, but this requires quite a bit of local config at the device as well
(which needs to be maintained consistently), and is not as granular as
T+ command authorization.
> I know RADIUS has accounting features, but if I were
> to use radius with Cisco AAA, will I still be able to
> keep track of details like login/logout time as well
> as commands executed?
You can do session accounting, but command accounting is only possible
with Tacacs+.
oli
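As an added illustration of the two approaches compared in this thread (it is not configuration from the original message or from Cisco documentation), the following IOS fragment puts the RADIUS privilege-level method next to TACACS+ command authorization and accounting. Server addresses and shared secrets are placeholders, and the two variants are alternatives rather than one config, since both define the default method lists.

```cisco
! Added example, not from the thread. Addresses and keys are placeholders.
aaa new-model
!
! ===== Variant A: RADIUS, authorization by privilege level =====
! The RADIUS server returns the user's level in its Access-Accept, e.g. the
! Cisco vendor attribute  cisco-avpair = "shell:priv-lvl=5"
! together with  Service-Type = NAS-Prompt-User  so the user lands in exec.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! The command-to-level mapping lives on every device and has to be kept
! consistent across the fleet: this is the local config Oli refers to.
! Anything not moved down stays at level 15.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 10 clear counters
!
! RADIUS accounting is per session (login/logout time), not per command.
aaa accounting exec default start-stop group radius
!
! ===== Variant B: TACACS+, per-command authorization and accounting =====
! Every command typed at level 1 or 15 is sent to the T+ server for a
! permit/deny decision, and each one is then logged there with its arguments,
! so the command policy is maintained centrally instead of on each box.
tacacs-server host 192.0.2.20 key TACACS-SECRET-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

In both variants the trailing `local` keeps console access working when the AAA server is unreachable, which is worth testing before rolling the config out; with variant A, remember that every `privilege exec level` line has to be replicated on each device, which is exactly the maintenance burden the thread points out.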