[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove" (was: Maximum spanning tree instances)
Gert Doering
gert at greenie.muc.de
Tue Jul 14 16:33:26 EDT 2009
Hi,
On Tue, Jul 14, 2009 at 08:40:17PM +0200, Peter Rathlev wrote:
> On Tue, 2009-07-14 at 18:05 +0200, Gert Doering wrote:
> > Mmmmh. If one does TACACS command authentication, one could
> > investigate whether disallowing the "without-add/-delete" form of the
> > command via TACACS works...
>
> It does indeed. We use something similar to the configuration below for
> "operators" who can do simple maintenance chores.
Cool.
We're currently not doing TACACS command authorization, but I might
be tempted to introduce that :-)
Now: what happens if the TACACS server is unavailable? The way we
currently run the shop is "there is a local username configured as
fallback if TACACS doesn't respond" - and people know that they get
slapped if they use this user without good reason.
How would command authorization work in that case?
... it's not unheard-of that router configuration is direly needed to
repair a broken network connection *to* the TACACS Server, so this
problem must be known to other folks as well :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
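For readers following the fallback question above: the following is an added IOS AAA example, not configuration posted by Gert or Peter in this thread. It shows how method lists answer "what happens when the TACACS+ server is unavailable": each list names the TACACS+ group first and a local method second, and IOS only moves to the second method when no server in the group responds (a TACACS+ "deny" is a valid answer and does not fall through). Server name, address, group name, user name and key are hypothetical placeholders.

```text
! Added example, not from the thread. Names and addresses are placeholders.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <placeholder-key>
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Login and exec: ask TACACS+ first; fall back to the local user database
! only when no server in TAC-GROUP answers (timeout), never on a reject.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
!
! Per-command authorization: TACACS+ decides normally (this is where the
! "add"/"remove"-only policy for "switchport trunk allowed vlan" lives).
! When no server is reachable, "if-authenticated" applies, so an already
! authenticated user may run any command within their local privilege level.
aaa authorization commands 1 default group TAC-GROUP if-authenticated
aaa authorization commands 15 default group TAC-GROUP if-authenticated
aaa authorization config-commands
!
! Local fallback account; only usable while TACACS+ is unreachable.
username fallback-admin privilege 15 secret <placeholder-secret>
!
! TACACS+ accounting records never reach a dead server, so keep a local
! trail of configuration changes made while the fallback was in use.
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
```

The practical consequence for the "you get slapped if you use the fallback user" policy is that the command policy enforced by TACACS+ is simply absent while the server is down; the fallback user is bounded only by privilege level, and the `archive log config` buffer (and the syslog copies it emits) is what lets you review afterwards which commands were entered during the outage.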