[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove" (was: Maximum spanning tree instances)
Justin Shore
justin at justinshore.com
Tue Jul 14 18:06:13 EDT 2009
Gert Doering wrote:
> Now: what happens if the TACACS server is unavailable? The way we
> currently run the shop is "there is a local username configured as
> fallback if TACACS doesn't respond" - and people know that they get
> slapped if they use this user without good reason.
>
> How would command authorization work in that case?
I think it would once again require the mighty hand of the Gert to slap
his underling back into line.
I believe you can create an authorization list locally that simply
permits all commands. Then set that list as the backup to tacacs in the
AAA config. Like you said before, this is the backup plan in case the
world is coming to an end.
I don't do AAA authorization yet but I do use TACACS and I fall back to
a local user for authentication. It's very handy. That userid & passwd
don't stray far from my hands. I wouldn't make it something that's
known to everyone though. It would be a very select list.
Justin
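Added example (not from Justin's post or the thread): an IOS AAA configuration that does what he describes, with TACACS+ first for login and command authorization and a local fallback that only applies when the server does not answer. The server name TAC1, its address 192.0.2.10, the group name TACACS-GRP, the key placeholder and the username "fallback" are all assumed here. Note that classic IOS has no local method for command authorization; the "list that simply permits all commands" is expressed with the if-authenticated method (or none), which succeeds for any user who already passed authentication.

```cisco
! Assumed example configuration, not the poster's own config.
aaa new-model

! TACACS+ server and group (address and key are placeholders)
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE-ME-SHARED-SECRET
aaa group server tacacs+ TACACS-GRP
 server name TAC1

! Local user used only when TACACS+ is unreachable.
! Keep this password in very few hands, as described above.
username fallback privilege 15 secret REPLACE-ME-FALLBACK-PASSWORD

! Authentication: TACACS+ first, local database second.
aaa authentication login default group TACACS-GRP local

! Authorization: TACACS+ first; if it returns no answer, fall through to
! if-authenticated, which permits everything for an authenticated user.
aaa authorization exec default group TACACS-GRP if-authenticated
aaa authorization commands 1 default group TACACS-GRP if-authenticated
aaa authorization commands 15 default group TACACS-GRP if-authenticated
! Also send configuration-mode commands through command authorization.
aaa authorization config-commands

! Accounting so that use of the fallback path still leaves a trail
! once the server is back (nothing is delivered while it is down).
aaa accounting exec default start-stop group TACACS-GRP
aaa accounting commands 15 default start-stop group TACACS-GRP

line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

One caveat worth checking before relying on this: IOS only moves to the next method in a list when the current method returns an error (server unreachable or not responding), not when the server answers with a deny. So a TACACS+ server that is up and rejects "switchport trunk allowed vlan X" still rejects it; the if-authenticated fallback opens up only in the "world is coming to an end" case where no server responds. Also remember that accounting records generated while the server is down are lost, so local syslog is the only record of what the fallback user did.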