[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove" (was: Maximum spanning tree instances)

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 14 19:22:14 EDT 2009


Justin Shore wrote:
> Gert Doering wrote:
>> Now: what happens if the TACACS server is unavailable?  The way we 
>> currently run the shop is "there is a local username configured as 
>> fallback if TACACS doesn't respond" - and people know that they get 
>> slapped if they use this user without good reason.
>>
>> How would command authorization work in that case?
> 
> I think it would once again require the mighty hand of the Gert to slap 
> his underling back into line.
> 
> I believe you can create an authorization list locally that simply 
> permits all commands.  Then set that list as the backup to tacacs in the 
> AAA config.  Like you said before, this is the backup plan in case the 
> world is coming to an end.
> 
> I don't do AAA authorization yet but I do use TACACS and I fall back to 
> a local user for authentication.  It's very handy.  That userid & passwd 
> don't stray far from my hands.  I wouldn't make it something that's 
> known to everyone though.  It would be a very select list.

That might work in some places, and our auditors certainly seem to think 
there should only be 1 person with the router enable password (wtf?!) 
but we adopted a slightly more low-tech solution. It's not as sexy as 
running a TACACS server:

alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove

...then:

conf t
int g1/1
   tagvlan 100,101
   detagvlan 200

...and just don't use the more dangerous commands.

I imagine something even more sophisticated could be done with the new 
EEM cli commands interface.

Does anyone know if this can be done without TACACS? Using CLI views or 
similar?
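To make the risk behind the aliases concrete, here is an added example (not part of the post or any Cisco tool) that models how IOS updates a trunk's allowed-VLAN list for each form of the command and audits a list of config lines for the replacing forms. The keyword set (add, remove, except, all, none) and the 1-4094 VLAN range come from the IOS command syntax; the function names are my own.

```python
import re

# Forms of the command: a bare vlan-list, or one of the IOS keywords, optionally
# followed by a vlan-list such as "10,20-22".
CMD_RE = re.compile(
    r"^\s*switchport trunk allowed vlan"
    r"(?:\s+(add|remove|except|all|none))?(?:\s+([\d,\-]+))?\s*$",
    re.IGNORECASE,
)
ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs 1-4094


def parse_vlan_list(spec):
    """Expand an IOS vlan-list like '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def apply_command(allowed, line):
    """Return the trunk's allowed set after one config line is applied."""
    m = CMD_RE.match(line)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError("not an allowed-vlan command: %r" % line)
    keyword, spec = (m.group(1) or "").lower(), m.group(2)
    vlans = parse_vlan_list(spec) if spec else set()
    if keyword == "add":
        return allowed | vlans          # edits the list: safe alias "tagvlan"
    if keyword == "remove":
        return allowed - vlans          # edits the list: safe alias "detagvlan"
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(ALL_VLANS) - vlans
    return vlans                        # bare list: everything else is dropped


def is_replace_form(line):
    """True for the forms that overwrite the list rather than add/remove."""
    m = CMD_RE.match(line)
    return bool(m) and (m.group(1) or "").lower() not in ("add", "remove")


def audit(lines):
    """Return the lines (e.g. from TACACS accounting or archive log config)
    that would replace a trunk's allowed-VLAN list outright."""
    return [l.strip() for l in lines if is_replace_form(l)]
```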