[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove"

Peter Rathlev peter at rathlev.dk
Tue Jul 14 20:09:17 EDT 2009


On Tue, 2009-07-14 at 22:33 +0200, Gert Doering wrote:
> Now: what happens if the TACACS server is unavailable?  The way we 
> currently run the shop is "there is a local username configured as 
> fallback if TACACS doesn't respond" - and people know that they get 
> slapped if they use this user without good reason.
> 
> How would command authorization work in that case?

You can have "if-authenticated" as fall back mechanism. Kind of like a
local "permit any" authorization list.

aaa authorization exec METHOD group tacacs+ if-authenticated
aaa authorization commands 0 METHOD group tacacs+ if-authenticated
aaa authorization commands 15 METHOD group tacacs+ if-authenticated

Currently we only allow "if-authenticated" on the console port. After a
few funny situations the past year I'm seriously considering just
enabling it for VTYs also. I'm not exactly sure why I haven't done this
yet, but there's something inside my head telling me that there's some
security aspect here. I just can't think of it. :-)

Regards,
Peter
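As an added illustration of the fallback semantics described above (constructed for this archive page, not code from the thread and not IOS itself): a small Python model of how an IOS AAA method list is walked, where an unreachable TACACS+ server (ERROR) falls through to the next method but an explicit server deny (FAIL) ends the evaluation. The tacacs_policy rules, the session fields and the role names are assumptions made for the example.

```python
# Model of IOS AAA method-list evaluation (constructed example, not IOS code).
# A method returns PASS, FAIL or ERROR. IOS moves to the next method only on
# ERROR (no server answered); FAIL (an explicit deny) ends the evaluation.
from enum import Enum


class Result(Enum):
    PASS = 1
    FAIL = 2
    ERROR = 3


def tacacs_policy(session, command):
    # Constructed stand-in for the TACACS+ command rules: only "admin" may
    # run "switchport trunk allowed vlan <list>" without "add" or "remove".
    words = command.split()
    if words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
        if words[4:5] not in (["add"], ["remove"]):
            return session["role"] == "admin"
    return True


def group_tacacs(server_up):
    # "group tacacs+": ERROR when no server responds, else the server verdict.
    def method(session, command):
        if not server_up:
            return Result.ERROR
        return Result.PASS if tacacs_policy(session, command) else Result.FAIL
    return method


def if_authenticated(session, command):
    # "if-authenticated": permit any user who completed login.
    return Result.PASS if session["authenticated"] else Result.FAIL


def authorize(method_list, session, command):
    # Walk the list with IOS semantics; if every method ERRORs, deny.
    for method in method_list:
        result = method(session, command)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
    return False


def command_permitted(server_up, session, command, fallback=True):
    # Build "group tacacs+ [if-authenticated]" and evaluate one command.
    methods = [group_tacacs(server_up)]
    if fallback:
        methods.append(if_authenticated)
    return authorize(methods, session, command)
```

With the server unreachable, any session that got past login (the local fallback user included) passes every command, so the per-command policy held on the TACACS+ server is absent exactly while the fallback is in effect; with the server reachable, its deny is final and if-authenticated is never consulted.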
