[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove"
Peter Rathlev
peter at rathlev.dk
Tue Jul 14 20:09:17 EDT 2009
On Tue, 2009-07-14 at 22:33 +0200, Gert Doering wrote:
> Now: what happens if the TACACS server is unavailable? The way we
> currently run the shop is "there is a local username configured as
> fallback if TACACS doesn't respond" - and people know that they get
> slapped if they use this user without good reason.
>
> How would command authorization work in that case?
You can have "if-authenticated" as fall back mechanism. Kind of like a
local "permit any" authorization list.
aaa authorization exec METHOD group tacacs+ if-authenticated
aaa authorization commands 0 METHOD group tacacs+ if-authenticated
aaa authorization commands 15 METHOD group tacacs+ if-authenticated
Currently we only allow "if-authenticated" on the console port. After a
few funny situations the past year I'm seriously considering just
enabling it for VTYs also. I'm not exactly sure why I haven't done this
yet, but there's something inside my head telling me that there's some
security aspect here. I just can't think of it. :-)
Regards,
Peter
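The security aspect Peter is reaching for is that with "if-authenticated" as the fallback method, any session that got past authentication (including one using the local fallback account while TACACS+ is unreachable) receives unrestricted exec and command authorization, so where that method list is bound matters. The following audit script is an added example, not from the original thread: it parses an IOS-style configuration (a constructed sample modelled on the METHOD lists in the post, with an assumed second list STRICT), resolves which method list each line stanza applies, and reports remote lines (vty/aux) whose authorization can fall back to if-authenticated, while treating the console as the accepted case as Peter describes.

```python
import re

# Constructed sample IOS configuration (not from the original post). METHOD
# falls back to if-authenticated and is bound to both console and the first
# VTY range; STRICT (an assumed list) has no fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTYAUTH group tacacs+ local
aaa authorization exec METHOD group tacacs+ if-authenticated
aaa authorization commands 0 METHOD group tacacs+ if-authenticated
aaa authorization commands 15 METHOD group tacacs+ if-authenticated
aaa authorization exec STRICT group tacacs+
aaa authorization commands 15 STRICT group tacacs+
line con 0
 authorization exec METHOD
 authorization commands 15 METHOD
line vty 0 4
 authorization exec METHOD
 authorization commands 15 METHOD
 transport input ssh
line vty 5 15
 authorization exec STRICT
 authorization commands 15 STRICT
"""

AAA_AUTHZ = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
LINE_HDR = re.compile(r"^line (con|vty|aux) .*$")
LINE_AUTHZ = re.compile(r"^ authorization (exec|commands \d+) (\S+)$")


def parse_method_lists(config):
    """Return {list_name: {authz_type: [methods...]}} from 'aaa authorization' lines."""
    lists = {}
    for line in config.splitlines():
        m = AAA_AUTHZ.match(line)
        if m:
            authz_type, name, methods = m.groups()
            lists.setdefault(name, {})[authz_type] = methods.split()
    return lists


def parse_line_stanzas(config):
    """Return {line_header: {authz_type: list_name}} for each 'line ...' stanza."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if LINE_HDR.match(line):
            current = line
            stanzas[current] = {}
            continue
        if not line.startswith(" "):
            current = None  # left the indented stanza body
            continue
        m = LINE_AUTHZ.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas


def effective_bindings(config):
    """Resolve (line, authz_type, list_name, methods) per stanza.

    A line without an explicit binding for a type uses the 'default' list
    when one exists, as IOS does."""
    lists = parse_method_lists(config)
    out = []
    for header, explicit in parse_line_stanzas(config).items():
        for authz_type in sorted(set(explicit) | set(lists.get("default", {}))):
            name = explicit.get(authz_type, "default")
            out.append((header, authz_type, name, lists.get(name, {}).get(authz_type, [])))
    return out


def find_if_authenticated_fallback(config):
    """List remote lines (vty/aux) whose authorization can fall back to if-authenticated."""
    findings = []
    for header, authz_type, name, methods in effective_bindings(config):
        if header.startswith("line con"):
            continue  # console fallback is the accepted case in the thread
        if "if-authenticated" in methods:
            findings.append(f"{header}: {authz_type} uses list {name} -> {' '.join(methods)}")
    return findings


if __name__ == "__main__":
    for finding in find_if_authenticated_fallback(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports only "line vty 0 4" (for exec and commands 15); the console binding is skipped and the STRICT-bound VTYs are clean. On a real device, pair the output with the "local" fallback in the login authentication list, since that combination is exactly what turns the fallback account into full authorization during a TACACS+ outage.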