[c-nsp] A question about TACACS+ and controlling command use
Ian MacKinnon
Ian.Mackinnon at lumison.net
Fri Jun 12 09:54:01 EDT 2009
Don't know if this would work, but why not bar them from the controller command instead
Ie
Conf t
Controller T3 1/0 -----Block this command
shut
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Byrd, William
> Sent: 12 June 2009 14:42
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] A question about TACACS+ and controlling command use
>
> I've done a lot of thinking and searching on this problem and I haven't
> been able to figure out any way to solve it. The rest of the Engineers
> here have come to the conclusion it just can't be done.
>
> We have a pretty large deployment of Cisco 7200's with the vast
> majority
> being carded out with PA-MC-2T3 cards. Typically a customer will order
> a
> DS1 or several DS1's which will be delivered MLPPP to the customer.
>
> As we do not currently have any automation tools in place to provision
> or
> remove old provisioning for customers we frequently end up in
> situations
> where a technician building or removing a customer has shutdown a DS3
> and
> taken down a lot of customers.
>
> The obvious answer is to restrict the use of the shutdown command.
> Unfortunately the technicians that often make the mistakes have to be
> able
> to use the command to shut down Serial or Ethernet interfaces in the
> course of their work.
>
> As TACACS is setup to basically permit or deny the use of the command I
> can't find a way to restrict it on say a T3 controller but permit it
> for
> everything else; example:
>
> cmd = no
> {
> permit ^shutdown.<cr>$
> deny .*
>
> cmd = shutdown
> {
> permit .*
> }
>
> Anyone ever deal with a similar problem and find a good solution to it?
>
> -Will
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender. Any
offers or quotation of service are subject to formal specification.
Errors and omissions excepted. Please note that any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Lumison.
Finally, the recipient should check this email and any attachments for the
presence of viruses. Lumison accept no liability for any
damage caused by any virus transmitted by this email.
More information about the cisco-nsp
mailing list