[c-nsp] TACACS "emergency" password management
Lee
ler762 at gmail.com
Mon Nov 1 19:57:51 EDT 2010
On 11/1/10, Nick Hilliard <nick at foobar.org> wrote:
> On 01/11/2010 19:55, Lee wrote:
>> At 2am all my managers are busy sleeping :) But regardless, doesn't
>> if-authenticated fix that horrible timeout wait? - ie:
>> aaa authorization exec default group tacacs+ if-authenticated
>
> It does, yes. But it also authorises anything if you're authenticated.
> You may not want this.
Ahh.. right, hadn't thought of that. We used to have a group of
people that were allowed to do switch port changes (set the vlan &
up/dn ports) but that went away several years ago. So now if you're
allowed enable mode there are no [tacacs] restrictions on what you can
do.
Lee
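
A check for the trade-off discussed in this thread, as an added example that is not part of the original messages: a Python sketch that scans IOS configuration text for `aaa authorization` method lists containing `if-authenticated` or `none`, the methods that authorise without consulting the TACACS+ server. The sample config is constructed (only the exec line comes from the thread), and the function names are hypothetical.

```python
# Methods that grant authorization without asking a AAA server.
PERMISSIVE = {"if-authenticated", "none"}

# Constructed sample config; only the exec line comes from the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 1 OPS group tacacs+ none
"""

def parse_authorization(line):
    """Return (service, list_name, methods) for a method-list line, else None."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authorization"]:
        return None
    tokens = tokens[2:]
    if not tokens:
        return None
    service = tokens.pop(0)
    if service == "commands" and tokens and tokens[0].isdigit():
        service += " " + tokens.pop(0)  # privilege level is part of the service
    if len(tokens) < 2:
        return None  # e.g. 'aaa authorization config-commands' has no method list
    list_name = tokens.pop(0)
    methods = []
    while tokens:
        tok = tokens.pop(0)
        if tok == "group" and tokens:
            tok += " " + tokens.pop(0)  # 'group tacacs+' is one method
        methods.append(tok)
    return service, list_name, methods

def audit(config):
    """List (service, list_name, method, is_fallback) for each permissive method."""
    findings = []
    for line in config.splitlines():
        parsed = parse_authorization(line)
        if parsed is None:
            continue
        service, list_name, methods = parsed
        for position, method in enumerate(methods):
            if method in PERMISSIVE:
                # is_fallback: reached only when earlier methods give no answer
                findings.append((service, list_name, method, position > 0))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```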