[c-nsp] TACACS "emergency" password management

David Rothera david.rothera at gmail.com
Mon Nov 1 20:01:13 EDT 2010


On 1 Nov 2010, at 23:57, Lee wrote:

> On 11/1/10, Nick Hilliard <nick at foobar.org> wrote:
>> On 01/11/2010 19:55, Lee wrote:
>>> At 2am all my managers are busy sleeping :)   But regardless, doesn't
>>> if-authenticated fix that horrible timeout wait? - ie:
>>> aaa authorization exec default group tacacs+ if-authenticated
>> 
>> It does, yes.  But it also authorises anything if you're authenticated.
>> You may not want this.
> 
> Ahh..  right, hadn't thought of that.  We used to have a group of
> people that were allowed to do switch port changes (set the vlan &
> up/dn ports) but that went away several years ago.  So now if you're
> allowed enable mode there's no [tacacs] restrictions on what you can
> do.
> 
> Lee

We just have two levels, one for the first-line guys who can run show commands but no config changes or clearing of things and another level for everyone else.

It seems to work pretty well for us and then there is the accounting side of being able to point fingers at people when things break... :P
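Worked example added here, not part of the thread or either poster's configuration: an IOS AAA block that puts the if-authenticated fallback discussed above next to the per-command authorization and accounting that a "show-only" versus "everything else" split relies on. The server name TAC1, the group name NOC-TACACS, the address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Added example (not from the thread): TACACS+ authentication, exec and
! per-command authorization, accounting. Names, address and key are placeholders.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ NOC-TACACS
 server name TAC1
!
! Login: TACACS+ first; the local user database is tried only if no server
! answers (an ERROR), never when a server rejects the credentials.
aaa authentication login default group NOC-TACACS local
!
! Exec authorization: the TACACS+ server decides (and can set priv-lvl).
! "if-authenticated" is reached only when the server group returns an error,
! so an outage no longer makes each login wait out the timeout, but during the
! outage every authenticated user is granted exec access.
aaa authorization exec default group NOC-TACACS if-authenticated
!
! Per-command authorization at levels 1 and 15: the server can permit one
! group only "show" and another group everything, including clear/configure.
! Without these lines TACACS+ places no restriction on what an enabled user runs.
! The same if-authenticated fail-open applies here while the servers are down.
aaa authorization commands 1 default group NOC-TACACS if-authenticated
aaa authorization commands 15 default group NOC-TACACS if-authenticated
! Authorize commands typed in configuration mode as well (on by default, shown explicitly).
aaa authorization config-commands
!
! The console is exempt from authorization unless this is configured.
aaa authorization console
!
! Accounting: who logged in, and every command run at either level, for the
! finger-pointing mentioned above.
aaa accounting exec default start-stop group NOC-TACACS
aaa accounting commands 1 default start-stop group NOC-TACACS
aaa accounting commands 15 default start-stop group NOC-TACACS
```

The per-command rules themselves live on the TACACS+ server (for example a group that permits only "show" and denies "clear" and "configure"); the router only asks. Replacing if-authenticated with local as the fallback method ties the outage behaviour to the privilege level of the local username instead of granting everyone everything, at the cost of maintaining local accounts.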
