[c-nsp] TACACS "emergency" password management

Lee ler762 at gmail.com
Mon Nov 1 20:08:35 EDT 2010


On 11/1/10, David Rothera <david.rothera at gmail.com> wrote:
> On 1 Nov 2010, at 23:57, Lee wrote:
>
>> On 11/1/10, Nick Hilliard <nick at foobar.org> wrote:
>>> On 01/11/2010 19:55, Lee wrote:
>>>> At 2am all my managers are busy sleeping :)   But regardless, doesn't
>>>> if-authenticated fix that horrible timeout wait? - ie:
>>>> aaa authorization exec default group tacacs+ if-authenticated
>>>
>>> It does, yes.  But it also authorises anything if you're authenticated.
>>> You may not want this.
>>
>> Ahh..  right, hadn't thought of that.  We used to have a group of
>> people that were allowed to do switch port changes (set the vlan &
>> up/dn ports) but that went away several years ago.  So now if you're
>> allowed enable mode there's no [tacacs] restrictions on what you can
>> do.
>>
>> Lee
>
> We just have two levels, one for the first-line guys who can run show
> commands but no config changes or clearing of things and another level for
> everyone else.
>
> It seems to work pretty well for us and then there is the accounting side of
> being able to point fingers at people when things break... :P

exactly :)   Just because there's no technical restriction on what
we're allowed to do doesn't mean there aren't any managerial
restrictions.

Lee
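The setup the thread describes, written out as an added example that is not part of the original message or of anyone's production config. It shows the if-authenticated fallback on the exec and command authorization lists (and the caveat raised above), a two-tier split on the TACACS+ server (show-only versus everything), and the per-command accounting that makes "pointing fingers" possible. The server address, shared key, group names, usernames and the break-glass account are all made up; the router side uses the tacacs-server host syntax current in 2010, the server side uses Shrubbery tac_plus.conf syntax.

```text
! --- Router side (Cisco IOS) ---
! Assumed: TACACS+ server 192.0.2.10 and shared key EXAMPLE-KEY (both made up).
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
tacacs-server timeout 3
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization. if-authenticated is the fallback that removes the
! long wait when the server is unreachable, but it grants the exec session
! to anyone who authenticated, whatever the server would have said.
aaa authorization exec default group tacacs+ if-authenticated
!
! Per-command authorization is what actually enforces the two tiers.
! With if-authenticated here as well, a server outage silently turns the
! show-only tier into full access. Remove the fallback to fail closed
! instead: every command is then refused until the server is back, so
! keep a local account and console access for that case.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
!
! Accounting: one start-stop record per command, tagged with the
! TACACS+ username, is the audit trail the thread refers to.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local break-glass account, reachable only when login fails over to "local".
username breakglass privilege 15 secret EXAMPLE-PASSWORD
line vty 0 4
 transport input ssh

# --- Server side (tac_plus.conf, Shrubbery syntax; all names made up) ---
key = EXAMPLE-KEY

# Tier 1: lands at privilege 15 so "show running-config" and friends work,
# but any command without a matching cmd block (configure, clear, reload,
# write ...) is denied because tac_plus denies by default.
group = noc-tier1 {
    service = exec {
        priv-lvl = 15
    }
    cmd = show   { permit .* }
    cmd = ping   { permit .* }
    cmd = exit   { permit .* }
    cmd = logout { permit .* }
}

# Tier 2: "everyone else", no command restrictions.
group = noc-tier2 {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = alice {
    member = noc-tier1
    login = file /etc/passwd
}
user = bob {
    member = noc-tier2
    login = file /etc/passwd
}
```

The choice on the two "commands" lists is fail-open versus fail-closed. if-authenticated keeps the NOC working through a TACACS+ outage at the cost of the tier split; plain "group tacacs+" keeps the split but locks everyone out of every command, including tier 2, until the server answers again. Either way the accounting records only exist while the server is reachable, so an outage is also a gap in the audit trail.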
