[c-nsp] TACACS "emergency" password management
sthaug at nethelp.no
Tue Nov 2 05:29:29 EDT 2010
> > Interesting. I was under the impression that a common use-case for TACACS
> > was command authorization; letting "2nd line" engineers do things like
> > provision new gig ports, but needing a "3rd line" engineer to change IP
> > routing etc.
>
>
> Oh not at all. That's one of the things that's available but no one remembers
> or needs.
I can't comment on how common it is, but we use it. We block commands
like "switchport trunk allowed vlan <digits>", while allowing "none",
"add" and "remove" forms of the same. It's a way of preventing a too
common case of shooting yourself in the foot.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
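
The command filtering described in the message above, as an added example that is not part of the original post and is not the poster's configuration: an ordered permit/deny rule list checked against each command line. The first-match-wins evaluation, the rule regexes, the default action and the sample commands are all assumptions constructed for illustration.

```python
import re

# Constructed policy: ordered (action, regex) pairs, first match wins.
# Assumption for illustration only; not taken from any real TACACS+ server.
POLICY = [
    # Incremental forms edit the allowed-VLAN list without replacing it.
    ("permit", re.compile(r"^switchport trunk allowed vlan (none|(add|remove) [0-9,-]+)$")),
    # The bare <digits> form replaces the whole list: the foot-gun to block.
    ("deny", re.compile(r"^switchport trunk allowed vlan [0-9]")),
    # Other switchport commands stay available to this (hypothetical) group.
    ("permit", re.compile(r"^switchport ")),
]
DEFAULT_ACTION = "deny"  # anything not matched above is refused


def normalize(command):
    """Collapse whitespace and lowercase so spacing or case cannot dodge a rule."""
    return " ".join(command.split()).lower()


def authorize(command, policy=POLICY, default=DEFAULT_ACTION):
    """Return 'permit' or 'deny' for one command line."""
    line = normalize(command)
    for action, pattern in policy:
        if pattern.search(line):
            return action
    return default


# Constructed sample input.
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10,20",
    "switchport trunk allowed vlan add 10,20",
    "switchport trunk allowed vlan remove 30",
    "switchport trunk allowed vlan none",
    "Switchport  trunk allowed VLAN   10",
    "switchport mode trunk",
    "router bgp 65000",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{authorize(cmd):6}  {cmd}")
```

Rule order matters here: the permit for the "none", "add" and "remove" forms is listed before the deny on the digits form, and the generic switchport permit comes last so it cannot shadow the deny.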