[c-nsp] Limit Access right on Cisco 6500 IOS ?

David Freedman david.freedman at uk.clara.net
Tue Aug 30 10:31:54 EDT 2011


> it is a
> challenge to do this on a "stateful" basis i.e. to permit users to run
> commands on certain interfaces but not others.

A simple way of doing this, assuming you are using Shrubbery
(http://www.shrubbery.net/tac_plus/) is to use authorization callout
scripts (man 5 tac_plus.conf, search for "AUTHORIZATION SCRIPTS")

Assuming you have a good (port) inventory system, with relevant linkage
to your BSS, these scripts can assist you in creation of such dynamic
policies.

However, I would recommend looking at the Radiator RADIUS server
(http://www.open.com.au/radiator/,
I have no connection with these people, other than being a happy customer)

It is a commercial RADIUS server, written in (and configured in) the
Perl programming language. It supports serving clients via TACACS+ and
allows you, with great ease, to write some quite complex checks through
which to grant authorization, whilst maintaining

Also, being a RADIUS server, it has the advantage of being able to serve
clients via RADIUS, if they do not have TACACS+ support, hence you can
have a collapsed platform.



--
David Freedman
Group Network Engineering
Claranet Group
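An added example of the tac_plus authorization-callout approach mentioned above (this is illustrative code, not from David's post, Shrubbery's tac_plus distribution, or Radiator). It assumes the `before authorization "/usr/local/sbin/iface_authz.py $user"` form of the directive in tac_plus.conf, that the script receives the request's AV pairs on stdin one per line, and that exit status 0 means permit, 1 deny and 3 "no decision, continue with the normal configuration"; those meanings are my reading of `man 5 tac_plus.conf` and should be checked against the version you run. The inventory is a constructed dictionary standing in for the port-inventory/BSS lookup. The stateful limitation still applies: IOS authorizes a config-mode subcommand such as `shutdown` without the enclosing interface name, so this script only gates entry into `interface <name>` config mode; what may be done once inside still has to come from your ordinary `cmd =` rules.

```python
#!/usr/bin/env python3
"""Hypothetical tac_plus 'before authorization' callout: permit 'interface X'
only for interfaces the user owns in the port inventory."""
import re
import sys

# Exit codes as I read tac_plus.conf(5): 0 permit, 1 deny, 3 no decision.
# Assumption: verify against the man page shipped with your tac_plus.
PERMIT, DENY, NO_DECISION = 0, 1, 3

# Constructed stand-in for the port inventory / BSS linkage: user -> owned ports.
INVENTORY = {
    "alice": {"GigabitEthernet1/1", "GigabitEthernet1/2"},
    "bob": {"GigabitEthernet2/5", "Port-channel10"},
}

# Full IOS interface type names used to expand abbreviations such as "gi" or "po".
FULL_NAMES = ("gigabitethernet", "tengigabitethernet", "fastethernet",
              "ethernet", "port-channel", "vlan", "loopback")


def parse_avpairs(text):
    """Parse TACACS+ AV pairs, one per line.  '=' is a mandatory attribute,
    '*' an optional one.  Order is kept because cmd-arg repeats."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for sep in ("=", "*"):
            if sep in line:
                attr, value = line.split(sep, 1)
                pairs.append((attr.strip(), value.strip()))
                break
    return pairs


def canonical_interface(name):
    """Lower-case, drop spaces and expand a unique type abbreviation, so that
    'Gi 1/1', 'gi1/1' and 'GigabitEthernet1/1' compare equal."""
    n = name.lower().replace(" ", "")
    m = re.match(r"^([a-z][a-z-]*?)(\d[\d/.:-]*)$", n)
    if not m:
        return n
    typ, num = m.groups()
    matches = [f for f in FULL_NAMES if f.startswith(typ)]
    if len(matches) == 1:
        typ = matches[0]
    return typ + num


def decide(pairs, user, inventory):
    """Return the exit status tac_plus should see for this request."""
    first = {}
    for attr, value in pairs:
        first.setdefault(attr, value)
    if first.get("service") != "shell":
        return NO_DECISION                      # not command authorization
    cmd = first.get("cmd", "")
    if cmd == "":
        return NO_DECISION                      # exec start, not a command
    if cmd.lower() != "interface":
        return NO_DECISION                      # leave other commands to cmd= rules
    args = [v for a, v in pairs if a == "cmd-arg" and v != "<cr>"]
    if not args:
        return DENY
    if args[0].lower() == "range":
        return DENY                             # ranges not resolved here: be conservative
    wanted = canonical_interface("".join(args))
    owned = {canonical_interface(i) for i in inventory.get(user, ())}
    return PERMIT if wanted in owned else DENY


def main():
    # tac_plus substitutes $user on the command line in the assumed directive.
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.exit(decide(parse_avpairs(sys.stdin.read()), user, INVENTORY))


if __name__ == "__main__":
    main()
```

Because the script returns "no decision" for everything except `interface ...`, it can be dropped in front of an existing tac_plus configuration without changing how other commands are authorized; whether you let it permit at all, or only deny and let the normal rules do the permitting, is a policy choice.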



More information about the cisco-nsp mailing list