[c-nsp] "reload" command doesn't check command line parameters
Peter Rathlev
peter at rathlev.dk
Tue Oct 8 17:34:49 EDT 2013
On Tue, 2013-10-08 at 10:44 -0500, Josh wrote:
> In reply to Saku Ytti, I know of at least one tacacs implementation
> that allows for restricting configuration of members of a port
> channel.
>
> https://rubyforge.org/projects/tacacs-plus/
I haven't delved deeply into the code, but I'm almost certain it cannot
do that. What Saku describes demands that the TACACS+ server keeps state
between commands, saying you cannot do e.g. "switchport trunk allowed
vlan add <n>" after "interface GigabitEthernet<n>/<m>" if the latter has
"channel-group <n> [mode <s>]" as part of its configuration. Otherwise
you can.
Saku's sentence could be expanded a bit:
I think it's not possible in TACACS to deny configuring member
ports of port-channels [and not deny configuring regular physical
interfaces that are not member ports].
It's technically not impossible to do, but since standard TACACS+ allows
for two back-to-back requests to be sent to two different servers, it is
also not an easily solved problem.
--
Peter
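An added illustration of the point being argued, not code from the thread or from any real TACACS+ server: a simulated per-command authorizer. The switch configuration (which ports carry a channel-group), the session name and the round-robin distribution of requests across servers are all constructed assumptions. A stateless policy can only deny "switchport trunk allowed vlan" everywhere or nowhere; a stateful one that remembers the last "interface ..." command gets the member/non-member distinction right, but only while consecutive requests reach the same server.

```python
"""Simulated TACACS+ per-command authorization (constructed example, not from
the cisco-nsp thread). Shows why a server that keeps no state between requests
cannot deny a command only on port-channel member ports, and why keeping state
breaks as soon as back-to-back requests land on different servers."""

from typing import Dict, List, Tuple

# Constructed sample of the switch's running-config: physical ports that carry
# "channel-group <n>". Assumed to be known to the server out of band.
CHANNEL_MEMBERS: Dict[str, int] = {
    "GigabitEthernet1/1": 10,
    "GigabitEthernet1/2": 10,
}

# Commands that should be refused under a member port but allowed elsewhere.
RESTRICTED = ("switchport trunk allowed vlan",)


class StatelessAuthorizer:
    """Sees only the command text of each request, like a plain per-command
    policy. It has no idea which interface is being configured, so it can
    only deny RESTRICTED everywhere or nowhere."""

    def __init__(self, deny_restricted: bool):
        self.deny_restricted = deny_restricted

    def authorize(self, session: str, cmd: str) -> bool:
        if self.deny_restricted and cmd.startswith(RESTRICTED):
            return False
        return True


class StatefulAuthorizer:
    """Remembers the last "interface ..." command per session, so a following
    command can be checked against the port's channel-group membership."""

    def __init__(self) -> None:
        self.current_if: Dict[str, str] = {}

    def authorize(self, session: str, cmd: str) -> bool:
        if cmd.startswith("interface "):
            self.current_if[session] = cmd.split(None, 1)[1].strip()
            return True
        ifname = self.current_if.get(session)
        if ifname in CHANNEL_MEMBERS and cmd.startswith(RESTRICTED):
            return False
        return True


def run_session(servers: List[object], commands: List[str],
                session: str = "vty0") -> List[Tuple[str, bool]]:
    """Authorize each command in turn. Request i goes to servers[i % len(servers)],
    mimicking a client that spreads (or fails over) requests across servers
    which share no state with each other."""
    results: List[Tuple[str, bool]] = []
    for i, cmd in enumerate(commands):
        server = servers[i % len(servers)]
        results.append((cmd, server.authorize(session, cmd)))
    return results


def decisions(results: List[Tuple[str, bool]]) -> List[bool]:
    """Just the permit/deny verdicts, in order."""
    return [permitted for _, permitted in results]


# Constructed command sequence typed by one operator in one session.
SAMPLE = [
    "interface GigabitEthernet1/1",          # port-channel member
    "switchport trunk allowed vlan add 20",  # should be denied here
    "interface GigabitEthernet1/3",          # plain physical port
    "switchport trunk allowed vlan add 20",  # should be allowed here
]


if __name__ == "__main__":
    print("stateless, deny:   ", decisions(run_session([StatelessAuthorizer(True)], SAMPLE)))
    print("stateless, permit: ", decisions(run_session([StatelessAuthorizer(False)], SAMPLE)))
    print("stateful, 1 server:", decisions(run_session([StatefulAuthorizer()], SAMPLE)))
    print("stateful, 2 servers:",
          decisions(run_session([StatefulAuthorizer(), StatefulAuthorizer()], SAMPLE)))
```

The two stateless runs show the dilemma: the VLAN command is either refused on the plain port too, or permitted on the member port. A single stateful server gives the wanted [permit, deny, permit, permit]. With two stateful servers and the requests alternating between them, the "interface" command and the "switchport" command are seen by different servers, and the deny silently disappears.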