RE: Local Command Authorization [7:97107] posted 02/24/2005
Wow, bummer! I'm starting to think that this is going to be more trouble
than it's worth and we're just going to leave things as they are for
>>> "Troy Coulombe" 2/24/05 12:38:22
_just_ went through this, as I'm about to roll out TACACS+ [using
Cisco's free *nix daemon, & a Python script I wrote for
user-password-maintenance-etc] and we had wanted to give our level-2
a bit more 'ability'...
with the key wording [at least for us]:::
The write terminal / show running-config command shows a blank
configuration. This command displays all of the commands that the
current user is able to modify (in other words, all the commands at or
below the user's current privilege level). The command should not
display commands above the user's current privilege level because of
security considerations. If it did, commands like snmp-server
could be used to modify the current configuration of the router and
complete access to the router.
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf
Sent: Wednesday, February 23, 2005 9:26 AM
Subject: Local Command Authorization [7:97107]
Forgive me, but this is one of those things I've never needed to do so
didn't pay much attention when I read about it in the past. :) I have
that requires the ability to see the running config and startup config
device, but they are not allowed to go into config mode to make
there a relatively simple way to restrict them to EXEC mode commands
they can't even enter into CONFIG mode? I think that would be more
than trying to explicitly list the commands they are allowed to run.
Also, I do have Cisco Secure ACS and I know that I could easily do
through that application, but for various policy reasons (don't ask)
have to do this locally on the device itself.
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
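
A local (non-AAA-server) sketch of the privilege-level behaviour quoted in the thread, added here as an example and not taken from any poster's configuration. The user name `auditor`, the choice of level 5 and the secret placeholder are assumptions; the `show startup-config` behaviour comes from Cisco's privilege-level documentation rather than from the thread.

```cisco
! Constructed example: read-only account defined locally on the device.
! "auditor", level 5 and the secret are placeholders, not values from the thread.
username auditor privilege 5 secret <PLACEHOLDER-SECRET>
!
! Lower only the two show commands to level 5.
! "configure terminal" stays at its default level 15, so a level-5
! session cannot enter CONFIG mode.
privilege exec level 5 show startup-config
privilege exec level 5 show running-config
!
line vty 0 4
 login local
!
! Expected behaviour at level 5:
!   show running-config  -> runs, but lists only commands at or below
!                           level 5 (the near-blank output quoted above)
!   show startup-config  -> prints the saved configuration from NVRAM
!   configure terminal   -> rejected as an invalid command at this level
```

Because `show startup-config` prints the saved file, it reflects the running state only as of the last `write memory` / `copy running-config startup-config`, and it exposes whatever secrets are stored in that file to the level-5 account.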