GroupStudy.com GroupStudy.com - A virtual community of network engineers
RE: Local Command Authorization [7:97107] posted 02/24/2005


Wow, bummer! I'm starting to think that this is going to be more trouble
than it's worth and we're just going to leave things as they are for
now.

Thanks!
John
--

>>> "Troy Coulombe" 2/24/05 12:38:22 AM >>>
_just_ went through this, as I'm about to roll out TACACS+ [using
Cisco's free *nix daemon, & a python script I wrote for
user-password-maintenance-etc] and we had wanted to give our level-2
NOC a bit more 'ability'...

But:::
http://www.cisco.com/warp/public/63/showrun.shtml 

with the key wording [at least for us]:::
//snippet//
The write terminal / show running-config command shows a blank
configuration. This command displays all of the commands that the
current user is able to modify (in other words, all the commands at or
below the user's current privilege level). The command should not
display commands above the user's current privilege level because of
security considerations. If it did, commands like snmp-server community
could be used to modify the current configuration of the router and
gain complete access to the router.
//end snippet//

Hth,
--
TroyC
c: 206.295.8051
d: 206.792.2356

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
John Neiberger
Sent: Wednesday, February 23, 2005 9:26 AM
To: cisco@xxxxxxxxxxxxxx 
Subject: Local Command Authorization [7:97107]

Forgive me, but this is one of those things I've never needed to do so
I didn't pay much attention when I read about it in the past. :) I have
a user that requires the ability to see the running config and startup
config for a device, but they are not allowed to go into config mode to
make changes. Is there a relatively simple way to restrict them to EXEC
mode commands so that they can't even enter into CONFIG mode? I think
that would be more elegant than trying to explicitly list the commands
they are allowed to run.

Also, I do have Cisco Secure ACS and I know that I could easily do this
through that application, but for various policy reasons (don't ask) I
have to do this locally on the device itself.

Any thoughts?

Thanks!
John
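Added example (not from either poster and not Cisco's own documentation): the local privilege-level configuration the thread is discussing, assuming a generic IOS router, with the caveat Troy quoted spelled out in the comments. The username and secret are placeholders.

```cisco
! Added example, not from the original thread. Username and secret are placeholders.
! Goal (John's question): a locally defined user who can view the running and
! startup configuration but cannot enter configuration mode.
!
! Put the user at a privilege level below 15. "configure terminal" is a
! level-15 command by default, so a level-2 user cannot enter config mode.
username noc-viewer privilege 2 secret REPLACE-WITH-STRONG-SECRET
!
! Move only the show commands the user needs down to level 2.
! The "show" keyword (already level 1) is made available automatically.
privilege exec level 2 show running-config
privilege exec level 2 show startup-config
!
! Authenticate VTY sessions against the local user database.
line vty 0 4
 login local
!
! Caveat (the point in the Cisco snippet Troy quoted): at level 2,
! "show running-config" displays only the commands at or below level 2,
! so the user sees a nearly blank configuration. That is deliberate:
! showing level-15 lines such as "snmp-server community" would expose
! credentials that allow full configuration changes. Lowering more
! commands to level 2 to make the output fuller also widens what the
! user can modify, which is the trade-off John's reply refers to.
!
! Verification from a session logged in as noc-viewer:
!   show privilege       -> reports privilege level 2
!   configure terminal   -> not available at this level (stays level 15)
```

Checking `show privilege` after logging in as the restricted user confirms the level actually applied; reviewing the output of `show running-config` from that session shows exactly what the level-2 user is allowed to see.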

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=97142&t=97107
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html