08-05-2004 08:12 AM - edited 03-09-2019 08:19 AM
We are currently taking over a network. The previous provider used TACACS and AAA which allowed the customer to view router configs with sensitive provider information "XXX" out. This would be a combination of IP addressing, snmp-server strings, passwords and secrets.
We are not planning to use TACACS, and wanted to know if there was a way to provide this using user privilege levels?
Many Thanks
08-05-2004 01:07 PM
Hi,
Yes, you could use privilege levels to allow access to certain commands only, such as debugs and certain show commands. As I am sure you know, you would have to configure this on each switch/router.
You obviously have reasons for not using TACACS. If it's budget, then Cisco's free TACACS+ daemon (tac_plus), which runs on Linux/Unix, would be more than adequate to provide a free TACACS server, giving the option of centralised management of user privileges using AAA.
I have a document I wrote on how to configure tac_plus. Let me know if you are interested and I'll dig it out.
Rgds
Paddy
09-08-2004 05:42 PM
How does one give show config access and hide sensitive information such as SNMP strings etc? This question has come up before and answer was not found. Thanks.
09-13-2004 12:45 AM
As far as I know, you can't. You can, however, take certain precautions. "service password-encryption" is the absolute minimum.
As far as SNMP community strings are concerned, these are not very secure anyway as they are transmitted on the network in the clear when they are used. I don't have any RW communities on my routers and switches unless absolutely necessary. Furthermore, I put an access list on the snmp ("snmp-server community
Hope this helps.
Kevin Dorrell
Luxembourg
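An offline way to produce the "XXX"-ed view the first post describes, as an added example that is not part of any reply in this thread: a Python filter that masks secrets, SNMP community strings and IPv4 addresses in a saved configuration before it is shared. The rule list, the function name `redact_config` and the sample configuration are constructed for illustration and cover only common IOS command forms.

```python
import re

MASK = "XXX"  # same placeholder the first post describes

# Each rule keeps the command keyword and masks only the sensitive value.
# Type 7 strings (service password-encryption) are reversible, so they are
# masked like any other secret. Extend the list for your own configs.
LINE_RULES = [
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$", re.I), r"\1 " + MASK + r"\2"),
    (re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?) .+$", re.I), r"\1 " + MASK),
    (re.compile(r"^(\s*username \S+ .*?\b(?:secret|password)) .+$", re.I), r"\1 " + MASK),
    (re.compile(r"^(\s+password) .+$", re.I), r"\1 " + MASK),  # under "line vty" etc.
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # also hits subnet masks


def redact_config(text, mask_ips=True):
    """Return a copy of an IOS-style config with sensitive values masked."""
    out = []
    for line in text.splitlines():
        for pattern, repl in LINE_RULES:
            new_line, hits = pattern.subn(repl, line)
            if hits:
                line = new_line
                break
        if mask_ips:
            line = IPV4.sub(MASK, line)
        out.append(line)
    return "\n".join(out)


# Constructed sample config; every value below is made up.
SAMPLE = """hostname edge-rtr-01
service password-encryption
enable secret 5 $1$CONSTRUCTED$notarealhashvalue000000
username noc privilege 15 secret 5 $1$CONSTRUCTED$anotherfakehash0000
snmp-server community ExampleRoString RO 10
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
access-list 10 permit 192.0.2.50
line vty 0 4
 password 7 0000000000
 login"""

if __name__ == "__main__":
    print(redact_config(SAMPLE))
```

The filter works on a copy of the configuration taken by the operator, so the customer never needs a login that can read the live running-config.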