From: Tan Jeff (tanmx@xxxxxxx)
Date: Sun Jun 09 2002 - 05:23:47 GMT-3
Thank you, Chris. I think you don't understand what I want to solve. I know
what you said actually. My question is: suppose my company has two
administrators, Jeff and Chris. Jeff administers the HQ routers and Chris
administers the BRANCH routers. All routers use the same TACACS+ server for
AAA. I want Jeff to have privilege 15 with HQ routers but only privilege 10
with BRANCH routers, and Chris to have privilege 10 with HQ routers but
privilege 15 with BRANCH routers. Can I do this using only one TACACS+ server?
Thanks.
Jeff
>From: chris.w.polson@accenture.com
>To: "Tan Jeff" <tanmx@msn.com>
>CC: ccielab@groupstudy.com, nobody@groupstudy.com
>Subject: Re: OT:manage routers with TACACS+ server
>Date: Sat, 8 Jun 2002 23:10:05 -0500
>
>
>Hi Jeff,
>
>We are using TACACS+ as well and do have differing levels of access. The
>differing levels of access in our environment are provided by the
>"privilege exec level command" at the device. For example:
>
>privilege exec level 10 traceroute <- allows use of extended traceroute
>privilege exec level 10 ping <- allows use of extended ping
>privilege exec level 10 show startup-config <- allows viewing of startup-config, but not running
>
>Once configured on the router (or any NAS), you can give the group the
>privilege level you wish them to have. I did find a link regarding the
>"privilege" commands that may help you as well:
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt5/srpass.htm
>
>Hopefully that helps you out a bit.
>
>Regards,
>Chris
>
>Christopher W. Polson
>CIO Network Services - GNOC
>Dallas Infomart
>VPN 573/4021; direct: 214-672-4021
>chris.w.polson@accenture.com
>
>
>
> From: "Tan Jeff" <tanmx@msn.com>
> Sent by: nobody@groupstudy.com
> Date: 06/08/2002 10:40 PM
> Please respond to "Tan Jeff"
> To: ccielab@groupstudy.com
> cc:
> Subject: OT:manage routers with TACACS+ server
>
>Hi, all,
> My company has over 100 routers, and I found it is very difficult to
>manage the routers' passwords with vty password and enable password. I
>don't know how experts do it. I am trying to do it with Cisco TACACS+
>server (ver 2.3), but I met a problem.
> I have defined two groups of routers: one is HQ routers and the other
>is BRANCH routers. Our company has two groups of administrators too: one
>is HQ administrator, the other is BRANCH administrator. My aim is to
>permit the HQ administrator to access both groups of routers with
>privilege 15, and the BRANCH administrator to access BRANCH routers with
>privilege 15 and HQ routers with privilege 10. It seems there is no such
>item in the TACACS+ server. Can the TACACS+ server do what I want?
> I have searched CCO, but found nothing about it. Any help will be
>appreciated.
>
> Jeff
>
>
>
This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:29 GMT-3