RE: [Isms] charter proposal

Hi David,

I would be interested in hearing from vendors and operators and the
people arguing for this user-to-group-mapping feature just HOW they
currently use AAA to provide user-to-group mappings for network
management access control.


Cisco IOS currently has the following mechanisms for access control for
the CLI commands.

Cisco IOS supports 16 privilege levels (0-15) that can be set up
on a RADIUS (TACACS+) server and will be sent to the device using a
Cisco RADIUS VSA (shell:priv-lvl).

http://www.cisco.com/warp/public/480/PRIV.html

More recently we have augmented the privilege level model to support
more flexible RBAC-like support with CLI views (a.k.a. roles), and we
have a Cisco RADIUS VSA (shell:cli-view-name) used to communicate the
view name of the user to the device. CLI views (similar to SNMPv3 VACM
views) must be defined locally on the device.


http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b96.html#wp1073986

In addition to this, TACACS+ also supports per-command
authorization, i.e. a TACACS+ authorization request/response will be
used to authorize each command being received by the device.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scftplus.htm#1001102

Hope this helps,

kaushik!
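As an added illustration, not part of Kaushik's message and not Cisco's or any RADIUS server's code, the Python below shows the wire-level shape of the two Cisco VSAs named above (shell:priv-lvl and shell:cli-view-name carried as cisco-avpair strings inside a Vendor-Specific attribute, type 26, vendor ID 9), builds a RADIUS Access-Accept containing them, verifies the Response Authenticator the way a NAS must before trusting the attributes, and then applies the device-side rule that a view name is only honored when that CLI view is defined locally. The shared secret, request authenticator, privilege values and the view name "netops" are constructed sample values; the `cli_authority` mapping is a hypothetical stand-in for what the device's AAA code does, not IOS behaviour quoted from documentation.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type of cisco-avpair inside a Cisco VSA


def cisco_avpair_vsa(avpair):
    """One Vendor-Specific (26) attribute: Vendor-Id, then vendor-type/len/value."""
    value = avpair.encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, req_auth, secret, avpairs):
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = b"".join(cisco_avpair_vsa(a) for a in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet, req_auth, secret):
    """NAS side: recompute the Response Authenticator before believing any
    attribute; a forged or tampered reply fails here."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_cisco_avpairs(packet):
    """Walk the attribute list and return the cisco-avpair strings found,
    rejecting lengths that would run past the packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pairs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                vpos = pos + 6
                while vpos < pos + alen:
                    vtype, vlen = packet[vpos], packet[vpos + 1]
                    if vlen < 2 or vpos + vlen > pos + alen:
                        raise ValueError("malformed VSA")
                    if vtype == CISCO_AVPAIR:
                        pairs.append(packet[vpos + 2:vpos + vlen].decode())
                    vpos += vlen
        pos += alen
    return pairs


def cli_authority(avpairs, local_views, default_priv=1):
    """Hypothetical device-side mapping (assumption, not quoted IOS code):
    an out-of-range priv-lvl is ignored and a cli-view-name is only honored
    when that view is defined locally. Returns (priv_lvl, view_or_None)."""
    priv, view = default_priv, None
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key == "shell:priv-lvl" and val.isdigit() and 0 <= int(val) <= 15:
            priv = int(val)
        elif key == "shell:cli-view-name" and val in local_views:
            view = val
    return priv, view


if __name__ == "__main__":
    # Constructed sample values: a fixed Request Authenticator and secret.
    req_auth = bytes(range(16))
    secret = b"s3cret"
    pkt = build_access_accept(7, req_auth, secret,
                              ["shell:priv-lvl=15", "shell:cli-view-name=netops"])
    print("authentic:", verify_access_accept(pkt, req_auth, secret))
    pairs = parse_cisco_avpairs(pkt)
    print("avpairs:", pairs)
    print("with view defined:", cli_authority(pairs, {"netops"}))
    print("view missing locally:", cli_authority(pairs, set()))
```

The authenticator check comes before parsing on purpose: the VSAs are plain strings, so a NAS that honored them without verifying the reply against the shared secret would let anyone who can spoof the RADIUS server hand out priv-lvl 15.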

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.