I have an issue where the same command that is denied on IOS switches is allowed on CatOS switches. No idea why this happens, since my TACACS server (the free TACACS server from Cisco) denies the sh conf or sh run command for a particular user.
When a user logs into an IOS switch and issues a sh run, it says command authorisation failed, since I denied that user from issuing the sh conf or sh run command.
But the same command, sh conf or sh run, works on the CatOS switch. Both my CatOS and IOS switches point to the same TACACS server, and I have no clue how it works with CatOS since I denied that command.
Also strange, since the same command gets denied on IOS (the way I want) but works with CatOS.
Everything else with my TACACS works fine for both IOS and CatOS, except for this strange thing.
I really don't want the user to run a sh conf command on a CatOS switch. What should I do to fix this, and why does it work like this?
I tried rearranging the commands, CatOS commands first and then IOS, but no luck :(
It sounds to me like you have configured your IOS boxes with authentication and with authorization, and that perhaps you have configured your CatOS boxes with authentication but not authorization. If you would post the configuration of one of them, we would be able to see more clearly what is going on and perhaps could then give you better advice.
I have enabled authorisation on the CatOS switches as well. It works very well with authorisation, since a person can't do anything other than change the port. If he tries to change the TACACS parameters, it will show command authorisation failed.
So that means (at least as far as I know) the authorisation command works, since the user can't change anything except what I allowed in my TACACS, and both the IOS and CatOS switches point to the same TACACS server. I have another group which has full access on the CatOS, and that works the way I want. The only issue is with this user group, which allows them to run a sh conf or sh run command on the CatOS switches.
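The symptom described in the two posts above (set/clear commands are denied, but show config goes through on CatOS only) is what you see when the CatOS command-authorization scope covers configuration commands but not show commands, or when the server's deny rule is written for the IOS command string and never matches the one CatOS actually sends. The fragment below is an added illustration, not configuration posted in this thread: the server address, key, group name and the tac_plus rule syntax are assumptions, and the CatOS keywords are given as I recall them from the CatOS command reference, so verify them against your own switch and server before relying on them.

```text
! --- IOS side (constructed example; 192.0.2.10 and the key are placeholders) ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
! Every privilege-15 command is sent to the server, including "show running-config".
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-ME

# --- CatOS side (constructed example; same placeholders) ---
set tacacs server 192.0.2.10 primary
set tacacs key REPLACE-ME
set authentication login tacacs enable both
set authentication enable tacacs enable both
set authorization exec enable tacacs+ deny both
set authorization enable enable tacacs+ deny both
# Scope keyword matters: "config" authorizes only configuration (set/clear)
# commands, so "show config" never reaches the server. "all" sends every command.
# "deny" is the fallback when the server cannot be reached.
set authorization commands enable all tacacs+ deny both

# --- tac_plus side (constructed example; assumed tac_plus.conf syntax) ---
group = port-admins {
    default service = permit
    cmd = show {
        # CatOS sends cmd "show" with arg "config"; IOS sends "running-config".
        # A rule written only for "running-config" lets the CatOS form through.
        deny config.*
        deny running-config.*
        permit .*
    }
}
```

Two things are worth checking against this on the live gear: that the CatOS line uses all rather than config, and that the server's log for the denied user shows the exact cmd and cmd-arg values the CatOS switch sends, so the deny pattern can be matched to that string rather than to the IOS one.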
Would love to see your config for both IOS and CatOS, as I am trying to do the same but have not succeeded.
One thing I am doing, though, is I have multiple NDGs. I have two user groups. Grp A has access to all. Grp B should have "all" access to only some NDGs but restricted access to other NDGs. I have also enabled direct access to priv mode, so that everyone has to log in only once to get to enable.
So my question is: how can I get Grp B to have "one stop" login to priv mode for some NDGs and not to others?