10-13-2010 08:59 AM - edited 03-10-2019 05:29 PM
I have two configs. Which config would be better from a flexibility and security standpoint?
Authenticating with ACS to AD
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting system default start-stop group tacacs+
!
or
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
10-14-2010 01:31 AM
The first config is without doubt the most secure, as it includes authorization.
With authorization you can configure the ACS to send privilege levels, for example, or to perform command authorization, and the user can have a different set of commands allowed depending on the group it belongs to in AD, for example.
HTH,
Tiago
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
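An added example, not part of the thread: a small Python lint over the two snippets from the question. It reports which AAA services (authentication, authorization, accounting) each snippet configures, which is what the answer above means by "includes authorization", and also flags any method list whose final method is `none`, since IOS falls through to that method when no TACACS+ server answers. The config text is copied from the question; everything else is assumed.

```python
from collections import defaultdict

# Constructed copies of the two snippets posted in the thread.
CONFIG_A = """\
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting system default start-stop group tacacs+
"""
CONFIG_B = """\
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

def parse_aaa(config: str) -> dict:
    """Return {service: {list_label: [methods]}}; 'aaa' lines with no 'default' method list get []."""
    report = defaultdict(dict)
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 3 or tokens[0] != "aaa":
            continue
        service = tokens[1]          # authentication | authorization | accounting
        if "default" in tokens:
            idx = tokens.index("default")
            label, rest = " ".join(tokens[2:idx]), tokens[idx + 1:]
        else:
            label, rest = " ".join(tokens[2:]), []
        if service == "accounting" and rest:
            rest = rest[1:]          # drop the record mode (start-stop, stop-only)
        methods, i = [], 0
        while i < len(rest):         # 'group tacacs+' is one method, not two tokens
            step = 2 if rest[i] == "group" and i + 1 < len(rest) else 1
            methods.append(" ".join(rest[i:i + step]))
            i += step
        report[service][label] = methods
    return dict(report)

def fail_open_lists(config: str) -> list:
    """Method lists ending in 'none': IOS falls through to it when no TACACS+ server answers."""
    return [f"{svc} {label}" for svc, lists in parse_aaa(config).items()
            for label, methods in lists.items() if methods and methods[-1] == "none"]
```

Running `set(parse_aaa(CONFIG_B))` shows the second snippet never configures authorization at all, while `fail_open_lists(CONFIG_A)` points at the one list in the first snippet whose fallback is `none`.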
10-13-2010 10:59 AM
You can say that aaa authorization (1st config snippet) is more "secure" because commands will be authorized depending on the user that is executing them.
As for flexibility, as long as authorization is configured properly I think there is no difference. There might be more intervention when you are adding a new user in ACS, but even that can be avoided if you use user groups.
I hope it helps a little.
PK
10-14-2010 09:37 AM
thanks