Security Basics mailing list archives

RE: CISCO Catalyst


From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Wed, 23 Jan 2008 15:14:45 -0500

I recall reading that you can create access levels such as 13, allowing certain commands to that level.

From experience I know you can at least use the default 1 and 15, create two different Active Directory groups, then using Microsoft IAS as your RADIUS, pass through the group to the Cisco device and get the proper permissions.

There was a document on the Cisco support site that I read when we did this.  It was almost two years ago, though.  If I find the link, I will pass it on.  If not, you should still be able to find it there.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vega - Brunello Ivan
Sent: Wednesday, January 23, 2008 11:55 AM
To: pepsdiaz () gmail com; security-basics () securityfocus com
Subject: R: CISCO Catalyst

In short: set up a TACACS+ server (that is, a server which manages the userbase).
This way, you can:
- set up users in a centralized location, and optionally bind users to an external userbase (e.g. Active Directory, LDAP, or SQL).
- set password policies (if you use an external userbase, the external userbase policy applies).
- group users by role.
- grant users or groups access to every single command (TACACS+ lets you do this; something else like RADIUS cannot).
- have a log of every single action.


AFAIK the only one (for TACACS) is Cisco's own ACS product.
Dunno if there are cheaper (and better) alternatives.



Ivan Brunello
System & Network Management
 
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Wednesday, January 23, 2008 10:27
To: security-basics () securityfocus com
Subject: CISCO Catalyst


Dear all,


I need to audit a CISCO Catalyst 6509 and 2950. I would like to know if you can set up several users in order to log their activities on it and how to do that.

Besides, I would like to know if you can set up password protection measures like:

 - Change password periodically.

 - Length of password

 - Password history


Can you set up more than one user role or just the administrator?


Thanks in advance to everybody.
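
An added example, not part of the original messages: a configuration sketch combining the two suggestions in this thread (a custom privilege level such as 13, and TACACS+ for per-command authorization and logging). It assumes the switches run Cisco IOS rather than CatOS; the server address, shared key, user names and the commands moved to level 13 are constructed placeholders.

```cisco
! Constructed example for Cisco IOS. Every address, key, user name and
! password below is a placeholder, not a value from the thread.
aaa new-model
!
! TACACS+ server holding the central userbase
tacacs-server host 192.0.2.10 key CHANGE-ME-SHARED-KEY
!
! Authenticate logins against TACACS+; fall back to the local accounts
! only when the server cannot be reached
aaa authentication login default group tacacs+ local
!
! Let the server assign each user's privilege level at login
aaa authorization exec default group tacacs+ local
!
! Send every command at levels 1, 13 and 15 to the server for approval
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Record each session and each command entered, per user
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Custom level 13: move selected commands down from level 15
privilege exec level 13 show startup-config
privilege exec level 13 clear counters
!
! Local fallback accounts, one per role (individual accounts, so that
! the accounting records name the person who typed the command)
username auditor privilege 13 secret CHANGE-ME-AUDITOR
username netadmin privilege 15 secret CHANGE-ME-ADMIN
```

Password expiry, length and history for the TACACS+ users are enforced by the server or the external userbase behind it, not by these lines.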




