Cisco IOS based TACACS+ device management
With the never ending increases in the complexity and scale of the network, the task of managing it has never been harder. Whilst technologies and tools have emerged to assist in this task, the widespread use of command line (CLI) configuration over a Telnet session remains a crucial foundation in most installations. Combined with the dominance of Cisco IOS and its strong support for the CLI, this is unlikely to change any time soon.

The scale of today's networks means that they are beyond the capacity of a single administrator, or indeed even a small number of administrators, to manage. Spread across the organization both by business and by geography, individual administrators need appropriate access to the part of the network that they control. Controlling this access (i.e., managing the administrators) is a real challenge, and one that historically has often been ignored due to the complexities involved. This is unlikely to remain a viable approach in the future, as legislation such as Sarbanes-Oxley (SOX) exerts a legal requirement not only to control but also to properly audit what actions are being performed by network administrators.
Cisco have provided a strong foundation for the implementation of a scalable management regime with device based privilege level controls and per command authorization using TACACS+ and the Cisco Secure ACS Device Command Sets (DCS) feature. The Cisco white paper 'Building a scalable TACACS+ Device Management framework' provides a good introduction to these capabilities. Either of these tools can be used to create security regimes as appropriate to the specific needs of the organization using them. Beyond these facilities, the AAA server administrator needs help in reducing the mountain of unordered log data that T+ Device Administration (TDA) generates into useful information that can be used for both technical support and security audit purposes.
Read our TDA Audit Reports White Paper...
How aaa-reports! supports TDA
From the perspective of a security audit, TDA falls into two basic categories:

- What did you intend should happen on the network during a given period?
- What actually happened during the same period?

With aaa-reports! v2.1 enhanced TDA audit reporting for Cisco Secure ACS it is now possible to answer both of these questions, and for the first time ever it is possible to document both policy intent and operation!
Using an imported ACS database*, aaa-reports! can report:

- Summaries of groups/users with TDA related features in use
- Detailed config for groups/users with TDA features
- Summary & detailed content of Network Access Restrictions (NAR)
- Summary & detailed content of Device Command Sets (DCS)**
- What devices (and device groups) a group/user has access (or not) to
- What commands a group/user is authorised to execute on a device (or device group)
- What groups/users make reference to a specific Shared Device Command Set (DCS)**
- What groups/users make reference to a specific Shared Network Access Restriction (NAR)
- Any Shared DCS/NAR that is un-referenced (i.e. possibly redundant)
- What devices are associated with a Network Device Group (NDG)
- User account/password aging statuses
- More...
* ACS v3.x Software, ACS 4.x Software & Appliance (Solution Engine)
** Both shell (exec) and pixshell command authorisation supported
Using imported TACACS+ command accounting, TACACS+ session accounting and ACS Failed Attempts logs, aaa-reports! can report:

- Summaries of devices managed, commands issued, groups/users performing tasks, authentication & authorisation failures
- All commands issued by a specific user
- All commands executed on a specific device
- All users who issued a specific command
- More...
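The reduction of raw command-accounting and failed-attempts data into the per-user, per-device and per-command views listed above, as an added example that is not part of this page or of aaa-reports! itself. It assumes a simplified CSV layout loosely modelled on ACS log exports; the column names and every sample row are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample data in a simplified CSV layout loosely modelled on ACS
# TACACS+ command-accounting and Failed Attempts exports. Column names, users,
# addresses and commands are all assumptions made for this example.
COMMAND_ACCOUNTING = """date,time,user,group,nas_ip,priv_lvl,cmd
2024-03-01,09:12:03,alice,NetOps,10.0.0.1,15,show running-config
2024-03-01,09:13:44,alice,NetOps,10.0.0.1,15,configure terminal
2024-03-01,09:14:10,alice,NetOps,10.0.0.1,15,interface GigabitEthernet0/1
2024-03-01,10:02:51,bob,Helpdesk,10.0.0.2,1,show interfaces
2024-03-01,10:05:17,bob,Helpdesk,10.0.0.1,1,show running-config
2024-03-02,08:30:00,carol,NetOps,10.0.0.3,15,reload
"""

FAILED_ATTEMPTS = """date,time,user,group,nas_ip,failure,cmd
2024-03-01,10:06:02,bob,Helpdesk,10.0.0.1,authorization,configure terminal
2024-03-01,11:40:19,dave,,10.0.0.2,authentication,
"""

def load(text):
    """Parse one CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def summary(cmd_rows, fail_rows):
    """Headline counts: devices managed, commands issued, active users, failures by type."""
    return {
        "devices_managed": len({r["nas_ip"] for r in cmd_rows}),
        "commands_issued": len(cmd_rows),
        "active_users": sorted({r["user"] for r in cmd_rows}),
        "failures": dict(Counter(r["failure"] for r in fail_rows)),
    }

def commands_by_user(cmd_rows, user):
    """Every command a given user issued, in log order, with the target device."""
    return [(r["nas_ip"], r["cmd"]) for r in cmd_rows if r["user"] == user]

def commands_on_device(cmd_rows, nas_ip):
    """Every command executed on one device, with the user who issued it."""
    return [(r["user"], r["cmd"]) for r in cmd_rows if r["nas_ip"] == nas_ip]

def users_who_issued(cmd_rows, cmd_prefix):
    """Distinct users whose logged commands start with the given keyword(s)."""
    return sorted({r["user"] for r in cmd_rows if r["cmd"].startswith(cmd_prefix)})

if __name__ == "__main__":
    cmds, fails = load(COMMAND_ACCOUNTING), load(FAILED_ATTEMPTS)
    print(summary(cmds, fails))
```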
aaa-reports! gives you the in-depth analysis of your TACACS+ managed network that you need.