topic Re: Control Device admin users login location using IP address in Network Access Control

Control Device admin users login location using IP address

dngore — Fri, 21 Feb 2020 19:11:37 GMT

Hi,

Can ISE (device administration) controls device admin users location (IP address) so that user can login NAD (router/switch) from specific IP address?

As per my understanding, ISE can't restrict device admin users based on IP Address as ISE communicates with NAD (as TACACS+ client) and not endpoint. Second point, AAA client (NAD) sends only user name to TACACS+ server.

Kindly confirm my understanding.

Re: Control Device admin users login location using IP address

Colby LeMaire — Wed, 06 Nov 2019 15:10:50 GMT

In TACACS Live Logs, you can open the details of an authentication/authorization event and see if you have any attribute that you can use to determine the location. In my system, I just checked and see an attribute called "Remote Address" that appears to be the originating client's IP address. But that is a Cisco IOS device using TACACS. Results may be different with different device types, IOS levels, etc.

For a more reliable/secure way of controlling admin access to network devices, use infrastructure ACL's or management plane ACL's on the device to control what subnets can SSH, SNMP, etc. to the device.

Re: Control Device admin users login location using IP address

dngore — Wed, 06 Nov 2019 16:01:34 GMT

Thx for reply.

But this is not deployed solution. We are proposing it. Customer has below query. Hence want to confirm on same.

So if remote client IP address is seen in log then does that mean we can control device admin user based on IP address in ISE?

We are aware of access list restriction on NAD devices but customer is specifically asking for this feature support in ISE.

Re: Control Device admin users login location using IP address

Colby LeMaire — Wed, 06 Nov 2019 19:53:35 GMT

You would need to figure out which Radius/TACACS+ AVP holds that information and test it out. But again, different hardware, IOS, protocol, etc could provide different results. I wouldn't trust it for all devices unless you test each use case in the lab first. Key is to test extensively first.

Re: Control Device admin users login location using IP address

Arne Bier — Thu, 07 Nov 2019 08:12:06 GMT

Hi @dngore

yes this is very straightforward

I have modified my lab as follows. I included a check to ensure that the user may not come from IP address 192.168.0.212 or else he will be dropped into read-only mode. If the user comes from any other address, then he will be in privilege level 15 (super admin). The key thing is that the attribute TACACS: Remote-Address is what you're after.