https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392558#M548572 <P>Hello,</P> <P>&nbsp;</P> <P>We are in the process of migrating our device access from Telnet to SSH using Tacacs+</P> <P>In ISE (2.0 #6) we would like to create 2 different users, one user if access is done using Telnet, an other user if access is done via SSH.</P> <P>Is there an attribute in the Tacacs+ authentication process in ISE were we can differentiate if a user is using Telnet or SSH?</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Lieven Stubbe</P> <P>Belgian Railways</P> Fri, 21 Feb 2020 18:57:16 GMT lni1 2020-02-21T18:57:16Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392558#M548572 <P>Hello,</P> <P>&nbsp;</P> <P>We are in the process of migrating our device access from Telnet to SSH using Tacacs+</P> <P>In ISE (2.0 #6) we would like to create 2 different users, one user if access is done using Telnet, an other user if access is done via SSH.</P> <P>Is there an attribute in the Tacacs+ authentication process in ISE were we can differentiate if a user is using Telnet or SSH?</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Lieven Stubbe</P> <P>Belgian Railways</P> Fri, 21 Feb 2020 18:57:16 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392558#M548572 lni1 2020-02-21T18:57:16Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392592#M548576 <P>Hi,</P> <P>I've had a quick look and don't think you can differentiate telnet/ssh protocols in a rule.</P> <P>&nbsp;</P> <P>What you could do is create 2 separate AuthZ rules and use the condition "TACACS·User EQUALS xxxxxx" for telnet user and another rule for the ssh user, to differentiate between the users. xxxxx = equals the name of the user you create for telnet/ssh.</P> <P>&nbsp;</P> <P>HTH</P> Fri, 01 Jun 2018 14:06:03 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392592#M548576 Rob Ingram 2018-06-01T14:06:03Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392605#M548577 <P>Hello RJI,</P> <P>&nbsp;</P> <P>Can you elaborate the AuthZ solution a little more? I don't quite get it...</P> <P>The one user should only be used for Telnet and the other for SSH</P> <P>&nbsp;</P> <P>Lieven</P> <P>&nbsp;</P> Fri, 01 Jun 2018 14:20:31 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392605#M548577 lni1 2018-06-01T14:20:31Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392628#M548579 Ah ok, sorry I mis-understood/mis-read, I don't think you can distinguish between telnet/ssh. My suggestion was to merely differentiate the user authentications, which could then be used for different levels of AuthZ. Fri, 01 Jun 2018 14:43:46 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3392628#M548579 Rob Ingram 2018-06-01T14:43:46Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3393131#M548580 <P>It seems possible with ASA. See&nbsp;<A href="https://communities.cisco.com/thread/92262" target="_blank">Device Policy Sets - tacacs ports 443 and 22</A></P> <P>This depends on the T+ implementation on the network device platforms.</P> Sun, 03 Jun 2018 06:00:49 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-vs-ssh/m-p/3393131#M548580 hslai 2018-06-03T06:00:49Z