topic Re: SSH Access for Given User Restricted to IP Address in Network Access Control

SSH Access for Given User Restricted to IP Address

njsanders1 — Fri, 21 Feb 2020 18:47:51 GMT

I have a network management appliance that utilizes CLI access to my network devices to perform certain functions. For compliance and audit purposes, I would like to restrict the use of login credentials established for the appliance such that they can only be used if the SSH connection originates from a specific IP address. Is it possible in IOS to limit the use of a particular set of creds so that only connections from a given IP can utilize them (and perhaps log any attempts from other addresses)?

Re: SSH Access for Given User Restricted to IP Address

jwillie3 — Wed, 07 Mar 2018 19:37:17 GMT

I do not believe this can be accomplished from just using IOS commands.

Do you have something other than SSH enabled for an access method? Are you using some sort of external AAA server? ACS or ISE?

Within IOS you can restrict device access to only be SSH (line vty), then in the external AAA server, setup an authentication rule that only allows TACACS/RADIUS (you didn't specify which) from a specific IP, then an authorization rule to match a specific userID.