topic Re: 2FA + Static Login with IP Restriction in Network Access Control

2FA + Static Login with IP Restriction

eshaq786 — Tue, 09 Aug 2022 09:54:49 GMT

We have setup 2FA on our switches using Duo auth proxy. This is working fine.

However we would like to be able to add a static account with no 2FA so that our security scanning tool can login to the device to retrive config details etc. This login would come from a single IP address therefore we would like to restrict this login to that IP address.

This would need to work alongside our existing 2FA logins. Has anyone done this and can show us what we would need to do?

Below is our current login config:

aaa authentication login default group DUO

Re: 2FA + Static Login with IP Restriction

Rob Ingram — Tue, 09 Aug 2022 10:34:18 GMT

@eshaq786 you could configure a specific VTY line with a different authentication method list, which uses a different authentication server. Use the rotary command under VTY line and configure SSH on a specific port, which references the rotary number for that specific VTY line. You can also configure a specific ACL on that VTY line.

Example:

line vty 15
 access-class 102 in
 rotary 16
 transport input ssh
 login authentication METHOD-LIST
 !
ip ssh port 2016 rotary 16

You connect to the device using port SSH to port 2016

Re: 2FA + Static Login with IP Restriction

eshaq786 — Tue, 09 Aug 2022 10:33:40 GMT

Can i use this method but use a static username stored locally on the device? Furthermore, can i then restrict this so that only a specified ip address can login using this method as it would be deemed insecure since it had no 2FA.

Re: 2FA + Static Login with IP Restriction

Rob Ingram — Tue, 09 Aug 2022 10:54:25 GMT

@eshaq786 yes you just reference a method list that uses local authentication. Yes you can apply an ACL just to that VTY line.

Re: 2FA + Static Login with IP Restriction

eshaq786 — Tue, 09 Aug 2022 12:17:41 GMT

This is my existing VTY config

line con 0
password 7 xxxxx
logging synchronous
login authentication No-Radius-Login
line vty 0 4
password 7 xxxxxx
transport input ssh
line vty 5 15
password 7 xxxxxx
transport input ssh

If i issue just a line VTY 15, will that change the existing line vty 5 15 to vty 5 14?

access-list 1 permit 192.168.1.10

line vty 15
access-class 1 in
 rotary 16
 transport input ssh
 login authentication No-Radius-Login
!
ip ssh port 2016 rotary 16

Does the ACL look right? Or do i need to add a deny in there as well?

Re: 2FA + Static Login with IP Restriction

Rob Ingram — Tue, 09 Aug 2022 12:20:59 GMT

@eshaq786 if you configure line 15, then lines 5 - 14 will remain the same.

Configuration looks ok.

Re: 2FA + Static Login with IP Restriction

PSM — Mon, 15 Aug 2022 11:45:54 GMT

Hi.

If you have a static source IP for the scanning tool you easily can define a rule above the main rule in authentication section of ISE policy with source IP as condition in TACACS.Remote-Address Equals <scanning tool server ip> and choose ID store local or ID whatever is applicable. By this way you avoid modifying config on all devices.

Re: 2FA + Static Login with IP Restriction

Walker — Mon, 15 Aug 2022 14:12:26 GMT

Within the Device Admin policy, add the IP in the authentication condition and set the Identity store to internal users. Configure the security scanning tool username/pw in the local identity store.

Re: 2FA + Static Login with IP Restriction

eshaq786 — Wed, 09 Nov 2022 19:57:07 GMT

Should have specified that I am not using TACACS to manage the switches.

Re: 2FA + Static Login with IP Restriction

eshaq786 — Wed, 30 Apr 2025 15:27:54 GMT

So i finally got around to implementing this. However i can getting strange errors when attempting to login. The SSH client just disconnects with the message

% Authorization failed.

The logs show that the username and password was accepted. Not sure why its behaving like this.

Apr 30 16:19:16.988: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.168.1.10] [localport: 2016] at 16:19:16 BST Wed Apr 30 2025