Cisco Employee

Control Device admin users login location using IP address

Hi,

Can ISE (device administration) control the location (IP address) of device admin users, so that a user can log in to a NAD (router/switch) only from a specific IP address?

As per my understanding, ISE can't restrict device admin users based on IP address, as ISE communicates with the NAD (the TACACS+ client) and not with the endpoint. Second point: the AAA client (NAD) sends only the user name to the TACACS+ server.

 

Kindly confirm my understanding.

Accepted Solution
VIP Advocate

Re: Control Device admin users login location using IP address

Hi @dngore 

 

Yes, this is very straightforward.

I have modified my lab as follows. I included a check to ensure that the user may not come from IP address 192.168.0.212, or else he will be dropped into read-only mode. If the user comes from any other address, then he will be in privilege level 15 (super admin). The key thing is that the attribute TACACS:Remote-Address is what you're after.

 

[screenshot of the authorization policy: comm07.PNG]

 

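The attribute the accepted answer keys on, TACACS:Remote-Address, is the rem_addr field of the TACACS+ authorization REQUEST body (RFC 8907, section 6.1), which the NAD fills in and sends alongside the user name. The following is an added example, not code from the thread, from ISE or from Cisco: it encodes and parses that body, applies the read-only / priv-lvl 15 policy the answer describes, and builds the matching REPLY. It assumes the 12-byte TACACS+ header has already been stripped and the body de-obfuscated (the RFC 8907 section 4.5 MD5 pad is not implemented); the user name, port and addresses are constructed sample values.

```python
"""
Added example, not code from the thread or from ISE: parse the body of a
TACACS+ authorization REQUEST (RFC 8907, section 6.1) and apply the policy
from the accepted answer, keyed on the rem_addr field, which is what ISE
shows as TACACS:Remote-Address.

Assumed: the 12-byte TACACS+ header has been stripped and the body has
already been de-obfuscated (the RFC 8907 section 4.5 MD5 pad is not shown).
Every packet here is constructed in this file, not captured from a device.
"""
import ipaddress
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_FAIL = 0x10

# Policy from the accepted answer: this source gets read-only (priv-lvl 1),
# any other source gets priv-lvl 15.
READ_ONLY_SOURCES = {ipaddress.ip_address("192.168.0.212")}


def build_author_request(user: str, port: str, rem_addr: str,
                         args: list[str], priv_lvl: int = 1) -> bytes:
    """Encode a de-obfuscated authorization REQUEST body (constructed input)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    fixed = struct.pack("!8B",
                        6,          # authen_method: TACACSPLUS
                        priv_lvl,   # privilege level the NAD currently grants the user
                        1,          # authen_type: ASCII
                        1,          # authen_service: LOGIN
                        len(user_b), len(port_b), len(rem_b), len(arg_b))
    arg_lens = bytes(len(a) for a in arg_b)
    return fixed + arg_lens + user_b + port_b + rem_b + b"".join(arg_b)


def parse_author_request(body: bytes) -> dict:
    """Decode the REQUEST body; raise ValueError if the lengths do not add up."""
    if len(body) < 8:
        raise ValueError("truncated authorization request")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = body[off:off + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt
    expected = off + user_len + port_len + rem_len + sum(arg_lens)
    if len(body) != expected:
        raise ValueError(f"body is {len(body)} bytes, header declares {expected}")

    def take(n: int) -> str:
        nonlocal off
        chunk = body[off:off + n].decode("ascii")
        off += n
        return chunk

    user = take(user_len)
    port = take(port_len)
    rem_addr = take(rem_len)
    args = [take(n) for n in arg_lens]
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def is_well_formed(body: bytes) -> bool:
    """True if the body parses; shows the length checks rejecting junk."""
    try:
        parse_author_request(body)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def authorize(req: dict) -> tuple[int, list[str]]:
    """Apply the policy: returns (status, reply args) for a shell session."""
    if "service=shell" not in req["args"]:
        return AUTHOR_STATUS_FAIL, []
    try:
        src = ipaddress.ip_address(req["rem_addr"])
    except ValueError:
        # rem_addr is filled in by the NAD and need not be an IP address
        # (console sessions, other vendors); fall back to least privilege.
        return AUTHOR_STATUS_PASS_ADD, ["priv-lvl=1"]
    if src in READ_ONLY_SOURCES:
        return AUTHOR_STATUS_PASS_ADD, ["priv-lvl=1"]
    return AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"]


def build_author_reply(status: int, args: list[str], server_msg: str = "") -> bytes:
    """Encode the authorization REPLY body (RFC 8907, section 6.2)."""
    arg_b = [a.encode() for a in args]
    msg_b = server_msg.encode()
    fixed = struct.pack("!BBHH", status, len(arg_b), len(msg_b), 0)  # data_len = 0
    return fixed + bytes(len(a) for a in arg_b) + msg_b + b"".join(arg_b)


if __name__ == "__main__":
    for src in ("192.168.0.212", "10.10.10.5"):
        req = parse_author_request(
            build_author_request("dngore", "tty2", src, ["service=shell", "cmd*"]))
        status, reply_args = authorize(req)
        print(f"{req['user']} from {req['rem_addr']}: status=0x{status:02x} {reply_args}")
        print(build_author_reply(status, reply_args).hex())
```

Two caveats the code makes visible: rem_addr is whatever the NAD chose to put there, so the check is only as trustworthy as the device and its software, and the fallback branch exists because nothing in the protocol guarantees the field is an IP address. A management-plane ACL on the device is still what stops a connection before any AAA exchange happens; the TACACS+ policy only decides what an already-connected session may do.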
Beginner

Re: Control Device admin users login location using IP address

In TACACS Live Logs, you can open the details of an authentication/authorization event and see if you have any attribute that you can use to determine the location. In my system, I just checked and see an attribute called "Remote Address" that appears to be the originating client's IP address. But that is a Cisco IOS device using TACACS. Results may be different with different device types, IOS levels, etc.

For a more reliable/secure way of controlling admin access to network devices, use infrastructure ACLs or management-plane ACLs on the device to control what subnets can SSH, SNMP, etc. to the device.
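The device-side restriction this reply recommends, as an added Cisco IOS example that is not part of the reply; 10.10.10.0/24 is an assumed management subnet and MGMT-HOSTS an arbitrary ACL name:

```text
! Added example, not from the thread. Only the assumed management subnet
! may reach the vty lines; other sources are dropped before any AAA
! exchange takes place, and the denials are logged.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

This is enforced by the device itself, so it does not depend on what the NAD reports to ISE in any TACACS+ attribute.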

Cisco Employee

Re: Control Device admin users login location using IP address

Thanks for the reply.

But this is not a deployed solution; we are proposing it. The customer has the query below, hence we want to confirm it.

So if the remote client IP address is seen in the log, does that mean we can control device admin users based on IP address in ISE?

 

We are aware of access-list restrictions on NAD devices, but the customer is specifically asking about support for this feature in ISE.

 

Beginner

Re: Control Device admin users login location using IP address

You would need to figure out which RADIUS/TACACS+ AVP holds that information and test it out. But again, different hardware, IOS, protocol, etc. could provide different results. I wouldn't trust it for all devices unless you test each use case in the lab first. The key is to test extensively first.

 
