10-18-2006 05:12 AM - edited 03-10-2019 02:48 PM
Hi Experts,
Is there a way to allow a user/group in the ACS to access comm equipment with Telnet only (not allowed to use SSH or HTTP)?
many thanks
10-23-2006 09:06 AM
You can provide a user group in ACS.
http://cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204ceb.html
10-23-2006 11:14 PM
But it's not answering the question of how to allow only Telnet access.
10-26-2006 11:03 AM
There is no way that ACS can differentiate between a Telnet and an SSH session. It can differentiate an HTTP session from a Telnet session, but if you block HTTP, Telnet will be blocked automatically. The workaround is to put restrictions on the IOS devices.
If you want users not to SSH to the IOS devices, then disable SSH on the vty of the device (use the command "transport input telnet" on the vty; this will enable only Telnet on the vty).
For HTTP authentication there are 2 ways:
1) Point the HTTP authentication to the local database of the device and do not configure a local username/password for any users except those you want to allow.
2) For the second method you need to configure "aaa authorization exec default group tacacs local" on the device, and in the ACS group check Shell (exec) and under privilege level assign privilege 2. Now users will not be able to HTTP to the device but can Telnet.
Hope this helps .
regards,
Jasjeet
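The workaround described in the reply above, written out as an IOS configuration. This is an added example, not configuration from the original thread; the TACACS+ server address, key and username are placeholders, and the two HTTP options are alternatives, not meant to be applied together.

```cisco
! Added example (not from the original thread). Placeholder values:
! 192.0.2.10 (TACACS+/ACS server), <placeholder-key>, webadmin.
!
! --- Step 1: restrict the vty lines so only Telnet is accepted; SSH to
! the vty is refused at the device regardless of what ACS authorizes ---
line vty 0 4
 transport input telnet
!
! --- HTTP option 1: authenticate HTTP against the local database and
! create local accounts only for the users who may use HTTP. Users that
! exist only in ACS then have no credentials the HTTP server will accept ---
ip http server
ip http authentication local
username webadmin privilege 15 secret <placeholder-password>
!
! --- HTTP option 2 (alternative to option 1): send exec authorization to
! ACS with local fallback. In the ACS group, Shell (exec) is enabled with
! privilege level 2, which is below the level 15 the web interface needs,
! so those users can still Telnet but cannot use HTTP ---
aaa new-model
tacacs-server host 192.0.2.10 key <placeholder-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip http server
ip http authentication aaa
```

The keyword is `tacacs+` in IOS syntax. Note that `transport input telnet` leaves only a cleartext management protocol on the vty lines, so the management network itself must be trusted.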