Console Server TTY/Port Control with ISE

nplusplus
Level 1

Good Evening, All,
Does anyone know how I might refer to a particular TTY line or range of TTY lines on a device to use as an authorization condition for TACACS device administration in ISE?  We are providing console services via an async module with a few octa cables, and I would like to limit access for a certain LDAP group to the async lines or specific async lines only.  It is not clear to me how to reference those lines in a network condition.  I have been able to see that when I connect to one of these lines and authenticate, which allows me access to a console or serial device connected to the other end, ISE receives a "Device Port" authentication attribute from the authenticating console server with a value of "tty<something>" (i.e. 0/1/1 or 0/1/0).
Any help is appreciated.
Thank you,

Nathan

4 Replies

Mike.Cifelli
VIP Alumni

I think what you are looking for condition wise is something like this:

NAS Port ID - tty1

Taking a look at a detailed radius live log will show you this information:

[Screenshot: rad_detail_log_nas_port_id.PNG]
Then authz condition:

[Screenshot: rad_attr_nas_port_id.PNG]

HTH!

Thank you, @Mike.Cifelli ,
I'll try this as soon as I get an opportunity and let you know the outcome.  My only doubt comes from not seeing "NAS-Port-Id" in the session logs.
Regards,

Nathan

Mike.Cifelli
VIP Alumni

My only doubt comes from not seeing "NAS-Port-Id" in the session logs.

-NAS-Port-ID is a RADIUS attribute.  Take a look at this: ISE Profiling Design Guide - Cisco Community - Device Sensor 'Configuring Radius Probe' section.  The RADIUS probe collects attributes sent in RADIUS accounting packets by the Device Sensor feature.

@Mike.Cifelli , I apologize for not replying for so long, but I just wanted to provide an update.  This fell on the back burner but came back up again in the last few weeks.  I ultimately ended up doing it in TACACS and used a "Device Port Network Condition" with an entry like "<network device name>,tty0/1/12" on the "Devices" tab of the condition set.  I then used that condition in a device admin policy authorization rule.

Thank you!
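Added illustration, not code from the thread or from Cisco: it assumes that the "Device Port" value ISE matches in the accepted answer is the port field of the TACACS+ authorization REQUEST (RFC 8907 section 6.1), parses a constructed, already de-obfuscated request body to pull out that field, and then emulates the "<network device name>,tty0/1/12" entry match; the device name "console-srv-1", the user and the args are constructed sample values.

```python
import struct


def parse_tacacs_authz_request(body: bytes) -> dict:
    """Parse a TACACS+ authorization REQUEST body (RFC 8907 section 6.1).

    Assumes the 12-byte packet header has been stripped and the body is already
    de-obfuscated. Returns user, port (e.g. "tty0/1/12"), rem_addr and the
    attribute-value args.
    """
    if len(body) < 8:
        raise ValueError("body too short for fixed fields")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt

    def take(n: int) -> bytes:
        nonlocal off
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated field")
        off += n
        return chunk

    user = take(user_len).decode("ascii")
    port = take(port_len).decode("ascii")          # the line the admin came in on
    rem_addr = take(rem_addr_len).decode("ascii")
    args = [take(n).decode("ascii") for n in arg_lens]
    return {"priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args}


def build_authz_request(user, port, rem_addr, args, priv_lvl=1) -> bytes:
    """Inverse of the parser, used only to construct sample input offline."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    # authen_method=TACACSPLUS (6), authen_type=ASCII (1), authen_service=LOGIN (1)
    head = struct.pack("!8B", 6, priv_lvl, 1, 1, len(u), len(p), len(r), len(a))
    return head + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def device_port_condition_matches(entries, device_name, port) -> bool:
    """Emulate an ISE 'Device Port' network condition: each entry is '<device>,<port>'."""
    wanted = {tuple(s.strip() for s in e.split(",", 1)) for e in entries}
    return (device_name, port) in wanted
```

Only the exact (device, port) pairs listed in the condition match, so a session on tty0/1/0 of the same console server is not authorized by a rule built on the tty0/1/12 entry.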