Console Server TTY/Port Control with ISE

nplusplus
Level 1

Good Evening, All,


Does anyone know how I might refer to a particular TTY line or range of TTY lines on a device to use as an authorization condition for TACACS device administration in ISE?  We are providing console services via an async module with a few octal cables, and I would like to limit access for a certain LDAP group to the async lines or specific async lines only.  It is not clear to me how to reference those lines in a network condition.  I have been able to see that when I connect to one of these lines and authenticate, which allows me access to a console or serial device connected to the other end, ISE receives a "Device Port" authentication attribute from the authenticating console server with a value of "tty<something>" (e.g. 0/1/1 or 0/1/0).


Any help is appreciated.


Thank you,

Nathan

Accepted Solution

@Mike.Cifelli , I apologize for not replying for so long, but I just wanted to provide an update.  This fell on the back burner but came back up again in the last few weeks.  I ultimately ended up doing it in TACACS and used a "Device Port Network Condition" with an entry like "<network device name>,tty0/1/12" on the "Devices" tab of the condition set.  I then used that condition in a device admin policy authorization rule.

Thank you!


4 Replies

Mike.Cifelli
VIP Alumni

I think what you are looking for, condition-wise, is something like this:

NAS Port ID - tty1

Taking a look at a detailed radius live log will show you this information:

(attached screenshot: rad_detail_log_nas_port_id.PNG)


Then authz condition:

(attached screenshot: rad_attr_nas_port_id.PNG)

HTH!

Thank you, @Mike.Cifelli ,


I'll try this as soon as I get an opportunity and let you know the outcome.  My only doubt comes from not seeing "NAS-Port-Id" in the session logs.


Regards,

Nathan

Mike.Cifelli
VIP Alumni

My only doubt comes from not seeing "NAS-Port-Id" in the session logs.

-NAS-Port-ID is a RADIUS attribute.  Take a look at this: ISE Profiling Design Guide - Cisco Community - Device Sensor 'Configuring Radius Probe' section.  The RADIUS probe collects attributes sent in RADIUS accounting packets by the Device Sensor feature.
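The two approaches in this thread both key authorization off the line identifier the console server reports: TACACS+ carries it as the "Device Port" attribute and the accepted solution matches it with a Device Port Network Condition entry like "<network device name>,tty0/1/12", while the RADIUS path exposes the same information as NAS-Port-Id. The evaluator below is an added example, written for this page and not part of the thread or of Cisco ISE, that shows the matching logic such a condition performs and extends it to the line ranges the original question asked about. The rule syntax (a constructed "tty0/1/0-15" range form), the device names, the LDAP group names, the sample requests and every function name are assumptions of the example; ISE's own condition editor takes single-line entries as shown in the accepted solution.

```python
"""Added example (not from the thread or from Cisco ISE): a default-deny
evaluator for per-console-line authorization rules of the form
"<device>,tty<slot/sub/line>" or, as a constructed extension,
"<device>,tty<slot/sub/lo-hi>" covering a block of async lines."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line identifier as a console server reports it, e.g. "tty0/1/12" or "tty1".
# The optional "-hi" suffix is the range form constructed for this example.
_TTY_RE = re.compile(r"^tty(?P<prefix>(?:\d+/)*)(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


@dataclass(frozen=True)
class DevicePortRule:
    device: str   # network device name as defined in ISE (assumed value)
    prefix: str   # slot/subslot part of the line id, e.g. "0/1/"
    lo: int       # first line number covered
    hi: int       # last line number covered (== lo for a single line)


def parse_rule(entry: str) -> DevicePortRule:
    """Parse "<device>,tty<prefix><line>" or "<device>,tty<prefix><lo>-<hi>"."""
    device, _, port = entry.partition(",")
    m = _TTY_RE.match(port.strip())
    if not device.strip() or m is None:
        raise ValueError(f"bad device-port entry: {entry!r}")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] is not None else lo
    if hi < lo:
        raise ValueError(f"inverted line range in {entry!r}")
    return DevicePortRule(device.strip(), m["prefix"], lo, hi)


def rule_matches(rule: DevicePortRule, device: str, port: str) -> bool:
    """True if the (device, tty line) pair from a request falls under the rule."""
    if device != rule.device:
        return False
    m = _TTY_RE.match(port)
    # A request names exactly one line: reject ranges and other slot prefixes.
    if m is None or m["hi"] is not None or m["prefix"] != rule.prefix:
        return False
    return rule.lo <= int(m["lo"]) <= rule.hi


def line_from_request(attrs: Dict) -> Optional[str]:
    """Return the attribute that names the line: TACACS+ reports it as
    "Device Port", RADIUS as "NAS-Port-Id" (both names appear in the thread)."""
    return attrs.get("Device Port") or attrs.get("NAS-Port-Id")


def authorize(attrs: Dict, policy: List[Tuple[str, List[DevicePortRule]]]) -> str:
    """Evaluate (ldap_group, rules) rows in order; permit on the first match,
    otherwise deny. A request without any line attribute is denied outright,
    so a missing attribute can never widen access."""
    port = line_from_request(attrs)
    if port is None:
        return "DENY"
    for group, rules in policy:
        if group not in attrs.get("groups", ()):
            continue
        if any(rule_matches(r, attrs["device"], port) for r in rules):
            return "PERMIT"
    return "DENY"


# Constructed policy: group "console-ops" may use lines 0-15 on module 0/1 of
# console server "cs-dc1", plus one specific line on "cs-dc2".
POLICY = [
    ("console-ops", [parse_rule("cs-dc1,tty0/1/0-15"), parse_rule("cs-dc2,tty0/1/12")]),
]

# Constructed sample requests (attribute names as they appear in the thread).
REQUESTS = [
    {"device": "cs-dc1", "Device Port": "tty0/1/3", "groups": {"console-ops"}},
    {"device": "cs-dc1", "NAS-Port-Id": "tty0/1/16", "groups": {"console-ops"}},
    {"device": "cs-dc2", "Device Port": "tty0/1/12", "groups": {"console-ops"}},
    {"device": "cs-dc2", "Device Port": "tty0/1/12", "groups": {"net-admins"}},
    {"device": "cs-dc1", "Device Port": "tty0/2/3", "groups": {"console-ops"}},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["device"], line_from_request(req), sorted(req["groups"]),
              "->", authorize(req, POLICY))
```

Running the block prints PERMIT for the first and third requests and DENY for the rest: line 16 is outside the 0-15 range, "net-admins" has no row in the policy, and "tty0/2/3" sits on a different subslot than the rule's "0/1/" prefix. Rules are evaluated against the device name as well as the line, which is what keeps a "tty0/1/12" entry from matching the same line number on every console server that uses the policy.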

