cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1982
Views
10
Helpful
4
Replies

Limit AAA authetication for certain users by source IP

kdotzoltan_2004
Level 1
Level 1

Hi,

we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.

What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.

I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.

I want to ignore all authentication attempts, unless they are coming from well known source IPs.

Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Oly attempts from 10.20.30.40 should be considered for user netmon.

I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.

Any ideas?

1 Accepted Solution

Accepted Solutions

Tarik Admani
VIP Alumni
VIP Alumni

You can use a compound condition such that you include the tacacs attribute "remote-address" and and that condition with username. You can set the condition in the service selection rules so authentication doesnt occur and the request is discarded:

Then you can set the service that you want to map this user request to.

thanks,

Tarik Admani

View solution in original post

4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

You can use a compound condition such that you include the tacacs attribute "remote-address" and and that condition with username. You can set the condition in the service selection rules so authentication doesnt occur and the request is discarded:

Then you can set the service that you want to map this user request to.

thanks,

Tarik Admani

Tarik: you are always have very good answers. +5 my friend.

Rating useful replies is more useful than saying "Thank you"

Thanks, I guess this is what I was looking for, although for now our service selection rules are just the basic set.

Well, When I started with ACS 5.x I found later it is better to keep all things in rule based (even simiple rules are there). That will make it easier to add more roles in the future than moving from single selection policy to rule based policy.

BTW, don't forget please to mark the Tarik's correct answer for others to take better use of this thread in the future.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"