07-02-2012 12:23 AM - edited 03-10-2019 07:15 PM
Hi,
we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.
What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.
I can do this for authorization, easily; that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is that, as it is currently, the automated tools are prone to a sort of DoS attack: if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
I want to ignore all authentication attempts, unless they are coming from well known source IPs.
Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt should be ignored. Currently, after five (or whatever is configured) failed attempts, the user will be disabled. Only attempts from 10.20.30.40 should be considered for user netmon.
I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.
Any ideas?
07-02-2012 09:12 PM
You can use a compound condition such that you include the TACACS+ attribute "remote-address" and AND that condition with the username. You can set the condition in the service selection rules so that authentication doesn't occur and the request is discarded.
Then you can set the service that you want to map this user request to.
thanks,
Tarik Admani
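To make the effect of the rule concrete, here is an added example (not part of the thread and not ACS configuration) that models the logic in Python: a service selection step that drops requests for restricted accounts unless the TACACS+ remote-address falls inside an allow-list, placed in front of the password check so that dropped requests never touch the failed-attempt counter. The account names, allow-listed networks, passwords and the attacker's source address are constructed placeholders; the lockout threshold of five mirrors the one in the question.

```python
"""
Model of an ACS-style service selection rule: restricted (automated-tool)
accounts are only evaluated when the TACACS+ remote-address is allow-listed;
everything else is discarded before authentication, so it cannot lock the
account out. Example code for illustration, not ACS configuration.
"""
import ipaddress
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # failed attempts before the account is disabled

# Constructed sample policy (assumption): restricted account -> allowed sources.
# The remote-address value is the login's source IP as reported by the network
# device in the TACACS+ START packet, so it is as trustworthy as that device.
RESTRICTED_ACCOUNTS = {
    "netmon": [ipaddress.ip_network("10.20.30.40/32")],
    "backup-tool": [ipaddress.ip_network("10.20.31.0/24")],
}


@dataclass
class Request:
    username: str
    remote_address: str  # TACACS+ "remote-address" attribute
    password: str


@dataclass
class UserStore:
    """Internal user database with a per-user failed-attempt counter."""
    passwords: dict
    failed: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def authenticate(self, req: Request) -> str:
        if req.username in self.disabled:
            return "disabled"
        if self.passwords.get(req.username) == req.password:
            self.failed[req.username] = 0
            return "pass"
        self.failed[req.username] = self.failed.get(req.username, 0) + 1
        if self.failed[req.username] >= LOCKOUT_THRESHOLD:
            self.disabled.add(req.username)
        return "fail"


def service_selection(req: Request) -> str:
    """Compound condition: (username is restricted) AND (remote-address not
    in its allow-list) -> "drop"; otherwise route to the normal service."""
    allowed = RESTRICTED_ACCOUNTS.get(req.username)
    if allowed is None:
        return "default-service"  # ordinary users may log in from anywhere
    src = ipaddress.ip_address(req.remote_address)
    if any(src in net for net in allowed):
        return "default-service"
    return "drop"


def handle(store: UserStore, req: Request) -> str:
    """Full request path: selection rule first, authentication only if routed."""
    if service_selection(req) == "drop":
        return "dropped"  # discarded; failed-attempt counter untouched
    return store.authenticate(req)


def lockout_dos(username: str, attacker_ip: str, with_rule: bool) -> bool:
    """Simulate ten wrong-password attempts from attacker_ip and report
    whether the account ended up disabled."""
    store = UserStore(passwords={username: "s3cret"})
    for _ in range(10):
        req = Request(username, attacker_ip, "wrong-password")
        if with_rule:
            handle(store, req)
        else:
            store.authenticate(req)
    return username in store.disabled


if __name__ == "__main__":
    print("netmon disabled without rule:", lockout_dos("netmon", "192.0.2.10", False))
    print("netmon disabled with rule:   ", lockout_dos("netmon", "192.0.2.10", True))
```

The ordering is the whole point: a selection rule that discards the request sits before the identity store is consulted, so the attempt is neither authenticated nor counted. Ordinary users are untouched by the rule and keep the normal lockout behaviour, and a legitimate login from the allow-listed address still goes through the password check.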
07-03-2012 10:30 PM
Tarik: you always have very good answers. +5 my friend.
07-04-2012 12:02 AM
Thanks, I guess this is what I was looking for, although for now our service selection rules are just the basic set.
07-04-2012 12:15 AM
Well, when I started with ACS 5.x I found later that it is better to keep everything rule-based (even if only simple rules are there). That will make it easier to add more roles in the future than moving from a single selection policy to a rule-based policy.
BTW, please don't forget to mark Tarik's answer as correct so others can make better use of this thread in the future.
Regards,
Amjad