kdotzoltan_2004
Beginner

Limit AAA authentication for certain users by source IP

Hi,

we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.

What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.

I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.

I want to ignore all authentication attempts, unless they are coming from well known source IPs.

Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Only attempts from 10.20.30.40 should be considered for user netmon.

I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.

Any ideas?

ACCEPTED SOLUTION
Tarik Admani
Advocate

You can use a compound condition such that you include the TACACS+ attribute "remote-address" and AND that condition with the username. You can set the condition in the service selection rules so authentication doesn't occur and the request is discarded.

Then you can set the service that you want to map this user request to.

thanks,

Tarik Admani
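To make the mechanism in the accepted answer concrete, here is a small Python model of the policy flow it describes. This is an added illustration, not code from ACS or from either poster: ACS 5.x is configured in its GUI, so the rule table, the lockout threshold, the service name and the class/function names below are all constructed stand-ins. The one protocol fact it relies on is that the TACACS+ "remote-address" (rem_addr) is the end user's address as reported by the network device, not the device's own address, so it is only as trustworthy as the NAS that sends it.

```python
"""Model of ACS-style service selection with a username AND remote-address
compound condition, showing why a discarded request cannot drive a lockout.

All names, the rule table and the threshold are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed rule table: service account -> source networks it may come from.
# TACACS+ rem_addr is the user's address as reported by the NAS (assumption:
# the devices populate it, which Cisco IOS does for SSH/Telnet sessions).
RESTRICTED_USERS = {
    "netmon": [ipaddress.ip_network("10.20.30.40/32")],
}
LOCKOUT_THRESHOLD = 5          # "disable after five failures" from the question
ACCESS_SERVICE = "Default Device Admin"   # hypothetical service name


@dataclass
class Request:
    username: str
    rem_addr: str        # TACACS+ remote-address as sent by the NAS
    password_ok: bool    # stand-in for the identity-store check


@dataclass
class AcsModel:
    failures: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def service_selection(self, req: Request) -> str:
        """Compound condition: username AND remote-address.

        Unrestricted users always reach the access service. Restricted users
        reach it only from a listed network; anything else is discarded
        before authentication, so no failure is recorded.
        """
        nets = RESTRICTED_USERS.get(req.username)
        if nets is None:
            return ACCESS_SERVICE
        try:
            addr = ipaddress.ip_address(req.rem_addr)
        except ValueError:
            # rem_addr may be a tty name or empty; that is not a known host.
            return "discard"
        return ACCESS_SERVICE if any(addr in n for n in nets) else "discard"

    def handle(self, req: Request) -> str:
        if self.service_selection(req) == "discard":
            return "discarded"            # counter untouched
        if req.username in self.disabled:
            return "account-disabled"
        if req.password_ok:
            self.failures[req.username] = 0
            return "pass"
        n = self.failures.get(req.username, 0) + 1
        self.failures[req.username] = n
        if n >= LOCKOUT_THRESHOLD:
            self.disabled.add(req.username)
        return "fail"


def demo():
    """Replays the scenario from the question. Returns (results, model)."""
    acs = AcsModel()
    results = []
    # Laptop (constructed address) guesses netmon's password ten times.
    for _ in range(10):
        results.append(acs.handle(Request("netmon", "192.168.1.23", False)))
    # The real tool on 10.20.30.40 still authenticates normally.
    results.append(acs.handle(Request("netmon", "10.20.30.40", True)))
    # An unrestricted user from the laptop is still authenticated (and can
    # still be locked out), which is why a device ACL would not fit here.
    results.append(acs.handle(Request("admin", "192.168.1.23", False)))
    # A NAS that does not fill in rem_addr yields a discard for netmon.
    results.append(acs.handle(Request("netmon", "", True)))
    return results, acs


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The point the model makes is the ordering: the compound condition is evaluated in service selection, ahead of any identity-store lookup, so the attacker's attempts never touch the failure counter, while the same account from its known host can still be locked out by five genuine wrong passwords. Note the last case: if a device sends no usable remote-address, the restricted account is discarded rather than allowed, which is the safe default but means the rule has to be tested per platform.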

