Limit tacacs access

Srin_G, Level 3

Hi,

Is it possible to limit access for a specific TACACS+ username? For example, I need privilege 15 for the username xyz from 10.1.1.1 to the client 192.168.1.1, but for the rest of the AAA clients all IP connections should be blocked.

I tried DACLs and per-user NARs but it didn't work. Any suggestions are really appreciated.

cheers

Srinie


6 Replies

Srin_G, Level 3

By the way, we use the Cisco ACS appliance, version 4.2.

cheers

Srinie,

Can you please configure the User Level NAR as follows:

As you can see, I am defining the permitted NAR on both IP-based and CLI/DNIS-based. It is working for me right now. I can access the AAA client called "Switch" but I cannot access any other device.

Hope this helps and will be waiting for your response.

Regards.

Srini,

I have also noticed an interesting detail. If you want to filter TACACS+ access, how did you test the IP-Based NAR?

If you were performing the "test aaa group tacacs legacy" command, then the user will be successfully authenticated by the ACS, as the "test" command does not include an IP address in the request. This will cause the ACS to ignore the IP-based NAR configuration.

If you want to test the IP-Based NAR you might need to Telnet/SSH to the allowed AAA client and then Telnet/SSH to another that should be restricted.

Regards.

G'day Carlos, thanks for the reply, mate.

This TACACS+ username is not for a user; it is a generic username that is used by the WAAS Express to communicate with the WAAS Central Manager. I have attached the screenshot in which 10.97.80.30 is the Central Manager. It works fine, but when I try to telnet/SSH to other routers with this username I get a login prompt but can't log in. The issue here is I just don't want to even get this login prompt.

Srini,

Thanks for the clarification. Unfortunately the ACS will not be able to prevent the user from getting to the Username/Password prompt on any other IOS device.

The most common solution to keep a device from presenting username/password prompts for SSH and Telnet sessions is an extended ACL defined in global configuration mode and applied to the "line vty 0 15" configuration.

It should be something like:

access-list 100 deny ip host 192.168.250.21 any
access-list 100 permit ip any any
line vty 0 4
 access-class 100 in
line vty 5 15
 access-class 100 in

However, the above configuration is based on IP address and not on username. This configuration would work if we know the IP address the username might be connecting from, but if the source IP address is unsure then it might not apply.

Regards.
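As an added example that is not part of the original thread, the following Python models the access-class behaviour described in the reply above: entries are evaluated top-down, the first match wins, an unmatched source hits the implicit deny, and only source and destination addresses are consulted, never the TACACS+ username. The ACL text, the addresses (10.1.1.1 as the host the generic account connects from, 192.168.1.1 as the one permitted AAA client, 10.200.0.0/24 as a management subnet) and the allow-list variant for the permitted device are assumptions for illustration, not configuration from the poster's network.

```python
"""
Model of how an IOS 'access-class <n> in' filter on the vty lines decides
whether a source host reaches the username/password prompt at all.
Entries are evaluated top-down, first match wins, and anything unmatched
falls to the implicit deny IOS appends to every ACL. The filter sees IP
addresses only; the TACACS+ username is never part of the decision.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed IOS ACL text with assumed addresses (not from a real device):
# 10.1.1.1 is the host the generic TACACS+ account connects from.
# Applied on every device the account must NOT reach; 'log' gives a syslog
# record of each blocked attempt.
OTHER_ROUTER_ACL = """
access-list 100 deny ip host 10.1.1.1 any log
access-list 100 permit ip any any
"""

# Allow-list variant for the one permitted device (192.168.1.1): the generic
# account's host and an assumed management subnet get in; there is no
# 'permit ip any any', so every other source hits the implicit deny.
CENTRAL_MANAGER_ACL = """
access-list 101 permit ip host 10.1.1.1 any
access-list 101 permit ip 10.200.0.0 0.0.0.255 any
"""


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an ip_network.

    Wildcard bits set to 1 are 'don't care'. Only contiguous wildcards are
    modelled; a discontiguous one is rejected rather than silently mis-read.
    """
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = ~hostmask & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse numbered extended 'ip' entries into {acl_number: [(action, src, dst), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are modelled: {line!r}")
        src, rest = _take_address(tokens[4:])
        dst, rest = _take_address(rest)
        if rest not in ([], ["log"]):
            raise ValueError(f"unexpected trailing tokens in {line!r}")
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First-match lookup, ending in the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # no entry matched: implicit deny


def reaches_login_prompt(acl_text, acl_number, src_ip, device_ip):
    """True if the vty access-class lets src_ip reach the device's login
    prompt; the TACACS+ user must still authenticate (and pass any ACS-side
    NAR) after that, which this model does not cover."""
    entries = parse_acl(acl_text)[acl_number]
    return evaluate(entries, src_ip, device_ip) == "permit"


if __name__ == "__main__":
    cases = (
        ("allowed client", "192.168.1.1", CENTRAL_MANAGER_ACL, "101"),
        ("any other router", "192.168.2.1", OTHER_ROUTER_ACL, "100"),
    )
    for label, device_ip, text, number in cases:
        for src in ("10.1.1.1", "10.200.0.7", "172.16.5.5"):
            ok = reaches_login_prompt(text, number, src, device_ip)
            print(f"{src:>11} -> {label} {device_ip}: {'prompt' if ok else 'blocked'}")
```

On a real device the equivalent check is "show access-lists 100" for per-entry hit counters (the deny entry's counter climbing is the generic account knocking on a device it should not reach) and "show running-config | section line vty" to confirm the access-class is applied to every vty line, since a single line left without it is enough to expose the prompt.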

Yeah, thought so, mate. Thanks for your clarification.

cheers