cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

829
Views
0
Helpful
6
Replies
Srin_G
Beginner

Limit tacacs access

Hi,

Is it possible to limit access for a specific tacacs username? For example, i need priviledge 15 for the username xyz from 10.1.1.1 to the client 192.168.1.1 but for the rest of the AAA clients all ip connection should be blocked.

I tried DACLS and per user NAR but didnt work. Any suggestions are really appreciated.

cheers

Srinie

1 ACCEPTED SOLUTION

Accepted Solutions

Srini,

Thanks for the clarification. Unfortunately the ACS will not be able to prevent the user from getting to the Username/Password prompt on any other IOS device.

The most common solution to avoid device to present username/password prompts for SSH and Telnet sessios is with an extended ACL defined on Global Configuration mode and apply that ACL to the "line vty 0 15" configuration.

It should be something like:

access-list 100 deny ip host 192.168.250.21 any

access-list 100 permit ip any any

line vty 0 4

access-class 100 in

line vty 5 15

access-class 100 in

However, the above configuration is based on IP Address and not "username". This configuration would work if we now the IP Address the username might be connecting from but if the source IP address is unsure then it might now apply.

Regards.

View solution in original post

6 REPLIES 6
Srin_G
Beginner

By the way we use cisco ACS appliance version 4.2

cheers

Srinie,

Can you please configure the User Level NAR as follows:

As you can see I am defining the Permitted NAR on both IP-Based and CLI/DNIS Based. It is working for me right now. I can access the AAA client called "Switch" but I cannot access any other device.

Hope this helps and will be waiting for your response.

Regards.

Srini,

I have also noticed an interesting detail. If you want to filter TACACS+ access, how did you test the IP-Based NAR?

If you were performing the "test aaa group tacacs legacy" then the user will be successfully authenticated by the ACS as the "test" command does not include an IP Address on the request. This will cause the ACS to ignore the IP-Based NAR configuration.

If you want to test the IP-Based NAR you might need to Telnet/SSH to the allowed AAA client and then Telnet/SSH to another that should be restricted.

Regards.

g'day Carlos, thanks for the reply mate.

This tacacs+ username is not for a user it is a generic username that is used by the waas express to communicate to the waas central manager.I have attached the screenshot in which 10.97.80.30 is the central manager. It works fine but when i try to telnet/ssh to other routers with this username i get a login prompt but cant login. The issue here is i just dont want even to get this login prompt.

Srini,

Thanks for the clarification. Unfortunately the ACS will not be able to prevent the user from getting to the Username/Password prompt on any other IOS device.

The most common solution to avoid device to present username/password prompts for SSH and Telnet sessios is with an extended ACL defined on Global Configuration mode and apply that ACL to the "line vty 0 15" configuration.

It should be something like:

access-list 100 deny ip host 192.168.250.21 any

access-list 100 permit ip any any

line vty 0 4

access-class 100 in

line vty 5 15

access-class 100 in

However, the above configuration is based on IP Address and not "username". This configuration would work if we now the IP Address the username might be connecting from but if the source IP address is unsure then it might now apply.

Regards.

yeah thought so mate. Thanks for your clarification.

cheers

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube