Solved: SSH Access for Given User Restricted to IP Address

njsanders1 · ‎03-07-2018

I have a network management appliance that utilizes CLI access to my network devices to perform certain functions. For compliance and audit purposes, I would like to restrict the use of login credentials established for the appliance such that they can only be used if the SSH connection originates from a specific IP address. Is it possible in IOS to limit the use of a particular set of creds so that only connections from a given IP can utilize them (and perhaps log any attempts from other addresses)?

jwillie3 · ‎03-07-2018

I do not believe this can be accomplished from just using IOS commands.

Do you have something other than SSH enabled for an access method? Are you using some sort of external AAA server? ACS or ISE?

Within IOS you can restrict device access to only be SSH (line vty), then in the external AAA server, setup an authentication rule that only allows TACACS/RADIUS (you didn't specify which) from a specific IP, then an authorization rule to match a specific userID.

View solution in original post

jwillie3 · ‎03-07-2018

I do not believe this can be accomplished from just using IOS commands.

Do you have something other than SSH enabled for an access method? Are you using some sort of external AAA server? ACS or ISE?

Within IOS you can restrict device access to only be SSH (line vty), then in the external AAA server, setup an authentication rule that only allows TACACS/RADIUS (you didn't specify which) from a specific IP, then an authorization rule to match a specific userID.