03-07-2018 08:35 AM - edited 02-21-2020 10:47 AM
I have a network management appliance that utilizes CLI access to my network devices to perform certain functions. For compliance and audit purposes, I would like to restrict the use of login credentials established for the appliance such that they can only be used if the SSH connection originates from a specific IP address. Is it possible in IOS to limit the use of a particular set of creds so that only connections from a given IP can utilize them (and perhaps log any attempts from other addresses)?
03-07-2018 11:37 AM
I do not believe this can be accomplished from just using IOS commands.
Do you have something other than SSH enabled for an access method? Are you using some sort of external AAA server? ACS or ISE?
Within IOS you can restrict device access to only be SSH (line vty), then in the external AAA server, set up an authentication rule that only allows TACACS/RADIUS (you didn't specify which) from a specific IP, then an authorization rule to match a specific userID.
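The IOS side of that approach, as an added example that is not from the original post or either poster: it limits the vty lines to SSH, restricts which source addresses may reach them at all, and logs every login attempt so use of the credentials from an unexpected address shows up in syslog. The appliance address 192.0.2.10, the TACACS+ server 192.0.2.20, the ACL and server names, and the shared-secret placeholder are all constructed for illustration; the per-user "only from this IP" binding itself is left to the AAA server policy, as the answer describes.

```cisco
! Added example (not from the original thread). Assumes the management
! appliance sits at 192.0.2.10 and a TACACS+ server at 192.0.2.20; both
! are constructed placeholder values.
!
! 1. Only the appliance's address may open a vty session; anything else
!    is denied, and the log keyword writes a syslog entry with the source.
ip access-list standard MGMT-APPLIANCE
 permit host 192.0.2.10 log
 deny   any log
!
! 2. vty lines accept SSH only and apply the source filter above.
line vty 0 4
 transport input ssh
 access-class MGMT-APPLIANCE in
 exec-timeout 10 0
!
! 3. Record every login attempt, successful or not, so use of the
!    appliance credentials from another address is visible in syslog.
login on-failure log
login on-success log
!
! 4. Hand authentication and authorization to the AAA server; the rule
!    that ties the appliance user to its source IP lives there, not in IOS.
aaa new-model
tacacs server MGMT-TACACS
 address ipv4 192.0.2.20
 key <shared-secret-placeholder>
aaa group server tacacs+ MGMT-AAA
 server name MGMT-TACACS
aaa authentication login default group MGMT-AAA local
aaa authorization exec default group MGMT-AAA local
aaa accounting exec default start-stop group MGMT-AAA
```

Note that `access-class` filters every vty session, so the addresses your human administrators connect from must be added to the same ACL or they will be locked out along with everything else. The `local` keyword at the end of the `aaa` lines is the fallback used only when no TACACS+ server answers; it does not bypass the server's per-user source restriction while the server is reachable.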