06-01-2018 06:22 AM - edited 02-21-2020 10:57 AM
Hello,
We are in the process of migrating our device access from Telnet to SSH using TACACS+.
In ISE (2.0 #6) we would like to create 2 different users: one user if access is done using Telnet, another user if access is done via SSH.
Is there an attribute in the TACACS+ authentication process in ISE where we can differentiate whether a user is using Telnet or SSH?
Kind regards,
Lieven Stubbe
Belgian Railways
06-01-2018 07:06 AM
Hi,
I've had a quick look and don't think you can differentiate the Telnet/SSH protocols in a rule.
What you could do is create 2 separate AuthZ rules and use the condition "TACACS·User EQUALS xxxxxx" for the Telnet user and another rule for the SSH user, to differentiate between the users. xxxxxx is the name of the user you create for Telnet/SSH.
HTH
06-01-2018 07:20 AM
Hello RJI,
Can you elaborate the AuthZ solution a little more? I don't quite get it...
The one user should only be used for Telnet and the other for SSH.
Lieven
06-01-2018 07:43 AM
06-02-2018 11:00 PM
It seems possible with ASA. See Device Policy Sets - TACACS ports 443 and 22.
This depends on the T+ implementation on the network device platforms.
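To make the last point concrete: the only transport hint a TACACS+ server ever receives is whatever the network device writes into the `port` and `rem_addr` fields of the authentication START packet (RFC 8907, section 5.1). The example below is added here and is not code from the thread, from ISE or from Cisco. It builds a START packet with the RFC 8907 body obfuscation (chained MD5 pseudo-pad), parses it back the way a server would, and then classifies the session from the `port` string. The sample values ("ssh", "telnet", "tty2", the usernames, addresses and shared key) are constructed for the example, and the `classify_access` mapping is an assumption: whether a given platform sends "ssh" or only a line name such as "tty2" for both Telnet and SSH is exactly what the reply above says depends on the device.

```python
import hashlib
import struct
from dataclasses import dataclass

# RFC 8907 constants used below
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is not obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12
START_FIXED_FMT = "!BBBBBBBB"       # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(session_id: int, seq_no: int, key: bytes,
                       user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """What a NAS sends: header plus (obfuscated) authentication START body.
    An empty key produces an unobfuscated packet with the UNENCRYPTED flag set."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack(START_FIXED_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    if key:
        body = xor_body(body, pseudo_pad(session_id, key, version, seq_no, len(body)))
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


@dataclass
class AuthenStart:
    user: str
    port: str        # NAS-supplied line/port string: the only place a transport hint can live
    rem_addr: str    # NAS-supplied remote address string
    priv_lvl: int
    authen_type: int


def parse_authen_start(packet: bytes, key: bytes) -> AuthenStart:
    """Server side: verify framing, undo obfuscation, extract the START fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError(f"not an authentication packet (type {ptype})")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, pseudo_pad(session_id, key, version, seq_no, length))
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, _service, ulen, plen, rlen, dlen = struct.unpack(START_FIXED_FMT, body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ulen + plen + rlen + dlen != length:
        # A wrong shared key scrambles these length bytes, so this check also catches key mismatch.
        raise ValueError("START length fields do not match body (bad key or malformed packet)")
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem = body[off:off + rlen]
    return AuthenStart(user.decode(errors="replace"), port.decode(errors="replace"),
                       rem.decode(errors="replace"), priv_lvl, authen_type)


def classify_access(start: AuthenStart) -> str:
    """Assumed mapping from the port string to a transport. Returns "unknown" when the
    NAS only sends a line name (e.g. "tty2"), which IOS uses for both Telnet and SSH
    sessions, so the server cannot tell them apart from the protocol alone."""
    p = start.port.lower()
    if "ssh" in p:
        return "ssh"
    if "telnet" in p:
        return "telnet"
    return "unknown"
```

Run `parse_authen_start(build_authen_start(...), key)` with the same key on both sides to see the round trip; feed a different key to the parser and the length-field check raises instead of returning garbage. The practical takeaway for the ISE question is the third case: when the device populates `port` with a line name only, no server-side attribute can recover the transport.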