Prevent VTY Access by Username

jobrien2
Level 1

I've been digging and I cannot find a solution to this issue, so I'm hoping you can help. We are going to be changing some things in the network and I need the following:

User1 able to SSH with name/password

Network team able to SSH with RSA

Admin (console) username UNABLE to SSH with name/password.

I can get the first two to work with AAA just fine, but in doing so it allows Admin to also log in with username/password. This needs to be resolved before we can implement these changes. Is there a way to apply a limit to vty 0 15 that allows only User1 and RSA, but will deny Admin?


Relevant show run:

enable secret xxx
!
username Admin secret xxx
username User1 secret xxx
!
aaa new-model
!
aaa group server radius ISE
 server name ISE_xxx
 server name ISE_xxx
 ip radius source-interface Vlan2
!
aaa group server radius AAA
 server name xxx
 server name xxx
!
aaa authentication login default local group AAA
aaa authentication login emergency local
aaa authentication dot1x default group ISE
aaa authorization exec default local group AAA
aaa authorization network default group ISE
aaa authorization network auth-list group ISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE
!
line con 0
 exec-timeout 20 0
 logging synchronous
 login authentication emergency
 stopbits 1
!
line vty 0 4
 exec-timeout 20 0
 length 0
 transport input ssh
!
line vty 5 15
 transport input ssh
!


balaji.bandi
Hall of Fame

Console means you need to connect the blue console cable to the device (it's not SSH).

Admin (console) username UNABLE to ssh with name/password.

!

line con 0
exec-timeout 20 0
logging synchronous
login authentication emergency

BB

I apologize, I should be more specific.

With the above config, User1 can SSH with name & password (good); Network team can SSH with name & token (good); and Admin can SSH with name & password (bad). This will not pass our security guidelines.

I'm wondering if there is a config that I'm missing that allows User1 to SSH with name/password, and the Network team to SSH with token, but I need it to *deny* Admin SSH access with name/password and only allow Admin on physical console login. IP ACL will not work, as anywhere the Network team would need access from, Admin would also work. I need a deny based on username. Is this possible?

Thank you for your help.
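To make the exposure described above visible before a change ships, here is an added audit script (not from this thread or from Cisco) that parses a running-config excerpt and reports which local usernames each vty range will accept. It assumes the IOS behaviour that a line without its own "login authentication" statement uses the "default" list, and the sample config is a constructed, redacted copy of the one posted above.

```python
import re

# Constructed excerpt of the running-config posted in the thread (secrets redacted,
# RADIUS/dot1x lines omitted); no vty line carries its own "login authentication".
SAMPLE_CONFIG = """\
username Admin secret xxx
username User1 secret xxx
aaa new-model
aaa authentication login default local group AAA
aaa authentication login emergency local
line con 0
 login authentication emergency
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

def parse(config):
    """Collect local usernames, login method lists, and each line's login list."""
    users, lists, lines, current = [], {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"username (\S+)", text):
            users.append(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|aux|vty) ?(.*)", text):
            current = text[5:]                # e.g. "con 0", "vty 0 4"
            lines[current] = "default"        # IOS applies the default list unless overridden
        elif current and (m := re.match(r"login authentication (\S+)", text)):
            lines[current] = m.group(1)
    return users, lists, lines

def local_users_on_vty(config):
    """Map each vty range to the local usernames its login list will accept.

    A list containing 'local' (or 'local-case') admits every local username,
    so a console-only account such as Admin becomes reachable over SSH.
    """
    users, lists, lines = parse(config)
    exposed = {}
    for name, list_name in lines.items():
        if name.startswith("vty"):
            methods = lists.get(list_name, [])
            hits = "local" in methods or "local-case" in methods
            exposed[name] = list(users) if hits else []
    return exposed

if __name__ == "__main__":
    for vty, names in local_users_on_vty(SAMPLE_CONFIG).items():
        print(f"{vty}: local accounts reachable via SSH -> {names or 'none'}")
```

Run against the posted config it lists Admin and User1 on both vty ranges, which is exactly the problem raised; a vty-specific list without "local" makes the report empty.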