Tacacs : Telnet Vs SSH

lni1
Level 1

Hello,

 

We are in the process of migrating our device access from Telnet to SSH using Tacacs+.

In ISE (2.0 #6) we would like to create 2 different users: one user if access is done using Telnet, another user if access is done via SSH.

Is there an attribute in the Tacacs+ authentication process in ISE where we can differentiate if a user is using Telnet or SSH?

 

Kind regards,

Lieven Stubbe

Belgian Railways

4 Replies

Hi,

I've had a quick look and don't think you can differentiate telnet/ssh protocols in a rule.

 

What you could do is create 2 separate AuthZ rules and use the condition "TACACS·User EQUALS xxxxxx" for the telnet user and another rule for the ssh user, to differentiate between the users. xxxxxx = the name of the user you create for telnet/ssh.

 

HTH

Hello RJI,

 

Can you elaborate on the AuthZ solution a little more? I don't quite get it...

The one user should only be used for Telnet and the other for SSH.

 

Lieven

 

Ah ok, sorry, I misunderstood/misread. I don't think you can distinguish between telnet/ssh. My suggestion was to merely differentiate the user authentications, which could then be used for different levels of AuthZ.

hslai
Cisco Employee

It seems possible with ASA. See Device Policy Sets - tacacs ports 443 and 22

This depends on the T+ implementation on the network device platforms.