09-09-2021 03:49 PM
I don't need to know how to do it, just need to know if it can be done.
09-09-2021 03:56 PM
Hello,
What do you mean by 'admin' accounts? Any user/account can be blocked by RADIUS. What RADIUS host software are we talking about?
09-10-2021 12:16 AM
To have more clarity: admin accounts, the locally created ones? "prevent remote logins" means outside your network?
You can allow only network IP addresses to access devices?
09-10-2021 08:45 AM
What I mean is: can local administrative accounts be blocked from any remote access?
If users with admin privileges can log in locally, can those same users be blocked from logging in remotely?
Can RADIUS be configured to notice that an account has admin privileges and, because of those privileges, deny any remote login?
Can RADIUS be configured so that those with admin privileges can only log in locally?
09-10-2021 09:04 AM
Is this ISE or ACS? You can have a condition match against an IP range.
But again, when the user is coming from remote, using a public IP, why would you allow external access to devices? That is a security risk.
You can add an ACL to allow only an IP address range to access the device from the LAN (with IP address range).
Does this make sense?
09-12-2021 05:23 PM
Thank you for your reply. That does make sense. However, I am not looking to block by IP range.
I want to allow users with admin privileges to login locally, but not remotely.
09-13-2021 01:06 AM
I am still not clear about your terminology and what you are wanting to accomplish. When you talk about local administrative accounts is this user IDs and passwords configured on the individual router/switch? Or is there more to this term? And when you say login locally are you talking just about logging in on the console? Or is there more to it than just console access? And when you talk about remote login is this just access to vty ports using telnet/SSH or is there more to it than this?
If what you want to accomplish is that any login on the console authenticates using only the locally configured IDs and any login on the vty uses only IDs configured on the Radius server, it is fairly simple. When you enable aaa new-model it defaults to using locally configured IDs. So that would take care of console login. So you need to configure an aaa authentication method for the vty that specifies authentication using your Radius server.
If what I am describing is not what you want to accomplish then please provide clarification.
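A minimal IOS configuration for the split just described (console authenticates locally, vty authenticates only against RADIUS), added here as an illustration and not taken from any post in the thread; the server name, address, group name, username and shared secret are placeholders:

```cisco
! Added example, not from the original posts. Names, addresses and secrets are placeholders.
aaa new-model
!
! RADIUS server definition (placeholder address and shared secret)
radius server ISE-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius RADIUS-VTY
 server name ISE-PRIMARY
!
! Console: only the locally configured usernames are consulted.
aaa authentication login CONSOLE local
! VTY (telnet/SSH): only the RADIUS group is consulted. There is deliberately
! no "local" fallback, so a locally defined admin account cannot be used remotely.
aaa authentication login VTY group RADIUS-VTY
!
! Local administrator, usable on the console only under this configuration
username localadmin privilege 15 secret REPLACE_ME
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY
 transport input ssh
```

Because the VTY method list has no local fallback, remote login fails whenever the RADIUS server is unreachable and only console access remains, which is the trade-off the question implies. Check `show aaa servers` for a reachable server before closing your console session.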
09-13-2021 11:10 AM
Thank you for the reply. You clearly know much more about this than I do. I did not think the question was that complicated.
Using the method that you described, would the RADIUS server have to use Active Directory, or LDAP, or something, to see if a remote user can be logged in? Or does RADIUS have its own user database that needs to be configured? Does RADIUS have to be configured to exclude certain users, or can RADIUS be configured to look up user access permissions, and then exclude any user that has administrative privileges?
Thank you again.
09-13-2021 10:20 PM
The Radius server could use LDAP or Active Directory but is not required to use LDAP or Active Directory and could use some other resource to determine which users to allow access.