Terminal Server Access Restrictions

sw1
Level 1

Hi, I'm in the process of setting up a test LAN consisting of a number of switches/routers. The devices in turn will be connected to a Cisco terminal server which is configured to use ACS for authentication. The question is, how do I restrict access to a group of engineers to connect only to devices on ports 2001 through 2008 and another group of engineers to connect only to devices on ports 2009 through to 2016?

Kind Regards

Steve

4 Replies

lgijssel
Level 9

If the engineers are using fixed IP addresses, you can use an extended access-list. This kind of solution is not 100% safe though.

Otherwise you could apply a radius server to allow access based on username/password. This is a better solution but it is also more expensive and more complicated.

Regards,

Leo

Hi Leo,

The engineers would be using non fixed addresses so I guess the first solution would be more difficult to implement.

The sound of your 2nd solution sounds good. Would this mean applying say TACACS/RADIUS to the individual async lines, creating a group, placing the engineers in that group and only allow that specific group to access a specific number of lines?

Regards

Steve

Bingo! Each group (may be more than two) has the rights to access a subset of the lines. Group membership defines which lines.

Now, this is easier said than done but in concept it is a perfect solution to many security issues.

If you are looking for a cheap solution and you are not afraid of non-Windows based solutions, try FreeRadius at www.freeradius.org

Good luck,

Leo
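
One way to express the group-to-line mapping described in the reply above, as an added example that is not part of the original thread: IOS reverse-access authorization against a TACACS+ server, with each group's permitted lines held in a tac_plus-style profile. The hostname ts1, the server address, the key and hash placeholders, the group and user names, and the assumption that ports 2001 to 2016 correspond to tty1 to tty16 are all assumptions.

```text
! --- Terminal server (IOS). Hostname assumed to be ts1. ---
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret-placeholder>
aaa authentication login default group tacacs+ local
! Ask the AAA server, per user, whether a reverse Telnet session to the
! requested async line (TCP 2000 + line number) is permitted.
aaa authorization reverse-access default group tacacs+
line 1 16
 transport input telnet

# --- TACACS+ server profile (tac_plus-style syntax) ---
# Each raccess entry names one line as <router-hostname>/<tty>.
# A line not listed for the user's group is refused.
group = team-a {
    service = raccess {
        port#1 = ts1/tty1
        port#2 = ts1/tty2
        port#3 = ts1/tty3
        port#4 = ts1/tty4
        port#5 = ts1/tty5
        port#6 = ts1/tty6
        port#7 = ts1/tty7
        port#8 = ts1/tty8
    }
}
group = team-b {
    service = raccess {
        port#1 = ts1/tty9
        port#2 = ts1/tty10
        port#3 = ts1/tty11
        port#4 = ts1/tty12
        port#5 = ts1/tty13
        port#6 = ts1/tty14
        port#7 = ts1/tty15
        port#8 = ts1/tty16
    }
}
# Hypothetical users; group membership alone decides which lines open.
user = alice {
    member = team-a
    login = des <crypt-hash-placeholder>
}
user = bob {
    member = team-b
    login = des <crypt-hash-placeholder>
}
```

Before relying on it, log in as a member of each group and confirm that a connection to a line outside that group's range is rejected, and check that the `local` fallback account cannot be used to bypass the restriction when the server is reachable.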

Hi Leo,

You're a star - thanks for your help. I'll give it a go next week and let you know how I get on.

Best Wishes & Thanks once again.

Regards

Steve