TACACS: restrict telnet login to defined NAS

sthon
Level 1

Hi,

I am using the TACACS freeware: tac_plus version 2.1.

I am searching for a config where I can restrict, for some users, telnet access to only defined routers.

I remember some config like "NAS-IPAddress = 1.1.1.1", but I'm not really sure.

The user profile looks like:

user = sthon_guest {
    default service = permit
    login = cleartext guest
    service = exec {
        priv-lvl = 1
    }
}

regards

sascha

2 Replies

4brown
Level 1

Are you speaking of dialup users? If so, just put an acl in the NAS and deny telnet to the devices. An example of using acls for dialup is here:

http://www.cisco.com/warp/public/480/tacacs_ACL1.html

If you are not dialing into a NAS, and you want to explicitly deny telnet access to all devices, you could add:

cmd = telnet {
    deny .*
}

If you want to deny specific hosts, then use regular expressions or specific matches:

cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}

Permits everything but 192.168.10.x

There should be numerous samples in the Freeware Readme.

Make sure you have aaa authorization enforced or this will not work. Good examples are in:

http://www.cisco.com/warp/public/480/tacplus.shtml

Hope this helps.

Robert

Hi Robert,

You did not understand right. Your configuration:

cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}

allows telnet only to the specified addresses after router login, from this router.

An example of my request:

I configure a user test.

This user should only be able to telnet from a network server to the routers:

1.1.1.1

1.1.1.2

1.1.1.3

If he tries to access 1.1.1.4, the TACACS server should deny this access.

So I have to configure the addresses 1.1.1.1, 1.1.1.2, 1.1.1.3 as allowed routers in the TACACS user profile.

regards

sascha
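A tac_plus configuration for the requirement described in the post above, added here as an example (it is not from either poster). It assumes the `acl` block of the Shrubbery tac_plus daemon (F4.0.4 and later), which matches regular expressions against the address of the NAS that sent the request; whether the 2.1 freeware has this construct is not confirmed on this page, and the user name, key and password are placeholders.

```conf
# Added example, not from the posts above: user "test" may log in only
# when the authentication request comes from one of three routers.
# Assumes the Shrubbery tac_plus "acl" construct (NAS-address regexes).
key = "PLACEHOLDER-shared-secret"

# The regexes are matched against the NAS address as a string, so anchor
# them: an unanchored 1\.1\.1\.1 would also match 1.1.1.10 or 11.1.1.1.
# Entries are evaluated in order; the first match decides.
acl = core_routers {
    permit = ^1\.1\.1\.1$
    permit = ^1\.1\.1\.2$
    permit = ^1\.1\.1\.3$
    deny   = .*              # any other NAS (e.g. 1.1.1.4) is refused
}

user = test {
    login = des "PLACEHOLDER-crypt3-hash"   # crypt(3) hash, not cleartext
    acl = core_routers                      # bind the NAS restriction
    service = exec {
        priv-lvl = 1
    }
}
```

The acl decides whether the daemon accepts the login at all, based on which NAS sent the request; it is separate from the `cmd = telnet` command authorization in the first reply, which controls where the user may telnet once logged in.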