11-01-2002 03:06 AM - edited 02-21-2020 12:09 PM
Hi,
I am using the TACACS+ freeware tac_plus version 2.1.
I am looking for a config where I can restrict, for some users, Telnet access to only certain defined routers.
I remember some config like "NAS-IPAdress = 1.1.1.1", but I am not really sure.
The user profile looks like this:
    user = sthon_guest {
        default service = permit
        login = cleartext guest
        service = exec {
            priv-lvl = 1
        }
    }
Regards,
Sascha
11-01-2002 06:01 AM
Are you speaking of dialup users? If so, just put an ACL in the NAS and deny telnet to the devices. An example of using ACLs for dialup is here:
http://www.cisco.com/warp/public/480/tacacs_ACL1.html
If you are not dialing into a NAS, and you want to explicitly deny telnet access to all devices, you could add:
    cmd = telnet {
        deny .*
    }
If you want to deny specific hosts, then use regular expressions or specific matches:
    cmd = telnet {
        deny 192\.168\.10\.[0-9]+
        permit .*
    }
Permits everything but 192.168.10.x
There should be numerous samples in the Freeware Readme.
Make sure you have aaa authorization enforced or this will not work. Good examples are in:
http://www.cisco.com/warp/public/480/tacplus.shtml
Hope this helps.
Robert
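To make the matching behaviour of a cmd = telnet clause like the one above concrete, here is an added Python model of how such a clause is evaluated. It is not code from the thread or from tac_plus itself, and it assumes (an assumption about tac_plus, not verified against its source) that rules are tried top to bottom, the first match wins, each regex is searched unanchored against the command's argument string, and arguments that match no rule are denied. The sample clauses, including the constructed UNANCHORED_CLAUSE and ANCHORED_CLAUSE, are made up for this illustration and are not from the original post.

```python
import re
from dataclasses import dataclass

# Constructed sample clauses for the illustration (not from anyone's live config).
# This one mirrors the "deny 192.168.10.x, permit everything else" clause above.
EXAMPLE_CLAUSE = r"""
cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}
"""

# Hypothetical allow-list written without anchors: note the missing ^ and $.
UNANCHORED_CLAUSE = r"""
cmd = telnet {
    permit 1\.1\.1\.1
    deny .*
}
"""

# The same allow-list with anchored patterns, so only exact hosts match.
ANCHORED_CLAUSE = r"""
cmd = telnet {
    permit ^1\.1\.1\.1$
    permit ^1\.1\.1\.2$
    permit ^1\.1\.1\.3$
    deny .*
}
"""


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    pattern: re.Pattern  # compiled regex taken from the clause line


def parse_cmd_clause(text):
    """Parse one 'cmd = <name> { ... }' clause into (command_name, [Rule, ...])."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"cmd\s*=\s*(\S+)\s*\{$", lines[0])
    if not m:
        raise ValueError("expected a line of the form 'cmd = <name> {'")
    rules = []
    for ln in lines[1:]:
        if ln == "}":
            break
        action, _, pattern = ln.partition(" ")
        if action not in ("permit", "deny") or not pattern.strip():
            raise ValueError(f"bad rule line: {ln!r}")
        rules.append(Rule(action, re.compile(pattern.strip())))
    return m.group(1), rules


def authorize(rules, args):
    """Decide one command's argument string.

    Returns (decision, index_of_matching_rule). Modelled semantics (assumed):
    rules are tried in order, the first regex found anywhere in the argument
    string wins, and an argument string matching no rule is denied.
    """
    for i, rule in enumerate(rules):
        if rule.pattern.search(args):   # unanchored search
            return rule.action, i
    return "deny", None                  # implicit deny when nothing matched


if __name__ == "__main__":
    for label, clause in (("deny-then-permit clause", EXAMPLE_CLAUSE),
                          ("unanchored allow-list", UNANCHORED_CLAUSE),
                          ("anchored allow-list", ANCHORED_CLAUSE)):
        name, rules = parse_cmd_clause(clause)
        print(f"== {label} ({name})")
        for args in ("192.168.10.5", "10.1.1.1", "1.1.1.1", "11.1.1.1", "1.1.1.4"):
            decision, idx = authorize(rules, args)
            print(f"  {name} {args:<14} -> {decision} (rule {idx})")
```

The unanchored case is the caveat worth checking before relying on a permit line: permit 1\.1\.1\.1 also matches 11.1.1.1 and 1.1.1.10, so anchor the pattern with ^ and $ when the intent is one exact host. Rule order matters for the same reason: with permit .* placed first, a later deny line is never reached.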
11-01-2002 07:53 AM
Hi Robert,
You did not understand correctly. Your configuration:
    cmd = telnet {
        deny 192\.168\.10\.[0-9]+
        permit .*
    }
only allows Telnet to the specified address from this router, after logging in to the router.
An example of my request:
I configure a user "test".
This user should only be able to telnet from a network server to the routers:
1.1.1.1
1.1.1.2
1.1.1.3
If he tries to access 1.1.1.4, the TACACS server should deny this access.
So I have to configure the addresses 1.1.1.1, 1.1.1.2 and 1.1.1.3 as allowed routers in the TACACS user profile.
Regards,
Sascha