ACS 4.1 Enable VPN on IOS Router but disable Telnet/SSH for same user

Unanswered Question
Dec 23rd, 2008

Hi, sorry for this subject as there are many similar threads but not identical. Having a little trouble getting this to work even after searching all the related threads exhaustively.

I have an IOS router for VPN client access. Authentication and group authorisation for users are done on ACS. This works well, but has the consequence that users are able to log in to the router with telnet/ssh. I know I could create ACLs so that only certain mgmt IP addresses may connect, but would prefer to control telnet/ssh access through ACS.

ACS 4.1 is used for VPN and Telnet/SSH access.

How do I configure the NAR in order to give users VPN access to router while disallowing telnet/SSH?


Jagdeep Gambhir Tue, 12/23/2008 - 12:15

Use only IP-based NAR. That controls only IP-based connections such as SSH and telnet. It won't impact the VPN connection.



Do rate helpful posts

jamesgef Sat, 12/27/2008 - 21:42


Thanks for the reply, but it still doesn't work.

I have two groups: admin (no restrictions) & vpnusers

In my vpnusers group, I created an IP-based NAR to restrict (r1841 * *) all to my router.

SSH/Telnet access is effectively denied for users in the vpnusers group, but I can't connect to that same router with the VPN client as the same user.

Thanks again for your help!

