Cisco 2901 terminal server and restricting access

cciesec2011 · ‎04-20-2011

I have a Cisco 2901 Terminal server with AAA authentication via ACS server. I create two
accounts on the acs server, cciesec2011 and vendor. Both accounts can log into the Cisco
2901 Terminal Server without any issues. By the way, I am NOT using AAA authorization on
the Cisco Terminal Server. Once cciesec2011 or vendor accounts are authenticated, these
accounts can access all the async line on the Cisco Terminal Server.

Now I have a new requirements. I would like to allow cciesec2011, once this account is
successfully authenticated, this account has access to ALL async line on the Terminal
Server. The "vendor" account, I want to restrict this account access only to async
line 35 (there are 32 async lines available on the Cisco Terminal Server) and nothing
else.

How can I accomplish without using AAA authorization on the Cisco Terminal Server?
Is it possible to use "privlege level" to accomplish this? if so, how?

Thanks in advance.

andrew.prince · ‎04-21-2011

write a "menu" that is delivered based on username.

HTH>

david.tran · ‎04-21-2011

How do you do that when the username is on the ACS server? From the example below, the username is "local":

http://routerric.blogspot.com/2008/10/cisco-menu.html

andrew.prince · ‎04-22-2011

I am no ACS exeprt - but I do know how to use google - search on "cisco acs auto menu command"

cciesec2011 · ‎04-22-2011

Ofcourse, it can be done with ACS for autocommand but AAA authorization is required. In my original post, I was trying to avoid it. How can it be done with the username on the ACS but AAA authorization is local on the cisco terminal server?

andrew.prince · ‎04-22-2011

Well AFAIK the router has to refer to the authorization for exec to the ACS for it to work.

Your other option is just create a local user on the TS and refer the menu to the local db.

HTH>