
ACS - allow only telnet access

amisu
Level 1

Hi Experts,

Is there a way to allow a user / group in the ACS to access comm equipment with telnet only (not allowed to use ssh or http)?

Many thanks

3 Replies

But it's not answering the question of how to allow only telnet access.

jasjsingh
Level 1

There is no way that ACS can differentiate between a telnet and an ssh session. It can differentiate an http session from a telnet session, but if you block http, telnet will be blocked automatically. The workaround is to put restrictions on the IOS devices.

If you want users not to ssh to the IOS devices, then disable ssh on the vty of the device (use the command "transport input telnet" on the vty, and this will enable only telnet on the vty).

For http authentication there are 2 ways:

1) Point the http authentication to the local database of the device and do not configure a local username and password for any of the users except those you want to allow.

2) For the second method you need to configure the "aaa authorization exec default group tacacs local" command on the device, and in the ACS group check shell (exec) and under privilege level assign privilege 2. Now users will not be able to http to the device but can telnet.

Hope this helps.

Regards,

Jasjeet
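
An added example, not part of the original reply or any Cisco tooling: a small Python check that reads a saved running-config and reports whether each vty range is limited to "transport input telnet", and which http authentication and exec authorization methods are set. The sample config and the function name audit_config are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
ip http server
ip http authentication local
line con 0
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet ssh
"""

def audit_config(text):
    """Report the device-side settings described in the reply above."""
    vty = {}          # vty range such as "0 4" -> list of inbound transports
    current = None    # vty range whose sub-commands are being read
    http_auth = exec_authz = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):       # a top-level line ends any line block
            current = None
            m = re.match(r"line vty (\d+(?: \d+)?)$", line)
            if m:
                current = m.group(1)
                vty[current] = None        # None = no explicit transport input
            elif line.startswith("ip http authentication "):
                http_auth = line.split()[3:]
            elif line.startswith("aaa authorization exec "):
                exec_authz = line.split()[3:]
        elif current is not None:
            m = re.match(r"\s+transport input (.+)$", line)
            if m:
                vty[current] = m.group(1).split()
    # A range counts as telnet-only only when telnet is the sole listed transport.
    telnet_only = {rng: t == ["telnet"] for rng, t in vty.items()}
    return {"vty_telnet_only": telnet_only, "http_auth": http_auth, "exec_authz": exec_authz}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

A vty range with no explicit "transport input" line is reported as not telnet-only, because the effective default depends on the IOS release and should be checked on the device.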
