Cisco Support Community

Limit AAA authentication for certain users by source IP

Hi,

we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.

What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.

I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.

I want to ignore all authentication attempts, unless they are coming from well known source IPs.

Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Only attempts from 10.20.30.40 should be considered for user netmon.

I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.

Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions

Limit AAA authentication for certain users by source IP

You can use a compound condition such that you include the TACACS+ attribute "Remote-Address" and AND that condition with the username. You can set the condition in the service selection rules so authentication doesn't occur and the request is discarded.

Then you can set the service that you want to map this user request to.

thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
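The accepted answer describes a rule that is evaluated before authentication: if the username is a restricted automation account and the TACACS+ Remote-Address is not one of its known hosts, the request is discarded and never reaches the identity store, so it cannot count towards the account lockout. ACS 5.x configures this in the GUI, so the following is an added simulation of that decision logic, written for this page and not ACS code or the poster's configuration. It parses the user and rem_addr fields from a (constructed, unencrypted) TACACS+ authentication START packet as defined in RFC 8907, applies a hypothetical allow-list keyed on username, and counts failed attempts only when authentication actually runs. The account name, password, IP addresses and the five-failure lockout threshold are assumptions taken from the question; the packets are built inline.

```python
"""Simulation of a pre-authentication 'drop unless username AND Remote-Address match'
rule, as described in the accepted answer. Hypothetical model, not ACS code."""
import struct
import ipaddress
from dataclasses import dataclass, field

TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body not obfuscated with the shared secret


@dataclass
class AuthenStart:
    user: str
    port: str
    rem_addr: str  # what the NAS reports as the client's source (the VTY peer address)


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int = 0x1234) -> bytes:
    """Construct an unencrypted RFC 8907 authentication START packet (sample input only)."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1), then lengths
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    # version 0xC0 = major 12, minor 0; seq_no 1 for the START packet
    hdr = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return hdr + body


def parse_authen_start(pkt: bytes) -> AuthenStart:
    """Extract user, port and rem_addr from an unencrypted authentication START packet.
    Body obfuscation with the shared secret is out of scope for this example."""
    _version, ptype, seq_no, flags, _session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated; this example handles plaintext only")
    body = pkt[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    _action, _priv, _atype, _svc, ulen, plen, rlen, _dlen = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    rem_addr = body[off:off + rlen].decode()
    return AuthenStart(user, port, rem_addr)


# Assumed allow-list: restricted automation account -> hosts it may authenticate from.
RESTRICTED_ACCOUNTS = {"netmon": [ipaddress.ip_network("10.20.30.40/32")]}


def service_selection(req: AuthenStart) -> str:
    """Model of the service selection rule: 'drop' for a restricted username whose
    Remote-Address is not on its list, otherwise the name of the service to use.
    The drop rule must be evaluated before the catch-all rule."""
    nets = RESTRICTED_ACCOUNTS.get(req.user)
    if nets is not None:
        try:
            src = ipaddress.ip_address(req.rem_addr)
        except ValueError:
            return "drop"  # console/non-IP rem_addr is never a known host for an automation account
        if not any(src in n for n in nets):
            return "drop"
    return "Default Device Admin"  # assumed service name


@dataclass
class AcsSim:
    """Minimal identity store with an N-failures lockout, optionally guarded by the rule above."""
    passwords: dict
    filter_by_source: bool = True
    max_failures: int = 5
    failures: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def handle(self, pkt: bytes, password: str) -> str:
        req = parse_authen_start(pkt)
        if self.filter_by_source and service_selection(req) == "drop":
            return "DROPPED"  # discarded before authentication: no failure is recorded
        if req.user in self.disabled:
            return "DISABLED"
        if self.passwords.get(req.user) == password:
            self.failures[req.user] = 0
            return "PASS"
        self.failures[req.user] = self.failures.get(req.user, 0) + 1
        if self.failures[req.user] >= self.max_failures:
            self.disabled.add(req.user)
        return "FAIL"


def lockout_demo(filter_by_source: bool) -> dict:
    """Five bad-password attempts from a laptop, then a good login from the real server."""
    acs = AcsSim(passwords={"netmon": "s3cret"}, filter_by_source=filter_by_source)
    laptop = build_authen_start("netmon", "tty2", "192.0.2.7")      # constructed attacker source
    server = build_authen_start("netmon", "tty3", "10.20.30.40")    # the tool's known host
    attempts = [acs.handle(laptop, "wrong") for _ in range(5)]
    return {"attempts": attempts, "server_login": acs.handle(server, "s3cret")}


if __name__ == "__main__":
    print("with rule:   ", lockout_demo(True))
    print("without rule:", lockout_demo(False))
```

Two caveats worth keeping in mind when building the real rule in ACS: the Remote-Address is whatever the network device puts in the rem_addr field (for a VTY session that is the SSH or Telnet client address, for a console session it is not an IP at all), so the allow-list only protects accounts whose sources are genuinely fixed; and the drop rule has to sit above the default catch-all in the service selection policy, otherwise the catch-all matches first and the request is authenticated anyway.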
4 REPLIES

Limit AAA authentication for certain users by source IP

Tarik: you always have very good answers. +5 my friend.

Rating useful replies is more useful than saying "Thank you"

Limit AAA authentication for certain users by source IP

Thanks, I guess this is what I was looking for, although for now our service selection rules are just the basic set.

Limit AAA authentication for certain users by source IP

Well, when I started with ACS 5.x I found later it is better to keep all things rule based (even if the rules are simple). That will make it easier to add more roles in the future than moving from a single selection policy to a rule based policy.

BTW, please don't forget to mark Tarik's answer as correct so others can make better use of this thread in the future.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"