Cisco Support Community
New Member

Limit tacacs access

Hi,

Is it possible to limit access for a specific TACACS+ username? For example, I need privilege 15 for the username xyz from 10.1.1.1 to the AAA client 192.168.1.1, but for the rest of the AAA clients all IP connections should be blocked.

I tried DACLs and per-user NAR but it didn't work. Any suggestions are really appreciated.

cheers

Srinie

1 ACCEPTED SOLUTION
Silver

Limit tacacs access

Srini,

Thanks for the clarification. Unfortunately the ACS will not be able to prevent the user from getting to the Username/Password prompt on any other IOS device.

The most common solution to stop a device presenting username/password prompts for SSH and Telnet sessions is an extended ACL defined in global configuration mode, applied to the "line vty 0 15" configuration.

It should be something like:

access-list 100 deny ip host 192.168.250.21 any
access-list 100 permit ip any any
!
line vty 0 4
 access-class 100 in
line vty 5 15
 access-class 100 in

However, the above configuration is based on IP address and not "username". This configuration would work if we know the IP address the username might be connecting from, but if the source IP address is uncertain then it might not apply.

Regards.
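Added example, not code from the thread or from Cisco: a small Python model of how an IOS "access-class ... in" ACL on the vty lines decides whether a source address gets a login prompt at all, plus a per-device ACL plan for the original question (the service account's host 10.1.1.1 may reach only 192.168.1.1, every other router refuses it before the prompt, and other admins keep access). It parses only the extended-ACL forms used above (host / any / address-with-wildcard as source); the extra device addresses 192.168.1.2 and 192.168.1.3 and the admin source 10.20.30.40 are constructed for the example.

```python
"""
Model of IOS vty access-class evaluation, for checking per-device ACLs
before pushing them to routers. Added example; not from the thread.
"""
import ipaddress


def parse_acl(lines):
    """Parse numbered IOS ACL lines into (action, source_network) tuples.

    Only the source matters for a vty access-class, so destination fields
    are ignored. Accepted forms (extended or standard ACL):
      access-list 100 permit ip host 10.1.1.1 any
      access-list 100 deny   ip 10.1.0.0 0.0.255.255 any
      access-list 100 permit ip any any
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        src = tok[4:] if tok[3] == "ip" else tok[3:]  # drop protocol keyword of extended ACLs
        if src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        elif len(src) >= 2 and src[1] not in ("any", "host") and "." in src[1]:
            # address followed by a wildcard mask; ipaddress accepts hostmask notation
            net = ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False)
        else:
            net = ipaddress.ip_network(src[0] + "/32")
        entries.append((tok[2], net))
    return entries


def vty_decision(acl_lines, source_ip):
    """First matching entry wins; no match hits the implicit deny that ends every IOS ACL."""
    ip = ipaddress.ip_address(source_ip)
    for action, net in parse_acl(acl_lines):
        if ip in net:
            return action
    return "deny"


def vty_acl_plan(devices, allowed_device, service_host, acl_number=100):
    """Per-device ACL lines for the thread's requirement: `service_host` may
    reach only `allowed_device`; every other device rejects it before the
    login prompt, while all other sources keep their vty access."""
    plan = {}
    for dev in devices:
        if dev == allowed_device:
            plan[dev] = [f"access-list {acl_number} permit ip any any"]  # unrestricted on this one
        else:
            plan[dev] = [
                f"access-list {acl_number} deny ip host {service_host} any",
                # Keep admins in: without this line the implicit deny locks every source out.
                f"access-list {acl_number} permit ip any any",
            ]
    return plan


def render_config(acl_lines, acl_number=100):
    """Emit the IOS snippet: ACL entries plus access-class on all vty lines."""
    return "\n".join(acl_lines + ["line vty 0 15", f" access-class {acl_number} in"])


if __name__ == "__main__":
    devices = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]  # .2 and .3 are constructed
    plan = vty_acl_plan(devices, "192.168.1.1", "10.1.1.1")
    for dev, acl in plan.items():
        print(f"! {dev}\n{render_config(acl)}")
        for src in ("10.1.1.1", "10.20.30.40"):  # service host, constructed admin host
            print(f"  {src} -> {dev}: {vty_decision(acl, src)}")
        print()
    # The caveat: the deny entry alone, without the trailing permit, locks
    # every other source out of the vty because of the implicit deny.
    locked = ["access-list 100 deny ip host 10.1.1.1 any"]
    print("admin with no explicit permit:", vty_decision(locked, "10.20.30.40"))
```

The check models only the vty access-class step, which runs on the source address before any AAA exchange; it says nothing about what ACS returns once a prompt is shown, which is the part the NAR controls.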

6 REPLIES
New Member

Limit tacacs access

By the way we use cisco ACS appliance version 4.2

cheers

Silver

Limit tacacs access

Srinie,

Can you please configure the User Level NAR as follows:

As you can see I am defining the Permitted NAR on both IP-Based and CLI/DNIS Based. It is working for me right now. I can access the AAA client called "Switch" but I cannot access any other device.

Hope this helps and will be waiting for your response.

Regards.

Silver

Limit tacacs access

Srini,

I have also noticed an interesting detail. If you want to filter TACACS+ access, how did you test the IP-Based NAR?

If you were performing the "test aaa group tacacs legacy" then the user will be successfully authenticated by the ACS as the "test" command does not include an IP Address on the request. This will cause the ACS to ignore the IP-Based NAR configuration.

If you want to test the IP-Based NAR you might need to Telnet/SSH to the allowed AAA client and then Telnet/SSH to another that should be restricted.

Regards.

New Member

Limit tacacs access

g'day Carlos, thanks for the reply mate.

This TACACS+ username is not for a user; it is a generic username that is used by the WAAS Express to communicate with the WAAS Central Manager. I have attached the screenshot in which 10.97.80.30 is the Central Manager. It works fine, but when I try to telnet/SSH to other routers with this username I get a login prompt but can't log in. The issue here is I just don't want to even get this login prompt.


New Member

Limit tacacs access

yeah thought so mate. Thanks for your clarification.

cheers
