11-01-2002 03:06 AM - edited 02-21-2020 12:09 PM
Hi,
I am using the TACAS freeware: tac_plus version 2.1.
I am searching for a config where I can restrict, for some users, telnet access to only defined routers.
I remember some config like "NAS-IPAdress = 1.1.1.1", but I am not really sure.
The user profile looks like:
user = sthon_guest {
    default service = permit
    login = cleartext guest
    service = exec {
        priv-lvl = 1
    }
}
regards
sascha
11-01-2002 06:01 AM
Are you speaking of dialup users? If so, just put an acl in the NAS and deny telnet to the devices. An example of using acls for dialup is here:
http://www.cisco.com/warp/public/480/tacacs_ACL1.html
If you are not dialing into a NAS, and you want to explicitly deny telnet access to all devices, you could add:
cmd = telnet {
    deny .*
}
If you want to deny specific hosts, then use regular expressions or specific matches:
cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}
Permits everything but 192.168.10.x
There should be numerous samples in the Freeware Readme.
Make sure you have aaa authorization enforced or this will not work. Good examples are in:
http://www.cisco.com/warp/public/480/tacplus.shtml
Hope this helps.
Robert
11-01-2002 07:53 AM
Hi Robert,
You did not understand right. Your configuration:
cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}
allows telnet only to the specified addresses from this router, after logging in to the router.
An example of my request:
I configure a user "test".
This user should only be able to telnet from a network server to the routers:
1.1.1.1
1.1.1.2
1.1.1.3
If he tries to access 1.1.1.4, the TACACS server should deny the access.
So I have to configure the addresses 1.1.1.1, 1.1.1.2, 1.1.1.3 as allowed routers in the TACACS user profile.
regards
sascha
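The per-router restriction sascha asks for, as an added example that is not from this thread: the tac_plus freeware (F4.0.x users guide, not necessarily the 2.1 build mentioned above) can attach an acl to a user, which the daemon matches against the IP address of the NAS that sent the request, so the user can only authenticate from the listed routers. The acl name, the user "test" and the addresses are constructed from the thread; check the users_guide of your build for the acl directive.

```conf
# Added example, not from the thread. Assumes the acl directive of the
# tac_plus freeware F4.0.x; the acl is matched against the NAS (router)
# IP address, i.e. the device the user is logging in to, not against the
# arguments of a telnet command typed after login (that is what the
# "cmd = telnet" section Robert showed controls).
acl = mgmt_routers {
    # first match wins; anchor with ^ and $ so 1.1.1.1 does not also
    # match 1.1.1.10 or 1.1.1.111
    permit = ^1\.1\.1\.1$
    permit = ^1\.1\.1\.2$
    permit = ^1\.1\.1\.3$
    # explicit final deny, so 1.1.1.4 (or any other NAS) is rejected
    deny = .*
}

user = test {
    login = cleartext test
    acl = mgmt_routers
    service = exec {
        priv-lvl = 1
    }
}
```

The routers must authenticate their vty logins against this tac_plus server (aaa authentication login), because the acl is evaluated at authentication time: a login from a router outside the list fails before the user ever gets a prompt.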