New Member

TACACS: restrict telnet login to defined NAS

Hi,

I am using the TACACS freeware: tac_plus version 2.1.

I am searching for a config where I can restrict, for some users, telnet access to only defined routers.

I remember some config like "NAS-IPAdress = 1.1.1.1", but I am not really sure.

The user profile looks like:

user = sthon_guest {
    default service = permit
    login = cleartext guest
    service = exec {
        priv-lvl = 1
    }
}

regards

sascha

2 REPLIES
New Member

Re: TACACS: restrict telnet login to defined NAS

Are you speaking of dialup users? If so, just put an acl in the NAS and deny telnet to the devices. An example of using acls for dialup is here:

http://www.cisco.com/warp/public/480/tacacs_ACL1.html

If you are not dialing into a NAS and you want to explicitly deny telnet access to all devices, you could add:

cmd = telnet {
    deny .*
}

If you want to deny specific hosts, then use regular expressions or specific matches:

cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}

This permits everything but 192.168.10.x.

There should be numerous samples in the Freeware Readme.

Make sure you have AAA authorization enforced, or this will not work. Good examples are in:

http://www.cisco.com/warp/public/480/tacplus.shtml

Hope this helps.

Robert
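To make the semantics of Robert's cmd blocks concrete, here is an added example (not code from the thread or from the tac_plus project) that models tac_plus-style command authorization in Python: a user profile holds ordered deny/permit lines per command, the first line whose regular expression matches the command's arguments decides, and a command with no cmd block falls back to "default service = permit". Two details are assumptions of the model rather than facts taken from the thread: that a cmd block with no matching line denies the command, and that the server searches the expression anywhere in the argument string (unanchored), which is why the last case shows what a permit line like 10\.0\.0\.1 does without ^ and $. Note that this is command authorization, i.e. it governs what a user may run on a router after logging in to it, not which router accepts the login, which is the distinction sascha draws in the next reply.

```python
import re
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """Model of a tac_plus user stanza (constructed for this example)."""
    name: str
    default_permit: bool                       # 'default service = permit'
    # command name -> ordered list of (action, regex) lines as written in the cmd block
    cmds: dict = field(default_factory=dict)


def authorize(profile: UserProfile, command: str, args: list) -> str:
    """Return 'permit' or 'deny' for COMMAND with ARGS under PROFILE.

    Lines are evaluated in file order and the first match wins.  The regex is
    searched anywhere in the argument string (assumed unanchored matching);
    a cmd block with no matching line denies (assumed implicit deny).
    """
    policy = profile.cmds.get(command)
    if policy is None:
        # No cmd block for this command: 'default service' decides.
        return "permit" if profile.default_permit else "deny"
    argstr = " ".join(args)
    for action, pattern in policy:
        if re.search(pattern, argstr) is not None:
            return action
    return "deny"


# Robert's first block: cmd = telnet { deny .* }
DENY_ALL = UserProfile("guest", True, {"telnet": [("deny", r".*")]})

# Robert's second block: deny 192.168.10.x, then permit everything else.
SUBNET = UserProfile("guest", True, {
    "telnet": [("deny", r"192\.168\.10\.[0-9]+"), ("permit", r".*")],
})

# Allow-list style profile WITHOUT anchors (constructed): intended to allow
# only 10.0.0.1, but the unanchored search also matches 10.0.0.10, 10.0.0.100, ...
UNANCHORED = UserProfile("ops", False, {"telnet": [("permit", r"10\.0\.0\.1")]})

# Same intent with ^ and $: matches exactly one host.
ANCHORED = UserProfile("ops", False, {"telnet": [("permit", r"^10\.0\.0\.1$")]})


def demo() -> dict:
    """Collect the decisions so they can be inspected or tested."""
    return {
        "deny_all": authorize(DENY_ALL, "telnet", ["10.1.1.1"]),
        "subnet_blocked": authorize(SUBNET, "telnet", ["192.168.10.5"]),
        "subnet_other": authorize(SUBNET, "telnet", ["10.1.1.1"]),
        "no_cmd_block": authorize(SUBNET, "show", ["version"]),
        "unanchored_overmatch": authorize(UNANCHORED, "telnet", ["10.0.0.10"]),
        "anchored_exact": authorize(ANCHORED, "telnet", ["10.0.0.1"]),
        "anchored_other": authorize(ANCHORED, "telnet", ["10.0.0.10"]),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} -> {decision}")
```

The practical takeaway for anyone writing permit lines: anchor host patterns with ^ and $ (or match the full argument string) so that an allow-list for one address does not quietly cover every address that contains it as a prefix.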

New Member

Re: TACACS: restrict telnet login to defined NAS

Hi Robert,

You did not understand right. Your configuration:

cmd = telnet {
    deny 192\.168\.10\.[0-9]+
    permit .*
}

only allows telnet to the specified addresses from this router, after logging in to the router.

An example of my request:

I configure a user, test.

This user should only telnet from a network server to the routers:

1.1.1.1
1.1.1.2
1.1.1.3

If he tries to access 1.1.1.4, the TACACS server should deny this access.

So I have to configure the addresses 1.1.1.1, 1.1.1.2 and 1.1.1.3 as allowed routers in the TACACS user profile.

regards

sascha
