New Member

How to prevent/allow admin access from certain ip address.

Hello

trying to setup the following scenario:

have a user BOB created in Cisco ACS 4.2

have several network devices with different management IP addresses  all added in Cisco ACS 4.2

want to be able to allow BOB to access network devices only if BOB's access request is coming from one ip address 1.1.1.1

If BOB is trying to access network devices from any other ip addresses, the request should be denied regardless of the fact that BOB has full access to all network devices.

Is there a way to accomplish this using Cisco ACS 4.2?

Appreciate your input.

Regards,

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

How to prevent/allow admin access from certain ip address.

I'm not sure how or if you can do this using ACS. You MIGHT be able to use the Network Access Restriction feature although I've never tried it. Reference.

It would be easy to just put an access-list on the devices' vty lines though restricting access to 1.1.1.1. (although that would affect all users.)
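The vty access-list the accepted answer refers to, written out as an added example (it is not from the original post or from Cisco documentation). It assumes a Cisco IOS device; 1.1.1.1 is the management host named in the question, while the ACL number 10 and the vty range 0 15 are assumptions. The `log` keyword on the deny entry records rejected connection attempts, which is the check you would want when verifying that the restriction is in force.

```cisco
! Added example, not from the original thread.
! Assumes Cisco IOS; ACL number 10 and vty range 0 15 are assumptions,
! 1.1.1.1 is the permitted management host from the question.
access-list 10 remark management access only from the admin host
access-list 10 permit host 1.1.1.1
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh
```

As the answer notes, this applies to every user logging in through the vty lines, not only BOB. `show access-lists 10` shows the per-entry match counters, and the logged denies appear in the device syslog, so a login attempt from any other source should show up as a deny hit rather than a successful session.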

3 REPLIES
New Member

How to prevent/allow admin access from certain ip address.

It is actually possible, thanks for your doc reference:

in ACS, set up the AAA client the user will be allowed to call from;

in ACS, set up the NAR (devices you want to allow access to);

create user in ACS

configure user access in ACS:

     allow access to required NARs

     define IP-based access restrictions

          Permitted calling / point of access locations

               enter AAA client from which user will call (* for ports and * for ip address)

Save and test

In failed attempts you should see Authentication failure code "Users access filtered" when trying to login to NAR devices with new username and from non-permitted calling client/ip address.

Thanks for your help.

Hall of Fame Super Silver

How to prevent/allow admin access from certain ip address.

Excellent. Glad it worked out for you. We both learned something.
