How to prevent/allow admin access from certain ip address.

endpoint
Level 1

Hello

I am trying to set up the following scenario:

I have a user BOB created in Cisco ACS 4.2.

I have several network devices with different management IP addresses, all added in Cisco ACS 4.2.

I want to allow BOB to access the network devices only if BOB's access request comes from one IP address, 1.1.1.1.

If BOB tries to access the network devices from any other IP address, the request should be denied, regardless of the fact that BOB has full access to all network devices.

Is there a way to accomplish this using Cisco ACS 4.2?

Appreciate your input.

Regards,

Accepted Solution

Marvin Rhoads
Hall of Fame

I'm not sure how or if you can do this using ACS. You MIGHT be able to use the Network Access Restriction feature although I've never tried it. Reference.

It would be easy to just put an access-list on the devices' vty lines restricting access to 1.1.1.1, though (although that would affect all users).
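The vty access-list alternative from the reply above, written out as an added example (this is not configuration from the thread or from Cisco's documentation). The addresses and interface name are assumptions: 1.1.1.1 is the permitted management host, 10.0.0.5 is the ACS 4.2 server reached over TACACS+, and GigabitEthernet0/0 is the device's management interface.

```cisco
! Added example, not from the thread. Assumed values:
!   1.1.1.1            the only host allowed to open a management session
!   10.0.0.5           the ACS 4.2 server (TACACS+)
!   GigabitEthernet0/0 the device's management interface
!   ExampleSharedSecret a placeholder TACACS+ key, replace before use
!
! 1. Send login authentication and exec authorization to ACS, falling back
!    to the local database only if ACS is unreachable. The per-user NAR
!    discussed in this thread is evaluated by ACS on these requests.
aaa new-model
tacacs-server host 10.0.0.5 key ExampleSharedSecret
ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! 2. Standard ACL naming the permitted management host. The implicit deny
!    is written out with "log" so refused sessions show up in syslog.
ip access-list standard MGMT-HOSTS
 permit host 1.1.1.1
 deny   any log
!
! 3. Apply the ACL inbound on the vty lines. This is a per-device filter,
!    not a per-user one: it blocks every account, not only BOB. Cover the
!    whole vty range the platform has ("show line"); a filter on vty 0 4
!    alone leaves vty 5 and above unprotected on devices that have them.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Two checks before relying on this: confirm with "show line" that every vty line is covered by the access-class, and test from 1.1.1.1 before logging out of the session you configured it from, since a typo in the ACL locks you out along with everyone else.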


3 Replies


It is actually possible, thanks for your doc reference:

In ACS, set up the AAA client the user will be allowed to call from.

In ACS, set up the NAR (the devices you want to allow access to).

Create the user in ACS.

Configure user access in ACS:

     allow access to the required NARs

     define IP-based access restrictions

          Permitted Calling/Point of Access Locations

               enter the AAA client from which the user will call (* for ports and * for IP address)

Save and test.

In Failed Attempts you should see the authentication failure code "Users access filtered" when trying to log in to the NAR devices with the new username from a non-permitted calling client/IP address.

Thanks for your help.

Excellent. Glad it worked out for you. We both learned something.
