[c-nsp] restricting source IP for management by username
Ed Ravin
eravin at panix.com
Fri May 6 16:39:33 EDT 2005
On Fri, May 06, 2005 at 04:21:53PM -0400, joshua sahala wrote:
> or you can do it in tac+ (similar to the acl, but I don't remember the
> syntax...) I think it is something like:
>
> user = ed {
>     password = something
>     service = shell {
>         acl = 1
>     }
> }
>
> where you would still have an acl on the router
That's what I was trying to do. My config in tac_plus looks more or
less like the example above, except I'm using "service = exec" since
"service = shell" didn't seem to work. Here's the results:
tty3 AAA/AUTHOR/EXEC (1583822733): Port='tty3' list='' service=EXEC
AAA/AUTHOR/EXEC: tty3 (1583822733) user='bozouser'
tty3 AAA/AUTHOR/EXEC (1583822733): send AV service=shell
tty3 AAA/AUTHOR/EXEC (1583822733): send AV cmd*
tty3 AAA/AUTHOR/EXEC (1583822733): found list "default"
tty3 AAA/AUTHOR/EXEC (1583822733): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (1583822733): user=bozouser
AAA/AUTHOR/TAC+: (1583822733): send AV service=shell
AAA/AUTHOR/TAC+: (1583822733): send AV cmd*
TAC+: (1583822733): received author response status = PASS_ADD
AAA/AUTHOR (1583822733): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Processing AV service=shell
AAA/AUTHOR/EXEC: Processing AV cmd*
AAA/AUTHOR/EXEC: Processing AV acl=33
AAA/AUTHOR/EXEC: Authorization successful
And acl 33 looks like this:
Standard IP access list 33 (Compiled)
permit 10.20.30.40
And it still doesn't matter which IP address I connect from, the user
is always allowed in.
What am I doing wrong?
> > Ed Ravin wrote:
> > > I have several users with access to a router. I want to add a new
> > > user, one who can only log into that router when he or she is connecting
> > > from a particular host. How can I set this up? I have a TACACS+ server,
> > > if that's any help, though I don't mind setting the config locally if it's
> > > simpler.
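Added example (not from the thread, and not a fix for the behaviour described above): a small Python check that pulls the attribute-value pairs out of the "Processing AV" debug lines, parses the standard ACL as shown by "show ip access-list", and says what the returned per-user ACL should do for a given source address. The debug lines and ACL are the ones quoted in the post; the parser, the function names and the "first match wins, implicit deny at the end" evaluation of a standard IOS ACL are my own, and the second sample ACL in the usage note is constructed.

```python
import ipaddress
import re

# The "Processing AV" lines reproduced from the debug output in the post above.
DEBUG_LINES = [
    "AAA/AUTHOR/EXEC: Processing AV service=shell",
    "AAA/AUTHOR/EXEC: Processing AV cmd*",
    "AAA/AUTHOR/EXEC: Processing AV acl=33",
    "AAA/AUTHOR/EXEC: Authorization successful",
]

# Access list 33 reproduced from the post, in "show ip access-list" form.
ACL_TEXT = """Standard IP access list 33 (Compiled)
    permit 10.20.30.40
"""

_AV_RE = re.compile(r"Processing AV (\S+)")


def av_pairs(lines):
    """Collect the TACACS+ attribute-value pairs IOS processed for the session.

    'attr=value' is a mandatory pair, 'attr*value' an optional one; a bare
    'cmd*' therefore ends up as {'cmd': ''}.
    """
    pairs = {}
    for line in lines:
        m = _AV_RE.search(line)
        if not m:
            continue
        token = m.group(1)
        sep = "=" if "=" in token else "*"
        if sep not in token:
            continue
        attr, value = token.split(sep, 1)
        pairs[attr] = value
    return pairs


def parse_standard_acl(text):
    """Parse 'permit|deny <addr> [wildcard]', 'host <addr>' and 'any' lines.

    Wildcard bits are inverted into a netmask; a non-contiguous wildcard
    (which ipaddress cannot express) raises ValueError.  Header lines and
    trailing '(N matches)' counters from show output are ignored.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[1] == "host":
            net = ipaddress.ip_network(parts[2])
        else:
            wc_str = parts[2] if len(parts) > 2 and parts[2][0].isdigit() else "0.0.0.0"
            wildcard = int(ipaddress.IPv4Address(wc_str))
            netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
            net = ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False)
        entries.append((parts[0], net))
    return entries


def source_allowed(entries, src):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny any'."""
    ip = ipaddress.ip_address(src)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def expected_verdict(debug_lines, acl_text, src):
    """Return (acl_number_or_None, allowed) for a login from src.

    If the TACACS+ reply carried no 'acl' attribute there is nothing for the
    router to enforce, so the session is expected to be allowed.
    """
    acl = av_pairs(debug_lines).get("acl")
    if not acl:
        return None, True
    return acl, source_allowed(parse_standard_acl(acl_text), src)


if __name__ == "__main__":
    for src in ("10.20.30.40", "192.0.2.7"):
        acl, ok = expected_verdict(DEBUG_LINES, ACL_TEXT, src)
        print(f"acl={acl} source={src} expected={'allow' if ok else 'deny'}")
```

Run against the debug output in the post, it confirms the reply did carry acl=33 and that, going by the ACL alone, only 10.20.30.40 should be let in and anything else should be refused; comparing that expected verdict with what the router actually does for a given source address is the point of the script. It also tells you when the mismatch is upstream of the router: if the "acl" pair is missing from the processed AV list, there was nothing for the router to apply.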