[nsp] permit vty ssh, no telnet for some users ?
Bruce Pinsky
bep at whack.org
Mon Apr 26 16:09:29 EDT 2004
Gert Doering wrote:
> Hi,
>
> On Mon, Apr 26, 2004 at 12:09:11PM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
>
>>the solution exists on the clients, not on infrastructure boxes, which
>>by rights ought not to have to perform this type of operation.
>
>
> There is *no way* to "perform this type of operation".
>
> You cannot limit the connection type to specific users if you only know
> the user name *after* establishing the connection.
>
Well, true, you can't deny the transport type based on user identity prior
to learning that identity over said transport. However, I think there is a
way to limit certain users to being authenticated over certain transports
using AAA server groups. Here is a sample config:
aaa new-model
!
! one TACACS+ server group per transport
aaa group server tacacs+ FOR-TELNET
 server 1.1.1.1
!
aaa group server tacacs+ FOR-SSH
 server 2.2.2.2
!
! named login method lists, each bound to exactly one server group
aaa authentication login SSH-ONLY group FOR-SSH
aaa authentication login TELNET-ONLY group FOR-TELNET
!
tacacs-server host 1.1.1.1 key FOO
tacacs-server host 2.2.2.2 key BAR
!
! each vty accepts a single transport and uses the matching method list
line vty 1
 login authentication SSH-ONLY
 transport input ssh
line vty 2
 login authentication TELNET-ONLY
 transport input telnet
In this case, you would be running two different TAC+ servers (or two
instances on different ports if you choose) where a limited set of users is
in one of those instances and a different set is in the other.
A bit of an administrative pain, but I know of many organizations that run
multiple authentication services depending on a varying number of factors
including a certain router set, etc.
--
=========
bep
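The design above only holds if every vty line accepts exactly one transport and points at the matching method list; a single line with `transport input telnet ssh`, or one left on the default list, lets a Telnet-only user arrive over a line that authenticates against the SSH server group (or vice versa). The script below is an added example, not code from the post above or from Cisco: it parses a constructed running-config fragment (embedded inline, with one deliberately broken vty stanza) and reports every vty stanza that violates that one-transport, one-method-list rule. The method-list names SSH-ONLY and TELNET-ONLY are taken from the sample config; the mapping in REQUIRED_LIST is an assumption for illustration.

```python
import re

# Constructed sample running-config fragment (not from the original post); the
# last vty stanza is deliberately misconfigured so the check has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ FOR-TELNET
 server 1.1.1.1
!
aaa group server tacacs+ FOR-SSH
 server 2.2.2.2
!
aaa authentication login SSH-ONLY group FOR-SSH
aaa authentication login TELNET-ONLY group FOR-TELNET
!
line vty 0 1
 login authentication SSH-ONLY
 transport input ssh
line vty 2
 login authentication TELNET-ONLY
 transport input telnet
line vty 3 4
 transport input telnet ssh
"""

# Assumed policy: the method list each transport must be bound to.
REQUIRED_LIST = {"ssh": "SSH-ONLY", "telnet": "TELNET-ONLY"}


def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza:
    {'first': int, 'last': int, 'transport': set, 'auth': str or None}."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" ") and not line.startswith("!"):
            # A top-level command ends the current stanza; open a new one on 'line vty'.
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = {"first": first, "last": last,
                           "transport": set(), "auth": None}
                stanzas.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("transport input"):
            words = cmd.split()[2:]
            current["transport"] = set() if words == ["none"] else set(words)
        elif cmd.startswith("login authentication"):
            current["auth"] = cmd.split()[2]
    return stanzas


def check_vty_policy(config):
    """Return a list of findings; an empty list means every vty line accepts a
    single transport and uses the method list required for it."""
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model is missing; named login lists are ignored")
    defined = set(re.findall(r"^aaa authentication login (\S+) ", config, re.M))
    for s in parse_vty_lines(config):
        rng = f"vty {s['first']}-{s['last']}"
        t = s["transport"]
        if "all" in t:
            t = {"ssh", "telnet"}  # 'all' permits both transports we care about
        if len(t & {"ssh", "telnet"}) > 1:
            findings.append(f"{rng}: accepts both ssh and telnet, so one method list covers both")
        if s["auth"] is None:
            findings.append(f"{rng}: no 'login authentication' list; the default list applies")
            continue
        if s["auth"] not in defined:
            findings.append(f"{rng}: method list {s['auth']} is not defined")
        for proto, want in REQUIRED_LIST.items():
            if proto in t and s["auth"] != want:
                findings.append(f"{rng}: {proto} uses {s['auth']}, expected {want}")
    return findings


if __name__ == "__main__":
    for f in check_vty_policy(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run it against `show running-config | section ^line vty|^aaa` output from each router; the two findings on the sample come from the `line vty 3 4` stanza, which accepts both transports and has no method list of its own.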