[nsp] permit vty ssh, no telnet for some users ?

Sam Munzani smunzani at comcast.net
Mon Apr 26 16:39:32 EDT 2004


How do you ensure your SSH session will always use VTY 2 upon logon? Your SSH
session might come in on VTY 1 and end up with a failed authentication.

Sam


> Gert Doering wrote:
>
> > Hi,
> >
> > On Mon, Apr 26, 2004 at 12:09:11PM -0700, Hudson Delbert J Contr 61
> > CS/SCBN wrote:
> >
> >>the solution exists on the clients, not on infrastructure boxes, which
> >>by rights ought not to have to perform this type of operation.
> >
> >
> > There is *no way* to "perform this type of operation".
> >
> > You cannot limit the connection type to specific users if you only know
> > the user name *after* establishing the connection.
> >
>
> Well, true, you can't deny the transport type based on user identity prior
> to learning that identity over said transport. However, I think there is a
> way to limit certain users to being authenticated over certain transports
> using AAA server groups. Here is a sample config:
>
> aaa group server tacacs+ FOR-TELNET
>   server 1.1.1.1
> !
> aaa group server tacacs+ FOR-SSH
>   server 2.2.2.2
> !
> aaa authentication login SSH-ONLY group FOR-SSH
> aaa authentication login TELNET-ONLY group FOR-TELNET
> !
> tacacs-server host 1.1.1.1 key FOO
> tacacs-server host 2.2.2.2 key BAR
> !
> line vty 1
>   login authentication SSH-ONLY
>   transport input ssh
> line vty 2
>   login authentication TELNET-ONLY
>   transport input telnet
>
> In this case, you would be running two different TAC+ servers (or two
> instances on different ports if you choose) where a limited set of users is
> in one of those instances and a different set is in the other.
>
> A bit of an administrative pain, but I know of many organizations that run
> multiple authentication services depending on a varying number of factors
> including a certain router set, etc.
>
> -- 
> =========
> bep
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
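The question above is really about which VTY an incoming SSH or telnet session can land on, and therefore which `login authentication` method list it will be checked against. The following is an added example, not code from the thread or from any of its posters: a small Python audit that parses the posted IOS snippet, records the transport and method list bound to each VTY, and reports which method lists a session of a given transport could reach. It assumes the classic IOS default of five VTY lines (0 through 4), and it treats a VTY whose `transport input` is not explicitly set as one that might accept any transport, because that default varies by platform and release, so such lines are flagged rather than assumed safe. The second config (`COVERED_CONFIG`) is a constructed variant that covers every default VTY explicitly; it is an assumed tightening, not the poster's configuration.

```python
"""Audit which AAA login method lists each VTY transport can reach.

Added example (not from the cisco-nsp thread). Assumes the classic IOS
default of five VTY lines (0-4) and treats a VTY whose transport input is
not explicitly set as one that might accept any transport, since that
default is platform-dependent; such lines are flagged, not assumed safe.
"""
import re

# Constructed sample: the two-list config posted in the thread. VTYs 0, 3
# and 4 are never mentioned in it, so they keep their defaults.
POSTED_CONFIG = """\
aaa group server tacacs+ FOR-TELNET
  server 1.1.1.1
!
aaa group server tacacs+ FOR-SSH
  server 2.2.2.2
!
aaa authentication login SSH-ONLY group FOR-SSH
aaa authentication login TELNET-ONLY group FOR-TELNET
!
line vty 1
  login authentication SSH-ONLY
  transport input ssh
line vty 2
  login authentication TELNET-ONLY
  transport input telnet
"""

# Constructed variant that binds every default VTY to exactly one transport
# and one method list (assumed tightening, not the poster's config).
COVERED_CONFIG = """\
line vty 0 2
  login authentication SSH-ONLY
  transport input ssh
line vty 3 4
  login authentication TELNET-ONLY
  transport input telnet
"""

LINE_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_lines(config_text, vty_range=range(0, 5)):
    """Return {vty: {"transport": set|None, "auth": str|None}} for every VTY
    in vty_range, filled in from 'line vty A [B]' blocks. None means the
    command was never set on that line, so the platform default applies."""
    state = {n: {"transport": None, "auth": None} for n in vty_range}
    current = []  # VTY numbers covered by the block currently being read
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # indented: sub-command of the open block
            words = raw.split()
            for n in current:
                if words[:2] == ["transport", "input"]:
                    protos = set(words[2:])
                    state[n]["transport"] = set() if protos == {"none"} else protos
                elif words[:2] == ["login", "authentication"] and len(words) == 3:
                    state[n]["auth"] = words[2]
            continue
        m = LINE_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = [n for n in range(first, last + 1) if n in state]
        else:
            current = []  # any other top-level command (or '!') closes the block
    return state


def accepts(entry, proto):
    """True if the VTY could accept proto: listed explicitly, 'all', or
    unset (assumed to possibly accept, since the default is platform-dependent)."""
    t = entry["transport"]
    return t is None or "all" in t or proto in t


def lists_reachable_by(proto, state):
    """Method lists a session arriving over proto could be authenticated
    against. None in the result means the default login method list."""
    return {e["auth"] for e in state.values() if accepts(e, proto)}


def audit(state):
    """Findings for VTYs left at defaults for transport or method list."""
    findings = []
    for n, e in sorted(state.items()):
        if e["transport"] is None:
            findings.append(f"vty {n}: no 'transport input' set (platform default applies)")
        if e["auth"] is None:
            findings.append(f"vty {n}: no 'login authentication' set (default list applies)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("covered", COVERED_CONFIG)):
        st = parse_vty_lines(cfg)
        print(f"[{name}] ssh can reach lists: {lists_reachable_by('ssh', st)}")
        print(f"[{name}] telnet can reach lists: {lists_reachable_by('telnet', st)}")
        for finding in audit(st):
            print("  " + finding)
```

Run against the posted snippet, the audit shows that an SSH session is only guaranteed to hit `SSH-ONLY` if it lands on VTY 1; VTYs 0, 3 and 4 carry no `transport input` and no `login authentication`, so a session landing there is checked against whatever the default list is. The covered variant leaves every default VTY bound to exactly one transport and one list, so each transport reaches a single method list.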
