[nsp] permit vty ssh, no telnet for some users ?
Bruce Pinsky
bep at whack.org
Tue Apr 27 13:25:12 EDT 2004
Sam Munzani wrote:
> Very interesting approach.
>
In the absence of an ability to pass the transport type to the AAA server
for authorization, this is about the best I can think of. If such an
ability existed, even if the person was authenticated, you could reject
them for using an unauthorized transport method.
One other point. In my example, I said two instances of a TAC+ server.
That need not be the only scenario. Certainly you could use a combination of
TAC+ and RADIUS, TAC+ and Local user, etc, etc. The only combo that would
not work would be to have both named methods use Local usernames since
there is no concept of a "local user group" as there is with a server group.
> Thanks,
> Sam
> ----- Original Message -----
> From: "Bruce Pinsky" <bep at whack.org>
> To: "Gert Doering" <gert at greenie.muc.de>
> Cc: "Hudson Delbert J Contr 61 CS/SCBN" <Delbert.Hudson at losangeles.af.mil>;
> <cisco-nsp at puck.nether.net>
> Sent: Monday, April 26, 2004 3:09 PM
> Subject: Re: [nsp] permit vty ssh, no telnet for some users ?
>
>
>
>>Gert Doering wrote:
>>
>>
>>>Hi,
>>>
>>>On Mon, Apr 26, 2004 at 12:09:11PM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
>
>>>>the solution exists on the clients not on infra-structure boxes which
>>>>by rights ought not to have to perform this type of operation.
>>>
>>>
>>>There is *no way* to "perform this type of operation".
>>>
>>>You cannot limit the connection type to specific users if you only know
>>>the user name *after* establishing the connection.
>>>
>>
>>Well, true you can't deny the transport type based on user identity prior
>>to learning that identity over said transport. However, I think there is a
>>way to limit certain users to being authenticated over certain transports
>>using AAA server groups. Here is a sample config:
>>
>>aaa group server tacacs+ FOR-TELNET
>> server 1.1.1.1
>>!
>>aaa group server tacacs+ FOR-SSH
>> server 2.2.2.2
>>!
>>aaa authentication login SSH-ONLY group FOR-SSH
>>aaa authentication login TELNET-ONLY group FOR-TELNET
>>!
>>tacacs-server host 1.1.1.1 key FOO
>>tacacs-server host 2.2.2.2 key BAR
>>!
>>line vty 1
>> login authentication SSH-ONLY
>> transport input ssh
>>line vty 2
>> login authentication TELNET-ONLY
>> transport input telnet
>>
>>In this case, you would be running two different TAC+ servers (or two
>>instances on different ports if you choose) where a limited set of users is
>>in one of those instances and a different set is in the other.
>>
>>A bit of an administrative pain, but I know of many organizations that run
>>multiple authentication services depending on a varying number of factors
>>including a certain router set, etc.
>>
>>--
>>=========
>>bep
>>
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
--
=========
bep
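Added example (not from the list post and not Cisco code): a small Python lint that reads an IOS-style config and checks the invariants the per-transport setup depends on, namely that every vty line names exactly one transport, that no login method list is shared between an SSH line and a telnet line, and, per the caveat above, that at most one login list draws on local usernames. The first config below is the sample from the quoted post; the MIXED and BAD configs are constructed here to show a TAC+ plus local combination that passes and a set of mistakes that the check flags.

```python
"""Lint an IOS-style config for per-transport AAA separation.

Constructed example: the parser handles only the handful of commands the
thread uses ('aaa authentication login', 'line vty', 'login authentication',
'transport input'); everything else is ignored.
"""
import re
from collections import defaultdict

# Sample config from the quoted post, embedded as constructed input.
SAMPLE_CONFIG = """\
aaa group server tacacs+ FOR-TELNET
 server 1.1.1.1
!
aaa group server tacacs+ FOR-SSH
 server 2.2.2.2
!
aaa authentication login SSH-ONLY group FOR-SSH
aaa authentication login TELNET-ONLY group FOR-TELNET
!
tacacs-server host 1.1.1.1 key FOO
tacacs-server host 2.2.2.2 key BAR
!
line vty 1
 login authentication SSH-ONLY
 transport input ssh
line vty 2
 login authentication TELNET-ONLY
 transport input telnet
"""

# Constructed: TAC+ for SSH, local usernames for telnet (the combination the
# post says is allowed, since only one list relies on local users).
MIXED_CONFIG = """\
aaa authentication login SSH-ONLY group FOR-SSH
aaa authentication login TELNET-ONLY local
line vty 1
 login authentication SSH-ONLY
 transport input ssh
line vty 2
 login authentication TELNET-ONLY
 transport input telnet
"""

# Constructed: three defects in one config (shared list, both lists local,
# one line accepting both transports).
BAD_CONFIG = """\
aaa authentication login SSH-ONLY group FOR-SSH local
aaa authentication login TELNET-ONLY local
line vty 1
 login authentication SSH-ONLY
 transport input ssh
line vty 2
 login authentication SSH-ONLY
 transport input telnet
line vty 3
 login authentication TELNET-ONLY
 transport input telnet ssh
"""


def parse_config(text):
    """Return (login_lists, vty_lines).

    login_lists: name -> list of method tokens, e.g. ['group', 'FOR-SSH'].
    vty_lines: dicts with 'line', 'auth' (list name or None) and
    'transports' (set of tokens, or None when no 'transport input' is set).
    """
    login_lists, vty_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            continue
        m = re.match(r'aaa authentication login (\S+) (.+)$', line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r'line (vty .+)$', line)
        if m:
            current = {'line': m.group(1), 'auth': None, 'transports': None}
            vty_lines.append(current)
            continue
        if line.startswith(' ') and current is not None:
            sub = line.strip()
            m = re.match(r'login authentication (\S+)$', sub)
            if m:
                current['auth'] = m.group(1)
            m = re.match(r'transport input (.+)$', sub)
            if m:
                current['transports'] = set(m.group(1).split())
            continue
        current = None  # any other top-level command ends the line block
    return login_lists, vty_lines


def check_transport_separation(text):
    """Return a list of findings; an empty list means the separation holds."""
    login_lists, vty_lines = parse_config(text)
    findings, lists_by_transport = [], defaultdict(set)
    for v in vty_lines:
        t = v['transports']
        if t is None or 'all' in t or len(t) != 1:
            shown = sorted(t) if t else 'default/all'
            findings.append(f"{v['line']}: transport input must name exactly one transport (got {shown})")
            continue
        if v['auth'] is None:
            findings.append(f"{v['line']}: no 'login authentication' list, falls back to default")
            continue
        if v['auth'] not in login_lists:
            findings.append(f"{v['line']}: login list {v['auth']} is not defined")
            continue
        lists_by_transport[next(iter(t))].add(v['auth'])
    # A method list reused across transports defeats the separation.
    seen = defaultdict(set)
    for transport, names in lists_by_transport.items():
        for n in names:
            seen[n].add(transport)
    for n, transports in sorted(seen.items()):
        if len(transports) > 1:
            findings.append(f"login list {n} is used by both {' and '.join(sorted(transports))} lines")
    # Caveat from the post: two lists drawing on local usernames (even as a
    # fallback) share one username table and cannot separate populations.
    local_lists = [n for n, methods in login_lists.items() if 'local' in methods]
    if len(local_lists) > 1:
        findings.append(f"more than one login list uses local usernames: {sorted(local_lists)}")
    return findings


if __name__ == '__main__':
    for name, cfg in (('SAMPLE', SAMPLE_CONFIG), ('MIXED', MIXED_CONFIG), ('BAD', BAD_CONFIG)):
        print(name, check_transport_separation(cfg) or 'OK')
```

Running it prints OK for the post's sample and for the TAC+/local mix, and three findings for the BAD config: vty 3 accepts both transports, SSH-ONLY is bound to both an ssh line and a telnet line, and both lists use local usernames. The local check counts fallback `local` too, since a list that ends in `local` authenticates from the same username table whenever the server is unreachable.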