[c-nsp] restricting source IP for management by username
joshua sahala
jejs+lists at sahala.org
Fri May 6 16:21:53 EDT 2005
On (06/05/05 15:48), Ed Ravin wrote:
>
> I have several users with access to a router. I want to add a new
> user, one who can only log into that router when he or she is connecting
> from a particular host. How can I set this up? I have a TACACS+ server,
> if that's any help, though I don't mind setting the config locally if it's
> simpler.
Ed,
You can apply an access-class on the inbound vty - where the included ip
addresses are whatever hosts/networks you want to allow:
access-list 1 permit x.x.x.x
access-list 1 deny any log
line vty 0 N
 access-class 1 in
or you can do it in tac+ (similar to the acl, but I don't remember the
syntax...) I think it is something like:
user = ed {
    password = something
    service = shell {
        acl = 1
    }
}
where you would still have an acl on the router
hth
/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -
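As an added example (not taken from the mail above), here is a fuller IOS configuration of the two approaches Joshua describes: the line-wide access-class on every vty, and the router-side pieces needed when the source restriction is handed out per user by TACACS+. All addresses, ACL names and the TACACS+ key are constructed placeholders, and the tacacs-server lines use the older IOS syntax of that era.

```cisco
! Added example; addresses, names and keys are placeholders.
!
! 1) Line-wide restriction: every vty only accepts the management hosts.
!    A standard ACL matches on source address only, which is all
!    access-class needs; the final "deny any log" records refused attempts.
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 permit 192.0.2.32 0.0.0.15
 deny   any log
!
! Apply to the whole vty range the platform has ("show line" lists it).
! A vty left without the access-class is still reachable from anywhere.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! 2) Per-user restriction pushed by TACACS+.
!    The acl attribute returned for a user is only honoured when EXEC
!    authorization is enabled, and the numbered list it names must exist
!    on the router.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.250
tacacs-server key TACACS-KEY-PLACEHOLDER
!
access-list 1 remark per-user vty source restriction referenced by TACACS+
access-list 1 permit host 192.0.2.77
access-list 1 deny any log
```

The access-class in part 1 applies before authentication and to every user on the line, so it is the coarse outer fence; the per-user list in part 2 is only consulted after the user has authenticated and the TACACS+ server has returned the acl attribute during EXEC authorization, which is why the aaa authorization exec line is not optional. Either way the ACL that does the matching lives on the router, not on the TACACS+ server.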