[c-nsp] restricting source IP for management by username
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Sat May 7 07:51:51 EDT 2005
Ed Ravin <> wrote on Friday, May 06, 2005 10:40 PM:
> On Fri, May 06, 2005 at 04:21:53PM -0400, joshua sahala wrote:
>> or you can do it in tac+ (similar to the acl, but I don't remember
>> the syntax...) I think it is something like:
>>
>> user = ed {
>> password = something
>> service = shell {
>> acl = 1
>> }
>> }
>>
>> where you would still have an acl on the router
>
> That's what I was trying to do. My config in tac_plus looks more or
> less like the example above, except I'm using "service = exec" since
> "service = shell" didn't seem to work. Here are the results:
>
> And acl 33 looks like this:
>
> Standard IP access list 33 (Compiled)
> permit 10.20.30.40
>
> And it still doesn't matter which IP address I connect from, the user
> is always allowed in.
>
> What am I doing wrong?
This ACL restricts the hosts the user is allowed to connect *to* (i.e.
telnet from the router). It doesn't restrict where the user is able to
connect from.
You need to do this on the TACACS server; the user's address is included
in the T+ packets. If you use the freeware tac_plus server, I think you
need to use an authorization script to achieve this; the value you want
to pass to the script and check there is $address.
oli
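An added example (not from the post and not tac_plus's own code) of the authorization-script approach Oliver describes: a small POSIX sh hook that compares the $address value tac_plus passes in against a per-user allow-list of source addresses. The tac_plus.conf wiring shown in the comments, the script path, and the exit-code convention (0 permits, 1 denies) are assumptions to verify against your tac_plus documentation; the allow-list entries are constructed.

```shell
#!/bin/sh
# Constructed example: per-user source-address check for a tac_plus
# authorization hook. The daemon hands the hook the client address (the
# $address value named in the post); the hook permits the exec session only
# if that address is on the user's allow-list.
#
# Assumed tac_plus.conf wiring (syntax assumed, check your tac_plus docs):
#   user = ed {
#       service = exec {
#           before authorization "/usr/local/sbin/allowed_sources.sh $user $address"
#       }
#   }
# Assumed exit-code convention: 0 permits, 1 denies (output = error text).

# Constructed allow-list: one "user address" pair per line.
ALLOWED='ed 10.20.30.40
ed 10.20.30.41
oli 192.0.2.10'

# check_source USER ADDRESS: returns 0 if the pair is allowed, 1 otherwise.
check_source() {
    user=$1
    addr=$2
    # Accept only dotted-decimal text so an unexpected value (empty, spaces,
    # shell metacharacters) is rejected before it is ever compared.
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS='
'
    for entry in $ALLOWED; do
        if [ "$entry" = "$user $addr" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Hook entry point: runs only when invoked with the two arguments tac_plus passes.
if [ "$#" -eq 2 ]; then
    if check_source "$1" "$2"; then
        exit 0
    fi
    echo "user $1 may not log in from $2"
    exit 1
fi
```

Note that the IOS-side ACL from the thread still only governs where the user may connect *to*; this hook is what decides where the user may connect *from*.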