
specific IP

Posted: Mon Jul 09, 2012 5:26 pm
by mehi1353
Hi all,

Is it possible to restrict the TSO logon of a userid to his/her specific IP address? (impossible TSO logon from another IP address)


best regards,

Mehrdad Rastgar,
Bank Mellat,
Tehran,IRAN

Re: specific IP

Posted: Mon Jul 09, 2012 7:42 pm
by dick scherrer
Hello,

Suggest you talk with your system support people.

Most places I've been for years use dynamic IP addresses. . .

If the person is the person, why should the system care which terminal happens to be used? Many places do restrict an id to logging on to only one terminal at a time.

Re: specific IP

Posted: Sat Jul 14, 2012 8:57 am
by jaggz
Hi,

To restrict to a specific IP: yes, network people can enforce a firewall to prevent accessing a specific IP address.

Is that what you are looking for? If not, could you please describe your need in detail?

Re: specific IP

Posted: Sat Jul 14, 2012 9:22 am
by dick scherrer
Hello,

I believe the TS's question is the other way around.

If I understand the question, the goal is to restrict a user to only one terminal (IP address).

Re: specific IP

Posted: Sat Jul 14, 2012 10:27 am
by mehi1353
Hi all,

Yes. I want to limit the TELNET of every user to his/her TCP/IP station.

Based on IBM books, I used these commands (for example: limit auser1 to use TELNET only from IP address 172.20.149.8):

SETROPTS TERMINAL(READ)
SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
RDEFINE TERMINAL AC149508 UACC(NONE)
SETROPTS RACLIST(TERMINAL) REFRESH
PERMIT AC149508 CLASS(TERMINAL) ID(AUSER1) ACCESS(READ)
SETROPTS RACLIST(TERMINAL) REFRESH

But it didn't work in my system.

Any other idea?

best regards,
Mehrdad

Re: specific IP

Posted: Sat Jul 14, 2012 11:20 am
by steve-myers
There is the idea of restricting TSO access by VTAM terminal ID, but it is rarely used. I've never heard of using an IP address for this purpose. I believe others have already said it's a dumb idea, since workstations seldom have fixed IP addresses, and even if they have fixed IP addresses at your site, users often want to be able to log on from other workstations or from home using a VPN-type interface to actually access your site's network.

I think this idea needs some serious rethinking.

Re: specific IP

Posted: Sat Jul 14, 2012 11:27 am
by dick scherrer
Hello,

Why does someone believe this "IP address restriction" is worth investigating? If a user is at my desk or I am at some user's desk, why does it matter if one of us logs on via the "other person's" terminal?

I believe there is a big difference between security and paranoia. . .

Re: specific IP

Posted: Sun Jul 15, 2012 7:57 am
by jaggz
Hi,

Well, if you really want to limit the user accessing TELNET:

Please refer to: z/OS V1R11.0 Communications Server IP Configuration Guide z/OS V1R11.0
SC31-8775-16
Check under: TCPIP resource protection.

I hope it helps to accomplish your objective. If you are part of the security side, then it's worth testing in a sandbox.

Jaggz

Re: specific IP

Posted: Sun Jul 15, 2012 8:02 am
by dick scherrer
Hello,

Please refer to: z/OS V1R11.0 Communications Server IP Configuration Guide z/OS V1R11.0
SC31-8775-16
Check under: TCPIP resource protection.

Does this prevent using a "different" IP address when the IP address is subject to change at each new login?

I'm not familiar with this, but do wonder how one could enforce a limit to one IP address that is dynamic. . .

Re: specific IP

Posted: Sun Jul 15, 2012 8:05 am
by jaggz
Hi,

I believe the OP was trying to limit the user accessing TELNET (TN3270 server)?

Jaggz