topic ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a in Network Access Control

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup activated

ludovicterrier — Mon, 11 Mar 2019 02:22:16 GMT

ACS Version : 5.3.0.40.5

Cisco MDS with system version 4.1(3a)

Some accounts have a dedicated policy which allows access only from a specific IP address (by using the End Station Filter on the ACS). But with Cisco MDS boxes, which have "ip domain-lookup" activated, MDS resolved the IP address and replace it by the name of the server in the TACACS+ packet... the "End Station Filter" doesn't match (IP address expected) and access to the MDS is denied. After digging through NX-OS I didn't find any directive disabling name-resolution for TACACS+ exchanges. Is there a way to make an "End Station Filter" based on domain name on the ACS ?

End Station Filter is configured as follow :

Policy Elements --> Session Conditions --> Network Conditions --> End Station Filters and in the "IP address" tab I add IP address from which access should be granted.

Thanks

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

Tarik Admani — Wed, 01 Aug 2012 15:02:41 GMT

Ludovic,

Can you post the pdf of the report that is generated by the MDS entry, or can you post a screenshot?

thanks,

Tarik Admani
*Please rate helpful posts*

Re: ACS 5.3 / Cisco MDS - End Station Filter with ip domain-look

ludovicterrier — Thu, 02 Aug 2012 09:28:05 GMT

Hi Tarik,

Please find attached the screenshot showing denied acces for MDS box and content of "Remote address" field.

Thanks.

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

Tarik Admani — Thu, 02 Aug 2012 09:48:03 GMT

Ludovic,

There is not an easy workaround for this issue. We can remove the PTR records on your dns server (which I am sure is not feasible). Since the packet is originating from the MDS I am pretty sure today that the ACS isn't able to detect and "convert" the remote address attribute via dns (with command authorization this can really bog the box down if a feature like this existed). You can try to open a service request with the MDS product team and see if they can leave ip address in the remote address field. You can try to explore either of these options within Cisco. As far as a workaround it looks like you can remove the ip domain lookup (which you identified), use a pattern if one is present in the workstation, or rename the workstations, if manageable, and create a compound condition that also checks the remote address field.

For example if all the workstations are named adminpc, adminpc1...adminpcn, then you can use the contains operation and set that to adminpc for the remote address field, combine that with your mds network device groups and then set the proper authorization for the users.

I hope this helps,

Tarik Admani
*Please rate helpful posts*

Re: ACS 5.3 / Cisco MDS - End Station Filter with ip domain-look

ludovicterrier — Thu, 02 Aug 2012 14:43:25 GMT

As you said, removing PTR record from our DNS servers is not possible. Moreover, deactivating the "ip domain-lookup" isn't possible too (option needed for some other usage), so I'll see with Cisco.

Thanks for your time,

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

shawn — Thu, 13 Jun 2013 12:24:36 GMT

Was this ever resolved?

We're hitting the samthing.

I got it to work by adding

William Everett — Tue, 25 Nov 2014 20:07:03 GMT

I got it to work by adding the DNS name into the CLI/DNSI section of End Station Filters. Check the "remote address" in the ACS logs to make sure you get the exact name that is being sent to ACS from the device. I had to enter in the FQDN for each end station.