https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822419#M408804 <HTML><HEAD></HEAD><BODY><P>I am not sure I understand your question.</P><P>Can you elaborate on it? In term of OTP,</P><P>I use SecurID and ACS integration and it </P><P>works fine.</P><P></P><P></P></BODY></HTML> Tue, 25 Sep 2007 20:42:06 GMT kevin.jones1 2007-09-25T20:42:06Z https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822418#M408803 <P>I am having problems implementing ACS to work with One Time Password (OTP) server. The problem is that there are multiple NAS devices, and ACS is not representing them with their own IP address but with ACS ip address which leads to security issues. </P><P></P><P>How do i transfer NAS Ip address to OTP so otp knows where from is client coming. </P><P>I am aware of radius IETF attribute 4 (NAS IP address), however i cant find it on attribute list and im not even sure that that would resolve the problem.</P><P></P><P>Suggestions welcome.</P><P></P><P>Sinisa</P> Sun, 10 Mar 2019 22:24:38 GMT https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822418#M408803 smitrovi 2019-03-10T22:24:38Z https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822419#M408804 <HTML><HEAD></HEAD><BODY><P>I am not sure I understand your question.</P><P>Can you elaborate on it? In term of OTP,</P><P>I use SecurID and ACS integration and it </P><P>works fine.</P><P></P><P></P></BODY></HTML> Tue, 25 Sep 2007 20:42:06 GMT https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822419#M408804 kevin.jones1 2007-09-25T20:42:06Z https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822420#M408807 <HTML><HEAD></HEAD><BODY><P>Its Active identity OTP. Request for authentication goes to OTP over ACS and ACS always represents users with its own address and it does not include NAS ip address. However some users for instance can gain access via 802.1x but not via VPN access, but OTP can not distinguish where are they coming from. </P><P></P><P>I am also a little bit unsure about this issue...</P></BODY></HTML> Tue, 25 Sep 2007 20:47:10 GMT https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822420#M408807 smitrovi 2007-09-25T20:47:10Z https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822421#M408809 <HTML><HEAD></HEAD><BODY><P>I think I know what you're trying to do.</P><P></P><P>Basically you want to have the ACS acting</P><P>like a Proxy between the NAS and the OTP </P><P>server. Problem is that ACS will proxy </P><P>all the connection from the NAS devices</P><P>so the OTP will only see the IP address</P><P>of the ACS. Is that a pretty accurate</P><P>picture of what you're trying to do?</P><P></P><P>I think RSA SecurID and the OTP you're</P><P>referring to is also doing the same thing.</P><P></P><P>However, there is a work around that you</P><P>can do. You can have multiple IP addresses</P><P>on the OTP server, like 192.168.1.1 and .2</P><P>on the OTP server. Then on the ACS server,</P><P>you define two separate external database</P><P>configuration with separate ip addresses for</P><P>the OTP server. you then create two separate</P><P>user group, one for VPN and one for 802.1x</P><P>group. Then you map group into the NDG.</P><P></P><P></P></BODY></HTML> Wed, 26 Sep 2007 01:56:20 GMT https://community.cisco.com/t5/network-access-control/acs-one-time-password-collaboration/m-p/822421#M408809 kevin.jones1 2007-09-26T01:56:20Z