https://community.cisco.com/t5/network-access-control/acs-5-4-selective-authentication-authorization-based-on-remote/m-p/2347453#M97618 <HTML><HEAD></HEAD><BODY><P>You will have to work with HP to have this remote address AV pair added. this does seem like a bug within TACACS on the HP side which will have to be addressed by them.</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 19 Sep 2013 05:18:10 GMT Tarik Admani 2013-09-19T05:18:10Z https://community.cisco.com/t5/network-access-control/acs-5-4-selective-authentication-authorization-based-on-remote/m-p/2347452#M97592 <P>Hi everyone!</P><P>Lets say I have a management pc in my network located in the same subnet as management addresses of switches (e.g. both hp and cisco; 192.168.10.0/24 is management network); <SPAN style="font-size: 10pt;">PCs ip is 10.254. </SPAN><SPAN style="font-size: 10pt;">Access to switches is controlled by the tacacs on acs 5.4;</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN><SPAN style="font-size: 10pt;">On the mgmt pc there is Kiwi Cattools which saves running-configs of devices to a tftp server based on a regular schedule (e.g. every 2 weeks). </SPAN></P><P><SPAN style="font-size: 10pt;">For this purpose there is a special user </SPAN><SPAN style="font-size: 10pt;">on the acs </SPAN><SPAN style="font-size: 10pt;">account called "cattools", which is used by that soft to access devices and save running-configs.</SPAN></P><P>Now my purpose is to disallow the usage of "cattools" for any usage from anywhere, <SPAN style="text-decoration: underline;">except when the access request comes from mgmt pc 10.254 (i.e. kiwi).</SPAN> The account should not be used to access devices from any other location. Here`s what I did:</P><P></P><P>In the log messages from acs I notices Remote Address field contaninig an ip address of the device/pc, from which access is being made. So I created an End Station filter list (name "mgmtonly") on the acs with a single value of 192.168.10.254; Then in the access services for tacacs protocol in the Identity section I created an Identity policy saying that <STRONG>"if system.username=cattools AND end station filter DOESN`T MATCH <SPAN style="font-size: 10pt;">mgmtonly, then Identity source is DenyAccess"; </SPAN></STRONG><SPAN style="font-size: 10pt;">This rule is followed by other rules permiiting access with the other user accounts. </SPAN></P><P></P><P><SPAN style="font-size: 10pt;">And this scheme is working: when access is being made from mgmt pc with username cattools, access is granted. From any other location it is denied.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Unfortunately, it is working <STRONG>only for Cisco devices</STRONG> because through monitoring logs I noticed that they always send remote address to the acs server. But Hp switches lack this ability. Every time procurves access the acs server, its remote address field is empty, i.e. it doesn`t relay an ip address to the server. So the above rule is not matched and not working.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Is there any solution to his, or is there more suitable solution?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Mon, 11 Mar 2019 03:55:12 GMT https://community.cisco.com/t5/network-access-control/acs-5-4-selective-authentication-authorization-based-on-remote/m-p/2347452#M97592 ILKIN GASIMOV 2019-03-11T03:55:12Z https://community.cisco.com/t5/network-access-control/acs-5-4-selective-authentication-authorization-based-on-remote/m-p/2347453#M97618 <HTML><HEAD></HEAD><BODY><P>You will have to work with HP to have this remote address AV pair added. this does seem like a bug within TACACS on the HP side which will have to be addressed by them.</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 19 Sep 2013 05:18:10 GMT https://community.cisco.com/t5/network-access-control/acs-5-4-selective-authentication-authorization-based-on-remote/m-p/2347453#M97618 Tarik Admani 2013-09-19T05:18:10Z