ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup activated

ludovicterrier
Level 1

ACS Version : 5.3.0.40.5

Cisco MDS with system version 4.1(3a)

Some accounts have a dedicated policy which allows access only from a specific IP address (by using the End Station Filter on the ACS). But with Cisco MDS boxes, which have "ip domain-lookup" activated, the MDS resolves the IP address and replaces it with the name of the server in the TACACS+ packet... the "End Station Filter" doesn't match (IP address expected) and access to the MDS is denied. After digging through NX-OS I didn't find any directive disabling name resolution for TACACS+ exchanges. Is there a way to make an "End Station Filter" based on domain name on the ACS?

The End Station Filter is configured as follows:

Policy Elements --> Session Conditions --> Network Conditions --> End Station Filters and in the "IP address" tab I add IP address from which access should be granted.

Thanks

6 Replies

Tarik Admani
VIP Alumni

Ludovic,

Can you post the pdf of the report that is generated by the MDS entry, or can you post a screenshot?

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Please find attached the screenshot showing denied access for the MDS box and the content of the "Remote address" field.

Thanks.

Ludovic,

There is not an easy workaround for this issue. We can remove the PTR records on your DNS server (which I am sure is not feasible). Since the packet is originating from the MDS, I am pretty sure today that the ACS isn't able to detect and "convert" the remote address attribute via DNS (with command authorization this could really bog the box down if a feature like this existed). You can try to open a service request with the MDS product team and see if they can leave the IP address in the remote address field. You can try to explore either of these options within Cisco. As far as a workaround, it looks like you can remove the ip domain-lookup (which you identified), use a pattern if one is present in the workstation names, or rename the workstations, if manageable, and create a compound condition that also checks the remote address field.

For example, if all the workstations are named adminpc, adminpc1...adminpcn, then you can use the "contains" operation and set it to adminpc for the remote address field, combine that with your MDS network device groups, and then set the proper authorization for the users.

I hope this helps,

Tarik Admani
*Please rate helpful posts*

As you said, removing the PTR records from our DNS servers is not possible. Moreover, deactivating "ip domain-lookup" isn't possible either (the option is needed for some other usage), so I'll see with Cisco.

Thanks for your time,

shawn
Level 1

Was this ever resolved?

We're hitting the same thing.

William Everett
Level 1

I got it to work by adding the DNS name into the CLI/DNSI section of End Station Filters. Check the "remote address" in the ACS logs to make sure you get the exact name that is being sent to ACS from the device. I had to enter the FQDN for each end station.
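To make the behaviour discussed in this thread concrete, here is an added example (not from any poster, and not ACS or NX-OS code) that pulls the rem_addr field out of a TACACS+ authentication START body and then models the End Station Filter: the IP tab can never match a reverse-resolved hostname, so the exact FQDN has to be listed under the DNS-name section (William's fix) or caught by a "contains" condition on the remote address (Tarik's workaround). The host names, addresses and the START bodies are constructed for the example, and the body is assumed to be already deobfuscated (on the wire it is XORed with the shared-secret pad).

```python
import ipaddress
import struct

# Fixed part of a TACACS+ authentication START body (RFC 8907, sec. 5.1):
# action, priv_lvl, authen_type, authen_service, then the lengths of the
# four variable fields user, port, rem_addr and data.  This is the body
# after the per-packet obfuscation with the shared secret has been undone.
_START_HDR = struct.Struct("!8B")

def build_authen_start(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Construct a plaintext START body (test data only, not a real capture)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action/priv_lvl/authen_type/authen_service values are irrelevant here.
    return _START_HDR.pack(1, 1, 1, 1, len(u), len(p), len(r), len(data)) + u + p + r + data

def parse_authen_start(body: bytes) -> dict:
    """Split a plaintext START body into its variable-length string fields."""
    user_len, port_len, rem_addr_len, data_len = _START_HDR.unpack_from(body)[4:]
    off, out = _START_HDR.size, {}
    for name, n in (("user", user_len), ("port", port_len),
                    ("rem_addr", rem_addr_len), ("data", data_len)):
        out[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body size")
    return out

def end_station_match(rem_addr: str, ip_entries=(), dns_entries=(), contains=()) -> bool:
    """Model of the filter: an IP entry only matches a rem_addr that parses as an
    address; a hostname must match a DNS-name entry exactly or a 'contains' pattern."""
    try:
        addr = ipaddress.ip_address(rem_addr)
    except ValueError:
        host = rem_addr.rstrip(".").lower()          # hostname, not an IP
        if host in {e.rstrip(".").lower() for e in dns_entries}:
            return True
        return any(pat.lower() in host for pat in contains)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ip_entries)

# Constructed samples: the same admin PC as seen from a device without and
# with "ip domain-lookup" (names and addresses are made up for this example).
SAMPLES = {
    "no_lookup": build_authen_start("admin", "tty1", "192.0.2.10"),
    "with_lookup": build_authen_start("admin", "tty1", "adminpc1.example.net"),
}
POLICY = {"ip_entries": ["192.0.2.10"], "dns_entries": ["adminpc1.example.net"]}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        ra = parse_authen_start(body)["rem_addr"]
        print(label, ra, "ip-only:", end_station_match(ra, ["192.0.2.10"]),
              "ip+dns:", end_station_match(ra, **POLICY))
```

Running it shows the IP-only filter rejecting the resolved name while the same policy with the FQDN added under the DNS-name entries accepts both forms.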