08-01-2012 05:58 AM - edited 03-10-2019 07:22 PM
ACS Version : 5.3.0.40.5
Cisco MDS with system version 4.1(3a)
Some accounts have a dedicated policy which allows access only from a specific IP address (by using the End Station Filter on the ACS). But with Cisco MDS boxes, which have "ip domain-lookup" activated, MDS resolves the IP address and replaces it by the name of the server in the TACACS+ packet... the "End Station Filter" doesn't match (IP address expected) and access to the MDS is denied. After digging through NX-OS I didn't find any directive disabling name-resolution for TACACS+ exchanges. Is there a way to make an "End Station Filter" based on domain name on the ACS?
End Station Filter is configured as follows:
Policy Elements --> Session Conditions --> Network Conditions --> End Station Filters and in the "IP address" tab I add IP address from which access should be granted.
Thanks
08-01-2012 08:02 AM
Ludovic,
Can you post the pdf of the report that is generated by the MDS entry, or can you post a screenshot?
thanks,
Tarik Admani
*Please rate helpful posts*
08-02-2012 02:28 AM
08-02-2012 02:48 AM
Ludovic,
There is not an easy workaround for this issue. We can remove the PTR records on your DNS server (which I am sure is not feasible). Since the packet is originating from the MDS I am pretty sure today that the ACS isn't able to detect and "convert" the remote address attribute via DNS (with command authorization this can really bog the box down if a feature like this existed). You can try to open a service request with the MDS product team and see if they can leave the IP address in the remote address field. You can try to explore either of these options within Cisco. As far as a workaround, it looks like you can remove the ip domain lookup (which you identified), use a pattern if one is present in the workstation, or rename the workstations, if manageable, and create a compound condition that also checks the remote address field.
For example if all the workstations are named adminpc, adminpc1...adminpcn, then you can use the contains operation and set that to adminpc for the remote address field, combine that with your mds network device groups and then set the proper authorization for the users.
I hope this helps,
Tarik Admani
*Please rate helpful posts*
08-02-2012 07:43 AM
As you said, removing PTR record from our DNS servers is not possible. Moreover, deactivating the "ip domain-lookup" isn't possible too (option needed for some other usage), so I'll see with Cisco.
Thanks for your time,
06-13-2013 05:24 AM
Was this ever resolved?
We're hitting the same thing.
11-25-2014 12:07 PM
I got it to work by adding the DNS name into the CLI/DNSI section of End Station Filters. Check the "remote address" in the ACS logs to make sure you get the exact name that is being sent to ACS from the device. I had to enter in the FQDN for each end station.
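To make the mismatch in this thread concrete, here is an added example (not from any poster or from Cisco ACS) that builds a constructed TACACS+ authentication START body, pulls out the rem_addr field that ACS logs as "remote address", and applies an approximation of the End Station Filter: the IP tab only ever matches an IP literal, so a device that sends a resolved hostname is denied until the FQDN is added to the CLI/DNS entries or a "contains" compound condition is used. The filter semantics and the packet field values are assumptions for illustration.

```python
import ipaddress
import struct


def build_authen_start(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Constructed, cleartext TACACS+ authentication START body (RFC 8907 5.1),
    without the 12-byte common header: action, priv_lvl, authen_type,
    authen_service, then four length bytes, then the variable-length fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # LOGIN action, priv level 1, ASCII authen type, LOGIN service (assumed values)
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def parse_rem_addr(body: bytes) -> str:
    """Extract rem_addr, the value ACS shows as 'remote address' in its logs.
    The MDS fills this with the resolved name when ip domain-lookup is on."""
    user_len, port_len, rem_addr_len = struct.unpack("!3B", body[4:7])
    start = 8 + user_len + port_len
    return body[start:start + rem_addr_len].decode()


def end_station_match(rem_addr: str, ip_filters=(), dns_filters=()) -> bool:
    """Approximation of the ACS End Station Filter as described in the thread:
    the IP tab matches only IP literals, the CLI/DNS tab matches exact names."""
    try:
        addr = ipaddress.ip_address(rem_addr)
    except ValueError:
        # A hostname never satisfies the IP tab; only an exact DNS entry matches.
        return rem_addr.lower() in {name.lower() for name in dns_filters}
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ip_filters)


def remote_address_contains(rem_addr: str, pattern: str) -> bool:
    """The 'contains' operator on the remote address used in the compound
    condition workaround, e.g. pattern 'adminpc' for adminpc1..adminpcN."""
    return pattern.lower() in rem_addr.lower()


if __name__ == "__main__":
    by_ip = parse_rem_addr(build_authen_start("ludovic", "tty1", "10.1.2.3"))
    by_name = parse_rem_addr(build_authen_start("ludovic", "tty1", "adminpc1.example.net"))
    print(by_ip, end_station_match(by_ip, ip_filters=["10.1.2.3/32"]))
    print(by_name, end_station_match(by_name, ip_filters=["10.1.2.3/32"]))
    print(by_name, end_station_match(by_name, dns_filters=["adminpc1.example.net"]))
```

Run against real ACS logs, compare the printed name with the exact "remote address" string the device sends before adding it as a CLI/DNS entry.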