Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3281
Views
10
Helpful
8
Replies

ACS 5.3 load balancing - TACACS+ NAS IP address

Go to solution
Josef Fuehrer
Level 1
Level 1

‎06-27-2012 05:55 AM - edited ‎03-10-2019 07:14 PM

Dear all,

I'm currently evaluating a scenario where AAA request are load balanced across multiple ACS 5.3 instances. The application delivery controller runs in L3 mode, which naturally causes the original packet's source IP address to be replaced by a randomly selected proxy address.

As far as RADIUS is concerned, I can perfectly determine the originating NAS by means of a 'Device Filter' condition. Unfortunately, ACS seems to lack the possibility of achieving the same for TACACS+. According to the user manual, only the actual IP address from the received packet is taken into account. I've also come across the 'NAS-Address' attribute in the protocol dictionary, but it can't be used in a custom condition either.

Does anyone happen to know how to retrieve the initial device IP address from a TACACS+ request in order to use it for further policing?

Cheers,

Josef

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
maldehne
Cisco Employee
Cisco Employee

‎06-27-2012 06:35 AM

Hello Josef , thats not possible.

View solution in original post

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Josef Fuehrer

‎06-29-2012 07:15 AM

Josef,

That is not an attribute that is present in  the authentication request due to the fact it is in the tacacs  dictionary section. Typically the dictionary values are for attributes  you want to send back in the authorization response, however there isnt  anything online as to what this address is for. At this point there isnt  much you can do from your design but you should open a TAC case so they  can get on a webex with you to see if there something I may have  missed.

Thanks

Tarik Admani

View solution in original post

8 Replies 8

Go to solution
maldehne
Cisco Employee
Cisco Employee

‎06-27-2012 06:35 AM

Hello Josef , thats not possible.

Go to solution
Josef Fuehrer
Level 1
Level 1
In response to maldehne

‎06-27-2012 07:55 AM

Hi,

Thanks for your reply.

So am I right to assume that currently there's no way to load balance TACACS+ requests while maintaining the full ACS feature set? If so, are there any plans to add corresponding functionality to future ACS or ISE releases?

Cheers,

Josef

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Josef Fuehrer

‎06-27-2012 10:51 AM

Josef,

Are the shared secrets the same for all the devices? Are you only authorizing users based on user group (no network device group or network device location used in the authorization policies), if so you can use the default network device option and set a shared secret to decrypt these requests.

If there is a pool of network addresses that this loadbalancer uses, you can create an network device entry and choose the range so it also this this "network device".

let me know if that is something that will fit what you are looking for.

Thanks,

Tarik Admani

0 Helpful

Go to solution
Josef Fuehrer
Level 1
Level 1
In response to Tarik Admani

‎06-28-2012 02:07 AM

Dear Tarik,

my current setup is pretty much as per your description. I've created network device entries for the pool of proxy addresses and assigned a single shared secret for common use among all AAA clients.

However, in certain cases I've to apply further access restrictions to certain devices. In order to identify them, it's necessary to filter out the original NAS IP address from the Tacacs+ request.

For Radius requests this functionality is implemented in the 'Device Filter' policy element. But so far I haven't been able to work out a solution for Tacacs+.

Cheers,

Josef

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Josef Fuehrer

‎06-28-2012 07:33 AM

Josef,

Can you explain why the loadbalancer is randomly re-writing the source ip addresses of the tacacs requests? Can you assign a group of devices to a specific address? There isnt any attribute that has the same source address so what you are trying to achieve isnt possible.

Here is a screenshot of a decrypted tacacs request:

thanks,

Tarik Admani

0 Helpful

Go to solution
Josef Fuehrer
Level 1
Level 1
In response to Tarik Admani

‎06-28-2012 08:33 AM

Dear Tarik,

The source IP addresses are replaced because the load balancer operates in layer 3 mode. Due to the physical placement, switching to layer 2 mode isn't a valid option at the moment. Additionally, the current software release doesn't support static proxy address assignment.

Apparently, a Tacacs+ NAS address attribute does exist. At least it's listed in the protocol dictionary:

Is there a way to make use of it as a policy condition?

Cheers,

Josef

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Josef Fuehrer

‎06-29-2012 07:15 AM

Josef,

That is not an attribute that is present in  the authentication request due to the fact it is in the tacacs  dictionary section. Typically the dictionary values are for attributes  you want to send back in the authorization response, however there isnt  anything online as to what this address is for. At this point there isnt  much you can do from your design but you should open a TAC case so they  can get on a webex with you to see if there something I may have  missed.

Thanks

Tarik Admani

Go to solution
Josef Fuehrer
Level 1
Level 1
In response to Tarik Admani

‎07-03-2012 01:02 AM

Dear Tarik,

so it seems like a chance in my design is really worth consideration.

Thanks a lot for your help.

Cheers,

Josef

0 Helpful
Customers Also Viewed These Support Documents