Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

Hi All,

I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?

For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.



Hi Martin,

If we are talking here about the ACS 5.x, this is very simple. You only need to customize the Access Policies/Authorization Conditions and add "Device IP" and "AD1:External Database" as your Conditions, check the example below:

This way only the ACS will check if the user belongs to the correct AD group and if the source IP address of the AAA client (router/switch/ASA, etc) is valid or not.

There are many ways to accomplish this for example using Policy Elements, but this is a basic example.

Let me know if it helps.

Hi Mauricio,

This helps some. However, I was more wondering if ACS can take into account the source IP of the user requesting authentication. Let's say someone wants to authenticate to a router or even server, the device sends the request to ACS server along with the user's IP and if the credentials and source IP match what is allowed, authentication is granted.

I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:

1. Create a End Station Filter, here configure the user's IP

2. Customize your Conditions under Access Policies/Authorization to use End Station Filter

3. Define your rule with the required result


Ah... do you know if a TACACS auth packets contain source IP information? I think radius does.

Yes, TACACS+ sends the address in a value called "Remote Address":

Let me know if it helps.

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube