Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

martinezaw
Level 1

Hi All,

I have used Cisco ACS TACACS+ for authentication based on Active Directory. Is it possible to use Active Directory as a criterion for authentication AND source IP?

For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.

Thanks!

5 Replies

mauzamor
Level 1

Hi Martin,

If we are talking here about the ACS 5.x, this is very simple. You only need to customize the Access Policies/Authorization Conditions and add "Device IP" and "AD1:External Database" as your Conditions, check the example below:

This way the ACS will check only whether the user belongs to the correct AD group and whether the source IP address of the AAA client (router/switch/ASA, etc.) is valid.

There are many ways to accomplish this for example using Policy Elements, but this is a basic example.

Let me know if it helps.

Hi Mauricio,

This helps some. However, I was more wondering if ACS can take into account the source IP of the user requesting authentication. Let's say someone wants to authenticate to a router or even a server: the device sends the request to the ACS server along with the user's IP, and if the credentials and source IP match what is allowed, authentication is granted.

I see your point. This will depend on whether the user's IP is provided in the authentication request; if this information is provided, then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:

1. Create an End Station Filter and configure the user's IP in it

2. Customize your Conditions under Access Policies/Authorization to use End Station Filter

3. Define your rule with the required result

martinezaw
Level 1

Ah... do you know if TACACS+ auth packets contain source IP information? I think RADIUS does.

Yes, TACACS+ sends the address in a value called "Remote Address":

Let me know if it helps.
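As an added example (not from this thread, not Cisco's code), here is the whole path the two replies above describe, in Python: a TACACS+ authentication START packet is built the way the AAA client (router/switch) sends it, with the RFC 8907 header, the START body that carries the "Remote Address" as the rem_addr field, and the MD5 pseudo-pad obfuscation under a shared key; the server side parses it back to recover rem_addr; and an ACS 5.x style rule then requires both AD group membership AND an End Station Filter match on that address. The shared key, session id, user names, group names and subnets are constructed for the example, and the AD_GROUPS dictionary stands in for the AD1 external database lookup.

```python
# Added example (not from the thread or from Cisco): decode a TACACS+
# authentication START packet, extract rem_addr, and apply an ACS-style
# "AD group AND source subnet" rule. Key, session id, users, groups and
# subnets below are constructed values.
import hashlib
import ipaddress
import struct

TAC_PLUS_AUTHEN = 0x01            # header.type for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header.flags bit: body sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
START_FMT = "!BBBBBBBB"           # action, priv_lvl, authen_type, service, 4 lengths

# Constructed stand-in for the AD1 external database: user -> group names.
AD_GROUPS = {"martinez": {"NetAdmins"}, "guest": {"HelpDesk"}}
REQUIRED_GROUP = "NetAdmins"
# Constructed End Station Filter: subnets a user session may originate from.
END_STATION_FILTER = [ipaddress.ip_network("10.1.2.0/24")]


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: MD5(session_id, key, version, seq_no[, prev])."""
    sid = struct.pack("!I", session_id)
    stream, prev = b"", b""
    while len(stream) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        stream += prev
    return stream[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, key, session_id, data=b""):
    """Constructed START packet as the AAA client sends it. rem_addr is where
    the NAS reports the user's source IP for a vty (telnet/ssh) session."""
    version, seq_no, flags = 0xC0, 1, 0          # major 0xC, minor 0; first packet
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    body = struct.pack(START_FMT, 1, 1, 1, 1, len(u), len(p), len(r), len(data))
    body += u + p + r + data
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Server side: recover user, port and rem_addr from a START packet."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    _action, priv_lvl, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack(
        START_FMT, body[:8])
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    if off != length:
        raise ValueError("length fields do not match body (wrong key or corrupt)")
    user, port, rem_addr, _data = fields
    return {"user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "priv_lvl": priv_lvl}


def acs_rule(user, rem_addr):
    """ACS 5.x style authorization rule: AD group AND End Station Filter."""
    try:
        addr = ipaddress.ip_address(rem_addr)
    except ValueError:
        return "deny"   # console sessions report no IP (e.g. "async"): fail closed
    in_group = REQUIRED_GROUP in AD_GROUPS.get(user, set())
    in_filter = any(addr in net for net in END_STATION_FILTER)
    return "permit" if in_group and in_filter else "deny"


def evaluate(packet, key):
    """Decode the START packet, then run the rule on what the NAS reported."""
    start = parse_authen_start(packet, key)
    start["decision"] = acs_rule(start["user"], start["rem_addr"])
    return start


if __name__ == "__main__":
    key, sid = b"tacacs-shared-secret", 0x1A2B3C4D   # constructed values
    for who, src in (("martinez", "10.1.2.3"), ("martinez", "192.0.2.9"),
                     ("guest", "10.1.2.3"), ("martinez", "async")):
        print(evaluate(build_authen_start(who, "tty2", src, key, sid), key))
```

Two caveats worth keeping in mind when relying on this in ACS: rem_addr is whatever the AAA client chooses to report, so the rule only trusts the device that sent it, and a console login carries a string like "async" rather than an address, which is why the rule above fails closed on anything that does not parse as an IP. The pseudo-pad is obfuscation with a shared secret, not encryption (RFC 8907 says as much), so the path between the device and ACS still needs to be a trusted management network.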
