11-30-2012 06:45 AM - edited 03-10-2019 07:50 PM
Hi All,
I have used Cisco ACS TACACS for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
Thanks!
11-30-2012 07:02 AM
Hi Martin,
If we are talking here about the ACS 5.x, this is very simple. You only need to customize the Access Policies/Authorization Conditions and add "Device IP" and "AD1:External Database" as your Conditions, check the example below:
This way only the ACS will check if the user belongs to the correct AD group and if the source IP address of the AAA client (router/switch/ASA, etc) is valid or not.
There are many ways to accomplish this for example using Policy Elements, but this is a basic example.
Let me know if it helps.
11-30-2012 07:50 AM
Hi Mauricio,
This helps some. However, I was more wondering if ACS can take into account the source IP of the user requesting authentication. Let's say someone wants to authenticate to a router or even server, the device sends the request to ACS server along with the user's IP and if the credentials and source IP match what is allowed, authentication is granted.
11-30-2012 08:27 AM
I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
1. Create an End Station Filter; here, configure the user's IP
2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
3. Define your rule with the required result
11-30-2012 01:22 PM
Ah... do you know if TACACS auth packets contain source IP information? I think RADIUS does.
12-03-2012 06:14 AM
Yes, TACACS+ sends the address in a value called "Remote Address":
Let me know if it helps.
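As an added example (not part of this thread or any Cisco code), the Python below parses the TACACS+ authentication START body, which is where the Remote Address field travels, and then applies the rule described above: the user must be in the required AD group AND the remote address must fall inside the End Station Filter range. The packet builder, the AD group table and the allowed subnet are constructed stand-ins for ACS's own policy elements.

```python
import ipaddress
import struct

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def parse_authen_start(packet: bytes) -> dict:
    """Parse a TACACS+ authentication START packet and return its string fields.
    Assumes the body is sent in the clear (TAC_PLUS_UNENCRYPTED_FLAG set)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("expected an unobfuscated authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    # START body: action, priv_lvl, authen_type, authen_service, then four length bytes
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack_from("!8B", body)
    off = 8
    user = body[off:off + ul].decode(); off += ul
    port = body[off:off + pl].decode(); off += pl
    rem_addr = body[off:off + rl].decode(); off += rl   # the "Remote Address" field
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl}

def build_authen_start(user: str, port: str, rem_addr: str, session_id: int = 1) -> bytes:
    """Construct a sample unobfuscated START packet (constructed test input, not a capture)."""
    fields = [s.encode() for s in (user, port, rem_addr)]
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), no data
    body = struct.pack("!8B", 1, 1, 1, 1, len(fields[0]), len(fields[1]), len(fields[2]), 0)
    body += b"".join(fields)
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body

# Constructed stand-ins for the ACS policy pieces discussed in the thread.
AD_GROUPS = {"martin": {"NetAdmins"}, "guest": {"Staff"}}      # AD1 external group lookup
END_STATION_FILTER = [ipaddress.ip_network("10.1.20.0/24")]     # allowed user source subnet

def authorize(packet: bytes, required_group: str = "NetAdmins") -> bool:
    """Rule: permit only if the user is in the AD group AND rem_addr is in the filter."""
    req = parse_authen_start(packet)
    try:
        addr = ipaddress.ip_address(req["rem_addr"])
    except ValueError:
        return False   # rem_addr is free-form text; anything that is not an IP fails the filter
    in_group = required_group in AD_GROUPS.get(req["user"], set())
    in_filter = any(addr in net for net in END_STATION_FILTER)
    return in_group and in_filter
```

Note that rem_addr is whatever the AAA client chooses to send; a device that fills it with a line name instead of an address (or omits it) will never match the filter, which is the safe failure mode.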