
TACACS Remote-address condition

Northy
Beginner

With most of our users working from home, ourselves included, we are using AnyConnect to access resources on the network. We have a privileged user profile and a regular user profile. The privileged profile receives a different IP address from a different pool to the regular user profile.

 

We are looking to use the TACACS Remote-Address attribute that is sent when accessing network devices as a method to determine if they are on the privileged user profile; if they are, they are forwarded to the DUO Authentication proxy to perform both primary and secondary authentication.

 

I have managed to get the above to work; however, it feels like the conditions we are using for the remote-address could be better.

 

One of the conditions we currently use:

 

TACACS Remote-Address CONTAINS 10.6.

 

I want to be able to use the whole subnet, 10.6.0.0/21 to match against but cannot seem to get it to work when entering the whole network/mask. I have also attempted to use an Endstation Network condition that defines the network but this just doesn't seem to work. 

 

I was hoping someone could offer a better way of doing it.

 

Currently, we are using ISE 2.4.0.357 Patches 5 & 11

 


Accepted Solutions

paul
Advocate

Did you try TACACS Remote address Matches ^10\.6\.[0-7]\..*

 

My regex skills are OK, but that should match 10.6.0.0/21 addresses.
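The two conditions from this thread, checked against real membership of 10.6.0.0/21, as an added example that is not part of any poster's reply. It assumes ISE evaluates CONTAINS as a substring test and MATCHES the way Python's `re` handles this simple pattern; the sample addresses are constructed.

```python
import ipaddress
import re

# The privileged AnyConnect pool named in the thread.
POOL = ipaddress.ip_network("10.6.0.0/21")

# Pattern from the accepted answer, copied unchanged.
MATCHES_RE = re.compile(r"^10\.6\.[0-7]\..*")


def contains_condition(addr: str) -> bool:
    """Model of 'Remote-Address CONTAINS 10.6.' (assumed: plain substring test)."""
    return "10.6." in addr


def matches_condition(addr: str) -> bool:
    """Model of 'Remote-Address MATCHES ^10\\.6\\.[0-7]\\..*'."""
    return MATCHES_RE.match(addr) is not None


def in_pool(addr: str) -> bool:
    """Ground truth: is the address really inside 10.6.0.0/21?"""
    return ipaddress.ip_address(addr) in POOL


def disagreements(condition, addrs):
    """Addresses where the condition's verdict differs from real pool membership."""
    return [a for a in addrs if condition(a) != in_pool(a)]


def regex_tracks_third_octet() -> bool:
    """Try every third-octet value 0-255 under 10.6. against the regex."""
    return all(matches_condition(f"10.6.{o}.1") == in_pool(f"10.6.{o}.1")
               for o in range(256))


# Constructed sample addresses (not taken from any real deployment).
SAMPLES = [
    "10.6.0.1", "10.6.7.254",     # inside the /21
    "10.6.8.1", "10.6.15.20",     # same 10.6. prefix, outside the /21
    "110.6.1.1", "192.10.6.1",    # "10.6." appears mid-string
    "10.60.1.1", "10.5.7.1",      # unrelated
]

if __name__ == "__main__":
    print("CONTAINS misclassifies:", disagreements(contains_condition, SAMPLES))
    print("MATCHES misclassifies: ", disagreements(matches_condition, SAMPLES))
    print("Regex equals /21 on third octet:", regex_tracks_third_octet())
```

The substring condition also accepts addresses outside the privileged pool, while the anchored pattern agrees with the /21 boundary for every third-octet value.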

Thanks, Paul. That's much better.

 

Tested and working great. Didn't realise I could use regex in conditions like that. Looks like I am going to have to familiarise myself with it a little bit at least.

 

So we can do 2 factor with duo for tacacs?

You cannot do TACACS directly with DUO. My configuration relies on the use of ISE to send the request onwards to the DUO Authentication Proxy. 

 

 
