With most of our users working from home, ourselves included, we are using AnyConnect to access resources on the network. We have a privileged user profile and a regular user profile. The privileged profile receives a different IP address from a different pool than the regular user profile.
We are looking to use the TACACS Remote-Address attribute that is sent when accessing network devices as a method to determine if they are on the privileged user profile; if they are, then they are forwarded to the Duo Authentication Proxy to perform both primary and secondary authentication.
I have managed to get the above to work; however, it feels like the conditions we are using for the Remote-Address could be better.
One of the conditions we currently use:
TACACS Remote-Address CONTAINS 10.6.
I want to be able to use the whole subnet, 10.6.0.0/21, to match against, but I cannot seem to get it to work when entering the whole network/mask. I have also attempted to use an Endstation Network condition that defines the network, but this just doesn't seem to work.
I was hoping someone could offer a better way of doing it.
Currently, we are using ISE 126.96.36.1997 Patches 5 & 11.
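The following is an added example, not code from the original post or from Cisco ISE, illustrating why a substring condition such as `CONTAINS 10.6.` is a weaker test than a true subnet membership check for 10.6.0.0/21. It compares the substring match, an exact CIDR check using Python's `ipaddress` module, and an anchored regular expression generated from the CIDR that gives the same result as the CIDR check for any prefix length from /16 to /24. All sample addresses are constructed for the demonstration; the example makes no claim about which operators a given ISE release supports, only about what each kind of match accepts.

```python
import ipaddress
import re

# Constructed sample Remote-Address values (not taken from the original post).
# The comments state where each one falls relative to 10.6.0.0/21.
SAMPLE_ADDRESSES = [
    "10.6.0.1",      # inside the /21
    "10.6.7.254",    # inside: last /24 covered by the /21 is 10.6.7.0
    "10.6.8.1",      # outside: the /21 ends at 10.6.7.255, but CONTAINS "10.6." matches
    "10.6.200.9",    # outside, but CONTAINS "10.6." matches
    "110.6.1.1",     # outside, but CONTAINS "10.6." matches (substring starts at offset 1)
    "192.10.6.5",    # outside, but CONTAINS "10.6." matches
    "10.60.1.1",     # outside; "10.6." is not a substring here because "0" follows "10.6"
    "172.16.4.2",    # outside, no match by any method
]

NETWORK = "10.6.0.0/21"
NEEDLE = "10.6."


def contains_match(addr: str, needle: str = NEEDLE) -> bool:
    """Model of a plain substring condition (CONTAINS)."""
    return needle in addr


def in_subnet(addr: str, network: str = NETWORK) -> bool:
    """Exact CIDR membership check, the behaviour the poster actually wants."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=True)


def cidr_to_regex(network: str = NETWORK) -> str:
    """Build an anchored regex equivalent to an IPv4 CIDR of length /16 to /24.

    The first two octets are fixed, the third octet is an alternation over the
    values the prefix covers, and the fourth octet is any value 0-255.
    Prefix lengths outside /16../24 are rejected rather than mis-handled.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 24:
        raise ValueError("this helper only handles IPv4 prefixes /16 through /24")
    first = int(net.network_address)
    octet_a = first >> 24
    octet_b = (first >> 16) & 0xFF
    octet_c_start = (first >> 8) & 0xFF
    count = 1 << (24 - net.prefixlen)          # number of third-octet values covered
    thirds = "|".join(str(octet_c_start + i) for i in range(count))
    fourth = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"    # 0-255
    return rf"^{octet_a}\.{octet_b}\.(?:{thirds})\.{fourth}$"


def regex_match(addr: str, network: str = NETWORK) -> bool:
    """Membership test using the anchored regex derived from the CIDR."""
    return re.match(cidr_to_regex(network), addr) is not None


def regex_agrees_with_cidr(network: str = NETWORK, addresses=SAMPLE_ADDRESSES) -> bool:
    """True when the regex and the CIDR check classify every address identically."""
    return all(regex_match(a, network) == in_subnet(a, network) for a in addresses)


def overmatched_by_contains(addresses=SAMPLE_ADDRESSES, network: str = NETWORK) -> list:
    """Addresses the substring condition accepts although they are outside the subnet."""
    return [a for a in addresses if contains_match(a) and not in_subnet(a, network)]


if __name__ == "__main__":
    print(f"regex for {NETWORK}: {cidr_to_regex(NETWORK)}")
    print(f"{'address':<14} {'CONTAINS':<9} {'CIDR':<6} {'regex':<6}")
    for a in SAMPLE_ADDRESSES:
        print(f"{a:<14} {contains_match(a)!s:<9} {in_subnet(a)!s:<6} {regex_match(a)!s:<6}")
    print("over-matched by CONTAINS:", overmatched_by_contains())
```

Running the block prints one row per sample address; the four addresses listed as over-matched are all accepted by `CONTAINS 10.6.` yet lie outside 10.6.0.0/21, which is the gap the poster is sensing. Whichever condition type ends up being used on the ISE side, the useful check is the one `regex_agrees_with_cidr` performs: feed the candidate condition the addresses just inside and just outside the boundary (10.6.7.254 and 10.6.8.1 here) and confirm it accepts the first and rejects the second.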