06-24-2020 01:20 AM
With most of our users working from home, ourselves included, we are using AnyConnect to access resources on the network. We have a privileged user profile and a regular user profile. The privileged profile receives a different IP address from a different pool to the regular user profile.
We are looking to use the TACACS Remote-Address attribute that is sent when accessing network devices as a method to determine if they are on the privileged user profile. If they are, then they are forwarded to the DUO Authentication proxy to perform both primary and secondary authentication.
I have managed to get the above to work; however, it feels like the conditions we are using for the remote-address could be better.
One of the conditions we currently use:
TACACS Remote-Address CONTAINS 10.6.
I want to be able to use the whole subnet, 10.6.0.0/21 to match against but cannot seem to get it to work when entering the whole network/mask. I have also attempted to use an Endstation Network condition that defines the network but this just doesn't seem to work.
I was hoping someone could offer a better way of doing it.
Currently, we are using ISE 2.4.0.357 Patches 5 & 11
06-24-2020 12:16 PM
Did you try TACACS Remote address Matches ^10\.6\.[0-7]\..*
My regex skills are OK, but that should match 10.6.0.0/21 addresses.
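A way to check such conditions against the real pool before relying on them in policy. This is an added example, not part of the thread; it assumes the ISE Matches operator treats this pattern the way Python's `re` module does. `STRICT_REGEX` and the out-of-pool sample strings are constructed for illustration.

```python
import ipaddress
import re

POOL = ipaddress.ip_network("10.6.0.0/21")        # privileged pool from the question
THREAD_REGEX = re.compile(r"^10\.6\.[0-7]\..*")   # condition suggested in the answer
# Assumption: a tighter variant that also validates the last octet and the end of string.
STRICT_REGEX = re.compile(r"^10\.6\.[0-7]\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")

# Constructed values that must NOT be treated as privileged.
OUTSIDE = ["10.6.8.1", "10.6.10.5", "10.6.70.1", "10.60.1.1",
           "10.16.0.1", "110.6.1.1", "192.10.6.1", "10.6.1.999"]


def contains_condition(value):
    """The original 'CONTAINS 10.6.' condition, as a substring test."""
    return "10.6." in value


def in_pool(value):
    """True only for a well-formed address inside 10.6.0.0/21."""
    try:
        return ipaddress.ip_address(value) in POOL
    except ValueError:          # not an IP address at all
        return False


def audit(condition):
    """Return (false_positives, false_negatives) for a condition vs the /21."""
    candidates = [str(a) for a in POOL] + OUTSIDE   # all 2048 pool addresses + outsiders
    false_pos, false_neg = [], []
    for value in candidates:
        hit = bool(condition(value))
        if hit and not in_pool(value):
            false_pos.append(value)
        elif not hit and in_pool(value):
            false_neg.append(value)
    return false_pos, false_neg


if __name__ == "__main__":
    for name, cond in [("CONTAINS 10.6.", contains_condition),
                       ("thread regex", THREAD_REGEX.match),
                       ("strict regex", STRICT_REGEX.match)]:
        fp, fn = audit(cond)
        print(f"{name:15} false positives={fp} false negatives={len(fn)}")
```
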
06-25-2020 12:09 AM
Thanks, Paul. That's much better.
Tested and working great. Didn't realise I could use regex in conditions like that. Looks like I am going to have to familiarise myself with it a little bit at least.
06-25-2020 12:48 AM
So we can do 2-factor with Duo for TACACS?
06-25-2020 03:15 AM
You cannot do TACACS directly with DUO. My configuration relies on the use of ISE to send the request onwards to the DUO Authentication Proxy.