TACACS Remote-address condition

Northy
Level 1

With most of our users working from home, ourselves included, we are using AnyConnect to access resources on the network. We have a privileged user profile and a regular user profile. The privileged profile receives a different IP address, from a different pool, than the regular user profile.

We are looking to use the TACACS Remote-Address attribute that is sent when accessing network devices as a method to determine if they are on the privileged user profile; if they are, they are forwarded to the DUO Authentication Proxy to perform both primary and secondary authentication.

I have managed to get the above to work; however, it feels like the conditions we are using for the remote-address could be better.

One of the conditions we currently use:

TACACS Remote-Address CONTAINS 10.6.

I want to be able to use the whole subnet, 10.6.0.0/21, to match against, but cannot seem to get it to work when entering the whole network/mask. I have also attempted to use an Endstation Network condition that defines the network, but this just doesn't seem to work.

I was hoping someone could offer a better way of doing it.

Currently, we are using ISE 2.4.0.357 Patches 5 & 11.

 

1 Accepted Solution

Accepted Solutions

paul
Level 10

Did you try TACACS Remote address Matches ^10\.6\.[0-7]\..*

My regex skills are OK, but that should match 10.6.0.0/21 addresses.

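The accepted answer hand-writes the regex for one /21. The script below is an added example, not code from the thread or from Cisco: it generalises the idea by turning any IPv4 CIDR into an anchored regex suitable for a "Matches" condition, cross-checks the result against Python's `ipaddress` module, and shows why the original `CONTAINS 10.6.` condition is too loose (it also matches 10.6.8.x, 10.6.200.x and even 110.6.x.x). It assumes the ISE Matches operator accepts plain alternation groups `( | )` and character ranges `[0-7]` (the latter is confirmed by the answer above; the former is an assumption). The sample addresses are constructed for the demonstration. One caveat that is worth keeping in mind whichever condition you use: the TACACS+ remote address is supplied by the network device in the request, so the check is only as trustworthy as the device reporting it and the VPN pool assignment behind it.

```python
import ipaddress
import re


def _rx(lo, hi, width):
    """Regex fragments covering every integer lo..hi written as a zero-padded
    `width`-digit string (helper for range_regex; internal leading zeros are
    fine here because a caller always fixes the leading digit)."""
    s_lo, s_hi = str(lo).zfill(width), str(hi).zfill(width)
    if width == 1:
        return [s_lo if lo == hi else f"[{s_lo}-{s_hi}]"]
    if s_lo[0] == s_hi[0]:
        # Shared leading digit: recurse on the remaining digits.
        return [s_lo[0] + p for p in _rx(int(s_lo[1:]), int(s_hi[1:]), width - 1)]
    full = 10 ** (width - 1) - 1            # e.g. 99 when two digits remain
    lo_rest, hi_rest = int(s_lo[1:]), int(s_hi[1:])
    start, end = int(s_lo[0]), int(s_hi[0])
    head, tail = [], []
    if lo_rest != 0:                        # partial block under the first leading digit
        head = [s_lo[0] + p for p in _rx(lo_rest, full, width - 1)]
        start += 1
    if hi_rest != full:                     # partial block under the last leading digit
        tail = [s_hi[0] + p for p in _rx(0, hi_rest, width - 1)]
        end -= 1
    middle = []
    if start <= end:                        # leading digits whose whole block is covered
        lead = str(start) if start == end else f"[{start}-{end}]"
        middle = [lead + "[0-9]" * (width - 1)]
    return head + middle + tail


def range_regex(lo, hi):
    """Regex fragment matching exactly the decimal integers lo..hi (no leading zeros)."""
    pats, start = [], lo
    while start <= hi:
        width = len(str(start))
        end = min(hi, 10 ** width - 1)      # stay within one digit count per pass
        pats += _rx(start, end, width)
        start = end + 1
    return pats[0] if len(pats) == 1 else "(" + "|".join(pats) + ")"


def cidr_to_regex(cidr):
    """Anchored regex matching every IPv4 address inside `cidr` and nothing else.
    A CIDR block is aligned, so each octet can be constrained independently:
    fixed octets before the boundary, a range at the boundary, 0-255 after it."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    parts = [range_regex((first >> shift) & 0xFF, (last >> shift) & 0xFF)
             for shift in (24, 16, 8, 0)]
    return "^" + r"\.".join(parts) + "$"


def in_network(cidr, addr):
    """What the ISE 'Matches' condition would decide for this remote address."""
    return re.match(cidr_to_regex(cidr), addr) is not None


def contains_condition(addr, needle="10.6."):
    """The original 'CONTAINS 10.6.' condition from the question: a substring test."""
    return needle in addr


def agrees_with_ipaddress(cidr, addrs):
    """Cross-check: the generated regex must agree with ipaddress on every sample."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    rx = re.compile(cidr_to_regex(cidr))
    return all((rx.match(a) is not None) == (ipaddress.IPv4Address(a) in net)
               for a in addrs)


if __name__ == "__main__":
    print(cidr_to_regex("10.6.0.0/21"))
    # Constructed sample addresses: the last three are caught by CONTAINS but
    # correctly rejected by the regex because they lie outside 10.6.0.0/21.
    for a in ["10.6.0.1", "10.6.7.255", "10.6.8.0", "10.6.200.5", "110.6.1.1"]:
        print(f"{a:>12}  contains={contains_condition(a)!s:5}  matches={in_network('10.6.0.0/21', a)}")
    samples = [f"10.6.{x}.{y}" for x in range(256) for y in (0, 7, 128, 255)]
    print("regex agrees with ipaddress:", agrees_with_ipaddress("10.6.0.0/21", samples))
```

The generated pattern for the thread's subnet is `^10\.6\.[0-7]\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$`; Paul's `^10\.6\.[0-7]\..*` is the same test with the last octet left unconstrained, which is fine for addresses a real device reports. The strict form matters more for prefixes that do not end on an octet boundary, such as a /18 or /26, where the boundary octet needs an alternation rather than a single character class.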

4 Replies


Thanks, Paul, that's much better.

Tested and working great. Didn't realise I could use regex in conditions like that. Looks like I am going to have to familiarise myself with it a little bit at least.

So we can do 2-factor with Duo for TACACS?

You cannot do TACACS directly with DUO. My configuration relies on the use of ISE to send the request onwards to the DUO Authentication Proxy.