TACACS+ requests through NAT device

jsteffensen
Level 1

Hi everyone.

I want to authenticate and authorize VTY access to Cisco devices using TACACS+. The config is pretty "straightforward", BUT:

I want to forward the TACACS+ request through a NAT device and on to the "Internet" where the TACACS+ server is located. (ACS 3.3)

Two questions arise in this situation:

- Does TACACS+ protocol support request through NAT devices?

- Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all AAA clients and on the ACS)

As you see, I want to connect "as many AAA clients as possible" to a TACACS+ server with "as easy = as few configuration changes as possible".

I know VPNs are an option as well, but that is not preferred in my design.

Best Regards

Jarle Steffensen


vasthorvak
Level 1

- Does TACACS+ protocol support request through NAT devices?

Yes.

- Is it possible to connect different devices behind the NAT device, using only one outside NAT IP address? (Using the same secret key for all AAA clients and on the ACS)

I highly recommend not doing this. If you will be accessing a remote TACACS server, then use site-to-site VPN tunnels wherever the negotiation of keys will be traversing any public space.

Richard Burts
Hall of Fame

As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.

I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).

If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server cannot differentiate the remote devices, then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care, then your solution should work. If you do care to differentiate the remote activity, then you need a solution like VPN which maintains the individuality of the remote devices.

HTH

Rick


Thanks for the answers so far.

The topology is a bit "strange". It might (maybe) be enough to be able to group more devices into one IP (or client).

One more question:

Will the connection through the NAT device require "Single Connect" Clients, or will this cause problems if more devices are accessed at the same time?

I have installed a small lab, and I'm receiving "strange" user names like:

1. :

(x"IP Addres"x:1332) sent 446 bytes -- responder (x"IP Address"x:80) sent 1870 bytes

2.:

ted at '^' marker.

3.:

cation

Does anyone have an idea?

I will continue doing tests, and see if I can find the dependencies as well.

Hi Rick

I've verified it now:

TACACS+ works through PAT Address.

It is possible to have multiple AAA Clients behind one PAT address, by using the single NAT'ed IP Address as the AAA-Client Address in the ACS Server.

Also important, as you pointed out: all devices must have the same TACACS+ secret key.

Thanks for your help

Greetings

Jarle
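As an added illustration (not code from this thread or from Cisco ACS) of why every router behind the PAT address must share one key, and why the server sees them all as one AAA client: the TACACS+ server selects the shared secret by the packet's source IP, and the body is obfuscated by XOR with an MD5 pseudo-pad derived from that secret (RFC 8907). The AAA-client table, the PAT table, addresses and keys below are constructed for the example.

```python
import hashlib
import struct

# Constructed ACS-style AAA-client table: secret is chosen by source IP of the
# TACACS+ packet. Behind PAT every router arrives as the one outside address,
# so a single entry (and therefore a single key) covers all of them.
AAA_CLIENTS = {"203.0.113.10": b"SharedTacacsKey"}

# Constructed PAT table: (inside IP, inside port) -> (outside IP, outside port)
PAT_TABLE = {
    ("10.0.0.1", 1332): ("203.0.113.10", 40001),
    ("10.0.0.2", 1332): ("203.0.113.10", 40002),
}

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Body XOR pseudo-pad. XOR is symmetric, so the same call also decodes."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def server_decode(src_inside, body_enc: bytes, session_id: int, version: int = 0xC0, seq_no: int = 1):
    """What the server sees: PAT has rewritten the source, so the key lookup
    uses the outside IP. Returns (apparent client IP, decoded body)."""
    outside_ip, _ = PAT_TABLE[src_inside]
    key = AAA_CLIENTS[outside_ip]
    return outside_ip, obfuscate(body_enc, session_id, key, version, seq_no)

def demo():
    """Two routers behind the same PAT address; one uses a mismatched key."""
    body = b"\x01\x00\x00\x00\x04\x04\x00\x00jsteffensen"  # constructed START body
    ok = server_decode(("10.0.0.1", 1332), obfuscate(body, 0x1234, b"SharedTacacsKey"), 0x1234)
    bad = server_decode(("10.0.0.2", 1332), obfuscate(body, 0x1234, b"WrongKey"), 0x1234)
    return ok, bad

if __name__ == "__main__":
    (ip1, b1), (ip2, b2) = demo()
    print(ip1, b1 == b"\x01\x00\x00\x00\x04\x04\x00\x00jsteffensen")  # True
    print(ip2, b2)  # same apparent client, but the body is garbage
```

Both routers appear to the server as 203.0.113.10, so accounting cannot tell them apart, and the router whose key does not match the single AAA-client entry yields an undecodable body.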