09-25-2007 01:36 PM - edited 03-10-2019 03:24 PM
I am having problems implementing ACS to work with a One Time Password (OTP) server. The problem is that there are multiple NAS devices, and ACS is not representing them with their own IP addresses but with the ACS IP address, which leads to security issues.
How do I transfer the NAS IP address to OTP so OTP knows where the client is coming from?
I am aware of RADIUS IETF attribute 4 (NAS IP address), however I can't find it on the attribute list and I'm not even sure that it would resolve the problem.
Suggestions welcome.
Sinisa
09-25-2007 01:42 PM
I am not sure I understand your question. Can you elaborate on it? In terms of OTP, I use SecurID and ACS integration and it works fine.
09-25-2007 01:47 PM
It's Active identity OTP. The request for authentication goes to OTP over ACS, and ACS always represents users with its own address and does not include the NAS IP address. However, some users, for instance, can gain access via 802.1x but not via VPN access, but OTP cannot distinguish where they are coming from.
I am also a little bit unsure about this issue...
09-25-2007 06:56 PM
I think I know what you're trying to do. Basically you want to have the ACS acting like a proxy between the NAS and the OTP server. The problem is that ACS will proxy all the connections from the NAS devices, so the OTP will only see the IP address of the ACS. Is that a pretty accurate picture of what you're trying to do? I think RSA SecurID and the OTP you're referring to are also doing the same thing.

However, there is a workaround that you can do. You can have multiple IP addresses on the OTP server, like 192.168.1.1 and .2. Then on the ACS server, you define two separate external database configurations with separate IP addresses for the OTP server. You then create two separate user groups, one for VPN and one for 802.1x. Then you map the groups into the NDG.
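
Added example, not part of the thread and not Cisco or OTP vendor code: how a RADIUS server behind a proxy could read IETF attribute 4 (NAS-IP-Address) to recover the originating NAS, accepting it only when the packet arrives from a known proxy. It assumes the proxy forwards attribute 4 unchanged, which the thread does not confirm for ACS; the function names, addresses and sample packet are constructed.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS IETF attribute 4, as named in the thread

def build_access_request(attrs, identifier=1):
    """Build a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # All-zero 16-byte authenticator: sample data only, not a valid exchange.
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: [values]}; raise ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def originating_nas(packet, source_ip, trusted_proxies):
    """Address to apply policy to: attribute 4 only if a trusted proxy sent it."""
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    if source_ip in trusted_proxies and len(values) == 1 and len(values[0]) == 4:
        return str(ipaddress.IPv4Address(values[0]))
    return source_ip  # direct client, or proxy that did not forward attribute 4

# Constructed sample: proxy at 192.0.2.10 relays a request from NAS 198.51.100.7.
PROXY, NAS = "192.0.2.10", "198.51.100.7"
SAMPLE = build_access_request([
    (1, b"alice"),                                   # User-Name
    (NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS).packed),
])

if __name__ == "__main__":
    print(originating_nas(SAMPLE, PROXY, {PROXY}))          # attribute 4 is used
    print(originating_nas(SAMPLE, "203.0.113.9", {PROXY}))  # source IP is used
```

Because attribute 4 is set by whoever sends the request, the trusted-proxy check is what keeps an arbitrary client from claiming to be a different NAS.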