Access Control Server authentication restriction

xine xine
Level 1

Hi !

I have to set up our ACS to authenticate all administrative sessions on our telecom devices. Based on our security policies, all users need to be authenticated by a secured password and also a second component like a security token or something else. So far this is OK: I see the ACS can work with external database users, which can use OTP or a security token.

My concern is about our users' management software, CiscoWorks. Because the CiscoWorks software uses its user credentials to run most management jobs on the telecom devices, its user must be able to be authenticated by the ACS. For the second authentication factor, I would like to use the source IP address of the request (I know it's a very basic security feature, but I think it's the first step; we are not using any certificate server). The CiscoWorks user must not be used from any IP address other than that of the CiscoWorks server, which in some parts of the network may be NATed by firewalls. I would like to know if the source of the request is also transmitted to the ACS and how I can make sure the authentication request came from the CiscoWorks server IP address.

I use ACS SE software version 4.2.0.124-12 at this time, because version 5 doesn't support token authentication.

Thanks a lot !

1 Reply

Erick Delgado
Level 1

Hi,

The AAA client, which in this case is CiscoWorks, always sends the IP address information.

The restriction that you want to accomplish can be done with a NAR.

Please see the link below, which explains this feature.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Hope it helps.