Cisco Support Community
ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup activated

ACS Version : 5.3.0.40.5

Cisco MDS with system version 4.1(3a)

Some accounts have a dedicated policy which allows access only from a specific IP address (by using the End Station Filter on the ACS). But with Cisco MDS boxes, which have "ip domain-lookup" activated, the MDS resolves the IP address and replaces it with the name of the server in the TACACS+ packet... the "End Station Filter" doesn't match (IP address expected) and access to the MDS is denied. After digging through NX-OS I didn't find any directive disabling name resolution for TACACS+ exchanges. Is there a way to make an "End Station Filter" based on domain name on the ACS?

End Station Filter is configured as follows:

Policy Elements --> Session Conditions --> Network Conditions --> End Station Filters and in the "IP address" tab I add IP address from which access should be granted.

Thanks

6 REPLIES

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

Ludovic,

Can you post the pdf of the report that is generated by the MDS entry, or can you post a screenshot?

thanks,

Tarik Admani
*Please rate helpful posts*


Re: ACS 5.3 / Cisco MDS - End Station Filter with ip domain-look

Hi Tarik,

Please find attached the screenshot showing denied access for the MDS box and the content of the "Remote address" field.

Thanks.

ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

Ludovic,

There is not an easy workaround for this issue. We can remove the PTR records on your DNS server (which I am sure is not feasible). Since the packet is originating from the MDS, I am pretty sure today that the ACS isn't able to detect and "convert" the remote address attribute via DNS (with command authorization this can really bog the box down if a feature like this existed). You can try to open a service request with the MDS product team and see if they can leave the IP address in the remote address field. You can try to explore either of these options within Cisco. As far as a workaround goes, it looks like you can remove the ip domain-lookup (which you identified), use a pattern if one is present in the workstation name, or rename the workstations, if manageable, and create a compound condition that also checks the remote address field.

For example if all the workstations are named adminpc, adminpc1...adminpcn, then you can use the contains operation and set that to adminpc for the remote address field, combine that with your mds network device groups and then set the proper authorization for the users.

I hope this helps,

Tarik Admani
*Please rate helpful posts*


Re: ACS 5.3 / Cisco MDS - End Station Filter with ip domain-look

As you said, removing the PTR record from our DNS servers is not possible. Moreover, deactivating the "ip domain-lookup" isn't possible either (option needed for some other usage), so I'll see with Cisco.

Thanks for your time,


ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup a

Was this ever resolved?

We're hitting the same thing.


I got it to work by adding

I got it to work by adding the DNS name into the CLI/DNSI section of End Station Filters.  Check the "remote address" in the ACS logs to make sure you get the exact name that is being sent to ACS from the device.  I had to enter in the FQDN for each end station.
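As an added illustration (not code from the thread or from ACS), the snippet below models how the two End Station Filter tabs evaluate the "remote address" value: an IP from the "IP address" tab, or an exact FQDN from the CLI/DNIS tab when the MDS has substituted the resolved name, plus Tarik's looser "contains" compound condition. The filter contents, the `Remote-Address=` log layout and the hostnames are constructed assumptions.

```python
import ipaddress
import re

# Constructed filter contents mirroring the two ACS End Station Filter tabs.
IP_FILTER = ["10.10.5.12", "10.10.6.0/24"]                      # "IP address" tab
DNIS_FILTER = ["adminpc1.example.com", "adminpc2.example.com"]  # "CLI/DNIS" tab (FQDNs)

# Constructed log lines in an assumed key=value layout, not real ACS report output.
SAMPLE_LOG = [
    "Remote-Address=10.10.5.12, Device=switch1, Result=Pass",
    "Remote-Address=adminpc1.example.com., Device=mds1, Result=Fail",
    "Remote-Address=adminpc7.example.com, Device=mds2, Result=Fail",
]

def remote_address_from_log(line):
    """Pull the 'remote address' value out of a constructed log line."""
    m = re.search(r"Remote-Address=([^,\s]+)", line)
    return m.group(1) if m else None

def match_end_station(remote_address, ip_filter=IP_FILTER, dnis_filter=DNIS_FILTER):
    """Return 'ip', 'dnis' or None depending on which tab the value satisfies.

    An MDS with ip domain-lookup enabled sends the resolved PTR name, so the
    value never satisfies the IP tab and must be listed under CLI/DNIS instead.
    That also means the decision now depends on the reverse DNS zone being correct.
    """
    value = remote_address.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        return "ip" if any(ip in ipaddress.ip_network(e, strict=False) for e in ip_filter) else None
    # Compare as a DNS name: case-insensitive, trailing dot ignored, exact FQDN only.
    name = value.lower().rstrip(".")
    return "dnis" if name in {d.lower().rstrip(".") for d in dnis_filter} else None

def contains_condition(remote_address, pattern="adminpc"):
    """Tarik's alternative: a compound condition using 'contains' on the remote address.
    Looser than an exact FQDN match, so pair it with the MDS network device group."""
    return pattern.lower() in remote_address.lower()

def evaluate_log(lines=SAMPLE_LOG):
    """Map each log line's remote address to the filter tab it matched (None = denied)."""
    return {remote_address_from_log(l): match_end_station(remote_address_from_log(l)) for l in lines}
```

Running `evaluate_log()` over the constructed lines shows the plain IP passing on the IP tab, the trailing-dot FQDN passing only because it was added to CLI/DNIS, and the unlisted host being denied.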
