ACS 5.3 / Cisco MDS - End Station Filter with ip domain-lookup activated
ACS Version : 18.104.22.168.5
Cisco MDS with system version 4.1(3a)
Some accounts have a dedicated policy which allows access only from a specific IP address (by using the End Station Filter on the ACS). But with Cisco MDS boxes which have "ip domain-lookup" activated, the MDS resolves the IP address and replaces it with the name of the server in the TACACS+ packet, so the "End Station Filter" doesn't match (an IP address is expected) and access to the MDS is denied. After digging through NX-OS I didn't find any directive disabling name resolution for TACACS+ exchanges. Is there a way to make an "End Station Filter" based on a domain name on the ACS?
The End Station Filter is configured as follows:
Policy Elements --> Session Conditions --> Network Conditions --> End Station Filters, and in the "IP address" tab I add the IP address from which access should be granted.
There is not an easy workaround for this issue. We could remove the PTR records on your DNS server (which I am sure is not feasible). Since the packet is originating from the MDS, I am pretty sure today that the ACS isn't able to detect and "convert" the remote address attribute via DNS (with command authorization this could really bog the box down if a feature like this existed). You can try to open a service request with the MDS product team and see if they can leave the IP address in the remote address field. You can try to explore either of these options within Cisco. As far as a workaround, it looks like you can remove "ip domain-lookup" (which you identified), use a pattern if one is present in the workstation names, or rename the workstations, if manageable, and create a compound condition that also checks the remote address field.
For example, if all the workstations are named adminpc, adminpc1...adminpcn, then you can use the "contains" operation and set it to adminpc for the remote address field, combine that with your MDS network device groups, and then set the proper authorization for the users.
I got it to work by adding the DNS name into the CLI/DNIS section of End Station Filters. Check the "remote address" in the ACS logs to make sure you get the exact name that is being sent to ACS from the device. I had to enter the FQDN for each end station.
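To make concrete what the two replies above describe, here is an added example (not code from the thread, Cisco ACS or NX-OS) that serializes the authentication START body of a TACACS+ packet, recovers the rem_addr field that ACS logs as "remote address", and evaluates it against the three policy options discussed: the End Station Filter "IP address" tab, the "CLI/DNIS" tab with an exact FQDN, and the compound "contains adminpc" condition scoped to the MDS device group. The IP address, hostnames and device-group names are constructed for illustration; only the packet layout follows RFC 8907.

```python
"""Added example (not from the thread above): build the authentication START
body of a TACACS+ packet (RFC 8907, section 5.1) for the two cases discussed,
pull the rem_addr field back out, and evaluate it against the three policy
options the replies mention. All IPs, hostnames, user/port values and the
policy layout are constructed for illustration."""
import ipaddress
import struct

# TACACS+ authentication START body constants (RFC 8907, section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Serialize the cleartext START body: 8 fixed bytes, then four variable fields.
    The device (here the MDS) decides what goes into rem_addr; with
    'ip domain-lookup' on it sends the resolved hostname instead of the IP."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    header = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                         TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                         len(u), len(p), len(r), len(d))
    return header + u + p + r + d


def parse_rem_addr(body: bytes) -> str:
    """Walk the length fields to recover rem_addr, the value ACS logs as 'remote address'."""
    user_len, port_len, rem_len = body[4], body[5], body[6]
    start = 8 + user_len + port_len
    return body[start:start + rem_len].decode()


def end_station_ip_match(rem_addr: str, allowed_ips: set) -> bool:
    """End Station Filter, 'IP address' tab: matches only if rem_addr parses as an IP in the set."""
    try:
        return ipaddress.ip_address(rem_addr) in {ipaddress.ip_address(a) for a in allowed_ips}
    except ValueError:  # a hostname is not an IP address, so the IP tab never matches it
        return False


def end_station_dnis_match(rem_addr: str, allowed_names: set) -> bool:
    """End Station Filter, 'CLI/DNIS' tab: exact (case-insensitive) FQDN match, as in the last reply."""
    return rem_addr.lower() in {n.lower() for n in allowed_names}


def compound_contains_match(rem_addr: str, device_group: str, needle: str,
                            mds_group: str = "MDS") -> bool:
    """Compound condition from the first reply: remote address 'contains' needle AND
    the network device belongs to the MDS device group (group names are assumed)."""
    return needle.lower() in rem_addr.lower() and device_group == mds_group


def evaluate(rem_addr: str, device_group: str) -> dict:
    """Run one rem_addr value through all three policy options."""
    allowed_ips = {"192.0.2.10"}              # constructed admin workstation IP
    allowed_fqdns = {"adminpc1.example.net"}  # constructed FQDN as it would appear in the ACS log
    return {
        "ip_tab": end_station_ip_match(rem_addr, allowed_ips),
        "dnis_tab": end_station_dnis_match(rem_addr, allowed_fqdns),
        "compound_contains": compound_contains_match(rem_addr, device_group, "adminpc"),
    }


if __name__ == "__main__":
    # Same workstation, once as the MDS sends it without domain lookup and once with it.
    for case in ("192.0.2.10", "adminpc1.example.net"):
        body = build_authen_start("jdoe", "vty0", case)
        rem = parse_rem_addr(body)
        print(rem, evaluate(rem, "MDS"))
```

Running it shows the failure mode from the question: the IP tab matches only when rem_addr is the raw address, while the hostname form is caught by either the CLI/DNIS entry or the compound "contains" condition. The device-group check in the compound option matters because a plain "contains adminpc" would otherwise apply to every device that sends a hostname.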