Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.4: Selective authentication (authorization) based on remote address.

Hi everyone!

Lets say I have a management pc in my network located in the same subnet as management addresses of switches (e.g. both hp and cisco; is management network); PCs ip is 10.254. Access to switches is controlled by the tacacs on acs 5.4;

On the mgmt pc there is Kiwi Cattools which saves running-configs of devices to a tftp server based on a regular schedule (e.g. every 2 weeks).

For this purpose there is a special user on the acs account called "cattools", which is used by that soft to access devices and save running-configs.

Now my purpose is to disallow the usage of "cattools" for any usage from anywhere, except when the access request comes from mgmt pc 10.254 (i.e. kiwi). The account should not be used to access devices from any other location. Here`s what I did:

In the log messages from acs I notices Remote Address field contaninig an ip address of the device/pc, from which access is being made. So I created an End Station filter list (name "mgmtonly") on the acs with a single value of; Then in the access services for tacacs protocol in the Identity section I created an Identity policy saying that "if system.username=cattools AND end station filter DOESN`T MATCH mgmtonly, then Identity source is DenyAccess"; This rule is followed by other rules permiiting access with the other user accounts.

And this scheme is working: when access is being made from mgmt pc with username cattools, access is granted. From any other location it is denied.

Unfortunately, it is working only for Cisco devices because through monitoring logs I noticed that they always send remote address to the acs server. But Hp switches lack this ability. Every time procurves access the acs server, its remote address field is empty, i.e. it doesn`t relay an ip address to the server. So the above rule is not matched and not working.

Is there any solution to his, or is there more suitable solution?


ACS 5.4: Selective authentication (authorization) based on remot

You will have to work with HP to have this remote address AV pair added. this does seem like a bug within TACACS on the HP side which will have to be addressed by them.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
CreatePlease to create content