Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS + One time password collaboration

I am having problems implementing ACS to work with One Time Password (OTP) server. The problem is that there are multiple NAS devices, and ACS is not representing them with their own IP address but with ACS ip address which leads to security issues.

How do i transfer NAS Ip address to OTP so otp knows where from is client coming.

I am aware of radius IETF attribute 4 (NAS IP address), however i cant find it on attribute list and im not even sure that that would resolve the problem.

Suggestions welcome.


Community Member

Re: ACS + One time password collaboration

I am not sure I understand your question.

Can you elaborate on it? In term of OTP,

I use SecurID and ACS integration and it

works fine.

Community Member

Re: ACS + One time password collaboration

Its Active identity OTP. Request for authentication goes to OTP over ACS and ACS always represents users with its own address and it does not include NAS ip address. However some users for instance can gain access via 802.1x but not via VPN access, but OTP can not distinguish where are they coming from.

I am also a little bit unsure about this issue...

Community Member

Re: ACS + One time password collaboration

I think I know what you're trying to do.

Basically you want to have the ACS acting

like a Proxy between the NAS and the OTP

server. Problem is that ACS will proxy

all the connection from the NAS devices

so the OTP will only see the IP address

of the ACS. Is that a pretty accurate

picture of what you're trying to do?

I think RSA SecurID and the OTP you're

referring to is also doing the same thing.

However, there is a work around that you

can do. You can have multiple IP addresses

on the OTP server, like and .2

on the OTP server. Then on the ACS server,

you define two separate external database

configuration with separate ip addresses for

the OTP server. you then create two separate

user group, one for VPN and one for 802.1x

group. Then you map group into the NDG.

CreatePlease to create content