
Tacacs authentication request attributes

davide.fichera
Level 1

Hi ALL,

the authentication on a Router 2911 is done via tacacs (ACS 5.1). In the dashboard (or in the reports) of ACS the IP address of the "calling station" (client used for authentication activity) is not reported. If I use RADIUS I could configure the router to send attributes (such as the number 31 = calling-station-id). How can I solve with tacacs protocol instead?

Thanks in advance,

Davide

7 Replies

Marcin Latosiewicz
Cisco Employee

Davide,

Not exactly the same usage, BUT when you're attempting to authenticate to a device via TACACS, it would send the remote address.

What's the use case, if I may know?

M.

Hi Marcin and thanks for your answer. The use case is a simple authentication activity. I've made a check and as you correctly show it is possible to retrieve the IP address of the remote client looking at the details of the log entry. It's very good news! However in the main (live) dashboard that information is not shown... Do you know why?

Davide.

Davide,

I think it was a conscious design choice; the IP address in administration could be misleading. Although I'm not part of the business unit, so I'm not the best to comment.

If you're looking for a place where it pops up, check accounting logs, you should be able to see the IP address as part of the audit session key.

M.

Hi Marcin,

could you provide the detailed path to get the "audit session key" report shown above? Our version is ACS 5.1... maybe it is missing?

Thanks,

Davide

Davide,

No access to 5.1 I'm afraid, at least to one I can test freely.

AAA Protocol > TACACS+ Accounting is where the session key should be visible.

Verified for both IOS and ASA exec accounting.

M.

I've found this:

CSCth31525

Live authentication report does not show TACACS+ data.

Symptom: The TACACS+ live authentication report is missing data on some columns, including NAS and IP address.

Conditions: This problem occurs only on ACS 5.1.

Workaround: Use one of the other available reports to view this data.

at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html

Unfortunately it's a bug of this specific version...

Davide

Davide,

Good find, this one has not been fixed in any ACS release and is considered an enhancement.

Go figure... :/

M.
