Cisco Support Community
New Member

Tacacs authentication request attributes

Hi ALL,

The authentication on a Router 2911 is done via TACACS (ACS 5.1). In the dashboard (or in the reports) of ACS the IP address of the "calling station" (client used for authentication activity) is not reported. If I use RADIUS I could configure the router to send attributes (such as the number 31 = calling-station-id). How can I solve this with the TACACS protocol instead?

Thanks in advance,

Davide

7 REPLIES
Cisco Employee

Davide,

Not exactly the same usage, BUT when you're attempting to authenticate to a device via TACACS it would send the remote address.

What's the use case, if I may know?

M.
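Added example, not part of the thread and not Cisco code: in TACACS+ (RFC 8907) the authentication START body carries a `rem_addr` field, which is where the remote address mentioned in the reply above travels. The parser below reads it from a constructed, unobfuscated sample packet; the user, port, address and session ID values are made up.

```python
import struct

# TACACS+ header per RFC 8907: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body is sent in the clear (lab use only)


def build_authen_start(user, port, rem_addr, flags=TAC_PLUS_UNENCRYPTED_FLAG):
    """Build a constructed sample START packet (ASCII login, no data field)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    body = bytes([1, 1, 1, 1, len(u), len(p), len(r), 0]) + u + p + r
    return HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, flags, 0x1234ABCD, len(body)) + body


def parse_authen_start(packet):
    """Return user, port and rem_addr from an unobfuscated authentication START."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    _ver, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated; the shared key is needed to read it")
    body = packet[HEADER.size:]
    if len(body) != length or length < 8:
        raise ValueError("body length does not match header")
    # Bytes 4..7 of the body are the lengths of user, port, rem_addr and data.
    ulen, plen, rlen, dlen = body[4:8]
    if 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("field lengths do not add up to body length")
    out, off = {"session_id": session_id}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen)):
        out[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    return out


# Constructed sample: user, port and client address are made-up values.
SAMPLE = build_authen_start("alice", "tty2", "192.0.2.10")

if __name__ == "__main__":
    print(parse_authen_start(SAMPLE))
```

In production the body is obfuscated with the shared key, so the parser rejects packets that do not have the unencrypted flag set rather than guessing at their contents.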

New Member

Hi Marcin and thanks for your answer. The use case is a simple authentication activity. I've made a check and as you correctly show it is possible to retrieve the IP address of the remote client looking at the details of the log entry. It's very good news! However in the main (live) dashboard that information is not shown... Do you know why?

Davide.

Cisco Employee

Davide,

I think it was a conscious design choice; the IP address in administration could be misleading. Although I'm not part of the business unit, so I'm not the best to comment.

If you're looking for a place where it pops up, check accounting logs, you should be able to see the IP address as part of the audit session key.

M.

New Member

Hi Marcin,

Could you provide the detailed path to get the "audit session key" report shown above? Our version is ACS 5.1... maybe it is missing?

Thanks,

Davide

Cisco Employee

Davide,

No access to 5.1 I'm afraid, at least to one I can test freely.

AAA Protocol > TACACS+ Accounting is where the session key should be visible.

Verified for both IOS and ASA exec accounting.

M.

New Member

I've found this:

CSCth31525

Live authentication report does not show TACACS+ data.

Symptom: The TACACS+ live authentication report is missing data on some columns, including NAS and IP address.

Conditions: This problem occurs only on ACS 5.1.

Workaround: Use one of the other available reports to view this data.

at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html

Unfortunately it's a bug of this specific version...

Davide

Cisco Employee

Davide,

Good find, this one has not been fixed in any ACS release and is considered an enhancement.

Go figure... :/

M.
