Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
404
Views
0
Helpful
2
Replies

Wildcard AAA Client in ACS4.1

Go to solution
niesommer
Level 1
Level 1

‎08-01-2008 03:06 AM - last edited on ‎03-25-2019 05:25 PM by Community Manager

Hi I'm trying to solve the following problem:

I use ACS for admin auth & accounting to network devices and I want to differentiate what devices users have access to. In my network I have about 2500 network devices and instead of adding all of them to the ACS DB I created a wildcard AAA client with IP *.*.*.*.

this has worked fine so far, an extremely simple setup I know, but now I want to add FWs and other sensitive devices and restrict access using NAR. The idea was to create new AAA clients for each type of device and deny access with NAR to restricted groups. The issue is that when defining the new groups an IP conflict is detected with the wildcard AAA client.

Is there any other way to resolve this issue apart from importing all the network devices and create NDGs? this was what I wanted to avoid.

Any help is greatly appreciated.

Thanks,

Niels

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎08-02-2008 06:40 AM

Niels,

Firstly I would not recommend to have this kind of setup. Any person can plug in aaa-client and send many request to acs causing delay in processing legitimate requests. Its like opening acs doors for everyone.

For your issue, there is no way you can add separate IP since wildcard covers whole range.

Best way is to upload your aaa devices. You can use RDBMS synchronization to upload all in one go.

Other easy way is to add networks like, 10.5.*.* / 30.34.*.* / 30.35.*.*

Regards,

~JG

Do rate helpful posts

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎08-02-2008 06:40 AM

Niels,

Firstly I would not recommend to have this kind of setup. Any person can plug in aaa-client and send many request to acs causing delay in processing legitimate requests. Its like opening acs doors for everyone.

For your issue, there is no way you can add separate IP since wildcard covers whole range.

Best way is to upload your aaa devices. You can use RDBMS synchronization to upload all in one go.

Other easy way is to add networks like, 10.5.*.* / 30.34.*.* / 30.35.*.*

Regards,

~JG

Do rate helpful posts

0 Helpful

Go to solution
niesommer
Level 1
Level 1
In response to Jagdeep Gambhir

‎08-05-2008 05:56 AM

Thanks for this JG.

I was looking, not happily though, forward to exporting the dev DB, manipulating it and importing it using scripts but this RDBMS sync function seems to have cut this work down quite a bit.

The network solution would be too much manual work and too many networks, I don't see it as being scalable nor practical at this stage.

Thank you very much,

Niels

0 Helpful
Customers Also Viewed These Support Documents