networking-forum.com

All times are UTC - 6 hours [ DST ]



 Post subject: ACS for Multiple Clients
PostPosted: Sat May 19, 2012 9:30 am 
New Member

Joined: Sat May 28, 2011 8:23 am
Posts: 42
Certs: CCNP R&S, CCNA-V, CCNA-Sec, CUC Spec.
Hi Guys,

I'm doing a bit of R&D for my employer (Managed Services Provider and Systems Integrator).
We currently have quite a number of small to medium clients (~30) that have networks with up to 20 routers / switches and we are looking at ACS as a central authentication system. As it stands at the moment, most clients have their own un/pw combination we use on their network. The problem is that because the IT industry is the way that it is, we have employees coming and going all the time. To keep client networks secure we would have to change hundreds of passwords every couple of months (if at all). ACS would allow us to use AD credentials to authenticate engineers and provide better change tracking / authorisation.

Labbing up this solution I have come across an interesting problem. TACACS+ will use an interface on the network devices to identify itself to the TACACS+ server. Because these clients are not connected there is the possibility for network devices to have the same private IP address. ACS will not let you add two devices (albeit in different network device groups) that have the same IP address. Also, this IP address needs to be routable as it is used as the source address for the authentication request, so I can't just use a custom loopback on the device.

Does anyone know if there is provision in ACS / TACACS+ to use another field for device identification?

Your thoughts are greatly appreciated :D


PostPosted: Sat May 19, 2012 2:37 pm 
New Member

Joined: Sat Apr 14, 2012 8:21 pm
Posts: 13
Certs: CCNA, Security +
You can specify what interface TACACS+ uses. If you can use loopback 0 you can subnet a completely new private network just for TACACS+. If the clients connect outside their network to the TACACS+ server then I'm assuming they're gonna have the same public IP. If you can get a VPN established just for TACACS+ that should work just fine.

Sent from my DROID X2 using Tapatalk 2
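As an added example (not from this thread, and not from any vendor documentation), this is the source-interface approach the reply above describes, written as a Cisco IOS configuration: a loopback is pinned as the TACACS+ source address, with local fallback so a lost path to the central server does not lock engineers out. The loopback address, server address and secret are placeholders; the loopback address must be unique across every site the central server serves, which is exactly the constraint the original post runs into.

```cisco
! Assumed example config: central TACACS+ AAA with a fixed loopback source.
aaa new-model
!
interface Loopback0
 description TACACS+ source address (must be unique across all managed sites)
 ip address 10.255.1.1 255.255.255.255
!
tacacs server CENTRAL-AAA
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
 timeout 5
!
aaa group server tacacs+ CENTRAL
 server name CENTRAL-AAA
!
! The server identifies this device by the source address of its requests,
! so force every request to leave from Loopback0 rather than an egress interface.
ip tacacs source-interface Loopback0
!
! Try the central server first; fall back to the local database if it is unreachable.
aaa authentication login default group CENTRAL local
aaa authorization exec default group CENTRAL local if-authenticated
aaa authorization commands 15 default group CENTRAL local if-authenticated
aaa accounting exec default start-stop group CENTRAL
aaa accounting commands 15 default start-stop group CENTRAL
!
! Break-glass local account, only used when the server group fails.
username localadmin privilege 15 secret REPLACE_WITH_LOCAL_SECRET
```

Check the result with `show tacacs` on the device and the server's own authentication log: the source address shown there is the one the server must have the device registered under.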


PostPosted: Sat May 19, 2012 2:38 pm 
New Member

Joined: Sat Apr 14, 2012 8:21 pm
Posts: 13
Certs: CCNA, Security +
I guess I should answer your question. No, you can't specify anything but an IP for identification.

Sent from my DROID X2 using Tapatalk 2


PostPosted: Sat May 19, 2012 9:09 pm 
New Member

Joined: Sat May 28, 2011 8:23 am
Posts: 42
Certs: CCNP R&S, CCNA-V, CCNA-Sec, CUC Spec.
Thanks for that,

Because these are individual clients we don't really want to a) have to set up a new routable subnet on each or b) create a VPN on each.

I think I'll have to try and work out some other way.


PostPosted: Sat May 19, 2012 9:29 pm 
New Member

Joined: Sat Apr 14, 2012 8:21 pm
Posts: 13
Certs: CCNA, Security +
You could also use RADIUS on each domain.

Sent from my DROID X2 using Tapatalk 2


PostPosted: Sat May 19, 2012 9:44 pm 
New Member

Joined: Sat May 28, 2011 8:23 am
Posts: 42
Certs: CCNP R&S, CCNA-V, CCNA-Sec, CUC Spec.
RADIUS at each site would probably be best for larger clients that have dedicated administrator accounts; however, it's the broad range of small clients I'm targeting.

Can anyone think of an alternate technology that might do what I want?
I just need the central authentication to not use the source IP address but use another field such as hostname...


PostPosted: Sat May 19, 2012 10:06 pm 
New Member

Joined: Sat Apr 14, 2012 8:21 pm
Posts: 13
Certs: CCNA, Security +
Sorry bud, I'm tapped out. I have managed thousands of devices and never had the need to do what you are trying. I know that they use the IP addresses for identifying which is which.

Sent from my DROID X2 using Tapatalk 2


PostPosted: Sat May 19, 2012 11:18 pm 
New Member

Joined: Sat May 28, 2011 8:23 am
Posts: 42
Certs: CCNP R&S, CCNA-V, CCNA-Sec, CUC Spec.
Thanks for the input justa2e2, I'm sure there must be something out there that will allow us to do this; finding what is looking like the challenge...


PostPosted: Sat May 19, 2012 11:33 pm 
Ultimate Member

Joined: Wed Sep 01, 2010 3:37 pm
Posts: 907
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
If you have multiple clients with the same IP scheme you aren't going to be able to tie them to the same server. The only thing I can think of without knowing more about your network is to use multiple authentication servers, one for each client. Then stick a second NIC in them. One NIC will link the server to the client; the default gateway will point this way. The second NIC will link to your network with the AD server. A static on the box will point traffic to your AD servers. Use a free Linux distribution and a free TACACS+ daemon so you don't have to worry about licensing of multiple systems. Then virtualize everything to reduce hardware costs.

-Otanx


PostPosted: Sun May 20, 2012 12:20 am 
New Member

Joined: Sat May 28, 2011 8:23 am
Posts: 42
Certs: CCNP R&S, CCNA-V, CCNA-Sec, CUC Spec.
I've done up a quick diagram to help explain.
The following clients A -> D are not related and there is no routing between their networks. The only connectivity they have in common is the internet. All clients are running NAT on their routers with private address space behind the border. NB: If / when this solution gets deployed the auth server will be placed in an appropriate DMZ with rules monitoring connectivity with the AD box. The diagram is simplified for ease of reading.

In the below example, using ACS I cannot have devices from Client A and Client D on the same auth server if those devices have the same private management address. Thanks for the suggestion Otanx, but creating multiple instances of an auth server just adds to the management overhead, though it is something worth considering.

[Image: diagram of clients A to D, each behind NAT, sharing only the internet as a path to the auth server]


PostPosted: Sun May 20, 2012 11:20 am 
New Member

Joined: Sat Apr 14, 2012 8:21 pm
Posts: 13
Certs: CCNA, Security +
If the clients are traversing the internet to the auth server you won't see private IPs, I don't believe, due to it being NATed. Can you set up some IPsec tunnels just for the auth traffic?

Sent from my DROID X2 using Tapatalk 2

