Verify Group access in ACS

Unanswered Question
Oct 4th, 2007

I am trying to understand how to configre a more granular access to the network via group network access restriction.

Basically, we have several groups set up, but I think they are all allowed access to everything.

I have remote users that work for the company that need access to network resources, but none of the network gear.

we also have third parties that have access to Firewalls for management and another third party that has access to routers and switches.

I need to make sure everything is controlled and they only have access to what we want to allow.

What does "Shared Network Access Restictions" allow you to do?

I am unable to view anything in "View IP NAR" after selecting the

"Only allow network access when"

In Per Group Defined Network Access Restrictions, I have the checkmark on

"Define IP Based access restrictions"


"Permitted Calling/Point of access Locations"

Do you set one as permit and the other as deny?

What if you want to allow access to servers, do you have to add every port in the box shown?

If Network Access Restrictions are not configured, does the user in that group have access to everything?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Jagdeep Gambhir Sat, 10/06/2007 - 05:27


If you allow only one device in "Permitted Calling/Point of access Locations" then rest all devices would be denied access.

If you deny one device then rest all devices would be allowed.

If NAR's is not configured then acs will allow user to login in to all aaa clients. But other way is if you use ex db then you can set mapping for some groups and deny rest of the combinations.

Example :

ACS ---> Ex db---> Ext db group mapping,

AD Group ACS

domain user <====> Group1

domain admin<====> Group2

All other combination<==> No Acsess

That means only if user is a part of AD group (domain admin or domain user) acs will authorize that user as per condition defined in acs groups BUT any user who is not a part of above AD group would not be allowed to login due to the reason we have set mapping (all other combinations = No access)

So , in your scenario this is what you need to do,

Let say we have acs group 1 ( we want this group to be allow access only to Firewalls)

We will set up NAR's as per the attached file. You need to set up both IP based and CLI/DNIS based NAR.

Let me know if you have any doubts.



Please rate helpful posts.

wilson_1234_2 Sat, 10/06/2007 - 16:21

Thank you for the informative post.

Does the document show that wildcard (*) can be used for all ports and all addresses?

In "IP Based Access Restriction" can I use the groups defined in "Network Configuration" in the ACS?

What is the difference between "IP Based Access Restriction" and "CLI/DNIS access restriction"?

Why do I need to define both of the above?

Jagdeep Gambhir Mon, 10/08/2007 - 14:49

Hi Wilson,

Yes, in ip based access restriction you can use groups defined in "Network Configuration" in the ACS.

CLI/DNIS is used in restricting a AAA client when you do not have an established IP-based connection. Like PPP , wireless.

It is not necessary to use both. If request is coming have a IP address then there is no need to use CLI based NAR.




This Discussion