ACS NAR mystery!!!!

Unanswered Question
May 7th, 2008


We are trying to work out Lock & Key for our PIX 5.5e using "Virtual Telnet". We have two sites in question ie. two firewalls.

For this the ACS is playing up as for site number 1, it's granting access when any NAR is assigned to the user. For site number 2, it's not granting access with any NAR BUT one that contains an NDG that has no entry for any IP /host.

No access for both when no NAR is assigned.

Can someone please solve the mystery? We want to select the NAR that contains particular NDG for particular site IPs/hosts.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Thu, 05/08/2008 - 02:04

Without seeing the exact content of the NAR and the inbound T+ requests its impossible to say what the problem is.

Remember that NAR checks are pretty simple string matches using the rem_addr value from the inbound packet and the nas ip address.

The NDG part of a NAR refers to the authenticating device (ie PIX) and not the end client.

As a permit the below NAR would allow any remote client via the PIX (or other authenticating device in the NDG MyNdg). As a deny it would stop all connections.

AAA Client/IP/Port


I think you've got the purpose of NDGs mixed up. They hold authenticating devices (Pix, access server etc) and not the endpoint addresses.

Are you trying to restrict what users in site 1 can do in site 2?


This Discussion