Network Access Restrictions - ACS

Unanswered Question

hi ,

Was wondering if anyone could help. I am wanting to configure groups of users in ACS so that for example a VPN user is not allowed to access management of network devices.

I have setup NAR , with groups of NAS devices, and find that NAR works well with switches, with the PIX firewall however i find that the NAR configuration does not work. I see that the Switch sends a Calling-Station-Id", the PIX does not seem to send this and i am wondering if this could be causing the issue.

Any ideas around this would be great thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jagdeep Gambhir Wed, 07/09/2008 - 09:26

I recommend configuring both IP-based NAR's and CLI/DNIS-based NAR's at the same time.

Some devices send a NAS-Port attribute as an IP address, and some devices send as a phone number or something else. It's easiest to just

configure the top and bottom sections at the same time. If you only want to deny access to one device, just configure a 'deny' with that device listed in the "NAS" section and all other devices will be permitted by default.

After you select the appropriate NAS in both sections, fill in all fields with an asterisk '*'. In other words, the Port and Address fields in IP-Based will have a *, and Port, CLI, and DNIS in CLI-Based will also have a *.

This configuration should work for you.

Regards,

~JG

Do rate helpful posts

Actions

This Discussion