Deny Access to some AAA clients from ACS 3.3

Unanswered Question
Apr 12th, 2009

Hello to all,

Can anyone please help me with one of my problems? I have some Cisco IPSEC VPN Concentrators that need to be removed from the network. We already have another Juniper VPN which is working fine all the way. But a large number of users were using this IPSEC VPN previously. So the customer needs to allow access to this IPSEC VPN to some users and deny access to others. But these "some" permitted users are from different groups inside the Windows AD. So I tried creating a local group, adding all these permitted users into it, and applying Network Access Restrictions. I have applied both the shared NAR and the per-group NAR to deny access to my IPSEC VPN, but somehow it doesn't work. After applying, I can still access those IPSEC VPNs using my client.

Can anyone help me to find a solution for this? My customer is chasing me every day and I have tried my all to find a solution.

Waiting for all of your expert advice.

Thanks and Regards,


sahmedshahcsd Mon, 04/13/2009 - 01:18

As long as MS Active Directory is integrated with ACS, users from AD in ACS will be denied access after enabling NAR for a single or all AAA clients, or on the basis of NDG, as selected.

It works in either case of configured or default group mappings in External Database.



subhash.sharma Tue, 04/14/2009 - 20:44

Thanks a lot for your valued recommendations...

But I follow the same... but it is not working... I've got one doubt.

Inside the Shared NAR, do I need to specify two NARs? I mean, a NAR to deny access to the IPSEC VPNs and also a NAR to allow access to all other devices?

Also, which check box do I need to tick?

1. All selected NARs result in permit

2. Any one selected NAR results in permit


I haven't tried both because this is a live network and I cannot try it anyhow... Thanks a lot for your advice...

Jagdeep Gambhir Mon, 04/13/2009 - 06:19

Apply NAR on a CLI DNIS basis instead of IP-based NAR. Use * for the rest of the fields.



Do rate helpful posts

subhash.sharma Tue, 04/14/2009 - 20:45

Hi JG,

I will try it out and will let you know the results...

Appreciate your great help.

subhash.sharma Fri, 04/17/2009 - 12:23

Hi JG,

I have tried the CLI DNIS option also. But the user can still access the VPN Client after applying the NAR.

Please help me to find a solution. By right, ACS can block some of the AAA clients using NAR, right? But I don't know why it is not working here...

Anyone, please help to solve any issues... Thanks in advance.

