Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
492
Views
0
Helpful
5
Replies

Deny Access to some AAA clients from ACS 3.3

subhash.sharma
Level 1
Level 1

‎04-12-2009 11:41 PM - edited ‎03-10-2019 04:26 PM

Hello to all,

Can anyone please help me with one of my problem? I have some Cisco IPSEC VPN Concentrator's that need to be removed from the network. We already have another Juniper VPN which is working fine all the way.But a large number of users were using this IPSEC VPN previously.So the customer needs to allow access to this IPSEC VPN to some users and deny access to others.But these "some" permitted users are from different groups inside the Windows AD.So i tried creating a local group and adding all these permitted users in to it and applied Network Access Restrictions. I have applied both shared NAR and the per group NAR to deny access to my IPSEC VPN. but somehow it doesnt work. After applying i can still access those IPSEC VPN using my client.

Anyone can help me to find a solution for this...? My customer is chasing me every day and i have tried my all to find a solution.

Waiting for all of yours expert advise.

Thanks and Regards,

Subhash

Labels:
0 Helpful
5 Replies 5

sahmedshahcsd
Level 1
Level 1

‎04-13-2009 01:18 AM

As long as the MS Active Directory is integrated with ACS, Users from AD in ACS will be denied access after enabling NAR for a single or all AAA clients or on the basis of NDG as selected.

It works in either case of configured or default group mappings in External Database.

HTH

Ahmed

0 Helpful

subhash.sharma
Level 1
Level 1
In response to sahmedshahcsd

‎04-14-2009 08:44 PM

Thanks a lot for ur valued recommendations...

But i follow the same...but it is not working....I got one doubt..

inside the Shared NAR, do i need to specify two NAR's...i mean..NAR to deny access to the IPSEC VPN's and also NAR to allow access to all other devices...?

Also which check box i need to tick..??..

1. All selected NARs result in permit

2. Any one selected NAR results in permit

....

i haven tried both bcos this is a live network and i cannot try it any how...thanks a lot for ur advise...

0 Helpful

Jagdeep Gambhir
Level 10
Level 10

‎04-13-2009 06:19 AM

Apply NAR on CLI DNIS bases instead of IP based NAR. Use * for rest of the fields.

Regards,

~JG

Do rate helpful posts

0 Helpful

subhash.sharma
Level 1
Level 1
In response to Jagdeep Gambhir

‎04-14-2009 08:45 PM

Hi JG,

I will try it out and will let u know the results...

Appreciate ur great help..

0 Helpful

subhash.sharma
Level 1
Level 1
In response to Jagdeep Gambhir

‎04-17-2009 12:23 PM

Hi JG,

I have tried the CLI DNIS option also. But the user can still access the VPN Client after applying the NAR.

Please help me to find a solution. By right, ACS can block some of the AAA clients using NAR rite..??But i dono why it is not working here...

Anyone please help to solve any issues.....thanks in advance..

0 Helpful
Customers Also Viewed These Support Documents