ACS NAR Configuration problem

Answered Question
Apr 14th, 2009

Hi all!


I have a problem with configuration of Network Access Restriction.

I set the feature via Shared Profile Component and also via Group Level NAR, but neither of them works.


My test AAA client is a VASCO RADIUS Client Simulator. I thought that this software doesn't send the proper RADIUS attributes, but the behaviour of ACS is never prohibitive, though sometimes it should be.

I tried it with version 3.2 and 4.2 also.


Is there a trick or something I messed up?


Thank you for the answers!


Jagdeep Gambhir Tue, 04/14/2009 - 06:25

NAR works on the basis of attributes sent by the AAA client.

IP-based NAR filters work only if ACS receives the RADIUS Calling-Station-Id (31) attribute. The Calling-Station-Id (31) must contain a valid IP address. If it does not, it will fall over to DNIS rules.


See this link


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref8530



Regards,

~JG


Do rate helpful posts

miklos.andrasi Tue, 04/14/2009 - 06:49

Would it be a problem if I use RADIUS (IETF) for "Authentication using" in the Network Configuration in ACS for the wireless AP? The production environment contains this configuration, and another device with a TACACS+ configuration.

Correct Answer
Jagdeep Gambhir Tue, 04/14/2009 - 07:05

For wireless users you need to use CLI/DNIS-based access restriction.

If you use RADIUS IETF for the wireless AP, basic authentication should work, but the issue would be with the authorization part.




Regards,

~JG

miklos.andrasi Wed, 04/15/2009 - 04:31

Thank you for your answers. If I use CLI/DNIS-based access restriction, it works, but in the case of the router it also works only with CLI/DNIS-based access restriction. That's interesting to me.


Regards,

Miki
