Solved: ACS NAR Configuration problem

miklos.andrasi · ‎04-14-2009

Hi all!

I have a problem with configuration of Network Access Restriction.

I set the feature via Shared Profile Component and Group Level NAR also, but none of them works.

My test AAA client is a VASCO RADIUS Client Simulator. I thought that this software doesn't send the proper RADIUS attributes, but behaviour of ACS is never prohibitive, but sometime it should be.

I tried it with version 3.2 and 4.2 also.

Is there a trick or something I messed up?

Thank you for the answeres!

Jagdeep Gambhir · ‎04-14-2009

For wireless user you need to use CLIS/DNIS based access restriction.

If you user Radius IETF for wireless AP, basic authentication should work but issue would be with authorization part.

Regards,

~JG

View solution in original post

Jagdeep Gambhir · ‎04-14-2009

NAR works on the basis of attributes sent by aaa client.

IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id (31) attribute. The Calling-Station-Id (31) must contain a valid IP address. If it does not, it will fall over to DNIS rules.

See this link

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref8530

Regards,

~JG

Do rate helpful posts

miklos.andrasi · ‎04-14-2009

Would it be problem, if I use RADIUS (IETF) "Authentication using" in the Network Configuration in ACS for Wireless AP? The productive envirement contains this configuration, and another device with TACACS+ configuration.

Jagdeep Gambhir · ‎04-14-2009

For wireless user you need to use CLIS/DNIS based access restriction.

If you user Radius IETF for wireless AP, basic authentication should work but issue would be with authorization part.

Regards,

~JG

miklos.andrasi · ‎04-15-2009

Thank you for your answers. If I use CLIS/DNIS based access restriction, it works but in case of router works only with CLIS/DNIS based access restriction also. It's interest for me.

Regards,

Miki