ACS - Network Access Restriction

Unanswered Question
Apr 23rd, 2009
User Badges:


We have simple ACS deployment where we have a number of users throughout the world that require access to network devices.

At present, I can manage access using custom attributes for specific clients, WCS, WLC's for example.

What I want to do is limit access to specific networks. So, for example, I want to assign a restriction to a group of users that can only access devices located in France.

What is the best method for doing this? I have tried to apply a NAR to a group but this does not appear to work.

Appreciate some guidance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Thu, 04/23/2009 - 01:34
User Badges:
  • Silver, 250 points or more


Do you mean purely for administrative access, ie using TACACS+ or generally for network end-users?


andrew-mccabe Thu, 04/23/2009 - 01:47
User Badges:


This is purely for administrative access. I have a list of ACS users created and they are assigned to specific ACS groups. I just want to limit administrative access to specific networks.


darpotter Thu, 04/23/2009 - 05:49
User Badges:
  • Silver, 250 points or more

Ok, so traditionally NARs have been used to do this.

Try creating (if you havent already) geographic based Network Device Groups (NDGs).

At a group level you can map an NDG to a Shared NAR for maximum re-use (and minmum data entry)

The classic example is to give a french group full admin access to the french NDG and perhaps read-only or even no access to other NDGs.

Make sure you use IP-Based NARs.

The original white we did can still be found on

andrew-mccabe Thu, 04/23/2009 - 07:33
User Badges:

Thanks for this.

For test purposes, I added a NAR to a user and then a group denying access to a specified IP range (e.g. Oddly it doesnt work!

The only way I have been able to restrict access is to create a NAF and identify the AAA client that a user or group is to have access to. Unfortunately, I dont have switches defined by an NDG. I just have all switches pointing to the default TACACS group. I just dont see why the NAR wont work...

darpotter Thu, 04/23/2009 - 07:55
User Badges:
  • Silver, 250 points or more

For a simple NAR you'd normally enter the device name or NDG and leave the client ip & port as *,*

Entering a range of address as per your example wont work because ACS does simple pattern matching. You could have put 10.59.2.* but that would have been to wide.

If you cant use an NDG then using the more flexible NAF to spec the range would be the correct thing to do.

andrew-mccabe Thu, 04/23/2009 - 23:39
User Badges:

Many thanks for your guidance. Much appreciated. I will put this to the test.


This Discussion