ACS - Network Access Restriction

andrew-mccabe
Level 1

Hi,

We have simple ACS deployment where we have a number of users throughout the world that require access to network devices.

At present, I can manage access using custom attributes for specific clients, WCS and WLCs for example.

What I want to do is limit access to specific networks. So, for example, I want to assign a restriction to a group of users that can only access devices located in France.

What is the best method for doing this? I have tried to apply a NAR to a group but this does not appear to work.

Appreciate some guidance.

6 Replies

darpotter
Level 5

Hi

Do you mean purely for administrative access, ie using TACACS+ or generally for network end-users?

Darran

Hi

This is purely for administrative access. I have a list of ACS users created and they are assigned to specific ACS groups. I just want to limit administrative access to specific networks.

Andy

Ok, so traditionally NARs have been used to do this.

Try creating (if you haven't already) geographic-based Network Device Groups (NDGs).

At a group level you can map an NDG to a Shared NAR for maximum re-use (and minimum data entry).

The classic example is to give a French group full admin access to the French NDG and perhaps read-only or even no access to other NDGs.

Make sure you use IP-Based NARs.

The original white paper we did can still be found on http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/ndmse_wp.pdf

Thanks for this.

For test purposes, I added a NAR to a user and then a group denying access to a specified IP range (e.g. 10.59.2.1-10). Oddly, it doesn't work!

The only way I have been able to restrict access is to create a NAF and identify the AAA client that a user or group is to have access to. Unfortunately, I don't have switches defined by an NDG. I just have all switches pointing to the default TACACS group. I just don't see why the NAR won't work...

For a simple NAR you'd normally enter the device name or NDG and leave the client ip & port as *,*

Entering a range of addresses as per your example won't work because ACS does simple pattern matching. You could have put 10.59.2.* but that would have been too wide.

If you can't use an NDG then using the more flexible NAF to spec the range would be the correct thing to do.
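
The two replies above describe three ways to scope administrative access: an IP-based NAR whose fields are wildcard pattern-matched (so a typed range such as 10.59.2.1-10 is literal text and never matches, while 10.59.2.* catches the whole /24), a NAR keyed on a geographic NDG, and a NAF that carries the address range and is referenced from the NAR. The toy model below, added here and not part of the thread or of ACS itself, replays the poster's test against each of those policies. It is a simplification: the device inventory, the admin session details and the NAF range syntax (last-octet range "a.b.c.x-y") are constructed for the example, and the AAA-client field of a NAR entry is matched against the device name, its NDG name or its IP address only so that the wildcard case can be shown in one place; which address real ACS compares for a TACACS+ login is not something the thread states.

```python
"""Toy model of how Cisco Secure ACS evaluates administrative (TACACS+) access
through Network Access Restrictions (NARs), Network Device Groups (NDGs) and
Network Access Filters (NAFs).  Constructed for illustration; it is not ACS
code.  The matching rules follow the thread's description (wildcard-only NAR
fields, ranges only inside a NAF), not the ACS source."""
import re
from dataclasses import dataclass

# Constructed inventory: AAA client name -> (device IP, geographic NDG).
AAA_CLIENTS = {
    "fr-sw-01":  ("10.59.2.5",   "France"),
    "fr-sw-02":  ("10.59.2.8",   "France"),
    "fr-lab-99": ("10.59.2.200", "France"),  # same /24, but outside 10.59.2.1-10
    "uk-sw-01":  ("10.60.1.5",   "UK"),
}


def acs_pattern_match(pattern: str, value: str) -> bool:
    """ACS-style field matching: '*' matches anything, every other character is
    literal.  '10.59.2.1-10' is therefore compared as text and never equals a
    real address, which is why a range typed into a NAR field matches nothing."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def ip_spec_contains(spec: str, ip: str) -> bool:
    """NAF IP member: exact address, '*' wildcard, or a last-octet range such as
    '10.59.2.1-10' (range syntax is an assumption of this toy model)."""
    if "-" in spec:
        prefix, rng = spec.rsplit(".", 1)
        lo, hi = (int(x) for x in rng.split("-"))
        ip_prefix, last = ip.rsplit(".", 1)
        return ip_prefix == prefix and lo <= int(last) <= hi
    return acs_pattern_match(spec, ip)


@dataclass
class NAF:
    name: str
    members: list  # device names, NDG names, or IP specs

    def contains(self, device: str) -> bool:
        ip, ndg = AAA_CLIENTS[device]
        return any(m == device or m == ndg or ip_spec_contains(m, ip)
                   for m in self.members)


@dataclass
class NAR:
    name: str
    mode: str      # "permit": only the listed locations; "deny": all but the listed
    entries: list  # (aaa_client, port, address) patterns; '*' means any


def _entry_hits(entry, device, port, remote_addr, nafs) -> bool:
    client_pat, port_pat, addr_pat = entry
    ip, ndg = AAA_CLIENTS[device]
    if client_pat in nafs:                       # AAA-client field names a NAF
        client_ok = nafs[client_pat].contains(device)
    else:                                        # name, NDG or IP (toy simplification)
        client_ok = any(acs_pattern_match(client_pat, v) for v in (device, ndg, ip))
    return (client_ok and acs_pattern_match(port_pat, port)
            and acs_pattern_match(addr_pat, remote_addr))


def nar_allows(nar: NAR, device: str, port: str, remote_addr: str, nafs) -> bool:
    hit = any(_entry_hits(e, device, port, remote_addr, nafs) for e in nar.entries)
    return hit if nar.mode == "permit" else not hit


def group_allows(group_nars: list, device: str, port: str = "tty0",
                 remote_addr: str = "192.0.2.10", nafs=None) -> bool:
    """Every shared NAR mapped to the user's group must allow the login."""
    nafs = nafs or {}
    return all(nar_allows(n, device, port, remote_addr, nafs) for n in group_nars)


# 1. The poster's test: a deny-list NAR with a range typed into the field.
RANGE_DENY = NAR("deny-10.59.2.1-10", "deny", [("10.59.2.1-10", "*", "*")])
# 2. The wildcard alternative: denies the whole /24, fr-lab-99 included.
WILDCARD_DENY = NAR("deny-10.59.2.x", "deny", [("10.59.2.*", "*", "*")])
# 3. Geographic NDG approach: permit only devices in the France NDG.
FRANCE_ONLY = NAR("france-only", "permit", [("France", "*", "*")])
# 4. NAF approach: the range lives in the NAF, the NAR only references it.
NAFS = {"fr-core": NAF("fr-core", ["10.59.2.1-10"])}
FR_CORE_ONLY = NAR("fr-core-only", "permit", [("fr-core", "*", "*")])


def report() -> dict:
    """Decision per policy and device (True = admin login allowed)."""
    policies = {"range-deny": [RANGE_DENY], "wildcard-deny": [WILDCARD_DENY],
                "ndg-permit": [FRANCE_ONLY], "naf-permit": [FR_CORE_ONLY]}
    return {name: {dev: group_allows(nars, dev, nafs=NAFS) for dev in AAA_CLIENTS}
            for name, nars in policies.items()}


if __name__ == "__main__":
    for policy, decisions in report().items():
        print(policy, decisions)
```

Running it shows the thread's three observations side by side: the range-deny NAR denies nobody, the wildcard version also locks the French admins out of fr-lab-99, and only the NDG or NAF forms give the "France only" result the poster wanted, with the NAF the one that carries an exact range.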

Many thanks for your guidance. Much appreciated. I will put this to the test.
