Restriction through radius

May 24th, 2009
I have many devices that are authenticated by ACS by one user account. It was required to separate the access to security devices (firewall) from network devices (switches and router).

I have created 2 users and used NAR. In this case I was able to access network devices with only the account created (all these devices use TACACS).

But the problem is that when I access the ASA firewall (uses the RADIUS protocol) I can access it with the second account created and also with the account for the switches and routers.

Any idea how to work with the RADIUS protocol?
gaboughanem Mon, 05/25/2009 - 10:02

Hello JG, thank you for your response.

Yes, I have used NAR. As I said, I have separated the devices into two groups, one group for switches and another group for firewalls. Then I created 2 users and applied NAR at the user level: one is used to access the switches ONLY and the other to access the firewalls ONLY. The problem is that when I try to access the switches with the account created for them it works fine (I mean I cannot access them with the account that I created for the firewall), but when I access the firewall I can access it with both accounts (including the user account created for the switches).

Any idea?

Thank you and Regards,


darpotter Tue, 05/26/2009 - 05:18

So the NARs work when the authentication is TACACS but fail when it is RADIUS.

This will be because ACS looks at incoming attributes to decide which type of NAR should be applied (regardless of what's been configured). Basically the caller-id attribute needs to contain an ip-address for it to work with IP based NARs.

Try duplicating the ip-based NAR (as best you can) as a non-ip NAR.

TIP: if you have the software version of ACS you can run CSRadius -z -p to get a full dump of the inbound packet. You can use this to see what's in the Calling and Called-Station-Id attributes.

Jagdeep Gambhir Tue, 05/26/2009 - 06:38

Hi George,

"IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id (31) attribute. The Calling-Station-Id (31) must contain a valid IP address."

So check RDS.log for the authentication request and see what value is there for attribute 31.

Also what is the software version of ACS?
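
Added example, not part of any post in this thread: the condition quoted above (an IP-based NAR needs Calling-Station-Id (31) to carry a valid IP address), checked against raw RADIUS Access-Request bytes parsed per RFC 2865. The sample packets, user names and addresses are constructed, and treating "valid IP" as whatever Python's `ipaddress` module accepts is an assumption, not ACS's documented logic.

```python
import ipaddress
import struct

CALLING_STATION_ID = 31  # RFC 2865 attribute type

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [raw values]} for the attributes of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:  # a_len counts the 2-byte header
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def ip_nar_can_match(packet: bytes) -> bool:
    """True only if attribute 31 is present and holds a valid IP address."""
    values = parse_attributes(packet).get(CALLING_STATION_ID)
    if not values:
        return False  # attribute absent: nothing for an IP-based filter to test
    try:
        ipaddress.ip_address(values[0].decode("ascii"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False  # e.g. a MAC address or phone number in attribute 31

def build_request(attrs) -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples: user names and addresses are made up for this example.
WITH_IP = build_request([(1, b"fwadmin"), (31, b"192.0.2.10")])
WITH_MAC = build_request([(1, b"swadmin"), (31, b"00-11-22-33-44-55")])
WITHOUT_31 = build_request([(1, b"swadmin"), (4, bytes([10, 0, 0, 1]))])

if __name__ == "__main__":
    for name, pkt in [("ip", WITH_IP), ("mac", WITH_MAC), ("absent", WITHOUT_31)]:
        print(name, ip_nar_can_match(pkt))
```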



gaboughanem Wed, 05/27/2009 - 11:37

Hello JG,

I am using ACS version 4.2. Please can you send a link where I can find an example that explains more on this subject?

Thank you and Regards,

