cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1041
Views
0
Helpful
6
Replies

Restriction through radius

gaboughanem
Level 1
Level 1

Hello,

I have many devices that are authenticated by ACS by one user account, it was required to seperate the access to security devices (firewall) from network devices (switches and router).

i have created 2 users and used NAR. in this case i was able to access network devices with only the account created (all these devices uses tacacs)

but the problem is that when i access ASA firewall ( uses radius protocol) i can access by the second account created and also the account for the switches and routers.

Any idea how to work on radius protocol.

Regards,

George

6 Replies 6

Jagdeep Gambhir
Level 10
Level 10

Hi ,

Did you use IP based network access restriction?

http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

Regards,

~JG

Do rate helpful posts

Hello JG , thank you for your respond.

yes i have used NAR. actually as said that i have separated the devices into two groups, one group for switches and another group for firewalls. Then i created 2 users and applied NAR at the user level, one is used to access the switches ONLY and other to access firewalls ONLY. The problem is that when i try to access the switches with its account created it works fine (i mean i cannot access with the account that i created for firewall), but when i access the firewall i can access the firewall with both account (including the user account created for switches).

any idea ?

Thank you and Regards,

George

So the NARs work when the authentication is TACACS but fails when RADIUS.

This will be because ACS looks at incoming attributes to decide which type of NAR should be applied (regardless of whats been configured). Basically the caller-id attribute needs to contain an ip-address for it to work with IP based NARs.

Try duplicating the ip-based NAR (as best you can) as a non-ip NAR.

TIP: if you have the software version of ACS you can run CSRadius -z -p to get a full dump of the inbound packet. You can use this to see whats in the Calling and Called-Station-Id attributes.

Hi George,

"IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id

(31) attribute. The Calling-Station-Id (31) must contain a valid IP address."

So check RDS.log for the authentication request and see what value is there for attribute 31.

Also what is the software version of ACS?

Regards,

~JG

hello JG,

i am using ACS version 4.2, please can u send a link where i can find an example that explain more on this subject.

Thank you and Regards,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: