Group NAR for ACS 4.2

Answered Question
May 23rd, 2012

I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.



I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting.


I have an Administration user group set up.


I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address.


I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.


No matter what I do I keep getting authenticated.


When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated".


So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.


Thanks for any information you can provide!

Jatin Katyal Wed, 05/23/2012 - 16:41
User Badges: Cisco Employee

What did you select from the options listed below?


In order to specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, choose one:

  • Permitted Calling/Point of Access Locations
  • Denied Calling/Point of Access Locations


What kind of authentication are you trying?


Please add the screenshots of your NAR settings and Passed Authentications from ACS.


Regards,

Jatin


Do rate helpful posts-

iceteanolemon Wed, 05/23/2012 - 16:55

I have configured "Denied Calling/Point of Access" for both IP and CLI with no luck.


Right now I am just putting one device in there, but I plan on putting a device group in when I can test it in a working condition.


The type of authentication is for configuration access to the device. I am trying to block administration access to the device/device group for a particular user group using NAR.

iceteanolemon Wed, 05/23/2012 - 17:12

I read that a few times today; I just don't seem to get the traction to see what's wrong with my config though.

Jatin Katyal Wed, 05/23/2012 - 18:45
User Badges: Cisco Employee

What would you see when you reverse it, that is, set it to "Permitted Calling/Point of Access" and try again?


Also, please provide me the passed authentication logs from ACS reports and monitoring along with the username you are trying with.


Regards,

Jatin



Do rate helpful posts-

iceteanolemon Wed, 05/23/2012 - 19:34

This is the area where I claimed a test firewall that I want to block administrative access to.

“CBP-1A-FW001”

The group config I am in at the moment is “Network Engineering”



Here is the authentication that is being marked "successful" even though the user is categorized into the correct group and the group has the NAR configured. Notice the "no filters activated". I am sure I am missing something, but I just guess I may not understand it to be working as I expect.
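One way to catch exactly this situation (a login that "passes" with "no filters activated" although the user group's NAR should have denied that device group) is to audit the Passed Authentications export against the intended restrictions. This is an added example, not code from the thread or from Cisco; the column names and log rows are constructed to approximate an ACS 4.2 report export, and the group-to-device-group policy map is an assumed placeholder.

```python
"""Audit an ACS-style Passed Authentications export against intended NARs.

The column layout and rows below are constructed for this example and only
approximate ACS 4.2's Passed Authentications report (Group-Name, Network
Device Group, Filter Information); adjust the header to match your export.
"""
import csv
import io

# Constructed sample export: one header row plus passed-authentication rows.
SAMPLE_REPORT = """\
Date,Time,User-Name,Group-Name,NAS-IP-Address,Network Device Group,Filter Information
05/23/2012,19:30:02,jdoe,Network Engineering,10.0.0.5,Juniper Firewalls,No Filters activated.
05/23/2012,19:31:10,jdoe,Network Engineering,10.0.1.7,Core Switches,No Filters activated.
05/23/2012,19:32:45,asmith,Helpdesk,10.0.0.5,Juniper Firewalls,No Filters activated.
"""

# Intended policy (assumed values): ACS user group -> device groups it must NOT reach.
# Mirror your own "Per Group Defined Network Access Restrictions" here.
DENIED_DEVICE_GROUPS = {
    "Network Engineering": {"Juniper Firewalls"},
    "Helpdesk": {"Juniper Firewalls", "Core Switches"},
}


def find_nar_violations(report_text, denied=DENIED_DEVICE_GROUPS):
    """Return passed authentications that the configured NARs should have denied.

    Any hit means the restriction is not being enforced, for example because a
    user-level NAR shadows the group-level one or its permit/deny sense is wrong.
    """
    violations = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user_group = row["Group-Name"].strip()
        ndg = row["Network Device Group"].strip()
        if ndg in denied.get(user_group, set()):
            violations.append({
                "user": row["User-Name"],
                "group": user_group,
                "device_group": ndg,
                "nas": row["NAS-IP-Address"],
                # "No Filters activated" means no NAR matched this login at all.
                "nar_applied": "no filters" not in row["Filter Information"].lower(),
            })
    return violations


if __name__ == "__main__":
    for v in find_nar_violations(SAMPLE_REPORT):
        print(f"{v['user']} ({v['group']}) reached {v['device_group']} via {v['nas']}; "
              f"NAR applied: {v['nar_applied']}")
```

Run it against a real export after every NAR change; an empty result for the combinations you intend to block is the check that the restriction is actually in effect.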


Jatin Katyal Wed, 05/23/2012 - 19:41
User Badges: Cisco Employee

Thanks for sharing the info I requested. The settings seem to be correctly configured. Just make sure we don't have a NAR configured at the user level, because it always takes precedence over the group-level configuration.



If there are no NAR settings at the user level, then let me know what you see when you reverse it, that is, set it to "Permitted Calling/Point of Access" and try again.


There is a defect wherein if you select permit under NAR, it actually works as deny and vice versa.


Regards,

Jatin



Do rate helpful posts-

iceteanolemon Wed, 05/23/2012 - 20:00

OK well I did what you wanted and I changed the NAR setting from "deny" to "Permit" and it blocked the account from access. I then tested the account to another device which is not in the NAR and it blocked that one too!


So the result now is that if I place a device in the NAR under Deny, it won't deny it or anything.


If I place a device in the NAR and switch the setting to "Permit", then it blocks everything.


It definitely does stuff but not what I want it to do.

Correct Answer
Jatin Katyal Wed, 05/23/2012 - 20:05
User Badges: Cisco Employee

Now, try one last thing: disable the IP-based NAR (just uncheck it) and use only the CLI/DNIS-based NAR.


Regards,

Jatin

iceteanolemon Wed, 05/23/2012 - 20:10

You did it.


I am happy it works but how come it was such a pain to get to this point?


Why is the setting inverted? This is really bad.


I am P.O.C.-ing ISE so I will have bigger fish to fry, but wow, this one stumped me.

Jatin Katyal Wed, 05/23/2012 - 20:20
User Badges: Cisco Employee

I agree with you. Lately I have observed some issues with this feature. This could be a possible defect.

We're working with the concerned department. I will reply to this post in a couple of days with some more information.


Regards,

Jatin

iceteanolemon Wed, 05/23/2012 - 20:25

Now the question: I have other groups where I already use "deny" to deny these accounts user access to the wireless environment as a client, but I would also like to deny administrative access to the other systems. This would not be possible, as I cannot have deny and permit enabled at the same time!
