NAR restriction for dialup clients

Answered Question
May 26th, 2003

Hello,


Just a question on how to restrict dialup users to certain NAS servers.

We have an ACS 2.6 AAA server and several 3640-based NAS servers for user dialup. The users are collected into a group in the ACS.


We have another group, called ISP. The users in this group can use the internet all over the world; they must dial the given ISP's local NAS number and all those NASes forward the authentication request to our ACS. So we can centrally manage the direct RAS users and the internet users.

The problem is that a user in a certain group can use the other dialin facility, since all dialin attempts will be authenticated on the same server.


How can I restrict it so that an ISP group can only use the NASes outside of the company and cannot dial in to our dedicated RAS server? And the traditional RAD users cannot use the internet (which is given to the ISP users)?

I applied filters in the ACS on the group settings but found no documents on how to set it up exactly. Any help appreciated,

regards,

Balázs

mhoda Mon, 05/26/2003 - 11:44

Hi,


I agree that there is not a clean document on CCO that shows step by step how to configure NAR. But the answer to your specific question is that you need to create 2 NDGs (Network Device Groups) and assign your NASes under the corresponding device group. Then configure CLI/DNIS based NAR, not the IP based one. I am assuming that you are using RADIUS, so here are the details:


DNIS/CLI based NAR

------------------------------

NAR entry : Data source

AAA client : NAS-IP-Address (radius attribute #4) or NAS-Identifier (radius attribute #32) if the above doesn't exist.

Port : NAS-Port (radius attribute #5) or NAS-Port-Id (radius attribute #87) if the above doesn't exist.

Cli : Calling-Station-Id (radius attribute #31)

DNIS : Called-Station-Id (radius attribute #30)


Your DNIS would be the NDG that you have defined for.


This link may be helpful in setting up the above attributes:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007deca.html#983105


Please let me know if this answers your question or if you need more clarification. Thanks,


Mynul




mhoda Mon, 05/26/2003 - 11:46

Sorry, the attributes are not very readable, here are they again:


AAA client : NAS-IP-Address (radius attribute #4) or NAS-Identifier (radius attribute #32) if the above doesn't exist.


Port : NAS-Port (radius attribute #5) or NAS-Port-Id (radius attribute #87) if the above doesn't exist.


Cli : Calling-Station-Id (radius attribute #31)


DNIS : Called-Station-Id (radius attribute #30)


Thanks,


Mynul
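The following is an added example, not code from this thread or from Cisco ACS, that models the NAR evaluation Mynul describes in his two posts above: ACS identifies the AAA client and port from the RADIUS attributes (falling back to attribute #32 and #87 when #4 and #5 are absent), then checks the user group's NAR against the Network Device Group the client was assigned to. The NDG names, group names, addresses and the Access-Request contents are constructed for illustration.

```python
# Added example (not from the thread or from Cisco ACS): a small model of the
# DNIS/CLI-based NAR evaluation described above. ACS first identifies the AAA
# client and port from the RADIUS attributes (with the listed fallbacks), then
# applies the user group's NAR against the Network Device Group (NDG) of that
# client. All NDG names, group names and addresses below are constructed.

# RADIUS attribute numbers quoted in the thread
NAS_IP_ADDRESS, NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID = 4, 5, 30, 31
NAS_IDENTIFIER, NAS_PORT_ID = 32, 87

# Constructed NDG assignment: which AAA clients sit in which device group
NDG_OF_CLIENT = {
    "10.1.1.1": "Company-RAS",       # the company's own 3640 RAS server
    "isp-nas-london": "ISP-NAS",     # an ISP NAS that sends NAS-Identifier only
    "10.9.9.9": "ISP-NAS",
}

# Constructed per-group NAR: each user group may only dial in via these NDGs
PERMITTED_NDGS = {
    "ISP": {"ISP-NAS"},
    "RAS": {"Company-RAS"},
}


def nar_fields(attrs):
    """Pick the four NAR data sources from an Access-Request, using the
    fallback attribute when the preferred one is absent."""
    return {
        "aaa_client": attrs.get(NAS_IP_ADDRESS, attrs.get(NAS_IDENTIFIER)),
        "port": attrs.get(NAS_PORT, attrs.get(NAS_PORT_ID)),
        "cli": attrs.get(CALLING_STATION_ID),
        "dnis": attrs.get(CALLED_STATION_ID),
    }


def nar_permits(group, attrs):
    """True if the user's group may dial in through the NDG of the AAA client
    that sent this request. Unknown clients, unknown groups and requests that
    carry neither client attribute are denied (fail closed)."""
    client = nar_fields(attrs)["aaa_client"]
    ndg = NDG_OF_CLIENT.get(client)
    return ndg is not None and ndg in PERMITTED_NDGS.get(group, set())


if __name__ == "__main__":
    # Constructed Access-Request from the company RAS server
    req = {NAS_IP_ADDRESS: "10.1.1.1", NAS_PORT: 7,
           CALLING_STATION_ID: "3611234567", CALLED_STATION_ID: "3619999999"}
    print("RAS user on company NAS:", nar_permits("RAS", req))  # True
    print("ISP user on company NAS:", nar_permits("ISP", req))  # False
```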

balazs.szabo Mon, 05/26/2003 - 13:08

Mynul,


Is it sure that this works on ACS 2.6 as well?

The attached doc says that it is for ACS 3.0.

thanks,

Balázs

mhoda Mon, 05/26/2003 - 14:42

Balázs,


The same procedure should work. In ACS 3.0 you have more options, like the shared profile components option. But the procedure described in the link should work. Please do let me know if it doesn't. Thanks,


Mynul

balazs.szabo Tue, 05/27/2003 - 08:52

Mynul,


My problem was that I put the reasonable commands into the NAS/PORT section and after submitting the change I didn't get the same data that I wrote in. I saw several "?" after the NAS name. I thought that I had made a mistake regarding the syntax, but today I tried with another internet browser (IE5.5 without hotfix) and so I COULD apply the commands. And the filtering works fine. Considering all of this, it is important which internet browser you use.

Thanks,

Balázs

Correct Answer
mhoda Tue, 05/27/2003 - 09:11

Balázs,


Thanks for sharing your experience. I am sure it would be helpful for others. Yes, the browser is an issue for any management software ;-)


Thanks again,


Mynul
