Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
378
Views
0
Helpful
1
Replies

ACS NAR mystery!!!!

arififtikhar
Level 1
Level 1

‎05-07-2008 03:46 PM - edited ‎03-10-2019 03:49 PM

Hi,

We are trying to work out Lock & Key for our PIX 5.5e using "Virtual Telnet". We have two sites in question ie. two firewalls.

For this the ACS is playing up as for site number 1, it's granting access when any NAR is assigned to the user. For site number 2, it's not granting access with any NAR BUT one that contains an NDG that has no entry for any IP /host.

No access for both when no NAR is assigned.

Can someone please solve the mystery? We want to select the NAR that contains particular NDG for particular site IPs/hosts.

Regards,

Arif

Labels:
0 Helpful
1 Reply 1

darpotter
Level 5
Level 5

‎05-08-2008 02:04 AM

Without seeing the exact content of the NAR and the inbound T+ requests its impossible to say what the problem is.

Remember that NAR checks are pretty simple string matches using the rem_addr value from the inbound packet and the nas ip address.

The NDG part of a NAR refers to the authenticating device (ie PIX) and not the end client.

As a permit the below NAR would allow any remote client via the PIX (or other authenticating device in the NDG MyNdg). As a deny it would stop all connections.

AAA Client/IP/Port

NDG:MyNdg/*.*.*.*/*

I think you've got the purpose of NDGs mixed up. They hold authenticating devices (Pix, access server etc) and not the endpoint addresses.

Are you trying to restrict what users in site 1 can do in site 2?

0 Helpful
Customers Also Viewed These Support Documents