
New Member

ACS - Network Access Restriction

Hi,

We have a simple ACS deployment where we have a number of users throughout the world that require access to network devices.

At present, I can manage access using custom attributes for specific clients, WCS and WLCs for example.

What I want to do is limit access to specific networks. So, for example, I want to assign a restriction to a group of users that can only access devices located in France.

What is the best method for doing this? I have tried to apply a NAR to a group but this does not appear to work.

Appreciate some guidance.

6 REPLIES
Silver

Re: ACS - Network Access Restriction

Hi

Do you mean purely for administrative access, i.e. using TACACS+, or generally for network end-users?

Darran

New Member

Re: ACS - Network Access Restriction

Hi

This is purely for administrative access. I have a list of ACS users created and they are assigned to specific ACS groups. I just want to limit administrative access to specific networks.

Andy

Silver

Re: ACS - Network Access Restriction

OK, so traditionally NARs have been used to do this.

Try creating (if you haven't already) geographic-based Network Device Groups (NDGs).

At a group level you can map an NDG to a Shared NAR for maximum re-use (and minimum data entry).

The classic example is to give a French group full admin access to the French NDG and perhaps read-only or even no access to other NDGs.

Make sure you use IP-based NARs.

The original white paper we did can still be found on http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/ndmse_wp.pdf

New Member

Re: ACS - Network Access Restriction

Thanks for this.

For test purposes, I added a NAR to a user and then a group denying access to a specified IP range (e.g. 10.59.2.1-10). Oddly, it doesn't work!

The only way I have been able to restrict access is to create a NAF and identify the AAA client that a user or group is to have access to. Unfortunately, I don't have switches defined by an NDG. I just have all switches pointing to the default TACACS group. I just don't see why the NAR won't work...

Silver

Re: ACS - Network Access Restriction

For a simple NAR you'd normally enter the device name or NDG and leave the client IP & port as *,*.

Entering a range of addresses as per your example won't work because ACS does simple pattern matching. You could have put 10.59.2.* but that would have been too wide.

If you can't use an NDG then using the more flexible NAF to spec the range would be the correct thing to do.
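To make the pattern-matching point concrete, here is an added Python example (not from Cisco or from this thread) that models a deny rule under simple per-octet wildcard matching, which is an assumption about how ACS compares AAA client addresses, beside an explicit last-octet range check of the kind a NAF lets you specify. The client address list is constructed for the illustration.

```python
import ipaddress
import re

# Constructed sample AAA client addresses (not from the thread).
SAMPLE_CLIENTS = [
    "10.59.2.1", "10.59.2.5", "10.59.2.10",   # inside the intended 1-10 range
    "10.59.2.11", "10.59.2.50",               # same /24, outside the range
    "10.60.2.3",                              # different network
]


def wildcard_match(pattern: str, ip: str) -> bool:
    """Simple per-octet pattern match: '*' matches any octet, anything else
    must be literally equal. Assumed model of ACS matching, for illustration."""
    p_octets = pattern.split(".")
    i_octets = ip.split(".")
    if len(p_octets) != 4 or len(i_octets) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_octets, i_octets))


_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)-(\d+)$")


def range_match(spec: str, ip: str) -> bool:
    """Explicit last-octet range such as '10.59.2.1-10', compared numerically."""
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"not a last-octet range: {spec}")
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    if lo > hi:
        raise ValueError(f"range bounds reversed: {spec}")
    low = ipaddress.IPv4Address(f"{prefix}.{lo}")
    high = ipaddress.IPv4Address(f"{prefix}.{hi}")
    return low <= ipaddress.IPv4Address(ip) <= high


def denied_clients(matcher, spec: str, clients=SAMPLE_CLIENTS) -> list:
    """Return which clients a deny rule written as `spec` would actually block."""
    return [c for c in clients if matcher(spec, c)]


if __name__ == "__main__":
    # Under wildcard matching the dash range matches nothing, '*' matches the whole /24;
    # only an explicit range check blocks exactly 10.59.2.1-10.
    print("NAR '10.59.2.1-10':", denied_clients(wildcard_match, "10.59.2.1-10"))
    print("NAR '10.59.2.*':   ", denied_clients(wildcard_match, "10.59.2.*"))
    print("NAF range 1-10:    ", denied_clients(range_match, "10.59.2.1-10"))
```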

New Member

Re: ACS - Network Access Restriction

Many thanks for your guidance. Much appreciated. I will put this to the test.
