Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Configuring NARs on ACS3.0

I am struggling to get my head around NARS - the documentation says which buttons to press but I am struggling to figure how to do what I want.

Lets says I have a group of uses (600+ and rising) that I want to allow to access via AAA client "concentrator" which is unsurprisingly a VPN Concentrator.

We also have a single user, that I want to allow via aaa client "Radius" which is another radius server.

NARs look to be the way to do it, but I can't seem to get the effect I want.

I have NAR one that has Define IP based... checked, and the table defines set to permitted and I list concentrator there with wildcards set for port and source IP.

I have NAR two that is basically the same but names radius as the point of access.

If I select NAR by going to User/Network Access Restrictions, Check only allow access when and select all selected NARs, I select two and click to move it to selected.

I then attempt a connection from the user via the concentrator (Nonselected AAA client) The ACS permits the request.

What have I misunderstood?


Cisco Employee

Re: Configuring NARs on ACS3.0

If this is a VPN3000 concentrator, put it in the "CLI/DNIS based access restrictions" section, not the "IP-based". There's something about the format of the Radius packet the 3000 sends that makes ACS use that section, never have investigated what it is exactly but it's just the way it is.

Re: Configuring NARs on ACS3.0

Thanks for that - that bit is working great, but I am obvoiusly missing something even more obvoius.

We are using a telco to provide dial access, and I want to prevent users from using the VPN user and password to access the telco.

I have a NAR that I would like to prevent access via the Telco. I have listed the telcos Radius servers, and following on I have listed them as deny for both IP and CLI. I have assigned the NAR to a group, ang clicking the buttons to view the NARs lists the Radius servers as denied under both CLI and IP.

When I try to use a user applied to the group, it gets permitted. The entry in permitted lists the user against the correct group, but permits it.

Any thoughts?

CreatePlease to create content