Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Deny Access to some AAA clients from ACS 3.3

Hello to all,

Can anyone please help me with one of my problem? I have some Cisco IPSEC VPN Concentrator's that need to be removed from the network. We already have another Juniper VPN which is working fine all the way.But a large number of users were using this IPSEC VPN previously.So the customer needs to allow access to this IPSEC VPN to some users and deny access to others.But these "some" permitted users are from different groups inside the Windows AD.So i tried creating a local group and adding all these permitted users in to it and applied Network Access Restrictions. I have applied both shared NAR and the per group NAR to deny access to my IPSEC VPN. but somehow it doesnt work. After applying i can still access those IPSEC VPN using my client.

Anyone can help me to find a solution for this...? My customer is chasing me every day and i have tried my all to find a solution.

Waiting for all of yours expert advise.

Thanks and Regards,

Subhash

5 REPLIES
New Member

Re: Deny Access to some AAA clients from ACS 3.3

As long as the MS Active Directory is integrated with ACS, Users from AD in ACS will be denied access after enabling NAR for a single or all AAA clients or on the basis of NDG as selected.

It works in either case of configured or default group mappings in External Database.

HTH

Ahmed

New Member

Re: Deny Access to some AAA clients from ACS 3.3

Thanks a lot for ur valued recommendations...

But i follow the same...but it is not working....I got one doubt..

inside the Shared NAR, do i need to specify two NAR's...i mean..NAR to deny access to the IPSEC VPN's and also NAR to allow access to all other devices...?

Also which check box i need to tick..??..

1. All selected NARs result in permit

2. Any one selected NAR results in permit

....

i haven tried both bcos this is a live network and i cannot try it any how...thanks a lot for ur advise...

Re: Deny Access to some AAA clients from ACS 3.3

Apply NAR on CLI DNIS bases instead of IP based NAR. Use * for rest of the fields.

Regards,

~JG

Do rate helpful posts

New Member

Re: Deny Access to some AAA clients from ACS 3.3

Hi JG,

I will try it out and will let u know the results...

Appreciate ur great help..

New Member

Re: Deny Access to some AAA clients from ACS 3.3

Hi JG,

I have tried the CLI DNIS option also. But the user can still access the VPN Client after applying the NAR.

Please help me to find a solution. By right, ACS can block some of the AAA clients using NAR rite..??But i dono why it is not working here...

Anyone please help to solve any issues.....thanks in advance..

133
Views
0
Helpful
5
Replies