Cisco Support Community

New Member

NAR Confusion ACS3.2

I'm getting unexpected results with shared network access restrictions.

For example, I have a user group that can authenticate against a firewall but I don't want to allow them to authenticate to wireless access points.

I have a network group called FIREWALL that contains the firewall AAA clients. And a network group called WIRELESS that contains the wireless AAA clients.

When I apply a NAR that has an IP-based access restriction that permits access from

FIREWALL Port * IP x.x.x.*

To a user group, members of that group can still authenticate to the wireless access point.

The passed authentication report shows:

Access Filter FIREWALL from USERGROUP1 did not fail any criteria. This is sufficient to satisfy an 'Any Selected' SPC NAR config.

I assumed that if you create a NAR that specifically permits or denies access from an AAA client or group it would work as expected.

Ideally I want to group all my wireless access points into one network group and be able to permit a user or user group access to them using NAR.

Any help or comments would be appreciated.

Accepted Solutions
New Member

Re: NAR Confusion ACS3.2

Ok, this is a little quirky in the way it's implemented in CiscoSecure.

Basically there are two types of filters:

Dialup/DNIS/CLI and IP

What happens is that at authentication time the RADIUS server attempts to determine what type of access is being sought.

Is it a LAYER 3 and above style access or is it a LAYER 2 style of access?

It does this by inspecting the CLI field, and if it's an IP address it applies the IP Address filter.

If it does not find a valid IP address it uses the CLI/DNIS filter.

In this particular case a request coming from a wireless AP falls under the CLI/DNIS filter since this is LAYER 2 access.

If you define in addition a CLI/DNIS filter for these users that DENIES all, then I believe it should work as you are hoping.

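The selection logic the accepted answer describes can be modelled to check a NAR design before it goes live. The script below is an added illustration, not ACS code or anything from the thread's authors: the class names, the matching rules (AAA client group plus a wildcard pattern on the Calling-Station-Id, port ignored) and the sample requests are all constructed assumptions. It reproduces the poster's symptom (an IP-only NAR lets a MAC-based wireless authentication through because no CLI/DNIS criteria exist to fail) and shows both fixes mentioned in the thread: mirroring the IP rule in the CLI/DNIS table, and a CLI/DNIS table that denies everything.

```python
"""Model of how CiscoSecure ACS 3.2 chooses which NAR filter table to apply,
as described in the accepted answer above. Constructed for illustration: the
classes, matching rules and sample requests are assumptions, not ACS internals."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Request:
    nas_group: str           # network device group of the AAA client sending the request
    calling_station_id: str  # RADIUS Calling-Station-Id ("CLI"): an IP for layer 3
                             # access, a MAC address for layer 2 access such as wireless


@dataclass
class Entry:
    nas_group: str  # AAA client or network device group, "*" for any
    pattern: str    # address / CLI pattern with "*" wildcard, e.g. "10.1.2.*"

    def matches(self, req: Request) -> bool:
        return (self.nas_group in ("*", req.nas_group)
                and fnmatch(req.calling_station_id, self.pattern))


@dataclass
class Table:
    permit: bool                                 # True: "Permitted" locations, False: "Denied"
    entries: list = field(default_factory=list)

    def evaluate(self, req: Request) -> bool:
        matched = any(e.matches(req) for e in self.entries)
        return matched if self.permit else not matched


@dataclass
class NAR:
    ip_table: Optional[Table] = None        # "IP-based access restrictions"
    cli_dnis_table: Optional[Table] = None  # "CLI/DNIS-based access restrictions"


def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def evaluate_nar(nar: NAR, req: Request):
    """Return (allowed, reason). Only ONE table is consulted per request: the IP
    table when the CLI field holds an IP address, otherwise the CLI/DNIS table.
    A missing table cannot fail any criteria, which is why an IP-only NAR lets
    wireless (MAC-based CLI) requests through."""
    if is_ip_address(req.calling_station_id):
        table, kind = nar.ip_table, "IP"
    else:
        table, kind = nar.cli_dnis_table, "CLI/DNIS"
    if table is None:
        return True, f"no {kind} filter defined, NAR did not fail any criteria"
    allowed = table.evaluate(req)
    return allowed, f"{kind} filter {'permits' if allowed else 'denies'} the request"


# --- constructed scenarios mirroring the thread ---------------------------

def nar_ip_only() -> NAR:
    """The poster's original NAR: IP table only, permit FIREWALL Port * IP 10.1.2.* (constructed)."""
    return NAR(ip_table=Table(permit=True, entries=[Entry("FIREWALL", "10.1.2.*")]))


def nar_mirrored_cli_filter() -> NAR:
    """The poster's eventual fix: the same restriction repeated in the CLI/DNIS table."""
    return NAR(ip_table=Table(permit=True, entries=[Entry("FIREWALL", "10.1.2.*")]),
               cli_dnis_table=Table(permit=True, entries=[Entry("FIREWALL", "*")]))


def nar_deny_all_cli() -> NAR:
    """The accepted answer's variant: a CLI/DNIS table that denies everything."""
    return NAR(ip_table=Table(permit=True, entries=[Entry("FIREWALL", "10.1.2.*")]),
               cli_dnis_table=Table(permit=False, entries=[Entry("*", "*")]))


# Constructed sample requests: a firewall user (IP in CLI) and a wireless user (MAC in CLI)
FIREWALL_REQ = Request(nas_group="FIREWALL", calling_station_id="10.1.2.3")
WIRELESS_REQ = Request(nas_group="WIRELESS", calling_station_id="00-11-22-33-44-55")


if __name__ == "__main__":
    for name, nar in [("IP filter only", nar_ip_only()),
                      ("IP + mirrored CLI/DNIS", nar_mirrored_cli_filter()),
                      ("IP + deny-all CLI/DNIS", nar_deny_all_cli())]:
        for label, req in [("firewall", FIREWALL_REQ), ("wireless", WIRELESS_REQ)]:
            allowed, reason = evaluate_nar(nar, req)
            print(f"{name:24} {label:9} -> {'PASS' if allowed else 'FAIL'}: {reason}")
```

The model evaluates a single NAR; a real ACS user group can reference several shared NARs combined with "Any selected" or "All selected", and a missing table still counts as "did not fail any criteria" in that combination, so the takeaway holds: any NAR meant to restrict by AAA client must carry a CLI/DNIS rule alongside its IP rule, or layer 2 authentications are never checked.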
2 REPLIES
New Member

Re: NAR Confusion ACS3.2

Yes, I eventually figured this out and you are absolutely correct: the NAR should have a CLI/DNIS filter the same as the IP filter for layer two authentications that don't yet have an IP address assigned.

Thanks for your reply.
