Just a question: how to restrict dialup users to certain NAS servers?
We have an ACS2.6 AAA server and several 3640-based NAS servers for user dialup. The users are collected into a group in the ACS.
We have another group, called ISP. The users in this group can use the internet all over the world; they must dial the given ISP's local NAS number, and all those NASes forward the authentication request to our ACS. So we can centrally manage the direct RAS users and the internet users.
The problem is that a user in a certain group can use the other dial-in facility, since all dial-in attempts will be authenticated on the same server.
How can I restrict it so that the ISP group can only use the NASes outside of the company and cannot dial in to our dedicated RAS server? And so that the traditional RAS users cannot use the internet (which is given to the ISP users)?
I applied filters in the ACS on the group settings but found no documents on how to set it up exactly. Any help appreciated,
I agree that there is not a clean document on CCO that shows, step by step, how to configure NAR. But the answer to your specific question is that you need to create 2 NDGs (Network Device Groups) and assign your NASes to the corresponding device group. Then configure CLI/DNIS-based NAR, not the IP-based one. I am assuming that you are using RADIUS, so here are the details:
DNIS/CLI based NAR

NAR entry: Data source
AAA client: NAS-IP-Address (RADIUS attribute #4), or NAS-Identifier (RADIUS attribute #32) if the above doesn't exist
Port: NAS-Port (RADIUS attribute #5), or NAS-Port-Id (RADIUS attribute #87) if the above doesn't exist
CLI: Calling-Station-Id (RADIUS attribute #31)
DNIS: Called-Station-Id (RADIUS attribute #30)
Your DNIS would be the NDG that you have defined for.
This link may be helpful in setting up the above attributes:
My problem was that I put the reasonable commands into the NAS/PORT section, and after submitting the change I didn't get back the same data that I wrote in. I saw several "?" after the NAS name. I thought that I had made a mistake regarding the syntax, but today I tried with another internet browser (IE5.5 without hotfix) and so I COULD apply the commands. And the filtering works fine. Considering all of this, it is important which internet browser you use.
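The per-group restriction discussed in this thread, modelled as an added example (not part of any post and not ACS code): each group gets "permitted" CLI/DNIS NAR entries tied to an NDG, and the request's RADIUS attributes are mapped to NAR fields with the fallbacks listed in the reply. The NDG names, NAS addresses, phone numbers, shell-style wildcard matching and the default-deny choice are assumptions of this model.

```python
from fnmatch import fnmatchcase

# Constructed sample data: NDG names, NAS addresses and group names are hypothetical.
NDG = {
    "corp-ras": {"10.1.1.10", "10.1.1.11"},
    "isp-nas": {"192.0.2.20", "isp-nas-01"},
}

# "Permitted" NAR entries per group: (NDG, port, CLI, DNIS); "*" matches anything.
GROUP_NAR = {
    "RAS": [("corp-ras", "*", "*", "*")],
    "ISP": [("isp-nas", "*", "*", "*")],
}

def first_present(attrs, *numbers):
    """Return the first RADIUS attribute (by number) present in the request."""
    for n in numbers:
        if n in attrs:
            return str(attrs[n])
    return ""

def nar_fields(attrs):
    """Map request attributes to NAR fields with the fallbacks from the reply."""
    return {
        "aaa_client": first_present(attrs, 4, 32),  # NAS-IP-Address, else NAS-Identifier
        "port": first_present(attrs, 5, 87),        # NAS-Port, else NAS-Port-Id
        "cli": first_present(attrs, 31),            # Calling-Station-Id
        "dnis": first_present(attrs, 30),           # Called-Station-Id
    }

def nar_permits(group, attrs):
    """True if any permitted entry of the group matches the request."""
    f = nar_fields(attrs)
    for ndg, port, cli, dnis in GROUP_NAR.get(group, []):
        if (f["aaa_client"] in NDG.get(ndg, set())
                and fnmatchcase(f["port"], port)
                and fnmatchcase(f["cli"], cli)
                and fnmatchcase(f["dnis"], dnis)):
            return True
    return False  # no permitted entry matched (model choice: default deny)

# Constructed requests, keyed by RADIUS attribute number.
VIA_CORP = {4: "10.1.1.10", 5: 7, 31: "5550100", 30: "5550199"}
VIA_ISP = {32: "isp-nas-01", 87: "Async12", 31: "5550100", 30: "5550142"}

if __name__ == "__main__":
    for group in ("RAS", "ISP"):
        for name, req in (("corp NAS", VIA_CORP), ("ISP NAS", VIA_ISP)):
            print(group, "via", name, "->", "permit" if nar_permits(group, req) else "deny")
```

The second request carries only NAS-Identifier and NAS-Port-Id, so it exercises both fallbacks; a NAS that sends neither attribute #4 nor #32 matches no NDG and is denied in this model.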