Network Access Restrictions (NAR) on multiple Radius clients
Hi, I'm running two Radius clients (a C3005 and a web-server, i.e. an IETF client) and I want to restrict access of users/groups to them.
The problem I have is that when I'm using 'Ip based AR', no matter what I enter (permitted/denied, All Clients or a selection), all authentications are successful, and therefore not usable to me.
When I'm using a 'CLI/DNIS AR', the C3005 functions correctly (denied or allowed when applicable), but the web-server gets denied always unless I'm configuring a 'permit all clients' entry (again, not usable to me...)
When looking at the ACS-logs (failed attempts) I see all entries are correct except for the NAS-port entry, which shows the username (odd...). The failure-code is 'User Access Filtered' (which is, considering the results, to be expected).
The important part, related to your question, is probably understanding what IP-Based NARs are based on (calling-station-id and called-station-id). If your Radius clients don't send those attributes in their requests, IP Based NARs won't operate as you expect them to.
Hope this helps, let me know if you still have questions.
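One way to check what the reply above points at, namely whether each RADIUS client actually includes Calling-Station-Id and Called-Station-Id in its Access-Request, is to parse a captured request and list the attributes it carries. The following is an added example, not code from the original thread or from Cisco ACS; it implements a minimal RFC 2865 packet parser and reports which of the two attributes are missing. The two sample packets (a "concentrator-style" request that carries both attributes and a "web-server-style" request that carries neither) are constructed here for illustration; the attribute values in them are made up.

```python
import socket
import struct
from typing import Dict, List, Tuple

# RADIUS attribute type codes from RFC 2865 (only the ones relevant here).
ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    5: "NAS-Port",
    30: "Called-Station-Id",
    31: "Calling-Station-Id",
    32: "NAS-Identifier",
}

# The attributes the reply above says an IP-based NAR decides on.
NAR_REQUIRED = ("Calling-Station-Id", "Called-Station-Id")

ACCESS_REQUEST = 1  # RADIUS packet code for Access-Request


def parse_radius_packet(data: bytes) -> Dict[str, List[bytes]]:
    """Parse a RADIUS packet into {attribute-name: [raw values]}.

    Layout (RFC 2865): code(1) id(1) length(2) authenticator(16) then
    attributes as type(1) length(1) value(length-2), repeated.
    """
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not fit the packet")
    attrs: Dict[str, List[bytes]] = {}
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        # Each attribute must be at least 2 bytes and stay inside the packet.
        if alen < 2 or offset + alen > length:
            raise ValueError(f"malformed attribute of type {atype}")
        value = data[offset + 2:offset + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        attrs.setdefault(name, []).append(value)
        offset += alen
    return attrs


def decode_value(name: str, raw: bytes) -> str:
    """Render a raw attribute value the way an admin would want to read it."""
    if name == "NAS-IP-Address" and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if name == "NAS-Port" and len(raw) == 4:
        return str(struct.unpack("!I", raw)[0])
    # Anything else (including a NAS-Port that is not a 4-byte integer,
    # as in the question) is shown as text so the oddity is visible.
    return raw.decode("utf-8", errors="replace")


def missing_nar_attributes(data: bytes) -> List[str]:
    """Return the NAR-relevant attributes absent from an Access-Request."""
    attrs = parse_radius_packet(data)
    return [name for name in NAR_REQUIRED if name not in attrs]


def build_access_request(attributes: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Build a test Access-Request; the authenticator is zeroed (constructed data)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + bytes(16) + body


# Constructed sample: a client that sends both station-id attributes.
CONCENTRATOR_REQUEST = build_access_request([
    (1, b"alice"),
    (4, socket.inet_aton("10.0.0.5")),
    (5, struct.pack("!I", 7)),
    (30, b"10.0.0.5"),        # Called-Station-Id
    (31, b"192.0.2.77"),      # Calling-Station-Id
])

# Constructed sample: a client that sends only username and NAS address.
WEB_SERVER_REQUEST = build_access_request([
    (1, b"alice"),
    (4, socket.inet_aton("10.0.0.9")),
], ident=2)


if __name__ == "__main__":
    for label, pkt in (("concentrator", CONCENTRATOR_REQUEST), ("web-server", WEB_SERVER_REQUEST)):
        attrs = parse_radius_packet(pkt)
        print(f"{label}:")
        for name, values in attrs.items():
            print(f"  {name} = {[decode_value(name, v) for v in values]}")
        print(f"  missing for IP-based NAR: {missing_nar_attributes(pkt) or 'none'}")
```

Feeding a real capture to `parse_radius_packet` (the UDP payload of one Access-Request, for example exported from a packet capture on the ACS host) tells you per client whether the NAR has anything to match on; a client whose requests come back with both attributes listed as missing cannot be filtered by an IP-based NAR no matter how the permit/deny rows are set.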