Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Network Access Restrictions (NAR) on multiple Radius clients

Hi, I'm running two Radius clients (a C3005 and a web-server, i.e. an IETF client) and I want to restrict access of users/groups to them.

The problem I have is that when I'm using 'Ip based AR', no matter what I enter (permitted/denied, All Clients or a selection), all authentications are succesfull, and therefore not usable to me.

When I'm using a 'CLI/DNIS AR', the C3005 functions correctly (denied or allowed when applicable), but the web-server gets denied allways unless I'm configuring a 'permit all clients' entry (again, not usable to me...)

When looking at the ACS-logs (failed attempts) I see all entries are correct except for the NAS-port entry, which shows the username (odd...). The failure-code is 'User Access Filtered' (which is, considering the results, to be expected).

Anyone any ideas?

Grtz, Joost

New Member

Re: Network Access Restrictions (NAR) on multiple Radius clients


My best advise to you is to get the NAR White Paper that explains the "inside" of NARs operation and the rules they operate upon.

The white paper is at http://www/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

The important part , related to your question , is probably understanding what IP-Based NARs are based on (calling-station-id and called-station-id). If your Radius clients don't send those attributes in their requests , IP Based NARs won't operate as you expect them to.

Hope this helps, let me know if you still have questions.