Re: Restrict access to LMS that authenticate via ACS
I presume you added this into the Network Access Restrictions (NAR) section of ACS. Did you add it into the IP-Based Access Restriction section, or the CLI/DNIS-based section below it?
Which section ACS uses here depends on whether or not the NAS (LMS in this case) sends the "caller-id" or "calling-station-id" attribute in the request with an IP address. I have no idea if LMS does this, but if it's not working in the IP-based section, try adding it into the CLI/DNIS section and see how that goes.
Switches, and most other devices, DO send an IP address in the calling-station-id attribute so that's why that is working in the IP-based section. A good example of this is the VPN3000 which does NOT send an IP address, so it has to be added into the CLI/DNIS section for restrictions to work.
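The practical question behind this reply is what the NAS actually puts in the Calling-Station-Id attribute. The following added example (not part of the original post or of any Cisco product) builds and parses RADIUS Access-Request packets so you can inspect that attribute from a capture and decide which NAR section to populate. The packets, NAS addresses and station-id strings are constructed sample values; the `nar_section_hint` rule (an IP-formatted Calling-Station-Id suits the IP-based section, anything else the CLI/DNIS section) is a simplified model of the behaviour the post describes, not ACS's own matching code.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1
# Standard RADIUS attribute types (RFC 2865) referenced below
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31


def build_access_request(ident, attrs):
    """Build an Access-Request from (type, value-bytes) pairs.
    The 16-byte Request Authenticator is zeroed: this is a constructed
    sample for parsing, not a packet meant to be sent to a server."""
    body = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for RADIUS")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    length = 20 + len(body)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + bytes(16) + body


def parse_radius(packet):
    """Parse the RADIUS header and attribute list with bounds checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def nar_section_hint(attrs):
    """Model of the post's rule: which ACS NAR section can match this NAS.
    'ip-based' when Calling-Station-Id holds an IP address, 'cli-dnis'
    when it holds any other string, 'none' when the attribute is absent."""
    calling = [v for t, v in attrs if t == ATTR_CALLING_STATION_ID]
    if not calling:
        return "none"
    value = calling[0].decode("ascii", "replace")
    try:
        ipaddress.ip_address(value)
        return "ip-based"
    except ValueError:
        return "cli-dnis"


# Constructed samples: a switch that sends its IP in Calling-Station-Id,
# a concentrator that sends a non-IP string, and a NAS that omits it.
SWITCH_REQUEST = build_access_request(7, [
    (ATTR_USER_NAME, b"netadmin"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
    (ATTR_CALLING_STATION_ID, b"10.0.0.5"),
])
CONCENTRATOR_REQUEST = build_access_request(8, [
    (ATTR_USER_NAME, b"netadmin"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 9])),
    (ATTR_CALLING_STATION_ID, b"vpn-client-01"),
])
BARE_REQUEST = build_access_request(9, [
    (ATTR_USER_NAME, b"netadmin"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 12])),
])

if __name__ == "__main__":
    for name, pkt in (("switch", SWITCH_REQUEST),
                      ("concentrator", CONCENTRATOR_REQUEST),
                      ("bare", BARE_REQUEST)):
        parsed = parse_radius(pkt)
        print(name, "code", parsed["code"], "->", nar_section_hint(parsed["attrs"]))
```

To apply this to a real NAS, feed `parse_radius` the UDP payload of an Access-Request taken from a packet capture between the NAS and ACS; the hint tells you whether the IP-based or the CLI/DNIS-based section is the one that can ever see a matching value.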