Cisco Support Community

New Member

Restrict access to LMS that authenticate via ACS


I have installed an ACS 2.6 server which has joined the domain. Local accounts are created in ACS and their passwords use the domain password.

Besides switches, I have also defined LMS as one of the devices on ACS, authenticating via TACACS+.

I would like to allow only 2 of those local accounts to log in to LMS. So I added a deny access to NAS:LMS for the rest of the accounts.

Now the problem is that all the local accounts are still able to log in to LMS. The ACS log says authentication successful.

I tried to verify by using the same method to restrict switch access for a local account and it works.

Please advise.

Cisco Employee

Re: Restrict access to LMS that authenticate via ACS

I presume you added this into the Network Access Restrictions (NAR) section of ACS. Did you add it into the IP-Based Access Restriction section, or the CLI/DNIS-based section below it?

Which section ACS uses here depends on whether or not the NAS (LMS in this case) sends the "caller-id" or "calling-station-id" attribute in the request with an IP address. I have no idea if LMS does this, but if it's not working in the IP-based section, try adding it into the CLI/DNIS section and see how that goes.

Switches, and most other devices, DO send an IP address in the calling-station-id attribute so that's why that is working in the IP-based section. A good example of this is the VPN3000 which does NOT send an IP address, so it has to be added into the CLI/DNIS section for restrictions to work.
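
A simplified model of the section-selection rule described in the reply above, added here as an example (it is not ACS code and not from either poster). The field names, the sample requests and the assumption that LMS sends no IP address in the caller-id are constructed for illustration; it shows why a deny entry placed only in the IP-based section never matches such a request.

```python
import ipaddress
from fnmatch import fnmatch

def caller_is_ip(caller_id):
    """True when the caller-id / calling-station-id value parses as an IP address."""
    try:
        ipaddress.ip_address(caller_id)
        return True
    except ValueError:
        return False

def nar_section(caller_id):
    """Select the NAR section per the rule in the reply: IP present -> IP-based."""
    return "ip" if caller_is_ip(caller_id) else "cli_dnis"

def denied(request, nar):
    """Deny-style NAR: True if any entry in the selected section matches the request."""
    section = nar_section(request["caller_id"])
    for entry in nar.get(section, []):
        if all(fnmatch(request[field], pattern) for field, pattern in entry.items()):
            return True
    return False

# Constructed requests. The empty caller-id for LMS is an assumption, not a known fact.
SWITCH_REQ = {"nas": "switch1", "port": "tty1", "caller_id": "10.1.1.50", "dnis": ""}
LMS_REQ = {"nas": "LMS", "port": "", "caller_id": "", "dnis": ""}

# Deny entries only in the IP-based section (the configuration in the question).
NAR_IP_ONLY = {
    "ip": [
        {"nas": "LMS", "port": "*", "caller_id": "*"},
        {"nas": "switch1", "port": "*", "caller_id": "*"},
    ],
}

# Same restriction with LMS also listed in the CLI/DNIS section (the suggested fix).
NAR_BOTH = {
    "ip": NAR_IP_ONLY["ip"],
    "cli_dnis": [{"nas": "LMS", "port": "*", "caller_id": "*", "dnis": "*"}],
}

if __name__ == "__main__":
    for name, nar in (("IP-based only", NAR_IP_ONLY), ("IP + CLI/DNIS", NAR_BOTH)):
        print(name, "| switch denied:", denied(SWITCH_REQ, nar),
              "| LMS denied:", denied(LMS_REQ, nar))
```

If the ACS logs for a failed or passed attempt from LMS show an IP address in the caller-id field, the IP-based section is the one being consulted and the cause lies elsewhere.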