Restricting ACS access by dialing number

williamparis
Level 1

Is there a way to restrict access to ACS via the number that the dialing client has called from?

Aka use calling-station id or something such as this? I thought I had found a way in the ACS admin via the DNIS, but I could get it to work. I know I can set up an ACL that contains the numbers to accept, but can I do this per externally-authenticated user?

Kind Regards,

William Paris


tepatel
Cisco Employee

Need more information on what exactly you mean by access to ACS. Please explain: let's say a user dials in to the NAS from caller ID, say, 11111; you don't want ACS to authenticate that user?

OR if a user with caller ID 2222 dials in, you want ACS to authenticate? Also need to know what type of NAS you have, and whether the dial-in line is capable of sending caller ID to the NAS or not.

sghosh
Level 1

Hi William,

Do you mean ACS admin pages access or logging into the NAS itself?

Thanks

Sujit

williamparis
Level 1

My apologies to all for the unclear post:

What I want to do is this:

Using ACS authentication (which I do via the external authenticator to an NT domain) I would like to restrict each user to only be allowed to dial in from a specific phone number. Example: user \\ntdomain\bob is only allowed to dial in FROM phone number 555-5555. If any other number is received for user \\ntdomain\bob then it rejects it.

Failing to be able to do this from a specific username, can I set up an ACL that only allows the phone numbers from all my users to dial in? Example, only accept calls from numbers 555-5555, 555-4444, etc.

Kind Regards and thank you for your answers.

William Paris

williamparis
Level 1

Can anyone help me out here? I would greatly appreciate it.

You can set CLI-based restrictions for individual users. It's under 'Per User Defined Network Access Restrictions'; you'll see "Define CLI/DNIS-based access restrictions".

Although I don't use this feature I have tested it in the lab and it worked fine.

Hi,

Yes, CLI/DNIS based NAR is what you need -

I am assuming that you are using RADIUS. Here are the details:

DNIS/CLI based NAR
==================

AAA client = NAS-IP-Address (RADIUS attribute #4), or NAS-Identifier (RADIUS attribute #32) if the above doesn't exist.

Port = NAS-Port (RADIUS attribute #5), or NAS-Port-Id (RADIUS attribute #87) if the above doesn't exist.

CLI = Calling-Station-Id (RADIUS attribute #31)

DNIS = Called-Station-Id (RADIUS attribute #30)

Thanks,

Mynul
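
The check described in the reply above, as an added example that is not part of the original thread and is not ACS's own code: it extracts the four NAR fields from a RADIUS Access-Request using the attribute fallbacks listed there, then permits a user only when the calling number matches that user's rule. The user `bob`, the rule format, the `*` wildcard handling and the sample packets are assumptions constructed for this example.

```python
import ipaddress
import struct
from fnmatch import fnmatchcase

# Attribute numbers from the reply above; User-Name (1) is from RFC 2865.
USER, NAS_IP, NAS_PORT, DNIS, CLI, NAS_ID, NAS_PORT_ID = 1, 4, 5, 30, 31, 32, 87

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute number: raw bytes} from a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2 or not 2 <= packet[pos + 1] <= length - pos:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first instance
        pos += alen
    return attrs

def nar_fields(attrs: dict) -> dict:
    """Build the four NAR fields, with the fallbacks listed in the reply."""
    client = (str(ipaddress.IPv4Address(attrs[NAS_IP])) if NAS_IP in attrs
              else attrs.get(NAS_ID, b"").decode("latin-1"))
    port = (str(int.from_bytes(attrs[NAS_PORT], "big")) if NAS_PORT in attrs
            else attrs.get(NAS_PORT_ID, b"").decode("latin-1"))
    return {"client": client, "port": port,
            "cli": attrs.get(CLI, b"").decode("latin-1"),
            "dnis": attrs.get(DNIS, b"").decode("latin-1")}

def permitted(packet: bytes, rules: dict) -> bool:
    """True only if the request matches one of that user's permit rules."""
    attrs = parse_attributes(packet)
    fields = nar_fields(attrs)
    user = attrs.get(USER, b"").decode("latin-1")
    return any(all(fnmatchcase(fields[k], pat) for k, pat in rule.items())
               for rule in rules.get(user, []))  # no rule or no match: reject

def build_request(attrs: dict) -> bytes:  # constructed Access-Request, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed policy and packets; "bob" and all values are sample data.
RULES = {"bob": [{"client": "*", "port": "*", "cli": "5555555", "dnis": "*"}]}
BASE = {USER: b"bob", NAS_IP: bytes([192, 0, 2, 10]), NAS_PORT: (7).to_bytes(4, "big")}
GOOD = build_request({**BASE, CLI: b"5555555"})
BAD = build_request({**BASE, CLI: b"5554444"})
NO_CLI = build_request(BASE)  # the line delivered no caller ID
```

A request with no Calling-Station-Id is rejected here, which is why the earlier question about whether the dial-in line can send caller ID to the NAS matters.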
