New Member

Restricting ACS access by dialing number

Is there a way to restrict access to ACS via the number that the dialing client has called from?

Aka use calling-station id or something such as this? I thought I had found a way in the ACS admin via the DNIS, but I could get it to work. I know I can set up an ACL that contains the numbers to accept, but can I do this per externally-authenticated user?

Kind Regards,

William Paris

7 REPLIES
Cisco Employee

Re: Restricting ACS access by dialing number

Need more information on what exactly you mean by access to ACS. Please explain: let's say a user dials in to the NAS from caller ID 11111, you don't want ACS to authenticate that user?

Or if a user with caller ID 2222 dials in, you want ACS to authenticate? Also need to know what type of NAS you have, and whether the dial-in line is capable of sending caller ID to the NAS or not.

New Member

Re: Restricting ACS access by dialing number

Hi William,

Do you mean ACS admin pages access or logging into the NAS itself?

Thanks

Sujit

New Member

Re: Restricting ACS access by dialing number

My apologies to all for the unclear post:

What I want to do is this:

Using ACS authentication (which I do via the external authenticator to an NT domain) I would like to restrict each user to only be allowed to dial in from a specific phone number. Example: user \\ntdomain\bob is only allowed to dial in FROM phone number 555-5555. If any other number is received for user \\ntdomain\bob then it rejects it.

Failing to be able to do this from a specific username, can I set up an ACL that only allows the phone numbers from all my users to dial in? Example, only accept calls from numbers 555-5555, 555-4444, etc.

Kind Regards and thank you for your answers.

William Paris

New Member

Re: Restricting ACS access by dialing number

Can anyone help me out here? I would greatly appreciate it.

New Member

Re: Restricting ACS access by dialing number

You can set CLI-based restrictions for individual users. It's under 'Per User Defined Network Access Restrictions'; you'll see "Define CLI/DNIS-based access restrictions".

Although I don't use this feature I have tested it in the lab and it worked fine.

Silver

Re: Restricting ACS access by dialing number

Hi,

Yes, CLI/DNIS based NAR is what you need -

I am assuming that you are using RADIUS. Here are the details -

DNIS/CLI based NAR

=================

AAA client = NAS-IP-Address (radius attribute #4) or NAS-Identifier (radius attribute #32) if the above doesn’t exist.

Port = NAS-Port (radius attribute #5) or NAS-Port-Id (radius attribute #87) if the above doesn’t exist

Cli = Calling-Station-Id (radius attribute #31)

DNIS = Called-Station-Id (radius attribute #30)

Thanks,

Mynul
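
The attribute mapping in the reply above, worked through as an added example (not part of the thread and not ACS code): a per-user permit check over the four NAR fields of a RADIUS Access-Request. The `PERMIT_NARS` table, the `*` wildcard, the digit normalisation and the deny-when-no-entry default are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed per-user permit lists: (AAA client, port, CLI, DNIS).
# "*" as a wildcard is an assumption of this sketch.
PERMIT_NARS = {
    r"ntdomain\bob": [("*", "*", "555-5555", "*")],
}

def first_present(attrs, *names):
    """Return the first attribute present, following the fallback order above."""
    for name in names:
        if name in attrs:
            return attrs[name]
    return None

def nar_fields(attrs):
    """Map RADIUS Access-Request attributes to the four NAR fields."""
    return (
        first_present(attrs, "NAS-IP-Address", "NAS-Identifier"),  # attr 4, else 32
        first_present(attrs, "NAS-Port", "NAS-Port-Id"),           # attr 5, else 87
        attrs.get("Calling-Station-Id"),                           # attr 31 (CLI)
        attrs.get("Called-Station-Id"),                            # attr 30 (DNIS)
    )

def digits(value):
    """Keep digits (and '*' for patterns) so 555-5555 and 5555555 compare equal."""
    return "".join(ch for ch in str(value) if ch.isdigit() or ch == "*")

def field_matches(pattern, value, is_number):
    if pattern == "*":
        return True
    if value is None:
        return False  # attribute not sent (e.g. no caller ID): fail closed
    if is_number:
        pattern, value = digits(pattern), digits(value)
    return fnmatchcase(str(value), pattern)

def permitted(user, attrs):
    """True only if one of the user's permit entries matches all four fields."""
    fields = nar_fields(attrs)
    return any(
        all(field_matches(p, v, i >= 2) for i, (p, v) in enumerate(zip(rule, fields)))
        for rule in PERMIT_NARS.get(user, [])  # no entry for the user: denied
    )
```

A request that arrives without Calling-Station-Id is rejected for any user whose entry names a specific number, which is why the line's ability to deliver caller ID to the NAS matters.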
