Yes, I have used NAR. Actually, as I said, I have separated the devices into two groups, one group for switches and another group for firewalls. Then I created 2 users and applied NAR at the user level: one is used to access the switches ONLY and the other to access firewalls ONLY. The problem is that when I try to access the switches with the account created for them it works fine (I mean I cannot access them with the account that I created for the firewall), but when I access the firewall I can access it with both accounts (including the user account created for switches).
So the NARs work when the authentication is TACACS but fail when RADIUS.
This will be because ACS looks at incoming attributes to decide which type of NAR should be applied (regardless of what's been configured). Basically the caller-id attribute needs to contain an IP address for it to work with IP-based NARs.
Try duplicating the ip-based NAR (as best you can) as a non-ip NAR.
TIP: if you have the software version of ACS you can run CSRadius -z -p to get a full dump of the inbound packet. You can use this to see what's in the Calling and Called-Station-Id attributes.