Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using Network Device Groups

I am not sure if I am taking the proper steps to this or not. Here is my scenario:

I have a device that can utilize any Radius. I am using Cisco ACS 3.3. Only particular devices on our network will be allowed to authenticate via radius to this device. In a nutshell, if you are using mac address 00101010906c, when you connect to our network, you will be directly straight through ACS and into the device. Can this be accomplished through NDG? Or do I need to do something different? I appreciate your help.

New Member

Re: Using Network Device Groups

I need to add that when the end users wants to go to the web or to any other network device, he must be able to, but if he wants to go to the NDG device, he must be authenticated and on the access list. Please advise. And I hope this is going to the right group (AAA),



New Member

Re: Using Network Device Groups

Is this an issue that is only with ACS 3.3? Can this be accomplished in 3.2? Can someone out there, at least point me in a direction that I will be able to use? I have looked through some documentation and I am unclear on how to set up the NDG users. I am also wondering if this is the direction we need to take? Any ideas?

Thank you,



Re: Using Network Device Groups


Sounds like you need to use Network Access Restrictions and not NDGs. NARs allow you to filter access based on the RADIUS attributes Calling-Station-Id and Called-Station-Id. Depending on your device these may or may not be populated with the client mac address.

However, ACS doesnt really have any support for un-authenticated access, so you need to authenticate a userid BEFORE the NAR gets applied.

In both NAC and wireless MAC auth, the device sends a pre-configured username+password to get around this. ACS can then apply the NAR post authentication.


CreatePlease login to create content