10-04-2007 07:23 AM
I am trying to understand how to configure more granular access to the network via group Network Access Restrictions.
Basically, we have several groups set up, but I think they are all allowed access to everything.
I have remote users who work for the company that need access to network resources, but none of the network gear.
We also have third parties that have access to firewalls for management, and another third party that has access to routers and switches.
I need to make sure everything is controlled and they only have access to what we want to allow.
What does "Shared Network Access Restrictions" allow you to do?
I am unable to view anything in "View IP NAR" after selecting "Only allow network access when".
In Per Group Defined Network Access Restrictions, I have the checkmark on "Define IP Based access restrictions" and "Permitted Calling/Point of access Locations".
Do you set one as permit and the other as deny?
What if you want to allow access to servers, do you have to add every port in the box shown?
If Network Access Restrictions are not configured, does the user in that group have access to everything?
10-06-2007 05:27 AM
Hi,
If you allow only one device in "Permitted Calling/Point of access Locations", then all the rest of the devices will be denied access.
If you deny one device, then all the rest of the devices will be allowed.
If NARs are not configured, then ACS will allow the user to log in to all AAA clients. The other way is, if you use an external DB, you can set a mapping for some groups and deny all the remaining combinations.
Example:
ACS ---> External DB ---> External DB group mapping

AD Group                 ACS Group
domain user      <====>  Group1
domain admin     <====>  Group2
All other combinations <==> No Access

That means that only if a user is a member of one of those AD groups (domain admin or domain user) will ACS authorize that user as per the conditions defined in the ACS groups, BUT any user who is not a member of the above AD groups would not be allowed to log in, because we have set the mapping "all other combinations = No Access".
So, in your scenario, this is what you need to do:
Let's say we have ACS Group 1 (we want this group to be allowed access only to firewalls).
We will set up NARs as per the attached file. You need to set up both IP-based and CLI/DNIS-based NARs.
Let me know if you have any doubts.
Regards,
~JG
Please rate helpful posts.
10-06-2007 04:21 PM
Thank you for the informative post.
Does the document show that a wildcard (*) can be used for all ports and all addresses?
In "IP Based Access Restriction", can I use the groups defined in "Network Configuration" in the ACS?
What is the difference between "IP Based Access Restriction" and "CLI/DNIS Access Restriction"?
Why do I need to define both of the above?
10-08-2007 02:49 PM
Hi Wilson,
Yes, in IP-based access restrictions you can use the groups defined in "Network Configuration" in the ACS.
CLI/DNIS is used for restricting an AAA client when you do not have an established IP-based connection, like PPP or wireless.
It is not necessary to use both. If the request comes with an IP address, then there is no need to use a CLI-based NAR.
Regards,
~JG
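The two answers above describe three evaluation rules: a "permitted" NAR list means a request is allowed only when it matches an entry, a "denied" list means a request is allowed unless it matches an entry, and a group with no NAR at all may log in to every AAA client, with the external-DB group mapping ("all other combinations = No Access") closing the door on users that are in none of the mapped AD groups. The following Python model is an added example written for this thread, not Cisco ACS code; the request fields, the glob/CIDR matching for the Src IP column, the "first mapping row wins" rule, and the AAA client names and groups (Firewalls, Routers, Switches, VPN, Group1..Group3) are all assumptions used to make the fail-open versus fail-closed behaviour concrete.

```python
"""Toy model of ACS per-group NAR and external-DB group mapping semantics.

Added example for illustration only; this is not Cisco ACS code.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    aaa_client: str        # name of the AAA client (NAS) the user is logging in to
    port: str              # NAS port string, e.g. "tty1" (assumed field)
    src: str               # user's source IP (IP NAR) or CLI/DNIS string
    ndg: str = "Default"   # network device group the AAA client belongs to


@dataclass(frozen=True)
class NarEntry:
    client: str            # AAA client name, NDG name, or "*" for all
    port: str = "*"        # glob; "*" means all ports
    src: str = "*"         # glob, or a CIDR network for IP-based NAR


@dataclass
class Nar:
    mode: str              # "permit": allow only on match; "deny": allow unless matched
    entries: List[NarEntry] = field(default_factory=list)


def _src_matches(pattern: str, value: str) -> bool:
    """Src column: CIDR if it contains '/', otherwise a glob such as '10.1.*'."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(value, pattern)


def _entry_matches(e: NarEntry, r: Request) -> bool:
    # An entry may name a single AAA client or a whole Network Device Group.
    client_ok = e.client in ("*", r.aaa_client, r.ndg)
    return client_ok and fnmatch.fnmatchcase(r.port, e.port) and _src_matches(e.src, r.src)


def nar_allows(nar: Optional[Nar], r: Request) -> bool:
    """No NAR configured: the group may log in to every AAA client (fail open)."""
    if nar is None or not nar.entries:
        return True
    matched = any(_entry_matches(e, r) for e in nar.entries)
    return matched if nar.mode == "permit" else not matched


def acs_group_for(ad_groups: List[str], mapping: List[Tuple[str, str]]) -> Optional[str]:
    """First mapping row whose AD group the user belongs to wins (assumed order rule).
    No row matched means 'all other combinations = No Access'."""
    for ad_group, acs_group in mapping:
        if ad_group in ad_groups:
            return acs_group
    return None


def authorize(ad_groups: List[str], mapping: List[Tuple[str, str]],
              nars: Dict[str, Optional[Nar]], r: Request) -> Tuple[bool, str]:
    g = acs_group_for(ad_groups, mapping)
    if g is None:
        return False, "no access: user is in no mapped AD group"
    if not nar_allows(nars.get(g), r):
        return False, f"denied by NAR of {g}"
    return True, g


# Constructed sample policy modelled on the scenario in the thread.
MAPPING = [("Firewall-Vendor", "Group1"), ("Network-Vendor", "Group2"), ("Domain Users", "Group3")]
NARS: Dict[str, Optional[Nar]] = {
    "Group1": Nar("permit", [NarEntry(client="Firewalls", src="203.0.113.0/24")]),
    "Group2": Nar("permit", [NarEntry(client="Routers"), NarEntry(client="Switches")]),
    "Group3": Nar("deny", [NarEntry(client="Firewalls"), NarEntry(client="Routers"),
                           NarEntry(client="Switches")]),
    "Group4": None,   # group with no NAR: allowed everywhere
}


def demo() -> Dict[str, Tuple[bool, str]]:
    fw = Request("fw-edge-1", "tty1", "203.0.113.10", ndg="Firewalls")
    rtr = Request("rtr-core-1", "tty1", "203.0.113.10", ndg="Routers")
    vpn = Request("vpn-1", "async1", "198.51.100.7", ndg="VPN")
    return {
        "fw_vendor_on_firewall": authorize(["Firewall-Vendor"], MAPPING, NARS, fw),
        "fw_vendor_on_router": authorize(["Firewall-Vendor"], MAPPING, NARS, rtr),
        "fw_vendor_wrong_src": authorize(["Firewall-Vendor"], MAPPING, NARS,
                                         Request("fw-edge-1", "tty1", "192.0.2.5", ndg="Firewalls")),
        "net_vendor_on_router": authorize(["Network-Vendor"], MAPPING, NARS, rtr),
        "employee_on_vpn": authorize(["Domain Users"], MAPPING, NARS, vpn),
        "employee_on_router": authorize(["Domain Users"], MAPPING, NARS, rtr),
        "unmapped_user": authorize(["Contractors"], MAPPING, NARS, fw),
        "no_nar_group": (nar_allows(NARS["Group4"], rtr), "Group4"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

The point worth noticing in the output is the last row: a group with an empty NAR is allowed onto every AAA client, so a deny-style list that happens to be left empty behaves like no restriction at all, while the external-DB mapping is what turns unmapped users away.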