If you allow only one device in "Permitted Calling/Point of Access Locations", then all the remaining devices would be denied access.
If you deny one device, then all the remaining devices would be allowed.
If NARs are not configured, then ACS will allow the user to log in to all AAA clients. The other way is, if you use an external DB, you can set mappings for some groups and deny the rest of the combinations.
ACS ---> Ext DB ---> Ext DB group mapping:

AD Group                      ACS
domain user            <====> Group1
domain admin           <====> Group2
All other combinations <====> No Access

That means only if the user is a part of an AD group (domain admin or domain user) will ACS authorize that user as per the conditions defined in the ACS groups, BUT any user who is not a part of the above AD groups would not be allowed to log in, because we have set the mapping (all other combinations = No Access).
So, in your scenario, this is what you need to do:
Let's say we have ACS group 1 (we want this group to be allowed access only to firewalls).
We will set up NARs as per the attached file. You need to set up both IP-based and CLI/DNIS-based NARs.