Cisco Support Community
New Member

Verify Group access in ACS

I am trying to understand how to configure more granular access to the network via group network access restriction.

Basically, we have several groups set up, but I think they are all allowed access to everything.

I have remote users that work for the company that need access to network resources, but none of the network gear.

We also have third parties that have access to firewalls for management, and another third party that has access to routers and switches.

I need to make sure everything is controlled and they only have access to what we want to allow.

What does "Shared Network Access Restrictions" allow you to do?

I am unable to view anything in "View IP NAR" after selecting the "Only allow network access when"

In Per Group Defined Network Access Restrictions, I have the checkmark on "Define IP Based access restrictions"


"Permitted Calling/Point of access Locations"

Do you set one as permit and the other as deny?

What if you want to allow access to servers, do you have to add every port in the box shown?

If Network Access Restrictions are not configured, does the user in that group have access to everything?

Re: Verify Group access in ACS


If you allow only one device in "Permitted Calling/Point of access Locations" then all the rest of the devices would be denied access.

If you deny one device then all the rest of the devices would be allowed.

If NARs are not configured then ACS will allow the user to log in to all AAA clients. But another way is, if you use an ext DB, then you can set mappings for some groups and deny the rest of the combinations.

Example:

ACS ---> Ext DB ---> Ext DB group mapping

AD Group <====> ACS Group

domain user <====> Group1

domain admin <====> Group2

All other combinations <====> No Access

That means only if a user is part of an AD group (domain admin or domain user) will ACS authorize that user as per the conditions defined in the ACS groups, BUT any user who is not part of the above AD groups would not be allowed to log in, because we have set the mapping (all other combinations = No access).

So, in your scenario this is what you need to do:

Let's say we have ACS group 1 (we want this group to be allowed access only to firewalls).

We will set up NARs as per the attached file. You need to set up both IP-based and CLI/DNIS-based NARs.

Let me know if you have any doubts.



Please rate helpful posts.
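The permit/deny behaviour and the external-database group mapping described in this reply can be modelled offline to check what each group ends up reaching. This is an added example, not part of the original post and not ACS code; the device names, AD groups, ACS group contents and the use of * as a wildcard in NAR entries are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data: device names, AD groups and group contents are hypothetical.
AAA_CLIENTS = ["fw-edge-1", "fw-dmz-1", "rtr-core-1", "sw-access-1"]

# AD group -> ACS group; any AD group not listed falls under "no access".
GROUP_MAPPING = {"vendor-fw": "Group1", "vendor-net": "Group2", "remote-staff": "Group3"}

# Per-group IP-based NAR: mode is "permit" or "deny"; each entry is
# (AAA client pattern, port pattern, address pattern). None = no NAR configured.
GROUP_NAR = {
    "Group1": ("permit", [("fw-*", "*", "*")]),  # firewalls only
    "Group2": ("deny", [("fw-*", "*", "*")]),    # everything except firewalls
    "Group3": None,                              # nothing configured
}

def nar_allows(nar, client, port="*", address="*"):
    """Permit list: only listed entries pass. Deny list: everything else passes."""
    if nar is None:
        return True  # no NAR: the user may log in to every AAA client
    mode, entries = nar
    hit = any(fnmatchcase(client, c) and fnmatchcase(port, p) and fnmatchcase(address, a)
              for c, p, a in entries)
    return hit if mode == "permit" else not hit

def access_matrix(ad_group):
    """Map each AAA client to True/False for a user in the given AD group."""
    acs_group = GROUP_MAPPING.get(ad_group)
    if acs_group is None:  # "all other combinations" -> no access
        return {c: False for c in AAA_CLIENTS}
    return {c: nar_allows(GROUP_NAR.get(acs_group), c) for c in AAA_CLIENTS}

def unrestricted_groups():
    """Mapped ACS groups with no NAR, i.e. groups that reach every AAA client."""
    return sorted(g for g in set(GROUP_MAPPING.values()) if GROUP_NAR.get(g) is None)

if __name__ == "__main__":
    for ad in ["vendor-fw", "vendor-net", "remote-staff", "contractors"]:
        allowed = [c for c, ok in access_matrix(ad).items() if ok]
        print(f"{ad:13} -> {allowed or 'no access'}")
    print("groups without a NAR:", unrestricted_groups())
```

In this constructed data the remote-staff group has no NAR, so the model reports it as able to log in to every firewall, router and switch.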

New Member

Re: Verify Group access in ACS

Thank you for the informative post.

Does the document show that wildcard (*) can be used for all ports and all addresses?

In "IP Based Access Restriction" can I use the groups defined in "Network Configuration" in the ACS?

What is the difference between "IP Based Access Restriction" and "CLI/DNIS access restriction"?

Why do I need to define both of the above?

Re: Verify Group access in ACS

Hi Wilson,

Yes, in IP-based access restriction you can use groups defined in "Network Configuration" in the ACS.

CLI/DNIS is used in restricting an AAA client when you do not have an established IP-based connection, like PPP or wireless.

It is not necessary to use both. If the incoming request has an IP address then there is no need to use a CLI-based NAR.


