Cisco Support Community
Community Member

ACS 3.0 overlapping device groups

Trying to restrict users to a single device group, e.g. 172.17.*.*. I can get it to work fine using "Network Configuration -> Network Device Groups" but I can't set up overlapping NDGs.

Now I can't get NAR to restrict access.

** My NAR called "172.17-Europe" looks like

Define IP-based access restrictions - ticked

Table defines = Permitted Calling/Point of Access Locations

AAA Client = "All AAA Clients"

Port = *

Src IP Address = 172.17.*.*

** My group looks like

Only allow network access when - ticked

Any one selected NAR results in permit - selected

Selected-NARs=172.17-Europe

When I attempt to telnet and log in to any 172.17 device, Failed Attempts.csv reports:

Message Type = Authen failed

Authen Failure Code = User Access Filtered

If I can get this working I then want to create additional NARs which are subsets of the 172.17 domain, e.g. 172.17.20-London or 172.17.*.1-Europe-routers.

Thanks in advance.

2 REPLIES

Re: ACS 3.0 overlapping device groups

Oftentimes complex configuration/troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

Community Member

Re: ACS 3.0 overlapping device groups

Some trial and error in the lab proved successful.

AAA Clients cannot overlap

NDGs cannot overlap

BUT NARs can overlap

It's a bit messy but works. On to the next problem: applying priv levels to diff users in diff groups on diff overlapping device groups.
