Restrict dial in user to specific port of NAS using ACS2.6

ysuardi · ‎01-22-2002

We are using Cisco ACS 2.6 and need to restrict some of the users only

can dial in to specific port of NAS. It means that the users can only dial in to certain telephone number.

Anybody know how to do it?

wcarballo · ‎01-22-2002

You can make this solution merging the access server facilities (as5300 etc.) and Cisco Secure Configuration. What Cisco secure (unix) and version you have and what kind of access servers.

My E-mail is wcarball@gbm.net or w_carballo@yahoo.com

ysuardi · ‎01-22-2002

We are using Cisco Secure ACS ver.26 Windows NT and the access server is Cisco Router 2600 series. The interfaces serial of the router is configured as physical-layer async.

wcarballo · ‎01-23-2002

you can make one modem-pool in the 2600 and assign the DNIS number to this pool and assort the ports that you need in this pool and in the other hand you can use authorization filters applied to group to limit the access for this tty ports previously assigned to the modem pool, whe haved some configurations similar to this situation although with Cisco Secure for Unix and AS5300 and AS5800

ysuardi · ‎01-23-2002

I found the information on the Web that DNIS is only for ISDN Connection. In our case we are not using ISDN but only PPP connection with the serial of the router configured as physical asynchronous.

I think the only way is configuring NAS/Port on Cisco ACS. But I still confused what should I key in for NAS/PORT and value. I cannot found any detail information on Cisco secure ACS2.6 documentation.

vijkrish · ‎01-24-2002

Please try this:

NAS - name as you defined in network configuration

PORT - for async PPP, example would be: Async35

if the incoming line is on this one.

If you are not sure, check the actual port value that is sent in the debugs to the ACS (debug radius/tacacs will show this). Use that information in the port value.

ACS 3 has improved documentation which mentions this:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/c.htm#xtocid100117

Pls. let us know if this solves your issue or not. Thanks.

ysuardi · ‎01-24-2002

I still cannot solve this issue and always got the message " user access filtered" in reports and activity on the ACS.

if I checked Dial-up (PPP/ARAP) Access Control

Table Defines: Permitted Calling/Point of Access Locations

Type : NAS/PORT ( I choose this because I am no using ISDN connection )

Value: ? ( Still no so sure what should i use , I have tested using serial1/0, tty33 but still problem )

Interface Dial Configuration:

interface Serial1/5

physical-layer async

ip unnumbered Loopback1

encapsulation ppp

ip tcp header-compression passive

async mode interactive

peer default ip address pool jakarta-pool

ppp authentication chap pap dial-in

Debug Result

1w0d: AAA/AUTHEN/START (4078173987): port='Serial1/0' list='dial-in' action=LOGIN service=PPP

1w0d: AAA/AUTHEN/START (4078173987): found list dial-in

1w0d: AAA/AUTHEN/START (4078173987): Method=tacacs+ (tacacs+)

1w0d: TAC+: send AUTHEN/START packet ver=193 id=4078173987

1w0d: TAC+: Using default tacacs server-group "tacacs+" list.

1w0d: TAC+: Opening TCP/IP to 10.4.6.11/49 timeout=5

1w0d: TAC+: Opened TCP/IP handle 0x80EADAE0 to 10.4.6.11/49

1w0d: TAC+: 10.4.6.11 (4078173987) AUTHEN/START/LOGIN/CHAP queued

1w0d: TAC+: (4078173987) AUTHEN/START/LOGIN/CHAP processed

1w0d: TAC+: ver=193 id=4078173987 received AUTHEN status = FAIL

1w0d: AAA/AUTHEN (4078173987): status = FAIL

1w0d: TAC+: Closing TCP/IP 0x80EADAE0 connection to 10.4.6.11/49

1w0d: AAA/MEMORY: free_user (0x80EAE294) user='ysdi' ruser='' port='Serial1/0' rem_addr='async' authen_type=CHAP service=PPP priv=1

1w0d: %LINK-5-CHANGED: Interface Serial1/0, changed state to reset

1w0d: %LINK-3-UPDOWN: Interface Serial1/0, changed state to down