
Using Network Access Restrictions with Easy ACS 2.4

fethi
Level 1

Hello,

I must use Network Access Restrictions with Easy ACS 2.4 for PPP dial-up users, and I have not found any information about how to use it or the syntax.

I want to use it for restricting the access for some users to just some routers and access servers.

Another thing: does it work with another RAS not from Cisco?

Thanks in advance.

7 Replies

tepatel
Cisco Employee

You can download the per-user access-list from the ACS to the Cisco router.

Here is the place which explains how to configure the router with the RADIUS server:

http://www.cisco.com/warp/public/480/radius_ACL1.html#

If you use TACACS, here is the link.

http://www.cisco.com/warp/public/480/tacacs_ACL1.html

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcperusr.htm

Yes, the Cisco Secure ACS does work with other RAS too.

Hello,

Thank you for your response but my problem is that we have 2 routers A and B with users dialing in using PPP sessions.

I want to deny access for some users on router A but allow it on router B, and vice versa for the others. Some users are even allowed access only on some ports of a router.

I have read somewhere that I can do that using the "Network Access Restrictions" but I've not found the syntax for using it.

Do you have an example?

Thanks.

Fethi OUALI.

tepatel
Cisco Employee

So you have two routers pointed to the same RADIUS server, right?

You can configure the access-list on the router itself and get the "Filter-Id" on a per-user basis from the RADIUS server.

If you want to deny access on one router and allow it on the other, then you need to have a separate definition of that "Filter-Id" on each router.

The link below discusses that.

http://www.cisco.com/warp/public/480/radius_ACL1.html

Thank you for your help.

But what you said is for assigning a per-user access-list.

Me, I want to deny the access for dial-in users, just at the level of the authentication.

So for example, when they dial on router A, they are denied access, and when they dial on router B, they are allowed access, and both routers A and B are pointing to the same RADIUS server.

What's the idea?!

Fethi OUALI.

tepatel
Cisco Employee

You can do that. Let me get it straight: you need to get the call accepted if it is dialed on one Access Server and reject the call if the same user dials in to another AS, right?

What kind of routers (Access Servers) and dial-in lines on those Access Servers do you have? Same number for all AS or different?

The feature you need is RPM (Resource Pool Manager), so based on Caller ID, the Access Server will reject/accept the call. In this case, the important thing is that you need to have Caller ID enabled on the dial-in lines so that the Access Server can screen it.

Or you can have the RADIUS server accept/deny the call based on Caller ID.

I have two routers: a 3640 and a 3660 with asynchronous lines (NM-16AM modules). Each router has its own phone number but the Telco can't enable the Caller ID option. So I can't use any solution based on the Caller ID option!

I think the "Network Access Restrictions", part "Dial-up (ppp...", is the only way to do that. And now the problem is: how to use it?

Fethi OUALI

tepatel
Cisco Employee

On a POTS line, DNIS or CLID is out of the question. Now we have to let the call go through and block the network access using "access-list".

It's not that easy now. Here is a possible way, I think.

So let's say for user A, in the profile define filter-id=101.

Now if you want user A to work OK on 3600-1, then define access-list 101 on that router which permits the network access.

Now on 3600-2, don't define access-list 101, or block everything under that, so he will not be able to do anything if he dials in to the 3600-2.
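
The Filter-Id approach from the last reply, written out as an added configuration sketch that is not part of the original thread or from Cisco. The server address, key placeholder and AAA method lists are assumptions; the routers are the 3600-1 and 3600-2 named in the reply. Note that the PPP session still authenticates on both routers; only the traffic after authentication differs.

```cisco
! Constructed example: 192.0.2.10 and <shared-secret> are placeholders.
!
! RADIUS profile for user A on the ACS (identical for both routers):
!   Filter-Id = "101"
! For a framed (PPP) session IOS treats a bare number or "101.out" as the
! output list on the user's interface; "101.in" selects the input list.
!
! ---------- 3600-1: user A gets network access ----------
aaa new-model
aaa authentication ppp default group radius
! Network authorization is what makes the router apply per-user
! attributes such as Filter-Id returned in the Access-Accept.
aaa authorization network default group radius
radius-server host 192.0.2.10
radius-server key <shared-secret>
!
access-list 101 permit ip any any
!
! ---------- 3600-2: user A authenticates but is blocked ----------
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10
radius-server key <shared-secret>
!
! An explicit deny is used here instead of leaving list 101 undefined,
! so the result does not depend on how the router handles a missing list.
access-list 101 deny ip any any
```

Running `show ip access-lists 101` on each router after a test call shows which entry the user's traffic matched.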
