New Member

Using Network Access Restrictions with Easy ACS 2.4

Hello,

I must use Network Access Restrictions with Easy ACS 2.4 for PPP dial-up users, and I have not found any information about how to use it or its syntax.

I want to use it to restrict the access of some users to only some routers and access servers.

Another thing: does it work with a RAS that is not from Cisco?

Thanks in advance.

7 REPLIES
Cisco Employee

Re: Using Network Access Restrictions with Easy ACS 2.4

You can download the per-user access-list from the ACS to a Cisco router.

Here is the page that explains how to configure the router with the RADIUS server:

http://www.cisco.com/warp/public/480/radius_ACL1.html#

If you use TACACS+, here is the link:

http://www.cisco.com/warp/public/480/tacacs_ACL1.html

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcperusr.htm

Yes, Cisco Secure ACS does work with other RAS too.

New Member

Re: Using Network Access Restrictions with Easy ACS 2.4

Hello,

Thank you for your response, but my problem is that we have two routers, A and B, with users dialing in using PPP sessions.

I want to deny access for some users on router A but allow it on router B, and vice versa for the others. Also, some users are allowed access only on some ports of a router.

I have read somewhere that I can do that using the "Network Access Restrictions", but I have not found the syntax for using it.

Do you have an example?

Thanks.

Fethi OUALI.

Cisco Employee

Re: Using Network Access Restrictions with Easy ACS 2.4

So you have two routers pointed to the same RADIUS server, right?

You can configure the access-list on the router itself and get the "Filter-Id" on a per-user basis from the RADIUS server.

If you want to deny access on one router and allow it on the other, then you need to have a separate definition of that "Filter-Id" on each router.

The link below discusses that.

http://www.cisco.com/warp/public/480/radius_ACL1.html

New Member

Re: Using Network Access Restrictions with Easy ACS 2.4

Thank you for your help.

But what you said is for assigning a per-user access-list.

What I want is to deny access for dial-in users at the authentication level itself.

So, for example, when they dial in on router A they are denied access, and when they dial in on router B they are allowed access, with both router A and B pointing to the same RADIUS server.

What's the idea?

Fethi OUALI.

Cisco Employee

Re: Using Network Access Restrictions with Easy ACS 2.4

You can do that. Let me get it straight: you need the call accepted if it is dialed in on one Access Server, and rejected if the same user dials in on another AS. Right?

What kind of routers (Access Servers) and dial-in lines do you have on those Access Servers? The same number for all AS, or different ones?

The feature you need is RPM (Resource Pool Manager): based on Caller ID, the Access Server will reject or accept the call. In this case, the important thing is that you need to have Caller ID enabled on the dial-in lines so that the Access Server can screen it.

Or you can have the RADIUS server accept/deny the call based on Caller ID.

New Member

Re: Using Network Access Restrictions with Easy ACS 2.4

I have two routers: a 3640 and a 3660 with asynchronous lines (NM-16AM modules). Each router has its own phone number, but the Telco can't enable the Caller ID option. So I can't use any solution based on the Caller ID option!

I think the "Network Access Restrictions", part "Dial-up (PPP...)", is the only way to do that. And now the problem is: how do I use it?

Fethi OUALI

Cisco Employee

Re: Using Network Access Restrictions with Easy ACS 2.4

On a POTS line, DNIS or CLID is out of the question. Now we have to let the call go through and block network access using an "access-list".

It's not that easy now; here is the possible way that I can think of.

So let's say for user A, in the profile define Filter-Id=101.

Now, if you want user A to work OK on 3600-1, then define access-list 101 on that router so that it permits network access.

Now on 3600-2, don't define access-list 101, or block everything under it, so he will not be able to do anything if he dials in to 3600-2.
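The per-user Filter-Id approach from the reply above, written out as a configuration example (added here, not from the original thread or from Cisco's documentation). Assumptions: the RADIUS server is 192.0.2.10, the user is "userA", the async lines are 33-48 on both routers, and the user profile is shown in generic RADIUS users-file notation, since the exact ACS 2.4 screen layout is not given on the page. The second router takes the "block everything" option rather than leaving the list undefined, so the result does not depend on how the router treats a reference to a missing access list.

```cisco
! ---- RADIUS user profile (generic users-file notation; in ACS this is
!      IETF RADIUS attribute 11, Filter-Id, set on the user). ----
! "101.in" tells IOS to apply access-list 101 inbound on the user's
! PPP interface; the same value is sent to whichever router the user dials.
userA  Cleartext-Password := "REPLACE-WITH-USER-PASSWORD"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Filter-Id = "101.in"

! ---- Router 3600-1: user may reach the network ----
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key REPLACE-WITH-SHARED-SECRET
!
! List 101 on this router permits everything, so userA works here.
access-list 101 permit ip any any
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication chap
 group-range 33 48

! ---- Router 3600-2: same Filter-Id, but list 101 denies everything ----
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key REPLACE-WITH-SHARED-SECRET
!
! Explicit deny with "log": the PPP session still comes up, but every
! packet from userA is dropped and produces a syslog entry, which gives
! the operator a record of who dialed the wrong router.
access-list 101 deny ip any any log
!
interface Group-Async1
 ip unnumbered Ethernet0/0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ppp authentication chap
 group-range 33 48
```

A user who should be allowed on 3600-2 but not on 3600-1 gets a different Filter-Id (for example "102.in") with the permit and deny lists swapped on the two routers; "show ip interface" on the user's async line confirms which inbound list was actually applied.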
