NAR would restrict access to a selected list of networking devices for users in that group. This won't prevent users in our AD from authenticating to the networking device because we have unknown user policy enabled to pass the authentication to AD.
It sounds like you may need to structure ACS a little. So you want to create a group called "VPN-CLNT" and drop those users in for VPN access to a PIX? The way I did mine is, since a user can only be a member of one grp, then for each department I have subgrps. I create vpn groups for each dept, for instance (HR:RMT), and tie these users to users that need to VPN and have Wireless. But then I have the base (HR) group with a "deny" any created as a placeholder for future use such as Clean Access. Every organization has their own way of doing it. But anyway r.perera is right about using NAR. But you do have to enable NAR on all the other groups to deny or permit authentication to your NAS devices. That's why I'm recommending that it would be a good time to plan out your layout so applying NARs won't be so painful and confusing. Hopefully that helps.