5-7
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 5 Setting Up and Managing Shared Profile Components
Network Access Restrictions
In setting up a NAR you can choose whether the filter operates positively or
negatively. That is, you specify in the NAR whether to permit—or deny—access
from AAA clients that send information that matches the information stored in the
NAR. However, if a NAR encounters insufficient information to operate, it
defaults to denied access. This is shown in Table 5-1.
Cisco Secure ACS supports two basic types of NARs:
• IP-based restrictions where the originating request relates to an existing IP
address.
• Non-IP-based filters for all other cases where automatic number
identification (ANI) may be used.
IP-based restrictions are based on one of the following attribute fields, depending
on the protocol the AAA client uses:
• If you are using TACACS+—The rem_addr field is used.
• If you are using RADIUS IETF—The calling-station-id (attribute 31)
and
called-station-id (attribute 30) fields are used.
AAA clients that do not provide sufficient IP-address information (for example,
some types of firewall) do not support full NAR functionality.
A non-IP-based NAR is a list of permitted or denied “calling”/ “point of access”
locations that you can employ in restricting a AAA client when you do not have
an IP-based connection established. The non-IP-based NAR generally uses the
calling line ID (CLI) number and the Dialed Number Identification Service
(DNIS) number.
However, by entering an IP address in place of the CLI you can use the
non-IP-based filter even when the AAA client does not use a Cisco IOS release
that supports CLI or DNIS. In another exception to entering a CLI, you can enter
a MAC address to permit or deny; for example, when you are using a Cisco
Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC
address in place of the DNIS. The format of what you specify in the CLI
Table 5-1 NAR Permit/Deny Conditions
Match No Match Insufficient Information
Permit Access Granted Access Denied Access Denied
Deny Access Denied Access Granted Access Denied
To Next Page
Loading...
Need help?
General