https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165125#M138030 <HTML><HEAD></HEAD><BODY><P>Thanks Brian. I am glad that I was able to help. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Wed, 20 Mar 2013 05:29:41 GMT Amjad Abdullah 2013-03-20T05:29:41Z https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165122#M137937 <P>We use ACS 4.1's RADIUS implementation for both wireless 802.1x and for our old PIX 515E authentication, along with a couple other devices.</P><P></P><P>We're attempting to migrate users off of the PIX, and want a method of disabling their ability to login via the PIX once we have migrated them to the new remote access method.</P><P></P><P>The passed authentication logs in ACS do show the IP of our PIX under "NAS-IP-Address" as the source of the auth attempt.</P><P></P><P>Is there a relatively simple/easy way to block attempts from that IP (causing those attempts to fail) while allowing the wireless and other systems to proceed as normal on a per-user basis?</P> Mon, 11 Mar 2019 03:12:17 GMT https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165122#M137937 brian.emil.harris 2019-03-11T03:12:17Z https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165123#M137968 <HTML><HEAD></HEAD><BODY><P>Brian:</P><P>If I understood correctly, you need to allow users to connect to the wifi but prevent same users from connecting via PIX.</P><P>What you can do is to create a Network Access Restriction (NAR) config under the gorup config (or under user config if per-user basis).</P><P></P><P>see this image:</P><P></P><P><IMG src="http://i.imgur.com/QSsH5Sf.png" /> </P><P></P><P>If you do not see the network access restriciton config under the user and/or group config, you can enable it from Interface configuration -&gt; Advanced options.</P><P></P><P></P><P>HTH</P><P></P><P>Amjad</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Sat, 16 Mar 2013 07:18:16 GMT https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165123#M137968 Amjad Abdullah 2013-03-16T07:18:16Z https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165124#M138001 <HTML><HEAD></HEAD><BODY><P>Excellent, thank you very much!&nbsp; That does it, perfectly!</P></BODY></HTML> Tue, 19 Mar 2013 15:42:38 GMT https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165124#M138001 brian.emil.harris 2013-03-19T15:42:38Z https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165125#M138030 <HTML><HEAD></HEAD><BODY><P>Thanks Brian. I am glad that I was able to help. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Wed, 20 Mar 2013 05:29:41 GMT https://community.cisco.com/t5/network-access-control/cisco-secure-acs-4-1-blocking-authentication-attempts-to-a/m-p/2165125#M138030 Amjad Abdullah 2013-03-20T05:29:41Z