https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145581#M405390 <HTML><HEAD></HEAD><BODY><P>Hi ,</P><P></P><P>Did you use IP based network access restriction?</P><P></P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml" target="_blank">http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Mon, 25 May 2009 12:47:10 GMT Jagdeep Gambhir 2009-05-25T12:47:10Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145580#M405387 <P>Hello,</P><P></P><P>I have many devices that are authenticated by ACS by one user account, it was required to seperate the access to security devices (firewall) from network devices (switches and router).</P><P>i have created 2 users and used NAR. in this case i was able to access network devices with only the account created (all these devices uses tacacs) </P><P>but the problem is that when i access ASA firewall ( uses radius protocol) i can access by the second account created and also the account for the switches and routers.</P><P></P><P>Any idea how to work on radius protocol.</P><P></P><P></P><P>Regards,</P><P>George</P> Sun, 10 Mar 2019 23:30:20 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145580#M405387 gaboughanem 2019-03-10T23:30:20Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145581#M405390 <HTML><HEAD></HEAD><BODY><P>Hi ,</P><P></P><P>Did you use IP based network access restriction?</P><P></P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml" target="_blank">http://cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Mon, 25 May 2009 12:47:10 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145581#M405390 Jagdeep Gambhir 2009-05-25T12:47:10Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145582#M405392 <HTML><HEAD></HEAD><BODY><P>Hello JG , thank you for your respond.</P><P></P><P>yes i have used NAR. actually as said that i have separated the devices into two groups, one group for switches and another group for firewalls. Then i created 2 users and applied NAR at the user level, one is used to access the switches ONLY and other to access firewalls ONLY. The problem is that when i try to access the switches with its account created it works fine (i mean i cannot access with the account that i created for firewall), but when i access the firewall i can access the firewall with both account (including the user account created for switches).</P><P></P><P>any idea ?</P><P></P><P>Thank you and Regards,</P><P>George</P></BODY></HTML> Mon, 25 May 2009 17:02:24 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145582#M405392 gaboughanem 2009-05-25T17:02:24Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145583#M405395 <HTML><HEAD></HEAD><BODY><P>So the NARs work when the authentication is TACACS but fails when RADIUS.</P><P></P><P>This will be because ACS looks at incoming attributes to decide which type of NAR should be applied (regardless of whats been configured). Basically the caller-id attribute needs to contain an ip-address for it to work with IP based NARs.</P><P></P><P>Try duplicating the ip-based NAR (as best you can) as a non-ip NAR.</P><P></P><P>TIP: if you have the software version of ACS you can run CSRadius -z -p to get a full dump of the inbound packet. You can use this to see whats in the Calling and Called-Station-Id attributes.</P><P></P><P></P></BODY></HTML> Tue, 26 May 2009 12:18:03 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145583#M405395 darpotter 2009-05-26T12:18:03Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145584#M405398 <HTML><HEAD></HEAD><BODY><P>Hi George,</P><P>"IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id </P><P>(31) attribute. The Calling-Station-Id (31) must contain a valid IP address."</P><P></P><P>So check RDS.log for the authentication request and see what value is there for attribute 31.</P><P></P><P>Also what is the software version of ACS?</P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P></BODY></HTML> Tue, 26 May 2009 13:38:58 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145584#M405398 Jagdeep Gambhir 2009-05-26T13:38:58Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145585#M405402 <HTML><HEAD></HEAD><BODY><P>hello JG,</P><P></P><P>i am using ACS version 4.2, please can u send a link where i can find an example that explain more on this subject.</P><P></P><P>Thank you and Regards,</P></BODY></HTML> Wed, 27 May 2009 18:37:46 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145585#M405402 gaboughanem 2009-05-27T18:37:46Z https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145586#M405407 <HTML><HEAD></HEAD><BODY><P>Please see this link,</P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml" target="_blank">http://cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml</A></P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Wed, 27 May 2009 20:09:56 GMT https://community.cisco.com/t5/network-access-control/restriction-through-radius/m-p/1145586#M405407 Jagdeep Gambhir 2009-05-27T20:09:56Z