https://community.cisco.com/t5/network-access-control/acs-3-3-access-restriction-question/m-p/616482#M422636 <HTML><HEAD></HEAD><BODY><P>In theory NARs should work for you - depending on what the ASA sticks in its authentication request.</P><P></P><P>For layer 2 authentications ACS applies CLI/DNIS NARs. Traditionally with dial the AAA client would put the calling number and called number into the RADIUS attributes: Calling-Station-Id and Called-Station-Id respectively.</P><P></P><P>With 802.1x devices stick the MAC address of the endpoint into Calling-Station-Id.</P><P></P><P>If the ASA does this to you can create a CLI/DNIS NAR just for this user (in the user record) that has a single permit entry:</P><P></P><P>AAA Client = All AAA Clients</P><P>Port = *</P><P>CLI = <MAC address="" of="" user=""></MAC></P><P>DNIS = *</P><P></P><P>Note that user level NARs need to be enabled under interface config first.</P><P></P><P>Darran</P></BODY></HTML> Wed, 18 Oct 2006 09:43:02 GMT darpotter 2006-10-18T09:43:02Z https://community.cisco.com/t5/network-access-control/acs-3-3-access-restriction-question/m-p/616481#M422634 <P>Hello all. We're currently running ACS 3.3.3 and are wanting to restrict access for a particuler user based up on his MAC address, simply wether or not he can connect or not. It doesn't necessarly need to be the MAC, but something unique to that Host, the hostname, mac address, ect. We can't use the IP as it is DSL and dhcp. The user will have full rights, but we just want him coming off a particuler machine(laptop). He would be going through our ASA5520. Any ideas?</P> Sun, 10 Mar 2019 21:48:04 GMT https://community.cisco.com/t5/network-access-control/acs-3-3-access-restriction-question/m-p/616481#M422634 raun.williams 2019-03-10T21:48:04Z https://community.cisco.com/t5/network-access-control/acs-3-3-access-restriction-question/m-p/616482#M422636 <HTML><HEAD></HEAD><BODY><P>In theory NARs should work for you - depending on what the ASA sticks in its authentication request.</P><P></P><P>For layer 2 authentications ACS applies CLI/DNIS NARs. Traditionally with dial the AAA client would put the calling number and called number into the RADIUS attributes: Calling-Station-Id and Called-Station-Id respectively.</P><P></P><P>With 802.1x devices stick the MAC address of the endpoint into Calling-Station-Id.</P><P></P><P>If the ASA does this to you can create a CLI/DNIS NAR just for this user (in the user record) that has a single permit entry:</P><P></P><P>AAA Client = All AAA Clients</P><P>Port = *</P><P>CLI = <MAC address="" of="" user=""></MAC></P><P>DNIS = *</P><P></P><P>Note that user level NARs need to be enabled under interface config first.</P><P></P><P>Darran</P></BODY></HTML> Wed, 18 Oct 2006 09:43:02 GMT https://community.cisco.com/t5/network-access-control/acs-3-3-access-restriction-question/m-p/616482#M422636 darpotter 2006-10-18T09:43:02Z