Trying to restrict users to a single device group e.g. 172.17.*.*. I can get it to work fine using "Network Configuration-> Network Device Groups"but I can't set up overlapping NDGs.

Now I can't get NAR to restrict access.

** My NAR call "172.17-Europe" looks like

Define IP-based access restrictions - ticked

Table defines = Permitted Calling/Point of Access Locations

AAA Client = "All AAA Clients"

Port = *

Src IP Address = 172.17.*.*

** My group looks like

Only allow network access when - ticked

Any one selected NAR results in permit - selected

Selected-NARs=172.17-Europe

When I attempt to telnet and login to any 172.17 device, Failed Attempts.csv reports....

Message Type = Authen failed

Authen Failure Code = User Access Filtered

If I can get this woirking I then want to create additional NAR which are subsets of the 172.17 domain e.g. 172.17.20-London or 172.17.*.1-Europe-routers.

Thanks in advance.