Re: ACS 3.3

nawas · ‎05-30-2007

I'm using ACS 3.3 and I'm trying to restrict telnet access to some subnets only. Is there any option in the ACS that can be accomplished with?

Jagdeep Gambhir · ‎05-30-2007

Hi Nawas,

You mean to restrict ONLY telnet access or you want to deny access using all modes like telnet, SSH, HTTP/s etc.

If you want to deny all modes to a specific AAA Clients, then you can use NAR's

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095

Regards,

nawas · ‎05-30-2007

No, I want to allow some users to (5 users) to access telnet only to subnet like 10.9.x.x and 10.8.x.x. and other users to access everything.

Premdeep Banga · ‎06-01-2007

Still the answer is NAR,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

You need to apply NAR on per user basis, for those 5 users, and nothing on rest of them.

Resulting, Rest of them will have full access.

And under IP based NAR for these 5 users on user basis, restrict them to subnet

Use Shared Profile component section,s NAF and NAR together, and then apply it on user level.

10.9.*.* (Create a NAF for this)

Port : *

Address : *

10.8.*.* (Create a NAF for this)

Port : *

Address : *

NAF : Available on 4.x, else if you have 3.x, then it depends on how you have created your NDG, else it depends on how you have created AAA clients on ACS, lots of combinations possible. To summarize it all.

You have to play with it.

Regards,

Prem

Regards,

Prem