Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
886
Views
0
Helpful
3
Replies

Cisco Secure ACS 4.1 - blocking authentication attempts to a specific host

Go to solution
brian.emil.harris
Level 1
Level 1

‎03-15-2013 02:21 PM - edited ‎03-10-2019 08:12 PM

We use ACS 4.1's RADIUS implementation for both wireless 802.1x and for our old PIX 515E authentication, along with a couple other devices.

We're attempting to migrate users off of the PIX, and want a method of disabling their ability to login via the PIX once we have migrated them to the new remote access method.

The passed authentication logs in ACS do show the IP of our PIX under "NAS-IP-Address" as the source of the auth attempt.

Is there a relatively simple/easy way to block attempts from that IP (causing those attempts to fail) while allowing the wireless and other systems to proceed as normal on a per-user basis?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎03-16-2013 12:18 AM

Brian:

If I understood correctly, you need to allow users to connect to the wifi but prevent same users from connecting via PIX.

What you can do is to create a Network Access Restriction (NAR) config under the gorup config (or under user config if per-user basis).

see this image:

If you do not see the network access restriciton config under the user and/or group config, you can enable it from Interface configuration -> Advanced options.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎03-16-2013 12:18 AM

Brian:

If I understood correctly, you need to allow users to connect to the wifi but prevent same users from connecting via PIX.

What you can do is to create a Network Access Restriction (NAR) config under the gorup config (or under user config if per-user basis).

see this image:

If you do not see the network access restriciton config under the user and/or group config, you can enable it from Interface configuration -> Advanced options.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
brian.emil.harris
Level 1
Level 1
In response to Amjad Abdullah

‎03-19-2013 08:42 AM

Excellent, thank you very much!  That does it, perfectly!

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to brian.emil.harris

‎03-19-2013 10:29 PM

Thanks Brian. I am glad that I was able to help.

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Customers Also Viewed These Support Documents
Top