Configuring Authorisations

a.mayat
Level 1

I have a basic AAA question...

Is it possible with RADIUS to restrict access to certain resources for specific users? In other words, how do I configure an access list on the RADIUS that can be applied to users dialling into the network?

Can these work with Dial-Up(AS5300 & c3600), VPN and WLAN?

Thanks for your help...

6 Replies

Thanks very much for your response...

I have tried to follow the doc through but it has been written for ACS 2.3 Unix, rather than Windows 3.1. However, I think the procedure is similar.

The [11] Filter-Id field allows for the input of an ACL number and the direction it works in.

Do you know if there is any more up-to-date documentation with a working example that shows where the ACL entries are written, e.g. permit 10.0.0.0?

Also, do you know if Shiva equipment is able to understand the filter-Id attribute?

Thanks for your help

Check out:

http://www.cisco.com/warp/public/480/radius_ACL1.html

This is a better example. Not sure about Shiva.

Thanks

I am still having problems with this...

The above link shows how you can enable authorisations by having an ACL defined in the NAS and the name referenced in ACS.

What I need to be able to do is restrict access for certain users to specific servers only, can this be done with all the configurations held on the ACS instead of the NAS?

Having an ACL on the NAS is unmanageable, as we have many NAS devices.

Any suggestions?

Thanks again for your help

You can use per-user virtual profiles and assign the ACLs to the user, such as:

RADIUS user profile: foo

    Password = "bar"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0"

You assign the avpair under the custom attributes section. This works when virtual profiles are configured in the NAS. For an example of how, search on the Cisco site for virtual profiles.

Here is the link which explains that in detail with different AAA server config.

http://www.cisco.com/warp/customer/480/radius_ACL1.html
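
One way to keep the "specific servers only" restriction entirely on the RADIUS server, shown as an added example that is not part of the original thread or of Cisco's documentation: a small generator that turns a per-user server allowlist into numbered `ip:inacl#N` AV pairs ending in an explicit deny. The function names and server addresses are hypothetical and constructed for illustration, and the extended-ACL entry form (`permit ip any host ...`) is an assumption that differs from the entry form in the profile posted above.

```python
import ipaddress


def inacl_avpairs(servers, start=1):
    """Build cisco-avpair values that permit only the listed server IPs.

    Assumption: each entry uses extended-ACL syntax. The ACL is inbound on
    the user's interface, so the source is "any" (the user) and the
    destination is the permitted server.
    """
    hosts = []
    for raw in servers:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"only IPv4 hosts are handled here: {raw}")
        if str(addr) not in hosts:  # drop duplicates, keep the given order
            hosts.append(str(addr))
    if not hosts:
        # An empty allowlist is more likely a data error than an intent to
        # lock the user out, so refuse instead of emitting a deny-only ACL.
        raise ValueError("allowlist is empty")
    pairs = [
        f"ip:inacl#{start + i}=permit ip any host {h}"
        for i, h in enumerate(hosts)
    ]
    # Explicit final deny so the profile documents its own default.
    pairs.append(f"ip:inacl#{start + len(hosts)}=deny ip any any")
    return pairs


def render_attributes(servers):
    """Render the authorization attributes in the layout used in the thread."""
    attrs = ["User-Service-Type = Framed-User", "Framed-Protocol = PPP"]
    attrs += [f'cisco-avpair = "{p}"' for p in inacl_avpairs(servers)]
    return ",\n".join(attrs)


if __name__ == "__main__":
    # Constructed sample: this user may reach two servers and nothing else.
    print(render_attributes(["10.1.1.10", "10.1.1.20"]))
```

Because the entries travel in the Access-Accept, the same profile applies on every NAS that has virtual profiles configured, and malformed addresses are rejected before they reach the RADIUS database.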