Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2091
Views
5
Helpful
2
Replies

Configuring NARs on ACS3.0

paul.matthews
Level 5
Level 5

‎01-16-2003 07:35 AM - edited ‎03-10-2019 07:06 AM

I am struggling to get my head around NARS - the documentation says which buttons to press but I am struggling to figure how to do what I want.

Lets says I have a group of uses (600+ and rising) that I want to allow to access via AAA client "concentrator" which is unsurprisingly a VPN Concentrator.

We also have a single user, that I want to allow via aaa client "Radius" which is another radius server.

NARs look to be the way to do it, but I can't seem to get the effect I want.

I have NAR one that has Define IP based... checked, and the table defines set to permitted and I list concentrator there with wildcards set for port and source IP.

I have NAR two that is basically the same but names radius as the point of access.

If I select NAR by going to User/Network Access Restrictions, Check only allow access when and select all selected NARs, I select two and click to move it to selected.

I then attempt a connection from the user via the concentrator (Nonselected AAA client) The ACS permits the request.

What have I misunderstood?

Thanks.

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎01-16-2003 03:44 PM

If this is a VPN3000 concentrator, put it in the "CLI/DNIS based access restrictions" section, not the "IP-based". There's something about the format of the Radius packet the 3000 sends that makes ACS use that section, never have investigated what it is exactly but it's just the way it is.

paul.matthews
Level 5
Level 5
In response to gfullage

‎01-17-2003 01:54 AM

Thanks for that - that bit is working great, but I am obvoiusly missing something even more obvoius.

We are using a telco to provide dial access, and I want to prevent users from using the VPN user and password to access the telco.

I have a NAR that I would like to prevent access via the Telco. I have listed the telcos Radius servers, and following on I have listed them as deny for both IP and CLI. I have assigned the NAR to a group, ang clicking the buttons to view the NARs lists the Radius servers as denied under both CLI and IP.

When I try to use a user applied to the group, it gets permitted. The entry in permitted lists the user against the correct group, but permits it.

Any thoughts?

0 Helpful
Customers Also Viewed These Support Documents