05-23-2012 03:06 PM - edited 03-10-2019 07:07 PM
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting.
I have an Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group, with * for port and address.
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated".
So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.
Thanks for any information you can provide!
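The diagnostic in the post above is the "no filters activated" value in the Passed Authentications report for a user whose group has a NAR. The check below, an added example that is not from the thread or from Cisco, scans a constructed export of that report and flags passed authentications where a group NAR should have applied but no filter ran; the CSV column names and the group-to-device-group policy are assumptions for the example.

```python
import csv
import io

# Assumed policy, constructed for this example: ACS user group -> network device
# groups that the group's NAR is meant to deny. Not taken from the thread's config.
NAR_DENIES = {
    "Network Engineering": {"Juniper Firewalls"},
}

# Constructed sample of an ACS 4.x "Passed Authentications" CSV export. The column
# names are assumed; check them against a real export before relying on this.
SAMPLE_CSV = """Date,Time,Message-Type,User-Name,Group-Name,NAS-IP-Address,Network Device Group,Filter Information
05/23/2012,19:34:10,Authen OK,jdoe,Network Engineering,10.0.0.1,Juniper Firewalls,No Filters activated
05/23/2012,19:35:02,Authen OK,jdoe,Network Engineering,10.0.0.2,Core Switches,No Filters activated
05/23/2012,19:36:44,Authen OK,asmith,Helpdesk,10.0.0.1,Juniper Firewalls,No Filters activated
"""


def find_unenforced_nars(csv_text, policy):
    """Return passed-auth rows that a group NAR should have blocked.

    A row is flagged when the user's group has a NAR against the row's network
    device group, the authentication still passed, and the Filter Information
    field shows that no NAR filter was evaluated at all.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        denied_groups = policy.get(row["Group-Name"], set())
        nar_applies = row["Network Device Group"] in denied_groups
        no_filter_ran = row["Filter Information"].strip().lower() == "no filters activated"
        if nar_applies and row["Message-Type"] == "Authen OK" and no_filter_ran:
            flagged.append((row["User-Name"], row["NAS-IP-Address"], row["Network Device Group"]))
    return flagged


if __name__ == "__main__":
    for user, nas, ndg in find_unenforced_nars(SAMPLE_CSV, NAR_DENIES):
        print(f"NAR not enforced: {user} passed on {nas} ({ndg})")
```

Only the first sample row is flagged: the second row's device group is not covered by the policy, and the third row's user group has no NAR at all.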
05-23-2012 04:41 PM
What did you select from the options listed below?
In order to specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, choose one:
Permitted Calling/Point of Access Locations
Denied Calling/Point of Access Locations
What kind of authentication are you trying?
Please add the screenshots of your NAR settings and Passed Authentications from ACS.
Regards,
Jatin
Do rate helpful posts-
05-23-2012 04:55 PM
I have configured "denied calling point" for both ip and cli with no luck.
Right now I am just putting one device in there, but I plan on putting a device group in when I can test it in a working condition.
The type of authentication is for configuration access to the device. I am trying to block administration access to the device/device group for a particular user group using NAR.
05-23-2012 04:52 PM
You may refer to this link and check if you have configured it in the same way.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Regards,
Jatin
Do rate helpful posts-
05-23-2012 05:12 PM
I read that a few times today, but I just don't seem to get the traction to see what's wrong with my config.
05-23-2012 06:45 PM
What would you see when you reverse it, that is, set it to "Permit calling point of access" and try again?
Also, please provide me the passed authentication logs from ACS reports and monitoring along with the username you are trying with.
Regards,
Jatin
Do rate helpful posts-
05-23-2012 07:34 PM
This is the area where I claimed a test firewall that I want to block administrative access to.
“CBP-1A-FW001”
The group config I am in at the moment is “Network Engineering”
Here is the authentication that is being marked "successful" even though the user is categorized into the correct group and the group has the NAR configured. Notice the "no filters activated". I am sure I am missing something, but I guess I may not understand it to be working as I expect.
05-23-2012 07:41 PM
Thanks for sharing the info I requested. The settings seem to be correctly configured. Just make sure we don't have a NAR configured at the user level, because it always takes precedence over the group-level configuration.
If there are no NAR settings at the user level, then let me know what you see when you reverse it, that is, set it to "Permit calling point of access" and try again.
There is a defect wherein if you select permit under NAR, it actually works as deny and vice versa.
Regards,
Jatin
Do rate helpful posts-
05-23-2012 08:00 PM
OK, well, I did what you wanted and changed the NAR setting from "Deny" to "Permit", and it blocked the account from access. I then tested the account against another device which is not in the NAR and it blocked that one too!
So the result now is: if I place a device in the NAR under Deny, it won't deny it or anything.
If I place a device in the NAR and switch the setting to "Permit", then it blocks everything.
It definitely does stuff but not what I want it to do.
05-23-2012 08:05 PM
Now, try one last thing, disable IP ( just uncheck it) based NAR and just use CLI/DNIS based NAR.
Regards,
Jatin
05-23-2012 08:10 PM
You did it.
I am happy it works but how come it was such a pain to get to this point?
Why is the setting inverted? This is really bad.
I am P.O.C.-ing ISE so I will have bigger fish to fry, but wow, this one stumped me.
05-23-2012 08:20 PM
I agree with you. Lately I have observed some issues with this feature. This could be a possible defect.
We're working with the concerned department. I will reply to this post in a couple of days with some more information.
Regards,
Jatin
05-23-2012 08:25 PM
Now the question... I have other groups where I already use "Deny" to deny these accounts user access to the wireless environment as a client, but I would also like to deny administrative access to the other systems. This would not be possible, as I cannot have Deny and Permit enabled at the same time!