I'm suffering a strange issue with ACS 4.2

CSCO11518107
Level 1

Hi Guys

I'm suffering a strange issue. I have two user groups (wireless users, VPN users):

  • I created a NAR to restrict users: two NAR (network access restriction) groups, a wireless group and a VPN group.
  • I attached the wireless NAR group to the wireless user group, and attached the VPN NAR group to the VPN user group.

Wireless users are supposed to have access only to wireless, and VPN users should only be able to connect to the VPN and not have access to wireless.

The issue: VPN users can access wireless!!!!!

Note that I used ACS 4.2 and an Aruba controller.

Is this a bug in ACS 4.2 or what? Please advise.

1.gif

22.png

33.png

444.png

Accepted Solution

Jagdeep Gambhir
Level 10

Hi,

NAR is based on matching attribute information sent by an AAA client. Therefore the format and content of the attributes that an AAA client
sends are important if we want to employ NARs effectively. It seems that the device (on which the user tried to log on) is not able to send
attributes 30 and 31 to the ACS server, and therefore the NAR is not getting applied.

RADIUS attributes 30 and 31 are required for ACS to process the NAR. This is why many third-party devices do not work properly with ACS
NARs. Also, attribute 32 is used to identify the NAS under Network Configuration only if attribute 4 does not exist in the access-accept
packet. If attribute 4 exists, then 32 is ignored. In summary, attributes 4 and 32 are used to identify the NAS, and attributes 30 and
31 are used to filter based on them.

I would suggest you use both an IP-based and a CLI/DNIS-based NAR, and that should work fine.


Regards,
~JG


Do rate helpful posts!
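The reply's point about which RADIUS attributes a NAR can act on, as an added example that is not part of the original thread and not ACS code: a small Python model of RADIUS attribute parsing, ACS-style NAS identification (4 before 32) and the two NAR types. The attribute numbers are from RFC 2865; the NAS addresses, the Called-Station-Id values and the "not applied when 30/31 are missing" behaviour are assumptions modelled on the reply, with the second request showing why attaching both NARs closes the gap.

```python
import struct
# RADIUS attribute types from RFC 2865 (the numbers the reply refers to).
NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 4, 30, 31, 32

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(blob):
    """Parse a RADIUS attribute blob into {type: value}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs

def nas_identity(attrs):
    """ACS-style NAS identification: attribute 4 wins; 32 is consulted only when 4 is absent."""
    if NAS_IP_ADDRESS in attrs and len(attrs[NAS_IP_ADDRESS]) == 4:
        return ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    if NAS_IDENTIFIER in attrs:
        return attrs[NAS_IDENTIFIER].decode("utf-8", "replace")
    return None

def ip_nar_permits(attrs, permitted_nas):
    """IP-based NAR: permit only if the identified NAS is in the group's permitted list."""
    nas = nas_identity(attrs)
    return nas is not None and nas in permitted_nas

def cli_dnis_nar_permits(attrs, permitted_dnis):
    """CLI/DNIS NAR as modelled on the reply: it matches on attributes 30/31, so a client
    that omits them gives the rule nothing to match and the restriction is not applied."""
    called = attrs.get(CALLED_STATION_ID)
    if called is None or CALLING_STATION_ID not in attrs:
        return True, "attributes 30/31 missing: NAR not applied"
    ok = called.decode("utf-8", "replace") in permitted_dnis
    return ok, "DNIS permitted" if ok else "DNIS not permitted"

def access_permitted(blob, permitted_nas, permitted_dnis):
    """Both NARs attached to the VPN group, as the reply suggests: both must permit."""
    attrs = parse_attrs(blob)
    return ip_nar_permits(attrs, permitted_nas) and cli_dnis_nar_permits(attrs, permitted_dnis)[0]

# Constructed samples (addresses assumed): the wireless controller sends only NAS attributes; the VPN gateway adds 30/31.
WIRELESS_REQ = encode_attrs([(NAS_IP_ADDRESS, bytes([10, 0, 0, 5])), (NAS_IDENTIFIER, b"wlc-1")])
VPN_REQ = encode_attrs([(NAS_IP_ADDRESS, bytes([10, 0, 0, 9])), (CALLED_STATION_ID, b"vpn.example.net"),
                        (CALLING_STATION_ID, b"198.51.100.7")])
VPN_GROUP_NAS, VPN_GROUP_DNIS = {"10.0.0.9"}, {"vpn.example.net"}
```

With only the CLI/DNIS NAR, `WIRELESS_REQ` passes because there is nothing for it to match; adding the IP-based NAR denies it because the wireless controller is not a permitted NAS for the VPN group.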


2 Replies

Thank you very much, it's working fine now.