NAR Confusion ACS3.2

d-g-c
Level 1

I'm getting unexpected results with shared network access restrictions.

For example, I have a user group that can authenticate against a firewall but I don't want to allow them to authenticate to wireless access points.

I have a network group called FIREWALL that contains the firewall AAA clients. And a network group called WIRELESS that contains the wireless AAA clients.

When I apply a NAR that has ip based access restriction that permits access from

FIREWALL Port * IP x.x.x.*

To a user group, members of that group can still authenticate to the wireless access point.

The passed authentication report shows :

Access Filter FIREWALL from USERGROUP1 did not fail any criteria. This is sufficient to satisfy an 'Any Selected' SPC NAR config.

I assumed that if you create a NAR that specifically permits or denies access from an AAA client or group it would work as expected.

Ideally I want to group all my wireless access points into one network group and be able to permit a user or user group access to them using NAR.

Any help or comments would be appreciated.

1 Accepted Solution

andrewclymer
Level 1

Ok, this is a little quirky in the way it's implemented in CiscoSecure.

Basically there are two types of filters:

Dialup/DNIS/CLI and IP.

What happens is that at authentication time the RADIUS server attempts to determine what type of access is being sought.

Is it a LAYER 3 and above style access or is it a LAYER 2 style of access?

It does this by inspecting the CLI field and, if it's an IP address, applies the IP Address filter.

If it does not find a valid IP address it uses the CLI/DNIS filter.

In this particular case a request coming from a wireless AP is considered a CLI/DNIS filter case since this is LAYER 2 access.

If you define in addition a CLI/DNIS filter for these users that DENIES all then I believe it should work as you are hoping.

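To make the selection logic concrete, here is an added example (my own reconstruction of the behaviour described in this answer, not ACS code): a request whose CLI field holds a valid IP address is checked against the IP filter, anything else (a MAC address from a wireless AP) against the CLI/DNIS filter, and a NAR with no filter of the applicable type has nothing to fail. The AAA client groups FIREWALL and WIRELESS come from the question; the addresses, MAC and wildcard pattern are constructed sample values.

```python
"""Model of how ACS 3.2 picks and evaluates a NAR filter per request.
Illustrative reconstruction of the behaviour described in the thread, not ACS code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class NarFilter:
    kind: str      # "ip" (Layer 3 access) or "cli_dnis" (Layer 2, e.g. wireless APs)
    mode: str      # "permit": pass only on a match; "deny": fail on a match
    entries: list  # (AAA client group, CLI/IP pattern); "*" is a wildcard as in ACS


def _wildcard_match(pattern: str, value: str) -> bool:
    """ACS-style wildcard ('x.x.x.*' or '*') matched against a CLI/IP string."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def classify_request(calling_station_id: str) -> str:
    """A valid IP in the CLI field means a Layer-3 request (IP filter);
    anything else (a MAC from a wireless AP) falls to the CLI/DNIS filter."""
    try:
        ipaddress.ip_address(calling_station_id)
        return "ip"
    except ValueError:
        return "cli_dnis"


def filter_passes(f: NarFilter, aaa_group: str, cli: str) -> bool:
    matched = any(g in ("*", aaa_group) and _wildcard_match(p, cli) for g, p in f.entries)
    return matched if f.mode == "permit" else not matched


def nar_permits(filters, aaa_group: str, cli: str) -> bool:
    """'Any Selected': one applicable filter that does not fail is enough.
    With no filter of the applicable type there is nothing to fail, which is
    why an IP-only NAR lets a wireless (MAC-CLI) request through."""
    applicable = [f for f in filters if f.kind == classify_request(cli)]
    return True if not applicable else any(filter_passes(f, aaa_group, cli) for f in applicable)


# Constructed sample data: the IP-only NAR from the question, then the same NAR
# with a matching CLI/DNIS filter added (a CLI/DNIS deny-all entry would also do).
IP_ONLY_NAR = [NarFilter("ip", "permit", [("FIREWALL", "10.1.1.*")])]
FIXED_NAR = IP_ONLY_NAR + [NarFilter("cli_dnis", "permit", [("FIREWALL", "*")])]
FIREWALL_REQ = ("FIREWALL", "10.1.1.25")          # CLI carries the client's IP
WIRELESS_REQ = ("WIRELESS", "00-11-22-33-44-55")  # CLI carries a MAC address

if __name__ == "__main__":
    for name, nar in (("IP-only NAR", IP_ONLY_NAR), ("IP + CLI/DNIS NAR", FIXED_NAR)):
        for grp, cli in (FIREWALL_REQ, WIRELESS_REQ):
            print(f"{name}: {grp} CLI={cli} -> {'PASS' if nar_permits(nar, grp, cli) else 'REJECT'}")
```

Running it shows the wireless request passing under the IP-only NAR and being rejected once the CLI/DNIS filter exists, while the firewall request passes in both cases.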

2 Replies


Yes, I eventually figured this out and you are absolutely correct, the NAR should have a CLI/DNIS filter the same as the IP filter for layer two authentications that don't yet have an IP address assigned.

Thanks for your reply.