
NAR restriction for dialup clients

balazs.szabo
Level 1

Hello,

Just a question: how can I restrict dialup users to certain NAS servers?

We have an ACS 2.6 AAA server and several 3640-based NAS servers for user dialup. The users are collected into a group in the ACS.

We have another group, called ISP. The users in this group can use the internet all over the world; they must dial the given ISP's local NAS number, and all those NASes forward the authentication request to our ACS. So we can centrally manage the direct RAS users and the internet users.

The problem is that a user in a certain group can use the other dialin facility, since all dialin attempts will be authenticated on the same server.

How can I restrict it so that the ISP group can only use the NASes outside of the company and cannot dial in to our dedicated RAS server? And so that the traditional RAS users cannot use the internet (which is given to the ISP users)?

I applied filters in the ACS on the group settings but found no documents on how to set it up exactly. Any help appreciated,

regards,

Balázs


6 Replies

mhoda
Level 5

Hi,

I agree that there is not a clean document on CCO that shows step by step how to configure NAR. But the answer to your specific question is that you need to create 2 NDGs (Network Device Groups) and assign your NASes under the corresponding device group. Then configure CLI/DNIS based NAR, not the IP based one. I am assuming that you are using RADIUS, so here are the details:

DNIS/CLI based NAR
------------------------------
NAR entry    Data source
AAA client   NAS-IP-Address (RADIUS attribute #4), or NAS-Identifier (RADIUS attribute #32) if the above doesn't exist.
Port         NAS-Port (RADIUS attribute #5), or NAS-Port-Id (RADIUS attribute #87) if the above doesn't exist.
CLI          Calling-Station-Id (RADIUS attribute #31)
DNIS         Called-Station-Id (RADIUS attribute #30)

Your DNIS would be the NDG that you have defined for.

This link may be helpful in setting up the above attributes:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007deca.html#983105

Please let me know if this answers your question or if you need more clarification. Thanks,

Mynul
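To make the attribute mapping in the answer above concrete, here is an added example written for this edit; it is not code from the post, from Cisco ACS, or from any Cisco product. It parses a RADIUS Access-Request, fills the four NAR columns (AAA client, port, CLI, DNIS) using the fallbacks the table lists (NAS-Identifier when NAS-IP-Address is absent, NAS-Port-Id when NAS-Port is absent), maps the AAA client to an NDG, and permits or denies the user's group on that NDG. The NDG names, NAS addresses, phone numbers and the all-zero authenticator are constructed sample values, and the deny-by-default rule is the example's own choice, not ACS behaviour.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

# RADIUS attribute numbers named in the post (RFC 2865 / RFC 2869).
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
NAS_PORT_ID = 87
ACCESS_REQUEST = 1

Attrs = List[Tuple[int, bytes]]


def parse_attributes(packet: bytes) -> Attrs:
    """Walk the AVP list after the 20-byte RADIUS header (type, length, value)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs: Attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def first(attrs: Attrs, atype: int) -> Optional[bytes]:
    """Return the value of the first attribute of the given type, or None."""
    return next((v for t, v in attrs if t == atype), None)


def nar_fields(attrs: Attrs) -> Dict[str, Optional[str]]:
    """Fill the NAR columns from the post, applying the listed fallbacks."""
    ip = first(attrs, NAS_IP_ADDRESS)
    if ip is not None and len(ip) == 4:
        aaa_client: Optional[str] = str(ipaddress.IPv4Address(ip))
    else:  # fall back to NAS-Identifier (#32) when NAS-IP-Address (#4) is absent
        ident = first(attrs, NAS_IDENTIFIER)
        aaa_client = ident.decode("ascii", "replace") if ident else None
    raw_port = first(attrs, NAS_PORT)
    if raw_port is not None and len(raw_port) == 4:
        port: Optional[str] = str(struct.unpack("!I", raw_port)[0])
    else:  # fall back to NAS-Port-Id (#87) when NAS-Port (#5) is absent
        pid = first(attrs, NAS_PORT_ID)
        port = pid.decode("ascii", "replace") if pid else None
    cli = first(attrs, CALLING_STATION_ID)
    dnis = first(attrs, CALLED_STATION_ID)
    return {
        "aaa_client": aaa_client,
        "port": port,
        "cli": cli.decode("ascii", "replace") if cli else None,
        "dnis": dnis.decode("ascii", "replace") if dnis else None,
    }


def nar_permits(fields: Dict[str, Optional[str]], user_group: str,
                ndg_of_client: Dict[str, str],
                permitted_ndg: Dict[str, Set[str]]) -> bool:
    """Deny by default: the AAA client must sit in an NDG the user's group may use."""
    ndg = ndg_of_client.get(fields["aaa_client"] or "")
    return ndg is not None and ndg in permitted_ndg.get(user_group, set())


def build_access_request(attrs: Attrs, ident: int = 1) -> bytes:
    """Build a constructed Access-Request; the authenticator is zeroed, not real."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed policy: two NDGs, each group allowed on exactly one of them.
NDG_OF_CLIENT = {"10.1.1.1": "Company-RAS", "10.1.1.2": "Company-RAS", "ISP-NAS-01": "ISP"}
PERMITTED_NDG = {"RAS": {"Company-RAS"}, "ISP": {"ISP"}}

# Constructed sample requests: one from the company 3640, one from an ISP NAS
# that sends NAS-Identifier and NAS-Port-Id instead of the numeric attributes.
REQ_FROM_RAS = build_access_request([
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.1").packed),
    (NAS_PORT, struct.pack("!I", 3)),
    (CALLING_STATION_ID, b"3611234567"),
    (CALLED_STATION_ID, b"3615550100"),
])
REQ_FROM_ISP = build_access_request([
    (NAS_IDENTIFIER, b"ISP-NAS-01"),
    (NAS_PORT_ID, b"tty12"),
    (CALLING_STATION_ID, b"4412345678"),
    (CALLED_STATION_ID, b"4420005555"),
])


def decide(packet: bytes, user_group: str) -> bool:
    """End-to-end: parse, map to NAR columns, evaluate the NDG rule."""
    return nar_permits(nar_fields(parse_attributes(packet)), user_group, NDG_OF_CLIENT, PERMITTED_NDG)


if __name__ == "__main__":
    for name, pkt in (("RAS NAS", REQ_FROM_RAS), ("ISP NAS", REQ_FROM_ISP)):
        for group in ("RAS", "ISP"):
            print(f"{name:8s} group={group}: {'permit' if decide(pkt, group) else 'deny'}")
```

The point to take from the example is the fallback order: a NAR keyed on NAS-IP-Address alone never matches a request that arrives via a proxy carrying only NAS-Identifier, so the NDG lookup must accept both forms of the AAA client, and anything that maps to no NDG should be denied rather than silently passed.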

Sorry, the attributes are not very readable, here are they again:

AAA client : NAS-IP-Address (RADIUS attribute #4), or NAS-Identifier (RADIUS attribute #32) if the above doesn't exist.
Port       : NAS-Port (RADIUS attribute #5), or NAS-Port-Id (RADIUS attribute #87) if the above doesn't exist.
CLI        : Calling-Station-Id (RADIUS attribute #31)
DNIS       : Called-Station-Id (RADIUS attribute #30)

Thanks,

Mynul

Mynul,

Is it certain that this works on ACS 2.6 as well?

The attached document says that it is for ACS 3.0.

thanks,

Balázs

Balázs,

The same procedure should work. In ACS 3.0 you have more options, like the shared profile components option. But the procedure described in the link should work. Please do let me know if it doesn't. Thanks,

Mynul

Mynul,

My problem was that I put the reasonable commands into the NAS/PORT section, and after submitting the change I didn't get the same data that I wrote in. I saw several "?" after the NAS name. I thought that I had made a mistake regarding the syntax, but today I tried with another internet browser (IE5.5 without hotfix) and so I COULD apply the commands. And the filtering works fine. Considering all of this, it is important which internet browser you use.

Thanks,

Balázs

Balázs,

Thanks for sharing your experience. I am sure it would be helpful for others. Yes, the browser is an issue for any management software ;-)

Thanks again,

Mynul