Network Access Restrictions (NAR) on multiple Radius clients

JOOST HAGE
Level 1

Hi, I'm running two Radius clients (a C3005 and a web-server, i.e. an IETF client) and I want to restrict access of users/groups to them.

The problem I have is that when I'm using 'Ip based AR', no matter what I enter (permitted/denied, All Clients or a selection), all authentications are successful, and therefore not usable to me.

When I'm using a 'CLI/DNIS AR', the C3005 functions correctly (denied or allowed when applicable), but the web-server gets denied always unless I'm configuring a 'permit all clients' entry (again, not usable to me...)

When looking at the ACS-logs (failed attempts) I see all entries are correct except for the NAS-port entry, which shows the username (odd...). The failure-code is 'User Access Filtered' (which is, considering the results, to be expected).

Anyone any ideas?

Grtz, Joost

1 Reply

aschiebe
Level 1

Joost,

My best advice to you is to get the NAR White Paper that explains the "inside" of NARs operation and the rules they operate upon.

The white paper is at http://www/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

The important part, related to your question, is probably understanding what IP-Based NARs are based on (calling-station-id and called-station-id). If your Radius clients don't send those attributes in their requests, IP Based NARs won't operate as you expect them to.

Hope this helps, let me know if you still have questions.

Ami
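
An added example, not part of the original posts and not Cisco code: a small checker for a captured RADIUS Access-Request that reports whether Called-Station-Id and Calling-Station-Id, the two attributes named in the reply above, are present. Attribute numbers follow RFC 2865; the sample packets, user name and addresses are constructed for illustration.

```python
import struct

# Attribute type numbers as defined in RFC 2865.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              30: "Called-Station-Id", 31: "Calling-Station-Id"}
NAR_ATTRS = ("Called-Station-Id", "Calling-Station-Id")

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute name (or number if unknown): raw value}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = {}, 20          # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        # Keep the first occurrence of each attribute.
        attrs.setdefault(ATTR_NAMES.get(a_type, a_type),
                         packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def missing_nar_attributes(packet: bytes) -> list:
    """List which of the two station-id attributes the request lacks."""
    attrs = parse_attributes(packet)
    return [name for name in NAR_ATTRS if name not in attrs]

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) for the demo only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: one request without the station-id attributes,
# one that carries both.
SAMPLE_WITHOUT = build_request([(1, b"alice"), (4, bytes([192, 0, 2, 10]))])
SAMPLE_WITH = build_request([(1, b"alice"), (4, bytes([192, 0, 2, 20])),
                             (5, struct.pack("!I", 1001)),
                             (30, b"192.0.2.20"), (31, b"198.51.100.7")])

if __name__ == "__main__":
    for label, pkt in (("without", SAMPLE_WITHOUT), ("with", SAMPLE_WITH)):
        print(label, "-> missing:", missing_nar_attributes(pkt) or "none")
```

To use it on real traffic, pass the UDP payload of an Access-Request taken from a packet capture to `missing_nar_attributes`.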