Restrict access to LMS that authenticate via ACS

twpua
Level 1

Hi,

I have installed an ACS 2.6 server which has joined the domain. Local accounts are created in ACS and their passwords use the domain password.

Besides switches, I have also defined LMS as one of the devices on ACS, authenticating via TACACS+.

I would like to restrict only 2 out of those local accounts to be able to log in to LMS. So I added a deny access to NAS:LMS for the rest of the accounts.

Now the problem is that all the local accounts are still able to log in to LMS. On the ACS log, it says authentication successful.

I tried to verify by using the same method to restrict switch access to a local account, and it works.

Please advise.

gfullage
Cisco Employee

I presume you added this into the Network Access Restrictions (NAR) section of ACS. Did you add it into the IP-Based Access Restriction section, or the CLI/DNIS-based section below it?

Which section ACS uses here depends on whether or not the NAS (LMS in this case) sends the "caller-id" or "calling-station-id" attribute in the request with an IP address. I have no idea if LMS does this, but if it's not working in the IP-based section, try adding it into the CLI/DNIS section and see how that goes.

Switches, and most other devices, DO send an IP address in the calling-station-id attribute so that's why that is working in the IP-based section. A good example of this is the VPN3000 which does NOT send an IP address, so it has to be added into the CLI/DNIS section for restrictions to work.
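The reply above boils down to a matching rule: an IP-based NAR can only match a request that actually carries an IP address in calling-station-id, so a deny rule that depends on a field the NAS never sends simply never fires, and the user falls through to "authentication successful". The following is an added illustration, not Cisco's ACS code and not the poster's configuration; it is a simplified Python model of that fail-open behaviour, with the request fields, rule shapes and wildcard handling all assumed for the example. It shows why a deny placed in the IP-based section works for a switch but not for a NAS that omits the attribute, and why the same deny placed in the CLI/DNIS section catches both.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class AuthRequest:
    """Constructed model of the fields ACS would see in a TACACS+ request."""
    username: str
    nas_name: str                              # NAS as defined in ACS, e.g. "LMS"
    calling_station_id: Optional[str] = None   # may be absent entirely


@dataclass
class NarRule:
    """Assumed shape of one Network Access Restriction deny rule."""
    nas_name: str          # "*" or a specific NAS name
    ip_based: bool         # True = IP-based section, False = CLI/DNIS section
    cli_pattern: str = "*" # only used by CLI/DNIS rules; "*" matches any value


def is_ip(value: Optional[str]) -> bool:
    """True if calling-station-id carries a parseable IP address."""
    if value is None:
        return False
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def rule_matches(rule: NarRule, req: AuthRequest) -> bool:
    if rule.nas_name not in ("*", req.nas_name):
        return False
    if rule.ip_based:
        # Assumption for the model: an IP-based NAR needs an IP in
        # calling-station-id to match at all. No attribute, no match.
        return is_ip(req.calling_station_id)
    # CLI/DNIS-based: compare the raw string; "*" matches even an empty one.
    cid = req.calling_station_id or ""
    return rule.cli_pattern == "*" or cid == rule.cli_pattern


def evaluate(deny_rules: List[NarRule], req: AuthRequest) -> str:
    """Return 'REJECT' if any deny rule matches, else 'ACCEPT' (fail-open)."""
    for rule in deny_rules:
        if rule_matches(rule, req):
            return "REJECT"
    return "ACCEPT"


def explain(deny_rules: List[NarRule], req: AuthRequest) -> str:
    """Human-readable verdict, useful when troubleshooting a NAR that 'does nothing'."""
    verdict = evaluate(deny_rules, req)
    if verdict == "ACCEPT" and any(r.ip_based for r in deny_rules) and not is_ip(req.calling_station_id):
        return ("ACCEPT: IP-based deny never matched because calling-station-id "
                f"is {req.calling_station_id!r}; move the rule to the CLI/DNIS section")
    return verdict


if __name__ == "__main__":
    # Constructed sample requests: a switch sends its IP, the LMS host does not.
    from_switch = AuthRequest("alice", "switch01", "10.1.1.5")
    from_lms = AuthRequest("alice", "LMS", None)

    deny_lms_ip = [NarRule(nas_name="LMS", ip_based=True)]
    deny_lms_cli = [NarRule(nas_name="LMS", ip_based=False)]
    deny_switch_ip = [NarRule(nas_name="switch01", ip_based=True)]

    print("switch, IP-based deny :", evaluate(deny_switch_ip, from_switch))  # REJECT
    print("LMS, IP-based deny    :", explain(deny_lms_ip, from_lms))         # ACCEPT (fail-open)
    print("LMS, CLI/DNIS deny    :", evaluate(deny_lms_cli, from_lms))       # REJECT
```

The design point worth taking from the model is that a restriction keyed on an attribute the client may omit is fail-open by construction; when verifying an ACS restriction, test it with a request from the actual NAS type rather than assuming a switch test proves the rule.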