Hello All,

We have a solution where home users connect via ATM onto our network. Currenty their radius requests are passed onto Cisco ACS 3.3 and they are authenticated using RSA SecurID Fobs to an ACE server.

I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.

I found this on the online documentation for ACS 3.3

"About Non-IP-based NAR Filters

A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."

If I specify a clients MAC in any of the non IP NAR options (CLI, Port, DNIS)access is refused. I am using radius IETF and the only time I can see the MAC in the radius accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to cisco Aironet? Any ideas?

Thanks.