Using Network Device Groups

dpatkins
Level 1

I am not sure if I am taking the proper steps to this or not. Here is my scenario:

I have a device that can utilize any RADIUS. I am using Cisco ACS 3.3. Only particular devices on our network will be allowed to authenticate via RADIUS to this device. In a nutshell, if you are using MAC address 00101010906c, when you connect to our network, you will be directed straight through ACS and into the device. Can this be accomplished through NDG? Or do I need to do something different? I appreciate your help.


dpatkins
Level 1

I need to add that when the end user wants to go to the web or to any other network device, he must be able to, but if he wants to go to the NDG device, he must be authenticated and on the access list. Please advise. And I hope this is going to the right group (AAA).

Thanks

Dwane

Is this an issue that is only with ACS 3.3? Can this be accomplished in 3.2? Can someone out there at least point me in a direction that I will be able to use? I have looked through some documentation and I am unclear on how to set up the NDG users. I am also wondering if this is the direction we need to take? Any ideas?

Thank you,

Dwane

Hi

Sounds like you need to use Network Access Restrictions and not NDGs. NARs allow you to filter access based on the RADIUS attributes Calling-Station-Id and Called-Station-Id. Depending on your device these may or may not be populated with the client MAC address.

However, ACS doesn't really have any support for un-authenticated access, so you need to authenticate a userid BEFORE the NAR gets applied.

In both NAC and wireless MAC auth, the device sends a pre-configured username+password to get around this. ACS can then apply the NAR post authentication.

Darran
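
The order of checks described in the reply above (authenticate first, then filter on Calling-Station-Id and Called-Station-Id), modelled as an added example; it is not from the thread and is not ACS code. The account name, password, the `*` wildcard and the choice to deny when Calling-Station-Id is missing are assumptions of this sketch.

```python
import hmac
import re

# Constructed sample data. The MAC is the one from the question; the account,
# password and the "*" wildcard are assumptions of this sketch.
USERS = {"macauth": "example-secret"}
NAR_PERMIT = [("00101010906c", "*")]  # (Calling-Station-Id, Called-Station-Id)


def normalize(value):
    """MAC in any common notation -> 12 lowercase hex digits; other text is
    lowercased; a missing or empty attribute -> None."""
    if not value or not value.strip():
        return None
    compact = re.sub(r"[-:.\s]", "", value).lower()
    if re.fullmatch(r"[0-9a-f]{12}", compact):
        return compact
    return value.strip().lower()


def authenticate(request):
    """Step 1: the pre-configured username and password must check out."""
    expected = USERS.get(request.get("User-Name", ""))
    supplied = request.get("User-Password", "")
    return expected is not None and hmac.compare_digest(
        expected.encode(), supplied.encode())


def nar_permits(request):
    """Step 2: match the station attributes against the permit list."""
    calling = normalize(request.get("Calling-Station-Id"))
    called = normalize(request.get("Called-Station-Id"))
    if calling is None:
        return False  # device did not populate the attribute: deny (sketch choice)
    return any(p_calling in ("*", calling) and p_called in ("*", called)
               for p_calling, p_called in NAR_PERMIT)


def decide(request):
    """Authentication runs before the NAR, as the reply describes."""
    if not authenticate(request):
        return "reject: authentication failed"
    if not nar_permits(request):
        return "reject: NAR"
    return "accept"
```

Normalizing the MAC before comparison matters because devices send the same address as `00-10-10-10-90-6C`, `0010.1010.906c` or `00101010906c`, and an exact string match against the permit list would treat them as different callers.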