Cisco Systems 3.3 Manual De Usuario
5-3
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 5 Shared Profile Components
Network Access Filters
•
NAFs in shared network access restrictions—An essential part of
specifying a shared NAR is listing the AAA clients from which user access is
permitted or denied. Rather than list every AAA client that makes up a shared
NAR, you can simply list one or more NAFs instead of, or in combination
with, individual AAA clients. For more information on using NAFs in shared
NARs, see
specifying a shared NAR is listing the AAA clients from which user access is
permitted or denied. Rather than list every AAA client that makes up a shared
NAR, you can simply list one or more NAFs instead of, or in combination
with, individual AAA clients. For more information on using NAFs in shared
NARs, see
Tip
Shared NARs can contain NDGs, or NAFs, or both. NAFs can contain one or more
NDGs.
NDGs.
You can add a NAF that contains any combination of NDG, network devices
(AAA clients), or IP addresses. For these network devices or NDGs to be
selectable you must have previously configured them in Cisco Secure ACS.
(AAA clients), or IP addresses. For these network devices or NDGs to be
selectable you must have previously configured them in Cisco Secure ACS.
The network elements that make up a NAF can be arranged in any order. For best
performance, place the elements most commonly encountered at the top of the
Selected Items list. For example, in a NAF where the majority of users gain
network access through the NDG “accounting” but you also grant access to a
single technical support AAA client with the IP address 205.205.111.222, you
would list the NDG first (higher) in the list of network elements to prevent all
NAF members from having to be examined against the specified IP address.
performance, place the elements most commonly encountered at the top of the
Selected Items list. For example, in a NAF where the majority of users gain
network access through the NDG “accounting” but you also grant access to a
single technical support AAA client with the IP address 205.205.111.222, you
would list the NDG first (higher) in the list of network elements to prevent all
NAF members from having to be examined against the specified IP address.
Adding a Network Access Filter
To add a NAF, follow these steps:
Step 1
In the navigation bar, click Shared Profile Components.
The Shared Profile Components page appears.
Step 2
Click Network Access Filtering.
The Network Access Filtering table page appears.
Tip
If Network Access Filtering does not appear as a selection on the Shared
Profile Components page, you must enable it on the Advanced Options
page of the Interface Configuration section.
Profile Components page, you must enable it on the Advanced Options
page of the Interface Configuration section.