Cisco Systems 3.3 Manual De Usuario
5-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 5 Shared Profile Components
Network Access Restrictions
This section contains the following topics:
•
•
•
•
About Network Access Restrictions
A NAR is a definition, which you make in Cisco Secure ACS, of additional
conditions that must be met before a user can access the network. Cisco Secure
ACS applies these conditions using information from attributes sent by your AAA
clients. Although there are several ways you can set up NARs, they all are based
on matching attribute information sent by a AAA client. Therefore, you must
understand the format and content of the attributes your AAA clients send if you
want to employ effective NARs.
conditions that must be met before a user can access the network. Cisco Secure
ACS applies these conditions using information from attributes sent by your AAA
clients. Although there are several ways you can set up NARs, they all are based
on matching attribute information sent by a AAA client. Therefore, you must
understand the format and content of the attributes your AAA clients send if you
want to employ effective NARs.
In setting up a NAR you can choose whether the filter operates positively or
negatively. That is, in the NAR you specify whether to permit or deny network
access, based on comparison of information sent from AAA clients to the
information stored in the NAR. However, if a NAR does not encounter sufficient
information to operate, it defaults to denied access. This is shown in
negatively. That is, in the NAR you specify whether to permit or deny network
access, based on comparison of information sent from AAA clients to the
information stored in the NAR. However, if a NAR does not encounter sufficient
information to operate, it defaults to denied access. This is shown in
Cisco Secure ACS supports two types of NAR filters:
•
IP-based filters—IP-based NAR filters limit access based upon the IP
addresses of the end-user client and the AAA client. For more information on
this type of NAR filter, see
addresses of the end-user client and the AAA client. For more information on
this type of NAR filter, see
.
•
Non-IP-based filters—Non-IP-based NAR filters limit access based upon
simple string comparison of a value sent from the AAA client. The value may
be the calling line ID (CLI) number, the Dialed Number Identification
Service (DNIS) number, the MAC address, or other value originating from
simple string comparison of a value sent from the AAA client. The value may
be the calling line ID (CLI) number, the Dialed Number Identification
Service (DNIS) number, the MAC address, or other value originating from
Table 5-1
NAR Permit/Deny Conditions
IP-Based
Non-IP Based
Insufficient Information
Permit
Access Granted
Access Denied
Access Denied
Deny
Access Denied
Access Granted
Access Denied