Chapter 5      Setting Up and Managing Shared Profile Components
Network Access Restrictions
5-6
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Network Access Restrictions
This section includes a description of NARs followed by detailed instructions 
regarding shared NAR access configuration and management.
About Network Access Restrictions
NARs enable you to define additional authorization conditions that must be met 
before a user can gain access to the network. Cisco Secure ACS supports two 
basic types of network access restrictions:
• IP-based restrictions, where the originating request relates to an existing IP 
address 
• Non-IP-based filters for all other cases, where automatic number 
identification (ANI) may be used
A non-IP-based NAR is a list of permitted or denied “calling”/“point of access” 
locations that you can employ to restrict an AAA client when you do not have 
an IP-based connection established. The non-IP-based NAR generally uses the 
calling line ID (CLI) number and the Dialed Number Identification Service 
(DNIS) number.
However, you can use the non-IP-based filter even when the AAA client does not 
run a Cisco IOS release that supports CLI or DNIS, by entering an IP address in 
place of the CLI. As another exception to entering a CLI, you can enter a MAC 
address to permit or deny; for example, when you are using a Cisco Aironet AAA 
client. Likewise, you can enter the Cisco Aironet AP MAC address in place 
of the DNIS. The format of what you specify in the CLI box—be it CLI, IP 
address, or MAC address—must exactly match the format of what you receive from your 
AAA client, because the comparison is literal; a MAC address stored with 
dashes will not match one the client sends with dots. You can determine the 
format the client sends from your RADIUS Accounting Log.
When specifying a NAR, you can use asterisks (*) as wildcards for any value, or 
as part of any value to establish a range. Cisco Secure ACS also accepts comma-
separated values in NAR definitions; any one of the listed values may match. All 
the conditions in a NAR specification must be met for the NAR to apply; that is, 
the values are “ANDed”.
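The matching rules described above (asterisk wildcards, comma-separated alternatives, ANDed conditions, and the requirement that the CLI box match the client's format literally) are modelled in the following added example. This is illustrative Python written for this page, not Cisco Secure ACS code; the field names (aaa_client, port, cli, dnis), the sample requests, and the permit/deny list semantics in nar_permits are assumptions for the example.

```python
"""Model of Cisco Secure ACS non-IP-based NAR matching.

Added illustration, not ACS code. Field names and the sample requests are
constructed for this example. Semantics taken from the guide: '*' stands for
any value or part of a value, comma-separated values are alternatives, and
every condition in one NAR entry must match (the values are ANDed).
"""
import re
from dataclasses import dataclass

FIELDS = ("aaa_client", "port", "cli", "dnis")  # assumed field names


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str = "*"  # AAA client name or address
    port: str = "*"        # NAS port
    cli: str = "*"         # calling-station-id: CLI number, IP address or MAC address
    dnis: str = "*"        # called-station-id: DNIS number or AP MAC address


def _alternative_matches(alternative: str, value: str) -> bool:
    """Match one alternative where '*' stands for any run of characters.

    Only '*' is special; everything else is compared literally, which is why
    the stored format must be the one the AAA client actually sends
    (check the RADIUS accounting log to see that format).
    """
    pattern = "^" + ".*".join(re.escape(p) for p in alternative.split("*")) + "$"
    return re.match(pattern, value) is not None


def value_matches(pattern: str, value: str) -> bool:
    """A NAR box may hold comma-separated alternatives; any one may match."""
    alternatives = [a.strip() for a in pattern.split(",") if a.strip()]
    return any(_alternative_matches(a, value) for a in alternatives)


def entry_matches(entry: NarEntry, request: dict) -> bool:
    """All conditions of one entry are ANDed: every field must match."""
    return all(value_matches(getattr(entry, f), request.get(f, "")) for f in FIELDS)


def nar_permits(mode: str, entries: list, request: dict) -> bool:
    """Evaluate a NAR defined as a permitted or a denied list of locations.

    Assumption for this example: with a 'permit' list, access is granted only
    if some entry matches; with a 'deny' list, a matching entry blocks access.
    """
    if mode not in ("permit", "deny"):
        raise ValueError("mode must be 'permit' or 'deny'")
    matched = any(entry_matches(e, request) for e in entries)
    return matched if mode == "permit" else not matched


# Constructed sample requests; not real accounting records.
DIALUP_REQUEST = {"aaa_client": "nas-01", "port": "Async3",
                  "cli": "5551234", "dnis": "8001000"}
WIRELESS_REQUEST = {"aaa_client": "ap-lobby", "port": "0",
                    "cli": "0040.96aa.bbcc", "dnis": "0040.96dd.eeff"}

if __name__ == "__main__":
    # Wildcard range plus a DNIS condition, both of which must hold.
    print(nar_permits("permit", [NarEntry(cli="555*", dnis="8001*")], DIALUP_REQUEST))
    # Same CLI stored in a different MAC format than the AP sends: no match,
    # so a permit list silently denies the client.
    print(nar_permits("permit", [NarEntry(cli="00-40-96-AA-BB-CC")], WIRELESS_REQUEST))
```

Run the block directly to see the two cases: the dial-up request passes because both ANDed conditions match, and the wireless request is refused purely because the stored MAC format differs from the one the AP sends.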