Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 5: Setting Up and Managing Shared Profile Components
Network Access Restrictions
Note
When an authentication request is forwarded by proxy to a Cisco Secure ACS, 
any NARs for TACACS+ requests are applied to the IP address of the 
forwarding AAA server, not to the IP address of the originating AAA client.
You can define a NAR for, and apply it to, a single, particular user or user group. 
For more information on this, see th
. However, in the Shared Profile Components 
section of Cisco Secure ACS you can create and name a shared NAR without 
directly citing any user or user group. You give the shared NAR a name that can 
be referenced in other parts of the Cisco Secure ACS HTML interface. Then, 
when you set up users or user groups, you can select none, one, or multiple shared 
restrictions to be applied. When you specify the application of multiple shared 
NARs to a user or user group, you choose one of two access criteria: either “All 
selected filters must permit”, or “Any one selected filter must permit”.
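The following Python sketch is an added example, not Cisco Secure ACS code. It models how the two access criteria combine several shared NARs and how the proxy note above changes the address a TACACS+ request is matched against. The SharedNAR class, the NDG_OF inventory, all IP addresses and the treatment of "no NAR selected" as unrestricted are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed inventory: AAA client IP -> network device group (NDG) name.
NDG_OF = {"10.1.1.10": "branch-routers", "10.1.1.11": "branch-routers",
          "10.9.9.5": "proxy-aaa"}

@dataclass(frozen=True)
class SharedNAR:
    """Simplified shared NAR: permits requests arriving from listed sources."""
    name: str
    clients: frozenset = frozenset()   # particular AAA client IPs
    ndgs: frozenset = frozenset()      # named NDGs
    all_clients: bool = False          # all AAA clients

    def permits(self, source_ip: str) -> bool:
        ip = str(ip_address(source_ip))  # rejects malformed addresses
        return (self.all_clients or ip in self.clients
                or NDG_OF.get(ip) in self.ndgs)

def effective_source(client_ip, forwarder_ip=None):
    """Proxied TACACS+ requests are matched on the forwarding AAA server's IP."""
    return forwarder_ip if forwarder_ip is not None else client_ip

def access_permitted(nars, criterion, client_ip, forwarder_ip=None):
    """criterion 'all': all selected filters must permit; 'any': any one."""
    if criterion not in ("all", "any"):
        raise ValueError("criterion must be 'all' or 'any'")
    if not nars:  # assumption: no shared NAR selected means no restriction
        return True
    src = effective_source(client_ip, forwarder_ip)
    results = [nar.permits(src) for nar in nars]
    return all(results) if criterion == "all" else any(results)

# Constructed shared NARs for the checks below.
BRANCH = SharedNAR("branch-only", ndgs=frozenset({"branch-routers"}))
ROUTER10 = SharedNAR("router-10-only", clients=frozenset({"10.1.1.10"}))
VIA_PROXY = SharedNAR("via-proxy", ndgs=frozenset({"proxy-aaa"}))

if __name__ == "__main__":
    # Direct request from 10.1.1.11: fails "all", passes "any".
    print(access_permitted([BRANCH, ROUTER10], "all", "10.1.1.11"))
    print(access_permitted([BRANCH, ROUTER10], "any", "10.1.1.11"))
    # Same permitted client, but proxied: matched on 10.9.9.5, so denied.
    print(access_permitted([BRANCH, ROUTER10], "any", "10.1.1.10", "10.9.9.5"))
    # A NAR that permits the forwarder admits any client behind it.
    print(access_permitted([VIA_PROXY], "all", "192.0.2.77", "10.9.9.5"))
```

In this model a NAR written for a specific AAA client stops matching once the request arrives through a proxy, while a NAR that permits the forwarding server covers every client behind it, so proxied deployments need their NARs reviewed against the forwarder's address.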
Shared access restrictions are kept in the CiscoSecure user database and can be 
backed up/restored by the Cisco Secure ACS backup and restore features and 
replicated to secondary Cisco Secure ACS servers along with other 
configurations.
Shared Network Access Restrictions Configuration
You can configure multiple shared NARs to restrict access to particular AAA 
clients, all AAA clients, or to named NDGs.
This section contains the following procedures: