About IP-Based NAR Filters - Cisco 3.3 User Manual

For Windows Server version 3.3

User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 5
Shared Profile Components
Network Access Restrictions

About IP-based NAR Filters

For IP-based NAR filters, ACS uses the following attributes, depending upon the
AAA protocol of the authentication request:

- If you are using TACACS+—The rem_addr field from the TACACS+ start
  packet body is used.

  Note: When an authentication request is forwarded by proxy to a
  Cisco Secure ACS, any NARs for TACACS+ requests are applied to
  the IP address of the forwarding AAA server, not to the IP address of
  the originating AAA client.

- If you are using RADIUS IETF—The calling-station-id (attribute 31)
  and called-station-id (attribute 30) fields are used.

AAA clients that do not provide sufficient IP address information (for example,
some types of firewall) do not support full NAR functionality.

Other attributes for IP-based restrictions, per protocol, include the following
NAR fields:

- If you are using TACACS+—The NAR fields listed in Cisco Secure ACS use
  the following values:
    - AAA client—The NAS-IP-address is taken from the source address in
      the socket between Cisco Secure ACS and the TACACS+ client.
    - Port—The port field is taken from the TACACS+ start packet body.

- If you are using RADIUS—The NAR fields listed in Cisco Secure ACS use
  the following values:
    - AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address
      does not exist, NAS-identifier (attribute 32) is used.
    - Port—The NAS-port (attribute 5) or, if NAS-port does not exist,
      NAS-port-ID (attribute 87) is used.
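
The attribute selection described above, with its fallbacks, written out as an added example; this is not Cisco code and not part of the manual. The function names and the dict models of a RADIUS request and a TACACS+ start packet body are hypothetical, and treating "insufficient IP address information" as "the address field does not parse as an IP address" is an assumption.

```python
import ipaddress

# RADIUS attribute numbers as given on this page.
NAS_IP_ADDRESS, NAS_PORT, CALLED_STATION_ID = 4, 5, 30
CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_ID = 31, 32, 87


def first_present(attrs, *numbers):
    """Return the value of the first attribute that exists, else None."""
    for number in numbers:
        if attrs.get(number) not in (None, ""):
            return attrs[number]
    return None


def as_ip(value):
    """Normalise value to an IP address string; None if it is not an IP."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def nar_fields_radius(attrs):
    """attrs: dict of RADIUS attribute number -> value (constructed model)."""
    return {
        "aaa_client": first_present(attrs, NAS_IP_ADDRESS, NAS_IDENTIFIER),
        "port": first_present(attrs, NAS_PORT, NAS_PORT_ID),
        "calling_ip": as_ip(attrs.get(CALLING_STATION_ID)),
        "called_ip": as_ip(attrs.get(CALLED_STATION_ID)),
    }


def nar_fields_tacacs(socket_source_ip, start_body):
    """start_body: dict of TACACS+ start packet body fields (constructed model).

    socket_source_ip is the peer of the connection to the server, so for a
    proxied request it is the forwarding AAA server, not the original client.
    """
    return {
        "aaa_client": socket_source_ip,
        "port": start_body.get("port"),
        "rem_addr_ip": as_ip(start_body.get("rem_addr")),
    }


def missing_ip_information(fields):
    """Address fields with no usable IP (assumed reading of 'insufficient
    IP address information')."""
    return sorted(k for k, v in fields.items() if k.endswith("_ip") and v is None)
```

Running a captured request through missing_ip_information before writing an IP-based NAR for a device shows whether that AAA client sends enough address data for the filter to be evaluated.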


This manual is also suitable for:

Secure access control server, Secure acs
