Adding A Shared Network Access Restriction - Cisco 3.3 User Manual

For Windows Server version 3.3

Chapter 5
Shared Profile Components

Adding a Shared Network Access Restriction

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01

If you are using RADIUS—The NAR fields listed use the following values:
- AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address does not exist, NAS-identifier (RADIUS attribute 32) is used.
- Port—The NAS-port (attribute 5) or, if NAS-port does not exist, NAS-port-ID (attribute 87) is used.
- CLI—The calling-station-ID (attribute 31) is used.
- DNIS—The called-station-ID (attribute 30) is used.

When specifying a NAR you can use asterisks (*) as wildcards for any value, or
as part of any value to establish a range. All the values/conditions in a NAR
description must be met for the NAR to restrict access; that is, the values are
"ANDed".

You can create a shared NAR that contains many access restrictions. Although the
Cisco Secure ACS HTML interface does not enforce limits to the number of
access restrictions in a shared NAR or to the length of each access restriction,
there are limits that you must adhere to, as follows:
- The combination of fields for each line item cannot exceed 1024 characters.
- The shared NAR cannot have more than 16 KB of characters. The number of
  line items supported depends on the length of each line item. For example, if
  you create a CLI/DNIS-based NAR where the AAA client names are 10
  characters, the port numbers are 5 characters, the CLI entries are 15
  characters, and the DNIS entries are 20 characters, you can add 450 line items
  before reaching the 16 KB limit.

Before You Begin

Before defining a NAR, you should be sure that you have established the elements
you intend to use in that NAR. This means that you must have specified all NAFs
and NDGs, and defined all relevant AAA clients, before making them part of the
NAR definition. For more information, see About Network Access Restrictions,
page 5-15.
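The RADIUS field mapping, asterisk wildcards and ANDed conditions described above, worked through in Python as an added example that is not Cisco Secure ACS code. The dictionary keys, the sample NAR and requests, comparing the AAA client pattern directly with the attribute value, treating an absent attribute as an empty string, and counting a line item's length as the sum of its field lengths are all assumptions made for illustration.

```python
import re

# Constructed sample data (not from the manual): two NAR line items and two
# requests keyed by RADIUS attribute number.
SAMPLE_NAR = [
    {"aaa_client": "10.1.1.*", "port": "*", "cli": "408555*", "dnis": "*"},
    {"aaa_client": "*", "port": "15*", "cli": "*", "dnis": "4085551234"},
]
REQ_WITH_IP = {4: "10.1.1.20", 5: 3, 31: "4085550100", 30: "4085559999"}
REQ_FALLBACK = {32: "nas-west", 87: "1504", 31: "2125550100", 30: "4085551234"}


def nar_fields(attrs):
    """Map a RADIUS request to the four NAR fields, using the page's fallbacks."""
    def first(*numbers):
        # First attribute present wins; "" when none is (an assumption).
        return next((str(attrs[n]) for n in numbers if n in attrs), "")
    return {
        "aaa_client": first(4, 32),  # NAS-IP-address, else NAS-identifier
        "port": first(5, 87),        # NAS-port, else NAS-port-ID
        "cli": first(31),            # calling-station-ID
        "dnis": first(30),           # called-station-ID
    }


def wildcard_match(pattern, value):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def matching_items(nar, attrs):
    """Line items whose four conditions all hold (the conditions are ANDed)."""
    fields = nar_fields(attrs)
    return [item for item in nar
            if all(wildcard_match(item[k], fields[k]) for k in fields)]


def within_line_limit(item, limit=1024):
    """Check one line item's combined field length against the 1024 limit."""
    return sum(len(v) for v in item.values()) <= limit


if __name__ == "__main__":
    print(matching_items(SAMPLE_NAR, REQ_WITH_IP))
    print(matching_items(SAMPLE_NAR, REQ_FALLBACK))
```

Because the HTML interface does not enforce the length limits, a check like `within_line_limit` is the kind of validation to run on line items before entering them.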
