User Guide for Cisco Secure ACS for Windows Server, 78-16592-01
Chapter 5 Shared Profile Components, Network Access Restrictions (page 5-17)

About IP-based NAR Filters
For IP-based NAR filters, ACS uses the following attributes, depending upon the AAA protocol of the authentication request:

• If you are using TACACS+—The rem_addr field from the TACACS+ start packet body is used.

  Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

• If you are using RADIUS IETF—The calling-station-id (attribute 31) and called-station-id (attribute 30) fields are used.

AAA clients that do not provide sufficient IP address information (for example, some types of firewall) do not support full NAR functionality.

Other attributes for IP-based restrictions, per protocol, include the following NAR fields:

• If you are using TACACS+—The NAR fields listed in Cisco Secure ACS use the following values:
  – AAA client—The NAS-IP-address is taken from the source address in the socket between Cisco Secure ACS and the TACACS+ client.
  – Port—The port field is taken from the TACACS+ start packet body.

• If you are using RADIUS—The NAR fields listed in Cisco Secure ACS use the following values:
  – AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address does not exist, NAS-identifier (attribute 32) is used.
  – Port—The NAS-port (attribute 5) or, if NAS-port does not exist, NAS-port-ID (attribute 87) is used.
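As an added illustration that is not part of the Cisco guide, the Python below resolves the NAR fields for both protocols with the fallbacks described above (attribute 4 then 32, attribute 5 then 87, socket source address for TACACS+) and checks them against a small IP-based NAR list. The entry layout (client, port, address with "*" as wildcard), the permit/deny evaluation and the sample requests are assumptions made for the example, not ACS's documented matching algorithm.

```python
import ipaddress

# RADIUS IETF attribute numbers named on the page
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
NAS_IP_ADDRESS, NAS_IDENTIFIER = 4, 32
NAS_PORT, NAS_PORT_ID = 5, 87

def nar_fields_radius(attrs):
    """Pick the NAR fields out of a parsed RADIUS request (attrs: {attribute number: value}).
    Fallbacks follow the page: 4 -> 32 for the AAA client, 5 -> 87 for the port."""
    client = attrs.get(NAS_IP_ADDRESS, attrs.get(NAS_IDENTIFIER))
    port = attrs.get(NAS_PORT, attrs.get(NAS_PORT_ID))
    return {"client": client, "port": port, "address": attrs.get(CALLING_STATION_ID)}

def nar_fields_tacacs(start_body, socket_source_ip):
    """Pick the NAR fields out of a TACACS+ START packet body plus the socket source address.
    For a proxied request socket_source_ip is the forwarding AAA server, so that is the
    address the NAR ends up being applied to (the Note on the page)."""
    return {"client": socket_source_ip, "port": start_body.get("port"),
            "address": start_body.get("rem_addr")}

def _matches(entry, fields):
    """One NAR entry is (aaa_client, port, address); "*" is a wildcard, address may be a CIDR.
    Assumed simplified matching model for this example, not ACS's documented algorithm."""
    client, port, address = entry
    if client != "*" and fields["client"] != client:
        return False
    if port != "*" and str(fields["port"]) != str(port):
        return False
    if address != "*":
        if fields["address"] is None:
            return False  # insufficient IP address information: the entry cannot match
        try:
            return ipaddress.ip_address(fields["address"]) in ipaddress.ip_network(address, strict=False)
        except ValueError:
            return False  # calling-station-id is not an IP address (for example a MAC)
    return True

def nar_permits(fields, entries, permitted=True):
    """Permitted list: allow only if some entry matches. Denied list: allow unless one matches.
    A request lacking the fields an entry needs never matches, so a permitted list rejects it."""
    hit = any(_matches(e, fields) for e in entries)
    return hit if permitted else not hit

# Constructed sample requests and NAR list (assumptions, not captured traffic or a real config)
RADIUS_REQ = {NAS_IDENTIFIER: "vpn-gw-1", NAS_PORT_ID: "tunnel-17", CALLING_STATION_ID: "10.1.2.3"}
TACACS_START = {"port": "tty3", "rem_addr": "192.0.2.44"}
NAR_ENTRIES = [("vpn-gw-1", "*", "10.1.0.0/16"), ("10.0.0.9", "*", "192.0.2.0/24")]
```

Feeding the TACACS+ start packet with a different socket source address (a proxying server) shows the Note in action: the NAR no longer matches because it is evaluated against the forwarder, not the original client.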