User Guide for Cisco Secure ACS for Windows Server (Cisco Secure ACS 3.3), 78-16592-01
Chapter 5 Shared Profile Components: Network Access Restrictions, page 5-18

About Non-IP-based NAR Filters

A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of
permitted or denied “calling”/“point of access” locations that you can use in
restricting a AAA client when you do not have an established IP-based
connection. The non-IP-based NAR feature generally uses the calling line ID
(CLI) number and the Dialed Number Identification Service (DNIS) number.

However, by entering an IP address in place of the CLI you can use the
non-IP-based filter even when the AAA client does not use a Cisco IOS release
that supports CLI or DNIS. In another exception to entering a CLI, you can enter
a MAC address to permit or deny; for example, when you are using a Cisco
Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC
address in place of the DNIS. The format of what you specify in the CLI
box—CLI, IP address, or MAC address—must match the format of what you
receive from your AAA client. You can determine this format from your RADIUS
Accounting Log.

Attributes for DNIS/CLI-based restrictions, per protocol, include the following
NAR fields:

If you are using TACACS+—The NAR fields listed employ the following
values:

- AAA client—The NAS-IP-address is taken from the source address in the
  socket between Cisco Secure ACS and the TACACS+ client.
- Port—The port field in the TACACS+ start packet body is used.
- CLI—The rem-addr field in the TACACS+ start packet body is used.
- DNIS—The rem-addr field taken from the TACACS+ start packet body is used.
  In cases in which the rem-addr data begins with “/” the DNIS field contains
  the rem-addr data without the “/” character.

Note: When an authentication request is forwarded by proxy to a
Cisco Secure ACS, any NARs for TACACS+ requests are applied to
the IP address of the forwarding AAA server, not to the IP address of
the originating AAA client.
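The following Python is an added illustration, not code from the Cisco Secure ACS product or this guide: it derives the four TACACS+ NAR fields (AAA client, port, CLI, DNIS) from a constructed TACACS+ authentication START body exactly as the list above describes, including the leading "/" rule for DNIS, and then evaluates a permitted or denied DNIS/CLI list against them. The START body layout follows the TACACS+ protocol specification (RFC 8907); the "*" wildcard in the filter entries and the sample addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass


@dataclass
class NarFields:
    aaa_client: str  # NAS-IP-address: source address of the TACACS+ socket
    port: str        # port field of the START body
    cli: str         # rem-addr field as received
    dnis: str        # rem-addr with a leading "/" removed


def build_start_body(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Constructed sample: pack a TACACS+ authentication START body
    (action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    header = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), len(data))
    return header + u + p + r + data


def parse_start_body(body: bytes) -> dict:
    """Parse a START body: eight one-byte fields, then the variable-length
    user, port, rem_addr and data strings, in that order (RFC 8907)."""
    if len(body) < 8:
        raise ValueError("START body too short")
    _action, _priv, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("START body length does not match its length bytes")
    u_end, p_end, r_end = 8 + ulen, 8 + ulen + plen, 8 + ulen + plen + rlen
    return {"user": body[8:u_end].decode(), "port": body[u_end:p_end].decode(),
            "rem_addr": body[p_end:r_end].decode()}


def nar_fields(socket_src_ip: str, body: bytes) -> NarFields:
    """Derive the NAR fields the way the guide describes for TACACS+.
    socket_src_ip is the peer address of the TCP connection; for a proxied
    request that is the forwarding AAA server, not the originating client."""
    p = parse_start_body(body)
    rem = p["rem_addr"]
    dnis = rem[1:] if rem.startswith("/") else rem  # strip leading "/" for DNIS only
    return NarFields(socket_src_ip, p["port"], rem, dnis)


def nar_allows(f: NarFields, entries, permitted_list: bool) -> bool:
    """Evaluate a DNIS/CLI NAR. entries are (aaa_client, port, cli, dnis)
    tuples; "*" is assumed here to mean "any value". A permitted list allows
    access only on a match; a denied list blocks access on a match."""
    values = (f.aaa_client, f.port, f.cli, f.dnis)
    hit = any(all(pat == "*" or pat == val for pat, val in zip(e, values)) for e in entries)
    return hit if permitted_list else not hit
```

Because the AAA client field is the socket source, a request relayed through a proxy ACS matches entries written for the proxy's address, which is the behaviour the Note above describes.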