Cisco Systems 3.3 Server User Manual

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01
Chapter 5 Shared Profile Components, page 5-17
Network Access Restrictions
About IP-based NAR Filters
For IP-based NAR filters, ACS uses the following attributes, depending upon the AAA protocol of the authentication request:
• If you are using TACACS+—The rem_addr field from the TACACS+ start packet body is used.
Note When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
• If you are using RADIUS IETF—The calling-station-id (attribute 31) and called-station-id (attribute 30) fields are used.
AAA clients that do not provide sufficient IP address information (for example, some types of firewall) do not support full NAR functionality.
Other attributes for IP-based restrictions, per protocol, include the following NAR fields:
• If you are using TACACS+—The NAR fields listed in Cisco Secure ACS use the following values:
  – AAA client—The NAS-IP-address is taken from the source address in the socket between Cisco Secure ACS and the TACACS+ client.
  – Port—The port field is taken from the TACACS+ start packet body.
• If you are using RADIUS—The NAR fields listed in Cisco Secure ACS use the following values:
  – AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address does not exist, NAS-identifier (attribute 32) is used.
  – Port—The NAS-port (attribute 5) or, if NAS-port does not exist, NAS-port-ID (attribute 87) is used.
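The field-selection rules above, worked through in code. This is an added illustration, not code from Cisco Secure ACS or its documentation: the attribute-number dictionary for RADIUS, the dict form of the TACACS+ START body, and the permit/deny list semantics with "*" wildcards are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass

# RADIUS IETF attribute numbers named on the page.
NAS_IP_ADDRESS, NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID = 4, 5, 30, 31
NAS_IDENTIFIER, NAS_PORT_ID = 32, 87


@dataclass
class NarFields:
    aaa_client: str  # AAA client field the NAR is matched against
    port: str        # port field
    address: str     # IP address information the filter is applied to


def _first(attrs: dict, *numbers: int) -> str:
    """Return the first attribute present, in fallback order (0 is a valid port)."""
    for n in numbers:
        if attrs.get(n) is not None:
            return str(attrs[n])
    return ""


def radius_nar_fields(attrs: dict) -> NarFields:
    """Fallback order from the page: attribute 4, else 32; attribute 5, else 87.
    The filtered address comes from calling-station-id (attribute 31)."""
    return NarFields(_first(attrs, NAS_IP_ADDRESS, NAS_IDENTIFIER),
                     _first(attrs, NAS_PORT, NAS_PORT_ID),
                     _first(attrs, CALLING_STATION_ID))


def tacacs_nar_fields(socket_src: str, start_body: dict) -> NarFields:
    """AAA client is the socket source address; port and rem_addr come from the
    START packet body. For a proxied request socket_src is the forwarding AAA
    server, which is why the page's Note says the NAR applies to that address."""
    return NarFields(socket_src, str(start_body.get("port", "")),
                     str(start_body.get("rem_addr", "")))


def has_ip_info(fields: NarFields) -> bool:
    """Clients that supply no address (some firewalls) cannot be fully filtered."""
    return bool(fields.address)


def nar_permits(fields: NarFields, entries: list, permitted_list: bool) -> bool:
    """entries: (aaa_client, port, address) patterns with '*' wildcards (assumed
    syntax). permitted_list=True: allow only matches; False: deny matches."""
    matched = any(fnmatch.fnmatchcase(fields.aaa_client, c)
                  and fnmatch.fnmatchcase(fields.port, p)
                  and fnmatch.fnmatchcase(fields.address, a)
                  for c, p, a in entries)
    return matched if permitted_list else not matched
```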