Cisco Systems 3.3 Server User Manual
Chapter 5 Shared Profile Components
Network Access Restrictions
5-18
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
About Non-IP-based NAR Filters
A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client when you do not have an established IP-based connection. The non-IP-based NAR feature generally uses the calling line ID (CLI) number and the Dialed Number Identification Service (DNIS) number. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS. The format of what you specify in the CLI box (CLI, IP address, or MAC address) must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.
Attributes for DNIS/CLI-based restrictions, per protocol, include the following NAR fields:

- If you are using TACACS+, the NAR fields listed employ the following values:
  - AAA client: the NAS-IP-address is taken from the source address in the socket between Cisco Secure ACS and the TACACS+ client.
  - Port: the port field in the TACACS+ start packet body is used.
  - CLI: the rem-addr field in the TACACS+ start packet body is used.
  - DNIS: the rem-addr field taken from the TACACS+ start packet body is used. In cases in which the rem-addr data begins with "/", the DNIS field contains the rem-addr data without the "/" character.
Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.
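The TACACS+ field mapping above, and the proxy note, can be made concrete by deriving the four NAR fields from a START packet body and evaluating a permitted or denied DNIS/CLI list against them. The following is an added example, not code from the guide or from Cisco Secure ACS; the START body layout follows RFC 8907, the sample body and the filter entries are constructed, and `nar_fields`, `DnisCliFilter` and the wildcard "*" are hypothetical names chosen for the illustration.

```python
import struct
from dataclasses import dataclass

# TACACS+ authentication START body (RFC 8907, section 5.1): eight one-octet
# fields, then user, port, rem_addr and data at the lengths those fields give.
START_HDR = struct.Struct("!BBBBBBBB")

def build_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Construct a START body for the example (action/type octets are placeholders)."""
    hdr = START_HDR.pack(0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), len(data))
    return hdr + user + port + rem_addr + data

def parse_start_body(body: bytes) -> dict:
    """Return the user, port and rem_addr fields of a START body."""
    *_, ulen, plen, rlen, dlen = START_HDR.unpack_from(body)
    off = START_HDR.size
    if len(body) != off + ulen + plen + rlen + dlen:
        raise ValueError("length fields do not match body size")
    user = body[off:off + ulen]
    port = body[off + ulen:off + ulen + plen]
    rem_addr = body[off + ulen + plen:off + ulen + plen + rlen]
    return {"user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode()}

def nar_fields(socket_src_ip: str, body: bytes) -> dict:
    """Map a START body onto the four NAR fields the guide lists for TACACS+:
    AAA client = source address of the socket (the forwarding server's address
    when the request arrived via proxy), Port = port, CLI = rem_addr, and
    DNIS = rem_addr with a leading "/" removed."""
    f = parse_start_body(body)
    rem = f["rem_addr"]
    dnis = rem[1:] if rem.startswith("/") else rem
    return {"aaa_client": socket_src_ip, "port": f["port"], "cli": rem, "dnis": dnis}

@dataclass
class DnisCliFilter:
    """A DNIS/CLI-based NAR: a permitted (permit=True) or denied list of
    (AAA client, port, CLI, DNIS) tuples, where "*" matches any value."""
    permit: bool
    entries: list

    def allows(self, fields: dict) -> bool:
        keys = ("aaa_client", "port", "cli", "dnis")
        hit = any(all(p == "*" or p == fields[k] for p, k in zip(e, keys)) for e in self.entries)
        return hit if self.permit else not hit

# Constructed sample: a dial-in START whose rem_addr carries a leading "/".
SAMPLE_BODY = build_start_body(b"alice", b"tty3", b"/5551234")
PERMIT_DNIS = DnisCliFilter(permit=True, entries=[("10.0.0.5", "*", "*", "5551234")])

if __name__ == "__main__":
    fields = nar_fields("10.0.0.5", SAMPLE_BODY)
    print(fields, PERMIT_DNIS.allows(fields))
```

Because the AAA-client field comes from the socket source, the same body evaluated with the proxying server's address matches or fails the filter on that address, which is the behaviour the note describes.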