Cisco Systems 3.3 Server User Manual


 
Chapter 7 User Management
Basic User Setup Options
7-12
User Guide for Cisco Secure ACS for Windows Server
78-16592-01

Typically, you define (shared) NARs from within the Shared Components section
so that these restrictions can be applied to more than one group or user. For more
information, see Adding a Shared Network Access Restriction, page 5-19. You
must have selected the User-Level Shared Network Access Restriction check box
on the Advanced Options page of the Interface Configuration section for this set
of options to appear in the HTML interface.

However, Cisco Secure ACS also enables you to define and apply a NAR for a
single user from within the User Setup section. You must have enabled the
User-Level Network Access Restriction setting on the Advanced Options page of
the Interface Configuration section for single user IP-based filter options and
single user CLI/DNIS-based filter options to appear in the HTML interface.

Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS, any
NARs for TACACS+ requests are applied to the IP address of the forwarding
AAA server, not to the IP address of the originating AAA client.

When you create access restrictions on a per-user basis, Cisco Secure ACS does
not enforce a limit on the number of access restrictions, and it does not enforce a
limit on the length of each access restriction; however, there are strict limits, as
follows:

• The combination of fields for each line item cannot exceed 1024 characters
  in length.
• The shared NAR cannot have more than 16 KB of characters. The number of
  line items supported depends on the length of each line item. For example, if
  you create a CLI/DNIS-based NAR where the AAA client names are 10
  characters, the port numbers are 5 characters, the CLI entries are 15
  characters, and the DNIS entries are 20 characters, you can add 450 line items
  before reaching the 16 KB limit.

To set NARs for a user, follow these steps:

Step 1 Perform Step 1 through Step 3 of Adding a Basic User Account, page 7-4.
The User Setup Edit page opens. The username being added or edited is at the top
of the page.