Cisco Systems Servers Server User Manual


 
5-7
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 5 Setting Up and Managing Shared Profile Components
Network Access Restrictions
Note: When an authentication request is forwarded by proxy to a Cisco Secure ACS,
any NARs for TACACS+ requests are applied to the IP address of the
forwarding AAA server, not to the IP address of the originating AAA client.
You can define a NAR for, and apply it to, a single user or user group.
For more information, see the "Setting Network Access Restrictions for a
User" section on page 7-12 or the "Setting Network Access Restrictions for a
User Group" section on page 6-7. However, in the Shared Profile Components
section of Cisco Secure ACS you can create and name a shared NAR without
directly citing any user or user group. You give the shared NAR a name that can
be referenced in other parts of the Cisco Secure ACS HTML interface. Then,
when you set up users or user groups, you can select none, one, or multiple shared
restrictions to be applied. When you specify the application of multiple shared
NARs to a user or user group, you choose one of two access criteria: either "All
selected filters must permit" or "Any one selected filter must permit".
Shared access restrictions are kept in the CiscoSecure user database. They can be
backed up and restored with the Cisco Secure ACS backup and restore features, and
they are replicated to secondary Cisco Secure ACS servers along with other
configurations.
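The following added example (not part of the Cisco guide and not Cisco Secure ACS code) models how the two access criteria combine several shared NARs, and how the proxy note above changes which IP address a TACACS+ NAR is evaluated against. The SharedNAR and Request classes, the permit-list and deny-list semantics, the treatment of "no NAR selected", and all IP addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class SharedNAR:                      # hypothetical model, not an ACS data structure
    name: str
    permits_listed: bool              # True: listed clients permitted; False: listed clients denied
    aaa_client_ips: frozenset

    def permits(self, ip) -> bool:
        listed = ip in self.aaa_client_ips
        return listed if self.permits_listed else not listed

@dataclass(frozen=True)
class Request:                        # hypothetical TACACS+ authentication request
    originating_client: str           # AAA client the user actually connected to
    forwarded_by: Optional[str] = None  # proxying AAA server, if any

def nar(name, permits_listed, *ips):
    return SharedNAR(name, permits_listed, frozenset(ip_address(i) for i in ips))

def evaluated_ip(req):
    # Per the note: a proxied request is checked against the forwarding server's IP.
    return ip_address(req.forwarded_by or req.originating_client)

def access_permitted(req, nars, criterion):
    if not nars:                      # assumption: no shared NAR selected means no restriction
        return True
    results = [n.permits(evaluated_ip(req)) for n in nars]
    if criterion == "all":            # "All selected filters must permit"
        return all(results)
    if criterion == "any":            # "Any one selected filter must permit"
        return any(results)
    raise ValueError(f"unknown criterion: {criterion!r}")

# Constructed sample data (documentation address ranges).
BRANCH_ONLY = nar("branch-only", True, "192.0.2.10")
NO_LAB = nar("no-lab", False, "192.0.2.99")
DIRECT = Request("192.0.2.10")
PROXIED = Request("192.0.2.10", forwarded_by="198.51.100.5")
PROXIED_LAB = Request("192.0.2.99", forwarded_by="198.51.100.5")

if __name__ == "__main__":
    for label, req in [("direct", DIRECT), ("proxied", PROXIED), ("proxied-lab", PROXIED_LAB)]:
        for crit in ("all", "any"):
            print(label, crit, access_permitted(req, [BRANCH_ONLY, NO_LAB], crit))
```

In this model a NAR that names only the originating AAA client never matches a proxied request, so a restriction meant to cover proxied traffic has to name the forwarding AAA server.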
Shared Network Access Restrictions Configuration
You can configure multiple shared NARs to restrict access to particular AAA
clients, all AAA clients, or to named NDGs.
This section contains the following procedures:
Adding a Shared Network Access Restriction, page 5-8
Editing a Shared Network Access Restriction, page 5-10
Deleting a Shared Network Access Restriction, page 5-12