Cisco 3.3 User Manual


Chapter 5 Shared Profile Components

Network Access Restrictions

5-16

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

the client. For this type of NAR to operate, the value in the NAR description
must exactly match what is being sent from the client, including whatever
format is used. For example, (217) 555-4534 does not match 217-555-4534.
For more information on this type of NAR filter, see About Non-IP-based
NAR Filters, page 5-18.

You can define a NAR for, and apply it to, a specific user or user group. For more
information on this, see Setting Network Access Restrictions for a User,
page 7-11, or Setting Network Access Restrictions for a User Group, page 6-8.

However, in the Shared Profile Components section of Cisco Secure ACS you can
create and name a shared NAR without directly citing any user or user group. You
give the shared NAR a name that can be referenced in other parts of the
Cisco Secure ACS HTML interface. Then, when you set up users or user groups,
you can select none, one, or multiple shared restrictions to be applied. When you
specify the application of multiple shared NARs to a user or user group, you
choose one of two access criteria: either “All selected filters must permit”, or
“Any one selected filter must permit”.

It is important to understand the order of precedence related to the different types
of NARs. The order of NAR filtering is as follows:

1. Shared NAR at the user level
2. Shared NAR at the group level
3. Non-shared NAR at the user level
4. Non-shared NAR at the group level

You should also note that denial of access at any level takes precedence over
settings at another level that do not deny access. This is the one exception in
Cisco Secure ACS to the rule that user-level settings override group-level settings.
For example, a particular user may have no NAR restrictions at the user level that
apply, but if that user belongs to a group that is restricted by either a shared or
non-shared NAR, the user is denied access.
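The following Python is an added illustration, not code from the Cisco guide or from Cisco Secure ACS itself. It models the evaluation rules this section describes: the four NAR levels are checked in the order listed, shared NARs at a level are combined with the selected criterion ("All selected filters must permit" or "Any one selected filter must permit"), a level with no NAR applied imposes nothing, and a denial at any level wins. The filter model is an assumption made for the example: each NAR holds configured (AAA client, port, value) entries and permits a request only on an exact string match of all three, which is also why the two phone-number formats above do not match.

```python
"""Model of Cisco Secure ACS NAR evaluation (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """What the AAA client reports: its name, the port, and either an IP
    address (IP-based NAR) or a CLI/DNIS string (non-IP-based NAR)."""
    client: str
    port: str
    value: str


@dataclass
class Nar:
    """One NAR filter. ASSUMPTION for this example: the filter permits a
    request when one of its configured entries matches it exactly."""
    name: str
    entries: List[Tuple[str, str, str]]  # (AAA client, port, value) as typed in

    def permits(self, req: Request) -> bool:
        # Plain string comparison, so "(217) 555-4534" != "217-555-4534".
        return any(c == req.client and p == req.port and v == req.value
                   for c, p, v in self.entries)


# Access criteria offered when several shared NARs are applied to a user/group.
ALL_MUST_PERMIT = "all"   # "All selected filters must permit"
ANY_MAY_PERMIT = "any"    # "Any one selected filter must permit"


def shared_level_permits(nars: List[Nar], criterion: str,
                         req: Request) -> Optional[bool]:
    """Verdict of one shared-NAR level; None when no shared NAR is applied."""
    if not nars:
        return None
    verdicts = [n.permits(req) for n in nars]
    return all(verdicts) if criterion == ALL_MUST_PERMIT else any(verdicts)


@dataclass
class Principal:
    """A user or a user group and the NARs applied to it."""
    shared_nars: List[Nar] = field(default_factory=list)
    criterion: str = ALL_MUST_PERMIT
    own_nar: Optional[Nar] = None  # non-shared NAR defined on this principal


def nar_allows(user: Principal, group: Principal,
               req: Request) -> Tuple[bool, Optional[str]]:
    """Evaluate the four levels in precedence order. Returns (allowed, level)
    where level names the first level that denied, or None if none did."""
    levels = [
        ("shared NAR, user level",
         shared_level_permits(user.shared_nars, user.criterion, req)),
        ("shared NAR, group level",
         shared_level_permits(group.shared_nars, group.criterion, req)),
        ("non-shared NAR, user level",
         user.own_nar.permits(req) if user.own_nar else None),
        ("non-shared NAR, group level",
         group.own_nar.permits(req) if group.own_nar else None),
    ]
    for name, verdict in levels:
        # A level with nothing applied (None) does not restrict; a False at
        # any level denies regardless of permits at the other levels.
        if verdict is False:
            return False, name
    return True, None


if __name__ == "__main__":
    # Constructed sample configuration.
    hq_ip = Nar("HQ-IP", [("nas-hq", "tty1", "10.1.1.5")])
    branch_cli = Nar("Branch-CLI", [("nas-branch", "Async1", "217-555-4534")])
    req = Request("nas-branch", "Async1", "217-555-4534")
    # The guide's example: nothing at the user level, group restricted.
    print(nar_allows(Principal(), Principal(shared_nars=[hq_ip]), req))
    # Same group with both NARs and "Any one selected filter must permit".
    print(nar_allows(Principal(), Principal(shared_nars=[hq_ip, branch_cli],
                                            criterion=ANY_MAY_PERMIT), req))
```

Because `nar_allows` stops at the first denying level, it also serves as a quick way to see which of the four levels is responsible when a user is unexpectedly rejected; adding a shared NAR at the user level that permits the request does not change a group-level denial, as the precedence rule states.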

Shared NARs are kept in the CiscoSecure user database. You can use the
Cisco Secure ACS backup and restore features to back up and restore them. You
can also replicate the shared NARs, along with other configurations, to secondary
Cisco Secure ACSes.
