About IP-based NAR Filters – Cisco 3.3 User Manual


User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 5-17

Chapter 5 Shared Profile Components

Network Access Restrictions

About IP-based NAR Filters

For IP-based NAR filters, ACS uses the following attributes, depending upon the
AAA protocol of the authentication request:

• If you are using TACACS+—The rem_addr field from the TACACS+ start
  packet body is used.

  Note: When an authentication request is forwarded by proxy to a
  Cisco Secure ACS, any NARs for TACACS+ requests are applied to
  the IP address of the forwarding AAA server, not to the IP address of
  the originating AAA client.

• If you are using RADIUS IETF—The calling-station-id (attribute 31)
  and called-station-id (attribute 30) fields are used.

AAA clients that do not provide sufficient IP address information (for example,
some types of firewall) do not support full NAR functionality.

Other attributes for IP-based restrictions, per protocol, include the following
NAR fields:

• If you are using TACACS+—The NAR fields listed in Cisco Secure ACS use
  the following values:

  - AAA client—The NAS-IP-address is taken from the source address in
    the socket between Cisco Secure ACS and the TACACS+ client.

  - Port—The port field is taken from the TACACS+ start packet body.

• If you are using RADIUS—The NAR fields listed in Cisco Secure ACS use
  the following values:

  - AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address
    does not exist, NAS-identifier (attribute 32) is used.

  - Port—The NAS-port (attribute 5) or, if NAS-port does not exist,
    NAS-port-ID (attribute 87) is used.
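The attribute selection described in the two lists above, written out as an added Python example (this is not Cisco code and does not reflect how ACS is implemented internally). It assumes a RADIUS request is represented as a dictionary keyed by IETF attribute number and a TACACS+ START as the TCP peer address plus a dictionary of start-body fields; the sample requests at the bottom are constructed. It applies the NAS-IP-address/NAS-identifier and NAS-port/NAS-port-ID fallbacks, takes the TACACS+ AAA client from the socket peer (which is why a proxied request shows the forwarding server's address), and flags a request from a client that supplied no address information, for which full NAR functionality is not available.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RADIUS IETF attribute numbers named on this page
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
NAS_PORT_ID = 87


@dataclass
class NarInputs:
    """The values an IP-based NAR is evaluated against for one request."""
    protocol: str                   # "TACACS+" or "RADIUS"
    aaa_client: Optional[str]       # NAR "AAA client" field
    port: Optional[str]             # NAR "port" field
    remote_addr: Optional[str]      # rem_addr (TACACS+) or calling-station-id (RADIUS)
    called_station: Optional[str]   # called-station-id (RADIUS only)

    @property
    def full_nar_possible(self) -> bool:
        """False when the AAA client supplied no address information, so the
        IP-based filter cannot be applied in full (the manual names some
        firewalls as clients of this kind)."""
        return self.aaa_client is not None and self.remote_addr is not None


def _first_present(attrs: Dict[int, object], *numbers: int) -> Optional[str]:
    """Return the first attribute in 'numbers' that the request carries, as a string."""
    for n in numbers:
        if n in attrs and attrs[n] is not None:
            return str(attrs[n])
    return None


def nar_inputs_from_radius(attrs: Dict[int, object]) -> NarInputs:
    """Derive the NAR inputs from a RADIUS Access-Request keyed by attribute number.

    Fallbacks follow the manual: NAS-IP-address (4), else NAS-identifier (32),
    for the AAA client; NAS-port (5), else NAS-port-ID (87), for the port.
    """
    return NarInputs(
        protocol="RADIUS",
        aaa_client=_first_present(attrs, NAS_IP_ADDRESS, NAS_IDENTIFIER),
        port=_first_present(attrs, NAS_PORT, NAS_PORT_ID),
        remote_addr=_first_present(attrs, CALLING_STATION_ID),
        called_station=_first_present(attrs, CALLED_STATION_ID),
    )


def nar_inputs_from_tacacs(socket_peer_ip: str, start_body: Dict[str, str]) -> NarInputs:
    """Derive the NAR inputs from a TACACS+ authentication START.

    The AAA client is the source address of the TCP connection, not a field
    in the packet. For a request relayed by proxy, that address belongs to the
    forwarding AAA server, so the NAR is applied to it rather than to the
    originating AAA client, exactly as the note above describes.
    """
    return NarInputs(
        protocol="TACACS+",
        aaa_client=socket_peer_ip,
        port=start_body.get("port"),
        remote_addr=start_body.get("rem_addr"),
        called_station=None,
    )


if __name__ == "__main__":
    # Constructed sample requests; addresses come from documentation ranges.
    direct = nar_inputs_from_radius({4: "10.0.0.5", 5: 20, 30: "10.0.0.5", 31: "192.0.2.10"})
    fallback = nar_inputs_from_radius({32: "nas-edge-1", 87: "GigabitEthernet0/1", 31: "192.0.2.11"})
    no_addr = nar_inputs_from_radius({4: "10.0.0.9"})   # client that sends no address information
    proxied = nar_inputs_from_tacacs("10.0.0.20", {"port": "tty1", "rem_addr": "198.51.100.7"})
    for req in (direct, fallback, no_addr, proxied):
        print(req, "full NAR:", req.full_nar_possible)
```

The `full_nar_possible` flag is the practical takeaway: when reviewing NAR policy, check which of your AAA clients actually send calling-station-id (or rem_addr), because a filter keyed on the remote address silently has nothing to match against for clients that omit it.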
