User Guide for Cisco Secure ACS for Windows Server (Cisco Secure ACS 3.3), 78-16592-01
Chapter 5 Shared Profile Components: Network Access Restrictions (page 5-19)
• If you are using RADIUS—The NAR fields listed use the following values:
  – AAA client—The NAS-IP-address (attribute 4) or, if NAS-IP-address does not exist, NAS-identifier (RADIUS attribute 32) is used.
  – Port—The NAS-port (attribute 5) or, if NAS-port does not exist, NAS-port-ID (attribute 87) is used.
  – CLI—The calling-station-ID (attribute 31) is used.
  – DNIS—The called-station-ID (attribute 30) is used.
When specifying a NAR you can use asterisks (*) as wildcards for any value, or
as part of any value to establish a range (for example, 555* matches any CLI that
begins with 555). All the values/conditions in a NAR line item must be met for
that line item to apply; that is, the values are “ANDed”, and a single mismatched
field (or a required attribute that is absent from the request) means the line
item does not match.
Adding a Shared Network Access Restriction
You can create a shared NAR that contains many access restrictions. Although the
Cisco Secure ACS HTML interface does not enforce limits to the number of
access restrictions in a shared NAR or to the length of each access restriction,
there are limits that you must adhere to, as follows:
• The combination of fields for each line item cannot exceed 1024 characters.
• The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a CLI/DNIS-based NAR where the AAA client names are 10 characters, the port numbers are 5 characters, the CLI entries are 15 characters, and the DNIS entries are 20 characters, you can add 450 line items before reaching the 16 KB limit.
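The following Python is an added example and is not code from the Cisco guide or from Cisco Secure ACS. It serves two passages above: it applies the RADIUS-to-NAR field mapping with the NAS-IP-address/NAS-identifier and NAS-port/NAS-port-ID fallbacks, evaluates the asterisk wildcard and "ANDed" matching rules across the four fields, and then checks a shared NAR against the 1024-character line item limit and the 16 KB total limit. Assumptions that the guide does not state: RADIUS attribute values are plain strings keyed by attribute number, whether a matching line item permits or denies access is decided by the caller, and a line item's length is measured as its four fields joined by one separator character. The sample NAR and the RADIUS requests are constructed for the example.

```python
"""Added example, not code from the Cisco guide: apply the RADIUS-to-NAR field
mapping and the wildcard/AND matching rules described above, then check a shared
NAR against the 1024-character and 16 KB limits.

Assumptions (not stated by the guide): attribute values are plain strings keyed
by RADIUS attribute number; whether a matching line item permits or denies is
decided by the caller; a line item's length is measured as its four fields
joined by one separator character. All request data below is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# RADIUS attribute numbers named in the guide.
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLED_STATION_ID = 30
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
NAS_PORT_ID = 87

MAX_LINE_ITEM_CHARS = 1024        # per line item
MAX_SHARED_NAR_CHARS = 16 * 1024  # whole shared NAR


class NarLineItem(NamedTuple):
    """One line item of a shared NAR; '*' in any field is a wildcard."""
    aaa_client: str
    port: str
    cli: str
    dnis: str


def nar_fields_from_radius(attrs: Dict[int, str]) -> Dict[str, Optional[str]]:
    """Map a RADIUS request onto the four NAR fields with the guide's fallbacks:
    NAS-IP-Address else NAS-Identifier, NAS-Port else NAS-Port-Id."""
    return {
        "aaa_client": attrs.get(NAS_IP_ADDRESS, attrs.get(NAS_IDENTIFIER)),
        "port": attrs.get(NAS_PORT, attrs.get(NAS_PORT_ID)),
        "cli": attrs.get(CALLING_STATION_ID),
        "dnis": attrs.get(CALLED_STATION_ID),
    }


def field_matches(pattern: str, value: Optional[str]) -> bool:
    """A lone '*' matches anything, even an absent attribute. A '*' inside a
    value (e.g. '555*') matches any run of characters; everything else is
    literal. A non-wildcard pattern never matches an absent attribute."""
    if pattern == "*":
        return True
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def nar_line_matches(item: NarLineItem, fields: Dict[str, Optional[str]]) -> bool:
    """All four conditions are ANDed: every field must match."""
    return all(field_matches(getattr(item, name), fields[name]) for name in NarLineItem._fields)


def first_matching_item(items: List[NarLineItem], attrs: Dict[int, str]) -> Optional[int]:
    """Index of the first line item the request satisfies, or None."""
    fields = nar_fields_from_radius(attrs)
    for idx, item in enumerate(items):
        if nar_line_matches(item, fields):
            return idx
    return None


def line_item_length(item: NarLineItem) -> int:
    """Length of one line item (assumed: four fields, one separator between)."""
    return len(",".join(item))


def validate_shared_nar(items: List[NarLineItem]) -> List[str]:
    """Report the limit violations the guide lists; an empty list means OK."""
    problems = []
    for idx, item in enumerate(items):
        if line_item_length(item) > MAX_LINE_ITEM_CHARS:
            problems.append(f"line item {idx} exceeds {MAX_LINE_ITEM_CHARS} characters")
    total = sum(line_item_length(item) + 1 for item in items)  # +1 line break each
    if total > MAX_SHARED_NAR_CHARS:
        problems.append(f"shared NAR is {total} characters, over {MAX_SHARED_NAR_CHARS}")
    return problems


# Constructed sample NAR: line 0 is address/CLI based, line 1 is name/port/DNIS based.
SAMPLE_NAR = [
    NarLineItem(aaa_client="10.0.0.1", port="*", cli="555*", dnis="*"),
    NarLineItem(aaa_client="branch-nas-*", port="tty1", cli="*", dnis="18005551212"),
]

# Constructed RADIUS requests keyed by attribute number.
REQ_BY_ADDRESS = {NAS_IP_ADDRESS: "10.0.0.1", NAS_PORT: "7", CALLING_STATION_ID: "5551234"}
REQ_BY_NAME = {NAS_IDENTIFIER: "branch-nas-02", NAS_PORT_ID: "tty1", CALLED_STATION_ID: "18005551212"}
REQ_NO_CLI = {NAS_IP_ADDRESS: "10.0.0.1", NAS_PORT: "7", CALLED_STATION_ID: "18005551212"}
# NAS-IP-Address is present, so NAS-Identifier is ignored even though it would match.
REQ_IP_WINS = {NAS_IP_ADDRESS: "10.0.0.9", NAS_IDENTIFIER: "10.0.0.1", CALLING_STATION_ID: "5550000"}

if __name__ == "__main__":
    for name, req in [("by address", REQ_BY_ADDRESS), ("by name", REQ_BY_NAME),
                      ("no CLI", REQ_NO_CLI), ("IP wins", REQ_IP_WINS)]:
        print(f"{name}: matches line item {first_matching_item(SAMPLE_NAR, req)}")
    print("limit problems:", validate_shared_nar(SAMPLE_NAR))
```

Two details are worth noting when reasoning about a NAR. First, the fallback is strict precedence, not a union: when NAS-IP-address is present it is the only value compared, so a NAS-identifier that happens to match a line item does not rescue the request (REQ_IP_WINS). Second, a lone asterisk matches an absent attribute, but a partial wildcard such as 555* does not, so a CLI-based line item silently fails to match requests from clients that never send calling-station-ID (REQ_NO_CLI); whether that is the desired outcome depends on whether the NAR is a permit or a deny list.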
Before You Begin
Before defining a NAR, you should be sure that you have established the elements
you intend to use in that NAR. This means that you must have specified all NAFs
and NDGs, and defined all relevant AAA clients, before making them part of the
NAR definition. For more information see