Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 6 Setting Up and Managing User Groups
Common User Group Settings

Step 4 To define and apply a NAR for this particular user group that permits or denies the group’s access based on IP address, or IP address and port, follow these steps:

Tip: You should define most NARs from within the Shared Components section so that the restrictions can be applied to more than one group or user. For more information, see the “Shared Network Access Restrictions Configuration” section on page 5-7.

  a. In the Network Access Restrictions table, select the Define IP-based access restrictions check box.
  b. To specify whether the subsequent listing specifies permitted or denied IP addresses, from the Table Defines list, select either Permitted Calling/Point of Access Locations or Denied Calling/Point of Access Locations.
  c. Select or enter the information in the following boxes:
     • AAA Client—Select either All AAA Clients or the name of the NDG or the name of the individual AAA client to which to permit or deny access.
     • Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
     • Address—Type the IP address or addresses to filter on when performing access restrictions. You can use the wildcard asterisk (*).
  d. Click Enter.
     Result: The specified AAA client, port, and address information appears in the NAR Access Control list.

Step 5 To permit or deny this user group’s access based on calling location or values other than an established IP address, follow these steps:

  a. Select the Define CLI/DNIS-based access restrictions check box.
  b. To specify whether the subsequent listing specifies permitted or denied values, from the Table Defines list, select one of the following:
     • Permitted Calling/Point of Access Locations
     • Denied Calling/Point of Access Locations
  c. From the AAA Client list, select either All AAA Clients or the name of the NDG or the name of the particular AAA client to which to permit or deny access.
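
The following Python sketch is an added example, not part of the Cisco guide or of Cisco Secure ACS. It models the IP-based NAR table from Step 4 so that a planned set of rows can be checked before it is entered, and it flags catch-all rows. Assumptions: a permit table admits only requests that match a row, a deny table blocks only requests that match a row, and the asterisk may stand for any run of characters; the client names, NDG name and addresses are constructed sample values.

```python
import re

PERMITTED = "Permitted Calling/Point of Access Locations"
DENIED = "Denied Calling/Point of Access Locations"

# Constructed sample data (hypothetical names, documentation addresses).
NDG_MEMBERS = {"Branch-NDG": {"nas-branch-1", "nas-branch-2"}}
SAMPLE_ROWS = [
    {"aaa_client": "vpn-gw-1", "port": "*", "address": "10.1.2.*"},
    {"aaa_client": "Branch-NDG", "port": "23", "address": "192.0.2.10"},
]


def wildcard_match(pattern, value):
    """Match value against pattern, where only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def client_match(entry, aaa_client):
    """Entry is All AAA Clients, an NDG name, or one AAA client name."""
    if entry == "All AAA Clients":
        return True
    return aaa_client == entry or aaa_client in NDG_MEMBERS.get(entry, set())


def row_matches(row, aaa_client, port, address):
    """True when a request falls under one NAR Access Control list row."""
    return (client_match(row["aaa_client"], aaa_client)
            and wildcard_match(row["port"], str(port))
            and wildcard_match(row["address"], address))


def nar_allows(table_defines, rows, aaa_client, port, address):
    """Assumed decision: permit table admits only matches, deny table blocks them."""
    hit = any(row_matches(r, aaa_client, port, address) for r in rows)
    if table_defines == PERMITTED:
        return hit
    if table_defines == DENIED:
        return not hit
    raise ValueError("unknown Table Defines value: %r" % table_defines)


def catch_all_rows(rows):
    """Rows that match every request; in a permit table they void the restriction."""
    return [r for r in rows
            if r["aaa_client"] == "All AAA Clients"
            and r["port"] == "*" and r["address"] == "*"]
```

Running catch_all_rows over a proposed permit table before entering it shows whether any single row would admit every AAA client, port and address.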