Re: NAR

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Jun 17 2007 - 07:26:26 ART


Hello Peter

For Group/User Based NARs the "No Filters activated" column is *not* used;
it's only there for the NARs defined in Shared Profile Components. For this
reason, whenever there is no restriction in the security lab, always configure
Shared NARs to ease troubleshooting; shared NARs generate very precise
logs in ACS logs/reports:

Have a look at this link:

Network Access Restrictions White Paper
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Make sure to check out the "Logging and Debugging Information" section

It reads:

"When the reason for acceptance or denial is unclear, you can add the Filter
Information field to these reports (both to failed attempts and passed
authentications). This field will provide additional data only when using
SPC NARs. (All existing NARs can be easily replaced with SPC NARs.) When you
use existing NARs, this field will show the first message (No Filter
Activated) regardless of the results."

Also remember that the default action for both permit/deny NARs is that the
user is denied if 'incomplete' information is sent from the NAS, which is
true for some security devices, as per the Cisco ACS User Guide. So make a
Shared NAR and disable the Group NAR, and have a look at the 'Filter'
column; it will give you very precise details about what is happening and
why the user is being denied, something like:

"Access Filter *<filter name>* from *<id>* denied Because of lack of
required attributes. This is sufficient to reject an "All Selected" SPC NAR
config."

Contact me offline if you wish for further help :)

Regards

Farrukh

On 6/17/07, Peter Svidler <doubleccie@yahoo.com> wrote:
>
> I went through this document and a few others. I created the NAR on the
> group directly; still I get an authentication failure when the user (who
> belongs to the group) tries to log in to the router. If I remove the NAR
> configuration, the user can log in normally.
>
> I get the authentication failure on the reports due to "No Filters
> activated".
>
> Do I need to enable anything on the router other than the authentication and
> authorization exec method lists?
>
>
>
>
> Tarun Pahuja <pahujat@gmail.com> wrote:
> Peter,
> Are you applying the filter to the right group? I would
> suggest that you look at the following URL. There are a number of variables
> in NAR that would have to be configured correctly for it to work.
>
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e960.html#wp697095
>
> HTH,
> Tarun
>
>
> On 6/17/07, Peter Svidler <doubleccie@yahoo.com> wrote:
> Guys,
> I am trying to configure Network Access Restriction on the ACS. My
> authentication and authorization are working fine on the router before
> enabling NAR, but when I enabled a per-group NAR and specified a certain
> subnet, I keep getting an authentication failure error. On the ACS failed
> attempts report I get the following error: "authentication failure, No
> active filter".
>
> What else do I need to configure? Is there anything that needs to be done on
> the router, or is something missing on the ACS?
>
>
>
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
> --
> Tarun Pahuja
> CCIE#7707(R&S,Security,SP,Voice,Storage),CCSI
>
>
>

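The decision logic Farrukh describes above (a group NAR only ever logs "No Filters activated", a Shared Profile Component NAR logs a descriptive Filter Information message, and any NAR denies when the NAS omits the attribute it keys on) can be modelled to see why the two configurations fail differently. The block below is an added illustration written for this archive page; it is not ACS code, and the `Request`, `Nar` and `evaluate` names, the wildcard matching on the calling-station value, and the "permitted"/"denied" wording for a matched entry are assumptions. Only the "lack of required attributes" and "No Filters activated" strings are taken from the thread.

```python
"""Toy model of Cisco ACS NAR evaluation (added example, not ACS's own logic).

A NAR lists (AAA client, calling-station pattern) entries and is either a
permit list or a deny list.  When the NAS does not send the calling-station
value at all, ACS denies regardless of permit/deny (the 'incomplete
information' case from the user guide).  Only a Shared Profile Component
(SPC) NAR populates the Filter Information field; a group/user NAR leaves
the generic "No Filters activated" text, which is why the group NAR in the
thread gave no useful clue.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple

NO_FILTER = "No Filters activated"        # string quoted in the thread
LACK_OF_ATTRS = "lack of required attributes"  # string quoted in the thread


@dataclass
class Request:
    nas_ip: str                 # AAA client (router) address, assumed field name
    cli: Optional[str] = None   # calling-station value (e.g. telnet source IP);
                                # None means the NAS did not send it


@dataclass
class Nar:
    name: str
    permit: bool                      # True: listed locations permitted; False: denied
    shared: bool                      # True: SPC NAR; False: group/user NAR
    entries: List[Tuple[str, str]]    # (aaa_client_pattern, cli_pattern), '*' wildcards


def _entry_hit(nar: Nar, req: Request) -> bool:
    """True if any NAR entry matches both the AAA client and the calling station."""
    return any(fnmatch(req.nas_ip, client) and fnmatch(req.cli, pattern)
               for client, pattern in nar.entries)


def evaluate(nar: Nar, req: Request) -> Tuple[bool, str]:
    """Return (allowed, filter_information_text) for one request.

    The descriptive text is what an SPC NAR would write into the report's
    Filter Information field; a group/user NAR returns NO_FILTER instead.
    """
    if req.cli is None:
        # Incomplete information from the NAS: denied for permit and deny NARs alike.
        allowed = False
        detail = (f"Access Filter {nar.name} from {req.nas_ip} denied Because of "
                  f"{LACK_OF_ATTRS}. This is sufficient to reject an "
                  f'"All Selected" SPC NAR config.')
    else:
        hit = _entry_hit(nar, req)
        allowed = hit if nar.permit else not hit
        verdict = "permitted" if allowed else "denied"   # assumed wording
        detail = f"Access Filter {nar.name} from {req.nas_ip} {verdict}"
    return allowed, (detail if nar.shared else NO_FILTER)


if __name__ == "__main__":
    # Constructed sample: permit logins only from the 10.1.1.0/24 lab subnet.
    entries = [("*", "10.1.1.*")]
    group_nar = Nar("lab-subnet", permit=True, shared=False, entries=entries)
    spc_nar = Nar("lab-subnet", permit=True, shared=True, entries=entries)
    for req in (Request("10.0.0.1"),                 # router sent no calling station
                Request("10.0.0.1", "10.1.1.5"),     # inside the permitted subnet
                Request("10.0.0.1", "192.168.9.9")): # outside it
        for nar in (group_nar, spc_nar):
            allowed, info = evaluate(nar, req)
            kind = "SPC  " if nar.shared else "group"
            print(f"{kind} cli={req.cli!s:12} allowed={allowed!s:5} | {info}")
```

Running it shows the troubleshooting point of the thread: for the request with no calling-station value both NARs deny, but only the SPC line explains that the denial is due to missing attributes rather than a wrong subnet, whereas the group NAR reports "No Filters activated" for every outcome.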


This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART