Configuring Network Access Restrictions


You can configure multiple shared NARs to restrict access to particular AAA clients, all AAA clients, or to named Network Device Groups (NDGs). This section provides the configuration steps for NARs, as well as edit and delete steps.

Creating Shared NARs

To add a shared NAR, follow these steps:

Step 1.

Select Shared Profile Components in the left navigation bar. This opens the Shared Profile Components page.

Step 2.

Select Network Access Restrictions.

Step 3.

Select Add. This opens the Network Access Restrictions page.

Step 4.

In the Name box, type a name for the new shared NAR. This can be up to 32 characters and cannot contain any leading or trailing spaces, nor can the following special characters be used:

- [

- ]

- ,

- /

Step 5.

In the Description box, type a description of the new shared NAR.

Step 6.

To create an IP-based NAR, follow Steps 7 through 10. To create a non-IP-based NAR, follow Steps 1 through 7 in the section titled "Creating a Non-IP-Based NAR."

Step 7.

Select the Define IP-based access restrictions check box.

Step 8.

To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value.

Step 9.

Select or type the applicable information in each of the following boxes:

- AAA Client: Select All AAA clients, the name of the NDG, or the individual AAA client to which access is permitted or denied.

- Port: Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

- Src IP Address: Type the IP address to filter on when performing access restrictions. You can type multiple entries separated by a comma or use the wildcard asterisk (*) to specify all IP addresses.

Step 10.

Click Enter.

Step 11.

To enter additional IP-based line items, repeat Steps 8 and 9.

Configuration Details and Tips

This section details some options that are available to you during the configuration:

  • When you specify a NAR, you can use asterisks (*) as wildcards for any value, or as part of any value to establish a range. All the values and conditions in a NAR specification must be met for the NAR to restrict access. These values are "ANDed" to determine the result.

  • NARs can be applied to a user profile or a group profile.

  • When you create the NAR, you don't need to specify whether it will be used for a user profile or a group profile; the NAR is attached in the respective user or group configuration page.

  • When you name a NAR, use a keyword that will be easy to recognize later and that gives some information about the specifics of the NAR.

  • You can use multiple NARs in one profile.

  • When you specify the application of multiple shared NARs to a user or user group, you choose one of two access criteria: either "All selected filters must permit" or "Any one selected filter must permit."

  • Shared access restrictions are kept in the ACS user database.

  • Shared access restrictions can be backed up/restored by the ACS backup and restore features and replicated to secondary CSACS servers along with other configurations.
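The tips above describe how a NAR is evaluated: every value in a line item is ANDed, the Table Defines setting decides whether a matching line permits or denies, and several shared NARs in one profile combine with "all must permit" or "any one must permit." The following model is an added example written for this page, not Cisco ACS code; it assumes that a "permitted" table allows only matching requests and a "denied" table blocks matching ones, and all NAR names, NDG names and addresses in it are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added illustration of the NAR rules on this page (not ACS code); field semantics assumed.

def valid_nar_name(name: str) -> bool:
    """Page rules: at most 32 chars, no leading/trailing spaces, none of [ ] , /"""
    return 0 < len(name) <= 32 and name == name.strip() and not set(name) & set("[],/")

def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, as a whole value or part of one (10.1.*)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

@dataclass
class LineItem:
    aaa_client: str   # 'All AAA clients', an NDG name, or one AAA client name
    port: str         # port number, or '*' for all ports
    src_ip: str       # one or more comma-separated addresses/patterns, or '*'

    def matches(self, client: str, ndg: str, port: str, src_ip: str) -> bool:
        # All values in one line item are ANDed.
        client_ok = self.aaa_client in ("All AAA clients", client, ndg)
        port_ok = wildcard_match(self.port, port)
        ip_ok = any(wildcard_match(p.strip(), src_ip) for p in self.src_ip.split(","))
        return client_ok and port_ok and ip_ok

@dataclass
class SharedNAR:
    name: str
    table_defines: str              # "permitted" or "denied" (Table Defines list)
    items: List[LineItem] = field(default_factory=list)

    def permits(self, client: str, ndg: str, port: str, src_ip: str) -> bool:
        hit = any(i.matches(client, ndg, port, src_ip) for i in self.items)
        # A "permitted" table allows only matching requests; a "denied" table blocks them.
        return hit if self.table_defines == "permitted" else not hit

def profile_permits(nars: List[SharedNAR], criteria: str, client: str,
                    ndg: str, port: str, src_ip: str) -> bool:
    """criteria: 'all' = all selected filters must permit; 'any' = any one must permit."""
    results = [n.permits(client, ndg, port, src_ip) for n in nars]
    return all(results) if criteria == "all" else any(results)

# Constructed sample NARs (names, NDG and addresses are made up for this example).
MGMT_NET = SharedNAR("Permit-Mgmt-Net", "permitted",
                     [LineItem("All AAA clients", "*", "10.1.*, 10.2.0.5")])
NO_GUEST = SharedNAR("Deny-Guest-Branch", "denied",
                     [LineItem("Branch-Routers", "*", "192.168.50.*")])
```

Note that with the "any" criterion a request blocked by the deny NAR can still be permitted by another NAR that happens to permit it, which is why the choice of access criterion deserves the same review as the line items themselves.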

Creating a Non-IP-Based NAR

The following steps apply to non-IP-based NARs rather than IP-based NARs:

Step 1.

Select the Define CLID/DNIS-based access restrictions check box.

Step 2.

To specify whether you are listing addresses that are permitted or denied, select the applicable value from the Table Defines list.

Step 3.

To specify the applicability of this NAR, select one of the following values from the AAA Client list:

- The name of the NDG

- The name of the particular AAA client

- All AAA clients

If you have not configured any NDGs, none appear in the list; only the NDGs that you have created appear there.

Step 4.

To specify the information on which this NAR should filter, fill in the following boxes, as applicable:

- Port: Type the number of the port on which to filter.

- CLID: Type the CLID number on which to filter. You can also use this box to restrict access based on values other than CLIDs, such as an IP address or MAC address.

- DNIS: Type the number being dialed into on which to filter.

Step 5.

Click Enter. Clicking Enter adds the information as a NAR line item, which appears in the table.

Step 6.

To enter additional non-IP-based NAR line items, repeat Steps 3 through 5.

Step 7.

To complete your configuration, select Submit. This saves the NAR that you have created and displays it in the Network Access Restriction Sets table.

This completes your configuration. A sample of an IP-based NAR can be seen in Figure 10-3. This is intended only as an example. The output on your screen might differ.

Figure 10-3. Configuring an NAR


Editing Shared NARs

After you have configured a NAR, it is fairly simple to edit it. To edit a NAR, perform the following steps:

Step 1.

Select Shared Profile Components in the left navigation bar. This opens the Shared Profile Components page.

Step 2.

Select Network Access Restrictions.

Step 3.

In the Name column, select the shared NAR you want to edit.

Step 4.

To edit the name or description of the filter, type and delete information, as needed.

To edit a line item in the IP-based access restrictions table, follow these steps:

Step 1.

Double-click the line item to be edited.

Step 2.

Edit the information, as applicable.

Step 3.

Click Enter.

To remove a line item, follow these steps:

Step 1.

Select the line item.

Step 2.

Below the table, select Remove. This removes the line item.

Step 3.

Click Submit. These changes take effect immediately.

To edit a line item in the CLID/DNIS access restrictions table, follow these steps:

Step 1.

Double-click the line item to be edited.

Step 2.

Edit the information, as applicable.

Step 3.

Click Enter.

Step 4.

Click Submit. These changes take effect immediately.

To remove a line item from the CLID/DNIS access restrictions table, follow these steps:

Step 1.

Select the line item.

Step 2.

Below the table, click Remove. This removes the item.

Step 3.

Click Submit. These changes take effect immediately.

Deleting a Shared NAR

To remove a shared NAR, follow these steps:

Step 1.

Select Shared Profile Components in the left navigation bar. This opens the Shared Profile Components page.

Step 2.

Select Network Access Restrictions.

Step 3.

Select the name of the shared NAR you want to delete.

Step 4.

At the bottom of the page, select Delete. This causes a dialog box to warn you that you are about to delete a shared NAR.

Step 5.

To confirm that you intend to delete the shared NAR, select OK.

Step 6.

The selected shared NAR is deleted.

The warning message that appears when you are deleting a NAR is seen here in Figure 10-4.

Figure 10-4. NAR Delete Warning


Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
