RADIUS authentication is required to support the downloadable IP ACL feature.
The following Cisco devices support Downloadable IP ACL:
PIX and ASA Firewalls
VPN 3000 Concentrators
Routers

Network Access Filter (NAF)
NAF is one of the newer features introduced in the ACS Shared Profile component.
Before NAF, per-device access restriction was not an option: the same access restrictions and ACLs
were applied to all the devices in the network group. With NAF, network-access restrictions and
downloadable ACLs can be applied granularly, based on network device names, network device groups (NDG),
or their IP addresses. NAF can also use IP address ranges and wildcards.
NAF can be defined as a named group with any combination of one or more of the following network elements:
IP address
AAA client (network device)
Network device group (NDG)
Several applications of NAF exist. As discussed previously, NAF can be used in conjunction with Downloadable IP
ACLs or in shared NARs to apply device-specific filtering and to regulate access control based on the AAA client's
IP address.
Note
NAF needs to be enabled on the Advanced Options page of the Interface Configuration section before it
appears as a selection on the Shared Profile Components page.
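
The following sketch is an added example, not ACS code or configuration. It models how a NAF built from IP patterns, AAA client names, and NDGs can decide which downloadable ACL content a given device receives. The class and function names, the per-octet wildcard and range notation, the first-match ordering, and all sample devices and ACL lines are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AAAClient:
    name: str   # AAA client (network device) name
    ndg: str    # network device group the device belongs to
    ip: str     # IP address the RADIUS request came from

@dataclass
class NAF:
    name: str
    ip_patterns: list = field(default_factory=list)  # e.g. "10.20.*.*", "192.168.5.10-20"
    clients: list = field(default_factory=list)      # AAA client names
    ndgs: list = field(default_factory=list)         # NDG names

    def matches(self, c: AAAClient) -> bool:
        # A device is in the filter if ANY of its elements covers it.
        return (c.name in self.clients or c.ndg in self.ndgs
                or any(ip_match(p, c.ip) for p in self.ip_patterns))

def octet_match(pat: str, octet: str) -> bool:
    # Assumed notation: "*" matches any octet, "lo-hi" an inclusive range.
    if pat == "*":
        return True
    lo, _, hi = pat.partition("-")
    return int(lo) <= int(octet) <= int(hi or lo)

def ip_match(pattern: str, ip: str) -> bool:
    p, o = pattern.split("."), ip.split(".")
    return len(p) == len(o) == 4 and all(octet_match(a, b) for a, b in zip(p, o))

def select_acl(entries, client: AAAClient):
    # entries: ordered (NAF or None, ACL lines); None stands for "all AAA clients".
    # Assumed policy: the first matching entry wins; no match means no ACL.
    for naf, content in entries:
        if naf is None or naf.matches(client):
            return content
    return None

# Constructed sample data (not from the original page).
BRANCH = NAF("branch-fw", ip_patterns=["10.20.*.*", "192.168.5.10-20"])
DC = NAF("dc-vpn", clients=["vpn3k-1"], ndgs=["DataCenter"])
ENTRIES = [
    (BRANCH, ["permit tcp any host 10.20.0.5 eq 443", "deny ip any any"]),
    (DC, ["permit ip any 10.50.0.0 255.255.0.0"]),
]

if __name__ == "__main__":
    for dev in (AAAClient("asa-branch", "Branches", "10.20.3.1"),
                AAAClient("vpn3k-1", "Remote", "172.16.1.1"),
                AAAClient("rtr-lab", "Lab", "192.168.5.21")):
        print(dev.name, "->", select_acl(ENTRIES, dev))
```

Because the last device matches no filter, it receives no ACL content, which is the case to check when a device unexpectedly ends up without the restrictions intended for it.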