ACS 5.3 cannot create default network access authorization rule

Similar Messages

• Query: Best practice SAN switch (network) access control rules?

  Dear SAN experts,
  Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
  I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
  Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
  In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
  For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
  These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
  So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
  regards,
  Will.

  Hi William,
  That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
  Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
  for zones there are a few best practices:
  * Default Zone: Don't use it. unless you're running Ficon.
  * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
  * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
  * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
  * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
  * Read-Only exists, but again any modern array should be able to make a lun read-only.
  * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
  VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
  When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
  Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
  They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
  I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
  To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
  That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

• Cannot create scheduled task, access denied

  Windows Server 2003 R2
  I am logged in as a local administrator and cannot create a scheduled task:
  [Task Scheduler]
  The new task could not be created.
  The specific error is:
  0x80070005: Access is denied.
  Try using the Task page Browse button to locate the application.
  [OK]
  My research lead me to look look in the Group Policy Object Editor for:
  Windows Settings > Security Settings > File System > %SystemRoot%\Tasks
  On this machine, there is no "File System" folder. In the MSDN Library, I find:
  "The File System folder is available only in Group Policy objects associated with domains, OUs, and sites. The File System folder does not appear in the Local Computer Policy object."
  Any ideas?

  found this information, problem solved...
  Problem Description:
  ===================
  When trying to create a new scheduled task, error occurred "The new task could not be created." "0x80070005: Access is denied. Try using the Task page Browse button to locate the application."
  Cause:
  ===================
  The Administrators group lack permission on the C:\WINDOWS\Tasks folder.
  Resolution:
  ===================
  Start - Run - CMD - C:/windows - CACLS TASKS /E /G builtin\administrators:F
  The steps above grant Administrators group full control permission to the C:\WINDOWS\Tasks folder.
  Again, thank you for posting in the SBS newsgroups. Please feel free to contact us again in the future.
  Best regards,
  Robbin Meng(MSFT)
  Microsoft Online Newsgroup Support

• Cannot create wireless network. I use the 2wire modem of att verse...

  I cannot creat a wireless network connecting the time capsule to the 2wire att uverse modem....

  Need a bit more info..
  You cannot create a wireless network that joins another.
  And you cannot extend a non-apple wireless network.
  If you want to join the TC to the existing wireless network.. old down the options key when you click on options for wireless mode.. now if you are on lion you need 5.6 utility.
  Once the TC joins the network it becomes a simple wireless client with everything basically off.
  A much better option is to plug the TC into the 2wire with ethernet.. and bridge the TC.. it is then accessible from the 2wire wireless network or you can create a second wireless network or a reinforced one.
  Bridge is under internet tab in manual setup.. connection sharing.. off bridged mode.

• Cannot create wireless network

  I am having an issue making the myRIO create its own wireless network. It has the capacity to do so, as shown in the NI myRIO tutorial video at http://www.ni.com/academic/students/learn-rio/applications/ in the Data Dashboard and NI myRIO video @ 57 seconds. In the video, it clearly shows the option to create the wireless network, however, when i follow the video's instruction, I don't have the listed option to create the wireless network. The image attached shows my screen and the clear absence of the option.
  I am new to myRIO and thus still learning, but I don't have any idea why I don't have that option. Any help would be greatly appreciated.
  Thank you,
  Juan
  Solved!
  Go to Solution.
  Attachments:
  my screen.JPG ‏42 KB

  It was a while ago when I last udated, so I am not completely sure what I did.
  I would just run the NI update service and see what it wants to update.
  Then open Max and find the myRIO. Go to the "system setting tab (along the bottom) and click the button to "update firmware". Select the newest from the dialog.
  LabVIEW Champion . Do more with less code and in less time .

• Creating LDAP filter in authorization rule OAM 10G

  Hi,
  I want to set up a LDAP filter in Authorization rule based on which i will redirect users to specific URL's. what is the syntax to writing LDAP filters in OAM authorization policy. Any pointers to documentation will be appreciated.
  Also i want to know whether authorizations always follow authentication. i.e. my redirection will be successful only after a user is authenticated in end application based on the headers we send out after successful authentication.
  Please Help
  Thanks
  Edited by: 904630 on Dec 27, 2011 5:34 AM
  Edited by: 904630 on Dec 27, 2011 5:36 AM

  Open Identity server console and check the attribute's Display Name and type in Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
  Hope it works for your as well :)

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

  Hello!
  Scenario
  Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
  The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
  DP in the untrusted domain knows its part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. nfortuantely authentication
  errors indicate that this software can'tbe downloaded.
  In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
  Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
  implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
  Problem
  The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
  The account does exist, created in the primary site server's domain and assigned to the site. Its not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
  A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (i think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
  were reinstalled. A fresh install didn't detect the NAA.
  Solution
  After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
  the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
  Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
  domains aren't approved automatically (by default).
  In this case something as simple as an Approving the client fixed these issues. 
  The DataTransferService.log highlights the issue:
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="1" thread="3136" file="dtsjob.cpp:3501">
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
  ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
  <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="3" thread="3136" file="dtsjob.cpp:3513">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.h:166">
  <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
  {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="2" thread="3136" file="dtsjob.cpp:3652">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.cpp:3205">
  <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
  thread="3136" file="netaccessaccount.cpp:288">
  <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
  type="1" thread="3136" file="netaccessaccount.cpp:858">
  <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
  (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
  The IIS server logs u_ex150219.log captures the request:
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 2 5 1509 2
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 4
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 3
  2 x Domains: DomainA and DomainX
  - Single domain forests
  - No trusts between domains/forests
  DomainA\PRIMARYSERVER
  - Primary Site Server, MP, DP, IIS, all roles
  DomainX\DP1
  - Distribution Point, IIS, etc
  - CCM client installed

  Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Was able to create guest network but when I try to access guest network to test it, I cannot connect.

  Was able to create guest network but when I try to access guest network to test it, I cannot connect.  I tried iPad and iPhone.

  The Guest Network feature will not function correctly if the AirPort Exteme is configured in Bridge Mode.
  But unfortunately, Bridge Mode is the correct setting if you have the AirPort Extreme connected to a modem/router or gateway type of device.
  So, is the AirPort Extreme configured in Bridge Mode as illustrated above?
  Can you provide the make and model number of the device that you might call your "modem"?

• ACS 5.3 - 11033 Selected Service type is not Network Access

  I have some older devices on the network that only support RADIUS (not TACACS) for authentication and would like to have them use SecureACS 5.3 
  I understand that by default, ACS only supports TACACS for device administration.  So I'll get this error when trying RADIUS:
  11033 Selected Service type is not Network Access
  Description:
  RADIUS requests can only be processed by Access Services that are of type Network Access
  Resolution Text:
  Verify that the Service Selection Policy rules are correct
  However, even after adjusting the Service Selection rules and seeing hits, I still see the same message in the logs, as if it has no affect.  Any Ideas?

  If you use the protocol as radius you can not use a device admin service. You can only use network access. That will allow you for authentication to the devices.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Time Capsule 4 gen. with iMac OS X Lion   3 Windows PC (XP OS, Vista OS, Seven OS) cable modem with TC as Wi-Fi. Time Machine on iMac found TC for backup easily. Have Wi-Fi access on PC XP with Airport utility but cannot create TC.

  Installed today Time Capsule 4 gen. with iMac OS X Lion. I also have  3 Windows PC (XP OS, Vista OS, Seven OS). Internet Access is cable modem with TC as Wi-Fi. Time Machine on iMac found TC for backup easily. Have Wi-Fi access on PC XP with Airport utility but cannot create TC. Does the Airport utility under Windows is way to access backup capabilities with TC ?

  The TC is really just an external networked hard disk plus router.. you can access the hard disk and place files on it from any computer. You can backup any computer to the TC but it will have to use a backup software in windows.. there are literally thousands available. The built in msbackup is horrible.. but you can download lots of different software and buy then online for not a lot. Macrium Reflect has a free disk image backup, and when you pay for it includes incremental. I think disk images are well worth it, as they recover much better.. and their is a proper method of recovery using a boot cd.
  BTW the TC space is not endless. And it is designed to hold a large number of incremental backups.. so anything you do in backing up several machines will make the number of backups limited. Remember you can also use a usb hard disk plugged in as a Network accessible disk. But it has to be formatted HFS+ or Fat32.. the later being highly undesirable.

• I cannot create a catalog because everywhere I try on my computer, it comes up with cannot Lightroom cannot create a catalog on network volumes.  And is there any way to contact Adobe directly?  Would you be able to give me a phone number and/or email add

  I cannot create a catalog because everywhere I try on my computer, it comes up with cannot Lightroom cannot create a catalog on network volumes.  And is there any way to contact Adobe directly?  Would you be able to give me a phone number and/or email address?@@

  The short and direct answer to your question about catalogs on a network drive is that you can't do that. The catalog must reside on a local drive.
  Here is a link to a list of telephone numbers. Choose one that is appropriate:
  Adobe Connect Support phone numbers

• Is it possible that network access permission control in acs 5.1

  Hello
  We have ACS5.1, WLC 7.0 and using 802.1x to authentication users.
  Anybody know how I can configure network access restriction with using internal user group information.
  For example, under the same SSID(like that "test") , same VLAN ID.
  But two different user group has a different network access permission.
  One group has full permission and the other has a limit network access permission.
  Is it possible?

  The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of user and the other profile for the others.
  Now to restrict access to the network, I think you're best with an ACL ? So link ACLs to your profiles.
  Nicolas

• **Creating default directory in failed: \logging.properties (Access is denied)**

  Hello Experts,
  i am deploying edq on weblogic.
  After deployment, when lauching the edq url getting below error on firefox.
  **Creating default directory in failed: \logging.properties (Access is denied)**
  by default, it took the path as:
  C:\oraclesw\oracle\middleware\user_projects\domains\oedq_dev_domain\servers\edqdev_server1\tmp\_WL_user\dndirector\1i3bzo\war\WEB-INF\config
  i have unzipped the config.zip into above mentioned config folder.

  When we restart the application server up and start the managed server, the deployment is in the failed status with the following message:
  We have the Memory settings on the managed server set as : -Xmx5024M –XX:MaxPermSize=256M
  <Jul 11, 2013 4:45:13 PM EDT> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating start task for application 'dndirector'.>
  <Jul 11, 2013 4:45:13 PM EDT> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
  weblogic.application.ModuleException:
          at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1520)
          at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
          at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
          at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
          at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
          Truncated. see log file for complete stacktrace
  Caused By: java.lang.ClassNotFoundException: com.datanomic.utils.transport.TransportSignature
          at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
          at java.security.AccessController.doPrivileged(Native Method)
          at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
          at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
          at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
          Truncated. see log file for complete stacktrace
  >
  <Jul 11, 2013 4:49:42 PM EDT> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationOverviewPage&WebAppApplicationOverviewPortlethandle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3Ddndirector%2CType%3DAppDeployment%22%29.>

• Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

  We are attempting to configure ACS 4.2.1.15 on Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point  for PEAP and also setup The Access Point for Radius authentication pointed to the ACS server it always maps to the the first Network Access Profile and rather than it trying the second it will error sayiing some condition is not met depending on what changes I make. Can someone tell me what the criteria that is used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
  I am using one ACS group that is mapped to an AD group for Wireless Access and a Second ACS group mapped to an AD group that includes the Net Admins. This group mapping appers to be working as the user group name seems to mapped correctly in the logs.  In short I have tried only configuring the Wireless NAP to only Allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Bascially what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go onto the next Network Access profile?
  I am familiar with version 3.2 but it does not seem to work the same.
  Any help would be appreciated on what I am missing.
  Thanks

  Hi Surenda,
                     Thanks for your reply. Nop, there is no WLC yet, but the WLC will be installed shortly.
  Thanks,
  Jean Paul