10.5.2 Kills Admin Access, No Fix.

Similar Messages

• Help needed restricting users admin access to devices using ACS 4.2

  I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
  The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. ( I have a separate group called 'PIX ACCESS' which will contained only defined users for admin access).
  Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
  So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

  Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it alot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
  So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
  This comes up everytime I install an ACS server, (every 2-3 years), and it's always a trick.
  Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

• Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

  Dear all,
  How can I authenticate admin access to the Prime infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as RADIUS server? I find some information using ACS as RADIUS server but cannot find how to for Windows NPS.
  I try to configure the NPS but an error prompted when logging in to PI using an account in the NPS server, "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
  Thanks for your help.
  Dennis

  Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explination here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
  The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from radius.  They are as as follows:
  NCS:role0=Admin
  NCS:virtual-domain0=ROOT-DOMAIN
  "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
  For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

• ISE Admin Access Authentication to RADIUS Token Server

  Hi all!
  I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
  Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
  Thanks in advance,
  Michael Langerreiter

  ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.
  Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
  Last Modified
  Nov 25, 2014
  Product
  Cisco Identity Services Engine (ISE) 3300 Series Appliances
  Known Affected Releases
  1.3(0.876)
  Description (partial)
  Symptom:
  ISE 1.3 RBAC fails with shadow user & Radius token
  Operations > Reports > Deployment Status > Administrator Logins report shows
  Authentication failed due to zero RBAC Groups
  Conditions:
  RBAC with shadow user & Radius token
  View Bug Details in Bug Search Tool
  Why Is Login Required?
  Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
  Bug Details Include
  Full Description (including symptoms, conditions and workarounds)
  Status
  Severity
  Known Fixed Releases
  Related Community Discussions
  Number of Related Support Cases
  Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

• Why is Domain Admin access required for NTFS crawling?

  Need some assistance from the experts in here..
  Our company has a policy against granting Domain Admin access to service accounts.
  Oracle states that Domain Administrative priviledges are required for NTFS crawling. However, they aren't able to provide a reasonable explanation as to why such a high level of access is necessary. In theory, Local Administrative privildges on the target file host should suffice if the crawler is grabbing ACL details, but in practice does not seem to work.
  Can anyone point me to some technical documentation on SES NTFS crawling or help me understand what actions are being invoked?
  Many thanks.
  LC

  They do seem confused. I have heard on a few occasions, someone has taken their computer in for some major work and it comes back with the latest OS! I think some Service technicians have the opinion that any OS less than the latest is a kind of defect that they can remedy.
  I suppose they are trying to be helpful, but as you say, compatibility with existing applications can be a pitfall when doing that.
  The main thing is you have your OS backed up. I keep a clone (made by SuperDuper!) of my OS on a backup disk, and if you were really worried about a service technician trawling through your hard drive on their lunch break, having the working clone would allow you to reinstall a fresh OS and hand it to them with nothing of yours on it whatsoever.
  When it comes back fixed, copy the external clone back onto your Mac. This is a bit of trouble, but it ensures the integrity of your data.

• Account hacked and admin access transferred to new...

  I'm hoping I can get help quickly with this. I have a business account and my user id: "[Removed for privacy]" has been the admin for over a year, since I've opened my account. Recently, my account was hacked from someone from Algeria and administrator access was changed from my id to a different one, that I don't have access to. Then $300 was charged to my credit card and all these Algeria calls were made!!! My bank is refunding the amounts, but still, it put me in a major bind. I would have though that Skype would have seen this fraudulent activity and put a stop to it, but nothing happened.
  How on earth do I restore admin access to my user id? Now I can't do anything with the limited access I have.
  Thanks in advance for the help.
  Eric

  I think you may need to contact customer service regarding that matter. Just open the link pasted below to see the instructions on how to get in touch with customer service -
  https://support.skype.com/en/faq/FA1170/how-can-i-​contact-skype-customer-service
  IF YOU FOUND OUR POST USEFUL THEN PLEASE GIVE "KUDOS". IF IT HELPED TO FIX YOUR ISSUE PLEASE MARK IT AS A "SOLUTION" TO HELP OTHERS. THANKS!
  ALTERNATIVE SKYPE DOWNLOAD LINKS | HOW TO RECORD SKYPE VIDEO CALLS | HOW TO HANDLE SUSPICIOS CALLS AND MESSAGES

• How can i give multiple users admin access?

  I would like to give another user on my macbook pro admin access, so that they can install programs without having to ask me for the password each time. I do not want the password to be the same for my profile, because I don't want them getting into my account. So is it possible to have a separate password for admin use only? This might be a dumb question and I know their is probably a simple way to do this, but I'm new to macs so any help would be greatly appreciated. Thank you.

  Convert a standard user to an administrator
  Choose Apple menu > System Preferences, then click Users & Groups.
  Click the lock icon  to unlock it, then enter an administrator name and password.
  Select a standard user or managed user in the list of users, then select “Allow user to administer this computer.”
  http://support.apple.com/kb/PH18891

• No admin access to NSS4000 anymore

  I can no longer access my NSS4000 through any means.  CISCO tech support said this is end of live and does no longer support.  So this community is my only option.
  The NSS4000 worked fine until a few weeks ago it was or is setup as a RAID1.
  ALL Leds on the front panel show everything is working fine.  Solid green power, solid green disk drives, blinking green Lan1 led.  I have used 3 different operating systems and twices as many different browers and versions trying to access the admin web interface but with no luck.  ALL browsers show CAN NOT DISPLAY PAGE.  I can ping the NSS4000,  The Cisco Discovery Tool finds the NSS4000, but the GUI button can not access the NSS4000 either.   Using the CISCO Discoverty Tool  to change the IP address does not work either.  It says the password is not correct, even the default password.   I have rebooted like a zillion times using the USB Boot Loader with no luck either.  I have reset the NSS4000 network configuration,  after the reset the CISCO Discovery Tool finds the NSS4000, I can ping it but that is it, still no admin access.
  HOW DO I GET BACK IN CONTROL OF MY NSS4000 and MY DATA?

  Hi,
  I don't know if this is still relevant (because the post is 1+ year old) but I had the same problem and I managed to solve it.
  The bottom line is that I had some policy that blocked all the traffic except from my old network IP range (I replaced my router and my network IP).
  I managed to find this information by connecting to the system with the following port : https://:8888 (Probably a backdoor to the system when you have something like this).
  From that point I was in the web interface and went to "Access" -> "Network" screen and I deleted all the "Drop Traffic" policy.
  Good Luck
  Oded

• ISE 1.2 Admin Access via Active Directory

  Hi Experts,
  Good Day!
  I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
  Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
  Thanks for your great help.
  niks

  Niks,
  I just got done doing this.  First of all you have to have the Active Directory setup as an external data source.  Once you do that Click on Administration - - Admin Access.
  For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
  Then click in Administrators - - Admin Users.  Click Add a user - - Create Admin User.  Ensure to check the External box and you will notice the Password field goes away.  Fill out the appropriate information and then assign them to an Admin Group.
  Once you are done with that you can test that user by logging out of your ISE session.  You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user.  Change the selection to Active Directory and enter the AD user/password for the newly created account you should be good to go.
  Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

• ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

  Hi all!
  We would like to grant admin cccess to our ISE deplyoment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
  Any ideas how to solve this problem?
  Thanks in advance!
  Kind regards,
  Michael Langerreiter

  I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
  Jatin Katyal
  - Do rate helpful posts -

• ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

  Hello,
  After upgrading ISE VM from 1.2.1 to 1.3.0.876, I can't connect on ISE with AD Credentials (Invalid Username or Password). It worked find before upgrading to 1.3.
  On another ISE VM in 1.3.0.876 version (w/o upgrade) with this kind of configuration, it's OK.
  I have double check the Post-upgrade tasks (particularly rejoining Active Directory). Everything worked find after this upgrade except the admin access with AD credentials.
  I don't use user certificate-based authentication for admin access. So I didn't execute application start ise safe CLI.
  My 802.1x wireless users passed authentication with AD credentials. So the ISE had correctly join my AD.
  I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
  I don't find anything related to this in bug search on Cisco tools.
  I tried to :
  - update the SID of my Admin AD Group, the result is still the same.
  - delete my admin access with AD credentials configuration then make this configuration again, but still the same error.
  Any ideas on this ? Could I find elements in another log ?
  Regards.

  Dear Markus,
  After logging as user "prdadm"
  su - prdadm
  bssltests% bash-3.00$ ls -a
  .                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
  ..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
  .bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
  .cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
  .dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
  .dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
  .dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
  .dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
  .dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
  .dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10  sqlnet.log
  bash-3.00$
  bash-3.00$
  I have changed envt settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
  .sapenv_bssltests.sh & .sapenv_bssltests.csh  [4 files]
  Regards,
  Ankita

• System has amnesia about non-admin access to system log

  Time Machine Buddy often doesn't show current backups. So I used the tip from Pondini to give my user account system log access. That worked fine.
  But it doesn't "stick." I fired up the Console app this morning, and the system log is grayed out.
  Any idea why, and what to do?
  Thanks,
  Harv

  Hey James,
  I did indeed get a reply in the Unix forum, and it worked fine. Here's the content:
  *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 6:21:28 PM.*
  *You could try*
  *sudo /bin/chmod +a "harv47 allow read,file_inherit" /var/log*
  *This assumes that your usename is 'harv47' on your Mac. This also assumes that the log files are created in the /var/log directory.*
  *In theory this will make sure that any file created in /var/log will inherit an ACL that allows harv47 read access to that file.*
  *However, I have not spent much time working with Mac OS X ACLs, so your mileage may vary.*
  *BobHarris posted "Re: System has amnesia about non-admin access to system log" in "System has amnesia about non-admin access to system log" on Jun 2, 2010 8:13:24 PM.*
  *Oh yea. You can view the ACL you applied, and see if the inherit_file worked using*
  *ls -leO@a /var/log*
  *again, assuming /var/log is the directory containing the log you are trying to read.*
  The system log continues to be accessible, even after the midnight "rollover."
  I'm a happy camper. I'm not sure if it's a coincidence or not, but TM Buddy has so far continued to show the log excerpts after the rollover as well.
  BTW, the SpamSieve app (Bayesian spam filter for Mail) is one of those database apps mentioned in your tips. It accounts for about 1 GB every backup.
  Thanks!
  Harv

• How do I get admin access to my child's iPad

  I am setting up my child's iPad using my apple ID. I want to let her have her own passcode, but I want to have ultimate admin access. Is this possible on iPad 3 and if so how?

  You can set up Restrictions (Settings > General > Restrictions) on the iPad.
  The iPad does not support multiple user accounts if that is what you mean.

• To create new user for rpd with Admin access in obiee 10g

  Hi All,
  I need to create a user in RPD which has equivalent privileges as Administrator in RPD.Please note that this is for accessing RPD Admin not for Dashboard admin access.Can anyone please let me know of how we shall implement this?..
  Regards,
  Vengatesh.

  Hi,
  Create a user and give the check box for 'Administrators' group and check.
  If required give 'Presentation Service Administrator'group too.
  In Settings->Manage Privileges you can restrict the user to the Answers.
  Hope this helped/ answered
  Kind Regards
  MuRam

• Identity Service Engine (ISE) Admin Access

  Is it possible to authenticate the ISE administrator via an external Radius Server? The option I find is that it will not work, 
  The manual reads: 
  In Cisco ISE, you can authenticate administrators via an external identity store such as Active Directory, LDAP, or RSA SecureID. There are two models you can use to provide authentication via an external identity store:
  Is this the case ?

  Sure you can!
  Make sure you have the RADIUS server added to the ISE (Administration > Identity Management > External Identity Sources  Select RADIUS Token from the left menu).
  Then head over to Administration > System > Admin Access.  Change the * Identity Source to your RADIUS Server and click Save
  Log out and you will see an new entry on the log in screen.  Click the dropdown for Identity Source and choose your RADIUS Server.  If this connection gets dropped for any reason, you can always log in using the internal identity source as a fallback.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton