802.1X wireless restriction on User Login policies

Hi all,
Seeking some technical ideas on a wireless 802.1X setup.
The business requirement is:
"User login policy: to limit the number of concurrent logins by a single user; only one device is allowed at any given time."
There is no problem with the PEAP/MSCHAPv2 login; the only thing is that the same user credential can be used to log in on multiple devices at the same time.
On the NAD part, we configured these on the WLC but still cannot achieve our objective:
- advanced eap max-login-ignore-identity-response disable
- netuser maxuserLogin 1
Seeking a technical solution for this case, please advise. Is there anything that needs to be tweaked on the directory server or the ACS part?
The components used are as below:
Supplicant 1: Windows 7, authentication method using PEAP/MSCHAPv2
Supplicant 2: iPhone, iOS version 6.x
Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
Authentication server: Cisco Secure ACS server 5.3.0.40
Identity source: Microsoft Server 2008 R2 AD DS, single forest, single domain.
Attached the network diagram: topo1.png

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

Similar Messages

  • 802.1X wireless restriction on user authentication

    Hi,
    In the 802.1X wireless environment, I would like to know whether there is any method to control that a single user credential can only be authenticated once, at any given time.
    Example: user ABC in domain XYZ.ORG authenticates via his/her desktop; this is using the user authentication method.
    After this he/she is not able to use the same username/password to try to get authenticated using any other PC/tablet/smartphone device.
    The motive is to prevent a user from using the same user credential to sign in again after he/she has made the authentication in the first place.
    Meaning to say, he/she is only able to authenticate on a single device at any given time. The same user credential is not allowed to be used for authentication purposes on another device.
    The components are as below:
    Supplicant: Windows 7, authentication method using PEAP/MSCHAPv2; Apple iPhone, iOS version 5.x, 6.x
    Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
    Authentication server: Cisco Secure ACS server 5.3
    Identity source: Microsoft Server 2008 AD DS, single forest, single domain.
    Question:
    01. What can we configure on the WLC, or ACS, to enable the above-mentioned requirement?
    Thanks
    Noel

    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

  • WLC 4400 issue on "user login policies" parameter.

    Hi,
    I'm using a Cisco Wireless controller in my company.
    (The model is an AIR-WLC4402-50-K9 on version 4.2.207.0.)
    The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).
    The authentication relies on the Active Directory login and password.
    The user authentication works fine and the WLAN too.
    But it's possible for a single user to log on to different laptops with the same AD login and password and use the wireless network.
    And it has to be forbidden by the "user login policies" parameter set to 1 on the WLC (in security parameters).
    Does anybody know if it's a known issue and how to solve this problem?
    Thanks,
    Raphael Paviot.

    Dancampb,
    Many thanks, you're right, I have to find the solution on the IAS server side.
    In fact, I have also applied these commands on the controller and the max-user login works (in the case of an external RADIUS server).
    I have seen it in the "message logs".
    (Cisco Controller) config>advanced eap max-login-ignore-identity-response disable
    (Cisco Controller) config> netuser maxuserLogin 1
    But the problem still remains, because the IAS server is not case sensitive for user logins, unlike the Wireless Controller.
    For example:
    the raphaelpaviot login and the RaphaelPAVIOT login are:
    - one user for the IAS server.
    - two different users on the WLC.
    Cordially.
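    The two threads above come down to what a concurrent-login limiter must get right: count live sessions per canonical account, and free the slot on logout. The Python model below is an added example written for this page, not code from Cisco, IAS or any product. It assumes a simplified NAS that receives login and logout events carrying the identity string the supplicant sent, and it shows how "raphaelpaviot" and "RaphaelPAVIOT" (or a DOMAIN\ or @realm spelling of the same account) slip past a limit of 1 when the counter is case sensitive but the directory is not. All session records are constructed.

```python
"""One-device-per-user session limiter with identity normalization.

Added example for this page, not code from Cisco, IAS or any product.
Models the bookkeeping a NAS or RADIUS server would do to enforce
"one device per user at a time", and shows how a case-insensitive
directory (IAS) behind a case-sensitive counter (the WLC in the thread)
lets the same account log in twice.  All session records are constructed.
"""
from typing import Dict, List, Set


class SessionLimiter:
    def __init__(self, max_sessions: int = 1, normalize: bool = True) -> None:
        self.max_sessions = max_sessions
        self.normalize = normalize
        # canonical account key -> ids of sessions currently accounted as active
        self._active: Dict[str, Set[str]] = {}

    def canonical(self, identity: str) -> str:
        """Collapse the spellings of one AD account into one key.

        Handles DOMAIN\\user, user@realm and mixed case.  With
        normalize=False the raw string is used, which is the WLC behaviour
        the second post describes (raphaelpaviot != RaphaelPAVIOT).
        """
        if not self.normalize:
            return identity
        ident = identity.strip()
        if "\\" in ident:                       # DOMAIN\user
            ident = ident.split("\\", 1)[1]
        if "@" in ident:                        # user@realm
            ident = ident.split("@", 1)[0]
        return ident.casefold()

    def login(self, identity: str, session_id: str) -> bool:
        """True if the session may start (Access-Accept); False if the
        account already holds max_sessions live sessions (Access-Reject)."""
        sessions = self._active.setdefault(self.canonical(identity), set())
        if session_id in sessions:
            return True   # re-authentication of a known session (roaming), not a new device
        if len(sessions) >= self.max_sessions:
            return False
        sessions.add(session_id)
        return True

    def logout(self, identity: str, session_id: str) -> None:
        """Accounting-Stop: free the slot so the user can move to another device."""
        self._active.get(self.canonical(identity), set()).discard(session_id)

    def active_count(self, identity: str) -> int:
        return len(self._active.get(self.canonical(identity), set()))


def demo() -> Dict[bool, List[bool]]:
    """Same account arriving from three devices with three spellings.
    Returns the accept/reject decisions without and with normalization."""
    events = [
        ("raphaelpaviot", "laptop-01"),        # constructed sample events
        ("RaphaelPAVIOT", "iphone-01"),        # same account, different case
        ("CORP\\raphaelpaviot", "tablet-01"),  # same account, domain prefix
    ]
    results = {}
    for normalize in (False, True):
        limiter = SessionLimiter(max_sessions=1, normalize=normalize)
        results[normalize] = [limiter.login(user, sid) for user, sid in events]
    return results


if __name__ == "__main__":
    for normalize, decisions in demo().items():
        print(f"normalize={normalize}: {decisions}")
```

    Without normalization all three logins are accepted because each spelling is counted as a separate user; with it only the first succeeds until that session sends its logout. Whatever component does the counting (controller or RADIUS server) has to apply the same canonical form the directory uses, or the limit is only cosmetic.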

  • Restrict local user login via GPO

    I need a way to restrict domain users' access to the PCs in my department. All users at the company are put into company-wide general user groups and then, as a department, we put them into separate user groups per department OU. I want to restrict access
    to all users except the users in my OU user groups, but there are hundreds of other user groups created by other departments, so direct exclusion per group is out. I need a way to restrict everyone except my users via a group policy object.
    Any help is appreciated.

    Hi,
    Please follow the steps below for denying logon to all users except the users who are members of groups in your department OU.
    1. Create a new group called "MyExcludedGroups" (to which we are going to add the groups whose logon to your department computers is to be denied).
    2. Check the steps below for adding the groups to the "MyExcludedGroups" group using PowerShell:
    - Go to Start -> open Windows PowerShell using Run as Administrator
    - In PowerShell type set-executionpolicy unrestricted (to allow commands to execute)
    - Type the command import-module activedirectory (to enable and execute AD cmdlets)
    - For example, to add the groups in "ou=test1,dc=mydomain,dc=com" to the "MyExcludedGroups" group, type the commands below:
               $test1 = Get-ADGroup -Filter * -SearchBase "ou=test1,dc=mydomain,dc=com"
               Add-ADGroupMember -Identity MyExcludedGroups -Members $test1
          Similarly you can run the commands on each OU to add the groups to the "MyExcludedGroups" group.
    3. Create a Group Policy Object (GPO) linked at the OU containing your department computers called "Deny Interactive Logon".
    4. Right-click and edit the GPO "Deny Interactive Logon" and navigate to the node "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment".
    5. In the "User Rights Assignment" node add the "Deny log on locally" right for the "MyExcludedGroups" group.
    Regards,
    Gopi
    www.jijitechnologies.com

  • Restricting Max users login

    Hi experts,
    I want to restrict the max user logins in SAP GUI, because somebody unknowingly logs in to the production system with other user IDs.
    cheers
    deepak

    Deepak,
    login/multi_login_users
    List of excepted users, that is, the users that are permitted to log on to the system more than once.
    Ex as follows:
    Valid Input, Formats, Areas:
    List the user IDs separated by commas ",".
    Blanks before/between user names are not allowed!
    Correct:  login/multi_login_users=ALPHA,BETA,GAMMA,DELTA
    Incorrect:   login/multi_login_users= ALPHA, BETA,GAMMA , DELTA
    Hope this helps.
    Cheers,
    Praveen

  • Restrict user login

    Dear All,
    DB we use 9.2.0.1.0
    Can I restrict the user login to once?
    What I mean is, when a user logs in, unless and until he logs out he cannot connect to the DB again.
    E.g.: User1 logs in and starts one report/form; at the same time User1 again wants to log in and run the same or another report/form. He should not be allowed to log in and an appropriate message should be shown to the user.
    Thanking You in anticipation
    Best Regards,
    Devendra

    Dear Miehoff;
    Following are the steps carried out by me
    SQL> connect posys/posys@dev
    Connected.
    SQL> CREATE PROFILE clerk LIMIT
    2 SESSIONS_PER_USER 1
    3 IDLE_TIME 30
    4 CONNECT_TIME 600
    5 /
    Profile created.
    SQL> alter user posys profile clerk;
    User altered.
    Simultaneously I logged in on another Oracle client
    SQL*Plus: Release 8.0.6.0.0 - Production on Wed Jul 16 15:52:21 2008
    (c) Copyright 1999 Oracle Corporation. All rights reserved.
    Connected to:
    Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
    With the Partitioning, OLAP and Oracle Data Mining options
    JServer Release 9.2.0.1.0 - Production
    SQL> show user
    USER is "POSYS"
    SQL>
    It allowed me to connect to the posys user again.
    My question is, if SESSIONS_PER_USER is 1, then why is it allowing me to log in a second time, i.e. the same user is connected with 2 different sessions?
    Best Regards,
    Devendra

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded a username&password in the splash page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read that Cisco 5500 controllers support only 150 simultaneous Web Auth user logins.
    The two WLCs have about 100-170 clients connected.
    Question:
    - Will there be an issue with the 150 simultaneous logins, even when using only one user for all Wi-Fi clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, so no username&password has to be entered by the user?
      If yes, some guide information would be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will there be an issue with the 150 simultaneous logins, even when using only one user for all Wi-Fi clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, so no username&password has to be entered by the user?
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something they would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
    > Not really... some machines with a popup blocker do block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • How to restrict a user to login twice

    Hi everyone!
    Here's my problem... I need to restrict a user from logging in more than once, meaning, if a certain user account is currently logged in, that account cannot be used concurrently from another window or machine. If another user attempts to log in using that same account, an error message will be displayed saying "this user account is already logged in". I tried to do this in JavaScript, but the code that I've got only works in IE and it's kind of hard to capture the event for closing the window. Plus using onunload is not advisable in my situation, since my web page can be redirected to other code, meaning the cause of unloading the page could be either closing the browser or redirecting the window to another page such as window.location="anothercode.jsp"... I was wondering if there's a way to do this in JSP...
    Any suggestions, ideas, or sample code would be deeply appreciated. Thanks in advance!
    BTW, I need to generate code that is cross-browser. What I really need to accomplish is to be able to determine when the browser is closed, either by clicking the X button on the window, Alt+F4 or my own close button, and not when the page is unloaded.
    Here's a sample code. This only works in IE =(
    ---------- default.jsp-------------------------
    <html>
    <head>
    <script language="Javascript">
        // IE exposes the mouse position through window.event; a negative
        // position was the heuristic for "the window is being closed".
        // Other browsers do not put screenX/screenY on the unload event,
        // which is why this only works in IE.
        onunload = function(e) {
            var isIE = navigator.appName == "Microsoft Internet Explorer";
            var winX = isIE ? window.event.clientX : e.screenX;
            var winY = isIE ? window.event.clientY : e.screenY;
            if (winX < 0 && winY < 0) {
                // redirect to logout.jsp and do some stuff
            }
        };
    </script>
    </head>
    <body>
    Logout
    List
    View Schedules
    </body>
    </html>
    The default screen would be the code above, "default.jsp", wherein there are many ways that the page
    can be unloaded, such as:
    - clicking the logout link
    - clicking View Schedules
    - clicking the X button on the left side of the window
    - Alt+F4
    - if the window is minimized, right-clicking then selecting the close option
    Now, what I need to do is determine when the browser is closed so I can reset the login flag of the account and it can be used later on.

    Hi everyone!
    I'm trying to resolve this problem by adding a session ID field to the users table. Every time a user logs in I will update the session ID field, so that if anyone attempts to use the same account I will redirect the latter to the login page with a warning message. I'll do this by comparing the session ID that I got from the database and the session ID from request.getSessionId() of the browser. However, my problem now is how to clean up my database. I need the cleanup because I have a user tracking screen where I could show whose account is logged in and whose is not. I have created an applet and embedded it in all of my JSP files so that I could catch the event for closing the window, whether by using the X button of the window or a power interruption. However, I need to find a way to determine whether the event was really a close window or just a redirection from another page. I mean, you could leave the page either by viewing another screen or by actually closing the window. For instance, my main page has a main menu with (1) View Users and (2) View Schedule. By default, I'm in the "View Users" screen. These two menus have their corresponding JSPs and both JSP files have an embedded applet. So if the user clicks the "View Schedules" screen, or if the user chooses to click the logout button or the window's X button to exit the browser, then the applet will call the stop method. This is what I meant by how will I determine if the user really exits my application or not. Because if the user clicks from one screen to another, the user actually does not leave my application; the user only exits my application if the user logs out or closes the window.
    Please help me out on this matter... Thanks in advance!

  • Restricting user login

    This is regarding restricting user login.
    My application points to an Oracle Database.
    For example: one user is logged in with user ID: nbiaadmin.
    When the same user tries to log in using another browser or another system, I want to invalidate the existing user's session and allow the new user to log in.
    How can this be achieved?
    Please let me know.
    Thanks,
    Natesh.

    You could try running MaxL with something like
    alter system logout session on application appname force;
    alter application appname disable connects;
    then your load, then
    alter application appname enable connects;
    Cheers
    John
    http://john-goodwin.blogspot.com/
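    Both the JSP thread above and this Oracle one are really asking the server to know when a login ends without relying on the browser's close event. The Python registry below is an added example written for this page, not code from either thread. It keeps one active session per account, assumes the page sends a periodic heartbeat request (every few seconds, via XMLHttpRequest or similar), and treats a session whose heartbeat has been silent for `ttl` seconds as closed, which also covers a crashed browser or power loss. Two policies are shown: reject the new login (the JSP thread's requirement) and evict the old session (Natesh's requirement). Clock values are passed in explicitly so the run is reproducible, and the usernames are constructed.

```python
"""Server-side single-session registry with heartbeat expiry.

Added example for this page, not code from either thread.  Rather than
trying to catch the browser's close event (unreliable across browsers, and
onunload also fires on ordinary navigation), the server keeps one session
per account and the page sends a periodic heartbeat.  A session whose
heartbeat has been silent for `ttl` seconds is treated as closed, which also
covers crashed browsers and power loss.  Clock values are passed in
explicitly so the behaviour is reproducible; the usernames are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

REJECT_NEW = "reject_new"   # refuse the second login (JSP thread)
EVICT_OLD = "evict_old"     # kick the first session out (Oracle thread)


@dataclass
class Session:
    session_id: str
    user: str
    last_seen: float


class SingleSessionRegistry:
    def __init__(self, ttl: float, policy: str = REJECT_NEW) -> None:
        self.ttl = ttl
        self.policy = policy
        self._by_user: Dict[str, Session] = {}
        self._by_id: Dict[str, Session] = {}

    def _expire(self, now: float) -> None:
        """Drop sessions whose heartbeat is older than ttl."""
        stale = [s.session_id for s in self._by_id.values() if now - s.last_seen > self.ttl]
        for sid in stale:
            self._remove(sid)

    def _remove(self, sid: str) -> None:
        session = self._by_id.pop(sid, None)
        if session is not None and self._by_user.get(session.user) is session:
            del self._by_user[session.user]

    def login(self, user: str, now: float) -> Optional[str]:
        """Return a new session id, or None when the account is already
        logged in and the policy is REJECT_NEW."""
        self._expire(now)
        key = user.casefold()
        existing = self._by_user.get(key)
        if existing is not None:
            if self.policy == REJECT_NEW:
                return None   # "this user account is already logged in"
            self._remove(existing.session_id)   # EVICT_OLD: old browser loses its session
        session = Session(secrets.token_urlsafe(32), key, now)
        self._by_user[key] = session
        self._by_id[session.session_id] = session
        return session.session_id

    def heartbeat(self, sid: str, now: float) -> bool:
        """Called by the page every few seconds.  False tells the page its
        session is gone (expired, evicted or logged out) and it should stop."""
        self._expire(now)
        session = self._by_id.get(sid)
        if session is None:
            return False
        session.last_seen = now
        return True

    def logout(self, sid: str) -> None:
        self._remove(sid)

    def logged_in_users(self, now: float) -> List[str]:
        """What the 'user tracking screen' in the JSP thread would display."""
        self._expire(now)
        return sorted(self._by_user)
```

    Pick the heartbeat interval well below `ttl` (for instance a heartbeat every 10 seconds with a 30-second `ttl`) so one dropped request does not log the user out. The heartbeat reply is also how an evicted browser learns its session is gone and should return to the login page, which the Oracle thread's "invalidate the existing session" requirement needs.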

  • Restrict SAP user ID login on certain PC

    Hi,
    Is there a way to restrict a SAP user ID to log in only on certain PCs?
    Example: user ID A can only log in at computer A. He cannot log in to SAP if he is using computer B.
    Kindly please advise. Thank you.

    Hi Li,
    Find below two steps: a) to track the user in SAP with any number of logons, and the other to restrict the user from a single-login perspective:
    Single PC login:
    Implement Note 748424.
    All logons are then recorded with the terminal ID, the user ID, the SAP GUI version, patch level and how many times logged in.
    e.g.
    Terminal ID   User    Operating System   SAPGUI Version   Patch Level   Logins
    PC111555      USER1   WINDOWS            710              22            7
    Tracking user in SAP with multi logins:
    It is possible to track the audit log filters using SM19 transaction code. Once the filter is applied, the system will start tracking all the activities of the users (Based on the options you select in the filter.)
    You can further use SM20 transaction code to analyze the audit logs where you can find the user login/logout time, transaction executed by the user, amount of time he spent in each screen etc.,
    As the audit logs occupy more space, you should be careful while choosing the filter option. The old audit logs can be deleted using SM18 transaction code.
    There is also a background system house keeping job that deletes the old logs from the system.
    Do let me know if this helps you.
    Thanks
    Madhu

  • Restrict ESS user to login via sapgui

    Hello All,
    Can anyone please suggest if the ESS users can be restricted by some means from accessing R/3 via the SAP GUI.
    Thanks in advance

    Shiva,
    By design SAP B1 permits two instances for one user login.  Therefore the same user/ password will be permitted to login on 2 clients at the same time.
    I do not think this can be changed.
    Suda

  • How we can restrict remote user to access same URL?

    HI,
    We have two remote sites A and B.
    Site-A    ---  Users accessing application by using this URL: http://frsys.abc.com.pk:7777/forms/frmservlet?config=sales
    Site-B    ---  Users accessing application by using this URL: http://frsys.abc.com.pk:7777/forms/frmservlet?config=market
    We want to restrict the users of sites A and B from accessing each other's login pages.
    Regards.

    Hi,
    I'm not sure how the task would be achieved through OAS.
    But with the help of a developer and a DBA, we can restrict the users of A and B from accessing each other's login pages.
    1) Create 2 tables in the DB, one table which contains only the users of A and another only for the users of B
    2) With the help of developers, create an initial login page (username/password) for both applications, i.e. Site A and Site B
    3) At the login page, validate against the respective table created, i.e. check whether the user is from table A or table B
    Regards,
    Fabian

  • How to restrict the user(Schema) from deleting the data from a table

    Hi All,
    I have a scenario here.
    I want to know how to restrict a user (schema) from deleting the values from a table created in the same schema.
    Below is the example.
    I have created a table employee in abc schema which has two values.
    EMPLOYEE
    ABC
    XYZ
    In the above scenario the abc user can only fire select query on the EMPLOYEE table.
    SELECT * FROM EMPLOYEE;
    He should not be able to use any other DML commands on that table.
    If he uses then Insufficient privileges error should be thrown.
    Can anyone please help me out on this.

    Hi,
    kumar0828 wrote:
    > Hi Frank,
    > Thanks for the reply.
    > Can you please elaborate on how to add policies for a table for just firing a select DML statement on table.
    See the SQL Packages and Types manual first. It has examples. You can also search the web for examples. This is sometimes called "Virtual Private Database" or VPD.
    If you have problems, post a specific question here. Include CREATE TABLE and INSERT statements to create a table as it exists before the policies go into effect, the PL/SQL code to create the policies, and additional DML statements that will be affected by the policies. Show what the table should contain after each of those DML statements.
    Always say which version of Oracle you're using. Confirm that you have Enterprise Edition.
    See the forum FAQ {message:id=9360002}
    The basic idea behind row-level security is that it generates a string that is automatically added to SELECT and/or DML statement WHERE clauses. For example, if user ABC is only allowed to query a table on Sunday, then you might write a function that returns the string
        USER  != 'ABC'
        OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
    So whenever any user says
        SELECT  *
        FROM    table_x
        ;
    what actually runs is:
        SELECT  *
        FROM    table_x
        WHERE   USER  != 'ABC'
        OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
        ;
    If you want to prevent any user from deleting rows, then the policy function can return just this string
        0 = 1
    Then, if someone says
        DELETE  employee
        ;
    what actually gets run is
        DELETE  employee
        WHERE   0 = 1
        ;
    No error will be raised, but no rows will be deleted.
    Once again, it would be simpler, more efficient, more robust and easier to maintain if you just created the table in a different schema, and did not give DELETE privileges.
    Edited by: Frank Kulash on Nov 2, 2012 10:26 AM
    I just saw the previous response, which makes some additional good points (e.g., a user can always TRUNCATE his own tables). Also, if user ABC applies a security policy to the table, then user ABC can also remove the policy, so if you really want to prevent user ABC from deleting rows, no matter how hard the user tries, then you need to create the policies in a different schema. If you're creating things in a different schema, then you might as well create the table in a different schema.

  • How do I restrict the users to the self-service page only in IDM 11g

    Hi all,
    Can anyone please help me out to restrict the users to the self-service page only in 11g.
    thanks for your time and support
    Regards
    Siva

    Your users will have the Administration page if they have an Authorization Policy configured to allow the user any of the User Management or Role Management functions. Also, if you log in as a user that has those tabs, and log out while on the Administration tab, sometimes I've noticed the new user logging in with the same browser session will be in the Administration tab but with no items available.
    -Kevin

  • Generate User Login in "Create User" Request

    Hi Guys,
    I have one more problem. To create a user, I am using a Request (Create User Template). I managed to add the attributes that would normally be necessary, but I use an Event Handler (Post-Process) to generate the user login. So I marked the User Login in Attribute Restrictions, fixing a default user login, for example: autogenerate.
    Then I created a new request to create a user, and I filled out all the fields that I marked to appear. I approved this request, and the user is created with the User Login generated by my Event Handler normally. The issue is, when I create 2 create-user requests, as I use a default value in the User Login attribute, if the first request still isn't approved, the second request isn't created because the "autogenerate" user login is already being used.
    Is there some other way for me to resolve this issue?
    Thanks

    Hi Bikash,
    Using a prepopulate adapter with a timestamp attribute is a nice idea, but I use the "Create User" template CreateUserDataSet.xml and there is no form in the Design Console to associate the prepopulate adapter with.
    I had thought of an event handler because I use a method that checks in Active Directory whether the user login generated by another method is already being used. And I use this event handler in the HR GTC recon too.
    About XL.LDAPReservationPluginImpl, I opened oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID but I did not understand how to use this option: whether I need to add my method for generating the user login in this class, or whether I need to implement a new class similar to this class, using my methods, and associate the name of the class in XL.LDAPReservationPluginImpl.
    Thanks a lot
