AAA Device Groups

Hi,
I have configured a major network device group under which there are sub-groups.
If I want to configure R/O users to give access to certain sub network groups, can I make a device filter and call that device filter for allowing the access? Or does it have to be a separate rule for each of the network device groups?
Please let me know the best practice.
Thanks

It seems you're running ACS 4.x. You're facing this issue because the key defined at the NDG level (the XYZ network device group in your case) overrides the key at the AAA client level. Please make sure that you don't have a different secret key on the AAA client inside the NDG and on the NDG itself.
Not Assigned is working because there is no key defined in that NDG.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738
"Each device that is assigned to the Network Device Group will use the shared key that you enter here. The key that was assigned to the device when it was added to the system is ignored. If the key entry is null, the AAA client key is used."
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

  • AAA - Restrict Group access from logging onto all NDG except one

    I've recently created a group of users to only be able to shut and unshut interfaces using the aaa authorize config-commands and have all the relevant groups etc. in place and working. My problem now is that the new users can log into any device on the network (they can't do anything other than show ver and show logg); I need to stop them from accessing anything other than the group I specified under group settings.

    I'm assuming you're using CiscoSecure ACS? Why not create some NARs (network access restrictions) that limit the devices or device groups (NDGs) that users in a particular group can access?
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095

  • I see "Enrollment Settings" under device groups but it doesn't seem to do anything.  Is that normal?

    Hello, first time poster.
    I'm new to most things Apple aside from basic use of iPads and iPhones. I was put in charge of the iPads for my school district and after some research and effort, I've gotten a Mac server (on Mavericks) up and running.
    I have setup an MDM, gotten the token, gotten the VPP, etc...
    Everything is working as it seems to be working.  But...
    In Device groups, under settings for a device group I see "Enrollment Settings" with things like "prompt user to enroll device" and "Supervise (iOS only)". So I added a device to a new group, reset the device in question and nothing. The settings appeared to do nothing. Is that normal or am I missing something?

    Which version of Server.app?  3.1.2?
    Verify local DNS services. Invalid DNS causes other OS X Server components to have issues. You'll need DNS on your local network somewhere; whether that's served by OS X Server or another DNS server doesn't matter.
    Launch Terminal.app from Applications > Utilities and issue the following harmless, diagnostic command:
    sudo changeip -checkhostname
    That'll require an administrative password for the sudo, might generate a one-time message about the use of sudo, and will then display some configuration information and then an indication that either no changes are required or that there are network or DNS issues. If you're not in .local or .arpa, that'll usually give you a good view of your local network configuration.
    The device has to be enrolled with Profile Manager server.   How you do that depends on how you want to manage your devices.   There are various overviews of how this stuff works too, if you're getting started: here is one video.

  • Delivery Assignment to Device group in standalone deployment?

    Hi,
    I am using the standalone deployment of SAP AII 2.1. I have the following two queries regarding assignment of deliveries to device groups.
    1. I am able to assign the same delivery to multiple device groups with same business roles as well as different business roles at the same time.
    For example, I am assigning the delivery to a device group that handles tag commissioning and I also assign the same delivery to a device group that handles the loading at the same time. Is this the correct behavior?
    Or is it that once a delivery is assigned to a device group, it should be first processed by that device group or unassigned before the same delivery can be assigned to a different device group?
    If this is the case, then is there any configuration setting in AII that can control the delivery assignment to device groups?
    2. Logically I believe that only one delivery can be assigned to a device group.
    I assign a delivery to a device group. Then I immediately assign another delivery to the same device group. I believe that the first delivery gets unassigned from the device group, but there is no message to this effect
    Again is there any configuration setting for handling this situation?
    Regards,
    Dhananjay

    What you are deploying is a Client Settings policy, not the client itself. This is akin to a Group Policy Object being linked to an OU. The machines in the collection which already have the ConfigMgr client will process those policies, but additional non-client machines added to the collection will not automatically install the client.
    As Torsten indicated, you can deploy the client to these machines using the manual client push method. Simply right-click on the clients themselves (or the collection) and select Install Client. If doing it at the collection level, I recommend against selecting "Always install the client software" in the wizard as it will force an unnecessary repair of the existing ConfigMgr clients. I would recommend testing this on one machine in the collection in question before attempting to do them in bulk.
    Note that this requires that a Client Push Installation account be configured (Administration > Site Configuration > Sites > Client Installation Settings > Client Push Installation > Accounts tab) which has admin rights on the clients.
    You *DO NOT need to enable site-wide client push installation* to be able to use the Install Client method in the console. Enabling this will force the client to attempt installation on ALL systems that ConfigMgr sees.

  • Multiple Network Device Groups when importing to ISE using template

    I have a question about importing a group of network devices into ISE using the template provided. The template only has a single column for Network Device Groups. Is there a way to import devices and include more than one NDG? For instance, the NDGs we use are "Device Type" and "Location". I'd like to include both when doing my import and I've tried multiple ways to separate the two strings within the column (commas, colons, semicolons, spaces, pipes, tabs, etc.), but I always get an error message that "NDG group does not exist". I also tried adding a new column into the template, but that just plain failed to import.
    If there is any way to do this, I would appreciate any advice on how. I have to add about 40 devices per week to our ISE deployment and I'd rather not have to go in and add any parameters manually if it can be helped. Thanks very much!
    Ross
    BTW, we are running ISE ver 1.1.2 in case it is relevant.

    Yes, you can do it. You have to use the pipe "|" to separate the groups. But please note that you must create the network device groups in advance.
    For example, I have the following groups in my csv file to import a lot of network devices:
    Device Type#All Device Types#SWITCHES#375O-X|Location#All Locations#PERU#LIMA
    But as a prerequisite I have to create the network device groups.
    If you have lots of network device groups, you can mass import them instead of creating them one by one.
    Please rate if it helps.
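
    The following is an added example, not code from the original post or from Cisco. It builds the Network Device Groups column in the format the answer above describes (levels joined by "#", several groups joined by "|") and, because ISE rejects the whole import with "NDG group does not exist" when any group is missing, checks every full group path against a list of groups already created in ISE before the CSV is written. The CSV header names and the set of existing groups are constructed sample data; export the real group list from ISE (Administration > Network Device Groups) before relying on the check.

```python
"""Build the Network Device Groups column for a Cisco ISE network-device CSV
import and pre-check that every group named in it already exists in ISE.
Added example: not from the original post or from Cisco.

Format, as the answer above describes: each NDG is a '#'-separated path from
the NDG type down to the leaf, and several NDGs share the one column
separated by '|'.  A group that does not already exist fails the import with
"NDG group does not exist", so missing_groups() runs before anything is
written.  Header names and the existing-group set are constructed samples.
"""
import csv
import io

LEVEL_SEP = "#"   # separates the levels inside one group path
GROUP_SEP = "|"   # separates several group paths in the single column


def ndg_path(ndg_type, *levels):
    """Return the '#'-joined path ISE expects for one group.

    ndg_path("Location", "All Locations", "PERU", "LIMA")
    -> 'Location#All Locations#PERU#LIMA'
    """
    parts = (ndg_type,) + levels
    for part in parts:
        if LEVEL_SEP in part or GROUP_SEP in part:
            raise ValueError(f"{part!r} contains a reserved separator")
    return LEVEL_SEP.join(parts)


def ndg_column(*paths):
    """Join several group paths into the value for the NDG column."""
    return GROUP_SEP.join(paths)


def missing_groups(column_value, existing_paths):
    """Return the group paths in 'column_value' that are not yet in ISE.

    'existing_paths' holds the full '#'-paths already created in ISE.  Every
    parent level must exist as well, which is why the check compares whole
    paths rather than leaf names.
    """
    return [p for p in column_value.split(GROUP_SEP) if p not in existing_paths]


def build_import_csv(devices, existing_paths):
    """Render (name, ip, ndg_column) rows as CSV text.

    Refuses to emit the file if any row names a group that does not exist,
    so the error surfaces locally instead of as an ISE import failure.
    The header names are assumed; take them from the ISE template.
    """
    for name, _ip, column in devices:
        gap = missing_groups(column, existing_paths)
        if gap:
            raise ValueError(f"{name}: create these NDGs in ISE first: {gap}")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Name", "IP Address", "Network Device Groups"])
    writer.writerows(devices)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: both groups from the answer above already exist.
    existing = {
        ndg_path("Device Type", "All Device Types", "SWITCHES", "375O-X"),
        ndg_path("Location", "All Locations", "PERU", "LIMA"),
    }
    column = ndg_column(
        ndg_path("Device Type", "All Device Types", "SWITCHES", "375O-X"),
        ndg_path("Location", "All Locations", "PERU", "LIMA"),
    )
    print(build_import_csv([("sw-lima-01", "10.1.2.3", column)], existing))
```

    Feeding the existing-group set from an ISE export turns the "NDG group does not exist" failure into a local error naming exactly which group paths still have to be created (or mass-imported, as the answer suggests) before the weekly device import.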

  • AnyConnect IKEv2 restricting access via AAA auth group

    Hi Everyone,
    I have an ASA config with 2 connection groups,
    say Group 1 and 2.
    Currently both are assigned to the same AAA auth group.
    One of our external vendors has access to both XML files of connection groups 1 and 2.
    If I want the vendor to connect only to Connection Group 2, should I change the AAA auth group for connection group 2?
    Then even if he tries connection group 1 it should not work, as the AAA auth group will only be assigned to Group 2, right?
    Regards
    Mahesh

    Hi Rick,
    Here is the info.
    Our ASA is configured with two connection groups. Our vendor has XML files of both the
    connection groups, say 1 and 2.
    AAA authentication group called RSA; two servers are in the RSA group.
    We are using two-factor authentication.
    We want the vendor to connect to connection group 2 only.
    We have two RSA authentication servers; they are in HA mode so if one dies the other can do the authentication. The ASA has only one authentication group, called say RSA, and both connection groups 1 and 2 are tied to the same authentication group called RSA.
    If I configure a new AAA server group, say RSA2, for connection group 2, but it has the same 2 servers, will
    it restrict the vendor's connection to connection group 2 only?
    Also, when you say "authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response",
    I need to know how I can do this.
    Regards
    MAhesh
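
    The following is an added example, not ASA code and not the poster's configuration: a small Python model of the decision the thread is asking about, so the two questions above can be answered concretely. It models two pieces of ASA behaviour. First, the aaa-server group named on a tunnel-group (connection profile) only says where the ASA sends the authentication request, so a second group such as RSA2 that lists the same two RSA servers accepts exactly the same users and restricts nothing. Second, to pin users to one profile the authentication server returns a group attribute (a RADIUS Class of the form "OU=<group-policy>;" is assumed here; whether the RSA deployment can be configured to return it is an assumption), the ASA maps it to a group-policy, and that group-policy carries "group-lock value <tunnel-group>", which rejects a user who connects to any other tunnel-group. The names CG1, CG2, VENDOR-GP, STAFF-GP, the server addresses and the per-user replies are constructed for the example.

```python
"""Model of how an ASA decides whether an AnyConnect user may land in a
given connection profile (tunnel-group).  Added example: illustrative Python,
not ASA code and not the original poster's configuration.

Modelled behaviour (names and addresses below are assumed):
  1. The aaa-server group on a tunnel-group only selects the servers asked.
     RSA and RSA2 hold the same HA pair, so they accept the same users.
  2. The server returns RADIUS Class 'OU=<group-policy>;' (assumed format),
     the ASA maps it to that group-policy, and 'group-lock value <tg>' in the
     group-policy rejects logins through any other tunnel-group.
"""

# Constructed stand-in for what the RADIUS (RSA) servers answer per user.
RADIUS_REPLIES = {
    "vendor1": {"accept": True, "Class": "OU=VENDOR-GP;"},
    "staff1":  {"accept": True, "Class": "OU=STAFF-GP;"},
}

# aaa-server groups: both list the same HA pair, as in the thread.
AAA_SERVER_GROUPS = {
    "RSA":  ["10.0.0.11", "10.0.0.12"],
    "RSA2": ["10.0.0.11", "10.0.0.12"],
}

# tunnel-group (connection profile) -> aaa-server group it authenticates with
TUNNEL_GROUPS = {
    "CG1": {"aaa_server_group": "RSA"},
    "CG2": {"aaa_server_group": "RSA2"},
}

# group-policy -> value of 'group-lock value ...' (None when not configured)
GROUP_POLICIES = {
    "VENDOR-GP": {"group_lock": "CG2"},
    "STAFF-GP":  {"group_lock": None},
}


def authenticate(server_group, user):
    """Query the servers of 'server_group'.  Both groups hold the same HA
    pair, so the answer depends on the user, never on the group name."""
    if not AAA_SERVER_GROUPS[server_group]:
        return {"accept": False}
    return RADIUS_REPLIES.get(user, {"accept": False})


def group_policy_from_reply(reply):
    """ASA maps a RADIUS Class of the form 'OU=<name>;' to group-policy <name>."""
    cls = reply.get("Class", "")
    if cls.startswith("OU=") and cls.endswith(";"):
        return cls[3:-1]
    return None


def connect(user, tunnel_group, enforce_group_lock=True):
    """Return (allowed, reason) for 'user' connecting to 'tunnel_group'.

    enforce_group_lock=False shows the poster's first idea on its own
    (a separate server group, no lock): it never blocks anyone.
    """
    tg = TUNNEL_GROUPS[tunnel_group]
    reply = authenticate(tg["aaa_server_group"], user)
    if not reply["accept"]:
        return False, "authentication failed"
    policy_name = group_policy_from_reply(reply)
    policy = GROUP_POLICIES.get(policy_name, {"group_lock": None})
    lock = policy["group_lock"]
    if enforce_group_lock and lock is not None and lock != tunnel_group:
        return False, f"group-lock: {policy_name} is locked to {lock}"
    return True, f"connected with group-policy {policy_name}"


if __name__ == "__main__":
    for user, tg in (("vendor1", "CG1"), ("vendor1", "CG2"), ("staff1", "CG1")):
        print(user, tg, "no lock:", connect(user, tg, enforce_group_lock=False),
              "with lock:", connect(user, tg))
```

    Run with enforce_group_lock=False, vendor1 connects to CG1 just fine even though CG1 and CG2 use different aaa-server groups, which is the answer to the first question. With the lock enforced, the same user is rejected on CG1 and accepted on CG2, while staff users without a lock are unaffected. The XML profile the vendor holds is not a credential; only what the authentication server says about the user, combined with group-lock, keeps the vendor out of connection group 1.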

  • Printer device group and a label format in SAP AII

    Hello @ all,
    I am trying to configure a SAP OER System with SAP AII. Now I should configure the label printing with the transaction /AIN/ASGN_PRF_FORMAT. I must enter a profile name, a printer device group and a label format. The problem is that I can't choose a printer device group and I also don't know the label format. Where can I set up the printer device group and which label format must be in that field?
    Can anybody help me?
    Thank you.
    Peter

    Hi Peter,
    SAP AII sends the label format filename as part of the Command message xml to the printer during tag commissioning.
    I assume you have configured the label format filename for SAP_PRINT_PROFILE using transaction /AIN/ASGN_PRF_FORMAT - Assign Format to Printer and Profile
    Now you have to assign that profile to an ID type or GTIN, etc. using the menus under Profiles for Tag Commissioning and Label Printing.
    Once this configuration is done, the XML command message containing the element WriteTagData is sent as an HTTP message to the printer RFC destination configured against the device controller.
    This command message will contain the label format and the field name/value pairs as per the SAP_PRINT_PROFILE.

  • Device group and applications affinity

    Hello all.
    I have some device groups created with CFS configured on them.
    I need to ensure that a clustered application runs on the server that is primary for the device group. I need to set an affinity between the application and the device group/file system.
    The problem is that SUNW.HAStoragePlus does not indicate the real primary for the device group, for example:
    # cldg status ufs_homedg
    === Cluster Device Groups ===
    --- Device Group Status ---
    Device Group Name   Primary   Secondary   Status
    ufs_homedg          billbd2   billbd1     Online
    # clrg status ufsg-home-rg
    === Cluster Resource Groups ===
    Group Name     Node Name   Suspended   Status
    ufsg-home-rg   billbd1     No          Online
                   billbd2     No          Offline
    In this output, the resource group is online on billbd1 and the device group primary is billbd2.
    If I fail over the resource group, the device group is switched also, but it seems that at startup the resource group does not check who is the primary to start on that node.
    This means that the status of the resource group does not help to identify who is the primary for a device group and I cannot use it for affinity configuration.
    How can I ensure that a cluster application starts on the node that is primary for the device group on which the file system is created?
    I was thinking of a SUNW.gds for this purpose, but I wonder if there is another way.
    Thanks in advance.
    Edited by: Ivan.Ferreira on Jun 19, 2008 8:04 AM

    Hi Tim, thanks for your time.
    Yes, I'm using AffinityOn=TRUE. After some testing, I can see that the device group is switched at startup, but I don't know under which circumstances it is not.
    Also, I can force a discrepancy between the device group and the resource group if I perform a cldg switch.
    So, if I run clrg switch, the device group is switched also. If I run cldg switch, the device group is switched but the HAStoragePlus resource is not.
    This means that HAStoragePlus cannot ensure that the node is the primary for a device group and cannot be used for affinity on applications.
    What do you think?
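
    The following is an added example, not from the original thread and not part of Sun Cluster: a checker that parses the "cldg status" and "clrg status" output quoted above, reports whether the resource group is online on the node that is currently primary for the device group, and, when it is not, produces the "clrg switch" that moves the resource group (and, as the poster observed, the device group with it) onto that primary. It is the kind of probe that could be wrapped in a SUNW.gds resource, but here it is a plain function so it can be tested. The two status texts are constructed from the poster's output and the column spacing is assumed.

```python
"""Check that a Sun Cluster resource group is online on the node that is
primary for its device group, using 'cldg status' and 'clrg status' output.
Added example: not from the original thread and not Sun Cluster code.

CLDG_STATUS and CLRG_STATUS are constructed from the output quoted in the
thread; the exact column spacing is assumed.
"""

CLDG_STATUS = """\
=== Cluster Device Groups ===

--- Device Group Status ---

Device Group Name     Primary     Secondary     Status
-----------------     -------     ---------     ------
ufs_homedg            billbd2     billbd1       Online
"""

CLRG_STATUS = """\
=== Cluster Resource Groups ===

Group Name       Node Name     Suspended     Status
----------       ---------     ---------     ------
ufsg-home-rg     billbd1       No            Online
                 billbd2       No            Offline
"""


def _data_rows(text):
    """Yield whitespace-split data rows, skipping banners, rules and headers."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "=-":
            continue
        if s.startswith(("Device Group Name", "Group Name")):
            continue
        yield line.split()


def device_group_primary(cldg_text, dg_name):
    """Node currently mastering 'dg_name' according to 'cldg status'."""
    for row in _data_rows(cldg_text):
        if len(row) == 4 and row[0] == dg_name:
            return row[1]
    raise KeyError(f"device group {dg_name!r} not in output")


def resource_group_online_node(clrg_text, rg_name):
    """Node where 'rg_name' is Online, or None if it is online nowhere.

    'clrg status' prints the group name only on the first node's row; the
    following rows for the same group start with the node name.
    """
    current = None
    for row in _data_rows(clrg_text):
        if len(row) == 4:
            current, node, _suspended, status = row
        elif len(row) == 3 and current is not None:
            node, _suspended, status = row
        else:
            continue
        if current == rg_name and status == "Online":
            return node
    return None


def affinity_check(cldg_text, dg_name, clrg_text, rg_name):
    """Compare the device-group primary with the resource group's node.

    Returns both nodes and, when they differ, the 'clrg switch' that moves
    the resource group (and with it the device group) onto the primary.
    """
    primary = device_group_primary(cldg_text, dg_name)
    rg_node = resource_group_online_node(clrg_text, rg_name)
    result = {"ok": rg_node == primary, "primary": primary,
              "rg_node": rg_node, "fix": None}
    if not result["ok"]:
        result["fix"] = f"clrg switch -n {primary} {rg_name}"
    return result


if __name__ == "__main__":
    print(affinity_check(CLDG_STATUS, "ufs_homedg", CLRG_STATUS, "ufsg-home-rg"))
```

    On the quoted output the check reports the mismatch (primary billbd2, resource group on billbd1) and suggests "clrg switch -n billbd2 ufsg-home-rg". Switching the resource group rather than the device group is deliberate: the poster found that "clrg switch" carries the device group along, whereas "cldg switch" leaves the HAStoragePlus resource where it was.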

  • 1) Device groups

    First question:
    Workstations (devices) are currently allocated under /Devices/Workstations to
    folders that represent the office location of the workstation.
    Is there a way to create device groups without removing the devices from their
    primary location-related folder?
    Is there a way to use AD device groups to assign bundles?
    What's the latest thinking on how to apply a constraint on a bundle to apply
    both "user-membership-in-AD-group" and "device is approved for this app"?
    e.g. I know I can add "specified devices" as a requirement, but that demands
    adding individual workstations and I see no way to add device groups, which can
    be very tedious if I want, for example, "this app can install for these users
    on these 200 devices".
    Thanks.
    -- DE

    Originally Posted by DE
    thsundel wrote:
    > Yes, create a workstation group and add the computers you want as
    > members (they will not be removed from their "location-related" folder.
    OK, so I want to be sure that I am understanding ...
    Currently the workstations are in, say,
    /Devices/Workstations/bigcity1/desktops
    /Devices/Workstations/bigcity1/laptops
    /Devices/Workstations/bigcity2/desktops
    /Devices/Workstations/bigcity2/laptops
    They need to stay in those folders, for obvious reasons. And unfortunately,
    this will never match up to AD because it starts at the top level by
    differentiating between workstations & servers, while AD identifies "computers"
    that are placed into whatever AD structure you define.
    In any case: So I can create device groups that won't result in them being
    moved out of those folders?
    IOW, I could define a device group that contained the systems that were allowed
    to have a certain app installed, and that group membership won't disrupt the
    above folders?
    And are we talking about Dynamic device groups (which I've never used) or are
    there other regular "device groups" that don't just represent the structure above?
    Thanks again. I have a feeling that others before me have already requested an
    enhancement that device groups be an option in Requirements, since I think I've
    read discussions of these same issues here in the past.
    -- DE
    Yes, just create a "regular" Device Group wherever you want in the folder structure and add workstations as members. You probably have a test workstation that you can try with if you're not confident.
    Thomas

  • SSL Accelerated Service and device groups

    I have a need to set up SSL accelerated services on a data center WAE and one edge WAE. In reading through the Cisco Wide Area Application Services SSL Application Optimiser Deployment Guide (2010), it states that best practice is to create an SSL device group and configure the SSL service and generate the keys through that group.
    Simple question:  Should only the data center WAE be placed in that group, or should also the edge WAE be in the group?  The devices are running 4.3.3.

    Only the data center WAEs need to be placed in the SSL device group.
    Regards
    -Smita

  • MARS Device Groups

    I am working with MARS 4.3.4 and have a question on what you can do with Device Groups. I don't see where they can be referenced in queries or rules. Am I missing something?

    No, you're not. They're somewhat pointless really. You can create them, but they're only used to filter what is displayed, you still have to manually select each individual device in a query.
    In other words, you can't create a report using a device group and expect future updates to the device group to show up in the report.
    FWIW, there are lots of other "groups" like this too. Protego/Cisco seems to have forgotten the real value of making groupings like this.

  • ACS web interface hangs on Network Device Group

    We are facing problem of ACS web interface stop responding whenever a Network Device Group is edited/added/deleted. This happens regardless of whether the web interface is opened remotely or on the ACS server.
    The session needs to be killed and then have to wait several minutes before attempting to edit NDG (although new session to ACS can be opened up almost immediately).
    I have checked there are no proxy settings in the browser, no firewall in between, etc.
    ACS is installed on Windows 2003 Server Enterprise Edition with SP1.
    ACS installation on another server of the same hardware specs and Java version works fine. The difference is that the OS on the working ACS is Win 2K3 Ent Ed. without SP1. However, according to Cisco, Win 2K3 Ent Ed. with SP1 is a supported platform.
    My ACS version is 4.0(1) build 27.
    Any ideas?

    I assume you have a Java runtime installed?
    Alas, in the "old days" you could troubleshoot this type of thing by looking in the Windows registry. This is all internal to the ACS SQLAnywhere DB now :(
    Darran

  • In Profile Manager, Can I assign users to ONLY a specific Device Group?

    In Profile Manager (Lion Server 10.7.3) I created DEVICE GROUPS per lab, and each lab has a manager. I want to give each manager permissions to see and manage ONLY their devices. Is this possible?

    I'm not sure this was ever designed to be user friendly, as typically only Admins or those with elevated permissions would see these groups. There isn't, as far as I can see, any way to add this step within a Workflow either, unless you're able to install some third-party steps.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • AAA server group tag

    Is the "AAA server group tag" the same as the proxy distribution entry?
    Trying to set up my ASA for TACACS+.
    cisco# aaa-server ?
    WORD < 17 char Enter a AAA server group tag

    I hope I understand your question correctly. The AAA group tag is local to the AAA client and has nothing to do with the AAA server (e.g. ACS). It is meant to group more than one TACACS+/RADIUS server.
    The Proxy Distribution Table is used when you have multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria, e.g. user1@NY should be redirected to the New York ACS.
    Regards
    Farrukh

  • Device group failback enabled

    Hey folks, is there someone who can tell me
    what the "device group failback enabled" option means?
    You could type the following command:
    scconf -pv
    and it spits out the options:
    Device group name: categat-ora9-ms
    (categat-ora9-ms) Device group type: SDS
    (categat-ora9-ms) Device group failback enabled: no
    (categat-ora9-ms) Device group node list: cnode1, cnode2
    (categat-ora9-ms) Device group ordered node list: yes
    (categat-ora9-ms) Device group diskset name: categat-ora9-ms

    When the node mastering the disk group leaves the cluster, the disk group fails over to the secondary. When the failed node (the original primary) rejoins the cluster, the disk group can be mastered by the secondary or by the original primary, depending on the 'failback' property.
    If the failback property is enabled, the disk group becomes mastered by the original primary again. If failback is disabled, the disk device group continues to be mastered by the secondary. By default, failback is disabled.
    HTH.
