AAA network access restrictions with secure authen (ASA device)

Hi all,
I've been reading a lot about how to configure the cut-through-proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty well).
However, doing so securely seems to be a bit more "fuzzy".
I don't like the idea of authenticating users over clear-text telnet or ftp, and https has its own issues (weird timeouts that I can't seem to figure out).
Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, I just want to tell the ASA:
"Hey, this is me, allow me this (acl) traffic when I'm coming from this IP address, for X minutes or until I log off again. Please."
Sounds simple to me. :-)
Perhaps I'm looking at the wrong thing? Perhaps I do not need the cut-through-proxy for this?
I've been looking at articles like this:
https://supportforums.cisco.com/docs/DOC-14842
And some of Cisco's ASA AAA articles, like this:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
They all pretty much seem to do what I want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear text.
Do I have any other options? Like logging on directly to the device to do the authentication?
Using fixed or named access lists or even downloadable access lists doesn't really matter, I would just like a secure way of activating those access lists.
I'm currently investigating my options, like using a VPN client or scripting some acl injection, but that just sounds so disturbing.
Thanks a lot.
/Sune T.

I have never done it with Cisco ACS so I cannot offer much support on this.
However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
1- in Cisco Freeware tacacs, include "max-session = 1" under either the user profile or group file definition.
2- in the router itself, you need to enable "ip finger". This will allow the TACACS+ server to query the router every time there is a new attempt to log in. If you already have a session to the router, the TACACS+ server will see this and reject a new session for that same user. If the login ID is different from what is already connected to the router, it will then be accepted:
C7140#who
Line User Host(s) Idle Location
0 con 0 idle 11w2d
* 2 vty 0 cciesec idle 00:00:00 192.168.15.9
Interface User Mode Idle Peer Address
C7140#
Now if user "cciesec" tries to log in again through another session, it will be rejected by the TACACS server:
[root@LinuxES-lab1 root]# finger @192.168.15.1
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
[root@LinuxES-lab1 root]#
Easy right?
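As an added illustration (not code from this reply or from the TACACS+ daemon), the snippet below parses the whitespace-collapsed `finger`/`who` table quoted above and applies the "max-session = 1" rule to it, which is the check the reply says the server performs. The sample output is constructed from the reply, and the column heuristics (an optional leading `*`, an optional user column, an optional location column) are assumptions about how the flattened table reads.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "finger @192.168.15.1" output quoted in the reply,
# with the columns collapsed to single spaces as the forum rendered them.
FINGER_OUTPUT = """\
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
"""

# Idle-time forms seen in IOS "who" output: hh:mm:ss or a w/d/h/m/s span such as 11w2d.
IDLE_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2}|(\d+[wdhms])+)$")
LINE_TYPES = {"con", "vty", "aux", "tty"}


@dataclass
class Session:
    line: str                 # e.g. "vty 0"
    user: Optional[str]       # None when nobody is authenticated on the line
    idle: str
    location: Optional[str]   # remote address, None for the console
    current: bool             # the "*" row is the line serving the query itself


def parse_sessions(output: str) -> List[Session]:
    """Parse the line table of a 'who'/finger dump; stop at the interface table."""
    sessions: List[Session] = []
    for raw in output.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "Line":
            continue
        if tokens[0] == "Interface":
            break
        current = tokens[0] == "*"
        if current:
            tokens = tokens[1:]
        # Need at least: line-number, line-type, type-index, host, idle
        if len(tokens) < 5 or tokens[1] not in LINE_TYPES:
            continue
        line = f"{tokens[1]} {tokens[2]}"
        rest = tokens[3:]
        location = None
        if not IDLE_RE.match(rest[-1]):
            location = rest.pop()  # trailing token is a location, not an idle time
        # rest is now [user, host, idle] or [host, idle]
        user = rest[0] if len(rest) == 3 else None
        sessions.append(Session(line, user, rest[-1], location, current))
    return sessions


def session_count(output: str, user: str) -> int:
    """Number of lines on which `user` is currently logged in."""
    return sum(1 for s in parse_sessions(output) if s.user == user)


def login_permitted(output: str, user: str, max_sessions: int = 1) -> bool:
    """Emulate the max-session decision: permit only while the user is below the cap."""
    return session_count(output, user) < max_sessions
```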

Similar Messages

  • About Network Access Restrictions

    I am using ACS 3.2, but I have a question about Network Access Restrictions. I edit Network Access Restrictions in shared profile components, then I select the "Define IP-based access descriptions" check box. I choose the AAA client, type the applicable information in each of the following boxes, then click Enter and Submit. When I log into the ACS server again, I find the AAA client, port, and address information does not appear as a line item in the table. Why?
    ACS version: Release 3.2(1) Build 20

    To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:
    Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows
    Netscape Communicator version 7.0 for Microsoft Windows
    Netscape Communicator version 7.0 for Solaris 2.7
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp32/rn322.htm#wp1043943

  • Aaa network access limit user session

    Hi, I'd like to limit a user to one authenticated session in AAA network access, with ASA and ACS.
    Is TACACS+ accounting necessary?
    thank you in advance
    RS


  • ACS User Group Network Access Restrictions

    Hi to all,
    We have a problem trying to restrict the access for users to an access point: all users in any group can access the access point, although the group has a network restriction which restricts this access.
    We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
    Thanks in advance,
    Coloma Crespí

    Hi Andrew,
    Thanks a lot for your reply. I was really worried about this problem, I had tried everything to solve it and nothing worked...
    Regarding what you say, the network access restrictions we have created are the generic ones. I don't have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
    Thanks in advance,
    Coloma Crespí

  • [ASK] Set Network Address Restriction With Script

    Hi all, I have a question about setting a network address restriction. If I post in the wrong category I'm very sorry about it, because I don't know where I'm supposed to post this.
    I need to set a network address restriction on every user in my tree.
    The problem is there are hundreds of users that I need to set the restriction on. I think it will take a lot of time if I do it one by one.
    I created the users with a script, and I want to ask whether there is a command to set the network address restriction with a script, or maybe there is another simple way to set the network address restriction.
    thanks..

    Is the restriction going to be the same for all users? Depending on what "script" you use, you should be able to also set the restriction at the same time - it's just another attribute value to set.
    Peter
    eDirectory Rules!
    http://www.DreamLAN.com

  • Network Access Manager - Service (Secure Mobility Client)

    We are currently working on Deploying the Secure Mobility Client.
    1. We are looking at the ability to stop the Network Access Manager without Admin rights. According to the Cisco Documentation on this:
    "Stopping and Starting the Network Access Manager"
    Users with local administrator privileges can start and stop the Network Access Manager. Users without local administrator privileges cannot start and stop the Network Access Manager without using the service password defined in the Authentication panel of the profile editor.
    Question: I am unable to find the said option in the Authentication panel in the profile editor.
    2. Since we will be using NAM for all of our computers, and since some users will not be using the VPN, we will need to push out profiles to the users (this is easy, however we are concerned about updates and getting those pushed). A colleague shared that he heard at Cisco Live 2011 that there is an option in NAM to update its profiles by connecting to the VPN headend without actually authenticating and logging into the VPN.
    I know if a user connects to the VPN headend we can update the profiles on NAM/VPN etc... however without them connecting I'm not sure if there is any way to do so?

    Hi Alwin,
    There is nothing to be done with your AnyConnect client... if needed, changes need to be done at the VPN FW/Router where your AnyConnect connection is established... here I guess your corporate office is having this VPN server...
    They have configured it as tunnel-all mode... means all traffic will be taken through the VPN... see from your output the preferred default route is pointed to 192.168.0.101, which is a VPN gateway...
    If needed, the AnyConnect VPN configuration needs to be changed from tunnel-all to split-tunnel...
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 20
    0.0.0.0 0.0.0.0 146.236.12.1 146.236.12.73 2
    Regards
    Karthik

  • E4200 guest network access restrictions

    I have the E4200 router with fw v1.0.01.
    I need to provide guest access and limit the hours it is available.
    I am not able to use access restrictions because when I attempt to enter the range of IP addresses it forces me to use 192.168.1 and the guest subnet is 192.168.33, therefore it never gets a match when the cutoff time comes. I do not know the MAC addresses of the guests and cannot force them to use predefined static IP addresses, so the range of addresses seems to be my only option. It's just that it won't let me input the "33" where it is needed.
    Perhaps I am misunderstanding something or perhaps there is some other way to accomplish this.
    Please advise.
    Thank you,
    -Marty

    Thanks for the reply. I'm pretty sure you're right, at least it looks that way. That's a little too open for me. I suppose I could change the config when I want to cut off access, it would just be nice to have it automated.

  • How do i diagnose a network access error with Gracenote or other sites??

    Ok, this is not strictly itunes but here goes.
    Since I upgraded to 7.2 about 3 weeks ago, I have had only 50% success in accessing Gracenote when I put a CD in (ie this morning around 10am no problem, now at 5pm can't get to it). My internet connection is AT&T DSL. It comes with a connection diagnosing tool which never says there is a problem, the Windows XP connection diagnosing tool says no problem, and yet there are certain websites I can now no longer get to, not just Gracenote via iTunes. Using IE or Firefox I can't get to discussions.apple.com ironically (I can get to www.apple.com), same for Gracenote, and occasionally the Weather Channel desktop, and Yahoo email. I turned off all firewalls and there is no change. However, I then access my work VPN (via the AT&T DSL connection, not dial up) and hey presto I can get to all these sites I couldn't before. So if I go through the VPN I can always get to Gracenote; if I use the native DSL connection I can't. I think AT&T is preventing access through its own network to parts of the web because of bandwidth issues (I have emailed them and they say there is no problem in my area), but won't admit it, and I can't prove it. So my question is how do I prove where the network bottleneck is in accessing these sites since the tools I get say there is no problem? Or could it be a DNS problem?
    Please, if anyone can help offline I would be so happy, it is so frustrating not being able to load CDs into iTunes whenever I feel like it.

    How did you set up chroot?
    FYI, you don't need to chroot to use pacman with a non-root filesystem.
    man pacman wrote:
    -r, --root <path>
    Specify an alternative installation root (default is /). This should not be used as a way to install software into /usr/local instead of /usr. This option is used if you want to install a package on a temporary mounted partition that is "owned" by another system. NOTE: if database path or logfile are not specified on either the command line or in pacman.conf(5), their default location will be inside this root path.

  • Network access restriction ACS 4.2

    Hi,
    We have an ACS 4.2 server, in which I created 2 groups:
    a full access user group & a read only user group.
    Now I want to give full access for one particular device
    to a user who is in the read only user group.
    Thanks in advance for your help.

    Try creating a NAR with "no" NDG in it and assign it to the user you want to give full access.

  • Is it possible that network access permission control in acs 5.1

    Hello
    We have ACS 5.1, WLC 7.0 and are using 802.1X to authenticate users.
    Does anybody know how I can configure network access restrictions using internal user group information?
    For example, under the same SSID (like "test"), same VLAN ID,
    two different user groups have different network access permissions.
    One group has full permission and the other has limited network access permission.
    Is it possible?

    The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of users and the other profile for the others.
    Now to restrict access to the network, I think you're best with an ACL? So link ACLs to your profiles.
    Nicolas

  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all
    I have given the below config on the AAA client & added the client in User, Group; the NAR is configured for all clients,
    but my requirement is to restrict AAA client access by a specified password.
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

  • WRT120N v1.0.07 Access Restriction Problem

    My Wireless-N Home Router WRT120N with version 1.0.07 seems to have a problem blocking sites through scheduling with Access Restriction "Allow"...
    I notice that when I enable access restriction, with a policy and some range of computers connecting to my router, and set it to "allow" from "monday - friday" from "8am-6pm", with the purpose of blocking some social networking sites, for example facebook, it works perfectly fine. But when the "scheduled" time comes (before 8am and after 6pm) I cannot access the internet. The router is working, it detects my modem, but no internet connection.
    It always happens before and after the "scheduled time", before the configured access restriction takes over. I have to disable the Access Restriction to continue our internet access.

    In this case, I would like to ask whether you have upgraded the firmware of the router yourself? If yes, did you reset and reconfigure the router after the firmware upgrade? If you haven't, then I would recommend you to reset and reconfigure the router. The following link shows how to reset the router http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=eaa3127db5f4402584c959a7251e754c_4008.xml&pid=80&r... 
    Click on the link below which shows how to reconfigure the router in case of a cable and DSL connection:
    Cable connection - http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=3686
    DSL connection- http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=20ee1457387f40178cd5f41d4b585db4_3687.xml&pid=80&r...

  • AAA caller-ID restriction?

    I want to make restrictions for those who authenticate through AAA: after the authentication has passed it will check the user's caller-ID; if it is found in his/her account, succeed, otherwise a failed reply. Is this feature supported on ACS 3.3?

    A non-IP-based Network access restriction (NAR) is a list of permitted or denied "calling" or "point of access" locations that you may employ in restricting a AAA client when an IP-based connection is not established. The non-IP-based NAR generally uses the calling line ID (CLID) number and the Digital Number Identification Service (DNIS) number.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

  • Access restriction policy

    I own an E2000 router with the latest firmware. I set up an access restriction policy for my children's mobile devices. Deny policy based on MAC address. Sometimes it works and sometimes it won't work. It seems that my children keep using for instance WhatsApp so busily that the internet connection keeps open despite the policy. Does anyone know a solution for this?
    kind regards,
    cees

    Thanks Jake,
    I know that a factory reset is possible via the web interface. My question was whether it is possible to do a scheduled reboot with an option in the firmware? Indeed the time zone is important. I checked this.
    Does anybody know if the access restriction policy works on a live internet connection? For example: my daughter uses her smartphone with Facebook from 16:00 to 17:00 and the policy is that at 16:30 it must be blocked? Or can the policy only work on a connection when it starts up (and then checks the time in the policy to know if a restriction is possible)?
    cheers

  • Access restriction question

    I have a WRT54G v2 wireless router/access point (Firmware Version v2.02.7) ...and I am using access restrictions with some success, but I have one question - is there any way to set up a rule (or rules) such that site blocking is time-based?
    For example, the internet is up and available, except for myspace.com, which is blocked between 7pm and 5am.
    I know that a time window that spans midnight requires two rules, but what I don't know is how to have a rule that is both site-based AND time-based. If I create a new rule and change its status from "allow PCs" to "deny PCs", the router's web-based GUI immediately disables the blocked protocols, blocked sites, and blocked keywords fields...and so it seems that what I am asking for is not possible...unless I am missing something.
    Any ideas? Thanks.
    cheers,
    Steve
    Message Edited by Scuba_Steve on 09-18-2007 12:10 PM

    Okay...the answer is this - NO. So what to do? Install a different firmware. I installed Tomato and it blows the doors off of the standard Linksys firmware...and the supported access restriction rules are far more powerful and intuitive.
