AAA - Restrict group access from logging onto all NDGs except one

I've recently created a group of users that are only able to shut and unshut interfaces using the aaa authorize config-commands, and I have all the relevant groups etc. in place and working. My problem now is that the new users can log into any device on the network (they can't do anything other than show ver and show logg). I need to stop them from accessing anything other than the group I specified under group settings.

I'm assuming you're using CiscoSecure ACS? Why not create some NARs (Network Access Restrictions) that limit the devices or network device groups (NDGs) that users in a particular group can access?
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/c.htm#wp697095
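The two AAA decisions the reply relies on, as an added example that is not part of the original thread and is not Cisco ACS code: a small Python model of a TACACS+ server that first applies a NAR (is this user's group allowed on the NDG this device belongs to?) and only then applies command authorization (may this group run this command line?). With such a policy, a user in the interface-admin group is refused at login on every device outside the permitted NDG, and on permitted devices can run only the shut/no-shut sequence. The device names, NDG names, group names and rule syntax are all constructed for this example.

```python
"""Model of ACS-style NAR + command authorization (added example,
not the original thread's or Cisco's code). All names are constructed."""
import re
from dataclasses import dataclass, field

# Constructed AAA-client inventory: device name -> Network Device Group (NDG)
DEVICES = {
    "sw-access-01": "Access-Switches",
    "sw-access-02": "Access-Switches",
    "rtr-core-01": "Core-Routers",
    "fw-edge-01": "Firewalls",
}


@dataclass
class GroupPolicy:
    # NAR: NDGs this group may log on to. An empty set models a group with
    # no NAR configured, which is why such users can reach every device.
    permitted_ndgs: set = field(default_factory=set)
    # Command authorization: (command regex, argument regex) pairs that are permitted.
    permitted_commands: list = field(default_factory=list)


POLICIES = {
    # The restricted group from the question: one NDG, shut/no-shut only.
    "interface-admins": GroupPolicy(
        permitted_ndgs={"Access-Switches"},
        permitted_commands=[
            (r"show", r"version|logging"),
            (r"configure", r"terminal"),
            (r"interface", r"(Gigabit|Fast)Ethernet\S+"),
            (r"shutdown", r""),
            (r"no", r"shutdown"),
            (r"end", r""),
        ],
    ),
    # A full-access group with no NAR, for contrast.
    "netops": GroupPolicy(permitted_ndgs=set(), permitted_commands=[(r".*", r".*")]),
}


def authenticate(group, device):
    """NAR check performed at login. Returns (allowed, reason)."""
    policy = POLICIES.get(group)
    if policy is None:
        return False, "unknown group"
    ndg = DEVICES.get(device)
    if ndg is None:
        return False, f"{device} is not a registered AAA client"
    if policy.permitted_ndgs and ndg not in policy.permitted_ndgs:
        return False, f"NAR denies group {group} on NDG {ndg}"
    return True, f"NAR permits group {group} on NDG {ndg}"


def authorize_command(group, device, line):
    """Per-command check, as the device asks for under
    'aaa authorization commands' / 'aaa authorization config-commands'.
    A command is permitted only if login is permitted AND a rule matches."""
    ok, reason = authenticate(group, device)
    if not ok:
        return False, reason
    parts = line.strip().split(maxsplit=1)
    if not parts:
        return False, "empty command"
    cmd = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    for cmd_re, arg_re in POLICIES[group].permitted_commands:
        if re.fullmatch(cmd_re, cmd) and re.fullmatch(arg_re, args):
            return True, f"permitted by rule ({cmd_re!r}, {arg_re!r})"
    return False, f"no rule permits {line.strip()!r} for group {group}"


if __name__ == "__main__":
    # Constructed session: the restricted group on a permitted and a denied device.
    for device in ("sw-access-01", "rtr-core-01"):
        print(device, "login:", authenticate("interface-admins", device))
        for cmd in ("configure terminal", "interface GigabitEthernet0/1",
                    "no shutdown", "show running-config"):
            print("  ", cmd, "->", authorize_command("interface-admins", device, cmd))
```

The order of the checks is the point: command authorization alone, which the question already had in place, only limits what a logged-in user can type; it is the NAR, evaluated before the session exists, that keeps the group off devices in other NDGs. A group with no NAR configured (the `netops` entry here) is permitted everywhere, which matches the symptom in the question.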

Similar Messages

  • Any way to prevent XP machines from logging onto domain?

    We've just completed upgrading our hundreds of XP workstations; however, I am concerned that there could still be a laptop or two sitting in someone's car that will eventually make its way back in. Is there any way I can prevent XP machines from logging onto the network/domain?

    Hi,
    Check out the thread below on a similar discussion and the steps to solve your requirement:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/986bc78e-0ade-47a1-9e14-fc46f4cad24d/group-policy-restrict-all-xp-computer-to-log-into-domain?forum=winserverGP
    Hope this information will be helpful to you.
    Recommended: You can test this scenario in a test environment before moving ahead to production.
    Regards,
    Gopi
    www.jijitechnologies.com

  • Licensing restrictions prevent access from this address.

    After updating CF7 to the new DST requirements, we are seeing INTERMITTENT issues with some SWF movies not being loaded.
    Flash forms work just fine.
    Any indication which way to look would be fabulous.
    Coldfusion-err.log shows:
    03/13 15:47:48 ERROR Proxy Servlet: Licensing restrictions prevent access from xx.xx.xx.xxx
    03/13 15:47:48 ERROR Proxy Servlet: Allows addresses: [ {71.218.19.250} {192.168.1.145} {74.93.23.77} {24.131.24.127} {192.168.1.1} ]
    03/13 15:47:48 error Licensing restrictions prevent access from this address.
    java.io.IOException: Licensing restrictions prevent access from this address.
    at flex.services.license.AddressRestrictionFilter.invoke(AddressRestrictionFilter.java:28)
    at flex.server.j2ee.cache.CacheFilter.doFilter(CacheFilter.java:165)
    at flex.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:66)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

    alexfrates wrote:
    > After updating CF7 to the new DST requirements, we are seeing INTERMITTENT
    > issues with some SWF movies not being loaded.
    >
    > flash forms work just fine.
    > Any indication which way to look would be fabulous.
    >
    > Coldfusion-err.log shows:
    > 03/13 15:47:48 ERROR Proxy Servlet: Licensing restrictions prevent access from
    > xx.xx.xx.xxx
    > 03/13 15:47:48 ERROR Proxy Servlet: Allows addresses: [ {71.218.19.250}
    > {192.168.1.145} {74.93.23.77} {24.131.24.127} {192.168.1.1} ]
    On a J2EE multiserver install this usually means your JRun instance is not registered. In the JRun admin, drill down to the settings of the instance and check whether it is a developer edition or a registered edition. I wouldn't know any way to fix this other than a reinstall.
    Jochem
    Jochem van Dieten
    Adobe Community Expert for ColdFusion

  • Website/software that prevents you from logging onto the Internet

    Recently I read about a website or software that allows you to disengage from the Internet for a period of time.
    Do you know the URL for this site or product?
    Thank you.

    Your question says that you want to prevent logging onto the internet...that is very easy to do, simply unplug the cable to your modem. Or turn the AirPort card off if you are using wireless.
    If you are looking for software for another purpose, such as parental controls, that is a different topic and there are various ways of preventing unfettered access to the internet.

  • Redirector prevents computer from logging onto network

    I am using Desktop Manager v4.7. Ever since I upgraded from v4.6 to v4.7, the redirector tries to launch and connect to the network before my desktop computer is able to do so. To make matters worse, the computer won't log onto the network because the redirector is trying to log onto it.
    Finally, the redirector crashes, at which point the computer is able to log onto the network. However, by then, the redirector won't try to log onto the network again, and my emails are not forwarded to my BlackBerry.
    Thus, is it possible to have the redirector wait until the computer has logged onto the network before it tries to launch itself?
    Your help is greatly appreciated. 

    OK, MnJim,
    Then in that case, if you're disabling the SSID, you'll need to type in the SSID manually each time, since I don't believe that AirPort on the Mac can find an SSID to automatically connect to if the SSID is not being broadcast.
    So it almost seems like you're between a rock and a hard place. Don't want to type the SSID in order to 'find' it? Then don't disable it.
    Also:
    With the SSID broadcast disabled, if there is another access point within range that is broadcasting, systems will automatically switch to the access point that's broadcasting its SSID. This happens even if you didn't list that broadcasting system as a preferred network and you've listed the access point that's not broadcasting as preferred.
    and:
    http://www.netstumbler.org/archive/index.php/t-11738.html
    and:
    http://forums.wi-fiplanet.com/archive/index.php/t-1293.html
    It seems as if it's "to-may-to", "to-mah-to". A serious hacker will find a way to find your SSID, broadcast or not. Disabling it simply makes your life more of a hassle.
    ...for what it's worth...
    Anyone else find other factoids to support 'disabling', or a better way to keep the connection 'automatic' without a publicized SSID?

  • From external: block all domains except one MAPPINGS file?

    Here's the problem...
    I have an old domain that my mailserver is still authoritative for. We receive mail through a mail ISP cluster, in the sense that our internal mailserver does not have any MX records associated with it. All MX records point to the ISP.
    We have recently changed domain name because of a merger.
    I am still rewriting all RCPT TO: [user]@olddomain.com to RCPT TO: [user]@newdomain.com in the imta config.
    I now want to end that rewriting using the mappings file for all but one domain.
    So the end result should be:
    MAIL FROM: all domains -> [user]@olddomain.com REJECT $Netc......
    but!
    MAIL FROM: specific domain -> [user]@olddomain.com should still be passed on to the IMTA.
    I have used SEND_ACCESS before as a method of blocking mail, but this is specific... I want to block the whole world except one originating domain (for the old domain).
    Does anyone have a working example of this and could you provide it for me?
    TIA
    Eli

    Jay :-)
    We have reinstalled iPlanet Messaging Server 5.2 on Windows Server using all new servername FQDN and all new domain hosting for.
    FQDN: mail.new-domain.local
    Mail authoritative for: new-domain.com
    Server is located on the LAN and gets its mail from an ISP using mailkick.
    Server is actually not aware (neither in MX nor in LDAP records) of the old domain.
    The only way the server gets its mail is through smart-hosting. It just works and acts as a new server. Mail for the old-domain.com (organization) is accepted because I rewrite the domain part of the old-domain.com to new-domain.com
    old-domain.com $U%[email protected]
    Server accepts mail from all sending/origination domains only for the TO: new-domain.com it is authoritative for.
    Now here is the catch... I want to disable the TO: domain rewriting, because people need to use the new domain when addressing us.
    There is still only ONE organization out there that needs to address the old-domain.com because of X.509 encrypted mail. This is the only domain I will do rewriting for.
    Hence why I was looking at SEND_ACCESS.
    It has some ways of blocking part of a sender or the address part of an envelope based on wildcards etc....
    Yet only blocking....
    How do I block the whole world except that old organization we still do business with. Mail for the old domain is also delivered through the same mailkick by ISP.
    So if whole world -> [some user]@old-domain.com REJECT
    and
    single organization -> [some user]@old-domain.com ACCEPT and continue REWRITING
    Hope I shed a bit more light on the subject....
    Eli

  • I can log onto all secure web sites except one particular one. Can be logged onto from other computers but not mine.

    I also tried IE and the same thing. I am Win. XP with Norton. When I fill in the user name and password then click login, the page flashes back with the information gone.

    Clear the cache and the cookies from sites that cause problems.
    * "Clear the Cache": Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
    * "Remove the Cookies" from sites causing problems: Tools > Options > Privacy > Cookies: "Show Cookies"
    * http://support.mozilla.com/kb/How+to+clear+the+cache
    * http://support.mozilla.com/kb/Deleting+cookies

  • Problems restricting AD users from logging in

    We previously had a Snow Leopard Server/client setup and used the magic triangle, placing AD users in an AD group and then nesting this within an OD group in Workgroup Manager. This group was then given access to log on to our clients in the computer group pane (login preference > access) of Workgroup Manager and all other users were automatically disallowed. This worked perfectly and our system relies on this mechanism.
    Having replaced this system with Mountain Lion Server latest release and 10.8.4 clients, the same setup is not working. We have not extended the AD schema (just for info).
    To restrict access to our clients to a particular user group, we place the users in the AD group, nest the AD group in the OD group, and it appears to break the preference and give access to everyone.
    I have tried some other combinations to determine where the problem lies.
    1. I explicitly give access to a single AD user. The single AD user can log in and no other users can log in. This is working.
    2. I explicitly give access to a single AD user and a deny to a second user. The single AD user can log in, the second user cannot log in. Other users cannot log in. This is working.
    3. I give access to a single OD group containing a nested AD group containing the single AD user that had access in (2). I also explicitly deny a second user. Now all AD users can log in except the one user I denied. This is broken. All users not in the nested AD group should be denied access.
    4. I give access to the nested AD group directly instead of nesting within the OD group. I also explicitly deny a second user. Now all AD users can log in except the one user I denied. This is broken and the same result as (3).
    There are some other quirks in Workgroup Manager regarding the AD groups and users. If I add an AD user directly to an OD group then it is displayed correctly until I change tab. If I return to the tab again the name is "Not Found" with a "target" icon displayed to the left. The ID is a hexadecimal string. The same occurs with AD groups. I have read about this and the suggestion was to change the AD user groups to domain.local groups rather than global groups. I did this and the AD groups then display correctly, but this has not solved the login problem.
    If I use the Server.app to view the users and groups they show up correctly, including AD users added directly to the OD groups, so this is better than Workgroup Manager, but I cannot restrict access to the clients using Server.app.
    If anyone has any ideas of how to deal with this or workarounds I would really appreciate it.

    Methinks you should be posting to the server forum.

  • Restrict Opportunity access from other Org Unit Sales agent

    Hello,
    My scenario is: there are different Organisation Units and Sales agents are assigned to those Org units. Now the issue is, a Sales agent from one Org unit is looking into the opportunities of another Org unit. As the sales agents have their own targets and competition, one should not see the Opportunities of another Org unit.
    How can we achieve this?
       a) Can we achieve this through PFCG roles, and if so, how?
       b) I heard about the concept of the Access Control Engine, which is useful in this kind of scenario, but again we need to implement ACE here, which I don't have ideas about.
    Please suggest the best method to achieve this. Also provide a step-by-step procedure to achieve this.
    Thanks,
    MD.

    Hi, madhusudan444.
    Yes, you can achieve this by PFCG. Authorization objects CRM_ORD_LP or CRM_ORD_OE will help you.
    For more information, please follow this link:
    http://help.sap.com/saphelp_crm70/helpdata/EN/48/a44236ceb873e8e10000000a42189b/frameset.htm
    I would not recommend using ACE for this issue, because ACE is ABAP. Your issue can be achieved by the standard procedure.

  • Group and Ungroup without moving all data to one layer?

    Good morning!  When I group multiple features (usually for alignment purposes), ungrouping them then tosses all items onto one layer.  This is quite frustrating; anyone know a workaround? 

    My coworkers and I realized this workflow is a hang-over from FreeHand.  FH took issue with moving multiple objects, but did so happily if said objects were grouped.  Ungrouping then released to the original layers.  AI moves multiple objects without complaint!  Thanks again!

  • I was logged onto FB and on one of my friends' walls. I cannot back out of it; the notifications header that is usually in the top left corner is not there anymore. Anyone know how to retrieve this or get me logged off FB? HELP

    I am logged into Facebook on my iPhone... I am on a friend's status and I am not able to back out of his status because the "notification" header that should be in the top left corner to back me out of his status is not there. Anyone ever experience this before? I have tried soft reset, shaking the phone and syncing again with my computer.

    Facebook is a webpage but also has several apps. When you ask Facebook questions, stating how you access Facebook would be beneficial for people in order to HELP you.

  • Restricting owa 2013 from internet for group users using ARR

    I am trying to restrict owa access from internet for group of users using ARR.
    http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/iis-application-request-routing-part1.html
    please suggest

    Hello,
    Thank you for your question.
    This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.
    Regards,
    Winnie Liang
    TechNet Community Support

  • HT2905 When I use iTunes to transfer photos from my PC to my iPhone it transfers two duplicate folders onto the phone. One called Photo Library, the other the name of the folder I transferred. I don't want the photos on my phone twice

    Hi. I hope someone can help.
    I have just downloaded iTunes onto my PC.
    Firstly, when my iPhone is plugged in and I open iTunes it does not have a picture/photo folder under my phone listing.
    Secondly, when I go to Photos from the top of the screen and tick Sync, it asks me to select the folder I want to sync with the phone, which I do. I then press Apply and it transfers all the photos from that folder to my phone BUT it does it twice! I end up with two folders with the same photos. One named as per the folder on the PC and the other named Photo Library. I am not able to delete either of them. If I go back to iTunes and unsync, it deletes them both.
    I have been trying for hours now.
    If I just try to do it from my PC, i.e. right click and send to iPhone, it won't do it; it just says phone not responding or disconnected.
    Any ideas?

    You do NOT have duplicates.  This is how Apple handles photos.
    Just as a song is in your Itunes Library and that exact same song can be accessed from a playlist, all synced photos are in the Photo Library and those exact same photos can be accessed from the album.

  • Access control logs and DNS entries

    Hello there,
    We have upgraded from Border Manager 3.5 to Border Manager 3.8 SP4 on
    new hardware. Everything runs fine except a little niggle. When we
    view the Access Control logs now all we see is IP addresses there are
    no host names. In real time monitoring we can click on DNS Host Name
    and get some of the names but most come back Unknown. Under the logs
    themselves the DNS host Name option is grayed out. Have I messed up
    the configuration in some manner?
    Dan

    Thanks Craig. We are indeed running the transparent proxy. Is this a change between 3.5 and 3.8? When we ran the transparent proxy under 3.5 we were able to see the URLs.
    On Tue, 17 Jul 2007 21:36:53 GMT, Craig Johnson
    <[email protected]> wrote:
    >In article <[email protected]>, Dan Larson
    >wrote:
    >> When we
    >> view the Access Control logs now all we see is IP addresses there are
    >> no host names. In real time monitoring we can click on DNS Host Name
    >> and get some of the names but most come back Unknown. Under the logs
    >> themselves the DNS host Name option is grayed out. Have I messed up
    >> the configuration in some manner?
    >>
    >If you have transparent proxy working, you will get IP addresses of
    >hosts instead of URL's.
    >
    >If you are not using proxy authentication, you will get IP addresses of
    >user PC's instead of user names.
    >
    >Craig Johnson
    >Novell Support Connection SysOp
    >*** For a current patch list, tips, handy files and books on
    >BorderManager, go to http://www.craigjconsulting.com ***
    >

  • I can't log onto the App Store through my MacBook Air - an unknown error keeps occurring

    I've been trying to log onto the App Store and I can't manage to get on - the system keeps saying that there is an unknown error when I try to log on. I have tried to do the whole reset of the system using the alt and power button (I bought this Mac second hand so I also want to restore it to factory settings). I was thinking that the reason the App Store wouldn't work is because the previous user might not have reset the system properly? I can log onto all the other applications with my Apple ID perfectly fine; it's just with the App Store. Any help is hugely appreciated!!!

    The first thing you should do with a second-hand computer is to erase the internal drive and install a clean copy of OS X. How you do that depends on the model. Look it up on this page to see what version was originally installed.
    If the machine shipped with OS X 10.4 or 10.5, you need a boxed and shrink-wrapped retail Snow Leopard (OS X 10.6) installation disc, which you can get from the Apple Store or a reputable reseller — not from eBay or anything of the kind. If the machine has less than 1 GB of memory, you'll need to add more in order to install 10.6. I suggest you install as much memory as it can take, according to the technical specifications.
    If the machine shipped with OS X 10.6, you need the installation media that came with it: gray installation discs, or a USB flash drive for some MacBook Air models. If you don't have the media, order replacements from Apple. A retail disc, or the gray discs from another model, will not work.
    To boot from an optical disc or a flash drive, insert it, then reboot and hold down the C key at the startup chime. Release the key when you see the gray Apple logo on the screen.
    If the machine shipped with OS X 10.7 or later, you don't need media. It should boot into Internet Recovery mode when you hold down the key combination option-command-R at the startup chime. Release the keys when you see a spinning globe.
    Once booted from the disc or in Internet Recovery, launch Disk Utility and select the icon of the internal drive — not any of the volume icons nested beneath it. In the Partition tab, select the default options: a GUID partition table with one data volume in Mac OS Extended (Journaled) format. This operation will permanently remove all existing data on the drive, which is what you should do.
    After partitioning, quit Disk Utility and run the OS X Installer. When the installation is done, the system will automatically reboot into the Setup Assistant, which will prompt you to transfer the data from another Mac, its backups, or from a Windows computer. If you have any data to transfer, this is usually the best time to do it.
    You should then run Software Update and install all available system updates from Apple. If you want to upgrade to a major version of OS X newer than 10.6, buy it from the Mac App Store. Note that you can't keep an upgraded version that was installed by the previous owner. He or she can't legally transfer it to you, and without the Apple ID you won't be able to update it in Software Update or reinstall, if that becomes necessary. The same goes for any App Store products that the previous owner installed — you have to repurchase them.
    If the previous owner "accepted" the bundled iLife applications (iPhoto, iMovie, and Garage Band) in the App Store so that he or she could update them, then they're linked to that Apple ID and you won't be able to download them without buying them. Reportedly, Apple customer service has sometimes issued redemption codes for these apps to second owners who asked.
    If the previous owner didn't deauthorize the computer in the iTunes Store under his Apple ID, you won't be able to authorize it under your ID. In that case, contact iTunes Support.
