About Network Access Restrictions

I am using ACS 3.2, but I have a question about Network Access Restrictions. I edit Network Access Restrictions in Shared Profile Components, then I select the Define IP-based access descriptions check box. I choose the AAA client, type the applicable information in each of the following boxes, then click Enter and Submit. When I log in to the ACS server again, I find that the AAA client, port, and address information does not appear as a line item in the table. Why?
ACS version: Release 3.2(1) Build 20

To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:
Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows
Netscape Communicator version 7.0 for Microsoft Windows
Netscape Communicator version 7.0 for Solaris 2.7
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp32/rn322.htm#wp1043943

Similar Messages

  • ACS User Group Network Access Restrictions

    Hi to all,
    We have a problem trying to restrict the access for users to an access point: All users in any group can access the access point, although the group has a network restriction which restricts this access.
    We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
    Thanks in advance,
    Coloma Crespí

    Hi Andrew,
    Thanks a lot for your reply. I was really worried about this problem, I had tried everything to solve it and nothing worked...
    Regarding what you say, the network access restrictions we have created are the generic ones. I don't have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
    Thanks in advance,
    Coloma Crespí

  • ABOUT wrt54g 'Access Restriction'

    Dear all:
    Once the duration of a rule has expired, it won't apply another rule by the time serial.
    For example, I set up one of the PCs to be allowed to access the internet between 7:00am~11:55am. This PC could access the internet after 11:55am, even though I set another rule for this PC with duration 12:00pm~18:00pm.
    Is there any solution for my needs?
    Best Regards
    tom

    The Access Restrictions feature allows you to limit Internet access on your network.  You can deny access to certain computers, block certain applications and services, and block certain websites by the use of keywords or by the URL at a given time.  This feature allows you to customize up to 10 different Internet Access Policies for particular computers, which are identified by their IP or MAC addresses.
    Here is the link Implementing Access Restrictions for computers: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=20b29e54474a4a17aff594cb659747ea_4041.xml&pid=80&r...

  • E4200 guest network access restrictions

    I have the E4200 router with fw v1.0.01.
    I need to provide guest access and limit the hours it is available.
    I am not able to use access restrictions because when I attempt to enter the range of IP addresses it forces me to use 192.168.1 and the guest subnet is 192.168.33, therefore it never gets a match when the cutoff time comes. I do not know the MAC addresses of the guests and  cannot force them to use predefined static IP addresses, so the range of addresses seems to be my only option. It's just that it won't let me input the "33" where it is needed.
    Perhaps I am misunderstanding something or perhaps there is some other way to accomplish this.
    Please advise.
    Thank you,
    -Marty

    Thanks for the reply. I'm pretty sure you're right, at least it looks that way. That's a little too open for me. I suppose I could change the config when I want to cut off access, it would just be nice to have it automated.

  • Aaa network access restrictions with secure authen (asa device)

    Hi all,
    I've been reading a lot about how to configure the cut-through-proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty good).
    However, doing so securely seems to be a bit more "fuzzy".
    I don't like the idea of authenticating users over clear text telnet or ftp, and https has its own issues (weird timeouts that I can't seem to figure out).
    Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
    I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, I just want to tell the ASA:
    "Hey, this is me, allow me this (acl) traffic when I'm coming from this IP address, for X minutes or until I log off again. Please.".
    Sounds simple to me. :-)
    Perhaps I'm looking at the wrong thing? Perhaps I do not need the cut-through-proxy for this?
    I've been looking at articles like this:
    https://supportforums.cisco.com/docs/DOC-14842
    And some of Cisco's ASA AAA articles, like this:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
    They all pretty much seem to do what I want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear-text.
    Do I have any other options? Like logging on directly to the device to do the authentication?
    Using fixed or named access lists or even downloadable access lists doesn't really matter, I would just like a secure way of activating those access lists.
    I'm currently investigating my options, like using a VPN client or scripting some acl injection, but that just sounds so disturbing.
    Thanks a lot.
    /Sune T.

    I have never done it with Cisco ACS so I can not offer much support on this.
    However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
    1- In Cisco Freeware TACACS, include "max-session = 1" under either the user profile or group file definition.
    2- In the router itself, you need to enable "ip finger". This will allow the TACACS+ server to query the router every time there is a new attempt to log in. If you already have a session to the router, the TACACS+ server will see this and reject a new session for that same user. If the login ID is different from what is already connected to the router, it will then be accepted:
    C7140#who
    Line User Host(s) Idle Location
    0 con 0 idle 11w2d
    * 2 vty 0 cciesec idle 00:00:00 192.168.15.9
    Interface User Mode Idle Peer Address
    C7140#
    Now if user "cciesec" tries to login again through another session, it will
    be rejected by the TACACS server:
    [root@LinuxES-lab1 root]# finger @192.168.15.1
    Line User Host(s) Idle Location
    0 con 0 idle 11w2d
    2 vty 0 cciesec idle 00:04:00 192.168.15.9
    * 3 vty 1 idle 00:00:00 192.168.128.100
    Interface User Mode Idle Peer Address
    [root@LinuxES-lab1 root]#
    Easy right?
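
The session check described in the reply above, sketched as an added example (not part of the original post and not the TACACS+ daemon's own code): it parses finger output in the shape quoted above and refuses a login once the user already holds `max_session` lines. The function names and the `max_session` parameter are hypothetical, and the sample text is constructed from the post's output.

```python
import re

# Constructed sample in the shape of the finger output quoted in the post
# (columns collapsed to single spaces, as on the page).
SAMPLE_FINGER = """\
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
"""

# Optional "*" marker, absolute line number, line type, relative line number.
LINE_RE = re.compile(r"^(\*)?\s*(\d+)\s+(con|aux|vty|tty)\s+(\d+)\s+(.*)$")


def parse_sessions(text):
    """Return one dict per terminal line found in `who`/finger output."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # column headers, prompts and blank lines
        fields = m.group(5).split()
        # Assumption: Host(s) reads "idle", as in every row on the page, so a
        # leading "idle" means the User column is empty (nobody logged in yet).
        user = fields.pop(0) if fields and fields[0] != "idle" else None
        sessions.append({
            "line": f"{m.group(3)} {m.group(4)}",
            "user": user,
            "location": fields[2] if len(fields) > 2 else None,
        })
    return sessions


def allow_login(finger_text, username, max_session=1):
    """Hypothetical server-side decision: accept only below the session cap."""
    active = sum(1 for s in parse_sessions(finger_text) if s["user"] == username)
    return active < max_session
```

The finger service answers unauthenticated queries with the logged-in usernames and source addresses, so when `ip finger` is enabled for this purpose, TCP port 79 on the router should be filtered to accept connections only from the TACACS+ server.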

  • Network access restriction ACS 4.2

    Hi,
    We have an ACS 4.2 server; in it I created 2 groups: a full access user group & a read only user group.
    Now I want to give full access for one particular device to the user who is in the read only user group.
    Thanks in advance for your help.

    Try creating a NAR with "no" NDG in it and assign it to the user you want to give full access.

  • Is it possible that network access permission control in acs 5.1

    Hello
    We have ACS 5.1 and WLC 7.0, and use 802.1x to authenticate users.
    Does anybody know how I can configure network access restriction using internal user group information?
    For example, under the same SSID (like "test"), same VLAN ID.
    But two different user groups have different network access permissions.
    One group has full permission and the other has limited network access permission.
    Is it possible?

    The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of users and the other profile for the others.
    Now to restrict access to the network, I think you're best with an ACL? So link ACLs to your profiles.
    Nicolas

  • Access Restriction - Internet Connection Policy (between two times)

    I want to say something about the Access Restriction.
    I set the policy to allow internet connection for one of my LAN PCs. For example, I set the policy to ALLOW internet connection EVERY DAY from 8:00PM to 10:00PM. Starting with 10M internet connection stops. BUT, after a few minutes I do a power cycle (turn OFF and turn ON the router) and I have internet connection again. For me, allowing internet connection from 8:00 PM to 10:00 PM means to have internet connection ONLY BETWEEN THESE HOURS, not before and not after.
    In my opinion, this is the same situation with two DENY policies for internet connection, one from 12:00 AM to 8:00 PM and the other from 10:00 PM to 11:55 PM (for the same PC, of course).
    Why does a POWER CYCLE break these policies?
    ps - sorry for my English.

    @sunwatcher,
    If I set a policy for my little boy's PCs ... for allowing internet connection from 4:00PM to 6:00PM (for example) ... after 6:00 PM internet connection stops and he turns OFF and turns ON the router (power cycle) and after that he has internet connection, from then for a long time ...
    I am from Romania, and I set the time zone to GMT +2 (Bucharest time zone)
    I insist on this problem because I want him to use internet only between two times. Outside this time frame I want him to do his homework.

  • Network Access dialog box keeps popping up too quickly to click

    Lately, Compressor (or maybe Batch Monitor) has been causing this problem:
    While a batch is compressing, a dialog box pops up on the screen for a fraction of a second, way too quickly to read it or click on it. I see "Deny" and "Allow" buttons, so I am guessing it's a dialog box asking about network access.
    I found that it pops up at the same time interval I set in Batch Monitor's prefs for updating.
    I tried trashing Compressor's prefs and restarting it.
    The frustrating thing about this problem is that it interrupts anything else I'm doing. It interrupts typing, or a mouse drag. The only workaround I've found, so far, is to not run Batch Monitor at all.
    I'd reinstall, but that'll take days because I have to track down someone in the company who keeps the install media under lock and key. I'm hoping you know of a way to solve this... please? A search of this forum turned up nothing, so far, but I saw a user posted about this problem on another site... and the solution suggested there didn't work for me (not sure it worked for him, either).

    I was having the same problem and noticed that while hovering over a menu item, the popping box stopped popping up. I of course couldn't keep my mouse hovering over a menu item forever and do anything else, but luckily I tried selecting "About Compressor" from the menu and that stopped the box from popping up as well and let me go on to other applications. As long as you don't click the About Compressor box off the screen, the popping box problem is solved, at least for me it is working...
    I hope this helps you...

  • WRT300N Access Restrictions by Keyword

    Hello All! 
    I have just installed the WRT300N router to my desktop computer for wireless access for both of my sons' laptops and Xbox 360s. I have searched all over this forum and have not been able to find the answer to the question I have, although I have found many other useful posts.
    My question is about the Access Restrictions by Keyword. There are only 4 boxes for the keywords to be listed. Can you enter as many keywords in the one box as you want? Listing only 4 keywords will not do anything to block access to sites. I had a NETGEAR that would allow you to enter as many keywords as you want, but it wouldn't let you set it up to block certain MAC addresses.
    Thanks in advance!

    It is true that only four boxes are provided for that purpose. But I think you should be able to give multiple keywords in a box. I have never tried it myself. Just give it a try and see if it works and also let us know about it.

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (soft 7.3), Cisco Secure ACS appliance 1121 (soft 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly each group of users must access only one SSID.
    I followed the procedure below to configure it:
    -- creating user identity groups;
    -- creating users and assigning them to the groups;
    -- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id (the SSID number) in the radius tab.
    -- assigning the authorization profiles to the identity groups under access policies.
    After all this config the users can access the network using their configured userid/password. But the problem is every user can access every SSID; it seems like the restriction is not very well configured.
    I found some documentation on this kind of config but the version of ACS used seems older than the one that I use, so the menus are very different.
    Please can someone provide the right steps to follow to achieve this kind of config.
    Thanks in advance

    Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x. I would also try to not enable everything that you have just to start from the basic and make sure it works first. The WAP Authentication Method might or might not work for you. Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott

  • How do I restrict wireless network access to specific devices/computers, using an Airport Extreme, when the WPA2 password is able to be found by other devices?

    I have set up a wireless network in my office using a couple of Airport Extremes, and, for some reason, our Windows computers are able to view the password of the network. Well, given that we employ teenagers, you can imagine what happens when they all find out the password. We want to restrict network access to only those devices we deem necessary. How do I accomplish this?

    SidMed wrote:
    We need 18-20 devices to access, all wirelessly.
    You can keep using your Apple routers as AP devices.. but get a router running a secure OS as the actual router that controls the network..
    If you have 18-20 teens on the network.. then setting quota and restrictions on bandwidth is far more important than time..
    Gargoyle on a cheap router can do it.. eg WNDR3800 or the newer W1024ND v2.
    Simply turn off the wireless in these devices.. and use the ethernet connection to the airport as WAP.
    Honestly you just will never get the security or control using apple domestic routers.

  • Is there a way to restrict the network access of an application?

    Is there a way to restrict the network access of an application? In other words, is there a way to guarantee that an application will only operate in offline mode?

    Well, more than just knowing if an application will work in offline mode, I'm interested in whether there's a way to forcibly revoke the network access of an application. For example, I don't think something like an epub reader should have network access and I want to ensure it does not communicate with an external server.

  • Problem with access restriction

    I have about 50 to 80 users under my internet connection and I used the router 2500 and made them repeaters of the single connection, but I want to restrict many of the users on the internet, and some by time, but it is not possible with this version of the product. What can I do, house, or what software do you suggest for me to use with this to restrict the internet access on this network?
    Again, I tried to use the switch sf100-24 because the number of cables to use is more than 4, as we have only 4 ports on the router for ethernet, but if I connect it, after a few seconds it will make all the connections say 'unidentify network' and it will not function again. What can I do to solve this problem too, please!!! Help me, house

    Hi, you might perhaps consider getting a gigabit switch in order for those devices to be able to work with access restriction.

  • Network access: Do not allow anonymous enumeration of SAM accounts and shares

    Hi guys,
    What will happen if I enable "Network access: Do not allow anonymous enumeration on SAM accounts and shares"?
    Would the users (everyone) not be able to list all shared folders on that computer?
    What is the impact of this one?
    I have been searching for the effect of this but I cannot find a precise answer.
    Thank you in advance for your help!

    Hi whitesql,
    It’s difficult to talk about when a policy disable effect if we know how it works right? You can refer to the following KB to realize what the enumeration mainly works for first:
    The effects of removing null sessions from the Microsoft Windows 2000 and Microsoft Windows NT environment
    http://support.microsoft.com/kb/890161/EN-US
    Network access: Do not allow anonymous enumeration of SAM accounts
    https://msdn.microsoft.com/en-us/subscriptions/downloads/jj852230(v=ws.10).aspx
    Restricting Anonymous Access
    https://msdn.microsoft.com/zh-cn/library/cc785670(v=ws.10).aspx
    I’m glad to be of help to you!
