ACS 3.2.2 : user access restriction on define AAA client

Is it possible to restrict some users, who use remote connections, to be authenticated only on selected devices?
For example, I want to authenticate users defined for Wireless LAN only on our APs, and I don't want these users to be able to authenticate on our CVPN.

Hello,
Yes, this is possible with NAR (Network Access Restriction). I am assuming you are using ACS for Windows; if so, here is a good white paper on this. For configuration help, please refer to the user guide. But this link will get you started.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Thanks,
Mynul

Similar Messages

  • Cisco ACS - How Are Internal Users Restricted in Their Access to Resources

    Does anyone have any insight into this process. Please advise.

    Hi Eduardoaliaga,
    I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MsChapv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when the authentication protocol PEAP MsChapv2 is used, ACS is not able to strip the domain prefix/suffix. Would you also be able to advise on whether that is correct? Please refer to the links below.
    1) https://supportforums.cisco.com/thread/2061835
    2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
    3) https://supportforums.cisco.com/message/3581951#3581951
    Thks and Rgds

  • ACS 4.2 (Trial) User Group Restrictions?

    I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
    So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.
    For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

    Yogesh:
    To move existing users from one group to another you can:
    - go manually to each user and change its group membership. OR:
    - Use RDBMS synchronization where you can fill a CSV file with the actions that you want (change group membership in your case) and import that to the ACS.
    For RDBMS sync you can read the user guide:
    http://tiny.cc/n13b1w
    This config example may also be useful about how to import the csv file:
    http://tiny.cc/533b1w
    I suggest that you read the guide and come back to ask here if you have any concern.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Schedule Portal Users Access Restriction

    Hi All,
    I have a scenario wherein I need to restrict the access of some specific user(s)/groups to the portal during a specific time period daily. This has to be automated and scheduled accordingly. I don't want to either delete the users or specify a user expiry date. Please suggest if any of you has a solution or suggestion regarding this.
    Regards,
    Sreeram

    What are you using for your LDAP?
    I do not see a way to do it via portals but with me in MSADS I can restrict days and time from there.

  • User Access Restriction to BPEL & ESB PM

    Hi,
    When we install SOA Suite, the default admin user that gets configured for BPEL PM and ESB Control is “oc4jadmin”. This user can perform any action on the server, right? But can we create a new set of users who will have “view-only” access (or any other type of restricted access, for that matter) upon their login? If so, kindly advise how to achieve this. This will be useful when people want to only view processes on a BPEL Console or an ESB Control in a production environment.
    Appreciate your quick response!
    Best Regards,
    CC

    I'm sorry to say that 10g BPEL and ESB do not support such functionality.
    You could look at http://chintanblog.blogspot.com/2007/12/i-saw-numerous-people-asking-about-bpel_290.html for a mechanism to control it.

  • User Access restriction for certain infotype

    Hi,
    We have a requirement from our management that for some specific users we need to give view access to all infotypes (I mean PA20), but excluding payroll data for grade 14 and above.
    For this requirement I cannot give grade-wise authorization, because as per the requirement they can view all the HR-related infotypes, except that for grade 14 and above our user should not view any payroll-related infotype, while for less than 14 they can view the same.
    For this I need to create one object and give it to them, but I don't know how to find it out.
    Can anyone guide me?
    Thanks
    Gudia

    Hi,
    You can create dynamic action for IT 0008 that will copy grade value to field org.key in IT 0001.
    This field can be used in authorization object P_ORGIN.
    Then you can specify 2 P_ORGIN objects in the user role:
    1. IT - all
        Org.key 1-13
    2. IT - non-payroll
        Org.key 14 and above.
    Cheers!

  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all
    I have given the below config in the AAA client & added the client in User, Group; the NAR is configured for all clients,
    but my requirement is to restrict AAA client access by a specified password.
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

  • ACS User Group Network Access Restrictions

    Hi to all,
    We have a problem trying to restrict the access for users to an access point: all users in any group can access the access point, although the group has a network restriction which restricts this access.
    We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
    Thanks in advance,
    Coloma Crespí

    Hi Andrew,
    Thanks a lot for your reply. I was really worried about this problem; I had tried everything to solve it and nothing worked...
    Regarding what you say, the network access restrictions we have created are the generic ones. I don't have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
    Thanks in advance,
    Coloma Crespí

  • ACS user access setting

    I am trying to find solution for some type of settings in ACS.
    Imagine for instance real situation as follows:
    There is group "A" with 100 users. I need to assign 20 of them access to the devices in group "B". I can't find any easy way to do that.
    Examples:
    Enabling the user section “Per User Defined Network Access Restrictions” replaces the settings of the user group, and I have to add there all the devices from Group "A" to preserve their access. When Group "A" changes, I have to apply the changes to separate persons.
    When I insert the device group into the user group's Enable privileges (level 0) and set the Max Privilege for any AAA Client for separate persons, I grant them level 15 privileges for all the AAA devices.
    When I create a new user group instead of Group "A" and move the users to this group, I have 2 groups to maintain with the same privileges except for Group "B".
    When I create separate level 15 privileges for every person, I have to insert there all the groups and devices from the user group, and I have to maintain again changes to all the people when the settings of the user group change.
    We often have such kinds of problems. Is there any normal way to add the users from this group these privileges and preserve the settings from Group "A" for them?

    Sounds like you really do need 2 groups since the access restrictions are totally different. If these 20 users always have different NARs to the other 80 users, they should not be in the same group.
    In essence this is the reason for shared profile components, so that you can have multiple groups re-using pieces of config. It's obviously not perfect.
    I'm guessing you would like to see either nested groups or multi-group membership - but that's a world of pain and complexity.

  • How to restrict user access in Oracle Application Server 10g (9.0.4)?

    Can anybody please let me know how to restrict user access in 10g AS? To be specific, how to allow http requests from specific IPs only?

    Hi,
    You have to edit httpd.conf and modify access rights for each protected directory,
    e.g.
    <Directory /var/www/sub/payroll/>
    Order allow,deny
    Allow from 192.168.1.0/24
    </Directory>
    then you have to restart Oracle HTTP Server
    jm--
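    As an added illustration (not from the reply above or from Oracle/Apache), here is a small Python evaluator for the Order/Allow/Deny semantics used in that httpd.conf block, so you can check what a given client IP would get before restarting the server. It assumes Apache 2.2-style mod_access rules with `all` or IP/CIDR arguments only (host-name rules are not handled), and the sample config is the block quoted in the reply.

```python
import ipaddress

def parse_directory_block(text: str):
    """Pull the Order value and the Allow/Deny rule lists out of a <Directory> block."""
    order, allow, deny = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("order "):
            order = line.split(None, 1)[1].replace(" ", "").lower()
        elif low.startswith("allow from "):
            allow.extend(line.split()[2:])
        elif low.startswith("deny from "):
            deny.extend(line.split()[2:])
    return order, allow, deny

def _matches(client_ip: str, rule: str) -> bool:
    # Assumption: rules are "all" or an IP/CIDR; host-name rules are not supported here.
    if rule.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def client_allowed(config: str, client_ip: str) -> bool:
    """Apply Apache 2.2 Order semantics to one client address."""
    order, allow, deny = parse_directory_block(config)
    allowed = any(_matches(client_ip, r) for r in allow)
    denied = any(_matches(client_ip, r) for r in deny)
    if order == "allow,deny":
        # Default deny: must match an Allow, and must not match any Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: rejected only if a Deny matches and no Allow overrides it.
        return allowed or not denied
    raise ValueError("missing or unsupported Order directive")

# Sample input: the block from the reply above, embedded here for an offline check.
PAYROLL_BLOCK = """
<Directory /var/www/sub/payroll/>
Order allow,deny
Allow from 192.168.1.0/24
</Directory>
"""

# Constructed contrast case: with "Order deny,allow" and no Deny line, everyone gets in.
OPEN_BLOCK = "Order deny,allow\nAllow from 192.168.1.0/24\n"
```

The contrast case is the usual mistake: flipping the Order without adding `Deny from all` silently opens the directory to every address.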

  • Restricting user access to delegated administration pages

    I have a question about delegated administration services.
    When a user is defined, regardless of its privileges, it has access to OIDDAS pages.
    And he or she can see the other users' information. (through Directory and Users tabs)
    Is there any way to restrict OIDDAS pages to selected userids?
    Regards
    Farbod

    If your version of the servlet container is compliant (I assume iPlanet is), then you can declaratively set your security in the web.xml. You can specify entire directories (HTML, JSP, graphics, etc) to be secured. This also prevents you from converting all your static content to JSP and inserting code into each one to validate the user. You may define your own custom login page as well. This is by far the best method of security if you're not trying to do anything fancy like data-level security. The J2EE security model is role-based.
    Hope this helps.
    Chris

  • Restrict the User name / Password Auto complete option for users accessing

    Hi All,
    Does anyone know how to restrict the User name / Password Auto complete option for users accessing the Portal from within and outside of the Portal?
    Regards,
    Rama

    Are you referring to the browser functionality of remembering the usernames and passwords?
    Thanks,
    GLM

  • Time restricted user access

    Dear Experts,
    we are dealing with the following issue. Is it possible to set up time-restricted user access in BPC 7.5? It means, e.g., we want a user to have access to BPC only in the first half of the year or (a bit trickier) in every first half of each month.
    And is it possible to temporarily prohibit access for a user without deleting him or his rights?
    Thanks for the reply,
    Jakub

    Hi Jakub,
    Can you explain why you want to set up your system this way? Depending on what you are trying to accomplish, there may be a good way to make it work in BPC (work status, security, data model design), but as Nilanjan said, there is not an easy way to totally lock out users based on date.
    Ethan

  • How to configure CLI/DNIS based access restriction in 5.3 ?

    Hi,
    does anybody have an idea how the setting
    "define CLI/DNIS-based access restrictions", which is defined in ACS v. 4.2,
    can be configured in ACS 5.3?
    In v. 4, for every user in a group with 40 members a different CLI is defined for each. How can I configure that in version 5.3?
    any help as always much appreciated!

    The equivalent to NAR functionality can be found at:
    Policy Elements > Session Conditions > Network Conditions > End Station Filters
    You can then define an object with a set of CLI values.
    These objects can then be used in policy conditions. So you can create a condition with a set of CLI values, then match in the authorization policy for values that are included in this set and set authorizations accordingly.
    Not sure if this is your use case, but hopefully it may be a start.

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict the administrative access on a per-device or per-NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed
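    As an added example (not from this thread, the top question, or Cisco), here is a small Python model of how a NAR decides the two cases discussed on this page: the wireless users who should authenticate only on the APs and not on the CVPN, and the VPNUSERS/NETADMINS split on the ASA. All device groups, IPs, user names and group names are constructed; the model also shows the point raised in the "ACS user access setting" thread that a per-user NAR replaces the group NAR rather than merging with it.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of an ACS Network Access Restriction (NAR):
# a table of Network Device Groups (NDGs) that is either a "permitted" list
# (only listed devices allowed) or a "denied" list (listed devices blocked).
@dataclass(frozen=True)
class NAR:
    device_groups: frozenset
    permitted: bool = True

    def allows(self, ndg: str) -> bool:
        listed = ndg in self.device_groups
        return listed if self.permitted else not listed

# Constructed sample data: AAA clients (by IP) assigned to NDGs, users to groups.
AAA_CLIENTS = {
    "10.0.1.10": "WLAN_APs",       # access points
    "10.0.1.11": "WLAN_APs",
    "10.0.2.1": "CVPN",            # VPN concentrator
    "10.0.3.1": "ASA_Firewalls",   # ASA
}
USER_GROUPS = {
    "alice": "WirelessUsers", "dave": "WirelessUsers",
    "bob": "VPNUSERS", "carol": "NETADMINS",
}
GROUP_NARS = {
    "WirelessUsers": NAR(frozenset({"WLAN_APs"})),        # permitted: APs only
    "VPNUSERS": NAR(frozenset({"ASA_Firewalls"})),        # permitted: the ASA only
    "NETADMINS": NAR(frozenset(), permitted=False),       # empty denied list: everywhere
}
# A per-user NAR replaces the group NAR outright (it does not merge with it),
# so dave has to re-list the APs to keep the access his group already had.
USER_NARS = {"dave": NAR(frozenset({"WLAN_APs", "CVPN"}))}

def authorize(user: str, nas_ip: str) -> bool:
    """True if this model would accept `user` authenticating via the AAA client at nas_ip."""
    ndg = AAA_CLIENTS.get(nas_ip)
    group = USER_GROUPS.get(user)
    if ndg is None or group is None:
        return False  # unknown AAA client or unknown user: rejected before any NAR check
    nar = USER_NARS.get(user, GROUP_NARS.get(group))
    return True if nar is None else nar.allows(ndg)
```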
