ACS - ASA Authorization and Accounting

Similar Messages

• Cisco 300 support TACACS+ authorization and accounting

  Hi All,
  Can someone please confirm that does Cisco 300 switch supports tacacs authorization and accounting ? or just authentication ?
  Kindly guide

  Hello
  Please review this - Cisco 300
  res
  Paul

• SG300 tacacs authorization and accounting support

  Hi All,
  Can someone please confirm that does Cisco 300 switch supports tacacs authorization and accounting ? or just authentication ?
  Kindly guide

  Hello
  Please review this - Cisco 300
  res
  Paul

• AAA authorization and accounting

  Hello everyone.
  I am given a project to implement AAA on routers and switches in our environment. Can some one please help me out in understanding the difference between,
  1) aaa authorization exec and aaa authorization command option.
  2) aaa accounting exec and aaa accounting command option.
  Many thanks.
  Sent from Cisco Technical Support Android App

  Hello,
  1) aaa authorization exec and aaa authorization command option.
  The first one authorizes if the user has the right privilege level to enter to one of the IOS priviliege levels (0,1,15) you can customize this.
  The second one authorizes the different commands a user can type and send to the device
  2) aaa accounting exec and aaa accounting command option.
  The first one again accounts when a users enters a specific user-level (Privileged level 15 or Exec user-level 1)
  Second one sends an accounting message per each command send to the box
  Check my blog at http:laguiadelnetworking.com for further information.
  Cheers,
  Julio Carvajal Segura

• Problem - acs command authorization and web access control

  Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

  It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
  and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
  configure
  permit terminal
  exit
  permit Unmatched Args
  interface
  permit Dot11Radio0
  no
  permit shutdown
  permit cca
  ping
  permit Unmatched Args
  show
  permit Unmatched Args
  shutdown
  permit Unmatched Args
  telnet
  permit Unmatched Args
  write
  permit memory quiet
  Thanks for the help !

• How can I authorize and access my itunes account on a new computer if I cant access my old computer to enable home sharing

  How can I authorize and access my itunes account on a new computer if I cant access my old computer to enable home sharing

  Authorization
  Macs:  iTunes Store- About authorization and deauthorization.
  Windows: How to Authorize or Deauthorize iTunes | PCWorld.
  In iTunes you use the Authorize This Computer or De-authorize This Computer option under the Store menu in iTunes' menubar. For Windows use the ALT-S keys to access it. Or turn on Windows 7 and 8 iTunes menus: iTunes- Turning on iTunes menus in Windows 8 and 7.
  To deauthorize a computer you don't have:
  De-authorizing Computers (contributed by user John Galt)
  You can de-authorize individual computers, but only by using those computers. The only other option is to "de-authorize all" from your iTunes account.
    1. Open iTunes on a computer
    2. From the Store menu, select "View my Account..."
    3. Sign in with your Apple ID and password.
    4. Under "Computer Authorizations" select "De-authorize All".
    5. Authorize each computer you still have, as you may require.
  You may only do this once per year.
  After you "de-authorize all" your authorized computers, re-authorize each one as required.
  If you have de-authorized all computers and need to do it again, but your year has not elapsed, then contact: Apple - Support - iTunes - Contact Us.
  For more information on authorization and de-authorization: iTunes Store- About authorization and deauthorization.

• TS1389 i have windows 8 and cant authorize my account to transfer my icloud/iphone purchases to this computer. authorize computer is not part of the store. what do i do next?

  I have windows 8 and can't authorize my account to transfer my icloud/iphone tunes to my computer. i dont seem to be able to do this from the store as it is not on the menu. my options when i click on my account are limited to stopping all devises and do not include adding a new device- i only have 4 associated with the apple id account. this is all so frustrating. HELP!

  Press the Alt and S keys and choose Authorize this Computer, or click here, follow the instructions, click on Store in the menu bar, and choose Authorize this Computer.
  (85244)

• HT1206 my other computers have fried or have been broken. so how am i supposed to deauthorize those computers if i cant even turn them on? and why is there a maximum to how many computers i can authorize my account to?

  why cant i authorize my account to this computer? i cant turn on my other computers with this account authorized because they were fried and broken so how am i supposed to deauthorize those computers?

  "why cant i authorize my account to this computer?"
  No idea, as you have not explained your problem.  What happens when you try to authorize it?
  " i cant turn on my other computers with this account authorized because they were fried and broken so how am i supposed to deauthorize those computers?"
  You cannot until you reach the limit of 5, then you can deauthorize all.
  iTunes Store: About authorization and deauthorization

• My computer(A toshiba) crashed and when I bought a new computer(a Mac), my previous apple ID does not word and I was only able to get songs that I bought in 2004. I am unable to authorize my account to get to songs that I purchased recently. Please help.

  My computer(A toshiba) crashed and when I bought a new computer(a Mac), my previous apple ID does not word and I was only able to get songs that I bought in 2004. I am unable to authorize my account to get to songs that I purchased recently. Please help.

  Steve Taylor1 wrote:
  If you have exceeded your allowance of 5 machines then Apple will not allow you to authorise additional Computers. If you still have access to your old toshiba fire it up de-authorise it and then try again with the new computer.
  While this won't help if you are having password problems, I did want to point out that you do not need to access old machines to de-authorize them. Once you are signed in at the iTunes store, access "my account" by clicking on your username in the top navigation bar. Then "manage devices".  You can remove any old machines that way.

• I'm trying to play a song and itunes is repeatly asking me to authorize the account.  I have authorized the account and it will not play one particular song.  What should I do?

  I'm trying to play a song and itunes is repeatly asking me to authorize the account.  I have authorized the account and it will not play one particular song.  What should I do?

  If just one song on an album is doing that, that suggests the track is damaged.
  If your country's iTunes Store allows you to redownload purchased tracks, I'd delete your current copy of the track and try redownloading a fresh one. See the following document for instructions:
  Downloading past purchases from the App Store, iBookstore, and iTunes Store
  Otherwise, I'd report the problem to the iTunes Store.
  Log in to the Store. Click on "Account" in your Quick Links. When you're in your Account information screen, go down to Purchase History and click "See all".
  Find the item that is not playing properly. If you can't see "Report a Problem" next to the item, click the "Report a problem" button. Now click the "Report a Problem" link next to the item.

• ACS, Access Service and Authorization

  I am running ACS 5.2 and I am trying to set up 3 new SSIDs, 2 of which are unsecured and 1 that is secured.  I am trying to figure out the best way to authorize them based on which network they are coming from.  All the authentication requests are coming from the same devices, the Wireless LAN Controllers, so NDG cannot be used as criteria.  I have been looking at either creating 3 Access Services and using Service Selection Rules, or creating 1 Access Service and using Authorization to choose.  Regardless, I cannot find an attribute to use that can determine which network they came from.
  Does anyone have a suggestion for the best way to do this?  I

  Go to in Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (ie, match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.
  Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.

• ACS 5 Limited user account

  Hi, i have cisco ACS 5.2 and want to create user account for technician, with only certain commands.
  how can i achieve this ?
  thanks                  

  Hi,
  You can not do per-commadn authorization.
  But You can assign some of the pre-defined roles to the admin.
  check this:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_admin.html#wp1068641
  Reards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ACS/ASA authentication for vpn access vs. console management access

  I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

  Try using Network Access Restrictions (NAR)where you can restrict the administrative access on per device or on NDG basis.
  By default user accounts from external database such as AD in ACS will get authenticated through telnet on network device or a AAA client which can be restricted by enabling NAR in ACS.
  In your case it should be VPNUSERS group in ACS.
  HTH
  Ahmed

• ACS command Authorization on PIX Console

  I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
  aaa-server TACACS+ (inside) host 172.28.x. xx
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authorization command TACACS+
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but porblem is that i dont wana have ACS authentication while connecting with console. In case of emergency when
  ACS down, i wana to get console and access the device by using local username and password
  but now after this configuration when i try to access the firewall via console, i m getting error of
  command authorization fail.
  I dont wana have any command authorization while connected with console, Please tell me how to resolve this issue
  I have made the command authorization set in ACS and it is working fine for me,

  kindly once again check my modified configuration,
  I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
  aa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (edn) host 172.28.31.132
  aaa-server TACACS+ (edn) host 172.28.31.133
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication serial console LOCAL
  aaa authentication http console LOCAL
  aaa authorization command TACACS+ LOCAL
  aaa accounting command privilege 15 TACACS+
  aaa accounting enable console TACACS+
  but i m not able to login i m getting following eror
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> exit
  Command authorization failed
  TDC-INT-525-01> enable
  Command authorization failed
  i also defined the local command authorization set like this
  privilege cmd level 15 mode exec command exit
  privilege show level 5 mode exec command running-config
  privilege show level 15 mode exec command version
  privilege show level 0 mode exec command access-list
  privilege show level 0 mode configure command access-list
  privilege cmd level 15 mode configure command exit
  privilege cmd level 15 mode configure command no
  privilege cmd level 0 mode configure command access-list
  privilege cmd level 15 mode interface command exit
  privilege cmd level 15 mode subinterface command exit
  privilege cmd level 15 mode dynupd-method command exit
  privilege cmd level 15 mode trange command exit
  privilege cmd level 15 mode route-map command exit
  privilege cmd level 15 mode router command exit
  privilege cmd level 15 mode ldap command exit
  privilege cmd level 15 mode aaa-server-host command exit
  privilege cmd level 15 mode aaa-server-group command exit
  privilege cmd level 15 mode context command exit
  privilege cmd level 15 mode group-policy command exit
  privilege cmd level 15 mode username command exit
  privilege cmd level 15 mode tunnel-group-general command exit
  privilege cmd level 15 mode tunnel-group-ipsec command exit
  privilege cmd level 15 mode tunnel-group-ppp command exit
  privilege cmd level 15 mode mpf-class-map command exit
  privilege cmd level 15 mode mpf-policy-map command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-class command exit
  privilege cmd level 15 mode mpf-policy-map-param command exit
  Please tell me how to solve this problem

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"