ACS User Group Network Access Restrictions

Hi to all,
We have a problem trying to restrict the access for users to an access point: All users in any group can access the access point, although the group has a network restriction which restricts this access.
We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
Thanks in advance,
Coloma Crespí

Hi Andrew,
Thanks a lot for your reply. I was really worried about this problem, I had tried everything to solve it and nothing worked...
Regarding what you say, the network access restrictions we have created are the generic ones. I don't have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
Thanks in advance,
Coloma Crespí

Similar Messages

  • About Network Access Restrictions

    I am using ACS 3.2, but I have a question about Network Access Restrictions. I edit Network Access Restrictions in Shared Profile Components, then I select the Define IP-based access descriptions check box. I choose the AAA client, type the applicable information in each of the following boxes, then click Enter and Submit. When I log into the ACS server again, I find that the AAA client, port, and address information does not appear as a line item in the table. Why?
    ACS version: Release 3.2(1) Build 20

    To administer all features included in Cisco Secure ACS 3.2, use an English-language version of one of the following tested and supported web browsers:
    Microsoft Internet Explorer version 6.0 with Service Pack 1 for Microsoft Windows
    Netscape Communicator version 7.0 for Microsoft Windows
    Netscape Communicator version 7.0 for Solaris 2.7
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp32/rn322.htm#wp1043943

  • Not able to restrict user groups from accessing certain entities

    We have created user groups and are trying to give them restricted access to certain entities so that they can perform consolidations only for those entities. But even after creating Security Classes (and assigning them to the entities in the metadata) and assigning [Default] security class access as Read Only, the users are still able to access and consolidate all the entities using process control.
    Can anyone please let me know how to restrict consolidation to only certain entities?

    To solve this you need the following information:
    -- What roles do the users have? Anyone with the Administrator role has full access to all classes.
    -- Examine the groups. If any users are members of a group which has more access than the users have as individuals, they get the greater access level. You can generate a report which shows all roles for all users including the derived roles.
    -- Examine your metadata. Do the entities in question have the classes you intend? If you omit a class (the field has been left blank), HFM treats it like the [Default] class.
    With this information we could help you troubleshoot the issue.
    --Chris

  • Network access restriction ACS 4.2

    Hi,
    We have an ACS 4.2 server, in which I created 2 groups:
    a full access user group and a read only user group.
    Now I want to give full access for one particular device
    to the user who is in the read only user group.
    Thanks in advance for your help.

    Try creating a NAR with "no" NDG in it and assign it to the user you want to give full access.

  • E4200 guest network access restrictions

    I have the E4200 router with fw v1.0.01.
    I need to provide guest access and limit the hours it is available.
    I am not able to use access restrictions because when I attempt to enter the range of IP addresses it forces me to use 192.168.1 and the guest subnet is 192.168.33, therefore it never gets a match when the cutoff time comes. I do not know the MAC addresses of the guests and cannot force them to use predefined static IP addresses, so the range of addresses seems to be my only option. It's just that it won't let me input the "33" where it is needed.
    Perhaps I am misunderstanding something or perhaps there is some other way to accomplish this.
    Please advise.
    Thank you,
    -Marty

    Thanks for the reply. I'm pretty sure you're right, at least it looks that way. That's a little too open for me. I suppose I could change the config when I want to cut off access, it would just be nice to have it automated.

  • Add User/Group API's restricted functionality.

    I'm trying to add user/group attributes that are present within the iPortal GUI but appear absent within the API (WWSEC_API). Namely 'Default Homepage'. Could someone please advise if this element can be assigned values through an API (perhaps other than the one I am using).
    Cheers.

    It doesn't appear so. I have managed to assign a default homepage via setting up a default homepage for a group and then assigning the person to the group. Unfortunately, it works off and on.

  • Aaa network access restrictions with secure authen (asa device)

    Hi all,
    I've been reading a lot about how to configure the cut-through-proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty well).
    However, doing so securely seems to be a bit more "fuzzy".
    I don't like the idea of authenticating users over clear text telnet or ftp, and https has its own issues (weird timeouts that I can't seem to figure out).
    Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
    I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, I just want to tell the ASA:
    "Hey, this is me, allow me this (acl) traffic when I'm coming from this IP address, for X minutes or until I log off again. Please.".
    Sounds simple to me. :-)
    Perhaps I'm looking at the wrong thing? Perhaps I do not need the cut-through-proxy for this?
    I've been looking at articles like this:
    https://supportforums.cisco.com/docs/DOC-14842
    And some of Cisco's ASA AAA articles, like this:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
    They all pretty much seem to do what I want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear text.
    Do I have any other options? Like logging on directly to the device to do the authentication?
    Using fixed or named access lists or even downloadable access lists doesn't really matter, I would just like a secure way of activating those access lists.
    I'm currently investigating my options, like using a VPN client or scripting some ACL injection, but that just sounds so disturbing.
    Thanks a lot.
    /Sune T.

    I have never done it with Cisco ACS so I can not offer much support on this.
    However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
    1- in Cisco Freeware tacacs, include "max-session = 1" under either the user
    profile or group file definition.
    2- in the router itself, you need to enable "ip finger". This will allow the
    TACACS+ server to query the router every time there is a new attempt to log in.
    If you already have a session to the router, TACACS+ server will see this and
    reject a new session for that same user. If the login ID is different than what
    is already connected to the router, it will then be accepted:
    C7140#who
    Line User Host(s) Idle Location
    0 con 0 idle 11w2d
    * 2 vty 0 cciesec idle 00:00:00 192.168.15.9
    Interface User Mode Idle Peer Address
    C7140#
    Now if user "cciesec" tries to login again through another session, it will
    be rejected by the TACACS server:
    [root@LinuxES-lab1 root]# finger @192.168.15.1
    Line User Host(s) Idle Location
    0 con 0 idle 11w2d
    2 vty 0 cciesec idle 00:04:00 192.168.15.9
    * 3 vty 1 idle 00:00:00 192.168.128.100
    Interface User Mode Idle Peer Address
    [root@LinuxES-lab1 root]#
    Easy right?
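    As an added illustration (not part of the original reply, and not the code of the Cisco freeware TACACS+ daemon), the following Python models the max-session = 1 check described above: it parses the finger/`who` output the server gets back from the router and admits a new login only if that user has fewer established sessions than the limit. The sample output is constructed in the same layout as the capture above; the parser assumes the Host(s) column reads `idle`, as it does there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the "finger @router" capture above.
# The starred line is the session that is currently trying to log in.
SAMPLE_FINGER_OUTPUT = """\
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
"""

# One "who" row: optional "*", line number, line type, sub-number,
# optional user, the literal "idle" in Host(s) (an assumption that holds
# for the capture above), idle time, optional location.
ROW_RE = re.compile(
    r"^(?P<cur>\*)?\s*(?P<line>\d+)\s+(?P<kind>con|vty|aux|tty)\s+(?P<sub>\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?idle\s+(?P<idle>\S+)(?:\s+(?P<loc>\S+))?$"
)


@dataclass
class Session:
    line: int
    kind: str
    user: Optional[str]      # None for a line with no authenticated user yet
    idle: str
    location: Optional[str]
    current: bool            # True for the "*" row (the session being evaluated)


def parse_finger(text: str) -> List[Session]:
    """Turn finger/who output into Session records; header rows are skipped."""
    sessions = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m is None:
            continue
        sessions.append(Session(
            line=int(m.group("line")),
            kind=m.group("kind"),
            user=m.group("user"),
            idle=m.group("idle"),
            location=m.group("loc"),
            current=m.group("cur") is not None,
        ))
    return sessions


def established_sessions(sessions: List[Session], user: str) -> List[Session]:
    """Sessions already authenticated as `user`. The new, not-yet-authenticated
    line carries no user name, so it never counts against itself."""
    return [s for s in sessions if s.user == user]


def admit_login(finger_output: str, user: str, max_session: int = 1) -> bool:
    """Model of the max-session decision: the server fingers the router,
    counts the user's existing sessions and rejects once the limit is reached."""
    existing = established_sessions(parse_finger(finger_output), user)
    return len(existing) < max_session


if __name__ == "__main__":
    for who in ("cciesec", "otheruser"):
        verdict = "accept" if admit_login(SAMPLE_FINGER_OUTPUT, who) else "reject"
        print(f"{who}: {verdict}")
```

    Run as-is it reports `cciesec: reject` (one session already open) and `otheruser: accept`, which is exactly the behaviour the two captures above show. Note that the check only sees what the router reports over finger, so a user with a session on a different router is not counted; the limit is per device.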

  • Server 4: Local user can't access restricted website

    Hello.
    One of our locally hosted websites (LAN-only) is set up to require restricted access via OS X Server's "Access Group" setting. It contains a number of OD-based users and a single local user (the machine's admin user). All OD-based users can access the website (after supplying their credentials), but the single local user can't (keeps rejecting the credentials). This worked fine for this user under 10.9 Server—the issue has only been introduced after the 10.10 upgrade.
    The only thing I'm able to find in the logs is:
    [Thu Oct 23 13:03:23.125136 2014] [apple_digest:error] [pid 1971] [client XXX.XXX.XXX.XXX:XXXXX] Access to / failed, reason: user 'XXX' does not meet 'require'ments for user to be allowed access
    [Thu Oct 23 13:03:23.125276 2014] [authz_core:error] [pid 1971] [client XXX.XXX.XXX.XXX:XXXXX] AH01631: user XXX: authorization failure for "/":
    I've confirmed the correct credentials being used (as it's the same user used to physically access the server itself).
    Anyone have any ideas what might be wrong?
    Thanks,
    Kristin.

    I opted to use ".com.na" in which case the Internal Domain Name and Internet Website now have the same name.
    This ends up with a split-DNS setup for internal and external resolution which requires extra administration tasks and attention from the administrators.
    When attempting to open the external website eg. "www.company.com.na" from a client PC within the internal "company.com.na" Domain, I keep getting error "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
    I should also mention, the website is hosted by an ISP and not locally.
    I added a "www" Host record in the Forward Lookup Zone, I have added the url and ip address to the Hosts file on a client pc (Windows 7) and even tried setting up Split-Brains DNS. Nothing seems to work.
    Running a Tracert takes me to the correct public ip address of the website, but I keep getting this 403 error.
    This means that you are able to reach the Website but it is responding with the access denied error message. That should be checked on the middleware level so if this is IIS running then I would recommend asking them in IIS forum: http://forums.iis.net/
    If this is a Website that is completely managed by your ISP then I would recommend checking with them.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • How to move users, groups and access rights to new environment

    Hi,
    I have existing 9.3.1 shared services, I created new environment with 9.3.3 .
    Can someone suggest to me how to move the existing 9.3.1 users to another server that has 9.3.3 Shared Services?
    Is there any way to move them all at once with some migration, or do we need to create them manually?
    thanks,
    sudhakar

    You can use the cssimportexport utility.
    Even though this link is for 11.1.1.3 and states that it's only for native users, you can in fact use the utility to migrate the provisioning of users both native and external: http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security/ch09s08.html
    FWIW, I prefer the .csv format because of its ease of reading and editing.
    Regards,
    Cameron Lackpour
    P.S. The format is really confusing -- use the export functionality to show you what the format needs to be if you change anything (and I think that at least some of the names of the apps/projects you will have in 9.3.3 will be a little different).
    P.P.S. I would imagine there's an upgrade path but that's beyond my expertise.
    Edited by: CL on Mar 30, 2011 7:55 AM
    I wish OTN had an alert system that indicated when JG was posting on the same subject. I would save my energy as I never get the answer out as fast. :)

  • ACS user access setting

    I am trying to find solution for some type of settings in ACS.
    Imagine for instance real situation as follows:
    There is group "A" with 100 users. I need to assign 20 of them access to devices in group "B". I can't find any easy way to do that.
    Examples:
    Enabling the user section “Per User Defined Network Access Restrictions” replaces the settings of the user group, and I have to add all the devices from Group "A" there to preserve their access. When Group "A" changes, I have to apply the changes to the separate persons.
    When I insert the device group into the user group's Enable privileges (level 0) and I set the Max Privilege for any AAA Client for separate persons, I grant them level 15 privileges for all the AAA devices.
    When I create a new user group instead of Group "A" and move the users to this group, I have 2 groups to maintain with the same privileges except for Group "B".
    When I create separate level 15 privileges for every person, I have to insert all the groups and devices from the user group there, and I have to maintain changes for all the people again when the settings of the user group change.
    We often have this kind of problem. Is there any normal way to add these privileges to the users from this group and preserve the settings from Group "A" for them?

    Sounds like you really do need 2 groups since the access restrictions are totally different. If these 20 users always have different NARs from the other 80 users they should not be in the same group.
    In essence this is the reason for shared profile components: so that you can have multiple groups re-using pieces of config. It's obviously not perfect.
    I'm guessing you would like to see either nested groups or multi-group membership - but that's a world of pain and complexity.

  • Is it possible that network access permission control in acs 5.1

    Hello
    We have ACS 5.1, WLC 7.0 and use 802.1x to authenticate users.
    Does anybody know how I can configure a network access restriction using internal user group information?
    For example, under the same SSID (say "test"), same VLAN ID.
    But two different user groups have different network access permissions.
    One group has full permission and the other has limited network access permission.
    Is it possible?

    The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of users and the other profile for the others.
    Now to restrict access to the network, I think you're best off with an ACL? So link ACLs to your profiles.
    Nicolas

  • Denying AAA Clients to a specific user group in ACS v4.1

    Using 4.1, is there a "simple" method of simply denying a user group the ability to even log in to specific AAA clients? The customer has a telephony group that they want to allow to telnet and check into all the voice routers, but no other routers. They have the command sets and all that set up, but wanted to see if there is a way to push that group simply to voice routers only.
    thanks in advance,
    dave

    Hi,
    Why don't you use a NAR (Network Access Restriction)?
    Under the network config > simply create one NDG and assign all the voice routers under it.
    After that go to the group/user where you want to put this restriction.
    You need to check what we are getting in the calling station id. If we are getting an IP address then
    [1] To accomplish the above we would configure the group with the following
    NAR (network access restriction)
    Define IP based Network Access Restriction
    Permitted Calling Point
    AAA client: VOICE NDG created
    Port *
    Src IP Address *
    Submit the changes and try.
    Here is more on configuring Network Access Restriction:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900
    HTH
    JK
    Plz rate helpful posts-

  • User in 2 user groups always picks the rights from the group with least access -BOBJ 4.1 SP2

    We have BOBJ 4.1 SP2 installed.
    Let's say User1 is in role1 (user group) that has restricted access (no access to the Design menu for WEBI reports in the launchpad). Works fine when User1 logs into the launchpad. Cannot see the Design menu in the launchpad.
    User1 is also in another role2 (user group) that has Design access for WEBI reports (more like Power user access).
    Now when logged into the launchpad via SAP portal, and opening a WEBI report on which role2 (user group) is applied that has Design access, User1 cannot see the Design menu of the WEBI report. This is probably happening because User1 is also part of role1 that has restricted access. So it looks like it is always picking the role with least access and applying it no matter which report I am opening.
    I would expect the role to regulate the authorizations on the report. And one user could be a simple end user for one report and a power user for another report.
    Please advise if this is a Known issue or expected behavior. Is there a work around?
    Thank you very much
    Suman

    Hello Suman,
    Try to avoid denial-based security rights assignment; instead you can specify the right as unspecified. As Greg said:
    Denied + Granted = Denied
    Denied + Not Specified = Denied
    Granted + Not Specified = Granted.
    You should not deny rights for the HR End User user group; instead make them unspecified. If you do so, then whenever the user is part of both groups, your security rights aggregation would be
    Granted + Not Specified = Granted.
    Make sure you follow the approach above. You can refer to the blog below for how to structure the folder, report and user group hierarchy and effective maintenance of security:
    BusinessObjects Administration - Content Management Plan
    Regards
    Mani
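    The three aggregation rules quoted in the reply above, written out as an added Python example (this is not BusinessObjects code and not part of the original thread; group and right names are constructed for illustration). It folds a user's group memberships into one effective right and shows why an explicit Denied in role1 overrides the Granted from role2, while leaving the right unspecified in role1 lets role2's Granted win.

```python
from enum import Enum
from typing import Dict, Iterable


class Right(Enum):
    DENIED = "Denied"
    GRANTED = "Granted"
    NOT_SPECIFIED = "Not Specified"


def combine(a: Right, b: Right) -> Right:
    """The aggregation rules from the reply: an explicit Denied always wins,
    Granted beats Not Specified, and Not Specified only survives when no
    group says anything about the right."""
    if Right.DENIED in (a, b):
        return Right.DENIED
    if Right.GRANTED in (a, b):
        return Right.GRANTED
    return Right.NOT_SPECIFIED


def effective_right(group_rights: Dict[str, Dict[str, Right]],
                    memberships: Iterable[str], right_name: str) -> Right:
    """Fold all of a user's group memberships into one effective right.
    A group that says nothing about the right contributes Not Specified."""
    result = Right.NOT_SPECIFIED
    for group in memberships:
        result = combine(result, group_rights[group].get(right_name, Right.NOT_SPECIFIED))
    return result


def has_access(right: Right) -> bool:
    # Only an explicit Granted opens the feature; Not Specified is still no access.
    return right is Right.GRANTED


# Constructed sample: the situation in the question, configured two ways.
DESIGN = "webi_design_mode"   # illustrative right name, not the product's identifier

# Deny-based: role1 explicitly denies Design mode (the setup that fails).
DENY_BASED = {
    "role1_end_users":   {DESIGN: Right.DENIED},
    "role2_power_users": {DESIGN: Right.GRANTED},
}

# Unspecified-based: role1 says nothing about Design mode (the recommended setup).
UNSPECIFIED_BASED = {
    "role1_end_users":   {},
    "role2_power_users": {DESIGN: Right.GRANTED},
}

USER1_GROUPS = ["role1_end_users", "role2_power_users"]


if __name__ == "__main__":
    for label, rights in (("deny-based", DENY_BASED), ("unspecified-based", UNSPECIFIED_BASED)):
        eff = effective_right(rights, USER1_GROUPS, DESIGN)
        print(f"{label}: User1 -> {eff.value} (access: {has_access(eff)})")
```

    The practical consequence is the one Mani gives: with the deny-based setup User1 ends up Denied in every report, with the unspecified-based setup User1 is Granted, and a user who is only in role1 stays at Not Specified, which is still no access.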

  • Restricting Queries in HR: Compensation Management User Group

    I am trying to restrict the Infoset /SAPQUERY/HR_XX_CM_03, which contains salary/compensation queries, assigned to User Group /SAPQUERY/H0, from being accessed by anyone.  In SQ03, user group /SAPQUERY/H0, there are no users assigned but users with access to SQ01 can select the user group /SAPQUERY/H0  and access the queries tied to infoset /SAPQUERY/HR_XX_CM_03.  Why are users able to access the infosets of the user group when no users are assigned to the user group?

    Turns out that security authorization for access to SQ01 had an S_QUERY value of 02 which allows for full change. With this value the user group/user assignments done via SQ03 did not work. Setting S_QUERY to 23 allows for user group assignment to restrict access in SQ01.

  • Trash and user group help!

    Why do I need to type in a password when I delete things? How do I remove it?
    And I can't delete items directly from the Dock as well, like opening from the Downloads folder and dragging the file to the Trash. I have to open up Finder and delete from the folder directly.
    Another issue: am I able to remove the guest user from my start up screen? I've already disabled it from the user groups but I still see it in my login screen.
    One last problem: is it normal to have current leakage for the MBP? I've been having frequent shocks from the 2 bottom corners of it when I plug it in to a power source. I bought it from an authorized retailer and am using it in the country where I got it. I've just gotten my MBP about 3 weeks back.
    Thanks for replying to my queries!

    Hi,
    Yeah, in ACS 3.1 it's under the Shared Profile Components page. In ACS 4.1 it's directly under the user groups or under the SPC page.
    You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.
    (ACS 3.X)
    1. Denied Calling/Point of access restrictions
    2. AAA Clients =UPS_PDU (Power Supplies)
    3. Port = just put a * for all
    4. Src IP address = just put a * as well
    SUBMIT to SAVE
    Create a second one for the other group like so:
    1. Denied Calling/Point of access restrictions
    2. AAA Clients =Routers_Switches
    3. Port = just put a * for all
    4. Src IP address = just put a * as well
    Click submit to save it.
    Go to the ACS User groups section and select the Network Administrators Group "that don't need access to the UPS's" and apply the NAR you created to that group. Do the same for the other grouping.
    (ACS 4.X)
    Go directly under the "user groups" and create the NAR under there. No need to go under the Shared Profile Components section.
    Hope this helps and let me know if you need further assistance or explanation.
    Craig
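    The two NAR recipes on this page (the Permitted entry on a VOICE NDG in the ACS 4.1 thread, and Craig's Denied entries on the UPS_PDU and Routers_Switches NDGs above) both rest on how an IP-based NAR is matched against the AAA client, port and source IP of a login. The following Python is an added example, not ACS code and not from any of the posters, and the evaluation order it uses (a matching Denied row blocks; if a Permitted list exists the login must match one of its rows) is a simplified model stated as an assumption, not ACS's documented algorithm. Device and NDG names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class NarEntry:
    """One row of an IP-based NAR: an AAA client (or the NDG it belongs to),
    a port and a source IP, where "*" means "any", as in the recipes above."""
    aaa_client: str
    port: str = "*"
    src_ip: str = "*"          # "*" or a CIDR prefix such as "192.168.15.0/24"

    def matches(self, client: str, ndg_of: Dict[str, str], port: str, src_ip: str) -> bool:
        # The row names either the individual AAA client or its network device group.
        client_ok = self.aaa_client == client or self.aaa_client == ndg_of.get(client)
        port_ok = self.port == "*" or self.port == port
        ip_ok = self.src_ip == "*" or ip_address(src_ip) in ip_network(self.src_ip, strict=False)
        return client_ok and port_ok and ip_ok


@dataclass
class Nar:
    permitted: List[NarEntry] = field(default_factory=list)   # "Permitted Calling/Point of access"
    denied: List[NarEntry] = field(default_factory=list)      # "Denied Calling/Point of access"


def nar_allows(nar: Nar, client: str, ndg_of: Dict[str, str],
               port: str = "0", src_ip: str = "0.0.0.0") -> bool:
    """Simplified model (assumption, not ACS's documented algorithm):
    a matching Denied row blocks the login; if a Permitted list exists the
    login must match one of its rows; a NAR with no rows restricts nothing."""
    if any(e.matches(client, ndg_of, port, src_ip) for e in nar.denied):
        return False
    if nar.permitted and not any(e.matches(client, ndg_of, port, src_ip) for e in nar.permitted):
        return False
    return True


# Constructed inventory: which NDG each AAA client belongs to.
NDG_OF = {
    "voice-rtr-1": "VOICE", "voice-rtr-2": "VOICE",
    "core-sw-1": "Routers_Switches",
    "ups-1": "UPS_PDU",
}

# Telephony group from the ACS 4.1 thread: permitted only on the VOICE NDG.
TELEPHONY_NAR = Nar(permitted=[NarEntry("VOICE", "*", "*")])

# Network administrators from Craig's reply: denied on the UPS NDG.
NETADMIN_NAR = Nar(denied=[NarEntry("UPS_PDU", "*", "*")])


def check_group(nar: Nar, devices: List[str]) -> Dict[str, bool]:
    """Evaluate one group's NAR against every device in the inventory."""
    return {d: nar_allows(nar, d, NDG_OF) for d in devices}


if __name__ == "__main__":
    for name, nar in (("telephony", TELEPHONY_NAR), ("netadmin", NETADMIN_NAR)):
        print(name, check_group(nar, sorted(NDG_OF)))
```

    Two things worth checking against this model when a NAR "does not work", as in the opening question: whether the access point is actually a member of the NDG the row names (a client in no NDG matches nothing), and whether the calling-station information the device sends is an IP address at all, since the reply in the 4.1 thread makes the IP-based NAR conditional on that.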
