Allowing VPN access from Guest

Similar Messages

• How to prevent/allow admin access from certain ip address.

  Hello
  trying to setup the following scenario:
  have a user BOB created in Cisco ACS 4.2
  have several network devices with different management IP addresses  all added in Cisco ACS 4.2
  want to be able to allow BOB to access network devices only if BOB's access request is coming from one ip address 1.1.1.1
  If BOB is trying to access network devices from any other ip addresses, the request should be denied regardless of the fact that BOB has full access to all network devices.
  Is there a way to acomplish this using Cisco ACS 4.2
  Appreciate your input.
  Regards,

  It is actually possible, thanks for your doc reference:
  in ACS setup AAA client user will be allowed to call from
  in ACS setup NAR (devices you want to allow access to);
  create user in ACS
  configure user access in ACS:
       allow access to required NARs
       define IP - based access restrictions
            Permitted calling / point of access locations
                 enter AAA client from which user will call (* for ports and * for ip address)
  Save and test
  In failed attempts you should see Authentication failure code "Users access filtered" when trying to login to NAR devices with new username and from non-permitted calling client/ip address.
  Thanks for you help.

• Raw LUN access from guest LDOM

  Hi,
  Is it possible to have raw access to LUNs from guest LDOM ?
  Scenario is - 2 mpxio HBAs conected to control domain, 20 LUNs presented, 10 for ZFS filesystems inside LDOMs and 10 with raw access for HORCM operations inside LDOMs for switching TrueCopy pairs. So each LDOm should have exclusive access to two LUNs. This is requred for campus cluster with TrueCopy replicated storage for HA service running inside two ldoms.
  We do not have T4 connected to storage yet and I can't check output of ldm list-io, but I've yet to see any examples of such setup on the net so a bit worrying if this possible at all.
  Thanks !
  Edited by: 907565 on 12-Jan-2012 00:31

  You might be looking at PCIe Direct I/O - This extends current PCIe support to enable you to assign either individual PCIe cards or entire PCIe buses to a guest domain.
  You would probably need more pci cards on different slots

• ACS shell profile to only allow VPN authentication from TACACS+

  I'm currently rebuilding all of my VPN profiles after it was found that we were using TACACS+ for authentication to the VPNs, that would also allow users to SSH all of the network infrastructure. The new profiles will be radius based and will take some time to get them to the users.
  In the meantime I'm looking to create a new shell profile for the VPN users that will only allow them to authenticate to the VPN and not gain access to the CLI of the infrastructure.
  Thanks

  Hi,
  i tested this with Cisco ACS 5.5 with TACACS for VPN tunnel it doesn't work.
  It gives you an error which is stated that service protocol used is for device administration.
  So it doesn't all VPN authentication to work. but for radius this works properly.
  Thanks & Regards,
  Nitesh

• Easiest method to block employees from Guest network?

  We have WCS and several WLCs (WISMv1, 5508, 4402) all running the 7.0.240.0 code.  The "Guest" SSID is "garden-walled" from the corp LANs.  We used to have web-auth page that required ID / PW.   This became unreasonable as IT Dept was getting requests at all hours for immediate access from guest / resident family memebrs.  So we changed the web-auth to remove the the ID / PW and just display corp policy and have to hit a "continue" button to gain access to Guest SSID.  Healthcare staff on the floor are not tech-savvy enough to want to use or perform Hotel Ambassador functions.
  The issue now is that we have employees with smartphones, tablets and even personal laptops conecting the Guest SSID. Sr. Mgt wants to find a way to stop the abuse.
  I do not believe there is any perfect solution to prevent employees from gaining access, but have been asked to find a manageable method to deter most employees from connecting to the Guest network.   Looked at seing up MAC filtering in WCS, it seems that you have to enter MACs that you *allow* on to the network - by default, other MACs are blocked.  I would rather have the template block the MACs listed in the csv file and allow access as the default..
  We have several SSIDs.  Our corporate SSID uses 802.1x and we use Microsoft Server 2012 Network Policy Server (RADIUS) to pass user ID / PW to our AD for authentication.  We do not have Cisco ACS.  I am not sure if integrating RADIUS is the answer here either.  
  I have had some webex sessions on ISE, NCS, and Prime infrastructure.  We are only interested at the moment to monitor  / control access to Guest.  I have been told that ISE will have "sponsorship" functionality added in soon -- where user fills out info and ID / PW is sent via text or email to a cell phone or other device.
  Any ideas??
  TIA -- Perry

  Steve,
  The employees don't use / need any credentials for the Guest.  The nurse staff / aides have balked at performing what they see as IT responsibilities.   I can actually understand their point....their job is to provide care to the residents. 
  IT can't realistically respond to requests at all hours for access to Guest. 
  One thought was to see if we can require a name to be on the web-auth form that we can upload and record the corresponding MAC.  The name is not verified against AD or anything  -- more to track and see if the MAC associated "moves"  across the network -- which would signal that it is likely an employee using a smartphone. 
  But we still need a way to specifically block a MAC while allowing the default permit in WCS.  As I mentoned earlier, the default seems to be block MACs and permit specific MACs in the list....
  Perry  

• Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access

  Hi everybody,
  I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
  Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
  After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
  Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
  add 1050 allow from any to any in
  (This looks a little like a server manager bug to me, but I digress)
  So I tried manually editing the file in /etc/ipfilter but no joy.
  Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about million hits, none seem applicable to my situation. Thanks in advance.

  Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
  The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE so that might, possibly have something to do with the error you're getting.

• WIN2008R2: No external network access from Hyper-V guest using Virtual Machine Bus - Legacy ok

  Windows Server 2008 R2 Enterprise x64 Hyper-V host
  HP DL370 G6, HP NC375i integrated Quad Port Multifunction Gigabit Server Adapter
  Static IP (.11), internet connection via a Cisco switch and PIX firewall
  External virtual network connected to port 1, allowing management OS to share the network adapter
  Windows Server 2008 R2 Enterprise x64 guest
  Static IP (.21) on the same subnet, same subnet mask and default gateway (.1) as host
  * with Virtual Machine Bus network adapter:
   - host can ping guest (.21), switch (.5), and has internet access
   - guest can ping host (.11), but cannot ping switch (.5) and has no internet access. 
   - network map shows the guest and host connected via a hub (Microsoft virtual switch), connected to a gateway, then a red X between gateway and internet
  * with Legacy network adapter:
   - host can ping guest (.21), switch (.5), and has internet access
   - guest can ping host (.11), switch (.5) and has internet access. 
   - network map shows the guest and host connected via a hub (Microsoft virtual switch), connected to a gateway, and no red X between gateway and internet
  I installed Hyper-V before adding the HP network drivers (there's a known problem if you install Hyper-V after adding the network drivers), so that's not it.
  This happens both with straight network adapters, and also when two are configured as a network team - no difference.
  I don't want to use the Legacy network adapter as the performance is terrible, but right now I have no choice as otherwise I can't get network or internet access from the guest. 
  Any ideas?

  Hi,
  Please refer to the following post to see whether you can resolve the issue.
  Network Adapter (not Legacy) does not work on Virtual Machine after installation through ISO
  http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2virtualization/thread/b1e9d24c-e298-472e-ad72-90cf079f6fbd
  By the way, did you only encounter this issue with one VM or all VMs? Please do the same test on VMs with other version of Windows such as Windows Server 2008 or Windows Server 2003.
  Best Regards,
  Vincent Hu

• 5508 WLC - VPN disconnects from Wlan guest

  Strange issue that our support staff is seeing on our guest WLAN.
  I have 2 wlans, 1 is production and authenticates our Domain controllers, this is working fine.
  The other is a wlan that has restricted access internally, I allow http, https and VPN access out only.
  It appears that on the guest wlan, after random amount of time an established VPN connection using Cisco VPN client disconnects.
  Wireless connectivity doesnt appear to go down, just the vpn connection.
  On this guest wlan, I have configured QOS bronze and I read a link where this may be affecting the UDP conversation between VPN client and end point.
  Can anyone shed light on this ?
  I just upgraded to latest and greatest code and I am still seeing same issue.
  Cheers
  Dave

  Soemthing I want to make you aware of is another guest bug we hit... After fixing the VPN problem by moving to 7.0.220.0 we hit this bug!
  The fix ... Reboot your WLC weekly. We have a call with Cisco BU on Monday to talk about this...
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx00942
  Webauth stops redirecting after some time
  Symptom:
  It is seen on 7.0.220 4404 WLC that users in the webauth SSID are not redirected to the login page anymore after 1 week or so.This message appears :
  sshglue.c:7009 WebAuth HTTP Redirect rule creation failed for peer 192.168.1.8
  Conditions:
  webauth, 4404 running 7.0.116/220
  Workaround:A reboot solves the problem for another week or so
  Status
  Open             
  Severity
  2 - severe
  Last Modified
  In Last 7 Days        
  Product
  Cisco 5500 Series Wireless Controllers         
  Technology
  1st Found-In
  7.0(116.0)
  7.0(220.0)       
  Interpreting This Bug
  Bug Toolkit provides access to the latest raw bug data so you have  the earliest possible knowledge of bugs that may affect your network,  avoiding un-necessary downtime or inconvenience. Because you are viewing  a live database, sometimes the information provided is not yet complete  or adequately documented. To help you interpret this bug data, we  suggest the following:
  This bug has a Severe severity level 2 designation.  Important functions are unusable but the router's other functions and  the rest of the network is operating normally.
  Severity levels  are designated by the engineering teams working on the bug.  Severity is  not an indication of customer priority which is another value used by  engineering teams to determine overall customer impact.
  Bug  documentation often assumes intermediate to advanced troubleshooting and  diagnosis knowledge.  Novice users are encouraged to seek fully  documented support documents and/or utilize other support options  available.

• Access to Guest Folder requires login when accessed from Portal/SSO

  We have wired XML-P to use OID and then registered it as a Partner Application in our Portal/SSO server (which also uses the same OID instance). All works well except now when we try to access the Guest folder from within Portal the SSO login screen pops-up. We have created a very simple HTML/URL portlet that points to the Guest folder and the idea is for users to have Public/anonymous access to this folder. Any ideas?

  Hi,
  You can try to enable "Turn on password protected sharing" in Network Sharing Center. After that, only people with a user name and password on the computer will be able to log into shared network folders.
  Another workaround method you can try:
  Open Run, type rundll32.exe keymgr.dll, KRShowKeyMgr, then Press
  Enter.
  In the prompt dialog, choose and delete the user account used to network sharing.
  Roger Lu
  TechNet Community Support

• I changed laptops and went from Vista to Windows 8. It requires icloud. I did icloud setup but it will not allow me access and wants to give me a new password. That is OK but it will not send me the promised password

  I changed laptops and went from Vista to Windows 8. It requires icloud. I did icloud setup but it will not allow me access and wants to give me a new password. That is OK but it will not send me the promised password even though itunes recognizes my password

  This has been posted for almost 2 weeks and not one reply. Thanks a bunch! As a newbie to OOo and Mozilla, I am not impressed with responsiveness to support needs with either. So, the future of my new experiment with going non-Microsoft remains an open question.
  Oddly enough, the problem mysteriously went away. I have followed the same routine and changed no settings. Suddenly all of the downloaded spreadsheets were no longer read-only. So I consider the matter resolved.

• Redundant access from MPLS VPN to global routing table

  Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
  As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
  Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
  Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
  OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

  Hi Andris,
  I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
  dot1q will be ok as well.
  This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
  Example:
  PE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0/0.1 point-to-point
  description customer VPN access
  ip vrf customer
  ip address 10.1.1.1 255.255.255.252
  interface Serial0/0.2 point-to-point
  description customer Internet access
  ip address 192.168.1.1 255.255.255.252
  router rip
  address-family ipv4 vrf customer
  version 2
  network 10.0.0.0
  no auto-summary
  redistribute bgp 65000 metric 5
  router bgp 65000
  neighbor 192.168.1.2 remote-as 65001
  address-family ipv4 vrf customer
  redistribute rip
  CE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0.1 point-to-point
  description VPN access
  ip address 10.1.1.2 255.255.255.252
  interface Serial0.2 point-to-point
  description Internet access
  ip address 192.168.1.2 255.255.255.252
  router bgp 65001
  neighbor 192.168.1.1 remote-as 65000
  router rip
  version 2
  network 10.0.0.0
  no auto-summary
  Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
  The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
  Regards
  Martin

• I have a Mac OS X version 10.5.8 and recently got an Iphone4. I can not access Icloud from my computer. Is there any software, new operating system or anything I can purchase that will allow me access to the cloud?

  I have a Mac OS X version 10.5.8 and recently got an Iphone4. I can not access Icloud from my computer. Is there any software, new operating system or anything I can purchase that will allow me access to the cloud?

  Upgrading to Snow Leopard, Lion, or Mountain Lion
  You can upgrade to Mountain Lion from Lion or directly from Snow Leopard. Mountain Lion can be downloaded from the Mac App Store for $19.99. To access the App Store you must have Snow Leopard 10.6.6 or later installed.
  You can purchase Snow Leopard by contacting Customer Service: Contacting Apple for support and service - this includes international calling numbers. The price is $19.99 plus tax. You will receive physical media - DVD - by mail.
  Third-party sources for Snow Leopard are:
  Snow Leopard from Amazon.com
  Snow Leopard from eBay
  After you install Snow Leopard you will have to download and install the Mac OS X 10.6.8 Update Combo v1.1 to update Snow Leopard to 10.6.8 and give you access to the App Store.
  You can purchase Lion by contacting Customer Service: Contacting Apple for support and service - this includes international calling numbers. The cost is $19.99 (as it was before) plus tax.  It's a download. You will get an email containing a redemption code that you then use at the Mac App Store to download Lion. Save a copy of that installer to your Downloads folder because the installer deletes itself at the end of the installation.
  Be sure your computer meets the minimum requirements:
  Apple - OS X Mountain Lion - Read the technical specifications.
  Macs that can be upgraded to OS X Mountain Lion
    1. iMac (Mid 2007 or newer)
    2. MacBook (Late 2008 Aluminum, or Early 2009 or newer)
    3. MacBook Pro (Mid/Late 2007 or newer)
    4. MacBook Air (Late 2008 or newer)
    5. Mac mini (Early 2009 or newer)
    6. Mac Pro (Early 2008 or newer)
    7. Xserve (Early 2009)
  Are my applications compatible?
  See App Compatibility Table - RoaringApps - App compatibility and feature support for OS X & iOS.
  Am I eligible for the free upgrade?
  See Apple - Free OS X Mountain Lion upgrade Program.
  For a complete How-To introduction from Apple see Apple - Upgrade your Mac to OS X Mountain Lion.
  Model Eligibility for Snow Leopard and Lion.
  Snow Leopard General requirements
    1. Mac computer with an Intel processor
    2. 1GB of memory
    3. 5GB of available disk space
    4. DVD drive for installation
    5. Some features require a compatible Internet service provider; fees may
        apply.
    6. Some features require Apple’s MobileMe service; fees and terms apply.
  Lion System Requirements
    1. Mac computer with an Intel Core 2 Duo, Core i3, Core i5, Core i7, or
        Xeon processor
    2. 2GB of memory
    3. OS X v10.6.6 or later (v10.6.8 recommended)
    4. 7GB of available space
    5. Some features require an Apple ID; terms apply.

• Qemu-kvm: network access from host to guest

  I need ssh and http access from my host (Arch) to the guest (other Linux). I've failed at setting up Tap networking as described in the wiki. I don't need to have the whole LAN access the guest, so is there another way the host can access the guest? Using the guest's IP of 10.0.2.15 doesn't work, but I'm hoping there is a way to do it.
  Thanks.

  Mr.Elendig wrote:Bridging is the best way todo it, so you should give us some more info on your atempt at it, so that we can help you fix it.
  Ok, I've followed the instructions from the wiki.
  One problem is that I'm on a laptop. eth0 is wireless and eth1 is wired. I chose to use eth1 since I thought it'd be easier to get working on one device before trying to make it work on both.
  1. bridge and tun modules are loaded from rc.conf
  2. In /etc/conf.d/bridges I have this:
  bridge_br0="eth1"
  BRIDGE_INTERFACES=(br0)
  3. In /etc/rc.conf I changed my networking portion to this:
  eth1="eth1 up"
  br0="dhcp"
  INTERFACES=(eth1 br0)
  4. In /etc/udev/rules.d/65-kvm.rules I have this:
  KERNEL=="tun", NAME="net/%k", GROUP="kvm", MODE="0660"
  5. My user is part of the kvm group, although I have also tried running qemu-kvm as root.
  6. In /etc/qemu-ifup I put:
  #!/bin/sh
  echo "Executing /etc/qemu-ifup"
  echo "Bringing up $1 for bridged mode..."
  sudo /sbin/ifconfig $1 0.0.0.0 promisc up
  echo "Adding $1 to br0..."
  sudo /usr/sbin/brctl addif br0 $1
  sleep 2
  7. Using visudo I added this to the bottom:
  Cmnd_Alias QEMU=/sbin/ifconfig,/sbin/modprobe,/usr/sbin/brctl,/usr/bin/tunctl
  %kvm ALL=NOPASSWD: QEMU
  8. I launch qemu-kvm with the following script:
  USERID=`whoami`
  IFACE=`sudo tunctl -b -u $USERID`
  qemu-kvm -net nic -net tap,ifname="$IFACE" -vga std -m 1024 -k en-us -usbdevice tablet -localtime /dev/sda
  sudo tunctl -d $IFACE &> /dev/null
  My system starts with br0 getting the dhcp IP on boot, so that part is working.
  When I run the qemu-kvm start script I get this error (running as user or root):
  /etc/qemu-ifup: could not launch network script
  Could not initialize device 'tap'
  /etc/qemu-ifup is executable
  Last edited by shakin (2009-06-05 19:13:14)

• Netgear and 'Allow Access From "Any" Name'

  I have a Netgear Wireless Router MR814. My iBook with Airport Extreme connects without problems and reconnects automatically after sleep. I have turned on every level of security available except for one labelled 'Wireless Broadcast: Allow Access From "Any" Name'. If I turn this off (uncheck it), the Router does not appear in the iBook's Airport list but I can still connect if I use Internet Connect and select "Other Network". I then have to manually type in the name of the network and the 26 character WEP passphrase. However if I put the computer to sleep when it wakes up the connection is not automatically restored. I have the "Network" control panel set to "Connect to a specific Network" and entered my Network Name and WEP password with preceding $ but no joy. These settings work fine if I turn on 'Allow Access From "Any" Name'.
  12 iBookG4 + Quicksilver 867   Mac OS X (10.3.9)  

  <cut>
  </cut>
  IME, Windows wireless utilities could care less
  whether the name is broadcast or not. They decipher
  and show the name of the network anyway.
  Dueane,
  Who cares if your Windoze Utilities can find the SSID when someone turns the broadcast of their station name off? If the person is using WPA2 Personal level security as I am, You still have to crack the 63 character hex passphrase in order to gain entrance to my network.
  Not everyone is foolish enough to use a simple enlish passphrase so a Dictionary Attack can succeed with ease. Many of us make it as difficult as possible for some "script kiddie" or "war driver" to invade our private network.
  IIRC, a crack has yet to be found for WPA2 if you only know the station name & MAC address, but do NOT know the 63 hex character passphrase. I welcome urls from reliable web sites that will prove that WPA2 can be cracked withOUT the proper passphrase.
  Regards,
  Albatross
  G4 QuickSilver01 OWC 1.47Ghz CPU 1.5GB RAM 740GB HD   Mac OS X (10.4.2)   Al 17" G4 1.33 Ghz PowerBook with Aiport Extreme / Netgear WG302 & FVS318v3

• Allowing IPSec PPTP, and L2TP passthrough for VPN Access

  Does anyone know where you can allow VPN Passthrough in the Airport Extreme? I am not able to connect to work using the Nortel VPN client, however when using my Linksys (where I have configured IPSec, PPTP and L2TP) it works fine.

  I have the exact same problem with my work windows machine. I temporily got it working by setting the default NAT address to the IP address of my work laptop.
  This is not an acceptable long term solution for me. I will have to return the airport extreme and go back to linksys myslef if it cannot be resolved.