Anyconnect IKEV2 restricting access via AAA auth Group

Hi Everyone,
I have an ASA config with 2 connection groups,
say Group 1 and 2.
Currently both are assigned to the same AAA auth group.
One of our external vendors has access to both XML files of connection groups 1 and 2.
If I want the vendor to connect only to connection group 2, should I change the AAA auth group for connection group 2?
Then even if he tries connection group 1 it should not work, as the AAA auth group will only be assigned to group 2, right?
Regards
Mahesh

Hi Rick,
Here is the info:
Our ASA is configured with two connection groups. Our vendor has XML files of both connection groups, say 1 and 2.
The AAA authentication group is called RSA; there are two servers in the RSA group.
We are using 2 factor authentication.
We want the vendor to connect to connection group 2 only.
We have two RSA authentication servers; they are in HA mode, so if one dies the other can do the authentication. The ASA has only one authentication group, called say RSA, and both connection groups 1 and 2 are tied to the same authentication group called RSA.
If I configure a new AAA server group, say RSA2, for connection group 2, but it has the same 2 servers, will it restrict the vendor's connection to connection group 2 only?
Also, when you say the authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response,
I need to know how I can do this.
Regards
Mahesh

Similar Messages

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
    I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific security group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html

  • Restricting Access for SQ01 User Group

    Hi ,
    Please let me know how to restrict access for a user group to only some of the specific users.
    Thank you
    Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

    Hi,
    Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
    If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

  • Restricting access to auth relevant characteristics

    Hello Experts,
    We have a requirement wherein I have to restrict access for a user so that the user would not be able to change the properties of characteristics, even in the local view in the query designer.
    The requirement is that the user should be able to go into change query (local view) and change rows and columns, but the user should not be able to change the properties of any characteristic.
    In our case the user is trying to change the properties of an authorisation relevant characteristic, which the user should not.
    Thanks in advance.
    Best Regards,
    Suyog.

    Hi Suyog,
    As per my knowledge, you can't control change access only to rows and columns in query designer. Also please note that maintaining auth. relevant characteristics as processing type authorization or customer exit is the BW developer's job; as BI security consultant you can give suggestions to maintain such variables.
    Hence you give change query access in Dev and give only display in QA & production.
    Best Regards
    Imran

  • Restricting access via MAC address?

    Hello,
    Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
    I'm kinda stumbling around here
    Thanks,
    Jonny

    Sorry if I wasn't being specific enough...
    I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
    What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
    Surely it's possible?

  • Restricting Access via User Groups

    So I have created some user groups via the Administration page in APEX. I would like to use these groups to control access to various tabs in my database application. Can someone please tell me how I might go about doing this? I can't seem to locate a good example.
    Thanks,
    Mark

    Hi Mark,
    You can e.g. create an authorization scheme (shared components) - pl/sql function returning boolean.
    You can use some functions in apex_util to determine if they should have access. e.g. apex_util.current_user_in_group(p_group_name in varchar2); http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#BABHCBEG
    Then just apply that authorization scheme to the tab and consequent pages associated to the tab.

  • Is Guest Access via web auth available on Standalone 1130AP?

    Hi,
    I have seen that using LWAPP and a WLC, Guest WLans can be authenticated via a web page.
    Is this possible on an Autonomous 1130 AP ?
    Or is that only a functionality of the Controller ?
    Thanks

    As the other user said, this web authorization isn't native to the access point. It is a web authorization portal that is on the WLC.
    With that said, any web authorization portal on your network could be used. I'm not sure what your budget is, but if you are looking to do this on a handful of devices, you might go with something like NoCat (nocat.net). I haven't actually used it but I think it is just an entry level (free?) portal.
    I'm sure there are many products out there, and Cisco probably has their fair share...
    Note: in this case, it would most likely be used to authorize anyone to get connected to the LAN (or Internet), it probably wouldn't be used to authorize the actual Wireless Connection, just authorize the ability to get off the VLAN (like to the Internet)

  • Restricting access via user agent

    I was wondering if someone could point me in the right direction, I remember my instructor on my course saying that restricting by User Agent was possible by adding a few lines to the obj.
    I have a problem whereby people are scraping our site, but it seems to be a D.I.Y. application with a non-standard user agent. Any replies greatly appreciated.
    Regards
    LL

    See <Client> in
    http://docs.sun.com/source/817-1835-10/npgobjcn.html#wp1041206
    And also SAF docs in:
    http://docs.sun.com/source/817-1834-10/crobjsaf.html
    Probably many ways of accomplishing it depending on details of desired behavior. Here's one possible variant.
    <Client browser="*bad-client*">
    PathCheck fn=deny-existence
    </Client>
    That all said, unless those requests are part of some firehose attack which doesn't really care whether any individual requests work, it's trivial for the client to adjust what it sends.

  • Anyconnect using IKEV2 allowing access to Vendor

    Hi Everyone,
    We have configured Anyconnect using IKEv2 for our internal users and it is working fine.
    Recently I got a request from our management to allow our vendor to access our network, but they don't need full access to our internal network.
    This vendor is also using AnyConnect IKEv2 to access their own internal network.
    What I have done is ask our vendor's IT guy to update their XML profile with the info below:
    <ServerList>
      <HostEntry>
       <HostName>xyz.com</HostName>
       <HostAddress>xyz.com</HostAddress>
      </HostEntry>
    </ServerList>
    where xyz.com is our VPN ASA hostname.
    I need to know: do I need to configure a new AnyConnect profile and group policy to make this work, or can I just create a new group policy for this vendor?
    Regards
    Mahesh

    To configure the vpn filter you would do something like the following:
    access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
    access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list VPN-FILTER permit ip any any
    group-policy VPN internal
    group-policy VPN attributes
      vpn-filter value VPN-FILTER
    Please remember to select a correct answer and rate helpful posts
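The vpn-filter ACL from the reply above, evaluated in Python as an added example (not code from the post): a small parser for the ASA access-list syntax used there (any, host, network plus subnet mask) with first-match evaluation and the implicit deny at the end. It assumes 192.168.1.0/24 is the address pool assigned to the vendor's sessions and 10.1.1.10 is the one internal host they may reach; neither is stated in the post.

```python
import ipaddress

# Constructed copy of the three vpn-filter lines from the reply above.
VPN_FILTER = """
access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-FILTER permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | NETWORK MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs take a subnet mask here, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return [(name, action, protocol, src_net, dst_net)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # Expected shape: access-list NAME permit|deny PROTO SRC... DST...
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((name, action, proto, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """First matching entry wins; no match falls to the ASA's implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for _name, action, ace_proto, ace_src, ace_dst in entries:
        # An 'ip' entry covers every IP protocol; otherwise protocols must match.
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if src in ace_src and dst in ace_dst:
            return action
    return "deny"
```

Note the ordering: the host-specific permit must precede the subnet deny, or the vendor loses access to 10.1.1.10 as well.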

  • How to get list of Users under an Auth Group (for executable Programs)?

    Hi experts.  I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
    Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group. 
    So question is:  Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
    I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
    Thanks in advance.
    Edited by: George Esquerra on Nov 17, 2011 10:24 AM

    This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
    If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
    You can analyse how this program finds the information and incorporate it into your own logic.
    Thomas

  • Restricting access to a  cube while it is being maintained

    Hi,
    We are trying to restrict access via the Discoverer/Excel add-in to a CUBE while the cube is being maintained. We were able to achieve this by revoking privileges from certain roles before the start of the cube build.
    I would like to know if there is any better way or built-in functionality (out of the box) that restricts access to a cube while it is refreshing? Any help is appreciated.

    Ragnar is correct, the best way to do this is to attach the AW in exclusive mode. You can either do this manually yourself before starting your load job, or automatically by scheduling the job and using multiple processes to load and solve the cube.
    The problem is removing users currently viewing data via Excel/Disco when the job starts. If you can ensure there will be no users accessing the AW when the job starts, then the exclusive attach mode will prevent any users from attaching the AW during the processing. If you cannot guarantee this, then there is a problem because the job will fail when it tries to attach the AW in exclusive mode. Obviously you could put this in a loop and wait until a user exits the front end application and releases the AW. Alternatively, you could write a SQL script to disconnect/kill all sessions accessing the AW - not very nice for the users though if they are building a report because they will lose all their unsaved changes.
    When the AW is attached in exclusive mode, bad news is that Discoverer/Excel will probably generate a nasty Java error message when a user tries to connect using Discoverer/Excel.
    Therefore, overall not an ideal situation. But I cannot think of a really good way to manage this at the moment. Sorry I can't be more helpful.
    Keith Laker
    Oracle EMEA Consulting
    OLAP Blog: http://oracleOLAP.blogspot.com/
    OLAP Wiki: http://wiki.oracle.com/page/Oracle+OLAP+Option
    DM Blog: http://oracledmt.blogspot.com/
    OWB Blog : http://blogs.oracle.com/warehousebuilder/
    OWB Wiki : http://wiki.oracle.com/page/Oracle+Warehouse+Builder
    DW on OTN : http://www.oracle.com/technology/products/bi/db/11g/index.html

  • How do I restrict access at the field level in vendor creation XK01

    Hello All,
    Does anyone know a way to restrict access to a certain group of fields or a screen in vendor create? I know it is possible in vendor change XK02 using the field groups (transactions OBAT and OBAU) but we have a requirement to have one group of users create all vendor information except the bank details and another group of users just to create the bank details.
    Thanks for any help you can offer.
    rgds,
    ian

    We have had a similar discussion some while back. please refer to the thread below as it seems to be much similar to your requirement.
    [click here|Hide or Encrypt Bank Account Number]

  • Need to restrict access to XD02/XD03

    Hi All,
    I  need to restrict access to some acct group in the search screens for individuals who do not have access to this account group in transaction XD02/XD03.  Other than this group we should not allow to search the screens.
    Please guide me if there is any exit / BAdI etc. where I can put this validation.
    Thanks.
    Raj.

    Hi,
    Try this link...
    Customer Master Maintenance - restriction general data tabs
    Regards,
    Guru

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)
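The Class-attribute mapping in the reply above, together with the question in the opening thread (whether a second AAA server group with the same two RSA servers would keep the vendor out of connection group 1), as an added example that is not part of any post here: a Python model of the ASA's decision after the AAA server accepts a user. It assumes placeholder tunnel-group and group-policy names, and that the vendor's group policy carries the ASA 'group-lock value' attribute, which the thread does not mention.

```python
import re

# Constructed configuration modelled on the thread: two AnyConnect connection
# profiles (tunnel-groups), both authenticating against the same AAA server
# group "RSA". All names are placeholders, not the poster's real ones.
TUNNEL_GROUPS = {
    "GROUP1": {"aaa_server_group": "RSA", "default_group_policy": "INTERNAL_GP"},
    "GROUP2": {"aaa_server_group": "RSA", "default_group_policy": "VENDOR_GP"},
}

# 'group_lock' models the ASA group-policy attribute 'group-lock value <tunnel-group>'.
# That attribute is an assumption for this example; the thread does not mention it.
GROUP_POLICIES = {
    "INTERNAL_GP": {"group_lock": None},
    "VENDOR_GP": {"group_lock": "GROUP2"},
}

# Class attribute format quoted in the reply above, semicolon included: OU=group_name;
CLASS_RE = re.compile(r"^OU=([^;]+);$")


def group_policy_from_class(class_values):
    """Return the group-policy named by a Class value 'OU=name;', else None."""
    for value in class_values:
        match = CLASS_RE.match(value.strip())
        if match:
            return match.group(1)
    return None


def authorize(tunnel_group, radius_reply):
    """Model the ASA decision once the AAA server has answered.
    radius_reply is a constructed dict {"accept": bool, "Class": [str, ...]};
    returns (allowed, group_policy_or_reason)."""
    if tunnel_group not in TUNNEL_GROUPS:
        return False, "unknown tunnel-group"
    if not radius_reply.get("accept"):
        return False, "authentication failed"
    # A Class attribute overrides the tunnel-group's default group-policy.
    policy = group_policy_from_class(radius_reply.get("Class", []))
    if policy is None:
        policy = TUNNEL_GROUPS[tunnel_group]["default_group_policy"]
    if policy not in GROUP_POLICIES:
        return False, f"unknown group-policy {policy}"
    lock = GROUP_POLICIES[policy]["group_lock"]
    if lock is not None and lock != tunnel_group:
        return False, f"{policy} is group-locked to {lock}"
    return True, policy


# Constructed replies: the RSA servers accept the vendor either way (a second server
# group pointing at the same two servers would answer the same); only the Class
# attribute lets the ASA apply the locked vendor policy.
VENDOR_NO_CLASS = {"accept": True, "Class": []}
VENDOR_WITH_CLASS = {"accept": True, "Class": ["OU=VENDOR_GP;"]}
```

With no Class attribute the vendor lands in whichever connection profile's default policy they chose, so the XML file for group 1 still works; with OU=VENDOR_GP; returned, the lock rejects the group 1 attempt.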

  • Restricting SM30 via auth. groups, any flaws in thinking?

    Hi,
    I got a request to assign SM30 to a role as table J_1IEWT_ACKN_N needs to be maintained monthly. I checked an earlier thread regarding this table, and in this case maintaining table in DEV + transport is also not accepted.
    This role also includes other table maintenance activities (period opening/closing, exchange rate maintenance), but for these SM30 is not required. As this role would now include SM30, it would possibly grant access to quite a bunch of tables (through S_TABU_DIS, DICBERCLS values KC and FC31).  User with this role would not have any other roles.
    I created a Zxxx-authorization group in SE54, assigned it to the J-table and then included this auth group to S_TABU_DIS object.
    As this role only needs access to a few tables, I was thinking of changing the authorization group assignments of these tables from KC/FC31 to Zxxx and then giving only DICBERCLS value Zxxx to the role.
    Does this sound like a reasonable solution? Can I just change the auth group assignments of the tables in SE54 or does this have any consequences that should be acknowledged and that I'm not aware of?

    You should try to find an existing group which contains data with the same classification as this one, and use SE54 to assign the value to it. Possibly, if the correct set of users are already classified for that group, then you don't need to change anything in the roles.
    If nothing which already exists matches the classification of the data, then classify it yourself by creating the Zxxx group and assign it via SE54.
    If Z-groups already exist, ask for the documentation on the concept so that the one you create or use conforms with the intended concept and naming conventions.
    There is nothing wrong with a Z-table authorization group.
    Cheers,
    Julius
