Authenticating Device Admin users against AD specific groups

   Hi,
I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of any AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
Any idea how I can bind the authentication against a specific group in AD, not just using AD1 as the identity source?
Thanks

Hi Mike,
Can you please define what exactly you mean by authentication and authorization?
The ACS checks the AD for a specific user, whether it exists and whether the credentials are correct. If so, on the AD you will probably find a successful authentication in the logs, but from the user's perspective, the user does not know whether it is authenticated or not at this stage.
Now the ACS knows the credentials are correct and then checks the policy rules that are configured. Depending on the policy rules it will tell the user whether it is successfully authenticated or not.
In the policy, you control success or failure of the authentication of the client depending on the AD group.
If what I explained above is not what you are looking for, please elaborate more on your request so we understand your concern better.
Regards,
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Restricting end user to one specific group with anyconnect

    Hello all
    I just started configuring AnyConnect with an ASA 5520 that uses Cisco Secure ACS to pass RADIUS authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group, so that is what Secure ACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?

    Alternatively, you can use Radius authorization to place user into a specific group-policy:
    - Configure the Group-Policy attribute under Radius to be OU=
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_extserver.html#wp1605475
    On the ASA, just configure 1 tunnel-group, and depending on the authentication, the user will be placed into the correct group-policy specified under the ACS server.

  • Script to logout users from a specific group, when queries are long

    Hi,
    I have a requirement that users from a specific group need to be logged out, when they are running queries for more than say 20 mins.
    I could get the list of users from that group and could get the list of active sessions on the application, but I get too much info there, like connection IP, request state etc., and if I spool it to a file, the output is not very easy to format to select what's required; rather I have to write a lot of shell scripting to format the file.
    So my question here is to know if there's a MaxL script or any other method through which I can get only a couple of columns from the "display session on application <app name>" that I require for my work, like username, session ID, DB connect time, and request time.
    Thanks!!

    There are a number of ways to accomplish this, but AFAIK none of them is straightforward like writing a script to accomplish the task.
    This could be accomplished quite readily with the Essbase API.
    Unfortunately, when Maxl outputs tabular data such as what comes out after DISPLAY SESSION ALL; - it comes out as all one big string with lots of spaces.
    So to parse that output you would need to use a language that can tokenize the text into a collection and parse that for the users.
    Then you need to do the same sort of thing after running DISPLAY USER IN GROUP ALL; (or instead of all, use a specific group name);
    Then run ALTER SYSTEM LOGOUT SESSION BY USER <parsed_username>;
    What would be ideal (hello Oracle... <wink> ) is a MAXL command ALTER SYSTEM LOGOUT SESSION BY GROUP <GroupName>;
    The way I would approach this would be to write a little utility that does exactly what you seek:
    - Scan the current session periodically (say, once every 5 mins)
    - for each user that belongs to group(s) <group>(<group>...)
    - if user has an open query running longer than n minutes, kill the user request.
    This way you're not kicking people, you're just taking back resources. Of course you can be more aggressive and code it to kick the user by forcefully ending (invalidating) his session too.
    I can give you a hand with this offline if you want.
    Robb
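    An added example, not Robb's code or Oracle's: the periodic scan he sketches, written as Python functions and run over a constructed sample of the MaxL output. The column layout of "display session" and "display user in group", the group name "analysts" and the "kill request by user" statement form are assumptions; "logout session by user" is the form quoted in the thread.

```python
# Constructed stand-in for what MaxL prints after "display session on application <app>":
# every cell comes out as whitespace-separated text, so rows are recovered by column count.
# The column set is an assumption chosen to carry the fields the question asks for.
SESSION_COLUMNS = ("user", "session_id", "application", "database",
                   "db_connect_time", "request", "request_time")
SESSION_OUTPUT = """
 user      session_id  application  database  db_connect_time      request    request_time
 --------- ----------- ------------ --------- -------------------- ---------- ------------
 jsmith    1001        Sample       Basic     2014-01-30_09:00:01  Calculate  1500
 amy       1002        Sample       Basic     2014-01-30_09:10:00  Retrieve   300
 bob       1003        Sample       Basic     2014-01-30_08:00:00  Calculate  3000
 jsmith    1004        Sample       Basic     2014-01-30_09:20:00  Retrieve   100
 carol     1005        Sample       Basic     2014-01-30_09:25:00  None       0
"""
# Constructed output of "display user in group <group>", parsed the same way.
GROUP_COLUMNS = ("user", "group")
GROUP_OUTPUT = """
 user      group
 --------- ----------
 jsmith    analysts
 amy       analysts
 carol     analysts
"""

def parse_table(output, columns):
    """Tokenize a MaxL table into dicts, one per row; request_time is assumed to be seconds."""
    tokens = [t for t in output.split() if not set(t) <= {"-"}]  # drop the dashed ruler line
    header, body = tokens[:len(columns)], tokens[len(columns):]
    if tuple(h.lower() for h in header) != tuple(columns) or len(body) % len(columns):
        raise ValueError("unexpected column layout; adjust the *_COLUMNS tuples to your server")
    width = len(columns)
    return [dict(zip(columns, body[i:i + width])) for i in range(0, len(body), width)]

def runaway_users(session_output, group_output, group, max_minutes):
    """Users of <group> with a request that has been running longer than max_minutes."""
    members = {r["user"] for r in parse_table(group_output, GROUP_COLUMNS) if r["group"] == group}
    hits = set()
    for s in parse_table(session_output, SESSION_COLUMNS):
        if s["user"] in members and s["request"] != "None" \
                and int(s["request_time"]) > max_minutes * 60:
            hits.add(s["user"])
    return sorted(hits)

def maxl_commands(users, end_session=False):
    """One statement per user: kill only the request (less disruptive) or end the whole session."""
    verb = "logout session" if end_session else "kill request"
    return ["alter system %s by user '%s';" % (verb, u) for u in users]

if __name__ == "__main__":
    # Run from a scheduler every few minutes, feeding the real MaxL spool output instead.
    for stmt in maxl_commands(runaway_users(SESSION_OUTPUT, GROUP_OUTPUT, "analysts", 20)):
        print(stmt)
```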

  • Authenticating an admin user on AP1200 with Cisco Secure

    Hello,
    I am trying to configure RADIUS authentication for an administrator logging on to an AP1200 via HTTP. On the Cisco Secure ACS server I can see that the authentication was successful, and with a trace I can also see the 'Radius Pass' answer coming back to the AP1200.
    Unfortunately the administrator gets no access to the AP1200 web page, and the login window still asks for username/password. The log of the AP1200 does not give any error message.
    The software versions are the following:
    AP1200 version 12.02A (the last one non-IOS available)
    CiscoSecure ACS v2.6 for Windows 2000/NT
    Release 2.6(3) Build 2
    The return packet 'Radius Pass' answer coming back to the AP1200 is the following:
    0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
    0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
    0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
    0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!g*`.y......|
    0040: ff ff ff ff |....|
    I suspect that the last ff ff ff ff (255.255.255.255) should be equal to the IP address of the AP1200 which was sent within the initial RADIUS request packet.
    Thanks in advance for your answer

    I had a similar problem with the 350 series. I received the following information that resolved my issues.
    Using RADIUS, you need to use the Cisco AV-Pair attribute for admin users with the following syntax:
    aironet:admin-capability=write+ident+admin+firmware
    Here is the procedure for you to define the Cisco AV-pair attributes for the admin user.
    a) On ACS select Interface Configuration and go to the Advanced Options,
    select "Per-user TACACS+/RADIUS Attributes" and click on Submit.
    b) On ACS, select Network Configuration:
    1) check if you have a RADIUS (IOS/PIX) device configured on the ACS;
    if not, add a NAS of type RADIUS (IOS/PIX). Note that this is needed for the IOS/PIX attribute.
    2) After adding the IOS/PIX device, select Interface Configuration >> RADIUS (IOS/PIX).
    Enable the [026/009/001] "cisco-av-pair" option; again make sure that you enable it
    at user and group level, and click on Submit.
    3) Add a user (User Setup >> Add/Edit) to restrict administrator access control
    1) enable and configure the Cisco 09\001 cisco-av-pair using
    aironet:admin-capability=write+ident+admin+firmware
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082
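    An added example, not code from either post: the 'Radius Pass' dump quoted above parsed down to the RADIUS layer, plus a constructed Access-Accept that carries the aironet AV-pair from the reply and a Class attribute of the "OU=<group-policy>" kind the AnyConnect thread earlier on this page relies on. The Class value "OU=VPN-Policy" and the zeroed authenticator are assumptions.

```python
import struct
from ipaddress import IPv4Address

# The capture exactly as quoted in the post (Ethernet + IPv4 + UDP + RADIUS). The '*' only
# marks where the RADIUS payload starts in the original and is skipped by the parser.
CAPTURE = """
0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!g*`.y......|
0040: ff ff ff ff |....|
"""
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
CISCO_VENDOR_ID = 9  # enterprise number behind the [026/009/001] cisco-av-pair attribute

def hexdump_to_bytes(dump):
    """Turn 'offset: xx xx ... |ascii|' lines into the raw frame."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hexpart = line.split(":", 1)[1].split("|", 1)[0].replace("*", " ")
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)

def udp_payload(frame):
    """Peel Ethernet, IPv4 (honouring IHL) and UDP; return (src, dst, sport, dport, payload)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not a UDP datagram")
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return str(src), str(dst), sport, dport, ip[ihl + 8:ihl + ulen]

def parse_radius(pkt):
    """Parse the RADIUS header and attributes, decoding the ones this page talks about."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field disagrees with the datagram")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val = pkt[pos + 2:pos + alen]
        if atype == 8:     # Framed-IP-Address
            attrs.append(("Framed-IP-Address", str(IPv4Address(val))))
        elif atype == 25:  # Class; the ASA takes its group-policy from an "OU=<name>" value here
            attrs.append(("Class", val.decode("ascii", "replace")))
        elif atype == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            name = "cisco-av-pair" if vtype == 1 else "cisco-vsa-%d" % vtype
            attrs.append((name, val[6:4 + vlen].decode("ascii", "replace")))
        else:
            attrs.append(("attr-%d" % atype, val.hex()))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length, "attrs": attrs}

def decode_capture(dump=CAPTURE):
    src, dst, sport, dport, payload = udp_payload(hexdump_to_bytes(dump))
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, **parse_radius(payload)}

def cisco_avpair(text):
    """(type, value) for a Vendor-Specific attribute carrying vendor 9 / subtype 1 cisco-av-pair."""
    s = text.encode("ascii")
    return 26, struct.pack("!IBB", CISCO_VENDOR_ID, 1, 2 + len(s)) + s

def build_accept(ident, attrs):
    """Constructed Access-Accept; the authenticator is zeroed, a real one is the RFC 2865 §3 MD5."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # The quoted reply carries a single Framed-IP-Address of 255.255.255.255 and no Cisco VSA.
    # 0xFFFFFFFF is not the AP's address: RFC 2865 §5.8 defines it as "let the user select".
    print(decode_capture())
    demo = build_accept(0x2B, [cisco_avpair("aironet:admin-capability=write+ident+admin+firmware"),
                               (25, b"OU=VPN-Policy")])  # Class value is an assumed example name
    print(parse_radius(demo)["attrs"])
```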

  • How to retrieve all users in a specific group

    Hi,
    I am using SunOne Directory Server. Can someone please post sample code that illustrates how to fetch the list of all users in a particular group?
    1) Let's say I want to find all the users in a group called "marketing". The root context is dc=mycompany,dc=com. This group can be anywhere below this root context. The only information I am told is the name of the group, "marketing". How will I get all the users in this group?
    2) For each user that is retrieved from the group marketing, how will I find out the user's DN?
    Thanks for the help,
    - Satish

    Do it like this...
    // Assumes ctx is a javax.naming.directory.DirContext already bound to the server;
    // also needs javax.naming.NamingEnumeration and javax.naming.directory.SearchResult.
    String searchBase = "ou=marketing";
    String organizationName = "marketing";
    String ou = "ou"; // attribute name used in the filter
    StringBuffer filter = new StringBuffer();
    filter.append("(|");
    if (organizationName != null && !organizationName.trim().equals("")) {
         filter.append("(");
         filter.append(ou);
         filter.append("=");
         filter.append("marketing");
         filter.append(")");
    }
    filter.append(")"); // close the OR: the filter is now (|(ou=marketing))
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    constraints.setCountLimit(200); // How many users should be found
    constraints.setTimeLimit(100000); // how long (in ms) this search should wait
    // Get an initial context and set it to the ctx object before this point
    NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter.toString(), constraints);
    while (results.hasMore()) {
         SearchResult sr = results.next();
         System.out.println(sr.getNameInNamespace()); // the DN of each entry found
    }

  • Subsciptions - Sending mail to a user using a specific group.

    Hello.
    We currently have SCSM 2012 R2 set up to send mail when an analyst updates a ticket with a comment. We have a template with specific verbiage for the user. This works as designed. We've now taken on the role to support a different line of business.
    We've created a new connector to monitor our LOB 2 support mailbox. We've got the workflow set up to assign the correct support group (LOB 2 support group) and email the LOB 2 end-user that a ticket has been created. We're running into a snag now with subscriptions that are used to notify the end-user that the ticket has been updated by an analyst and needs a response.
    We are trying to expand our subscriptions to do the following:
    Send email to an existing LOB 1 end-user with Template A (LOB 1) when the support group is (LOB 1 Support) - This is our base subscription, and is working correctly.
    Send email to LOB 2 - end-user with Template B (LOB 2) when support group is (LOB 2 Support)
    We are currently using the "when an object of a selected class is created"  and the targeted class = Trouble Ticket Analyst Comments.  However there's no way to filter out the group under additional criteria.
    Does anyone have a suggestion on how to do this?  We are not well versed in XML or PS so I'm hoping that it's something that can be managed inside the SCSM console.
    Thank you.
    Milnesy

    in the criteria window, look for the parent work item relationship in the tree on the left, then find the tier queue or support group value. this should allow you to filter by that value on the parent of the comment. 

  • How to create User in the specific group in Microsoft Active Directory

    Hi,
    I am using Netscape LDAP and want to create a user in a user-defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory and I want to add the new user to the TestUsers group, but my problem is that whenever I create a new user
    it gets added to the Domain Users group.
    I tried adding memberOf attribute with value "TestUsers"
    attr = new LDAPAttribute("memberOf", "TestUsers");          
    attrs.add(attr);
    It gives me following error :
    code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
    Following is the code I am using.
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        boolean flag = false;
        int code = 0;
        LDAPResult ldaprs = new LDAPResult(); // assumed: a small holder with public fields flag and code (not shown in the post)
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn =
                "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Create and add attributes to the attribute set. */
            String objectclass_values[] =
                { "top", "person", "organizationalPerson", "user" };
            // LDAPEntry findEntry=null;
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
            attr =
                new LDAPAttribute(
                    LDAP_PASSWORD_KEY,
                    (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            //desName = userId ;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
            attrs.add(attr);
            /* Attribute pwdLastSet to reset the password on first logon */
            if (resetonLogOn == true) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* memberOf is a back-link that AD maintains itself; writing it on an add is what
               produces the 0000209A WILL_NOT_PERFORM error above. Membership is granted by adding
               the new user's DN to the group's "member" attribute in a separate modify. */
            attr = new LDAPAttribute("memberOf", "TestUsers");
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        } finally {
            ldaprs.flag = flag;
            ldaprs.code = code;
        }
        return ldaprs;
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

  • How do I authenticate users in a specific AD group with Cisco ISE

    I have ISE up and running authenticating properly.  But right now it will authenticate and allow ANY account in Active Directory.  I want to allow access to only users in a specific group in Active Directory.  I have added the group under Administration>Identity Management>External Identity Sources>Active Directory>Groups.  But, I have not been able to find a way to link membership in that group to the Authentication Policy rules.

    Thanks for the reply.
    I'm not getting AD as an option (see below).  Any idea why that might be?

  • Allow specific group/user to log on to the specific computer/group of computers

    Hello All,
    I need a suggestion: allow a specific user/group of users to log on to a specific computer/group of computers.

    Hi Parvez Islam,
    According to your description, you would like to allow a specific user/group of users to log on to a specific computer/group of computers. Right?
    You can enable the following policy to determine which users can interactively log on to this computer:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment:
    Allow log on locally
    For your information, please refer to the following article to learn more about this policy: Allow log on locally
    You can enable the following policy to determine which users cannot interactively log on to this computer:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment:
    Deny log on locally
    This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. For your information,
    Deny log on locally.
    You can configure the users or groups who are restricted from logging on depending on your requirements. In addition, please pay attention to the scope of the policy. If you only want to apply this setting to a specific computer, you can configure this GPO for this computer or configure this computer's local group policy.
    Regards,
    Lamy Zhang

  • How can I access user permission for specific items in Sharepoint 2013 via REST API?

    I want to access user permissions for specific items like lists, documents, folders etc. via the REST API.
    Currently I am hitting the following endpoint:
    http://win-5a8pp4v402g/sharepoint_test/site_1/_api/web/getUserEffectivePermissions('win-5a8pp4v402g\\Sharepoint User 2')
    However the response looks like this:
    {
      "d": {
        "GetUserEffectivePermissions": {
          "__metadata": { "type": "SP.BasePermissions" },
          "High": "0",
          "Low": "0"
        }
      }
    }
    I can't understand why High and Low are both 0. I have added the user to a specific group. Also this is the same result for each of the users. Another thing to note is that I haven't added the "Guest" user in the SharePoint server. So when I hit the endpoint for the Guest user, it still shows the same response. So I know there is something I am doing wrong. I want to access the permissions of a user for a specific item, say a document, using the REST API. Can someone tell me how? What would be the endpoint?

    Thanks for the reply. Although this works for Lists, I need to get permissions of documents too. Here is what I have tried:
    http://win-5a8pp4v402g/sharepoint_test/site_1/_api/web/GetFileByServerRelativeUrl('/sharepoint_test/site_1/Documents/file1.txt')/GetUserEffectivePermissions(@user)?@user='i%3A0%23%2Ew%7Cwin-5a8pp4v402g%5Csharepoint%20user%201'
    And the response is:
    {
      "error": {
        "code": "-1, Microsoft.SharePoint.Client.ResourceNotFoundException",
        "message": {
          "lang": "en-US",
          "value": "Cannot find resource for the request GetUserEffectivePermissions."
        }
      }
    }
    Clearly this doesn't work for a file. What's wrong?

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
    I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
    Sent from Cisco Technical Support iPad App

  • Essbase Error 1051440 - Authentication fails for user admin

    We are facing a very unique problem...
    The application is up & running.. even I can log in to the application, can perform member addition, editing & manage the database from Planning.... but I get this error while retrieving from the Excel add-in or running scripts.
    What I analysed is that this problem is actually coming when a particular set of members are called anywhere, either in scripts or during retrieval through the add-in.
    Recently we had added one dimension in one of the databases of our application. After that this problem started.
    There were a few Xref functions used to pull data from other cubes.... The problem is coming only with those sets of members where this Xref function has been used.
    Even I had changed the formulas & incorporated a member of the new dimension in the formulas to point to target members....
    Have you guys ever faced such kind of issue....
    Please help in resolving....
    Complete Error is: msg from remote site [date n time] Local////Error(1051440) Essbase user[admin] Authentication fails against shared services server with Error[30:1005:Authentication failed for user admin. Enter valid credentials.]]

    Hi,
    are you sure that user "admin" has all necessary rights to run your scripts? I have to ask because we sometimes had problems with our admin user... There is a "native essbase server admin" and the admin user in shared services.
    We didn't have any idea how this could happen, but sometimes our admin user changed to the mentioned "native essbase server admin" - you can see it if you are connected as "admin (internal)".
    If you are logged in as "admin (internal)" you have to "externalize" this user.
    Hope this helps and my bad english is not so much confusing... :-)
    Kind regards
    André

  • Google drive does not work with specific group but works with all users group!!

    Hi,
    Why Google drive does not work with specific group but works with all users group?
    My rule :  Internal > external > all users = works fine
    But
                   Internal > external > A group = not working !!

    Hi,
    if you require user authentication in firewall policy rules, the clients must be Web proxy clients (for HTTP/HTTPS) or TMG clients (for TCP/UDP):
    http://technet.microsoft.com/en-us/library/bb794762.aspx
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • NCS Admin User Group / Permissions

    Recently made a migration from WCS to NCS.  Users were carried over from WCS to NCS.  Users in the admin group were able to rename APs in WCS now cannot rename APs in the NCS.  Admin user group has all permissions available for various actions all checked.  Root user can still rename APs...
    Any ideas? Or is a TAC case a better option...

    Can you please be more specific?
    What are the permissions of "/media/dd500" (like "drwxr-xr-x root:root" or something?) What permissions do you change it to? What are the permissions of the files and folders inside that directory (generally speaking)? What are you trying to do (create a directory, edit a file...) that causes you to know that it "does not appear to work"?
    Lastly, I see that the partition is formatted as NTFS. Does Linux support writing to NTFS partitions nowadays?
    EDIT: By the way, I think all of this would be a lot easier to do from the command line instead of from Thunar.
    Last edited by drcouzelis (2014-01-30 15:12:26)

  • Authenticating a User against UNIX LDAP

    I recently submitted a post to determine how to authenticate a user against the Windows Active Directory. Is this also possible with UNIX? Is the code syntax basically the same? Thanks in advance.

    "Yonatan Taub" <[email protected]> wrote in message
    news:[email protected]..
    I'm using Weblogic server 7.
    I need to authenticate a user against a domain: establish whether the user
    exists and if so, verify his password.
    Code samples would be most welcome.
    You can use the login method.
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/services/Authentication.html
