Cisco ACS 4.2 one user in multiple local groups

Similar Messages

• HT1206 Lots of info about one user using multiple computers. What about multiple users with separate Apple IDs using same computer? Having problems getting my wifes new iPhone talking to her apple account on the computer we share (2 users)

  Lots of info about one user using multiple computers. What about multiple users with separate Apple IDs using same computer? Having problems getting my wifes new iPhone talking to her apple account on the computer we share (2 users)

  You need to create a user account for your wife (or yourself depending on who has the current user account). When syncing, each of you should sign in as a separate user, login to iTunes and then sync. I had this problem when my sister got an iPhone. When we did her initial sync, everything on my iPhone showed up on hers. Apple gave me this solution.

• 'BBPSC11' error in Monitor SC for one User having multiple positions but on

  Hello,
  'BBPSC11' error in Monitor SC for one User - having multiple positions in org structure - but having one BP code associated to all positions.
  We have one BP ID associated to multiple positions of the same user - in multiple org structure.
  The org unit is refered as one Project and like wise we have multiple projects people worked on.
  Once the Proj is over we move the Users from one Proj (Org unit) to another Proj, with new Position created copying the old and associate old BP code to it.
  With this when we go for Monitor SC option - enter User ID in Created By field - old SC are listed but we are getting error if we click on the Detail icon.
  Error:The Internet Transaction Server could not start the transaction "BBPSC11" because of the following error: Attribute for user contains errors. Inform systemadmin. .
  AD

  Hi,
  Pl. verify the user with txn-bbp_attr_check. It could be that the org. relationship of the user changed with what was captured on shopping cart. Also use txn-users_gen to repair the user.
  Regards,
  Sanjeev

• Grant RDP access to ONE user on multiple computers !

  I want to Grant RDP access to ONE user on multiple computers using PowerShell.
  List of computer names are stored in an excel sheet.
  Can this be done easily ?
  Thanks, Yeleshwar

  Hi, this script add users to remote desktop users group.
  $InputServers = Import-Csv "c:\servers.csv"
  $InputUsers = Import-Csv "c:\users.csv"
  $Servercount = 1
  $ServerCountTotal = $InputServers.Count
  $InputServers | ForEach-Object {
  $ServerTemp=$_.ComputerName
  "Starting " + $Servercount + " of " + $Servercounttotal + " : " + $ServerTemp
  $InputUsers | ForEach-Object {
  $objUser = [ADSI]("WinNT://" + $_.Username )
  $objGroup = [ADSI]("WinNT://" + $ServerTemp +"/Remote Desktop Users")
  $objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
  "Complete " + $Servercount + " of " + $Servercounttotal + " : " + $ServerTemp
  $Servercount++
  Servers.csv has a header of “ComputerName” and then a list of servers you want to affect one per line.
  Users.csv has a header of “UserName” and then a list of user names Domain/User one per line.
  check this blog > http://www.blackops.ca/cms/blog/?p=215

• ACS 4.2 - one local user be part of multiple local groups

  Hello,
  I have a group of network engineers that need full admin access to two groups locally in ACS - Network Admins and LMS Admins <--- (New group created for recent LMS CiscoWorks installation).
  I have two NDG's - Cores and LMSserver <-- new
  Problem: If a user belongs to Network Admins group, user can login to the LMS server but limited functions.  If user is moved to LMS admin has full functions but loses level 15 access to the routers and switches, which are AAA clients for Cores.
  I've tried many different settings and still can not find the right one.  Is this doable in ACSv4.2?
  Thank you very much in advanced for your input.
  Cheers!

  Here is the a workaround to solve it.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless.
  Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and
  that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure
  group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2
  and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because
  NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG  or individual  NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a  NAR  configured assigning
  specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups            ACS groups
  A,B,C =============>  Group 1  
  A     =============>  Group 2
  B     =============>  Group 3
  C     =============>  Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in  group A (Group 2)
  You can create a rule for users in  group B (Group 3)
  You can create a rule for users in  group C (Group 4)
  Please check this links
  Group mapping order:
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/qg.htm
  #wp940485
  Regards,
  ~JG
  Do rate helpful posts

• One user appearing multiple time in Users on System report

  Hi,
  While checking the logging report I found one user is appearing multiple times. Is this the normal behaviour of Hyperion of Is there any setting in Hyperion to display one user only once.
  Also can we control the users the from loging into systme multiple time at a time.
  Thanks,
  Ajaya Kumar

  If multiple people know the username and password they can definitely be shared. This is a violation of your licensiing and is a major reason why most SOX departments require Active Directory linking. For testing purposes I have created native IDs to be shared among people so that I know they are identical.

• CISCO ACS, How to Limit User Session ?

  Hi Guys,
  hope you would help me,
  how to limit the user session in ACS 5.x ?
  i'm aware the menu on
  Access Policies >Max User Session Policy > Max Session Group Settings
  i already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
  so it means the user only could open 1 connect at the same time right?
  the problem, it didn't works.
  i had 1 ACS 5.5
  2 CISCO Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
  (let's call it R1 and R2 )
  i'm trying to telnet both of them at the same time, and it works ( it means the session limit didn't works, cmiiw )
  i already include :
  radius-server attribute 44 include-in-access-req
  radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
  on the line vty :
   accounting connection acs
   login authentication acs
  am i missing something?
  also, is this feature works on tacacs+ too?
  Thanks,

  Dash,
  You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
  Thanks,
  Tarik Admani

• One user for multiple tablespaces

  Hello.
  Oracle 11g enterprise.
  Whenever I setup a new tablespace on my server, I create a user for each tablespace on the server.
  Is is possible to create only one user for all tablespaces on a server?
  What is the easiest way to create this one user to have all roles and privileges across all tablespaces?
  Any suggestions are greatly appreciated.

  I would seriously question a design with 'N' databases (whether they are on 1 or more or 'N' servers is not the issue) and DBLink from each of the databases to every other database.
  Not only is it going to be hell to manage (how and when can you decide to shutdown a database for maintenance / patching / server/hardware maintenance when you have N-1 others connecting to it online), but it indicates a possibly high level of data duplication.
  So we still revert to why you think you need that many databases and that many users and that many database links.
  As has been pointed out, there is no relation between tablespaces and DBLinks. NONE whatsoever.
  As for tablespaces and users, I can have
  a. One Tablespace and 10 database accounts with any 1 to 10 of the accounts storing data objects in the tablespace
  b. Ten Tablespaces and 1 database account storing data objects across all 10 tablespaces
  c. 100 database accounts but only 1 to N of them having any data objects, the others only doing SELECT/INSERT/UPDATE/DELETE on objects owned by 1 to N schemas. (This one schemas all being in 1 tablespace or M tablespaces).
  There is no one-to-one correspondence between users and tablespaces necessary. Tablespaces are for logical grouping of data objects.
  I keep referring to data objects as these (Tables, Indexes, LOBs, IOTs, Clusters etc) require storage. Objects like Sequences do not require separate tablepaces although they have persistent values. Objects like DBLinks and Views are only definitions and require no storage (other than in the data dictionary !). Objects like Procedures and Packages and Triggers are code objects and require no storage (other than in the data dictionary).
  So :
  1. Such a design needs to be questioned.
  2. Even if you need such a design, do not tie DBLinks to Tablespaces.
  3. Even if you need DBLinks, do not tie Users to Tablespaces.

• Is there a way to give a local user permission to add a local user using the local group policy editor?

  I need to find a way to have the local administrator of a Windows Server 2012 system grant a local user (non-administrator) the ability to add a user for the machine using the local group policy editor. The machine is not part of any Active Directory environment,
  this is strictly on the one machine.  In my situation it is not an option to just make the user an administrator. The idea is to give someone the right to add a user and have no other such administrative rights. I need to accomplish this using the
  Local Group Policy editor or the Group Policy Management Console if it is possible to do this outside of an active directory environment. This is not an assignment to learn how to use these tools and I am not even sure if it would even be possible though I
  need to either find a way or find proof that it is not possible using these applications.

  Hi,
  Sorry for the delay reply.
  So did you want to non-admin user have the ability to add another user?
  As far as i know, we cannot add the user if we have no local admin permission, we will receive the error"Access denied".
  Regards.
  Vivian Wang

• ACS 5.3 one user multiple roles

  Hi.
  I have got ACS 5.3 and two AD groups: vpn_users and wifi_users. My goal is to permit authentication of user trying to connect to wireless network (via WLC) if he is a  member of wifi_users group. The similar goal is for vpn users (via ASA). I have no idea how to configure ACS Access Polieces.
  In Default Network Access -> Identity    I  created two rules:
  Wifi:  Compound Condition: System:Device IP address = WLC's IP  --> result: AD1 Identity Store
  VPN: Compound Condition: System:Device IP address = ASA's IP  --> result: AD1 Identity Store
  What can i do in Authorization section? My rule is sth like:
  If user is member of AD1:vpn_users  then permit access
  If user is member of AD1:wifi_users  then permit access
  As a resul if user is member of vpn_users but is not a member of wifi_users, he is authorizated both wifi and vpn
  How can i create a rule saying sth like:
  If System:Device IP address = WLC's IP  AND  AD1:group=vpn_users  THEN permit access.
  Thanks.

  Hi there,
  The roles for ACS administrators cannot be modified, and is not possible to add new ones in the current version, this could be an option in the future release.
  According to the role privileges from the User Guide, the closest role to your goal will be ReportAdmin however seems like you already tested this and is not doing what you were expecting.
  Documentation about roles:
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_admin.html#wp1068633
  Rate if it helps!

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• Cisco ACS - HOW ARE INTERNAL USER'S RESTRICTED IN THEIR ACCESS TO RESOURCES

  Does anyone have any insight into this process. Please advise.

  Hi Eduardoaliaga,
  I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domian prefix. However, my side is using the PEAP MsChapv2 as the authentication protocol and I believe that the TLS tunnel is prevent the ACS from stripping the domain prefix/sufix. Thus, I have also posted another discussion on the issue of when the authentication protocol of PEAP MsChapv2 is used, ACS is not able to strip the domain prefix/sufix. Thus, would you be also able to advice on if that is correct. Please refer to the links below.
  1) https://supportforums.cisco.com/thread/2061835
  2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
  3) https://supportforums.cisco.com/message/3581951#3581951
  Thks and Rgds

• One tray for multiple button group items

  Hi,
  I have 3 button group items in my templaate ,in the propoerties of these button grps the tray is on .NOw I can see 3 trays when I execute my template instead I want to have one tray for these 3 button group items . How is this possible?
  THanks
  Sany

  OK, I'm having trouble again. I need multiple items to drag
  to one target. I'm putting all my actionscript in the same frame,
  and here's how it looks:
  stop();
  name_mc.onPress = function():Void {
  this.startDrag(true);
  name_mc.onRelease = function():Void {
  this.stopDrag();
  if (eval(this._droptarget) == safe_mc) {
  this.swapDepths(this._parent.getNextHighestDepth());
  this.removeMovieClip();
  address_mc.onPress = function():Void {
  this.startDrag(true);
  address_mc.onRelease = function():Void {
  this.stopDrag();
  if (eval(this._droptarget) == safe_mc) {
  this.swapDepths(this._parent.getNextHighestDepth());
  this.removeMovieClip();
  And I'm getting the following error message:
  **Error** Scene=Recap, layer=actions, frame=1:Line 21:
  Statement block must be terminated by '}'
  address_mc.onRelease = function():Void {
  **Error** Scene=Recap, layer=actions, frame=1:Line 27: Syntax
  error.
  Total ActionScript Errors: 2 Reported Errors: 2
  Do you know what I'm doing wrong?

• Upload multiple documents option is not visible for one user in SharePoint 2007.

  Hi,
  For one user Upload multiple documents option is not visible.
  We are using SharePoint 2007 environment.
  User is using IE 9 32 bit,Office 2010.
  I did repair office 2010.
  Active x controls are enabled.
  Please anyone help me on this.
  Thanks,
  Ashok

  Hi,
  According to your post, my understanding is that after client upgraded to Office 2013 the option for Upload multiple document was grayed out.
  I try to reproduce the issue in my environment, however everything works well.
  My configuration of system is:
  Windows 8.1;
  IE11;
  Office 2013 32bit.
  Please repair the Office 2013 to check whether it works.
  In addition, there are many thing you need to check. Please refer to:
  http://sharepointknowledgebase.blogspot.com/2013/09/upload-multiple-documents-is-disabled.html
  Here is a similar thread for your reference:
  http://social.msdn.microsoft.com/Forums/en-US/1a5af332-ed21-41ee-bf64-9122a7439623/sharepoint-not-activating-stsuplddll-upload-mutliple-documents-greyed-out?forum=sharepointgeneralprevious
  More information:
  "Upload Multiple Documents" is disabled in Document Library
  SharePoint 2010 : How to Enable Uploading Multiple Documents Functionality
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• Add-MailboxPermission for multiple users on multiple mailboxes

  I have a need to grant a large number of users full access to an equally large number of mailboxes. I've previously been able to do this easily in the management shell where I have multiple users for one mailbox (or vice-versa; one user for multiple mailboxes)
  by using one of the following 2 commands:
  get-content c:\xxxx.txt | foreach { Add-MailboxPermission $_ -User user.name -AccessRights FullAccess}
  or
  get-content c:\xxxx.txt | foreach { Add-MailboxPermission examplemailbox -User $_ -AccessRights FullAccess}
  This works fine for when there are only multiple entries on one side of the equation, but using this method, I would need to run the command multiple times to get all of the accesses set up as requested. So I've been looking to see if there is a way of writing
  one command that could achieve it all in one go.
  What I've been looking at doing is creating a .csv file, filled as such;
  name,mail
  user.name1,mailbox1
  user.name2,mailbox2
  And then writing a shell command like the below:
  import-csv c:\xxxx.csv | foreach { Add-MailboxPermission $_.mail -User $_.name -AccessRights FullAccess}
  Will this achieve the result that I'm aiming for? or is it going to be easier to just go with the more time-consuming method of just having the multiple entries on one side of the equation?

  Hi,
  I have a test in my environment, you can use the following cmdlet to grant multiple users full access to multiple mailboxes.
  Import-csv c:\test1.csv | foreach { Add-MailboxPermission $_.mail -User $_.name -AccessRights FullAccess}
  For example, if I want to grant amy02, amy03 full access permission to amy01; grant amy01, amy02 full access permission to amy03, the test1.csv file should be:
  Hope this can be helpful to you.
  Best regards,
  Amy Wang
  TechNet Community Support