Cisco ACS - HOW ARE INTERNAL USERS RESTRICTED IN THEIR ACCESS TO RESOURCES

Does anyone have any insight into this process? Please advise.

Hi Eduardoaliaga,
I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MSCHAPv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when PEAP MSCHAPv2 is used as the authentication protocol, ACS is not able to strip the domain prefix/suffix. Would you also be able to advise whether that is correct? Please refer to the links below.
1) https://supportforums.cisco.com/thread/2061835
2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
3) https://supportforums.cisco.com/message/3581951#3581951
Thks and Rgds

Similar Messages

  • CISCO ACS, How to Limit User Sessions?

    Hi Guys,
    hope you would help me,
    how do I limit the user session in ACS 5.x?
    I'm aware of the menu at
    Access Policies > Max User Session Policy > Max Session Group Settings
    I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
    So it means the user could only open 1 connection at the same time, right?
    The problem is, it didn't work.
    I have 1 ACS 5.5 and
    2 Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
    (let's call them R1 and R2)
    I'm trying to telnet to both of them at the same time, and it works (which means the session limit didn't work, CMIIW).
    I already included:
    radius-server attribute 44 include-in-access-req
    radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
    on the line vty:
     accounting connection acs
     login authentication acs
    Am I missing something?
    Also, does this feature work on TACACS+ too?
    Thanks,

    Dash,
    You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
    Thanks,
    Tarik Admani

  • Cisco ISE - How to map User- Location - Restrict Access to other locations

    Hi,
    I've got a simple question and I hope someone here can help me out with this mess.
    The problem is about WLAN 802.1X auth with a Cisco WLC and an ISE.
    The design goal is the following:
    There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
    The technical design is this:
    Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time; later I want to use AD and LDAP sources.
    Here is the problem:
    I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only login over APs, WLCs,.....in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
    PLEASE HELP.

    I don't know, but maybe this is the correct way to validate the user:
    NAS-ID in AP-Groups (one AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
    I am confused because there is no way to compare these values.
    In this case, to compare the value of "NAS-ID" and the user's "IDENTITY-GROUP".
    If they match against each other, then "Permit-Access".
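    The per-facility rule sketched above, modelled as an added example (not code from the thread or from Cisco ISE): because the post notes that NAS-ID cannot be compared against the user's identity group directly, one rule per facility pins both to the same literal. Facility ID "12345" comes from the post; the second facility, user names and NAS-IDs are constructed.

```python
# Added example, not code from the thread or from Cisco ISE: a model of the
# "NAS-ID == X AND Identity-Group == X -> Permit-Access" rule, generated
# once per facility. Facility "12345" is from the post; "67890", the user
# names and the request attributes are constructed sample values.

from dataclasses import dataclass

FACILITIES = ["12345", "67890"]   # one ID per branch; second one constructed


@dataclass(frozen=True)
class Rule:
    name: str
    nas_id: str           # NAS-Identifier the WLC sends for that AP group
    identity_group: str   # identity group the user must belong to
    result: str           # authorization result when both conditions hold


def build_facility_rules(facilities):
    """One authorization rule per facility, both conditions set to the same literal."""
    return [Rule(f"Facility-{f}", f, f, "Permit-Access") for f in facilities]


# Constructed identity store: each user belongs to exactly one facility group.
USERS = {"alice": {"12345"}, "bob": {"67890"}}


def evaluate(rules, username, request, default="Deny-Access"):
    """First-match evaluation of the rule list, top to bottom.

    request: RADIUS attributes from the WLC; only NAS-Identifier is used here.
    Returns (rule name, result); a request matching no rule falls to the default.
    """
    groups = USERS.get(username, set())
    nas_id = request.get("NAS-Identifier")
    for rule in rules:
        if rule.nas_id == nas_id and rule.identity_group in groups:
            return rule.name, rule.result
    return "Default", default


if __name__ == "__main__":
    rules = build_facility_rules(FACILITIES)
    # alice on her own facility's AP group is permitted...
    print(evaluate(rules, "alice", {"NAS-Identifier": "12345"}))   # ('Facility-12345', 'Permit-Access')
    # ...and denied when she roams to facility B's APs
    print(evaluate(rules, "alice", {"NAS-Identifier": "67890"}))   # ('Default', 'Deny-Access')
```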

  • ACS 4.2 (Trial) User Group Restrictions?

    I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
    So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.
    For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

    Yogesh:
    To move existing users from one group to another you can:
    - go manually to each user and change its group membership. OR:
    - Use RDBMS synchronization where you can fill a CSV file with the actions that you want (change group membership in your case) and import that to the ACS.
    For RDBMS sync you can read the user guide:
    http://tiny.cc/n13b1w
    This config example may also be useful about how to import the csv file:
    http://tiny.cc/533b1w
    I suggest that you read the guide and come back to ask here if you have any concern.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ACS 5.1 internal users

    Hi
    I have a customer with an ACS config that has an identity store sequence to authenticate against for TACACS. First the internal database is checked for the user. If they do not exist there, they are checked against AD.
    If the user is one of the 200+ they have migrated from an ACS 4 config into internal users, they want to give them full enable access. If the user is not in the internal database and needs to be verified via AD, they only get priv 1 access.
    Is there an easy way to create an Authorization rule in the default device admin service selection rule to do this?
    I'm trying to test via a compound Condition.  The condition matches the Dictionary Internal Users group attribute with a value of All Groups.  I cannot connect to AD at the moment to test this as it's in a lab environment but I'm hoping that when this rule is checked then only users that are explicitly in the internal database via the All Groups condition will match.  If the user was matched via AD this rule won't match and the next one will come into effect which is a default rule to give priv 1 access.
    Anyone have any thoughts on this method ?
    Many thanks, Stephen.

    Excuse my stupidity. There is an Identity Group condition in the Authorization rules page for this. I don't need a compound condition.
    My intention is to match on Any Group there and apply priv 15 access with a shell profile.
    I will then leave the default rule to catch all others which go to AD for authentication.  I assume they will not match the Any Groups Identity Group so will use the default rule.  I'll then apply the appropriate shell profile to the default rule.
    Thanks, Stephen.
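    The identity store sequence and the two authorization rules Stephen describes, modelled as an added example (not code from the thread or from Cisco ACS). Store contents, user names, passwords and shell profile names are constructed; the assumption that a wrong password in the internal store rejects rather than falling through to AD is labelled in the code.

```python
# Added example, not code from the thread or from Cisco ACS: identity store
# sequence (Internal Users first, then AD1) followed by authorization
# rules: identity group under "All Groups" -> priv 15 shell profile,
# otherwise the default rule -> priv 1. All store contents are constructed.

import hashlib
import hmac
import os


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str, **attrs):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_pw(password, salt), **attrs}


# Internal Users: migrated ACS 4 accounts, each placed in an ACS identity group.
INTERNAL_USERS = {"netadmin1": _record("constructed-pw-1", identity_group="All Groups:Migrated")}
# AD1: everybody else; AD users carry no ACS identity group.
AD_USERS = {"helpdesk1": _record("constructed-pw-2")}
STORE_SEQUENCE = [("Internal Users", INTERNAL_USERS), ("AD1", AD_USERS)]


def authenticate(username, password):
    """Walk the sequence; the first store that knows the user decides."""
    for store_name, store in STORE_SEQUENCE:
        rec = store.get(username)
        if rec is None:
            continue            # user not found here: try the next store
        if hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw"]):
            return store_name, rec
        return None             # assumption: a bad password rejects, no fall-through
    return None


def authorize(store_name, rec):
    """Rule 1: IdentityGroup in 'All Groups' -> Priv15-Shell; Default -> Priv1-Shell."""
    if store_name == "Internal Users" and rec.get("identity_group", "").startswith("All Groups"):
        return "Priv15-Shell"
    return "Priv1-Shell"


def login(username, password):
    """Returns (store that authenticated the user, shell profile) or None on reject."""
    auth = authenticate(username, password)
    if auth is None:
        return None
    return auth[0], authorize(*auth)


if __name__ == "__main__":
    print(login("netadmin1", "constructed-pw-1"))   # ('Internal Users', 'Priv15-Shell')
    print(login("helpdesk1", "constructed-pw-2"))   # ('AD1', 'Priv1-Shell')
```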

  • Cisco ACS 4.2 one user in multiple local groups

    Currently I have group mapping like this:
    ACS Groups      Windows Groups
    Grp-A-B         Grp-1 and Grp-2
    Grp-A           Grp-1
    Grp-B           Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user cannot be a member of two groups at the same time.
    The same concept applies to the external users. They cannot be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mapping in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference: http://goo.gl/cvc474
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
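    The ordered group set mapping quoted above, as an added example (not code from the thread or from ACS): the list is walked top to bottom and the first mapping whose Windows groups the user all holds wins, so deleting Grp-A-B lands test1 in Grp-A only. Group names are from the post; user memberships and the fallback group name are constructed.

```python
# Added example, not code from the thread or from ACS: first-match group
# set mapping as in the quoted "Group Mapping Order" passage. Group names
# are from the post; memberships and the fallback name are constructed.

MAPPINGS = [
    ("Grp-A-B", {"Grp-1", "Grp-2"}),
    ("Grp-A", {"Grp-1"}),
    ("Grp-B", {"Grp-2"}),
]


def map_user(windows_groups, mappings, default="Default Group"):
    """ACS group for a user with the given Windows group memberships."""
    held = set(windows_groups)
    for acs_group, required in mappings:
        if required <= held:      # every group of this set mapping is held
            return acs_group      # first match wins; the mapping process stops
    return default


def without(mappings, acs_group):
    """The mapping list after deleting one group set mapping."""
    return [m for m in mappings if m[0] != acs_group]


def shadowed(mappings):
    """Mappings that can never match because an earlier mapping with a
    subset of their groups always matches first (the order pitfall the
    quoted text warns about when combination mappings are listed late)."""
    names = []
    for i, (name, required) in enumerate(mappings):
        if any(earlier <= required for _, earlier in mappings[:i]):
            names.append(name)
    return names


if __name__ == "__main__":
    test1 = {"Grp-1", "Grp-2"}
    print(map_user(test1, MAPPINGS))                       # Grp-A-B
    print(map_user(test1, without(MAPPINGS, "Grp-A-B")))   # Grp-A (never both)
    print(shadowed([("Grp-A", {"Grp-1"}), ("Grp-A-B", {"Grp-1", "Grp-2"})]))  # ['Grp-A-B']
```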

  • GP on Domain User to Restrict other PC Access

    Hi Team,
    Thanks for reading. I have the following scenario:
    Being the administrator of the domain, I have to restrict domain users from accessing other PCs.
    A domain user should not be able to access other PCs WITHIN the domain.
    Awaiting your response.
    OS - Windows Server 2008 R2.
    Client pc using OS- Windows 7
    Thanks,
    Regards, Ravi Kumar

    Hi,
    you can set the User Attribute "userWorkstations"
    Source of Picture: http://www.selfadsi.de/user-attributes-w2k8.htm
    So you can restrict where the users can log on.
    Is this what you searched for?
    Regards
    Eric
    Eric Berg -- http://www.ericberg.de -- MCSE: Private Cloud MCSE: Server Infrastructure MCSE: Desktop Infrastructure

  • How are the User Id created

    Hi,
    We went live with the external posting for e-recruiting and the user IDs generated contain a nine-character value in the back end. Now we are working on internal candidates and this question popped up because any internal employee who is applying for a job should have his PERNR number too in the user ID (correct me if I am wrong), so that with his user ID he can log in to any HR-related applications. This is where CUA comes into the picture. CUA is going to be implemented on our production system, which is currently for external postings only; will this create problems for internal candidates?
    Is there a way to know how these nine-character user IDs are getting generated?
    Your piece of information is highly regarded.
    Please elaborate if possible.
    Regards,
    Victoria

    Are you sure that you created a new account with the same primary email address, and/or you hadn't changed the address on the existing account?
    Only Apple can potentially delete an account, and if you had asked them to do so and they did delete it then its purchase history will also have gone.

  • Cisco ACS 4.2 Internal Error

    Good evening. I have a problem with ACS 4.2 and AD: on authentication on a PC I have an internal error. In RDS.log I have this line:
    Error UDB_NT_UNKNOWN_ERR authenticating (DOMAIN)\(USERNAME) - no response sent to NAS
    I already checked physical layer problems; the switch is configured for dot1x and the CiscoSecure remote agent is installed.

    Hello,
    Is the Auth.log file also reporting "Windows authentication FAILED (error 6L)" for the same RDS timestamps/failure?
    Also, which ACS version (Include Patch) are you using? Are you authenticating against Windows Server 2003 or 2008 or 2008 R2 AD?
    NOTE: Remember that 2008 R2 AD is not supported by any ACS 4.x version.
    Also verify that you have complied with the following requirements:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476
    Verify which one applies for you as there are two options: Windows Member Server or Windows Domain Controller.
    Regards.

  • How are different user names being created on my Apple ID accounts??

    I can no longer access the Guest Account on my iMac running Snow Leopard. The Guest account says I have the wrong pwd? Funny thing is I never gave it a pw! Once before I found the Guest Account configured in a lower layer IFrame with several missing programs from my personal account being used by it. No one else has physical access to my iMac, although I often see activity and references to Remote Desktop in my logs and source files.
    Recently had to have a firmware PW removed from my iMac and I never set the FW pw in the first place. After the firmware reset, when I got home and turned it on the first time, it tells me it doesn't recognize my administrator/user pws? Can these strange but true issues be related? Am I hacked? If so, how do I begin to untangle it all? I did go ahead and set the FW password this time as I don't want anyone else to set it for me and have to go through that ordeal again. Is this something I should do, or not? How else can I protect my iMac from these rogue changes and settings/menu/program alterations that keep happening? These things seem to happen in spite of several virus, anti-spam and security programs I've installed, or any other security steps I've always tried to follow to prevent being hacked.
    Started to reinstall Snow Leopard from original disc this evening and Utility tab shows two other volumes installed, that's three total; one being Boot Camp, the other Untitled. I never installed any of these except SL from the original disc. It appears I neither have full access to these other 2 partitions as the i button only shows partial information. Also the verify permissions, users, etc buttons do not allow me to repair, or do anything with these other volumes. Now I'm afraid to try and use the os disc without someone's more knowledgeable guidance, and/or wisdom. I've already made 2 trips to local Apple Store, plus the 3 hour round trip to authorized tech center to get the FW pw reset, so I'm hoping someone on the forum might be able to help me out this time .. argh!

    HI Suzie,
    Not to alarm you, but it does seem somebody got into your Mac remotely.
    Disconnect from the Internet & try reinstalling the OS... can you afford to erase & install?
    Do you have backups?
    ClamXAV, free Virus scanner...
    http://www.clamxav.com/
    Free Sophos...
    http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition/features.aspx
    http://www.sophos.com/products/enterprise/endpoint/security-and-control/mac/
    Little Snitch, stops/alerts outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html

  • How are iPad users finding the iPad for reading books, novels, etc.?

    Hi - I have not purchased an iPad yet, but was wondering what user's experiences have been so far with reading books - i.e. spending a lot of time reading on the device. I know some say reading on a LED backlit screen is harsh on the eyes and causes strain over time. I have a MacBook Pro and have not had this problem reading on my notebook, but then again, I have never read an entire novel on my notebook.
    Just curious about user experiences.
    Thanks
    M.

    3 iPad apps for reading and acquiring books: iBooks, Kindle and Kobo.
    I am preferring iBooks and kobo because you do not leave the app to shop for books.
    I have read 1 whole novel and assorted bits of others.
    No eye strain. Those complaining they are too frail to hold 1.5 lbs for an extended time need to learn to cradle the iPad on their forearm and join a gym.
    If the content you are reading is any good, you quickly forget about the device. It gets out of the way of the content and you because of the simplicity of the interface.

  • How are the User screen and the Configuration screen Related in SPRO

    Thanks

    Stop trying to read directly from the database. It's not supported and you're only going to make things harder for yourself.
    import-module smlets
    $userclass = get-scsmclass System.User$
    get-scsmobject $userclass | ? {$_.OrganizationalUnit -ne ""} | ft DisplayName,OrganizationalUnit
    DisplayName OrganizationalUnit
    LAB\Public Folder Management Microsoft Exchange Security Groups
    LAB\Recipient Management Microsoft Exchange Security Groups
    LAB\Help Desk Microsoft Exchange Security Groups
    LAB\Exchange All Hosted Organizations Microsoft Exchange Security Groups
    LAB\Exchange Windows Permissions Microsoft Exchange Security Groups
    LAB\ExchangeLegacyInterop Microsoft Exchange Security Groups
    LAB\Discovery Management Microsoft Exchange Security Groups
    LAB\View-Only Organization Management Microsoft Exchange Security Groups
    LAB\UM Management Microsoft Exchange Security Groups
    LAB\Server Management Microsoft Exchange Security Groups
    LAB\Delegated Setup Microsoft Exchange Security Groups
    LAB\Compliance Management Microsoft Exchange Security Groups
    LAB\Exchange Servers Microsoft Exchange Security Groups
    LAB\Exchange Trusted Subsystem Microsoft Exchange Security Groups
    LAB\Hygiene Management Microsoft Exchange Security Groups
    LAB\Records Management Microsoft Exchange Security Groups
    LAB\Organization Management Microsoft Exchange Security Groups

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 member server. Initially I only have the need to authenticate network admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for RADIUS authentication pointed to the ACS server, it always maps to the first Network Access Profile and, rather than trying the second, it will error saying some condition is not met, depending on what changes I make. Can someone tell me what criteria are used to determine which NAP is used? According to the manual, if all 4 criteria are not met then the profile will not apply.
    I am using one ACS group that is mapped to an AD group for wireless access and a second ACS group mapped to an AD group that includes the net admins. This group mapping appears to be working, as the user group name seems to be mapped correctly in the logs. In short, I have tried configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is, if I have the Wireless NAP first, it works fine for PEAP authentication on wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication protocol is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
    Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul

  • How to find users machine / IP who is accessing forms through Oracle AS

    Dear Gurus
    We need to know the users machine / IP who are accessing forms through Oracle 9i Application Server, how can we find that?
    thanks in advance
    regards
    Mehmood

    Mehmood,
    Set serverURL=/forms90/f90servlet/session in the Forms Web configuration default section or add it to the URL to start tracing host name and ip-addresses from clients. The output appears in the servlet log file application.log. sessionperf , perf and debug are the other options instead of session.
    regards,
    Bernhard Jongejan
    http://bernhardjongejan.spaces.live.com

  • How do two users on the same computer access the same itunes Library

    Guys
    I just bought a new computer for the household and set up two users on it.  we all have iphones and ipads but now all the music is only accessible by one user.  I am no longer able to synch my music to it because it cannot locate my music !!!
    Anyone have any ideas on how we can both access this library please
    Thanks

    See iTunes: How to share music between different user accounts on a single computer.
    tt2
