Command Authorization and the CSS

Hi,
Is it possible to do command authorization via usernames with a CSS? I want to implement something similar to the command authorization of an IOS device.
Is there any reference on the CCO on how to set up the ACS and the CSS?
Any hint or help is appreciated.
Kind Regards,
Joerg

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080192ef2.html#wp1077431
The ACS setup would be the same as for IOS, I believe.
Gilles.

Similar Messages

  • Installed new harddrive and I am trying to restore from time machine external back up. I restarted the computer and held the Command key and the R and the restore utility does not appear. what can I do

    I installed a new hard drive and I am trying to restore from a Time Machine external backup. I restarted the computer and held the Command key and the R key, and the restore utility does not appear. What can I do?

    Command + R keys are for MacBooks running Lion and Mountain Lion only. (I could be wrong on this.)
    you have a couple of options:
    Do a clean install of Snow Leopard via Install DVD.
    Clone your old hard drive to your new hard drive via Carbon Copy Cloner
    Or click on the link below to give you a better idea.
    Hope you get it sorted out.
    http://pondini.org/TM/14.html

  • I will starting afresh website in my iWeb, it shows only the head or the command line and the command new website is inactive - what do I need to start over

    Help........
    I will starting afresh website in my iWeb, when I start the program it only shows the head or the command line and the command new website is inactive - what do I need to start over - what have I done wrong

    Don't quite understand what you mean, but it says at the bottom that you are still using iWeb 08 so depending on what OSX you are running, you might consider upgrading to iWeb 09.  This works with Lion, Mountain Lion and Mavericks.
    Apple no longer sells iWeb so if you decide to upgrade, then you'll need to purchase iWeb by going to Amazon and buying the iLife 09 or 11 boxed sets, both of which contain iWeb 09.
    Install this on your Mac and it might solve your problems, or just ditch iWeb and start again with one of the newer programmes out there that are still being supported and updated, such as RapidWeaver, Sandvox, Freeway Pro/Express, Flux 4, WebAcapella 4 and EverWeb (http://www.everwebapp.com).

  • Problem - acs command authorization and web access control

    Hi, I'm trying to add the control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few other ones, but for it to work, I must give the limited users privilege level 15, and by having the TACACS server authorize the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user being already authenticated as a level 15 user, the device becomes open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?

    It is already at local; it is just that the user already has level 15 access, and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 while still controlling the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config,
    and here is the command set that works at level 15 to do a "shut" or "no shut" of the radio interface through the web interface:
    configure
      permit terminal
    exit
      permit Unmatched Args
    interface
      permit Dot11Radio0
    no
      permit shutdown
      permit cca
    ping
      permit Unmatched Args
    show
      permit Unmatched Args
    shutdown
      permit Unmatched Args
    telnet
      permit Unmatched Args
    write
      permit memory quiet
    Thanks for the help !

  • Confused With Dreamweaver CC and the CSS Styles Panel!

    Hi all
    I'm relatively new to CC but I'm having a lot of fun learning how to use Dreamweaver. But now comes where I get confused. I'm learning from Lynda.com "Dreamweaver and WordPress Core Concepts", and as I follow the tutorial regarding the actual structure of WordPress themes, I have different panels from the tutor.
    As you can see from the pics, I have a different setup and this makes it very hard to follow the tutor.
    I have tried the Window menu but there is no CSS Styles panel, plus I have media, sources, selectors, and properties. Apparently the tutor is also using CC.
    Can someone please guide me on how to learn Dreamweaver with up-to-date tutorials....

    I'm not familiar with the Dreamweaver/WordPress videos on lynda.com, but if the tutorials are showing the CSS Styles panel, it means that it was recorded on Dreamweaver CS6 or earlier.
    The CSS Designer panel replaces the old CSS Styles panel in DW CC. Since you have access to lynda.com, I suggest that you take a look at James Williamson's CSS Designer overview in Dreamweaver CC Essential Training.

  • Edit command menu and the Find option

    How can I delete the 'find' and the 'find again' options? It is so annoying that, more or less every time I try to type a message or press shift to get a capital letter, this annoying box appears and what I am typing continues in the text box of this 'find'. I just want to get rid of this 'helpful item'.

    See http://kb.mozillazine.org/Find_bar_opens_when_typing_in_textbox

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc., but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
    For the example, I'll use VLAN 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, I see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentic login default group tacacs+ local
    aaa authentic login no-tacacs none
    aaa authentic enable default group tacacs+ enable
    aaa author config-commands
    aaa author exec default if-authenticated
    aaa author commands 1 default if-authenticated
    aaa author commands 15 default group tacacs+ local
    aaa author console
    aaa account exec default start-stop group tacacs+
    aaa account commands 0 default start-stop group tacacs+
    aaa account commands 1 default start-stop group tacacs+
    aaa account commands 15 default start-stop group tacacs+
    aaa account connection default start-stop group tacacs+
    aaa account system default start-stop group tacacs+
    aaa session-id common
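
The `debug aaa authorization` lines quoted in the question above can be regrouped per request to audit which full command lines the TACACS+ server actually passed. This is an added example, not code from either poster; the function names are hypothetical and the sample input is copied from the post.

```python
import re

# Sample input: the two exchanges quoted in the post above, verbatim.
SAMPLE = """\
146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
"""

# "user=..." and "send AV key=value" lines, keyed by the request id in parentheses.
AV_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): (?:send AV )?([\w-]+)=(.*)$")
# Final verdict line for the same request id.
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")


def _new_record():
    return {"user": None, "cmd": None, "args": [], "status": None}


def parse_author_debug(text):
    """Group debug lines by request id into user/cmd/args/status records."""
    requests = {}  # dicts keep insertion order, so records stay in log order
    for line in text.splitlines():
        m = AV_RE.search(line)
        if m:
            rid, key, val = m.group(1), m.group(2), m.group(3).strip()
            rec = requests.setdefault(rid, _new_record())
            if key == "cmd-arg":
                if val != "<cr>":  # <cr> only marks the end of the command line
                    rec["args"].append(val)
            elif key in ("user", "cmd"):
                rec[key] = val
            continue
        m = STATUS_RE.search(line)
        if m:
            requests.setdefault(m.group(1), _new_record())["status"] = m.group(2)
    return list(requests.values())


def passed_with_arg(records, cmd, arg):
    """Command lines for `cmd` that contain `arg` and were authorized (PASS_*)."""
    return [" ".join([r["cmd"]] + r["args"]) for r in records
            if r["cmd"] == cmd and arg in r["args"]
            and (r["status"] or "").startswith("PASS")]
```

Calling `passed_with_arg(parse_author_debug(SAMPLE), "switchport", "101")` lists the authorized command lines that reached the VLAN the command set was meant to block.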

  • What is the difference between using the command "dsmgmt" and the "Managed By" tab when adding users to the local administrators Account on a Read-Only Domain Controller?

    When I use the "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the group added to the "Managed By" tab of the RODC object in AD. Even though, the users added using "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account?

    Hi,
    For groups, managedBy is an administrative convenience to designate “group admins”. Whatever principal listed in managedBy gets permission to update a group’s membership (the actual security is updated on the group’s AD object to allow this).
    In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx). 
    On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
    So the difference between them should be only the way they do the same thing.
    For more details, please refer to the below article:
    http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx

  • Query authorizations and the result in Bex Analyzer

    Hi,
    Is the following possible to achieve by nesting authorizations?
    User X has the following 2 authorization roles:
    role 1 (description: FIGL)
    |--- Query 1
    role 2 (description: FIGL)
    |--- Query 2
    Visualisation in BEx:
    Folder FIGL
    |--- Query 1
    |--- Query 2
    At the moment I see
    FIGL
    |--- Query 1
    FIGL
    |--- Query 2
    I hope the ASCII art is a little bit clear
    As you can see, both roles are technically 2 different objects, so they are split. Is there any possibility to let the queries from role 1 appear in role 2 (merge them in the visualisation)? I already played with the "derive from role" option, but this totally replaced the menu from the receiving role...
    kr,
    Rutger Hennico

    Hi.
    'ZCDAY' = User date Variable on 0CALDAY. (If User will give date).
    'ZDYS'   = Formula Variable with Customer Exit, Dimension ID = Number.
    DATA: DY TYPE SY-DATUM.
      WHEN 'ZDYS'.
          LOOP AT i_t_var_range INTO loc_var_range WHERE vnam = 'ZCDAY'.
            CLEAR l_s_range.
            DY = loc_var_range-low+6(2).
            l_s_range-low = DY.
            l_s_range-sign = 'I'.
            l_s_range-opt = 'EQ'.
            APPEND l_s_range TO e_t_range.
            CLEAR l_s_range.
          ENDLOOP.
    if there is no User Input then use..**
    WHEN 'ZDYS'.
          LOOP AT i_t_var_range INTO loc_var_range.
            CLEAR l_s_range.
            DY = loc_var_range-low+6(2).
            l_s_range-low = DY.
            l_s_range-sign = 'I'.
            l_s_range-opt = 'EQ'.
            APPEND l_s_range TO e_t_range.
            CLEAR l_s_range.
          ENDLOOP.
    Thanks
    Reddy

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling to enter commands.  The commands are set in the Shell Command Authorization Sets and this hasn't changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets themselves.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes:
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'.
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    There are no errors; the switch IOS is putting the asterisk as it does when you enter a command that is not recognised, i.e. for clear port-security, the port-security onwards is not recognised.  On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode.  The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
    Rob...

  • ACS - ASA Authorization and Accounting

    Hi
    I have some questions regarding authorization and accounting on ASA via ACS server
    When I enable the command "aaa authorization command" to control SSH users' commands, I get locked out on console, then I have to configure the console, telnet, and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally or even with no authentication?
    I issued the accounting command "aaa accounting command TAC" on the ASA but I noticed that the ACS just logs commands in configuration mode "privilege 15", not any show command or privilege 1. Is there any way to fix this?
    Does RADIUS support SHELL authorization?
    thanks for your support

    1.] Unfortunately, there currently isn't any way to exclude command authorization from the  serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
    2.] When you configure the aaa accounting command command, each command other than  show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
    http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
    Regards,
    Jatin
    Do rate helpful posts-

  • Restrict aaa access using command authorization windows acs3.6

    I need to enable aaa users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command auth set to include "configure" "permit term" they are given unrestricted access.
    Any help appreciated.

    On the router there's a:
    aaa authorization config-commands
    command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.

  • AAA command authorization in ACE

    How do we enable AAA command authorization in the ACE module on a 6500 switch? I don't find any aaa authorization commands in it.
    Kind regards
    Ullas

    Hi,
    See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. It sounds like you're being put into Network-Monitor role by default. Quote from the manual:
    "The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
    There are postings in this and other Cisco fora about exactly how to set these values (which depends on your RADIUS server implementation).
    HTH
    Cathy

  • Updating css in the CSS repository

    Hi,
    I have a problem with updating a css which is in the CSS repository. It seems that none of the updates has any effect on the page. Even if I delete the css from the CSS repository it seems to be still there. How can I update a css in the CSS repository??
    Thanks, Maren

    I am experiencing the same situation and don't understand what is happening.
    I have my own css which has been working fine.
    When I edit the css in HTML with the edit button and press APPLY CHANGES, it saves it somewhere, because when I edit again the change is there, but I don't see the change in my application since the classes I changed are still showing with the old values.
    If I press the link on the cssname I Download the css and I get the old version.
    It seems that html updates css in one place and the css file is in another.
    Can someone please give me an idea of what is happening.
    Thank you.
    Carlos
