Exclude specific user from aaa authorization commands

Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Is it possible to exclude a user, say User1, from being command authorized?
In other words, when User1 logs on to the switch/router, the switch/router shouldn't check the ACS whether User1 is authorized to use the command.
We tried this with method lists in combination with ACLs on the VTYs:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say User1 always logs in from a specific IP that is listed in access-list 2; the switch would then use the method list configured under line vty 1.
But apparently, when a remote connection is established, the switch/router uses the first VTY that is available, instead of checking which ACL matches the source IP of the user.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind Regards

If that user belongs to a unique group then you can write a policy where "if the user is in group X then return access-reject", or return access-accept but set the privilege level to 1 and block all commands.
Thank you for rating helpful posts!

Similar Messages

  • Exclude specific user from ACS logging ?

    Hi,
    My customer and I are looking for a way to exclude actions/commands logging on the AAA servers (ACS) for a single specific user, while logging still goes on for other users, as the AAA clients on the network devices have been configured with:
    aaa accounting commands start-stop tacacs+
    I have not found any solution up to now, either on the ACS side or on the IOS side with the aaa commands.
    (Though it looks like a potential security issue.) Can anyone advise?
    Thanks for your cooperation.
    Yvon.

    ACS 5.1 has the concept of collection filters which I think can do what you are looking for
    See: http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/viewer_sys_ops.html#wp1072344

  • Exclude a user from Shared Services LCM export

    How do I exclude a specific user from the Shared Services LCM export?  In the migration definition file I am trying to specify something like the following:
    pattern="*" and pattern<>"lcm_admin"

    What exactly do you want to do after/by exporting users from Shared Services?
    Regards,
    Santy.

  • AAA authorization commands

    Hi All
    Probably I am going to ask a stupid question, but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
    Following is my aaa part config
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
    Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is: why do I bother configuring this command?
    Would really appreciate your quick reply
    Regards

    Thanks a lot for your quick response. Really appreciate that.
    So does this mean I can safely assume that if I am using the local database then I don't require the "aaa authorization commands level" command?
    that is following should be the config
    username cisco privilege 15 secret cisco 
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    privilege exec level 15 show   (just an example)
    privilege exec level 15 debug
    I have tested this and it worked fine without using "aaa authorization commands level".
    Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+, but before that I wanted to get a good grip of AAA functionality and therefore started off with the local user database.
    So you mean to say that if I am using TACACS+ for authentication and authorization purposes, and in the ACS server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting user "cisco" to only use "show" and "debug") without using "aaa authorization commands level" (like I tested with the local database)?
    will really appreciate your kind response

  • Aaa authorization commands for pix 535

    Hi ,
    Can you provide aaa authorization commands for pix 535
    Sanjay Nalawade.

    Hi,
    Please find the AAA config for PIX.
    aaa-server TACACS+ protocol tacacs+
    max-failed-attempts 5
    aaa-server TACACS+ (ExranetFW-In) host
    timeout 5
    key ********
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authorization command LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa authorization exec authentication-server
    Karuppuchamy

  • Aaa authorization command

    Hi!
    I have issued the "aaa authorization command tacacs" command on my ASA, but the ACS is not letting me do any command now. I'm trying to issue "no aaa authorization command tacacs", but it does not let me.
    How can i rollback??
    Please Help me
    Tkx
    Miguel

    What version of ACS are you running?
    If you are running ACS 4.x then you will have to go to your group settings and, under shell command authorization, permit all commands. If you are using ACS 5, you will have to go to your authorization policy, click customize if the command set column isn't active already, and assign the command set to allow all commands. I think by default there should be a permit all.
    Thanks,
    Tarik

  • Is there a way to exclude specific calendars from Notifications and alerts?

    I have 4 calendars:  1 Exchange and 1 Yahoo that includes 2 shared calendars (wife and MIL).  I activate the Yahoo calendars only when I need them and do not need any yahoo reminders at all.  When I swipe down the Notifications page, it includes all four calendars including the shared Yahoo calendars. What's worse, I get alerts from all four calendars. 
    I only want Exchange alerts and notifications. Is there a way to exclude the Yahoo calendars from Notifications and alerts?
    Right now, the only way I can eliminate them is by deactivating the Yahoo account in Settings/Mail, Contacts, Calendars.

    Is there a way to only choose specific contacts from an existing group and add them to a new group?
    I mean, there has to be a faster way than typing everybody by hand.

  • No "list-name" option available for aaa authorization command.

    I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
    I want to implement the following command:
    "aaa authorization network groupauthor group radius"
    but the only option is default after "network".
    Router#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 27-Aug-04 23:26 by cmong
    Image text-base: 0x80008120, data-base: 0x80F731A0
    ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
    ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Router uptime is 5 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
    cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
    Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    32768K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Router(config)#aaa authorization network ?
    default The default authorization list.
    Router(config)#aaa authorization network

    I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
    I get both default and the option to name a list.
    I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
    HTH
    Rick

  • Access to Oracle Database by a specific user from a client system.

    Hi All,
    I need to restrict a particular client system to access the database only with specific user credentials. I mean system A (hostname) can connect only to database PQR, and only as user U123. Any help is sincerely appreciated.
    Regards
    Swapan

    Hi,
    I solved it by a trigger at logon on V$SESSION which validates MACHINE like [HOSTNAME] and username not like [the_user_I_would_allow].
    It works now.
    Thanks for your reply.
    Regards
    Swapan

  • Send a message to multiple computers (not users) from a Win7/XP command or script

    Hi Team, is there a way to send a message to multiple Windows XP/Win7 computers from my Win7/XP? 3rd party software, commercial or free, command line, batch or script, all welcome. I have a few hundred computers; I ping them alive, but I don't know their location and user name. I failed to push the SCCM client to them; some could be in a workgroup or have admin$ disabled. So I plan to send a message like "please contact IT department for your PC maintenance by this Friday or this PC will be deleted from the corp domain"; when the user contacts IT, we can RDP or manually install SCCM onsite with the user's cooperation. msg.exe can only send to users instead of computer names. I tried shutdown /m \\pc-name -f -s -t 1200000 "testMessage" but I got an access denied alert, though it works if I put my local PC name. Is there any other way to accomplish this? Many thanks!
    Thanks and best regards, -- KF

    Hi,
    Based on my experience, personally I think the better method to solve this case is to have your help desk collect the new computer information, because consider this: "some could be in a workgroup or have admin$ disabled"; if there are more workgroup PCs, it will always be hard to manage them through a purely technical method.
    About the domain computers, you can refer to the following thread where I replied with a solution to send a message to users to contact the IT department.
    Security Warning Message
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/60c1a896-0996-4e88-ace9-8da2284883f7/security-warning-message?forum=winserverhyperv
    Hope this helps.

  • Exclude specific songs from factoring into auto calculated Album Rating?

    I really like using the calculated (empty star) Album Rating system, however I was wondering if there was a way to exclude some songs on an album from being averaged into the Album Rating. My reasoning for this is that I don't want intros/outros/skits or bonus tracks to bring the overall rating of an album down (there are many albums in my library that drop down a star rating because of bonus tracks that I don't really like, but wish to keep a part of the album for collection purposes). Is there anyway to make this happen? Thanks.

    You do have a very complex-looking site and may need several tables in MySQL to handle all that data. If you are new to PHP/MySQL I would suggest taking a look at this tutorial; it will help get you started in understanding how to $_GET info from a database and also how to $_POST data to a database. I am no expert, just learning myself, and I found this very helpful. This is the link http://www.adobe.com/devnet/dreamweaver/articles/first_dynamic_site_pt1.html
    There are also many tutorials on Youtube to help build a CMS Content Management Site I would suggest the following: -
    http://www.youtube.com/user/phpacademy
    http://www.youtube.com/user/betterphp
    http://www.youtube.com/user/flashbuilding
    And many more on my channel here
    http://www.youtube.com/user/Whisperingonthewind
    CMSs are easier to maintain, and to add, edit and delete content.
    I have also recently bought a book by David Powers, Training from the Source; very helpful.
    Anyway hope you get it sorted.

  • How to Write Path to Exclude Specific Folder From Scanning in Endpoint Antimalware policy

    Dears,
    I have configured the Endpoint Protection antimalware policy to scan Windows servers, and I have some specific folders which I need excluded from scanning because they are critical folders. So, when I want to exclude the folder, how do I write the path to add it to the excluded field? Is this the correct path:
    C:\MyFolder, or is there a special way of writing the path?
    Thanks..

    If that's the folder you want to exclude then you're doing fine. For more information see (List of Antimalware Policy Settings):
    http://technet.microsoft.com/en-us/library/hh508785.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • ACS Tacacs+ aaa authorization commands

    Hi,
    I would like to authorize only certain configuration commands by the TACACS+ server, so in the group setup of ACS I have checked "command", written "configure" in the field, and declared as arguments "permit terminal" and "permit snmp-server enable traps". But I cannot configure snmp until I declare "privilege config level 7 snmp-server enable" in the router. (I use a level 7 user.)
    My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
    Many thanks
    Patrice

    Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
    Setting Up and Managing Shared Profile Components
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
    hth
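    The following is an added example, not code from the original thread, from Cisco ACS, or from any Cisco product. It models, in Python, how a TACACS+ server answers the two kinds of authorization requests that the configurations on this page generate: the exec (shell) request, where the server returns a privilege level or rejects the session (the "access-reject, or access-accept with privilege level 1 and all commands blocked" policy suggested in the answer at the top of the page), and the per-command requests generated by "aaa authorization commands" and "aaa authorization config-commands", where the server matches the command name and its arguments against per-group rules (the granularity question in this thread). It also shows why the "local" method adds nothing beyond the privilege-level check, as observed in the "AAA authorization commands" thread above. All user names, group names and rules are constructed for illustration; the one behaviour taken from IOS is that each configuration-mode command is sent as its own request with the first word in "cmd" and the rest in "cmd-arg", so "snmp-server enable traps" arrives as cmd=snmp-server and not as an argument of "configure".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    cmd: str      # first token of the command line, as IOS sends it in the "cmd" attribute
    args: str     # regex matched (fullmatch) against the remaining tokens, joined by spaces
    permit: bool


@dataclass
class Group:
    priv_lvl: int                     # returned as priv-lvl in the exec (shell) authorization reply
    rules: List[Rule] = field(default_factory=list)
    permit_unmatched: bool = False    # what happens to commands that match no rule


# Constructed sample policy (hypothetical names, not from the thread).
GROUPS: Dict[str, Group] = {
    # Every command permitted: the per-command check on the device always passes,
    # which is the closest a TACACS+ policy gets to "do not authorize User1's commands".
    "netadmin": Group(priv_lvl=15, permit_unmatched=True),
    # Privilege level 1 and no command permitted: the "block all commands" option.
    "locked": Group(priv_lvl=1, permit_unmatched=False),
    # Read-only: any show command except the running configuration.
    "readonly": Group(priv_lvl=1, rules=[
        Rule("show", r"(?!running-config\b).*", True),
        Rule("exit", r".*", True),
    ]),
    # Configuration granularity: only "configure terminal" and "snmp-server enable traps ...".
    "snmp-ops": Group(priv_lvl=15, rules=[
        Rule("configure", r"terminal", True),
        Rule("snmp-server", r"enable traps( .*)?", True),
        Rule("show", r".*", True),
        Rule("end", r".*", True),
        Rule("exit", r".*", True),
    ]),
}

USERS: Dict[str, str] = {"User1": "netadmin", "guest": "locked",
                         "noc": "readonly", "snmpadmin": "snmp-ops"}


def exec_authorization(username: str) -> Tuple[str, Optional[int]]:
    """Reply to the exec request (service=shell, cmd=*): PASS with the group's priv-lvl, or FAIL."""
    group_name = USERS.get(username)
    if group_name is None:
        return ("FAIL", None)
    return ("PASS", GROUPS[group_name].priv_lvl)


def split_command(line: str) -> Tuple[str, str]:
    """Split a command line the way IOS fills the attributes: cmd=<first token>, cmd-arg=<rest>.

    With "aaa authorization config-commands" every configuration-mode command is sent as its
    own request, so "snmp-server enable traps" arrives as cmd=snmp-server, args="enable traps",
    and is never seen as an argument of "configure".
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    return tokens[0], " ".join(tokens[1:])


def command_authorization(username: str, line: str) -> bool:
    """Reply to a per-command request: first matching rule wins, else the group's unmatched setting."""
    group_name = USERS.get(username)
    if group_name is None:
        return False
    group = GROUPS[group_name]
    cmd, args = split_command(line)
    for rule in group.rules:
        if rule.cmd == cmd and re.fullmatch(rule.args, args):
            return rule.permit
    return group.permit_unmatched


def authorize_local(user_priv: int, command_priv: int) -> bool:
    """The "local" method: the local user database carries no per-command rules, so the only
    check is the privilege level, which the parser enforces anyway."""
    return user_priv >= command_priv


if __name__ == "__main__":
    for user, line in [("User1", "snmp-server community public RO"),
                       ("noc", "show running-config"),
                       ("snmpadmin", "snmp-server enable traps"),
                       ("snmpadmin", "snmp-server community public RO")]:
        verdict = "PERMIT" if command_authorization(user, line) else "DENY"
        print(f"{user:10} {line:35} {verdict}")
```

    The rule set for "snmp-ops" is the shape the thread's "configure terminal" / "snmp-server enable traps" policy needs: one entry keyed on "configure" and a separate entry keyed on "snmp-server", because that is how the device sends them. Putting "snmp-server enable traps" under the "configure" entry as an argument never matches a real request. Whether the command is visible to the user at all is a separate device-side question of privilege levels, which the TACACS+ reply does not change.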

  • Possible to delete Offline Files content for a specific user from the Client Side Cache (CSC) ?.

    Hello Everyone,
    We would like to implement a script to delete the offline files in the Client Side Cache (CSC) for a nominated user (on Windows 7 x64 enterprise).
    I am aware that;
    1. We can use a registry value to flush the entire CSC cache (for all users) the next time the machine reboots.
    2. If we delete the user's local profile it appears that Windows 7 also removes their content from the local CSC.
    However, we would like to just delete the CSC content for a particular nominated user without having to delete their local user profile.
    In our environment we have many users that share workstations but only use them occasionally. We don't use roaming profiles, so we would like to retain all the users' local profiles but still delete the CSC content for any users that haven't logged on in a week.
    Any ideas or info would be appreciated !
    Thanks, Makes

    Hi,
    I don't think this is possible.
    If you want to achieve it via script, I suggest you post it in official script forum for more professional help:
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=scripting
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Karen Hu
    TechNet Community Support

  • How to exclude FBA users from an audience

    I have the following situation (SharePoint 2013):
    I have an audience: internal users (the rule is based on email address because internal users all have an email address that ends the same).
    I created a navigation button which should only be visible for 'internal users', so I audience it at 'internal users'. When I'm testing this with an AD account that does not have an internal email address (so is not in the 'internal users' audience), this is working as I expected. The user does not see the navigation link/button.
    Now the problem is that when I log in as an FBA user, I can still see the navigation button, even though the FBA user does not have an email address that meets the rule of the audience.
    Any suggestion on how to make this work? And if it's not possible, does anyone have a workaround?
    Help is much appreciated!

    Hi,
    If you already have the Local Net Users and you want them to be used for other WLANs on the same WLC, then it's simple.
    For each LNU that you have configured, edit it by mapping the WLAN to ALL WLANs; this will help you get the migration done with ease!
    Let me know if this answered your question, and please don't forget to rate the useful posts!
    Regards
    Surendra
