Guest access to Internet using ACS (TACACS+ mode)
Hi,
I have ACS 1121 configured in TACACS+ mode. I need guest wired users to go only to internet. I don't have any proxy server or any radius server currently. How can I achieve this?
Similar Messages
-
When I'm accessing the internet using my iPhone I can't use it because I am having a grey screen and the phone disables itself. How can I fix it? Thanks.
You must have a valid form of payment for the app store in the country you are using. Most app stores are separate legal entities to comply with local laws. It is possible to have an account without a credit card, however; see: http://support.apple.com/kb/HT2534
-
I can't access the internet using Firefox. My internet connection is working perfectly fine as I can access the internet using internet explorer. I don't feel safe using internet explorer and prefer Firefox. Please help!
See --> Cannot connect after upgrading Firefox: https://support.mozilla.com/en-US/kb/Cannot%20connect%20after%20upgrading%20Firefox
Your firewall may not recognize the new version of Firefox; it is just doing its job. You may need to remove references to Firefox from your firewall's allowed applications list, then try to go to any website, let your firewall detect the new version of Firefox, and give Firefox the permissions needed by your firewall to access the internet.
-
Can you access the internet using wifi only on an iPhone 4?
How can you access the internet using WiFi only (no service) on an iPhone 4?
Assuming you're connected to wifi - go to Safari.
-
Is it possible to create a login page to access the internet without ACS ?
Hello
My company would like a solution where guests can only access the internet with a username or password, so a web login page before accessing the internet. Is this possible to configure on a Cisco router with no ACS?
Thanks
Andy

Maybe.
Are they wired or wireless clients? What model and IOS version is your router and switch?
-
HT201415 iPhone is unable to access the internet using Wi-Fi connections
Hi,
When using Wi-Fi connections, sometimes I can't get access to the network. The phone gets an IP and is successfully connected to the Access Point.
Wi-Fi router in use: D-link DAP-2310

I won't be able to find out for a maximum of 72 hours regarding why I can't connect to the xfinity hotspot. I won't be at the location I'm at now for the next 72 hours.
As a temporary workaround, I signed up for a free one hour trial of internet service by being a 'new member.' That will have to do for now. -
Controlling Access to devices using ACS
I am using ACS 3.2 and on the NAR section, I have used a wildcard (*) to define all the network devices on my network. All my users are in one group. However, I have just realised there is the need for me to create another group and put some users in that group so they only have access to some routers and switches and not all as defined by the wildcard.
How do I achieve this goal?

Under NAR select the Per Group Defined Network Access Restrictions.
Select the AAA clients you want the group to access.
Use the wildcard mask in the port and the address field.
You can also group the devices which you want to give access to under a separate NDG and in the NAR give permission to only this NDG for the group. In this way you may not need to add individual AAA clients.
HTH, rate if it does
Narayan -
Restrict access to SSID using ACS NAR
Hi,
I currently have 2 ssid's one is for trusted users, the other is for non trusted but employees. Guest access is completely different.
I have a mixture of lightweight and fat AP's as we are undergoing migration.
I have setup a NAR on the two groups using DNIS *(trusted-ssid).
This seems to allow access for the lightweight AP's, however they can still use the untrusted credentials to access the trusted network.
On the fat AP's it seems to not see the SSID and filters all trusted users out.
Is there a better way of doing this?
Is the syntax for matching the SSID different on fat AP's?
Cheers
scott

Just a bit more background, I am backing off auth to AD and using group match. Just need a way to tie the groups to one SSID and not allow them to use both.
Thanks
Scott -
Ok, as it was suggested, I am asking here. :)
Is there a way to prevent users who connect their personal laptops to the workplace network from having access to the internet?
Something like they don't get the right DNS, but only domain clients do.
I use DHCP for IPs and clients get the server's IP 192.168.0.1 for DNS, and on the server's DNS I have set up the internet's DNS.
The point is to prevent users from connecting their home laptops to our network and using torrents to download things and using FB.
Server is Windows 2008 R2, AD clients are Windows 7.
I never left an open problem....I search, dig and ask, until it's solved....

Hi Blisk1,
Based on your description, the goal is to prevent users from connecting their home laptops to your network.
You could try to deploy NAP enforcement for DHCP. Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IPv4 address. NAP can enforce health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers for unlimited network access.
When creating NAP policies with the wizard in the NPS server, to grant or deny access to groups of computers, you could add specific groups to Machine Groups, such as domain computers.
Checklist: Configure NAP Enforcement for DHCP
http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx
Best Regards,
Tina
-
Help needed restricting users admin access to devices using ACS 4.2
I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. ( I have a separate group called 'PIX ACCESS' which will contained only defined users for admin access).
Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
This comes up every time I install an ACS server (every 2-3 years), and it's always a trick.
Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip. -
VMWare guest OS no internet using DHCP, OK with static
My 3801HGV gateway is working fine providing DHCP to devices on my network, but I have a Macbook with VMWare Fusion installed and have a Windows 7 Pro running as a guest and when it obtains an address from the gateway it has no internet access. The DNS and gateway are the address of the gateway. If I set the IP of the guest to static using the same values it works fine. The network adapter of the guest has a different MAC address than the Macbook's nic. If I connect my Macbook to my iPhone's hotspot it works with DHCP OK. Is there a setting in the gateway I've missed that would cause this?
Although I have the NVG589 gateway, I suspect I have the same problem. I noticed last night that I could not properly connect via VPN to my company network. (The last time I tried doing so was on 7/24 and was successful.) I have made no changes to my VM nor to my Mac so something happened between the 24th of July and yesterday. (update of some sort pushed to the router perhaps?) I will try assigning a static IP in the guest when I get home to see if that resolves my VPN issue. Like you I do not have any issues if I connect my Mac to a hotspot or a network OTHER than my home network.
-
How can i access the internet using a non-wireless...
Before upgrading my BT broadband to BT Infinity, I was able to connect my two desktop PC's to the BTHUB2 without a problem. One of them is running Windows 7 and has a wireless connection, the other is running Windows XP and does not have a wireless adapter but it was connected by an ethernet cable to the BTHub2 which was portable and could therefore be plugged into any of the telephone sockets that were positioned around the house.
Unfortunately, since upgrading to the BTHub3 which is not portable, the Windows XP PC is too far away to connect using an ethernet cable and it is impractical to move it closer to the hub.
I'm happy with the position of the hub and do not wish to move it, so I need to consider other options.
As both PC's are in the same room, I understand that it is possible to link them with a Lan cable, and this will enable me to add the XP PC to my home network.
What I would like to know is what cable I need. (ie. what do I ask for) ? Is it an ethernet crossover cable ?
I'm sure that other BT Infinity users must have experienced a similar problem with older non-wireless equipment that is not in close proximity to the hub. I would be grateful for any advice that may help me to find the best solution to the problem.

Thank you for confirming that a LAN and ethernet connection are the same thing. I have tried linking the two PC's with an ethernet cable and I've read so many articles on how to configure them both to enable the XP computer to connect to the internet via the WIN7 computer and its wireless connection to the BTHub3, but I'm afraid that I'm now more confused than when I started.
It should be possible to do so, but unless someone can explain the correct procedure in step-by-step fashion, I don't think that I will ever find the solution using this method.
Using a power line solution sounds like a simpler solution, but even that raises more questions.
Just to clarify the problem as I understand it -
The BT Hub is static and positioned in the hallway.
Both PC's are in the same upstairs room.
The room has a telephone socket on an extension which works with a telephone. There are also power sockets available.
I already have a home network set up with the WIN7 wireless PC as the host.
I have wireless devices connected to the home network that are working perfectly (eg. HDTV,Xbox360, Laptop), but can I heck figure out how to connect the WIN XP to the home network.
I have managed to connect it directly to the Hub using an ethernet cable, but it involved carrying it downstairs into the hall and plugging the ethernet cable directly into the hub, and although this worked a treat, I need the PC to be upstairs.
Using a long ethernet cable is not an option either I'm afraid. Apart from the untidiness, I believe that it would seriously reduce the speed of the BT Infinity connection, which is also the reason that BT do not recommend plugging the hub into a telephone extension socket.
So far, using the ethernet cable between the two PC's and using the Networking Connection Wizard on the XP PC, I have tried connecting using the local area network with limited success. The STATUS window shows that it is connected with a speed of 100.0 Mbps, but the ACTIVITY only shows that there are packets being sent, none received. Also, clicking on Internet Explorer brings up a window stating that no connection to the internet is available.
However, my initial optimism that this at least indicated that progress had been made quickly disappeared after adding the XP machine as a device to my Homegroup on the WIN7 PC. The local area connection STATUS window on the WIN7 PC shows the media state as 'enabled' and 'speed 100.0 Mbps', but again it only shows that packets are being sent and none received. Furthermore, IPv4 connectivity is showing 'no internet access' and IPv6 connectivity shows 'no network access'.
I've tried running Windows Network Diagnostics and the troubleshooter stated that the Local Area Connection does not have a valid IP configuration. Here is the troubleshooting report:
Issues found:
"Local Area Connection" doesn't have a valid IP configuration NOT FIXED
Reset the "Local Area Adapter" Completed
Investigate router or broadband modem issues Completed
Details about network adapter diagnosis:
Network adapter Local Area Connection driver information:
Description............................ Intel (R) 82562v-2 10/100 Network Connection
Manufacturer......................... Intel
Provider................................ Microsoft
Version................................. 9.13.4.10
Inf File Name........................ C:\Windows\INF\netele32.inf
Inf File Date.......................... Monday, July 13, 2009 8:46:31 PM
Section Name........................ E104C
Hardware ID......................... pci\ven_8086&dev_10c0
Instance Status Flags............. 0x180200a
Device Manager Status Code.. 0
IfType.................................. 6
Physical Media Type.............. 0
The Internet Protocol (TCP/IP) Properties on both PC's for the Local Area Connection were input as follows:
IP address: 192.168.1.68 (with 68 being the next device number available)
Subnet mask: 255.255.255.0
Default Gateway: 192.168.1.254
Preferred DNS server: 192.168.1.254
Alternate DNS server: . . . .
I've also tried configuring the above properties by ticking the box 'Automatically detect settings', but it reports no connectivity. I haven't tried the third available configuration option which is 'using a proxy server', because I don't know if it is relevant or not and it is asking me to input an 'address' and 'port' ?
Any solution ideas would be greatly appreciated. -
When I click on the icon for firefox, a little toolbar (the one you see in the top right corner of the screen) pops up and nothing else happens. I'll close it out and retry, with only the same results. I tried Firefox safemode, with the same result. Like there is something blocking me, but I don't know what. It doesn't matter if I've been on the computer for some time or just started up, I cannot access the web thru Firefox. This has only started in the last couple days. Previously, I've never had this problem. I haven't loaded any new programs anytime recently to account for this. I use Norton for my anti virus program which is the newest and had since end of December. I am not happy having to use the windows internet explorer, so would be very happy to get this resolved. Should I uninstall the mozilla program, and then reinstall it?

"I have an ethernet cable in port 1 on my computer. That is configured manually to access the office network."
Do you have a "real" IP address or a private (192.168.x.x, 10.x.x.x, 172.x.x.x) IP address?
"The wireless router was connected to the company server only for the purpose of getting me online through Airport because I couldn't access it using an ethernet connection"
Could not access it because their network security blocked you by intent, or had some unknown technical difficulty?
Unless you are blocked by intent or omission (if they have to explicitly allow your machine) I can think of no technical reason why your wired connection should not both get you on their network and on the internet in general. You should not need to be dual homed (though dual homing should work as well).
Please answer the questions above when you can - I think solving the wired LAN issue will be easier if you are not being intentionally blocked. -
Accessing the internet using iPad.
When using my iPad, one day I could no longer go to the internet. I received the message, "Safari could not open the page because the server stopped responding". I can go to the internet on my macbook pro. Can someone tell me what I need to do to be able to go to the internet?
Some things to try first:
1. Turn Off your iPad. Then turn Off (disconnect power cord for 30 seconds or longer) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
2. Go to Settings>Wi-Fi and turn Off. Then while at Settings>Wi-Fi, turn back On and chose a Network.
3. Change the channel on your wireless router (Auto or Channel 6 is best). Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-network.html
4. Go into your router security settings and change from WEP to WPA with AES.
5. Renew IP Address: (especially if you are dropping internet connection)
• Launch Settings app
• Tap on Wi-Fi
• Tap on the blue arrow of the Wi-Fi network that you connect to from the list
• In the window that opens, tap on the Renew Lease button
6. Potential Quick Fixes When Your iPad Won’t Connect to Your Wifi Network
http://ipadinsight.com/ipad-tips-tricks/potential-quick-fixes-when-your-ipad-wont-connect-to-your-wifi-network/
~~~~~~~~~~~~~~~~~~~~~~~~~
iOS 6 Wifi Problems/Fixes
Wi-Fi Fix for iOS 6
https://discussions.apple.com/thread/4823738?tstart=240
How To: Workaround iPad Wi-Fi Issues
http://www.theipadfan.com/workaround-ipad-wifi-issues/
Another Fix For iOS 6 WiFi Problems
http://tabletcrunch.com/2012/10/27/fix-ios-6-wifi-problems-ssid/
Wifi Doesn't Connect After Waking From Sleep - Sometimes increasing screen brightness prevents the failure to reconnect after waking from sleep. According to Apple, “If brightness is at lowest level, increase it by moving the slider to the right and set auto brightness to off.”
Fix For iOS 6 WiFi Problems?
http://tabletcrunch.com/2012/09/27/fix-ios-6-wifi-problems/
Did iOS 6 Screw Your Wi-Fi? Here’s How to Fix It
http://gizmodo.com/5944761/does-ios-6-have-a-wi+fi-bug
How To Fix Wi-Fi Connectivity Issue After Upgrading To iOS 6
http://www.iphonehacks.com/2012/09/fix-wi-fi-connectivity-issue-after-upgrading-to-ios-6.html
iOS 6 iPad 3 wi-fi "connection fix" for netgear router
http://www.youtube.com/watch?v=XsWS4ha-dn0
Apple's iOS 6 Wi-Fi problems
http://www.zdnet.com/apples-ios-6-wi-fi-problems-linger-on-7000004799/
~~~~~~~~~~~~~~~~~~~~~~~
How to Boost Your Wi-Fi Signal
http://ipad.about.com/od/iPad_Troubleshooting/a/How-To-Boost-Your-Wi-Fi-Signal.htm
Troubleshooting a Weak Wi-Fi Signal
http://ipad.about.com/od/iPad_Troubleshooting/a/Troubleshooting-A-Weak-Wi-Fi-Signal.htm
How to Fix a Poor Wi-Fi Signal on Your iPad
http://ipad.about.com/od/iPad_Troubleshooting/a/How-To-Fix-A-Poor-Wi-Fi-Signal-On-Your-iPad.htm
iOS Troubleshooting Wi-Fi networks and connections http://support.apple.com/kb/TS1398
iPad: Issues connecting to Wi-Fi networks http://support.apple.com/kb/ts3304
WiFi Connecting/Troubleshooting http://www.apple.com/support/ipad/wifi/
How to Fix: My iPad Won't Connect to WiFi
http://ipad.about.com/od/iPad_Troubleshooting/ss/How-To-Fix-My-Ipad-Wont-Connect-To-Wi-Fi.htm
iOS: Connecting to the Internet http://support.apple.com/kb/HT1695
iOS: Recommended settings for Wi-Fi routers and access points http://support.apple.com/kb/HT4199
How to Quickly Fix iPad 3 Wi-Fi Reception Problems
http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
iPad Wi-Fi Problems: Comprehensive List of Fixes
http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
Connect iPad to Wi-Fi (with troubleshooting info)
http://thehowto.wikidot.com/wifi-connect-ipad
Fix iPad Wifi Connection and Signal Issues http://www.youtube.com/watch?v=uwWtIG5jUxE
Fix Slow WiFi Issue https://discussions.apple.com/thread/2398063?start=60&tstart=0
How To Fix iPhone, iPad, iPod Touch Wi-Fi Connectivity Issue http://tinyurl.com/7nvxbmz
Unable to Connect After iOS Update - saw this solution on another post.
https://discussions.apple.com/thread/4010130
Note - When troubleshooting wifi connection problems, don't hold your iPad by hand. There have been a few reports that holding the iPad by hand, seems to attenuate the wifi signal.
Wi-Fi or Bluetooth settings grayed out or dim
http://support.apple.com/kb/TS1559
~~~~~~~~~~~~~~~
If any of the above solutions work, please post back what solved your problem. It will help others with the same problem.
Cheers, Tom -
Cannot login to 4400 using ACS-TACACS+
Hello,
I am using a 4402 running 4.2.207 setup with TACACS+ to management user authentication. I am running ACS 4.2 in a VM. I went thru the setup and added the ciscowlc-common attribute under the user group and added role1=ALL.
I cannot get any user to login to the WLC. If I turn off the ACS service the local auth works fine. The ACS says that the authentication passed in the log but all I get when I try to connect to the WLC is prompted over and over again for username and password.
Here are some captures from the WLC when I try to login to it from the web browser.
Mon Aug 9 15:43:06 2010: Forwarding request to 192.168.1.90 port=49
Mon Aug 9 15:43:06 2010: tplus response: type=1 seq_no=2 session_id=223f532e length=16 encrypted=0
Mon Aug 9 15:43:06 2010: TPLUS_AUTHEN_STATUS_GETPASS
Mon Aug 9 15:43:06 2010: auth_cont get_pass reply: pkt_length=22
Mon Aug 9 15:43:06 2010: processTplusAuthResponse: Continue auth transaction
Mon Aug 9 15:43:06 2010: tplus response: type=1 seq_no=4 session_id=223f532e length=6 encrypted=0
Mon Aug 9 15:43:06 2010: tplus_make_author_request: athr server not found
Mon Aug 9 15:43:06 2010: tplus_make_author_request() from tplus_authen_passed returns rc=1
(Wireless) >show tacacs auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.1.90
Msg Round Trip Time.............................. 0 (1/100 second)
First Requests................................... 1
Retry Requests................................... 1
Accept Responses................................. 1
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
show aaa auth
Management authentication server order:
1............................................ tacacs
2............................................ local
Any help is greatly appreciated.
Seth

Did you also configure the server info under TACACS Authorization and Accounting on the controller? You can get this debug response if you only set up the server under the Authentication section.
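The symptom discussed in this thread (the TACACS+ exchange completes, then the authorization request fails with `athr server not found`) can be picked out of a controller debug capture automatically. The following is an added example, not part of the original posts or any Cisco tool: the function name, the regexes, and the reading of `tplus_authen_passed` as "authentication stage passed" are assumptions based only on the debug lines quoted above.

```python
import re

# Debug lines quoted in the post above (WLC management login over TACACS+).
WLC_DEBUG = """\
Mon Aug 9 15:43:06 2010: Forwarding request to 192.168.1.90 port=49
Mon Aug 9 15:43:06 2010: tplus response: type=1 seq_no=2 session_id=223f532e length=16 encrypted=0
Mon Aug 9 15:43:06 2010: TPLUS_AUTHEN_STATUS_GETPASS
Mon Aug 9 15:43:06 2010: auth_cont get_pass reply: pkt_length=22
Mon Aug 9 15:43:06 2010: processTplusAuthResponse: Continue auth transaction
Mon Aug 9 15:43:06 2010: tplus response: type=1 seq_no=4 session_id=223f532e length=6 encrypted=0
Mon Aug 9 15:43:06 2010: tplus_make_author_request: athr server not found
Mon Aug 9 15:43:06 2010: tplus_make_author_request() from tplus_authen_passed returns rc=1
"""

# "<weekday> <month> <day> <time> <year>: <message>", as in the capture above.
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<msg>.+)$")
FORWARD = re.compile(r"Forwarding request to (?P<server>\S+) port=(?P<port>\d+)")
RESPONSE = re.compile(r"tplus response: type=\d+ seq_no=\d+ session_id=(?P<sid>[0-9a-fA-F]+)")
NO_AUTHOR = "tplus_make_author_request: athr server not found"
# Assumption: a line naming tplus_authen_passed means authentication succeeded.
AUTHEN_PASSED = "tplus_authen_passed"


def find_missing_authorization(debug_text):
    """Return one record per TACACS+ session whose authorization request
    could not be sent because no authorization server was found."""
    sessions = {}    # session_id -> state, kept in order of first appearance
    server = None    # last TACACS+ server a request was forwarded to
    current = None   # session that the following untagged lines belong to
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CLI prompts, blank lines, "show" output
        ts, msg = m.group("ts"), m.group("msg")
        fwd = FORWARD.search(msg)
        if fwd:
            server = "%s:%s" % (fwd.group("server"), fwd.group("port"))
            continue
        resp = RESPONSE.search(msg)
        if resp:
            current = resp.group("sid").lower()
            sessions.setdefault(current, {
                "session_id": current,
                "server": server,
                "first_seen": ts,
                "authen_passed": False,
                "author_server_missing": False,
            })
            continue
        if current is None:
            continue  # nothing to attribute this line to yet
        if NO_AUTHOR in msg:
            sessions[current]["author_server_missing"] = True
        elif AUTHEN_PASSED in msg:
            sessions[current]["authen_passed"] = True
    return [s for s in sessions.values() if s["author_server_missing"]]


if __name__ == "__main__":
    for hit in find_missing_authorization(WLC_DEBUG):
        print("session %(session_id)s via %(server)s: authentication passed=%(authen_passed)s, "
              "no TACACS+ authorization server configured" % hit)
```

A hit with `authen_passed` set matches the case the reply describes: the server is defined only under the Authentication section of the controller.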