Restrict access to other WLN clients

When clients are associated to a Cisco AP, is there away to restrict the clients from sending traffic to other clients associated to the same AP?

Yes, the feature is called "Public Secure Packet Forwarding".
This works like protected ports (Private VLAN edge) on switches,
blocking all layer 2 traffic between clients associated to the same AP.
On the GUI it's enabled/disabled under Network Interfaces->Radio...->Settings->Public Secure Packet Forwarding
With the CLI you configure "protected port" for the bridge group.
<http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d2f.html#wp1038494>

Similar Messages

  • Cisco ISE - How to map User- Location - Restrict Access to other locations

    Hi,
    i've got a simple question and I hope someone here can help me out with this mess.
    The problem is about WLAN 802.1x Auth with Cisco WLC and a ISE.
    The design goal is the following:
    There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
    The technical design is this:
    Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth-requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time, later I want to AD and LDAP sources.
    Here is the problem:
    I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only login over APs, WLCs,.....in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
    PLEASE HELP.

    I don't know but may be this is the correct way to validate the user:
    NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
    Iam confused because there is no way to compare these values. 
    In this case to compare the value of "NAS-ID" and die users "IDENTITY-GROUP".
    If they match against each other than "Permit-Access".

  • Workset validation and restricted access to other workset based on first

    Hi All,
        I have a requirement in which I need to allow other worksets in ESS to be accessed only if one workset "Personal Information" is completed.
    in this workset, there is an iView "Certify Own Data". In this ivew there are couple of checkboxes which need to be ticked and saved. this checkboxes will automatically be checked when the user enters required data in other related ivews such as "Address", "Family Details", "communications" etc.
    Please someone suggest me how to achive this functionality. Do i need to develop new application or i can achieve this functionality by just maintaining some kind of  iview validation.
    Earlier response would be much appreciated.
    Thanks
    Uday

    HI
    In your case,If your users are limited users then no worries....
    They cannot open it with their license...
    Only "Super user" can do that....
    OR
    You can restrict the other users by giving 'Authorisations'.
    Goto Administration -> system initialisation ->Authorisation_>General Authorisation.
    Now you select the users to whom you want to restrict the access and at right hand side you can see "Customization tools"
    You can set as "No authorisation" for Customization tools for that particular user and update it...
    So that he cannot do anything with the user defined windows
    Edited by: kambadasan on May 25, 2011 2:21 PM

  • Need advice for an application that restricts access to other applications using a smart card

    Hello everybody,
    I am developing a system that uses a smart card reader attached to a USB port of a PC.
    What the system should provide is:
    When computer boots up and shows the users login screen, a user, previously registered, can use his smart card to access the system, instead of entering his password
    Once the user is logged in, when he tries to launch an application, which has previously marked as "secured", a dialog box is shown indicating that the user has to present his smart card. If the smart card has access to the application, the application
    is launched, otherwise an error message is shown to the user and the application is not executed.
    I develop in C++ and C#. I have already created a library (in Visual C++) that manages the smart card reader and provides the card presented to it.
    Now I am developing the applicastion (in C#) that will configure the security (assigning cards to users and applications).
    Concerning this, I have 2 questions regarding each point above:
    Is it possible to create the centralized application that lists all users and allows to assign cards to them? Then, when the users login screen is shown, the system must access that data before logging in, so that it can check which card was presented and
    what user it corresponds to. I have seen in laptops, that have embedded fingerprint readers, a user must login to his account first and then he can register his fingerprints. In fact, what I need to do is something similar but with smart card reader instead
    of fingerprint reader. So, perhaps, user must login into his account first and then he will be able to add his card and store that information somewhere (in windows registry maybe).
    How can I launch my application when other application is executed but before its interface is actually shown? this is similar to what antivirus programs do, because they check the executable before it is actually ran. What is the best method to address
    the application? by executable file name? process name? or other? if the best is by process name, how can I know the process name without actually running the application?
    Well, that is all what I need to do. Please advice regarding this subject.
    I look forward to hearing from you,
    Best regards,
    Jaime
    Powered by C++

    > what was the guidance?
    1. Research other software that does similar things (not just exactly the same) as you need. If you like something in their solutions, copy it :)
    The only software I know that does that is an antivirus, but I am unlucky to find some code in c++ that allows to intercept the program execution before actually executing it.
    2. If a kernel driver would fit in your solution, go for it (google for what is available for free, or find a consultant to write it for you).
    There are a lot of information about kernel drivers, but the question is, is that really the solution?
    Otherwise, you can just hide the application from user's reach and substitute the executable in shortcuts, etc. to run your program instead.
    Definetly this is not the way to go
    What is the best method to address the application? by executable file name? process name? or other?
    By executable file name, like in the Windows Applocker, I think. Processes do not have names (they are artifact of Task manager and debugging tools, to represent the processes for user somehow). Or, only by the filename part of the full path.
    I agree with that
    if the best is by process name, how can I know the process name without actually running the application?
    When the user runs the application, the driver will detect this and do its magic.
    I have found this page: http://stackoverflow.com/questions/3556048/how-to-detect-win32-process-creation-termination-in-c. They mention WMI, but I will study it tommorow... it is so late for today :-)
    Regards,
    -- pa
    Regards
    Jaime
    Powered by C++

  • CHARM - Restrict access to other documents

    Dear All,
    When Change manager approves the CR & assign the developer, mail will trigger to developer & he will starts development, thats ok. If the ticket is not assigned to me and if i tried to open the UC, system should not allow me to open that ticket itself. How can we do this ? If my BP number is not assigned in that ticket, system should not allow me to open the ticket, is this possible ?
    regds,
    CB

    Hello Kallumama
    you have two different options to achieve this:
    - first one is playing in CRMBS02 with the authorization codes. As a result, people will have access to tickets according to user status of ticket and not according to who the ticket is assigned to
    - second one (and maybe better for you) is BAdI crm_order_auth_check. Thanks to MF 'CRM_ORDER_READ' you retrieve who is assigned to your ticket, then thank to a specific MF or to a Z evaluation path you ll have to get the BP assigned to SAP User who is trying to access to ticket; after comparaison if first is different from second then write an error message. That will not authorize User access in change mode to ticket !
    Regards,
    Khalil

  • How to set-up Guest Client Wireless Access "PIN" with Restricted Access ???

    This is my first time, and, I am not familiar with the rules.
    Is it possible for someone to answer a slightly different question...
    I just bought a TC and hooked it up to my cable modem. I have 3 computers that I want to configure, with the following requirements: WPA/WPA2 security all around, only the 3 computers I have to be allowed use of the TC, and, no listing of the network should appear on remote computers (i.e., a "closed network"). With these basic needs, the three computers I want to be in this network are listed below --- subject to the following ACCESS limitations:
    1. A G4 iMAC (10.5.5), wired to the TC via an Ethernet cable: FULL ACCESS; i.e., shared file access, TM back-ups, HP printer access, internet access;
    2. A MacBook (10.5.5), airport wireless access to the TC: FULL ACCESS, as the iMAC.
    3. A (new generation) PC laptop: VERY LIMITED access --- access only to the internet, so that the TC looks only like a "wireless router." Internet access available at any time of the day or week. It would be good if this client did not have to use any of my passwords, just a "PIN." Also, I do NOT want this PC client to see my printer, and, also, to NOT see my TC base station and NOT have access to my TC/TM disks. To set this up, I entered the PC laptop name and the "MAC" address using the Airport Utility. Then, I selected the "PIN" choice for access, so that this client need not have to ever use or know of any of my passwords. After I selected the "PIN" option, the utility asked me to enter the PC client's PIN. How do I obtain the PC's PIN? This is very confusing to me, so, I apologize to you all (I'm very new at this).
    Hopefully, this TC-only network concern is within the guidelines to be answered.
    Thanks,
    David.

    Dear Smokerz,
    Well, this is where I'm confused. I did use the Airport Utility. I went to the place where it asks for the PIN number. So, I made up an 8-digit number and entered it. I assumed that after I entered the number, it would prompt me to do something with the PC. But, the "Continue" button did not become highlighted. Hence, my confusion. Can you please be more specific as to exactly what I should do using the Airport Utility? The detailed instructions are vague to me, unfortunately.
    Also, with respect to the PC Laptop: I only want it to have access to the internet via the TC (so that the TC acts as a wireless router). And, I want to set up restrictions for limited use of the PC: NO ACCESS to the HP printer, and NO ACCESS to the TM/TC (other than as a wireless router). As before, can you please be more specific as to exactly what I should do using the Airport Utility?
    I must be missing a trivial menu item, so, again, I apologize.
    Thank you,
    David.

  • Just trying out my new mac but email won't load, error says "The mail server denied access to the account because an administrator or other mail client was using it when Mail tried to log in. Try again later." A little lock is beside the email inbox

    Just trying out my new mac but email won't load, error says "The mail server denied access to the account because an administrator or other mail client was using it when Mail tried to log in. Try again later." A little lock is beside the email inbox account, no password prompted and account is online and enabled... Thoughts?

    Have you tried clicking on the lock to see it it will then ask for a passwored.  Otherwise, try reblooting.

  • Airport Utility Timed Access Control does not allow/restrict access to wireless clients per the time set.

    I have been trying to setup Timed Access Control in Airport Utility and it does not seem to be working correctly. 
    In Airport Utility from Edit Timed Access Control I Enter a name for my device (iPad/iPhone any device), enter my mac address, set time for Everyday and use default Between 9:00 AM and 5:00 PM, save and then update. When I go to my device iPad iPhone etc. I still have access even when it is after the time set, 5:00PM.  If I set no access it will restrict access also I set a time between 2:00 PM and 5:00 PM and access was restricted.  It doesnt seem to matter what the device is.  I know that the MAC Adress is set correctly.  It seems like an issue with the Utility, possibly time miss match or something.  Not sure if I am missing something or if this Utility just has flaws. Please Help.

    I changed the default to (no access) and set an entry for my test device (an iPad) to "Everyday Between 9am to 5pm.  The iPad was still able to gain access to the network. 
    Something else to note, if I try to edit the time of an entry it gives me an error on my MBP "Invalid value", "The value for “Timed Access Control” is invalid."  This happens even if I delete a digit (number or letter in the time field) and replace with the exact same. Not sure if the two are related. I have tried to edit access from my iPad.  I don't get any errors but I still don't get the expected results.  I called Apple to try and get Tech support but they were not much help. Thanks again.

  • How do i restrict access to clients coming in with weaker SSL keys ( 56 bits or les ) and redirect them to a special page ?

    I tried the "ssl-check" PathCheck directive. Doesn't seem to do anything.

    Hi,
    To restrict access(56 bits or less). follow the below steps.
    1. Go to your Webserver instance ServerManager
    2. Click Preferences Tab ------> Encryption Preference
    ------> There disable "DES with 56 bit
    encryption and MD5 message authentication."
    for SSL 2.0 ciphers or SSL3.0 Ciphers. Which ever
    needed.
    3. Save and Restart the Webserver instance.
    The above steps are for 4.x version.
    Thanks,
    Daks.

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I beleive it should be easy.
    The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assitance would be greatly appreciated.
    Cheers

    This is exactly what i was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (ther is a button to access this) is really helpful, with a couple of examples.  This is what i used:
    assert(function()
       if ( (type(aaa.ldap.distinguishedName) == "string") and
            (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
    then
           return true
       end
       return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew

  • Restrict access to users in customer line item display FBL5N

    Hi all,
    We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
    we created 4 customer account groups,we created like .. SD customers1
                                 SD customers2
                                 Onetime customers
                                 FI customers
    These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
    we have tried with Basis but its not working and its blocking to view all customers.
    anyone got this kind of requirement , Is it possible to restrict....please help me.
    Thanks
    Nagesh
    Edited by: nag on Dec 27, 2011 5:26 PM

    It is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
    in the transacion FBL5N. You can confirm this functionality in trans. SE24.
    As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
    If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
    Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
      F_BKPF_BLA Accounting Document: Authorization for Document Types
      F_BKPF_BUK Accounting Document: Authorization for Company Codes
      F_BKPF_GSB Accounting Document: Authorization for Business Areas
      F_BKPF_KOA Accounting Document: Authorization for Account Types
      F_BKPF_BED Accounting Document: Account Authorization for Customers
      F_KNA1_BED Customer: Account Authorization
      F_KNA1_BUK Customer: Authorization for Company Codes
    Kind Regards
    Soumya

  • How to get OS X to accept an SSL Cert the way other UNIX clients do?

    I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
    I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
    On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
    On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
    How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
    I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
    Any suggestions would be appreciated.
    Thanks in advance--
    =N=

    when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
    what unix apps are you using to connect to this server?

  • Using the Security Manager to restrict access to a single package

    After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
    Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
    Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
    But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
    Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
    It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
    The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

    You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

  • Restrict Access to Page Using a password.php Instead of Server Behavior

    I previously used "log in" and "restrict access to page" server behaviors for my client portal when I only had one client. I had my username and password stored in mySQL database. I recently have gained more clients that all needed to be redirected to their own customized landing page when logged in. Because of this, I used a password.php to store the usernames and passwords and to redirect to different pages. Now, I am wondering how I can restrict access to these pages (i.e. someone won't be able to access the pages by typing the url) since I will not be connecting to a database anymore.

    I'm also confused by your statements.
    >Now, I am wondering how I can restrict access to these pages
    >(i.e.  someone won't be able to access the pages by typing the url)
    >since I  will not be connecting to a database anymore.
    It doesn't matter where you store the credentials - database or php file - the techniques for restricting access will be similar. I really don't understand why you moved away from the database when you got more clients. The more data you need to manage, the more reason to store it in a database.
    After logging in, most sites direct users to the same page, yet pull user specific data from the database. If for some reason you can't do this and need to built individual pages for each client, then store the 'landing' page for the client in the php file or database. Restrict access to each page by comparing the logged in name with an allowed login name. Or a more dynamic approach would be to dynamically pass the page name to a database query that validates that it's ok for the logged in user to access.
    Also, these questions are more appropriate for the app dev forum.

  • What is the best way to restrict access to the page

    Hello Everyone,
    We are trying to restrict access to the web page that is being accessed by the applet. Currently it is public so anybody can view it just by entering URL in the address window. We tried to restrict its access to only certain IP Addresses but then we need to enter every client's address out there since applets execute on the client and not on the server.
    Is there any good way of restricting access to the web page from an applet?
    Any help will be greatly appreciated.
    Thanks,
    Y.M.

    Most web servers allow protection of web resources.
    In particular, apache allows .htaccess (or other, if changed in the root configuration) files to change the access to various resources, and IIS allows you to set up protection domains to restrict access to folders.

Maybe you are looking for