Restrict SCEP Proxy access using %machineid%/AD?

Hello,
we want to use AnyConnect w/ SCEP Proxy enrollment to provision machine certificates to devices which are not members of a Windows domain. We use HostScan to set the CN of the request to %machineid%. This works so far and the certificate gets downloaded to the device.
The next step would be to restrict access to the provisioning VPN group, so that only already "known" devices are allowed to load certificates. It would be nice if this could be done by secondary authentication if there were also a way to pre-fill the username with %machineid%, but pre-filling seems only possible based on an already existing certificate.
Some configuration guides suggest that it should be possible to restrict the SCEP access via AD, but so far I haven't found any detailed instructions.
Has anyone succeeded in such a setup? Any hints are much appreciated.
Thank you,
     J.

Hi Bora,
I guess that you are having a username/password for directory manager on OUD proxy (let's say cn=proxymgr / proxypwd), and another username/password for directory manager on your ODSEE servers (let's say cn=odseemgr / odseepwd).
When you connect to OUD proxy using cn=proxymgr to perform a search on your backend, OUD proxy creates a connection to the ODSEE backend with the same credentials (because the proxy is configured in use-client-identity mode), i.e. cn=proxymgr / proxypwd. If this user does not exist on ODSEE (or has the same name with a different password), you get an error 49.
To avoid this issue, OUD proxy offers configuration parameters in the proxy-workflow-element: the exclude-list and remote-ldap-server-bind-dn / remote-ldap-server-bind-password. You have to add cn=proxymgr to the exclude-list, and set remote-ldap-server-bind-dn to cn=odseemgr and remote-ldap-server-bind-password to odseepwd.
This way, when connecting with cn=proxymgr, the proxy will know that it should not use the client credentials, but rather cn=odseemgr when talking to the ODSEE backend.
This concept is explained in OUD admin guide, Configuring the Bind Mode.
HTH,
Flo.
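The bind-forwarding rule Flo describes, as an added example that is a constructed model and not OUD code: the class and function names are mine, the DNs and passwords are the placeholders from the reply, and DN matching is simplified to a case-insensitive string compare. It shows why a bind as the proxy's own directory manager produces LDAP result 49 on the backend, and how the exclude-list plus remote-ldap-server-bind-dn fixes it while ordinary users' credentials still pass through.

```python
"""Constructed model of an OUD proxy-workflow-element in use-client-identity mode.

Not OUD code: it only reproduces the decision described in the reply above so the
error 49 (invalidCredentials) scenario and its fix can be walked through offline.
"""
from dataclasses import dataclass, field

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials
SUCCESS = 0


@dataclass
class ProxyWorkflowElement:
    # Property names follow the reply: exclude-list, remote-ldap-server-bind-dn,
    # remote-ldap-server-bind-password. "use-specific-identity" is the other
    # bind mode OUD offers; "use-client-identity" is the one in the question.
    client_cred_mode: str = "use-client-identity"
    exclude_list: set = field(default_factory=set)
    remote_ldap_server_bind_dn: str = ""
    remote_ldap_server_bind_password: str = ""

    def backend_credentials(self, client_dn: str, client_pw: str):
        """Credentials the proxy presents to the backend for this client bind."""
        excluded = client_dn.lower() in {d.lower() for d in self.exclude_list}
        if self.client_cred_mode == "use-client-identity" and not excluded:
            # Pass the client's own identity through to the backend.
            return client_dn, client_pw
        # Excluded DN or specific-identity mode: use the configured remote account.
        return self.remote_ldap_server_bind_dn, self.remote_ldap_server_bind_password


class OdseeBackend:
    """Stand-in for the ODSEE server: a table of DN -> password (constructed)."""

    def __init__(self, accounts: dict):
        self.accounts = {dn.lower(): pw for dn, pw in accounts.items()}

    def bind(self, dn: str, pw: str) -> int:
        """Return 0 on success, 49 if the DN is unknown or the password differs."""
        if self.accounts.get(dn.lower()) == pw:
            return SUCCESS
        return INVALID_CREDENTIALS


def proxied_bind(proxy: ProxyWorkflowElement, backend: OdseeBackend,
                 client_dn: str, client_pw: str) -> int:
    """Result code the client sees after the proxy binds to the backend on its behalf."""
    dn, pw = proxy.backend_credentials(client_dn, client_pw)
    return backend.bind(dn, pw)


if __name__ == "__main__":
    # Constructed backend: only the ODSEE directory manager and one user exist there.
    backend = OdseeBackend({"cn=odseemgr": "odseepwd",
                            "uid=bora,ou=people,dc=example,dc=com": "secret"})
    broken = ProxyWorkflowElement()  # no exclude-list: proxymgr is forwarded as-is
    print(proxied_bind(broken, backend, "cn=proxymgr", "proxypwd"))  # 49
    fixed = ProxyWorkflowElement(exclude_list={"cn=proxymgr"},
                                 remote_ldap_server_bind_dn="cn=odseemgr",
                                 remote_ldap_server_bind_password="odseepwd")
    print(proxied_bind(fixed, backend, "cn=proxymgr", "proxypwd"))  # 0
```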

Similar Messages

  • Unable to restrict afp folder access using File Sharing in System Prefs

    If I share files using AFP, and authenticate using a standard account from another machine on the LAN, I can browse and access ALL files and folders on the machine, not just those specified under "Shared Folders" in System Preferences->Sharing->File Sharing. Machine is running OS 10.6.5.

    ...You shouldn't be able to authenticate as a user/account that is not on the local machine.
    Also for each item listed in Sharing Preferences, you have to specify POSIX permissions for specific users, check to make sure 'everyone' isn't set to read and write.

  • Help needed restricting users admin access to devices using ACS 4.2

    I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
    The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. (I have a separate group called 'PIX ACCESS' which will contain only defined users for admin access.)
    Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
    So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

    Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
    This comes up every time I install an ACS server (every 2-3 years), and it's always a trick.
    Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

  • Restricting Wireless Access using ACS 3.3

    We are currently running ACS 3.3 and I am trying to figure out how to restrict Wireless access to specific user groups. Our current setting is using PEAP and ACS as the Radius. Our user database is mapped to Windows 2003 AD. I've got the PEAP working and the radius authentication is also working but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
    Erik

    Hi,
    On ACS 3.3.x you can certainly achieve this; all you have to do is configure a NAR (Network Access Restriction). Here is the link which should provide you further information on it.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    -Parm

  • Restricting MDM client access when LDAP is in use

    Hi all,
    I'm struggling a bit with MDM's security concept and hope you can help.
    We're using LDAP integration so we don't need to create all users in MDM. Most users shall use the Portal with MDM iViews to access and maintain data. Very few users shall use rich clients, like Data Manager or Import Manager.
    Some MDM WebServices run in the background of the portal process to automate some tasks, but still with the portal user authentication to make sure that the change tracking / user stamp fields are filled correctly.
    I know that LDAP is either on or off, so if we use it, we must use it for both portal and rich client. This means everybody with a Data Manager installation and MDMRoles in LDAP can log in to Data Manager and use it according to their role. This we want to prevent, as Data Manager generally offers way more functionality than we want our end users to have, but which we cannot restrict in the role definition so as not to corrupt our portal integration (e.g. the Web Services need more functional rights than a Data Manager user shall have).
    Of course we will restrict who gets an installation of Data Manager, but this is hardly enough to ensure security policy, if people simply install the client software themselves.
    We already considered a firewall between client and server and only opening the port 20005 for select users (by fixed IP addresses), but that same port is used by Data Manager and Java API (meaning our portal / Web Services), so we would also restrict the portal access.
    Is there a solution to grant portal access for basically everyone and rich client access for a select few while having LDAP in use?
    Thanks a lot in advance!
    Cheers
    Christiane

    Hi Christiane,
    I think you can restrict more functionality of Data Manager for an LDAP user. For this user, assign a role which does not have access to create data etc., as per the role assigned to that user in LDAP. I mean the user is able to perform operations in Data Manager according to the groups he is a member of (Roles in MDM). In MDM Console, you have the Role table where you can see Tables and Fields and Functions; here you can give access "none" for the functions & tables and fields.
    Please refer for more details to page 4 onwards of [Step-by-Step Process to Configure LDAP Support for MDM|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true]
    Just check and revert with result.
    Hope it helps..
    Regards,
    Mandeep Saini

  • Restricting Internet access using ARD

    I am trying to restrict students from accessing the internet using ARD. Student accounts are set up using Workgroup Manager. Under preferences, I did not allow Dock.app or Safari in the list of approved applications. I also only selected applications I allow them to use to be in the dock and did not allow them to merge their dock.
    One group still has Safari listed in the dock.
    The others can still get to the internet using dashboard and going to weather settings.
    How can I eliminate this access?

    One option is to send the unix command:
    ipfw add 2005 deny tcp from any to any 80 out xmit en0
    This will block the standard internet port. If the computers are restarted then it will go back to normal. To get rid of the rule without actually restarting use this command.
    ipfw delete 2005
    Note: They have to be done with the root (or admin) user.
    PowerBook G4 15in, Xserve, G5 Dual 2ghz,   Mac OS X (10.4.3)  

  • Restrict wireless internet access on certain periods of time

    Hello,
    We need help on setting up a network with some restrictions for the attached clients.
    We're quite new at setting up a network at this size.
    Used devices:
    1x SRP 540 router
    1x SG 300-10P managed switch
    4x AP 541N accesspoint
    What we want to do:
    1. Around 100 laptops and desktop computers need wireless internet access, but some of them on limited times during the day.
    2. Not all wireless devices are allowed to use the wireless network.
    3. There are also wired desktops that don't need restrictions.
    4. We need the possibility to restrict most of the wireless devices from accessing certain websites or using certain applications on those computers during the times that the computers are allowed to access the internet.
    5. We want to restrict the clients from using torrents or other possibilities of downloading illegal content.
    What we were able to do:
    1. The accesspoints (AP 541N) are clustered to achieve 1 large wireless network.
    2. Only MAC addresses that are listed in the access points are capable of using the wireless network. Other MAC addresses are not allowed to use the access points.
    What we tried already:
    1. Adding the MAC addresses of the access points to the list of "internet access policy" in the router. Internet access still seemed possible during periods the access wasn't supposed to be possible.
    2. Adding the MAC addresses from all clients in this internet access policy seemed useless. Only 10 Internet Access Policies seem to be possible to program, 8 MAC addresses per policy. Knowing there are (at least) two policies needed to restrict a group of 8 MACs from accessing the internet in 24 hours (because blocking the internet from e.g. 22:00 in the evening to 6 in the morning is not possible, because 6 is smaller than 22 - or 10PM).
    Besides, after blocking internet access, we need also to write policies in blocking some websites or keywords.
    Thanks already for your guidelines.
    Wim

    What about the thought of RADIUS for authentication which is connected to Active Directory for your wireless users. Then have those people you must limit access to during the day in their own security group that's only allowed to log in to the domain during certain times of the day.
    To limit sites or what they can do on the Internet will require a separate solution for content/URL filtering. Then you can make policies and apply to your security groups in active directory block by category, keyword, and so on.
    This is all great assuming you can get these clients into AD.
    Just a quick thought, hope it helps.
    _dschlicht

  • Can I use MachineID.getBytes() or MachineID.getUniqueID() as a unique identifier?

    The bytes from MachineID.getBytes() are not to be treated as a unique identifier for a device. It is unique, but is volatile and not suitable to be used as an identifier. There are various system/hardware events which can cause the MachineID bytes to change over time. The same rule applies to MachineID.getUniqueID(). If you do .getBytes() and then compare that to AnotherMachineID.getBytes(), even though they can be the same device (but different runtime or browser), you will get a "false" if you're doing a direct byte-by-byte comparison. This is because during the device individualization process, the device's hardware attributes are interrogated to get a hardware "fingerprint" of the device. This is stored as a data structure in the MachineID data structure.
    The only resilient way (with limitations, as stated in the next section) to compare two different devices to determine if they are the same device is to use MachineID.matches(). That comparison is resilient against machine hardware upgrades (changing hard drives, upgrading your video card, upgrading your CPU, reformatting your machine, changing user accounts, using different browsers, etc…).
    (NOTE): There are 2 known limitations to using MachineID.matches():
    1. MachineID in the Chrome browser (on any platform) is a randomly-generated ID string that is not tied to the hardware. The reason for this is that with the release of Chrome version 28, the browser introduced a sandbox, where code in the browser is not allowed to communicate directly with the hardware layer. This will cause .matches() to fail if comparing a MachineID from Chrome against a MachineID from Firefox, even from the same machine. This also means that if a user "resets Adobe Access DRM/Licenses", they will lose their ID, and it will be re-generated (as a new ID) the next time DRM content is consumed and their machine has to create a new MachineID.
    2. A similar limitation applies to iOS devices running iOS7 and higher, as a sandbox was also introduced to that platform, preventing applications from directly accessing the hardware. If you are using iOS7 with the Primetime Player SDK (PSDK) 1.0 or 1.1, the MachineID for all devices will be the same value, as Apple blocked the device-access APIs (which Adobe Access uses) and caused them to return a static string. Since all iOS7 devices will return the same string when the device hardware interrogation happens, all iOS7 devices using the PSDK 1.1 or earlier will return true when MachineID.matches() is called. Adobe is working on a high-priority fix to this issue, which will be released in a PSDK 1.1 patch/hotfix, where another persistent API is used to bind the MachineID to the device, instead of the blocked device-access APIs. This new binding mechanism will be persistent across application uninstall/re-installs.
    What is consistent between iOS7 and Chrome 28 (and higher) is that the MachineID will no longer be tied to the hardware attributes of the device.
    cheers,
    /Eric.

    In case you would like to find some way to do something that requires concurrency monitoring (e.g. you run a service and wish to limit the # of devices that can access your service), the best way to do this would be to move towards a "# of concurrent streams" model, similar to Netflix.
    To do this, you can use Adobe Pass technology called Mai Tai, or implement your own technology (via cookies or authentication tokens) to limit user accounts to no more than XX concurrent streams.
    cheers,
    /Eric.

  • Restrict read/edit access for a Manager, when Manager Visibility is enabled

    Customer wants to restrict read/edit access for a Manager on his/her subordinates' owned records, if Manager Visibility is enabled at the company level.
    For example: if SM1 is a manager of SR1 and SM1's owner profile says that he has Edit Access on his owned records, then he will get Edit Access on the records owned by his sales rep.
    The current requirement here is that the Manager should not be able to edit the records of his sales rep but should be able to only View. And managers also need Edit/Read access on the records which they own.
    Is there a possible workaround ?

    I have devised this for our customer:
    First, create a custom text field named "Reports To" on the object, say, Accounts.
    Second, use JoinFieldValue to set a default value for the "Reports To" field: equal to the "Reports To" User field value for the current owner.
    Third, add a new value named "Manager Read-Only" to the 'Account Type' picklist. Make sure that this picklist value is active.
    Fourthly, add a new page layout marking all Account fields as 'read-only' and name it "Account Read-Only layout".
    Fifthly, create a new Account Dynamic Layout and set "Account Read-Only layout" for Field Type = "Manager Read-Only".
    Sixthly, create a new workflow rule condition for the Account object (before modified record saved). Use a workflow rule condition similar to UserValue('<Alias>') = [<ReportsTo>] and set the workflow action to update the 'Account Type' picklist value to "Manager Read-Only".
    This is just an example. Customer needs to improvise on this.
    Any more suggestions please ?

  • How to restrict the change access in CRM for OLTP orders

    Hi Guru's,
    Please let me know how to restrict the change access in CRM for the orders that are created in ECC. The ECC orders will be for display only in CRM, not for change.
    We have the orders that are created in ECC; they flow to CRM and should be restricted from entering change mode in CRM, but as of now the CRM system is allowing change mode for ECC orders and ending up with errors.
    Is there any additional middleware parameter that needs to be added to the SMOFPARSFA table to get this functionality? Please advise! Thank you for your help.
    Regards
    Suneel

    Hi.
    You can use the PFCG role to control if the user is able to create, change, delete or only display a business transaction type.
    Regards.

  • Block database access using toad or other tools

    We have a forms application running on Oracle database 10g release 2; with the users created in the application, the database can be accessed using the same IDs through SQL*Plus or any other tool. We have already restricted SQL*Plus access by product_user_profile. Is there any other way to make sure Toad or any other tool can be stopped from accessing the database?
    Thanks
    Eric

    eric_in wrote:
    We have a forms application running on Oracle database 10g release 2; with the users created in the application, the database can be accessed using the same IDs through SQL*Plus or any other tool. We have already restricted SQL*Plus access by product_user_profile. Is there any other way to make sure Toad or any other tool can be stopped from accessing the database?
    Thanks
    Eric

    Hi Eric
    I've a blog post on this issue. You can look for the .exe extension of the program which connects to the database
    http://kamranagayev.wordpress.com/2009/10/04/block-developers-from-using-toad-and-other-tools-on-production-databases/

  • BPM SMQ2 in sysfail Access using a 'ZERO' object reference is not possible

    Hi ,
    I am working on an IDOC to SOAP synchronous scenario
    So I am using a BPM....
    I have written an operation mapping outside BPM
    1) Request MM creates the SOAP request
    2) Response is an ABAP mapping where I am checking the response from the webservice and then generating an email using ABAP code.
    Now when I am running this scenario it works fine and the mail gets generated...
    However I get a green flag in moni and in SMQ2 in sysfail "Access using a 'ZERO' object reference is not possible"
    PS: Also the response coming from the webservice has a custom header which does not match the response ABAP mapping source MT
    However if I work on the same thing using Proxy to SOAP sync there is no sysfail message and it works fine
    Is this a bug in the system? I am using PI 7.1

    Hi,
    Try to implement SAP note 1164228 or apply package SAPKB71007 to resolve your issue.

  • Setup proxy access

    Is there a way to set up email proxy access on somebody else's account,
    without logging into that GroupWise account? That is, I need to assign some
    people proxy access on somebody else's account.

    "Michael Bell" <[email protected]> wrote in message
    news:25Lws.574$[email protected]..
    > On 12/7/2012 8:30 AM, Renee Keller wrote:
    >> Is there a way to setup email proxy access on somebody elses account,
    >> without logging into that groupwise account? That is, I need to assign
    >> some
    >> people proxy access on somebody elses account.
    >>
    Alright, let's try a different angle.
    In ConsoleOne (current version), if I click on a user account, then select
    the GroupWise tab, then select the [View Client Options] button which is
    next to the [Change GroupWise Password] button, and on the window that comes
    up I select the PASSWORD tab, about half way down is a box to use eDirectory
    authentication instead of password. I understand what that does, but to the
    right of that is a box with the picture of an unlocked padlock, followed by
    the picture of a domain (globe), but for SOME accounts it shows the unlocked
    padlock, followed by the User symbol (little red person). What is the
    difference and how is it changed?

  • Implement strategy for ASA on TACACS w/ restricted read-only access

    An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is set up for local authentication: a couple of privilege 15 admin users and a few more privilege 5 read-only users.
    ASA 5550
    running ASA 8.2(2)
    using ASDM 6.3(5)
    authenticating to ACS 4.2
    The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
    What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that are applied using the local database?
    1. Try and avoid the creation of a second TACACS username for the admin and read-only users.
    2. ACS allows restrictions on what devices can be accessed by users/groups. Is it possible to do the reverse? Restrict what usernames can access a device in the ACS database.

    If you want to configure the ASA for read-only access via TACACS, then you have to do the following:
    ASA/PIX/FWSM Configuration
    In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
        aaa-server authserver protocol tacacs+
        aaa-server authserver host 10.1.1.1
        aaa authorization command authserver
    On the ACS, you need to create command authorization set for only SHOW commands:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
    Associate command authorization set with user or group
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2
    Regards,
    Jatin
    Do rate helpful posts-

  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all
    I have given the below config in the AAA client & added the client in User, Group; the NAR is configured for all clients,
    but my requirement is to restrict AAA client access by a specified password
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.
