Restricting access to unknown networks.

I am configuring school district iPads.  I would like the iPads to ONLY connect to the school district's secure network.  What setting controls which networks they can log into?  I already have the profile allowing them to the school district's secure network.  I am trying to exclude all others such as public networks at Starbucks.  This would reduce the desire to steal the iPads.

Hi Doug,
No, the Data Mart itself is unaware of the user who is accessing data. It is possible to permission reports, and data mart access, but not the data in the data mart.

Similar Messages

  • HT1178 How do I restrict access to my network to mac addresses?

    I am setting-up a new Time Capsule and wish to restrict access to my wireless network to only those mac addresses of my equipment.  I can't find instructions on how to do this.  Any help in pointing me to the correct resource would be appreciated.

    Suggest that you check the Help area in AirPort Utility for instructions.
    Open AirPort Utility
    Click the Help menu at the top of the screen
    Click AirPort Utility Help
    Wait for Help to load
    Click Setting up a Wi-Fi network on the left side of the main page
    Click Control when a user can access your network
    Click Control access to your wireless network

  • Restrict access to specific network devices

    Is there a way through ACS to limit user logons to only specific devices? I know through NAR, I can restrict the source address, but how can I restrict the destination?
    Thanks

    I'm having the same problem.
    The ACS in NAR is mandatory to use a AAA Client plus the client and I would like to limit only by the AAA client.
    It means, the ACS uses the attributes
    Calling-station-ID (Final client)
    Called-station-ID (Network Access Server NAS)
    I would like to limit only based on Called station.
    If you get somehow to solve it please post here.
    Thanks

  • How do I restrict access to 4 devices using ACS

    Currently in our ACS we have Group A configured to have access to all network devices with full privilege level 15 access to all devices
    We are now trying to implement 4 new users, however we only want them
    to have access to 4 devices-routers (4 IP addresses)-and only have
    basic level 1 functions in the router
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implement that into

    I'm using ACS v 4.2 on windows server-TACACS
    Under NAF I have configured the IP's of the server I want them to access under Selected Items
    Under NAR I have permitted calling point
    with the NAF and  *  *
    Under the Group Settings
    Network Access Restrictions (NAR)
      Shared Network Access Restrictions
    Only Allow network access when
    All selected NARs result in permi
    all selected NARs result in permit..with the NAR i just configured in the selected NAR list

  • How do I restrict access to USB Disk connected to Airport Extreme

    I have attached a USB HDD to my Airport Extreme Base Station. The drive is divided into 4 partitions, which I did with the HDD connected directly to a MBP before plugging into the AEBS. All the Macs on the network seem to be able to read and write into all 4 partitions. Is there any way to restrict which Macs can access which partition? Or, if I went to a single partition, is there a way to restrict access on a folder by folder basis?
    I've tried searching, but the best answer I've found so far is that the AEBS will only support a single partition/volume.... which doesn't appear to be true anymore.
    Thanks in advance

    You can put a filter on your wifi or use something like the K9 browser.

  • When getting online Macbook defaults to an unknown network.

    Lately, when I get online, my connection defaults to an unknown network. This happens only on the Macbook, other devices are OK. Is there any way to lock the computer into just my own network? Could not find anything in preferences.

    Please try the following on your MacBook:
    1a. Delete Preferred Network(s)
    System Preferences > Network > AirPort > Advanced > AirPort tab
    Under "Preferred Networks," delete the network(s) you regularly use from the list.
    1b. Delete AirPort Keychain Entries
    Launch the "Keychain Access" application located in Applications/Utilities.
    Click on the "Kind" filter at the top, and look for any "AirPort network password" entries...and delete them.
    1c. Add Preferred Network(s)
    System Preferences > Network > AirPort > Advanced > AirPort tab
    Add the preferred network(s) using the "+" button.
    Restart or log out then back in.

  • Unknown network name on my computer

    I have in addition to the local network I created a few years back, suddenly an unknown network on my list, using my high speed internet connection? when I try to access it, it will ask for a password... I would like to know how I can delete this network and how I can prevent this from happening again. I use an ibook, latest tiger os, and a g4, os 10.3.9 Any suggestions? thanks, e_moma

    e_moma, Welcome to the discussion area!
    "...suddenly an unknown network on my list..."
    That is a wireless network created by one of your neighbors.
    "I would like to know how I can delete this network and how I can prevent this from happening again."
    You can't. Your Mac will show all available networks on the list. Kind of like hearing your neighbor's dog barking.

  • Restrict access to Dynamics CRM 2015 to only company laptops or Ipads

    Dear all,
    I have deployed MS Dynamics CRM 2015 server on premise and I want to restrict access to company laptops only.
    All company laptops are joined to my domain.
    Any guide/help would be greatly appreciated.
    Many Thanks & Regards
    Vinay

    CRM has no specific functionality to restrict access to certain machines, but you may be able to achieve this by more general functionality. One option is to block the Crm url on specific client machines, as per the previous post, but that only works for known machines.
    Another option could be to add restrictions in IIS on the Crm Server. This can restrict access to only certain IP addresses, but that would only work if the laptops always connect via a known set of IP addresses - this is probably OK if they're always connected via a company network, either directly, or via a VPN.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

  • Federated identity and Visual Studio Online - Restricting Access

    Hi,
    Using federated identity, can I restrict access to Visual Studio Online only from the corporate network, the same way I can with office 365? If so anyone know what claim rules should be used. Going further can I restrict by client certificate?
    Thanks

    Hi PMLIO,
    So the answer to your question is a mixture of both yes and no, depending on the level of restriction you desire.
    VSO has deep integration with Azure Active Directory, which allows you to restrict access to your Visual Studio Online account to only users who exist in your corporate directory.
    This page details more about this support and how to enable it. If you remove users from your Azure AD directory (which can be synced with your on-prem directory), they will lose access to your Visual Studio Online account automatically, without you having to manually remove them from the account. Will that fulfill your requirements?
    We currently don't support a scenario where only users who are connecting to Visual Studio Online from a corporate network are permitted to access your account. If that's something you need, we recommend an on premise deployment of Team Foundation Server.
    We'd certainly welcome a feature suggestion on the Visual Studio Uservoice to add support for this in Visual Studio Online!
    Client certificate authentication falls into the same bucket as above: Visual Studio Online doesn't support client certificate authentication. There's a UserVoice suggestion about supporting SSH auth that's in a similar vein, so it's definitely something we're hearing desire for.
    Let me know if you have any more questions!
    Regards,
    Will Barr
    Software Engineer | VSCS Developer Identity

  • Restricting access via MAC address?

    Hello,
    Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
    I'm kinda stumbling around here
    Thanks,
    Jonny

    Sorry if I wasn't being specific enough...
    I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
    What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
    Surely it's possible?

  • 13017 Received TACACS+ packet from unknown Network Device or AAA Client

    I am adding new routers to our Corporate network for a new MPLS network.  I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client errors for these new routers.  They are added to ACS 5.4.0.30 correctly just like all of our other devices.  We have never had real routers on the network before, just switches and access points.  Is there something special I need to set in ACS for these to work and authenticate correctly?  I can only access them currently with built in login locally.
    One of the new router configs
    Current configuration : 2370 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname T666
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common
    clock timezone CST -6
    clock summer-time CDT recurring
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    voice-card 0
    crypto pki trustpoint TP-self-signed-2699490457
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2699490457
     revocation-check none
     rsakeypair TP-self-signed-2699490457
    username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
    interface FastEthernet0/0
     ip address 10.114.2.1 255.255.255.0
     ip helper-address 10.30.101.4
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/1/0
     ip address X.X.X.X 255.255.255.252
     no fair-queue
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
     service-module t1 fdl ansi
     no cdp enable
    router bgp 65065
     no synchronization
     bgp log-neighbor-changes
     network 10.114.2.0 mask 255.255.255.0
     neighbor X.X.X.X remote-as 209
     neighbor X.X.X.X default-originate
     default-information originate
     no auto-summary
    ip forward-protocol nd
    ip bgp-community new-format
    ip http server
    ip http authentication aaa
    ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    no logging trap
    tacacs-server host 10.30.101.221 key 7 1429005B5C502225
    tacacs-server host 10.30.101.222 key 7 1429005B5C502225
    tacacs-server directed-request
    control-plane
    banner exec ^CC
    C
    Login OK
    ^C
    banner motd ^CC
    C
    **  UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED.  USE OF
    **  THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
    **  RUAN Transport Corporation
    **  Network Services
    **  [email protected]
    **  515.245.2512
    ^C
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     transport input all
    line vty 5 15
     exec-timeout 30 0
    scheduler allocate 20000 1000
    end
    T666#

    AAA Protocol > TACACS+ Authentication Details
    Date: September 19, 2014
    Generated on September 19, 2014 10:21:27 AM CDT

    Authentication Details
    Status: Failed
    Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client
    Logged At: Sep 19, 2014 10:21 AM
    ACS Time: Sep 19, 2014 10:21 AM
    ACS Instance: acs01
    Authentication Method:
    Authentication Type:
    Privilege Level:

    User
    Username:
    Remote Address:

    Network Device
    Network Device:
    Network Device IP Address: 10.114.2.1
    Network Device Groups:

    Access Policy
    Access Service:
    Identity Store:
    Selected Shell Profile:
    Active Directory Domain:
    Identity Group:
    Access Service Selection Matched Rule:
    Identity Policy Matched Rule:
    Selected Identity Stores:
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule:
    Authorization Policy Matched Rule:
    Authorization Exception Policy Matched Rule:

    Other
    ACS Session ID:
    Service:
    AV Pairs:
    Response Time:
    Other Attributes: ACSVersion=acs-5.3.0.40-B.839 ConfigVersionId=359 Device Port=59840 Protocol=Tacacs

    Authentication Result
    Steps
    Received TACACS+ packet from unknown Network Device or AAA Client
    Additional Details
    Diagnostics
    ACS Configuration Changes

  • Error 23002 when restricting access to specific TS

    I am a bit stumped at the moment on my TSGW.  I am attempting to restrict which Terminal Servers the TSGW will redirect to.
    I am doing this via RAP > Network Resource > "RD Gateway-managed group"
    I created a new group and added the FQDN of the TS I want to connect to and I was unable to connect (received error 23002)
    I then modified the group to use the IP address of the TS and received the same error.
    I then set the Network Resource option in RAP to "Allow users to connect to any network resource" and I was able to connect.  I naturally don't want to do this and want to restrict access as we have other Terminal Servers for other groups.
    I must be missing something, but I am not sure what.  Any thoughts from anyone?

    OK... I may have solved my own issue here.  Sometimes typing it out makes me think...
    One thing I didn't try was the NetBIOS name within the RD Gateway-managed group.
    I entered the 3 entries:  IP/FQDN/NetBIOS  and things came alive.  Now, I shouldn't need all three, so I will need to do some more checking, but at least I'm now in the right direction.

  • Airport Utility Timed Access Control does not allow/restrict access to wireless clients per the time set.

    I have been trying to setup Timed Access Control in Airport Utility and it does not seem to be working correctly. 
    In Airport Utility from Edit Timed Access Control I enter a name for my device (iPad/iPhone, any device), enter my MAC address, set time for Everyday and use default Between 9:00 AM and 5:00 PM, save and then update. When I go to my device (iPad, iPhone, etc.) I still have access even when it is after the time set, 5:00 PM.  If I set no access it will restrict access; also I set a time between 2:00 PM and 5:00 PM and access was restricted.  It doesn't seem to matter what the device is.  I know that the MAC address is set correctly.  It seems like an issue with the Utility, possibly a time mismatch or something.  Not sure if I am missing something or if this Utility just has flaws. Please help.

    I changed the default to (no access) and set an entry for my test device (an iPad) to "Everyday Between 9am to 5pm".  The iPad was still able to gain access to the network.
    Something else to note, if I try to edit the time of an entry it gives me an error on my MBP "Invalid value", "The value for “Timed Access Control” is invalid."  This happens even if I delete a digit (number or letter in the time field) and replace with the exact same. Not sure if the two are related. I have tried to edit access from my iPad.  I don't get any errors but I still don't get the expected results.  I called Apple to try and get Tech support but they were not much help. Thanks again.

  • Limit/Restrict access between subnets

    A wireless access point grants wireless clients the same access to networks as any wired client has. So, if there are several subnets (routed or bridge) on the LAN, then any client wired or wireless) will have the same access to all subnets (unless specific rules exist saying otherwise).
    Source: http://www.tomshardware.co.uk/forum/page-9358_18_0.html
    Hi Everyone
    I found this text on some forum and I'd like to understand it, or at least, I'd like to understand what is meant by "unless specific rules exist saying otherwise".
    The reason for my question is that it's exactly what I'm looking to do. I have a 1st subnet that isn't equipped with wifi and has a few computers connected to it. This subnet is on 192.168.0.0/24. I connected to this subnet a Linksys WRT54G2 that works as a "Gateway" and not as a "Router" and defines the subnet 10.0.0.0/24. This way I can share my internet connection, however, my original idea was to have 2 different subnets and make sure they wouldn't be able to communicate to each other (except for the printer that's on the 1st subnet at 192.168.0.2/24).
    Internet
    |
    Modem
    |
    Router (no wireless)
    |
    +-------+-------+-------+-------+---------+   192.168.0.0/24
    |       |       |       |       |         |
    PC1     PC2     PC3     PC4     Router    Printer
                                    (wireless)
                                    |
                                    +-------+-------+   10.0.0.0/24
                                    |       |       |
                                    PC5     PC6     PC7
    What happens is that the machines on the 2nd subnet (10.0.0.0/24) can see the machines of the 1st one (192.168.0.0/24). For example, when I'm on machine 10.0.0.5/24 and I ping 192.168.0.2, not receiving any answer from my subnet the request is therefore sent to the gateway (WRT54G2), which in turn forwards the request to the subnet 192.168.0.0/24 that does indeed get an answer.
    And of course, the machines on the 1st subnet cannot see the machines on the 2nd. Obviously, when I'm on 192.168.0.5/24 and I ping 10.0.0.5, the 1st subnet doesn't have any static routes defined to ask the 2nd router to route the request.
    All that's not bad, but not good enough yet. I'd like to make sure the 2 subnets cannot communicate at all, except for the printer. Or, ideally, the 1st subnet could access the 2nd one, but the 2nd one couldn't access the 1st one.
    After thinking a little bit I thought, it shouldn't be that hard, I could simply swap the 2 subnets, PC5, 6 and 7 would be connected through wireless to a first router that is itself directly connected to the internet, and my 2nd subnet would be initialised by the router that doesn't have wifi, like this:
    Internet
    |
    Modem
    |
    Router (wireless)
    |
    +-------+-------+-------+---------+   192.168.0.0/24
    |       |       |       |         |
    PC5     PC6     PC7     Router    Printer
                            (no wireless)
                            |
                            +-------+-------+-------+   10.0.0.0/24
                            |       |       |       |
                            PC1     PC2     PC3     PC4
    But here's the problem, that 1st subnet is in fact the one of my dad in law, and he has no intention whatsoever to change anything, he's also very paranoid with security (he buys and sells shares and does quite a few sensitive things), and I don't really want to invest in another internet connection when we have a perfectly working one already...
    So all that to resume my question to: would it be possible, in one way or another, without changing the topology, to restrict the access between the 2 subnets keeping a door opened for the printer?
    I realise this post is quite long, so thank you for reading it until the end!!

    Well as your Both the Routers are Connected to each other, so this means your Both the Routers are in the same Network, and if you try to ping the Computer, which is on the 1st Network you will be getting the replies. When you Ping the computer on the 1st Routers, your 2nd Router will talk to your 1st Router, and your 1st Router will give him the replies.
    So Basically you want do is, just block all the computers to access each other network on the different subnet. This means Router 1 Computers, should not access the Computers on Router 2. In this case you can try is, Change the Workgroup name of the Computers which are Connected to your 1st Router, and change the Workgroup names of the Computers which are connected to the 2nd Router. On your Router setup page, below the Security tab, you need to check the Box "Filter Anonymous Internet Requests" and click on Save Settings. Well will disable the File and Printer sharing, and your Router 1 Computers will not have a access to the Router 2 Computers As this both the Computers will be in the Different Domain. 
    The Printer which you have is it a Network Printer or a Normal USB Printer. If its a USB Printer, then if you change the Workgroup name of the Computer where the Printer is Connect, then that printer might not work on the Computers on the 2nd Router. 

  • Using NAR to restrict access by MAC address

    Hello All,
    We have a solution where home users connect via ATM onto our network. Currently their radius requests are passed onto Cisco ACS 3.3 and they are authenticated using RSA SecurID Fobs to an ACE server.
    I am trying to look at an alternative to using a SecurID fob and restrict the end user's access based on MAC address.
    I found this on the online documentation for ACS 3.3
    "About Non-IP-based NAR Filters
    A non-IP-based NAR filter (that is, a DNIS/CLI-based NAR filter) is a list of permitted or denied "calling"/"point of access" locations that you can use in restricting a AAA client. However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log."
    If I specify a client's MAC in any of the non IP NAR options (CLI, Port, DNIS) access is refused. I am using radius IETF and the only time I can see the MAC in the radius accounting logs is when I turn on the option to log cisco-av-pair. Nothing is being logged under CLI or DNIS, so I don't think I can restrict access based on MAC using a non IP NAR. Has anyone implemented what is referred to in the documentation above? Is it just applicable to Cisco Aironet? Any ideas?
    Thanks.

    A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. So it is not device specific.
