Restricting Wireless Access using ACS 3.3

We are currently running ACS 3.3 and I am trying to figure out how to restrict Wireless access to specific user groups. Our current setting is using PEAP and ACS as the Radius. Our user database is mapped to Windows 2003 AD. I've got the PEAP working and the radius authentication is also working but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
Erik

Hi,
On ACS 3.3.x you can certainly achieve this; all you have to do is configure NAR (Network Access Restriction). Here is the link, which should provide you further information on it.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
-Parm

Similar Messages

  • Restricting Wireless Access using BT Home Hub

    Hi
    I am trying to set up my BT home hub so that my daughter can only have limited access (fed up with her being on FB 24/7!)
    I thought I had done by using the set up access mode, but I have a feeling that this is not working all the time.  Has any one else managed to successfully do this? 
    Thank you for reading and would be grateful of any advice as this is driving us to the brink!

    Did you follow the instructions on this site?
    http://bt.custhelp.com/app/answers/detail/a_id/11364/~/what-is-bt-access-control-and-how-do-i-set-it...
    Are you sure that she is not simply bypassing it via the hub manager?
    You could change the hub manager password.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Restricting Wireless Access...Why Aren't Parental Controls Working?

    We're pretty new to OSX. Just got my son an iBook, and we're looking to not let him hop on the wireless network in the house (we want him to access the Internet only from a lan cable in the kitchen...keeping him out of harm's way). I'm set up as the administrator, and we've gone into his account and disabled his ability to modify Airport Utility. And then we turn it off, but when we go back into his account, he can still access the Internet wirelessly. What might we be doing wrong?

    The Airport Utility is only used to configure an Airport Base Station, it has no effect on wireless connectivity.
    What you'll need to do is go into the Network pane in System Preferences. Click on the Show menu and select Network Port Configurations. Uncheck the box next to the airport card. Then, click the little lock at the bottom of the system preferences window to make the Network preferences un-editable without the admin password.
    Good Luck.

  • Restricting Internet access using ARD

    I am trying to restrict students from accessing the internet using ARD. Student accounts are set using Workgroup Manager. Under preferences, I did not allow Dock.app or Safari in the list of approved applications. I also only selected applications I allow them to use to be in the dock and did not allow them to merge their dock.
    One group still has Safari listed in the dock.
    The others can still get to the internet using dashboard and going to weather settings.
    How can I eliminate this access?

    One option is to send the unix command:
    ipfw add 2005 deny tcp from any to any 80 out xmit en0
    This will block the standard internet port. If the computers are restarted then it will go back to normal. To get rid of the rule without actually restarting use this command.
    ipfw delete 2005
    Note: They have to be done with the root (or admin) user.
    PowerBook G4 15in, Xserve, G5 Dual 2ghz,   Mac OS X (10.4.3)  

  • Restrict URL Access using location directive

    I'm trying to restrict access to a URL using the location directive in Apache.
    I want to allow access to "/analytics/saw.dll?WSDL" to everyone and restrict access to "/analytics/saw.dll?Answers" to certain IPs.
    Putting the URLs in location directives doesn't seem to work. I believe the problem is the ? which is a wildcard.
    <Location /analytics/saw.dll?WSDL>
    Allow from all
    </Location>
    <Location /analytics/saw.dll?Answers>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.2.161
    </Location>
    Can anyone help?

    Hi,
    1.
    What about using an Authorization Scheme and then using Security of Page Attributes.
    In fact it is schema of users, roles, and passwords.
    2.
    f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly
    f?p=6000:6004:&SESSION.::NO:6003:MY_ITEM1,MY_ITEM2,MY_ITEM3:1234,,5678
    This example:
    * Runs page 6004 of application 6000 and use the current session ID
    * Clears the current session's cache for items on page 6003
    * Indicates debug information should be hidden (NO)
    * Sets the value of MY_ITEM1 to 1234, sets the value of MY_ITEM2 to null
    (indicated by the comma used as placeholder), and sets the value of MY_ITEM3 to 5678
    - Into Column Attributes/Column Link/Link Text pick an icon.
    - Select for Attributes/Column Link/Target “URL” for table Emp_Address and into URL field type:
    javascript: popupURL('f?p=&APP_ID.: 6004:&SESSION…………');
    You can use the value of any Item. Then in the URL link page check that item.
    Moreover, you can use f?p=&APP_ID.: 6004:&SESSION…..My_Item:#ReportColumnName#.......
    I hope this would help.
    Konstantin
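
    Background for the question in this thread, as an added example that is not part of the original posts: Apache matches `<Location>` against the URL path only, never the query string, so the two blocks in the question cannot tell `?WSDL` from `?Answers`. One way to separate them with mod_rewrite in the same Apache 2.2-style setup, assuming mod_rewrite is loaded and the rules sit in server or virtual-host context; the path and IP address are the ones from the question.

    ```apache
    # Added example, not from the thread. Assumes mod_rewrite is loaded and
    # these lines are in server or <VirtualHost> context (not .htaccess).
    RewriteEngine On

    # Default deny on this path: only the exact query string "WSDL" is public.
    # An allowlist avoids chasing variants such as "?x=1&Answers" or
    # percent-encoded spellings, which a rule that only blocks "?Answers"
    # would miss (QUERY_STRING is compared undecoded).
    RewriteCond %{QUERY_STRING} !^WSDL$
    # Any other query string is served only to the trusted address.
    RewriteCond %{REMOTE_ADDR} !^192\.168\.2\.161$
    # Both conditions true (not WSDL AND not trusted) -> 403 Forbidden.
    # The (/|$) tail also covers requests with extra path info after saw.dll;
    # NC covers case variants of the path.
    RewriteRule ^/analytics/saw\.dll(/|$) - [F,NC]
    ```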

  • Wireless network using ACS server

    Good morning.. do you have a step by step guide on how to config Cisco 1231g to authenticate using the ACS ver 4.1
    Thanks a lot

    Hi,
    Download the PDF file from the below, it will give the step by step procedure.
    http://www.cisco.com/application/pdf/paws/70149/tacacs_ap_config.pdf
    Rate me if it is helpful to you.

  • Restrict aaa access using command authorization windows acs3.6

    I need to enable aaa users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command auth set to include "configure" "permit term" they are given unrestricted access.
    Any help appreciated.

    On the router there's a:
    aaa authorization config-commands
    command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands.

  • Windows 2008 R2 GPO for wireless access restriction to Windows 8/8.1

    Dear All
    We have Windows 2008 R2 as domain controller with Windows 7/8/8.1 clients.
    We want to restrict wireless access by SSID and allow only company wireless.
    Are there any templates or GPOs available?
    Sunil
    SUNIL PATEL SYSTEM ADMINISTRATOR

    Dear SKPATEL,
    Yep it is really possible, please follow these instructions:
    Open Group Policy Management Console as an administrator.
    In the navigation pane, open User Configuration\Administrative Templates\Network\Network Connections.
    In the details pane, double-click one of the Group Policy settings described above.
    Do one of the following:
    To enforce the Group Policy setting on the currently logged on user, select
    Enabled, click Apply, and then click OK.
    To not enforce the Group Policy setting on the currently logged on user, select
    Disabled, click Apply, and then click OK.
    After you have modified all of the Group Policy settings you want, close Group Policy Management Console.
    Enforce the changes you made and test.
    More info, please check:
    http://technet.microsoft.com/en-us/library/cc732613(v=ws.10).aspx
    Best Regards,

  • How do I restrict wireless network access to specific devices/computers, using an Airport Extreme, when the WPA2 password is able to be found by other devices?

    I have set up a wireless network in my office using a couple of Airport Extremes, and, for some reason, our Windows computers are able to view the password of the network. Well, given that we employ teenagers, you can imagine what happens when they all find out the password. We want to restrict network access to only those devices we deem necessary. How do I accomplish this?

    SidMed wrote:
    We need 18-20 devices to access, all wirelessly.
    You can keep using your Apple routers as AP devices.. but get a router running a secure OS as the actual router that controls the network..
    If you have 18-20 teens on the network.. then setting quota and restrictions on bandwidth is far more important than time..
    Gargoyle on a cheap router can do it.. eg WNDR3800 or the newer W1024ND v2.
    Simply turn off the wireless in these devices.. and use the ethernet connection to the airport as WAP.
    Honestly you just will never get the security or control using apple domestic routers.

  • How do I restrict access to 4 devices using ACS

    Currently in our ACS we have Group A configured to have access to all network devices with full privilege level 15 access to all devices.
    We are now trying to implement 4 new users, however we only want them to have access to 4 devices-routers (4 IP addresses)-and only have basic level 1 functions in the router.
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implement that into

    I'm using ACS v 4.2 on windows server-TACACS
    Under NAF I have configured the IP's of the server I want them to access under Selected Items
    Under NAR I have permitted calling point
    with the NAF and  *  *
    Under the Group Settings
    Network Access Restrictions (NAR)
      Shared Network Access Restrictions
    Only Allow network access when
    All selected NARs result in permi
    all selected NARs result in permit..with the NAR i just configured in the selected NAR list

  • How to set-up Guest Client Wireless Access "PIN" with Restricted Access ???

    This is my first time, and, I am not familiar with the rules.
    Is it possible for someone to answer a slightly different question...
    I just bought a TC and hooked it up to my cable modem. I have 3 computers that I want to configure, with the following requirements: WPA/WPA2 security all around, only the 3 computers I have to be allowed use of the TC, and, no listing of the network should appear on remote computers (i.e., a "closed network"). With these basic needs, the three computers I want to be in this network are listed below --- subject to the following ACCESS limitations:
    1. A G4 iMAC (10.5.5), wired to the TC via an Ethernet cable: FULL ACCESS; i.e., shared file access, TM back-ups, HP printer access, internet access;
    2. A MacBook (10.5.5), airport wireless access to the TC: FULL ACCESS, as the iMAC.
    3. A (new generation) PC laptop: VERY LIMITED access --- access only to the internet, so that the TC looks only like a "wireless router." Internet access available at any time of the day or week. It would be good if this client did not have to use any of my passwords, just a "PIN." Also, I do NOT want this PC client to see my printer, and, also, to NOT see my TC base station and NOT have access to my TC/TM disks. To set this up, I entered the PC laptop name and the "MAC" address using the Airport Utility. Then, I selected the "PIN" choice for access, so that this client need not have to ever use or know of any of my passwords. After I selected the "PIN" option, the utility asked me to enter the PC client's PIN. How do I obtain the PC's PIN? This is very confusing to me, so, I apologize to you all (I'm very new at this).
    Hopefully, this TC-only network concern is within the guidelines to be answered.
    Thanks,
    David.

    Dear Smokerz,
    Well, this is where I'm confused. I did use the Airport Utility. I went to the place where it asks for the PIN number. So, I made up an 8-digit number and entered it. I assumed that after I entered the number, it would prompt me to do something with the PC. But, the "Continue" button did not become highlighted. Hence, my confusion. Can you please be more specific as to exactly what I should do using the Airport Utility? The detailed instructions are vague to me, unfortunately.
    Also, with respect to the PC Laptop: I only want it to have access to the internet via the TC (so that the TC acts as a wireless router). And, I want to set up restrictions for limited use of the PC: NO ACCESS to the HP printer, and NO ACCESS to the TM/TC (other than as a wireless router). As before, can you please be more specific as to exactly what I should do using the Airport Utility?
    I must be missing a trivial menu item, so, again, I apologize.
    Thank you,
    David.

  • Controlling Access to devices using ACS

    I am using ACS 3.2 and in the NAR section, I have used a wildcard (*) to define all the network devices on my network. All my users are in one group. However, I have just realised there is the need for me to create another group and put some users in that group so they only have access to some routers and switches and not all as defined by the wildcard.
    How do I achieve this goal?

    Under NAR select the Per Group Defined Network Access Restrictions.
    Select the AAA clients you want the group to access.
    Use the wildcard mask in the port and the address field.
    You can also group the devices which you want to give access under a separate NDG and in the NAR give permission to only this NDG for the group. In this way you need not add individual AAA clients.
    HTH, rate if it does
    Narayan

  • Help! I need to restrict wired access by time of day to limit XBOX 360 use

    AirPort Extreme N allows timed access restriction for wireless clients, but Apple bewilderingly decided not to make this feature available to "wired" clients that access the network via ethernet cable. *This permits our teenagers to play XBOX all night long.* HELP! Which third-party vendor makes wired routers that I can use to restrict this access by time of day? NOTE: I will need a router that still supports AppleTalk over ethernet to keep my HP LaserJet working. I tried a LinkSys router but it killed the AppleTalk packets and wreaked havoc with print jobs sent to the HP. I also want to keep the AirPort Extreme N in the network and use it as the sole DHCP server (I specifically need its ability to reserve private IP addresses for some devices), so this complicates where in the network I place the third-party router. Where should this router be, if I need the AirPort Extreme N to serve as DHCP server, and do I need to change any other setting like bridge mode, etc? _I just can't believe Apple would only allow timed access restrictions for wireless clients._ Come on! Maybe this will be fixed in a firmware update?

    Thanks, Duane. I was just looking at the PDF instructions for this router, and it offers extensive control of wired time access by IP number.
    So: If I (1) put this Belkin device at the top of my network chain, between my cable modem and my AirPort Extreme; and I (2) turn off the DHCP server in the Belkin device but turn on the DHCP server in the AirPort router; and I (3) use the AirPort Extreme to assign a reserved IP address to the XBOX; and I (4) use this reserved IP address to restrict the XBOX access by time of day via the Belkin router software... Everything will work OK?
    Seems awfully complicated. Basically, I would be using the Belkin router only as a high-octane network switch -- one that permits timed access restrictions for devices at specific IP addresses (and handshakes with the cable modem to provide a unique MAC address to the cable company). Right?

  • Guest access to Internet using ACS (TACACS+ mode)

    Hi,
    I have ACS 1121 configured in TACACS+ mode. I need guest wired users to go only to internet. I don't have any proxy server or any radius server currently. How can i achieve this?

    Hi Blisk1,
    Based on your description, the goal is to prevent users from connecting their home laptops to your network.
    You could try to deploy NAP enforcement for DHCP. Using DHCP enforcement, DHCP servers and NPS can enforce health policy when a computer attempts to lease or renew an IPv4 address. NAP can enforce health policies by inspecting and assessing the health of client computers, restricting network access when client computers are noncompliant with health policy, and remediating noncompliant client computers for unlimited network access.
    When creating NAP policies with a Wizard in NPS server, to grant or deny access to groups of computers, you could add specific groups to Machine Groups, such as domain computers.
    Checklist: Configure NAP Enforcement for DHCP
    http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx
    Best Regards,
    Tina

  • How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

    How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

    The Guest Network function of the Time Capsule and AirPort Extreme cannot be enabled when the device is in Bridge Mode. Unfortunately, with another router...the Telus...upstream on your network, Bridge Mode is indicated as the correct setting for all other routers on the network.
    If you can replace the Telus gateway with a simple modem (that performs no routing functions), you should be able to configure either the Time Capsule or the AirPort Extreme....whichever is connected to the modem....to provide a Guest Network.
