Restriction of client

Similar Messages

• Configured Nacs- how to restrict AAA client access by specified Password

  Hi all
  i hav given the below config in AAA Client& added the Client in User,Group, the NAR is configured for all Clients ,
  But my requirement is restrict AAA client access by specified Password
  aaa new-model
  aaa group server tacacs+ NACS_Group1
  server 10.x.x.x
  server 10.y.y.y
  aaa authentication login default group NACS_Group1 local
  aaa authentication enable default group NACS_Group1 enable
  aaa authorization config-commands
  aaa authorization exec default group NACS_Group1 if-authenticated
  aaa authorization exec NACS_Group1 group tacacs+ local
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+

  You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
  Apply existing shared NARs by name.
  Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
  Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
  Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

• Restricting MDM client access when LDAP is in use

  Hi all,
  I'm struggling a bit with MDM's security concept an hope you can help.
  We're using LDAP integration so we don't need to create all users in MDM. Most users shall use the Portal with MDM iViews to access and maintain data. Very few users shall use rich clients, like Data Manager or Import Manager.
  Some MDM WebServices run in the background of the portal process to automate some tasks, but still with the portal user authentification to make sure that the change tracking / user stamp fields are filled correctly.
  I know that LDAP is either on or off, so if we use it, we must use it for both portal and rich client. This means, everybody with a Data Manager installation and MDMRoles in LDAP can log in to Data Manager and use it according to their role. This, we want to prevent, as Data Manager generally offers way more functionality than we want our endusers to have but which we cannot restrict in the role definition so as not to corrupt our portal integration (e.g. the Web Services need more functional rights than a Data Manager user shall have).
  Of course we will restrict who gets an installation of Data Manager, but this is hardly enough to ensure security policy, if people simply install the client software themselves.
  We already considered a firewall between client and server and only opening the port 20005 for select users (by fixed IP addresses), but that same port is used by Data Manager and Java API (meaning our portal / Web Services), so we would also restrict the portal access.
  Is there a solution to grant portal access for basically everyone and rich client access for a select few while having LDAP in use?
  Thanks a lot in advance!
  Cheers
  Christiane

  Hi Christiane,
  I think you can restrict more functionality of Data Manager for a LDAP User. For this user assign a role which do not have access to create data etc as per the Role assigned to that user of LDAP. I mean the user is able to perform operations in Data Manager according the groups he is member of (Roles in MDM). In MDM Console, You have Role table where you can see Table and Fields and Functions, here you can give access to none for the functions & table and Fields.
  Please refer for more details Page no 4 onwards [Step-by-Step Process to Configure LDAP Support for MDM|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true]
  Just check and revert with result.
  Hope it helps..
  Regards,
  Mandeep Saini

• How to restrict AP client-to-client traffic in same SSID

  Dear all,
  Please kindly advise how wireless client-to-client traffic can be restricted? The AP is controlled by WLC.
  Thanks.
  Eric

  Hi Eric,
  Great question! Here is the related info, note the nice change in WLC Version 4.2.x.x;
  Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
  A. The feature or the mode that performs the similar function of PSPF in Lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP.
  If this mode is disabled on the controller, which is by default, it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller.
  It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
  Configuring Peer-to-Peer Blocking
  In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received.
  In controller software release 4.2, peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated.
  http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1084832
  Hope this helps!
  Rob

• Restrict WLAN Clients based on device

  Hello Guys
  I had a question for all you experts.
  I have 2 SSIDs being broadcasted out in my campus, one for computers, macs etc and other for just cell phones, Is there a way we can restrict the cellphones from not connecting to the SSID used by computers. I do not have an identity management system like ISE. My controllers are WISM2 and I use 3502 APs.
  Following is the detail from one of my controllers
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.2.110.0
  Bootloader Version............................... 1.0.16
  Field Recovery Image Version..................... 7.0.43.32
  Firmware Version................................. FPGA 1.6, Env 0.0, USB console 2.2
  Build Type....................................... DATA + WPS
  Any guidance will be highly helpful.
  Regards

  You need something that can profile based on SSID and device type, like ISE to be able to do that.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Restrict access to other WLN clients

  When clients are associated to a Cisco AP, is there away to restrict the clients from sending traffic to other clients associated to the same AP?

  Yes, the feature is called "Public Secure Packet Forwarding".
  This works like protected ports (Private VLAN edge) on switches,
  blocking all layer 2 traffic between clients associated to the same AP.
  On the GUI it's enabled/disabled under Network Interfaces->Radio...->Settings->Public Secure Packet Forwarding
  With the CLI you configure "protected port" for the bridge group.
  <http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d2f.html#wp1038494>

• Restrict wireless internet access on certain periods of time

  Hello,
  We need help on setting up a network with some restrictions for the attached clients.
  We're quite new at setting up a network at this size.
  Used devices:
  1x SRP 540 router
  1x SG 300-10P managed switch
  4x AP 541N accesspoint
  What we want to do:
  1. Around 100 laptops and desktop computers need wireless internet access, but some of them on limited times during the day.
  2. Not all wireless devices are allowed on using the wireless network.
  3. There are also wired desktops that don't need restrictions.
  4. We need the possibility to restrict most of the wireless devices to access certain websites or use certain applications on those computers to use internet access during the times that the computers are allowed to access the internet.
  5. We want to restrict the clients for using torrents or other possibilities of downloading illegal content.
  What we were able to do:
  1. The accesspoints (AP 541N) are clustered to achieve 1 large wireless network.
  2. Only mac-adresses that are listed in the accesspoints are capable of using the wireless network. Other mac-adresses are not allowed to use the accesspoints.
  What we tried already:
  1. adding the mac-adresses for the accesspoints to the list of "internet access policy" in the router. Internet access seemed still possible during periods the access wasn't supposed to be possible.
  2. adding the mac-adresses from all clients in this internet access policy seemed useless. Only 10 Internet Access Policies seem to be possible to program. 8 mac-adresses per policy. Knowing there are (at least) two policies needed to restrict a group of 8 macs to access the internet in 24 hours (because blocking the internet from f.e. 22u in the evening to 6 in the morning is not possible because 6 is smaller than 22 - or 10PM).
  Besides, after blocking internet access, we need also to write policies in blocking some websites or keywords.
  Thanks already for your guidelines.
  Wim

  what about the thoughts of radius for authentication which is connected to active directory for your wireless users. Then have those people you must limit access too during the day in their own security group that's only allowed to login to the domain during certain times of the day.
  To limit sites or what they can do on the Internet will require a separate solution for content/URL filtering. Then you can make policies and apply to your security groups in active directory block by category, keyword, and so on.
  This is all great assuming you can get these clients into AD.
  Just a quick thought, hope it helps.
  _dschlicht
  Sent from Cisco Technical Support iPad App

• HT2688 How do I restrict access to *specific* songs (or give access to a specific playlist) in Home Sharing

  http://support.apple.com/kb/HT2688?
  This article describes two different things:
  Music Sharing and
  Home Sharing
  Music Sharing allows you to select playlist(s) to share, and allows you to play the song from another device. It does *not* allow you to transfer the song to another device.
  Home Sharing allows you to share your ENTIRE music library and transfer the songs to another device. It does not allow you to restrict the share to a specific playlist(s).
  Try it. You can set a password and check the boxes to restrict your playlists, but that only restricts while Home Sharing is turned off. EVERY file is accessible when you have Home Sharing running.
  I have a bunch of music I don't want my kids listening to. I've created a playlist for them, and I want them to be able to load their ipods with music from that list without accessing other music.  Any ideas?

  say suppose i have no control over wcf client. so i want to do it at client side. so what is your suggestion. thanks
  If you can't  implement role based secuirty on the client-side, the you may want to look at what is in the link.
  http://blog.clauskonrad.net/2010/04/wcf-restrict-which-clients-can-call.html

• How to creat pdf documents with printing restrictions in Aperture

  Hi,
  I wondered if it is possible to create a pdf document made up of 9-12 image per page contact sheets, to send to clients that restricts the client to open and view only i.e no printing allowed.
  Photoshop allows this, however i would like to create /correct versions in aperture and then create a pdf [with the above printing restrictions applied, simply to save time.
  the way i work in photoshop is to export approx a 500 to 1000 jpegs [ per client] in aperture to a folder which I then open with Bridge- create the contact sheets and then create the pdf document with printing restrictions applied.
  is there any way for me to make this simpler, especially just using Aperture?

  just been reading about terminal on another thread.... Spinning beach ball,,[page 2 of Aperture discussions].Apparently there is a command line explained there that can help speed up Aperture. I tried it but Had a problem when trying to type in my Password... It would not let me type anything....So I canceled the proceedure. [ knowing my luck I would cause some irrepairable damage to the machine].
  Think I need to do a lot of reading up to get up to scratch with folk using this discussion Board!!!
  With regards to the pdfauxinfo- is it complicated to get running, or does it run straiaght away in automator?

• Federated identity and Visual Studio Online - Restricting Access

  Hi,
  Using federated identity, can I restrict access to Visual Studio Online only from the corporate network, the same way I can with office 365? If so anyone know what claim rules should be used. Going further can I restrict by client certificate?
  Thanks

  Hi PMLIO,
  So the answer to your question is a mixture of both yes and no, depending on the level of restriction you desire.
  VSO has deep integration with Azure Active Directory, which allows you to restrict access to your Visual Studio Online account to only users who exist in your corporate directory.
  This page details more about this support and how to enable it. If you remove users from your Azure AD directory (which can be synced with your on-prem directory), they will lose access to your Visual Studio Online account automatically, without you
  having to manually remove them from the account. Will that fulfill your requirements?
  We currently don't support a scenario where only users who are connecting to Visual Studio Online from a corporate network are permitted to access your account. If that's something you need, we recommend an on premise deployment of Team Foundation Server.
  We'd certainly welcome a feature suggestion on the
  Visual Studio Uservoice to add support for this in Visual Studio Online!
  Client certificate authentication falls into the same bucket as above: Visual Studio Online doesn't support client certificate authentication. There's a
  UserVoice suggestion about supporting SSH auth that's in a similar vein, so it's definitely something we're hearing desire for.
  Let me know if you have any more questions!
  Regards,
  Will Barr
  Software Engineer | VSCS Developer Identity

• Client dependent & client independent objects

  Hi All,
  What is meant by client independent & client dependent ?
  I know that sapscripts are client dependent while smartfiorms are client independent. Also reports & FMs are client independent.
  Want to have a better idea on this concept....
  Thanks in advance..
  Sweta

  If you create a table in 010 client in DEV server with CLNT as its first fields type, then you will find that table structure in all clients in DEV server. (i.e client independent)
  example: function module, abap program, smart form.
  If you create a record in that table in 010 client, you will not find that record in other clients. (i.e client dependent)
  Example: script.
  Sap script was developed a long back.
  smartform is developed to avoid these type of some restrictions
  Also:
  Client dependent Means if you create that data in one client is limited to that client only and it is not accessable in other clients
  Like SAP SCRIPTS and STD texts data
  where as Client Independent means the data if you create in one client that is available in that as well as in other clients
  Like SMARTFORMS, All dictionary Objects data and Repository objects data like Programs, Fun modules, tables etc..
  There is no specific reason behind why scripts are client dep[endent and smartforms are client independent!!!
  As for SAP -- Scripts are called client dependent because if you create client in say,200 it would be available in that only.If you want to test the script in client 300 then it won't be there,you will have to go to transaction se71 in 300 .Then Utilities-> Copy from client.Give the source as 200 & form name(i.e. script name) & copy.
  Few more reasons why....? Please read below:
  SAPscript technology is based on a mainframe product from the 1980s.SAPscript forms have always been -- under the hood -- relatively passive objects, with minimal embedded logic. These forms were designed to be driven and controlled by ABAP programs, much in the way ABAP programs read in database tables to produce reports;
  if you ever download a SAPscript form (e.g., via utility program RSTXSCRP), and look at the portable text file it produces you'll see what I mean.
  Many text objects (e.g., invoice header texts) are bound directly to documents which are client-dependent, so it makes sense for these text objects to also be client-dependent. From a complexity standpoint, SAPscript forms are close enough to these text objects where I can see how it made sense at the time to make them client-dependent too.
  MANDT is the field which differenciates the table from Client Dependent and Client Independent Tables.
  All the Scripts are Client Dependent Objects
  Smart Forms, Function Modules are Client Independent Objects.

• Limitar clientes en un AP

  Buen día
  Tengo un WLC 2504 y quiero bloquear a ciertos usuarios de un AP ademas de limitar el numero de clientes que se pueden firmar en un AP, algo que me puedan recomendar?
  saludos!

  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01001011.html
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/113303-restrict-wlan-clients-00.html

• Wireless clients cannot get to internet

  Hi All,
  I'm fairly new to networking and have been trying to troubleshoot an issue with my home lab.
  I have a Cisco 2800 router with 2 interfaces, gig0/0 that is the "external" interface and gets an IP via DHCP, and gig0/1 that is the internal interface with IP 10.10.10.1 and a DHCP pool of 10.10.10.100 - 10.10.10.254. A nat pool containing the external interface IP (192.168.1.110) exists.
  Current configuration : 3229 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  no aaa new-model
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1 10.10.10.99
  ip dhcp pool dpool1
  import all
  network 10.10.10.0 255.255.255.0
  dns-server 8.8.8.8 8.8.4.4
  default-router 10.10.10.1
  ip domain name home.local
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  multilink bundle-name authenticated
  interface GigabitEthernet0/0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/3/0
  shutdown
  interface FastEthernet0/3/1
  shutdown
  interface FastEthernet0/3/2
  shutdown
  interface FastEthernet0/3/3
  shutdown
  interface Vlan1
  no ip address
  shutdown
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat pool ovrld 192.168.1.110 192.168.1.110 prefix-length 30
  ip nat inside source list 1 pool ovrld
  access-list 1 permit 10.10.10.0 0.0.0.255
  snmp-server community public RO
  control-plane
  scheduler allocate 20000 1000
  end
  Coming off the internal interface is a 3750, and attached to that 3750 is a 4400 Wireless Lan Controller.
  I'm able to create a wireless network that uses the router for DHCP and clients can connect to this wireless network and obtain an IP from that DHCP pool. The wireless clients can ping the default gateway (10.10.10.1) as well as every other device on that network, including hard-wired devices on the 3750. The arp table on the router also shows the wireless clients.
  However, only clients connected via ethernet can access the outside (internet), wireless clients, who appear to get the exact same network config, are unable to access the internet they can only access other devices on that 10.10.10.0 network.
  So I'm confused as to why with what appears to be the proper default gateway (10.10.10.1) and a valid IP from the router, what could be broken so hard-wired clients can NAT to the outside while wireless clients can't? I can't find any setting on the WLC 4400 that would be restricting wireless clients from leaving the local network.
  Any clarification on my issue/my understanding of the problem would be greatly appreciated. Cheers!

  Hello smorrissey,
  May I ask, how many end devices do you have connected to the switch? And if you tried to connect wireless clients simultaneously with wired devices?
  Because from your config it seems you're using only dynamic NAT:
  ip nat inside source list 1 pool ovrld    // this command will translate IP picked by ACL 1 to address in pool named ovrld. Because you have only 1 address in this pool, only 1 inside device will be able to communicate with outside world (Internet) at a time.
  I would suggest to add keyword "overload" at the end of this command (ip nat inside source list 1 pool ovrld overload) to enable PAT, which will allow multiple LAN devices to use 1 outside address at the same time thanks to port address translation.
  Hope this will help.
  Michal

• Restrict SSID in Access Connections?

  Here at my company we have two wireless networks available in the building.  
  "guest": allows access to internet outside the DMZ
  "internal": allows access to intranet
  We want to restrict access to "guest" for our internal users. ls there a way to restrict access to the "guest" wireless network in AC?  
  Any help would be great. 
  Thanks!

  Hi,
  in case you already have this profile in the lit of all AC profiles, and you want to remove it from the list of roamed Wifi profiles, then you can remote this particular profile from the roaming list manually or in registry:HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\Access Connections\Locations\%pofileName%\m_bSelectedForRoaming => change to "0" zero
  Otherwise, I don't know of any otehr option, how to hide, or restrict a wifi profile for the users.
  However, there might be an option how to do it.
  Here is what I'm thinking of:
  - use the Access Connection ADM file and restrict the clients to connect to any profile
  - insert all Wifi profiles to the AC location list
  - use the above description, or the ADM file to block this particular profile, so that the users will not be able to connect to it
  Maybe a bit workaround more then a solution, but this should lead to the situation, that you want to happen.
  Let me knwo, if this is not what you are looking for.
  Cheers

• Avoid Printer selection Dialogue box when printing Crystal report in JAVA

  Hi i am calling crystal report in my servlet using Report Client Document SDK, now i want to print the report directly to the default printer set without selecting the printer from the select printer dialogue box. In other words want to avoid the select printer dialogue box from appearing . Can any body suggest me how do i do this .
  Any suggestions appreciated.

  In javascripting the code is
  function Print()
  if (document.all)
  WebBrowser1.ExecWB(6, -1) //use 6, 1 to prompt the print dialog or 6, 6 to omit it;
  WebBrowser1.outerHTML = "";
  <object ID="WebBrowser1" WIDTH="0" HEIGHT="0"
  CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2">
  But the above code does not work in windows XP SP2.... and i cannot restrict my clients OS.
  where as C#,ASP.NET  provides the functionality to print directly to printer as
  The ReportDocument class provides PrintToPrinter method that may be used to print a CR direct to the printer. If no printer is selected, the default printer will be used to send the printing pages to.
  The PrintToPrinter method takes four parameters.
  nCopies : Indicates the number of copies to print.
  collated : Indicates whether to collate the pages.
  startPageN : Indicates the first page to print.
  endPageN : Indicates the last page to print.
  The following steps will guide you to achieve the same:
  Add crystal report (.cr) file to your ASP.NET application.
  Add a report instance on the page level.
  Dim report As MyReport = New MyReport
  Populate reports data on Page_Init 
    ' Get data in a DataSet or DataTable
          Dim ds As DataSet = GetData()
          ' Fill report with the data
       report.SetDataSource(ds)
  Print Report
  report.PrintToPrinter(1, False, 0, 0)
  If you wish to print certain page range, change last two parameters From to To page number.
  If you want to set page margins, you need to create a PageMargin object and set PrintOptions of the ReportDocument.
  The following code sets page margins and printer name:
  Dim margins As PageMargins =  Report.PrintOptions.PageMargins
     margins.bottomMargin = 200
     margins.leftMargin = 200
     margins.rightMargin = 50
     margins.topMargin = 100
     Report.PrintOptions.ApplyPageMargins(margins)
     ' Select the printer name
     Report.PrintOptions.PrinterName = printerName
  Thn Why not a java SDK for Crystal report can provide such a functionality...
  Edited by: rtabassum on Mar 25, 2010 6:34 AM
  Edited by: rtabassum on Mar 25, 2010 6:36 AM
  Edited by: rtabassum on Mar 25, 2010 6:42 AM