Restriction SSID Per User with ACS 5.x version

Hi
I would like to ask a question about WLAN technology; I am using WiSM version 2. I have a requirement that users must be restricted by SSID, and I found that this can be done on ACS version 4.x via the NAR SSID-based authentication feature. Is it possible to do this restriction on ACS version 5.x?
Please give me an idea or help.
Thanks

There is a guide on how to achieve this with ACS 4.2:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
(you probably know that one)
This also works with ACS 5.x; maybe this can help you:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html#wp1074194
Be careful when configuring a DNIS in ACS 5; maybe you are hitting CSCtk16271 (but there is an easy workaround, so this will definitely work!)
Regards
Stefan
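The restriction discussed above (a per-user SSID rule matched against the DNIS, i.e. the Called-Station-Id the controller sends) expressed as a default-deny check, as an added example that is not part of the thread and not Cisco's or ACS's own code. It assumes the WLC formats Called-Station-Id as "<AP MAC>:<SSID>" with a dash-separated MAC, and the user-to-SSID allow-list is constructed for illustration.

```python
import fnmatch
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample allow-list (not from the thread): the SSIDs each account may
# use. In ACS this is what a per-user or per-group NAR / DNIS rule encodes.
ALLOWED_SSIDS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"CORP"}),
    "bob": frozenset({"CORP", "LAB"}),
    "guest01": frozenset({"GUEST"}),
}

# Assumption: the WLC populates Called-Station-Id as "<AP MAC>:<SSID>", with the
# MAC written as six dash-separated hex octets, e.g. "00-1a-2b-3c-4d-5e:CORP".
_CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def parse_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Split Called-Station-Id into (AP MAC, SSID); None when the SSID suffix is
    absent or the value is not in the assumed "<MAC>:<SSID>" form."""
    m = _CALLED_STATION_RE.match(value.strip())
    if m is None:
        return None
    return m.group("mac").lower(), m.group("ssid")


def dnis_filter_matches(pattern: str, called_station_id: str) -> bool:
    """Shell-style wildcard match of the kind a DNIS filter applies to the whole
    Called-Station-Id, e.g. "*:CORP" matches any AP on the CORP SSID."""
    return fnmatch.fnmatchcase(called_station_id.strip(), pattern)


def authorize(username: str, called_station_id: str,
              policy: Dict[str, FrozenSet[str]] = ALLOWED_SSIDS) -> Tuple[bool, str]:
    """Default-deny SSID check: allow only when the user is known, the SSID is
    present in the request and it is in that user's allow-list."""
    allowed = policy.get(username)
    if allowed is None:
        return False, "unknown user"
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        # Cannot tell which SSID the client is on, so the rule must not match.
        return False, "no SSID in Called-Station-Id"
    mac, ssid = parsed
    if ssid not in allowed:
        return False, f"SSID {ssid!r} not permitted for {username} (AP {mac})"
    return True, f"SSID {ssid!r} permitted for {username} (AP {mac})"


if __name__ == "__main__":
    # Constructed sample requests in the form a WLC would send them.
    for user, csid in [("alice", "00-1a-2b-3c-4d-5e:CORP"),
                       ("alice", "00-1a-2b-3c-4d-5e:GUEST"),
                       ("guest01", "00-1a-2b-3c-4d-5e"),
                       ("mallory", "00-1a-2b-3c-4d-5e:CORP")]:
        ok, why = authorize(user, csid)
        print(f"{user:8} {csid:28} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

A request that carries no SSID suffix is rejected rather than matched, which is the behaviour to verify when a DNIS rule unexpectedly fails to increment its hit count.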

Similar Messages

  • Limiting Bandwidth per user with WLC

    Hi,
    Is there anyone who can provide a deeper explanation for "Per-User Bandwidth Contracts (k)" on the "Edit QoS Profiles" menu of a Wireless LAN Controller 4402? Does it limit each value to 0 to 60 Kbps as maximum ONLY, as indicated on the Help window?
    I want to limit 512 Kbps per user (client attached to an AP) not for WLAN.
    I read http://www.cisco.com/univercd/cc/td/doc/product/wireless/hahcont/contc.htm#wp1041926 but it is not sufficient.
    I know I can do it with 3rd party equipment, but is it possible only with APs (1010, LAP1231), Cisco switches and a WLC 4402?
    JVC

    Yes, I think your assumption is correct. "Per-User Bandwidth Contracts (k)" limits each value at the maximum. I think I have read this in a document stating this information.

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I believe both the root CA and the identity certificate also need to be installed on the laptops, but I am not sure how to download the certificates for the client machine manually from the CA.
    Kindly suggest how to get certificates for clients, both manually and automatically.
    Thanks,
    Vijay

    Hi Vijay,
    For wired 802.1x (EAP-TLS) you need to have the following certificates:
    On ACS: Root CA, Intermediate CA, Server Certificate
    On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
    I am not sure which third-party certificate you are using. If it is an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
    In case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This is an old document, but it has the steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it is a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi(rate the helpful post)

  • Limit connection time to SSID per user

    Hi,
    I would like to know if it's possible to configure an SSID with the constraint that each user who connects to the SSID needs to "register" and only gets access for a specific amount of time. So basically I would like to create an SSID specifically for customers who are on our premises, to whom I would like to grant connectivity for a limited amount of time. I know this is possible via the Lobby Ambassador, who can create guest accounts, but sometimes there are too many. We use this for customers who are on our premises for longer periods. But now we would like something for those who are only there for a day, let's say.
    So therefore self-registration of guest users on a separate SSID... Is something like that possible? Time-based ACLs? Time-based access?
    Kind regards

    Hi Tim
    Welcome to CSC.
    It sounds like you want to provide simple guest access on a limited-time basis with a log-on. There are a few challenges. As you know, lobby admin is the way to go, but here are a few other options:
    You could provide an OPEN guest SSID and use a WCS / NCS WLAN schedule to turn the WLAN on and off during the hours needed. This would of course be open to all.
    You could create a single guest account for folks to use and still do the above.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • How to restrict a VPN user with a specific anyconnect profile?

    I need to assign different profiles to AnyConnect users. This is done easily with IPSec, with the group policy configured in the client. With AnyConnect I have two options:
    - Allow the user to select the connection profile: the problem here is that the user can select any profile and connect with the rules and permissions configured in that profile. I do not know how to force one specific profile for each user.
    - Use the DefaultWebVPNGroup as the connection profile for everybody, combined with DAP. This is what I am doing now. Everybody connects with the default AnyConnect profile and I use DAP to assign each user the network ACLs, bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or the user authentication method.
    I have seen some answers about this point but none of them is clear enough. I am using ASA 5540 with 8.4(6) and Windows IAS radius.
    Thanks.

    Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from RADIUS attribute 25 and applies it.
    Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy, but the bookmarks from that policy are not applied. Any idea?

  • Determining active wireless users with ACS

    Is there a way to determine how many active wireless users are on the network by checking ACS? Currently our users need to re-authenticate periodically (about every 15 minutes), however, ACS shows no logged in users. There should at least be one -- ME!

    We should be looking for something like this on the AP:
    aaa group server radius rad_acct
      server auth-port XXXX acct-port XXXX
    aaa accounting network acct_methods start-stop group rad_acct

  • Setting A default view per location per user VSM7.6

    Hello
    Is it possible to define a default view for each location per user with VSM 7.6 ?
    In other words, I would like for a user X, once logged in, when he clicks any location name, to get a default view composed of all or a subset of the cameras with the secondary stream.
    Is this possible with VSM7.6 ?
    thanks.

    Hi,
    First enable the option that lets end users set the rows per page displayed (which you had disabled).
    Run the page. Set the rows per page for the report to 10.
    Save the default report from the action menu.
    Then disable the option again so that end users cannot set the rows per page.
    Regards,
    Jari

  • Connections per user

    I have a WAVE 474 running v4.2.3. I see 20-30 connections per user, with several to the same host and sequential ports. Ex. x.x.x.y:56678, 56679, 56680.. to 56685 going to x.x.x.z:3456...3480. Is this correct? I am running out of TFO connections on this box and am not sure what is going on. I have 3 other sites with 474's and the connections/user appear to be much lower.

    Hi,
    This type of behavior is usually indicative of a virus or maybe a security scanner of sorts on your network.
    The fact that WAAS is optimizing the flows and taking up TFO resources is unfortunate, but there is not much you can do from a WAAS perspective to stop these PCs from consuming your TFO resources.
    An interim work around would be to use a WCCP redirect list or an inline interception ACL (whichever is applicable to that site) and bypass those IPs completely from WAAS interception.
    However, the long term solution would be resolving the virus/ disabling the security scanner.
    Regards,
    Mike Korenbaum
    Cisco Data Center PDI Help Desk - http://www.cisco.com/go/pdihelpdesk

  • Switch from per Device to per User

    I have a few RDS servers in an isolated environment that I was going to use our corporate RDS license server with. I later found out that the servers need to be in the same domain as the licensing server itself (which they are not). The RDS servers were already built "Per Device" but now I have to build a new RDS licensing server and I am thinking about going per User with this instance. Since the RDS servers are already Per Device (but are not technically pointing to any valid license server yet) can I switch them to be per User and then point them to the new per User RDS license server?
    Thanks
    NK

    Hi,
    Yes, you can switch the licensing mode of the RDSH servers to Per User. For Server 2012/2012 R2 RDSH servers you would just change the mode in deployment properties, and of course make sure the RDSH servers are part of a collection so that the change will apply to them.
    You will need purchased Per User RDS CALs. If you already purchased Per Device RDS CALs I recommend contacting the reseller and seeing if you can return them and purchase Per User instead. Per User RDS CALs cost more than Per Device RDS CALs.
    -TP

  • Restrict multiple log in with same user ID

    I have a JSF Project where I use Oracle JAAS for Login.
    The login works perfectly and the components on the JSF page also show as per the user role. I am using OAS 10.1.3.3.
    I now want to implement code to restrict simultaneous logins with the same user ID. That is, a user ID cannot be logged in to the server from more than one machine at once.
    The login.html is:
    <form  name="loginFrm" method="post" action="j_security_check">
          <p>Log in to access restricted zone.</p>
          <table>
           <tr>
            <td>User name</td>
            <td>
             <input id="j_username" type="text" name="j_username"/>
            </td>
           </tr>
           <tr>
            <td>Password</td>
            <td>
             <input type="password" name="j_password"/>
            </td>
           </tr>
           <tr>
            <td> </td>
            <td>
             <input type="submit" value="Login" onclick="document.body.style.cursor='wait';"/>
            </td>
           </tr>
          </table>
         </form>
    The security config in the web.xml file is:
    <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>jazn.com</realm-name>
          <form-login-config>
             <form-login-page>/login.html</form-login-page>
             <form-error-page>/loginError.html</form-error-page>
          </form-login-config>
        </login-config>
        <security-role>
          <role-name>ADMINISTRATOR</role-name>
        </security-role>
        <security-role>
          <role-name>MANAGER</role-name>
        </security-role>
        <security-role>
          <role-name>INSURER</role-name>
        </security-role>
        <security-role>
          <role-name>TRACKER</role-name>
        </security-role>
        <security-role>
          <role-name>INSURER_MANAGER</role-name>
        </security-role>

    Then I would say it is not possible:  Restrict multiple login in SAP Business Objects 4.0 SP6 for single user
    multiple login disable in BO | SCN

  • Restrict access to buttons, regions, etc. on a per user basis?

    My application restricts access to buttons, regions, etc. on a per user basis.
    Here is my application logic...
    1. A User can only edit items they own.
    2. A Super-User can edit all items
    So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
    Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application-level user ID, and check whether this user is on the Super User list via a query (which could be set to another application-level item upon login, I guess).
    Question...What is the best way to do this? Conditional display? Authorization scheme?
    Would something like the following work for a Conditional Display?
    Condition: SQL Expression
    &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
    How would I do this with an Authorization Scheme? (I like the idea of updating the logic in a single location, but I'm not sure if it is possible because the PX_OWNER_ID I have to check would be different on each page.)

    Hi Denes,
    Thanks for your code which allows a user to edit (if authorized) and view (if not).
    But somehow I do not get the image to show up; instead it shows a small underline.
    From an SQL point of view, here is what I get when I run the SQL:
    '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
    Here is my wrap_image function
    create or replace function wrap_image(p_user_name in varchar2, p_dm_name_id in number)
    return varchar2 is
      v       boolean := false;
      ret_val varchar2(1000);
    begin
      dbms_output.put_line('user=' || p_user_name);
      dbms_output.put_line('dm_name=' || p_dm_name_id);
      -- Check authorization: if the user is a super user return true,
      -- else if he has edit privilege on dm_name_id return true, else false
      v := ACL_DMTOOLS_DM_PRIV(p_user_name, p_dm_name_id);
      if v then
        ret_val := '<img src="/i/ed-item.gif">';
        -- wraps the tag in literal single quotes; the quote characters become part of the returned string
        ret_val := '''' || ret_val || '''';
        dbms_output.put_line('TRUE');
      else
        ret_val := '';
        dbms_output.put_line('FALSE');
      end if;
      return ret_val;
    end;
    Thanks for your great educational site.
    Regards
    atul

  • Restrict application instances per user?

    We have a new ERP application.  As with most enterprise software, it has a restrictive license on concurrent uses.  It even counts multiple instances from the same user as multiple uses of its license.
    The application runs from a Windows 2012 R2 server, as a RemoteApp.
    Is there a way to restrict it so that each user may only run a single instance of the application?

    Hi Itwally1,
    All RemoteApp programs on the same server for the same user will run in the same session.
    There seems to be no built-in method to limit a RemoteApp to a single instance per user session. Please refer to following threads and check if can help you.
    Restrict a published RemoteApp to a single instance per user
    Limite RemoteApp to one instance per user
    If I have misunderstood anything or there is any update, please don't hesitate to let me know.
    Best regards,
    Justin Gu

  • SSID To Group Mapping With ACS 5.1

    Hi ;
    I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID to one group and the other SSID to the other group.
    I implemented the same with ACS 4.2 (screenshot attached). Now the requirement is to implement the same concept in ACS 5.1. Could you please help me with this.

    If you go under Access Policies and Service Selection Rules and check your hit count (you may need to refresh if you just tried connecting), see if the rule is incrementing.
    If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If the users' credentials are working, that's a separate issue.
    For the Access service you created, that your selection rule feeds, check the following:
    Identity will be set to internal users.
    For Authorization you will need to have hit Custom and selected "Identity Group" as a selector. Then when you make the rule, check that box and set it to your Staff group. Set the default at the bottom of the page to Deny Access.

  • VPN filter per remote access user (via ACS)?

    Hello everyone,
    I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
    The question is, I want to apply a filter policy per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply an ACL to the user attributes.
    eg.
    access-list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
    username testvpn attributes
    vpn-filter value 103
    But the users are configured on ACS, so how can I apply the vpn-filter policy to the user? I don't really want to apply a vpn-filter to the group-policy.
    Please help me to find a method. Thank you very much.
    Regards,
    Hiep Nguyen.

    Hi,
    I think this is what you are looking for
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
    You will need to set up the IETF attribute like this:
    filter-id=acl_name
    There is a good example right there (better than mine); let me know how it goes.
    Mike

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the Class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)
