Router Access for Specific ACS Group
I want to use TACACS to control access to all our Cisco switches and routers. I have a Cisco ACS device that can be used to centrally manage engineer accounts. The ACS server is, however, also used to store our corporate users' VPN accounts.
Can I limit access to the routers and switches to only users in the Engineers group on the ACS server?
Hello,
If you are using ACS 4.x, limiting access through Network Access Restrictions (NARs) might help you out:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Let me know if this helps, or alternatively if you are using ACS 5 (in which case the scenario is a little bit different).
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Similar Messages
-
Restricting Access for SQ01 User Group
Hi ,
Please let me know how to restrict access for a User Group to only some specific users?
Thank you
Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM
Hi,
Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23. They will lose access to all user groups that they are not assigned to via SQ03. -
CANNOT OVERRIDE DOCUMENT ROUTING ID FOR SPECIFIC TRADING PARTNER FOR ROSETT
Cannot override Document Routing ID for specific trading partner for RosettaNet transactions.
The Document Routing ID for other transactions types (e.g EDI) can be overridden when creating operation capability for a trading partner by unchecking "Use Existing Document Proto Parameter Values" and "Use Default Document Definition".
This does not work for RosettaNet transactions as no option to override the values is available when "Use Default Document Definition" is unchecked.
Hello,
I have replicated this issue and it appears to be a bug. I shall follow up regarding the same.
Rgds,Ramesh -
Modification in me23n :for specific purch. group ,user can enter specific
Hi ,
I have to make a modification in ME23N so that for a specific purchase group, the user can enter a specific material no. But I have never done anything before in standard SAP. So how do I have to proceed in order to achieve this?
Regards,
Seema.
Hi,
This can be achieved using enhancements in SAP, which could be Customer-Exits or BAdI implementations. I think this can be achieved using enhancement (Customer-Exit) MM06E005 (Tcode SMOD), function module EXIT_SAPMM06E_012. Here you have import parameter I_EKKO, which will have purchase org, and tables TEKPO, which will have all lines, so you can add a custom check to validate material based on purchase org.
Regards,
Himanshu -
File and folder permissions for specific AD groups
Having a special folder over multiple servers that certain user groups can access with specific permissions I'd like to audit the security mappings using get-acl commandlet. It's easy for a single folder but I would need subfolders and files too. I know I can assign a variable say $object = dir c:\MyShare -recurse and then would need to somehow pipe each object to get-acl and filter for the AD groups I'm interested in. Ideally if the results were then passed on to csv. Can someone help with getting this to work?
yaro
Hi Yaro,
I checked your script, and found you haven't defined the variable $folder before use, please refer to the script below:
# Collect every subfolder under the share root
$folders = dir D:\TEST1 -recurse | where {$_.psiscontainer -eq $true}
foreach($folder in $folders){
    # Keep only the ACEs whose identity matches the groups of interest
    Get-Acl $folder.fullname | Select-Object -ExpandProperty Access | where {$_.identityreference -match "sys|Adm"} |
        Select-Object @{n="object";e={ $folder.fullname }},
            @{n="security_principal";e={ $_.identityreference }},
            @{n="type";e={ $_.accesscontroltype }},
            @{n="rights";e={ $_.filesystemrights }}
}
And to list the nested groups on local computer, please check this function written by Boe Prox, which will also list the property "isGroup":
Get-LocalGroupMembership
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
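The audit asked for in this thread (subfolders and files, filtered by group, written to CSV) can be done as follows. This is an added example, not code from the original posts; the root path, group pattern, output file and the function name Get-AclAuditRow are assumptions to adapt.

```powershell
# Added example: recursive NTFS ACL audit for selected groups, exported to CSV.
# $Root, $GroupPattern and $OutFile are assumed values; change them for your share.
$Root         = 'D:\TEST1'
$GroupPattern = 'sys|Adm'                 # regex matched against IdentityReference
$OutFile      = 'C:\Temp\acl-audit.csv'

function Get-AclAuditRow {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Pattern
    )
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Record objects whose ACL cannot be read instead of dropping them.
        return [pscustomobject]@{
            Object = $Path; Owner = $null; SecurityPrincipal = $null
            Type = 'ERROR'; Rights = $_.Exception.Message
            Inherited = $null; InheritanceBlocked = $null
        }
    }
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Object             = $Path
                Owner              = $acl.Owner
                SecurityPrincipal  = $_.IdentityReference.Value
                Type               = $_.AccessControlType
                Rights             = $_.FileSystemRights
                Inherited          = $_.IsInherited                # explicit ACEs are the ones to review
                InheritanceBlocked = $acl.AreAccessRulesProtected  # True = inheritance disabled here
            }
        }
}

# Root folder first, then every subfolder and file beneath it.
# Directories that cannot be listed are skipped by -ErrorAction SilentlyContinue.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$items |
    ForEach-Object { Get-AclAuditRow -Path $_.FullName -Pattern $GroupPattern } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Filtering the CSV on Inherited = False shows where permissions were granted directly on an object rather than flowing down from the share root.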
Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?
Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.
This looks fairly complete
http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
Sent from Cisco Technical Support iPad App -
Approve suppliers only for specific material groups
Dear Experts,
Current scenario: Our purchasers can buy products from all material groups from every boarded supplier. E.g. they can buy production materials from an office paper supplier.
Target scenario: The moment a purchaser buys a material that's not part of the approved material group of that specific supplier, he gets an error.
What is a practical way to achieve this?
Thanks a lot,
Steffen
Normally we maintain Source lists, which restrict the list of vendors from whom certain materials can be purchased.
Sometimes you can also create a Material group level contract, and then in the PO specify the materials from that specific material group.
But ideally you should go for source list, as it is the simplest and standard way to control approved suppliers for materials. I know it's not at material group level, but still it's the best option.
Last case, you can go for a development, use the BADI ME PO PROCESS CUST I think it is. -
Restrict telnet access for specific users on ios router
aaa new-model
aaa authentication login default local
username aaa password aaa
username bbb password bbb
User aaa should have ssh and telnet access.
User bbb is only used for VPN authentication. I don't want him to access the router via ssh or telnet, even in user exec mode.
I also cannot apply access-class on vty lines because I am logging in to the device from different places, and don't know the exact ranges of IP addresses to create an access-list.
Radius and tacacs are not an option for me.
What can be done in order to restrict user bbb from ssh and telnet access?
OK. I did not clearly remember the OP description of aaa and bbb. So for bbb to only have VPN access try
username bbb privilege 0 password bbb
HTH
Rick
Sent from Cisco Technical Support iPhone App -
ACS- Dynamic VLANS for different ACS groups with AD
Hi all,
How do I tie diff Active Directory domain groups to diff ACS defined groups? Each domain group will be tied to an ACS defined group with a diff vlan. I read about the option in help but don't see the option to actually do it.
using ACS 3.3.
JT
You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.
-
ISE - Guest - permanent access for specific device
Hello,
In brief: I'm using ISE 1.2, 5508 WLC and a few 3702-I APs, broadcasting 2 SSIDs: Internal and Guest (Internet only). Guest SSID forces the user to provide username and password through the guest portal.
Is there any way to configure some policy on ISE to allow specified mobile device(s) (filtering by IMEI or MAC address) access to Internet via Guest network without the necessity of providing username and password? An exception that is avoiding the guest portal and/or permanently remembering that particular device.
Hey kkoziarski,
It sounds like you are looking for the functionality of that known as Web Passthrough. Where the device can just view some TOC and possibly be presented with a Guest AUP. This is something that is doable with a Standalone WLC, as I am sure you know.
Funny thing is that I was coming here to post something along the same lines. I've spent the past week researching and trying some configs on both ISE 1.2 and ISE 1.3. It appears that the final answer is no. This wouldn't be performing any authentication and neither would it be applying any permissions to the device/user, which at that point - it wouldn't be utilizing any of the functionality of ISE.
What I have found is that there are 2 methods that can offer a similar experience, but will not be a true Web Passthrough, and it will not be easily configurable.
1. Creating a customized HTML page for the WebAuth AUP, that would then have the username and password embedded in the code, and more than likely need to be linked to the Submit button or something of that nature.
2. Utilizing ISE policies on a per-WLAN basis and including specific attributes, which would then have to communicate with the above custom HTML page.
Any other users out there, please feel free to correct me if I am wrong! I wonder if they will ever come out with a feature as such :/ -
SCOM 2012 - how to setup alerts for specific IT groups.
Hello everyone - I have seen a few similar questions but never any specific answers.
Our IT department is split up in teams. We have a Database team - Exchange Team - SharePoint Team - Web Team and others.
We currently run around 650 Servers for the department. Exchange team for example will need to get alerts off of their 12 Exchange servers. SharePoint team will need alerts off of say 22 servers and etc...
Is there "Anyway" to make sure they only get the alerts for their servers?
I recently set up a new group for our Web Team and they are getting SharePoint, Exchange, DPM and other alerts which they do not need to be getting. Also I have noticed from this that the SharePoint and Exchange teams are not even getting all their alerts since apparently we had to refine them so much so as not to get other alerts (thus causing them to miss many). SCOM seems like a great package but it falls very short (from my limited experience with it so far) in being able to really customize alerts for IT environments.
Can you enable a group to get all alerts for a specific group of servers?
SharePoint uses IIS, Database, Windows OS etc.... If I set it up for this it gets all IIS, Database servers when I only want them to see the 22 servers - if I restrict it down then they miss alerts. Sorry repeating myself now -
Thanks for any help.
Willis
Hi,
"Can you enable a group to get all alerts for a specific group of servers?"
Yes you can. In Authoring, Group, create groups with the servers, e.g. create an Exchange Group with all 12 Exchange servers. In Administration, Notifications, Subscriptions, create a subscription and in the "raised by any instance in a specific group" select the group (Exchange servers)
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
How can I know how many views are maintained for specific or group material
Hello, All,
How can I get know how many views which are already maintained in the material master for one specific or one group material? And which views? Is there any T-code or table to get those views list for material?
Thank you very much
Hi,
You can check in table MARA, field VPSTA details as given below
User department              Maintenance status
Work scheduling              A
Accounting                   B
Classification               C
MRP                          D
Purchasing                   E
Production resources/tools   F
Costing                      G
Basic data                   K
Storage                      L
Forecasting                  P
Quality management           Q
Warehouse management         S
Sales                        V
Plant stocks                 X
Storage location stocks      Z
regards,
zafar -
Email Alert for Specific Server Groups
We are using SCOM 2012 R2. We have Windows Server 2003 and 2012 servers.
I configured email alerts for these servers.
Criteria:
Notify on alerts
of a critical severity.
and of a high priority
and with New(0) resolution state.
I successfully receive alerts and emails from this configuration.
But I want to receive email alerts from specific Windows Server 2003 servers or Windows Server 2012 servers.
I create a server 2003 and server 2008 group in SCOM.
I use "raised by any instance in a specific group" OR "raised by any instance of a specific class". I shut down one of the servers. I can see alerts in the SCOM active alerts section (heartbeat alerts) but I cannot receive emails about these alerts.
If I use a monitor rule (for example printer spool service rule), I can receive emails but it does not work for heartbeat alerts.
I recently installed Windows Server MP and Active Directory MP.
Create a group containing watchers/watcher groups for your servers and use this group in subscription filter. See this post for more info.
Gleb. -
Recycle bin to show all deleted items on the site collection for specific user group
Hi there, is there any way for a certain SharePoint group (i.e. site collection members) to view and restore deleted items on the entire collection, without giving them site collection rights or giving them more rights than necessary? We wanted to create a SP group that has the permission to restore deleted items and give them to selected users so that our users won't have to contact us when they want to restore a deleted item.
I don't believe you can. If an item gets deleted it should go to the first recycle bin @ /_layouts/15/RecycleBin.aspx
The Recycle Bin gives a site collection administrator greater control when users delete files, versions of files, list items, libraries, lists, and folders from a SharePoint site by providing a second stage safety net before an item is permanently deleted from a site. When a user deletes an item from the Recycle Bin, the item is sent to a second stage Recycle Bin (also known as the Site Collection Recycle Bin) that the site collection administrator manages. This article focuses on how a site collection administrator can manage the Recycle Bin for a site collection.
https://support.office.com/en-US/Article/Manage-the-Recycle-Bin-of-a-SharePoint-site-collection-5fa924ee-16d7-487b-9a0a-021b9062d14b
Ibrahim Sukari, Technical Consultant | SharePoint | Dynamics CRM |
LinkedIn Profile -
PO Qty in SKU configuration for specific Material Group in PO
Dear All,
I face an issue when I do MIGO, which is that unit of measure KG cannot convert to stock unit of measure PC.
After checking, I found the following information in tab Qualities/Weights of PO:
PO Quantity 2 PC Order Unit <-> Ord. Price Unit PC <-> KG
PO Qty in SKU 0.000 Order Unit <-> SKU 0 PC <-> 0
What I can configure is "Order Unit <-> Ord. Price Unit PC <-> KG", but I cannot configure "Order Unit <-> SKU" for a PO to buy a material group rather than a specific material.
Could anybody tell me how to configure "PO Qty in SKU 0.000 Order Unit <-> SKU 0 PC <-> 0" for a PO to buy a material group in ME21N?
I am looking forward to your kind suggestion, which is really appreciated!
Cheers!
Has anyone faced the same issue before? Could you give me any tips if you have had such a problem? Thanks in advance!