***WLC AAA for admin access***

I am trying to set up radius authentication for access onto the WLC for management, ssh/telnet and GUI. The RADIUS settings are correct to the IAS server, and the management tab is selected within the RADIUS properties page.
The provider order was changed to include radius before local, and the admin account was created in AD. When I now tried to telnet/SSH onto the command line of the WLC, I could see from the radius log that I was being successfully authenticated, but it would not let me onto the cmd line??? It just returns me to the username prompt?
Any ideas what I'm missing?

Complete these steps in order to add the WLC as an AAA client in the ACS.
1. From the ACS GUI, choose the Network Configuration tab.
2. Under AAA Clients, click Add Entry.
3. In the Add AAA Client window, enter the WLC host name, the IP address of the WLC, and a shared secret key. See the example diagram under step 5.
4. From the Authenticate Using drop-down menu, choose RADIUS.
5. Click Submit + Restart in order to save the configuration.

Similar Messages

  • Freecorder asked for admin access & now i don't know what it installed

    hi there! 
    first time writing a thread.  i stupidly installed freecorder.  it is renowned ... more like notorious for installing all kinds of garbage on windows.  they must have just come up with a dmg for mac - as applian's customer service still has no idea that there's a mac app.  it asked for admin access during install.  briefly afterwards, i realized that that was not normal for an app to do - so i started looking around & sure enough, it's filled with nasty stuff.  i have since deleted the app, but wondering what else it could have left on my computer.  also if there is a way to see what changes it made, or why it even needed access to my admin ...
    i'd be grateful for any help.  still getting to know mac.
    thanks,
    adam

    It's normal for your Mac to prompt for your admin password when installing apps.
    If the app is still in the trash... drag it out of the Trash to the Desktop.
    Then install this utility >  Download AppCleaner for Mac - Uninstall your apps easily. MacUpdate.com
    AppCleaner will not only uninstall the app but all the associated files.
    If you emptied the trash, click the Spotlight icon top right in your screen. Type freecorder in the search field.
    Hopefully that will help you find any of the associated files.
    You are correct in that it's a nasty one >  http://download.cnet.com/Freecorder/3640-2071_4-11594257.html

  • For admin access how can I change my password if I don't know my password?

    I have a new Powerbook G4 (OS X 10.4.2) and want to install Office:mac software. I am the only user for this computer, and under Accounts I am listed as the Administrator. I don't recall ever entering a password when I first set up my computer. So, now I am unable to gain administrative access to my own computer.
    When I click the lock icon to make changes to my admin account, it asks for a password. When I don't click the lock and just go straight to "Change Password" it also asks for my old password in order to create the new password. I do not know the old password because I don't recall ever creating one in the first place! Is there a way to find that password? If not, is there a way to create a new password without knowing the old password? Do I need to reinstall my start-up software? If I do need to reinstall, can someone please walk me through that process? The other postings on this topic did not make sense to me.
    I am very new to the world of computers so I thank you for your patience.

    If you did not set up a password (left it blank) then you don't enter anything when prompted and simply click on OK. If that does not work, then you did set up a password at some point. If you've forgotten the password you can reset it by booting from your Tiger Installer Disc. After the installer loads select your language and click on Continue. Then select Reset Password from the Installer menu. You will then be able to create a new password without having the old one.

  • WLC ACL For Internet Access Only

    I've implemented  Cisco ISE 3495's with the advanced subscription license.  I've built my policy sets, and authorization profiles.  It all works great!  Here's the issue that I'm having.  I have internal employees who bring in their own devices (BYOD).  I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet.  I've created an ACL (EmpInternetOnly) on the WLC.  Here are my rules:
    I can get to the intranet, with no issue (ACL lines 1-4).  I can't get to the internet whatsoever.  I see everything falling down to the deny statement.  When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue.  Am I missing something here?  I've researched this topic on several message boards, but can't find an answer.  I've tried to run the acl debug, on the controller, but do not see any output when I run it.  It might be because I don't understand the proper format of how to set it up.  Any and all replies would be much appreciated!  Thanks!
    Steve

  • Cisco WLC Whitelist for Guest Access? and securing guest-access?

    Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?
    Looking at a 5508 model at the moment
    Thanks

    Hello Stephen,
    Exactly how long is "an extended period of time?" Also, is this period enforced in the controller in some way, and if so, can it be configured?
    I'm asking because I have a WLAN for guests with a pre-authentication ACL allowing VPN traffic (ESP, IKE, SSL).
    For "normal" use of this guest WLAN you have to click on an "accept" button on a captive portal page before you can get anywhere with traffic not matching the pre-auth ACL.
    The pre-auth ACL does actually work, but it stops passing any traffic after 5 minutes of use per user. This happens every time and is 100% repeatable.
    So I'm very interested to know if we can change this apparent 5 minute restriction in some way.
    Thanks!
    Chris Slater-Walker
    Senior System Analyst
    Nokia UK Ltd.

  • WLC AAA Radius to ISE - Multiple Domains in Single Forest

    I am currently having a problem configuring AAA for management access to our wireless controllers.
    Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
    Root Domain
    Americas domain                UK Domain              EU Domain            APAC Domain
    Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
    I can't even see the radius request hitting ISE and I found out that this is due to a 24 character limit on the username field on the WLCs.
    I don't have this issue with other IOS based devices.
    I could just create some admin accounts in the root domain but the problem is that lobbyadmin staff also needs to authenticate and they will run into the same issue.
    Don't know if someone has any suggestions for a possible workaround?

    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

  • Help needed restricting users admin access to devices using ACS 4.2

    I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
    The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. ( I have a separate group called 'PIX ACCESS' which will contained only defined users for admin access).
    Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
    So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?

    Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it a lot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
    So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
    This comes up every time I install an ACS server, (every 2-3 years), and it's always a trick.
    Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip.

  • ISE Admin Access Authentication against multiple AD/LDAP Identity Sources

    Hi all!
    We would like to grant admin access to our ISE deployment to users stored in multiple Active Directories. Since there is no trust relationship between these ADs, we created an LDAP Identity Source for each AD and also an Identity Source Sequence but in the UI we can only select one Identity Source.
    Any ideas how to solve this problem?
    Thanks in advance!
    Kind regards,
    Michael Langerreiter

    I did check in my lab and yes for admin access we can't select identity store sequence in authentication. We can only pick one external database. However, on the login page you may select the appropriate database before you enter the username and password.
    Jatin Katyal
    - Do rate helpful posts -

  • ISE Admin Access with AD Credentials fails after upgrade 1.2.1 to 1.3.0

    Hello,
    After upgrading ISE VM from 1.2.1 to 1.3.0.876, I can't connect on ISE with AD Credentials (Invalid Username or Password). It worked fine before upgrading to 1.3.
    On another ISE VM in 1.3.0.876 version (w/o upgrade) with this kind of configuration, it's OK.
    I have double-checked the Post-upgrade tasks (particularly rejoining Active Directory). Everything worked fine after this upgrade except the admin access with AD credentials.
    I don't use user certificate-based authentication for admin access. So I didn't execute application start ise safe CLI.
    My 802.1x wireless users passed authentication with AD credentials. So the ISE had correctly joined my AD.
    I didn't find anything related to this admin access with AD credentials failure in the output of show logging application ise and show logging.
    I don't find anything related to this in bug search on Cisco tools.
    I tried to :
    - update the SID of my Admin AD Group, the result is still the same.
    - delete my admin access with AD credentials configuration then make this configuration again, but still the same error.
    Any ideas on this ? Could I find elements in another log ?
    Regards.

    Dear Markus,
    After logging as user "prdadm"
    su - prdadm
    bssltests% bash-3.00$ ls -a
    .                            .dbenv_bssltests.sh-old      .sapenv_bssltests.sh         startdb.log
    ..                           .dbenv_bssltests.sh-old10    .sapenv_bssltests.sh-new     startsap_.log
    .bash_history                .dbsrc_bssltests.csh         .sapenv_bssltests.sh-old10   startsap_DVEBMGS00.log
    .cshrc                       .dbsrc_bssltests.sh          .sapsrc_bssltests.csh        startsap_DVEBMGS01.log
    .dbenv_bssltests.csh         .login                       .sapsrc_bssltests.sh         stopdb.log
    .dbenv_bssltests.csh-new     .profile                     dev_sapstart                 stopsap_.log
    .dbenv_bssltests.csh-old     .sapenv_bssltests.csh        local.cshrc                  stopsap_DVEBMGS00.log
    .dbenv_bssltests.csh-old10   .sapenv_bssltests.csh-new    local.login                  stopsap_DVEBMGS01.log
    .dbenv_bssltests.sh          .sapenv_bssltests.csh-old    local.profile                trans.log
    .dbenv_bssltests.sh-new      .sapenv_bssltests.csh-old10  sqlnet.log
    bash-3.00$
    bash-3.00$
    I have changed envt settings in .dbenv_bssltests.csh & .dbenv_bssltests.sh
    .sapenv_bssltests.sh & .sapenv_bssltests.csh  [4 files]
    Regards,
    Ankita

  • Product number CQ183A can not access setting in EWS keeps asking for admin login and password.

    HP Photosmart 5510d B11H
    CQ183A
    Windows 7, Vista, and Linux
    I installed the printer everything works until I try to access certain settings in the Embedded Web Server.  It pops up a box asking for admin login.  Initially, the status page claimed the Admin password was set even though I never set that up.  Through chatting with tech support resets cleared this, it is now reporting Not Set.  However, I still cannot login to check/change settings etc.
    I think this printer had been purchased then returned to the store because the manual was missing.  I downloaded the manual and did not find any mention of how to access the password settings.  So far tech support has not been able to answer my question:
    Is there a default?
    How do I access the EWS settings -> security to setup a password?

    Hello MREnder,
    From what I am reading, you may need to call in to get a factory reset done.  These resets can only be done over the phone.  You can find the number at eprintcenter.com under the support section.

  • To create new user for rpd with Admin access in obiee 10g

    Hi All,
    I need to create a user in RPD which has equivalent privileges as Administrator in RPD. Please note that this is for accessing RPD Admin not for Dashboard admin access. Can anyone please let me know of how we shall implement this?
    Regards,
    Vengatesh.

    Hi,
    Create a user and give the check box for 'Administrators' group and check.
    If required give 'Presentation Service Administrator' group too.
    In Settings->Manage Privileges you can restrict the user to the Answers.
    Hope this helped/ answered
    Kind Regards
    MuRam

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access Cisco recommends a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
    Advantages that I see are that no tunnels need to go through a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on its DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    • TCP 161 and 162 for SNMP
    • UDP 69 for TFTP
    • TCP 80 or 443 for HTTP, or HTTPS for GUI access
    • TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one wcs (5.0.56.2) and two wlc 4400 (5.0.148.2). When I try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, I have an snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active wlc.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration, the following URL may help you:
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • Why is Domain Admin access required for NTFS crawling?

    Need some assistance from the experts in here..
    Our company has a policy against granting Domain Admin access to service accounts.
    Oracle states that Domain Administrative privileges are required for NTFS crawling. However, they aren't able to provide a reasonable explanation as to why such a high level of access is necessary. In theory, Local Administrative privileges on the target file host should suffice if the crawler is grabbing ACL details, but in practice does not seem to work.
    Can anyone point me to some technical documentation on SES NTFS crawling or help me understand what actions are being invoked?
    Many thanks.
    LC

    They do seem confused. I have heard on a few occasions, someone has taken their computer in for some major work and it comes back with the latest OS! I think some Service technicians have the opinion that any OS less than the latest is a kind of defect that they can remedy.
    I suppose they are trying to be helpful, but as you say, compatibility with existing applications can be a pitfall when doing that.
    The main thing is you have your OS backed up. I keep a clone (made by SuperDuper!) of my OS on a backup disk, and if you were really worried about a service technician trawling through your hard drive on their lunch break, having the working clone would allow you to reinstall a fresh OS and hand it to them with nothing of yours on it whatsoever.
    When it comes back fixed, copy the external clone back onto your Mac. This is a bit of trouble, but it ensures the integrity of your data.

  • Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

    Dear all,
    How can I authenticate admin access to the Prime infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as RADIUS server? I find some information using ACS as RADIUS server but cannot find how to for Windows NPS.
    I try to configure the NPS but an error prompted when logging in to PI using an account in the NPS server, "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
    Thanks for your help.
    Dennis

    Ok, I was able to resolve this over the weekend.  The actual fix is a little complicated.  You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from radius.  They are as follows:
    NCS:role0=Admin
    NCS:virtual-domain0=ROOT-DOMAIN
    "Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.
    For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.
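
    An added example, not part of the original posts: a check that the attribute block of a RADIUS Access-Accept carries both AV pairs named in the answer above, which is the condition behind the "No authorization information found" error. It assumes the pairs travel as Cisco-AVPair vendor-specific attributes (RADIUS type 26, vendor ID 9, sub-type 1); the function names and the sample byte strings are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for vendor-specific data (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco sub-type carrying "name=value" strings (assumed transport)


def encode_avpair(text):
    """Encode one "name=value" string as a Vendor-Specific attribute."""
    data = text.encode("ascii")
    body = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("AV pair too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def decode_avpairs(attrs):
    """Walk a RADIUS attribute block and return the Cisco AV pair strings in it."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a vendor-specific attribute, skip it
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue  # another vendor's attribute
        j = 4
        while j + 2 <= len(value):
            stype, slen = value[j], value[j + 1]
            if slen < 2 or j + slen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if stype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + slen].decode("ascii"))
            j += slen
    return pairs


def missing_prime_pairs(pairs):
    """Return which of the two keys from the post are absent from the reply."""
    keys = {p.split("=", 1)[0] for p in pairs if "=" in p}
    return [k for k in ("NCS:role0", "NCS:virtual-domain0") if k not in keys]


# Constructed sample: a reply carrying both pairs from the post.
GOOD = encode_avpair("NCS:role0=Admin") + encode_avpair("NCS:virtual-domain0=ROOT-DOMAIN")
# Constructed sample: a Reply-Message (type 18) plus the role only.
ROLE_ONLY = bytes([18, 4]) + b"ok" + encode_avpair("NCS:role0=Admin")

if __name__ == "__main__":
    print(decode_avpairs(GOOD))
    print("missing:", missing_prime_pairs(decode_avpairs(ROLE_ONLY)))
```

    Feeding it the attribute bytes from a packet capture of the Access-Accept shows whether the policy on the RADIUS server is actually returning both values.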
