ACS 4.2 command authorization

Hello world

This is my first post, and I'm not quite sure if this is the right place, so that's

I have several Cisco devices and I want my users to have limited access, in which they are allowed only specific commands. So I put an ACS 4.2 in place, with the user accounts authenticated against Active Directory.

I'm done with the authentication part and it works perfectly (I guess). I created three user groups, to which I attached command authorization sets:

Shell command authorization sets:

GROUP-80

Permit the following commands (everything else is denied):

show *
enable *
configure *
end *
exit *

GROUP-90

Deny the following commands (everything else is permitted):

clear configure *
username *
no username *
tacacs-server *
no tacacs-server *
aaa *
no aaa *
line *
no line *

GROUP-100

Permit all commands.

The IOS configuration:

aaa new-model
aaa authentication login default local
aaa authentication login alors1 group tacacs+ local
aaa authorization exec THOR1 group tacacs+ local
aaa session-id common
tacacs-server host 172.16.8.115 single-connection
tacacs-server host 172.16.8.112 single-connection
tacacs-server key 7 0300520C0F1B204F4F0A0A54
line vty 0 4
 access-class 50
 privilege level 15
 authorization exec THOR1
 login authentication alors1
 transport input ssh

Use this command on your router/switch:

aaa authorization config-commands

http://www.Cisco.com/en/us/docs/iOS/12_0/Security/command/reference/srau...


Tags: Cisco Security

Similar Questions

  • Limited command authorization problem with ACS 3.2

    I'm trying to implement a command authorization set allowing a group to configure and change the loopback interfaces, but no other interface. Currently, once they get into configure mode, I can't limit which interfaces they can change. It's either full configure access or none.

    I implemented the command set like this:

    - unmatched commands = deny

    - permit unmatched arguments is DISABLED in both cases

    configure
      permit terminal

    interface
      permit ^loopback

    aaa group server tacacs+ tsg1
     server x.x.x.x
    !
    aaa authentication login default group tacacs+
    aaa authentication login vty group tsg1
    aaa authentication enable default
    aaa authorization exec default group tsg1
    aaa authorization exec vtyauth group tsg1
    aaa authorization commands 0 default group tacacs+
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key labrat1
    radius-server authorization permit missing Service-Type

    Could someone please tell me what I'm missing?

    "aaa authorization commands ..." only works on the commands in exec mode. Once you're in config mode, this authorization has no effect and the user will be able to do anything.

    Add the following command to also enable authorization for config-mode commands:

    aaa authorization config-commands

    and you should be good to go.
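    Both the original question (the GROUP-80 permit list and GROUP-90 deny list) and this ACS 3.2 thread come down to two separate decisions: whether the router sends a typed line to the server at all (the per-level `aaa authorization commands` lists plus `aaa authorization config-commands`), and what the ACS command authorization set answers when it does. The Python model below is an added example written for this page; it is not code from the thread, from Cisco or from ACS. It reduces ACS 4.x shell command authorization to its matching rules (the first word of the line is the command, the rest is matched in order against the permit/deny argument regexes, then the per-command "Permit Unmatched Args" checkbox, then the set-level "Unmatched Commands" policy) and reuses the sets posted above. The first row of GROUP-90 is unreadable in the post and is assumed to be `clear configure`; the sample commands, privilege levels and the `demo()` helper are constructed for the example.

    ```python
    import re
    from dataclasses import dataclass, field


    @dataclass
    class CommandRule:
        """One command row of an ACS 4.x shell command authorization set.
        arg_rules: ordered (action, regex) rows under the command; ACS matches the
        regex against the argument string and the first hit decides.
        permit_unmatched_args: the per-command 'Permit Unmatched Args' checkbox."""
        command: str
        arg_rules: list = field(default_factory=list)
        permit_unmatched_args: bool = False


    @dataclass
    class CommandSet:
        """A whole set, i.e. one of the GROUP-xx objects in the post."""
        rules: list
        unmatched_commands_permit: bool   # set-level 'Unmatched Commands: Permit/Deny'

        def authorize(self, cli_line: str) -> bool:
            # TACACS+ carries the first word as cmd= and the rest as cmd-arg= values,
            # so 'no username bob' is the command 'no' with arguments 'username bob'.
            parts = cli_line.strip().split(maxsplit=1)
            cmd, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            for rule in self.rules:
                if rule.command.lower() != cmd:
                    continue
                for action, pattern in rule.arg_rules:
                    if re.search(pattern, args, re.IGNORECASE):
                        return action == "permit"
                return rule.permit_unmatched_args
            return self.unmatched_commands_permit


    @dataclass
    class RouterAuthz:
        """The IOS side: decides which typed lines are sent to ACS at all."""
        command_levels: set      # levels that have 'aaa authorization commands <level> ...'
        config_commands: bool    # 'aaa authorization config-commands' present

        def authorize(self, cli_line, priv_level, in_config_mode, command_set):
            if priv_level not in self.command_levels:
                return True      # no method list for this level: never sent, always allowed
            if in_config_mode and not self.config_commands:
                return True      # the symptom in the ACS 3.2 thread: config lines skip ACS
            return command_set.authorize(cli_line)


    ANY = [("permit", ".*")]

    # GROUP-80 from the original post: permit list, everything else denied.
    GROUP_80 = CommandSet(
        [CommandRule(c, ANY) for c in ("show", "enable", "configure", "end", "exit")],
        unmatched_commands_permit=False)

    # GROUP-90: deny list, everything else permitted. The 'no ...' rows hang off the
    # command 'no'. First row assumed to be 'clear configure' (unreadable in the post).
    GROUP_90 = CommandSet(
        [CommandRule("clear", [("deny", r"^configure")], permit_unmatched_args=True),
         CommandRule("username", [("deny", ".*")]),
         CommandRule("tacacs-server", [("deny", ".*")]),
         CommandRule("aaa", [("deny", ".*")]),
         CommandRule("line", [("deny", ".*")]),
         CommandRule("no", [("deny", r"^(username|tacacs-server|aaa|line)\b")],
                     permit_unmatched_args=True)],
        unmatched_commands_permit=True)

    # The loopback-only set from the ACS 3.2 thread, as described there.
    LOOPBACK_ONLY = CommandSet(
        [CommandRule("configure", [("permit", r"^terminal")]),
         CommandRule("interface", [("permit", r"^loopback")])],
        unmatched_commands_permit=False)

    WITHOUT_CONFIG_CMDS = RouterAuthz({0, 1, 15}, config_commands=False)
    WITH_CONFIG_CMDS = RouterAuthz({0, 1, 15}, config_commands=True)


    def demo():
        """Returns (command, in_config_mode, decision) for the cases discussed above."""
        cases = [
            ("configure terminal",           False, LOOPBACK_ONLY, WITHOUT_CONFIG_CMDS),
            ("interface GigabitEthernet0/1", True,  LOOPBACK_ONLY, WITHOUT_CONFIG_CMDS),  # slips past ACS
            ("interface GigabitEthernet0/1", True,  LOOPBACK_ONLY, WITH_CONFIG_CMDS),     # now denied
            ("interface Loopback0",          True,  LOOPBACK_ONLY, WITH_CONFIG_CMDS),
            ("no username bob",              True,  GROUP_90,      WITH_CONFIG_CMDS),
            ("no ip domain-lookup",          True,  GROUP_90,      WITH_CONFIG_CMDS),
            ("show running-config",          False, GROUP_80,      WITH_CONFIG_CMDS),
            ("write memory",                 False, GROUP_80,      WITH_CONFIG_CMDS),
        ]
        return [(cmd, cfg, router.authorize(cmd, 15, cfg, cset))
                for cmd, cfg, cset, router in cases]


    if __name__ == "__main__":
        for cmd, cfg, ok in demo():
            print(f"{'config' if cfg else 'exec':6} {cmd:30} -> {'permit' if ok else 'deny'}")
    ```

    Running `demo()` reproduces the symptom from the ACS 3.2 post: without `aaa authorization config-commands`, `interface GigabitEthernet0/1` is never sent to ACS and is therefore permitted; with it, the same line is denied while `interface Loopback0` passes. The GROUP-90 rows also show why a deny list has to hang its `no ...` entries off the command `no`: the router sends `cmd=no` with `cmd-arg=username` and `cmd-arg=bob`, not a command called `no username`.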

  • What is the difference between Cisco NAC and ACS?

    I am currently part of a new construction project, and my Cisco account manager and sales engineer recommend Cisco NAC for our new MDF. I'm confused because I don't clearly know the difference between Cisco ACS and NAC. What is the difference?

    Thank you

    Chris

    Chris,

    The two are completely different; maybe the sales rep could present you with more information and a demo. Each offers a variety of services tailored to specific needs. I think you need to read more in depth on the NAC product. NAC seems an excellent solution for authentication and authorization but also for regulatory compliance.

    When you see them, ask your sales representative for more information/a demo.

    ACS is more widely used as a central point of access control to network devices such as routers; an example is using ACS for accounting management and command authorization on all devices on the network, with ACS as the RADIUS server. NAC, on the other hand, is more of a central point of security inspection for systems accessing your network, via the LAN or from outside. An example of the compliance rules it can enforce is virus definition checks before getting LAN access, thus denying LAN access if the system does not meet the compliance requirements defined in NAC. Another example could be unknown local host connections, etc. So it seems that NAC is a much broader product that provides internal endpoint security, not only authentication and authorization like ACS. ACS has been there for a long time; NAC is a rather new product.

    NAC

    http://www.Cisco.com/en/us/NetSol/ns466/networking_solutions_package.html

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_qanda0900aecd800fdd6f_ns466_Networking_Solutions_Q_and_A.html

    ACS

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/index.html

    Rgds

    Jorge

  • ACS authentication through a VPN tunnel

    We want to enable ACS authentication for logging in to the various routers (Cisco 881s) we have, which communicate with our WAN via VPN tunnels. We want to avoid using the router's public IP to communicate and pass user/password information to the ACS server, and rely on the server's private IP instead. The problem is that the routers' external interfaces connect to the Internet using public IP addresses, and when the router wants to communicate with the ACS server it will use the IP of its public interface, which will fail. We can ping the server, of course, when we set the source to the internal LAN IP.

    The question is: is there any way to have the router contact ACS through the VPN tunnel using a private IP address?

    Config used and tested successfully on local equipment:

    aaa new-model
    tacacs-server host 10.x.x.x single-connection key xxxxxx
    aaa authentication login tacacs-local group tacacs+ local
    aaa authorization commands x tacacs-local group tacacs+ if-authenticated
    aaa authorization exec tacacs-local group tacacs+ if-authenticated
    (see the privilege exec level x setup)
    line vty 0 4
     login authentication tacacs-local
     authorization commands x tacacs-local

    - Ping from the router to ACS (WAN via VPN connection) when using the router's public IP address as the source address:

    RT881#ping 10.x.x.x
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    - Ping from the router to ACS (WAN via VPN connection) when using the private LAN IP as the source address:

    RT881#ping 10.x.x.x source 10.x.x.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
    Packet sent with a source address of 10.x.x.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

    Looking forward to your responses and suggestions.

    Thanks, M.

    Hey Maher,

    You can use the command 'ip tacacs source-interface' or 'ip radius source-interface' for your scenario.

    I hope this helps!

    Kind regards

    Assia

  • "You do not have permission to use this resource. Check the permissions or contact your administrator to be assigned permission."

    I have an XP computer on my network, and I'm trying to get access to my Vista laptop, but every time it gives me a permission error. I looked at the share properties on the Vista computer, still the same problem. I'm the only one who uses the computers and I have 2 different user names which are admin on the respective machines... Is there any way to solve the sharing or file permission problem? ... Thanks in advance

    Hello

    For best results, check each computer's System screen and set all computers on the network to the same workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall on each computer allows free local traffic. If you use a 3rd-party firewall, the native Vista/XP firewall should be disabled, and the active firewall has to be adjusted to your network's IP numbers, on what is sometimes called the Trusted Zone (see the 3rd-party firewall instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd-party software firewalls continue to block some aspects of local traffic even when they are turned Off (disabled). If possible, configure the firewall correctly or uninstall it completely to allow a clean flow of local network traffic. If the 3rd-party software is uninstalled or disabled, make sure the native Windows firewall is active.

    ------------------------------

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    Windows XP file sharing - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

    In Win XP Pro with Simple Sharing Off, you can visually see the permission/security settings and configure them according to your preferences.

    http://www.Microsoft.com/windowsxp/using/security/learnmore/AccessControl.mspx#securityTab

    XP printer sharing - http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx

    Setting the native Windows firewall for XP sharing - http://support.microsoft.com/kb/875357
    Windows XP patch for sharing with Vista (not needed for XP SP3) - http://support.microsoft.com/kb/922120

    When you have finished configuring the system, it is recommended to restart everything: the router and all computers involved.

    -------------

    If you have permission and security problems, check the following settings.

    Point to a folder that you want to share, right-click and choose Properties.

    In the properties

    Click on the Security tab (shown in the photo below on the right) and verify that the users and their permissions (see photo below, centre and left) are configured correctly. Then do the same for the Permissions tab.

    This screenshot is from Win 7; Vista menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    In the Security panel and the Permissions panel, you need to highlight each user/group and check that the permission checkboxes are set correctly.

    When everything is OK, restart the network (router and computers).

    * Note. The groups and users listed in the screenshot are just an example. Your list will depend on how your system is configured.

    * Note. All users who are allowed to share need to have an account on the computers they are allowed to connect to. Everyone is an account, meaning a group of all users who already have an account as users. This does not mean everyone who feels they would like to connect.

    Jack - MVP Windows Networking. WWW.EZLAN.NET

  • Authorization question

    I searched through some sample configurations, trying to get a better grip on authorization. I need help understanding the following lines.

    aaa authorization exec default group network none
    aaa authorization commands 15 default group network none
    aaa authorization commands 15 secure group network none

    Thanks in advance for any help you can give.

    Scott

    aaa authorization exec default group network none tells the router to use authorization for the exec process (essentially, is the user allowed to run exec processes). This is the default exec authorization method. The main method is to go to a group identified as network. I expect that the router config identifies one or more servers (RADIUS or TACACS) in the group called network. If there is no response from the servers in the network group, there is no backup for the authorization method.

    aaa authorization commands 15 default group network none tells the router to use authorization for level 15 commands (commands in privileged mode). This line sets the default authorization for these commands. The router will use the network group to identify the servers that can authorize these commands. If there is no response from the servers, there is no backup authorization method.

    aaa authorization commands 15 secure group network none tells the router to use authorization for level 15 commands (commands in privileged mode). This line defines an alternative to the default method. There must be something in the router config on some lines (probably the vty lines) that says authorization commands secure. Like the other commands, this one tells the router to use the servers defined in the network group to do authorization, and if there is no response from the servers there is no backup method.

    The comment I'd have relates to all of these lines, each of which specifies that the command authorization has no backup method. I think it's a little dangerous. If there were a situation where you lost communication with the server, you could basically be locked out of the router because there would be nothing that could authorize access. When I configure authorization on routers for customers, I usually use the if-authenticated backup method, which says that if the router cannot authorize with the server, it permits access if the user has been properly authenticated (which could be through line passwords, or definitions in a local user database).

    So to sum up, the first line tells the router to check authorization when any user tries to start an exec session.

    The second line tells the router to check authorization when a user tries to use a level 15 command.

    The third line is a more specific version of the second. It applies to some specific lines on the router, whereas the second is for any session on any other line of the router; they are logically associated.

    HTH

    Rick

  • Command authorization failed

    I turned on aaa command authorization without applying the correct user privileges. I can now log on as this user, but the ASA 5510 displays an error:

    ============================

    EUKFW2# show running-config
                          ^
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed

    ============================

    I'm unable to change the configuration of the firewall. Is there any default user through which I can connect and disable aaa authorization? If not, how can I solve this problem?

    Please visit this link:

    http://www.ciscotaccc.com/Kaidara-Advisor/security/showcase?case=K10386224

    Please rate helpful posts

    Kind regards

    ~ JG

  • Replacement of Cisco ACS 4.2 Solution Engine

    Hello

    Our ACS (Cisco 1113) is dead, and it is not cost-effective to replace it because it will serve only until the end of this year.

    Is it possible to get the TACACS software to install on a Windows server? How can I go about procuring the software, as the original documentation is no longer available? Will the fact that I have a dead unit be sufficient evidence for a copy of the software? We are currently running v4.1.

    Thank you.

    Here's the path to download the ACS 4.2 for Windows eval:

    Cisco.com > Downloads Home > Products > Security > Access Control and Policy > Policy and Access Management > Cisco Secure Access Control Server for Windows > Cisco Secure ACS for Windows 4.2 > Secure Access Control Server (ACS) for Windows - 4.2.0.124 > scroll down and you will see a file named

    ACS v4.2.0.124 90-Days Evaluation Software
    EVAL-ACS-4.2.0.124-SW.zip

    ACS installation on Windows:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/install.html

    Once installed, you can restore the previous backup on the Windows server.

    Restore from an ACS backup file:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/SCBasic.html#wp222758

    Jatin kone

    - Do rate helpful posts -

  • EEM to bypass AAA

    Dear all,

    I'm running into a problem with an old IOS and an EEM script, as I can't work around the AAA.

    So I have a script that needs to log in to config mode and shut down an interface if an event occurs. Writing the script is not a problem.

    But making it work is! We have TACACS+, and to make it work on the router I need an authenticated user, or I have to log in to the router in a way that bypasses TACACS+.

    The IOS does not support the EEM 3.1 feature "event manager applet ... authorization bypass"...

    I did the script and the workaround by putting the following in place:

    !
    aaa authentication login EEMScript local
    aaa authentication enable default none
    aaa authorization exec EEMScript none
    aaa authorization commands 0 EEMScript none
    aaa authorization commands 1 EEMScript none
    aaa authorization commands 15 EEMScript none
    !
    username EEMScript privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    line vty 0 2
     exec-timeout 1 0
     privilege level 15
     authorization commands 0 EEMScript
     authorization commands 1 EEMScript
     authorization commands 15 EEMScript
     authorization exec EEMScript
     login authentication EEMScript
     length 0
     transport input none
     transport output none
    !
    event manager session cli username EEMScript

    However, in this case the problem is that if I connect to this router I get connected to vty 0, which means I can't be authenticated by TACACS, as vty lines 0-2 are not set up for it. Which means the router becomes unmanageable...

    On the other hand, the solution works! Because if I'm not connected, the script will use vty 0 by default, which as you see is "properly" set up not to use AAA. But I need a little modification.

    That's the real question:

    Can I force my EEM script to use a specific vty line, like vty 20, which I will never use?

    The best solution or ideas would be appreciated!

    HW is 1841 - c1841-advipservicesk9-mz.124-17.bin

    Once attempts fail over on the RADIUS server group, how can you set a timer on the method list to fall back to the local user database?

    A problem I see is that the ACS server crashes and is still reachable by IP, however it doesn't respond with an accept or reject. Therefore nobody is able to log in to any device.

    Thank you!
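    Rick's reply in the "Authorization question" thread (method lists ending in `none`, nothing to fall back on when the servers don't answer) and the last question in this post (ACS reachable by IP but silent, so nobody can log in) both hinge on how IOS walks a method list: it moves to the next method only when the current one returns an error (no usable answer), never when the server explicitly rejects. The Python model below is an added example written for this page, not code from the thread or from Cisco. It reuses the two server addresses from the original post, assumes the IOS default `tacacs-server timeout` of 5 seconds, treats a "silent" server as one that is up but never answers, and keeps a constructed local user database as plaintext for the sake of the model (IOS stores a hash); the `local` branch models an unknown user as an error that falls through, which is the behaviour behind the well-known `local none` lockout-avoidance gotcha.

    ```python
    from dataclasses import dataclass, field
    from enum import Enum


    class Outcome(Enum):
        PASS = "pass"    # granted: the method list stops here
        FAIL = "fail"    # explicitly rejected: the list also stops here, no fallback
        ERROR = "error"  # no usable answer: IOS tries the next method in the list


    @dataclass
    class TacacsServer:
        """Constructed server stand-in. behaviour: 'accept', 'reject' or 'silent'
        (the case in this post: answers ping, never answers the TACACS+ request)."""
        host: str
        behaviour: str

        def query(self, timeout: float):
            """Returns (Outcome, seconds the router spent on this server)."""
            if self.behaviour == "accept":
                return Outcome.PASS, 0.1
            if self.behaviour == "reject":
                return Outcome.FAIL, 0.1
            return Outcome.ERROR, timeout   # silent: a full 'tacacs-server timeout' is burned


    @dataclass
    class MethodList:
        """One 'aaa authentication login ...' or 'aaa authorization ...' method list."""
        methods: list                                    # e.g. ["group tacacs+", "local"]
        servers: list = field(default_factory=list)      # members of the server group
        timeout: float = 5.0                             # 'tacacs-server timeout', IOS default
        local_users: dict = field(default_factory=dict)  # constructed, plaintext for the model

        def evaluate(self, user, password=None, authenticated=True):
            """Walks the list the way IOS does. Returns (Outcome, seconds, trace)."""
            elapsed, trace = 0.0, []
            for method in self.methods:
                if method.startswith("group "):
                    # each server in turn; the group only errors if every server errors
                    out = Outcome.ERROR
                    for srv in self.servers:
                        out, spent = srv.query(self.timeout)
                        elapsed += spent
                        trace.append((method, srv.host, out.value))
                        if out is not Outcome.ERROR:
                            break
                elif method == "local":
                    if user not in self.local_users:
                        out = Outcome.ERROR   # modelled as: unknown user falls through
                    else:
                        out = Outcome.PASS if self.local_users[user] == password else Outcome.FAIL
                    trace.append((method, None, out.value))
                elif method == "if-authenticated":   # authorization lists only
                    out = Outcome.PASS if authenticated else Outcome.FAIL
                    trace.append((method, None, out.value))
                elif method == "none":
                    out = Outcome.PASS                # no check at all
                    trace.append((method, None, out.value))
                else:
                    raise ValueError(f"unsupported method {method!r}")
                if out is not Outcome.ERROR:
                    return out, elapsed, trace
            return Outcome.ERROR, elapsed, trace      # list exhausted: access refused


    # Server addresses reused from the original post; the behaviour is constructed.
    HUNG_ACS = [TacacsServer("172.16.8.115", "silent"), TacacsServer("172.16.8.112", "silent")]
    LOCAL_DB = {"admin": "S3cret!"}


    def scenarios():
        """Returns {name: (Outcome, seconds, trace)} for the cases argued in the threads."""
        return {
            # this post: ACS up but silent, fallback to local present
            "silent_then_local": MethodList(["group tacacs+", "local"], HUNG_ACS,
                                            local_users=LOCAL_DB).evaluate("admin", "S3cret!"),
            # same servers, no fallback at all
            "silent_no_fallback": MethodList(["group tacacs+"], HUNG_ACS).evaluate("admin", "S3cret!"),
            # an explicit REJECT from ACS is final even though 'local' follows
            "reject_then_local": MethodList(["group tacacs+", "local"],
                                            [TacacsServer("172.16.8.115", "reject")],
                                            local_users=LOCAL_DB).evaluate("admin", "S3cret!"),
            # Rick's thread: 'group network none' once the group stops answering
            "silent_then_none": MethodList(["group network", "none"], HUNG_ACS).evaluate("admin"),
            # Rick's preferred fallback for authorization lists
            "silent_then_if_authenticated": MethodList(["group tacacs+", "if-authenticated"],
                                                       HUNG_ACS).evaluate("admin"),
        }


    if __name__ == "__main__":
        for name, (out, secs, trace) in scenarios().items():
            print(f"{name:30} {out.value:6} after {secs:4.1f}s  {trace}")
    ```

    The `scenarios()` results show that a hung ACS with `group tacacs+ local` still lets the local admin in, but only after the router has waited the full timeout on every server in the group (10 seconds here, per login), while the same list with a REJECT from ACS never consults the local database at all. A list ending in `none` does have a fallback, but it is "authorize everyone": the moment the group stops answering, every request passes without a check, which is why `if-authenticated` or `local` is the safer last method.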

  • Custom attribute on ACS 4.2 patch 17

    I have an optional custom attribute in my ACS group to pass to ACE config mode: shell:Admin*Admin default-domain

    Privilege level 15 is also part of the exec configuration.

    Recently I applied patch 17 on ACS 4.2(0) build 124. Since then I can't log in with privilege level 15 on IOS routers/switches.

    It looks like the IOS box now treats this custom attribute as mandatory.

    ---------------------------------------------------------------------------------------------------

    IOS debug (Cat6500, 12.2(33)SXJ4):

    May 27 13:23:56.819: TPLUS: Authorization request created for 61929(pehruby)
    May 27 13:23:56.819: TPLUS: using previously set server 10.105.24.44 from group tacacs+
    May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT/550052A4: Started 5 sec timeout
    May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: socket event 2
    May 27 13:23:56.819: TPLUS(0000F1E9)/0/NB_WAIT: wrote entire 62 bytes request
    May 27 13:23:56.819: TPLUS(0000F1E9)/0/READ: socket event 1
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: Would block while reading
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 12 header bytes (expect 51 bytes data)
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: socket event 1
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/READ: read entire 63 bytes response
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/550052A4: Processing the reply packet
    May 27 13:23:56.823: TPLUS: Processed AV priv-lvl=15
    May 27 13:23:56.823: TPLUS: Could not decode unknown AV shell: FAIL
    May 27 13:23:56.823: TPLUS(0000F1E9)/0/REQ_WAIT/550052A4: expired
    May 27 13:23:56.823: TPLUS: Protocol set to None .....Skipping
    May 27 13:23:56.823: TPLUS: Sending AV service=shell
    May 27 13:23:56.823: TPLUS: Sending AV cmd*

    ACS TCS.log (different time, same attempt):

    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 < Packet to client:10.106.11.114 type:AUTHOR/PASS_ADD, seq 2, flags ...>
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 SESSIONID -998342923 (0xC47E7EF5), DATALEN 51 (0x33)
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 type=AUTHOR/RESPONSE status=1 (AUTHOR/PASS_ADD)
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 msg_len=0, data_len=0 arg_cnt=2
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 arg[0] size=11 = priv-lvl=15
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 arg[1] size=32 = shell:Admin*Admin default-domain
    TCS 27/05/2013 11:59:39 I 0043 5088 0x15 END >

    ------------------------------------------------------------------------------------------------------------------------

    IOS debug (C1841, 12.3(14)T7):

    May 30 12:21:58.248: AAA/BIND(00000A52): Bind i/f
    May 30 12:21:58.272: AAA/AUTHOR (0xA52): Pick method list 'acs'
    May 30 12:21:58.272: TPLUS: Queuing AAA Authorization request 2642 for processing
    May 30 12:21:58.272: TPLUS: processing authorization request id 2642
    May 30 12:21:58.272: TPLUS: Protocol set to None .....Skipping
    May 30 12:21:58.276: TPLUS: Sending AV service=shell
    May 30 12:21:58.276: TPLUS: Sending AV cmd*
    May 30 12:21:58.276: TPLUS: Authorization request created for 2642(ph)
    May 30 12:21:58.276: TPLUS: using previously set server 10.105.24.44 from group tacacs+
    May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT/656FB000: Started 5 sec timeout
    May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: socket event 2
    May 30 12:21:58.276: TPLUS(00000A52)/0/NB_WAIT: wrote entire 59 bytes request
    May 30 12:21:58.276: TPLUS(00000A52)/0/READ: socket event 1
    May 30 12:21:58.276: TPLUS(00000A52)/0/READ: Would block while reading
    May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1
    May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 12 header bytes (expect 51 bytes data)
    May 30 12:21:58.280: TPLUS(00000A52)/0/READ: socket event 1
    May 30 12:21:58.280: TPLUS(00000A52)/0/READ: read entire 63 bytes response
    May 30 12:21:58.280: TPLUS(00000A52)/0/656FB000: Processing the reply packet
    May 30 12:21:58.280: TPLUS: Processed AV priv-lvl=15
    May 30 12:21:58.280: TPLUS: Could not decode AV shell:Admin*Admin default-domain - PASS - PASS
    May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): processing AV cmd=
    May 30 12:21:58.284: AAA/AUTHOR/EXEC(00000A52): Authorization successful

    ACS.log:

    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 < Received from client:10.106.0.50 type=AUTHOR, seq=1, flags ...>
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 SESSIONID 1990425999 (0x76A37D8F), DATALEN 47 (0x2F)
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 type=AUTHOR, priv_lvl=1, authen=1
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 METHOD=TACACS+
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 SVC=1 USER_LEN=2 PORT_LEN=6 REM_ADDR_LEN=12 ARG_CNT=2
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 USER=ph
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 PORT=tty195
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 REM_ADDR=10.106.33.22
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 arg[0](size=13) = service=shell
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 arg[1](size=4) = cmd*
    TCS 30/05/2013 12:21:58 I 0043 1280 0x0 END >
    TCS 30/05/2013 12:21:58 I 0850 3244 1 Allocated worker thread for connection 0xf
    TCS 30/05/2013 12:21:58 I 0143 3244 0xf author data: phtty19510.106.33.22service=shellcmd*...=13362timezone=MEZservi
    TCS 30/05/2013 12:21:58 I 0163 3244 0xf - Extracted service info
    TCS 30/05/2013 12:21:58 I 0189 3244 0xf - Checked NARs
    TCS 30/05/2013 12:21:58 I 0199 3244 0xf - Applied Reqs:
    TCS 30/05/2013 12:21:58 I 0209 3244 0xf - Got profile
    TCS 30/05/2013 12:21:58 I 0261 3244 0xf - Executed
    TCS 30/05/2013 12:21:58 I 0263 3244 0xf - Command set check done clean
    TCS 30/05/2013 12:21:58 I 0265 3244 0xf - NDG version supplied
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf < Packet to client:10.106.0.50 type:AUTHOR/PASS_ADD, seq 2, flags ...>
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf SESSIONID 1990425999 (0x76A37D8F), DATALEN 51 (0x33)
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf type=AUTHOR/RESPONSE status=1 (AUTHOR/PASS_ADD)
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf msg_len=0, data_len=0 arg_cnt=2
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf arg[0] size=11 = priv-lvl=15
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 = shell:Admin*Admin default-domain
    TCS 30/05/2013 12:21:58 I 0043 3244 0xf END >

    PuTTY session:

    Login as: ph
    ph@10.106.0.16's password:  <------ (10.106.0.16 and 10.106.0.50 are IP addresses of the same device)
    1841_hra_lab>
    1841_hra_lab>  <------ I'm not in enable mode (priv. level 1)

    --------------------------------------------------------------------------------------------------------------------

    Unfortunately I don't have logs/debugs from the period before the update, when everything was OK.

    I guess that the problem is somewhere in this argument that goes from the ACS to the client:

    TCS 30/05/2013 12:21:58 I 0043 3244 0xf arg[1] size=32 = shell:Admin*Admin default-domain

    Can someone tell me how this argument, with the optional setting, should look?

    Maybe * shell:Admin*Admin default-domain?

    Petr

    Hi Peter,

    You are running into a defect:

    CSCth75577    ACS incorrectly sends optional custom TACACS+ attributes.

    Symptom:

    TACACS+ authorization to IOS fails if custom attributes (even optional ones) are configured on the ACS user group. The login will work, but the attributes passed will not be honored.

    Conditions:

    ACS 4.2.0.124 patch 16

    ACS 4.2.1.15 patch 2

    Workaround:

    Revert to a previous ACS patch.

    This problem has been fixed in

    ACS 4.2.1.15 patch 3 or later.

    Upgrade the ACS to 4.2.1.15 and apply the latest patch, 10.

    Jatin kone
    -Does the rate of useful messages-

  • Cisco ASA TACACS+ enable mode not working

    Hello

    I'm setting up an ASA 8.4 with TACACS+ using the CLI configuration below. I can only successfully log in to USER mode on the ASA via TACACS+, but I am unable to get to enable mode on the ASA via TACACS+. Also, the ASA no longer accepts the local enable password.

    Also, I can successfully run "test aaa-server authentication TACACS+ username abc password password1":

    INFO: Authentication Successful

    Similarly, TACACS+ on ACS works for user mode and enable mode on routers/switches.

    Running ASA CLI

    ~~~~~~~~~~~~~

    username [ENTER USER NAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+

    Hey Rizwan,

    What version of ACS are you running?

    Make sure that you set the username with a static privilege level of 15; otherwise it will not be able to pass enable authentication.

    If ACS 5.x or higher: under Policy Elements, the Shell Profile; make sure that you have assigned a static maximum privilege of 15 and, more important, its access policy rule.

    Looking for networking assistance?
    Contact me directly at [email protected]

    I will fix your problem as soon as POSSIBLE.

    Cheers,

    Julio Segura Carvajal
    http://laguiadelnetworking.com

  • Making the computer visible on the network

    I have several computers connected to my router. Some wireless, some by Ethernet. One of the computers is an old WinXP machine; the others are all either Vista or Win7. (BTW the XP computer connects with Ethernet.)

    1. The XP computer can "see" all the others as available network connections
    2. All the newer Vista and Win7 machines can "see" each other
    3. None of the newer ones can "see" the XP computer as available for a connection

    I guess I have to change something on the XP computer to make it visible to the others.

    Any suggestions?

    gsnu201101

    Hello

    It sees all available devices that are configured for sharing on the network.

    -----------------

    Maybe this can help.

    Win7, when configured on a peer-to-peer network, has three types of sharing configuration.

    Homegroup network = only works between Win 7 computers. This type of configuration makes it very easy for entry-level users to start network sharing.

    Work network = fundamentally similar to the previous methods of sharing, which allow you to control what, how and with whom the folders are shared.

    Public network = public sharing (as in an Internet café), in order to reduce security risks.

    For best results, check each computer's System screen and set all computers on the network to the same workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall on each computer allows free local traffic. If you use a 3rd-party firewall, the native Vista/XP firewall should be disabled, and the active firewall has to be adjusted to your network's IP numbers, on what is sometimes called the Trusted Zone (see the 3rd-party firewall instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd-party software firewalls continue to block some aspects of local traffic even when they are turned Off (disabled).
    If possible, configure the firewall correctly or uninstall it completely to allow a clean flow of local network traffic.

    If you end up with the 3rd-party software uninstalled or disabled, make sure that the native Windows firewall is active.

    ------------------------------

    Networking Win 7 with another version of Windows as a work network (works very well if all computers are Win 7 as well).

    In the Network and Sharing Center, clicking on the network type opens the window on the right.

    Choose your network type. Note the checkbox at the bottom and check/uncheck it depending on your needs.

    http://www.ezlan.NET/Win7/net_type.jpg

    Win 7 - http://windows.microsoft.com/en-us/windows7/Networking-home-computers-running-different-versions-of-Windows

    Win 7 network sharing folder specific work - http://www.onecomputerguy.com/windows7/windows7_sharing.htm

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    Windows XP file sharing - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

    In Win XP Pro with simple sharing Off, you can visually see the Permission/security level and set them up at your convenience.

    http://www.Microsoft.com/windowsxp/using/security/learnmore/AccessControl.mspx#securityTab

    Sharing printer XP - http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx

    Setting Windows native firewall for sharing XP - http://support.microsoft.com/kb/875357
    Windows XP Patch for sharing with Vista (no need for XP - SP3) - http://support.microsoft.com/kb/922120

    When you have finished the configuration of the system, it is recommended to restart everything the router and all computers involved.

    -------------

    If you have permission and security issues with Vista/Win7, check the following settings.

    Point to a folder that wants to share do right click and choose Properties.

    In the properties

    Click on the Security tab shown in the bellows of the photo on the right) and verify that users and their permissions (see photo below Centre and left) are configured correctly. Then do the same for the authorization tab.

    This screen shot is to Win 7, Vista menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    The Security Panel and the authorization Panel, you need to highlight each user/group and consider that the authorization controls are verified correctly.

    When everything is OK, restart the network (router and computer).

    * Note . The groups and users listed in the screen-shoot are just an example. Your list will focus on how your system is configured.

    * Note . All the users who are allowed to share need to have an account onall computers that they are allowed to connect to.

    Everyone is an account, that means a group of all users who already have an account now as users. It is available to avoid the need to configure permission for each on its own, it does not mean all those who feel that they would like to connect.

    Jack-MVP Windows Networking. WWW.EZLAN.NET

  • The PC can see and access the laptop without asking for a user name and password, but the laptop cannot access the PC because it asks me for a username and password that I don't know.

    Vista - Windows 7 network connection: username and password are unknown.

    Hello

    I just got a laptop with Windows 7 on it and I want to connect it to my other PC; they are on the same network through a router. The PC can see and access the laptop without asking for a user name and password, but the laptop cannot access the PC because it asks me for a username and password that I don't know.

    If someone could answer this question, it would be great.

    Hello
    Maybe this can help.

    Win7, when configured on a peer-to-peer network, has three types of sharing configuration.

    Homegroup = only works between Win 7 computers. This type of configuration makes it very easy for entry-level users to start network sharing.

    Work network = fundamentally similar to the previous sharing methods, which allow you to control what, how and with whom the folders are shared.

    Public sharing = Public network (like an Internet Café), in order to reduce security risks.

    For best results, log on to each computer's System screen and set all the computers to be on the same Workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall on each computer allows free local traffic. If you use a 3rd-party firewall, the native Vista/XP firewall should be disabled, and the active firewall adjusted to your network's IP numbers on what is sometimes called the Trusted Zone (see the 3rd-party firewall's instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd-party software firewalls continue to block some aspects of local traffic even if they are turned off (disabled). If possible, configure the firewall correctly or uninstall it completely to allow a clean flow of local network traffic. If the 3rd-party software is uninstalled or disabled, make sure the Windows native firewall is active.

    ------------------------------

    If your network consists only of Win 7 computers and you want a simple network, use this.

    http://Windows.Microsoft.com/en-us/Windows7/help/videos/sharing-files-with-HomeGroup

    After you have configured the HomeGroup, scroll to the bottom for the Permission/Security section.

    -----------------------------

    Networking Win 7 with other versions of Windows as a Work network.

    In the Network and Sharing Center, clicking on the network type opens the window on the right.

    Choose your network type. Note the check box at the bottom and check/uncheck it depending on your needs.

    http://www.ezlan.NET/Win7/net_type.jpg

    Win 7 - http://windows.microsoft.com/en-us/windows7/Networking-home-computers-running-different-versions-of-Windows

    Win 7 sharing a specific folder on a Work network - http://www.onecomputerguy.com/windows7/windows7_sharing.htm

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    Windows XP file sharing - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
    XP printer sharing - http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx

    Setting the Windows native firewall for XP sharing - http://support.microsoft.com/kb/875357
    Windows XP patch for sharing with Vista (not needed for XP SP3) - http://support.microsoft.com/kb/922120

    When you have finished configuring the system, it is recommended to restart everything: the router and all the computers involved.

    -------------

    If you have permission and security problems, check the following settings.

    Point to the folder you want to share, right-click and choose Properties.

    In the Properties:

    Click on the Security tab (shown in the picture below on the right) and verify that the users and their permissions (see the pictures below, centre and left) are configured correctly. Then do the same for the Permissions tab.

    This screenshot is from Win 7; Vista's menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    In the Security panel and the Permissions panel, you need to highlight each user/group and check that the permission boxes are ticked correctly.

    When everything is OK, restart the network (router and computers).

    * Note. The groups and users listed in the screenshot are just an example. Your list will depend on how your system is configured.

    * Note. Users must be specific users. Everyone means all users who already have an account on the system as users. It does not mean everyone who feels like connecting.

    ---------------------

    *** Note. Some of the procedures described above are done not for Windows' sake, but to compensate for different routers and the way their firmware works and stores information about the networked computers.

    Jack-MVP Windows Networking. WWW.EZLAN.NET

  • XP & Win 7 machines networking.

    I have 3 computers, two running XP and a new one running Windows 7.  Networking between the two XP machines (laptop & desktop) works very well, & likewise between the Windows 7 machine and one (laptop) XP machine & vice versa.  The other XP (desktop) machine has become an annoying nightmare: I can't access it at all from the Windows 7 machine.  Both XP machines see each other via a wireless router and also see the Windows 7 machine. Despite the many FAQs, I still can't get the Win 7 machine to access the XP desktop machine, although it "sees" it.  It gives a response of "you are not allowed access..." recognizing the computer name, but it all grinds to a halt.   I guess it may be a firewall issue, but don't know what to do.  Any help appreciated.

    Hello

    Maybe this can help.


    Win7, when configured on a peer-to-peer network, has three types of sharing configuration.

    Homegroup = only works between Win 7 computers. This type of configuration makes it very easy for entry-level users to start network sharing.

    Home or Work network = fundamentally similar (and better) to the previous Workgroup sharing methods, which allow you to control what, how and with whom the folders are shared.

    Public sharing = Public network (like an Internet Café), in order to reduce security risks.

    For best results, log on to each computer's System screen and set all the computers to be on the same Workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall, AV, or other security components allow free local traffic on all the networked computers. If you use a 3rd-party security suite, the native Vista/XP firewall must be disabled, and the active firewall adjusted to your network's IP numbers on what is sometimes called the Trusted Zone (see the 3rd-party firewall's instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd-party firewall/AV/security suites continue to block aspects of local traffic even if they are turned off (disabled).
    If possible, configure the firewall correctly or uninstall it completely to allow a clean flow of local network traffic.

    If you end up with the 3rd-party software uninstalled or disabled, make sure that the Windows native firewall is active.

    ------------------------------

    Networking Win 7 with other versions of Windows as a Work network (works very well if all computers are Win 7 too).

    In the Network and Sharing Center, clicking on the network type opens the window on the right.

    Choose your network type. Note the check box at the bottom and check/uncheck it depending on your needs.

    http://www.ezlan.NET/Win7/net_type.jpg

    Win 7 - http://windows.microsoft.com/en-us/windows7/Networking-home-computers-running-different-versions-of-Windows

    Win 7 sharing a specific folder on a Work network - http://www.onecomputerguy.com/windows7/windows7_sharing.htm

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    Windows XP file sharing - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

    In Win XP Pro with Simple File Sharing off, you can see the Permission/Security levels and set them up as you wish.

    http://www.Microsoft.com/windowsxp/using/security/learnmore/AccessControl.mspx#securityTab

    XP printer sharing - http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx

    Setting the Windows native firewall for XP sharing - http://support.microsoft.com/kb/875357
    Windows XP patch for sharing with Vista (not needed for XP SP3) - http://support.microsoft.com/kb/922120

    When you have finished configuring the system, it is recommended to restart everything: the router and all the computers involved.

    -------------

    If you have permission and security issues with Vista/Win7, check the following settings.

    Point to the folder you want to share, right-click and choose Properties.

    In the Properties:

    Click on the Security tab (shown in the picture below on the right) and verify that the users and their permissions (see the pictures below, centre and left) are configured correctly. Then do the same for the Permissions tab.

    This screenshot is from Win 7; Vista's menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    In the Security panel and the Permissions panel, you need to highlight each user/group and check that the permission boxes are ticked correctly.

    When everything is OK, restart the network (router and computers).

    * Note. The groups and users listed in the screenshot are just an example. Your list will depend on how your system is configured.

    * Note. All the users who are allowed to share need to have an account on all the computers that they are allowed to connect to.

    Everyone is an account that means a group of all users who already have an account on the system as users. It is available to avoid the need to configure permissions for each one separately; it does not mean everyone who feels like connecting.

  • I have Windows XP and a Win7 laptop, connected via a wireless router.

    I have a WinXP desktop and a Win7 laptop connected via a wireless router.  Win 7 can see the XP machine with full file access, but not vice versa.  On XP, clicking on the laptop's C: gives the error "C: is not accessible. You have no permissions..." How can I fix it?  As far as I can tell all the relevant set-up is correct on Win7.  No passwords have been set.

    Hello

    Maybe this can help.

    Win7, when configured on a peer-to-peer network, has three types of sharing configuration.

    Homegroup = only works between Win 7 computers. This type of configuration makes it very easy for entry-level users to start network sharing.

    Home or Work network = fundamentally similar (and better) to the previous Workgroup sharing methods, which allow you to control what, how and with whom the folders are shared.

    Public sharing = Public network (like an Internet Café), in order to reduce security risks.

    For best results, log on to each computer's System screen and set all the computers to be on the same Workgroup name, while each computer has its own unique name.

    http://www.ezlan.NET/Win7/net_name.jpg

    Make sure that the software firewall, AV, or other security components allow free local traffic on all the networked computers. If you use a 3rd-party security suite, the native Vista/XP firewall must be disabled, and the active firewall adjusted to your network's IP numbers on what is sometimes called the Trusted Zone (see the 3rd-party firewall's instructions).

    General example, http://www.ezlan.net/faq.html#trusted
    Please note that some 3rd-party firewall/AV/security suites continue to block aspects of local traffic even if they are turned off (disabled).
    If possible, configure the firewall correctly or uninstall it completely to allow a clean flow of local network traffic.

    If you end up with the 3rd-party software uninstalled or disabled, make sure that the Windows native firewall is active.

    -----------------

    Networking Win 7 with other versions of Windows as a Work network (works very well if all computers are Win 7 too).

    In the Network and Sharing Center, clicking on the network type opens the window on the right.

    Choose your network type. Note the check box at the bottom and check/uncheck it depending on your needs.

    http://www.ezlan.NET/Win7/net_type.jpg

    Win 7 - http://windows.microsoft.com/en-us/windows7/Networking-home-computers-running-different-versions-of-Windows

    Win 7 sharing a specific folder on a Work network - http://www.onecomputerguy.com/windows7/windows7_sharing.htm

    Vista file and printer sharing - http://technet.microsoft.com/en-us/library/bb727037.aspx

    Windows XP file sharing - http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

    In Win XP Pro with Simple File Sharing off, you can see the Permission/Security levels and set them up as you wish.

    http://www.Microsoft.com/windowsxp/using/security/learnmore/AccessControl.mspx#securityTab

    XP printer sharing - http://www.microsoft.com/windowsxp/using/networking/expert/honeycutt_july2.mspx

    Setting the Windows native firewall for XP sharing - http://support.microsoft.com/kb/875357
    Windows XP patch for sharing with Vista (not needed for XP SP3) - http://support.microsoft.com/kb/922120

    When you have finished configuring the system, it is recommended to restart everything: the router and all the computers involved.

    -------------

    If you have permission and security issues with Vista/Win7, check the following settings.

    Point to the folder you want to share, right-click and choose Properties.

    In the Properties:

    Click on the Security tab (shown in the picture below on the right) and verify that the users and their permissions (see the pictures below, centre and left) are configured correctly. Then do the same for the Permissions tab.

    This screenshot is from Win 7; Vista's menus are similar.

    http://www.ezlan.NET/Win7/permission-security.jpg

    In the Security panel and the Permissions panel, you need to highlight each user/group and check that the permission boxes are ticked correctly.

    When everything is OK, restart the network (router and computers).

    * Note. The groups and users listed in the screenshot are just an example. Your list will depend on how your system is configured.

    * Note. All the users who are allowed to share need to have an account on all the computers that they are allowed to connect to.

    Everyone is an account that means a group of all users who already have an account on the system as users. It is available to avoid the need to configure permissions for each one separately; it does not mean everyone who feels like connecting.
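    The answers above (to the "username and password is unknown", "XP & Win 7 machines" and "C: is not accessible" questions) all come down to the same four checks on the machine that hosts the share: same workgroup name, an enabled File and Printer Sharing firewall rule, a matching local account for the user connecting from the other PC, and an NTFS ACL that actually grants that user read access. The script below is an added example and is not code from the original posts or from ezlan.net; it turns those four checks into a diagnostic run from an elevated PowerShell prompt on the sharing machine. It assumes Windows 7 or later with PowerShell 2.0+ (hence WMI and netsh rather than the Win8+ Get-SmbShare/Get-NetFirewallRule cmdlets) and English netsh output; the share name "Shared" and the account name "alice" are placeholders.

```powershell
# Added example (not from the original posts): check the four things the
# answers above say must line up before a workgroup share is reachable.
# Run in an elevated PowerShell prompt ON THE MACHINE THAT HOSTS THE SHARE.
# Assumptions: Windows 7 or later, PowerShell 2.0+, English-language netsh.
param(
    [string]$ShareName  = 'Shared',   # hypothetical share published on this PC
    [string]$RemoteUser = 'alice'     # hypothetical account the other PC logs on with
)

$problems = @()

# 1. Same workgroup on every machine, and each machine with its own name.
$cs = Get-WmiObject Win32_ComputerSystem
Write-Host ("Computer '{0}' in workgroup '{1}'" -f $cs.Name, $cs.Workgroup)
if ($cs.PartOfDomain) {
    $problems += 'This machine is domain-joined; the workgroup advice above does not apply.'
}

# 2. Firewall: the inbound SMB rule of the File and Printer Sharing group must be
#    enabled for the profile in use. netsh exists on Win7; the *-NetFirewallRule
#    cmdlets only arrived with Win8. The rule exists once per profile, so any
#    'Enabled: Yes' in the output counts as a pass.
$rule = netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)" | Out-String
if ($rule -notmatch 'Enabled:\s+Yes') {
    $problems += 'Inbound SMB rule is disabled. Fix: netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes'
}

# 3. The user coming from the other PC needs an account HERE, with the same
#    name and password as on the machine they connect from.
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$RemoteUser'"
if (-not $acct) {
    $problems += "No local account '$RemoteUser' on this machine; create it (net user $RemoteUser * /add)."
} elseif ($acct.Disabled) {
    $problems += "Local account '$RemoteUser' exists but is disabled."
}

# 4. The share exists and the NTFS ACL (Security tab) allows that user to read,
#    directly or via Everyone / Users / Authenticated Users. Share-level
#    permissions (Sharing tab) apply as well; effective access is the intersection.
$share = Get-WmiObject Win32_Share -Filter "Name='$ShareName'"
if (-not $share) {
    $problems += "Share '$ShareName' is not published (run 'net share' to list shares)."
} else {
    $readers = '^(Everyone|NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|.*\\' + $RemoteUser + ')$'
    $acl = Get-Acl -Path $share.Path
    $grant = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([string]$_.IdentityReference) -match $readers -and
        ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if (-not $grant) {
        $problems += "NTFS ACL on $($share.Path) grants '$RemoteUser' no read access (check the Security tab)."
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'All four checks passed; if access still fails, restart the router and computers as advised.'
} else {
    $problems | ForEach-Object { Write-Host "PROBLEM: $_" }
    exit 1
}
```

    Run it as `.\Check-WorkgroupShare.ps1 -ShareName Documents -RemoteUser bob` (file name is a placeholder) on the PC that refuses the connection; the "you are not allowed access" and "asks for a username and password I don't know" symptoms in the questions above correspond to checks 3 and 4 failing, while a machine that is not even visible usually fails check 2.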
