ACS 4.2 and ASA: users allowed to log in who should not be

I am using ACS 4.2, with AAA/TACACS+ configured on my ASA. Currently any user in any NG can log in to the ASA; however, they cannot make changes without the enable password. We only want people in a NG to be allowed to log in to the ASA. I'm not finding a good way to do it.

You can create a NAR:

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wp697095

And then use it in the configuration of the user/group:

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900

---

Michal

Tags: Cisco Security

Similar Questions

  • Version 7.0 of the PIX and ASA 5500

    Hi all

    Is the ASA 5500 series identical to a PIX 515 or 525 or 535 with version 7.0? I still see some areas where it is confusing between version 7.0 of the PIX and the ASA 5500 series. If not, what are the benefits of the ASA 5500 over the PIX 7.0?

    ASA is not the same as PIX; ASA is a different hardware architecture, although both can run the same code. One of the benefits of the ASA is that you can have an IPS module in it to do intrusion prevention.

    Search for a comparison on CCO.

  • Why can't an iBook on iTunes in South Africa? They promote the iBooks and iBooks author on their Web site, but it seems that SA is not on the list of countries of distribution. Same tax iBooks are not available. Someone know why? Thank you.

    Why can't an iBook on iTunes in South Africa? They promote the iBooks and iBooks author on their Web site, but it seems that SA is not on the list of countries of distribution. Free IBooks are not available. Someone know why? Thank you.

    Liz...

    According to Apple eBooks aren't yet available > > I can buy on the iTunes Store in my country?

    Simply because Apple makes the promotion of iBooks does not necessarily that they are available in all locations.

    Sorry!

  • EIGRP running between the router and ASA by switch

    Hello

    Is it possible to run EIGRP between a router and an ASA through a switch?

    The router and ASA are connected to the switch with a static route.

    Hi Tommy Chin.

    It is possible; we must advertise the route between the router and ASA.

    Please provide your connectivity diagram to better explain.

    For example...

    interface GigabitEthernet0/0
     description links to WAN router
     nameif OUTSIDE
     security-level 50
     ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2
     summary-address eigrp 100 10.1.0.0 255.255.0.0 1
    !
    ! EIGRP protocol configuration
    access-list eigrpACL_FR standard permit any
    !
    router eigrp 100
     distribute-list eigrpACL_FR in interface OUTSIDE
     neighbor 10.1.1.3 interface OUTSIDE
     neighbor 10.1.1.2 interface OUTSIDE
     network 10.1.1.0 255.255.255.192
     redistribute connected
     redistribute static
    !

    Kind regards

    Srinivas.

    Note: if this solves your problem, please mark it as resolved.

  • authentication between the ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 uses to talk to Active Directory. Does it simply use MSCHAP, MSCHAPv2 or PAP? By default, it uses PAP to talk between the Cisco IOS and the ACS on 5.1.

    If you look at the default admin tab and click on allowed protocols ---> it mentions PAP.

    Should I use a secure means of transport between the ACS and AD? If so, can anyone tell me the authentication mechanism?

    Thank you

    Any administrative session like telnet, ssh and console always uses PAP as an authentication method.

    PAP communication can be captured and read in this case in clear text. However, since we have TACACS+ in use, it always encrypts the whole packet with the shared secret defined on the IOS and ACS/TACACS+, so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

    In case you have RADIUS, then use SSH (PuTTY) so that it can help you with secure communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, device administration does not work with any authentication method except PAP.

    HTH

    Regds,

    Jousset

    Note the useful posts ~

  • Offers day and slow downloads WiFi (very slow).  Is there a way that I can download some updates and new programs using my MacBook Pro (at a public site in the city) and transfer them to my iMac, which is too heavy to cart around?

    Difficulty accessing the updates and downloads with very slow wifi ("country").  Is it possible that I can download some updates and new programs using my MacBook Pro (retina) at a public site in the city and transfer them to my iMac, which is too heavy to cart around?

    New programs, Yes.

    Updates, depends on what you're updating.

  • None of my restore points will not work. He directed the restoration of the system and that it recharges, but says system has not been restored.

    What is your system brand and model?

    What is your Version of XP and the Service Pack?
    Describe your current antivirus and software anti malware situation: McAfee, Norton, Spybot, AVG, Avira!, Defender, ZoneAlarm, PC Tools, MSE, Comodo, etc..
    What is the issue that you are experiencing that you think that the system restore will be remedied (or you are just convenient)?  System Restore is not a time machine, but of course, this should work if you think you need.
    Some tools Anti Virus 'protect' your system so that they will not allow a restore of the system work properly.

    For example, if you use Norton/Symantec products, you will see a message like this:
    Restoration incomplete. Your computer cannot be restored...
    It is also a popular Symantec problem (well, I'll be polite and call an "undocumented feature"...), they wrote an article about it:
    Depending on what you use for malware protection, you may need to disable the product temporarily, do the system restore and then turn the products back on again when the system restore is complete.
    Sometimes you need to start your system in Safe Mode so that your protection programs are not running, and then do the system restore.  Microsoft advises in some of their articles that if the system restore does not restore your computer, start in Safe Mode, and then run the system restore.  It works for some configurations.
    System Restore is sometimes so afflicted or Restore Points are suspicious, the best solution is to reinstall your system restore.  This will remove the old Restore Points, but sometimes it's the only way to fix a broken system restore.  You don't have to reinstall XP, only the part of system restore.
    That can leave you with your problem of unspecified origin that you hope the system restore will fix (using a system restore is usually not equivalent to fixing the problem though).
    Give these ideas some consideration if they apply to you.
    Sometimes malware will afflict your system restore to prevent you from finding and removing the malware.  It would much rather trick you into thinking that you need to repair or reinstall your XP when it is not necessary.
    No matter what you use for protection against malware, I do so and then only begin to solve any problems:
    Download, install, update and do a full scan with these free malware detection programs can solve any problems:
    Malwarebytes (MMFA): http://malwarebytes.org/
    SUPERAntiSpyware: (SAS): http://www.superantispyware.com/
    It can be uninstalled later if you wish.

    Once the scans run clean, reboot, test and we can fix any other issues

  • cannot log on as administrator with the password and open a user button session sends to the temporary profile.

    cannot log on as administrator with the password and log on user button wife sends him to temp. access to some of my articles on his desk.  She lost all access to his information.

    Original title: cannot log on as administrator with the password and log on user button wife sends him to temp. access to some of my articles on his desk. She lost all access to his information.

    Hello

    • Remember to make changes to your computer before this problem started?

    However, you can access the link below and follow the steps mentioned in the article and check if it helps you to fix the problem, and connect you to your normal user account.

    http://support.Microsoft.com/kb/947242

    I hope this helps. Let us know the result.

    Thank you and best regards,

    Srinivas R

    Microsoft technical support.

    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Support the contact - person I'm trying to communicate with a person that I paid for my subscription to the CC and it is to show that I have not bought the product.  The page to contact technical support is a labyrinth and continues to loop back to the sa

    I am trying to contact a person that I paid for my subscription to the CC and it is to show that I have not bought the product.  The page contact technical support is a labyrinth and continues to loop back to the same place without giving me any contact information! Help, please!

    Move the debate towards Adobe Creative cloud

    We have checked your account details, we see active participation of Photography Photoshop program.  Please make sure that you are connected with correct Adobe Id to Adobe.com to get it. You can check:Adobe Store | Order FAQ and your online payment

    To install Creative Cloud app - https://helpx.adobe.com/creative-cloud/help/install-apps.html, you can also Learn how to enable or disable Adobe applications from here.

    Kindly let us know in case you have further questions on your membership.

    I hope this helps.

  • I just paid almost $10 to create a PDF from a jpg file, but I did it so that I can change it. Now I find that I needed another Adobe package that would create the pdf AND I would change it. What should I do now?

    If you create a PDF file from an image, it is always a picture, and you cannot change it.

    If the image contains text, then you need to perform the text recognition (OCR) before you can actually change the text.  Acrobat can do that.

  • 5 Lightroom has stopped working. A says to remove the program and reinstalled. Installation of creative cloud does not deliver to 0%. What's wrong? With the help of a PC.

    I installed again the creative cloud. Now it's working.

  • I can't track of the railroad on this version of Google Earth. Should not show with "roads" audited?

    Hi, Urbisoler,

    This is a question for the forum Google Earth

    https://groups.Google.com/a/googleproductforums.com/Forum/#! Forum/Earth

    Google groups - railway

    https://groups.Google.com/a/googleproductforums.com/Forum/#! $20 Searchin'/Earth/railways

  • ACS 4.1 and 802.1x dynamic VLAN assignment

    Hi guys,

    a customer wants to implement dynamic VLAN assignment with 802.1x. The customer has the following facilities: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, several routers and Cisco switches.

    Now, the questions are: can we implement dynamic VLAN assignment without a NAC unit? The customer also wants to distinguish between clients with current antivirus signatures and those with old signatures. Older clients are denied access to the anti-virus server and the update of the signature and if everything is ok, to have access to the internal network.

    How could we implement this without new hardware or software?

    Any ideas? Thanks for help.

    René

    You can have a look at the NAC Framework. If you only want to posture-validate wired clients then there are no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

    http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

    I suggest you prototype it and see what you think; the good thing is that you can deploy on a per-switchport basis, so you can do the setup on ACS without disturbing what is there already and apply it by configuring the switch.

  • 802.1x with ACS and Windows AD

    Hello

    I'm trying to configure 802.1x with ACS 5.2 but I am going wrong, as it is very different from ACS 4.2.

    I set up the ACS for the domain and think that I set up the external identity store; however, when I try to authenticate a PC using PEAP (EAP-MSCHAPv2) authentication, I get failure reason 22056: Subject not found in the applicable identity store(s).

    Marco

    Hi Marco,

    I guess you missed a mapping configuration in the Access Policies section.

    Create an Access Service named AS-802.1x, select User Selected Service Type, and select Network Access. For Policy Structure, select Identity and Authorization. Select PEAP as the allowed protocol. Click Finish.

    You will see the new service; click on Identity.

    Select the identity source you have created, then save.

    Click Authorization.

    Select Permit Access for the default authorization rule and save.

    Create a service access rule named 802.1x.

    Select Protocol Radius as a condition, and as a compound condition select RADIUS-IETF:Service-Type match box, then select the service that you created before.

    Then you can try again.

    Regards

    Alex

  • ACS 4.1 and Windows AD authentication

    Hi all

    I want to install an ACS 1113 and will authenticate users through AD.

    Is it preferable to install the remote agent on a domain controller or a member server? What are the pros and cons?

    Thank you

    Randall

    Randall,

    You can install it on the DC and the member server. My suggestion would be to install it on a member server, since the domain controller uses its resources for domain activities.

    Kind regards

    ~ JG

    Note the useful messages
