AAA - ACS - users authenticate to different NDG

Hello...

We have an ACS appliance integrated with MS AD and the users are authenticated successfully.

Our requirement is that we have 3 departments with 20 switches each. I created 3 network device groups (NDGs) in ACS, one for each department, with 20 switches each.

Now, if I create a user, it can log in to the switch devices of all 3 departments, since they are under the same ACS.

I want a particular user to authenticate only to the NDG associated with his department.

Hope my question is simple... Please forward your comments.

Thank you very much

Jafar

Network Access Restrictions (NAR) will work in this scenario. The best approach will be to create distinct user groups for each department, then enable shared NAR in the group properties and select the appropriate NDG in order to restrict access for these user groups.

For example: user group Dept A will be denied access to the NDGs of Dept B and Dept C accordingly, and likewise NAR can be applied to the rest of the user groups.

Hope this helps

Ahmed

Tags: Cisco Security

Similar Questions

  • AAA ACS RADIUS ASA administrative access

    We have an ASA 8.2 that we'd like to configure for AAA SSH access using ACS 5.5 running RADIUS.

    We can get users to authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC.

    Configuration on the ASA:

    aaa-server rad-group1 protocol radius
    aaa-server rad-group1 (inside_pd) host rad-server-1
     key *
    aaa-server rad-group1 (inside_pd) host rad-server-2
     key *
    aaa authentication ssh console rad-group1 LOCAL
    aaa authentication telnet console rad-group1 LOCAL
    aaa authentication http console rad-group1 LOCAL
    aaa authorization exec authentication-server

    Have you tried pushing various combinations of these attributes from the ACS:

    CVPN3000/ASA/PIX7.x-Privilege-Level = 15
    IETF RADIUS Service-Type = Administrative (6)
    cisco-av-pair = "shell:priv-lvl=15"

    Hi Phil,

    You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to go to the privilege level without enable authentication unless you go to 9.1(5) code.
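The three attributes suggested above are what the ACS returns inside the RADIUS Access-Accept. The block below is an added example (not the poster's configuration and not ACS or ASA code) that encodes and decodes the two attributes whose wire format is fixed by RFC 2865 and Cisco's VSA convention, Service-Type = Administrative (6) and the Cisco vendor-specific `shell:priv-lvl=15` av-pair, and then reads the privilege level back out of the attribute list, the way an engineer would check a packet capture while troubleshooting the user-EXEC problem. The Altiga-vendor `CVPN3000/ASA/PIX7.x-Privilege-Level` attribute is left out because its vendor-type number is not on the page; the function names and the sample values are constructed.

```python
import struct

# IETF attribute numbers (RFC 2865) and Cisco's vendor conventions.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative-User"
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                  # vendor-type of cisco-avpair


def encode_attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor-id 9, vendor-type 1 and the av-pair string."""
    payload = text.encode()
    vsa_body = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, len(payload) + 2) + payload
    return encode_attr(ATTR_VENDOR_SPECIFIC, vsa_body)


def build_admin_accept_attrs():
    """Attribute set from the thread: Service-Type=Administrative plus shell:priv-lvl=15."""
    service_type = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    return service_type + encode_cisco_avpair("shell:priv-lvl=15")


def decode_attrs(blob):
    """Walk the TLV list and return (type, value) pairs; malformed lengths are rejected."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def parse_cisco_avpairs(value):
    """Unpack a Vendor-Specific value; return the av-pair strings if the vendor is Cisco."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
        return []
    pairs, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("bad vendor attribute length")
        if vtype == CISCO_AVPAIR:
            pairs.append(value[i + 2:i + vlen].decode(errors="replace"))
        i += vlen
    return pairs


def effective_privilege(blob):
    """What the Access-Accept actually grants: (Service-Type is Administrative?, priv-lvl or None)."""
    admin, priv = False, None
    for atype, value in decode_attrs(blob):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            admin = struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE
        elif atype == ATTR_VENDOR_SPECIFIC:
            for pair in parse_cisco_avpairs(value):
                if pair.startswith("shell:priv-lvl="):
                    priv = int(pair.split("=", 1)[1])
    return admin, priv
```

Run `effective_privilege(build_admin_accept_attrs())` to confirm the encoded reply carries both the administrative Service-Type and priv-lvl 15; feeding it the attribute bytes from a capture of the real reply shows which of the two the ACS is actually sending.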

  • Don't I have a different username and password for each different Mozilla page?

    Don't I have a different username and password for each different Mozilla page?
    FOR EXAMPLE, support.mozilla.org, or the services.mozilla.com account.
    I can't seem to find out what username/password I used before on the latter, and I received no password reset email after asking (three times).
    Also, what is 'Persona', and is it related somehow?
    Thank you!

    Sync is currently used to synchronize personal data to other devices.

    These can be other profiles and/or versions of Firefox on the same computer, or other computers and mobile devices.

    Some people like to use Sync as a backup system for a computer, but it is not implemented reliably for that and can fail at any time, especially if you reinstall Firefox and want to retrieve the data stored on the server.

    The services.mozilla.com web page is where you can check your Sync account.

    This server does not support login through Persona (there is no Persona icon on the login page) and requires its own password.

    Persona is just a special way to authenticate on the Mozilla servers independently of the web page (Mozilla server or subdomain).

    This requires JavaScript to transmit this data back and forth between the servers, so the server must support this way of authenticating.

  • ACS > User Configuration

    When a user authenticates in ACS v3.3, a profile is created and stored under User Setup. When employees leave the company, this profile needs to be deleted. We use an external database, which is Active Directory.

    Questions

    (1) If the Active Directory account is disabled, will the user still be able to connect because the credentials are recorded in the ACS?

    (2) Is there a way to expire these credentials, e.g. after 24 or 48 hours?

    In ACS 3.3, you can expire the account. Also, if the account is disabled and the user cached in ACS points to the Windows database for authentication, it should not allow the user in.

    Here is where you can set how long the account is active for:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/u.html#wp273167

    Thank you

    Tarik

  • Unable to connect wireless, "ACS user exceeded max sessions" users

    Some corporate users are unable to connect to the company wireless.

    On the WLC, I get the following logs:

    Authentication failure AAA for UserName:dto029 user Type: USER WLAN

    On the ACS, I get the error:

    Authentic doesn't have a default group for ACS user exceeded max sessions (by default) 192.168.47.46 DTO029......

    What does "ACS user exceeded max sessions" mean? How can I solve this problem? Only a few users face the connection problem, while others are able to connect.

    On the corporate SSID, Session Timeout & Client Exclusion are not enabled. The WLC version is 7.0.98.0 and the ACS version is 4.2.0.124.

    The problem is solved when the ACS is restarted. Is there a permanent solution?

    Thanks in advance.

    Hello

    The error means that the ACS group the users belong to (or the users themselves) has a "max sessions" setting, as described here:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp826493

    ...and the user exceeds this limit.

    ACS can indeed limit the number of concurrent sessions for the same username. This counter is based on the RADIUS accounting information received from the AAA client: the session counter is incremented when a "Start" accounting packet is received and decremented when a "Stop" accounting packet is received.

    If for any reason ACS doesn't receive an Acct-Stop, it won't decrease the number of sessions, so it may indeed happen that your users exceed the maximum number of concurrent sessions allowed.

    You can check the active sessions in the ACS "Logged-in Users" report:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp680304

    If you restart ACS, this information is reset, so everything works again, as you say. As an alternative, you can also use the "Purge logged in users" option on the logged-in users page, but it would be wiser to really solve this problem by checking the following:

    - Do you really need the max sessions configuration? Otherwise, you can simply disable it in the user/group configuration.

    - If you do need this limitation and the problem is related to overlapping sessions, meaning the WLC does not send the Acct-Stop because a session is still active while a new one is created at the same time, you can consider increasing the maximum number of sessions.

    HTH,

    Federico

    --

    If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.
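The counter Federico describes is easy to reproduce, and reproducing it shows why a lost Acct-Stop locks a user out until ACS is restarted. The block below is an added Python model of that per-user session counter, not ACS code: the username and WLC address are the ones quoted in the thread, the accounting session IDs and the event sequence are constructed, and the report and purge helpers are assumptions about what an operator would want alongside the counter.

```python
from collections import defaultdict

# Acct-Status-Type values from RFC 2866.
ACCT_START = 1
ACCT_STOP = 2


class SessionCounter:
    """Per-user concurrent-session counter: +1 on an accounting Start, -1 on the matching Stop."""

    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.active = defaultdict(dict)   # username -> {acct_session_id: nas_ip}

    def accounting(self, user, status, session_id, nas_ip):
        sessions = self.active[user]
        if status == ACCT_START:
            sessions[session_id] = nas_ip
        elif status == ACCT_STOP:
            # A Stop whose Start was never seen is ignored: nothing to decrement.
            sessions.pop(session_id, None)

    def count(self, user):
        return len(self.active[user])

    def authorize(self, user):
        """The check behind 'user exceeded max sessions': refuse a new login once the
        tracked sessions already reach the limit."""
        return self.count(user) < self.max_sessions

    def users_at_limit(self):
        """What the Logged-in Users report would surface: users whose counter is at or over the cap."""
        return sorted(u for u, s in self.active.items() if len(s) >= self.max_sessions)

    def purge(self, user=None):
        """Equivalent of 'Purge logged in users' (one user) or an ACS restart (everyone)."""
        if user is None:
            self.active.clear()
        else:
            self.active.pop(user, None)


# Constructed accounting stream for the username and WLC address seen in the thread.
SAMPLE_EVENTS = [
    ("dto029", ACCT_START, "0001", "192.168.47.46"),
    ("dto029", ACCT_STOP,  "0001", "192.168.47.46"),
    ("dto029", ACCT_START, "0002", "192.168.47.46"),
    # Client re-associates: a new Start arrives, but the Stop for session 0002 never does.
    ("dto029", ACCT_START, "0003", "192.168.47.46"),
]


def replay(max_sessions=2, events=SAMPLE_EVENTS):
    """Feed the accounting stream to a counter with the given cap and return it."""
    counter = SessionCounter(max_sessions)
    for event in events:
        counter.accounting(*event)
    return counter
```

With a cap of 2, `replay()` leaves dto029 at two tracked sessions although only one client is really connected, so `authorize("dto029")` is False; `purge("dto029")` clears it, and `replay(max_sessions=3)` shows the effect of raising the limit instead.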

  • How to direct the user to a different scene from inside a clip?

    Hey,

    I have a button inside a mc and I need to direct users to a different scene (outside the mc) when it is clicked.

    How can I do that?

    Thanks in advance!

    AS3: MovieClip(root).gotoAndPlay("frame number or label", "scene name");

    AS2: _root.gotoAndPlay("frame label");  Don't use scenes for navigation; assign a frame label and use that instead.

  • Redirect the user to the different menu item

    Hi guys,

    JHeadstart 11.1.1.3.35

    I use the JhsTree menu structure. One of my menu items is a wizard that goes directly into insert mode, so at the end of the wizard I redirect the user to a different group (menu item). The problem is that while the new menu page is displayed to the user, the previous menu item (the wizard menu) is still selected, so if you try to re-enter the wizard menu item, nothing happens, as the menu structure and the page are out of sync (the menu believes that you are already on the wizard page even though you're not).

    My question is: besides creating a navigation rule to a different menu item, how can I programmatically change the selected menu item?

    See you soon,
    Brent

    Brent,

    No, you can remove those safely.

    Steven Davelaar,
    JHeadstart team.

  • How different users to use different Plan_Tables?

    How can different users use different PLAN_TABLEs?
    I want every user to use its own PLAN_TABLE. How can this be achieved?

  • The ACS user groups

    I have a problem.

    We have 2 groups created in ACS: group 1, TACACS+ Access, and group 2, RADIUS Access. Group 1 has the people that have been created on the ACS server itself. The 2nd group is dynamic, for users who are enabled for access through the domain's User Manager. We do not want the 2nd group to be able to access our routers and switches with their Microsoft accounts, which they can now, at least as far as the enable prompt. I would like the 2 groups to be completely independent from each other. Our group 1 is used only for our administrators to have access to all of our network devices.

    I'm sure some type of filtering or IP address grouping could be implemented on the ACS, but I'm not sure where, if that is the case.

    Can someone help, please!

    Thank you!

    Matt

    You must set up Network Access Restrictions (NAR) to restrict group 2 from being able to access the routers/switches.

    Make sure Group-Level NAR is checked under Interface Configuration > Advanced Options. Then go under Group 2, NAR section, check the box "Define IP-based access restrictions", select Table Defines "Denied Calling/Point of Access Locations", and then select each of the routers/switches, using * for the Port and Address, and add them to the table.

    Anyone in Group 2 will then be refused authentication on any of the routers/switches.

  • Problems logging in as the same user on different XP VMs in the same VMware Workstation

    I use VMware Workstation on Ubuntu x64 and I try to run several Windows XP virtual machines.  However, when I try to log in to the virtual machines with the same username, it won't let me.  The user accounts are not roaming accounts but authenticate with our server to set up network drive storage once the user logs in.  I can log in with this username at the same time on different physical machines; however, I am not able to do it on the virtual machines.  When logged in to one of them and trying to log in to another, I get this error:

    Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found.  Please try again later.

    I don't know why I can't use two virtual machines on a single machine, because they both receive their own IP address through the host.  My network card is defined as Bridged: directly connected to the physical network.  The "Replicate physical network connection state" box is not checked.

    Any input would be greatly appreciated.

    Thank you

    Is the domain an AD domain?

    How did you make the virtual machines, and did you join each one to the domain separately?

    If you just copied them, maybe AD gets angry because they have the same credentials.

    If they are not copies, you can try unjoining the machine from the domain and then joining it again.

    Lou

  • Unique user IDs in different OID realms

    Hello

    I use OID to store users in different organizations/realms. I use DAS to delegate administration so that users with certain privileges can create new users. One of the fields that must be entered when creating new users is uid (userID). OBIEE uses the OID data to authenticate users.

    When users are created, two users with the same username can be created in different realms in OID. OBIEE however requires unique usernames to authenticate users. Can someone please guide me on what steps I need to take to make sure that userIDs in different realms are unique, while authentication in OBIEE works without hassle.

    Thank you
    Nikita

    http://download.Oracle.com/docs/CD/B28196_01/idmanage.1014/b15991/attruniq.htm#i128455

  • Passwords admin vs user: same or different?

    Is it desirable or just paranoid to use two different passwords for the user and Admin accounts? I prefer to use the same one if it is just as safe (I guess it is, for the most part). Thanks.

    In the professional world, it is advisable to use two different passwords, so that each account has its own. It is also advisable to change them every 30 to 90 days. What your strategy is in your own home is up to you alone, but it is advisable to have a password.

  • How to present the user programmatically with different input parameters based on the choice of the Group of entry?

    I have an array of items that represent the inputs to an operation.  The user is allowed to choose an arbitrary order for the entries to assemble in the array.  Each element, however, requires different associated input parameters that are used by the operation to define each choice.  I realize that, for an array of clusters, the individual cluster array elements must all have the same format, that is, they must all have the same type and number of cluster inputs or outputs.

    Ideally, I would like to have an array of clusters where each cluster has a different set of inputs.  Does anyone have ideas for a programming approach that would achieve or simulate such a structure?

    Thank you

    Mike H.

    Hello

    I tried something and attached the VI (LV 2010).

    Develop something similar to what is in the attached VI and then package the clusters for which the user enters the parameters... I prefer the tab page over the "all settings" cluster.

  • I want to limit the file sharing on a home network, Windows XP Pro (working group) to a specific user on a different computer.

    I can't get this username entered successfully because I'm limited to only the users on the computer I'm working on.  I have turned off Simple File Sharing in Windows XP.  Both computers run XP Pro and I can share the folder, but it is open to ALL.  Is there a way to do this?

    I would like to try to explain how it works.  You have XP Pro on Computer1 and you have disabled Simple File Sharing.  That is a step in the right direction.  The facts are that the file exists on Computer1, and it is Computer1 that controls which external connection gets access to this file.  Computer1 can only validate username/password combinations it knows.  Not being in a domain environment, Computer1 knows only the usernames and passwords that exist on Computer1.  It cannot know or trust any username and password combination that does not exist within itself.  The normal method most people use is to create on Computer1 the same user that exists on the connecting computer, and to give it the same password that user has on the connecting computer.  If that is the case, the external user connects seamlessly and has access if Computer1 has granted that user authorization to the file.  Access is controlled by right-clicking the file or folder, selecting "Properties", and then using the "Security" tab to build an access matrix.

    Authentication: when connecting to Computer1 from another computer, Computer1 first checks whether the username of the user logged in on the connecting computer exists on Computer1.  If the username of the user on the connecting computer exists on Computer1 and the passwords on both computers match, the connection is established.  If the passwords do not match, the connection is refused.  If the username of the logged-in user does not match a user on Computer1, then the "Guest" user is attempted.  If the Guest user is not disabled, then the user will appear as the "Guest" user and get "Guest" access.  If the Guest user is disabled on Computer1, then the connecting computer displays a username/login screen asking the user to provide credentials (name and password) that Computer1 can use and recognize to validate that user.  If a username and password that Computer1 recognizes are entered, then Computer1 authenticates the user with those credentials.

    Of course, once authenticated, the user will have access to those files for which permissions have been granted to that authenticated user, according to KB307874.  XP cannot grant permissions to users it does not know (obviously), beyond "Guest".

    Bottom line is that, as you have discovered, in a non-domain environment (workgroup) you MUST authenticate as a legitimate user who exists (and who is not disabled) on Computer1.

    HTH,
    JW
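The decision order JW lays out (matching name first, then password, then Guest, then a credential prompt) is what determines whether a connecting user is refused or silently downgraded to Guest, and the ordering matters: a name that exists on Computer1 with a wrong password is refused outright rather than falling back to Guest. The block below is an added Python model of that logon decision, not Windows code; the account table is constructed, and treating a disabled matching account as refused is an assumption consistent with the "not disabled" requirement in the bottom line.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    CONNECTED_AS_USER = "connected as the named user"
    CONNECTED_AS_GUEST = "connected as Guest"
    REFUSED = "connection refused"
    PROMPT = "prompted for credentials Computer1 recognizes"


@dataclass
class LocalAccount:
    password: str
    disabled: bool = False


def workgroup_logon(local_accounts, guest_enabled, caller_user, caller_password):
    """Decision order described above: a matching name must match the password;
    no matching name falls back to Guest if enabled, otherwise to a credential prompt."""
    account = local_accounts.get(caller_user)
    if account is not None:
        if account.disabled:
            return Outcome.REFUSED            # assumption: a disabled account is refused outright
        if hmac.compare_digest(account.password.encode(), caller_password.encode()):
            return Outcome.CONNECTED_AS_USER
        return Outcome.REFUSED                # same name, wrong password: no Guest fallback
    return Outcome.CONNECTED_AS_GUEST if guest_enabled else Outcome.PROMPT


def prompted_logon(local_accounts, guest_enabled, first_user, first_password,
                   prompted_user=None, prompted_password=None):
    """Second round after a PROMPT: the user types credentials Computer1 should know."""
    outcome = workgroup_logon(local_accounts, guest_enabled, first_user, first_password)
    if outcome is Outcome.PROMPT and prompted_user is not None:
        return workgroup_logon(local_accounts, guest_enabled, prompted_user, prompted_password)
    return outcome


# Constructed accounts on Computer1 (not from the thread).
COMPUTER1 = {
    "jim": LocalAccount("correct horse battery"),
    "olduser": LocalAccount("retired", disabled=True),
}
```

With Guest disabled on Computer1, a user named `jim` on the other computer with the same password connects as jim; any other name is prompted and, if the prompt is answered with jim's credentials, connects as jim, which is the mechanism the poster needs to limit the share to one specific user.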

  • How can I move the folder of my users on a different Partition?

    Hi, I recently bought Windows 7 for my PC.

    I want to know how to move my complete Users folder (C:\Users) to my D drive partition, making it D:\Users, and then remove the Users folder from the C drive, so that all my files and user data are stored on my D drive partition, since my C drive is for the OS and drivers only. Now, I know that you can move the folders inside your own user folder by right-clicking a folder and clicking the Location tab, but this option is not available on the Users folder itself. If it is not possible to move the whole Users folder, I would at least like a solution where I can move my own folder (C:\Users\Jord) to the D drive instead.

    Thanks in advance

    -Jordan

    I have answered this question at least three times in the last few days/weeks. Please visit the following links. Some are about the C:\Users folder (user folders in general) while others refer to the same concept but for different folders. I hope this helps.

    Link 1: http://social.answers.microsoft.com/Forums/en-US/w7files/thread/8d15f660-293a-48cc-bfc3-f978ad59d67e
    Link 2: http://social.answers.microsoft.com/Forums/en-US/w7files/thread/924138a5-bdb2-4ab4-870b-57b3a8b8ff44
    Link 3: http://social.answers.microsoft.com/Forums/en-US/w7files/thread/bb84d104-d6d6-43c5-be62-b065ee4fa819
    Link 4: http://social.answers.microsoft.com/Forums/en-US/w7files/thread/6af0cf60-84f6-4e48-b0a1-2780a5fd7b7a

    If you find my answer was what you were looking for, please don't forget to click the "Propose as answer" link below.