ACS - ASA authorization and accounting

Hello

I have a few questions about authorization and accounting on the ASA via an ACS server.

  1. When I enable the command 'aaa authorization command' for SSH users, I get locked out of the console, and then I have to configure the console and telnet to be authenticated via TACACS+ too. Is it possible to authorize SSH via TACACS+ while keeping the console and telnet authenticated locally, or even with no authentication at all?
  2. I configured the command 'aaa accounting command TACACS' on the ASA, but I noticed that AAA records only configuration commands at privilege 15, not show commands or privilege 1 commands. Is it possible to fix this?
  3. Does RADIUS support shell authorization?

Thank you for your support

1.] Unfortunately, it is currently not possible on the ASA to exclude command authorization for serial/console or SSH users while having it apply to the other access methods. Once you run this command, it applies to all methods: SSH, telnet, HTTP, enable and console. This can easily be achieved on IOS (routers and switches) by creating method lists.

2.] When you configure the aaa accounting command, every command other than show commands entered by an administrator is recorded and sent to the accounting server(s). This is the default behavior on the ASA. IOS does send show commands to ACS/TACACS+.

http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

Kind regards

Jousset
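An added configuration example, not from the original thread, contrasting the two platforms the answer describes: on IOS, named method lists keep the console local while SSH goes to TACACS+, whereas the ASA's aaa commands are global. The server name, the 192.0.2.10 address and the shared secret are placeholders.

```text
! ===== IOS (router/switch): named method lists, bound per line =====
aaa new-model
tacacs server ACS1
 address ipv4 192.0.2.10                 ! placeholder ACS address
 key PLACEHOLDER-SHARED-SECRET           ! placeholder secret
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Remote admins: TACACS+ first, local fallback if ACS is unreachable
aaa authentication login REMOTE-AUTH group ACS-GROUP local
aaa authorization exec REMOTE-EXEC group ACS-GROUP local
aaa authorization commands 15 REMOTE-CMDS group ACS-GROUP local
aaa accounting commands 15 REMOTE-ACCT start-stop group ACS-GROUP
! Console: local database only, no command authorization at all
aaa authentication login CONSOLE-AUTH local
!
line con 0
 login authentication CONSOLE-AUTH
line vty 0 4
 transport input ssh
 login authentication REMOTE-AUTH
 authorization exec REMOTE-EXEC
 authorization commands 15 REMOTE-CMDS
 accounting commands 15 REMOTE-ACCT
!
! ===== ASA: one global policy, no per-line method lists =====
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
! Authenticate every access path you use BEFORE enabling command
! authorization; the serial console is what locked the poster out.
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL
! Applies to ssh, telnet, http, enable and serial sessions alike
aaa authorization command ACS LOCAL
! Records commands; show commands are excluded by default on the ASA
aaa accounting command ACS
```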


Tags: Cisco Security

Similar Questions

  • ACS, Service access and authorization

    I'm on ACS 5.2 and I'm trying to set up 3 new SSIDs, 2 of which are unsecured and 1 which is secure.  I'm trying to understand the best way to authorize them based on which network they come in from.  All authentication requests come from the same devices, wireless LAN controllers, so NDG cannot be used as a criterion.  I was looking at either creating 3 Access Services and using selection rules, or creating 1 Access Service and using authorization to choose.  However, I can't find an attribute to use for determining which network they came from.

    Does anyone have a suggestion for the best way to do it?  I have

    Go to Policy Elements -> Network Conditions -> End Station Filters and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (i.e., match whatever is before the SSID name, then match the SSID). For example, if the SSID is called lab, then you must enter *lab.

    Then go to Access Policies -> Service Selection Policy and create a service selection rule that has the End Station Filter as a criterion.

  • Specific shell - ACS command authorization / TACACS+ on 2900XL

    Hello all-

    I've been struggling with a particular issue here. I am running ACS 3.2 and trying to implement secure access to my switch. I have 'students' at my University I want to let run specific functions, i.e. change the port VLAN and write memory, etc.

    I created the authorization piece successfully, and my test account can connect. I have also successfully assigned a privilege level of 7, which gives me a base set of default rights. Accounting works too, showing logins and commands coming in.

    What I want to do is use ACS to allow a particular group of commands, so I can change them if needed in one place (ACS) and not touch 400+ devices. ACS says this can be done, but it doesn't seem to work. I created a Shell Command group and specified commands, no luck. Even if I change the 'unmatched commands' radio button to 'permit' (which should allow all commands, right?) it still does not allow all commands. I added the Shell Command group to the group of which the students are members...

    My AAA commands are as follows:

        aaa new-model
        aaa authentication login default group tacacs+ local
        aaa authorization exec default group tacacs+ local
        aaa authorization commands 7 default group tacacs+
        aaa accounting exec default start-stop group tacacs+
        aaa accounting commands 7 default start-stop group tacacs+
        aaa accounting commands 15 default start-stop group tacacs+
        aaa accounting system default start-stop group tacacs+

    Any ideas? Any thoughts?

    Thank you!

    Michael

    QU.edu

    Michael,

    You are performing command authorization for commands that exist at privilege level 7. By default, configuration commands have privilege level 15. There are two ways you can go about solving this problem. The first would be to set up authorization for level 15 commands. The second would be to change the privilege level of the commands that you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows the use of the technique locally within the device. http://www.Cisco.com/warp/public/480/Priv.html

    I don't know if ACS can push the configuration to the device on a per-user basis, so the first option may be your best bet. Be sure to permit access to all commands for yourself.

    Steve
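An added IOS example, not from the thread, of Steve's second option: moving the few commands the students need from level 15 down to 7 so that level-7 command authorization covers them, followed by the level-15 variant of his first option. The chosen commands are illustrative.

```text
! Option 2: move the students' commands from level 15 down to level 7.
! Each parent mode must be lowered as well, or the sub-commands stay
! unreachable (no "switchport" without "interface" and "configure
! terminal" first).
privilege exec level 7 configure terminal
privilege exec level 7 write memory
privilege configure level 7 interface
privilege interface level 7 switchport access vlan
privilege interface level 7 switchport
!
! Level-7 command authorization and accounting now see these commands,
! and the shell command set in ACS decides which of them are permitted.
aaa authorization commands 7 default group tacacs+ local
aaa accounting commands 7 default start-stop group tacacs+
!
! Option 1 instead: leave the privilege levels alone and authorize
! level 15 too. The students' shell profile then needs priv-lvl 15 so
! the configuration commands exist for them, and ACS alone filters
! what they may run. The admin group's command set must permit
! unmatched commands, or the admins lock themselves out of config mode.
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
```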

  • My outlook express won't let emails through. I am getting an authorization and then an error will appear.

    Outlook express won't come through

    My Outlook Express won't let emails through. I am getting an authorization prompt and then an error appears. Sometimes it says it is receiving messages, but none come through.  A box appears and says that the connection was terminated, maybe because of the connection to the server, a long period of inactivity or the network connection. Also, I get a message about an item that was already completely removed several times from the Inbox and Deleted Items folders. I have no idea how to solve this problem or what I did to cause it. I've never experienced this before.

    You probably have widespread corruption of the dbx files. Try a new identity.

    File | Identities | Add New Identity. Create a new one and try it. If all goes well, you can import your messages and address book from the old identity and then delete it.

    Note: Do not use the word Main in the name of the new identity.

    In addition, follow these guidelines to help avoid this in the future.

    Do not archive mail in the Inbox or Sent Items folder. Create your own user-defined folders and move the messages you want to keep into them. Empty the Deleted Items folder daily. Although the dbx files have a theoretical capacity of 2 GB, I recommend a 300 MB max for all of them for less risk of corruption.

    Information on the maximum size of the .dbx files that are used by Outlook Express:
    http://support.Microsoft.com/?kbid=903095

    After you're done, follow up by compacting your folders manually while working *offline*, and do it often.

    Click Outlook Express at the top of the folder tree so no folders are open. Then: File | Work Offline (or double-click Work Online in the status bar). File | Folder | Compact All Folders. Don't touch anything until the compacting is completed.

    Disable e-mail scanning in your anti-virus program. It is a redundant layer of protection that devours CPU and causes a multitude of problems such as time-outs and account setting changes. Your up-to-date A/V program will continue to protect you sufficiently. For more information, see:
    http://www.oehelp.com/OETips.aspx#3

    And backup often.

    Outlook Express Quick Backup (OEQB Freeware)
    http://www.oehelp.com/OEBackup/default.aspx

  • Log each ASA connection and router

    Hello

    I have a Cisco ASA 5520 and a Cisco 3825 router in my network. I want to log every connection to these devices. There are a few users who have different levels of access to these devices in the n/w. I would like to log all these users and what they actually change and implement on the devices. Is this possible using a RADIUS server or any other method, please? I also have read/write access to these devices. Thank you very much

    You can do that too.

    You can use auth-proxy (router) / cut-through proxy (ASA) to have the user authenticate for their connections and do AAA accounting. But I don't think you need to do this for all connections, only for those that require user intervention.

    Let us know if that answers the question.

    PK

  • ACS 3.1 user account disabled when failed attempts exceeded:

    I looked through the documentation on ACS 3.1 and can't seem to find the default number of failed password attempts. What I want to know is if there is a time limit for how long between failed password attempts before the counter is reset. Does ACS keep an infinite running count, so that after the set number of failed attempts the account locks whether there were 2 minutes or 2 weeks between failed attempts, or is there some time after which the failed attempts are discarded?

    Thanks in advance.

    There is no time window associated with it. If the user enters an incorrect password 5 times in a row (by default) over any period of time, the account is disabled.

    ACS maintains a counter of the current number of login failures for each account in its database, and resets it to 0 if there is a successful login. Theoretically, you can log in incorrectly 4 times, wait a year, and as long as your database is still intact, log in again with an invalid password and the account will be disabled.

  • ASA 5545 and Anyconnect Licenses

    Currently, we use several Cisco ASA 5545 devices.  Initially, we learned that we were automatically licensed to use the AnyConnect Secure Mobility client with our ASA devices.   With recent security issues, we are trying to move to a solution that supports TLS 1.2, and it seems that AnyConnect Secure Mobility Client 4.0 will do exactly that.   My question is, does the automatic license supplied with the ASA 5545 unit include AnyConnect Client 4.0?   After an exhaustive search, I am still unable to find this information.   Also, is there an official document detailing exactly which licenses are part of the 5545 device, with respect to other Cisco software solutions?

    Thank you

    David

    All* ASAs include two AnyConnect Premium licenses "free." This is designed primarily for evaluation, as most businesses need more than two simultaneous remote access users. However, if that's all you need, it is free and fully functional. It was designed around the AnyConnect Secure Mobility Client 3.x and earlier offering.

    From 4.0, there is a new licensing model for AnyConnect. It is explained in the AnyConnect Ordering Guide. While it is not currently enforced by technical means, use of AnyConnect 4.0 requires having a license to do so.

    For some additional supporting documents as you initially requested, see also the "Feature Licenses" section of the ASA Configuration Guide.

    *Some models do not support remote access VPN and either do not have the feature available or cannot use the license, for example the ASA 1000v and an ASA running in multiple context mode.

  • ACS 5.4 and Juniper J-Web

    Hello

    I have set up an ACS 5.4 box and am testing devices against it.

    Cisco and Juniper both work well with TACACS+.

    I can connect to both using SSH or Telnet, but my problem is the Juniper J-Web GUI.

    I can access J-Web with no problem using the root account.

    I can't seem to make it work, no matter what I try. Here is my shell profile from the AAA box.

    And the following is the Juniper configuration.  I tried to bind the local-user-name attribute to remote and remoteadmin with no luck. Anyone got any ideas how I can fix this problem? Or if it's even possible?

    version 9.6R1.13;
    system {
        host-name Juniper-firewall;
        authentication-order [ tacplus password ];
        root-authentication {
            encrypted-password "$1$ $1tRuy9o2 LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
        }
        tacplus-server {
            10.251.200.25 {
                secret "$9$ zaUL6/AtuOIRS5QF/CuEhws2"; ## SECRET-DATA
                timeout 10;
                single-connection;
            }
        }
        accounting {
            events [ login change-log interactive-commands ];
            destination {
                tacplus;
            }
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$ MNUZBLFW$ X2sJL/UTgRYcgBNV4RLe.0"; ## SECRET-DATA
                }
            }
            user remote {
                full-name "remote user";
                uid 2025;
                class operator;
            }
            user remoteadmin {
                full-name "Remote Admin";
                uid 2026;
                class super-user;
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                https {
                    system-generated-certificate;
                    interface fe-0/0/0.0;
                }
            }
        }
    }

    I worked on an almost identical issue today and the user confirmed that he is able to access J-Web with TACACS+ credentials. You can check the config here: https://supportforums.cisco.com/message/3953224#3953224

    From your config it seems that you have not defined/created login classes as he did:

    for example:

    login {
        class CLASS-RO {
            permissions [ view configuration ];
        }
        class CLASS-RW {
            permissions all;
        }
        user JUNOS-RO {
            uid 2000;
        }
    }

    Jatin kone

  • ACS 5 limited user account

    Hi, I have Cisco ACS 5.2 and want to create a technician user account that is allowed only some commands.

    How can I achieve this?

    Thank you

    Hello

    It is possible, of course.

    This document (part of it) shows command authorization on ACS 5.x:

    http://www.Cisco.com/en/us/products/ps9911/products_configuration_exampl...

    HTH

    Amjad
    Sent from Cisco Technical Support iPad App

  • The system, I cannot delete permission in the help section. I need to authorize another account. Help, please!


    The account whose authorization I want to delete has already reached the limit of installed PCs. I want to authorize another account.

    If for some reason you cannot deauthorize ADE, follow the steps below:

    Mac:

    1. Go -> Go to Folder.

    The Go to Folder dialog box will appear.

    2. Enter ~/Library/Application Support/Adobe/Digital Editions

    Drag the activation.dat file to the Trash.

    ADE is now deauthorized.

    Now authorize ADE again [Help -> Authorize Computer].

    Windows:

    Click Start > Run.

    In Open, type regedit in the text box and press ENTER. The Registry Editor opens.

    In the left pane of the Registry Editor, find the following registry key:

    HKEY_CURRENT_USER\Software\Adobe\Adept

    Right-click the key you found, and then choose Delete.

    In the dialog box confirming the key deletion, click OK.

    Your authorization is removed.

    ADE is now deauthorized.

    Now authorize ADE again [Help -> Authorize Computer].

  • My computer crashed and I restored my hard drive and recovered Thunderbird email; how do I restore my old emails (stored emails and accounts)?

    My computer crashed and I restored my hard drive and recovered Thunderbird email. How do I restore my old emails (stored emails and accounts)? I found 2 folders (one under Local and another under Roaming) which appear to contain my email stuff. How do I set up Thunderbird again to access my old emails/files? Also, I had three accounts/email configurations in my old email. Thank you!
    -Erwin

    Create a new profile and copy the old one over it. See this article for instructions.
    http://KB.mozillazine.org/Moving_your_profile_folder_-_Thunderbird#Create_a_new_profile_and_copy_the_old_one_over_it

    Your old profile is located under "roaming."
    For Thunderbird there is nothing that you need to restore from "local."

  • Missing Options and Account Settings under the Tools tab in the toolbar

    I installed Thunderbird 38.3.0 on Linux Mint 17.2, but for some reason I am missing the Options entry of the Tools menu in the toolbar and Account Settings. I uninstalled and reinstalled Thunderbird and Firefox and also deleted my profile and add-ons. Note I have the Mint Search Enhancer module and Stylish both disabled in Firefox, and Message Menu disabled in Thunderbird, which I can't remove.

    When I reinstalled Firefox and Thunderbird, the Options entry of the Tools menu in the toolbar and the Account Settings menu are still missing. Can someone help me restore these toolbar features?

    Best regards

    Oobals,

    Look under Edit: Preferences and Account Settings.

    http://KB.mozillazine.org/Menu_differences_in_Windows,_Linux,_and_Mac

    You can right-click on an account and choose Settings, or you can click on an account, see its Account Central summary page and select its settings there too.

    And most are under the Application Menu button, the one that looks like a hamburger.

    To restore the missing toolbars and menus, <alt>+v, Toolbars, and tick the boxes. You must repeat this in each window, as applicable: Address Book, Write and Message reading window, if you use it.

  • Why do I have the calendar option to check/uncheck at two locations in System Prefs, iCloud and Internet Accounts?


    Why do I have 2 switches that control the same light fixture in my living room? It's the way it was designed.

  • LAN to Lan tunnel between ASA 5505 and 3030.

    I am unable to build a site-to-site VPN tunnel between an ASA 5505 and our Cisco 3030.  I tried all possible combinations except one that will work.  I am able to ping each peer from the other site.  Does someone have a working LAN-to-LAN tunnel config between a 5505 and a 3030?  Thank you

    Hello

    Please see this link for a working config:

    http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

    Kind regards

    Aditya


  • Removal of E-mails in handset and account

    Hi all

    I am able to delete emails on the handset programmatically but not on the account. Is it possible to delete messages on the handset and the account programmatically? I referred to this link too...

    http://supportforums.BlackBerry.com/T5/Java-development/how-to-delete-message-on-mailbox-and-Handhel...

    Can someone provide me with more details?

    Thanks in advance...

    It depends on the configuration of the user's email account.  To view this setting, open the mail application, choose Options from the menu, select Email Reconciliation and check the Delete On option for this e-mail account.
