ACS device groups question

Hello

I have installed ACS with a device group that covers a large number of devices on my network, and I apply rights to it as necessary.

But now I need to give a group of users access to a single device that is included in this group. I can't create a new device group to cover this single device, as the address overlaps. Is there a way to do this without having to split my existing device group into at least three groups?

Hello

This can be achieved by using ACS Network Access Restrictions (NARs).

With a NAR, you can permit or deny access per user/group based on device/NDG/NAF.

The following link can give you more details about it:

http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Note: If you do not see the NAR option, enable it under Interface Configuration.

~ Rohit

Tags: Cisco Security

Similar Questions

  • Router access for a specific ACS group

    I want to control access to all of our Cisco routers and switches with TACACS+. I have a Cisco ACS appliance that can be used for centralized management of the engineers' accounts. The ACS server, however, is also used to store our business users' VPN accounts.

    Can I restrict access to routers and switches to only the users in the engineers group on the ACS server?

    Hello

    If you use ACS 4.x, limiting access through Network Access Restrictions (NARs) could help you:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

    Let me know if this helps, or alternatively whether you use ACS 5 (in which case the scenario is a little different).

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Access level for a user per network device group

    Hello

    In ACS, is it possible to give a user read/write access when connecting to one network device group and read-only access when connecting to another network device group?

    Thanks in advance

    Hello

    You need to set up command authorization sets on a per-network-device-group basis.

    Assign a Shell Command Authorization Set on a per Network Device Group Basis: associates particular shell command authorization sets to be effective on particular NDGs.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029

    Kind regards

    ~ JG
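As an added illustration of JG's answer (not code from the thread or from Cisco), the following Python models how a per-NDG shell command authorization set assignment is evaluated: the user group is bound to a read/write set for the data-centre NDG and a read-only set for the branch NDG, and the set applied depends on which NDG the requesting device belongs to. The NDG names, command sets and argument regular expressions are constructed for the example; real ACS matches command arguments with its own pattern rules, so this is a model of the decision logic, not of the exact ACS syntax.

```python
"""Model of ACS 4.x shell command authorization sets assigned per NDG.

Constructed example (hypothetical names): user group "netops" is read/write
on the data-centre NDG and read-only on the branch NDG.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One command entry in a command authorization set."""
    command: str                                   # first word, e.g. "show"
    arg_rules: List[Tuple[str, str]] = field(default_factory=list)  # ("permit"|"deny", regex), in order
    permit_unmatched_args: bool = False            # the "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    """A shell command authorization set."""
    rules: Dict[str, CommandRule]
    permit_unmatched_commands: bool = False        # "Unmatched Commands: Permit" vs "Deny"


def evaluate(cmd_set: CommandSet, line: str) -> bool:
    """Return True if the command line is authorized by the set."""
    words = line.split()
    if not words:
        return False
    rule = cmd_set.rules.get(words[0].lower())
    if rule is None:
        return cmd_set.permit_unmatched_commands
    args = " ".join(words[1:])
    for action, pattern in rule.arg_rules:         # first matching argument rule wins
        if re.search(pattern, args):
            return action == "permit"
    return rule.permit_unmatched_args


def authorize_command(assignments: Dict[str, CommandSet], ndg: str, line: str) -> bool:
    """Per-NDG assignment: use the set bound to the device's NDG, else the default ("*")."""
    cmd_set = assignments.get(ndg, assignments.get("*"))
    if cmd_set is None:
        return False                               # no set assigned for this NDG: deny
    return evaluate(cmd_set, line)


# Constructed sets (hypothetical)
READ_ONLY = CommandSet(
    rules={
        "show": CommandRule("show", [("deny", r"^running-config\b"), ("permit", r".*")]),
        "ping": CommandRule("ping", [], permit_unmatched_args=True),
    },
    permit_unmatched_commands=False,
)
READ_WRITE = CommandSet(rules={}, permit_unmatched_commands=True)

# User group "netops": read/write on the data-centre NDG, read-only on branches,
# and nothing at all on NDGs that have no assignment.
NETOPS_ASSIGNMENTS = {
    "datacenter-ndg": READ_WRITE,
    "branch-ndg": READ_ONLY,
}

if __name__ == "__main__":
    for ndg in ("datacenter-ndg", "branch-ndg", "lab-ndg"):
        for cmd in ("show interfaces status", "show running-config", "configure terminal"):
            print(f"{ndg:15s} {cmd:25s} -> {authorize_command(NETOPS_ASSIGNMENTS, ndg, cmd)}")
```

The point to check in a real deployment is the last case: a device in an NDG with no assigned set should fall through to a deny, not to the default set, unless you deliberately configured a default.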

  • Web Jetadmin device-group-restricted security role does not work as expected

    Hi all

    I just configured HP Web Jetadmin 10.3 SR8 and am trying to implement a device-group-restricted security role, but it is not working as I hoped.

    I created a device group for a specific department within our organization. It is populated by a query, and I confirmed that the correct set of devices appears in the group.

    I created a security role called "Restricted Device Administrators". I set the restriction type to "Device groups" and ticked the "all permissions" box.

    I added a user, selecting my new "Restricted Device Administrators" role. I checked the "Restrict permissions to group" box and selected the group created earlier.

    When I log in to WJA with this user account, I expect to see only the devices in the device group. However, I am able to see all discovered devices.

    Am I misunderstanding how this is supposed to work? How do I give a user access to WJA and allow them to see only the devices in their department?

    Currently, Web Jetadmin (WJA) does not have a feature to limit which devices can be viewed, only which devices a user is able to manage.  Any user can see all devices, but can manage only those assigned to their role.  If they attempt to perform an action on a device outside their role, they will get a message saying that they do not have permission to perform this action.

    One thing to keep in mind is that any account that is a member of the local Windows Administrators group on the WJA server is automatically a member of the Administrators group in the WJA application.  This means that if a domain user account is a member of the local Windows Administrators group on the WJA server, the permissions of the WJA Administrators group will take precedence over any other restrictions that may have been placed on this user through other roles.  The same goes for any user who is a member of a domain group that is a member of the local Windows Administrators group on the WJA server.

    I hope this helps.

  • Restrict access for device groups in ACS 4.0 SE

    I have login restrictions configured on groups in Cisco ACS 4.0 SE.

    Here's what I want to achieve.

    There will be two user groups, SiteA and SiteB.

    I also created two network device groups, say NDG1 and NDG2.

    Now, users in SiteA need access to the devices associated with NDG1 and NDG2,

    but users in SiteB should be able to access only the devices associated with NDG2, and ACS should not authenticate them when they try to log on to any device associated with NDG1.

    With my current setup, the NDG2 user still gets a username prompt on NDG1 devices.

    Thanks in advance

    Narayan

    Hi Narayan,

    Please have a look at the following post:

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB?cmd=pass_through&location=outline@^[email protected]/0#selected_message

    Rgds,

    AK

  • Cisco ACS 5.2 with NX-OS (Nexus) devices - user questions

    Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX-OS devices.

    I created an account on ACS, let's call it User1, and gave it privilege 15. With User1, I am able to access all our IOS, IOS-XE, ASA and PIX devices with privilege 15.

    When I use the User1 account on our Nexus devices, I do NOT get privilege 15 access. As you probably know, Nexus devices have roles, predefined or custom. So I assumed User1 would get the "network-admin" role (priv 15, read/write) when logging in, but instead I got the 'vdc-operator' role (priv 1, read-only).

    Then I tried to tweak User1 and assign network-admin under Shell Profile > Custom Attributes. I logged in to the Nexus and, sure enough, got network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to log in with my username and password on these devices.

    Has anyone ever experienced this problem? Please help!

    Thank you

    neocec

    This is a common problem when you mix RBAC authorization policies with IOS devices: the AV pair that you created must be set to 'optional' instead of 'mandatory'. Please make this change and you will be able to access all your devices.

    Thank you

    Tarik
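To make Tarik's point concrete, here is an added example (not code from the thread or from Cisco) that parses TACACS+ authorization reply arguments the way the protocol defines them: an "=" separator marks an attribute mandatory and a "*" marks it optional, and a client that receives a mandatory attribute it does not understand must treat the authorization as failed, whereas it may ignore an unknown optional attribute. That is why shell:roles="network-admin" broke logins on IOS, ASA and PIX, which do not know shell:roles, while shell:roles*"network-admin" works everywhere. The sets of attributes each platform is assumed to recognise are illustrative, not an authoritative list; "recognised" here means the client does not reject the reply, not that it honours the value.

```python
"""TACACS+ authorization reply AV pairs: mandatory ("=") versus optional ("*")."""
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class AvPair(NamedTuple):
    name: str
    value: str
    mandatory: bool


# name, then a single "=" (mandatory) or "*" (optional), then the value
_AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pairs(args: Iterable[str]) -> List[AvPair]:
    """Split each "attr=value" / "attr*value" argument; "=" marks it mandatory."""
    pairs: List[AvPair] = []
    for raw in args:
        m = _AV_RE.match(raw)
        if not m:
            raise ValueError(f"malformed AV pair: {raw!r}")
        name, sep, value = m.groups()
        pairs.append(AvPair(name, value.strip('"'), sep == "="))
    return pairs


def client_accepts(reply_args: Iterable[str], understood: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Client-side rule from the TACACS+ specification (RFC 8907, section 8.2):
    an unknown mandatory attribute fails the authorization; an unknown optional
    attribute is ignored. Returns (accepted, attributes the client applied)."""
    applied: Dict[str, str] = {}
    for pair in parse_av_pairs(reply_args):
        if pair.name in understood:
            applied[pair.name] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, applied


# Assumed attribute vocabularies (illustrative only)
IOS_SHELL_ATTRS = {"priv-lvl", "autocmd", "idletime", "timeout", "acl"}
NXOS_SHELL_ATTRS = {"priv-lvl", "shell:roles", "idletime", "timeout"}

# The two shell profiles from the thread, as the server would send them
MANDATORY_PROFILE = ["priv-lvl=15", 'shell:roles="network-admin"']   # breaks IOS/ASA/PIX logins
OPTIONAL_PROFILE = ["priv-lvl=15", 'shell:roles*"network-admin"']    # accepted by both families


def main() -> None:
    for label, profile in (("mandatory", MANDATORY_PROFILE), ("optional", OPTIONAL_PROFILE)):
        for platform, attrs in (("IOS", IOS_SHELL_ATTRS), ("NX-OS", NXOS_SHELL_ATTRS)):
            ok, applied = client_accepts(profile, attrs)
            print(f"{label:9s} profile on {platform:5s}: {'accepted' if ok else 'REJECTED'} {applied}")


if __name__ == "__main__":
    main()
```

The same rule applies in reverse when a Nexus-only profile is sent to a platform that does know the attribute: the optional form never costs anything on devices that honour shell:roles, so there is no reason to make it mandatory in a mixed estate.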

  • ACS 5.3 - change device group or location error

    I am trying to move a device from the default location to a subgroup and get the following message when I try (whether with IE or Firefox):

    This failure has occurred: Index: 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.

    It also gives me the same error if I try to move a device from the default device type to a subgroup. I'm not sure whether I could do this before. The ACS build is (VMware install):

    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386

    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    HostName: ACS1

    Version information for the installed applications
    ---------------------------------------------

    Cisco ACS VERSION INFORMATION
    -----------------------------
    Version: 5.3.0.40
    The identifier for the internal version: B.839

    I suspect a database read/write problem or database corruption. Can someone enlighten me on how to fix it, please?

    I stopped and started the ACS application via the console, and the application status has this to say:

    ACS1/admin# show application status acs

    ACS role: PRIMARY

    Process 'database'           running
    Process 'management'         running
    Process 'runtime'            running
    Process 'view-database'      running
    Process 'view-jobmanager'    running
    Process 'view-alertmanager'  running
    Process 'view-collector'     running
    Process 'view-logprocessor'  running

    Mel

    Does this happen to a small number of network devices or to all of them?

    If the former, then I found the following CDETS bug:

    CSCtw59271    Random network device corruption after upgrade of ACS 5.2 to 5.3

    which includes the following workarounds:

    Symptom 1: Remove and re-add the AAA client.

    Symptom 2: Change the TACACS+ shared secret of the network device: enter the same key again and save the network device.

    > Use when TACACS+ is in use.

    There are a few important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While they did not bear on NDGs, I recommend not installing this patch.

  • Controlling access to network devices with ACS

    Hi all!

    I currently have a Cisco Secure ACS appliance in place, using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users in the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router, for out-of-band access to a firewall, and have no other access to any network device. How can I limit the Cisco Secure ITD Security group's access to line 53 only?

    My current config on this router is:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    aaa authentication login ITDSEC group tacacs+ line
    tacacs-server host 10.30.X.X
    tacacs-server host 10.18.X.X
    tacacs-server key XXXXXXX
    !
    line 53
     no exec
     login authentication ITDSEC
     transport input all
     stopbits 1
     speed 115200
    !
    line vty 0 4
     exec-timeout 30 0
     timeout login response 120
     login authentication netadmins

    but users in ITD Security can still log in via vty and then reverse-telnet to any async line on the router. In addition, ITD Security can still access any switch or router using telnet: what should my configuration be on these devices? Or do I need an ACS configuration?

    All other devices:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    tacacs-server host 10.30.X.X
    tacacs-server host 10.18.X.X
    tacacs-server key XXXXXXX
    !
    line con 0
     password 7 141C015C5806
     login authentication netadmins
    !
    line vty 0 4
     password 7 11020A524310
     login authentication netadmins
    !
    line vty 5 15
     password 7 11020A524310
     login authentication netadmins

    Any help will be greatly appreciated.

    Hello

    In the security group, I would create an IP-based Network Access Restriction with a permit entry, essentially allowing access to the single port on the 2611 only.

    The AAA Client field is the name that you gave the 2611 in Network Configuration. Address will be * unless you want to restrict access by source IP address. Port... I'm never quite sure with async whether the port value should be "async 53" or "line 53".

    If you look in the Passed/Failed Attempts log at the nas-port attribute, you'll see what T+ sends to ACS. This should help you know what to put in the NAR.

    Mounira

  • Device grouping by IP subnet

    Hello

    We are using ACS for TACACS+ authentication.

    We have two networks in two administrative domains, with IP addresses 172.16.0.0/25 and 172.16.128.0/25.

    I want to configure the authentication policy so that the administrator of one domain will not be able to access the other domain's devices.

    In the ACS device group configuration, there is an option to include a network IP address with a wildcard mask.

    But how do we specify a single IP network in the form 172.16.0.0/25 or 172.16.128.0/25?

    Kind regards

    Salome.

    You will need to set up two device groups. I recommend you set up a single NAS in each group using multi-NAS addressing.

    The first NAS should have the following IP address: 172.16.0.1-127

    The second NAS should have the following IP address: 172.16.0.129-255

    Once these are configured, you can use Network Access Restrictions to limit access to different users or groups.

    Jeff
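The overlap that stopped the first poster from defining a second device group over one device, and the octet-range notation Jeff uses for multi-NAS addressing, both come down to how ACS 4.x AAA-client address specs are read: each octet field is a number, an asterisk, or a range such as 1-126, and, as the first question shows, ACS will not accept a new AAA client whose address space intersects an existing entry. The following Python is an added example, not ACS code, that parses that notation and reports overlaps. The client names and addresses are constructed; the two /25 entries are written with host ranges 1-126 so that each covers exactly the usable hosts of 172.16.0.0/25 and 172.16.128.0/25.

```python
"""Parse ACS 4.x AAA-client address specs ("*" octets and octet ranges) and
report overlaps between entries. Constructed example; names are hypothetical."""
import re
from typing import Dict, List, Set, Tuple

Octet = Set[int]
AddrSpec = Tuple[Octet, Octet, Octet, Octet]

_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def parse_octet(token: str) -> Octet:
    """One octet field: a number, "*" (any value) or a range such as "1-126"."""
    token = token.strip()
    if token == "*":
        return set(range(256))
    m = _OCTET_RE.match(token)
    if not m:
        raise ValueError(f"bad octet field {token!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds or reversed: {token!r}")
    return set(range(lo, hi + 1))


def parse_spec(spec: str) -> AddrSpec:
    """Dotted spec with four octet fields, e.g. "172.16.*.*" or "172.16.0.1-126"."""
    fields = spec.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields in {spec!r}")
    o1, o2, o3, o4 = (parse_octet(f) for f in fields)
    return o1, o2, o3, o4


def specs_overlap(a: AddrSpec, b: AddrSpec) -> bool:
    """Two specs share an address exactly when every octet position intersects."""
    return all(x & y for x, y in zip(a, b))


def covers(spec: AddrSpec, ip: str) -> bool:
    """True if a single dotted-quad address falls inside the spec."""
    return all(int(o) in s for o, s in zip(ip.split("."), spec))


def find_conflicts(existing: Dict[str, str], new_spec: str) -> List[str]:
    """Names of existing AAA clients whose address space intersects new_spec."""
    new = parse_spec(new_spec)
    return [name for name, spec in existing.items() if specs_overlap(parse_spec(spec), new)]


# Constructed AAA-client table: one wide entry (the large group from the first
# question) and one unrelated range.
AAA_CLIENTS = {
    "campus-switches": "172.16.*.*",
    "dmz-firewalls": "10.1.1.1-20",
}

# The two /25 networks from the question above, as host ranges that do not overlap.
DOMAIN_A = "172.16.0.1-126"
DOMAIN_B = "172.16.128.1-126"

if __name__ == "__main__":
    print(find_conflicts(AAA_CLIENTS, "172.16.0.10"))     # ['campus-switches']
    print(specs_overlap(parse_spec(DOMAIN_A), parse_spec(DOMAIN_B)))   # False
```

Running the check before touching the ACS GUI tells you whether a proposed single-device entry can exist alongside the wide one; when it cannot, the per-group NAR keyed on the existing AAA-client name is the way to single that device out without re-addressing the group.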

  • ACS user groups

    I have a problem.

    We have two groups created in ACS, group 1: TACACS Access and group 2: RADIUS Access. Group 1 has the users who were created on the ACS server itself. The second group is dynamic, for users who are granted access through User Manager for Domains. We do not want the second group to be able to access our routers and switches with their Microsoft accounts; they currently can, at least as far as the enable prompt. I would like to have two groups completely independent of each other. Our group 1 is used only for our administrators to have access to all of our network devices.

    I'm sure some type of filtering or IP address grouping could be implemented on ACS, but I'm not sure where, if that is the case.

    Can someone please help!

    Thank you!

    Matt

    You must set up Network Access Restrictions (NARs) to restrict group 2 from being able to access the routers/switches.

    Make sure Group-Level Network Access Restrictions is checked under Interface Configuration - Advanced Options. Then go to Group 2, NAR section, check the "Define IP-based access restrictions" box, set Table Defines to 'Denied Calling/Point of Access Locations', and then select each of the routers/switches, using * for the Port and Address, and add them to the table.

    Anyone in Group 2 will then be refused authentication on any of the routers/switches.
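The NAR mechanism that runs through this thread and the earlier ones on this page (the first question's single device inside a large NDG, Fede's engineers-only router access, Mounira's async-line-only permit entry, and the Denied Calling/Point of Access Locations table above) can be exercised against sample requests with the following Python model. It is an added example, not ACS code: the device, NDG and group names are hypothetical, the port string "tty53" is an assumption to be confirmed from the Passed/Failed Attempts log, and a group with no NAR is treated as unrestricted.

```python
"""Model of ACS 4.x IP-based Network Access Restrictions (NARs).

Each entry is (AAA client or NDG name, port, address) with "*" wildcards.
A "permit" table allows a request only if some entry matches; a "deny"
table allows everything except matching requests. Constructed example with
hypothetical device, NDG and group names."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    aaa_client: str   # AAA client name, an NDG name, or "*" for all AAA clients
    port: str         # NAS port as the device reports it (nas-port in the log); "*" = any
    address: str      # calling/originating address; "*" = any


@dataclass
class Nar:
    mode: str         # "permit" (Permitted Calling/Point of Access Locations) or "deny"
    entries: List[Entry]


@dataclass(frozen=True)
class Request:
    aaa_client: str   # which device sent the TACACS+ request
    ndg: str          # the NDG that device belongs to
    port: str         # e.g. "tty53" or "vty0"
    address: str      # remote address of the user, "" if none


def entry_matches(e: Entry, r: Request) -> bool:
    """The AAA Client field matches the device itself or the NDG it sits in;
    port and address are glob patterns, so "*" matches anything, including ""."""
    client_ok = e.aaa_client == "*" or e.aaa_client in (r.aaa_client, r.ndg)
    return (client_ok
            and fnmatch.fnmatchcase(r.port, e.port)
            and fnmatch.fnmatchcase(r.address, e.address))


def nar_allows(nar: Optional[Nar], r: Request) -> bool:
    """No NAR on the group means no restriction."""
    if nar is None:
        return True
    hit = any(entry_matches(e, r) for e in nar.entries)
    return hit if nar.mode == "permit" else not hit


def authorize(group_nars: Dict[str, Optional[Nar]], group: str, r: Request) -> bool:
    return nar_allows(group_nars.get(group), r)


GROUP_NARS: Dict[str, Optional[Nar]] = {
    # Mounira's case: ITD Security may reach only async line 53 on the 2611.
    # "tty53" is assumed; confirm the real nas-port value from the ACS log.
    "ITDSEC": Nar("permit", [Entry("fw-console-2611", "tty53", "*")]),
    # The answer above: group 2 is denied on each router/switch, Port and Address "*".
    "RadiusAccess": Nar("deny", [Entry("core-sw-1", "*", "*"), Entry("edge-rtr-1", "*", "*")]),
    # The first question: permit one device that also belongs to the large NDG.
    # The match is on the AAA-client name, so the NDG need not be split.
    "LabOnly": Nar("permit", [Entry("lab-rtr-7", "*", "*")]),
    # Fede's case: engineers may reach everything in the router/switch NDG.
    "Engineers": Nar("permit", [Entry("campus-ndg", "*", "*")]),
    "Netadmins": None,
}

if __name__ == "__main__":
    samples = [
        ("ITDSEC", Request("fw-console-2611", "campus-ndg", "tty53", "10.9.9.9")),
        ("ITDSEC", Request("fw-console-2611", "campus-ndg", "vty0", "10.9.9.9")),
        ("RadiusAccess", Request("core-sw-1", "campus-ndg", "vty1", "10.9.9.9")),
        ("RadiusAccess", Request("asa-vpn-1", "vpn-ndg", "", "203.0.113.5")),
        ("LabOnly", Request("core-sw-1", "campus-ndg", "vty0", "10.9.9.9")),
    ]
    for group, req in samples:
        print(f"{group:13s} {req.aaa_client:16s} {req.port:6s} -> {authorize(GROUP_NARS, group, req)}")
```

Note the second ITDSEC sample: the permit entry is port-specific, so the same users are refused on the 2611's vty lines, which is what closes the reverse-telnet path the poster in the earlier thread was worried about. A deny table, by contrast, only ever takes access away, so a group that must keep VPN access while losing device access is the case for "deny".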

  • I can't send/receive pictures or group messages with non-Apple devices

    I have never been able to send photos to non-Apple devices. I cannot send or receive group messages that include non-Apple devices. This has happened for years on every iPhone I've ever had. I tried all the suggestions on this site. Any ideas?

    Contact your carrier. SMS/MMS is a carrier function, which is what you use when sending to non-iOS devices. You must have a texting plan, and one that includes MMS, to send pictures.

  • Custom device FIFO questions

    Another question on the custom device.

    Suppose there are 200 output channels, but every 100 ms only 40 of them are updated by the driver.

    Is it possible to write only those 40 channels' data to the device's output FIFO at a time?

    What is the RT FIFO write speed when writing 200 channels of data at once?

    Thank you.

    If your custom device is an inline custom device, you update only the channels you need on each iteration.

    In the case of an asynchronous (parallel) custom device, you are forced to always write the whole channel stack regardless of which values changed. (If none of the values has changed, it's fine not to call the Write FIFO function.)

    FIFO writing does not cause much overhead.

    You can easily benchmark that yourself as well.

    Tom

  • No boot device & more questions

    Hi all

    I need some advice; my laptop directed me to this website for help. So here's my question.

    I have windows 7 Home Edition (HP pavilion dv5 Notebook PC)

    OK, I know that my computer was working, but I had my laptop on with my cell phone hooked up on "charge only"; the computer died, and I forgot to unplug my cell phone (the phone, fortunately, is fine). I do a lot of syncing with my USB cable from my cell phone to my phone/SD, mainly for music and making MP3 ringtones, and sometimes to charge the phone. Well, as I noted above, the computer shut down because the battery was dead. I turned it on, and since I forgot to unplug my phone it at least tried to start, but, in my confused terms, my computer treated my phone as a smartphone device. OK, so I turned off my PC with the switch because it said "No boot device - insert boot disk and press any key"; well, I decided to see if hitting any key would help, and my laptop kindly repeated the quote above. *sigh*

    So here are my steps that I tried to correct the problem:

    I hit Ctrl+Alt+Delete and it restarted; I hit Esc a couple of times, which brought up the

    Start menu

    F1 system information
    F2 System Diagnostics
    F9 boot device
    F10 BIOS Setup
    F11 system

    ENTER - continue starting

    For more information, please visit: www.HP.com \go\techcenter\startup

    (Which is where I am now, but anyway, I will continue.)

    Then I hit F2 while on this screen to display System Diagnostics; I hit F2 again to run the Start-up Test, and the results are: 100% of system memory tested OK. Memory test passed; (in yellow) there is no hard drive. OK, everything is good, but what about my hard drive? So I hit ESC to continue. I'm back at System Diagnostics, but at the top in red it says: 'Start-up Test' Failed; 'Boot device not found' (03F0).

    Now, I'm a little frustrated!

    Then I hit F3 Run-in Test, and the results are: (in yellow) memory test passed and hard drive not found. Then I hit ESC again to continue to System Diagnostics. Once again the top in red says 'Run-in Test' Failed and 'Boot device not found' (03F0).

    Then I hit F4 Hard Disk Test, and the results are: (in yellow) hard disk does not exist. Once again I hit ESC to continue to System Diagnostics. And at the top in red: 'Hard Disk Test' Failed and 'Boot device not found' (03F0).

    Overall, the memory on this laptop is fine, per the Start-up Test and Run-in Test in System Diagnostics.

    So I hit F11 Error Log and it displays a log with results and times; I get 03F0 about 14 times, then under that about 6 times it displays - No Data -. Once again I hit ESC to continue, and ESC to exit System Diagnostics.

    Which brings me back to the screen with: No boot device - insert boot disk and press any key.

    Once again, I Ctrl+Alt+Del and press ESC twice. Back to the Start Menu. Press F1 System Information; looked through it. Press ESC to continue to the Start Menu. I hit F9 Boot Device Options. In the Boot Manager screen, it gives me only a single item under Boot Menu Option: Internal DVD-ROM drive (press ENTER to continue). Well, hitting Enter takes you back to the No bootable device screen; then Ctrl+Alt+Delete once more and press ESC twice.

    Back to the Start Menu once more. This time I hit F10 BIOS Setup: InsydeH20 Setup Utility. Now, it provides information under Main. If anyone needs to know, I would gladly go into detail. Next (left arrow) Security: this area is fine. Diagnostics: Primary Hard Disk Self Test - a blue box appeared to remind me that the hard drive does not exist; clicked OK. Went ahead and did the Memory Test: the submenu prompts Memory Test: Yes - memory test running... results: memory test passed; press Enter for OK. Press the left arrow key to System Configuration: everything is enabled, but below it, under Boot Options, some options are disabled and some are enabled. The disabled features are HP QuickWeb, Floppy Boot and Internal Network Boot; the enabled feature is just CD-ROM Boot. Then below it says Boot Order (left alone, because the only option is Boot CD/DVD in this menu, as in the Start Menu). Press ESC to exit System Configuration. So I left it alone, as I just looked: it mostly looks like default settings anyway. So I left-arrowed over to Exit; scrolled to Exit Discarding Changes, as I didn't change anything, except running a test. But that test would not give me the ability to run a quick or full test on the drive (mine) (call it gone). Then I hit Enter on OK on Exit Discarding Changes. And back to the screen: no boot device.

    I'm not a happy camper; I'm not too good at this, but I'll let you know what I tried. I know that my hard drive works (fairly new) and I haven't had problems, but has my extended warranty expired? I don't know how long these things last; Wal-Mart gave me two years, the manufacturer gives you a year, so I don't know if it's only one year for both or if it's technically three; but the extension was through Wal-Mart's plan. I wonder, if it is not repairable, whether it needs to go back, because they fixed it some time ago, and now I don't know if I'm possibly covered. I mean, probably not, but I don't know. Anyway, back to what I was doing.

    Then Ctrl+Alt+Delete again, hit ESC twice more, back to the Start Menu. F11 System Recovery: pressing F11 took me back to the No bootable device screen, argh!

    When I restart my laptop with Ctrl+Alt+Delete, the HP logo appears (which is when I hit ESC the second time, because it goes pretty quickly and automatically takes me to the No bootable device page).

    Back to Ctrl+Alt+Delete, hit F9 Boot Manager and insert the Windows 7 System Recovery DVD (Recovery Media for Windows 7 products, disc 1 of 2) in my disc drive; or I can insert the disc and reboot that way. So yes, I have both recovery discs 1 and 2, and an Application and Driver Recovery CD.

    So after I insert the disc, I hit Enter on the internal CD/DVD-ROM drive and press Enter once it is in place.

    This is the beginning of the disc: Windows is loading files... (white bar); when it has finished it says Starting Windows with the logo; then a white background with BACK flashing in the background, as it seems to be loading; my caps lock flashes on and off during this process. After less than 20 seconds a box appears, with a yellow triangle with '!' in it on the left, and on the right it says: Application [Info] No HDD. So I click OK and it turns my laptop OFF completely. At this point, I turn it back on and let the disc run again, but I get the same results. The mouse pointer is displayed and usable as well.

    I even tried the Application and Driver Recovery CD, and it wouldn't even read it; restarting my PC with the CD in does not work! It takes me back to the terrible No boot device; even using F9 when restarting with Ctrl+Alt+Del I get the same results.

    Well, back in the day, if that happened or something easily fixable, I hit F8 SEVERAL times before startup, but it has no effect. I think maybe safe mode deleted a virus or something; I don't remember which OS, but honestly I think F8 was the one that responded after you turned it on.

    Here's my problem! I have the right recovery discs and all; I just don't know what happened to the HARD drive, etc. I know it happened when the laptop battery died and I accidentally shut it down while the phone was connected.

    Advice is NEEDED; I can't fix my PC, and usually I can fix it. But I am concerned by this error 03F0. So I apologize for the long post, and I was wondering if one of you computer experts could lend me a helping hand; I got the recovery discs directly from them.

    Thanks for listening and reading at the technical level; I hope a solution to the problem can be found. Ask me questions if necessary.

    Much appreciation,

    Katie

    Hi, Katie:

    Thanks for the detailed report.

    The key is that your laptop's hard disk has probably failed and should be replaced.

    Whether or not it is under warranty will be for you and HP/Wal-Mart to sort out.

    I would start with Wal-Mart if they gave you an extended warranty.

    It is difficult to say what caused the hard drive problem. The most likely cause is heat.

    It is also difficult to say how long a laptop hard drive should last, because it depends on how much you use the laptop, how long you use it at a time, and how much heat is generated.

    It is not unusual for a laptop hard drive to fail after a year or two under heavy use and high heat.

    Best regards

    Paul

  • Several downloadable ACLs per ACS user group

    Is it possible to map several downloadable ACLs to a single user or user group using ASA and ACS?

    For example, you have an ACL controlling access to servers (ACL A) and another ACL (ACL B) for internet access. Is it possible to assign several ACLs to a user group, such that user group A can only access the servers, while user group B can access servers and internet (ACL A + ACL B)?

    Thank you and best regards.

    George,

    The user and group settings only allow you to select a single DACL at a time.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#configuringtheserverwitfddhias

    Kind regards

    Jousset

    Rate helpful posts.

  • Outlook groups question (BlackBerry smartphones)

    I have two contact groups created in Outlook, one for my personal contacts and one that is the public address book. After my Bold synchronized with the BES, all my contacts appear in one group. If I go to the filter, I have the options Personal and Business. Is it possible to have the Outlook groups apply on the BlackBerry? I see that you can create groups on the device, but I don't want to go through all of the contacts and sort them.

    Create categories in Outlook and then synchronize with the device through BlackBerry Desktop Manager.
