Command authorization within ACS 5.1

I have set up a new ACS 5.1 unit and it seems to be working. I would like to be able to restrict access to the SHOW CDP NEIGHBOR DETAIL command to a specific group, while continuing to allow SHOW CDP NEIGHBORS.

I can permit or deny the SHOW CDP command, but I am unable to get more granular with command arguments.

Can anyone offer any suggestions?

Thanks for the help.

Paul Blake

This is my example which works very well

and the result

If it is possible
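Since the screenshots in the reply above did not survive, here is an added example of the idea (my code, not from the original thread and not Cisco's): an IOS device sends the command and each argument as separate TACACS+ AV pairs (cmd=show, cmd-arg=cdp, cmd-arg=neighbors, cmd-arg=detail, cmd-arg=<cr>), so a server-side rule table can carry a deny on the argument pattern "cdp neighbors detail" ahead of a permit on "cdp neighbors", and only a named group gets the detailed form. The rule table layout, the group names netops/helpdesk and the first-match evaluation are assumptions for illustration; the real ACS 5.x command-set precedence (Permit / Deny / Deny Always, and the "permit unmatched commands" checkbox) should be checked in the ACS 5.x user guide before relying on row order.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of an ordered command-authorization table (assumed layout)."""
    action: str           # "permit" or "deny"
    command: str          # first token of the command, e.g. "show"
    args_regex: str       # regex applied to the joined argument string
    groups: frozenset     # user groups the row applies to; empty = everybody


# Assumed group names: "netops" may run the detailed variant, everyone else only
# the summary. The deny row sits ABOVE the generic permit so that the more
# specific argument pattern is checked first.
RULES = [
    Rule("permit", "show", r"^cdp neighbors?( detail)?$", frozenset({"netops"})),
    Rule("deny",   "show", r"^cdp neighbors? detail$",     frozenset()),
    Rule("permit", "show", r"^cdp neighbors?$",            frozenset()),
]


def parse_tacacs_args(avpairs):
    """Rebuild (command, argument string) from the AV pairs an IOS device puts
    in a TACACS+ command-authorization request. The terminating cmd-arg=<cr>
    marks end of line and is not an argument."""
    cmd = None
    args = []
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if not sep:
            continue
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, " ".join(args)


def authorize(avpairs, user_groups, rules=RULES, default="deny"):
    """First matching row wins; if no row matches, fall back to `default`
    (deny, i.e. the equivalent of leaving 'permit unmatched commands' off)."""
    cmd, argstr = parse_tacacs_args(avpairs)
    members = set(user_groups)
    for rule in rules:
        if rule.groups and not (rule.groups & members):
            continue
        if rule.command == cmd and re.search(rule.args_regex, argstr):
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed requests, as an IOS router would send them for these commands.
    detail = ["cmd=show", "cmd-arg=cdp", "cmd-arg=neighbors", "cmd-arg=detail", "cmd-arg=<cr>"]
    summary = ["cmd=show", "cmd-arg=cdp", "cmd-arg=neighbors", "cmd-arg=<cr>"]
    for who in (["helpdesk"], ["netops"]):
        print(who, "detail ->", authorize(detail, who), "| summary ->", authorize(summary, who))
```

On the IOS side this only works if every command is actually sent for authorization, i.e. `aaa authorization commands <level> default group tacacs+ local` for each privilege level in use; IOS expands abbreviations before sending the request, so `sh cdp nei det` arrives as the full keywords and the patterns above are enough.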

Tags: Cisco Security

Similar Questions

  • "Navto" command within the overlay network does not not in Windows

    We have exactly the same problem as in this thread, only on Windows: "The "navto" command within a web overlay does not work on Android"

    There is some code in a web overlay which should "navto" another article if there is no interaction with the screen after a defined period of time.


    But unfortunately our test folio does not work on Windows. There is an error message saying that no application is defined for navto links. Shouldn't the Content Viewer for Windows catch these links?

    I have confirmed with our engineers that navto in the meta tag is not supported on Windows. It will work in an anchor tag, or via window.location in JavaScript, but not in the meta tag.

    Neil

  • "Navto" command within the overlay network does not not in Android

    We are building an Android app for the native Viewer. We placed some code within a web overlay which should "navto" another article if there is no interaction with the screen after a defined period of time.

    We used a piece of code, saved to an .html file, in an iPad app and it works great. We import the html file into a Web Content overlay box. However, the same code and process does not work on Android; we even created a test iPad folio (which worked on the iPad) and downloaded the same folio onto our Android device in the Content Viewer, and it did not work.

    Instead, what happens is that the box we placed our code in shows a "Web Page not available" message in the desired space after our timer ends.

    It seems that it cannot understand the navto URL. Instead, it treats it like an external web page, whereas the iPad understands it and redirects to the screen saver section.


    We use a Samsung Galaxy S Tab.

    We are expecting a response from Adobe Support on this, but our deadline is fast approaching, so any help would be welcome please.

    It's broken. We have a bug fix in progress, and it should be available Monday.

    Neil

  • Can't manually type the commands within a run block?

    11.2.0.3/Linux

    I was doing an RMAN restore to a new server.

    Here's the code I wanted to run for the restore:
    run
    {
      SET NEWNAME FOR DATABASE TO '/fnup/hwrc/oradata/spikey';
      restore database;
    }
    Because it's just 2 lines in a run block, I thought I'd type it manually. After typing the first line (SET NEW NAME..), which ends with a semicolon, I pressed ENTER to go to the following line, and then typed the RESTORE command. But I got the following error message.
    RMAN> run
    2> {
    3> set new name for database to '/fnup/hwrc/oradata/spikey';   ###### After typing the semicolon I pressed ENTER here
    
    RMAN-00571: ===========================================================
    RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
    RMAN-00571: ===========================================================
    RMAN-00558: error encountered while parsing input commands
    RMAN-01009: syntax error: found "new": expecting one of: "archivelog, autobackup, auxiliary, auxname, backup, command, compression, controlfile, database, dbid, decryption, echo, encryption, high, incarnation, maxcorrupt, maxseq, newname, nocfau, restore, snapshot, to restore point, until restore point, until"
    RMAN-01007: at line 3 column 5 file: standard input
    
    
    ------| Second Attempt |----------------------------------------------
    
    RMAN> run
    2> {
    3> set new name for database to '/fnup/hwrc/oradata/spikey'; ###### After typing the semicolon I pressed ENTER here
    
    RMAN-00571: ===========================================================
    RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
    RMAN-00571: ===========================================================
    RMAN-00558: error encountered while parsing input commands
    RMAN-01009: syntax error: found "new": expecting one of: "archivelog, autobackup, auxiliary, auxname, backup, command, compression, controlfile, database, dbid, decryption, echo, encryption, high, incarnation, maxcorrupt, maxseq, newname, nocfau, restore, snapshot, to restore point, until restore point, until"
    RMAN-01007: at line 3 column 5 file: standard input
    Finally, I had to put the 2 lines above into a script and run it using the cmdfile parameter. Can we only execute RMAN commands in a run block via a script?

    The value for NEWNAME should be entered inside the run block. In your case, you split the NEWNAME keyword into NEW NAME.

    set new name for database to '/fnup/hwrc/oradata/spikey';

    You must use the command below in the run block:

    set newname for database to '/fnup/hwrc/oradata/spikey';

  • Another LDAP authentication failure

    I'm trying to set up LDAP authentication for my ASA, as well as the AD Agent. Currently my authentication fails with the following debug output...

    [-2147483610] Session Start
    [-2147483610] New request Session, context 0xcc854d8c, reqType = Authentication
    [-2147483610] Fiber started
    [-2147483610] Creating LDAP context with uri=ldap://10.11.1.15:389
    [-2147483610] Connect to LDAP server: ldap://10.11.1.15:389, status = Successful
    [-2147483610] supportedLDAPVersion: value = 3
    [-2147483610] supportedLDAPVersion: value = 2
    [-2147483610] Binding as Sargent\
    [-2147483610] Performing Simple authentication for Sargent\ to 10.11.1.15
    [-2147483610] LDAP Search:
        Base DN = [DC=city,DC=charlottesville,DC=org]
        Filter  = [sAMAccount=sargentm]
        Scope   = [SUBTREE]
    [-2147483610] Search result parsing returned failure status
    [-2147483610] Fiber exit Tx=308 bytes Rx=677 bytes, status=-1
    [-2147483610] Session End

    ERROR: Authentication Rejected: Unspecified

    I can, however, run successful AD queries using the following command:

    show user-identity ad-users city.charlottesville.org filter sargentm

    Ideas?

    Replace the command listed below within the server parameters:

    ldap-naming-attribute sAMAccount

    With

    ldap-naming-attribute sAMAccountName

    Note: sAMAccountName must be configured correctly.

    Jatin kone

    - Do rate helpful posts -
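To show why the one-word fix above matters, here is an added example (my code, not the ASA's and not from the thread) of what the ASA does with ldap-naming-attribute: it builds the equality filter (attr=username) and binds the user whose entry comes back. With the attribute misspelled the filter is syntactically valid, matches nothing, and the debug above reports a failed search result rather than a configuration error. The directory below is a constructed in-memory stand-in for the real AD; the DNs in it are invented. The example also escapes the username per RFC 4515, which the page does not discuss, so that a value like x)(objectClass=* cannot change the filter's shape.

```python
import re

# Constructed stand-in for the AD forest; attribute names are matched
# case-insensitively, as AD does. DNs are invented for the example.
DIRECTORY = {
    "CN=sargentm,OU=Users,DC=city,DC=charlottesville,DC=org": {
        "sAMAccountName": "sargentm", "objectClass": "user"},
    "CN=svc-asa,OU=Service,DC=city,DC=charlottesville,DC=org": {
        "sAMAccountName": "svc-asa", "objectClass": "user"},
}


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value so that a username such as
    'x)(objectClass=*' cannot alter the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(naming_attribute, username):
    """What the ASA does with ldap-naming-attribute: (attr=escaped-username)."""
    return "(%s=%s)" % (naming_attribute, escape_filter_value(username))


def search(directory, ldap_filter):
    """Evaluate a single equality filter over the constructed directory and
    return the matching DNs. Only the '(attr=value)' form is supported here."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported or malformed filter: %r" % ldap_filter)
    attr, value = m.group(1).lower(), unescape_filter_value(m.group(2))
    return [dn for dn, attrs in directory.items()
            if any(k.lower() == attr and v == value for k, v in attrs.items())]


def lookup_user_dn(directory, naming_attribute, username):
    """Returns the user's DN, or None when the search yields no single entry,
    which is the point at which the ASA debug reports a failed search result."""
    hits = search(directory, build_filter(naming_attribute, username))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for attr in ("sAMAccount", "sAMAccountName"):
        print(attr, "->", lookup_user_dn(DIRECTORY, attr, "sargentm"))
```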

  • Updating a control in a cluster

    Hello

    How can I update a control within a cluster?

    I can only read it using Unbundle by Name. How can I write to one control?

    Thanks in advance.

    Kind regards

    F

    How can I update a control within a cluster?

    Something like this? [edit] (Create a Property Node / Value) [/edit]

  • ACS 3.3 AD authentication

    I need to get AD authentication working between an ACS in domain A and domain B. There is a trust between A and B. No, I'm not using an administrator account for ACS, but a user account. My Windows administrator tells me that NetBIOS is a sine qua non for this to work. NetBIOS is not used in domain B. Is this true, or is the admin account enough?

    Pat,

    You must run the ACS service account with special privileges such as "Act as part of the operating system", "Log on as a service" and "Log on as a batch job".

    It will not work using a user account.

    Kind regards

    ~ JG

  • View Agent Direct-Connection: black screen / client timeout - logs show authentication error - please help

    If anyone has experience with this, I would appreciate the help. I have tried everything I can find for three days, and it still does not work. I think I have a local authentication problem on the View Agent. The user is included in the Remote Desktop Users group and the View Agent Direct-Connection Users group. There are no errors in the event logs, but there are errors in the VDM logs. The suspect is the "'WIN7B\user' unauthorized (non-local admin) user" entry. I can't find a solution to this error. The firewall is disabled.

    Symptoms: Horizon View Client makes the initial connection logon sound, then black screen, then time-out. The user is logged on to the remote computer after the Horizon View connection fails, then part of the logon process completes.

    Log capture on the Agent computer:

    2015-12-11T14:21:16.102-06:00 DEBUG (04DC-0E10) <MessageFrameWorkDispatch> [MessageFrameWork] added worker MessageFrameWork, Name = PCoIPVChan-APP (3608), Description = PCoIPVChan, channel = 0000000003F0E960
    2015-12-11T14:21:16.102-06:00 DEBUG (0E18-0A3C) <2620> [TPAutoConnect] pcoip_vchan_plugin_app_init2(): ready on session 1
    2015-12-11T14:21:16.102-06:00 DEBUG (04DC-0C84) <MessageChannel ReceiveThread> [MessageFrameWork] 'WIN7B\user' unauthorized (non-local admin) user, queue=PCoIPVChan-SVR(1) type=MESSAGE_IPC
    2015-12-11T14:21:16.102-06:00 DEBUG (04DC-0C84) <MessageChannel ReceiveThread> [MessageFrameWork] 'WIN7B\user' unauthorized (non-local admin) user, queue=PCoIPVChan-SVR(1) type=MESSAGE_IPC
    2015-12-11T14:21:16.102-06:00 DEBUG (04DC-0C84) <MessageChannel ReceiveThread> [MessageFrameWork] 'WIN7B\user' unauthorized (non-local admin) user, queue=PCoIPVChan-SVR(1) type=MESSAGE_IPC
    2015-12-11T14:21:16.102-06:00 DEBUG (0E18-110C) <VChanConnectionMonitor> [TPAutoConnect] VChanConnectionMonitor(): failed to get PCoIP process ID (err=IPC_ERROR)
    2015-12-11T14:21:16.102-06:00 DEBUG (04DC-0C84) <MessageChannel ReceiveThread> [MessageFrameWork] 'WIN7B\user' unauthorized (non-local admin) user, queue=PCoIPVChan-SVR(1) type=MESSAGE_IPC

    What works:

    RDP via the Horizon View Client and Windows RDP client connections.

    Installed on the server:

    ESXi 6.0

    Windows 7 64-bit

    And the following VMware products:

    (screenshot attached)

    Installed on the client:

    Windows 8.1 desktop

    (screenshot attached)

    What I'm trying to demonstrate:

    (screenshot attached)

    Portscan on Agent computer:

    PORT      STATE SERVICE

    135/tcp open msrpc

    139/tcp open netbios-ssn

    443/tcp open https

    445/tcp open microsoft-ds

    554/tcp open rtsp

    2869/tcp open icslap

    3389/tcp open ms-wbt-server

    4000/tcp open remoteanything

    5357/tcp open wsdapi

    9427/tcp open unknown

    10243/tcp open unknown

    22443/tcp open unknown

    32111/tcp open unknown

    MAC address: 00:0C:29:92:C9:CF (VMware)

    The full debug log file is attached.

    It certainly works in other environments, so it must be something to do with your specific configuration.

    I know that in the beginning there was not enough video RAM configured, and that certainly causes a PCoIP black screen.

    2015-12-10T14:29:07.819-06:00 INFO (1074-041C) [wsnm_xmlapi] Video driver name = VMware SVGA 3D
    2015-12-10T14:29:07.819-06:00 INFO (1074-041C) [wsnm_xmlapi] Video driver version = 8.15.1.32
    2015-12-10T14:29:07.819-06:00 INFO (1074-041C) [wsnm_xmlapi] Video RAM = 8 MB

    It seems that this problem was corrected, because later we see:

    2015-12-10T14:56:55.626-06:00 INFO (04DC-09C4) [wsnm_xmlapi] Video RAM = 128 MB

    I also see that the host name changed:

    2015-12-10T15:03:27.050-06:00 WARN (04B0-0858) [wsnm_xmlapi] Default SSL server certificate is not for this host name. The name may have changed.

    VADC itself automatically corrects the server SSL certificate, but perhaps it is the other parts of the Agent that have the problems we see:

    2015-12-11T09:16:15.351-06:00 WARN (04EC-0CB4) [MessageFrameWork] authentication ticket error
    2015-12-11T09:16:15.351-06:00 WARN (04EC-0CB4) [MessageFrameWork] unable to accept connection, authentication failed

    This does not refer to the Horizon Client user's authentication (which succeeds). This authentication is internal to the messaging system.

    Given the previous problems with this setup, I can only suggest you uninstall VADC and the Agent, restart, and then reinstall the Agent and VADC. Don't change the video RAM or the host/computer name afterward.

    Let us know if that fixes it.

  • Run a remote command on a virtual machine

    I have a remote application that generates virtual machines on request. After each machine is generated and customized, I need to run a command line on that machine (all machines have a Windows OS installed) from the application itself.

    Is there a way to do it through the Java/vSphere API? (The machine is running.)

    Thank you

    The vSphere API does not provide the ability to execute commands within the guest OS, and the vSphere API is what the Java SDK (VMware Tech Preview of the Java SDK) and VI Java (Steve Jin's version) use.

    However, VMware has another API available for guest management called the VIX API. This API allows you to perform operations within the guest, transfer files to/from the host, etc. There is even an open source project similar to the VI Java API called the VIX Java Toolkit that you could look into - http://sourceforge.net/projects/vixjava/

    =========================================================================

    William Lam

    VMware vExpert 2009,2010

    VMware scripts and resources at: http://www.virtuallyghetto.com/

    Twitter: @lamw

    vGhetto script repository

    Introduction to the vMA (tips/tricks)

    Getting started with vSphere SDK for Perl

    VMware Code Central - Scripts/code samples for developers and administrators

    VMware developer community

    If you find this information useful, please give points to "correct" or "useful".

  • Production server has encountered a problem with authentication

    I am creating my first app using DPS App Builder. Every step has been done correctly, however creating the application gives the following error:

    "The production server has encountered a problem with authentication."

    Has anyone faced this before? How do I solve this problem? I can't find anything in the documentation.

    Sign in to the DPS dashboard, agree to the terms and conditions, and verify your email ID. This should solve the problem.

  • ASA 5505 - control Internet access per user

    Hi all

    I have a Cisco ASA 5505 connecting my LAN to the internet using NAT/PAT. I want to restrict access to the internet on ports 80 and 443 on a per-user basis.

    That is, allow access for management staff while limiting general staff.

    I understand how to do this at a per-device level by creating an access list to block certain IP addresses from the internet, but I would like to limit certain users.

    I guess they will have to authenticate to the ASA somehow.

    Pointers?

    TIA.

    You need to set up cut-through proxy on the ASA.

    Here is the configuration that we add on the ASA:

    access-list WEBAUTH permit tcp any any eq 80

    access-list WEBAUTH permit tcp any any eq 443

    aaa authentication match WEBAUTH inside <aaa-server-group>

    aaa authentication secure-http-client

    aaa authentication listener http inside port www redirect

    aaa authentication listener https inside port https redirect

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/fwaaa.html#wp1043431

    http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/a1_72.html#wp1437427

    Kind regards

    ~ JG

    Rate helpful posts

  • User in several Windows/ACS groups. Deny and permit

    I have several groups on ACS, each tied to a Windows AD group.

    I have a VPN concentrator and a wireless Lan controller.

    I use ACS to authenticate access to both, but I would like some VPN users to be wireless users too, not all of them.

    If I use a NAR to stop the "VPN users" group from accessing the WLC device, all users with VPN access lose wireless, even those who are in the wireless group.

    Is there any way to make this work?

    This is how it works.

    Let's say you have three different AD groups: NetworkAdmin, RouterAdmin and Wireless.

    Go to External User Databases > Database Group Mappings > Windows NT/2000 > select the domain you log in to > Add Mapping.

    Select the AD NetworkAdmin group and map it to CiscoSecure Group 1; select the AD RouterAdmin group and map it to CiscoSecure Group 2; select the AD Wireless group and map it to CiscoSecure Group 3.

    Group mappings work in the order in which they are defined: the first configured mapping is considered first, then the second, the third and so on. If a user is in the AD group NetworkAdmin, which is mapped to ACS Group 1, and that is the first configured mapping, it takes precedence over everything else (if a user is in the NetworkAdmin group, it is always mapped to CiscoSecure Group 1, NO further mappings are evaluated for this user, and the user is authenticated or rejected there).

    Scenario: if you have a user called cisco in the NetworkAdmin group, cisco1 in the RouterAdmin group and cisco2 in Wireless, they will always be dynamically mapped to ACS groups 1, 2 and 3 respectively, as per the mappings above.

    You can see in Passed Authentications which group users are mapped to.

    SCENARIO: now if you want a NetworkAdmin user to authenticate to the NetworkAdmin devices and not to the RouterAdmin or wireless devices, you should apply NARs to Group 1, because NetworkAdmin users land in this group. That will let you grant access on a group basis for a particular NetworkAdmin NDG or an individual NetworkAdmin NAS device.

    NOTE: if you are applying NARs for VPN or wireless devices, you must configure both IP-based AND CLI/DNIS-based NARs together, as NARs were originally designed for Cisco IOS routers and switches.

    IMPORTANT: if a user authenticates successfully against the AD database once, the user name is cached in the ACS database (NOT the password). The only way to remove a previously cached user name is to go to User Setup, find the user and remove it manually.

    ACS will not support the following configuration:

    * An Active Directory user who is a member of 3 AD groups (groups A, B and C).
    * The 3 groups are mapped within ACS as follows: A -> Group1, B -> Group2 and C -> Group3.
    * The user is in all 3 groups; however, they will always be authenticated via Group 1 because that is the first group they appear in, even if a NAR is configured for the group-specific AAA clients.

    However, it works if your mappings are in the order below:

    NT groups        ACS group
    A, B, C   ===>   Group 1
    A         ===>   Group 2
    B         ===>   Group 3
    C         ===>   Group 4

    You can create a DIFFERENT rule for users in A, B and C by configuring the NARs in Group 1. This rule applies to a user ONLY if they are present in ALL three groups (A, B and C).

    You can create a rule for users in Group A (Group 2).

    You can create a rule for users in Group B (Group 3).

    You can create a rule for users in Group C (Group 4).

    I am also attaching the link on group mapping in the user guide:

    Order of group mapping:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs33/user/QG.htm#wp940485

    Kind regards

    ~ JG

    Rate helpful posts
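The order dependence described in the answer above is easy to get wrong when the mapping table grows, so here is an added example (my code, not ACS's and not from the thread) that models the first-match rule: each mapping names the AD groups a user must ALL belong to, the first mapping whose groups are a subset of the user's membership wins, and nothing after it is consulted. It also includes a check the answer implies but does not state: any mapping placed after one that requires a subset of its groups can never be selected. The group and ACS-group names are the ones used in the answer; the first-match semantics are modelled from the answer, not taken from ACS code.

```python
def map_to_acs_group(user_ad_groups, mappings):
    """First-match semantics as described in the answer: `mappings` is an
    ordered list of (required AD groups, ACS group). The first entry whose
    required set is fully contained in the user's membership wins and nothing
    after it is consulted for that user."""
    member = set(user_ad_groups)
    for required, acs_group in mappings:
        if set(required) <= member:
            return acs_group
    return None  # no mapping matched; ACS would fall through to its default handling


def shadowed_mappings(mappings):
    """ACS groups that can never be selected because an earlier mapping
    requires a subset of their groups. A sanity check to run on the table
    before saving the order."""
    dead = []
    for i, (required, acs_group) in enumerate(mappings):
        wanted = set(required)
        if any(set(prev) <= wanted for prev, _ in mappings[:i]):
            dead.append(acs_group)
    return dead


# The unsupported order from the answer: a user in A, B and C always lands in
# Group 1 because the A mapping is checked first.
NAIVE = [(["A"], "Group 1"), (["B"], "Group 2"), (["C"], "Group 3")]

# The recommended order: the combined mapping is listed first so that it is
# reachable; the single-group mappings follow.
ORDERED = [(["A", "B", "C"], "Group 1"), (["A"], "Group 2"),
           (["B"], "Group 3"), (["C"], "Group 4")]


if __name__ == "__main__":
    for groups in (["A", "B", "C"], ["A"], ["B", "C"]):
        print(groups, "naive ->", map_to_acs_group(groups, NAIVE),
              "| ordered ->", map_to_acs_group(groups, ORDERED))
    print("unreachable in ORDERED:", shadowed_mappings(ORDERED))
```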

  • Cisco ACS 5.2 loses AD connectivity - is there a way to make it choose local?

    Hello

    I'm trying to configure ACS 5.2 so that when it loses connectivity to Active Directory it chooses local authentication, but I can't seem to make this work.

    Within ACS 5.2 > Access Policies > Access Services > Default Device Admin > Identity,

    I have one rule configured for any device that matches TACACS+ to use the Active Directory identity source.

    If authentication failed: reject

    If the user did not find: reject

    If the process failed: Drop

    When the ACS cannot access Active Directory, a RADIUS authentication debug on any device (65k or 2921) gives me "received authen status error".

    According to the RFC it should try the next configured RADIUS server, but it doesn't.

    If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is indicating that it is experiencing an
    unrecoverable error and the authentication should proceed as if that host could not be contacted.

    To be clear: if ACS is not available, then the Cisco switch will choose local authentication, but if ACS is available and its link to AD is broken, there does not seem to be a way to get the device to time out and switch to local.

    Cheers

    In general this issue can be resolved by defining an identity sequence containing Active Directory and the internal user database, so that if the user is not found the internal user definition will be used. The problem with this approach is that if Active Directory is not accessible, that is defined as a process failure, the identity sequence is exited, and the internal user record cannot be accessed. In this case you can configure the identity policy to proceed to authorization, and there you can detect the case where a process error appeared but the user has not been authenticated.

    There's a CDETS open on this issue and a feature set for ACS 5.3 that will allow authentication to continue to the internal user database after a process error. ACS 5.3 will be available later in the year.
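The distinction the answer above draws between "user not found" and "process error" is the whole problem, so here is an added example (my code, not ACS's and not from the thread) modelling an identity store sequence: a store that answers "no such user" lets the sequence move on, while a store that cannot be consulted at all ends it. The `continue_on_process_error` switch models the behaviour the answer attributes to the planned ACS 5.3 feature; the two stores, their users and the outcome names are constructed stand-ins, and `identity_policy_action` simply reflects the three settings the poster listed.

```python
from functools import partial


class UserNotFound(Exception):
    """The store answered, but has no such user."""


class ProcessError(Exception):
    """The store could not be consulted at all (e.g. AD unreachable)."""


# Constructed stand-ins for the two identity stores and their users.
AD_USERS = {"alice": "ad-pass"}
INTERNAL_USERS = {"admin": "local-pass"}


def ad_store(username, password, reachable=True):
    if not reachable:
        raise ProcessError("Active Directory unreachable")
    if username not in AD_USERS:
        raise UserNotFound(username)
    return AD_USERS[username] == password


def internal_store(username, password):
    if username not in INTERNAL_USERS:
        raise UserNotFound(username)
    return INTERNAL_USERS[username] == password


def run_identity_sequence(stores, username, password, continue_on_process_error=False):
    """Walk the stores in order. 'user not found' moves on to the next store;
    a process error ends the sequence unless continue_on_process_error is set.
    Returns one of: 'pass', 'fail', 'not_found', 'process_error'."""
    for store in stores:
        try:
            return "pass" if store(username, password) else "fail"
        except UserNotFound:
            continue
        except ProcessError:
            if continue_on_process_error:
                continue
            return "process_error"
    return "not_found"


def identity_policy_action(outcome):
    """The poster's identity-policy settings: authentication failed -> reject,
    user not found -> reject, process failed -> drop."""
    return {"pass": "continue", "fail": "reject",
            "not_found": "reject", "process_error": "drop"}[outcome]


SEQUENCE_AD_UP = [ad_store, internal_store]
SEQUENCE_AD_DOWN = [partial(ad_store, reachable=False), internal_store]


if __name__ == "__main__":
    for name, seq in (("AD up", SEQUENCE_AD_UP), ("AD down", SEQUENCE_AD_DOWN)):
        for flag in (False, True):
            outcome = run_identity_sequence(seq, "admin", "local-pass", flag)
            print(name, "continue_on_process_error=%s" % flag, "->",
                  outcome, "/", identity_policy_action(outcome))
```

The "AD down" run without the flag is the situation in the question: the internal user exists and would authenticate, but the sequence never reaches it, and the policy turns the process error into a drop instead of a pass.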

  • Understanding a basic AAA router configuration

    There are two commands in our company router that I'm not sure about. I need an explanation of these two commands and what they do. Thanks in advance.

    R# aaa authentication ppp tse local

    R# aaa authorization network tse local

    Hi mwentwrth,

    aaa authentication ppp tse local is a command to authenticate the serial interfaces with PPP. tse is a list name and local is a user of your router.

    aaa authorization network tse local is first an authorization check (typically via RADIUS or TACACS+) against your tse list, then local.

    So please check where tse is configured; it must be a RADIUS or TACACS+ server.

    Kind regards

    Flo

  • iMessage activation - it generates SMS to 00447786205094

    Hello

    While roaming nationally in Delhi, India, I was charged for SMS sent to 00447786205094. To the best of my knowledge, I had not sent any SMS to that number. When I checked with my Airtel service provider, they responded with the message below.

    I would like to understand whether the following statement is true.

    This is the first time that this kind of charge has been levied on my account.

    I wish to inform you that the SMS was sent to 00447786205094, which is the Apple server in the United Kingdom, from the iPhone for authentication of iMessage and FaceTime.

    This SMS cannot be blocked from our end. In case you want to avoid these charges in the future, I kindly ask you to turn off iMessage in your phone's settings.

    dheerajdua wrote:

    I would like to understand whether the following statement is true.

    Yes, it's true.

    If you are roaming on a wireless network that is not supported, you will be charged for the SMS.
