Control access to the network with ACS device
Hi all!
I currently have in place a Cisco Secure ACS appliance using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users of the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router (out-of-band access to a firewall) and have no other access to any network device. How can I limit access for the Cisco Secure ITD Security group to line 53 only?
My current config on this router is:
aaa new-model
aaa authentication login netadmins group tacacs+ line
aaa authentication login ITDSEC group tacacs+ line
radius-server host 10.30.X.X
radius-server host 10.18.X.X
radius-server key XXXXXXX
line 53
 no exec
 login authentication ITDSEC
 transport input all
 stopbits 1
 speed 115200
line vty 0 4
 exec-timeout 30 0
 timeout login response 120
 login authentication netadmins
but users in the ITD Security group can still log in via vty and then reverse telnet to any async line on the router. In addition, ITD Security can still access any switch or router using telnet. What should my setup be on these devices? Or is this an ACS configuration?
All other devices:
aaa new-model
aaa authentication login netadmins group tacacs+ line
radius-server host 10.30.X.X
radius-server host 10.18.X.X
radius-server key XXXXXXX
line con 0
 password 7 141C015C5806
 login authentication netadmins
line vty 0 4
 password 7 11020A524310
 login authentication netadmins
line vty 5 15
 password 7 11020A524310
 login authentication netadmins
Any help will be greatly appreciated.
Hello
For the security group, I would create an IP-based Network Access Restriction (NAR) with a permit entry, essentially allowing access only to the single port on the 2611.
The AAA Client field is the name you gave the 2611 in the Network Configuration. Address will be * unless you want to restrict by source IP address. Port... I'm never quite sure with async whether the port value must be "async 53" or "line 53".
If you look in the passed/failed authentication logs for the nas-port attribute, you'll see what the TACACS+ client sends to the ACS. This should tell you what to put in the NAR.
Mounira
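The NAR logic Mounira describes, modelled as an added example (not ACS or Cisco code): a permit-list for the ITD Security group limited to one AAA client and one port, plus the check of the logged nas-port value the answer recommends. The device name rtr2611, the key=value log layout and the port strings are assumptions made for this example.

```python
"""Model of an ACS Network Access Restriction (NAR) for the TACACS+ scenario above.

Added example, not ACS or Cisco code. Assumed, simplified semantics: a group
has either no NAR (unrestricted) or a permit-list of (AAA client, address,
port) entries; a login is allowed only if one entry matches all three fields,
with '*' as a wildcard. Device names and the log layout are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str  # name given to the device in ACS Network Configuration
    address: str     # calling/source address; '*' = any, as the answer suggests
    port: str        # port string exactly as the NAS reports it (nas-port)


# Permit-lists per ACS group. None = no NAR, so Netadmins reach every device.
GROUP_NARS: Dict[str, Optional[List[NarEntry]]] = {
    "Netadmins": None,
    "ITD Security": [NarEntry("rtr2611", "*", "async 53")],  # port string assumed
}


def nar_permits(group: str, aaa_client: str, address: str, port: str) -> bool:
    """Permit-list check: no NAR -> allowed; otherwise some entry must match."""
    entries = GROUP_NARS.get(group)
    if entries is None:
        return True
    return any(
        fnmatchcase(aaa_client, e.aaa_client)
        and fnmatchcase(address, e.address)
        and fnmatchcase(port, e.port)
        for e in entries
    )


def observed_ports(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Collect the nas-port values each AAA client actually sent (pass/fail logs).

    The key=value layout is constructed; real ACS CSV columns differ, but the
    step is the one the answer recommends: read what the NAS sends first.
    """
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "nas" in fields and "nas-port" in fields:
            seen.setdefault(fields["nas"], set()).add(fields["nas-port"])
    return seen


def unmatched_entries(entries: List[NarEntry], seen: Dict[str, Set[str]]) -> List[NarEntry]:
    """NAR entries whose port pattern matches nothing the device has ever sent.

    Such an entry fails closed (the group is locked out of the line too), so
    it is the first thing to check when the restricted group reports no access.
    """
    return [
        e for e in entries
        if not any(fnmatchcase(p, e.port)
                   for nas, ports in seen.items() if fnmatchcase(nas, e.aaa_client)
                   for p in ports)
    ]


# Constructed sample log lines: here the 2611 reports the async line as "tty53",
# so the "async 53" entry above never matches and ITD Security would be locked out.
SAMPLE_LOG = [
    "user=jdoe group=ITD_Security nas=rtr2611 nas-port=tty53 result=pass",
    "user=jdoe group=ITD_Security nas=rtr2611 nas-port=tty66 result=pass",
    "user=asmith group=Netadmins nas=sw-core1 nas-port=tty1 result=pass",
]
```

A vty login on the 2611 or any login on another device fails the permit-list for ITD Security, which is the behaviour the question asks for; Netadmins, having no NAR, are unaffected.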
Tags: Cisco Security
Similar Questions
-
PIX501 client VPN - cannot access the inside network with a VPN session
What follows is based on the config at the attached link:
PIX Ver 6.2(3) - VPN Client 3.3.6(A) - Windows XP client PC
We can establish the VPN session to the PIX501, but we cannot access the private network behind the PIX.
Here is the config - I can't determine why it does not work; we are desperate to get this working as soon as POSSIBLE!
We have the same problem with client 4.0.3(c).
Thanks in advance for any help!
=======================================
AKCPIX00# sh run
: Saved
:
PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname AKCPIX00
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside #.#.#.# 255.255.240.0
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool akcpool 10.0.0.1-10.0.0.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 #.#.#.# 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup akcgroup address-pool akcpool
vpngroup akcgroup dns-server 192.168.1.10
vpngroup akcgroup default-domain domain.com
vpngroup akcgroup split-tunnel 101
vpngroup akcgroup idle-time 1800
vpngroup akcgroup password ********
vpngroup akc idle-time 1800
telnet timeout 5
ssh #.#.#.# 255.255.255.255 outside
ssh timeout 15
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:XXXXX
: end
AKCPIX00#
Config looks good - just like mine for my home network. The only thing I can think of is that you may have entered commands in the wrong order - meaning you could have enabled isakmp or applied the crypto map before the crypto map config was complete. Write memory, then reload the PIX, is one way to reset everything. If you do not want downtime:
crypto map mymap interface outside
isakmp enable outside
Entering these two commands should be enough to reset ipsec and isakmp.
-
Access to an ethernet device on the network via the ports of the router
I was wondering if someone can help me with a router configuration. I have an ethernet device, a Digi Connect ME embedded ethernet stack. I set the IP, subnet, gateway, etc. on this device. It has a web server and telnet and FTP features. What I want to do is connect the device to one of the ports on the back of a WRT54GS router. Then I want to connect the router's Internet port to my local network. On the LAN, I have a PC I want to use to access the web page of the Digi device through the router. The LAN has given the PC an IP address of 3.11.201.33 and assigns the router's Internet IP as 3.11.201.32. The PC is set to obtain an IP address dynamically. I have configured the Digi device to have an IP address of 192.168.1.100. I want to open a web page on the PC and connect to the Digi device. I can't get this to work. I tried adding the IP address of the Digi device to the DMZ on the router, but that did not help. How can I get from the PC via the LAN, through the router, to the port that is connected to the Digi? Any help is appreciated!
Outgoing FTP for multiple devices behind the router does not need any special setup... you will not need to forward any ports for that.
You can port forward to more than one device with the stock firmware... I just forgot how many port forwarding 'slots' there are on the page... the WRT54G V5 has 10, so assuming no other device has forwarded ports, you should be able to forward the FTP and telnet ports for 5 devices.
-
Several devices on the network with the same name
I want to install Windows 7 on computers in a domain with Small Business Server 2003. Curiously, I can see all the computers on the network, as I should be able to, but one of them, WK02011, is not accessible from any Windows 7 system because there are multiple devices with the same name on the network according to a diagnostic check. WK02011 is visible and accessible from other systems on the network that are running XP. I don't have this problem with any other XP system - that is, I can see and access all of the other XP machines on the network with the exception of WK02011. I can't access WK02011 from the server, and the server indicates that there are multiple devices with the same ID. Renaming the XP machine would be complicated because of having to re-set up the service for the customer and then turn around and install Windows 7 on the workstation in the coming days.
How do I find the duplicate ghost device?
Hello
Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the Windows 7 forums on TechNet. Please post your question in the TechNet forums. You can follow the link to your question:
-
Hello, I have a desktop PC and a laptop (DELL Inspiron N-4050).
I have a problem with my cable internet connection, which works fine on my PC but not on my laptop, giving an error "no access to the network". When I troubleshoot it says "your computer appears to be correctly configured, but the device or resource (DNS server) is not responding."
I spoke to many Microsoft online support technicians, but they could not solve my problem; they said this is a DNS problem and advised me to contact my Internet service provider. If it were because of my internet, why does it work on my PC and not on the laptop? Yesterday my ethernet cable pulled out of my laptop and I couldn't connect to the internet any more. But on my desktop PC it works perfectly fine. (I do not use wifi, if this information is also required.) I have studied several threads with similar situations and tried different methods to solve the problem, to no avail. I did a system restore, but I'm having no luck. Also, I have not made any recent changes to my anti-virus software, and my LAN card drivers look up to date.
When I remove the cable from the laptop and connect it again, it works, but only after the PC has sat for a while.
1. I flushed DNS by typing "ipconfig /flushdns" in the command prompt.
2. My IP address, DNS, subnet mask etc. are set to automatic.
3. I also added the physical address taken from the command line output of "ipconfig /all" to the properties of the network driver settings.
4. I installed the latest drivers from 2014 on my laptop.
5. I did a lot of searching on the web, but nothing solved my problem. Please help me solve it.
I appreciate your help.
Thank you.
Hello Hall,
Please keep us updated on the status of the issue.
I suggest you to follow the steps in this Microsoft article troubleshooting and check if it helps:
Error message "your computer seems to be configured correctly, but the device or resource (DNS server) is not responding" in Windows 7
http://support.Microsoft.com/kb/2779064/en-us
Hope this information helps.
Please reply with the results, in order to help you solve the problem.
Thank you
-
Dear Sir
Do migrated domain users need to access shared folders on the network with the old AD username, or do the shares need to be re-shared with the new AD ID? I am in a domain and I'll migrate to a new domain name. EX: now I'm in the AAA domain; tomorrow my domain name will change to BBB. User accounts are created in both AAA and BBB, and the two domain user IDs are different. Data servers are also migrating to the new domain. Is it possible to access the shared folder with the old user ID in the new domain, or must the files be shared again with the new Active Directory user ID?
Kind regards
Chauvet J.
Hello
The question you have posted is related to professional-level support. Please visit the link below to find a community that will support what you are asking:
http://social.technet.Microsoft.com/forums/en/category/WindowsServer/
-
I'm trying to access a wireless network with the password provided to me. I get the following error message: "The network password needs to be 40 bits or 104 bits depending on your network configuration. This can be entered as 5 or 13 ASCII characters or 10 or 26 hexadecimal characters." What does this error message mean, and how do I address it so that I can access the wireless network?
I use XP Professional with Service Pack 3. I get this error message every other time I try to log in to a security-protected wireless network. I used to not get this message; but now it is sometimes impossible to call the wireless providers when I might only need access for a short period or after hours.
In addition, it is my computer that requires the network password to be different, not the wireless provider. A password is given to me that works for other users, but my computer won't let me use it.
Hello
I suggest you to visit these links and check if it helps:
It will be useful.
-
How to access multiple VMs on the network with 1 host NIC?
Greetings,
I have a VMware Server running on Windows XP with 3 SUSE virtual machines. I would like to access the 3 virtual machines from the network at the same time. The 3 VMs have their own static IP addresses. I use bridged network mode. There is only 1 NETWORK card on the XP computer. With this configuration, I can access only 1 VM from the network at a time. When I added another NIC and bound it to a second virtual machine, I could access 2 at the same time. Any ideas on how I can access all 3 VMs at the same time on the network with just 1 NETWORK card?
Even if you only have one physical NETWORK adapter, you should be able to access all the guests at the same time when they use bridged networking and have a correct IP configuration. Can you post your host IP configuration and your guests' so we can check it out. Make sure the guests are really "bridged" and disable all firewalls during the test.
If you found this information useful, please consider awarding points for 'Correct' or 'Helpful' answers. Thank you!!
-
When my kids play online on the Xbox I get an error message on my laptop when I start it after them. It says there is an IP address conflict and that another device is already on the network with the same IP address. It does not affect my internet access, though. How can I fix this?
Hello
1. Which version of Windows is installed on the computer? For example, Windows 7, Vista
2. Does the error message appear only when the Xbox is connected to the network, or at other times too?
3. Have you made any software or hardware changes on the computer before this problem?
Please answer these questions and provide additional information so that we can better guide you.
-
LAN adapter question, "no access to the network"
Original title: LAN adapter issue
Hi all, when connecting my laptop to a switch, the LED on the switch is green, which means connected. The IP address on the laptop is entered manually, but when I go to cmd and issue ipconfig it shows "media disconnected", and the network adapter in the Control Panel indicates "no access to the network". It also indicates that "this device is working properly"! Please advise.
Hello
What is the number and the model of the computer?
Did you make any changes to the computer before the issue appeared?
Thanks for posting in Microsoft Communities. From the problem description, I understand that you cannot connect to the Internet. Correct me if I misunderstood the question.
Follow these steps:
Method 1: Follow these steps:
How to troubleshoot possible causes of Internet connection problems in Windows XP: http://support.microsoft.com/kb/314095
Method 2: Follow these steps:
Step 1: Renew DHCP (Dynamic Host Configuration Protocol)
a. Click Start, click Run, type cmd and click OK.
b. In the command prompt, type ipconfig /renew
c. Close the command prompt.
d. Check the result.
Step 2: Try to obtain an IP address automatically
a. Open Internet Explorer, go to Tools, click Internet Options, Connections, LAN settings.
b. Uncheck all boxes except "Automatically detect settings".
c. Click OK to apply the changes.
d. Check if the problem persists.
Method 3: If the methods above do not help, check if the network card is working and try to update the drivers from the manufacturer's web site.
a. Click Start and right-click My Computer.
b. Select Properties and then click the Hardware tab.
c. Click Device Manager and expand Network adapters in the list.
d. Right-click the adapter, then click Properties.
e. Click the Driver tab and click Update Driver.
Please follow the steps and let us know if this helped. If the problem persists, reply and we will be happy to help you.
-
Original title: USB problem
I use Windows 7 as my operating system. I have a problem when I insert USB devices such as a pen drive, mobile phone, card reader etc. into the USB port of my PC. The problem is that the folders on the USB devices are shown as shortcuts, so I cannot copy data from the folder to other devices or the hard drive. So please suggest what I can do?
Hello
Start Windows Explorer, and then see if there is a drive letter assigned for access to the drive. If not, check if the disk is shown in Disk Management.
- Open Computer Management by clicking the Start button, clicking Control Panel, System and Security, clicking Administrative Tools and then double-clicking Computer Management. If you are prompted for an administrator password or a confirmation, type the password or provide confirmation.
In the left pane, under Storage, click Disk Management.
If there is a right-click option to assign a drive letter, do so; then you can use Windows Explorer to copy files.
I hope this helps.
--------------------------------------------------------------------------------------------
Rob Brown - Microsoft MVP
-
LATITUDE D820 wiped and loaded with XP; DELL drivers & SW gone, no access to the network
Everyone out there - I need HELP... I bought a second-hand LATITUDE D820 with Windows 7 on it and it worked fine (also WIFI). I need to load XP Prof on it (yes...) and therefore all DELL SW disappeared (had no DELL CD). I loaded XP Service Pack 3 and plugged in Ethernet, and I also have a WLAN - but NO communication to any NETWORK. Pinging any LAN IP address brings 'Host unreachable'.
IPConfig /all shows: Windows IP Configuration: Host name: laptop; Prim. DNS: ; Node type: Broadcast; IP routing enabled: No; WINS Proxy enabled: No. Ethernet adapter Bluetooth network connection: media state: media disconnected; Description: Bluetooth device (Personal Area Network); physical addr: Mac addr.
Control Panel -> Network Connections displays LAN on the 1394 network adapter (properties: device works properly, driver: MS 07/01/2001!); connection status: connected but 0 packets; protocols: Client for Microsoft Networks, File & Printer Sharing, TCP/IP - trying Repair -> msg "TCP/IP not enabled for this connection").
Conclusion: I think my XP drivers are too old, or not DELL. Problem: I have no access to the network - minimum need a driver update for Internet access, and then upgrade. Download that/those drivers on a non-Dell PC, then CD, then install on the laptop. Don't know the DELL HW; used the Service Tag to find 11 drivers, resp. 75 drivers for that. I think it's a 'network' driver - but don't know which, or any other suggestion? Thks for any help. Peter
Well well, maybe it was because I realized that I needed to insert HTML
to get my text with line breaks.
But in any case the problem is solved by the European German DELL support group, who responded very quickly via their DELL forum and helped me greatly to get going again. Thank you DELL-Dave S.
Problem solved by:
the following drivers downloaded onto CD, and then installed on the D820
WLAN: HTTP://WWW.DELL.COM/SUPPORT/DRIVERS/DE/DE/DEBSDT1/DRIVERDETAILS/PRODUCT/LATITUDE-D820?DRIVERID=R257701&OSCODE=WW1&FILEID=2731111614&LANGUAGECODE=DE&CATEGORYID=NI.
LAN: HTTP://WWW.DELL.COM/SUPPORT/DRIVERS/DE/DE/DEBSDT1/DRIVERDETAILS/PRODUCT/LATITUDE-D820?DRIVERID=04VK6&OSCODE=WW1&FILEID=2731090506&LANGUAGECODE=DE&CATEGORYID=NI.
Now Ethernet and wireless networking work with access to the network; all the other drivers were downloaded from the net.
Viva -
Firefox blocks all access to the network
When I start Firefox (41.0.1), all access to the network is completely blocked. Before I start FF, I can access the Internet (with Chrome or IE) and other computers, but as soon as I launch Firefox, all access to the network (including connections to other computers) is blocked. In addition, my computer no longer shuts down.
As far as I KNOW, I have not installed any extensions or add-ins lately.
Thank you for your resolution. Today, when I mentioned it at work, I was told to update Firefox. This seems to do the trick (so far, fingers crossed!).
(https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings) so very probably an extension is causing harm.
If this isn't the resolution, I will surely return to your resolutions.
-
Network says it has detected another computer on the network with my IP address.
Original title: ip addy
My internet access icon says that it has detected another computer on the network with my IP address. Is there something that I have to do?
Try restarting your router. It should solve the problem.
-
vSwitch ESXi 5.1 workaround for virtual machines (direct access to the network)
Hello world!
I have a server running the ESXi 5.1 hypervisor properly, inside a physical network with an active router doing DHCP. How can I configure the vSwitch on ESXi 5.1 to work unmanaged on the network, without VLANs, and have direct access to the network?
Just to clarify, I would like it to work like VMware Workstation does first of all - if it is possible to run several virtual machines and define all NICs (Network Interface Cards) as connected by a bridge, that is to say, each VM gets its specific IP configuration from the external router.
Thank you very much in advance for the help!
Best regards
Eduardo
With ESXi, the vSwitches work comparably to bridged networking, so there is really nothing special to do.
André