Control access to network devices with ACS

Hi all!

I currently have in place a Cisco Secure ACS appliance, using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users of the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router, for out-of-band access to a firewall, and have no other access to any network device. How can I limit access for the Cisco Secure ITD Security group to line 53 only?

My current config on this router is:

aaa new-model
aaa authentication login netadmins group tacacs+ line
aaa authentication login ITDSEC group tacacs+ line
! ACS servers, reached over TACACS+ (matches "group tacacs+" in the method lists)
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX
! async line used for the firewall console
line 53
 no exec
 login authentication ITDSEC
 transport input all
 stopbits 1
 speed 115200
line vty 0 4
 exec-timeout 30 0
 timeout login response 120
 login authentication netadmins

but users in the ITD Security group can still log in via vty and then reverse telnet to any asynchronous line on the router. In addition, ITD Security can still access any switch or router using telnet. What should my setup be on these devices? Or is this an ACS configuration?

All other devices:

aaa new-model
aaa authentication login netadmins group tacacs+ line
! ACS servers, reached over TACACS+ (matches "group tacacs+" in the method list)
tacacs-server host 10.30.X.X
tacacs-server host 10.18.X.X
tacacs-server key XXXXXXX
line con 0
 password 7 141C015C5806
 login authentication netadmins
line vty 0 4
 password 7 11020A524310
 login authentication netadmins
line vty 5 15
 password 7 11020A524310
 login authentication netadmins

Any help will be greatly appreciated.

Hello

In the ITD Security group, I would create an IP-based Network Access Restriction (NAR) with a permit entry, essentially to allow access to the single port on the 2611 only.

The AAA Client field is the name that you gave to the 2611 in the network configuration. Address will be * unless you also want to restrict access by source IP address. Port... I am never quite sure with async whether the port value must be "async 53" or "line 53".

If you look in the Passed Authentications / Failed Attempts reports for the nas-port attribute, you'll see what the T+ (TACACS+) client sends to the ACS. This should help you know what to put in the NAR.

Mounira
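As an added example (not part of the original thread), the check Mounira describes, done in Python over an ACS passed-authentications export: read the NAS-Port values a given AAA client actually reports, so the NAR can be built from observed data, and flag any ITD Security login that landed somewhere other than the one permitted port. The CSV column layout is assumed (modelled on the ACS "Passed Authentications" report), and the device address 192.0.2.1, the port string "tty53" and all records are constructed placeholders; the real port string must be taken from your own report.

```python
"""Audit ACS passed-authentication records for a group that should only
reach one port on one AAA client.

Added example, not from the original thread.  Column names follow the
ACS "Passed Authentications" CSV report as an assumption; the sample
records, the AAA client address 192.0.2.1 and the port "tty53" are
constructed placeholders.
"""
import csv
import io

# Constructed sample export (header + four records).
SAMPLE_REPORT = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
05/14/2004,09:12:01,Authen OK,jdoe,Netadmins,10.30.5.20,tty66,192.0.2.1
05/14/2004,09:15:44,Authen OK,asmith,ITD Security,10.30.5.21,tty53,192.0.2.1
05/14/2004,09:20:10,Authen OK,asmith,ITD Security,10.30.5.21,tty67,192.0.2.1
05/14/2004,09:31:37,Authen OK,bjones,ITD Security,10.30.5.22,tty66,192.0.2.9
"""


def parse_report(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def observed_ports(records, nas_ip):
    """NAS-Port values one AAA client has reported: the exact strings the
    NAR 'Port' field has to match, as the answer suggests reading them."""
    return {r["NAS-Port"] for r in records if r["NAS-IP-Address"] == nas_ip}


def find_violations(records, group, allowed):
    """Return (user, nas_ip, port) for each member of `group` who
    authenticated on a (nas_ip, port) pair outside the `allowed` set.
    Any hit means the restriction is not (yet) enforced."""
    hits = []
    for r in records:
        if r["Group-Name"] != group:
            continue
        where = (r["NAS-IP-Address"], r["NAS-Port"])
        if where not in allowed:
            hits.append((r["User-Name"], r["NAS-IP-Address"], r["NAS-Port"]))
    return hits


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    # Placeholder address for the 2611; read the real one from your report.
    print("ports seen on 192.0.2.1:", sorted(observed_ports(recs, "192.0.2.1")))
    for user, nas, port in find_violations(recs, "ITD Security", {("192.0.2.1", "tty53")}):
        print(f"ITD Security login outside the permitted port: {user} on {nas} {port}")
```

Run against a real export, the first line tells you which port string the router sends for line 53 (so the NAR can be written against it), and the loop lists every ITD Security login that reached a vty or another device, which is the condition the original question wants to rule out.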

Tags: Cisco Security
