How to give different Anyconnect profiles for some users
Hello
I am very new to AnyConnect but managed to configure our ASA5510 with 2 connection profiles, one with split tunneling active and the other without. How do I configure the ASA/AnyConnect client so that most users see only the connection profile with split tunneling disabled, but others get the chance to see both connection profiles in the client? Currently, all users get the chance to see the two profiles in the client, and I'm stuck at the moment trying to understand how I control which connection profiles they get to see... Users are authenticated on a Microsoft IAS server, if that counts, and the ASA is running V8.2(1) and ASDM 6.2(5)53. Thanks for any help.
Kind regards
Terry
Microsoft IAS is a good piece of information. Thank you.
So I assume you are using it for RADIUS authentication.
You have 2 options:
(1) Configure the IAS RADIUS server to map the user to a specific group policy by using a RADIUS attribute.
Here is an example configuration using a Cisco ACS RADIUS server for your reference:
(Sorry, I can't find an example configuration using the Microsoft IAS server, but the concept is the same.)
(2) As you run Microsoft IAS, I assume you are using Active Directory? Assuming that's true, you can actually authenticate via the LDAP protocol and use LDAP attribute mapping to place the user in a specific group policy.
Here is the sample configuration for LDAP authentication:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml
and here is the example of mapping of LDAP attributes configuration:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008089149d.shtml
Hope a using the option.
Tags: Cisco Security
Similar Questions
-
VMware VIEW: how to block or disallow USB for some users
Hi guys,
I have a question: can I block or disallow USB for some users? Not all users, just some. I have a pool with 25 machines and need to block USB for 4 users. Do you have any idea how to do that?
Thanks for your help
GPO USB - http://www.petri.co.il/disable_usb_disks_with_gpo.htm
-
How to give admin on webcat for a user access?
Hello
I created a new user, SchedulerAdmin, in the RPD for configuring iBots.
I have added this user to the Administrators group. Does this mean that this user has the same privileges as an administrator in the RPD?
Also, I need to give this user the admin role on the webcat side as well. How do I go about it?
Thanks in advance!
Aarti
Hello
Yes, the user created in the Administrators group has access to all content to which the Administrators group has access.
Also, I need to give this user the admin role on the webcat side as well. How do I go about it?
There is no need to give any access to this user in the web catalog, as you created the user in the Administrators group.
If you create the user under a new group, then you must create this group in the web catalog and provide access.
Kind regards
Srikanth
-
I found some help on older versions of Firefox, but I can't seem to find anything for the latest versions greater than 8. There must be a way to do this for large-scale imaging.
Have you created a defaults\profile folder in the Firefox program folder (C:\Program Files\Mozilla Firefox\)?
All files in this folder will be moved into each newly created profile folder.
To give the prefs a default value, it is best to do this via a mozilla.cfg file.
Use a mozilla.cfg file in the Firefox program folder to lock the prefs or specify default values.
Place a local-settings.js file in the defaults\pref folder, where you will also find the channel-prefs.js file, to specify using the mozilla.cfg file:
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0); // use this to disable the byte-shift
See:
You can use these functions in mozilla.cfg:
defaultPref(); // set new default value
pref(); // set pref, but allow changes in current session
lockPref(); // lock pref, disallow changes
-
How to create a default profile for all users of Firefox 9.
I run a computer lab and am looking for a way to create a default profile in Firefox 9 for new users. I want them to be able to launch Firefox for the first time and see my home page. I want to disable any check for the default browser, first-run pages, and all the other prompts.
The old group policy .adm files no longer work.
See http://www.frontmotion.com/Firefox/howtodeploy.htm
You can create a defaults\profile folder in the Firefox program folder and place in it the files to be used to create and initialize a new profile.
-
How can I stop auto correct for some words?
How can I stop auto correct for some words?
Here's a great explanation and solution:
mamadi http://coolestguidesontheplanet.com/turn-AutoCorrect-OSX-Mac-mail-Skype-10-9-MAV.
-
RemoteScan is not for some users
I recently installed RemoteScan on a new machine and got it working in one of the programs installed on the RDS server. In the other program requiring scanning, RemoteScan appears only for some users. I tried recreating the user profile. I tried copying the remote.ini file from a profile that works. I tried reinstalling RemoteScan on the workstation, but so far nothing has solved the problem. I have no idea what could be the cause and was hoping that someone might have encountered the same problem. Any help would be greatly appreciated.
RemoteScan files must be in the user's homepath. These files should be as follows:
TWAIN_32 (folder... RemoteScan internal folder)
TWAIN_32.dll 44 KB
Twunk_32.exe
All these RemoteScan files should be in the windows folder of the user's homepath. To confirm the user's homepath, you need to log on to the server as the user and then open a command prompt. Type set home.
If you have questions, contact RemoteScan at 406-721-0276.
Thank you
-
ACS5: method of different external authentication for each user account
In ACS4 I could specify a different external authentication for each user account. I'm trying to find a way to do the same thing in ACS 5. When I go under Identity in Access Services, I see the System:UserName condition, which I can use to identify the user who logs in so that I can direct them to a different identity source, but configuring a separate policy for each user is very inconvenient and would require hundreds of policies in our case.
I was hoping that we could create some kind of attribute for each user. System Administration > Configuration > Dictionaries > Identity > Internal Users. I created a new attribute called 'Storage of identity' with the enumeration type, which has 4 values: Internal, Entrust Token, RSA Token, AD accounts, and checked the box "Add Policy Condition". I can then go under each user and select the storage of identity for each user. But now I can't find where I can use it under the Identity part of an access policy. I can use it under "Group Mapping", but that maps to a group and not to an identity store. I need to use it under Identity somehow, but I can't find how.
Hello Roman,
The attribute you created will be available only when the user is authenticated through the internal ID store, so you cannot use it to select the ID store.
The best way to do this would be to use other attributes to differentiate the identity store.
You can also create an identity store sequence so that for each user, ACS will try to authenticate by using multiple identity stores.
For example, you can use these:
Network Conditions
> End Station Filters
> Device Filters
> Device Port Filters
Here you can import filters from a file, and it would therefore be more scalable.
Hope this helps.
-
Questions not selectable answers in quiz slide for some users
We have SCORM training content from Captivate published on our LMS (SAP Learning Solutions). Some users are unable to answer the questions in the content. For these users, the answers are locked and cannot be selected. In addition, the validate and clear buttons do not appear.
The problem affects about 10% of our users.
This training contains content slides and quiz slides.
The content is published in SCORM 1.2 (SWF + HTML) with Adobe Captivate 5.5. We had the same problem for some users with the previous version of this training content with Captivate 4.
All users have the same settings:
Flash Player 10.3.183.11
Internet Explorer 6
Microsoft Windows XP
Place a button on the first or second slide that the user needs to click to go forward with the course. I usually place it on a slide that gives an overview of what the module will be about. Once the user has finished with the slide, they need to click on this button to continue in the content. The user is not aware that this button has a score attached, and the fact that it has a score means that Captivate believes that it is part of the quiz, which means the quiz scope begins at this point, the first question of the quiz.
Yes, you click the button, go to Properties > Reporting and select the check box to include it in the quiz.
-
have been unable to install the driver for some users. We do not receive the following error message.
Error: 0x00000006
Hi Sameer,
Thanks for posting your query on the Microsoft Community.
According to the description, I understand that you are getting an error code.
I would like to know some information.
Are you connected to a domain network?
When exactly do you get this error code?
Do you also have any error message?
This problem may occur if the print spooler service is stopped.
To start the spooler service, follow these steps:
1. Click Start, and then click Control Panel.
2. Double-click Administrative Tools, and then click Services.
3. Double-click the Printer Spooler service and then change the startup type to Automatic. This option sets the spooler service to start automatically when you restart the computer.
4. If you want to start the spooler service immediately, click Start under Service status.
I would also refer to the Microsoft Help Article below and check if that helps.
Hope this information helps. Please let us know if you need any other help with Windows in the future. We will be happy to help you.
-
How can I block the SMTP for all users but mail server
I can't understand (1) how I can deny port 25 for all users on the network and allow SMTP for the Exchange server. Also, I have MS Exchange, which handles web and SMTP, and in my setup below you can see that there is a static mapping to a public IP with http/smtp only. Then (2) how can we separate the traffic entering on one public IP to different inside servers, e.g. (MS Exchange public IP address is x.x.x.207 -> http = 172.16.2.13, 172.16.2.14 = smtp)?
Thank you
___________________________________________________
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 172.16.4.10 pdc
name 172.168.4.11 llc
name 172.16.4.11 ftp
object-group service email tcp
port-object eq www
port-object eq smtp
object-group service terminal tcp-udp
port-object range 3389 3389
object-group service mw tcp-udp
port-object range 367 367
object-group service radmin tcp
description RemoteAdmin
port-object range 4899 4899
object-group service mw1 tcp
port-object range 367 367
access-list 101 deny tcp any any eq smtp
access-list 101 permit tcp any host x.x.x.251 object-group terminal
access-list 101 permit tcp any host x.x.x.214 object-group radmin
access-list 101 permit tcp any host x.x.x.207 object-group email
access-list 101 permit tcp any host x.x.x.212 object-group mw1
access-list 101 permit tcp any host x.x.x.211 eq ftp
access-list sheep permit ip any 192.168.101.0 255.255.255.240
ip address outside x.x.x.194 255.255.255.192
ip address inside 172.16.2.1 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool mypool 192.168.101.1-192.168.101.20
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list sheep
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.212 172.16.4.12 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.251 172.16.4.51 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.214 pdc netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.211 ftp netmask 255.255.255.255 0 0
"REM # 172.16.2.13's Exchange with Outlook Web servers #
static (inside,outside) x.x.x.207 172.16.2.13 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
floodguard enable
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local mypool
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.2.6 172.16.4.6
vpdn group PPTP-VPDN-GROUP client configuration wins nymc_pdc
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username * password *
vpdn enable outside
This is your problem:
access-group 101 in interface outside
You bound this access list to your outside interface. This means that the rules are applied to traffic coming IN to your network. The implicit permit ip any any rule applies because you have not bound an access list to your inside interface.
To prevent users from going out, you will need this:
access-list OUT permit tcp host exchange_IP any eq smtp
access-list OUT deny tcp any any eq smtp
access-group OUT in interface inside
See how this access list is bound to the inside interface... it will affect traffic leaving your network. Note: Once you apply this to the inside interface, it will remove the implicit permit any.
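The first-match behaviour behind this answer, as an added example that is not part of the original thread: a small Python model of an ACL bound to the inside interface, evaluated over constructed flows. The Exchange address 172.16.2.13 comes from the question's static mapping; the trailing `permit ip any any` rule and the sample client and destination addresses are assumptions added here to show what the closing note about the implicit permit implies.

```python
import ipaddress

# A rule is (action, protocol, source, destination, destination port or None).
# "any" matches every address; a protocol of "ip" matches every protocol.
EXCHANGE = "172.16.2.13"  # inside address of the Exchange server (from the question)

INSIDE_ACL = [
    ("permit", "tcp", EXCHANGE, "any", 25),
    ("deny", "tcp", "any", "any", 25),
]
# Assumption: explicit catch-all so non-SMTP traffic keeps flowing once the
# ACL is bound to the inside interface.
INSIDE_ACL_WITH_PERMIT = INSIDE_ACL + [("permit", "ip", "any", "any", None)]


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule_index) for the first matching rule of a bound ACL."""
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto not in ("ip", proto):
            continue
        if not _addr_matches(r_src, src) or not _addr_matches(r_dst, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, i
    return "deny", None  # implicit deny at the end of every bound ACL


# Constructed sample flows: (label, proto, src, dst, dport)
FLOWS = [
    ("Exchange sends mail", "tcp", EXCHANGE, "203.0.113.25", 25),
    ("workstation sends mail directly", "tcp", "172.16.4.77", "203.0.113.25", 25),
    ("workstation browses the web", "tcp", "172.16.4.77", "198.51.100.10", 80),
]

if __name__ == "__main__":
    for name, acl in (("as posted", INSIDE_ACL), ("with catch-all", INSIDE_ACL_WITH_PERMIT)):
        for label, *flow in FLOWS:
            print(f"{name:15} {label:32} -> {evaluate(acl, *flow)}")
```

With only the two SMTP rules bound, the web flow falls through to the implicit deny; the catch-all variant keeps it permitted while direct SMTP from workstations stays blocked.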
-
Is it possible to hide a function conditionally in a responsibility? Say, for a small set of users I need the function displayed, and for some users it must be hidden.
Hello
The normal thing to do is to create a similar additional responsibility and use Exclusions to 'hide' the features you want.
Then assign it to restricted users.
Kind regards
Bashar
-
object is missing for some users
Hello
I have a custom connector and I'm doing request provisioning, but for some users the object form is just skipped in request-based provisioning. I have checked the group and permissions, and all looks fine. Can someone please tell me what could be the reason?
Thank you
Hello
I checked "Allow multiple" on the resource object and now the object form appears.
I don't understand this... no explanation?
-
How to set the default printer for the user in 11i
How to set the default printer for the user in 11i? Please let me know how to set the new printer for the user; it's EBS 11i on Linux OS.
Please see these documents.
How to install the default printer for a user. [ID 153927.1]
How to set up a default printer for a user in Oracle Applications [ID 1018856.102]
How to set a default printer? [ID 1237254.1]
How to configure the default printer for Applications [ID 184109.1]
Thank you
Hussein
-
Possible to make an element editable for some users and read-only for others
Is it possible to make an element editable for some users and read only for others?
I was able to achieve this by taking the select statement that I used to define an authorization scheme and placing it in the read-only condition of the item. However, I would rather simply reference the authorization scheme, to make use of caching and to help keep things cleaner for future maintenance.
Is it possible for an authorization scheme to be referenced in a condition, similar to the way another item can be referenced by preceding it with a colon (e.g. :P1_First_Name)?
I accomplished this in one of my applications by setting the value of a hidden Page 0 item on login, for example P0_ACCESS_PRIVILIGES, and then using the 'Read Only' feature built into APEX for each item that I want to be read-only for some users, checking the value of this item.