Deny AAA clients to a specific group of users, ACS v4.1
With ACS 4.1, is there a 'simple' method to deny a user group the ability to connect to specific AAA clients? A customer has a group of telephony people they want to allow to Telnet into and check all of the voice routers, but not the other routers. They have command sets and that is set up, but I wanted to see if there is a way to restrict this group to the voice-only routers?
Thanks in advance,
Dave
You can configure this using ACS NARs (Network Access Restrictions).
http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Kind regards
~ JG
Please rate helpful posts.
Tags: Cisco Security
Similar Questions
-
How to check the roles granted to a specific group?
Hello
How can I check the roles granted to a specific group?
If a user belongs to that particular group, will they have the same roles granted as the group?
Thank you.
SQL> select grantee
  2    from dba_role_privs
  3   where granted_role = 'DBA';

GRANTEE
---------------------------------
SYS
SYSTEM
-
ACS 4.2 internal DB replication - AAA clients are not replicated
I'm trying to set up a new ACS 4.2 server. ACS is installed, a replication partner is configured, etc. Master and new slave both run ACS 4.2(0) Build 124. (Master shows 'Patch 12', slave shows no patch info.)
The replication settings on the new ACS server are identical to those on my current secondary ACS server, which receives replicated data correctly.
Problem: I manually replicated from the master ACS server to the new ACS server. Logs on both servers show a successful replication. Users, user groups and network device groups (NDGs) all replicate correctly. However, there are zero AAA clients in each of the NDGs.
Master is set to send, new slave set to receive:
User and group database
Network device configuration tables
WBS
Interface configuration
Interface security settings
Password validation settings
I also tried replicating the Network Access Profiles instead of the Network Device Configuration tables. Still no AAA clients in the NDGs.
I need my AAA clients replicated. Should I be replicating different or additional components? Am I missing some setting elsewhere in ACS?
Hello
Please apply Patch 12 on the slave ACS as well.
Try the replication and let me know the results.
Also, under Network Configuration, do you see the NDG names, or just no AAA clients under each NDG?
Kind regards
Anisha
-
Customizing the e-mailing of alerts based on a specific group of servers?
Hello
I'm wondering how to set up e-mailing based on a specific Foglight service? For example, I know that I can set "SYSADMIN" to an e-mail address and it becomes the global e-mail address all alerts are sent to.
What I want to do is keep the global e-mail address, but take a few exclusions and have another set of servers e-mail a different e-mail address.
In this example I am using services that I created for my groupings. For example, I have an FSM service called "DHCP servers" and I want all alerts for servers in this group to go to an e-mail address other than the one defined globally in the SYSADMIN e-mail address variable.
Here's what I've tried, but alerts are not sent to "[email protected]".
How can I achieve this?
Thank you
Tony
Hello Tony
This can be done with a service (as far as I know), but my requirements were much simpler. I had three CRM machines and the CRM team wanted to know when CRM Windows services had problems.
At the end of the day, I used two rules: a general "Host Services" rule and a specific "Host Services CRM" rule.
My "Host Services CRM" rule has the following in the rule definition:
HostService where monitoredHost.name = "crm1.mycompany.com" or monitoredHost.name = "crmapp01.mycompany.com" or monitoredHost.name = "crmapp02.mycompany.com"
There is a variable in the Conditions, Alarms & Actions tab for the registry ("NewAddress"). In the registry, "NewAddress" is essentially "SYSADMIN" with the e-mail address for the CRM team.
To avoid duplicate e-mails, the "Host Services" rule has the following in the rule definition to exclude the CRM systems:
HostService where monitoredHost.name != "crm1.mycompany.com" and monitoredHost.name != "crmapp01.mycompany.com" and monitoredHost.name != "crmapp02.mycompany.com"
I'm fairly sure (but have not tried it) that you can change monitoredHost.name to something like service.name to extend it to a service. Obviously, it would be preferable to use a service so that you have only one place to update, unlike me, but my customizations refer to only three systems in two rules, so it's easy to keep up to date.
I hope this gives you an overview of how to attempt it.
Brian
-
Aggregate values for specific groups of hours
First of all, I have some data that I obtained using a SQL query like this (just to explain briefly):
YEARS MONTHS SUMMONTH SUMQUARTER SUMYEAR
----- ------ -------- ---------- -------
2009  Jan      153904     459909 1692462
2009  Feb      144643     459909 1692462
2009  Mar      161362     459909 1692462
2009  Apr      133407     423148 1692462
2009  May      148397     423148 1692462
2009  Jun      141344     423148 1692462
2009  Jul      136838     428743 1692462
2009  Aug      139550     428743 1692462
2009  Sep      152355     428743 1692462
2009  Oct      122030     380662 1692462
2009  Nov      121963     380662 1692462
2009  Dec      136669     380662 1692462
2010  Jan      139709     430608 1747257
2010  Feb      143226     430608 1747257
2010  Mar      147673     430608 1747257
2010  Apr      155311     441330 1747257
2010  May      143274     441330 1747257
2010  Jun      142745     441330 1747257
2010  Jul      137887     422751 1747257
2010  Aug      130827     422751 1747257
2010  Sep      154037     422751 1747257
2010  Oct      138790     452568 1747257
2010  Nov      162764     452568 1747257
2010  Dec      151014     452568 1747257
The SUMMONTH column is a dynamic column that is the total value of a month.
The SUMQUARTER column is a dynamic column that is the total value of a quarter of the year (Jan-Mar, Apr-Jun, Jul-Sep, Oct-Dec).
The SUMYEAR column is a dynamic column that is the total value of the year.
In addition, the data (VALUE) are calculated for each hour of each day and combined into a total.
You can assume that the table structure has a field called 'HOURS', which holds a number (for example 00, 01, 02, 03, ..., 21, 22, 23), and a 'VALUE' field that stores the corresponding data.
This will be easier to understand later with the SQL I provide.
Now, the essential problem is "HOW to calculate a specific group of hours"...?
There are several groups of hours:
Group 1: 08-20 (08:00-20:00)
Group 2: 20-08 (20:00-08:00)
Group 3: 20-24 (20:00 to 12:00)
Group 4: 24-08 (12:00 to 08:00)
You can see there is a little duplication (Group 2 = Group 3 + Group 4), but that's OK...
Here's the SQL I use now (using a 'Q' format parameter so I can force the month to a quarter):
select years, months, summonth,
       sum(summonth) over (partition by years || to_char(ym, 'Q')
                           order by years || to_char(ym, 'Q')) sumquarter,
       sumyear
from (
  select years, months, summonth, sumyear,
         to_date(years || months, 'YYYYMon', 'NLS_DATE_LANGUAGE=American') ym
  from (
    select years, months, days, hours, mins, sumHour,
           SUM(sumHour) OVER (PARTITION BY years, months, days) sumDay,
           SUM(sumHour) OVER (PARTITION BY years, months) sumMonth,
           SUM(sumHour) OVER (PARTITION BY years) sumyear
    from (
      SELECT x.years, x.months, x.days, x.hours, x.mins, sum(x.value) as sumHour
      FROM xmltest,
           XMLTABLE('$d/cdata/name' passing xmldoc as "d"
                    COLUMNS years  integer    path 'year',
                            months varchar(3) path 'month',
                            days   varchar(2) path 'day',
                            hours  varchar(2) path 'hour',
                            mins   varchar(2) path 'minute',
                            value  float      path 'value') as X
      group by x.years, x.months, x.days, x.hours, x.mins
      order by x.years, x.months, x.days
    )
  )
)
group by years, months, summonth, sumyear, ym
order by ym
but I don't really know how to get the value for a specific group of hours...
The final output format may be something like this:
YEARS MONTHS SUMMONTH SUMQUARTER SUMYEAR 8AM_20PM 20PM_8AM 20PM_00AM 00AM_8AM
----- ------ -------- ---------- ------- -------- -------- --------- --------
2009  Jan      153904     459909 1692462    15000     3904      3000      904
2009  Feb      144643     459909 1692462
2009  Mar      161362     459909 1692462
2009  Apr      133407     423148 1692462
2009  May      148397     423148 1692462
2009  Jun      141344     423148 1692462
2009  Jul      136838     428743 1692462
2009  Aug      139550     428743 1692462
2009  Sep      152355     428743 1692462
2009  Oct      122030     380662 1692462
2009  Nov      121963     380662 1692462
2009  Dec      136669     380662 1692462
2010  Jan      139709     430608 1747257
2010  Feb      143226     430608 1747257
2010  Mar      147673     430608 1747257
2010  Apr      155311     441330 1747257
2010  May      143274     441330 1747257
2010  Jun      142745     441330 1747257
2010  Jul      137887     422751 1747257
2010  Aug      130827     422751 1747257
2010  Sep      154037     422751 1747257
2010  Oct      138790     452568 1747257
2010  Nov      162764     452568 1747257
2010  Dec      151014     452568 1747257
Thanks everyone for your help!
Hello.
Here is a way.
WITH data AS (
  SELECT '01' hour, 10 val FROM DUAL UNION
  SELECT '18' hour, 12 val FROM DUAL UNION
  SELECT '01' hour, 14 val FROM DUAL UNION
  SELECT '17' hour, 15 val FROM DUAL UNION
  SELECT '03' hour, 17 val FROM DUAL UNION
  SELECT '20' hour, 16 val FROM DUAL UNION
  SELECT '03' hour, 14 val FROM DUAL UNION
  SELECT '21' hour, 15 val FROM DUAL UNION
  SELECT '04' hour, 13 val FROM DUAL UNION
  SELECT '23' hour, 12 val FROM DUAL UNION
  SELECT '20' hour, 13 val FROM DUAL UNION
  SELECT '06' hour, 16 val FROM DUAL UNION
  SELECT '24' hour, 17 val FROM DUAL UNION
  SELECT '07' hour, 18 val FROM DUAL UNION
  SELECT '08' hour, 14 val FROM DUAL UNION
  SELECT '09' hour, 15 val FROM DUAL UNION
  SELECT '21' hour, 16 val FROM DUAL UNION
  SELECT '10' hour, 16 val FROM DUAL UNION
  SELECT '21' hour, 17 val FROM DUAL
),
data_2 AS (
  SELECT SUM(CASE WHEN TO_NUMBER(hour) BETWEEN 8 AND 20 THEN val ELSE 0 END) r8_20,
         SUM(CASE WHEN TO_NUMBER(hour) BETWEEN 20 AND 24
                    OR TO_NUMBER(hour) BETWEEN 0 AND 8 THEN val ELSE 0 END) r20_8,
         SUM(CASE WHEN TO_NUMBER(hour) BETWEEN 20 AND 24 THEN val ELSE 0 END) r20_24,
         SUM(CASE WHEN TO_NUMBER(hour) BETWEEN 0 AND 8 THEN val ELSE 0 END) r0_8
  FROM data
)
SELECT * FROM data_2;

     R8_20      R20_8     R20_24       R0_8
---------- ---------- ---------- ----------
       101        222        106        116
I hope this helps.
Kind regards.
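As an added example (not part of the original thread, and not the poster's code), here is the same hour bucketing carried out in Python over the constructed rows from the answer's WITH clause, so the sums can be checked against the posted output. It also shows the point a practitioner would want before trusting these figures as a breakdown of SUMMONTH: SQL BETWEEN is inclusive at both ends, so hours 08 and 20 are counted in both the 8-20 and the 20-8 bucket and the two complementary buckets add up to more than the grand total. The half-open variant (with the '24' hour folded onto 00) makes the buckets partition the data.

```python
# Constructed sample rows: the same (hour, value) pairs the answer above builds in
# its WITH clause, so the bucket sums can be checked against the posted output.
SAMPLE_ROWS = [
    ("01", 10), ("18", 12), ("01", 14), ("17", 15), ("03", 17), ("20", 16),
    ("03", 14), ("21", 15), ("04", 13), ("23", 12), ("20", 13), ("06", 16),
    ("24", 17), ("07", 18), ("08", 14), ("09", 15), ("21", 16), ("10", 16),
    ("21", 17),
]

# Hour buckets as named in the answer. Each bucket is a list of (lo, hi) ranges;
# "20-08" wraps midnight, so it is two ranges.
BUCKETS = {
    "r8_20":  [(8, 20)],
    "r20_8":  [(20, 24), (0, 8)],
    "r20_24": [(20, 24)],
    "r0_8":   [(0, 8)],
}


def in_bucket(hour, ranges, inclusive):
    """inclusive=True mimics SQL BETWEEN (both ends included);
    inclusive=False uses half-open [lo, hi) ranges."""
    if inclusive:
        return any(lo <= hour <= hi for lo, hi in ranges)
    return any(lo <= hour < hi for lo, hi in ranges)


def bucket_sums(rows, inclusive=True):
    """Sum VALUE per bucket, mirroring SUM(CASE WHEN ... THEN val ELSE 0 END).

    With inclusive=True the result equals the answer's output. With inclusive=False
    the hour string '24' is folded onto hour 0 (midnight) and every hour lands in
    exactly one of the complementary buckets r8_20 / r20_8."""
    totals = {name: 0 for name in BUCKETS}
    for hour_str, value in rows:
        hour = int(hour_str)
        if not inclusive:
            hour %= 24
        for name, ranges in BUCKETS.items():
            if in_bucket(hour, ranges, inclusive):
                totals[name] += value
    return totals


def double_counted_hours(inclusive=True):
    """Hours 0..23 that fall into both r8_20 and r20_8 under the chosen convention."""
    return [h for h in range(24)
            if in_bucket(h, BUCKETS["r8_20"], inclusive)
            and in_bucket(h, BUCKETS["r20_8"], inclusive)]


if __name__ == "__main__":
    grand_total = sum(v for _, v in SAMPLE_ROWS)
    for mode in (True, False):
        sums = bucket_sums(SAMPLE_ROWS, inclusive=mode)
        label = "BETWEEN (inclusive)" if mode else "half-open [lo, hi)"
        print(label, sums, "double-counted hours:", double_counted_hours(mode))
        print("  r8_20 + r20_8 =", sums["r8_20"] + sums["r20_8"],
              "grand total =", grand_total)
```

In SQL the half-open form is `hour >= 8 AND hour < 20` for the day bucket and `hour >= 20 OR hour < 8` for the night bucket; with those predicates the four bucket columns can be added back to SUMMONTH without double counting.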
-
Restrict a metadata field during update to a specific group of users
Hi all
I am having some difficulty finding the best way to restrict permission to change some metadata fields for two different groups of users.
I have two user groups, A and B. Group A will check in documents that group B will then review for accuracy and quality. Group B will then update an option-list field called "Status" with "recommended" or "not recommended".
This is not a workflow situation, as the scope requires that all documents are immediately available for search. I currently have a check-in profile and a search profile giving read/write access to content for both groups A and B. The "Status" field is hidden on the check-in page. Can someone please suggest a good way to limit the "Status" field on the update page to users in group B only? Groups A and B must be able to update all fields except for the "Status" field, which is limited to B.
Thank you!
Edited by: user6750815 on June 2, 2010 16:11
Hey rMac,
I understand it this way: you have one profile for both user groups A and B. On this profile the Status field is hidden. If this is your problem, you can use a two-step approach: while creating the rule to hide the Status field, use the rule activation condition. Make it active only for users with the A role. This way, even with the single profile, users with the B role will be able to see the Status field.
Alternatively, you can put similar code in the personalization link where you make this hidden field editable and mandatory for users in B.
Cheers,
Sicard
-
Test command for AAA EAP-TLS authentication for wireless users
Hi all
Can anyone suggest the test command to verify EAP-TLS authentication for Cisco WAPs (wireless)?
For a regular authentication we can use the command below to test the connection:
Testwap-01#test aaa group radius [email protected] /*/o4&yJ)NoL$ new-code
Trying to authenticate with the radius server group
User successfully authenticated
But EAP-TLS is not supplied with a password; it relies on the username only.
We are doing this for a remote location, so we test remotely before production.
Could someone please help, if there is a test command or debug command to test this authentication?
EAP-TLS requires a client certificate. How could you have a simple command that tests it without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy-to-deploy EAP method: it can go wrong on several levels.
The test aaa command performs a PAP authentication, so it tests basic RADIUS connectivity and the username and password.
If that works, the only thing that can break for EAP-TLS is the certificates, and the RADIUS server will be able to tell you if something is wrong.
-
I can't check in a domain group whether a user is "administrator, user or guest".
I'm using LabVIEW 2012 in a Windows domain.
I think there are .NET tools to resolve this, but I haven't managed it yet.
Attached is a file that checks whether a user belongs to a domain group, but without the privilege information.
In the past, I used the command line: 'net user %username% /domain' to get information about the user. Actually, I don't have the rights to see the other commands, so I don't know how it works now. .NET looks more elegant, but I have never used it for that.
-
Join Windows clients to a specific organizational unit
Hello community,
Does anyone know if it is possible to join a virtual machine to a specific OU using guest customization? Any attempt to do so before I add a script to the RunOnce commands fails, so I was wondering if there is a way to do it through the guest customization interface?
Thank you.
Hello
Have you tried the following:
http://www.tech-tap.com/2011/10/01/vcloud-trick-joining-a-domain-and-specifying-a-machine-ou/ - should work across the different products that have guest customization
Hope this helps
-
Assign the RADIUS server to specific groups on a VPN 3000
Last week, I assigned a test Cisco ACS server to be used for authentication and accounting for a specific group on a Cisco VPN 3060 concentrator. When I looked at ACS, it appears that not only that group was going there, but others came through this way too, using the default values on Cisco Secure ACS. Is it possible to make sure that only the traffic assigned to this specific VPN group uses the defined ACS server?
Thank you
Hello
Not sure about your implementation. But you must configure the group mapping so that only this specific AD group can authenticate.
In the external DB group mapping, map:
ACS VPN group <----> AD VPN group
Any other combination should point to the No Access group.
Kind regards
~ JG
Please rate helpful posts.
-
How to count the number of AAA clients
Hello
As we know, ACS 5.2 comes with a base license supporting 500 network devices.
Sometimes there are a lot of AAA clients or network devices that authenticate simultaneously. So my question is, how are the network devices allowed to authenticate on ACS 5.2 counted? Does this include only network devices, or the AAA clients, or the devices?
Rgds,
Laowu5017
Hello
ACS 5.x counts the number of AAA clients that are configured on the ACS.
Please note that AAA clients and network devices are the same thing; they are the switches, routers, WLCs, or any other devices configured under
Network Resources > ... > Network Devices and AAA Clients. The AAA clients are not the AAA supplicants.
End-user PCs are the AAA supplicants, and there is no limit on their number.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
Hello
I am running CiscoSecure ACS v3.0 for Windows 2000/NT, version 3.0(1) Build 40, in my environment. I have a problem adding AAA clients to a network device group, because it gives an error saying the device already exists.
I did a manual search for the device and it cannot be found. Is there any other way to remove this device by its IP address, which the system thinks already exists?
Diop
Hmm, are you entering device IPs, ranges or DNS names?
Maybe an accidental overlap somewhere?
You can use regedit to inspect the network configuration DB. It lives under HKLM\SOFTWARE\Cisco\CiscoAAAv3.3\Hosts
If you spot the duplicate, you can simply delete the subkey and then restart all the CS* services (including CSAdmin) from the Control Panel.
Mounira
-
ISE cannot find any AAA Client or network device
During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (could not locate AAA Client or network device). The cause ISE gives me is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of using a loopback interface, I used a VLAN interface with a defined IP address. Could that be the cause of the problem?
Here is the config of the port that I have tested on:
interface GigabitEthernet1/0/9
 switchport access vlan 9
 switchport mode access
 switchport voice vlan 8
 ip access-group ACL-LEAVE in
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 4
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Whatever IP address you entered in ISE when adding this switch, it must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets are coming from interface TenGigabitEthernet1/0/1. Double-check this and make sure they match.
If you have a Loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).
Thank you for rating helpful posts!
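Three threads on this page turn on the same lookup: the AAA server matching the source IP of a RADIUS request against its table of configured network devices (the ACS 4.1 NAR question at the top, where the answer is to restrict a user group to certain AAA clients; the ACS 3.0 "device already exists" thread, where overlapping client ranges are the suspected cause; and this ISE thread, where error 11007 means no device matched the NAS IP). The following Python is an added example, not Cisco's code and not any poster's: it models that lookup over a constructed device table (hypothetical device names, RFC 5737 test addresses) and a hypothetical group name, flags overlapping entries, explains the 11007 case from a switch's interface IPs and its radius source-interface choice, and evaluates a deny-by-default per-group restriction. Real ACS NARs match on NDGs and AAA client names with more options than this model; the point is the matching logic a defender can check against their own inventory.

```python
import ipaddress

# Constructed sample network-device table (hypothetical device names, RFC 5737 test
# addresses). Each entry mirrors what an ACS/ISE admin types in: a device name plus
# one or more IP addresses or ranges.
NETWORK_DEVICES = [
    {"name": "sw-access-01",     "addresses": ["192.0.2.10/32"]},
    {"name": "sw-access-02",     "addresses": ["192.0.2.11/32"]},
    {"name": "rtr-voice-01",     "addresses": ["198.51.100.0/29"]},
    {"name": "rtr-voice-all",    "addresses": ["198.51.100.0/24"]},  # overlaps rtr-voice-01
    {"name": "sw-access-01-dup", "addresses": ["192.0.2.10/32"]},    # duplicate of sw-access-01
]

# Constructed NAR-style rule (hypothetical group name): the telephony group may use
# only the voice routers. Groups without an entry carry no restriction.
GROUP_PERMITTED_CLIENTS = {
    "telephony": {"rtr-voice-01", "rtr-voice-all"},
}


def _networks(device):
    return [ipaddress.ip_network(a, strict=False) for a in device["addresses"]]


def find_overlaps(devices):
    """Pairs of devices whose address ranges overlap, as
    (name_a, name_b, prefix_a, prefix_b). ACS refuses a client that collides with an
    existing one, so run this before hunting for a phantom 'already exists' entry."""
    hits = []
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            for na in _networks(a):
                for nb in _networks(b):
                    if na.overlaps(nb):
                        hits.append((a["name"], b["name"], str(na), str(nb)))
    return hits


def lookup_nas(devices, nas_ip):
    """Names of the devices whose ranges contain the RADIUS source IP, most specific
    prefix first. An empty list is the situation ISE reports as error 11007."""
    ip = ipaddress.ip_address(nas_ip)
    matches = [(n.prefixlen, d["name"]) for d in devices for n in _networks(d) if ip in n]
    return [name for _, name in sorted(matches, key=lambda m: (-m[0], m[1]))]


def explain_11007(devices, interface_ips, radius_source_interface):
    """Given the switch's interface IPs and its 'ip radius source-interface' choice,
    say whether the packets it sends will match a configured network device."""
    src_ip = interface_ips[radius_source_interface]
    names = lookup_nas(devices, src_ip)
    if names:
        return f"{radius_source_interface} ({src_ip}) matches {names[0]}: authentication can proceed"
    return (f"{radius_source_interface} ({src_ip}) matches no network device: "
            f"ISE will log 11007; add {src_ip} to the switch's device entry or source "
            f"RADIUS from an address that is already configured")


def nar_permits(devices, group, nas_ip):
    """Deny-by-default model of a per-group Network Access Restriction: a request is
    allowed only if the NAS resolves to a known client and, when the group has a
    restriction, that client is on the group's permitted list."""
    names = lookup_nas(devices, nas_ip)
    if not names:
        return False
    allowed = GROUP_PERMITTED_CLIENTS.get(group)
    return allowed is None or names[0] in allowed


if __name__ == "__main__":
    # Constructed switch: RADIUS sourced from an SVI that is not in the device table,
    # while the loopback address is.
    SWITCH_IPS = {"Vlan9": "203.0.113.9", "Loopback0": "192.0.2.10"}
    for dup in find_overlaps(NETWORK_DEVICES):
        print("overlap:", dup)
    print(explain_11007(NETWORK_DEVICES, SWITCH_IPS, "Vlan9"))
    print(explain_11007(NETWORK_DEVICES, SWITCH_IPS, "Loopback0"))
    print("telephony -> voice router:", nar_permits(NETWORK_DEVICES, "telephony", "198.51.100.3"))
    print("telephony -> access switch:", nar_permits(NETWORK_DEVICES, "telephony", "192.0.2.10"))
```

Feeding this an export of the real device table is the quickest way to see both failure modes the threads describe: a NAS IP that resolves to nothing (the source interface was never added, or a different interface is sourcing the packets) and two entries that claim the same address, which the ACS 3.0 GUI reports only as "already exists".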
-
How to restrict access to a web service application deployed on WebLogic to a user group only
I built the web service application in JDeveloper 11.1.1.7. The security policy applied on the web service is the default Oracle policy (policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml).
Now everyone who wants to access the web service application must provide the username and password in the header section of the SOAP request to meet the requirement of the policy.
The following are the steps I am trying in order to restrict access to the web service application to a specific group of users among the WebLogic users:
Connect to the weblogic administration console
Create user or group of users
Click on the links of deployments
Select your web service
Click the Security tab
Click the Policies sub-tab
Choose your authorization provider in the drop-down menu (it looks like the default)
Choose Add Conditions -> Group -> Type in the name of the group
Finish
But access is still available to all WebLogic users (i.e. users not in the group specified in the above security configuration). How can I restrict access to only the authorized group? Is anything lacking in my approach?
There is nothing wrong with the steps mentioned in the question. In addition, you must do the following:
At the time of application deployment, in the security part, there is a list under the question "Which security model do you want to use with this application?"
You must select "Advanced: Use a custom model that you have configured on the realm's configuration page"; then the configuration mentioned in the question will work.
-
Using an init block to identify users within a user group?
Hello
I need help with the following scenario:
I need to identify whether a user is a member of a specific user group, and if so I want to populate a session variable.
I do not have (or want) an external table that contains the user IDs and user groups. Instead, I want to perform this check entirely in the repository. I know that there are two system session variables that contain the necessary information:
USER (containing the OBI account name)
GROUP (containing a list of all the groups a user is a member of)
Can anyone provide me with the syntax or a sample script to perform this check:
If :GROUP contains "name_of_group_to_check_for" then CHECK = 'Yes' else CHECK = 'No'.
In addition, when creating an initialization block, I need to specify a connection pool, but in my case I don't think I need to specify one?
Thanks for any help!
I don't think you can do what you want. The reason is that the GROUP session variable is populated by the RPD security groups last, so if you were to create an init block with the IF statement (IF in SQL) you mention below, it will be empty. Init blocks must also run against a database.
Now, I think you are trying to solve a requirement in a very strange way. I would ask that, instead of posting the solution you think is best, you clearly state your real business requirement so we can see if this is the best way to solve it.