Restrict access for device groups in ACS 4.0 SE

I have a question about login restrictions configured on groups in Cisco ACS 4.0 SE.

Here's what I want to achieve.

There will be two user groups, siteA and siteB.

I also create two network device groups, say NDG1 and NDG2.

Now the siteA users need access to the devices associated with NDG1 and NDG2.

But the siteB users should be able to access only the devices associated with NDG2, and ACS should not authenticate them when they try to log on to any device associated with NDG1.

With my current setup, the NDG2-only user still gets a login prompt on NDG1 devices.

Thanks in advance

Narayan

Hi Narayan,

Please have a look at the following post:

http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB?cmd=pass_through&location=outline@^[email protected]/0#selected_message

Rgds,

AK
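As an added example (not ACS code, and not from the original thread), here is a small Python model of how ACS 4.x Network Access Restrictions (NARs) decide a request: a NAR is either a permit list or a deny list of AAA-client/NDG, port and address entries; a permit list implicitly denies every location it does not list, a deny list does the reverse, and when several NARs are applied to a group either all or any one of them must permit. The device names, group names and the port value `tty53` are constructed for the example; the exact port string that a TACACS+ client sends has to be read from the ACS passed/failed attempts log.

```python
# Added example: a model of Cisco ACS 4.x NAR semantics, not ACS code.
# Device and group names and the port string "tty53" are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Device:
    """An AAA client as defined in ACS, with the NDG it belongs to."""
    name: str
    ndg: str


@dataclass(frozen=True)
class NarEntry:
    """One row of a NAR: AAA client (or NDG), port and address filters.
    '*' matches anything, as in the ACS form."""
    client: str
    port: str = "*"
    address: str = "*"

    def matches(self, device: Device, port: str, address: str) -> bool:
        client_hit = self.client == "*" or self.client in (device.name, device.ndg)
        return client_hit and fnmatchcase(port, self.port) and fnmatchcase(address, self.address)


@dataclass
class Nar:
    """A NAR is either a permitted-locations list or a denied-locations list."""
    entries: list
    permit_list: bool = True

    def allows(self, device: Device, port: str, address: str) -> bool:
        hit = any(e.matches(device, port, address) for e in self.entries)
        # Permit list: only listed locations pass (implicit deny).
        # Deny list: listed locations fail, everything else passes.
        return hit if self.permit_list else not hit


@dataclass
class Group:
    """An ACS user group with zero or more NARs applied.
    require_all mirrors the ACS choice between 'all selected NARs must
    permit' and 'any one selected NAR permits'."""
    name: str
    nars: list = field(default_factory=list)
    require_all: bool = True

    def allows(self, device: Device, port: str = "*", address: str = "*") -> bool:
        if not self.nars:
            return True  # no NAR on the group: no location restriction at all
        results = [n.allows(device, port, address) for n in self.nars]
        return all(results) if self.require_all else any(results)


# Constructed inventory: two NDGs, one router and one switch in each.
DEVICES = {
    "rtr-a": Device("rtr-a", "NDG1"),
    "sw-a": Device("sw-a", "NDG1"),
    "rtr-b": Device("rtr-b", "NDG2"),
    "sw-b": Device("sw-b", "NDG2"),
}

# The policy from the question: siteA may reach NDG1 and NDG2, siteB only
# NDG2. Both are permit lists, so anything not listed is refused.
GROUPS = {
    "siteA": Group("siteA", [Nar([NarEntry("NDG1"), NarEntry("NDG2")])]),
    "siteB": Group("siteB", [Nar([NarEntry("NDG2")])]),
    # The same siteB policy expressed as a deny list instead.
    "siteB-deny": Group("siteB-deny", [Nar([NarEntry("NDG1")], permit_list=False)]),
    # A port-scoped permit list: one async line on one router and nothing else.
    "lineonly": Group("lineonly", [Nar([NarEntry("rtr-a", port="tty53")])]),
}


def check(group_name: str, device_name: str, port: str = "*", address: str = "*") -> bool:
    """Return True if ACS (per this model) would accept the login."""
    return GROUPS[group_name].allows(DEVICES[device_name], port, address)


if __name__ == "__main__":
    for g in GROUPS:
        for d in DEVICES:
            verdict = "permit" if check(g, d, "tty53") else "deny"
            print(f"{g:11s} -> {d:6s} (tty53): {verdict}")
```

The point the model makes explicit is that a permit-list NAR on siteB is what stops NDG1 logins: without any NAR the group has no location restriction, and a NAR row whose port does not match what the device actually reports denies everything, which is why the log's nas-port value matters before a port-scoped rule is written.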

Tags: Cisco Security

Similar Questions

  • Same access for several groups...

    Hi all


    Is it possible to offer the same access to different native groups using Shared Services? Thanks in advance.

    Thank you and best regards,
    Ravi

    An often overlooked feature is aggregated roles, which may or may not be useful for you.

    According to Oracle:

    Aggregated roles, also known as custom roles, aggregate several predefined application roles. An aggregated role can contain other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create an aggregated role that combines the Planner and View User roles of an Oracle Hyperion Planning, Fusion Edition application. Aggregated roles simplify the administration of applications that have more granular roles. Global Shared Services roles can be included in aggregated roles. You cannot create an aggregated role that spans applications or products.

    Thank you

    Todd Rebner

  • How to restrict access for all? Single user mode...

    I do export/import of Oracle schema objects on Windows. How can I ensure that while I export the database for migration, no one else changes the data? Is there a single-user mode so that I can be sure mine is the only connection when exporting?
    Oracle 10g R2 on Windows Server.
    Thank you
    Smith

    Perhaps you are not familiar with the concept of multi-version consistent reads.

    No one can see data that is not committed, and reads are never blocked.

    If you want a system where no one can see anything, kill their sessions and do a STARTUP RESTRICT.

  • E3000 at the request of the access for devices on Kids - both times in the same afternoon?

    Hi, I'm running an E3000 with firmware 1.0.04.

    I'd like to schedule my boys' iPods to be on the network from 14:00 to 16:00 every day.

    Running the Cisco Connect software, it seems I can schedule from 14:00 until the next morning, but not a 2-hour afternoon window.

    Looking through the other messages I see that with earlier firmware this could be maintained on the router itself, but with 1.0.04 it seems I have to use Cisco Connect.

    So, how is it possible with my current setup?

    Thanks Graeme

    Thank you, that looks good; all I have to do now is work on the MAC addresses of the devices that are on the network.

  • Level of access for a user on the network device group

    Hello

    In ACS, is it possible to give a user read-write access when connecting to one network device group and read-only access when connecting to another network device group?

    Thanks in advance

    Hello

    You need to set up the command authorization set on a per network device group basis.

    Assign a Shell Command Authorization Set on a per Network Device Group basis: this associates particular shell command authorization sets to be effective on particular NDGs.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029

    Kind regards

    ~ JG

  • Access restriction configuration network devices with the level of the ACS 5.0 user

    Hi Experts,

    I have some TACACS configuration tasks with different user levels for all routers and switches.

    To elaborate, I have engineers, analysts and site engineers, so I want to configure centralized authentication with TACACS+ and different privilege levels for the various categories of network engineer (analyst, site engineer, and so on).

    Can someone explain how to proceed with ACS 5.2 and what configuration is required on the device side?

    I'm particularly looking for the ACS 5.2 configuration procedure.

    Looking forward to the answer.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/policy_mod.html#wp1076053

    In "Default Device Admin", just create authorization rules.

    They should look like: "If the user/group type = site engineer, then assign shell profile X."

    You then define the shell profile under Policy Elements and put there all the privileges of your site engineer.

    And so on for the other roles.

  • How to restrict access to the service web application deployed on weblogic for user group only

    I built a web service application in JDeveloper 11.1.1.7 and applied to the web service the default Oracle security policy (policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml).

    Now anyone who wants to access the web service application must provide a user name and password in the header section of the SOAP request to meet the policy's requirement.

    With the following steps I'm trying to restrict access to the web service application to a specific group among the WebLogic users:

    Connect to the weblogic administration console

    Create user or group of users

    Click on the links of deployments

    Select your web service

    Click the Security tab

    Click the Policies sub-tab

    Choose your authorization provider from the drop-down menu (the default one)

    Choose Add Conditions -> Group -> type in the name of the group

    Finish

    But access is still available to all WebLogic users (i.e. users not in the group specified in the security configuration above). How can I restrict access to only the authorized group? Is anything lacking in my approach?

    There is nothing wrong with the steps mentioned in the question. In addition, you must do the following:

    At the time of application deployment, in the security part, there is a drop-down list under the question "Which security model do you want to use with this application?"

    You must select "Advanced: use a custom model that you have configured on the realm's configuration page"; then the configuration mentioned in the question will work.

  • Control access to the network with ACS device

    Hi all!

    I currently have in place a Cisco Secure ACS appliance, using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users of the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router, for out-of-band access to a firewall, and have no other access to any network device. How can I limit the Cisco Secure ITD Security group's access to line 53 only?

    My current config on this router is:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    aaa authentication login ITDSEC group tacacs+ line
    radius-server host 10.30.X.X
    radius-server host 10.18.X.X
    radius-server key XXXXXXX
    line 53
     no exec
     login authentication ITDSEC
     transport input all
     stopbits 1
     speed 115200
    line vty 0 4
     exec-timeout 30 0
     timeout login response 120
     login authentication netadmins

    but users in ITD Security can still log in via vty and then reverse telnet to any asynchronous line on the router. In addition, ITD Security can still access any switch or router using telnet: what should my setup be on these devices? Do I need an ACS configuration?

    All other devices:

    aaa new-model
    aaa authentication login netadmins group tacacs+ line
    radius-server host 10.30.X.X
    radius-server host 10.18.X.X
    radius-server key XXXXXXX
    line con 0
     password 7 141C015C5806
     login authentication netadmins
    line vty 0 4
     password 7 11020A524310
     login authentication netadmins
    line vty 5 15
     password 7 11020A524310
     login authentication netadmins

    Any help will be greatly appreciated.

    Hello

    In the security group, I would create a Network Access Restriction (NAR) with a permit entry, essentially to allow access to the single port on the 2611 only.

    The AAA Client field is the name that you gave the 2611 in the network configuration. Address will be * unless you want to restrict access to a source IP address as well. Port... I'm never quite sure with async whether the port value must be "async 53" or "line 53".

    If you look in the passed/failed attempts log for the nas-port attribute, you'll see what TACACS+ sends to the ACS. This should tell you what to put in the NAR.

    Mounira

  • Web Jetadmin restricted the role of safety device group does not not as expected

    Hi all

    I just configured HP Web Jetadmin 10.3 SR8 and am trying to implement a restricted device-group security role, but it is not working as I hoped.

    I created a device group for a specific department within our organization. It is populated by a query and I confirmed that the correct set of devices appears in the group.

    I created a security role called "small device administrators". I set the restriction type to "Device groups" and ticked the "all permissions" box.

    I added a user, selecting "device restricted administrators" as the new role. I checked the "Restrict permissions to group" box and selected the group created earlier.

    When I log in to WJA with this user account, I expect to see only the devices in the device group. However, I am able to see all discovered devices.

    Have I misunderstood how this is supposed to work? How do I give a user access to WJA and make them only able to see the devices in their department?

    Currently, Web Jetadmin (WJA) does not have a feature to limit which devices can be viewed, only which devices a user has the ability to manage. Any user can see all devices, but cannot manage any other than those assigned to their role. If they attempt to perform an action on a device outside their role, they will get a message saying that they do not have permission to perform this action.

    One thing to keep in mind is that any account that is a member of the local Windows Administrators group on the WJA server is automatically a member of the Administrators group in the WJA application. This means that if a domain user account is a member of the WJA server's local Windows Administrators group, the permissions of the WJA Administrators group will take precedence over any other restrictions that may have been placed on this user through other roles. The same goes for any user who is a member of a domain group that is a member of the WJA server's local Windows Administrators group.

    I hope this helps.

  • ACS device groups Question

    Hello

    I have installed ACS with a device group that covers a large number of devices on my network, and I apply rights to it as necessary.

    But now I need to give a group of users access to a single device that is included in this group. I can't create a new device group to cover this single device, as the address range overlaps. Is there a way to do this without having to split my existing group into at least three device groups?

    Hello

    This can be achieved by using ACS Network Access Restrictions (NARs).

    By NAR, you can deny access permission/user/group based on device/NDG/NAF.

    The following link can give you more details about it:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

    Note: If you do not see the NAR option, enable it under Interface Configuration.

    ~ Rohit

  • New for mapping SSL VPN ACS ASA - ASA groups

    Greetings,

    I am new to ASA, so any help is greatly appreciated.

    I just installed an ASA 5520 and set up an SSL VPN. What I'm trying to achieve is to configure profiles for different groups so that different users can access different resources when they connect to the VPN.

    Current config-

    ASA 5520 v8.3

    ACS 4.0

    Windows 2003 domain

    I have set up different profiles in the ASA (e.g. Business Dept.). When I choose one in the drop-down menu, it lets me log in and displays the options I've chosen for that group. The problem is that I can log in to this group with any account. In ACS, all Windows domain users are in the default group. I guess the default group is the one being processed and that is what hosts the user logon.

    Can anyone provide a good article or tips on how to configure the ASA and ACS for several groups of users? We have several departments that will each need their own parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each department.

    Any help is greatly appreciated.

    Thank you

    Tim

    Hello

    I think you need to enable group lock.

    In order to configure group lock, send the group policy name in Class attribute 25 from the Remote Authentication Dial-In User Service (RADIUS) server and choose the group policy to lock the user into. For example, to lock user cisco123 into the RemoteGroup group, define Internet Engineering Task Force (IETF) Class attribute 25 as OU=RemotePolicy; for this user on the RADIUS server.

  • How to restrict access to certain pages of a user group

    I want to restrict access to certain pages in my application to a set of users only. How can I achieve this?

    Use an authorization scheme for the user group's permission.

    See also the following:

    Authorization scheme using the APEX authentication scheme

    security - authorization roles and user in Oracle Apex? - Stack Overflow

    How to create the authorization scheme for the user group.

    Regards.

  • Windows 3.0 for device 3.3.2.2 ACS database

    I have ACS 3.0 for Windows and bought two ACS appliances to replace ACS for Windows. Is it possible to load the Windows ACS 3.0 config onto the ACS 3.3.2.2 appliance?

    Yes. Back up the ACS 3.0 configuration, copy the file to an FTP server and restore it on the appliance.

    If the restore fails, you may need to upgrade to ACS 3.3 for Windows, then back up and restore.

  • How to create the user account of readonly for all devices to CISCO ACS?

    Policy Elements > ... > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "ReadOnly".

    I tried all privilege levels, but I am unable to connect to ASDM with read-only privilege only.

    So, can someone help me?

    I'm not an expert on all devices, but I can tell you that while you can use one user name and password to access all devices, you can't have a "generic" set of rules. AAA services operate differently depending on the model/platform. For example, ASAs, WLCs and Nexus devices are completely different compared to standard IOS routers and switches. For this situation (ASDM read-only), you should check this useful post:

    https://supportforums.Cisco.com/message/853437

    Thanks for the note!

  • Using filters Essbase to restrict access to OBIEE dashboards for multiple users

    Hello

    Can you use Essbase filters to restrict access to the data in OBIEE dashboards, so that users without access to specific members are not able to see that data, for multiple users?

    Any suggestions on how to go about it.

    Thank you!

    Hello

    Like any data source, such as Essbase.

    You can filter the data by user; use an NQ_SESSION variable to give the session the correct access.

    Kind regards
