Restrict access for device groups in ACS 4.0 SE
I have login restrictions configured on groups in Cisco ACS 4.0 SE.
Here's what I want to achieve.
There will be two user groups, SiteA and SiteB.
I also create two network device groups, say NDG1 and NDG2.
Now, users in SiteA need access to the devices associated with NDG1 and NDG2.
But users in SiteB should only be able to access the devices associated with NDG2, and my ACS should not authenticate them when they try to log on to any device associated with NDG1.
With my current setup, the NDG2 user still gets a username prompt on NDG1 devices.
Thanks in advance
Narayan
Hi Narayan,
Please have a look at the following post:
http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB?cmd=pass_through&location=outline@^[email protected]/0#selected_message
Rgds,
AK
Tags: Cisco Security
Similar Questions
-
Same access for several groups...
Hi all
Is it possible to grant the same access to several different native groups using Shared Services? Thanks in advance.
Thank you and best regards,
Ravi
An often overlooked feature is aggregated roles, which may or may not be useful for you.
According to Oracle:
Aggregated roles, also known as custom roles, aggregate several predefined application roles. An aggregated role can contain other aggregated roles. For example, a Shared Services administrator or Provisioning Manager can create an aggregated role that combines the Scheduler and User roles of an Oracle Hyperion Planning, Fusion Edition application. Role aggregation simplifies the administration of applications that have many granular roles. Global Shared Services roles can be included in aggregated roles. You cannot create an aggregated role that spans applications or products.
Thank you
Todd Rebner
-
How to restrict access for all? Single user mode...
I export/import Oracle schema objects on Windows. How do I ensure that nobody else changes the data in the database while I export it for migration? Is there a single-user mode so that I can be sure mine is the only connection while exporting?
Oracle 10g R2 on Windows Server.
Thank you
Smith
Perhaps you are not familiar with the concept of multi-version read consistency.
No one can see what is not committed, and reads are never blocked.
If you want a system where no one can see anything, kill their sessions and do a STARTUP RESTRICT.
-
E3000: access schedule for the kids' devices, two times in the same afternoon?
Hi, I'm running an E3000 with firmware 1.0.04.
I'd like to schedule my boys' iPods to be on the network from 14:00 to 16:00 every day.
Running the Cisco Connect software, it seems I can schedule from 14:00 until the next morning, but not a 2-hour afternoon window.
Looking through the other messages I see that with earlier software this could be maintained by the firmware on the router, but with 1.0.04 it seems I have to use Cisco Connect.
So, how is it possible with my current setup?
Thanks Graeme
Thank you, that looks good. All I have to do now is work on the MAC addresses of the devices on the network.
-
Level of access for a user on the network device group
Hello
In ACS, is it possible to give read-write access to a user when connecting to one network device group, and read-only access when connecting to another network device group?
Thanks in advance
Hello
You need to set up command authorization sets on a per network device group basis.
Assign a Shell Command Authorization Set on a per Network Device Group Basis: this associates particular shell command authorization sets to be effective on particular NDGs.
Kind regards
~ JG
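As an added illustration of what JG describes (this is not code from the thread or from Cisco ACS, and all group, NDG and set names in it are made up), the following Python models a shell command authorization set and its per-NDG assignment: the same group gets a read-write set on one NDG and a read-only set on another, and each TACACS+ command request is decided by the set that applies to the device the user is logged into. The deny/permit argument patterns and the "unmatched commands/args" switches mirror the options ACS exposes; the fail-closed choice for a device with no applicable set is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CommandRule:
    """One command entry of a shell command authorization set: the command
    keyword plus permit/deny patterns (full-match regexes) over its arguments."""
    command: str
    permit_args: List[str] = field(default_factory=list)
    deny_args: List[str] = field(default_factory=list)
    unmatched_args_permit: bool = False  # the "Unmatched Args" radio button

    def decide(self, args: str) -> bool:
        if any(re.fullmatch(p, args) for p in self.deny_args):
            return False
        if any(re.fullmatch(p, args) for p in self.permit_args):
            return True
        return self.unmatched_args_permit


@dataclass
class CommandAuthorizationSet:
    name: str
    rules: Dict[str, CommandRule]
    unmatched_commands_permit: bool = False  # the "Unmatched Commands" radio button

    def authorize(self, cmdline: str) -> bool:
        parts = cmdline.strip().split(maxsplit=1)
        if not parts:
            return False
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        rule = self.rules.get(cmd)
        if rule is None:
            return self.unmatched_commands_permit
        return rule.decide(args)


# Constructed sets (assumption). ReadOnly: any "show" except the configs,
# plus a few harmless commands; everything else is denied.
READ_ONLY = CommandAuthorizationSet("ReadOnly", {
    "show": CommandRule("show",
                        deny_args=[r"running-config.*", r"startup-config.*"],
                        unmatched_args_permit=True),
    "ping": CommandRule("ping", unmatched_args_permit=True),
    "exit": CommandRule("exit", unmatched_args_permit=True),
})
READ_WRITE = CommandAuthorizationSet("ReadWrite", {}, unmatched_commands_permit=True)

# Constructed NDG membership (AAA client name -> NDG) and the per-group,
# per-NDG assignment made under Group Setup (all names are assumptions).
NDG_OF_CLIENT = {"core-sw1": "NDG-Core", "site-rtr1": "NDG-Site"}
ASSIGNMENT = {"NetOps": {"NDG-Core": READ_WRITE, "NDG-Site": READ_ONLY}}


def authorize_command(group: str, aaa_client: str, cmdline: str,
                      default: Optional[CommandAuthorizationSet] = None) -> bool:
    """Decision for one TACACS+ command authorization request: pick the set
    assigned to the user's group for the device's NDG (or the default set when
    no NDG-specific assignment exists), then evaluate the command line.
    A request with no applicable set is denied (assumption: fail closed)."""
    ndg = NDG_OF_CLIENT.get(aaa_client)
    cas = ASSIGNMENT.get(group, {}).get(ndg, default)
    if cas is None:
        return False
    return cas.authorize(cmdline)


if __name__ == "__main__":
    for client, cmd in [("core-sw1", "configure terminal"),
                        ("site-rtr1", "configure terminal"),
                        ("site-rtr1", "show running-config"),
                        ("site-rtr1", "show ip interface brief")]:
        print(client, repr(cmd), "->", authorize_command("NetOps", client, cmd))
```

On the device side the set only takes effect if the IOS device actually asks ACS for command authorization, i.e. it carries `aaa authorization commands 15 default group tacacs+` (and `aaa authorization config-commands` if configuration-mode commands are to be checked too); without that the shell profile's privilege level is the only control.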
-
Network device access restriction configuration by user level with ACS 5.x
Hi Experts,
I have some TACACS+ configuration tasks with different user levels for all routers and switches.
To elaborate, I have engineers, analysts and site engineers, so I want to configure centralized TACACS+ authentication with different levels for the various categories of network engineers: analyst, site engineer, and so on.
Can someone explain how to proceed with ACS 5.2 and what configuration is required at the device level?
I'm particularly looking for the ACS 5.2 configuration procedure.
Looking forward to get the answer.
In "Default Device Admin" just create authorization rules.
They should look like "If the user/group type = site engineer, then assign shell profile X."
You then define the shell profile under Policy Elements and put in there all the privileges of your site engineer.
And so on for the other roles
-
How to restrict access to a web service application deployed on WebLogic to a single user group
I built the web service application in JDeveloper 11.1.1.7. The security policy applied to the web service is the default Oracle policy, which is (policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml).
Now anyone who wants to access the web service application must provide a username and password in the header section of the SOAP request to meet the requirements of the policy.
I'm trying the following steps to restrict access to the web service application to a specific group among the WebLogic users:
Connect to the weblogic administration console
Create user or group of users
Click on the links of deployments
Select your web service
Click the Security tab
Click the Policies sub-tab
Choose your authorization provider in the drop-down menu (it looks like the default)
Choose Add Conditions -> Group -> type in the name of the group
Finish
But access is still available to all WebLogic users (i.e. users not in the group specified in the above security configuration). How can I restrict access to only the authorized group? Is anything lacking in my approach?
There is nothing wrong with the steps mentioned in the question. In addition, you must do the following:
At the time of application deployment, in the security part, there is a list under the question "What security model do you want to use with this application?"
You must select "Advanced: Use a custom model that you have configured on the realm's configuration page"; then the configuration mentioned in the question will work.
-
Control access to the network with ACS device
Hi all!
I currently have a Cisco Secure ACS appliance in place, using Windows as the main authentication server. Cisco Secure acts as a TACACS+ server. I have two groups defined in Cisco Secure: Netadmins and ITD Security. Users in the Netadmins group need access to all switches and routers on the network. ITD Security must only access async line 53 on a 2611 router, for out-of-band access to a firewall, and have no other access to any network device. How can I limit access for the Cisco Secure ITD Security group to line 53 only?
My current config on this router is:
aaa new-model
aaa authentication login netadmins group tacacs+ line
aaa authentication login ITDSEC group tacacs+ line
radius-server host 10.30.X.X
radius-server host 10.18.X.X
radius-server key XXXXXXX
! async line to the firewall, authenticated with the ITDSEC method list
line 53
 no exec
 login authentication ITDSEC
 transport input all
 stopbits 1
 speed 115200
line vty 0 4
 exec-timeout 30 0
 timeout login response 120
 login authentication netadmins
but users in ITD Security can still access the router via vty and then reverse telnet to any asynchronous line on it. In addition, ITD Security can still access any switch or router using telnet: what should my setup be on those devices? Do I need an ACS configuration?
All other devices:
aaa new-model
aaa authentication login netadmins group tacacs+ line
radius-server host 10.30.X.X
radius-server host 10.18.X.X
radius-server key XXXXXXX
line con 0
 password 7 141C015C5806
 login authentication netadmins
line vty 0 4
 password 7 11020A524310
 login authentication netadmins
line vty 5 15
 password 7 11020A524310
 login authentication netadmins
Any help will be greatly appreciated.
Hello
In the security group, I would create a Network Access Restriction with a permitted entry, essentially to allow access only to the single port on the 2611.
The AAA Client field is the name that you gave the 2611 in Network Configuration. Address will be * unless you want to restrict access to a source IP address. Port... I'm never quite sure with async whether the port value must be "async 53" or "line 53".
If you look in the Passed/Failed Authentications report for the nas-port attribute, you'll see what TACACS+ sends to the ACS. This should help you know what to put in the NAR.
Mounira
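As an added example of the semantics Mounira relies on (this is not Cisco ACS code and not part of the thread; the AAA client name "rtr2611", the group names and the port strings are constructed), the Python below models a per-group Network Access Restriction: a permitted table means the user is only authenticated from a matching AAA client/port/address, a denied table refuses matching locations, and a group with no NAR is unrestricted. The port strings are placeholders, exactly because the answer says the real value has to be read from the nas-port column of the Passed/Failed Authentications report.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


@dataclass(frozen=True)
class AuthRequest:
    user: str
    group: str
    aaa_client: str   # AAA client name ACS resolved from the device's source IP
    port: str         # what appears as nas-port in Passed/Failed Authentications
    address: str      # remote address reported for the session


@dataclass(frozen=True)
class NarEntry:
    """One row of a NAR table: AAA client (name or NDG as defined under
    Network Configuration), port and address; '*' is a wildcard."""
    aaa_client: str
    port: str
    address: str

    def matches(self, req: AuthRequest) -> bool:
        return (fnmatchcase(req.aaa_client, self.aaa_client)
                and fnmatchcase(req.port, self.port)
                and fnmatchcase(req.address, self.address))


@dataclass
class NetworkAccessRestriction:
    """Permitted rows: access only from a matching location (when the list is
    non-empty). Denied rows: access refused from any matching location."""
    permitted: List[NarEntry] = field(default_factory=list)
    denied: List[NarEntry] = field(default_factory=list)

    def allows(self, req: AuthRequest) -> bool:
        if any(e.matches(req) for e in self.denied):
            return False
        if self.permitted:
            return any(e.matches(req) for e in self.permitted)
        return True


# Constructed configuration (assumption): the 2611 is AAA client "rtr2611",
# and "tty53"/"tty1" stand in for whatever nas-port value the log shows.
GROUP_NARS = {
    "ITDSEC": NetworkAccessRestriction(
        permitted=[NarEntry(aaa_client="rtr2611", port="tty53", address="*")]),
    "Netadmins": NetworkAccessRestriction(),   # no NAR rows: unrestricted
}


def authenticate(req: AuthRequest) -> bool:
    """Decision after the credentials have been verified: apply the group NAR.
    A group without a NAR defined is treated as unrestricted."""
    nar = GROUP_NARS.get(req.group, NetworkAccessRestriction())
    return nar.allows(req)


if __name__ == "__main__":
    # Constructed sample requests: the firewall console, a vty on the same
    # router (the reverse-telnet path), and a vty on another switch.
    samples = [
        AuthRequest("alice", "ITDSEC", "rtr2611", "tty53", "10.1.1.5"),
        AuthRequest("alice", "ITDSEC", "rtr2611", "tty1", "10.1.1.5"),
        AuthRequest("alice", "ITDSEC", "core-sw1", "tty1", "10.1.1.5"),
        AuthRequest("bob", "Netadmins", "core-sw1", "tty1", "10.1.1.9"),
    ]
    for s in samples:
        print(f"{s.user:6} {s.aaa_client:9} {s.port:6} -> "
              f"{'permit' if authenticate(s) else 'deny'}")
```

Because the vty login on the 2611 is itself a TACACS+ authentication that the permitted-only NAR rejects, the reverse-telnet path the poster worries about is closed as well. Note that the `line` fallback in the `netadmins` method list is only consulted when the TACACS+ servers are unreachable, not when ACS returns a failure, so a NAR denial is not bypassed by the line password.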
-
Web Jetadmin restricted security role for a device group does not work as expected
Hi all
I just configured HP Web Jetadmin 10.3 SR8 and am trying to implement a restricted device security role, but it is not working as I hoped.
I created a device group for a specific department within our organization. It is populated by a query and I confirmed that the correct set of devices appears in the group.
I created a security role called "Restricted device administrators". I set the restriction type to "Device groups" and ticked the "All permissions" box.
I added a user by selecting "Restricted device administrators" with my new role selected. I checked the "Restrict permissions to the group" box and selected the group created earlier.
When I log in to WJA with this user account, I expect to see only the devices in the device group. However, I am able to see all discovered devices.
Have I misunderstood how this is supposed to work? How do I give a user access to WJA and have them only be able to see the devices in their department?
Currently, Web Jetadmin (WJA) does not have a feature to limit which devices can be viewed, only which devices a user has the ability to manage. Any user can see all devices, but can only manage those that were assigned to their role. If they attempt to perform an action on a device outside their role, they will get a message saying that they do not have permission to perform this action.
One thing to keep in mind is that any account that is a member of the local Windows Administrators group on the WJA server is automatically a member of the Administrators group in the WJA application. This means that if a domain user account is a member of the local Windows Administrators group of the WJA server, the permissions of the WJA Administrators group take precedence over any other restrictions that may have been placed on this user through other roles. The same goes for any user who is a member of a domain group that is a member of the local Windows Administrators group on the WJA server.
I hope this helps.
-
Hello
I have set up ACS with a device group that covers a large number of devices on my network, and I apply rights to it as necessary.
But now I need to give a group of users access to a single device that is included in this group. I can't create a new device group to cover this single device, as the address range overlaps. Is there a way to do this without having to split my existing group into at least 3 device groups?
Hello
This can be achieved by using Network Access Restrictions (NAR) in ACS.
With a NAR, you can permit/deny access per user/group based on device/NDG/NAF.
The following link can give you more details about it:
http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Note: If you do not get the NAR option, enable it under Interface Configuration.
~ Rohit
-
New to ASA: mapping SSL VPN ACS groups to ASA groups
Greetings,
I am new to ASA, so any help is greatly appreciated.
I just installed and set up an ASA 5520. I installed an SSL VPN. What I'm trying to achieve is to configure profiles for different groups, so that different users can access different resources when they access the VPN.
Current config-
ASA 5520 v8.3
ACS 4.0
Windows 2003 domain
I have set up different profiles in the ASA (e.g. Business Dept.). When I choose one in the drop-down menu, it allows me to log in and displays the options I've chosen for this group. The problem is that I can log in to this group with any account. In ACS, all Windows domain users are in the default group. I guess the default group is being processed, and that is what allows the user logon.
Can anyone provide a good article or tips on how to configure the ASA and the ACS for several groups of users? We have several departments that will need to get their own parameters when they connect. The ACS groups are mapped to the Windows groups that correspond to each department.
Any help is greatly appreciated.
Thank you
Tim
Hello
I think that you need to enable group lock.
In order to configure group lock, send the group policy name in the Class attribute (25) from the Remote Authentication Dial-In User Service (RADIUS) server, and choose the group to lock the user into in the group policy. For example, to lock user 123 of Cisco into the RemoteGroup group, define the Internet Engineering Task Force (IETF) Class attribute 25 as OU=RemotePolicy; for this user on the RADIUS server.
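As an added example of the exchange the answer describes (written for this page, not taken from Cisco or from the thread), the Python below builds the RADIUS Access-Accept that ACS would return with IETF attribute 25 set to "OU=RemotePolicy;", parses the attribute TLVs on the receiving side, and models the ASA's decision: the group policy named by Class is applied, and its group-lock value must equal the tunnel group the user picked in the drop-down, otherwise the login is refused. The policy names, the tunnel-group names and the way an absent Class falls back to the default policy are assumptions; the latter is exactly the situation the poster sees, where every domain user lands in the default group and can log in to any profile.

```python
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # IETF attribute 25, Class


def build_access_accept(identifier: int, class_value: Optional[str],
                        authenticator: Optional[bytes] = None) -> bytes:
    """Construct an Access-Accept, optionally carrying one Class attribute.
    The Response Authenticator is random filler here; a real server computes
    it as MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = b""
    if class_value is not None:
        value = class_value.encode("ascii")
        if not 1 <= len(value) <= 253:
            raise ValueError("Class value must be 1..253 bytes")
        attrs = struct.pack("!BB", ATTR_CLASS, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + auth + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs of a RADIUS packet, refusing malformed lengths
    instead of reading past the buffer."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return attrs


def group_policy_from_class(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """The convention from the answer above: Class = 'OU=<group-policy>;'."""
    for atype, value in attrs:
        if atype == ATTR_CLASS:
            text = value.decode("ascii", errors="replace")
            if text.startswith("OU="):
                return text[3:].split(";", 1)[0]
    return None


# Constructed ASA side (assumption): group-policy name -> group-lock value.
# RemotePolicy carries "group-lock value RemoteGroup"; the default has none.
GROUP_POLICIES: Dict[str, Optional[str]] = {
    "RemotePolicy": "RemoteGroup",
    "DfltGrpPolicy": None,
}


def admit(selected_tunnel_group: str, access_accept: bytes) -> Tuple[bool, str]:
    """Model of the ASA decision after an Access-Accept: resolve the group
    policy from Class (default policy when absent), then enforce group-lock
    against the tunnel group chosen in the login drop-down. A policy name not
    present in GROUP_POLICIES is treated as unlocked (model simplification)."""
    policy = group_policy_from_class(parse_attributes(access_accept)) or "DfltGrpPolicy"
    lock = GROUP_POLICIES.get(policy)
    if lock is not None and lock != selected_tunnel_group:
        return False, policy
    return True, policy


if __name__ == "__main__":
    locked = build_access_accept(7, "OU=RemotePolicy;")
    unlocked = build_access_accept(8, None)   # ACS group with no Class set
    print("RemoteGroup  + Class :", admit("RemoteGroup", locked))
    print("BusinessDept + Class :", admit("BusinessDept", locked))
    print("BusinessDept, no Class:", admit("BusinessDept", unlocked))
```

In ACS 4.x the attribute is set per group under Group Setup, IETF RADIUS attribute [025] Class, so each ACS group that is mapped from a Windows group gets its own OU= value; the default group, which every unmapped domain user falls into, is the one to watch.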
-
How to restrict access to certain pages of a user group
I want to restrict access to certain pages in my application to a set of users only. How can I achieve this?
Use an authorization scheme that checks membership of the user group.
See also the following:
Authorization scheme using the APEX authentication scheme
security - authorization roles and user in Oracle Apex? - Stack Overflow
How to create an authorization scheme for a user group.
Leave.
-
ACS 3.0 for Windows database to ACS 3.3.2.2 appliance
I have ACS 3.0 for Windows and bought 2 ACS appliances to replace the Windows ACS. Is it possible to load the ACS 3.0 for Windows config onto the ACS 3.3.2.2 appliance?
Yes. Back up the ACS 3.0 configuration, copy the file to an FTP server and restore it on the appliance.
If the restore fails, you may need to upgrade to ACS 3.3 before you can back up and restore.
-
How to create a read-only user account for all devices in Cisco ACS?
Policy Elements > ... > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "ReadOnly". I tried all privilege levels, but I am unable to connect to ASDM with only read privilege.
so, can someone help me?
I'm not an expert on all devices, but I can tell you that while you can use one username and password to access all devices, you can't have a "generic" set of rules. AAA services operate differently based on the model/platform. For example, ASAs, WLCs and Nexus devices are completely different compared to standard IOS routers and switches. For this situation (ASDM read-only), you should check out this useful post:
https://supportforums.Cisco.com/message/853437
Thanks for the note!
-
Using Essbase filters to restrict access to OBIEE dashboards for multiple users
Hello
Can you use Essbase filters to restrict access to the data in OBIEE dashboards, so that users with no access to specific members are not able to see all the data, for multiple users?
Any suggestions on how to go about it?
Thank you!
Hello
Like any other data source, such as Essbase,
you can filter the data by user; use an NQ_SESSION variable so the session gets the correct access.
Kind regards