Restricting reverse telnet access to a modem with ACS
Hello,
Using ACS I am trying to limit reverse telnet access to a modem which will later be used by TTY redirector. I want users to have access to the modem only. We are on ACS 3.01 (yes, I know it's old)...
When I use a Network Access Restriction with device port 2065:* (2065 being the port assigned to the line), I get "service denied" with service=raccess tty65 in the Failed Attempts log.
Do I need to add this service to TACACS+ under Interface Configuration? What are the parameters? I tried just adding raccess to the services, which added a section under the user/group that I chose, but nothing else.
On the router I have:
aaa authorization reverse-access default group tacacs+
Tips welcome; Google has turned up nothing so far.
Paul
Paul,
It's not the NAR causing the problem; that would result in a 'user filtered' message in the Failed Attempts log.
It looks like the problem is that your group configuration is not allowing the raccess service.
Because this isn't a standard service preset in ACS, you go to System Configuration, then TACACS+ (Cisco), and define a custom TACACS+ service. Call it "raccess". In the group settings you will then be able to enable it and define all the attributes you need.
Mounira
Tags: Cisco Security
Similar Questions
-
Registering the Remote Agent with ACS
Recently I installed the ACS 4.1 Build 23 eval version (1). I also downloaded the same version of the remote agent and loaded it on a domain controller, so I can authenticate against my AD. However, when following the directions to configure the remote agent on ACS I encountered a problem.
The online instructions say to click on Network Configuration and then click on 'Add Entry' in the Remote Agents table. The problem is that I don't see a Remote Agents table in my Network Configuration page. What am I doing wrong?
Thanks in advance,
Nick
Nick,
You have ACS running on a Windows server, so there is no need to install the remote agent.
The remote agent is required with the ACS appliance, not with ACS for Windows.
Kind regards
~ JG
-
ISSUE WITH ACS REMOTE AGENT LOGGING
Hello guys,
I installed a Cisco ACS SE with version 3.3. I am trying to configure the ACS remote agent for sending logs, but it does not work. I installed the ACS remote agent and enabled the logging service during installation. The ACS appliance can communicate with the remote agent, but ACS cannot write logs on the Remote Agent. If I look at logging on ACS it's OK, but when I look at the logs on the Remote Agent Windows machine there is nothing there. Could someone help me?
Thank you
Hello
Please try configuring remote logging as shown in the link:
Kind regards
Anisha
P.S.: ACS 3.3 is end of life and end of support. Please install the latest version.
-
Network device access restriction configuration with user levels in ACS 5.0
Hi Experts,
I have some configuration tasks for TACACS+ with different user levels for all routers and switches.
To elaborate, I have engineers, analysts and site engineers, so I want to configure centralized authentication with TACACS+ with different levels for the various categories of network engineers: analyst, site engineer, etc.
Can someone explain how to proceed with ACS 5.2 and what configuration is required at the device level?
I'm particularly looking for the ACS 5.2 configuration procedure.
Looking forward to the answer.
In "Default Device Admin" just create authorization rules.
They should look like "If the user/group type = site engineer, then assign shell profile X".
You then define the shell profile in Policy Elements and put in there all the privileges of your site engineer.
And so on for the other roles.
-
I cannot pair the new Apple TV Remote app with my first generation Apple TV.
I cannot pair the new Apple TV Remote app with my first generation Apple TV. Does anyone know what to do?
You can use the old one, now called iTunes Remote. The new one seems really targeted at the ATV 4.
-
Remote database compatibility for ACS 5.3
Hi all
I'd like to check whether Microsoft SQL Express 2012 works as the ACS 5.3 remote database?
Thank you
Noel
It should work with both. I have seen a few cases with Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 on a 64-bit operating system.
Jatin kone
Hello
Thanks in advance for helping me solve the following issue:
I am trying to run an OBIEE report whose data model comes from the ADF layer.
In my application module, I have 5 view objects:
For example: VO1, VO2, VO3, VO4, VO5
And I have view links between: VO1 and VO2 (let's say: VO1_VO2_ViewLink),
VO2 and VO3 (let's say: VO2_VO3_ViewLink), VO4 is linked to VO3 (let's say: VO4_VO3_ViewLink) & VO5 is linked to VO3 (let's say: VO5_VO3_ViewLink)
When I deploy this application on OBIEE and run a report with the objects:
(1) VO1 and VO2 - report works fine
(2) VO2 and VO3 - report works fine
(3) VO4 and VO3 - report works fine
(4) VO5 and VO3 - report works fine
(5) VO1, VO2, VO3 - report works fine
It is when I run the report with the objects
VO1, VO2, VO3, VO4 that it throws an error message:
"Error occurred while calling remote service ADFService11G. Details: ADFException-3007: The ViewObject "AppModule.VO3" is used as a destination in more than one ViewLink. (HY000)"
OBIEE version is: 11.1.1.7.0 (with no patches), Database: 11gR2, JDev: 11.1.1.7.0
Kind regards
RAM.
I was able to resolve this error by changing my AppModule data model, changing the cardinality between VO3 and any other VO from 1 : n (VO3) to 1 (VO3) : n, i.e. making VO3 the source view object rather than the destination view object.
Kind regards
RAM.
-
Why does the DR unit not fire the schema trigger when it is called remotely?
Hi all
I have a question about Oracle schema triggers and I would be grateful if you could kindly give me a helping hand.
Oracle version: 11gR2 (11g Enterprise Edition Release 11.2.0.1.0 - 64bit)
OS: Linux Fedora Core 17 (x86_64)
I was reading the online documentation on schema triggers where Oracle says:
Assume that users user1 and user2 own schema triggers, and user1 invokes a DR unit owned by user2. Inside the DR unit, user2 is the current user. Therefore, if the DR unit fires the triggering event of a schema trigger that user2 owns, then that trigger fires.
I wanted to see this behaviour in practice, so I made the following test case:
- There are two schemas:
- testuser, where I create a procedure with AUTHID DEFINER (therefore a DR unit) named createTab. This procedure takes a table name as a parameter and, if no table with this name already exists in the testuser schema, it creates a new table with that name with a single column of type NUMBER (well, it's just an example for this issue; in practice I never create my tables this way)
- training is therefore another schema to which we grant the EXECUTE privilege on the above mentioned procedure createTab, so that it is possible to create tables in the testuser schema by calling the procedure remotely.
The idea behind the test is to create a schema trigger for testuser, so that whenever there is, for example, a table creation, a message is inserted into a log table (just an example to show proof that the schema trigger has fired on the table creation event). Now, assuming I grant the EXECUTE privilege on the createTab procedure to the training schema, then any remote table creation must fire the schema trigger, because according to the documentation, inside the DR unit the user is not considered to be the calling user (= training) but actually the owner (= testuser) that created the trigger and the procedure.
The problem is that I cannot see this in my test. Therefore I will write my test case here so that you can have a look at it and indicate where I went wrong and what I misunderstood in the documentation.
So here's what I created in the testuser schema:
SET SQLBLANKLINES ON
ALTER SESSION SET PLSQL_WARNINGS = 'ENABLE:ALL';
SET SERVEROUTPUT ON;

-- A log table in which the schema trigger inserts messages
-- indicating that the schema trigger was fired (as proof)
CREATE TABLE tablog (logMsg VARCHAR2(100));

-- Here is the procedure that updates the above defined log table (tablog)
-- This procedure (autonomous transaction) is called by the schema trigger
CREATE OR REPLACE PROCEDURE updateLog (p_logMsg IN tablog.logMsg%TYPE)
AUTHID DEFINER
IS
    PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
    INSERT INTO tablog (logMsg) VALUES (p_logMsg);
    COMMIT;
END updateLog;
/
SHOW ERRORS;

-- This is the procedure we use to create tables (it will be called
-- remotely from another schema -> training)
-- As stated above, the procedure takes a table name as a parameter
-- and creates a table with a single column of type NUMBER, provided
-- that no table with this name already exists
CREATE OR REPLACE PROCEDURE createTab
(
    p_tabName IN user_tables.table_name%TYPE
)
AUTHID DEFINER -- Therefore a DR unit, as we explicitly specify AUTHID DEFINER
IS
BEGIN
    <<bk>>
    DECLARE
        tabName user_tables.table_name%TYPE;
    BEGIN
        -- Check to see if a table with the name p_tabName already exists
        SELECT t1.table_name INTO bk.tabName
        FROM user_tables t1
        WHERE t1.table_name = UPPER(p_tabName);
    EXCEPTION
        -- No table with this name exists, so we create it now
        WHEN NO_DATA_FOUND THEN
            EXECUTE IMMEDIATE 'CREATE TABLE ' || p_tabName || ' (n NUMBER)';
    END;
END createTab;
/
SHOW ERRORS;

-- And finally here is the schema trigger for the schema 'testuser'.
-- Any call of the above mentioned procedure createTab (if the procedure
-- creates a new table) fires the following trigger
CREATE OR REPLACE TRIGGER testuser_schema_tr
BEFORE CREATE ON testuser.SCHEMA
BEGIN
    -- Just insert a message into the log table as evidence
    -- that our schema trigger fired on CREATE TABLE statements
    updateLog
    (
        TO_CHAR(SYSDATE, 'MON-DD-YYYY HH24:MI:SS') ||
        ': Schema trigger for testuser fired.'
    );
END testuser_schema_tr;
/
SHOW ERRORS;

-- Grant the privileges required so that the training user/schema
-- may also be able to remotely run my procedure
GRANT EXECUTE ON createTab TO training;
GRANT SELECT ON tablog TO training;
First, I tested the createTab procedure locally (that is, connected as the testuser schema, in other words the owner of the procedure and the trigger). Everything worked well: the tables were created and the log table was updated by the trigger, which showed that after each CREATE TABLE statement the trigger was indeed fired.
However, when I opened a new SQL*Plus terminal, this time connected as the training schema, I observed that it was still possible to create tables in the testuser schema remotely, but the log table was no longer updated, which means that the trigger did not fire on the CREATE TABLE statements that were issued remotely (by the remote call of the createTab procedure).
SQL> EXECUTE testuser.createTab('tmptab');
PL/SQL procedure successfully completed.
SQL> SELECT * FROM testuser.tablog;
no rows selected
SQL> SHOW USER
USER is "TRAINING"
SQL>
Any idea? Why doesn't the DR unit (createTab procedure) fire the schema trigger, contrary to what the documentation says, when it is called remotely?
Thanks in advance,
Dariyoosh
It works for me on Oracle 11.2.0.3
August 21, 2013 18:10:12: Schema trigger fired
But not on 11.2.0.1
It looks like a bug.
-
Remote debugging with Apex and SQL Developer
Hello
I am trying to turn on remote debugging with Apex and SQL Developer.
I can debug the PL/SQL procedure when it is called from SQL*Plus, but when I call the procedure from an Apex 'Process', the debugger does not stop at breakpoints.
I checked that the procedure is called by the Apex process as I can see 'things' happening in the procedure, but the debugger does not stop at breakpoints. The program being debugged (Apex session) manages to connect to the SQL Developer debug listener.
Apex process (OnSubmit)
---------------------------
BEGIN
  DBMS_DEBUG_JDWP.CONNECT_TCP('10.176.20.225', 4000);
  DONOTHING;
  DBMS_DEBUG_JDWP.DISCONNECT;
END;
Procedure
-------------------------------------
CREATE OR REPLACE
PROCEDURE DONOTHING AS
  testvar VARCHAR2(100);
BEGIN
  UPDATE test_data SET cross = 'I came here 11111'; -- this is executed
  COMMIT;
  testvar := 'aaa'; -- BREAKPOINT IS HERE
END DONOTHING;
/
Thanks in advance,
Paresh
Published by: pyadav1 on November 19, 2008 15:19
Hello
Sorry... seems I was too hasty in reading your question...
Did you also grant *DEBUG ON [parsingschema].[procedurename]* to APEX_PUBLIC_USER (or ANONYMOUS or HTMLDB_PUBLIC_USER)? Otherwise, the behaviour is exactly as you have described...
The DEBUG CONNECT SESSION privilege needs to be given to the parsing schema, but the APEX_PUBLIC_USER schema needs the DEBUG privilege on the function or procedure...
Does that help?
Carsten
-
Is it possible to use the Remote app with the Apple TV connected via ethernet and the iPhone via WiFi? When I try this, the Apple TV does not appear in the list of devices on my iPhone.
Yes, I'm doing exactly this with the same setup.
If the problem persists, the following articles might help you.
-
When I send a message or call a contact with my Apple Watch, is the message or call free, or am I paying for it with my mobile plan?
Apple Watch is just an extension of your iPhone.
If you send a message or make a call, you do so via the paired iPhone, just as if you had sent the message or made the call with the iPhone.
-
Problem with calls on Skype with Lollipop 5.1.1
When I call on Skype with a headset I have a problem with my microphone; when I turn it off I get into this mess... Does anyone else have this problem? How can I tell the Xperia team to fix it?
This isn't a Sony matter, it's a Skype matter, which means you will need to contact the developers of Skype in this regard.
-
Restricting calls between a subzone and specific extensions on Cisco VCS
Hello, I use Cisco VCS 8.5.3; my goal is to restrict calls between a subzone and specific extensions.
I tried the following solutions:
- Uploading an XML policy
- Using the call policy web interface in order to limit calls
XML file:
But when I apply the XML file, or try using a simple rule in the web interface (for example: source 11111, destination 12222, action reject), I'm still able to place the call from 11111 to 12222.
What can be the cause of the problem and what else can I try to be able to prohibit calls between a particular subzone and extensions?
Attached is an example CPL script that should work. Using this CPL script, I was able to block calls from a set subzone to a destination alias located in the Default Subzone and was still able to call any other endpoint in the Default Subzone without problem. Note that you must enter the name of the subzone as you have configured it on the VCS, including spaces if they exist.
The scenario is based on the CPL example "Limiting access to a local gateway" in the VCS X8.5 Administrator's Guide on pg 413; other CPL reference documents and examples can be seen starting on pg 410.
-
WLC 4402 unable to authenticate correctly with ACS 5.2
For some reason, I can't get the WLC to authenticate correctly with ACS 5.2. It's very strange in the sense that when I check the log, ACS authenticates and authorizes the WLC 4402, but I can't log on to the WLC. The login screen appears; if I type the username it jumps back to
Controller of >
user:
password:
No matter what I type (internal or external users), nothing seems to work.
To add to my frustration, I have no problem with authentication on routers and switches, only the WLC 4402.
Hello
Please remove the privilege level settings on the ACS.
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Common Tasks
Default Privilege - Not in Use.
Maximum Privilege - Not in Use
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful messages.
-
AAA authorization with ACS Shell sets
Hi all
I am using a Cisco 871 router running version 12.4(11)T Advanced IP Services.
I am having difficulty getting AAA authorization to work properly with ACS.
I am able to configure users in ACS fine and assign them shell and priv level 7.
I then set up a Shell Command Authorization Set and enter the configure command and the config commands.
When I log in as a user, I get an exec with priv level 7 no problem, but I never seem to be able
to access global configuration mode by typing in conf (or configure) terminal or t.
If I type con? the only command is connect; configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the router?
It's frustrating.
The ACS server is set up with the Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I have the 'Unmatched commands' option set to 'Permit'.
The "Permit unmatched Args" option is also selected.
See an extract of my IOS config below:
aaa new-model
!
!
aaa group server tacacs+ ACS
 server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!
Hope you can help me with this one...
PS I tried with the privilege commands on the router and with them removed from the router and just keep getting the same results!
Hello
So here,
You're actually using two different options and trying to couple them together. What I would say is you either use the shell command authorization function or play with privilege levels. Don't mix both together.
The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I couldn't be sure. Try it and share the results.
What I suggest is to put the commands back to their normal level.
Provided below are the steps to set up shell command authorization:
-------------------------------------------
Follow these steps on the router:
-------------------------------------------
! --- <username> is the desired username
! --- <password> is the password
! --- Create a local username and password
! --- in case we are not able to get authenticated via
! --- our TACACS+ server, to provide a backdoor.
username <username> privilege 15 password <password>
! --- To apply the aaa model on the router
aaa new-model
! --- The following command specifies our ACS server
! --- location, where <ip address> is the ip address of the ACS server
! --- and <key> is the key, which must be the same on the ACS and the router.
tacacs-server host <ip address> key <key>
! --- To get users authenticated through ACS when they try to log in.
! --- If our router is unable to reach the ACS, we will use
! --- our local username & password created above. This
! --- prevents us from being locked out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! --- The following commands are for logging the user's activity
! --- when the user connects to the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
--------------------
ACS configuration
--------------------
[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.
Provide any name.
Provide a description (if necessary).
(a) For full administrative access:
In 'Unmatched Commands', select 'Permit'.
(b) For limited access:
In 'Unmatched Commands', select 'Deny'.
Then, in the field above the 'Add Command' button, type the main command, and in the box below it type the argument lines (permit ...) under that command, with 'Permit Unmatched Args' selected.
For example: if we want the user to only have access to the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
-----------------------------------------------
Unmatched Args: Permit
-----------------------------------------------
permit login
permit logout
permit exit
permit enable
permit disable
permit configure terminal
permit interface ethernet 0
permit show running-config
------------------------------------------------
In the example above, the user will be allowed to run only the commands listed. If the user tries to run 'interface ethernet 1', the user will get "command authorization failed".
[2] Press 'Submit'.
[3] Go to the Group on which we want to apply this command authorization set. Select 'Edit Settings'.
(more...)
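The mismatch the answer describes (a priv-7 user with command authorization only at level 7 never even sees "configure terminal", because IOS hides level-15 commands before anything is sent to the TACACS+ server) can be modelled. The following is an added example, not code from the thread, from Cisco or from ACS: a small Python model of the two gates a typed command passes through, the IOS privilege-level check and then the ACS shell command authorization set. The default command levels, the Level_7 and restricted sets, and the assumption that commands with explicit argument rules have 'Permit Unmatched Args' unchecked are all constructed for this illustration; ACS's real argument matching is order-based and only approximated here.

```python
import re
from dataclasses import dataclass, field

# Default IOS privilege level of a command's first keyword (constructed subset;
# level-1 commands are visible to every user, "configure"/"interface" are 15).
DEFAULT_CMD_LEVELS = {"login": 1, "logout": 1, "exit": 1, "enable": 1,
                      "disable": 1, "show": 1, "configure": 15, "interface": 15}


@dataclass
class CommandRule:
    """One command entry in an ACS shell command authorization set."""
    permit_args: list = field(default_factory=list)  # regexes over the argument string
    deny_args: list = field(default_factory=list)
    unmatched_args_permit: bool = True               # per-command "Permit Unmatched Args" box


@dataclass
class CommandSet:
    rules: dict                      # first keyword -> CommandRule
    unmatched_commands_permit: bool  # the set's "Unmatched Commands: Permit/Deny" switch

    def authorize(self, cmdline):
        """Simplified ACS evaluation: explicit deny, then explicit permit, then defaults."""
        keyword, _, args = cmdline.strip().partition(" ")
        rule = self.rules.get(keyword)
        if rule is None:
            return self.unmatched_commands_permit
        if any(re.fullmatch(p, args) for p in rule.deny_args):
            return False
        if any(re.fullmatch(p, args) for p in rule.permit_args):
            return True
        return rule.unmatched_args_permit


def router_decision(cmdline, user_priv, acs_set, authz_levels, cmd_levels=None):
    """What IOS does with cmdline typed by a user whose exec privilege is user_priv.

    authz_levels: levels configured with `aaa authorization commands <n> ...`
    cmd_levels:   per-keyword overrides from `privilege exec level <n> <command>`
    """
    levels = {**DEFAULT_CMD_LEVELS, **(cmd_levels or {})}
    level = levels.get(cmdline.split()[0], 15)
    if level > user_priv:
        return "parser-rejected"    # not in '?' output, never sent to the TACACS+ server
    if level not in authz_levels:
        return "permitted-locally"  # no command authorization configured for this level
    return "permitted-by-acs" if acs_set.authorize(cmdline) else "command-authorization-failed"


# The thread's "Level_7" set: unmatched commands and args permitted, no explicit rules.
LEVEL_7_SET = CommandSet(rules={}, unmatched_commands_permit=True)

# The answer's restricted set: unmatched commands denied, explicit permits only.
RESTRICTED_SET = CommandSet(
    unmatched_commands_permit=False,
    rules={
        "login": CommandRule(), "logout": CommandRule(), "exit": CommandRule(),
        "enable": CommandRule(), "disable": CommandRule(),
        "configure": CommandRule(permit_args=["terminal"], unmatched_args_permit=False),
        "interface": CommandRule(permit_args=["ethernet 0"], unmatched_args_permit=False),
        "show": CommandRule(permit_args=["running-config"], unmatched_args_permit=False),
    },
)

if __name__ == "__main__":
    # The 871 as posted: priv-7 user, authorization at level 7, no privilege overrides.
    print(router_decision("configure terminal", 7, LEVEL_7_SET, {7}))
    # After `privilege exec level 7 configure terminal` the command reaches ACS and passes.
    print(router_decision("configure terminal", 7, LEVEL_7_SET, {7}, {"configure": 7}))
    # The answer's approach: priv-15 user, authorization at 0/1/15, explicit command set.
    for c in ("show running-config", "interface ethernet 0", "interface ethernet 1", "debug ip packet"):
        print(c, "->", router_decision(c, 15, RESTRICTED_SET, {0, 1, 15}))
```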