Select the Tunnel-Group based on OS devices

Hello

With an ASA5512x, is it possible to have AnyConnect dial-in PC users asked for their IDs AND also a one-time password,

whereas smartphone users only need to provide their username and a password, without the need to manually select the profile?

I've set up two tunnel groups:

(1) requires an LDAP server for authentication

(2) is in contact with a RADIUS server running the one-time-password software.

Is it possible to have the ASA assign smartphone users (based on their OS) so that it automatically uses the first profile (which has limited access to the resources of the intranet), with AnyConnect PC users pinned to the second tunnel group? Dynamic access policies seem to be able to differentiate only 'within' a tunnel-group.

Thank you very much!

Kind regards

David

I have never tried it this way, but if it does not work (as I suspect), there is a solution:

  1. Point your clients to the two different tunnel groups with the help of tunnel-group-URL.
  2. Later, in the DAP, enforce that the client does not use the wrong tunnel-group.

Tags: Cisco Security

Similar Questions

  • name of the tunnel-group

    Hello

    In the configuration below I set a tunnel-group name that is the same as the VPN tunnel peer. Is that what you have to do, or could you call the tunnel-group whatever you want?

    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200
    isakmp enable outside
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    tunnel-group 10.10.10.1 type ipsec-l2l
    tunnel-group 10.10.10.1 ipsec-attributes
     pre-shared-key xxx
    crypto map abcmap 1 match address l2l_list
    crypto map abcmap 1 set peer 10.10.10.1
    crypto map abcmap 1 set transform-set FirstSet
    crypto map abcmap interface outside

    Robert,

    The tunnel group should be the IP address of the remote end, because it is used as the ID. The only time you ever need to use a specific name is if you are using certificate authentication.

    HTH.

  • ASA per-tunnel-group authentication issue

    Is it possible to do per-tunnel-group authentication on ASA 8.4.x?

    Here are the scenarios:

    (1) tunnel-group_A performs authentication using the digital certificate (PKI)

    (2) tunnel-group_B performs the authentication using AAA (RSA SecurID token)

    (3) tunnel-group_C performs authentication using LOCAL (AAA users defined locally)

    Tunnel-group_A, B, and C all use the same physical interface, the outside interface.

    I tested it, but it doesn't work the way I expected.  BTW, I have already disabled "ssl certificate-authentication interface outside port 443".

    Here are the results of the tests:

    If tunnel-group_A is configured with the certificate, then the tunnel-group_B connection will fail, but the tunnel-group_C connection works very well.

    It seems that tunnel-group_B is trying to authenticate with the certificate too, although it should not.  BTW, authenticating with LOCAL still seems to work.

    I understand that you can configure tunnel-group_A for "both" certificate and AAA, but that's not what I want.

    Has anyone seen this before?  Is there a workaround?

    Thank you

    Joe,

    Yes, I would then use group-url. And I would create an XML profile with the specific URL in the server list.

    List of servers

    Let me know.

  • Hide the tunnel-group in the AnyConnect client

    Hi all

    How do I hide the profiles in the drop-down menu that don't interest me?

    I always see all the tunnel groups set up on the ASA.

    In the Cisco AnyConnect client path, I have preferences.xml.

    Thanks in advance for your help

    Regards

    If group aliases are configured on the ASA, any user who goes to the outside interface to connect to the VPN will see the list.

    The ASA administrator can optionally publish a URL shortcut using the "group-url" attribute when configuring the SSL VPN. Here is a link to the section of the configuration guide on doing so. That way you can browse (or point AnyConnect) directly to this URL and skip having to select from the drop-down list.

  • Select query to select a month range based on the current date

    It's an Oracle 10g database.

    I want to select two months of data from the table. But these two months should be based on the current date.

    For example:

    If I run the select query on July 7, 2013, then the query must ignore the current month, July 2013, and last month, June 2013, and it should select only May 2013 and April 2013.

    Can someone help me with how to write this query?

    SELECT *
    FROM my_table
    WHERE my_date >= TRUNC (ADD_MONTHS (SYSDATE, -3), 'MON')  -- first day of the month 3 months ago
    AND my_date < TRUNC (ADD_MONTHS (SYSDATE, -1), 'MON')     -- first day of last month

  • Select the duplicate rows, based on a combination of columns as the key

    Hello

    I have a table with 5 columns.

    Code ID S_DATE E_DATE name
    1 23 01012001 null ABC
    1 09 01012001 null XYZ
    2 81 04022007 null TVU
    1 43 03092008 null XXX



    Now, I need to write a select statement to extract the duplicated rows in the table above with the combination of (Code, S_DATE, E_DATE) as the key.
    So in the above example, I need to get Row1 and Row2 as output (but not Row3 as it has a different S_DATE)

    Thanks in advance for your suggestions.

    Thank you

    Published by: thotaramesh on March 9, 2009 16:54

    The XE;

    WITH sample_data AS (
       SELECT 1  code,23 ID, '01012001' s_date, null e_date, 'ABC' NAME FROM dual UNION ALL
       SELECT 1, 09, '01012001', null, 'XYZ' FROM dual UNION ALL
       SELECT 2, 81, '04022007', null, 'TVU' FROM dual UNION ALL
       SELECT 1, 43, '03092008', null, 'XXX' FROM dual)
    SELECT code, ID, s_date, e_date, NAME
    FROM (
       SELECT
          sample_data.*,
          COUNT(*) over (PARTITION BY code, s_date, e_date) dups
       FROM sample_data)
    WHERE dups > 1;
    
          CODE         ID S_DATE   E_DATE NAME
    ---------- ---------- -------- ------ ----
             1         23 01012001        ABC
             1          9 01012001        XYZ
    
  • Selection of the layer groups

    Hello.

    I wanted to ask you:

    Is there a shortcut or special key combination to select a layer on the canvas when it's in a group?

    When I press Ctrl + LMB on a layer that sits on the canvas, PS selects the entire group, but not this layer.

    Hi Oxmstr,

    There is a shortcut to select the layers that are inside a group.

    If you have a mouse with more than one button, select the Move tool and right-click on the area of the image that's on the layer you want to select. If you use a Mac and a one-button mouse, select the Move tool and Ctrl + click. A context menu appears and you can select the layer you want very quickly.

    To find more Photoshop CS6 shortcuts, see the Photoshop CS6 quick reference Guide. You can search for tools, menus and shortcuts.

    I hope this helps.

    Luanne

  • FRM-30187: size of the column of type CHAR in the record group must be between 1 and 2000.

    Hi, forms 6i, db 10g

    I created a lov based on this query

    select * from items_qty_vu -- database view
    

    and the view code is

    CREATE OR REPLACE FORCE VIEW items_qty_vu (serial, item_id, expiry_date, qty)
    AS
       WITH item_units_plus AS
            (SELECT item_id, unit_id, factor,
                    LEAD (factor, 1, 1e99) OVER (PARTITION BY item_id ORDER BY factor)
                                                                   AS next_factor,
                    ROW_NUMBER () OVER (PARTITION BY item_id ORDER BY factor DESC)
                                                                           AS rnk
               FROM item_units)
       SELECT     ID.serial, ID.item_id, ID.expiry_date,
                  SUBSTR
                     (SYS_CONNECT_BY_PATH (   TRUNC (  MOD ((  ID.qty
                                                             - ID.qty_allocated
                                                            ),
                                                            iup.next_factor
                                                           )
                                                     / iup.factor
                                                    )
                                           || ' '
                                           || u.unit_name,
                                           ', '
                                          ),
                      3
                     ) AS qty
             FROM item_detail ID JOIN items i ON i.item_id = ID.item_id
                  JOIN item_units_plus iup ON iup.item_id = ID.item_id
                  JOIN units u ON u.unit_code = iup.unit_id
            WHERE CONNECT_BY_ISLEAF = 1
       START WITH iup.rnk = 1
       CONNECT BY iup.rnk = PRIOR iup.rnk + 1 AND ID.serial = PRIOR ID.serial
         ORDER BY ID.serial;
    
    

    When I compile the form, I face the error FRM-30187,

    If I replace my query "select * from items_qty_view" with "select item_id, serial, expiry_date from items_qty_vu", it compiles successfully.

    As salamualikum, Salem,.

    You must follow my instructions carefully.

    1. Select the record group.

    2. Go to the record group properties.

    3. Select and open the column specifications.

    4. Highlight the column and check the length; where the size exceeds 2000, reduce it to 2000 or below.

    Compile now and you're done.

    Wow. you did.

    Hamid

  • Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group

    Hello

    Our ASA was set up by a consultant some time ago to allow SSL VPN connectivity with an RSA backend. I am now trying to get a site-to-site VPN working but seem to be running into a lot of difficulties. I get a load of debugging messages related to the L2L VPN, which I believe is set up correctly. Here's what I think is of interest:

    "January 24, 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x".

    The user shown is the IP address of the remote Cisco router that we are trying to set up the VPN with.

    I have to admit that I haven't done a lot with the SSL VPN side of things, so this part of the config is out of my depth; that's why I am posting here.

    If anyone can help it would be really appreciated.

    Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?

    Thanks in advance for any help.

    dynamic-access-policy-record DfltAccessPolicy
     webvpn
      url-list none
      svc ask none default svc
    aaa-server VPNAUTH protocol radius
    aaa-server VPNAUTH *. *. *
     retry-interval 5
     timeout 3
     key *
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    group-policy DfltGrpPolicy attributes
     dns-server value ! !. !. !
     vpn-idle-timeout none
     vpn-tunnel-protocol webvpn
     ip-comp enable
     ipsec-udp enable
     default-domain value mondomaine.fr
     address-pools value vpnpool
     webvpn
      http-proxy enable
      svc keep-installer none
      svc keepalive 60
      svc rekey method ssl
      svc ask none default svc
      activex-relay disable
      file-entry disable
      file-browsing disable
      url-entry disable
    tunnel-group DefaultRAGroup webvpn-attributes
     radius-reject-message
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap
     authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool vpnpool
     authentication-server-group VPNAUTH
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
     radius-reject-message
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

    Wayne

    Do "sh run all tunnel-group" and you should see the group policy associated with it.

    For example:

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     no accounting-server-group
     default-group-policy DfltGrpPolicy
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *
     peer-id-validate req
     no chain
     no trust-point
     isakmp keepalive threshold 10 retry 2

    Let me know if it helps.

    Cheers,

    Gilbert
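
The check Gilbert describes, resolving each tunnel-group to the group policy it falls back to, can be run over a saved configuration. The Python below is an added example, not code from the thread: the sample configuration, its addresses and the L2L-POLICY name are constructed, and it assumes "show running-config all" style text with sub-commands indented by a space. It also lists ipsec-l2l groups whose effective policy has a vpn-tunnel-protocol line with no IPsec keyword, as in the DfltGrpPolicy posted above, which lists only webvpn.

```python
import re

# Constructed sample in ASA 8.x syntax; addresses and policy names are made up.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-tunnel-protocol IPSec
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key *
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 general-attributes
 default-group-policy L2L-POLICY
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group VPNAUTH
"""

DEFAULT_POLICY = "DfltGrpPolicy"
IPSEC_KEYWORDS = {"ipsec", "ikev1", "ikev2"}  # pre-8.4 and 8.4+ spellings

HEADERS = (
    (re.compile(r"tunnel-group (\S+) type (\S+)$"), "type"),
    (re.compile(r"tunnel-group (\S+) \S+-attributes$"), "group"),
    (re.compile(r"group-policy (\S+) attributes$"), "policy"),
)


def parse(config):
    """Return (tunnel_groups, group_policies) parsed from configuration text."""
    groups, policies = {}, {}
    current = None  # attribute dict that indented sub-commands belong to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":  # a top-level command leaves any sub-mode
            current = None
            for pattern, kind in HEADERS:
                m = pattern.match(line)
                if not m:
                    continue
                if kind == "type":
                    groups.setdefault(m.group(1), {})["type"] = m.group(2)
                elif kind == "group":
                    current = groups.setdefault(m.group(1), {})
                else:
                    current = policies.setdefault(m.group(1), {})
                break
        elif current is not None:
            words = line.split()
            if words[0] == "default-group-policy" and len(words) > 1:
                current["policy"] = words[1]
            elif words[0] == "vpn-tunnel-protocol":
                current["protocols"] = [w.lower() for w in words[1:]]
    return groups, policies


def effective_policies(groups, policies):
    """Map each tunnel-group to its type, group policy and allowed protocols."""
    inherited = policies.get(DEFAULT_POLICY, {}).get("protocols")
    report = {}
    for name, attrs in groups.items():
        policy = attrs.get("policy", DEFAULT_POLICY)
        # A policy without its own vpn-tunnel-protocol inherits DfltGrpPolicy's.
        protocols = policies.get(policy, {}).get("protocols", inherited)
        report[name] = {"type": attrs.get("type", "unknown"),
                        "policy": policy, "protocols": protocols}
    return report


def l2l_without_ipsec(report):
    """Names of ipsec-l2l groups whose known protocol list has no IPsec keyword."""
    return sorted(
        name for name, r in report.items()
        if r["type"] == "ipsec-l2l"
        and r["protocols"] is not None  # None: line not present, cannot judge
        and not IPSEC_KEYWORDS & set(r["protocols"])
    )


if __name__ == "__main__":
    rep = effective_policies(*parse(SAMPLE_CONFIG))
    for name, r in rep.items():
        print(name, r)
    print("L2L groups whose policy excludes IPsec:", l2l_without_ipsec(rep))
```
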

  • How do I select the photos I want to import in the Windows 7 import wizard, and how do I rename them with a custom group name when importing?

    Has features missing from Windows XP in Windows 7?

    I'm doing a simple import of photos using the option 'Import pictures and videos using Windows' native Autoplay.

    In Windows XP, I could choose what images to import and give them all the basic name custom during the import process, with each photo added later with a "001", "002" etc using the scanner and Camera Wizard.  It is very convenient because it could have been hundreds of photos on some of my cards from a long period of shots, I could run the tool more than once for different groups of photos that I would choose Import, and the pictures would be get named sequentially and stored in their files you want immediately.  I imported thousands of photos in this way.

    This new tool for Windows 7 allows me to add tags to all of the photos on the cards and devices and name photos after their date, or on the label, or other combinations of that... but why doesn't this new tool in Windows 7 suppose I want to import every single photo on the card device / I just connect and more that I want them all to have the same tag assigned to them?  It's stupid and useless - there, makes only has pictures of a theme on their card at any time that they connect to import their photos and always wants to import everything each time?

    To illustrate this point, let's look at my current situation.  I'm just on vacation in Europe and took pictures to more than one place, I visited, of course and now I would like to mark photos with the location of the names individually... or even more, I would like to actually name photos when importing with the name of the place in the picture.  Scanner and digital camera Assistant & would do that, no problem - you just had to run the tool once for each different group name, then select the appropriate images to import with the same group name.  It has been easy.  This type of naming is far superior to the addition of tags to images named simple-list or date-wise because you can tell what the image file in your library that you want to open just by going to (or get) the group name.  Want to see pictures of St. Peter's Basilica?  If you named the photos with that (added with 001, 002 etc), then simply browse to that name in your folder of photos «The Italy, holiday 2010»  Without trying to find photos Tags into the sea by the name of "IMG20100324005" - soup and no program Photo Gallery Windows Live Photos or necessary Picasa.

    This new program in Windows 7 for the import of images does not appear to be able to handle the very handy feature of its predecessor Windows XP.  It's very frustrating to have opted for the version of Windows newer and supposed to be 'better' but find several programs that have been very useful for XP have valuable features removed or are no longer present at all (like how Windows 7 is no longer a Clipboard Viewer - that has great idea that is?).

    So is it possible to recover the image import feature I apparently lost by 'redevelopment' of Windows Windows 7?  I could of course go and buy an image import and edition program (Smart Photo Import very nice for the price, a quick search I just do), but as this feature was native in Windows XP it is still stupid to have to buy a 3rd party simply program now because Microsoft does not understand the idea of keeping popular features in their software and seems rather "he dumb down.

    Any help to select the pictures I want to import and naming them when importing with a custom group name using the import wizard would be greatly appreciated... + 10 GB of photos and videos of this trip is sitting & waiting for a solution!

    ===========================================
    Perhaps the following links will propose a few ideas:

    Windows 7 - change settings for importing pictures and videos
    http://Windows.Microsoft.com/en-us/Windows7/change-settings-for-importing-pictures-and-videos
    (don't forget to extend "Import in the view settings" at the bottom of the page)

    Windows 7 - How to make photos from my camera to my computer?
    http://Windows.Microsoft.com/en-us/Windows7/how-do-I-get-pictures-from-my-camera-to-my-computer

    You might find the free Picasa software or Windows Live Photo Gallery
    to be useful:

    (FWIW... it's always a good idea to create a System
    Restore point before installing software or updates)

    Download Windows live Photo Gallery
    http://explore.live.com/Windows-Live-Photo-Gallery
    (There are other applications included in the download...
    Uncheck the ones you don't want)

    Picasa
    http://Picasa.Google.com/

    Volunteer - MS - MVP - Digital Media Experience J - Notice_This is not tech support_I'm volunteer - Solutions that work for me may not work for you - * proceed at your own risk *.

  • ACS 5.2 assign VLAN based on the AD group

    I am trying to configure ACS 5.2 to dynamically assign a VLAN to a user based on the group to which the user belongs. I went to:

    Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab

    and selected the name of the AD group. If I understand correctly, I should now see this group under:

    Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name

    However, it is not there. Am I missing something?

    No.

    "VLAN ID/Name" is, as the name clearly states, a VLAN ID or name. Not a "group name".

    You don't assign a group name in the VLAN.

    The name of the group must go in the 'if' condition in your authorization profile. If "usergroup AD = x", then assign this VLAN.

    Then, in the VLAN ID/Name, you manually type which VLAN corresponds to the user's AD group.

    If you end up creating too many rules because you have a lot of AD groups, what you can do is create an AD attribute to store the VLAN number or name, and ACS will simply return that.

    Nicolas

  • VPN profile (tunnel group) under the same IP pool

    Hello

    My client VPN on the Cisco ASA 5510 works perfectly. The thing is that now I want to create a new profile or tunnel group with a new ACL, because I want to restrict access to only certain hosts. But I don't know if I can do it under the same IP pool. If the answer is yes, how could I bind the new tunnel group to the correct ACL?

    This is my config:

    access-list vpnxxxx extended permit ip any 192.168.125.0 255.255.255.0
    ip local pool ippool 192.168.125.10-192.168.125.254
    nat (outside) 1 192.168.125.0 255.255.255.0
    nat (inside) 0 access-list vpnxxxx
    aaa-server RADIUS protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx
     key xxxx
    crypto dynamic-map dynmap1 20 set transform-set Myset1
    crypto dynamic-map dynmap1 20 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap1 20 set security-association lifetime kilobytes 4608000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy RA-VPN internal
    group-policy RA-VPN attributes
     dns-server value 172.16.1.100
     vpn-idle-timeout 30
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelspecified
    tunnel-group RA-VPN type remote-access
    tunnel-group RA-VPN general-attributes
     address-pool ippool
     authentication-server-group (outside) partnerauth
     default-group-policy RA-VPN
    tunnel-group RA-VPN ipsec-attributes
     pre-shared-key *

    Thank you

    The command is "vpn-filter" in the Group Policy section.

    Define a group policy for each tunnel group and select it with 'default-group-policy' in the tunnel-group section.

  • AnyConnect automatic tunnel-group assignment without selecting a group-alias from the tunnel-group-list, and per-user group policy

    The objective is that the AnyConnect user must select group-alias, so that when a user enters his username and password he goes to his specific group policy and tunnel-group. So I removed this command in webvpn: 'no tunnel-group-list enable'. With this I cannot connect (the user does not authenticate).

    1 - My question is why does this not work?

    Solution:

    If I keep only a single default tunnel-group, make several group policies and assign each user his specific group policy, it works. That is, if I issue only the following commands in the user attributes it works, but if I put "group-lock value test-tunnel" it does not authenticate.

    Please explain why.

    webvpn
     enable outside
     cache-fs limit 50
     svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
     svc enable
    group-policy test-gp internal
    group-policy test-gp attributes
     vpn-tunnel-protocol svc webvpn
     address-pools value test-pool
    username test password test
    username test attributes
     vpn-tunnel-protocol svc
     group-lock value test-tunnel
     vpn-group-policy test-gp
    tunnel-group test-tunnel type remote-access
    tunnel-group test-tunnel general-attributes
     default-group-policy test-gp
    tunnel-group test-tunnel webvpn-attributes
     group-url https://192.168.168.2/test enable

    Yes, you have the right solution. You only need to create 1 tunnel group and multiple group policies. Under the user attributes, you then set the VPN group policy that you want the user assigned to.

    You can also authenticate users against AD and configure ldap attribute map to map the user to a specific group policy automatically.

    Here is an example of configuration if you happen to have the AD and will authenticate against AD:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

    Hope that helps.

  • Return a value to a second item based on the LOV selection in the first item

    When a user selects a value (Group_Desc) from a LOV item (created from a table), I want a corresponding value from the table to display in a second item (Director_Name) on the page. I don't know JavaScript, but found a clear example that sums 3 page items into a 4th item - http://download.oracle.com/docs/cd/E10513_01/doc/appdev.310/e10497/javascript.htm#CHDDCIFE - which is similar, but rather than summing the values of the items for the new item, I want to use a select lookup on the table based on the return value for Group_Desc (item 1) to be included in item 2.

    If using JavaScript is the only way to do it (and I would appreciate another way), I need help with the code for the cited example so that it passes a return value to item 2 from this select:
    Select Director_Name from groups where Group_Desc = :P7_Group_Desc;

    Here's the example I found.

    // Return the numeric value of a page item, or 0 when it is empty
    function getVal(item) {
      if (document.getElementById(item).value != "")
        return parseFloat(document.getElementById(item).value);
      else
        return 0;
    }
    document.getElementById('P1_TOTAL').value =
      getVal('P1_ONE') + getVal('P1_TWO') + getVal('P1_THREE');


    Thanks for any help,
    Karen

    Karen

    I'll take a look in the morning.

    Your description is not yet very clear (although I admit that I have not yet watched the app).

    Please can you set out the desired inputs and outputs in your app.

    Cheers

    Ben

  • What is the Groups function supposed to do when it is selected in the Phone app?

    I see an option for selecting groups when you use the Contacts feature in the Phone application.  What does that do?  I want to set up groups of my own, but don't see how to do it or if it is even possible.  Any ideas?  My app has a function of groups and I set up some groups here such as family, teammates in our fantasy football league, etc.

    Thank you

    jbacinti

    Basically, the use of groups allows you to send an email or a message to everyone in the group.  You simply select the group you want instead of each individual.  To configure groups, check out these links:

    Send a group message from your iPhone, iPad or iPod touch - Apple Support

    iCloud: create a group and add contacts

    Can you create additional groups in your Favorites? iPhone 6s
