The ACS user groups
I have a problem.
We have two groups created in ACS: group 1, TACACS+ Access, and group 2, RADIUS Access. Group 1 has the people who were created on the ACS server itself. The second group is dynamic, for users who are granted access through User Manager for Domains. We do not want the second group to be able to access our routers and switches with their Microsoft accounts; they can now, at least as far as the enable prompt. I wish the two groups were completely independent of each other. Our group 1 is used only by our administrators, who have access to all of our network devices.
I'm sure some type of filtering, or a group of IP addresses, could be implemented on ACS, but I'm not sure where, if that is the case.
Can someone please help!
Thank you!
Matt
You must set up Network Access Restrictions (NAR) on group 2 so that it cannot access the routers/switches.
Make sure the group-level NAR option is checked under Interface Configuration > Advanced Options. Then go to Group 2, NAR section, check "Define IP-based access restrictions", select the "Denied Calling/Point of Access Locations" table, and then select each of the routers/switches, using * for the Port and Address, and add them to the table.
Anyone in Group 2 will then be refused authentication on any of the routers/switches.
Tags: Cisco Security
Similar Questions
-
Several downloadable ACLs by ACS user group
Is it possible to map several downloadable ACLs to a single user or user group using ASA and ACS?
For example, you have an ACL controlling access to servers (ACL A) and another ACL for internet access (ACL B). Is it possible to assign several ACLs to a group of users, so that user group A can only access the servers, while user group B can access servers and internet (ACL A + ACL B)?
Thank you and best regards.
George,
The user and group settings only allow you to select a single DACL at a time.
Kind regards
Jousset
-
AAA RADIUS authentication for the only user group
Hello
I use ACS 3.1 and am trying to use RADIUS authentication for all the network switches in my company.
The problem I'm facing now is how to restrict only one user group to login/exec access on the switches. It seems that all user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.
I would like to stop them from telnetting in with their IDs, except for the administrator group.
Advice on how this is possible?
Thanks!
In ACS, you need to put the admin users in their own separate ACS group, leaving the other users in their own group as well.
Edit the group that contains the users you don't want to give access to and, under the Network Access Restrictions (NAR) heading, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the Port and Address fields).
This prevents standard users from authenticating to the switches. You can also add all your switches to a Network Device Group (NDG) and then add that NDG in the NAR section, rather than adding each switch individually.
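The two answers above (deny the non-admin group on every router/switch, optionally via an NDG) describe how a per-group IP-based NAR decides whether a session may proceed. The following model is an added illustration written for this page, not ACS code; the group names, AAA clients, NDG and addresses are constructed, and it also shows the "Permitted" table variant that the answers do not use.

```python
"""Model of how a per-group, IP-based Network Access Restriction (NAR) in
Cisco Secure ACS 4.x decides whether a group may authenticate through a
given AAA client.  Added illustration, not ACS code: the device names,
groups, NDG and addresses below are constructed for the example."""
from fnmatch import fnmatchcase

# Constructed inventory: AAA clients and the Network Device Group (NDG) each belongs to.
AAA_CLIENTS = {
    "core-sw1": {"ip": "10.0.0.1", "ndg": "Routers-Switches"},
    "edge-rtr1": {"ip": "10.0.0.2", "ndg": "Routers-Switches"},
    "vpn-asa1": {"ip": "10.0.0.9", "ndg": "VPN"},
}

# Per-group NAR tables, as built under Group Setup > Network Access Restrictions.
# Each entry is (AAA client or NDG, port pattern, address pattern); "*" matches anything.
# mode "denied"    = "Denied Calling/Point of Access Locations" table (reject on match)
# mode "permitted" = "Permitted Calling/Point of Access Locations" table (reject on no match)
GROUP_NAR = {
    "Group 1 - Admins": None,  # no NAR defined: unrestricted
    "Group 2 - RADIUS domain users": {
        "mode": "denied",
        "entries": [("Routers-Switches", "*", "*")],  # one NDG instead of every switch
    },
    "Group 3 - NOC": {
        "mode": "permitted",
        "entries": [("core-sw1", "*", "*")],  # may reach core-sw1 and nothing else
    },
}


def _client_matches(entry_target, client_name):
    """An entry targets either the AAA client itself or the NDG containing it."""
    client = AAA_CLIENTS[client_name]
    return entry_target == client_name or entry_target == client["ndg"]


def nar_allows(group, client_name, port="tty0", remote_addr="0.0.0.0"):
    """Return True if the group's NAR lets a session on this AAA client proceed."""
    nar = GROUP_NAR.get(group)
    if nar is None:
        return True  # group has no NAR: nothing to restrict
    matched = any(
        _client_matches(target, client_name)
        and fnmatchcase(port, port_pat)
        and fnmatchcase(remote_addr, addr_pat)
        for target, port_pat, addr_pat in nar["entries"]
    )
    return not matched if nar["mode"] == "denied" else matched
```

Note that the admin group is untouched because the restriction lives on the other group, and that an empty "Permitted" table denies everything.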
-
Access to the ACS SPECIFIC group router
I want to control access to all of our Cisco routers and switches with TACACS+. I have a Cisco ACS appliance that can be used for centralized management of the engineers' accounts. The ACS server, however, is also used to store our business users' VPN accounts.
Can I restrict access to the routers and switches to only the users in the Engineers group on the ACS server?
Hello
If you use ACS 4.x, limiting access through Network Access Restrictions (NARs) could help you:
http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Let me know if this helps, or alternatively whether you use ACS 5 (in which case the scenario is a little different).
Kind regards
Fede
-
Logged in as admin. Cannot change the domain users group to the domain administrator
My domain administrator is defined as a domain user and I want to change it to domain administrator. The groups are grayed out under Account > Users > Admin > Groups.
Hello Tripline,
Please provide the model number and firmware version of your ReadyNAS.
Is your ReadyNAS joined to AD? The ReadyNAS will simply copy the accounts from your AD. The existing domain user 'Administrator' should be adjusted in AD to have administrator rights. I guess you should change everything first, and then rejoin the NAS to AD.
Kind regards
-
What is the name of the table that stores the APEX User Group
Hello
- I created 2 APEX users (user1, user2) [Developer = NO & Admin = NO]
- also created 2 user groups, say Admin & General
and then assigned user1 to the Admin group
and user2 to the General group.
I am able to find the list of users in APEX_WORKSPACE_APEX_USERS, but the groups aren't there.
How do I check which groups an individual end user belongs to... I mean the name of the TABLE...
Thank you
Deepak
Hello
I missed reading the post first.
The view is WWV_FLOW_GROUP_USERS
Br, Jari
Published by: jarola on January 14, 2010 12:47 AM
Published by: jarola on January 14, 2010 12:48 AM
-
ACS 4.1 lists NT groups but not the NT users
Hello
I have the following problem. I can access Windows NT/AD groups using the remote agent, but ACS does not list the users in the groups after ACS group mapping. What could be the problem?
AD runs on Win 2K SP4.
Hello
ACS does not list the user in the groups until you do the first authentication with that user.
Then ACS will list the user as a "Dynamically mapped" user in this group.
Regards
Rohit Chopra
-
I gave my domain users local administrator rights. But they do not get the rights to open Control Panel or Network and Sharing Center, and they cannot change the registry, etc. What is the solution for this? As domain administrator I am able to make any changes on this PC. We are facing this problem on all of our VMware Windows 7 PCs. I tried adding Everyone to the local Administrators group and adding the Domain Users group to the local Administrators group, but no luck...
This issue is beyond the scope of this site and should be posted on TechNet or MSDN.
-
Windows 7 Pro 64-bit (and 32-bit) set up on the domain. The Domain Users group is added to the local Administrators group. Printers are installed under the first domain user. These aren't shared printers, but local USB printers or printers attached to a TCP/IP port with the driver installed. All fine.
A second domain user logs on to the computer. They are part of the local Administrators group, because they are part of the Domain Users group. They go to look at the properties of the printer and almost everything is grayed out. Why? Since they are part of the local Administrators group, shouldn't they have full access?
I look at security for the printer and I don't see the first person in the list, because it was created with their profile, but I do see the local Administrators group that this new user belongs to. Now I can take Everyone and increase the rights, then log in as the new person and they can then change the properties, but why can't the new users, who are admins, alter the properties?
Thanks in advance for your help.
Hi Gsaunders,
If the computer is connected to a domain network then the question you posted would be better suited to the TechNet Forums. I would recommend posting your query in the TechNet Forums.
It will be useful.
-
Why is the ACS blocking my connection to the console?
I have AAA on my switches and routers, but when my server goes down I can't get access to the console port.
My config is attached, along with debug aaa authorization.
These are the debugs for each type of access: Telnet with the TACACS+ user, console with the TACACS+ user, and console testing with the local user.
Telnet access
Oct 15 01:03:09: AAA: analyze name = tty2 BID type =-1 ATS = - 1
Oct 15 01:03:09: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot
Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr'10.10.10.23 = 'authen_type = ASCII service = CONNECTION priv = 1 initial_task_id = ' 0', vrf = (id = 0)
Oct 15 01:03:10: CDP-4-NATIVE_VLAN_MISMATCH %: incompatibility of VLAN native on GigabitEthernet0/37 (102), was discovered with tst1-s2 GigabitEthernet0/1 (1).
Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ENABLE priv = 15 = ASCII service
Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ASCII = priv = 1 CONNECTION service
Console access (works with the ACS user)
Oct 15 01:08:57: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:08:57: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15
Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service
Console access (not working with the local user)
Oct 15 01:05:24: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:05:24: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) = user tweak "LOCAL_USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service
Oct 15 01:05:36: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:05:36: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service
Oct 15 01:06:09: AAA: analyze name = tty0 BID type =-1 ATS = - 1
Oct 15 01:06:09: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
Oct 15 01:06:09: AAA/MEMORY: create_user (0 x 2773004) = user tweak 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)
Oct 15 01:06:41: AAA/MEMORY: free_user (0 x 2773004) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service
Thanks for your help.
Change your commands
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
TO
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Kind regards
Prem
Please if it helps!
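The fix above works because IOS moves on to the next method in a method list only when the current method returns an error (server unreachable), never when it returns a definite failure (bad credentials); with "enable" as the second method the fallback compares against the enable secret, not the local username database. The model below is an added illustration written for this page, not Cisco code; the server, usernames and secrets are constructed.

```python
"""Model of IOS AAA method-list evaluation, showing why
'aaa authentication login default group tacacs+ enable' locks a local user
out of the console when the TACACS+ server is down, while
'... group tacacs+ local' does not.  Added illustration, not IOS code; the
server, usernames and secrets here are constructed for the example."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

LOCAL_USERS = {"LOCAL_USER": "local-pass"}   # 'username ... password' entries (constructed)
ENABLE_SECRET = "enable-secret"              # 'enable secret' (constructed)
TACACS_USERS = {"ACS-USER": "acs-pass"}      # accounts held on the ACS server (constructed)


def method_tacacs(user, password, server_up):
    """'group tacacs+': ERROR when no server answers, otherwise the server's verdict."""
    if not server_up:
        return ERROR
    return PASS if TACACS_USERS.get(user) == password else FAIL


def method_local(user, password, server_up):
    """'local': check the router's own username database."""
    return PASS if LOCAL_USERS.get(user) == password else FAIL


def method_enable(user, password, server_up):
    """'enable': compare against the enable secret; the username is irrelevant."""
    return PASS if password == ENABLE_SECRET else FAIL


METHODS = {"group tacacs+": method_tacacs, "local": method_local, "enable": method_enable}


def authenticate(method_list, user, password, server_up=True):
    """Walk the list like IOS: a later method is consulted only after an ERROR.

    A FAIL from a reachable server is final, so 'local' never acts as a
    backdoor while the TACACS+ server is up.  If every method errors out,
    the login is refused."""
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        if result != ERROR:
            return result
    return FAIL


OLD_LOGIN = ["group tacacs+", "enable"]  # the poster's original login method list
NEW_LOGIN = ["group tacacs+", "local"]   # the suggested replacement
```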
-
TOSHIBA Power Saver does not work with a limited user account
Hello
This same question has been posted in 2006 - not by me - with no successful response. I try again.
If you create a user with a restricted account (member of the local Users group) under XP, it cannot manage either the Windows built-in Power Options or the Toshiba Power Saver tool.
I managed, by working on file and registry permissions, to get the Windows Power Options working. But I still cannot launch the Toshiba Power Saver tool; it always pops up the box "You have no rights." Is there really anything I can do to work around this problem?
Thank you
Yes:
Log in as administrator
Run the Toshiba Power Saver
Go to "configuration Options".
Check "Allow Limited user to change settings"
-
I can't start the PC, error "user group cannot be found."
Original title: problem with user profile
I can't boot the PC; user group is not found. The data is there, but I can't get to it. Most likely a virus. I ran virus apps but nothing helped. Any help appreciated.
Hello Mike,
See if this helps:
Unable to view or add trusted domain security principals are "members of" Properties tab
http://support.Microsoft.com/kb/237905
If you suspect malicious software, restart your computer and start tapping the F8 key
Select Safe Mode with Networking
Download the following tool and run a full scan
http://www.Microsoft.com/en-US/Download/details.aspx?ID=16
When you're done, restart and let Windows load
You can also try creating a new user profile, and test whether the same problem arises when you use the new profile. If it does not, your profile may be damaged.
Fix a corrupted user profile
http://Windows.Microsoft.com/en-us/Windows-Vista/fix-a-corrupted-user-profile
-
ASA LDAP does not find memberOf for the Active Directory Domain Users group
It seems that any group I add an account to is seen by the LDAP memberOf attribute, except for the Domain Users group. Is there a specific exclusion of this group somewhere? It does not seem to be a problem with the space in the name, because if I test with other default groups like Domain Admins, it works. I get the same result from the LDAP attribute map as when I try to use the Domain Users group in a DAP policy. debug ldap 255 returns every other group membership for an account, with the exception of Domain Users.
When I run the command "sh ldap filter ad 'Domain' group", the Domain Users group is in the result list, so it is able to see it and it exists.
Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute: http://msdn.microsoft.com/en-us/library/ms677943.aspx. That explains why the mapping fails for Domain Users, as seen in the debugs.
-
Remove access from unwanted users/groups
Hi all
We have a Planning application in Test at the moment; we have created several groups and users and provisioned them (member and form access). The same application now has to migrate to Production.
Now the question is: do the Test users, groups and their provisioning (member and form access) also migrate when migrating the Planning application?
If yes, how do I remove specific users and groups and their access (member and form access) in Planning?
We use the Hyperion 9.3.1
Thanks in advance,
Published by: user12865804 on June 20, 2010 06:35
Export all the access permissions, update the export file to delete the users/groups you no longer need, then use the security import with the [SL_CLEARALL] parameter so that it clears all the security and loads your new security file. (Make sure that you have a recent backup of the application before you destroy security.)
See you soon
John
http://John-Goodwin.blogspot.com/ -
Hi, is it possible to define the "report links" by user group?
For example, the report links are Download for the Sales user group,
and Download, Refresh and Modify for the Sales admin user group.
I just want to know if this is possible.
Thank you!
If "Sales" does not have the Answers privilege, then the "Modify" link will not be returned even if it is specified for the query. So you can just keep it, and all users who have access to Answers will see it. Read-only users (i.e. no Answers) will not.
See you soon,.
C.