AAA/Identity/Nac :: ACS 5.1 Domain User Authentication Restriction
Sep 26, 2011
We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.
View 1 Replies
ADVERTISEMENT
Dec 28, 2011
We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.
View 3 Replies
View Related
Aug 24, 2011
I've my ACS linked with AD to give administration access to few network devices and I've created an access policy to link my AD groups with those network devices and command sets.
Unfortunately I found I can use any user from my AD to login to my devices. Only LOGIN, the authorization definition is restricting the command set for those users.
How can I restrict the LOGIN to an specific AD group?
View 2 Replies
View Related
Jun 11, 2011
I am trying to create a user restriction to allow one user to access only two networks (10.192.3.0 and 10.192.5.0) I have range of networks but I want to permit only two networks for limited user and full access for the admins. I know this was possible with ACS 3.3 but I am not too sure if this is also applicable with ACS 5.2.
View 1 Replies
View Related
Sep 21, 2011
I`ll get straight to the point. I have at work a domain of computers. on one of the computers (I have admin rights) I want to share a folder that can be accessed by other computers that are not in the domain. By default accessing that share requires a user/pass. My question is: can I configure something on the computer (running windows 2008 server) to the shared folder so that other computers that are not from the domain will gain access to without user/pass requirement (like a normal share)?
View 3 Replies
View Related
Jun 26, 2011
I have a remote access VPN profile configured on an ASA 5540. This profile is almost identical to the same profiles configured on other ASA 5540. The profile is linked to Active Directory for authentication. For some reason, users are not being prompted for the domain name field when connecting to the firewall, on the other firewalls they get prompted for all three (user/pass/domain).
All the firewalls are running 8.0(4) 32. And the following is the configuration of the firewall that I am experiencing issues with:
ip local pool TESTVPN 10.244.124.1-10.244.127.254 mask 255.255.252.0
group-policy TESTCERT internal
group-policy TESTCERT attributes
banner value **** WARNING ****
banner value You are Now Successfully Connected (code)
View 1 Replies
View Related
Feb 3, 2013
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies
View Related
Jun 6, 2011
I'm installing ACS4.2 in our lab domain and want to leverage the corporate domain for authentication. The one way trust is in place, but there is a facet that I'm not clear on in regards to the installation requirement.
I'd like to install ACS on a lab domain member server, but I'm not sure that will work. The installation docs seem to imply that a member server must be in the same domain as the authentication server, but its not very clear. if I want to use the one way trust to the Corporate Domain, am I required to install ACS on the domain controller of the Lab Domain?
View 3 Replies
View Related
Sep 1, 2011
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
View 1 Replies
View Related
Nov 12, 2012
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies
View Related
Jun 5, 2012
Can use ACS 5.2 as Guest user authentication server?
View 3 Replies
View Related
Apr 12, 2013
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
View 1 Replies
View Related
Jul 18, 2011
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
View 6 Replies
View Related
Aug 18, 2011
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
View 8 Replies
View Related
Jul 19, 2011
I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via Internal Database and another user to auth via Radius Token Server. I cannot find how to do this with 5.2. There is a note in the doc that states 'Identity-related attributes are not available as conditions in a service selection policy'. Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?
View 1 Replies
View Related
Dec 17, 2011
While configuring LDAP , I got struck in “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.
View 1 Replies
View Related
Jul 18, 2011
I have some queries regarding on the report generation for on Cisco ACS v5.2.
1) Can we schedule to run a customized report on ACS and then email the report to the user?
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
3) Can we configure user authentication logs to be viewed on WCS.
View 6 Replies
View Related
Apr 18, 2011
I have setup ACS 5.2 in my lab and have it completely funcation with Downloadable ACLs, Dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are to many auth attempts. I have gone into AD and set a max login attempts to 3 but if I continue to fail authentication (on purpose) using radius auth, it never locks out my AD account? I am using the Anyconnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connect to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?
switchport mode access ip access-group 10 in authentication event fail action authorize vlan 40 authentication event no-response action authorize vlan 40 authentication host-mode multi-host authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 20 authentication violation protect mab dot1x pae authenticator dot1x timeout quiet-period 5 dot1x timeout tx-period 5 dot1x max-req 3 spanning-tree portfast
View 1 Replies
View Related
Aug 2, 2011
While I was at school there was a system in place where by you had to enter a user name and password to access the internet. Every student had a data limit like 3GB per month for example. I remember it had something to do with a proxy. I would like to recreate this system on my office LAN as some staff members have been downloading a lot slowing down the (very expensive) Internet connection. Limiting each users data will discourage large downloads.
View 1 Replies
View Related
Nov 23, 2011
We are using ASA 5510 Version 7.2(4) at our organisation. The requirement is we need to give an access to a user with limited access so that he can run only specific commands on configuration mode. We don't have Cisco TACACS server instead of that we are using a microsoft radius server.
View 6 Replies
View Related
Sep 15, 2011
I would like to ask some question on WLAN technology, which I using WiSM version 2. And i get requirement that user must be restrict with SSID, so, i found that it can do it on ACS version 4.x via NAR for SSID-based authentication feature. Then, is it possible to do restriction on ACS Version 5.x?
View 4 Replies
View Related
Mar 22, 2012
I have a Active Directory user that cannot log onto any computer that's on my organizational domain. The error is "You cannot log on because the logon method you are using is not allowed on this computer"
View 5 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Jan 29, 2012
We have a computer running Windows 2000 Pro that used to connect to a domain at work. Upon bootup, it asks for the user/password.Yesterday we tried to connect it to a little home network by changing the domain to a workgroup with a different name (network name that i used at home) as well. Now when it boots up, asks for a user/password, but now it does not recognize my user name and password.I can log in as an administrator to the Workgroup with the new name. but i cannot access the old Domain with its user and passwords. I tried to change back to the old name and to domain, but when doing that i get and error messsage which says: The following error occurred validating the name "xxxxxxx" (network name that I use at home) this condition may be caused by a DNS lookup problem. so I'm not sure if a should run the clear DNS cache. and if in doing that I'll be able to restored it back to the stage that i was before I made the changes.
View 1 Replies
View Related
Sep 28, 2012
We have shared network drives on my network whose folder structure must not change. We have users who must have full access to the contents of these folders and be able to read/modify/erase and create new files inside these folders. However, the structure of the folders must not change so that other users/programs can locate files within these folders.
Some users sometimes "aggressively click" and drag and drop folders into different locations and can't remember where they dropped them. This makes them inaccessible for other users. We have a lot of folders so I implemented FileWatcher Simple program to monitor these folders and if there is a change in folder structure I get an email with an attached log. The log tells me which folders got created/deleted/renamed and I am able to restore the folder structure if need; but I cannot see who caused these changes.
1. Is there a way for me to see which user in my domain modified the folders?
2. Is there a way to disable users from drag and dropping, deleting, renaming folders yet still maintain full access to the files within these folders?
View 1 Replies
View Related
Aug 22, 2011
how to find the current logged on user on a domain network? I tried nbtscan but it gives me ip address, machine name and mac address. In the server column it gives <server> and in the user name column it give <unknown>.
View 1 Replies
View Related
Jan 13, 2012
We had a power outage that kicked off our server and our network switch (2008R2, Cisco2960), before we could get it back up, a user was able to log into his laptop.
The user used the domain login - not the local machine account - he obviously wasn't able to access any shared resources, but how did he log in with a domain account, when the server and switch were both off?
View 1 Replies
View Related
Jun 29, 2012
I started getting into IT (as a job) a little less than a year ago, though I've been working with computers for close to 20. So networking was never something I was into while working on computers at home. I've been handed a significant position at work and I am learning a lot as I go. I want to know how to grant permissions for a domain user to a directory without adding the user to all of the sub-directories and directories. The only way I've figure thus far is to grant permissions to said folder, then inside remove the "inherit permissions..." but then I have to manually remove the permissions to every other sub-folder.I want to add a single path to a folder by adding single permissions to each folder until the directory in question is reached.
View 2 Replies
View Related
Feb 19, 2013
user can't login into domain with right credentials in active directory
View 6 Replies
View Related
Jul 20, 2011
I have a desktop without a wireless card and i want my network to be wireless so i bought a d-link wireless card for the desktop, the system then discover the wireless network but could not connect it kept on trying to authenticate, it did not even ask me for the web security key, what do I do
View 1 Replies
View Related
Aug 21, 2012
I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine. I have setup an AAA server group for my Active Directory with the "NT Domain" protocol". Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the Anyconnect VPN to only a few users in AD.
View 1 Replies
View Related
May 20, 2012
A wireless router linksys has been installed but the internet through that wireleless works only if i type the proxy on the IE browser and authenticate with domain
View 1 Replies
View Related
Apr 5, 2011
We are changing our old Pix 515e this weekend and for brand new ASA 5510.With this new installation, I would like to implement the Radius authentication for remote vpn user. Changing the firewall of the company has many impact and for the first phase the user will keep authenticating locally but I need that in phase 2, they will be authenticated via a radius server.Is there a way to configure both authentication for remote vpn user?
All user will be authenticated locally except the member of the IT Department who will be authenticated by the radius server for testing.I have remote vpn users around the world so I do not want these users to be blocked by the testing of the radius authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by the radius. When testing will be done, all users will be transfer to the radius authentication gradually.
View 1 Replies
View Related
