AAA/Identity/Nac :: ACS 5.4 And User Admin Roles

May 8, 2012

we have created some administration accounts which should only have the possibility to work on the user database.  the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far  to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.

View 4 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Can Add / Modify ACS 5.2 CLI User Roles

Apr 28, 2011

My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope.  We are migrating from ACS v4.2 to v5.2.  I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal.  The user role does not have privileges for show start-config or show running-config.  Am I missing something or are these the only 2 roles available at the CLI?  Can another rolle be added?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Logged User Cannot Access To Admin Parameters

Sep 9, 2012

After upgrade  to ACS 5.2 appliance ,  we are trying to configure AAA between Ciscoworks  and ACS. Authentication is working but authorization fails , logged user cannot access to admin parameters. I've configured attributes manually but it doesn't work.Does ACS 5.2 support integration with CiscoWorks?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.3 How To Have Different Roles On Different VDC's

Mar 6, 2013

I have ACS 5.3 running TACACS+ and Nexus 7K with 2 x non-default VDC's, VDC-OTV and VDC-CR.I want my TACACS account to have role "vdc- admin" on VDC-CR, and "vdc-operator" on VDC-OTV.I tried putting the VDC's into different Network Device Groups, with VDC-CR being in an Authorization Rule that associated the Device Group with the "vdc-admin" Shell Profile. But I'm getting the same roles on both VDC's--both get whatever the role in the Shell Profile.
 
It's possible I'm not organizing the Devices and Network Device Groups correctly. It seems to me when I add a new Device, it knows about all the Device Groups, and the IP range and exclude syntax seems to be a pain. I have existing Device Groups, one with a 10.10.*.* IP range, and I'm trying to isolate these two VDC's out of that IP range into their own individual Device Groups.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 VM Editing CLI Roles For VMWare Admins

Mar 7, 2012

I have a client that is running ACS 5.3 as a VM in ESX 4.1.  The client wants their VMWare admins to have the ability to shut down the ACS server during maintenance etc...  I know I could create a CLI user with admin priviliges, however, assigning full admin priviliges is beyond the scope of what the user requires.  They simply want a user account with the added privilige of performing a halt from the CLI.  In the CLI Reference Guide for ACS.
 
So is it possible to create an account with user priviliges, then modify its permissions to allow for a halt?

View 3 Replies View Related

Making A User A Domain Admin In Server 2003

Jul 20, 2011

I have a desktop without a wireless card and i want my network to be wireless so i bought a d-link wireless card for the desktop, the system then discover the wireless network but could not connect it kept on trying to authenticate, it did not even ask me for the web security key, what do I do

View 1 Replies View Related

Cisco :: 4400 WLC / WCS - Monitoring Lobby Admin User Activity

Jan 26, 2011

We currently have about 8 WLC 4400 series controllers deployed around the company, one of these controllers is acting as an Achor controller for GUEST wifi access for visitors to the company, as a result of this we have many users with "LobbyAdmin" access to setup users.
 
We have recently introduced a Cisco WCS to manage these devices but its not fully implemented/active to see all WLC's.I need to be able to report on the LobbyAdmin users to see who is setting up accounts and for who etc. Currently access to the WLC/WCS is done via Local admin accounts. All accounts for the LobbyAdmin people are setup on our anchor controller.
 
I have added the anchor controller for this to the WCS system but when looking in Administration/AAA/Groups the LobbyAdmin groups shows No Members.Is there a way that i can import the Lobby Admin names from the anchor WLC to the WCS so i can do reports/audit checks on these users?

View 2 Replies View Related

Linksys Wireless Router :: E2000 -Admin User ID Changed To SSID Name?

Jul 12, 2010

I have manually configured the E2000 and set the admin password. When I was trying to log back in, I could not. I reset and reconfigured and set the password again. I still could not log in using "admin" and the password I set up. I thought I was losing my mind. Just on a hunch, I used the SSID name instead of "admin", then entered the password that worked. I am able to login, but I need the username to be admin, not the SSID. Has anyine else had this issue? Any way to change the administrator name back to admin??

View 5 Replies View Related

Cisco :: Router 8803G - Erase Admin User / Change Password

Jan 15, 2013

i have a Cisco Router 8803G and i would like following commands to be run by telnet:
 
1) erase an admin user
2) change the password of an admin user

View 2 Replies View Related

Cisco Application :: ACE 4710 To Setup User With Admin Context Access Permission

Jan 12, 2011

ACE 4710 TACACS issues ,How to setup user with Admin context access permission. I have enable the TACACS and it can directly put me in Context mode not in Admin Context mode .

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Can't Ssh Into ACS 5.2 By Using The Admin Account

Jun 5, 2011

We created the admin account during the setup and were able to log into the Web GUI, but we can't use this admin to access the CLI by using ssh, always said permission denied.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Use AD Authentication For ACS 5.2 Admin Accounts?

Jul 7, 2011

I want to set it up so that when you log into any of the ACS 5.2 servers you have to use your AD credentials to log in and define what access you have. Is this possible? If so, how can this be set up?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5500 / ACS 5.1 Radius For VPN And Admin?

Feb 27, 2011

I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and aslo to provide admin access to the ASA5500 both via radius.I want to authenticate the VPN against a SeureID appliance and the admin login against a different database (using internal for testing but will use LDAP in the end).I cant seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol radius I can point that at either database but if I try saying match radius and service type 5 it doesnt match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesnt seem to work either.In the end what I want to acheive is to authenticate teh ASA5500 VPN against the SecureID appliance and then admin access to all devices on teh newtork (a mixture of Cisco, F5 and Juniper) to active directory via LDAP where if the user is a member of the "admin" group they get access.I was intending to use specific devices for the ASA5500s (there aretwo) and then creat a device group based on IP address range for everything else.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Admin Users Authentication Against AD

Apr 23, 2012

Do you know if it's possible to use ACS 5.x in such manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against and external database, like Active Directory?

View 2 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Creation Of Network Admin Policy For Nx-os Devices?

May 28, 2012

i have acs 5.2 i need to create a network admin policy to our nx-os devices such as nexus switches, how this will be done on acs 5.2?

View 0 Replies View Related

AAA/Identity/Nac :: ACS V5.1 View Not Showing Full Admin Logs?

May 18, 2011

I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a Maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days + However when I try and display the "ACS_Configuration_Audit" in View and perform a Custom query that goes back 90 days it will only display about 35 days of Admin logs.I know the logs are there because when I go into CLI and do a search like "show logging | i "ObjectType=Administrator Account" the Administration logs go back over a year.why ACS View cannot display all the Admin logs?The ACS is running v5.1.0.44 Patch 6 (Also experiencing this in a v5.2 ACS as well)

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?

Dec 1, 2011

my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Configuring ACS 5.x For Restricted Dev Admin Command Set?

Apr 25, 2013

this is the first time I am about to configure ACS 5.3 to authorize user group from doing some commands in the "configure mode" while permitting them some other commands. As example, I want to deny them from doing "reload" but give them access to configure "time-range", what happen is, they are denied access to "reload" on the exec mode, but once they went into "configure" mode, they would be able to "do reload"I mean to say, is it possible to manage the subsequent commands to "configure terminal" ?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Configure ACS 5.2 And Checkpoint For Firewall Admin

Aug 5, 2012

how to configure ACS 5.2 for device administration of Checkpoint firewalls and security management servers?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Banner For ACS 5.3 Admin Login Page

Feb 20, 2012

Is there a way to put a login banner on the ACS admin web page?  Either display it directly on the web page or do a redirect to a banner page?  Can I edit the admin pages directly or does ACS provide a mechanism to add this type of feature?
 
We are using ACS 5.3 running on VMWare.

View 2 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Using AD To Manage Network Device Admin Policy Creation

May 22, 2012

we managed to integrate our newly setup ACS 5.2 to our regional domain.  now im creating a Device Admin access Policy for Regional Network Admin group and Regional Network Operators group. each having full  and read access respectively. 
 
i already have the default  identity policy and authorization policy with with command sets  fullaccess and showonly for each group, now i dont know how can i match the AD group regionaladm and regionalops so that  each user falls under one of these groups will have a correct  read/write access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: 3355 / Reset / Recover ISE Admin-CLI Password

Jul 30, 2012

I have to reset/recover admin-CLI password. I had posed the question in [URL]Now as per the CLI-admin password recovery procedure at [URL] I have inserted DVD in the hardware appliance, but I don't see any prompt with these options:

"Welcome to Cisco Identity Services Engine - ISE 3355
  #
To boot from hard disk press <Enter>
  #
Available boot options: "
 
I  just see login prompt ( and of course, I cannot login because I don't  know the password). I am using serial console connection to the  appliance.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Using Active Directory To Manage Network Device Admin

Jun 14, 2012

we've configured an ACS 5.1 and integrated it with active directory Win2K3, we created two groups in the AD for managing network devices one for Administrators and the other for operators (read-only),  so we configured a device admin policy and both groups work fine, but now we are facing a little problem any user who exists in the AD can login (user exec mode) in the network devices and we want to restric the login with the policy, but we just don't know how. Is there a way to get a user be authenticated against external group or internal acs but at user level, just like you can do it in the ACS 4.X?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.3 Authenticate Wireless Users / Admin Access To WLC / Switches

Mar 13, 2013

Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.

Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]

Update:

1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.

2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 / Authenticating Device Admin Users Against AD Specific Groups

Jan 28, 2013

I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
 
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Web Admin Password Recovery For Nac Server Applicance 3355

Jul 8, 2012

What is the procedure for web admin password recovery for nac server applicance 3355?

View 14 Replies View Related

Cisco AAA/Identity/Nac :: Backup Admin Requested To Install VMWare Tools On ACS 5.3 Server

Nov 11, 2012

to backup an ACS 5.3 vm running on ESXi 5.0 our backup admin requested to install vmware tools on the acs server.

View 2 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Machine Authentication And AD User?

Sep 1, 2011

I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
 
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:

[code]....
 
Everything seem to fine until it gets to the last rule.

View 1 Replies View Related

AAA/Identity/Nac :: AD User Password Changing With ACS 5.0?

Oct 11, 2011

I use ACS appliance 1120 for cisco devices administration. The identity store is  external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Add A User Into Several Groups?

Apr 5, 2011

We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Maximum User ID

Jan 5, 2013

what is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.

View 2 Replies View Related

Make A Backup Of Roles And Their Configurations?

Jun 1, 2011

I have a Domain Controller on windows 2003 advanced server. and I have roles and some configuration such as rights, user accounts, DHCP configuration, DNS server and etc on it.Some times windows needs to be reinstalled but after reinstalling,configuration of roles would be lost. I don't know how can I backup these settings? Is there any solution about this problem.I know a simple way is creating an image of windows installation drive by an application such as Norton Ghost but I'm talking about windows solution.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved