AAA/Identity/Nac :: Creating More Options In ACS 5.2 User Section
May 27, 2012I Need to create more options on Cisco ACS 5.2 under internal identity store in users. How to do add, default not showing all.i have seen on internet.
View 1 Replies
ADVERTISEMENT
AAA/Identity/Nac :: Create More Options In ACS 5.2 User Section?
Nov 16, 2006I Need to create more options on Cisco ACS 5.2 under internal identity store in users. How to do add, default not showing all.
View 6 Replies View RelatedCisco AAA/Identity/Nac :: Creating Internal User Account In ACS 5.2
Dec 12, 2011I have an ACS 5.2 server integrated with Active directory . Now i need to create an internal user account to login to some radisu devices using internal user database .I have near about 600 users all are authenticating through AD .
View 3 Replies View RelatedASA 5580 - AD / XP SysPrep And Automatically Creating User Folders
Jan 25, 2012I've only worked with 7/asa5580 in an Active Directory setting. Sysprepping to clone those machines with default profiles with unattends was very easy, but XP is a different story. I'm now faced with moving several buildings with XP machines to a few Server 2008 R2 boxes, which all will all be in one location. There are around 700 machines but this will be a building by building process, maybe 100 at a time over the course of a year or more. Moving these machines to Win 7 is not an option. There are several buildings but they are all in the same town, all connected with fiber. I do not manage the physical network. My plan is to just offer each user thier mapped network home drive and possibly redirected folders. I'm just keeping it basic.
How important is it to sysprep these XP machines after I do clean installs? I've heard it's very important but also know a lot of people on AD that just clone machines without sysprepping. I've heard not sysprepping can screw with WSUS, but in the years up to this point the machines on Novell have been cloned without sysprep and WSUS worked fine.
Also, will Sites give me the advantage of forcing groups/buildings of machines to authenticate to a specific DC? Otherwise I only know of Sites to allow you to control the replication between servers over WAN. What other benefits is there to using Sites for each building?
If I'm running a few DC/FS's, how to handle DNS? Each server that needs DNS installed will have it installed per requirement, but as for configuring the workstations DNS settings, should I dedicate one server to DNS or have two, or something different?
My last question is about folder permission inheritance. My previous experience, I created a folder inheritance system where when the user was created, their home drive pointed to a folder using \%username%, and a folder would be automatically created, give ownership to the user, and inherit permissions to only view that folder and no one elses. It works brilliantly. My problem is that when I use group policy to deploy folder redirections, I couldn't figure out a way to automatically create folders. I ended up pointing the redirection policy back to their own home folder. It ended up working out OK, but whenever the users look in their network drive they could see the redirected folders.
Cisco Firewall :: ASA 5500 - Command For Creating Read Only User
Jan 13, 2009What is the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?
View 8 Replies View RelatedCisco :: LMS 4.0.1 - Error Creating User Tracking Custom Report
Aug 9, 2011Using Custom Reports from Reports> Report Designer> User Tracking to create an end host report we get this error message: the syntax is not valid the system cannot find the path specified.
View 9 Replies View RelatedCisco :: LMS 4.0.1 - Error Creating User Tracking End Host Report
Sep 19, 2011I have installed LMS 4.0.1 again. Now LMS is running on a Windows 2008 R2, 64 bit. Using Custom Reports from Reports> Report Designer> User Tracking to create an end host report I get this error message: "The syntax is not valid: the system cannot find the path specified". Anyway, the report is created but I’m not able to edit or delete: it is not listed on Available Custom Reports.
View 6 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?
Sep 22, 2011We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies View RelatedAAA/Identity/Nac :: ACS 5.2 Machine Authentication And AD User?
Sep 1, 2011I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
AAA/Identity/Nac :: AD User Password Changing With ACS 5.0?
Oct 11, 2011I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
View 5 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Add A User Into Several Groups?
Apr 5, 2011We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
View 5 Replies View RelatedAAA/Identity/Nac :: ACS 5.4 And User Admin Roles
May 8, 2012we have created some administration accounts which should only have the possibility to work on the user database. the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.
View 4 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Maximum User ID
Jan 5, 2013what is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.
View 2 Replies View RelatedAAA/Identity/Nac :: ACS 5.1 Domain User Authentication Restriction
Sep 26, 2011We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.
View 1 Replies View RelatedAAA/Identity/Nac :: ACS 5.2 - Disable Logging Of Testing User?
Apr 30, 2013I am looking for the way how to disagle logging of one user. We are using one testing user for checking accesibility of ACS from large number of switches - this checking exhausting logs quite quickly. Is it possible to disable logging of such user?
View 2 Replies View RelatedAAA/Identity/Nac :: ACS 5.1 Authentication From Cross Domain User
Dec 28, 2011We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.
View 3 Replies View RelatedCisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?
Jul 26, 2011We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 How To Deny Access To User
Jun 12, 2011I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies View RelatedAAA/Identity/Nac :: Add User (mac-addresses) To ACS 4.2 Via RDBMS With CSV File?
Mar 23, 2011I would like to add user (mac-addresses) to the ACS4.2 via RDBMS with a .csv file. How can I simultaneously add supplimentary user infos, like Real Name and Description ?
View 3 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Limited User Account?
Mar 29, 2013i have cisco ACS 5.2 and want to create user account for technician, with only certain commands.
View 3 Replies View RelatedCisco AAA/Identity/Nac :: User Change Password On ACS 5.3
Mar 7, 2012On the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Can Add / Modify ACS 5.2 CLI User Roles
Apr 28, 2011My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope. We are migrating from ACS v4.2 to v5.2. I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal. The user role does not have privileges for show start-config or show running-config. Am I missing something or are these the only 2 roles available at the CLI? Can another rolle be added?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.3 Local User Authentication
Nov 12, 2012I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 - Delete Specific Log For User X
Jun 25, 2012on the acs 5.2 , how to delete specific log for user X, ?
View 3 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.3 Connected To AD Locking Out User?
Feb 18, 2013 So we have this problem that just started, I can replicate the issue as well, if a user makes a mistake on typing there password after 1 attempt ACS sends 3 to AD locking out the user.
In a putty or secureCRT session after 1 password failed attempt, I am unable to retry with that same session.
The issue seems to be that after 1 bad password attempt, from the client side I am unable to get another try.
Cisco AAA/Identity/Nac :: ACS 4.2 User Group Mapping?
Sep 12, 2012We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
AAA/Identity/Nac :: ACS5 Try To Authenticate User In External Database
Jan 16, 2012Is it possible to create on ACS5 rule which will:
1. Try to authenticate user in external database1 (radius)
2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
AAA/Identity/Nac :: ISE 1.0.4 Machine / User ActiveDirectory Group Retrieving
Mar 6, 2012We are migrating our ACS 5.1 to ISE 1.0.4.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD
- Shutting down the switch port when user is logged engage a new authentication a AD group are well updated.
- Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
Cisco AAA/Identity/Nac :: ACS 5.2 Expiration Date Per Internal User?
May 2, 2011Migrating from 4.2 to 5.2 acs and have noticed there is no expiration date per internal user added. We expire users at different times due to their time on site. Is there something that has to be added to get back this basic feature we had before?
View 6 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.3 Authorization Of User Based On MAC Address
Aug 23, 2012A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
Cisco AAA/Identity/Nac :: User Restriction With Access-list In ACS 5.2
Jun 11, 2011I am trying to create a user restriction to allow one user to access only two networks (10.192.3.0 and 10.192.5.0) I have range of networks but I want to permit only two networks for limited user and full access for the admins. I know this was possible with ACS 3.3 but I am not too sure if this is also applicable with ACS 5.2.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?
Jun 5, 2012Can use ACS 5.2 as Guest user authentication server?
View 3 Replies View RelatedCisco AAA/Identity/Nac :: ISE 1.1.3.124 / Machine And User Authentication / MAR / Timeout?
Apr 12, 2013I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
View 1 Replies View Related