Cisco AAA/Identity/Nac :: 6500 / Restricting Access To SSIDs?

Oct 29, 2012

I have configured a WLAN with WiSM2 Controller installed on a 6500 series, Aironet 3600 series APs and ACS 5.3 for user authentication. The ACS is connected to Active Directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force Guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.

View 3 Replies


Cisco :: 5508 WLC - Restricting SSIDs Using Win2008 Radius Servers

Feb 5, 2013

I have a customer that wants to restrict SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 Radius Server and AD with Cisco 5508 WLCs. I found examples that show this is possible but my question is if I have 2 user groups (teachers and students) in AD and apply a policy for the Radius to send SSID x to teachers and SSID y to students. Upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?

View 10 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?

Jul 26, 2011

We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and be able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. Whether this can be achieved by making configuration changes in ACS.

View 2 Replies View Related

Cisco Switching/Routing :: 6500 / Restricting Inter-VLAN Routing?

May 9, 2013

I'm looking to restrict Inter-VLAN routing through L3 switch (cisco 6500) and wanted to know best possible way to do it. I used VACL and achieved success to some extent, but my config is making clients take up to 5-6 mins to authenticate IP address from the DNS (bootps). My VACL config was as follows:

Subnet to restrict is 10.100.15.0 (VLAN 15)

STEP 1: Created extended ACL to allow bootpc/bootps through DNS

ip access-list extended EACL_DNS
permit udp any eq bootps any
permit udp any eq bootpc any
 
STEP 2: Created standard ACLs to allow only relevant subnet, server VLANs & some IPs from other subnets for printers/scanners etc.

ip access-list standard SACL_VLAN_15
permit 10.100.15.0 0.0.0.255 (the subnet I'm restricting)
permit 10.100.50.0 0.0.0.255 (server VLANs)
permit 10.100.25.45 0.0.0.0 (printer in another VLAN which has to have access in VLAN 15)
 
STEP 3: Created VLAN access list

vlan access-map VACL_15 10
match ip address EACL_DNS
action forward
vlan access-map VACL_15 20
match ip address SACL_15
action forward
 
STEP 4: Applying VLAN Access list on VLAN 15

vlan filter VACL_15 vlan-list 15

Though the above works, below is noted:

1. I'm still able to PING 10.100.15.2 (the switch virtual interface) from outside the subnet, which I don't intend to do so. However all clients in the subnet have no connectivity from outside the VLAN 15.

2. As mentioned it's taking quite some time to negotiate with the DNS server at system boot time.

View 3 Replies View Related

Cisco :: Restricting Access To Certain Sites By Certain Hosts

Dec 4, 2012

I am trying to block access to facebook and twitter on my router, to a certain range of IPs, 192.168.1.8 - 254. I have been digging around and trying stuff but all I do seems to restrict everyone's access to the internet.

View 5 Replies View Related

Restricting LAN From Wireless Access Point?

Jan 13, 2011

Not sure if I am asking this correctly. I want to install a wireless access point into a switch and out the WAN. Going to PW access into the wireless access point. Can I restrict the user from entering the LAN from wireless access point? Change subnets, what to do? Would not mind restricting speed, etc. I think I can through my switch.

View 19 Replies View Related

Restricting Access To Network Devices

Oct 9, 2012

I have installed a video security system into my home/office and several IP cameras are connected via my wired cat5 network which connects to my router and switcher into a PC with internet access. This will allow me to record any break-ins and alert me of this event and view it in real time. I would like to restrict access to these devices for anyone else on the network, with either dedicated access or password protection.

View 1 Replies View Related

Restricting Internet Access To Particular Users On XP?

May 28, 2011

Got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.

The only problem I have is the question of restricting complete internet access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one.

The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,

- 1 user with admin privileges (me)

- 1 limited account for the kid

- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)

I would like for the wifi PCI card to work only when I login to my user account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear that 1 of the accounts that the kid uses also has admin privilege).

I tried disabling the device from control panel but in vain.. (tried something like the sys admins do in corporates ..) disabling the usb ports on the PC's in my office..!

View 4 Replies View Related

Cisco Switching/Routing :: 3750X / Restricting Access To A IP

Jan 12, 2013

This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd) which has full internet access. Now when I am not available in the office, I noticed someone assigning my IP to his workstation and gaining full internet access. How do I restrict such things? I.e. even if someone is assigning my IP on the network, they shouldn't access LAN or WAN. I tried 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' configuring on my L3 Cisco 3750X switch assuming I can achieve, but that did not work.

View 8 Replies View Related

Cisco Security :: 1023 / Securing And Restricting Access To A FTP?

Nov 6, 2012

I have an ASA firewall and I have never configured an FTP server for a large scale network (well large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit only the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use Passive FTP and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also if I use Passive mode do I need to use protocol inspection for FTP? Also, currently I'm unsure of what files need to be accessed on our network but should the SFTP Server always only be installed within the DMZ?

View 4 Replies View Related

Cisco WAN :: 2901 Terminal Server And Restricting Access

Apr 19, 2011

I have a Cisco 2901 Terminal server with AAA authentication via ACS server. I create two accounts on the acs server, cciesec2011 and vendor. Both accounts can log into the Cisco 2901 Terminal Server without any issues. By the way, I am NOT using AAA authorization on the Cisco Terminal Server. Once cciesec2011 or vendor accounts are authenticated, these accounts can access all the async line on the Cisco Terminal Server.

Now I have a new requirement. I would like to allow cciesec2011, once this account is successfully authenticated, this account has access to ALL async line on the Terminal Server. The "vendor" account, I want to restrict this account access only to async line 35 (there are 32 async lines available on the Cisco Terminal Server) and nothing else.

How can I accomplish without using AAA authorization on the Cisco Terminal Server? Is it possible to use "privilege level" to accomplish this? If so, how?

View 5 Replies View Related

Restricting Shared Folder Access Windows 7?

Mar 3, 2011

We have recently ordered a laptop along with a docking station with the intention of connecting it with the desktop PC in the office. We want the documents folders of both computers to be synchronized and to that end we want to share the folders between each computer. However, to do so we will have to connect the laptop to the larger network in our office. Given the sensitive nature of the documents we only want the desktop PC and the laptop to be able to access these files and synchronize them.

Is there any way in Windows 7 to specify exactly which computers are allowed access to shared folders on a computer? What's the best way to achieve the file synchronization between the two?

View 2 Replies View Related

Linksys Wrt54g With 4.2.1 Firmware - Restricting Wireless Access From Router?

May 27, 2011

Is there a way to restrict wireless access to my router from wireless PCs in my home? Two grandsons are off from school now, and are playing online games to the wee hours of the morning. Can I do something to have the router shut off their connection at a certain time? Is that possible? If I have to go back to dd-wrt to do that, fine. I have Linksys wrt54g with their 4.2.1 firmware.

View 5 Replies View Related

ASUS RX3042H - Allowing Wireless Internet But Restricting LAN Access

Mar 20, 2011

The following diagram represents my current network.

I would like for the Phone and the Laptop both on wireless to have internet access but not access to the other PCs/shares.

I have access to routing tables in both the cable router 10.0.0.1 and the wireless router

wired : ASUS RX3042H
wireless : Linksys WRT54G (default Firmware)

View 2 Replies View Related

Cisco Wireless :: 1242Ag / Access Point Does Not Broadcast The Ssids From WLC

May 13, 2013

I have 2 cisco 1242Ag APs in one building and 7 in other building installed in my infrastructure. All these 9 APs are connected to WLC and all of them are added to default ap group to broadcast all the ssid... But 7 in the second building are working properly, but the 2 in the other building are not broadcasting the ssids. I checked the configuration in both APs and WLC as well... All the 9 APs are having the same configuration.

View 12 Replies View Related

Linksys Access Point :: WAP2000 - Configuring 3 SSIDs

Mar 21, 2011

I have a rental property with 3 apartments that are sharing the same internet connection. The users are consistently downloading more than their monthly allowance, and I would like to monitor how much data each apartment's users are downloading. My plan is to purchase a Cisco WAP2000 Access Point and configure 3 SSIDs (one for each apartment). I haven't decided if each SSID is to be setup on its own VLAN.
 
Will I be able to use SNMP to monitor the data that each SSID has downloaded each month? I am happy to use a network management software package (such as PRTG from Paessler) for the actual monitoring itself, but I just need to know if the SNMP in the WAP2000 Access Point will provide the information to begin with.

View 1 Replies View Related

Cisco Wireless :: Aironet AP-1041N Setting To Have Access Point Broadcast Multiple SSIDs

Jan 17, 2013

I have recently purchased an Aironet Access Point. I'm pretty new to Cisco systems and what I'm trying to do is have the access point broadcast multiple SSIDs, let's call them Guest and Admin. My problem is when I config router to have a DHCP address it works perfectly fine but when I assign a static IP it shows any connected device as unknown with IP 0.0.0.0. So I'm guessing I will need to setup a dhcp server. Is there a way access point can have its own DHCP server and IP address (I don't want to use any from my STATIC ip subnet as I don't know a lot of empty ones left) like home wifi router where they assign each device an IP like 192.168.0.1. Is this possible?

View 1 Replies View Related

Linksys Access Point :: WRVS4400N Broadcasts Two Different SSIDs - Public / Private Network

Aug 11, 2011

I have a WRVS4400N that broadcasts two different SSIDs. One is a public network and the second is a private network. Right now, both SSIDs are pulling from the same DHCP server, but I would like to separate the public from the private. How can I separate these SSIDs by vlans? I can't seem to get the vlans to route to separate ports.

This is my vlan settings. I have two DHCP servers right now. One is in an isolated network plugged into Port 3 of the WRVS4400N. The other is on the production network, plugged into port 1 of the WRVS4400N. For some reason, whenever I connect to SSID Public, it won't pull an IP from the DHCP on port 1, it only pulls it from the one on port 2. I know there are three SSIDs here, the Static one is going to be the same network as the EMS one.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE Trustsec With 6500

Apr 27, 2013

I've ISE v1.1.2.145 and Cat 6500 IOS ADVENTERPRISEK9-M, Version 15.0(1)SY2

I'm trying to add 6500 in the trustsec group with ISE and followed the trustsec 2.1 documentation. After configuring it keeps on giving me error in the ISE logs below with the subject #CTSREQUEST#
 
11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
 
Below are the steps:
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15012  Selected Access Service - NDAC_SGT_Service
11302  Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
 
Also after I configure cts credentials and radius-server pac command in 6500, it starts giving me log messages that radius is down and the next moment it comes up again. It is continuously doing that.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: RADIUS And VRF In 6500

Apr 10, 2012

I have the next config of radius authentication:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
ip radius source-interface Vlan31 vrf LEGACY
[Code] .....

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ISE V1.1 NAD 6500 Failed To Decrypt Key

Sep 11, 2012

I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.

My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users. [code].....

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 6500 - Synchronize ACS 5.2-0-26-4 With NTP Server

Sep 14, 2011

Today I have configured my ACS 5.2-0.26.4 to synchronize with NTP server which is implemented in Cisco 6500, but it doesn't work. The switch Core is configured in HSRP, for that reason in the ACS server I defined the virtual IP of the Core as ntp server, maybe the ACS doesn't work with the virtual IP of the switch Core. Finally I want to know if it is possible to synchronize this version of the ACS with cisco 6500. I had integrated this ACS version with cisco 2800.. maybe the ACS could integrate with same special models.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 6500 - ACS 5.2 - Clock Skew Error

Aug 14, 2012

I have a 6500 VSS Core Switch configured as NTP Server. I have installed ACS 5.2 vmware and successfully integrated with the AD. I have noticed in some cases, I lose connectivity between ACS and AD and when I say test connection, it shows clock skew error. Reboot of ACS sometimes solves the issue, else it comes up automatically after some hours. In core switch, I have configured time as PST +4 and in ACS it is configured as PST +4, which automatically goes to GST.

View 15 Replies View Related

Cisco AAA/Identity/Nac :: Can't Establish Local Login / Authorization On 6500

Feb 26, 2013

I have a need to allow a small group of users temporary level-15 access to several 6500 switches (running 12.2-33 SXJ2 code), but do not want to provide them with the enable secret password which is used on the rest of the network (over 1200 devices). I tried to eliminate AAA using the "no aaa new-model" command, but was told I could not remove aaa while there were active sessions, and "login local" no longer appeared as an option for vty lines. So, I created a local user database called "support" which I used to replace the "group" entry in the authentication and authorization sections of our AAA config and for login on vty 0 4. [The username is given a privilege level of 15 along with an individual password for authentication. (ex. user name jsmith privilege 15 password 0 xxxxx)] I modified our AAA configuration to support local login, but was unable to establish "enable mode" (i.e. # prompt) with any account. I can login locally, but only to a normal "user mode" (i.e. > prompt). Here is the current, unmodified and sanitized config for our AAA and line vty 0 4 sections. [code]

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.

View 1 Replies View Related

Restricting The Neighbor For The Wireless Internet

May 29, 2012

I have a neighbor, whom I barely know (don't know his name even), ask if I would be willing to give him the number off of my modem so he can connect wireless to my internet. I believe that is a bad idea. For one I don't know him but if it was possible and I did that, would he be able to access my account? Or start more trouble? He at first said if I give him the numbers off of my router but then I stopped him because I have a modem not a router. So I would never let him but was curious if someone can tap into a signal of mine from a laptop next door to me using wireless signal? And if so can that person see all of my stuff? Would my computer and I be at risk?

View 5 Replies View Related

Cisco Wireless :: 4404 / Restricting Use Of Guest Accounts?

Aug 15, 2011

I am currently running a guest wireless network using 4404 controllers on the wireless side and a 4402 as an anchor controller, all running 7.0.98.0 and all is working fine. Accounts being created via the WCS lobby admin and applied to the 4402. The question I have is, is there any way of restricting the use of an account to 1 device at a time? I am currently seeing evidence of password sharing and my boss would like to make sure that everyone who uses the system has their own credentials.

View 1 Replies View Related

Cisco WAN :: 1811 - Restricting SMTP Inbound Traffic

Mar 16, 2012

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IP's. I wish to restrict this to their IP's only (they have two) and I am unsure on how to do so? As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:
 
mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service, I am thinking an ACL would fit the bill here, but unsure of how to implement. Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, lan is on fa1.

View 3 Replies View Related

How To Setup Home Server And Restricting Users

Feb 20, 2013

I am a networking student so have access to a free copy of Windows Server 2012. I want to setup and get experience with AD, DHCP, and DNS, among other services. Right now I have a Netgear router attached to a Cisco switch (studying for CCENT cert). I have my desktop and server plugged into switch. I want my desktop to connect to the domain for testing and messing around with. My wife has a netbook, smartphone, and wireless ipod. I'd like her 3 devices to get an IP from the DHCP server without having her authenticate to the server. Will the Netgear router allow this since wireless access is on? Or will she need to authenticate with the server to get a DHCP IP? I am going to disable the router's DHCP service.

View 3 Replies View Related

D-Link DIR-655 :: Restricting Internet Time With One Computer?

Feb 24, 2012

First I tried restricting all computers from accessing the internet from 11:00PM to 6:00 through access control.  I enabled it and set up the schedule but it does not cut off the internet.  I went through create a new schedule and did that but again it still connects.  Then, in access control, I selected always and put in my son's IP address and created a schedule for him but it won't allow him any internet access. 

View 2 Replies View Related

Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?

View 3 Replies View Related

Cisco Switching/Routing :: 2900 - Restricting Bandwidth From A Particular Vlan

Jan 17, 2012

I have a 2900 router at branch office. This router has a 4 port switch card and two gigabyte ports. The gigabyte port is use for wan connection and the 4 port switch card is use for lan connection. I have two separate networks on my lan side. (network 1 and network 2)
 
I have assigned port 0,1 of the switch card to vlan1 for network 1 Ports 2,3 of the switch card is assigned vlan 20 for network 2
 
My problem is I would like to apply a bandwidth restriction for all data coming out from vlan20 capping same to 384 kb.

Note I do not want to use QOS because this will only kick in when saturation occurs.

View 8 Replies View Related
