Cisco AAA/Identity/Nac :: ACS 5.2 - Delete Specific Log For User X
Jun 25, 2012on the acs 5.2 , how to delete specific log for user X, ?
View 3 Replieson the acs 5.2 , how to delete specific log for user X, ?
View 3 RepliesWe are trying to apply specific service policies per PPPOE-User.
Our BRAS is a Cisco 7206VXR , running c7200-spservicesk9-mz.122-33.SRE3.bin
When we try an very easy service policy as following the policy is well applied:
Code...
I want to access server with different account names at times. After google search, I found that it is something related to "net use drive: /delete" but we usually access different drives so I wonder how to cancel all the drives and what is the exact command.
View 1 Replies View RelatedWe are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies View RelatedI've inherited some ACS appliances from another part of my organization. I need to keep most of the settings but want to remove all the AAA clients; and preferably not one-by-one. I don't see a way in the documentation and web searches have proven fruitless.
View 1 Replies View RelatedWe are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
View 5 Replies View RelatedI'm doing a basic setup of ACS 5.3. For now, I'm configuring backup to a local repository
!
repository Backup
url disk:/Backup
!
How can I automatically delete old files? I need to keep only the last seven files.
I have two ACS 5.2 running as primary and secondary instances respectively. When I try to delete a remote log target under System Administration > ... > Configuration > Log Configuration > Remote Log Targets I get the following error message...."The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted".
I have searched the configuration within the web gui and was unable to find anything that reference the object that I'm trying to delete.
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button,saw the Proxy Distribution Tableclicked (Default)moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
How to delete the accounting/authorization Reports or logs ?
View 2 Replies View RelatedI would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
View 1 Replies View RelatedI just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?
View 3 Replies View RelatedWorking on setting up a Cisco 10008 with PPPOE and it seems like we kind of have it working but only one user can get on.
Here is part of the config:
Cisco-10008#show run
Building configuration...
Current configuration : 4134 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
Also is there a way to show a specific user once they are connected with PPPOE? I'm currently using "show aaa sessions", but was thinking it would be "show pppoe something"
I am trying to find a tool that will monitor the web traffic for one specific user. If it is capable of bundling it into a report that would also be a benefit. I have searched, but not come up with much aside from broad network monitoring tools. All that is really needed is to capture all the activity from http traffic for this one specific user/PC (since she uses the same PC all the time). We have a Sonicwall NSA 2400 as our internet filter, but I was not able to locate anything on there for specific user reporting.
View 2 Replies View Relatedconfiguring a switch or a router to limit the bandwidth for a specific user/IP when need it. Most of my remote offices are configured like this:
Users ------ 3560 switch ------- 2801 router -------- T1 to NOC -------- 7204 router with channelized DS3
I use Netflow Analyzer for high bandwidth usage alerts and can see the user's IP right away when someone is clogging our T1s. My goal is to be able to temporarily limit the bandwidth of the user taking over the T1. Whatever is best switch config or on the router.
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
View 9 Replies View RelatedI've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
All the logins hit the Admin account, even though the id in AD is not in the that AD group. I have something screwed up.
I'd like to know if there is a way to exclude passed authentications for a specific username from reporting in the Authentications-TACACS and Authentications-RADIUS reports?
We have a few usernames that are used in scheduled jobs. We only need to know when they fail authentication, so we don't need to fill up the reports with every passed authentication from these accounts. Can this be done?
I am doing MAB (MAC authentication bypass) for IP phones and printers.
But these devices are authenticated with different identity stores (IP phones with AD, printer local host on ACS)
Is there any specific AV Radius attributes that i can use in the compound conditions selections which is specific for the IP Phones?
so when doing the Authentication, i could seperate each type (IP phones or Printers) with the appropriate database.
I'm using Cisco ACS 3.3 for RADIUS. How to do I make Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.
View 9 Replies View RelatedWe have a distributed ACS 5.3 set up - a PR and DR replicating successfully.I've set up 4 remote syslog targets. 2 of them are at the same site as the PR ACS and 2 are at the same site as the DR ACS.The logging collector is set on the PR ACS.
The problem is that it "appears" that PR ACS is only sending PR ACS syslog info to one of the remote syslog targets out of the four.
The syslog target which does receive from the PR ACS is at the same site as the PR ACS.
"appears" means that some one has looked on the syslog targets to see what's been received / or not received.
I've been told that the syslog traffic for syslog targets is being received from the DR ACS. Which is strange as the PR ACS is the actual log collector (and is not at the same site as the DR ACS).
I've also got Alarm Syslog targets set up on the PR ACS , (2 are the same ip addresses used in the 4 remote syslog targets). IP addresses of the remote syslog targets have been double checked and can be pinged from each ACS (PR and DR).
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
I have ACS 1120 ACS appliance running ACS version 5.2.0.26.5 ,authenticating VPN users connecting from internet using radius protocol , we have requirement that VPN user account should be disabled by a specific date , Means user ID should be revoked when their contract expire connecting to our data center .
I know this feature is available on ACS version 4.2.,but i could not this feature set on ACS 5.2.0 when user account is created , whether any new sepicfic patch has this feature enabled after acs version 5.2.0.26.5.
With out this feature this set , i cannot ensure ID are revoked automatically ,when specific date come in to end user.
Is there a way to configure an email notification for a specific authentication failure? Specifically, I'd like to see if I can have an email notifcation sent to me when failure reason is "13017 Received TACACS+ packet from unknown Network Device or AAA Client".
View 1 Replies View RelatedWe are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
View 5 Replies View Relatedwhat is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.
View 2 Replies View RelatedWe are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies View RelatedI have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies View Relatedi have cisco ACS 5.2 and want to create user account for technician, with only certain commands.
View 3 Replies View RelatedOn the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies View RelatedMy company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope. We are migrating from ACS v4.2 to v5.2. I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal. The user role does not have privileges for show start-config or show running-config. Am I missing something or are these the only 2 roles available at the CLI? Can another rolle be added?
View 1 Replies View RelatedI want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies View Related