I need to specify users who are allowed access to particular devices and give them privilege only for the show command or show run. Here is how I tried to configure it.
1. Configured two separate Shell Profiles and Command Sets with privilege level 4-5, allowing only the show run command
2. Created a separate service selection rule, adding the required NDG and protocol TACACS and matching service "RestrictAccess"
3. In the RestrictAccess service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, Authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However, when I tried with the particular user, he is able to access everything and he is not hitting the correct access rule.
Is there any way to link the Role-based CLI views created in the AAA client to the user created in the ACS 5.2 server? I know that you could do that in ACS 4.2 by using the "cli-view-name" attribute. What I have in mind is to log in with some user and have the ACS 5.2 server link this user with a view previously created in the AAA client. This is what I would like to achieve:

View configured in the AAA client:

parser view DiData
 secret 5 $1$jPNA$gr9o8gGNmWh9sk8Axbfx91
 commands exec include copy running-config ftp
 commands exec include copy running-config
 commands exec include copy startup-config ftp
 commands exec include copy startup-config
 commands exec include copy
 commands exec include all show

Login to the device using a user created on ACS 5.2 and linked to the above DiData view:

telnet xx.xx.xx.xx
username: cenetacs
password:
Router#?
Exec commands:
  <1-99>  Session number to resume
  copy    Copy from one file to another
  enable  Turn on privileged commands
  exit    Exit from the EXEC
  show    Show running system information
Router#
Typing the command "enable view something" is not an option for us.
I had a problem with authentication using AD group membership. The website below is the way I configured it on ACS.
I'm using ACS 220.127.116.11 and this version has a bug: ACS cannot read AD groups. I have to add them manually. After I changed the access policy from Internal user to AD1, I can use any AD ID to pass authentication. I finished all the configuration from the website and had the same result.
I checked the access policies -- default device admin -- authorization; the new rules I created had no hit count. How can I make sure that I made the right config?
We want to buy an ISE-3315-K9 for 500 end-devices. In the price list I found the ISE-3315-K9 but cannot find the base license: L-ISE-BSE-500=. (I think I need this license.) Will the shipment of the ISE-3315-K9 include a 3000 end-point base license (the maximum supported by the ISE-3315) or do I need to order the base 500 license separately?
Getting the following alarm from my ISE: Cause: Base License Enforcement. Details: Base concurrent users exceed license allowable count. Currently only using 1656 out of 2000 base licenses, so I'm not sure what the issue is. Running 18.104.22.168 patch 3.
My customer has to change the IP address of one of the ACS servers that is in production. In my opinion, a change in IP address would cause the AAA client information in the ACS GUI to update and point to the new IP address automatically.
2nd, I do not see any download image available on CCO for ACS 4.2. There were only the clean access utility and patches. Where can I get the complete ACS 4.2 software image?
We're running ISE 1.1 for guest services. We use Active Directory for Sponsor Portal login, as well as for administration of the ISE itself. Our corporate policy requires a password change for service accounts, and the service account password we use for ISE to connect into AD expires in a few days. So I changed the password on the account, but how do I tell this to ISE? I don't see anything in the documentation, only some references to only use non-expiring accounts to connect to AD. This made me laugh. If our corporate policy was that lax, we'd never have purchased ISE.
1) Is there a way to communicate this to ISE? Or is leave-and-then-join the only way? Will that even work?
2) I see that after the password change, ISE continues to work fine. Does it only synch with AD periodically? On reboot, or every X hours? Right now things are working, but I'm afraid as soon as I turn my back it will stop.
How do you assign each customer to a VLAN? And what kit do you use at the core to roll out VLANs to each POP? We are thinking of using Juniper kit, putting customers on their own VLAN and having a managed service like TR-069 on those VLANs. Is it do-able, and what does everyone use for a TR-069 server? I've been looking on the net and haven't had much joy in finding a server. Or is it not as easy as I understand it to be?
I was asked to perform an upgrade from ACS 5.3 to 5.4 (VM), but I noticed that someone installed it on an 80GB partition and there is 500GB as one of the requirements in the upgrade and install procedure. What is strange to me is that the "dir disk:" command shows such an output: 5165345067 bytes available. And under ESX I see an 80GB partition. Anyway, is there any way to extend the partition size to 500GB? Can I just change it under ESX? Is there any procedure to take under the ACS console?
On ACS ver 5, there is a "User Change Password" feature. When I click the UCP WSDL, it gives me a page with WSDL language. How is it supposed to be installed? Does it copy or install to any web server?
I need two VPN tunnels from one ASA 5510 to two customer endpoints but with the same host on the remote side; the two tunnels are for redundancy reasons. Can I just configure two tunnels with the same host on the remote side and assume the ASA will understand to just use one of the tunnels when both are active, or the one left when one is down? Or do I need extra configuration for that?
Now, my ACS and ASA are connected with RADIUS (MSCHAPv2). I set up Password Lifetime on ACS and Password Management on the ASA. But the Cisco ASA doesn't prompt for a change or notify anything when a user tries to log in with Clientless SSL VPN. Could the user change the password or be notified when it has expired?
I checked "change password on the first login" on ACS, and the ASA prompts with the change password dialog. But I want to change or notify when the password has expired.
We have a new remote site for a customer which only has a 3G connection, and to add more pain to that, they have a dynamic IP address. The easiest possible solution was Easy VPN. The client has a 2800 router with 3G and at our end we have an ASA. The issue is that the server side (the ASA, with clients behind it) always initiates the connection to the remote site, i.e. to 3G. The rule of thumb is that whenever the client (i.e. Easy VPN) initiates the connection, the tunnel will establish.
We are upgrading a customer network and have found that users of a particular application [which is very bursty/bandwidth hungry] have experienced a marked performance drop. I see lots of output drops on the interfaces. This is only happening on the 2960S-48; the rest of the users on the 2960PSTL [all PoE] are not having nearly as bad a time. I have tried various QoS configs with little success. I have seen on some other blogs that the 2960S has fewer buffers than the rest of the family.
Removing QoS or upping the users to 1Gb cures the performance problem.
As observed, the ACS 5.x "Change Password on Next Login" feature does not work with SSH clients (tried with Xshell, SecureCRT, PuTTY, etc.); however, through a telnet session to IOS devices, users can change their password on their next login.
1: On ACS 5.x I create a new user and set the "Change password on Next Login" option.
2: Logged into the device through telnet, and the password can be changed after I authenticate successfully. However, the same is not happening when I log in to the devices through SSH.
Is it because of the fact that SSH is an encrypted session?
Because changing the password through a telnet session is not accepted in many financial organizations as per the PCI standard.
I run a small coffee shop and want to offer free wifi to my customers while also having a secure network for my point of sale/internal network. What is the best way to do this on a limited budget? And what is the best way to protect the secure network?
I need to change the username and password ACS uses to connect to AD. I do a "clear configuration" and reboot and am unable to join the ACS appliance back into my AD with a different username and password. I am able to rejoin the ACS machine to the domain using the original username and password. How do I clear all of the AD config off of the appliance and start fresh and use a new account to join AD?
We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server, not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. If we uncheck the 'change password' box we can authenticate from iPhones & iPads without any issue, but we need to have a way for users to set their own password.
I was in the process of creating an AAA setup on my NX-OS (MDS 9148), logged out/attempted to log in to test AAA login and now I can no longer log in as admin either! I didn't change the local account. I still have the Cisco Device Manager open (in the fabric switch); how do I remedy this (AAA is not up and running as of yet with this switch)?
The IP address of the Primary had to be changed, to respond to a hardware failure of the TACACS server whose IP is in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after a reload, apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in the GUI generates a pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
I am configuring ISE to do posture assessment. I have Avaya as my LAN and core switches. The idea is that once the user is authenticated using 802.1X, it will be moved to the quarantine VLAN, and after it is compliant with the company's policy it will be moved to the actual VLAN. I have configured the Avaya switch to accept the RADIUS-assigned VLAN and also configured 802.1X dynamic authorization. Currently, the RADIUS-assigned quarantine VLAN is working, but once the NAC agent scans and marks the PC status as Compliant, the CoA is not happening and the user is not moved to the actual VLAN.
I tested the same ISE authorization policy of dynamically assigning VLANs on Cisco switches and it worked perfectly, but the same is not happening on the Avaya switch.
I'm part way through trying to set a Catalyst 4510R to factory defaults. One thing I'm stumped on is how to remove the customer disclaimer, e.g. what commands do I need to remove this and any other customer text within the switch? Below is a copy of the text from the switch with the customer's details omitted.
I have a Cisco 3750 switch stack and am performing QoS against a number of SVI VLANs on a per-customer basis. I have 8 customers, each with a /29 public subnet and each with an SVI as a gateway within that /29 range. I then have a "routable" SVI VLAN for routing upstream to the internet. [code]
The service policy attached to the interfaces above is supposed to perform policing on download and upload traffic. The service policy is attached to the Routable VLAN for download policing and the Customer VLAN for upload policing. For example, traffic entering the routable VLAN will be policed based on traffic matching an access list to the customer's IP range (download). Traffic entering the customer VLAN will be policed based on traffic matching an access list from the customer's IP range (upload).

The command I am using to police is as follows: police 10485500 966080 exceed-action drop.

The problem I am experiencing is that traffic into the routable VLAN is being successfully policed down to the 10Mbps I have specified on a per-customer basis (download). Traffic entering the customer VLAN is NOT being policed at all (upload). I am limited as to the use of the parent policy map I have specified on the interface, as I can only assign it in one direction (input).