Cisco VPN :: ASA 8.2 Anyconnect User Authentication And Authorization

Jan 17, 2012

I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:

1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: 5510 - Display User Message When User Connects Using AnyConnect Client?

Apr 20, 2009

We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
 
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy?  Can the message be displayed when the action is "Continue" rather than "Terminate"?  I can't seem to get this to work and wondered if there was a LUA function to do this.
 
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: Authentication With One ACS 4.2 Server While Authorization With Another

Apr 5, 2011

1 ) : Is it possible to do authentication with one ACS server while authorization with another ACS? Use case is if the user authenticated to one ACS server and then switch loses the connectivity to this ACS. Now command authorization requests will go to another ACS server since switch is not able to communicate to the 1st ACS.
 
2): How can the local database sync be acheived in distributed ACS deployments?
 
3): Are the accounting records are sync between different ACS? In other words can accounting be centeralised with ACS4.2

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Authorization Of User Based On MAC Address

Aug 23, 2012

A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
 
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
 
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
 
For this I created the following policy:
 
Service Selection Policy -- (Rule based result selection)

-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access

-- Default | Result: DenyAccess
 
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
 
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
 
Is it not possible to use one identity store as "attribute database" for the other identity store?

View 5 Replies View Related

Cisco :: Wireless User Session Authorization With WLC 5508

Oct 8, 2012

I have a user authentication issue with our WLAN deployment. My issue relates to the guest access WLAN. First a brief descrition of our setup. We have a local WLC in the branch office (5508) with two SSIDs configured, CorpNet for the internal network and GuestNet of external guest access. We also have a WLC (5508) in the DMZ to provide the guest access. We are using Cisco ISE server to authenticate guest users via a web portal.
 
The authentication process works as it should. An external client gets an IP in the DMZ and is redirected to the web portal to authenticate their account. When they do they are able to access and browse the internet. No problems. My issue is that if we disable their account (ie suspend or delete it) in ISE it does not seem to terminate the users session and they can continue to have internet access. What I would like to happen is that when the account is disabled in ISE then the associated device's access to the internet is removed.

View 2 Replies View Related

Wireless :: Entering MAC Address Authorization For Second User?

Jul 13, 2012

I would like to authorize a friend in my house to access my wifi I was told to go to http://192.1.1 and enter the MAC address of my friend. However on the site I was unable to enter the information into the box - how can I authorize my friend to use my wifi?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Authorization Failed By User That Doesn't Exist

Jan 8, 2013

I am getting Authorisation requests failed log entries for a user however there aren't any successful authentication logs.
 
The user would never be able to authenticate as it no longer exists in ACS (it was the user for someone who left the company 3-4 month ago)
 
The other wierd thing is that the caller-id is 0.0.0.0 BTW the NAS is a Cisco ASA firewall running 8.0(3)

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - LDAP Authentication Works / Authorization Fails

Oct 24, 2011

I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA.  In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down.  I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
 
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain.  As a condition, it shows up as DomainName:External Groups.  I set the permission to Permit Access.
 
Originally, I was failing authentication and I was receiving Subject Not Found in Store.  I adjusted the Identity Sequence and now I receive a the following error:
 
15039:  Selected Authorization Profile is Deny Access.  So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.

View 1 Replies View Related

Cisco Wireless :: 4.2 No Authorization Information Found For Remote Authenticated User

Apr 18, 2013

I've just installed NCS. When trying to configure NCS for ACS Tacacs+ authentication, I receive the message below when trying to login to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2."No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...

View 3 Replies View Related

Cisco VPN :: Adding User Profiles In AnyConnect VPN 2.5

Feb 15, 2012

I recently upgraded to Windows 7 in my company and the OS came bundled with Anyconnect VPN client version 2.5.
 
In the earlier version I used to add user profile using a .pcf file by importing it into the client to access customer LAN.
 
But in the Anyconnect VPN client I dint find any option to import the file. The IT support has told to edit the xml file to add it. The problem is I even after i edit the anyconnect-cert.xml with changes in host name and host address tags  I am not able to start a connection. I dont knw know exactly what address must be given in Host address tag. I copied the host address from .pcf file which i used earlier.
 
Whether I will be able to add a user profile in this way or any correction is to be done in the whole process of adding the user profile,

View 1 Replies View Related

Cisco VPN :: MAC-Based Authentication In ASA 8.2 AnyConnect VPN

Sep 19, 2010

I have been configuring anyconnect VPN. The requirement from customer is to configure MAC address based authentication for anyconnect clients. I have gone through various cisco documents. I couldnot find this option explained. Is MAC address based authentication possible in anyconnect vpn without having AAA server in place?There is an option to select end point attribute as MAC address, while creating Dynamic access policies. But at the host scan configuration of Cisco secure desktop, there are no options for performing MAC retrieval.
 
My ASA is running on version 8.2(1) and ASDM version 6.3(1) and a memory of 512 MB RAM. Any way for MAC based authentication in cisco anyconnect VPN.

View 3 Replies View Related

Cisco VPN :: MAC Authentication On ASA 5520 For Anyconnect?

Mar 3, 2013

I have a query regarding MAC authentication for end systems on ASA 5520. Inspite of proving MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
 
Is there any requirement like LDAP or AD is required for MAC authentication?

View 1 Replies View Related

Cisco VPN :: Anyconnect 3.1 Certificate Authentication

Dec 20, 2012

I am doing a proof of concept with anyconnect and certificate authentication. with 3.0 i was able to do this with a certificate from my CA and a client cert in a smartcard. I have upgraded to 3.1 and now it doesnt work anymore ( i need 3.1 and Asa 9.0 because of IPv6 Split-tunneling).Reading the forum i got some info that the ASA cert must have a EKU value of 'Server Authentication' and the client cert must have a similar EKU (client Auth)

View 4 Replies View Related

Cisco VPN :: 5520 AnyConnect Can Auth A Machine And Then A User?

Aug 10, 2012

We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)

View 7 Replies View Related

Cisco VPN :: ASA 8.4(1) AnyConnect Premium User Upgrade Licensing?

Feb 22, 2012

Prior to version 8.4(1) Cisco called their licensing name for SSL/VPN users AnyConnect Premium SSL VPN and currently the new name of the licensing is simply AnyConnect Premium.  Also, the IOS display name for the amount of SSL/VPN users enabled via your licensing (ex. 2, 10, 25, 50, ...) by running a 'show activation-key' was changed from SSL VPN Peers to AnyConnect Premium Peers.With that said, my question is if the license for upgrading 10 users to 25 users (L-ASA-SSL-10-25= - ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License) on an ASA prior to 8.4(1) and an ASA with 8.4(1) is still valid and the correct part number to peform these upgrades for both ASAs.  The description of this part number is throwing me off because it says SSL VPN to Premium User, which was the name prior to 8.4(1).  I could not locate any documentation regarding this part number or upgrading 10 users to 25 users for both ASAs.

View 4 Replies View Related

Cisco VPN :: ASA5510 Anyconnect Permission With NT Domain User

Aug 21, 2012

I am trying to setup a VPN with AnyConnect on my ASA5510 and it works fine.  I have setup an AAA server group for my Active Directory with the "NT Domain" protocol".  Right now, every user is able to connect with their Active Directory credentials.  I would like to restrict access to the Anyconnect VPN to only a few users in AD.

View 1 Replies View Related

Cisco VPN :: 5510 Anyconnect SSL VPN Authentication Failure

Dec 26, 2012

I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
 
So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
 
Then I have change the profile XML file of my anyconnect in this way: [code]

View 1 Replies View Related

Cisco VPN :: AnyConnect 3.0 - No Valid Certificates Available For Authentication

Dec 18, 2012

Recently we updated to the Anyconnect 3.0 client. I see the new 3.1 client is out and we are currently testing it for production. My question though is since updating to 3.0 our end users receive a message at the bottom of their client stating "No valid certificates available for authentication" They can still VPN in since we dont do certificate based authentication but we have been getting tons of questions on this. I would like to stop these messages from appearing and I am not sure if its just how the new client behaves or if its something configured on our ASA's.

View 1 Replies View Related

Cisco VPN :: ASA 5520 - Getting AnyConnect Authentication Timeout?

Jul 8, 2012

I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently runnign version 6.4 on the ASA and AnyConnect 2.5.3055.

View 8 Replies View Related

Cisco VPN :: ASA 8.2.2 Locking Down Anyconnect Authentication To AD Group

Nov 28, 2011

I can't seem to find any documentation to how to get this working. I'm trying to make it so that only users of a certain AD group are authenticated for my Anyconnect VPN on my ASA 8.2.2
 
I've found the documentation on how to prevent logins using the  msNPAllowDialin attribute, but not how to base it on group membership (memberOf) [code] I need to do any kind of restrictions inside the actual group-policy TESTGROUP ?

View 2 Replies View Related

Cisco VPN :: ASA 5520 / Restricting End User To One Specific Group With AnyConnect?

Feb 6, 2013

I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication.  I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account.  How do I restrict this so that the user can only use one profile?  Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks.  Is there a sample configuration guide to handle multiple profiles with different levels of access?

View 3 Replies View Related

Cisco VPN :: AnyConnect Error User Not Authorized For Client In 5505

Jan 9, 2013

it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem.

The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.

ASA Version 9.1(1)
!
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code] .....

View 9 Replies View Related

Cisco VPN :: ASA 5545-X / Cert And AD Authentication Using AnyConnect 3.0.xxxx?

May 29, 2012

I have a need to utilize two factor authentication using a machine certificate and users AD crednetials.  What we would like to do is to have the ASA and AnyConnect verify the certificate exists, check against our in house CA for validity, if valid pass the user credentials to the AD servers and establish the tunnel. If not valid quarantine the session and pop a message to the user to contact the help desk ASAP.  My guess is the following (using ASDM 6.6, ASA 8.6.1, ASA 5545-X):
 
1. under the connection profile I have select BOTH for authentication and added a AAA server group.

2. under Cert Management I have added the 3 certs that are present on all company mobile assets

     - Cert America
     - Cert Europe
     - Cert Root

3. I have an identity cert installed from the company CA and it is selected as the device cert under connection profiles

4.Local Cert Authority is Disabled

5.Under Remote Access>Advanced>Certs for AnyConnect>

- I have mapped DefaultCertifiateMap pri 10 to Company_Cert connection profile

- The mapping is looking for Subject: CN: <Contains> (string) ----where string is a common component of each Cert listed in #2.
 
Question #1 - Is this correct for utilizing certs and AD auth or have a missed any steps?
 
Users are directed to a an initial installation URL - where the AnyConnect client performs the installation and passes down the intial AC profile which auths using only AD creds.  On subsequent connections users who pass the certificate mapping check are migrated to the connection profile which uses the dual authentication method. 
 
Question #2 - When I attempt a new installation of AnyConnect using the two factor URL . I receive an error "certificate validation error" and the installation fails - for the life of me I can not figure out why????  The machine has all three certs, using IE9 as the browser.

View 3 Replies View Related

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is  to force user to connect from registered machines only (winXP & win7 x32 and  x64). To do this, I used machine certificates issued by own CA. Certificate  is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA  validating machine certificate, then user is prompted for username/password  and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The  appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
 
With DART i get:
******************************************
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

[code]....
 
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.

View 3 Replies View Related

Cisco VPN :: 5505 Certificate Only Authentication Method With AnyConnect

Jul 7, 2011

Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect vpn?I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone.I currently have the AnyConnect client connecting ok using username / password for authentication.
 
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.

View 1 Replies View Related

Cisco VPN :: 5540 ANyConnect Client Certificate Authentication

Jul 13, 2011

want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
 
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 3 Replies View Related

Cisco VPN :: ASA5510 / AnyConnect Active Directory User Password Expiration?

May 20, 2012

I have a Cisco ASA5510 firewall that  has SSL Web VPN functionality and is utilizing AD Server as  Authentication server for users.However, we have a policy to change  password at certain point of time. Users in the office have no problem.  They just login their PC and change password. Users outside of office is  a pain when their password is expired. Is it posible for them to change  their AD password thru VPN using Cisco Anyconnect?

View 2 Replies View Related

Cisco :: ASA5510 - AnyConnect VPN Active Directory User Password Expiration

May 19, 2012

I have a Cisco ASA5510 firewall that has SSL Web VPN functionality and is utilizing AD Server as Authentication server for users. However, we have a policy to change password at certain point of time. Users in the office have no problem. They just login their PC and change password. Users outside of office is a pain when their password is expired. Is it posible for them to change their AD password thru VPN using Cisco Anyconnect? If yes, can you show me how?

View 1 Replies View Related

Cisco VPN :: 5520 AnyConnect Authentication With RADIUS Secure Method

Nov 6, 2012

I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code.  I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server).  I have noticed one thing, on the server under "Constraints and Authentication Method".  I picked MS-CHAP-v2, but it is considered Less secure authentication methods.  I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2.  I picked PEAP but then the VPN does not work.
 
So first of all does it really matter if I just leave it to MS-CHAP-v2?  Because from my understanding is that AnyConnect will authenticate to ASA and then ASA in the backend talks to the RADIUS server so from a security stand point this scenario shouldn't it be sufficient as no un encrypted or less secure information is available to the outside world? Secondly is there any documentation on using PEAP with Cisco AnyConnect?

View 4 Replies View Related

Cisco VPN :: ASA 5510 VPN User Authentication

Apr 5, 2011

We are changing our old Pix 515e this weekend and for brand new ASA 5510.With this new installation, I would like to implement the Radius authentication for remote vpn user. Changing the firewall of the company has many impact and for the first phase the user will keep authenticating locally but I need that in phase 2, they will be authenticated via a radius server.Is there a way to configure both authentication for remote vpn user?
 
All user will be authenticated locally except the member of the IT Department who will be authenticated by the radius server for testing.I have remote vpn users around the world so I do not want these users to be blocked by the testing of the radius authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by the radius. When testing will be done, all users will be transfer to the radius authentication gradually.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved