I have 4-5 machines connected to each other in network which are in workgroup. Now I want to change one group policy on remote machine. The name of that policy is " Network access: sharing and security model for the local accounts :- Guest only" . How can I change this policy from remotely?
View 1 Replies
I have configured ASA 5510 With IPsec Remote VPN.With local database users(Users are created in ASA).
Internal network has 4 VLANS. Need solution for below.
There are 25 Users created in ASA. where only 5 tp 6 users wants to grant access to Particualr IP and Subnets and rest of the users can access entire lan.
Is it possible to configure Group policy in ASA for IPsec Remote VPN.
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
dell 3000 xl os 149gb I set up a home office. to try to transfer files to my new one.oce i found out you can't do it. there was a group policy in place.how do i get rid of it. it's interfering with a lot of stuff, including my firewall. had to buy another.
View 3 Replies View Relatedhow to disable usb using group policy
View 1 Replies View RelatedWe are migrating our ACS 5.1 to ISE 1.0.4.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD
- Shutting down the switch port when user is logged engage a new authentication a AD group are well updated.
- Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
I want to block a website timely using group policy on window server 2008.
View 1 Replies View RelatedIs it possible via Group Policy to prevent the domain computers from automatically creating default favorites when the users log in? Currently on the Favorites Bar it creates "Web Slice Gallery" and "Suggested Sites", as well as a "Websites for United Kingdom" folder. The domain controller is running Windows Server 2008 R2, and the clients are running Windows 7.
View 4 Replies View RelatedI have a Cisco ASA (8.2) with several group-policies setup. By default, I can hit the SSL page, and have a selection of available group-policies for a user to login to. I want to have different ACLs for each group, to go along with the subnet that each particular group hands out. Right now, as long as a user is authenticated through AAA, they can log in to any group they select, and therefore, have more permissions than another group.
I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.
I've setup ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" Atttribute, to which I match the group-policy name in the ASA, to the attribute on the user account in ACS.This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything. So it's either wide-open, or it's broken.
I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.
How to check applied group policy on the domain clients
View 1 Replies View RelatedI am interested in knowing how to check on my 2003 Server what usernames are blocked from downloading. Many of the clients seemed to have downloaded Google Talk and also Spotify. I was wondering if I can check -where it is located and how to enforce this policy. (or create it if it isn't in effect correctly)
View 2 Replies View RelatedHow to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).
I'm running a Windows Server 2008 Enterprise Edition server that is currently the domain controller, and a Windows 7 Ultimate client. I have a 'Test' user for messing around with group policy - anyway, on the client Start Menu it has 'Test User' which leads to some form of libraries folder. Is it possible to restrict the link without removing their name?
View 3 Replies View Relatedinstalling the Cisco NAC agent through the Active Directory Group Policy. (Windows 2008 R2)Currently Cisco NAC CAS servers has been installed, configured and the switches are added. But the ports are not active. Currently users are not passing through the NAC. When the ports are active and the users trying to access the network, the browser will ask the users to install the Cisco NAC Agent.I need t by pass this by installing the Cisco NAC agent through the active directory Group Policy. How to install the Cisco NAC agent (4.9.1) to all the users in the Network (Windows XP / 7 )through Active Directory so that the users will not know that the Cisco NAC agent has been installed in their computers. By this way the users need not install the Cisco NAC agent through the Web browser and will just login their user name and password and get into the network.
View 1 Replies View RelatedWhen you use Group Policy to determine whether a link is fast or slow, fast links may be incorrectly flagged as slow links.
This problem may occur when a network that you are trying to detect a slow link to is configured to control the size and flow of Internet Control Message Protocol (ICMP) packets. For example, if a router allows for only ICMP ping packets that have a size of 1,024 bytes, the slow-link detection feature may flag the connection as a slow link. This is because the router discards ICMP packets that are larger than 1,024 bytes. If the router discards the packet because it exceeds the allowed size, fast links may be reported as slow links.
According to Microsoft, the default ICMP ping packet size of 2048 is used.Microsoft recommends changing every single Windows machine's ICMP size...but my customer would rather just change the router. It is a 2821 router, running 12.4(24)T4, using MLPPP to bundle two T1s.
I have a PC behind a DSL router. In my PC (WinXP SP3) I have a virtual machine also running WinXP SP3. I would like to access the VM via remote desktop. Since I have a dynamic IP, I use the(url)tool to solve the problem. I installed the no-ip sync tool in the VM. Now when I write my no-ip address in the remote desktop from my office, I will access my host system, and not the hosted VM. Does any knows how I should configure things in order to get access to the virtual machine and not to the host machine
View 5 Replies View RelatedI have to connect client machine using Modem. They Have their Telephone number and they are saying that by dialing that number I have to connect their machine using that number from modem. How can I do this and which hardware, software I need i.e requirement of things to do this
View 2 Replies View RelatedI have a Win 7 machine with Win SBS 2011 in my office and an iMac. The Win machine is being setup for Exchange 2010. My problem is this: I can't Remote Desktop in from my iMac into the Win machine, but CAN when outside the network.The Win7 machine has a static IP, the iMac a dynamic. When I access the internal part of my router I can only see my iMac. I get a "can't connect to win-based machine" error when I try to Remote Connect.The only thing I can think is that using the same gateway is somehow messing things up? I've had two techs try to figure this out and they're both stumped.I was maybe thinking that since both comps are going out the same gateway that I should try anc configure the iMac to try and RDC on a different port, since maybe the iMac is listening on 3389 and sending the RDC back to itself?
View 4 Replies View RelatedIf I am not able to start remote desktop services on windows 7 machine, will machine can be accessible by RDP?
View 1 Replies View RelatedI have an GRE Tunnel across my head office and remote site with multiple subnets using cisco 1841 routers.I can ping most of the devices on the remote side, but I can not ping certain devices.These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of device than it start responding. I am using same gateway and mask on these devices.The remote site is running classic STP on switches with distribution switch being the root bridge.
View 4 Replies View RelatedI have Cisco RVS4000 and Linksys Befsx41.I can make a VPN connection when bought are in Static ip-address.RVS in static ip and Linksys in ISP changing ipconnection is not made.
Here is some log:
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
[code]....
I just update my cisco 7609 to Version 12.2(33)SRD6. I encounter a strange problem with this version, everytime i change BGP policy ( input or output ) this will take effect immediately without "clear ip bgp neighbor <address> soft". Are there anyway not to take BGP policy affect unless command "clear ip bgp neighbor <> soft" ?
View 7 Replies View Related802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
Debug radius authentication
Debug aaa authentication
Does not appear in the log only message port is down
Equipment;
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
Client:windows xp, windows 7
Cisco 2960 Port Config
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop
I'm trying to set up a VPN tunnel between a Linux machine and a RVS4000 at a remote site (served via satellite connection). After many efforts, I finally succeeded (based on Openswan). However, while PINGing is OK, big packets (from the RVS4000 LAN to the Linux box) arrive corrupted.
I lowered the WAN MTU, with no success. What finally did the trick is to lower the MTU at the RVS4000 LAN interface. Since this is not possible via the Web I/F, I did it via telnet ("ifconfig eth0 mtu 1400"). However, this change is lost after router reboot. How can I make the LAN MTU setting permanent?
I recently replaced a Netgear router with a RV042 because I figured out my Netgear was choking my 24MB Uverse connection down to about 6MB. I had VPN setup with my business partner who was already using an RV042 and everyting works fine. However after I setup the RV042 on my side we have not been able to get the VPN up. The settings are as follows
Local Group
Local Security Gateway Type: IP Only
Local Security Group Type : Subnet
IP Address: 192.168.0.0
Subnet: 255.255.255.0
Remote Group
Remote Security Gateway Type: IP Only
remote Security Group Type : Subnet
IP Address: 10.0.0.0
[Code]....
Last time, i´ve implemented a Remote Access VPN to my network with ASA 5510 I´ve allowed to my VPN an acces to all my Internal LAn But i want to configure a group of vpn in the CLI for have different group of user which can access to different server or different network on my LAN.
Example : informatique group------access to 10.70.5.X Network
Consultor group -------- access to 10.70.10.X Network
I need to know how can i do that , and if you can give me some eg script for complete this Here is my configuration :
ASA Version 8.0(2)!hostname ASA-Vidruldomain-name vidrul-ao.comenable password 8Ry2YjIyt7RRXU24 encryptednamesdns-guard!interface Ethernet0/0 nameif outside security-level 0 ip address X.X.X.X 255.255.255.X!interface Ethernet0/1 nameif inside security-level 100 ip address X.X.X.X 255.255.255.X!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 description Port_Device_Management nameif Management security-level 99 ip address X.X.X.X 255.255.255.X management-only!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNS domain-name vidrul-ao.comaccess-list 100 extended
[code]....
We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?
View 3 Replies View RelatedWhat happen to my router linksys e1200, after i update the firmware to the latest version "Access Restrictions" is change to "Access Policy". how can i revert it back to "Access Restrictions" do i need to downgrade the firmware?
View 2 Replies View RelatedI have a strange error on my home network that I cannot find a solution to.I have an Huawei SmartAX MT882 from TalkTalk acting as a modem connected to a D-Link DSL-G624T acting as a router/switch. Connected to the D-Link I have a Windows 7 Pro machine (64-bit, SP1) and an XP (home i think) machine (sp 2 i think).The SmartAX modem is set up to perform DHCP and DNS relaying and the D-Link has DHCP turned off and DNS relay turned off.The Win7 machine can access the network, get an IP address and access the internet without problems, regardless as to the status of the XP machine.The XP machine can access the network, get an IP address and access the internet with no problems ONLY of the win7 is powered up. When the win7 machine is off, the XP machine seems to drop about 25% of the ping packets between it and the D-Link router and has no internet access (because of this i assume). [code]
View 8 Replies View RelatedNew Win-7 machine set up. I used the printer set-up wizard to install a networked printer in the new machine with absolutely no problem. Proved it would print from that machine.Now, I get a call informing me that her old XP machine, which had been printing to the network printer with no problems, will no longer print.Documents go into the print queue, but they don't get printed.No error messages show up.I did some messing around via remote access, and finally removed the printer with the intention of reinstalling it.Scanning for network printers turned up several redundant instances of the same printer with different names. Some are identified as "invalid" some a "access denied". Bottom line. I can't get any of the selections to install.On the Win-7 machine I did find a window that indicated that the printer is designated as being shared, but I didn't explicitly set it for sharing when I installed it. Also, I somehow got to a window that told me that for printers that were to be shared with other versions of windows I could optionally install drivers to support such machines. Didn't have the driver disk handy and took the window down. Now I can't even find it again.I need sorting this all out.Part of the problem is that out there in "network land" there are redundant remnants of previous installations that are being remembered inappropriately.
View 11 Replies View RelatedThere is a site I oversee that is moving to a new ISP. The drive is 2 hours round trip and I need to do is change an IP. DHCP is being handed out by the internal Domain Controller and all the workstations point to the server for DNS. Will the following commands inputted over an SSH putty session into the current WAN IP change the IP and allow me to hookup to the new ISP? The plan is to copy and paste the following commands into global config mode. Currently they are using DHCP on the WAN side which I do not approve of and their external route is pointing to the internal IP of 192.168.1.1. Things still work but I want to do away with this. Will these commands get the job done?
interface vlan 2ip address 68.x.x.2 255.255.255.240exitno route outside 0.0.0.0 0.0.0.0 192.168.1.1route outside 0.0.0.0 0.0.0.0 68.x.x.1
I have a cisco ASA 5510 at the branch here. It terminates about 8 vpn tunnels and also it supports remote access clients. I just have a quick question. Can my remote sub-net group access the other remote access site-site VPN subnet group. If yes then how should i configure it.
View 6 Replies View RelatedI have an ASA 5520 with multiple site-to-site VPN's. A remote customer has changed their Public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without have to put the pre-shared key in again as we don't know what it is and they don't manage their firewall.
View 7 Replies View Related
