Cisco Support Community

New Member

Enabling RDP to CSA MC using user state

I am trying to enable an administrator remote access to the MC via RDP. The rule that is triggered and denies this action is #262. Is there a way to allow RDP access to the box based upon user state? I need this as the admin group is part of a DHCP pool so I cannot nail it down to just his address. The documentation is not very clear in applying user states.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Enabling RDP to CSA MC using user state

Sorry for the long response...I hope this helps...

YES, it is absolutely possible to do this. Let's say your MC is in a group called "CSA MC Group". In that group you have policies applied. Inside of the policies are your rule modules etc... So what you need is to create a new policy (set it for Windows, or Linux, as needed). Next you will need to create a new "Rule Module" that you will attach to the new policy you just created.

When you create the new Rule Module, you will see a section that says "State Conditions". Select the option "Apply this rule module only if the following state conditions are met:". Click the check box next to "User State Conditions:". In the user state pick list, click "NEW". Here you will need to create a user state based on what user you want to be able to RDP to the CSA MC. Give the new user state a name. Here you have a choice: you can either create a specific user (i.e. if only one domain user ID needs access), or you can use a Domain or Local Group (i.e. if Domain Admins will need RDP access to the CSA MC). Let's say you want to use the "Domain Admins" Active Directory group... In the "Groups Matching" box type the EXACT name of the Domain group (Ex: MYDOMAIN\MYGROUP). Click Save. Then select the new user state and save the new rule module.

Assign the new rule module to the new policy and apply the new policy to the CSA MC group. Last, you need to navigate to the new rule module you created, and add a NETWORK ACCESS CONTROL RULE. Create an allow rule that will allow termsrv.exe as server TCP/3389. Any Host (you said they were on DHCP. I recommend creating a specific DHCP scope for those users so you can lock it down more). Save the rule and generate.
