Centralized authentication through insecure net, ASA

Hi all,
I'm looking for some ideas, e.g. products, that can help me to achieve the following scenario:
- We have several customers with Cisco ASA
- We want to provide our IT engineer staff remote VPN access to each customer site
- We need a centralized AAA for the engineer VPN authentication (e.g. TACACS+, RADIUS)
- The centralized authentication server should be on our site. So each ASA (customer site) has to do the authentication through the insecure internet to our AAA server
- Site-to-site is not an option (several customer sites have the same IP range)
Any ideas?
Thanks a lot,
Norbert

Norbert
I would look at using certificates for this. So each customer ASA uses your centralised certificate server for authentication.
You can use something like Microsoft CA server to act as the certificate server.
There are plenty of docs on Cisco site for using certificates both with the VPN client and the ASA.
Jon
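Added example (not code from this thread or from Cisco): a Python model of what the RADIUS shared secret does and does not protect under RFC 2865, which is the transport the question proposes to run across the internet. The secret and packet contents are constructed, and the builders cover only User-Name, User-Password and Class; everything in the attribute list is readable by anyone on the path, only User-Password is hidden, and only the server's reply carries an integrity check.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Everything after the 20-byte header is a plain TLV list: no encryption at all."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:
            break
        out[kind] = packet[pos + 2:pos + length]
        pos += length
    return out


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side of 5.2: the shared secret is the only thing keeping the password hidden."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, authenticator=None):
    """Access-Request: header, 16-byte random Request Authenticator, then attributes."""
    ra = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(secret, ra, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(secret, code, request, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response) -> bool:
    """The NAS recomputes the digest; a reply forged or altered in transit fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Note that the request itself carries no integrity check in this base form (that is what RFC 3579's Message-Authenticator adds), which is part of why a tunnel or certificate-based design is preferred over bare RADIUS across the internet.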

Similar Messages

  • How to capture userinfo after a partner application is authenticated through SSOSDK?

    I have successfully installed and deployed the Partner application for Portal using SSOSDK. My question is, once the user is authenticated through SSOPartnerServlet.java and gets thrown back to the partner app (PAPP), how do we get the user info (i.e. username) from the PAPP?
    Is there an API?
    I have already asked this question from oracle tech and they told me to post it
    Thanks,
    Hamid

    Pass the name of a subroutine to handle your user commands to the fm parameter.
    I_CALLBACK_USER_COMMAND = 'USER_COMMAND'.
    Then code the user command routine (the ALV callback receives the function code and the selected field):
    form user_command using r_ucomm like sy-ucomm
                            rs_selfield type slis_selfield.
    case r_ucomm.
    when '<FCODE of your button>'.
    " Code your logic here....
    endcase.
    endform.
    To add your button using your own pf-status, you should copy a standard gui status and modify it.
    To trigger this pf-status you should pass the routine name to I_CALLBACK_PF_STATUS_SET (I_CALLBACK_PF_STATUS_SET = 'SET_PF_STATUS').
    form set_pf_status using rt_extab type slis_t_extab.
    set pf-status 'ZSTAT'.  "This ZSTAT must be created by copying a STANDARD pf-status of some std program like SAPLKKBL and then modifying it.
    endform.

  • Cannot use SASL Authentication Through GSSAPI on DS 6.3

    I tried to kerberize DS 6.3. I followed the step-by-step instructions from "Sun Java System Directory Server Enterprise Edition 6.3" and it doesn't work.
    When I try to configure the Directory Server to enable GSSAPI I get an error:
    modifying entry cn=SASL,cn=security,cn=config
    ldap_modify: DSA is unwilling to perform
    ldap_modify: additional info: Modification not allowed on attribute dsSaslPluginsPath
    Then, when I try to authenticate to the Directory Server, I get the response:
    ldap_sasl_interactive_bind_s: Authentication method not supported
    ldap_sasl_interactive_bind_s: additional info: sasl mechanism not supported
    Log file:
    [22/Sep/2008:10:28:11 +0200] conn=2 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.3.233.4:33054 to 10.3.233.4
    [22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=GSSAPI
    [22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - RESULT err=7 tag=97 nentries=0 etime=0, sasl mechanism not supported
    [22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=2 - UNBIND
    [22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=-1 - closing from 10.3.233.4:33054 - U1 - Connection closed by unbind client -
    [22/Sep/2008:10:28:12 +0200] conn=2 op=-1 msgId=-1 - closed.
    System specification:
    Solaris 10 x86 64-bit
    DS 6.3 B2008.0311.0212 NAT

    See http://forums.sun.com/thread.jspa?forumID=761&threadID=5202246 for a description of the problem and a workaround.
    If you have a Sun support contract, you can request an escalation of CR 6637404.
    Also, note that it looks like part of the documentation went missing. In DS5.2 the docs included an additional step
    Chapter 11 Implementing Security
    Configuring Client Authentication
    SASL Authentication Through GSSAPI (Solaris Only)
    http://docs.sun.com/source/816-6698-10/ssl.html#18500
    ldapmodify -D 'cn=directory manager'
    dn: cn=SASL,cn=security,cn=config
    changetype: modify
    add: dsSaslPluginsEnable
    dsSaslPluginsEnable: GSSAPI
    replace: dsSaslPluginsPath
    dsSaslPluginsPath: /usr/lib/mps/sasl2/libsasl.so
    modifying entry cn=SASL,cn=security,cn=config
    ldap_modify: DSA is unwilling to perform
    ldap_modify: additional info: Adding attributes is not allowed

  • PL SQL Web Service Authentication through LDAP

    I have created one PL SQL Web Service and I would like to provide token security through LDAP.
    I have configured LDAP for deployed webservice in oracle IAS 10.1.3 Service.
    Problem Description:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/">
      <env:Body>
        <env:Fault>
          <faultcode>env:MustUnderstand</faultcode>
          <faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring>
        </env:Fault>
      </env:Body>
    </env:Envelope>
    I have provided LDAP authentication through oracle iAS Setup.
    Please help

    Hi, I am looking out for a good friend of mine, Rajeev Dave from Vijaywada. If you're the one, please email me [email protected]
    thanks,

  • Integrate Central Authentication Service (CAS) in SharePoint 2010

    Hi All,
    Going to implement single sign-on with all internal applications.
    Also, some applications are running in SharePoint, and I want to integrate Central Authentication Service (CAS)
    in SharePoint 2010.
    Pls give me some idea.
    Deepak

    You can do CAS and SharePoint auth using below
    Check below
    http://webcache.googleusercontent.com/search?q=cache:EhC3JLvqDWwJ:balendrant.blogspot.com/2013/05/external-authentication-providers-for.html+&cd=4&hl=en&ct=clnk&gl=in&client=firefox-beta
    http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFEQFjAI&url=http%3A%2F%2Fdownload.microsoft.com%2Fdocuments%2FFrance%2FInterop%2F2010%2FFederated_Collaboration_With_Shibboleth_2_0_and_SharePoint_2010_technologies-1_0.docx&ei=i0u1U6bVB4KMuATP94II&usg=AFQjCNF09JusWUS97-em12JFpaH64Pxa3A&bvm=bv.70138588,d.c2E&cad=rja
    If this helped you resolve your issue, please mark it Answered

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through a username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush
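Added example (not code from the thread or from ACS) of the server-side check described above: the switch sends the endpoint MAC as User-Name with Service-Type Call-Check, and the server looks it up in its endpoint store. The endpoint table and VLAN values are constructed; the function also normalizes the MAC formats different switches send and refuses a credential-style username that reaches the MAC database, since MAB grants access to anything presenting a known MAC and the allow-list is the whole control.

```python
import re

CALL_CHECK = 10  # Service-Type value a switch uses for a MAB request (RFC 2865 table)

# Constructed sample endpoint database; in a real deployment this is the ACS/RADIUS store.
ENDPOINTS = {
    "001122334455": {"device": "printer-floor3", "vlan": "20"},
    "aabbccddeeff": {"device": "badge-reader-lobby", "vlan": "30"},
}


def normalize_mac(value):
    """Switches format MACs as 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55.
    Return the bare 12 lowercase hex digits, or None when the value is not a MAC at all."""
    if not value:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    without_separators = re.sub(r"[.:\-\s]", "", value)
    # a username such as 'alice' loses letters here, so the two strings differ
    if len(digits) != 12 or digits != without_separators:
        return None
    return digits.lower()


def mab_decision(request, endpoints=ENDPOINTS):
    """Mimic the RADIUS-side MAB check. Returns (response code, attributes)."""
    if request.get("Service-Type") != CALL_CHECK:
        # a user/password login must never be matched against the MAC table
        return "Access-Reject", {"reason": "not a Call-Check request"}
    mac = normalize_mac(request.get("User-Name"))
    calling = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None or calling != mac:
        return "Access-Reject", {"reason": "User-Name is not the calling station's MAC"}
    entry = endpoints.get(mac)
    if entry is None:
        return "Access-Reject", {"reason": "unknown MAC %s" % mac}
    # VLAN assignment via the standard tunnel attributes, plus the record for the accounting log
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": entry["vlan"],
        "device": entry["device"],
    }
```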

  • OBIEE 11.1.1.6.2 BP1 authentication through Shared Services EPM 11.1.2 .2

    Hi,
    Any idea how to get the authentication in OBIEE through Shared Services to work?
    We use Native Directory and MSAD in SS, hence we need to get the authentication through Shared Services.
    We were able to run this on EPM 11.1.1.3 through LDAP server of Shared services port 28089, surely not working now.
    I've tried both of the following but still no luck:
    http://gerdpee.wordpress.com/2011/06/17/oracle-weblogic-and-hyperion-shared-services-11-1-1-3/
    http://gerdpee.wordpress.com/2011/06/17/integration-sort-of-of-obiee-11-1-1-5-and-hyperion-shared-services-11-1-1-3/
    Please help. Many thanks!!!
    Cheers,
    Steve

    Hi Steve,
    I have not been through this, but hope this helps you though. While we run the System configurator Wizard (EPM 11.1.1.2), we are now having an option to integrate EPM with OBIEE. Have you given it a shot?
    I am just thinking, if we could have it configured for us, we could directly access the Subject Areas from OBIEE, just like what Mark had mentioned here: http://www.rittmanmead.com/2009/01/epm-workspace-111-and-obiee-10134-updated/
    You could further look into the "SSO using CSS Token" field in the connection pool, too.
    Hope this helps and I will let you know, if I have any other information.
    Thank you,
    Dhar

  • Authentication of inside users ASA (EasyVPN)

    Greetings All
    Authentication of users behind ASA 5505 connected to VPN3000 Concentrator with EasyVPN
    According to the law in a certain country, we need to log the following:
    Time & Datestamp
    Username/ip address of the pc inside
    Which sites they have visited (ip's, URL's etc..)
    E.g. 11/4-2008 domain\john ip 192.168.2.23 visited ip 212.232.232.21/80
    I would like to achieve this with using the ASA 5505 and my Cisco ACS 4.1 on my LAN behind the VPN3000 Concentrator.
    I'm trying to set up forced authentication for the users on the inside interface (LAN) of the ASA 5505. I need to force them to authenticate before they will be able to get any access outside their LAN.
    I have read on the forum and tried some different solutions, but have not been able to get any solution to work with all the needed info and also to work in conjunction with EasyVPN (Network Extension Mode).
    I tried with cut-thru proxy solution from the guide here:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
    It does not work, because the include/exclude statements are not allowed in conjunction with EasyVPN.
    Error: WARNING: <_vpnc_nwp_acl> found duplicate element
    WARNING: <_vpnc_nwp_acl> found duplicate element
    Hybrid configurations using 'match' and 'include|exclude' are not supported
    I have then looked at enabling "Individual User Authentication (IUA)", but since I'm using split-tunneling, it seems like authentication is only enforced for the
    tunnelled networks. And I don't want to tunnel everything, since the response times to the remote site are very high.
    Last I tried to make some HTTP redirect with aaa authentication listener http[s] interface_name [port portnum] [redirect], but that's also not
    allowed in conjunction with EasyVPN.
    Error:
    * Remove 'aaa authentication listener' configuration
    CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
    operation has been detected, and is listed above. Please resolve the
    above configuration conflict(s) and re-enable.
    The ASA is currently running IOS 7.2(4), but there's no problem in upgrading it to 8.0(4) if that could help me make a solution.
    Is it possible to make this work somehow?
    /Claus

    Hello Claus,
    Have you tried downloadable access lists in combination with the ACS for the authentication? You can then use the accounting options of that downloadable access list to register who has done what.
    You can do this in combination with the virtual http listener or the virtual telnet listener.
    Check out: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwaaa.html
    Hope this helps
    Regards
    P-J Nefkens

  • ACS user authenticating through Windows Database

    Hello,
    Please, I need a document/guideline on how to configure ACS 4.2 user authentication through the Windows database, where the ACS server is running on an appliance.
    Please, help.
    Regards,
    Ethelbert

    Hi,
    If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
    The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
    tnx
    somishra

  • EDQ authentication through Novell

    We are currently using AD as our authentication platform for EDQ. We need to set up additional configurations for authentication through Novell. Has anybody done this? What is different from the AD configuration?
    Thanks
    Craig

    Hi Craig,
    Apologies for the late response on this. I believe an SR has been logged, and a response will be available on the SR very shortly.
    Some basic notes are as follows. The examples files are missing below (but will be on the SR):
    EDQ does not have out of the box support for Novell eDirectory. However, it can be configured easily. To do this, you need to define a ‘realm’ with connection details for the eDirectory server and an associated ‘profile’ defining the LDAP search filters and attributes to use with the eDirectory.
    All this information can be added to the login.properties file, but it is sometimes simpler to define the information in separate files. Realm information can be defined in files in the realms subdirectory of the security directory, and profile information can be stored in the profiles subdirectory.
    These are the steps:
    1. In the login.properties file, add a realm ‘edir’ to the realms list:
    realms = internal,...,edir
    2. Create a directory realms in the security directory and store the attached edir.properties there. Amend the file with:
    •     The LDAP server address. The example file has 10.8.1.182.
    •     The correct LDAP domain information. The example file uses the domain o=rde
    •     The DN and password of the user used to connect to LDAP. The example has cn=rde,ou=users,o=rde
    •     The LDAP group used to contain EDQ users. The example has testgroup
    •     If the server has a certificate installed, uncomment the ‘ldap.security’ line to enable SSL connections
    3. Create a directory profiles in the security directory and save the attached novell.properties there. This file is suitable for a standard eDirectory setup and should not need any changes. It assumes:
    •     An objectClass of inetOrgPerson for users
    •     An objectClass of groupOfNames for groups
    •     The unique ID of user and group entries is the GUID attribute
    The profile can be tweaked if these assumptions are not correct.
    Regards,
    Mike

  • My Apple TV is slow and disconnects after the latest update (5.1). It seems to affect both home sharing and through the net. Is there a known problem?

    My Apple TV is slow and disconnects after the latest update (5.1). It seems to affect both home sharing and through the net. Is there a known problem?

    Hi Scott.
    There is a problem - but Apple have not acknowledged it. Many people on these forums are experiencing the same issue.
    To get something done, you should report it here. The more of us that tell Apple about it, the more likely they are to fix it. You could also send a short email headed 'Apple TV update problems' to
    <Email Edited by Host>

  • Enable Single Sign On in Share point 2013 with external IDP like CAS (Central Authentication Service)

    Hi,
    We need to configure our SharePoint 2013 web application to work with a third-party site using a Single Sign On (SSO) service.
    Currently we are using CAS (Central Authentication Service) as the third-party site. I have been trying to accomplish this for the last few days but haven't found anything helpful.
    Please let us know whether SharePoint 2013 supports authentication with any external site and, if not, whether there is any alternative to achieve this, e.g. via ADFS or something else. Please help.
    Neetu Tanwar Software Developer

    You can do CAS and SharePoint auth using below
    Check below
    http://webcache.googleusercontent.com/search?q=cache:EhC3JLvqDWwJ:balendrant.blogspot.com/2013/05/external-authentication-providers-for.html+&cd=4&hl=en&ct=clnk&gl=in&client=firefox-beta
    http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFEQFjAI&url=http%3A%2F%2Fdownload.microsoft.com%2Fdocuments%2FFrance%2FInterop%2F2010%2FFederated_Collaboration_With_Shibboleth_2_0_and_SharePoint_2010_technologies-1_0.docx&ei=i0u1U6bVB4KMuATP94II&usg=AFQjCNF09JusWUS97-em12JFpaH64Pxa3A&bvm=bv.70138588,d.c2E&cad=rja
    If this helped you resolve your issue, please mark it Answered

  • How to copy a .bak-File through the Net with a Job?

    Hi all,
    I have created the binary copy of my controlfile with
    ALTER DATABASE BACKUP CONTROLFILE TO 'c:\Temp\test_control.bak';
    But I don't understand:
    In the database there are 3 control files: Control01.ctl,
    Control02.ctl and Control03.ctl. After I ran ALTER DATABASE BACKUP CONTROLFILE TO 'C:\Temp\test_control.bak';, I have
    only one copy. Is that the copy of all 3 controlfiles? Still another question:
    How can I copy this file now with a job to another computer through the net?
    Regards
    Leonid Pavlov

    I use streams to read the binary file. The problem is I don't know when the transferred stream has finished. With a text file I can recognize the end of the transfer by a special string, but how do I deal with the end of a stream? Should the server send an "EOF" or something else to the client to notify the end?

  • WLAN connection: authentication through captive po...

    Access to some Wifi hotspots requires authentication through a captive portal (ID and password must be entered on a special web page). Everything works on my E65 except that I did not find a method to avoid retyping my ID and password every time I try to connect. Any idea?

    Hello,
    I've an E61i and I experience a similar problem. My phone works very well on WiFi networks with no encryption as well as 64-bit WEP.
    At home I've 2 wireless routers, both encrypted at 128 bits, one with WEP and the other with WPA. On both of them I can correctly obtain an IP thru DHCP, but the traffic does not go thru.
    By using IfInfo I think I discovered the reason for the problem (unless IfInfo is not working properly...) and it seems a bug related to the netmask, broadcast and gateway settings. The router is 192.168.15.1 and this is what I get:
    1) DHCP case -- I get two IP addresses: the 169.254.x.x one and the one assigned by the router. DNS is also set properly, but gateway, broadcast and netmask are all set to 0.0.0.0 for both IPs.
    IP Addr: 169.254.162.106
    Netmask: 0.0.0.0
    Broadcast: 0.0.0.0
    Gateway: 0.0.0.0
    DNS1: 192.168.15.1
    IP Addr: 192.168.15.100
    Netmask: 0.0.0.0
    Broadcast: 0.0.0.0
    Gateway: 0.0.0.0
    DNS1: 192.168.15.1
    2) Static IP 192.168.15.64, netmask set to 255.255.255.0 and gateway and DNS set to 192.168.15.1. The 169.254.x.x disappears and I get only one IP which is set to:
    IP Addr: 192.168.15.64
    Netmask: 0.0.0.0
    Broadcast:192.168.15.255
    Gateway: 192.168.15.1
    DNS1: 192.168.15.1
    So in conclusion, it seems that with 128bit encryption, in the DHCP case gateway, broadcast and netmask are not assigned correctly! While in the Static IP case the netmask is still not assigned correctly!!!
    Hope this can help...
    --AP

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to set up the ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from RADIUS on the ASA when he opens a web page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access
    policy for that user.
    Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to below step by step config guide for security group access policies
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html
