AAA and local user authentication

Hi,
I already have AAA authentication set up on my switch, and I can use local users to log in when the AAA server is unreachable.
But I want to know if it is possible to use local users even when the AAA server is reachable. Something like: first it checks the local user database, and if the user does not exist then fall back to AAA, or vice versa.
Thanks.

Ismail, each authentication method you define acts as a service, so only when that service is not available does the method list fall back to the next method you define.
So in your case, if the user account is not present in the local database it will not fall back to the AAA server:
aaa authentication login default local group radius
The same holds true if the user account is not in the AAA server:
aaa authentication login default group radius local
Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
Hope this helps!
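A small model of the fallback rule described in the reply above, added here as an illustration; it is not code from the original thread or from Cisco, and it does not talk to a real RADIUS server. It assumes, as the reply states, that a user missing from the local database is a rejection (FAIL) rather than a service error (ERROR), and it also includes the IOS `none` keyword to show the fail-open case a practitioner should watch for when a server group is dead. The account names and passwords are constructed sample data.

```python
"""
Walk a Cisco-style AAA login method list and show when fallback happens.

Each method answers with one of:
  PASS  - credentials accepted
  FAIL  - the method answered and rejected the credentials
  ERROR - the method could not answer (server dead or unreachable)
The list moves on to the next method only on ERROR. A FAIL ends the walk.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


Method = Callable[[str, str], Outcome]

# Constructed sample data: one account known only to the local database,
# one account known only to the RADIUS server.
LOCAL_USERS: Dict[str, str] = {"admin": "l0cal-pw"}
RADIUS_USERS: Dict[str, str] = {"alice": "rad1us-pw"}


def local_method(users: Dict[str, str]) -> Method:
    """Local database. Assumption taken from the reply above: an unknown
    user is a FAIL (an answer), not an ERROR, so the list stops here."""
    def auth(user: str, password: str) -> Outcome:
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return auth


def radius_method(users: Dict[str, str], reachable: bool) -> Method:
    """RADIUS server group: ERROR when no server answers, otherwise an answer."""
    def auth(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return auth


def none_method(user: str, password: str) -> Outcome:
    """The 'none' keyword: accept without checking. Fail-open, shown as a caveat."""
    return Outcome.PASS


def build_list(spec: str, radius_reachable: bool) -> List[Tuple[str, Method]]:
    """Turn a method-list string such as 'local group radius' into callables."""
    available: Dict[str, Method] = {
        "local": local_method(LOCAL_USERS),
        "group radius": radius_method(RADIUS_USERS, radius_reachable),
        "none": none_method,
    }
    tokens = spec.split()
    methods: List[Tuple[str, Method]] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group":
            name = tokens[i] + " " + tokens[i + 1]
            i += 2
        else:
            name = tokens[i]
            i += 1
        methods.append((name, available[name]))
    return methods


def authenticate(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[bool, List[str]]:
    """Return (accepted, trace). Only an ERROR moves on to the next method."""
    trace: List[str] = []
    for name, method in methods:
        result = method(user, password)
        trace.append(f"{name}:{result.value}")
        if result is Outcome.PASS:
            return True, trace
        if result is Outcome.FAIL:
            return False, trace
    # Every method returned ERROR: nothing answered, so the login is denied.
    return False, trace


def login(spec: str, radius_reachable: bool, user: str, password: str) -> Tuple[bool, List[str]]:
    return authenticate(build_list(spec, radius_reachable), user, password)


if __name__ == "__main__":
    cases = [
        ("local group radius", True, "alice", "rad1us-pw"),   # valid on RADIUS, unknown locally
        ("group radius local", True, "admin", "l0cal-pw"),    # valid locally, unknown on RADIUS
        ("group radius local", False, "admin", "l0cal-pw"),   # RADIUS dead: local is consulted
        ("group radius local", False, "alice", "rad1us-pw"),  # RADIUS dead, not a local user
        ("group radius none", False, "anyone", "whatever"),   # RADIUS dead and 'none': fail-open
    ]
    for spec, up, user, pw in cases:
        ok, trace = login(spec, up, user, pw)
        print(f"{spec:<20} radius_up={up!s:<5} {user:<7} -> {'ACCEPT' if ok else 'DENY':<6} {' > '.join(trace)}")
```

The first two cases are the two orderings asked about: whichever method is listed first answers, and its FAIL is final, so the other database is never consulted. The last case is the one to avoid in production: with `none` at the end of the list, a dead RADIUS group means anyone is let in.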

Similar Messages

  • Nexus 7000 aaa and local authentication

    Hello,
    I tried to configure aaa (with RADIUS) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
    RADIUS authentication is working fine(!), but I can't log in with a locally created user (role vdc-Operator).
    Any help is highly appreciated.
    Kind regards,
    Andreas

    Hi,
    Yes, I know that the fallback will jump in when no RADIUS server responds, but I need the behaviour of the 6500 (or 4500). (BTW, local login works if RADIUS is disabled or if local is the default, but if local is the default, RADIUS login no longer works.) Only one of the methods works at a time.
    On the 6500 I configured aaa with a Windows NPS server and a local user (e.g. for Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via SSH) with the locally defined user account.
    What I am missing is something like the commands:
    "aaa authentication login default local group radius"
    "aaa authentication enable default enable"
    (which work on the WS-C6509 or WS-C4500X).
    Is there any chance to get this working on the Nexus 7000?
    Kind regards,
    Andreas

  • CSM 3.1 local user authentication problem

    Hi everyone. I have a strange problem with local user authentication. In our CSM I have configured CSM to authenticate users using TACACS+ from our ACS server, and everything is OK with this configuration, but I have also configured fallback authentication for the user admin. Here is the problem: even when the connection to the ACS server is OK and the server can receive authentication requests, we can authenticate with ACS and with the local admin, which I think is wrong because the local admin is configured as fallback. So what do you think about this problem, where CSM authenticates users with ACS and the local database at the same time?

    You probably need to go under the system context and create the interface and also allocate vlans to it in CSM before you configure the context itself.
    I hope it helps.
    PK

  • Difference between AD domain user and local user

    Hello, I think the title is self-explanatory. I am trying to figure out the difference between an AD domain user and a local user. SAP Help wasn't very helpful.
    Thanks.

    Hi,
    It's about where the user accounts are kept. Domain users are users that are entered into the domain users group on a domain controller. These domain users can be centrally managed at the server. Local users, on the other hand, are created on the local system.
    In BPC, you can select users from either of them, or in combination as well. However, if you want to make a change to a local user's credentials, you need to log in to the system on which the user was created and make the changes there. On the other hand, changes to domain users can be made from any domain-connected machine with the right software and the necessary rights. The changes only need to be made once.
    Hope this helps.

  • How can I use PowerShell 3.0 cmdlets or script to list all the local groups and local users of a server?

    Using PowerShell 3.0 (and if possible the CIM, not WMI, cmdlets), how can I write a script with the | Out-File C:\<filename>.txt or .csv option to list all local user accounts and local groups on remote computers?
    Thank You!

    I don't recall PowerShell V3 introducing anything new to handle local users and groups. You need to use PowerShell V1 methods, using the [ADSI] accelerator and the WinNT: provider. The scripts linked above show this. No need to use WMI (which would probably be slower).
    Here is a script I've used to enumerate all local groups and their members:
    # Bind to the local SAM of the target computer through the WinNT: ADSI provider
    $ComputerName = "MyServer"
    $Computer = [ADSI]"WinNT://$ComputerName"
    # Child objects of the computer include users and groups; keep the groups
    $Groups = $Computer.psbase.Children | Where-Object { $_.psbase.schemaClassName -eq "group" }
    ForEach ($Group In $Groups)
    {
        "Group: " + $Group.Name
        # Members can be local users, domain users or domain groups
        $Members = @($Group.psbase.Invoke("Members"))
        ForEach ($Member In $Members)
        {
            # The members are COM objects, so read their properties through InvokeMember
            $Class = $Member.GetType().InvokeMember("Class", 'GetProperty', $Null, $Member, $Null)
            $Name  = $Member.GetType().InvokeMember("Name",  'GetProperty', $Null, $Member, $Null)
            "-- Member: $Name ($Class)"
        }
    }
    A similar script to enumerate all local users would be:
    $ComputerName = "MyServer"
    $Computer = [ADSI]"WinNT://$ComputerName"
    $Users = $Computer.psbase.Children | Where-Object { $_.psbase.schemaClassName -eq "user" }
    ForEach ($User In $Users)
    {
        "User: " + $User.Name
    }
    Richard Mueller - MVP Directory Services

  • Domain users and local users can't login to reporting service web environment

    Hello,
    We installed Reporting Services at one of our customers but aren't able to use domain users to log in. We've tried to log in with a domain user and with a local user, but neither works. We set the proper permissions for the users on the report folders.
    We can only log in with the built-in administrator account on the local URL: http://servername/reports
    How can we allow login with domain users on other Report Manager URLs?

    Below link may be helpful,
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
    Regards, RSingh

  • Vsftpd: How to mix virtual and local users for pam?

    Hello,
    I've been stumped on this for many days; I hope someone can shed some light on it for me.
    vsftpd.conf
    pam_service_name=ftp
    local_enable=YES
    chroot_local_user=YES
    guest_enable=YES
    guest_username=virtual
    virtual_use_local_privs=YES
    /etc/pam.d/ftp
    auth sufficient pam_userdb.so db=/etc/vsftpd_login crypt=hash
    account sufficient pam_userdb.so db=/etc/vsftpd_login crypt=hash
    auth required pam_unix.so
    account required pam_unix.so
    Since /etc/pam.d/vsftpd is missing, I've grabbed some lines from /etc/pam.d/login.
    The thing is that when I log in with a local user, I get chrooted to the virtual home instead. If anyone can give me some advice, that would be great. Thanks.

    *bump*
    cookies for anyone who can answer

  • ACS AAA and LOCAL AAA database...

    Hello,
    We have implemented a 5520 device and configured it for ACS successfully. I also want to have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter in this 5520's configuration so I can have redundancy for AAA. Can someone help with this? TIA, Gary

    Hi ,
    Check this example:
    aaa-server SERVER protocol tacacs+
    aaa-server SERVER host 1.1.1.1
     key $har3dK3y
    This command applies the server group to the vty or console lines:
    aaa authentication ssh console SERVER LOCAL      <--- for SSH sessions
    aaa authentication serial console SERVER LOCAL   <--- for console access
    Hope that helps
    Regards,
    JG~
    Please rate helpful posts

  • Problem with Afaria and LDAP user authentication in Android device

    Hi all,
    I have a server with Afaria 7 (SP4, hotfix 3) installed. On this Afaria there is a tenant (system) without LDAP/AD integration that is working correctly. I need to have another tenant with LDAP integration in which the users must be authenticated.
    I know that for iOS devices it is necessary to reinstall the iphoneserver selecting "Afaria Server managed authentication", but first I want to get the Android devices running. For this reason I haven't done this yet.
    I followed these steps:
    1. Create a new tenant
    2. Configure LDAP integration
    3. Create an inventory policy with authentication required
    4. Create a static group associated with the inventory policy
    5. Create an enrolment policy associated with the static group.
    When I launch the Afaria agent on the device, the user/password parameters are required. After filling in the user/password parameters, the device connects to the server and then the message "user or password incorrect" is shown.
    I have looked at the log and it seems the problem is that Afaria can't authenticate this user.
    I validated that Afaria can "see" the LDAP users by creating a user group that contains this user (JimenM99).
    The problem is authentication, because if I remove "authentication required" from the inventory policy, the device enrols correctly.
    Could you please help to solve this problem?
    Thanks in advance.  

  • INTERNAL and EXTERNAL users authentication via OAM

    Hi ,
    We have a scenario in which a resource is protected by OAM, and we want the internal users in the system to access the resource without authentication; however, at the same time we want the external users to be challenged by OAM for credentials.
    How can such a scenario be implemented?
    Any ideas would be helpful ..
    Thanks
    Sid

    More details (architecture etc.) would be needed to suggest any kind of solution.
    Also, is the content served static or dynamic? If the content is dynamic then the backend component (app) would expect an identity to be propagated to it. This could be a potential issue if internal users won't authenticate.
    If it is static content then you can make use of rewrite rules/rewrite conditions to filter by IP address (internal users should have some IP address range), although you may have to do multiple URL rewrites at the Apache level to bypass authentication.
    Another solution is to implement a zero-sign-on experience via WNA for internal users. WNA takes advantage of the user's login to the desktop. Hope this helps.

  • WLSM and wireless user authentication.

    I'm attempting to put together a solution for wireless security which does NOT include any kind of client configuration or installed supplicant. I want the wifi network to be wide open, no WEP. When users attempt to get on the network they are directed to an SSL-encrypted web interface to enter credentials, which are checked against a RADIUS server. I've been told the new WLSM for the 6500, along with 12.2.15+ code on the WAPs, might have this feature. Can anyone confirm this? I've heard about this in the past as something that Cisco is working on, but didn't think anything had come to fruition yet.
    Thanks,
    -Kyle

    Responding to my own post..
    The solution I was fishing for is a combination of IP-Mobility-enabled WAPs with the WLSM in a central location, then routing them to a SESM-enabled gateway.

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the Active Directory structure.
    We do use the same structure for user IDs.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing with CUCM for users, as well as Contact Center synced for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straightforward. CUCM 9.X supports the coexistence of AD-integrated users and local users, so you don't have to worry about local accounts disappearing if they don't have an AD account. The biggest thing to watch out for is that if you decide to revert for whatever reason, the accounts that were in AD will be marked for deletion (from CUCM, not AD) and will be removed after approximately 24 hours.
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM. This is not necessary for the integration but is good practice in my opinion. I'd also do a full export of your users using BAT so you can re-import users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication, so you only have one username and password to remember, all controlled by AD. To add this, do the following: Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished Name, password and user search base that you used for your integration account earlier under the synchronization section. Also add the same primary and secondary LDAP servers and ports you used earlier.
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!

  • Cisco ip phone and wired user authenticate form ISE

    Hi dears,
    I configured wired user authentication from Cisco ISE. The authentication protocol is EAP-FAST; the external device is the DC. Wired users authenticate from ISE normally. I used the labminutes website's videos for the configuration.
    Now the customer also wants the Cisco phone to be authenticated by ISE. The physical connection is: a cable connects the phone to the switch, and one cable connects the PC to the phone (standard physical connection).
    I created a new authentication policy using MAB, and a new authorization policy.
    The problem is: the phone authenticates normally, but when the wired user tries to authenticate, it cannot.
    Can someone provide me a best-practice configuration on ISE and the switch for phone and wired user authentication, or tell me the source of the problem?
    Thanks.

    interface GigabitEthernet1/0/48
     switchport access vlan 10
     switchport mode access
     switchport voice vlan 14
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 20
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    Do you need the ISE configuration?

  • Basic User Authentication

    I'm a Dreamweaver beginner, and am trying to create a user account creation page. I've created the basic form and applied "User Authentication->Check New Username" (checking for the username field in my database). The problem I'm having is that while I was able to successfully create one account, all subsequent account creation attempts are unsuccessful and take me back to my "If already exists..." page. This seems like a simple thing, and in fact there aren't too many options that I can try to get this working. Yet I'm still stumped.
    Any ideas?

    Sorry for not including this initially.  Here's the full code module for my Sign Up page.
    <?php require_once('Connections/iband_db.php'); ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
    // Dreamweaver helper: escape a value and quote it according to its type.
    // Note: this relies on the mysql_* extension, which only exists in PHP < 7.
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }

    // *** Redirect if username exists
    $MM_flag="MM_insert";
    if (isset($_POST[$MM_flag])) {
      $MM_dupKeyRedirect="taken.php";
      $loginUsername = $_POST['username'];
      // Compare against the username column as text. Casting a non-numeric
      // username with intval() gives 0, so a check on "id" would match the
      // first account created and every later sign-up would look like a duplicate.
      $LoginRS__query = sprintf("SELECT username FROM user_profile WHERE username=%s", GetSQLValueString($loginUsername, "text"));
      mysql_select_db($database_iband_db, $iband_db);
      $LoginRS=mysql_query($LoginRS__query, $iband_db) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      //if there is a row in the database, the username was found - can not add the requested username
      if($loginFoundUser){
        $MM_qsChar = "?";
        //append the username to the redirect page (URL-encoded, since it is user input)
        if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
        $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".urlencode($loginUsername);
        header ("Location: $MM_dupKeyRedirect");
        exit;
      }
    }

    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
      $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }

    if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
      // The id column is left out so the database assigns it (assumes an
      // AUTO_INCREMENT primary key rather than intval() of the username).
      // The password is stored as a hash, never in clear text; the matching
      // login page must then check it with password_verify() (PHP 5.5+).
      $insertSQL = sprintf("INSERT INTO user_profile (first_name, last_name, username, password, email_address) VALUES (%s, %s, %s, %s, %s)",
                           GetSQLValueString($_POST['first_name'], "text"),
                           GetSQLValueString($_POST['last_name'], "text"),
                           GetSQLValueString($_POST['username'], "text"),
                           GetSQLValueString(password_hash($_POST['password'], PASSWORD_DEFAULT), "text"),
                           GetSQLValueString($_POST['email_address'], "text"));
      mysql_select_db($database_iband_db, $iband_db);
      $Result1 = mysql_query($insertSQL, $iband_db) or die(mysql_error());

      $insertGoTo = "index.php";
      if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
      }
      header(sprintf("Location: %s", $insertGoTo));
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Sign Up Page</title>
    </head>
    <body>
    <h1>Sign Up!</h1>
    <form id="form1" name="form1" method="POST" action="<?php echo htmlspecialchars($editFormAction); ?>">
      <p>
        <label>First Name:
          <input type="text" name="first_name" id="first_name" />
        </label>
    </p>
      <p>
        <label>Last Name:
          <input type="text" name="last_name" id="last_name" />
        </label>
      </p>
      <p>
        <label>Username:
          <input type="text" name="username" id="username" />
        </label>
      </p>
      <p>
        <label>Password:
          <input type="password" name="password" id="password" />
        </label>
      </p>
      <p>
        <label>Email:
          <input type="text" name="email_address" id="email_address" />
        </label>
      </p>
      <p>
        <label>
          <input type="submit" name="button" id="button" value="Sign Up" />
        </label>
      </p>
      <input type="hidden" name="MM_insert" value="form1" />
    </form>
    <p> </p>
    </body>
    </html>

  • My start up disk not displayed nor is my local(user) in my Finder OSX 10.8???

    I started my Mac Pro like always, and today my OS disk and local user folder are not in my Finder under Users or Devices. Really confused as to why. I did not do a thing to the system and it should not be like this. I even ran a verify disk in Disk Utility and of course all is fine, and the disk is there. ANY help much appreciated!

    Backup/clone the system (ideally you have a clone of your boot system drive from before). Have you used ML Recovery Mode?
    Don't just verify from the disk you are currently running off.
    Do a Safe Boot as well.
    General Tips on cloning
    Using Cloning as a Backup Strategy
    http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
    http://www.bombich.com/software/updates/ccc-3.5.html
    OS X Lion Install to Different Drive
    How to create an OS X Lion installation disc MacFixIt
    Migration Assistant Update for Mac OS X Snow Leopard
    http://www.apple.com/support/lion/installrecovery/
    Create an OS X Lion Install disc
    http://reviews.cnet.com/8301-13727_7-20080989-263/how-to-create-an-os-x-lion-installation-disc
    How to clone your system:
    http://macperformanceguide.com/Mac-HowToClone-backup.html
    http://macperformanceguide.com/Mac-HowToClone.html
    http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
    http://www.macperformanceguide.com/blog/2012/20120711_2-MacPro-internal-clone-backup.html
