AAA and local user authentication
Hi,
I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
But I want to know if it is possible to use local users even when the AAA server is reachable. Something like first it checks the local users databse and if the user does not exists then fallback to AAA or vice versa.
Thanks.
Ismail, the authentication method you define act as a service. So only when the service is not avilable the method fallback to the next methond you define.
So in your case if the user account is not present in the local data base it will not fallback to aaa server.
aaa authentication login default local group radius
The same holds true if the user account is not there in the aaa server
aaa authentication login default group radius local
Only when the aaa server is not responding (service downe or not reachable) it will fallback to the local database.
Hope this helps!
Similar Messages
-
Nexus 7000 aaa and local authentication
Hello,
I tried to configure aaa (with radius) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
Radius authentication is working fine(!), but I can't Login with a local created user (role vdc-Operator).
Any help is highly appreciated.
Kind regards,
AndreasHi,
yes, I know that the fallback will jump in when no radius-Server responds, but I need the behaviour like the 6500'er (or 4500) act.(btw. local login works if radius is disabled, or local is the default, but if local is the default, radius Login no longer works) - Only one of the method at a time works.
On the 6500 I configured aaa with Windows NPS-Server and a local user (e.g. for the Cisco-LMS). This works fine. Even if the radius server is available, i can log into the device (via ssh) with the locally defined user-account.
What I miss is a kind of the command:
"aaa authentication login default local group radius"
"aaa authentication enable default enable"
(which works on the WS-C6509 or WS-C4500X).
Is there any chance to get this work on the Nexus7000?
Kind regards,
Andreas -
CSM 3.1 local user authentication problem
Hi every one.i have strange problem with local user authentication.in our csm i have configured csm to auhenticate users using TACACS+ from our acs server which every thing is ok about this configurtion but also i have configured fall back authentication for user admin.here is the problem even when connection to ACS server is ok and server can send authentication requests to ACS we can authenticate with ACS and Local admin which i think this is wrong because using local admin is configured as fallback.so what do you think about this problem which CSM authenticates users with ACS and local database same time??
You probably need to go under the system context and create the interface and also allocate vlans to it in CSM before you configure the context itself.
I hope it helps.
PK -
Difference between AD domain user and local user
Hello, I think the title is self explanatory. I am trying to figure out difference between AD domain user and local user. SAP Help wasnt very helpful.
Thanks.Hi,
It's about where the user accounts are kept. Domain users are users that are entered into the domain users group on a domain controller. These domain users can be centrally managed at the server. Whereas the local users are the users created in the local system.
In BPC, you can select users from either of them or in combination as well. However, If you want to make change in the local user credentials, you need to login to the system in which the user has been created and make the changes there. On the other hand, changes to domain users can be made from any domain connected machine with the right software and the necessary rights. The changes only need to be made once.
Hope this helps. -
Using PowerShell 3.0 (And if possible the CIM, not WMI cmdlet), how can I script with | out-file C:\<filename>.txt or .csv option to list all local user accounts & local groups
on remote computers?
Thank You!I don't recall PowerShell V3 introducing anything new to handle local users and groups. You need to use PowerShell V1 methods, using the [ADSI] accelerator and the WinNT: provider. The scripts linked above show this. No need to use WMI (which would probably
be slower).
Here is a script I've used to enumerate all local groups and their members:
$Computer
= "MyServer"
$Computer =
[ADSI]"WinNT://$Computer"
$Groups =
$Computer.psbase.Children | Where {$_.psbase.schemaClassName
-eq "group"}
ForEach ($Group
In $Groups)
"Group: "
+ $Group.Name
$Members
= @($Group.psbase.Invoke("Members"))
ForEach ($Member
In $Members)
$Class
= $Member.GetType().InvokeMember("Class",
'GetProperty', $Null,
$Member, $Null)
$Name
= $Member.GetType().InvokeMember("Name",
'GetProperty', $Null,
$Member, $Null)
"-- Member: $Name ($Class)"
A similar script to enumerate all local users would be:
$Computer
= "MyServer"
$Computer =
[ADSI]"WinNT://$Computer"
$Users =
$Computer.psbase.Children | Where {$_.psbase.schemaClassName
-eq "user"}
ForEach ($User
In $Users)
"User: "
+ $User.Name
Richard Mueller - MVP Directory Services -
Domain users and local users can't login to reporting service web environment
Hello,
We installed reporting services at one of our customers but aren't able to use domain users to login. We've tried to login with a domain user, a local user but both aren't working. We set the proper permissions for the users on the reports folders.
We can only login with the buildin/administrator account on the local url: http://servername/reports
How can we allow login with domain users on other report manager url's?Below link may be helpful,
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/623da309-21fa-42a8-905f-1424144a347d/setting-up-a-user-in-ssrs?forum=sqlreportingservices
Regards, RSingh -
Vsftpd: How to mix virtual and local users for pam?
Hello,
I've been stumped on this for many days, hope someone could shed some light for me.
vsftpd.conf
pam_service_name=ftp
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES
/etc/pam.d/ftp
auth sufficient pam_userdb.so db=/etc/vsftpd_login crypt=hash
account sufficient pam_userdb.so db=/etc/vsftpd_login crypt=hash
auth required pam_unix.so
account required pam_unix.so
since /etc/pam.d/vsftpd is missing, I've grabbed some from /etc/pam.d/login
The thing is that, when I login with local user, I got chrooted to virtual home instead. If anyone can give me some advice, that would be great, thanks.*bump*
cookies for anyone who can answer -
ACS AAA and LOCAL AAA database...
Hello,
We have implimented an 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server went down. I am having trouble finding documentation for the syntax I need to enter on this 5520 device configuration so I can have redundacy for AAA...can some help with this? TIA, GaryHi ,
Check this example
aaa-server SERVER protocol tacacs+
aaa-server SERVER host 1.1.1.1
key $har3dK3y
This command applies the server group to the vty or
console lines:
==========
aaa authentication ssh console SERVER LOCAL <---
For SSH sessions
aaa authentication serial console SERVER LOCAL
<--- For console access
Hope that helps
Regards,
JG~
Please rate helpful posts -
Problem with Afaria and LDAP user authentication in Android device
Hi all,
I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
I follow the next steps:
1-Create a new tenant
2- Configure LDAP integration
3-Create a inventory policy with authentication required
4-Create a static group associated to the inventory policy
5-Create a enrolment policy associated to the static group.
When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
I have seen the log and seem the problem is that Afaria can't authenticate this user.
I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
Could you please help to solve this problem?
Thanks in advance.Hi all,
I have a server with Afaria 7 (SP4, hotfix3) installed. In this Afaria there is a tenant (system) without LDAP/AD integration working correctly. I need to have other tenant with LDAP integration in which the users must be authenticated.
I know that for iOS devices is necessary reinstall the iphoneserver selecting "Afaria Server managed authentication" but at first I want to make run the Android devices. For this reason I don't do this yet.
I follow the next steps:
1-Create a new tenant
2- Configure LDAP integration
3-Create a inventory policy with authentication required
4-Create a static group associated to the inventory policy
5-Create a enrolment policy associated to the static group.
When I launch the Afaria agent on the device, the user/password parameters are required. After fill the user/password parameters, the device connect to the server and then is show the message "user or password incorrects".
I have seen the log and seem the problem is that Afaria can't authenticate this user.
I validate that Afaria can "see" the LDAP users creating a user group that contains this user(JimenM99)
The problem is autentication, because if I remove "autentication required" of the inventory policy, the device enrol correctly.
Could you please help to solve this problem?
Thanks in advance. -
INTERNAL and EXTERNAL users authentication via OAM
Hi ,
We have a scenario where in a resource is protected by OAM and we want the internal users in the system to access the resource w/o and authentication , However at the same time we want the external users should be challenged by OAM for credentials .
How to implement such a scenario ?
Any ideas would be helpful ..
Thanks
SidMore details (architecture etc) would be needed to suggest any kind of solution.
Also content served is static or dynamic ? If content is dynamic then backend component (app) would expect identity to be propagated to it. This could be potential issue if internal user wont authenticate.
If it is static content then you can make use of rewrite rules / rewrite conditions to filter ip address (internal users should have some ip address range). Although you may have to do multiple url rewrite at apache level to by pass authentication.
One another solution is to implement zero sign on experience via WNA for internal users. WNA would take advantage of user's login to desktop. Hope this helps. -
WLSM and wireless user authentication.
I'm attempting to put together a solution to wireless security which does NOT include any kind of client configuration or installed supplicant. I want the wifi network to be wide open, no wep. When users attempt to get on the network they are directed to a ssl encrypted web interface to enter credentials checked against a radius server. I've been told the new WLSM for the 6500 along with 12.2.15+ code on the WAP's might have this feature. Can anyone confirm this? I've heard about this in the past, as something that cisco is working on, but didn't think anything had come to fruition yet..
Thanks,
-KyleResponding to my own post..
The solution I was fishing for is a combonation of IP Mobility enabled WAP's with the SLSM in a central location then routing them to a SESM enabled gateway. -
We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
We do utilize the same structure for user ID's.
I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
Thanks
MikeHey Mike,
The process is pretty straight forward. CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account. The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.
I recommend the following if you'd like to move to AD.
Run a DRS backup of CUCM. This is not necessary for the integration but is good practice in my opinion. I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD. Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.
Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts. That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc. If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username.
Create an account in AD that has read-only rights to your directory. Set the password to never expire. You will use this account later for the integration.
In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
Also in CUCM, navigate to the administration page and do the following:
Go to System > LDAP > LDAP System and Check the box to enable Synchronizing. Confirm the LDAP server type and attribute for User ID is accurate. This is typically Microsoft Active Directory and sAMAccountName respectively.
Go to System > LDAP > LDAP Directory
Click Add New
Give it a name (whatever you want).
Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
Enter the password for the account.
Enter the search base. This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain. If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
Select the option to perform a sync with AD on periodic intervals. The lowest interval you can set is every 6 hours.
Select either the telephonenumber or ipPhone field to be used for the user's extensions. This will be whatever you decided and populated in AD in an earlier step.
Add your primary and any backup domain controllers and ports. If they are just domain controllers and you are not using SSL then specify port 389. If they are also global catalog servers then you can do port 3268.
Click Save and Click the "Perform Full Sync Now" button.
I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD. To add this do the following:Go to System > LDAP > LDAP Authentication.
Click Add New
Check the box to use LDAP Authentication
Add the same Distinguished name, passwords and user seach base that you used for your integration account earlier under the synchronization section. Also add the same primary and secondary LDAP servers and ports you used earlier.
Click Save
You can go a step further and create a filter to only pull in the users within the search base you specified and apply that. For example, maybe only pull in users that have their ipPhone field populated. Let me know if you have any questions on that or any of the above.
I hope this helps! -
Cisco ip phone and wired user authenticate form ISE
Hi dears,
I configurate wired users from Cisco ISE. The authentication protocol is Eap-fast, the external device is DC. The wired user authenticate from ISE normally. I use labminutes web sites for configuration video.
Now the customer also want the cisco phone is authenticate from ISE. the physical connection is that: the cable connect to phone from switch. and one cable is connec from phone to pc.(standard physiacl connection.)
I create new authentication policy and use mab, and new authorization police.
The problem is : the phone is authenticate is normally but the wired user want to authenticate but it can not authenticate.
Can someone provide me a best practice configuration on ise and switch for phone and wired user authentication. or please say the source of problem.
Thanks.interface GigabitEthernet1/0/48
switchport access vlan 10
switchport mode access
switchport voice vlan 14
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 20
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
do you need ISE configuration?? -
I'm a Dreamweaver beginner, and am trying to create a user account creation page. I've created the basic form and applied "User Authentication->Check New Username" (checking for username field in my database). The problem I'm having is that while I was able to successfully create one account, all subsequent account creation attempts are unsuccessful and take me back to my "If already exists..." page. This seems like a simple thing, and in fact, there're aren't too many options that I can try to get this working. Yet I'm still stumped.
Any ideas?Sorry for not including this initially. Here's the full code module for my Sign Up page.
<?php require_once('Connections/iband_db.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
return $theValue;
// *** Redirect if username exists
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
$MM_dupKeyRedirect="taken.php";
$loginUsername = $_POST['username'];
$LoginRS__query = sprintf("SELECT id FROM user_profile WHERE id=%s", GetSQLValueString($loginUsername, "int"));
mysql_select_db($database_iband_db, $iband_db);
$LoginRS=mysql_query($LoginRS__query, $iband_db) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
//if there is a row in the database, the username was found - can not add the requested username
if($loginFoundUser){
$MM_qsChar = "?";
//append the username to the redirect page
if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
$MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
header ("Location: $MM_dupKeyRedirect");
exit;
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
$insertSQL = sprintf("INSERT INTO user_profile (id, first_name, last_name, username, password, email_address) VALUES (%s, %s, %s, %s, %s, %s)",
GetSQLValueString($_POST['username'], "int"),
GetSQLValueString($_POST['first_name'], "text"),
GetSQLValueString($_POST['last_name'], "text"),
GetSQLValueString($_POST['username'], "text"),
GetSQLValueString($_POST['password'], "text"),
GetSQLValueString($_POST['email_address'], "text"));
mysql_select_db($database_iband_db, $iband_db);
$Result1 = mysql_query($insertSQL, $iband_db) or die(mysql_error());
$insertGoTo = "index.php";
if (isset($_SERVER['QUERY_STRING'])) {
$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
$insertGoTo .= $_SERVER['QUERY_STRING'];
header(sprintf("Location: %s", $insertGoTo));
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sign Up Page</title>
</head>
<body>
<h1>Sign Up!</h1>
<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
<p>
<label>First Name:
<input type="text" name="first_name" id="first_name" />
</label>
</p>
<p>
<label>Last Name:
<input type="text" name="last_name" id="last_name" />
</label>
</p>
<p>
<label>Username:
<input type="text" name="username" id="username" />
</label>
</p>
<p>
<label>Password:
<input type="password" name="password" id="password" />
</label>
</p>
<p>
<label>Email:
<input type="text" name="email_address" id="email_address" />
</label>
</p>
<p>
<label>
<input type="submit" name="button" id="button" value="Sign Up" />
</label>
</p>
<input type="hidden" name="MM_insert" value="form1" />
</form>
<p> </p>
</body>
</html> -
I started my Mac Pro like always and today my OS disk and local user fole is not in my Finder under users or devices...really confused as to why. I did not do a thing to the system and should not be klike this. I even ran a verify disk in disk utility and of course all fine as well as the disk is there. ANY help much appreciated!
Backup / Clone the system (ideally you have a clone of your boot system drive from before) / Used ML Recovery Mode?
Don't just verify from the disk you are working running off.
Do a Safe Boot as well.
General Tips on cloning
Using Cloning as a Backup Strategy
http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
http://www.bombich.com/software/updates/ccc-3.5.html
OS X Lion Install to Different Drive
How to create an OS X Lion installation disc MacFixIt
Migration Assistant Update for Mac OS X Snow Leopard
http://www.apple.com/support/lion/installrecovery/
Create an OS X Lion Install disc
http://reviews.cnet.com/8301-13727_7-20080989-263/how-to-create-an-os-x-lion-ins tallation-disc
How to clone your system:
http://macperformanceguide.com/Mac-HowToClone-backup.html
http://macperformanceguide.com/Mac-HowToClone.html
http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
http://www.macperformanceguide.com/blog/2012/20120711_2-MacPro-internal-clone-ba ckup.html
Maybe you are looking for
-
Shell Script or Applescript to run disk permissions repair
Tried doing this Applescript in Automator: do shell script "sudo diskutil repairPermissions /" ¬ password "yourAdminPassword" with administrator privileges This works, but the process appears to run without shutting down when it's done. Can anybody
-
How To create new Tabs in Dynamic Region
Hi to All, Im a newbie please help me .Consider I have a two buttons or links on left side of Panel splitter and on right side im having Region/Dynamic Region.My aim is by clicking first button a new Tab should be appeared inside which a bounded task
-
OC4J_HOME and J2EE_HOME settings
hello, i use oracle 10g enterprise edition and oracle application server 10g. i am not able to view the demos in datasource named mvdemo. probably, my problem is classpath settings. i have to configure the classpath settings for OC4J_HOME and J2EE_HO
-
Contact does not show up as imessage
Hey I got an iphone 6 with ios 8.1.3 but never had any problems with imessage. It always works fine. My colleague, who has an iphone 5s (software i'm assuming up to date, both work for a tech company), cannot seem to send me imessages and vice versa.
-
An "error during rendering/encoding" message
Hello, can someone help me? I'm trying to burn a dvd using idvd through imovie. I start to end the rendering of my menus and the message pops up: Error during rendering/encoding There was an error during rendering/encoding of the menus/slideshows. Bu