ACE and TACACS+ auth

I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices.  I have all the routers and switches working just fine, but am having issue with getting the ACE to use TACACS.  I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine.  I found in some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content below.  I know the AAA is working with this TACACS server as the accounting functions properly.
ACE AAA
tacacs-server host 10.1.0.202 key 7 <removed>
aaa group server tacacs+ TAC_AUTH
  server 10.1.0.202
aaa authentication login default group TAC_AUTH local
aaa authentication login console group TAC_AUTH local
aaa accounting default group TAC_AUTH local
tac_plus.conf
# Accounting Logs
accounting file = /data/tacacs.log
# Server Key
key = <removed>
# ACL
acl = auth_routers {
                      permit = .*
# Groups
group = admin {
    login = file /etc/passwd
    acl = auth_routers
    service = exec {
                     optional shell:Admin = "Admin default-domain"
# Users
user = admin1 {
     default service = permit
     member = admin
user = admin2 {
     default service = permit
     member = admin
user = admin3 {
     default service = permit
     member = admin

Anyone?

Similar Messages

  • ACS SE and TACACS auth

    Hi,
    I have added the ACS SE 4.2 to MARS 6.2 using the device template included but when I go to use it in the AAA authentication configuration page it is not listed, I can not add it again as it says the object already exists, any ideas.

    If you have MacOS X Server, you could simply configure ACS to talk to the OS X LDAP server.
    Too easy. :-)
    -colin.

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA Tacacs users to login into the
    ACE over the context with superuser ritghts.
    Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
    ‑> enable Custom attributes ‑> right below this part you need to
    use the following sintax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default‑domain
    Where this user will have access to the Admin context with the role
    admin using the 'default‑domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile select the Custom Attributes tab and put in the following fields close to the bottom of the screen, from the example you provided type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional, if you select mandatory and other IOS devices use this same shell profile you will force this av pair to these devices also which will impact the priv levels that then need for authentication.
    After you add this attribute, save your changes and then test, also make sure that your Aceess Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • RDP with 802.1x, machine and user auth and dynamic VLAN

    Hi,
    we have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. Operating system is Windows 7. With Windows XP, it works just fine.
    When we try to connect to the 802.1x auth desktop with RDP (desktop is machine authenticated, no user is logged in), we are able to authenticate but as soon as VLAN and IP address changes according to user authentication profile, RDP session is terminated. It is not just disconnected but remote user is logged out and AnyConnect reverts 802.1x session back to machine VLAN. We cannot login with RDP and just loop between machine-user-machine authentication.
    With this behavior the TermDD message (ID 56) can be seen in system log. Following the response 
    http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
    , I was able to get rid of TermDD message but I still loop in machine-user-machine authentication.
    The following is TermDD message:
    +
    System
    Provider
    [  Name]
    TermDD
    EventID
    56
    [  Qualifiers]
    49162
    Level
    2
    Task
    0
    Keywords
    0x80000000000000
    TimeCreated
    [  SystemTime]
    2013-06-10T09:25:28.515308700Z
    EventRecordID
    26643
    Channel
    System
    Computer
    XTCSSPWA03.cen.csint.cz
    Security
    EventData
    \Device\Termdd
    10.190.64.208
    0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000410200D0
    Binary data:
    In Words
    0000: 00040000 002C0002 00000000 C00A0038 
    0008: 00000000 C00A0038 00000000 00000000
    0010: 00000000 00000000  D0000241
    In Bytes
    0000: 00 00 04 00 02 00 2C 00    ......,.
    0008: 00 00 00 00 38 00 0A C0   ....8..À
    0010: 00 00 00 00 38 00  0A C0   ....8..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00  00 00 00 00 00   ........
    0028: 41 02 00 D0               A..Ð
    Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
    3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
    3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
    3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
    3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
    3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
    3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
    3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
    3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
    3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
    3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
    3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      08 06                                                .. (cimdIo.cpp 2159)
    3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  pEthTypes data follows ... (cimdIo.cpp 2273)
    3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      06 08                                                .. (cimdIo.cpp 2273)
    3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
    3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
    3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
    3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
    3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
    3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
    3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
    3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
    3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
    3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
    3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
    3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
    3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
    3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
    3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
    80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body>  <networkStateEvent>   <sequenceNumber>19</sequenceNumber>   <groupName>Local networks</groupName>   <networkName>CS-wired-pass</networkName>   <networkState>AcquiringIpAddress</networkState>   <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName>   <serverVerifiedName>ise-2.csint.cz</serverVerifiedName>  </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
    3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
    3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
    3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)      00 00 00 00 FF FF FF FF  FF FF D4 85 64 B8 43 61     ........ ....d.Ca      08 06 00 01 08 00 06 04  00 01 D4 85 64 B8 43 61     ........ ....d.Ca      0A BE 5F 4A 00 00 00 00  00 00 0A BE 40 01 00 00     .._J.... ....@...      00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00     ........ ........ (cimdIo.cpp 2159)
    3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
    3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
    3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
    3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
    3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
    2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
    5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
    6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
    9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
    10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
    11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
    12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
    13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
    18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
    21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
    22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
    25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
    26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
    27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
    28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
    29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
    30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00)  CreateInstance calling CoCreateInstance on MS password cred prov
    31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
    36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
    37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
    38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
    39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
    3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
    3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
    3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
    3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
    3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
    3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
    3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
    89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
    If we do not change VLAN from machine to user, it works just fine.
    Have anybody seen this problem? Have anybody fixed it?
    Thanx, Martin

    Hi,
    unfortunately not.
    I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
    1) AnyConnect performs EAPol logoff when it detects RDP session termination. So it goes from user to machine authentication
    2) Windows 7 performs RDP session termination when IP address changes due to the change of VLAN (from machine VLAN to user VLAN)
    Cisco claims that AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of RDP session).
    I can imagine that Cisco can detect whether RDP session was terminated due to the IP address change or not and do not revert back to machine authentication in such a case.
    In fact there was nobody at Cisco that was willing to listen to me or accept this like something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect does not send EAPol logoff if it detects RDP session termination and you can establish another RDP session which does not fail and you stay connected with RDP.
    Martin

  • ACE with TACACS+ Issue

    Trying to get ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
    The "optional" syntax does not work. Any idea if the argument is valid for the ACS version ?
    service=exec
    optional shell:Admin=Admin domain
    Tried it with quotations but that didn't work either.

    Hi,
    Here is a reference doc for configuring ACE for Tacacs+ authentication,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/security/guide/aaa.html#wp1321891
    Under custom attribute for Tacacs+ we need to specify attribute as,
    shell:Admin*ADMIN MYDOMAIN1
    = means mandatory attribute
    * means optional
    Information on context/role/domain (Virtualization on ACE):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/virtualization/guide/ovrview.html
    Default "role" on ACE:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/virtualization/guide/ovrview.html#wp1051297
    HTH
    JK
    Plz rate helpful posts-

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to setup ACE Modules for TACACS+ and AAA autentication whereby the Failed Authentication reports, state the reason as "Key Mismath".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assitance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issueing the command.
    On the point of the show run revealing the something encrypted instead of the actual TACACS key, this is not what we see, we see the actual key we entred.
    This is my concern.
    We managed to get his working by checking on the production ACE modules and production ACS, using the "encryped" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, securiy requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encyption of the key we enter itself.
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • TACACS AUTH with SSR on SRW

    I have an SRW2008 and i'm using the super-secret lcli interface. I have tacacs+ auth working with the ip https interface and I have SSH working, but I can't seem to authenticate the SSH via tacacs. Here's the config:
    ip http authentication tacacs local
    ip https authentication tacacs local
    enable password level 15 *** encrypted
    username admin password *** level 15 encrypted
    username localuser password *** encrypted
    ip ssh server
    no ip http server
    tacacs-server host x.x.x.x key *** source y.y.y.y
    tacacs-server source-ip x.x.x.x
    Adding this line breaks authentication via the menu system altogether:
    aaa authentication login default tacacs local
    Anyone have this working?

    I can login via LCLI when the tacacs+ doesn't respond, but with tacacs up, i can't get the enable password to authenticate:
    aaa authentication enable default tacacs enable
    aaa authentication login default tacacs local
    enable password level 15 *** encrypted
    username admin password *** level 15 encrypted
    username localuser password *** encrypted
    anyone know how to get this to work?
    Message Edited by chunt on 09-14-2008 03:48 PM

  • Urgent!!! Cisco ACE and asymetric routing assistance needed

    I am wondering if someone can give me pointers on the cisco ACE
    and asymetric routes. I've attached the diagram:
    -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
    -Firewall External interface is 192.168.15.1/24,
    -Firewall Internal interface is 192.168.192.1/24,
    -F5_BigIP External interface is 192.168.192.4/24,
    -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
    -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
    -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
    pointing to the F5_BigIP,
    -host_y is dual-home to both VLAN_A and VLAN_B with the default
    gateway on host_y pointing to VLAN_A which is 192.168.196.1,
    -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
    of 192.168.196.10 and 192.168.197.10.
    In other words, from host_x, when I try to connect to host_y
    via IP address of 192.168.197.10, the traffics will go through VLAN_B
    but the return traffics will go through VLAN_A. Everything
    is working perfectly for me so far.
    Now customer just replaces the F5_BigIP with Cisco ACE. Now,
    I could not get it to work with Asymetric route with Cisco ACE. In
    other words, from host_x, I can no longer ssh or telnet to host_y
    via IP address of 192.168.197.10.
    Anyone knows how to get asymetric route to work on Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client nat on ACE using different nat pool.
    Gilles.

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
    "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
    What I tried so far is..
    add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
    changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
    changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these
    troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck
    DHCP Required
    on the WLAN and
    give the wireless client a static IP address. This assumes association with the access point. Refer to
    the
    IP addressing issues
    section of
    Troubleshooting Client Issues in the Cisco Unified Wireless
    Network for troubleshooting DHCP related issues
    1.
    On WLC versions earlier than 3.2.150.10, you must manually enter
    https://1.1.1.1/login.html
    in
    order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
    connects to a WLAN configured for web authentication, the client obtains an IP address from the
    DHCP server. The user opens a web browser and enters a website address. The client then performs
    the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
    website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
    authentication login page.
    2.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
    Windows, choose
    Start > Run
    , enter
    CMD
    in order to open a command window, and do a  nslookup
    www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
    address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is
    http://198.133.219.25)

    Try to directly reach the controller's webauth page with
    https:///login.html. Typically this is http://1.1.1.1/login.html.

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
    be a certificate problem. The controller, by default, uses a self−signed certificate and most web
    browsers warn against using them.
    3.
    For web authentication using customized web page, ensure that the HTML code for the customized
    web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For
    example, for the 4400 controllers, choose
    Products > Wireless > Wireless LAN Controller >
    Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
    LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
    Bundle−1.0.1
    and download the
    webauth_bundle.zip
    file.
    These parameters are added to the URL when the user's Internet browser is redirected to the
    customized login page:
    4.
    ap_mac The MAC address of the access point to which the wireless user is associated.

    switch_url The URL of the controller to which the user credentials should be posted.

    redirect The URL to which the user is redirected after authentication is successful.

    statusCode The status code returned from the controller's web authentication server.

    wlan The WLAN SSID to which the wireless user is associated.

    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."

    Status Code 2: "You are not configured to authenticate against web portal. No further action
    is required on your part."

    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
    already logged into the system?"

    Status Code 4: "You have been excluded."

    Status Code 5: "The User Name and Password combination you have entered is invalid.
    Please try again."

    All the files and pictures that need to appear on the Customized web page should be bundled into a
    .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
    login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
    Authentication Configuration Example for more information on how to create a customized web
    authentication window.
    Note:
    Files that are large and files that have long names will result in an extraction error. It is
    recommended that pictures are in .jpg format.
    5.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
    Other browsers may or may not work.
    6.
    Ensure that the
    Scripting
    option is not blocked on the client browser as the customized web page on
    the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    7.
    Note:
    The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
    messages for the user.
    Note:
    If you browse to an
    https
    site, redirection does not work. Refer to Cisco bug ID CSCar04580
    (registered customers only) for more information.
    If you have a
    host name
    configured for the
    virtual interface
    of the WLC, make sure that the DNS
    resolution is available for the host name of the virtual interface.
    Note:
    Navigate to the
    Controller > Interfaces
    menu from the WLC GUI in order to assign a
    DNS
    hostname
    to the virtual interface.
    8.
    Sometimes the firewall installed on the client computer blocks the web authentication login page.
    Disable the firewall before you try to access the login page. The firewall can be enabled again once
    the web authentication is completed.
    9.
    Topology/solution firewall can be placed between the client and web−auth server, which depends on
    the network. As for each network design/solution implemented, the end user should make sure these
    ports are allowed on the network firewall.
    Protocol
    Port
    HTTP/HTTPS Traffic
    TCP port 80/443
    CAPWAP Data/Control Traffic
    UDP port 5247/5246
    LWAPP Data/Control Traffic
    (before rel 5.0)
    UDP port 12222/12223
    EOIP packets
    IP protocol 97
    Mobility
    UDP port 16666 (non
    secured) UDP port 16667
    (secured IPSEC tunnel)
    10.
    For web authentication to occur, the client should first associate to the appropriate WLAN on the
    WLC. Navigate to the
    Monitor > Clients
    menu on the WLC GUI in order to see if the client is
    associated to the WLC. Check if the client has a valid IP address.
    11.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    12.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
    RADIUS server for this to work. In order to check the status of client authentication, check the
    debugs and log messages from the RADIUS server. You can use the
    debug aaa all
    command on the
    WLC to view the debugs from the RADIUS server.
    13.
    Update the hardware driver on the computer to the latest code from manufacturer's website.
    14.
    Verify settings in the supplicant (program on laptop).
    15.
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.

    Run debugs on supplicant.

    16.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
    > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
    will be located in C:\Windows\tracing.
    17.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    18.
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
    Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh−appgw enable
    debug pm ssh−tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh−engine enable packet

  • It's my 3000 post – Oracle ACE and Oracle employees

    Hello,
    So, this is my post number 3000. In this forum, it’s not so unique, but still I decided to dedicate it to the subject of Oracle ACE and Oracle employees.
    Recently, Joel blogged about Carl awarded Oracle ACE (http://joelkallman.blogspot.com/2009/02/carl-backstrom-oracle-ace.html), after special efforts made by Sharon, because “the folks at the Oracle Technology Network decided that Oracle employees could no longer be awarded the ACE designation”. I truly wish I could write that Carl is a living proof of this decision being misguided. Unfortunately, I can’t. However, Carl’s case paints the situation in strong colors. Only after his death, Carl was honored with something that I’m sure seems so obvious to most of us.
    I’m thinking that if this decision, not to award Oracle employees with Oracle ACE, was made sooner, people like Scott and Joel would not have awarded Oracle ACE, not to mention Tom Kyte, and probably others I’m not familiar with. Scott and Joel deals with APEX all day long, as part of their job, and this forum is not part of their day job description. Still, they find the time to help us all. Just look at the post counter of Scott. I’m amazed each time I see it. Scott, with all his experience, doesn’t limit himself to only the most complicated issues. You can see his replies, to the most basic issues, almost every day. Joel never failed helping me, and many others on this forum, every time there is an issue only he can help with. Scott and Joel were lucky, and have been awarded Oracle ACE, prior to this decision. Carl was less lucky, and as Joel wrote, I can’t think of anyone who better represent the true meaning and spirit of the Oracle ACE program.
    The point I’m trying to make is that Oracle ACE should not be left for luck and timing, or place of work, for that matter. I’m sure that the OTN folks had best intensions when making this decision. I can understand that people might suspect favoritism toward Oracle employees; however, the solution shouldn’t be the easy one – no to every Oracle employee.
    While writing, I can think of Tyler. He’s no longer a member of the APEX team, but we can still enjoy his wisdom and experience on this forum, not to mention his APEX dedicated blog entries, were he covers special and more complex aspects of working with this tool. I don’t know if Tyler qualifies to become Oracle ACE (and, of course, I’m only using him as an example) but it seems wrong to me not to even consider it, just because he happens to work for Oracle. I’m sure there are others like Tyler, in the other forums. I believe that this kind of behavior, by Oracle employees, should be encouraged, and not taken for granted. Certainly, they shouldn’t be penalized.
    So, what all of this has to do with my 3000 posts? I believe I earned the right to call myself a frequent poster on this forum. As such, I know how time consuming this forum can be, not to mention the hard and tedious job of keep repeating the same answers to the same questions, keep pointing to old references, and such. So, I want to take this opportunity to thank all the active participants of this forum, Oracle employees and others. In spite of all the hardship, this forum can also be very rewarding, and at least for me, a very educated experience. I learned a lot in my attempts to help others. I can all heartedly recommend it to everyone who enjoys helping others, and enriching him /her self in the process.
    Regards,
    Arie.

    If I understand you correctly, you ought to reinstall. At this point, even if you're able to resurrect this installation, it might be severely unstable. Mostly because of my proclivity for messing around with settings until I screw something up, I have a tremendous amount of experience with the recovery console, and my success rate is not inspiring. If you have data you need on the drive, your best course of action is to reinstall to a different boot drive, and once you’re able to boot, archive the files you want from the corrupted installation. Then you can wax both drives, restore the data and get everything back the way you want it. Getting your data back from the recovery console is basically a lost cause since it doesn't support wildcards (as in, you'd have to copy every freaking file one at a time).
    I re-read the above paragraph, and it's not the clearest thing I've ever written, so if you need clarification on anything, let me know.

  • HTTP Basic Auth and Proxy Auth

    Hi,
    i have a problem with the authentication against a proxy server and against a content provider. At first I have to authenticate against the proxy to get "free internet". The next step is to authenticate against the content provider to get a html or xml file.
    The following source code runs very good in Eclipse, i.e. as JUnitTest. But If I execute the same code within a weblogic server, I will get an error (not authenticated). I believe I get this message from the content provider and not from the proxy because If I test this code within the weblogic server and with no authentication (i.e. google needs no authentication), I will get a valide xml/html file.
    StringBuffer sb = new StringBuffer();
              SimpleAuthenticator simple = new SimpleAuthenticator("joeuser","a.b.C.D"); //from openbook
              Authenticator.setDefault(simple);
              String strUrl = "http://www.rahul.net/joeuser/";
              URL url = null;
              try {
                   url = new URL(strUrl);
              } catch (MalformedURLException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              URLConnection conn = null;
              InetSocketAddress addr = new InetSocketAddress("proxy.domain",8080);
              Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
              try {
                   conn = url.openConnection(proxy);
              } catch (IOException e) {
                   // TODO Auto-generated catch block
                   e.printStackTrace();
              String proxyStr = "username" + ":" + "passwordl";
              String encoded = new String(Base64.encodeBase64(proxyStr.getBytes()));
              conn.setRequestProperty("Proxy-Authorization", "Basic " + encoded);
              // get http status code which is located in header field 0
              String status = conn.getHeaderField(0);
              if (status.contains("200")) {
                   BufferedReader in = null;
                   try {
                        in = new BufferedReader(new InputStreamReader(conn.getInputStream(),
                                  "ISO-8859-1"));
                        String inputLine;
                        while ((inputLine = in.readLine()) != null) {
                             sb.append(inputLine);
                        in.close();
                   } catch (UnsupportedEncodingException e) {
                        // TODO Auto-generated catch block
                        e.printStackTrace();
                   } catch (IOException e) {
                        // TODO Auto-generated catch block
                        e.printStackTrace();
              else {
                   System.out.println("Error");
              System.out.println(sb.toString());
    public class SimpleAuthenticator
    extends Authenticator
         private String username,
         password;
         public SimpleAuthenticator(String username,String password)
              this.username = username;
              this.password = password;
         protected PasswordAuthentication getPasswordAuthentication()
              return new PasswordAuthentication(
                        username,password.toCharArray());
    Does somebody know a solution? I need the authentication against proxy and content provider in "one application".
    Thank you very much,
    André

    I typically have used Apache Commons HttpClient for anything but trivial URL connections, and especially when combining both basic auth and proxy auth. When you use it, be aware of the "preemptive authentication" flag. One server I worked with didn't send the correct parameters back on particular requests, so I had to turn on this flag to get it to work.

  • AP350 with LEAP and MAC-Auth

    Hi,
    is there any solution for this?
    I'd like to do LEAP and MAC-Auth with Microsoft IAS-Server instead of Cisco ACS.
    With ACS everything works fine but i have to buy the licences. For IAS i already have them but always 'EAP authentication method is unrecognized'.
    The clients all use W2K Prof.- no XP anywhere, so i can't go to EAP-TLS.
    thanks in advance
    Thomas / Networking admin

    Sorry, but LEAP is today only available on :
    Cisco Secure ACS
    Cisco Access Registrar
    Funk Software Radius
    Interlink Radius

  • AAA and TACACS servers

    Hello All,
    I want to download a free, yet reliable AAA and TACACS servers, can you guide me? Also, I need help with configuring them for study purpose.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Few people are "Oracle ACE" and "Java Champion"

    Few people are "Oracle ACE" and "Java Champion"
    What's whose icon ?:|
    I think that icon should not be only one.
    For instance,I am Pro (I have 570 points) and "Oracle ACE".
    Therefore I hope that My icons are "Pro" and "Oracle ACE".

    BluShadow wrote:
    can't you create an icon with the Java character holding an Ace?It reminds me of award icons (achievements) one gets on Steam and Xbox Live. My favourite - the award of getting a fair number of WW2 tank commanders that pop head-out-of-turret, as an infantry rifleman (with a puny bolt action rifle). Satisfaction getting the commander of a crew that that hides inside the belly of an armoured beast, that tries to turn my comrades and me into roadkill or a 1000 pieces exploding bits (or pixels to be more accurate)... ;-)
    One option here could be a signature line - that lay bares one's claim to fame, knowledge and experience. This is often standardise by community agreement on some web forums (the gamer ones often include clan tags and titles with h/w specs). Or something like GeekCode.
    Never really fancied that myself - but it could be fun putting an Oracle based geekcode together. ;-)

Maybe you are looking for

  • Problem in UD of Inspection Type 04

    Hi Everybody ! When I tried taking UD for some of the lots of type 04, the Inspection Lot Stock tab is not available on the UD screen. I also observed that the Actual Lot Quantity is zero for these lots. If I take UD for these kind of lots, the stock

  • Download error 82...how do I close adobe app. manager?

    I am new to photoshop and after purchasing cc, it will not let me download further because of error code 82 to close Adobe Application Manager. How do I close it? Thanks!

  • Inbox won't display senders names from Contacts list?

    Is there a way to get the iPhone email Inbox to display the sender's name from my Contacts list when the user is on my Contact's list? As it is now, when I go to my Inbox on the iPhone, it shows a list of email addresses instead of the name's of the

  • Sample received from an external agency for testing

    Hi folks, My client is a testing laboratory where they receive samples from external company. Tested results are sent back to the customer along with a test certificate and is billed for the testing carried out. I have two things to clarify 1) how is

  • 11g New features to restore entire schema for 4 to 5 days back.

    please help with 11g New features to restore entire schema for 4 to 5 days back by enabling FRA or FRA with archive in 11.2.0.2 database.