ACS 4.2 authentication and Privelged exec mode on Test Router.

Similar Messages

• Tacacs+ and User EXEC mode

  I am running tac_plus on linux. I have basic configs in place and operating, but every time I telnet into a device I am presented with the User Exec prompt (router>) and I have to issue the enable command. I want to get set up so that I go straight to my aaa authentication username prompt. My aaa config is:
  aaa new-model
  aaa authentication login default group tacacs+ none
  aaa authentication enable default group tacacs+ enab
  aaa authorization config-commands
  enable secret xxxx
  TIA,
  John

  John
  I have a couple of comments/questions about your situation.
  - have you got a TACACS server configured on the router? if so could you post that part of the config also?
  - is there any sign on the TACACS server that it is getting any authentication request from the router?
  - with this configuration I am surprised that you can access the router. when you configure aaa authentication login default group tacacs+ none, the none means that there is no backup method and if you are not authenticated by the server, I would expect that you would be denied access to the router. I would suggest that it would be better to use aaa authentication login default group tacacs+ line. This will give you the backup method of using the line passwords on console or vty ports.
  - it is possible to configure a different authentication method on the console port or on the vty ports. could you post your configuration of the console and vty ports?
  - it looks like there was a problem with cut and paste on the aothorization command. perhaps you could repost the config with the complete line.
  - if you would run debug tacacs authentication and debug aaa authentication and post any output it might help figure out what is happening in your situation.
  HTH
  Rick

• CISCO 700 and privileged EXEC mode

  Hi!
  I have a CISCO 765 and trying to connect to another 765 and the result of the dailing is
  "L08 1 0498291725 Call Connected
  Connection 11 Add Link 1 Channel 1
  Connection 11 Remove Link 1 Channel 1
  L13 1 Disconnecting Call
  L27 1 Disconnected"
  This dosent say so much so I need to enter the debug mode. But how do I do that on the 765?

  Are you getting any other error messages through the console. Try enabling "debug isdn q931" on the router and check for the reason the call is getting disconnected. Check which end is disconnecting the call. Whether it is the calling side or the called side. This will help in narrowing down the issue.

• ACS 5.1 command authorization in config mode

  Hello all,
  I have setup an ACS 5.1 system and a Cisco 3560 as test device. On the ACS system I have defined a user that will have limited access to Cisco CLI commands (privilege 15 through Shell Profile and limited commands through Command Sets). While this is working great for commands run under enable mode (meaning that the authorization denied the commands that I've specified in the Command Sets), it seems that it's not working under configure mode (e.g. I have denied commands like "router ospf" , "router bgp" , but the user can still apply them).
  Before I've search this forum and found 2 posts:
  https://supportforums.cisco.com/thread/2041611
  https://supportforums.cisco.com/message/3057298
  that suggest to have the AAA configured with:
  aaa authorization config-commands
  I already have this command and it still doesn't work. Actually my entire AAA config looks like this:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  Did I miss something? Do you have any suggestion for me?
  Thank you!
  Calin

  can you run a "debug aaa authorization" to see what happens?

• Machine authentication and MAR not working.

  Hi, I'm using ACS 4.1.23 with MS AD for authentication in a wireless network environment. Users connect to one of the (Suppliers and Employees) SSID's and based on group authorization in AD are allowed to access. The SSID to the Employees network has an additional policy: only registered hosts in AD are allowed. For authentication is the standard MS supplicant used with PEAP-MSCHAPV2 configured.
  According to the Cisco documentation ACS supports Machine Authentication and in combination with MAR, authenticated hosts required before user authentication, is possible.
  BUT, it doesn't work. I do see successful host and user authentication, but the MAR policy doesn't kick in when a user authenticates without host authentication. I was able to turn debug logging for the CSAuth service, giving me the extra information in the AUTH.log.
  I have no clue what is missing or how to troubleshoot from this point on.
  Has anyone got this setup working or help me a step further ?

  Found it !
  Within the MAR configuration, the "host/" definition is required for ACS to identify hosts.
  ACS has the worst GUI of all software I know of ... :-(

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ACS 5.3 Different password for privilege exec mode

  This is what I would like to do for our Core Routers. Not too familiar with ACS, so please excuse me if I don't provide you will all the details.
  Right now I have ACS 5.3 which is tide to Active Directory. When a user logs in they use there AD credentials to access the CLI and use that same password to access privileged exec mode.
  What I want to do is have users log in using their AD credentials like normal but have a unique password to access privileged exec mode, different for each user.
  So far this is what I have done:
  1) Created a test user (same as AD user name) in the Internal Identity Store
  Password Type: Internal Users
  normal password set differently that Enable Password (I think Enable Password will only be relevant)
  2) Created a rule under Access Policies > Device Admin - Commands > Identity
  - Created Rule with Current Condition Set    (TACACS+:Authen-Type match ASCII And (TACACS+:Action match Login AND TACACS+Service match Enable))
  - Identity Source: Internal Users
  When I enable the rule. I can login with my AD credentials, but when I try to access privilege exec mode the password that I created for the local user (regular and enable) does not work.
  Question: Do I need to create a shell profile with Maximum privilege value set to something under 15 for the authorization policy and apply it so it will try and use the internal user's enable password?
  Not to familiar with how this works. One of my co-workers said I needed to demote the users in order for my rule to work.

  Hey Tushar,
  That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifys what I'm trying to do.
  Thanks

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• RSA SecurID authentication and privilege level

  Hello,
  I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
  Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

  Hello.
  Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
  I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

• Allow privilleged users to enter into EXEC mode on login not working with public keys

  Hi,
  I have recently updated one of my Cisco ASA to v9.2(1) and noticed a function to get the perform authorization for exec shell access can do a auto-enable when logging in from ssh.
  The problem is that if I use a private/public key authentication with a user it won't do the auto-enable feature. If I login without keys and using my password, it jumps into privilleged exec mode as it should.
  Anyone else had this issue?
  Config:
  aaa authentication ssh console LOCAL
  aaa authorization exec LOCAL auto-enable
  username user password xxxxxx encrypted privilege 15
  username user attributes
   ssh authentication publickey 22:af:xxxxxx hashed
  Any answer will be highly appreciated. 
  P.S I'm totally new in this forum.

  Would you be able to open a TAC SR and once you do , Email me the SR no and i will look into this issue.
  [email protected]
  Thanks and Regards,
  Vibhor Amrodia

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Two standalone ACS for TACacs authentication

  Dear All,
  I am having a network consists of some 30 routers and I have 2 ACS 5.3 appliances.
  I am planing to configure the acs (a,b) boxes in the standalone mode .
  and i want to configure both the acs as the TACACS server in all my routers
  with ACS A as the primary in some routers and ACS B as the primary in some routers.
  and there is no configuration sync between the ACS boxes.
  Does this setup will have any issue in authentication in case if any of the acs fails ....
  thanks in advance ...
  Selva

  There will be no issue, unless the configuration is not same. My personal opinion distributed deployment is the best method if you are planning to keep more than one ACS with in a domain.

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• How to get ADF authentication and authorization working on server

  I am having an issue with deployment & ADF authentication and authorization.
  From the below testing results, you can see that I am unable to log in when I have deployed my app to my standalone server with both ADF security authentication and authorization turned on. I have included web.xml, jazn-data.xml and the page/server error I am receiving.
  When making an attempt to log in I get the following results:
  Running Locally with ADF Authentication:                                           Works Fine
  Running Locally with ADF Authentication & Authorization:         Works Fine
  Deployed to server with ADF Authentication:                                    Works Fine
  Deployed to server with ADF Authentication & Authorization:  Doesn’t Work
  What I have already tried: Removed all anonymous grants, using the same database credentials as the app user, deploying app twice (on the redeploy not including the login credentials & app policies at the application properties). Various modifications to web.xml e.g. welcomefilelist etc
  JDeveloper Version: 11.1.2.4
  Server Web Logic: 10.3.6
  Server ADF: 11.1.1.16
  Page Error when trying to log in:
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Server error when trying to log in:
  Servlet failed with Exception oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'wpd.mobility.view.pageDefs.homePagePageDef' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
          at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)
          at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:663)
          at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:700)
          at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:531)
          at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:59)
          at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:530)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
          at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:131)
          at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:74)
          at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:447)
          at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:202)
          at javax.faces.webapp.FacesServlet.service(FacesServlet.java:508)
          at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
          at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
          at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
          at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:125)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:468)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:293)
          at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:199)
          at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
          at java.security.AccessController.doPrivileged(Native Method)
          at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
          at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
          at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
          at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
          at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
          at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
          at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
          at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
          at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
          at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
          at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
          at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
  Web.xml
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
           version="2.5">
    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
      <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
      <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Security precaution to prevent clickjacking: bust frames if the ancestor window domain(protocol, host, and port) and the frame domain are different. Another options for this parameter are always and never.</description>
      <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
      <param-value>differentOrigin</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_XML_INSTRUCTIONS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_DECORATORS</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfTagDecorator</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
      <param-value>oracle.adfinternal.view.faces.facelets.rich.AdfFaceletsResourceResolver</param-value>
    </context-param>
    <filter>
      <filter-name>JpsFilter</filter-name>
      <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    </filter>
    <filter>
      <filter-name>trinidad</filter-name>
      <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
      <filter-name>adfBindings</filter-name>
      <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>JpsFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>trinidad</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>adfAuthentication</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
      <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
    </listener>
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>resources</servlet-name>
      <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GraphServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.GaugeServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>MapProxyServlet</servlet-name>
      <servlet-class>oracle.adf.view.faces.bi.webapp.MapProxyServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/Pages/homePage.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <url-pattern>/servlet/GraphServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <url-pattern>/servlet/GaugeServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>MapProxyServlet</servlet-name>
      <url-pattern>/mapproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/bi/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>adfAuthentication</servlet-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </servlet-mapping>
    <mime-mapping>
      <extension>swf</extension>
      <mime-type>application/x-shockwave-flash</mime-type>
    </mime-mapping>
    <mime-mapping>
      <extension>amf</extension>
      <mime-type>application/x-amf</mime-type>
    </mime-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/faces/pages/*.</url-pattern>
        <url-pattern>/faces/*.</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>valid-users</role-name>
    </security-role>
  </web-app>
  Jazn-data.xml
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data.xsd">
    <jazn-realm default="jazn.com">
      <realm>
        <name>jazn.com</name>
        <users>
          <user>
            <name>*****</name>
            <display-name>*******</display-name>
            <description>******</description>
            <credentials>********<credentials>
          </user>
        </users>
        <roles>
          <role>
            <name>support</name>
            <display-name>support</display-name>
            <members>
              <member>
                <type>user</type>
                <name>mobile</name>
              </member>
            </members>
          </role>
        </roles>
      </realm>
    </jazn-realm>
    <policy-store>
      <applications>
        <application>
          <name> myapp </name>
          <app-roles>
            <app-role>
              <name>mob_mobile_support</name>
              <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              <display-name>mob_mobile_support</display-name>
              <description>support role</description>
              <members>
                <member>
                  <name>mobile</name>
                  <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                </member>
              </members>
            </app-role>
          </app-roles>
          <jazn-policy>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>SUPPORT</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.*</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
            <grant>
              <grantee>
                <principals>
                  <principal>
                    <name>mob_mobile_support</name>
                    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  </principal>
                </principals>
              </grantee>
              <permissions>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.addapplicationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addappmsgtypPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>Pages.addoperationPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.homePagePageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name> myapp.view.pageDefs.loggingSearchPageDef</name>
                  <actions>view</actions>
                </permission>
                <permission>
                  <class>oracle.adf.share.security.authorization.RegionPermission</class>
                  <name>myapp.view.pageDefs.workHistoryPageDef</name>
                  <actions>view</actions>
                </permission>
              </permissions>
            </grant>
          </jazn-policy>
        </application>
      </applications>
    </policy-store>
  </jazn-data>

  Read Frank's article http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
  Then you have to check if the user use use to login are defined in the stand alone server. If you server is running in production mode there is no automatic user or role migration. You have to to this by yourself.
  Once you have check that the users are present, you have to check if the enterprise roles are mapped to the corresponding application roles.
  Timo

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App