ACS 5.x with either AD or RSA Authentication depending on user

I am trying to implement RSA two-factor authentication for our company for access to secure resources.
Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
I tried creating a rules-based selection for the Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring RSA to treat user rejects as user not found.  This broke VPN completely.
From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
Anyone know how to accomplish this?
I am running 5.4 with the latest patches.
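Added example, not from the thread above: a small model of the ordered identity-store sequence the question describes (RSA first, AD second), with the "user not found" / "authentication failed" actions and the "treat rejects as user not found" knob as explicit parameters, so the outcome for a token holder, a plain AD user and a token holder who submits only an AD password can be checked. Store names, users and credentials are constructed; the outcome names are this model's, not ACS API values.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASSED = "passed"
    NOT_FOUND = "user not found"
    FAILED = "authentication failed"


@dataclass
class Store:
    """One identity store. `users` maps username -> the credential that store accepts
    (constructed sample data; a real store verifies a passcode or password)."""
    name: str
    users: dict
    reject_as_not_found: bool = False  # the "treat rejects as user not found" knob

    def authenticate(self, user: str, cred: str) -> Result:
        if user not in self.users:
            return Result.NOT_FOUND
        if self.users[user] == cred:
            return Result.PASSED
        return Result.NOT_FOUND if self.reject_as_not_found else Result.FAILED


@dataclass
class Sequence:
    """Ordered stores plus the policy's advanced options: what to do when a store
    reports 'user not found' or 'authentication failed' (continue / reject / drop)."""
    stores: list
    on_not_found: str = "continue"
    on_failed: str = "reject"

    def authenticate(self, user: str, cred: str):
        """Return (outcome, store that decided, trail of per-store results)."""
        trail = []
        for store in self.stores:
            result = store.authenticate(user, cred)
            trail.append((store.name, result))
            if result is Result.PASSED:
                return "PASS", store.name, trail
            action = self.on_not_found if result is Result.NOT_FOUND else self.on_failed
            if action != "continue":
                return action.upper(), store.name, trail
        return "REJECT", None, trail  # every store exhausted without a pass


def single_factor_fallbacks(seq: Sequence, token_store: Store, password_store: Store) -> list:
    """Defender's check: users enrolled in the token store who could still pass with
    only their password, because a token reject is turned into 'not found' and the
    sequence then continues to the password store."""
    if not token_store.reject_as_not_found or seq.on_not_found != "continue":
        return []
    return sorted(u for u in token_store.users if u in password_store.users)


# Constructed sample data: the admins carry RSA tokens, everyone is in AD.
RSA = Store("RSA SecurID", {"admin1": "1234567890"}, reject_as_not_found=True)
AD = Store("AD1", {"admin1": "Winter2013!", "alice": "Summer2013!"})
POLICY = Sequence([RSA, AD], on_not_found="continue", on_failed="reject")

if __name__ == "__main__":
    for user, cred in [("admin1", "1234567890"), ("alice", "Summer2013!"),
                       ("admin1", "Winter2013!")]:
        outcome, store, trail = POLICY.authenticate(user, cred)
        print(f"{user:8} -> {outcome} via {store}  {[(s, r.value) for s, r in trail]}")
    print("token users who can pass on password alone:",
          single_factor_fallbacks(POLICY, RSA, AD))
```

The third case is the one to watch: with rejects mapped to "not found" and the sequence set to continue, a token holder who enters only the AD password still passes, which is exactly the two-factor guarantee the question wants to keep; setting the first store's not-found action to drop instead stops every user who is absent from that store.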

Hope you're well!
I am facing some access issues after completing the ACS (5.1) and AD (Windows 2003) integration; details are below.
Enable password for routers and switches is working fine if the identity source is "Internal Users". Unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:
1. Able to access the network device (Cisco switch) using the MS AD username and password via SSH/Telnet.
2. Enable password is not working (using the same user password configured in MS AD).
3. When I revert back and change the ACS identity source from "AD1" to "Internal Users", enable password is working fine.
Switch TACACS+ configuration:
aaa new-model
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local 
aaa authorization commands 15 ACS group tacacs+ local 
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa authorization console
aaa session-id common
tacacs-server host 10.X.Y.11
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key gacakey
line vty 0 4
 session-timeout 5 
 access-class 5 in
 exec-timeout 5 0
 login authentication ACS
 authorization commands 15 ACS
 authorization exec ACS
 accounting commands 15 ACS
 accounting exec ACS
 logging synchronous
This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
Regards,

Similar Messages


  • ACS 4.2 with multiple RSA secure ID token servers

    Hi all,
I have a question which I couldn't find an answer to so far.  Below is a very brief explanation of what I have and what I need to do.
    What I have:
    1- An ACS 4.2 server installed on win 2003 with RSA agent installed.
2- An RSA SecurID Token Authentication Manager 7.1
    The problem:
    Due to lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
    So far all the solution I have found and been told to do by RSA support have not enabled me to recover the lost password.
    What I want to do:
    I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2
    Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one
    My question:
This is a very busy production environment and users can't tolerate downtime at all.
I need to keep everything running. I need to know if it is possible to have 2 RSA data stores set up within ACS 4.2 or not?
And if so, will users migrated to the new RSA installation still be able to authenticate or not?
Can ACS send multiple authentication requests simultaneously or not? And what happens if a user is present in both instances of RSA, old and new?
    Thanks,
    Khash

I have this setup and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and set up your RSA server with the RADIUS shared secret. Check IP connectivity between both, and make sure that the RSA server is the first database to be queried. Here you are just using RADIUS to pass through the auth from the ACS to the RSA server.

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Best Way To Setup SGD With RSA Authentication

    At the moment, I've got RSA Authentication working with SGD 4.60-911. Now under my setup, I've manually created a user profile and assigned a couple of Terminal Server sessions to it and everything is working. I'm not sure if this is the best or, more importantly, the most efficient way to be setting up users for SGD use.
    Is it possible to still have RSA Authentication in place and also have the SGD users profile being accessible from AD/LDAP queries? What I'm thinking is that I could set up a SGD "dial-in" group within AD and assign the users to it, again within AD. I could then assign the applications to that group within SGD and hence filter this down to the individual users. This would stop me having to create a SGD user profile for every user we want to access SGD.
    Hope this makes sense.
    TIA.

    The thing to understand about what Arno suggests is that the SecurID profile is not used at all.
With third-party authentication, there are two stages: authentication (nothing to do with SGD) and search for an identity and profile (performed by SGD).
    Arno's posting tells you about the authentication set-up, and by the way, this is definitely the way to go because of the announcement here http://docs.sun.com/source/821-1928/z40000061616182.html
    The result of the authentication stage is a username, usually stored in the REMOTE_USER environment variable. All of this happens independently of SGD.
With the search stage, SGD looks at the value of REMOTE_USER and performs a search for the user identity and user profile.
    How SGD does this is configurable, see http://docs.sun.com/source/821-1926/z400007d1322324.html#z400007d1323983
    The basic choice is to use LDAP or not.
    If you don't use LDAP, then the user profile is either a user profile object you have created specifically for the user or the default Third-Party Profile (in System Objects).
    If you do use LDAP, the user profile is either a user profile object you have created specifically for the user, an LDAP Profile object you create to apply settings to a group of users, or the default LDAP Profile (in System Objects).
    Note: you can enable both methods at the same time.
    If possible, use LDAP for the search stage. It reduces the number of user profile objects you need to create (you might not have to create any) and it means you can assign applications to users dynamically by searching the LDAP directory (less admin).
    Hope this helps.

  • Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

    Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
    Has anyone seen this before and might know the answer? Any suggestions? Thanks!
I have set up an OAM authentication scheme that uses a custom plugin to use the RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in the Oracle Access Manager Integration Guide. Here's the problem:
Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
    More info:
    - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
    - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
    - I am not using SSL in any of this yet, it's all http://
- yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "Login can fail if the Login Attribute Contains an "@" Character" item in the Integration Guide Troubleshooting section
    - here's an example of the settings in rsa securid authentication scheme:
    action:/OracleAccessManager/securid-cgi/securid.pl
    form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
    creds:login password domain newpin newpin2
    passthrough:yes
    authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
    credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
    Environment:
    OAM 7.0.4.3
    RSA Ace Server 5.2
Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
    Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
    Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
    password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
    ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
    ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
    ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
    2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
    \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
    authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
    StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
    Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
    Only error seen in log produced by the RSA agent that sits on the Access server:
    [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
    [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
    [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
    [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
    [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
    [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

    What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
    Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
    -Vinod

  • ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

    Hi All
    Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
Our server staff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
I've read several posts now regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
    Thanks
    pato

    Hi Pato,
Just check out the link below, hope that helps.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
As per the link, support for Windows Server 2008 is applicable from ACS 4.2 Patch 4 onwards.
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H
