ACS in Multitenant environment
What's the best practice for deploying ACS in a multitenant environment? I see some people are using an open source version of TACACS+ for this purpose.
Any thoughts?
We have multiple entities within a state agency that we provide shared services for. I need guidance on how to provide AAA to the multiple ASA Contexts we've created for the tenants. Currently they are using local login credentials. I've been tasked with creating one universal context that will provide tenants with shared TACACS so we can monitor what command caused whatever mischief. We had a rev of ASA code recently that would crash the device when the tenants issued NAT commands. I need to know how others are deploying their ACS's in this sort of environment.
Similar Messages
-
Attendant Console in Multitenant Environment
Hi
Hopefully a quick question. A customer trades under multiple company names. They wish to have all four of the main DIDs coming to one receptionist, using Attendant Console. Apparently, they have been told by someone at Cisco that it is possible to have AC show them which company is being called, i.e. which DID was originally called (obviously then translated to a DN), so as to allow the receptionist to answer the phone with an appropriate greeting for each firm.
I know that ARC Console does this very nicely, but the last time I looked at Attendant Console all it showed on each line was the calling number, not the called number!
Can anyone shed any light on this?
Many thanks
Marc
Hi Aaron
Many thanks for your reply. Can I make sure I have this correct in my mind? With broadcast hunting, and with multiple pilot points and associated hunt groups enabled, and the operator/s user ID being a member of all of such, then when a call comes in to any of these pilot points, they will display the calling number and the pilot point from which the call came to and was passed from to the Attendant Console? Without broadcast hunting, it would not be possible to see the origination point of the inbound call?
Am I correct on the above.
Many thanks for your clarification in advance. I will rate the post after this, I promise!
Rgds
Marc -
IDS in multitenant environments
Where do I need IDS in a secure hosted multitenant environment - on the exterior firewall only, or also with port-mirroring on virtual switches to monitor inter-vm traffic on ESXI virtual switches? Or do I always need both?
This topic was discussed in this thread from last week:
(too bad we can't merge threads)
https://supportforums.cisco.com/thread/2092838?tstart=30
- Bob -
Database encryption in multitenant
Hi,
We need to implement database encryption TDE on certain columns for SAP in multitenant environment.
We have unique client id per customer.
How does the 'database' encryption work in an multi-tenant environment? What if one company want certain fields encrypted and other does not.
Regards,
Yes, BitLocker
http://technet.microsoft.com/en-us/library/ee832792(v=exchg.150).aspx
Windows BitLocker (volume encryption)
Windows BitLocker is a data protection feature in Windows Server 2008. BitLocker protects against data theft or exposure on computers that are lost or stolen, and it offers more secure data deletion when computers are decommissioned.
Supported: All Exchange database and log files. Windows failover clusters require Windows Server 2008 R2 or Windows Server 2008 R2 SP1 and the following hotfix:
You cannot enable BitLocker on a disk volume in Windows Server 2008 R2 if the computer is a failover cluster node. Exchange volumes with BitLocker enabled are not supported on Windows failover clusters running earlier versions of Windows.
For more information about Windows 7 BitLocker encryption, see
BitLocker Drive Encryption in Windows 7: Frequently Asked Questions.
Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied. -
Clustering/HA for Content Server
Hi.
Is it possible to run ACS in clustered environment (providing for all nodes a shared database and storage)? I'd like to prepare a HA solution for ACS and would like to know if I can have two tomcats on two nodes running simultaneously, or in hot stand-by cluster?
TIA,
R.
Yes, although you probably only want to do this for the fulfillment service. The operatorURL that you use (configure, get a cert for, etc...) must be the public URL - the one for the load balancer - and not the individual node URLs.
-
How to set MinGALSearchLength on Exchange Online
I read that I can set
MinGALSearchLength in web.config at
\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Sync\ .
But how can I set this parameter in the case of Exchange Online?
I doubt you will really be surprised if you hear the answer: you can't. Any setting that is controlled at the server level is not configurable with EO, as it would affect other customers as well. One of the benefits of using a multitenant environment :)
-
Does anybody have experience setting up PEAP with ACS in a Windows environment? I really got a headache.
I used CA services in Windows to issue 2 certificates, one to a user account and one to a computer (XP with SP2). Then I issued a certificate to ACS. I also installed the CA root on ACS. I think I did everything following the Cisco document. However, I got "EAP-TLS or PEAP authentication failed during SSL handshake"
in the Failed Attempts log and
"PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate unknown)" in the CSAuth logs.
Have worked on this issue for 2 weeks but no clue at all. Please help me out.
I don't think MIM is possible. Even if you do not check "validate server certificate", in PEAP the supplicant still uses the certificate offered by the server to create an SSL tunnel.
Validating the server certificate is just additional security, where you ensure that you are connecting to the correct RADIUS server if you have many in your network...
Regards,
Prem -
Implementing TDE on a PDB while cloning.
Hi,
My requirement is to clone a PDB and implement the TDE on the target PDB.
I am trying to find a way to enable TDE during the cloning of PDB.
After browsing through Oracle docs, I am not able to find anything regarding that.
I want to know if anybody has tried doing the same or is it possible?
Also if it is not possible then is there any way where we can encrypt existing tablespaces data?
Looking forward to suggestions,
Anshaj
My requirement is to clone a PDB and implement the TDE on the target PDB.
I am trying to find a way to enable TDE during the cloning of PDB.
After browsing through Oracle docs, I am not able to find anything regarding that.
I want to know if anybody has tried doing the same or is it possible?
Also if it is not possible then is there any way where we can encrypt existing tablespaces data?
No - that is NOT possible.
You will need to clone the PDB and then implement TDE.
Also, for multitenant the keystore needs to be created on the root, not the PDB.
If all you want to do is encrypt existing data then you need to MOVE the data. You can move the data to an encrypted tablespace if you want all tables/columns encrypted. But no matter how you do it the data needs to be moved.
See the Oracle doc for TDE in a multitenant environment
http://docs.oracle.com/database/121/ASOAG/asotrans_other.htm#CHDBBCDF
How Transparent Data Encryption Works in a Multitenant Environment
In a multitenant environment, the Transparent Data Encryption operations that you perform will depend on whether you are in the root or a PDB.
Topics:
About Using Transparent Data Encryption in a Multitenant Environment
Operations That Must Be Performed in Root
Operations That Can Be Performed in Root or in a PDB
Exporting and Importing TDE Master Encryption Keys for a PDB
Unplugging and Plugging a PDB with Encrypted Data in a CDB
Opening and Closing a Keystore in a Multitenant Environment
Finding the Keystore Status for All of the PDBs in a Multitenant Environment -
Compliance and Storage Network Isolation
I have two tenants in a multitenant environment that access the same iSCSI array. The iSCSI array has a limitation in that it can only use one IP address on one vLAN. The result of this is that using this array means sharing a vLAN between two tenants, even though it is a non-routed vLAN dedicated to iSCSI. (ESXi vmkernel adapters from HA clusters in both tenants connect to the same iSCSI array.) Tenant A has no special compliance requirements, but Tenant B does. The LUNs in the storage array are mapped only to the appropriate IPs for the appropriate ESXi servers in the respective environments to access. But will sharing this vLAN among iSCSI vmkernel ports in both tenants mean that Tenant B will be non-compliant with respect to a standard such as HIPAA? The vmkernel ports would be in the same broadcast domain.
It matters if the traffic is routed or not. "Routing" traffic and "switching" traffic are two different things and the "bandwidth" rating on "routing" traffic versus "switching" traffic is considerably lower. More takes place when a "packet" is routed than when it just uses layer 2 traffic. This must be taken into consideration when planning traffic between your VM servers and their respective storage, VMs, etc. Personally, I would never have that traffic "routed". Never. Do it if you like. I wouldn't recommend it. Any time you "hop" to a target... you introduce latency. Maybe your network fabric can handle it now... But what will happen when you start adding to your environment?
Remember the maximum throughput on a 1 GB connection is 125mbs. Even creating a 2 member bond just gives you 250/mbs. Throw a "hop" in the mix....... I just don't like the numbers. Especially if you're going to run several VM guests on one server.
I feel your pain. Oracle VM can be a complicated product to use if you don't understand its full functionality. If you don't have your system in production.... then change it. Go through the headache now. Oracle VM works very well when it is setup properly. Very well. I just implemented a RAC environment running Oracle's ERP systems for several hundred users. It works great. Haven't had one problem since the migration. Performance is spectacular... -
Separating AD domains in multitenant environments
I'm in a multitenant environment. Some tenants live together in a true cloud infrastructure, where resources are pooled together, and separation is enforced in the virtualization layer, not the physical layer (i.e. shared physical networking infrastructure). Due to tighter security restrictions, other tenants have a dedicated managed hosting platform with their own hardware at the physical layer (i.e., their own physical switches). Still other tenants have specialized custom-made arrangements to fit a security model half-way in between having totally separated resources and totally pooled resources. Everything is in one datacenter. (Everything is vCenter 5.1 or later so SSO is also used everywhere)
The question is, when is it appropriate to dedicate a separate AD domain to a tenant?
When should I group tenants with different AD domains in a single AD forest, and when should they have a separate forest?
Hello,
This depends on who the tenants are actually. If it is truly multi-tenant then your tenants will have their own AD services that will be completely separate. The only ones that will not be separate from yours are your authentication and authorization for their portal access. Tenants should never have access to SSO; they do not need it to access VMs. They should not have access to the hosts either.
Now, if they have their own hardware and control everything up and down the stack then they need a separate domain I would think so that auth does not overlap.
This really does depend on whom your tenants are and how separate things are now and the policy you are trying to enforce. Start there then choose how best to do things based on that.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast -
Author Service denied on service=shell
Hello,
In an ACS 3.3 environment, the shell (exec) service is enabled to check users' command authorization (outbound direction).
Normally commands are permitted or denied according to the users/groups config.
Sometimes... the service seems disabled and all authorizations fail...!
When it happens, the Failed Attempts log looks like the example below:
27/04/2010,10:11:35,Author failed,user1,Group1,10.1.50.21,,Command denied,service=shell cmd=http 66.xx.xx.xx,80 ----> Correct
27/04/2010,10:11:36,Author failed,user1,Group1,10.1.50.21,,Service denied,service=shell cmd=http 66.xx.xx.xx,80 ---> Wrong, "Cmd denied" as above
27/04/2010,10:12:10,Author failed,User2,Group2,10.1.50.22,,Service denied,service=shell cmd=https 213.xx.xx.xx,443 ---> Wrong, normally it's permit
27/04/2010,10:12:32,Author failed,User3,Group3,10.1.50.24,,Service denied,service=shell cmd=https 212.xx.xx.xx,443 ---> Wrong, normally it's permit
27/04/2010,10:12:32,Author failed,User4,Group4,10.1.50.26,,Service denied,service=shell cmd=https 212.xx.xx.xx,443 ---> Wrong, normally it's permit
To restore normal authorization checking, we restart the CSTacacs service; the TACACS service log is below:
TCS 27/04/2010 10:11:36 E 0155 4060 AAAClient1: user 'user1' using an invalid service: shell
TCS 27/04/2010 10:12:10 E 0155 4060 AAAClient1: user 'user2' using an invalid service: shell
TCS 27/04/2010 10:12:32 E 0155 4060 AAAClient1: user 'user3' using an invalid service: shell
TCS 27/04/2010 10:12:32 E 0155 4060 AAAClient1: user 'user4' using an invalid service: shell
TCS 27/04/2010 10:12:34 A 0651 2864 Server stop requested
TCS 27/04/2010 10:12:34 A 1256 0348 Release Host Cache
TCS 27/04/2010 10:12:34 A 1262 0348 Close Proxy Cache
TCS 27/04/2010 10:12:34 A 1285 0348 Calling CMFini()
TCS 27/04/2010 10:12:35 A 1287 0348 CMFini() Complete
TCS 27/04/2010 10:12:35 A 1301 0348 Closing Password Aging
TCS 27/04/2010 10:12:35 A 1314 0348 Closing Finished
TCS 27/04/2010 10:12:37 A 5020 0520 CSTacacs server starting ==============================
TCS 27/04/2010 10:12:37 A 5026 0520 Running as NT service.
TCS 27/04/2010 10:12:38 E 1051 0520 Doing Stats
TCS 27/04/2010 10:12:38 A 1092 0520 **** Registry Setup ****
TCS 27/04/2010 10:12:38 A 1119 0520 Single TCP connection operation enabled
TCS 27/04/2010 10:12:38 A 1129 0520 Base Proxy enabled.
TCS 27/04/2010 10:12:38 A 1196 0520 ************************
TCS 27/04/2010 10:12:38 E 1083 0520 TACACS+ server started
Any idea/suggestion about this problem? Is it a known "bug"?
Thanks a lot in advance!
Jan,
It seems you have command authorization configured in ACS. Make sure you have Shell (exec) checked on ACS ---> Group Setup.
Regards,
~JG
Do rate helpful posts -
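As an added example (not from the thread or from Cisco), the following PowerShell parses Failed Attempts lines in the format quoted above and tells routine per-command denials ("Command denied") apart from the burst of "Service denied" entries across several groups that the poster describes; the sample lines are constructed from the thread, with the "xx" octets kept as written.

```powershell
# Added example: detect the "Service denied" failure mode from ACS Failed Attempts lines.
# Sample lines are constructed from the thread above, not taken from a live system.
$sampleLog = @'
27/04/2010,10:11:35,Author failed,user1,Group1,10.1.50.21,,Command denied,service=shell cmd=http 66.xx.xx.xx,80
27/04/2010,10:11:36,Author failed,user1,Group1,10.1.50.21,,Service denied,service=shell cmd=http 66.xx.xx.xx,80
27/04/2010,10:12:10,Author failed,User2,Group2,10.1.50.22,,Service denied,service=shell cmd=https 213.xx.xx.xx,443
27/04/2010,10:12:32,Author failed,User3,Group3,10.1.50.24,,Service denied,service=shell cmd=https 212.xx.xx.xx,443
27/04/2010,10:12:32,Author failed,User4,Group4,10.1.50.26,,Service denied,service=shell cmd=https 212.xx.xx.xx,443
'@

function ConvertFrom-AcsFailedAttempt {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        # The trailing attribute field ("cmd=http 66.xx.xx.xx,80") contains its own comma,
        # so split into at most 9 parts and keep the remainder intact instead of using Import-Csv.
        $f = $Line -split ',', 9
        if ($f.Count -lt 9) { Write-Warning "Skipping unparseable line: $Line"; return }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$($f[0]) $($f[1])", 'dd/MM/yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Status  = $f[2]
            User    = $f[3]
            Group   = $f[4]
            NasIp   = $f[5]
            Message = $f[7]
            AvPairs = $f[8]
        }
    }
}

function Test-ServiceDeniedBurst {
    param(
        [Parameter(ValueFromPipeline = $true)]$Entry,
        [int]$WindowSeconds = 120,
        [int]$MinDistinctGroups = 2
    )
    # "Command denied" is policy working as intended. "Service denied" for users in several
    # different groups inside a short window means the shell service itself is being refused,
    # which is the condition the poster cleared by restarting CSTacacs.
    begin { $denied = @() }
    process { if ($Entry.Message -eq 'Service denied') { $denied += $Entry } }
    end {
        if ($denied.Count -eq 0) { return $false }
        $sorted      = @($denied | Sort-Object Time)
        $spanSeconds = ($sorted[-1].Time - $sorted[0].Time).TotalSeconds
        $groupCount  = @($sorted | ForEach-Object { $_.Group } | Sort-Object -Unique).Count
        return ($spanSeconds -le $WindowSeconds) -and ($groupCount -ge $MinDistinctGroups)
    }
}

$events = @($sampleLog -split "`r?`n" | ConvertFrom-AcsFailedAttempt)
$events | Group-Object Message | Select-Object Name, Count | Format-Table -AutoSize
if ($events | Test-ServiceDeniedBurst) {
    Write-Warning 'Service denied across several groups within 2 minutes: check that Shell (exec) is enabled in ACS Group Setup, as the reply above suggests, rather than chasing individual command rules.'
}
```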
Excuse me, can anybody help me?
Which is better: the ACS Server with VMware ESX or the Appliance, for a multitenant environment with IP overlapping?
I need to know if the ACS supports the AAA functions from equal IP segments (IP overlapping) in different places.... with different client networks.
We are implementing the ACS on a central site (our NOC), so each field engineer will be AAA'd from different sites, same IP networks and different places....
We need to implement support activities where our field engineers get access to a Cisco device on the client premises, but the point is that we have a field engineer force which gets access to each device in different places.
With this scenario we need to decide which is better: the appliance or the ACS Server with VMware ESX
ACS Server with VMware ESX
CSACS-5.1-VM-K9
CSACS-5-ADV-LIC
CSACS-5-LRG-LIC
CSACS-5-BASE-LIC
CON-CSSPS-5ADVLI
CON-CSSPS-5LRGLC
CON-CSSPS-51VMK
APPLIANCE
CSACS-1120-K9
CAB-AC
CSACS-5-BASE-LIC
CSACS-5.0-SW-K9
CON-OSP-CS1120K9
Just a quick question - have you looked at superwaba and wabajump? Superwaba is basically Java for pocket pc and palm, but wabajump allows you to compile to palm (not pocket pc). You can also use Eclipse for development in an applet - much quicker than deploying to device/virtual device. Small memory footprint as well.
Cheers
Andy Stratton
Thank you Andy. I'll try it. Have you tried to use Websphere Studio Device Developer?
I've tried version 5.5 but I found it not too comfortable.
I'd like to know personal experiences of the whole stack of components and tools involved in the development process. We're trying to design the best environment for it.
Kind Regards
J.L Perez -
ACS and CA in a wireless environment
When setting up a ACS server to work with a CA to authenticate wireless clients via machine authentication, does the CA need to be an Enterprise CA or can I do it with a standalone CA?
Note that for machine authentication, I need to push down group policies to the wireless machines on the Active Directory.
Machine authentication will only work with an Enterprise certificate, as auto-enrollment is mandatory for machine authentication to take place.
-
Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue
Hi everyone.
I'm setting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
I'm only testing the wired environment right now.
I plug a PC into a port, and I try to get access to a random internet page (for example www.cisco.com). It is automatically redirected to the authentication page. I type the username and password, but, when authentication passes, it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception ("continue to this webpage" option in IE) for that page in order to continue with the authentication and get access to the internet. I'm attaching the steps I have to perform:
I think it is related to a certificate, but I'm not quite sure which or where. I'd like to have some advice from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https that would be great.
Thanks a bunch for your help
Victor Alves
You need a certificate that your client will trust.
Easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors so that's automatically trusted.
You could issue the certificate yourself also, for free :
- Self-signed: the signing authority is the switch... That means you need all your PCs to trust all your switches. Manual operation...
- You create an enterprise CA and create a certificate for all your switches: you just need your clients to trust your enterprise CA, so that's still a manual task but a simpler one.
When laptops are integrated in a domain, it's usually easier to create your CA on Windows Server and push the certificates to the clients automatically -
Exchange 2010 Domain Name change in a multitenant (hosted) environment
Is there a way to change a domain name from one of our domains?
We have exchange 2010 SP1 in hosted mode so we have several domains we deliver to our customers.
However, now 1 of our customers would like to change their domain name.
For example abc.com should become 123.com
To make it even a little bit more complicated, in the first instance they want to add the 123.com domain so they receive emails on both domains. After a month they want to delete the old domain ( abc.com ) and keep on receiving emails on the new domain ( 123.com ).
Please keep in mind that the other domain that we also provide must not be affected.
Any help would be great as I am stuck on this one.
I simply don't know the correct PowerShell commands.
Hi Peter,
I read the email and as I was writing a reply I thought to myself, why not share it with the rest.
I am sure other people need this too, so I copy-paste it in here :-):
===================================
Hi Peter,
If this helps you out, the only thing I want back is for you to help 3 others and share this message so they help out other people as well. :-D peace
Unfortunately there is no way according to Microsoft ( as far as I am aware ) to make a domain change in the hosted edition and for this reason I had to figure it all out myself.
I am no scripter so I didn't build a tool for it, sorry.
I will send you all the information you need.
1- add the accepted domain: New-AcceptedDomain -Name NameOfOrg -Organization ForWhichDomainWillThisBeTheAcceptedDomain -DomainName NewDomain.Eu -DomainType Authoritative
2- to create an alias ( tenant admin )
Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -EmailAddresses @{add=$_.smtp1}}
The text file has to be in the following format:
alias,smtp1
firstalias,newemailaddress
secondalias,newemailaddress
etc.
3- Make the new alias the primarysmtpaddress ( main exchange admin ):
Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -primarysmtpaddress $_.smtp1 -emailaddresspolicyenabled $false}
The txt file should be in the following format:
alias,smtp1
domain\alias1,newemailaddress
domain\alias2,newemailaddress
etc.
4- Rename the alias ( tenant admin ):
Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -alias $_.smtp1}
The txt file should be in the following format:
alias,smtp1
alias1,newalias1
alias2,newalias2
etc.
5- Change UserPrincipalName (main exchange admin ). This is the username to sign in to OWA
Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -userprincipalname $_.smtp1}
The txt file should be in the following format:
alias,smtp1
domain\alias1,newemailaddress
domain\alias2,newemailaddress
etc.
6- Change displayname (tenant admin ):
Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -displayname $_.smtp1}
The txt file should be in the following format:
alias,smtp1
alias1,displayname
After a while you might want to remove the previous email address ( I waited 3 months for this! 1 month is way too short for people to communicate it, trust me.. ):
7- Import-CSV name-of-textfile.txt | foreach-object {Set-Mailbox $_.alias -EmailAddresses @{remove=$_.smtp1}}
The txt file should be in the following format:
alias,smtp1
alias1,OldEmailAddress1
alias2,OldEmailAddress2
Andre
Peace
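As an added example (not Andre's own script), this wraps steps 2, 3 and 7 above in one function that validates every CSV row before any Set-Mailbox call and supports -WhatIf, so a typo in an address file shows up as a validation error rather than a changed mailbox. It assumes the Exchange Management Shell cmdlets used in the post; the CSV path and domain in the usage line are constructed.

```powershell
# Added example: run the CSV-driven address steps from the post with validation and a dry-run option.
# Requires the Exchange Management Shell (Set-Mailbox). CSV format as in the post: alias,smtp1
function Invoke-TenantDomainChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$NewDomain,
        [Parameter(Mandatory = $true)]
        [ValidateSet('AddAddress', 'SetPrimary', 'RemoveAddress')]
        [string]$Step
    )
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
    $columns = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
    foreach ($col in 'alias', 'smtp1') {
        if ($columns -notcontains $col) { throw "CSV is missing the '$col' column" }
    }

    # Validate every row first so a single bad line does not leave the tenant half-migrated.
    $problems = @()
    $seen = @{}
    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.alias)) { $problems += "empty alias (smtp1=$($r.smtp1))" }
        if ($seen.ContainsKey($r.alias)) { $problems += "duplicate alias '$($r.alias)'" }
        $seen[$r.alias] = $true
        $addr = $null
        try { $addr = [System.Net.Mail.MailAddress]$r.smtp1 } catch { $problems += "invalid address '$($r.smtp1)'" }
        if ($addr) {
            # AddAddress/SetPrimary must point at the new domain; RemoveAddress must never touch it,
            # so the cleanup step (7) cannot strip the address that step 3 made primary.
            $inNewDomain = $addr.Host -ieq $NewDomain
            if ($Step -ne 'RemoveAddress' -and -not $inNewDomain) { $problems += "'$($r.smtp1)' is not in $NewDomain" }
            if ($Step -eq 'RemoveAddress' -and $inNewDomain) { $problems += "refusing to remove new-domain address '$($r.smtp1)'" }
        }
    }
    if ($problems.Count -gt 0) { throw ("CSV validation failed:`n" + ($problems -join "`n")) }

    foreach ($r in $rows) {
        if ($PSCmdlet.ShouldProcess($r.alias, "$Step $($r.smtp1)")) {
            switch ($Step) {
                'AddAddress'    { Set-Mailbox $r.alias -EmailAddresses @{add = $r.smtp1} }
                'SetPrimary'    { Set-Mailbox $r.alias -PrimarySmtpAddress $r.smtp1 -EmailAddressPolicyEnabled $false }
                'RemoveAddress' { Set-Mailbox $r.alias -EmailAddresses @{remove = $r.smtp1} }
            }
        }
    }
}

# Dry run first (constructed path and domain), then repeat without -WhatIf to apply.
Invoke-TenantDomainChange -CsvPath .\new-addresses.csv -NewDomain '123.com' -Step AddAddress -WhatIf
```

Steps 3 and 5 in the post run as the main Exchange admin while the others run as the tenant admin, so run the function from the matching session for each step.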