ACS issue - External unknown user policy database

Hi all,
Is there any way I can get information back from an external user database into ACS?
I have 2 SSIDs, both on separate IP address ranges. I have an external unknown user policy to pass usernames and passwords to. In the database there are flags which distinguish between two different types of users. Can I pass this 'flag' back to ACS somehow? When a user tries to log on to one SSID I want ACS to somehow check this flag and decide if that user can access that SSID.
Any ideas?

What is your external database?

Similar Messages

  • 802.1x auth via ACS through unknown user policy - multiple directories?

    A customer has an LDAP directory as well as a Novell NDS directory.
    MAC clients authenticate to IPlanet LDAP.
    Windows users authenticate to Novell NDS.
    Is there any way to use multiple SSIDs and the unknown user policy to authenticate users against their appropriate directories?
    Thanks,
    Tim

    Actually, you can. You can manually add users to the ACS database and specify which external database to use. Take a look at the URL below. It is on adding users to the ACS database using the CSUtil.exe program on the ACS server. The import file that is read allows you to specify which external database type to query for the users authentication.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/ae.htm#wp365101
    Steve

  • EAP-TLS & Unknown User Policy

    I am setting up a WLC with the client using EAP-TLS (machine authentication only). We are using ACS 3.2, which is part of AD. The problem is that the ACS is also being used to authorize users for Internet access.
    So if I enable the Unknown User Policy to AD for EAP-TLS machine authentication, this will break what is being done for Internet access.
    Any ideas that don't include entering every machine and user name in the local database? I was wondering if I could set up a wildcard user of host/* that points to AD.
    Is there a way to make this work without configuring the Unknown User Policy to point to AD?
    Thank you!

    Log onto the ACS server itself as the local administrator.
    Browse to the Bin directory in the ACS program directory.
    Run the program there called CSSupport.
    Select "Run Wizard" and click Next.
    Check all the boxes, create the file for the last 3 days and click Next.
    Again click Next.
    Select "Set Diagnostic Log Verbosity to Maximum." and click Next.
    Click Next, then click Finish.
    In an environment where there is more than one global catalog server for the domain, ACS will not search for the "secondary" catalog server if the "primary" goes down.
    Condition: ACS is installed on a domain member server.
    Workaround: Re-start csauth.exe. Let me know if restarting CSAuth makes any difference.

  • Issue with "unknown user type 6" on Coherence 3.5.2

    Having an issue with a cluster which is running using an internally developed cluster starter tool. This tool, and the associated cluster, all use POF, and upon attempting to connect a non-storing member to the cluster from java, the following exception is raised...
    2011-07-11 15:54:58.338/2.469 Oracle Coherence GE 3.5.2/463p2 <Error> (thread=Cluster, member=n/a): This cluster node is configured to use serializer com.tangosol.io.pof.ConfigurablePofContext {location=application-pof-config.xml}, which appears to be different from the serializer used by Member(Id=1, Timestamp=2011-07-11 15:34:30.779, Address=10.74.82.193:8088, MachineId=11188, Location=site:INTRANET.BARCAPINT.COM,machine:ldnpsm020006423,process:80976,member:ldnpsm020006423:cacheserver:1).
    java.io.StreamCorruptedException: unknown user type: 6
    at com.tangosol.io.pof.PofBufferReader.readAsObject(PofBufferReader.java:3289)
    at com.tangosol.io.pof.PofBufferReader.readObject(PofBufferReader.java:2600)
    at com.tangosol.io.pof.ConfigurablePofContext.deserialize(ConfigurablePofContext.java:348)
    at com.tangosol.coherence.component.util.daemon.queueProcessor.Service.readObject(Service.CDB:4)
    at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Grid$ServiceConfigMap.readObject(Grid.CDB:1)
    at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Grid$MemberConfigResponse.read(Grid.CDB:13)
    at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Grid.onNotify(Grid.CDB:123)
    at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.ClusterService.onNotify(ClusterService.CDB:3)
    at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
    at java.lang.Thread.run(Thread.java:619)
    There is no serialiser configured in the cache config, instead we just set tangosol.pof.enabled=true, and set the pof config file to what is seen above. The thing which is very confusing about this error is that unlike other clients which we connect, and in fact the servers they connect to, this client never attempts to load the cache configuration file. The point at which this should happen, prior to pof loading, shows:
    2011-07-11 15:54:57.260/1.391 Oracle Coherence GE 3.5.2/463p2 <Info> (thread=Main Thread, member=n/a): Loaded cache configuration from "jar:file:/C:/Program%20Files/Oracle/coherence/3.5.2b463P2/lib/coherence.jar!/reports/report-group.xml"
    I have tried every combination of classpath entries I can think of, and no matter what, it never shows an attempt to load the application-cache-config.xml supplied in the startup. Does anyone have any experience with something like this?

    I guess your non-storing Java code does not specify -Dtangosol.pof.enabled=true and -Dtangosol.pof.config=<POF file location> on joining the cluster. Post the startup java command and the complete logs.
    If application-cache-config is not loaded then coherence-cache-config.xml should be loaded by default; set -Dtangosol.coherence.cacheconfig=<application-cache-config>.
    Cheers,
    NJ

  • TACACS "fail unknown users" after upgrade to ACS 3.3

    Basic config issue is :
    1) User Account is added to ACS 3.3
    2) User Account is added to Group with correct Privilege Levels
    3) User Password Authentication: is listed as "Windows Database"
    4) TACACS+ Enable Control: is set to user group settings
    5) And TACACS+ Enable is also set to "Windows Database"
    In External DB all windows Domains are listed (but not down to specific group mapping)
    Here is the problem: everything works fine.
    Users can log onto the router in User mode (using the domain password) and change to EN mode (using the domain password).
    As long as the "Unknown user policy" is set to check against "Windows", this works.
    But if it is set to "fail Unknown users" then no one can gain access.

    Hi Michael,
    We opened a TAC case and were given the following info:
    CSCef84196
    First Found-in Version 3.3(1)
    Symptom:
    users created on ACS but mapped to external DB manually fail authentication
    Condition:
    - this happens when unknown user policy is set to fail authentication attempt.
    Workaround:
    - set unknown user policy to check external database.
    If dynamic users aren't desired to authenticate, you can map the external DB to a disabled group
    and put the manually mapped users in an enabled group.
    There is no fix available yet!
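    The question at the top of this page (using a flag held in the external database to decide which SSID a user may join) and the CSCef84196 workaround in the reply above (map dynamically discovered users to a disabled group, keep the manually mapped users in an enabled group) describe the same decision path. The Python below is an added illustration of that path; it is not ACS code and was not posted by anyone in these threads. It uses an in-memory SQLite table as a stand-in for the external user store, PBKDF2 as a stand-in password hash, and every user name, password, flag, group and SSID name is constructed.

```python
"""Added illustration (not ACS code, not from any post on this page): an
authorization path where an external user store returns a per-user flag,
the flag picks a group, and the group decides which SSIDs are allowed.
Also models the "unknown user policy" and the CSCef84196 workaround:
dynamically discovered users land in a disabled group.
Every user, password, flag, group and SSID name here is constructed."""
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real external store uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_external_db() -> sqlite3.Connection:
    """Constructed stand-in for the poster's external user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "salt BLOB, pw_hash BLOB, flag TEXT)")
    for name, pw, flag in [("alice", "alice-pass", "staff"),
                           ("bob", "bob-pass", "contractor"),
                           ("carol", "carol-pass", "staff")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, _hash(pw, salt), flag))
    db.commit()
    return db


def external_authenticate(db, username, password):
    """Return the user's flag when the password matches, else None."""
    row = db.execute("SELECT salt, pw_hash, flag FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    salt, stored, flag = row
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    return flag


# Constructed local AAA configuration.
FLAG_TO_GROUP = {"staff": "staff", "contractor": "contractor"}
GROUPS = {
    "staff":            {"enabled": True,  "ssids": {"CORP", "GUEST"}},
    "contractor":       {"enabled": True,  "ssids": {"GUEST"}},
    # Unknown users discovered via the external DB are mapped here; the group
    # is disabled, so discovery never turns into network access.
    "dynamic-disabled": {"enabled": False, "ssids": set()},
}
# Users defined locally, with the password check delegated to the external DB.
LOCAL_USERS = {"alice", "bob"}


def authorize(db, username, password, ssid, unknown_user_policy="fail"):
    """Return (accepted, reason) for one logon attempt on one SSID."""
    if username in LOCAL_USERS:
        flag = external_authenticate(db, username, password)
        if flag is None:
            return False, "bad credentials"
        group = FLAG_TO_GROUP.get(flag)
        if group is None:
            return False, f"no group mapped for flag {flag!r}"
    elif unknown_user_policy == "check_external":
        flag = external_authenticate(db, username, password)
        if flag is None:
            return False, "unknown user rejected by external database"
        group = "dynamic-disabled"
    else:
        return False, "unknown user (policy = fail)"
    g = GROUPS[group]
    if not g["enabled"]:
        return False, f"group {group} is disabled"
    if ssid not in g["ssids"]:
        return False, f"flag {flag!r} not allowed on SSID {ssid}"
    return True, f"group {group}"


if __name__ == "__main__":
    db = build_external_db()
    for user, pw, ssid, policy in [("alice", "alice-pass", "CORP", "fail"),
                                   ("bob", "bob-pass", "CORP", "fail"),
                                   ("carol", "carol-pass", "GUEST", "fail"),
                                   ("carol", "carol-pass", "GUEST", "check_external")]:
        print(user, ssid, policy, "->", authorize(db, user, pw, ssid, policy))
```

    With the policy left at "fail", carol (present only in the external store) is rejected before any lookup; with "check_external" she authenticates but lands in the disabled group, which is the effect the workaround above is after. Bob's flag lets him onto GUEST but not CORP, which is the per-SSID decision the original question wanted the flag to drive.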

  • Proxy login from externally authenticated user

    Hi Experts,
    I created an externally authenticated user in database. And can login without password with below syntax.
    SQL> connect / @TESTDB
    Connected.
    SQL> show user;
    USER is "SCOTT"
    This scott user has a proxy permission to another DBuser PROXY_USER.
    I got the syntax but that works only from Database OS.
    sqlplus [proxy_user]/
    SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
    Copyright (c) 1982, 2010, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
    SQL> connect / @TESTDB
    Connected.
    But the above mentioned Proxy connectivity syntax fails with below from CLIENT
    SQL> connect [proxy_user]/ @TESTDB
    SP2-0306: Invalid option.
    Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
    where <logon> ::= <username>[<password>][@<connect_identifier>] | /
    But the same syntax works from Database OS!
    I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
    My sqldeveloper version is:
    Version 2.1.1.64
    Build MAIN-64.45
    and sqlplus is:
    SQL*Plus: Release 10.2.0.1.0
    Any idea?
    Thanks.
    Edited by: Nadvi on Nov 18, 2010 3:09 PM

    Hi Nadvi
    If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
    I am not sure what is the issue with your setup the proxy usecases I am familiar with are:
    Through the SQLDeveloper ui
    There are two ways of doing proxy logins:
    where p1 is proxy user and c1 is proxy client:
    1/single session method (if no 2nd password or distinguished name required)
    on main connection popup
    user: p1[c1]
    password: p1
    2/Two session method
    Main Connection popup
    user: p1
    password p1
    popup connection authentication
    proxy client: c1
    none or password or distinguished name
    -Turloch
    SQLDeveloper Team

  • Best Practises with ACS Replication & external databases

    I am looking for a best practise with the following scenario:
    2 ACS Servers in 2 separate locations, each providing mutual backup to each other - i.e. all devices/users in Site X point to local ACS Server X 1st and remote ACS Server Y 2nd. In Site Y the devices/users point to the local ACS Server Y 1st and remote ACS Server X 2nd. This works fine; currently Server X replicates the Database to Server Y.
    In the future we will be implementing a remote LDAP database and will forward unknown users to this database for authentication. As I understand it if an unknown user exists on the LDAP database then the ACS Server will create a local account (depending the mapping policy etc) and point the password at the remote LDAP server. If we replicate from Server X to Server Y, but Server Y has created an account for an unknown user will this get deleted on replication? Is there a best practise to handle this scenario?
    Andy

    I could not find a best practices document as such but a lot of ground is covered in the document 'CiscoSecure Database Replication' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp755988.

  • ACS and Windows 2000 user database communication port

    Can my Windows 2000 SP4 + ACS v3.23 server install any new Windows 2000 service pack?
    I'm afraid of infecting the ACS service.
    So, I want to install a firewall on this server to block malicious traffic.
    However, my ACS uses an external Windows 2000 user database for authentication.
    Can anyone tell me what protocols or ports they use to communicate?
    I have to allow this traffic through my firewall.

    Hi cheng
    I think you can install any service pack without problem, and SP4 is the latest one for Win2000 and your server already has this SP.
    For your second question you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to enable debug or logging, or use a sniffer, to know the exact protocol flow between your ACS and AD server.
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards
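    The reply above recommends capturing the ACS-to-AD traffic before writing firewall rules rather than guessing. As an added example (not part of the thread), the Python below takes a constructed summary of such a capture and reduces it to an allow-list limited to the ACS/domain-controller pair, collapsing high TCP ports into the dynamic RPC range. The addresses are documentation placeholders and the flow records are constructed; the port comments are the usual service assignments, not something observed on this page.

```python
"""Added illustration (not from the thread): reduce a capture summary of the
ACS-to-domain-controller traffic to a minimal host-firewall allow-list.
The flow records and the IP addresses are constructed placeholders."""
from collections import Counter
import ipaddress

ACS_SERVER = ipaddress.ip_address("192.0.2.10")   # placeholder ACS host
DOMAIN_CTRL = ipaddress.ip_address("192.0.2.20")  # placeholder domain controller

# Constructed capture summary, one tuple per observed flow, in the
# client-to-server direction: (src, dst, proto, dst_port).
FLOWS = [
    ("192.0.2.10", "192.0.2.20", "udp", 53),      # DNS
    ("192.0.2.10", "192.0.2.20", "udp", 88),      # Kerberos
    ("192.0.2.10", "192.0.2.20", "tcp", 135),     # RPC endpoint mapper
    ("192.0.2.10", "192.0.2.20", "tcp", 389),     # LDAP
    ("192.0.2.10", "192.0.2.20", "tcp", 445),     # SMB
    ("192.0.2.10", "192.0.2.20", "tcp", 445),
    ("192.0.2.10", "192.0.2.20", "tcp", 1042),    # dynamically assigned RPC port
    ("198.51.100.7", "192.0.2.10", "tcp", 445),   # unrelated host: must not be allowed
]


def summarize(flows, src, dst):
    """Count (proto, dst_port) pairs seen between exactly src and dst."""
    counts = Counter()
    for s, d, proto, port in flows:
        if ipaddress.ip_address(s) == src and ipaddress.ip_address(d) == dst:
            counts[(proto, port)] += 1
    return counts


def allow_rules(flows, src, dst, dynamic_rpc=(1024, 65535)):
    """Build allow rules for src->dst only. High TCP ports collapse into the
    dynamic RPC range: 1024-65535 is the Windows 2000/2003 default,
    Vista/2008 and later use 49152-65535."""
    agg = Counter()
    for (proto, port), n in summarize(flows, src, dst).items():
        if proto == "tcp" and dynamic_rpc[0] <= port <= dynamic_rpc[1]:
            spec = f"{dynamic_rpc[0]}-{dynamic_rpc[1]}"
        else:
            spec = str(port)
        agg[(proto, spec)] += n
    return [f"allow {proto} from {src} to {dst} dport {spec}  # observed {n} flow(s)"
            for (proto, spec), n in sorted(agg.items())]


if __name__ == "__main__":
    for rule in allow_rules(FLOWS, ACS_SERVER, DOMAIN_CTRL):
        print(rule)
    print("deny ip any any  # everything not listed above")
```

    Anything not between the two hosts (the 198.51.100.7 flow) drops out of the list, so the rules only ever widen to what the ACS server actually exchanged with its domain controller during the capture window.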

  • Disk Utility & Repair Disk Permissions & Unknown User on External Seagate

    I have a new iMac running Leopard and don't do stupid things to my mac. I have a couple external Seagate Freeagent drives but 1 of them is giving me a little trouble. So I figure, I'll try to repair disk permissions on it but the problem is when I go into Disk Utility, the Repair Disk Permissions option is NOT available. It's there, I just can't select it; it's grayed out. Why? I'm an admin! The other externals have this option available but not this one, so I'm not really sure what to do. I've about 300gb of family movies on it that I'd rather not wipe out just to be able to do a disk permission repair.
    Whenever I do a command+i on the drive I do see an UNKNOWN user but this article, http://www.pcworld.com/article/145425-1/quickand_easy_folder_sharing_in105.html, leads me to believe that Apple hasn't done jack squat to allow us to fix the problem.
    Thoughts? Suggestions? Thanks in advance!

    mrpeepers wrote:
    I don't think that statement is true.
    I have 3 externals and can repair disk permissions on all but 2. All my externals are for storage purposes and none have OSX installed, so the fact that I can repair disk permissions on them sort of contradicts what you say; however, the effectiveness of running a repair disk permission on a drive that doesn't have OSX may be nothing.
    I don't know how you manage to repair permissions on externals without system files on them but what I said is quite true. Repair permissions ONLY checks permissions of system files against the database of correct permissions. It wouldn't know what to do with any other files and never touches them. It should also not be possible on non OS X drives. I've never seen it enabled on any of my external or secondary drives. I really wonder why and how it was enabled on your external drives.
    I did have Tiger installed for 3 months before I got Leopard, but my externals have known nothing but Leopard.
    That doesn't matter. The ownership of files on your external was set in Tiger and it remains in Leopard. That's what causes the "unknown" user to show up.
    The problem I'm having with one of the drives is that starting yesterday it's having difficulties mounting. Sometimes I restart the computer and the drive doesn't show. So in order to get it to show, I have to power down the external (which is and appears to be running) and then power it back up, and if that doesn't work, usually reseating the USB works.
    Then again... My problems started happening after I installed CandyBar and applied some folder changes. I have since dumped it.
    whatever problems you have with that external they have absolutely nothing to do with Candy bar. all candy bar does is change a few icon files on your main hard drive. that can have no effect on mountability of anything.
    This sounds to me like a hardware problem with your external. the drive could be failing. the USB bus could be failing either on the drive or on the computer. One thing you could do is check to see if there are any firmware upgrades for that drive. Look at the manufacturer's website. also try testing the drive with another computer if you can.
    On another note... Anyone use CandyBar and NOT have any problems or really like it? Maybe it was just a coincidence.
    yes, I use it and REALLY like it. no problems whatsoever.

  • IPad2 Safari or iCloud Privacy Issue, unknown user's history appears

    After turning the new iCloud on, my iPad2's Safari shows browsing "history" of unknown user. Just today, in the morning I cleared my history and cache before I left home. When I returned home this evening and opened Safari, it started with google image page showing offensive images. I checked history and it showed dozen google images search links. The content include baby poops, touching elephants, and injured nipples and so forth that are very obscene.
    I am suspecting this to be iCloud bug. APPLE! Please look into this as I do not want my little child to accidentally hit Safari and see these unacceptable photographs!!!! This is very serious privacy violation matter!

    We were all out all day today, and this is what happened first thing after we came home. I am aware that Apple is not going to necessarily see this, and the point is everyone should know this potential issue. Besides, there are other better ways to spread the words like Twitter, FB, etc. The fact that someone already saw the posting within a few minutes is amazing.

  • Unknown User/Incorrect Password when trying to access external drive

    I just set up my AirPort Extreme base station, plugged in a USB hub with two printers, and all worked excellently. Then I hooked up an external hard drive, again no problems at all. I was able to access the hard drive on my MacBook Pro with the password I set up and everything was great. When I try to access the hard drive on my Windows computer, I keep getting a message saying "unknown user, incorrect password, contact administrator". I am using the same password I used on my MacBook. The drive was formatted in FAT32 and works on my MacBook and on my Windows PC when connected directly via USB. The only problem seems to be when I try to access the drive on the Windows PC. The drive shows up no problem and the dialogue box opens and asks for the password, but then I keep getting that error message. I contacted Apple tech support and they pretty much told me they have nothing to do with Windows, even though the product can be run entirely on Windows machines with no Macs at all. Has anyone else had any problems like this, or have any clue what I might be able to do?
    Thanks

    Will Windows recognize a drive formatted in Mac OS Extended? I had originally tried that, and my Windows PC wouldn't even recognize it.
    Well, XP/Vista will not play nice with it unless you buy and install a Windows shareware/boxware program called MacDrive. This way you can make that PC read/write a Mac OS X Extended formatted drive. Bonus is you can use that drive for a central iTunes Library that both machines can use.
    Rev A. Dual 1.8 G5   Mac OS X (10.4.9)  

  • *** ERROR = Connect to database failed, rc = -4008 (POS(1) Unknown user na

    Hello
    I have just finished a dbcopy of MaxDB 7.6 to a new system with initialization. I can bring the DB online. I have run the xuser command to fix the DB users with the commands below, as per note 39439.
    I changed them in the home dir of sidadm, sqdsid:
    xuser -U DEFAULT -u SAP<SID>,<password> -d <database_name> -n <database_server> -S SAPR3 -t 0 -I 0 set
    c) DBM user: for example, CONTROL.
    xuser -U c -u CONTROL,<password> -d <database_name> -n <database_server> -S INTERNAL set
    d) SYSDBA user: for example, SUPERDBA.
    xuser -U w -u SUPERDBA,<password> -d <database_name> -n <database_server> -S INTERNAL set
    But I am having the below error now when trying to bring the SAP system up, in dev_w0:
    C  Try to connect (DEFAULT) onconnection 0 ...
    C
    C Mon Dec 19 21:46:11 2011
    C  *** ERROR => Connect to database failed, rc = -4008 (POS(1) Unknown user name/password combination) [dbsdbsql.cpp 137]
    B  ***LOG BY2=> sql error -4008  performing CON [dbsh#3 @ 1208] [dbsh    1208 ]
    B  ***LOG BY0=> POS(1) Unknown user name/password combination [dbsh#3 @ 1208] [dbsh    1208 ]
    B  ***LOG BY2=> sql error -4008  performing CON [dblink#8 @ 433] [dblink  0433 ]
    B  ***LOG BY0=> POS(1) Unknown user name/password combination [dblink#8 @ 433] [dblink  0433 ]
    M  ***LOG R19=> ThInit, db_connect ( DB-Connect 000256) [thxxhead.c   1537]
    M  in_ThErrHandle: 1
    M  *** ERROR => ThInit: db_connect (step 1, th_errno 13, action 3, level 1) [thxxhead.c   10837]
    M
    Is there something that I missed somewhere?
    Any ideas welcome.

    erpsyscs1:cs1adm 46> xuser list
    XUSER Entry  1
    Key         :DEFAULT
    Username    :SAPCS1
    UsernameUCS2:S.A.P.C.S.1. . . . . . . . . . . . . . . . . . . . . . . . . . .
    Password    :?????????
    PasswordUCS2:?????????
    Dbname      :CS1
    Nodename    :erpsyscs1
    Sqlmode     :SAPR3
    Cachelimit  :-1
    Timeout    
    Isolation  
    Charset     :<unspecified>
    XUSER Entry  2
    Key         :c
    Username    :CONTROL
    UsernameUCS2:C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
    Password    :?????????
    PasswordUCS2:?????????
    Dbname      :CS1
    Nodename    :erpsyscs1
    Sqlmode     :INTERNAL
    Cachelimit  :-1
    Timeout     :-1
    Isolation   :-1
    Charset     :<unspecified>
    XUSER Entry  3
    Key         :c_J2EE
    Username    :CONTROL
    UsernameUCS2:C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
    Password    :?????????
    PasswordUCS2:?????????
    Dbname      :CS1
    Nodename    :erpsyscs1
    Sqlmode     :SAPR3
    Cachelimit  :-1
    Timeout    
    Isolation  
    Charset     :<unspecified>
    XUSER Entry  4
    Key         :w
    Username    :SUPERDBA
    UsernameUCS2:S.U.P.E.R.D.B.A. . . . . . . . . . . . . . . . . . . . . . . . .
    Password    :?????????
    PasswordUCS2:?????????
    Dbname      :CS1
    Nodename    :erpsyscs1
    Sqlmode     :INTERNAL
    Cachelimit  :-1
    Timeout     :-1
    Isolation   :-1
    Charset     :<unspecified>

  • Making database connection to externally identified user

    I am trying to make a database connection using an externally identified user.
    I have not succeeded so far.
    In Oracle Designer it is possible to just fill in /@SID in the username field.
    Does anybody know a workaround?
    regards,
    Timo Schijf

    Timo,
    This question is not related to JHeadstart. Can you please post the question on the JDeveloper forum?
    Thank you,
    Steven Davelaar,
    JHeadstart Team.

  • ACS Unknown User Discovery

    All,
    Can ACS send an event/snmp trap when it discovers unknown users?
    How will ACS administrators get notified when ACS discovers unknown users?
    Stephanie

    Hi Stephanie,
    Unfortunately there is no way to do this; ACS uses SNMP only for logging.
    ACS does not have this kind of alert. I would suggest contacting your account manager and opening a new feature request.
    Regards,

  • Unknown user name or bad password issue while creating AD accounts

    Hi All,
    While creating accounts on AD through IdM, I am getting the below error. Sometimes I don't see this error, while sometimes I do. What could be the actual reason?
    com.waveset.util.WavesetException: Error opening object 'LDAP://cn=ut9778ug,ou=Employee USA,ou=Users,ou=CorpHQ,dc=corpz,dc=utcz,dc=com': ADsOpenObject(): 0X8007052E: , , Logon failure: unknown user name or bad password.
    Please help me out.
    Thanks,

    Hi,
    I just faced the same problem while provisioning accounts on AD through the Sun Identity Manager Gateway. (I'm on Oracle Waveset 8 patch 6.)
    When I tested the configuration on the configuration page of my AD resource, everything was OK, but when I tried to create/update an account on AD, I had the same error. (When I forced a bad password, for example, the test configuration was in error, so I know that was OK.)
    I resolved the problem by using the IP address in "LDAP Server Name" instead of the URL or host name. I don't understand why, because 'ping' on the URL and the test configuration on the resource were OK.
    I hope it will be useful for you.
    Nicolas
