ACS Radius Question about Request Authenticator Field

Hi, I did a little bit of reading about Radius to understand it in more depth.
If I understand correctly, the Request-Authenticator-Field in the Radius-Request Packet is just a random number and has nothing to do with the configured shared secret on the AAA-Client.
That would mean that ACS does not check the shared secret in an incoming request.
So in the case of CHAP Authentication, the password in the request is not encrypted with the shared secret; ACS can successfully check the credentials from the request even though the shared secret between ACS and the AAA-Client does not match, and will send a Radius Accept packet.
The Response-Authenticator-Field in the Radius-Accept Packet is an MD5 over (Code+ID+Length+RequestAuth+Attributes+SharedSecret).
So if the shared secret does not match, the AAA-Client will recognize this and will not grant access.
Is that true so far?
I always thought that the shared secret must match, otherwise the ACS will not accept any Radius-Request?
Thx
hubert

Hi Nicholas,
pls see attached a packet capture of 6 Radius-Requests from an AAA-Client (small Radius-Test-SW) and the answers from ACS
1 PAP wrong key correct Password -> ACS logs failed auth
2 PAP correct key correct Password -> ACS logs success auth
3 CHAP wrong key correct Password -> ACS logs success auth
4 CHAP correct key correct Password -> ACS logs success auth
5 CHAP wrong key wrong Password -> ACS logs failed auth
6 CHAP correct key wrong Password -> ACS logs failed auth
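
The behaviour discussed in the two posts above, as an added example (not code from the thread or from ACS): a toy client and server that follow the RFC 2865 formulas for User-Password hiding, CHAP-Password and the Response Authenticator. The secrets, password and function names are constructed for illustration, and the CHAP challenge is assumed to be carried in the Request Authenticator.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values, not taken from the capture in the post.
SERVER_SECRET = b"acs-secret"
USER_PASSWORD = b"correct-pw"

def _pap_xor(data, secret, req_auth, hiding):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def pap_hide(password, secret, req_auth):
    size = max(16, -(-len(password) // 16) * 16)  # pad to a 16-byte multiple
    return _pap_xor(password.ljust(size, b"\x00"), secret, req_auth, True)

def pap_reveal(hidden, secret, req_auth):
    return _pap_xor(hidden, secret, req_auth, False).rstrip(b"\x00")

def chap_password(chap_id, password, challenge):
    """CHAP-Password value: CHAP ID + MD5(ID + password + challenge).
    The shared secret is not an input."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def response_authenticator(code, pkt_id, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server(method, pkt_id, req_auth, credential):
    """Toy RADIUS server: returns (code, Response Authenticator)."""
    if method == "PAP":
        guess = pap_reveal(credential, SERVER_SECRET, req_auth)
        ok = hmac.compare_digest(guess, USER_PASSWORD)
    else:  # CHAP, challenge taken from the Request Authenticator
        expected = chap_password(credential[0], USER_PASSWORD, req_auth)
        ok = hmac.compare_digest(expected, credential)
    code = 2 if ok else 3  # Access-Accept / Access-Reject
    return code, response_authenticator(code, pkt_id, b"", req_auth, SERVER_SECRET)

def client(method, client_secret, typed_password):
    """Returns (server accepted, reply passed the client's authenticator check)."""
    pkt_id, req_auth = 1, os.urandom(16)  # Request Authenticator is just random
    if method == "PAP":
        cred = pap_hide(typed_password, client_secret, req_auth)
    else:
        cred = chap_password(pkt_id, typed_password, req_auth)
    code, resp_auth = server(method, pkt_id, req_auth, cred)
    local = response_authenticator(code, pkt_id, b"", req_auth, client_secret)
    return code == 2, hmac.compare_digest(resp_auth, local)

if __name__ == "__main__":
    for method in ("PAP", "CHAP"):
        for secret in (b"wrong-key", SERVER_SECRET):
            print(method, secret, client(method, secret, USER_PASSWORD))
```

With these constructed values, CHAP with a wrong key is still accepted by the server, but the reply fails the client's Response Authenticator check, which matches the six logged cases listed above. A server can reject a request on the key itself only when the request carries a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 2869), which this sketch does not model.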

Similar Messages

  • Question about the MAKZN field in the RBKP table

    Hello all.
    I have a question about the MAKZN field. Does anyone know what field in MIRO is assigned to this field? We have an issue where a line item amount was not selected and the invoice was out of balance, but the agent selected accept and post, and the invoice posted. I am interested in knowing where the amount is keyed in, because when I go to the RBKP table I see an amount entered in MAKZN (manually accept net difference amount).

    Hi,
    it seems as if the value was calculated internally:
    program SAPLMR1M
    dynpro 6000
    PAI module fcode_6000
    Include LMR1MI3W
    *-------- post --------------------------------------------------------*
        WHEN fcobu OR fcomanak.
    *--- identical code in PAI Module FCODE_6250 --------------------------*
          PERFORM ota_check USING vf_kred-xcpdk rbkpv-xcpdd
                            CHANGING rc.
          IF rc NE 0.
            CLEAR ok-code.
            EXIT.
          ENDIF.
          IF ok-code = fcomanak.
            PERFORM diff_akzeptieren.
            ok-code = fcobu.
          ENDIF.
    where:
    fcomanak          LIKE ok-code VALUE 'MANAK', " Manually accepted
    *&      Form  DIFF_AKZEPTIEREN
    *       Accept difference manually
      FORM diff_akzeptieren.
    *       Manually accepted amount
        rbkpv-makzn  = rbkpv-makzn + rbkpv-diffn.
        rbkpv-makzmw = rbkpv-makzmw + rbkpv-diffmw.
    *       Difference amounts
        CLEAR: rbkpv-diffn, rbkpv-diffmw.
      ENDFORM.                             " DIFF_AKZEPTIEREN
    Maybe it's happening when manually releasing the invoice in MRBR?
    Best regards.

  • A question about keeping screen field unchangable in selection screen

    Hello Expert,
    I have a program as below.
    REPORT Z_TEST.
    SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-i01.
    SELECT-OPTIONS: s_kappl FOR a017-kappl DEFAULT 'M' NO INTERVALS.
    SELECTION-SCREEN: END OF BLOCK b1.
    INITIALIZATION.
      LOOP AT SCREEN.
        IF screen-name CS 'KAPPL'.
          screen-input = 0.
          MODIFY SCREEN.
        ENDIF.
      ENDLOOP.
    When I executed the report, the field for S_KAPPL was unchangeable. This is as expected. But if I select a variant, the field changes back to changeable.
    My question is: how can I keep the field unchangeable after I select a variant?
    Thanks in advance,
    Regards, Johnny

    Hello Johnny,
    When you're creating the variant you've to mark the check-box "Protect field" as true.
    This will make the field as output only.
    BR,
    Suhas

  • New to the product - question about validating multiple fields as a group

    I have a static form that I'm building from a word document.  Part of that form requires a person to fill any 3 out 5 text fields.
    Since it looks like scripts are applied on a field by field basis, is it possible to have a script that encompasses multiple fields? 
    Would any script need to be applied to each field in turn?
    Assuming the answer to question 1 is a yes, how would you script it to require x number of fields out of a total of y to have some sort of content in order to validate?
    I'm pretty familiar with JavaScript and am looking at the Scripting reference guides but was hoping for a helping hand to get me there quicker as I'm in a bit of a time crunch - doing 18 forms with validation and database connectivity by January 15 certainly qualifies in my book.
    I would assume you'd do something like this but am unsure of the syntax...
    Get values of each field
    Set a valid counter variable for the number of fields with content
    If field 1 is not empty, increment the valid counter
    (rinse and repeat)
    if the valid counter is less than 3 throw an error message
    Many thanks in advance for any help offered

    1). Yes, scripting within Livecycle can be for a single field or even static text, images and other artifacts within the PDF. Really anything, within Adobe's reason, when it comes to scripting.
    2). It depends on what you want to do. Things like field validations, calculations and other instances where fields are tied together really dictate how the script runs.
    3). Fields that have calculations or validations with them work in the same way, I believe. So for example I have a PDF that I made that is an Excel-type sheet that contains a few hundred cells and every single one has some type of validation or calculation associated with it. I generally run the calculations/validations from the user inputting the data and then after that the script runs, but again, it really depends on what you are doing and with what, so answering some of your questions is a bit difficult.
    JavaScript/FormCalc are wonderful tools within PDF, but don't forget the Action Builder (Tools - Action Builder). It is a set of preloaded actions that are turn-key. Just select the cells that will have the action and select the result you want from the preloaded list of actions. Using those actions can get you very far, and most of all, they are quick to implement without researching code. So for example, you could use the Action Builder to create an action that checks certain fields and if they are null to return a 1 value to a specific numericField (these could be hidden). Then have a "total" numericField (this would be your counter) that adds all of those fields with the 1 in it. Then create another Action Builder for that "total" numericField and if it is less than 3, display a message box that is a warning.

  • Questions about ADF Authentication

    Hello guys. First of all, I am wondering: is it possible to connect the ADF authentication system with the database, to be able to add users programmatically? The second question is: can I do the authentication on 2 levels? In my case more than one company uses our application and each company has many users. I want the client to log in to the company account, then to his own account. Is that possible using the ADF authentication system? I am using JDev 12c. Thanks in advance.

    Hi,
    first of all.. am wondering, is it possible to connect the adf authentication system with the database, to be able to add users programmatic ?? ,
    something like this. ADF security for dynamic users.
    The user is able to do two levels of authentication:
    1. Configure username and password (encrypted) in the DB; that is DB authentication.
    2.ADF-security Authentication.
    thanks.

  • Urgent questions about NTLM authentication

    Hi all.
    In our customers side, we have this scenario.
    One windows 2000 active directory as domain controller - server1
    One WAS EP - server2
    WAS EP user database is point to the server1.
    When an end user logs in to the Windows domain, opens IE and enters the WAS EP URL, the user is logged in to WAS EP automatically and does not need to input a password.
    The problem is that the Windows AD LDAP field officeName is now mapped to the WAS EP userid, rather than the Windows AD LDAP field userid being mapped to the WAS EP userid.
    But currently users log in to the Windows domain using their Windows AD LDAP field userid and password, not officeName.
    How can I implement it?
    When a user logs in to the Windows domain, the authentication would translate it to officeName and log in to the Portal. Can this solution be implemented?
    Thanks a lot.

    This may not be the exact answer but may put you in the right direction.
    http://help.sap.com/saphelp_nw04/helpdata/en/98/9b2f41893a6e24e10000000a155106/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
    Regards
    Juan

  • Question about Container Authentication

    I have a very simple question. All the authentication methods provided by the container require modification of web.xml or other XML files to add new users, roles etc. So it seems unsuitable for a very dynamic application wherein lots of users either join or leave. I wish to know whether it is possible to use a database or other sources (other than XML files) in tandem with container authentication, thereby eliminating the use of XML files for authentication.
    regards,
    nirvan.

    You can use user groups in those XML files instead of using user names directly; then even when users join or leave your application they will inherit the group authorizations.

  • Question about request

    Dear Programmers
    Is it possible to hold a value in request scope permanently?
    For example, I have a bean called Person in the request scope.
    After submitting the JSP which is connected to that bean I lose it (the bean). The next time I use this JSP the bean will be created again. How can I solve it?
    The tag <t:saveState> of MyFaces doesn't help me in this case.

    I am in the same situation. I want to be able to have two windows open in the same session editing different things. The only way I could see how to do this was to have every page have a hidden field with a unique ID. Then you could grab this ID at the beginning of the submission, possibly in a custom view handler and set something so all subsequent calls during the processing of your request could operate on the correct objects.
    I haven't been able to get it to quite work...in the view handler when I try and pick the field off the request object manually, I can't seem to find it...although the field was on the page as a hidden field in the form that was submitted. Not sure why, so I left it to revisit later. Let me know if you figure something out.

  • A question about editing ALV fields

    Hello Expert,
    In my project, we need to read data from DB and display it in the ALV. In the ALV output, we should be able to edit the records, and after the user clicks the "Save" button in the application toolbar, the program should be able to save the changed data into DB.
    Currently, I can display the data in ALV and all fields are editable. After I change some data and click "Save", the program will go into subroutine 'F_ALV_USER_COMMAND',  but the data in the internal table GT_OUTTAB is not changed.
    I generate the ALV output by the following calling:
    call function 'REUSE_ALV_GRID_DISPLAY'
          exporting
            i_callback_program = wf_pgm
            is_layout          = gs_layout
            it_fieldcat        = gt_fieldcat[]
            i_callback_pf_status_set     = 'F_PF_STATUS_SET'
            i_callback_user_command = 'F_ALV_USER_COMMAND'
            is_variant         = g_variant
          tables
            t_outtab           = gt_outtab
          exceptions
            program_error      = 1
            others             = 2.
    In the subroutine 'F_PF_STATUS_SET', I call a GUI Status defined by myself.
    But if I call as below
    call function 'REUSE_ALV_GRID_DISPLAY'
          exporting
            i_callback_program = wf_pgm
            is_layout          = gs_layout
            it_fieldcat        = gt_fieldcat[]
           i_callback_pf_status_set     = 'F_PF_STATUS_SET'
            i_callback_user_command = 'F_ALV_USER_COMMAND'
            is_variant         = g_variant
          tables
            t_outtab           = gt_outtab
          exceptions
            program_error      = 1
            others             = 2.
    GT_OUTTAB is changed accordingly after clicking the "Save".
    Can any expert tell me why Internal table is not changed in the case I use user-defined GUI Status?
    Thanks & Regards, Johnny
    Edited by: Yongbo Wu on Jun 10, 2011 10:51 AM

    Hi Yongbo;
    Unfortunately REUSE_ALV_GRID_DISPLAY has update problem.
    REUSE_ALV_LIST_DISPLAY FM is making automatic update/change itab.
    You can change REUSE_ALV_GRID_DISPLAY FM with REUSE_ALV_LIST_DISPLAY FM.
    Best Regards.
    call function 'REUSE_ALV_LIST_DISPLAY' "'REUSE_ALV_GRID_DISPLAY'

  • Question about making mandatory fields hidden

    If I make an empty mandatory field hidden, do I have to set the mandatory property to "disabled" to prevent it from triggering the error message since it's empty?

    You are calling it a problem and I say works as designed. When you make a field mandatory you are indicating that the field must have a value (in the data file). When the submit is pressed, the mandatory fields are checked and if a value for that field is not in the data DOM (in the bound node) then the message is displayed (whether the field is visible or not, the binding still exists). You should make the field not mandatory by default, then make it mandatory when you make it visible.

  • Question About Requesting a Genius at the Bar

    I found the person very helpful and nice when visiting at the bar for replacement. I'm trying to find out his name since I don't know. Is there any way I can find out by calling their shop I went to? So I can request him for future reference? I'm asking because I had bad experience with previous genius before this person.

    iBenjaminCrowley wrote:
    To get an Apple Store Genius Bar go to this Link: http://concierge.apple.com/reservation/us/en/techsupport/
    Click on your closest store and then select Genius Bar. All you will then need to do is sign in and arrive 10 mins before the scheduled appointment. Be aware that Apple has a 10 mins lee way so if you are more than 10 mins late, expect not to get seen.
    The OP apparently already knows how to do that as they report they already had an appointment. They're trying to find out the name of the Genius who helped them during that appointment.

  • Question about Message Authentication Code (MAC)

    Can a MAC detect if someone altered or replace a message? Also, can someone delete a message?

    A MAC can detect tampering, assuming it's a strong MAC (like SHA1), and assuming you use it correctly.
    Frankly, it's the second part that is most likely to stymy you. It's easy to get strong algorithms; using them well is much, much more difficult.
    A MAC is absolutely useless for detecting if a message has been deleted. In fact, detecting missing messages is an intractable problem. You can increase the odds of noticing a missing message, but you can never guarantee it.
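
As an added example for the answer above (not code from the thread): a receiver that verifies a MAC over a sequence number plus the message, so tampering and mid-stream gaps are noticed while a deletion at the end of the stream is not. HMAC-SHA256, the 8-byte counter, the key and all names are choices of this example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key
TAG_LEN = 32                   # HMAC-SHA256 output size

def seal(seq, msg, key=KEY):
    """Frame = 8-byte sequence number + message + MAC over both."""
    body = struct.pack("!Q", seq) + msg
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.next_seq = 0

    def accept(self, frame):
        """Classify one frame as 'ok', 'tampered', 'replayed' or 'gap'."""
        if len(frame) < 8 + TAG_LEN:
            return "tampered"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "tampered"  # altered, or built without the key
        seq = struct.unpack("!Q", body[:8])[0]
        if seq < self.next_seq:
            return "replayed"
        # A jump in the counter shows something before this frame is missing.
        status = "ok" if seq == self.next_seq else "gap"
        self.next_seq = seq + 1
        return status

def run(frames):
    """Feed frames to a fresh receiver and collect the verdicts."""
    receiver = Receiver()
    return [receiver.accept(f) for f in frames]

def flip_last_message_byte(frame):
    """Constructed tampering: change one message byte, keep the old tag."""
    i = len(frame) - TAG_LEN - 1
    return frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]

if __name__ == "__main__":
    f = [seal(i, b"message %d" % i) for i in range(4)]
    print(run(f))                    # all delivered
    print(run([f[0], f[2], f[3]]))   # frame 1 deleted in transit
    print(run([f[0], f[1]]))         # frames 2 and 3 deleted at the end
```

The last call returns only "ok" verdicts: nothing arrives after the deleted frames, so the receiver has no later counter value to compare against.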

  • FWSM user and administrator multi-contexts authentication under ACS radius

    Hi,
    I’m preparing the setup of an ACS radius server for FWSM-related authentication operations.
    FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in multi-switch active / standby setup, with multiple contexts configured.
    User and administrator access management will be performed thanks to a radius ACS server.
    I intend to install ACS onto an armored windows 2000 server SP4 , using a local database.
    PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
    Are there any points I should be aware about such a configuration, especially regarding the user and administrator authentication access management setup ?
    The fact is that administrators will have to be defined and restricted to their own context, without privileges onto other contexts. Do you have feedback about such a setup or relevant information to point to me ?
    Many thanks in advance for your attention.
    Best regards,
    Arnaud

    Each of the contexts will behave like individual firewalls for your purposes here. So, they each get a AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well, it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the Pix MC, which is similar to PDM, but works for multiple FWSMs. It is a part of CiscoWorks VMS.
    -Paul

  • Plug-in Request Group field into the external authentication plug-in

    Hi all,
    I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
    I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunately, I've had no success.
    Is possible to do this?
    Thank you.
    Message was edited by:
    user571491


  • Question about setting cookies and custom authentication

    I have a question about setting cookies.
    I have two different 'projects' in HTMLDB - we will call them App1 and App2.
    I also have two different connection configurations setup in the DADs.conf file. - we will call them Connect1 and Connect2.
    App1 is setup to use database authentication (no user is specified in the DAD) and uses Connect1. Once the user successfully logs in, we set a username cookie (this is a persistent connection).
    We created a custom authentication scheme for App2 - this scheme checks for the username cookie (set by App1). We would like for App2 to use Connect2 (HTMLDB_PUBLIC_USER is the default user specified and it uses connection pooling).
    Is it possible to set a cookie from App1, Connect1 for App2, Connect2 - then redirect to App2 and pick up that cookie?
    Here is an example of what we are trying to accomplish:
    A user logs into App1, we set a cookie, and the user is redirected to App2. If the cookie exists, we allow them access to the home page in App2, if no cookie, we redirect back to a 'Login Failed' page in App1. We don't want App2 to use the same database connection as App1 though, we need App2 to use connection pooling.
    Is this possible? OR...Is there a better way to accomplish what we want to do?
    This is an enhancement to an existing app. Our requirements are to use Database Authentication (setup where pass expires after 60 days or so, cannot reuse last 3 passwords, etc.) - which is already setup and being used by other applications in our organization. All of our users have accounts in the database. We don't want users to have a new username/pass - and we don't want to manage a separate group for HTMLDB apps.
    The existing application uses HTMLDB's built in authentication - which uses database username/pass, and it uses connection pooling, but we cannot handle the pass expire stuff in it, unless there's something we're not seeing or understanding - at least that's how our DBA explained it to us.
    Any help with this will be appreciated so much. I can send you the code we have if needed.
    Thanks!

    Same problem here.  I have so many problems with this remote app.  Is there an iTunes API? I would like to write my own remote app that actually works.
