ACS v5.2 and Citrix Repeater - Configuring shell (exec)

Hi
     I am trying to get a Citrix Repeater 8540 authenticating with a v5.2 ACS. I can get the authentication via TACACS+ to work OK but I do not have access to some the configuration options in the GUI (like logging) - It is saying I do not have the proper rights.
Googling around I have found that on a version 4.x ACS all you need to do is tick shell (exec) and set privilege 15 to get it to work (see screen shot) but I am having trouble with a v5.2 ACS. I can assign privilege 15 in the shell profile and assign execed to attribute shell but it is still not working.
I have configured the following shell profile but I can still not access most of the menu options:
This is the error when trying to access Admin Config on the Citrix Repeater
Any ideas please

Have you created individual user accounts in the Central Manager that match the user ID on you ACs system?  If the user does not have an account in the CM under Admin>AAA>Users then they will probalby get logged in to the CM but will have no privileges.

Similar Messages

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • ACS Shell Command Authorization Sets on IOS and ASA/PIX Configuration

    Hi,
    I need to activate a control privileges of users on various devices.
    I found this interesting document:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    and using a router with IOS 124-11.XV1 work normally while using a switch 2960-24TC with IOS 12.2.25SEE3 not working.
    All users (read and full access) access on a not priviledge mode.
    WHY?
    I have a ACS v3.3 build 2
    I have a 2960-24TC with IOS 12.2.25SEE3
    I tried with a acs v4.1 without success.
    Thanks.

    If you want user to fall directly in enable mode,then you should have this command,
    aaa authorization exec default group tacacs+ if-authenticated
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG

  • Cisco ACS v4.2 and WAAS CM

    I have been mulling over this issue on and off for some time now.  I have an ACS server which i am using to authenticate both the AE units and the central manager.  TACACS+ works perfectly with regards to authenticating via the CLI, but i am having trouble with getting the web GUI access to that same group in the ACS server.  I am running 4.1.5c on the WAAS CM.
         I have read through the configuration documents and have made a user group named exactly as it is on the ACS server, and have assigned that group an admin role and privileges over all of my units including the CM.  So far i have enabled these options in my TACACS+ settings:
    shell(exec)
    Privilege level (assigned to 15)
    I am assuming that i have to add a web command under "Unmatched Cisco IOS commands," but I cannot find any documentation as to which arguments i need to pass to it.
    If anyone could help me with this i would appreciate it.

    Have you created individual user accounts in the Central Manager that match the user ID on you ACs system?  If the user does not have an account in the CM under Admin>AAA>Users then they will probalby get logged in to the CM but will have no privileges.

  • Cannot get restricted command set to work with ACS 5.5 and HP Procurve switches - Can anyone assist?

    I have AAA authentication working with no restrictions and I have TACACS working with command restrictions for my Cisco gear.

    Hi... I have created a shell profile in Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles which has a assigned privilege level of 15 and a max privilege level of 15.  Further to this I have added a new commands set via Policy Elements -> Authorization and Permissions -> Device Administration -> commands sets. 
    I have referenced the shell profile via Access Policies -> Access Services -> Default Device Admin -> Authorization. And this part of it seems to work fine, but the command set I am using to restrict the commands allowed is not being used...do I need to reference the command set somewhere else within the ACS platform as well?  The configuration I have added on to the Network Device is as follows: -
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    Can you advise what it is I am missing?

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
    this error means the external server might not correctly configured on ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
    This authrization profile is used on access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks on advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
    Dec 13,10 10:29:00.513 AM
    00-23-AE-7A-58-A6
    00-23-AE-7A-58-A6
    Default Network Access
    Lookup
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM
    #ACSACL#-IP-Guest-4cfcc14d
    Dot1x-3560-Switch
    1.2.3.4
    TESTACS
    Dec 13,10 10:28:28.726 AM
    acstest
    00-23-AE-7A-58-A6
    Default Network Access
    PEAP (EAP-MSCHAPv2)
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    Thanks,

  • Cisco Trustsec using only ACS 5.2 and a 65k SXI with 802.1X

    Hi
    I hope that this is the correct place for this Q.
    I have setup an ACS 5.2 Server and enaled 802.1X authentication on a 65k running SXI5, as per the following section; Assigning SGT Using IEEE 802.1X User Authentication
    The link can be found below;
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.html
    I can sucessfully get a PC to authenticate using dot.1x and according to the monitoring on the ACS box, the SGT is passed to the 65k, however when I do a "sho cts role-based sgt-map all", I can't see the SGT passed to the 65k. Is this because I don't have a Nexus to create the sxp link to?
    Sorry if this is a noddy Q, but I'm trying to do my best to get to grips with trustsec, but not having a 7k means I'm really struggling.
    many thanks

    Hi Nicolas
    Thanks for taking the time to respond. Although Nexus is needed, if a device authenticates using 802.1x and this is configured for SGT, should the SGT configuration not update on the 65k? This is something that I would presume would happen without the need for the Nexus.
    Once again, sorry if this is vague and a very newbie Q.
    Many thanks

  • Configuring Shell Script

    I am a newbie to Shell Scripting.
    I am trying to set up a Unix Resource on my IDM system.
    I have a Test Machine (which is Remote, of course). Naturally, the machine is Unix-based. Within this machine is a Unix Database, which is MySql-based.
    On this machine, I created a User (complete with full Administrator rights and privileges).
    And, to this user's Home Directory, I added certain a scripts which is meant for "*Creating a new User"* in the Unix Database. This script is written in PERL language.
    I created the Shell Resource, by using the IDM sample Shell Script files (the ones located in the IDM sample-folder). Naturally, I modified certain attributes, removed others, etc, etc.
    My problem is : the Get Resource Action and Get Result Handler.
    These two things are MANDATORY when configuring Shell Script. I have absolutely no idea how to write those scripts.
    I have searched everywhere online (sun docs, forums, even google).
    Could anyone please give me an idea of how to code/write the script for those Actions?
    Thanks

    Thanks for your replies.
    I was able to get the "Create User" process to work. What I did was design a custom-script which is suited to my own Unix environment.
    t worked (or, it seemed to work).
    In IDM, i got the following error :
    *Error detected: [Adding account to hosts and creating quotas]&amp;amp;amp;#xD;&amp;amp;amp;#xA;Default shell for netpasswd is /usr/alt/uadm2/bin/nologin. This can be changed later.&amp;amp;amp;#xD;&amp;amp;amp;#xA;Default shell for sui-dev is /usr/alt/uadm2/bin/nologin. This can be changed later.&amp;amp;amp;#xD;&amp;amp;amp;#xA;Default home path for sui-dev is /home. This can be changed later.Default shell for ssl3 is /usr/alt/uadm2/bin/nologin. This can be changed later.&amp;amp;amp;#xD;&amp;amp;amp;#xA;Default shell for sui-test is /usr/alt/uadm2/bin/nologin. This can be changed later.&amp;amp;amp;#xD;&amp;amp;amp;#xA;Default home path for sui-test is /home. This can be changed later.[Adding user to groups]&amp;amp;amp;#xD;&amp;amp;amp;#xA;[Creating home directory]&amp;amp;amp;#xD;&amp;amp;amp;#xA;DUMMY - ssh -2 -l root sui-dev "/usr/alt/uadm2/libexec/mkhome sui-dev /users1/u1/mjerome 44444 500 550 mjerome"&amp;amp;amp;#xD;&amp;amp;amp;#xA;DUMMY - ssh -2 -l root sui-test "/usr/alt/uadm2/libexec/mkhome sui-test /users1/u1/mjerome 44444 500 550 mjerome"&amp;amp;amp;#xD;&amp;amp;amp;#xA;[all done].*
    Result Code = 120.
    Error
    *com.waveset.util.WavesetException: An error occurred adding user 'mjerome' to resource 'Unix Administration'. com.waveset.util.WavesetException: Error detected: . com.waveset.util.WavesetException: Error detected: [Adding account to hosts and creating quotas] Default shell for netpasswd is /usr/alt/uadm2/bin/nologin. This can be changed later. Default shell for sui-dev is /usr/alt/uadm2/bin/nologin. This can be changed later. Default home path for sui-dev is /home. This can be changed later.Default shell for ssl3 is /usr/alt/uadm2/bin/nologin. This can be changed later. Default shell for sui-test is /usr/alt/uadm2/bin/nologin. This can be changed later. Default home path for sui-test is /home. This can be changed later.[Adding user to groups] [Creating home directory] DUMMY - ssh -2 -l root sui-dev "/usr/alt/uadm2/libexec/mkhome sui-dev /users1/u1/mjerome 44444 500 550 mjerome" DUMMY - ssh -2 -l root sui-test "/usr/alt/uadm2/libexec/mkhome sui-test /users1/u1/mjerome 44444 500 550 mjerome" [all done]. com.waveset.util.WavesetException: Result Code = 120.*
    From what is written there, I could see that the user was INDEED created. (Just to be sure, I checked my Unix machine. And, yes, the user was created. I also checked the MySQL database, and the user is there, too)
    However, I keep getting the above error in IDM.
    I can't figure out any explanation besides the fact that, perhaps, this is because I do not have a RESULT HANDLER script in place yet.
    And, this is where my problem is : some documentation on Shell Script say that Result Handlers are needed only for two Actions : GetUser and GetAllUsers.
    However, other documents claim that Result Handlers are needed for ALL resource actions. (In other words, if you have a Create User resource action, then you must have a Create-User result handler).
    I don't even know which of these claims is true.
    Any help, please?

  • How to configure Team explorer 2010 command-line tool in Mac x os. configure shell or system path to include the folder to which (TF client) unzipped archive available.

    How to configure Team explorer 2010 command-line tool in Mac x os.
    Hot to configure shell or system path to include the folder to which (TF client) unzipped archive available. I am new to Mac X OS. Please help.

    Dmitry,
    Thanks for the great writeup!
    I think I've got my universal instant client libraries built correctly.
    I too am using MacBook Pro but I'm getting stuck at building the 32 bit oci8.so
    First problem is my pecl download (ver 1.4.1) did not contain a "configure" file so ./configure failed.
    I used configure from /sw/....... to try to continue.
    Second problem. Using existing configure from /sw/.... I used an appropriate variation of your example command
    (./configure --with-oci8=instantclient,/usr/local/oracle/instantclient_10_2 && make).
    Things look like everything ran OK but The output does NOT include an oci8.so file
    So I guess my question is: Which "configure" should I be using? And if it is not the one on the system under /sw/...
    where would I get it since it doesn't come in the pecl download?

  • ACS Group mapping and restrictions

    hi,
    I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
    ACS Groups
    Netadmin - need telnet/ssh/vpn/wireless
    wireless - only wireless authentication
    vpn - only vpn authenticaiton
    I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
    Also please note that one user can be belongs to all three groups in ACS/AD.
    thanks in advance.

    In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
    In this scenario, it is very important to understand how ACS group mapping works.
    Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
    Select the AD group NetworkAdmin and map it to ciscosecure group 1
    select the AD group RouterAdmin and map it to ciscosecure group 2
    select the AD group Wireless and map it to ciscosecure group 3
    Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
    Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
    You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
    SCENARIO:
    Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
    NOTE:
    If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
    routers and switches.
    IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
    username is to go to usersetup find that user and delete it manually.
    ACS will not support the following configuration:
    *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
    *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
    However there if your mappings are in below order...
    NT Groups ACS groups
    A,B,C =============> Group 1
    A =============> Group 2
    B =============> Group 3
    C =============> Group 4.
    You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
    This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
    You can create a rule for users in group A (Group 2)
    You can create a rule for users in group B (Group 3)
    You can create a rule for users in group C (Group 4)
    Regards,
    ~JG
    Do rate helpful posts

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA Tacacs users to login into the
    ACE over the context with superuser ritghts.
    Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
    ‑> enable Custom attributes ‑> right below this part you need to
    use the following sintax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default‑domain
    Where this user will have access to the Admin context with the role
    admin using the 'default‑domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile select the Custom Attributes tab and put in the following fields close to the bottom of the screen, from the example you provided type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional, if you select mandatory and other IOS devices use this same shell profile you will force this av pair to these devices also which will impact the priv levels that then need for authentication.
    After you add this attribute, save your changes and then test, also make sure that your Aceess Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • I want to set up the Time Machine and I would love to use the Time  Capsule but since I already have a wireless router I need suggestions on  what other external disks Apple could recommend to use with the Time Machine and  how to configure that disk

    I want to set up the Time Machine and I would love to use the Time
    Capsule but since I already have a wireless router I need suggestions on
    what other
    external disks Apple could recommend to use with the Time Machine and
    how to configure that disk.
    A complication that I need to resolve is the fact that I am using Vmware
    Fusion to be able to use Windows on my Mac. Now it seems that Time
    Machine is not backing up my files
    on that virtual Windows without additional configuration and my question
    is whether you can advise me here or whether this is only a matter for
    the Fusion virtual machine.

    If you want to use Time Capsule you can.. you simply bridge it and plug it into the existing router.. wireless can be either turned off or used to reinforce the existing wireless.. eg use 5ghz in the TC which is much faster than your 2.4ghz.
    You can also use a NAS.. many brands available but the top brands are synology, qnap and netgear readynas  series. These will all do Time Machine backups although how well always depends on Apple sticking to a standard. There are cheaper ones.. I bought a single disk zyxel which was rebadged and sold through my local supermarket. It actually works very well for TM at least on Snow Leopard. Major changes were made in Lion and again ML so do not instantly think it will work on later versions. I haven't tried it yet with those versions.
    Any external drive can be plugged into the mac. Use the one with the fastest connection or cheapest price according to your budget. USB2 drives are cheap and plentiful. But no where near as fast as USB3 or FW800. So just pick whichever suits the ports on your Mac. Interesting Apple finally moved to USB3 on their latest computers.
    TM should exclude the VM partition file.. it is useless backing it up from Mac OS side.. and will slow TM as it needs to backup that partition everyday for no purpose.. TM cannot see the files inside it to backup just the changes.
    You need to backup windows from windows. Use MSbackup to external drive.. if you have pro or ultimate versions you can backup to network drive. But MSbackup is a dog.. at least until the latest version it cannot restore the partition without first loading windows. There are about a zillion backup software versions for windows.. look up reviews and buy one which works for you. I use a free one Macrium Reflect which does full disk backups and is easy to restore.. to do incremental backups though you have to pay for it.

  • Does anyone know how to select text in Appleworks, click on the font button and then be able to scroll thru all the font so that one can see the text change as you scroll down the list, at present  I have to do it one font style at a time and then repeat

    does anyone know how to view text in Appleworks, to be able to click on the font button and then be able to scroll thru all the font so that one can see it change as you scroll down the list, at present  I have to do it one font style at a time and then repeat? Thanks jl

    Welcome to the Apple forums
    Your question really belongs in the AppleWorks community/forum.
    You can turn on fonts in actual type in the AppleWorks preferences.

  • Firefox 4 is freezing on GMail tab at frequent intervals on Windows 7, resulting in a message "Program not responding". Remains open but becomes unresponsive for a fill minutes or seconds. And problem repeat, repeat...

    Firefox 4 is freezing on GMail tab at frequent intervals on Windows 7, resulting in a message "Program not responding".
    Remains open but becomes unresponsive for a fill minutes or seconds. And problem repeat, repeat...

    Check this out;
    http://www.clamxav.com/ free malware scanner for Mac OS X
    https://discussions.apple.com/docs/DOC-3291

Maybe you are looking for

  • How do I get dates pulled from database to display in Spanish?

    I'm pulling a date from a MySQL database and need to have it display in Spanish. If it were in English, these are the two statements I would be using: #DateFormat(event_date,"mmmm")# #DateFormat(event_date,"mmm d")# I tried using <cfset SetLocale("Sp

  • Mac Pro ATI 5770: HDMI to Panasonic plasma TV

    I have a Mac Pro 2x2.4 Quad Core with original ATI Radeon HD 5770 graphics card. I use the computer for Final Cut Pro X and Pro Tools HD Native. My monitor is an HP 2711x. I would like to run a Category 2 HDMI cable from the 5770 to a Panasonic VIERA

  • BT Yahoo Home Page access

    Now that the Bt Yahoo login has now changed to BT.com I have lost access to my old BT Yahoo home page. This was a useful home page which was customisable with feeds etc. Now it just re-directs to the BT.com portal home page instead. Is there any way

  • Change an Icon in the Dock?

    Is there a way to change the icon of a program in the dock? More specifically, I'd like to change the icon of my Intel Mac Firefox build to the actual Firefox icon (to make it easy on other people who may use my compture and because it looks cool :D)

  • For those with 3G...

    How often do you find yourself connecting to the service and when? ie on train, at friends house? Im trying to decide whether its worth it to buy the 4G model considering the number of wifi hot spots available these days.