AD Groups and VCS Authentication

Similar Messages

• Mobilty Group and re-authentication

  Hello All
  I have to WLC's a 4402 and 5508   in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate. Is this what others are seeing? and is this working as designed.?
  thanks for your help
  Dan

  I would do what nikhilcherian posted, because devices in the run state will be able to roam to another wlc (mobility and interface the same) without having to re-authenticate. But like George mentioned, test it out yourself... Don't listen to users:)
  Sent from Cisco Technical Support iPad App

• Everyone Group vs. Authenticated Users Group

  Two questions.....
  1.) What is the difference between the "Everyone" group and the "Authenticated Users" group.
  2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
  Regards,
  Diane

  Diane,
  The following asnwer is not a SAP answer but I did a quick check on our system and:
  1. the difference between the group Everyone and Authenticated users is exactly 1 user assignment.. I looked further and see that it has to do with the J2EE_GUEST user. this user is member of the group Everyone but NOT of the group Authenticated users.
  2. Can not give you a sure anser on this question but maybe it has to do with security that this is needed?!?!\
  Hopfully another SDN community member can fill me in here...
  Good luck and Kind Regards,
  Benjamin Houttuin

• Call/video not working between Cisco jabber for Windows and VCS control C40s

  Hello,
  I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
  The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
  If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
  Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
  I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
  Anyway here is what is happening:
  When I make a call from my cisco jabber windows to C40 using alias number. The call is being redirected just fine to the C40 and it rings, however when someoene or the auto answer picks it up, the call dropped right away.
  However, if I enabled the MTP in my CSF device, the call gets longer before dropping. I was even able to see my jabber " start video" turns green, before was grayed out all the time and the call dropped faster. I hear a fast busy tone. 
  I'm able to provide SDI traces, logs, diagnostic sip/h323 calls from VCS in order to know for sure if this is an incompatible issue or something I can workaround.
  Let me know if someone of you are interested in read these logs or could point me on the right direction.
  Thanks!

  Ok,
  I have looked at both logs. I have to mentinon though that you didnt
  provide the log that shows the h323 setup between cucm and the VCS. This
  is  most likely because the call originated from a different cucm than
  the ones you provided the logs from.
  The call would have orginated from the first cucm in the cucm group of
  this trunk: Name=RL_TRUNK_VIDEO
  The cucm ip will be : 10.252.53.10.
  This is the VCS log that confirms where the h323 request originated
  from:
  pr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="54000"
   Received RAS PDU:
  Having said that here is my analysis of the logs that you sent..
  Jabber sent an INVITE to CUCM and advertised all the codecs (audio and
  video it can support)..
  Observer that Jabber says it doesnt support G729 anexB
  21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
  from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
  [862370,NET]
  INVITE sip:[email protected];user=phone SIP/2.0
  Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
  From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
  -00000e65
  To: <sip:[email protected]>
  Call-ID: [email protected]
  Max-Forwards: 70
  Date: Fri, 11 Apr 2014 01:55:16 GMT
  CSeq: 101 INVITE
  User-Agent: Cisco-CSF/9.4.1
  m=audio 19252 RTP/AVP 0 8 18 105 104 101
  c=IN IP4 10.223.20.73
  a=rtpmap:0 PCMU/8000
  a=rtpmap:8 PCMA/8000
  a=rtpmap:18 G729/8000
  a=fmtp:18 annexb=no
  a=rtpmap:105 G7221/16000
  a=fmtp:105 bitrate=24000
  a=rtpmap:104 G7221/16000
  a=fmtp:104 bitrate=32000
  a=rtpmap:101 telephone-event/8000
  a=fmtp:101 0-15
  a=sendrecv
  m=video 28878 RTP/AVP 97
  c=IN IP4 10.223.20.73
  ++++Now lets observer the capabilites exchange during h245 negotiation
  between cucm and VCS++++
  Here CUCM advertises its caps to VCS (afterreceiving caps from VCS)
  Note that G729A, G729AB, G729 is all advertised..
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="45660"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : terminalCapabilitySet
   capabilityTableEntryNumber 2,
         capability receiveAudioCapability :
  g729wAnnexB : 6
         capabilityTableEntryNumber 3,
     capability receiveAudioCapability : g729AnnexAwAnnexB : 6
         capabilityTableEntryNumber 4,
         capability
  receiveAudioCapability : g729 : 6
  capabilityTableEntryNumber 5,
         capability receiveAudioCapability :
  g729AnnexA : 6
  ++++++
  After doing MSD (master slave determination, we move to the OLC phas e..
  Here we see that the far end..c40 wants to use G729AB for media++++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
  Module="network.h323" Level="DEBUG":  Src-ip="10.224.114.11"  Src-
  port="11163"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : openLogicalChannel :
     forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
       dataType audioData :
  g729AnnexAwAnnexB : 20,
       multiplexParameters
  h2250LogicalChannelParameters :
  +++Next VCS sends G729AB as the codec to use to CUCM+++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
  Module="network.h323" Level="DEBUG":  Dst-ip="10.252.53.10"  Dst-
  port="45660"
   Sending H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : openLogicalChannel :
     forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
       dataType audioData :
  g729AnnexAwAnnexB : 20,
       multiplexParameters
  h2250LogicalChannelParameters :
  ++++The next thing we get is an OLC reject from CUCM and this is where
  th call drops++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="45660"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= response : openLogicalChannelReject :
  forwardLogicalChannelNumber 1,
     cause dataTypeNotSupported : NULL
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
  Module="network.h323" Level="INFO":  Dst-ip="10.224.114.11"  Dst-
  port="11163"
    Detail="Sending H.245 OpenLogicalChannelRejResponse
  +++We then receive a call release from cucm with cause code of 47:
  resource unavailable++++
  Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="50913"
   Received H.225 PDU:
   Q931
     Message Type: Release
  Complete
     Call reference flag: Message sent from originating side
  Call reference value: 0x7b
     Info Element : Cause
       Location: Usr
     Cause Value: Resource unavailable
     Info Element : User User
     Length = 22
  Suggestions:
  Change the region setting between the ICT trunk to VCS and Jabber to use
  G711 and test again.

• ISE 1.2: Remove unused Sponsor Group and Identity Group

  Hi
  I started with ISE 1.1.2 and now upgrade to 1.2.
  There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
  1. One is a special Sponsor group which sponsor group policy I already removed. The I go to Aministration>Web Portal Management>Sponsor Groups and select the appropriate Group ans click delete and ok to confirm, the following error is displayed:
  com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
  2. The same happens with one Identity Group. I do not have it active anymore. Not in authentication, and not in authorization policy. I go to Administration>Identity Management>Groups>  and select te group to remove, and click "Delete selected" and confirm with ok, the following error occured:
  Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
  Is there any reason for any of these issue?
  Many thanks

  Hi ,
  Please open service request with cisco. These kind of issues may happen when the dependencies are deleted from UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from UI as well.  These kind of issues can be resolved under cisco guidance.
  Thanks,
  Naresh

• OS and Database Authentication

  Hi everyone,
  I use Oracle 10g on Fedora Core 4.
  Here is the question:
  I've created an account for my OS user (oracle) in the database named ops$oracle (ops$ is the value of OS_AUTHENT_PREFIX parameter). The oracle user in OS is member of "dba" group and in database is member of "sysdba".
  I also have created a password file for this database.
  There is no problem if I connect from a remote windows client like this:
  sqlplus "ops$oracle/secret@testDb as sysdba"
  but I get "ORA-01031: insufficient privileges" if I login to the OS as oracle and try this:
  sqlplus "ops$oracle/secret@testDb as sysdba"
  I don't get why?
  I tried "ops$oracle/secret as sysdba" (when I was logged in to the OS as oracle) and it worked fine which I think it's alright. Because when I take "@testDb" out means I'm using OS Authentication, because it takes precedence over password file authentication. right?
  Thanks in advance
  Amir Gheibi

  but I get "ORA-01031: insufficient privileges" if I login to the OS as oracle and try this:sqlplus "ops$oracle/secret@testDb as sysdba"
  On the server running the db, you should also be able to connect just with:
  export ORACLE_SID=testDB
  sqlplus /Does this work ?
  Did you run any CREATE USER statement for "oracle" account ?
  If yes, which one ?
  Bcause when I take "@testDb" out means I'm using OS Authentication, because it takes precedence over password file authentication. right?No, taking out @testDB will just connect to the instance defined by ORACLE_SID environment variable.

• Anyconnect tunnel-group and group-policy from LDAP

  Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
  To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.
  It is my understanding that the authentication method is provided by the tunnel-group.
  tunnel-group DefaultWEBVPNGroup general-attributes
   authentication-server-group LDAP_AD
  This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
  Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
  When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
  To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

  Fabian, 
  Your connection lands on a tunnel group and picks a group policy. 
  A typical way to overcome the problem you're indicating is by using group-url. 
  a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
  vide:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
  M.

• EAP-TLS User and machine authentication question

  Hello,
  i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
  i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
  What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
  thanks in advanced
  alex

  Sounds like you rather want to use PEAP/MSChapV2

• User Groups and non Developers users

  Hi,
  two questions.
  1) How do I create users groups.
  I want to divide specific users to specific groups.
  2) I created users not as developer and not as a administrator.
  When I logged on with that users I didnt see any of the applications, why?
  Thanx.

  1. You asked "how do I assign users to that group and later attach the group..." I think your question is not about how to assign users to a group but rather how to attach the group... Use the function wwv_flow_fnd_user_api.user_in_group in an authorization scheme (desc wwv_flow_fnd_user_api). Attach the scheme to a region, button, etc. to control access. Please read about authorization schemes in the user guide and search this forum for "authorization" and "groups" for useful threads.
  2. A user account without development privilege will be useful for authenticating to an application you create. It will not be useful for developing any applications in the Application Builder.
  Scott

• WPA2 and mac authentication

  I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?

  Hi Jared,
  you can do this by setup the following:
  Webinterface:
  1. Securtiy -> Server Manager
  Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
  2. Securtiy -> Advanced Securtiy
  In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
  IOS Interface from config mode:
  aaa group server radius rad_mac
  server 10.20.40.37 auth-port 1645 acct-port 1646
  and
  aaa authentication login mac_methods group rad_mac
  or
  aaa authentication login mac_methods group rad_mac local (for local fallback)
  I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
  Better use a setup with EAP-FAST or PEAP!
  I hope that helps.
  Best regards,
  Frank
  I hope that helps.

• Async Dial with mutiple groups and ACS

  has anyone else tried / managed to have multiple dialer mappings on a remote access router with the user dynamically allocated to the correct one based upon the details they provide as part of the PPP process?
  In my case I have an ACS server 3.3 which deals with the authentication through AAA passed on by the router running 12.2 mainline. This works fine but the end user now wants to have an 802.1q trunk from the router onto the network with the dial in users IP address allocated by the ACS server and the user placed in the relivant dialer group and therfore VLAN mapping to give them access to the services they would have if there where on the LAN normally.
  I guess the IP address allocation could be dealt with via pools on the RAS box but this would still leave me with the problem of dialer interface allocation based upon an authentication process which happens away from the router.

  Check out the following sample configurations for various scenarios (including dial-up using Windows NT or domain database) and for dial-up using ACS user database for both RADIUS and TACACS+, see if it helps :
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/tsd_products_support_series_home.html
  http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800fa54a.shtml

• Pt:tree of community groups and users

  I am creating a community emailer portlet for emailing the users of a community. I want to use a pt:tree that lists the groups and users who have membership in the community. I want the individual users, groups and users in groups to be checkable. I've been playing with the pt:tree for a while now without success. Can anyone help? This seems like it would be a common question, but I can not find any answeredthreads on this. Thank you!

  "Vikram" <[email protected]> wrote in message
  news:3eb6f601$[email protected]..
  >
  Hi,
  We are having problems seeing users or groups in our LDAP repository, thruWLS(7.0
  sp2) console. I created a Custom Security Realm(myRealm) in which I addedthe
  Novell LDAP Authentication provider as one of the authentication providersbesides
  a Default Weblogic Authentication Provider (for system user account). WhenI click
  on Users or Groups, I see either the "system" user account or"Administrators,
  Deployers, Operators, Monitors" groups.These groups and user accounts areprovided
  by the Weblogic Default Authentication provider. I am unable to see any ofour
  LDAP groups or User accounts. If I try to login to the WLS console with anLDAP
  user account, the authentication goes successfully. So WLS isauthenticating the
  user correctly but is not displaying the User and Group information in theconsole.
  We need to be able to look at the Group information in order to configurea Group
  Portal.
  Just out of curiosity, I configured an LDAP authentication provider in theCompatibility
  Security Realm and I was not able to see any of our LDAP users or groupsin the
  Compatibility Secyrity Realm also. I did reboot the WLS after configuringthe
  LDAP authentication provider in both the cases.
  I would appreciate if anybody can suggest probable reasons or workaroundsto list
  the LDAP groups in the WLS 7.0 console.
  I believe this is fixed in the latest 7.0 sp.

• Mapping Default Profiles of PT groups and folders for automating subportal experience

  I need to automate the subportal experience by adding the users to the folders. These folders will correspond to the Plumtree groups that we create.
  We are already planning on automating the maintainence of these PT groups by authentication source by applying custom business logic in Java program. I believe I can do the folder maintainence in the same program as well. However to make iot more effeicient and maintainable, I have the following questions.
  Is there a way to map the PT groups to the folders by using Default profiles(by auth source?)? I think this would help me avoid hard coding which users belonging to certain groups go in which folders. Is there another better approach? Any help would be appreciated.
  Thanks.
  Vanita
  Staples

  Thanks a lot for you reply Mark. I tried to add the Plumtree only groups to the Auth source and I am not allowed. It seems like this works only for the Auth Sorce(NTLM, AD etc.) groups not Plumtree only groups. Is there a way to do this kind of mapping for Plumtree only groups (to avoid doing this programmatically)?
  Regards
  Vanita
  ------- Mark Dimas wrote on 1/28/05 10:41 AM -------
  You can have users placed directly in folders based off of group membership by using the Partial Users Synchronization mode.
  On the auth source select Partial Users Synchronization and run a synch job. This will import all the groups. Then go back to the auth source, on the first page under Default Profiles add the groups, and for each group you can select the destination folder for members of that group. Then, on the Fully Sychronized Groups page you can add all the groups you want to import members from. Run the job again and all the users that are members of the selected groups will be imported and placed in the correct folder.

• Cisco aironet 1040: create wireless with wpa2 and mac authentication

  Hi,
  I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
  I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
  Can anyone help me? thanks
  Hi,
  I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
  I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
  Can anyone help me? thanks

  ap#show configuration
  Using 2085 out of 32768 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 syslog
  dot11 ssid Svez
     authentication open mac-address mac_methods
     authentication key-management wpa version 2
  username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
  username 00907a0f2a55 autocommand exit
  username administrator privilege 15 password 7 033449040A0620425A0D15564F42
  username 0025d3db778b password 7 055B565D74481D0D1B52404A09
  username 0025d3db778b autocommand exit
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  ssid Svez
  antenna gain 0
  station-role root
  world-mode legacy
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address dhcp client-id GigabitEthernet0
  no ip route-cache
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  ap#

• Is it possible to do machine and user authentication in same Authorization profile?

  Hi,
  I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
  Condition
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  Permissions
  then Vlan x
  Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
  Any help will be of great value.

  Hi,
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  - Not possible
  As user and machine authentication occur at different contexts.
  ACS cannot verify the both at the same time.
  Using MAR, you can, though club the both together and achieve:
  "machine is part of domain and user is valid only then he should be able to have full access"
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
  Tips for configuring MAR:
  1) Set the client to perform user or computer authentication.
  2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
  3) Enable MAR under the AD configuration page on ACS and set the aging time.
  4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
  Rate if useful