ASA - logging via radius with group name passed.

Hi,
I'm trying to set up an ASA5520 with RADIUS to authenticate users with group
privileges.
Using RADIUS with the ASA to authenticate users is quite simple. When I try
to pass the tunnel-group name (with group-policy and attributes attached)
from the ASA, the problem is that the ASA doesn't pass any group name to
RADIUS.
Is there any way to overcome it?
What I want to do is to apply different policies to a username depending on
which tunnel-group name he logs in to WebVPN with. I assume one user may
be a member of different groups.
br
Marcin

It's possible.
Differentiate your privileges and restrictions based on group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or another directory service). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute (#25). ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, in which you can then limit the URLs shown with the url-list command.
Long-winded, I know... any questions, please ask.

Similar Messages

  • Create an object with the name passed in as a string argument to a method

Hi,
I am sorry if it's too trivial for this forum, but I am stuck with the following requirements.
I have a method
void abc(String object_name, String key, String value)
Method abc should first check if there exists in memory a HashMap object with the name passed in as argument object_name.
If yes, just put the key and value there.
If not, then create the HashMap object called <object_name> and insert the key/value there.
Can anybody help me with the first step, i.e. how to check if an object exists with the name passed in, and if not, then create it?
Will a getInstance method be of any help?
Thanks in advance for your response.
-Sub-java

Dear Cotton.m,
Thanks for your suggestion. I will remember that.
But somehow I have a strong belief that you still need to consult a dictionary for the exact meaning of words like "upset", "frustration" etc. Not knowing something in a language, that too as a beginner, does not yield frustration, but increases curiosity. And people like petes1234 are there to diminish that appetite.
To clarify the above, let me compare jverd's reply to my doubt with petes1234's.
jverd said it cannot be done and suggested a workaround (it was perfect and worked for me), while petes1234, having no work in hand probably, started an analysis of newbies' mistakes.
jverd solved my problem by saying that it cannot be done. petes1234 acted as a worthless critic in my opinion and has now been joined by cotton.m.
Finally, this is a Java forum and I do not want to discuss human characteristics here for sure.
My apologies if I had a wrong concept or if I chose the wrong forum to ask, where people like petes1234 or Cotton.m show their geekdom by pointing out "shortfalls" rather than clearing them up with perfect examples and words.
Again, take it easy, and Cotton.m, please do not use this forum to figure out others' frustration but be a little more focused on solving others' "Java related" problems :)
-Sub-java

  • Firewall logging only showing object group names

Hey guys,
We are having our logs from the firewalls sent to a syslog server; however, the issue is that when the logs get sent for a specific group of IPs we're not seeing the IP addresses, we're seeing the name of the object group.
Is there a way to turn this off? We'd like to see the IP addresses and not the object group names.
Thanks,
BR

    Hi,
Are you sure the names you are seeing are "object-group" names? I can't remember seeing log messages that mention "object-group" names. I might be mistaken though.
    Can you share some log messages?
    One possibility is that you are actually seeing names configured with the "name" configuration command
    You can check those with the command
    show run names
    If you would like to disable that IP/name pairing you can issue the command
    no names
    It should not remove the original "name" configurations but rather toggle (disable) the view setting
    - Jouni

  • For 14 hours now Yahoogroups replaces msg author with group name; not happening to others

    Msg folder for my yahoogroup normally contains user ID of sender in messages routed to me, with a separate field, Reply to, of my group name, USNA1957. Since late Friday night, the sender user ID is replaced with the nickname for my group "57".
    Other classmates are not having this problem. When one replies to a message the sender information is correctly applied to the response.

I've seen other users complaining about this, but it doesn't seem to happen to all Yahoo Groups users consistently (or maybe not yet).
    In any case, this is a Yahoo issue and has got nothing to do with Thunderbird.

  • I think I finished installing Mountain Lion, and am at the "log in" page with my name and the Lion icon, but I cannot do any of the functions on screen. That is, I cannot log in, sleep, restart, or shut down. I am running it on an Early 2009 Macbook Pro

    I think I finished installing Mountain Lion, and am at the "log in" page with the Mountain Lion icon, but I cannot do any of the functions on screen. That is, I cannot log in, sleep, restart, or shut down. I am running it on an Early 2009 Macbook Pro, which is said to have the capabilities of running Mountain Lion.

    BrettGoudy wrote:
    ...Is there any way I can install a partition that runs snow leopard on my early 2011 MB pro with what I have (new SSD, New RAM, Current version Lion running, no external drive, lack of original snow leopard disks [I lost them ] and the general 10.6.3 snow leopard boot disks)...
    As the last post suggests, call Apple and order a replacement original disc for about $17.  They will ask you the model and serial numbers.
    Your retail version of Snow Leopard OS 10.6.3 will not work on that Mac as it requires a minimum of OS X 10.6.7 to boot and operate.
    Another alternative is to again borrow another Mac to install your retail Snow Leopard into an external HD or partition, upgrade it to 10.6.8 and then clone it back to a partition on your MBP.

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
    I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
but when I insert these into the RADIUS DB (I have also tried with a text file config...) I can see from the RADIUS debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the Access-Accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that radius is not sending anything about vlan...
Has anyone already tried this setup?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).
    You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,
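Both RADIUS answers on this page (the ASA reply that uses the Class attribute to select a group-policy, and the 802.1X reply that lists Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868) come down to which attributes the server puts in the Access-Accept and how the device parses them. The Python below is an added example, not code from either thread, FreeRADIUS, ACS or Cisco: it encodes and decodes those attributes, including the RFC 2868 tag byte, and reproduces the switch's "didn't send any vlan" decision when only Tunnel-Type is present. The attribute numbers and values (25, 64/65/81, VLAN = 13, 802 = 6) come from the RFCs and the thread; the `OU=<group-policy>;` layout of the Class value is the ASA convention as this example assumes it, which the reply above does not spell out.

```python
"""Encode and decode the RADIUS attributes used for ASA group-policy selection
(Class, attribute 25) and 802.1X VLAN assignment (RFC 2868 attributes 64/65/81).
Added example; not code from the threads above."""

# Attribute numbers from RFC 2865 (Class) and RFC 2868 (tunnel attributes).
CLASS = 25
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TAGGED_INT = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}   # tag byte + 3-byte integer
TAGGED_STR = {TUNNEL_PRIVATE_GROUP_ID}           # tag byte + string

TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value "802"


def encode_attr(attr_type, value, tag=0):
    """Return one type-length-value RADIUS attribute as bytes."""
    if attr_type in TAGGED_INT:
        body = bytes([tag]) + int(value).to_bytes(3, "big")
    elif attr_type in TAGGED_STR:
        body = bytes([tag]) + value.encode()
    else:
        body = value if isinstance(value, bytes) else value.encode()
    if len(body) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    # The length byte counts the two header bytes plus the body.
    return bytes([attr_type, len(body) + 2]) + body


def decode_attrs(payload):
    """Parse a run of attributes into (type, tag, value) tuples.

    A bad length raises instead of being skipped, so a truncated or corrupted
    Access-Accept is rejected rather than partially applied."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        body = payload[pos + 2:pos + length]
        if attr_type in TAGGED_INT:
            if len(body) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type in TAGGED_STR:
            # RFC 2868: a leading byte above 0x1F is part of the string, not a tag.
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode()
            else:
                tag, value = 0, body.decode()
        else:
            tag, value = None, body
        attrs.append((attr_type, tag, value))
        pos += length
    return attrs


def build_vlan_accept_attrs(vlan_id, tag=0):
    """The three attributes a switch needs to place the port in a VLAN."""
    return (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def vlan_from_attrs(attrs):
    """Return the VLAN id string only if the full, consistent trio is present.

    Tunnel-Type alone, which is all the original FreeRADIUS config produced,
    yields None, matching the switch's "radius didn't send any vlan"."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    found = {t: (tag, v) for t, tag, v in attrs if t in wanted}
    if set(found) != set(wanted):
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return None
    if len({tag for tag, _ in found.values()}) != 1:
        return None   # all three must carry the same tag to describe one tunnel
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


def group_policy_from_attrs(attrs):
    """Assumed ASA convention: Class carries "OU=<group-policy-name>;"."""
    for attr_type, _, value in attrs:
        if attr_type == CLASS:
            text = value.decode(errors="replace")
            if text.startswith("OU=") and text.endswith(";"):
                return text[3:-1]
    return None


if __name__ == "__main__":
    # Constructed Access-Accept carrying both a VLAN and a group-policy.
    accept = build_vlan_accept_attrs(2) + encode_attr(CLASS, b"OU=Sales-Policy;")
    parsed = decode_attrs(accept)
    print("VLAN:", vlan_from_attrs(parsed))                   # 2
    print("group-policy:", group_policy_from_attrs(parsed))   # Sales-Policy
    only_type = decode_attrs(encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN))
    print("VLAN from Tunnel-Type alone:", vlan_from_attrs(only_type))   # None
```

Run stand-alone it prints the VLAN and group-policy recovered from a constructed Access-Accept. The strict length checks in `decode_attrs` and the tag-consistency check in `vlan_from_attrs` are the parts a defender cares about: an attribute set that is incomplete or overruns its packet should fail closed, leaving the port unassigned, rather than be applied in part.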

  • Skype logging me in with wrong name

    Hi guys,
When I try to log in to my Skype account with my user name it works fine on my computer (I can't do this on Xbox One), but when I log in with my Microsoft account email, it says that my name is Gabby Mobley and I have all of her friends on my friends list and mine aren't there.
I can't sign in on my Xbox because of this and I've called Microsoft 3 times and none of them know how to fix this.
Again, when I log in to Skype via my computer with my user name it works fine. When I log in with my Microsoft account, it logs me in as a person named Gabby Mobley.
Skype for Xbox One makes you log in with your Microsoft account, so I can never actually get into my account with my friends and only have access to hers. Seems like a huge security issue.
    Thanks and sorry for the confusion!
    Mike 

    Liquidzero007,
    This sounds strange.
    From what I read, you ended up with two Skype accounts (Original and automatically created in Skype for Xbox One) linked to one MSA. If it is indeed so, then this is a bug.
    Can you please tell me what exactly you see in upper right corner when you log into your Skype.com account using MSA credentials [email protected]? Is your original Skype username mentioned there or something like "live:xxxx"?
    Thanks!

  • Insufficient privileges with JDBC & sometimes with name/pass@db

SuseLinux 5.3 & Oracle 8.0.5:
code statement in a package (within the package is important!)
cid := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(cid, 'some statement', DBMS_SQL.V7);
DBMS_SQL.CLOSE_CURSOR(cid);
works always with sqlplus name/pass
works sometimes with sqlplus name/pass@db
works never with JDBC:
Message: #ORA-01031: insufficient privileges ORA-06512: at xyz,
line 1776
What is wrong?

    Create a new user account called "usr", avoid user account
    called "user". connect to system and grant execute on the
    package to the new user "usr"..
    Ken
    OH (guest) wrote:
    : Some more test-results:
    : It works also never with user/passw@db
    : DBMS_SQL.PARSE was called with dbms_sql.v7
    : It works every time on NT with Personal Oracle 8
    : DBMS_SQL grant as sys/change_on_install:
    : grant all on dbms_sql to user;
    : What went wrong when i call a granted Package over SQL*NET??

  • Connection to internet via ADSL with password login - using airport extreme

My connection to the internet is via ADSL with account name and password login. I was able to set up the PPPoE settings of my new MacBook properly to connect to the internet via an Ethernet cable. However, when I was trying to set up the AirPort Extreme base station, the amber light was on all the time and it has been giving me the error message "no connection to internet" - can someone please help?
thanks
macbook   Mac OS X (10.4.9)   new to mac and airport extreme base station

    btam, Welcome to the discussion area!
    The first thing to do is DISABLE PPPoE on your Mac. Since your AirPort Extreme base station (AEBS) will be handling PPPoE, your Mac doesn't need to do it.
    Next configure the AEBS to connect to your ISP using PPPoE. You can see where to enter the PPPoE information by looking at Page 33 in the "Designing AirPort Networks" (http://manuals.info.apple.com/en/DesigningAirPortNetworks.pdf).

  • Can't log in to yahoo groups with NEO via hughesnet satellite, but can on other dsl-help!

    Problem is new-just started ~2 wks ago-no changes to my platform.
    Get "the connection was reset" message only when trying to log in to yahoo groups NEO version via hughesnet satellite (not gen4!)-problem not present via at&t/yahoo dsl log in.
    Can log into non NEO version of yahoo groups on same satellite without any problem-note: "https" not present in URL that functions fine.
    Same issue occurs with all 4 of my machines, win7 64bit and xp 32 bit. (All with latest sp's.)
    All machines updated to latest firefox and java plug in (#U51), cookies and cache dumped, every possible network access to internet setting tried, tried disabling add-ons (firefox run in safe mode tried)-everything!
    No change....and zero problem on anything else.
    The issue is NEO on satellite, without doubt-but how to work around this latest of yahoo lunacy?
    Thank you for any help!

    Thanks anotheroz....but:
    Such is not the case for me.
    I AM a moderator of only one group.
    When I joined myself to said group at another e-mail address, I found I had the old yahoo group layout (hurray!).
I then used a dsl line with my original group owner account to set that "new" member up as a moderator-and it all worked fine from that new account via satellite.....UNTIL TODAY when yahoo scrubbed the old layout and forced that account into NEO.
    As soon as NEO is forced-'no more group access ability via satellite'....and I get this (again):
    "The connection was reset
    The connection to the server was reset while the page was loading.
    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web."
    The problem is clearly NEO via satellite....question is-how to fix it?
    How can I reset the timeout function?
    Oy.....yahoo is just the worst!

  • Anyconnect authentication via Radius (IAS) using AD groups

    Hi all,
I'm trying to figure out how to set up our ASA to use AD group membership to assign users a profile using RADIUS. The goal is to set up different access into the network.
For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)
Another group will be given basic access to the network, but no access to the DMZ.
Another group will be allowed access to the DMZ server, but not to the infrastructure.
We're currently using RADIUS (IAS) on Windows Server 2003. Is there a way to check group membership in AD using RADIUS?
I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN pool, then using split-tunneling to put routes, or not, to the required networks on the user's device. The users would only belong to one group in AD. They will be able to choose their group, but if they're not a member they should be denied.
I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the RADIUS server. I've looked for this info everywhere, but it's pretty elusive.
Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help.

It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastructure and cost. The next best thing is DAP. DAP is actually pretty easy; don't let the config guide scare you away from it. IMO MS RADIUS stinks for anything other than basic authentication, so I never use it for anything else.

  • LabVIEW 8.0:: How to get the group name of a user logged to a NI Security Domain?

    Hello all,
    I am using LabVIEW 8.0 PDS.
    I created a new local domain called "MyDomain" in the "NI Domain Account Manager" . I added a new User called "MyUser" and a new group called "Maintenance". I set "MyUser" to be a member of the "Maintenance" group. Then, I configured LabVIEW to invoke the login dialog at start-up in order to log "MyUser" with the correct password.
    I would like to get the group name of the current user logged programmatically in a VI. I tried with the VI Server >> Application >> Security properties and methods and also with the properties and methods of the NI Security Class but it seems to be not so simple as I believed at start.
I do not find any information or KB on this (all the documents I found deal with LV DSC or TestStand).
The final goal is to be able to manage a list of users for my application. Each user is a member of a group ("Administrator", "Operator", "Maintenance") and depending on the group, the user can or cannot access some parts of the application.
    Thanks for your help.
    Matthieu
    Eurilogic

    Re,
Here is a screenshot of these functions...
If you really own LV DSC 8.2 the best thing to do is to reinstall it.
Regards,
Message edited by Richard K. on 04-02-2007 04:00 AM
Richard Keromen
National Instruments France
    Attachments:
security.jpg (3841 KB)

  • Passing multiple URL parameters with same name

    Hi,
I have a question which is not entirely related to Java, but since it's related to HTTP calls, I thought I might get some ideas here.
Background:
I am making an HTTP URL call from SAP ABAP code. It's pretty much similar to Java (creating a URL connection, setting HTTP headers, connecting, receiving the response and everything).
For example,
http://service_server:8080/a7/extension.services.SearchRequirements.a7x?RequestStatus=CR&RequestStatus=RR
Now, this service_server runs a query against a database where it uses both these values of "RequestStatus" to form an 'OR' condition for a field.
Issue:
When I run this URL from a browser, it shows an XML response containing results for both values. In short, this is the ideal response.
(I am using getParameterValues(string) at service_server to read multiple values for the same parameter.)
But when I see the response in the SAP system, I see that it is returning data for only one value of 'RequestStatus'.
I checked the logs of service_server, and I see that it has received only one parameter, not two.
Question:
It seems like the SAP system's web server is collapsing both parameters with the same name and passing just one of them to the outside server (??)
    Is there any configuration at Web Server side or any HTTP headers to be set so as to avoid this?
    Can anybody suggest something on this?

    I managed to resolve this issue by using HTTP 'Post' method to send the data.
    DATA: L_URL            TYPE string,
          L_HTTP_CLIENT    TYPE REF TO if_http_client,
          L_PARAMS_STRING  TYPE string,
          L_PARAMS_XSTRING TYPE xstring,
          L_RESULT         TYPE string.
    " L_URL and L_PARAMS_STRING are filled by the caller (their values are not shown in the post).
    "STEP-1 :  CREATE HTTP CLIENT
    CALL METHOD CL_HTTP_CLIENT=>CREATE_BY_URL
      EXPORTING
        URL                = L_URL
      IMPORTING
        CLIENT             = L_HTTP_CLIENT
      EXCEPTIONS
        ARGUMENT_NOT_FOUND = 1
        PLUGIN_NOT_ACTIVE  = 2
        INTERNAL_ERROR     = 3
        OTHERS             = 4.
    "STEP-2 :  AUTHENTICATE HTTP CLIENT
    CALL METHOD L_HTTP_CLIENT->AUTHENTICATE
      EXPORTING
        USERNAME = 'name'
        PASSWORD = 'password'.
    "STEP-3 :  SET HTTP HEADERS
    CALL METHOD L_HTTP_CLIENT->REQUEST->SET_HEADER_FIELD
      EXPORTING
        NAME  = 'Accept'
        VALUE = 'text/xml'.
    CALL METHOD L_HTTP_CLIENT->REQUEST->SET_HEADER_FIELD
      EXPORTING
        NAME  = '~request_method'
        VALUE = 'POST'.
    CALL METHOD L_HTTP_CLIENT->REQUEST->SET_CONTENT_TYPE
      EXPORTING
        CONTENT_TYPE = 'application/x-www-form-urlencoded'.
    "SETTING REQUEST DATA FOR 'POST' METHOD (the form-encoded parameters go in the body)
    IF L_PARAMS_STRING IS NOT INITIAL.
      CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
        EXPORTING
          TEXT   = L_PARAMS_STRING
        IMPORTING
          BUFFER = L_PARAMS_XSTRING
        EXCEPTIONS
          FAILED = 1
          OTHERS = 2.
      CALL METHOD L_HTTP_CLIENT->REQUEST->SET_DATA
        EXPORTING
          DATA = L_PARAMS_XSTRING.
    ENDIF.
    "STEP-4 :  SEND HTTP REQUEST
    CALL METHOD L_HTTP_CLIENT->SEND
      EXCEPTIONS
        HTTP_COMMUNICATION_FAILURE = 1
        HTTP_INVALID_STATE         = 2.
    "STEP-5 :  GET HTTP RESPONSE
    CALL METHOD L_HTTP_CLIENT->RECEIVE
      EXCEPTIONS
        HTTP_COMMUNICATION_FAILURE = 1
        HTTP_INVALID_STATE         = 2
        HTTP_PROCESSING_FAILED     = 3.
    "STEP-6 :  READ RESPONSE DATA
    CALL METHOD L_HTTP_CLIENT->RESPONSE->GET_CDATA
      RECEIVING
        DATA = L_RESULT.
    "STEP-7 :  CLOSE CONNECTION
    CALL METHOD L_HTTP_CLIENT->CLOSE
      EXCEPTIONS
        HTTP_INVALID_STATE = 1
        OTHERS             = 2.
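As an added example (not from the question or the ABAP answer, and not SAP code), the Python below shows the mechanics behind this thread: the same query string read with a parser that keeps every value (what getParameterValues does on the service side) and with one that collapses each name to a single value (the lossy behaviour the question observed at an intermediate hop), a helper that flags names that would be collapsed before the request leaves, and a form-encoded POST body that carries the duplicates intact, read back on a WSGI-style server. The sample URL is constructed from the one in the question; the WSGI `environ` shape used by the server-side reader is an assumption.

```python
"""Duplicate-name query parameters: keep-all versus last-wins parsing, and a
form-encoded POST body that preserves every value.  Added example; not code
from the thread or from SAP."""
import io
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

# Constructed from the URL in the question.
SAMPLE_URL = ("http://service_server:8080/a7/extension.services.SearchRequirements.a7x"
              "?RequestStatus=CR&RequestStatus=RR")


def query_of(url):
    """Query-string part of a URL."""
    return urlsplit(url).query


def params_all_values(raw):
    """Every value kept, like getParameterValues(): {'RequestStatus': ['CR', 'RR']}."""
    return parse_qs(raw, keep_blank_values=True)


def params_collapsed(raw):
    """Single-value mapping: the last occurrence wins and earlier ones vanish.
    This is the lossy behaviour the question observed at the intermediary."""
    return dict(parse_qsl(raw, keep_blank_values=True))


def find_collapsed_names(raw):
    """Names whose values a single-value hop would drop; check before sending."""
    return sorted(name for name, values in parse_qs(raw, keep_blank_values=True).items()
                  if len(values) > 1)


def build_post_body(params):
    """application/x-www-form-urlencoded body; doseq=True repeats a name per value."""
    return urlencode(params, doseq=True)


def make_post_environ(body):
    """Minimal WSGI-style environ for a form-encoded POST (assumed shape)."""
    data = body.encode("utf-8")
    return {"REQUEST_METHOD": "POST",
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(data)),
            "QUERY_STRING": "",
            "wsgi.input": io.BytesIO(data)}


def read_request_params(environ):
    """Server-side read that keeps all values whether they arrived by GET or POST."""
    media_type = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if environ.get("REQUEST_METHOD") == "POST" and media_type == "application/x-www-form-urlencoded":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length).decode("utf-8")
    else:
        raw = environ.get("QUERY_STRING", "")
    return params_all_values(raw)


if __name__ == "__main__":
    raw = query_of(SAMPLE_URL)
    print("all values:", params_all_values(raw))      # both CR and RR
    print("collapsed :", params_collapsed(raw))       # only RR survives
    print("at risk   :", find_collapsed_names(raw))   # ['RequestStatus']
    body = build_post_body(params_all_values(raw))
    print("POST body :", body)
    print("server saw:", read_request_params(make_post_environ(body)))
```

The point for anyone reviewing such an integration is that every hop between client and service must agree on how repeated names are handled; when a middlebox maps names to single values, the service silently evaluates a different query than the client sent. Moving the parameters into the body, as the answer did, sidesteps that hop's query-string handling, and `find_collapsed_names` is the pre-flight check that tells you when it matters.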

  • Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201).

    "Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201)"
    This error keeps cropping up now and again on most of our domain controllers (OS-2008 AND 2008R2)...Usually a restart fixes the issue however the issue repeats and security logs don't generate.
    Any advice on how to fix this issue permanently would be greatly appreciated.

    Please see this: https://social.technet.microsoft.com/Forums/windows/en-US/95987ca3-a1b2-4da6-95b7-d825d06cdac7/error-code-4201-the-instance-name-passed-was-not-recognized-as-valid-by-a-wmi-data-provider?forum=w7itprosecurity
    You can also try rebuilding the WMI repository: http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
Ahmed MALEK

  • "404: No group with that name (wikigroupname) hosted on this server"

I am running 10.6.8 as our wiki server. After rebooting the server, one of the wiki groups seems to be inaccessible. When I try to access the web page it gives the error "404: No group with that name (wikigroupname) hosted on this server", though it still exists in /Library/Collaboration/Groups/wikigroupname
Do you know how to make it viewable again? I tried to create a new wiki "test" and then rsync /Library/Collaboration/Groups/wikigroupname to /Library/Collaboration/Groups/test, yet I still cannot see the old wiki group.
Thank you in advance for your help.

With all due respect Antonio, I believe that Francesc43 is fighting a flaky system. The 404 No Group is a problem that is confirmed by Apple according to others and very prevalent. At this point the only remediation appears to be a complete server rebuild and to avoid going beyond the "default" configuration for web domains.
I have personally used only the 'any domain' default config and had the server working fairly well. I then added a FQDN and the server started giving 404s for all groups which previously worked and have data in the wiki. At the same time the simple web sites worked with and without the FQDN as expected. Then removing (not disabling) the default web domain config relieved the wiki 404s. Adding a new default domain config back in (via just hitting the "+" and "Save") recreated the 404s for the previously working wikis with no change to the groups. Removing the system-created default domain config alleviated the 404s.
Adding a system-generated default and a 3rd FQDN re-created the issue and then afterwards, removing all but the FQDN that worked could not alleviate the 404s. Regardless of the permutation of turning things on and off, deleting groups, removing web services settings, putting them back in, restarting the server.. nothing. 404-DOA
While the mystery seems to be related to a very fragile relationship with DNS on the server, the solution is again to erase the disk and start over. Wikis in 10.5 thus far are neither a robust nor a stable solution from 10.5 thru 10.5.5 in my experience.
