ASA to ACS: how to distinguish different authentication methods?

Similar Messages

• How to reset endeca authentication method?

  Hi there, I'm using endeca 3.1 on Windows and my endeca Portal just had the admin user ([email protected]) created.
  I've incorrectly changed the authentication method to ID instead of the email (which was the default) and now when I try to login with admin, it gives a message that the user is invalid...
  Is there any way to reset the authentication method back to the default?
  Thanks
  Ygor

  For the default user, "admin" is the user's screen name, not the user ID. That's why you couldn't log in using "admin".
  The user ID is a number.
  I don't know the exact structure of the Studio database, but would it be possible for you to get the user ID for the admin user out of the user table so that you can log in and change the setting back?
  Unless you are logged in to Studio, I don't know how you can could change the setting.

• How to distinguish backing bean method invoker like struts *.do

  I want to monitor request and response time of application via access log of httpd . But the urls are the same in one backing bean.
  how should i do about this?

  Hello,
  May know how to submit a button autoamtically on onload of page with clicking a welcome alert box. the submit button has managed button too to show a message on console using SOP.
  the problem is.
  1. before loading the page a javascript comes on which i clicked ok
  2. the page gets loaded and the button is there which gets automatically clicked and the managed bean associated with prints a message on console using SOP.
  I m trying to do this through server listener and click listener. the code is(adf jspx page)
  <?xml version='1.0' encoding='UTF-8'?>
  <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
  <jsp:directive.page contentType="text/html;charset=UTF-8"/>
  <f:view>
  <af:document id="d1" binding="#{backingBeanScope.backing_check4.d1}">
  <af:form id="f1" binding="#{backingBeanScope.backing_check4.f1}">
  <af:commandButton text="commandButton 1"
  binding="#{backingBeanScope.backing_check4.cb1}"
  id="cb1" action="#{beanCheck4.submit1}"/>
  <af:clientListener type="click" method="delRow"/>
  <af:serverListener type= "jsServerListener"
  method="#{backingBeanScope.backing_check4.submit1}"/>
  <f:facet name="metaContainer">
  <af:resource type ="javascript">
  x=confirm("hi");
  // if(x){
  delRow = function(event){
  AdfCustomEvent.queue(event.getSource(), "jsServerListener", {}, false);
  return true;
  </af:resource>
  </f:facet>
  </af:form>
  </af:document>
  </f:view>
  <!--oracle-jdev-comment:auto-binding-backing-bean-name:backing_check4-->
  </jsp:root>
  the backing bean code is -----
  public class classCheck4 {
  public classCheck4() {
  public String submit1() {
  System.out.println("hello");
  return null;
  }

• Container Managed Security on Tomcat - configuring different auth-methods

  I am trying to configure the container managed security on tomcat4. Or rather I am trying to add a further dimension to the configuration that already exists.
  At the moment the entire application uses LDAP authentication and I would like to separate an area that requires further authentication. That is to say I would like everyone using the web application to authenticate using the existing Form-Based LDAP authentication but I would like only certain users to be able to use the data upload facility (whose code is stored in it's own directory).
  This is the authentication bit of my web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>qmrae</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <url-pattern>*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>My first hurdle is in understanding exactly how the application knows where to go for its authentication.
  I had guessed that the realm-name would map "areas" of my application to realm configuration defined in my application's context area in Tomcat's web.xml but this doesnt seem to be the case. In fact I have read conflicting explanations as to what the realm-name is for. One source has said that this is only used for BASIC authentication as a way of naming the resulting pop up window - many others say it maps the login-config to the web-resource-name. However the latter doesnt make sense because the authentication works in my application at the moment even though those values are completely different (and indeed are different in most of the examples i've read on the web). Furthermore I can find any other mention of the defined realm-name in any other file (which of course be because i'm looking in the wrong place).
  I was prepared to accept that the realm-name might not actually do anything and so I've been looking for examples of defining a different auth-method for different url-patterns but i've had no luck.
  I know a user can have one or more roles but I dont have access to the LDAP server to set these up and haven't found anything about defining different auth-methods other than one thread in this forum suggesting that is wasnt possible on AIS.
  This thread suggests that you can have more than one security-constraint but again i'm not sure about the auth methods and how you map an auth method to a security-constraint
  http://forum.java.sun.com/thread.jspa?forumID=33&threadID=320918
  To summarise my questions:
  1) What are the functions of the realm-name and web-resource-name? Are they related?
  2) Is it possible to configure different areas of an application to use different authentication methods? and if so, could you point me in the direction of relevant documentation
  3) If (2) is not possible and I have to assign a new role to the privileged LDAP users, is it enough to define a new security-constraint? Could you describe the behaviour I could expect for users that have authenticated once and try to access this super-security area, will they be shown another login form or will it just let them in because the container is already aware of their permissions.
  Many thanks for your attention,
  Rachel

  If you create your own Realm classes - look at JAAS - you can sort out your last login time, just wrap them around the DataSourceRealm.
  As far as 'remind' him is concerned - I'm guessing you mean provider a reminder for the password based on the user name. If you use form based authentication you can put what ever you like on the page.

• Different auth methods for Clientless & AnyConnect?

  The goal: To allow Clientless(portal) connections with only username/password authentication (LDAP in this case) while requiring two-factor (LDAP & Certificate) authentication for AnyConnect connections.
  The config: Since the auth methods are configured within connection profiles/tunnel groups, I am using two different profiles, one requiring only LDAP auth for use with clientless and one requiring both LDAP and client certificate authentication for AnyConnect. I have not enabled the option to allow users to choose their connection profile.
  The only way I have been able to get the AnyConnect client to use anything other than the "DefaultWEBVPNGroup" profile was to use a URL mapping for the AnyConnect tunnel group, a custom AnyConnect client profile (to specify the custom URL), and a DAP policy to deny AnyConnect connections on the "DefaultWEBVPNGroup" tunnel group.
  Resulting behavior: Web portal requires only username and password. Stand-alone AnyConnect connections require username/password & client certificate.
  The problem: Weblaunch (launching AnyConnect from the portal) installs the client, but throws an error and disconnects (see attached). Subsequent stand-alone AnyConnect connection attempts work fine.
  I assume this issue is related to the different tunnel groups using different authentication methods. If I disable the DAP policy, weblaunch works without erros, but it connects without requiring two-factor authentication.
  Does anyone know if what I am trying to do is possible and/or supported? I am open to alternative suggestions as well.
  Thanks,
  Aaron

  Sounds like you are 95% of the way there. You can definitely get this to work. Based on your description of the problem when trying to web launch AnyConnect, it sounds like you are not matching the correct tunnel group. As you stated, when using more specific connection profiles, you need to give users a means to identify which TG they want to connect to. This is typically achieved via a drop down selection box, group URL, or certificate attribute map. In your case, it sounds like you are using group URLs. With this approach, you will have two more specific URLs for your users to access. For web launch and standalone AnyConnect clients, they may access https://vpn.vpn.com/anyconnect while your clientless users may access https:/vpn.vpn.com/webvpn. The catch as you found is what happens when a user tries to go to the root https://vpn.vpn.com? In this case, the user will hit the default WebVPN TG. I would have to see your DAP policy to understand what policies you have implemented. If you take DAP out of the picture for a moment, a few quick workarounds to preventing AnyConnect users from being able to log into the default WebVPN group is to remove the corresponding tunneling protocol from the default group policy. Alternatively, you could set the simultaneous logins to 0 in the default group policy. You may also want to look into configuring group locking to prevent users from logging into a TG that they don't belong to. With respect to your certificate requirement, ASA 8.2.1 code allows you to configure client certificate authentication on a TG by TG basis. This is more flexible than 8.0 where this is enabled globally.

• One SSID with muptiple authentication methods

  Have received a request from a customer to run both TKIP and AES encryption on the same SSID
  From reading I believe this is not possible but can anyone confirm this please
  Currently the config looks thus
  dot11 ssid HELP
  vlan 20
  authentication open eap eap_methods
  authentication network-eap eap_mtheods
  authentication key-management wpa
  authentication key-management wpa version 2  <<<<<<<<<<<<<<<<<<
  <<<<< Trying to add wpa version 2 overwrites uithentication key-management wpa so presume this confirms it can't be done >>>>>
  Interface Dot11Radio0
  encryption mode ciphers tkip
  encrytption vlan 20 mode ciphers aes-ccm tkip
  Many Thanks

  Hello
  Cisco wireless products have the option to offer to the wireless clients both encryption methods, TKIP and AES and even WEP on the same SSID. This can be configured on the GUI and CLI but what you have to be aware and be careful is that this is not the standard. Even though Cisco can offer this, some clients won't understand that, they will get confused and disconnect or just not be able ro connect at all.
  We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
  Regards,
  Sent from Cisco Technical Support Android App

• How to add a switch to acs for login and ads authentication

  Hi all
  I want to add my switch so that it authenticates to my acs for login auth, I have done the switch end, using radius, also added the switch on the acs, how do I force the acs to use windows auth for this login?  do i just go under the network config where the device is and tick the box saying use windows database for authentication, and then do a group mapping ?
  cheers

  Hi,
  Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
  You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
  Maybe there are other ways, but this works.
  Success,
  Rob

• Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

  1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS but the default group settings the dynamic user becomes part of don't get transfered to the user. How do I get the user to adopt the group settings?
  2. ASDM recommends nabling authentication for admin console sessions so you don't ssh into a box then have to login as the enable password which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied ASA. How do I keep the user credentials all the way to the privilege exec mode?
  3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
  Thanks in advance,
  Matt

  Try this:
  aaa authentication enable console
  aaa authorization command
  on ACS go to the user or group that the user is in and go to enable options and click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section on click on "Shell(exec)" and click on "Privilege leve" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. In ASA/Pix it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

• How to create a Platinum,Gold and Silver Customer and how to set different price for a single material based on customer?

  Hi All,
  How to create a Platinum,Gold and Silver Customer and how to set different price for a single material based on customer?
  Assume Material is Pen.
  While creating Sales Order in VA01 how to bring different price for the same material for Platinum,Gold and Silver Customers.
  Kindly help me out.
  Thanks,
  Renjith Jose

  A good place to start is http://www.javaworld.com/javaworld/javatips/jw-javatip34.html
  Also, do a search in this forum on HttpURLConnection. That class allows you to use POST method to send form data to a web server.
  "Hidden" variables are only hidden in HTML. The HTTP that gets POSTed to the web server doesn't distinguish between hidden and not hidden. That is, the content you would write to the HttpURLConnection.getOutputStream() would be something like:
  hidden=1&submit=ok(Of course, the variable names would depend on what the web server was expecting from the form.)
  Also, be sure to set the Content-Type request parameter to "application/x-www-form-urlencoded"

• Is it possible to have different authentication mode for SQL Server Database Engine and corresponding SQL Server instance?

  Hi,
  I have installed the x64 SQL Server 2008 R2 Express with default settings and run MBSA 2.3 (using default settings too). It shows three SQL Server instances: MSSQL10_50.SQLEXPRESS, SQLEXPRESS and SQLEXPRESS (32-bit). For the first, authentication
  mode is Windows, for the rest two - mixed. Here https://social.msdn.microsoft.com/Forums/sqlserver/en-US/03e470dc-874d-476d-849b-c805acf5b24d/sql-mbsa-question-on-folder-permission?forum=sqlsecurity question
  about such multiple instances was asked and the answer is that "MSSQL10.TEST_DB
  is the instance ID for the SQL Server Database Engine of the instance, TEST_DB", so in my case, it seems that MSSQL10_50.SQLEXPRESS is the instance ID for SQL Server Database Engine  of the SQLEXPRESS instance.
  I have two questions:
  1) How can it be that SQL Server DB Engine instance has different authentication mode than corresponding SQL Server Instance?
  2) Why 32-bit instance reported although I installed only 64-bit version?
  Also, this https://social.technet.microsoft.com/Forums/security/en-US/6b12c019-eaf0-402c-ab40-51d31dce968f/mbsa-23-reporting-sql-32bt-instance-is-running-in-mixed-mode-when-it-is-set-to-integrated?forum=MBSA question seems to be related to this
  issue, but there is no answer :(.
  Upd: Tried on clean Windows 8 installation and Windows 7 with the same result.

    Because I DO NOT want the three people who will be having access to the production SQL Server to also have access to the primary host ProductionA.  Since I have to allow them to RDC into the box to manage the SQL Server, I figure why not create
  a separate VM for each one of them and they can RDC into those instead.
  Does this make any sense?
  Any tips are greatly appreciated.  The main reason for doing this is because the three people who will be accessing the box, I need to isolate each one of them and at the same time keep them off of the primary ProductionA.
  Thanks for your help.
  M
  Hello M,
  Since you dont want the 3 guys to have access to Production machine A.You can install SQL Server client .By client i mean SQL server management studio(SSMS) on there local desktop and then create login for them in SQL Server.Open port on which your SQL server
  is running for three of the machines so that they can connct.Now with SSMS installed on each machine each can connect to SQL server from there own machine.
  I would also like you to be cautious with giving Sysadmin privilege to all three of them ,first please note down what task they would do and then decide what rights to be provided.
  Your option will also work but you need to create 3 VM for that .Which is more tedious task.
  Hope this helps
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

• Set different authentication mode for OWA (without 2 ip address)

  hi
  http://social.technet.microsoft.com/Forums/office/en-US/fda18a29-a484-4ed5-903b-aa06e8f7a032/set-different-authentication-mode-for-owa?forum=exchangesvrclients
  Step 1: IP Address
  Obtain a second IP address and add it to the NIC of your server.
  Step 2: DNS
  Add a DNS entry for That secondary IP address for the name we will want to use in the new FBA OWA Web site. I have chosen "testwebmail." Be sure there is a valid SSL certificate (recommended to have UC or SAN SSL certs) on the server Which has the
  new name "testwebmail" that will be used in the certificate.
  Step 3: New Web Site
  Create a new web site in IIS on the Client Access Server and bind it to the new IP address used in step 1.
  Step 4: Adding Exchange Virtual Directories
  The web site has been created and bound to the secondary IP address of our server. Also the DNS record That will be used to access the OWA FBA new page was added to DNS. The next step is to go into EMS and begin adding our virtual directories for OWA and ECP.
  Login to the Exchange server and open the Exchange Management Shell. Then run Get-Get-OWAVirtualDirectory and ECPVirtualDirectory to see the default OWA and ECP directories.
  New-OWAVirtualDirectory -WebSiteName FBA -InternalUrl https://url/owa
  New-ECPVirtualDirectory -WebSiteName FBA -InternalUrl https://url/ecp
  Step 5: Configure the Virtual Directories
  To configure the virtual directories we will disable FBA on the Default Web Site OWA and ECP virtual directories
  New-OWAVirtualDirectory -WebSiteName "FBA"
  Enable the Basic authentication via running the following command:
  Set-OWAVirtualDirectory -Identity "yourservername\owa (FBA)" -BasicAuthentication $true
  Set-OWAVirtualDirectory -Identity "OWA (Default Web Site)" -WindowsAuthentication $true -BasicAuthentication $false  -FormsBasedAuthentication $true
  Step 6: iisreset
  I want to set this settings; but I don't have 2 ip address and I want to set whit one ip address.
  can please tell me how can set this settings with one ip address?
  and please tell me about publishing whit tmg.
  thanks

  Hi,
  Based on my research on Host Header, it seems using Host Header can achive your goal.
  More details on Host Headers:
  1. Host headers let you assign more than one site to a
  single IP address on a Web server.
  2. To host more than one Web site on a Web server, you can assign a unique IP address to each Web site, designate a non-standard TCP port number for a Web site,
  or use host headers. Of the three methods, it is more common to use host headers than to assign unique IP addresses to Web sites or to use non-standard TCP port numbers.
  Configure a Host Header for a Web Site (IIS 7)
  http://technet.microsoft.com/en-us/library/cc753195(v=ws.10).aspx
  Please correct me if there is anything misunderstand.
  However, Microsoft recommends creating the second OWA/ECP virtual directories in a new IIS web site with a different IP address, and using it for internal client access.
  Thanks
  Mavis Huang
  TechNet Community Support

• ACS with CAC/Smart Card Authentication

  I have configured ACS 5.1 to authenticate a wireless user via EAP-TLS using the predefined Certificate Authentication Profile within ACS, but I don't understand how it is successfuly authenticating users. Is it simply trusting any user that presents a certificate signed by the root certificate I imported into the ACS certificate authority?
  Thanks.

  I have configured ACS 5.1 to authenticate a wireless user via EAP-TLS using the predefined Certificate Authentication Profile within ACS, but I don't understand how it is successfuly authenticating users. Is it simply trusting any user that presents a certificate signed by the root certificate I imported into the ACS certificate authority?
  Thanks.

• Web-auth using ASA and ACS 5.1

  In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use?  The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store.  Is this even possible with TACACS? 

  Hello,
  You might want to look for "Cut through proxy" on Cisco.com. That feature would allow you to accomplish the described scenario! Also, you might want to use RADIUS instead of TACACS+.
  Regards.

• Distinguish different exceptions from server?

  hi,
  In my application, there is a remote call:
  public Object getXXXX
  throws RemoteException, MyExceptionA, MyExceptionB;
  (where MyExceptionA and MyExceptionB are both child class of RemoteException)
  I have two related questions.
  1. On the client side, it will always get the java.rmi.ServerException
  NO MATTER what the server code actually throws, i.e, EVEN IF server
  throws MyExceptionA (or B), the client will still get ServerException.
  Is that always the case?
  2. If it is always the case, then in client code, what is the best
  practise to distinguish different exceptions?
  Do I have to catch ServerException first and then use
  ServerException.getCause() and then use instanceof to know exactly
  which exception was actually thrown by the server? That seems to
  be a little bit clumsy. Are there any other elegant ways to know
  the EXACT exception thrown by server?
  Thanks in advance for the help.
  JK

  The above argument makes perfect sense to me. But, it
  seems
  to me, no matter how many kinds of exceptions you
  declare in
  the signature of your remote call, assuming the remote
  call gets
  to the server and gets executed on the server, if any
  exception
  occurs on the server, the client will ONLY get ONE
  exception:
  java.rmi.ServerException (see my original question 1)
  Is that REALLY the case or NOT?No, it is not the case. You only get a ServerException if a RemoteException happens on the server: 'A ServerException is thrown as a result of a remote method invocation when a RemoteException is thrown while processing the invocation on the server, either while unmarshalling the arguments, executing the remote method itself, or marshalling the return value'. In other words you only get a ServerException because of either a failure inside the RMI runtime in the server while setting up or tearing down the call, or if the remote method in the server calls another remote method itself (i.e. calls another server) and gets a RemoteException from that.
  If your server deliberately throws an exception because you coded it that way, the client gets the exception thrown. If the server trips an Error you get a ServerError at the client. If the server trips a RuntimeException you get a RuntimeException at the client.
  EJP

• Distinguishing different objects

  Hi,
  I'm unsuccessfully trying to find out how to distinguish between method callers. What I mean is:
  class MyCaller {
       public MyClass mc;
       public MyCaller( MyClass mc ){
            this.mc = mc;
       public void callIt(){
            System.out.println(mc.whoCallsMe());
  class MyClass {
       private Map<Integer,Integer> numbs;
       private int number;
       public MyClass(){
            numbs = new HashMap<Integer,Integer>();
            number=1;
       public int whoCallsMe() {
           if (numbs.containsKey(??_the_callers_identification_??))
                return numbs.get(??_the_callers_identification_??);
           else
                numbs.put(??_the_callers_identification_??, number++);
                return 0;
  class HereItWorks {
         public static void main(String[] args){
              MyClass mcls = new MyClass();
              MyCaller obj1 = new MyCaller(mcls);
              MyCaller obj2 = new MyCaller(mcls);
              obj1.callIt();
              obj1.callIt();
              obj1.callIt();
              obj2.callIt();
              obj2.callIt();
              obj1.callIt();
  }output:
  0
  1
  1
  0
  2
  1
  I'm quite sure this is able to do, there has to be the reference in the jvm bytecode...
  Any idea what to google or how to do it?
  Thanks a lot, folks.

  Why do you think you need this? What are you trying to accomplish?
  You're saying you're writing method(), but not its callers, and you want method() to do something based on which instance is calling it? That's not good. Either have the different instances call different methods, or define your class as an interface instead, have the callers make calls on that, and just instantiate different implementation classes for the callers to use.