ASDM Access and local username/PW

Ok, I happened upon this today and thought it was a bit weird. We have a pair of ASA5520 as our primary firewalls.
We are using EasyVPN, and the usernames authenticate via the local username / PW configured on the firewall. All of these usernames have Privilege 0; however, these usernames are able to log into the firewall via SSH, AND when I use one of them to log into ASDM, they can go in and make config changes. I don't like that. I'm sure you can see why... How do I make it so that only my level 15 priv username can get logged in via ASDM? I've looked into AAA command authorization, but I don't see how that would apply to ASDM access.
Firewall setup:
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username user password password priv 15
username user1 password password1 priv 0
username user2 password password2 priv 0
username user3 password password3 priv 0

To achieve this you need to enable authorization.
aaa authorization command LOCAL
Let me know if you have any questions.
Regards,
~JG
Do rate helpful posts
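An added audit script, not code from the post or from Cisco, that encodes what the answer above relies on: a management path authenticated against LOCAL accepts every local username, and local privilege levels only gate commands once 'aaa authorization command LOCAL' is configured. The sample configs are constructed from the firewall setup quoted in the question.

```python
"""Audit an ASA config for low-privilege local users who can reach a
management plane while privilege levels are not enforced.

Constructed example, not code from the original post or from Cisco.  Rules
modelled: 'aaa authentication <path> console LOCAL' admits every local user
on that path, and 'aaa authorization command LOCAL' is what makes the
per-username privilege level actually constrain commands.
"""
import re
from dataclasses import dataclass

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)")
USER_RE = re.compile(r"^username (\S+) password \S+(?: priv(?:ilege)? (\d+))?")

# Authentication keywords that front a management plane.
PLANES = {"http": "ASDM/HTTPS", "ssh": "SSH", "telnet": "Telnet"}
DEFAULT_PRIV = 2  # ASA default when 'privilege' is omitted on 'username'


@dataclass(frozen=True, order=True)
class Exposure:
    username: str
    priv: int
    plane: str


def parse(config: str):
    """Collect per-path authentication, command authorization and local users."""
    auth, users, cmd_authz = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := AUTH_RE.match(line):
            auth[m.group(1)] = m.group(2)
        elif m := AUTHZ_RE.match(line):
            cmd_authz = m.group(1)
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_PRIV
    return auth, cmd_authz, users


def audit(config: str) -> list[Exposure]:
    """Local users below privilege 15 who can authenticate to a LOCAL-backed
    management plane while no command authorization enforces their level."""
    auth, cmd_authz, users = parse(config)
    if cmd_authz == "LOCAL":
        return []  # privilege levels now gate commands on every path
    return sorted(
        Exposure(user, priv, PLANES[proto])
        for proto, group in auth.items()
        if proto in PLANES and group == "LOCAL"
        for user, priv in users.items()
        if priv < 15
    )


# Constructed from the firewall setup in the post (passwords are placeholders).
BEFORE = """\
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username user password password priv 15
username user1 password password1 priv 0
username user2 password password2 priv 0
username user3 password password3 priv 0
"""
AFTER = BEFORE + "aaa authorization command LOCAL\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        hits = audit(cfg)
        print(f"{label}: {len(hits)} exposure(s)")
        for h in hits:
            print(f"  {h.username} (priv {h.priv}) reaches {h.plane} unrestricted")
```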

Similar Messages

  • AAA confusion - local username access

    Hey all,
    I am a little confused.
    I have the following commands on my device:
    username blah privilege 15 secret 5 blah!@#$%%
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    Everything works fine.
However, when I bring down the TACACS server I am able to log into the device with the local username, but it fails when I enter the enable command. How can I have access in case of emergency when TACACS fails? I have researched online and have tried multiple commands. Is there anything I am missing? I do have an enable secret password configured as well, but I don't even get a chance to enter it. When entering "en" at the > prompt:
    % Authentication failed.
    Thanks in advance for your help.
    My testing has led to frustration.

    Hi Geo,
    First please give the fall back method for command 0.
    aaa authorization commands 0 default group tacacs+
    add local
    aaa authorization commands 0 default group tacacs+ local
    Make sure you are putting in the right enable password; try to reset it and give it a shot.
    If the issue is still there, get the output of debug tacacs and debug aaa authentication.
    Regards,
    ~JG
    Do rate helpful posts
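An added model, not the poster's or Cisco's code, of how IOS walks a method list when the TACACS+ server is unreachable; it uses the 'aaa' lines quoted in this thread and shows why appending 'local' to the level-0 command authorization list is the fix. It assumes the user exists in the local database with privilege 15 and knows the enable secret.

```python
"""Model how an IOS AAA method list behaves when TACACS+ is unreachable.

Constructed example, not the poster's or Cisco's code.  Rules applied:
methods are tried in order, a method that cannot answer (server down) hands
off to the next one, a method that answers pass or fail is final, and
running off the end of the list is a failure.
"""
import re
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # method could not answer, e.g. TACACS+ server down


LIST_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$"
)


def split_methods(spec: str) -> list[str]:
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append(f"group {toks[i + 1]}")
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_lists(config: str) -> dict[str, list[str]]:
    """Map e.g. 'authorization commands 0' -> its ordered methods ('default' lists only)."""
    lists = {}
    for raw in config.splitlines():
        if m := LIST_RE.match(raw.strip()):
            service, kind, name, spec = m.groups()
            if name == "default":
                lists[f"{service} {kind}"] = split_methods(spec)
    return lists


def evaluate(method_list: list[str], answers: dict[str, Result]) -> Result:
    """Walk the list: ERROR falls through, PASS/FAIL is final, exhaustion is FAIL."""
    for method in method_list:
        verdict = answers.get(method, Result.ERROR)
        if verdict is not Result.ERROR:
            return verdict
    return Result.FAIL


def simulate(config: str, tacacs_up: bool) -> dict[str, Result]:
    """Outcome of every default method list for the assumed admin user."""
    answers = {
        "group tacacs+": Result.PASS if tacacs_up else Result.ERROR,
        "local": Result.PASS,   # assumption: local username with privilege 15
        "enable": Result.PASS,  # assumption: enable secret configured and known
        "none": Result.PASS,    # no authorization performed
    }
    return {key: evaluate(methods, answers) for key, methods in parse_lists(config).items()}


# Method lists from the post (BEFORE) and with the fallback the reply adds (AFTER).
BEFORE = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""
AFTER = BEFORE.replace(
    "commands 0 default group tacacs+", "commands 0 default group tacacs+ local"
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}, TACACS+ down:")
        for key, verdict in simulate(cfg, tacacs_up=False).items():
            print(f"  {key:<28} {verdict.value}")
```

With the server down, login authentication falls through to local and passes, but the level-0 command authorization list has no second method, so the enable command (a level-0 command) is refused; adding local gives that list the same fallback.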

  • RDS 2012 R2 - How do I lockdown access to Local Computer Management and Windows Backup via Group Policy

    Greetings all,
    I am needing assistance in how to lockdown access to Local Computer Management and Windows Backup via Group Policy for users that access RDS service. I have followed this awesome guide - http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/ - but it is missing two important resources that I would like to lock down. Currently, I have successfully locked down Control Panel for users via Group Policy, but I cannot find any group policy or guide on how to restrict user access to Computer Management (different to Server Manager). When using the Win-X shortcut to open the 'Administrator's shortcuts' near the windows icon, I have locked down everything except Computer Management. Computer Management gives direct access to Disk Management, Shares etc, which are locked down for users. But Windows Server Backup is still accessible. Can someone please guide me on how to restrict access to both Computer Management and Windows Server Backup?
    Thanks in advance.
    Terry.

    Prevent running of Windows Server Backup
    Computer Configuration\Policies\Windows Settings\Security Settings\File System
    Right click on File System - Add File - Drill down to \System32\wbadmin.msc
    On the Database Security ACL that pops up - Remove Creator Owner, Remove Users and check Administrators have Full Access.
    On the Object window - choose Propagate inheritable permissions to all... (Default)

  • Transparent Tunneling and Local Lan Access via VPN Client

    Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
    Mike Bowyer

    Hi Mike,
    "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
    What do you mean exactly with "disabled once the connection is made" ?
    You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
    Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
    Are any local LAN routes displayed when you are connected ?
    And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
    1: This feature works only on one NIC card, the same NIC card as the tunnel.
    2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
    Carsten
    PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

  • Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

    Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

    That's odd. Does this mean that you want to have the request or that you can't see the photos even though you enabled it over the privacy/photos?
    If you enable it - it's not necessary to get the request. If you want the request the safest way to get it back is to reset the privacy settings by going to iPad settings/General/Reset/Reset Location & Privacy
    thanks,
    Ignacio

  • While trying to access my local network I get the message..."The page could not be opened because server cannot be found."  This, after updating to Yosemite and paying (again) for the server app.

    While trying to access my local network I get the message..."The page could not be opened because server cannot be found." This, after updating to Yosemite and paying (again) for the server app.

    It's absolutely scandalous that a company with Apple's resources can let this happen. They should have staggered the release by region rather than opening the flood gates. The upgrade itself took me about 10 attempts to download it, and then I thought I was home free. That was until it rebooted and won't activate. It's over 2 hours now.
    Scandalous!

  • Local Username and Password

    I have AAA running on my router and I can authenticate/authorize using the ACS server. I wanted to test my config, so I turned off the ACS server and tried logging in using the local username and password. I authenticate fine but then I get %Authentication failed. And then the username prompt comes up. This concerns me because I have to have a back door into my routers in case the ACS server goes down for whatever reason.

    I am sorry it does say AUTHORIZATION FAILED. I am also posting my config.
    Building configuration...
    Current configuration : 1384 bytes
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname BIZNESS
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 5 default none
    enable password xxx
    username xxx password xxx
    ip subnet-zero
    call rsvp-sync
    interface FastEthernet0/0
    ip address 165.x.x.x 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0
    no ip address
    shutdown
    ip classless
    no ip http server
    menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
    menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
    menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
    menu ADMIN1 text 2 SHOW INTERFACE FA0/0
    menu ADMIN1 command 2 SHO INT FA0/0
    menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
    menu ADMIN1 command 3 SHOW RUN INT FA0/0
    menu ADMIN1 text 4 SHOW ARP
    menu ADMIN1 command 4 SHOW ARP
    menu ADMIN1 text 5 EXIT
    menu ADMIN1 command 5 LOGOUT
    tacacs-server host 165.110.30.15 key 7 00071A1507545A545C
    tacacs-server directed-request
    dial-peer cor custom
    privilege exec level 5 show ip interface brief
    privilege exec level 5 show interface fa0/0
    privilege exec level 5 show show run interface fa0/0
    privilege exec level 5 show show arp
    line con 0
    line aux 0
    line vty 0 4
    password xxx
    end

  • I got a new computer, and now i cannot access the local files for my website (Dreamweaver)...help?

    I got a new computer, and now i cannot access the local files for my website (Dreamweaver)...
    the new computer is a Mac.
    I see the site on my computer files, but it will not connect with Dreamweaver on this new computer.
    can anyone help with this?
    thanks,
    Margaret

    no special characters...
    see if this gives you any info...

  • How do I access and use my main computer over my local network ?

    I have a wireless internet connection that currently runs from the outside antenna into the house via ethernet. My internet provider is setting up a second wireless system so that a computer 1/2 mile away can share the connection. I believe they are going to run the signal from my existing antenna into a router that will connect to the ethernet wire to my house and to an access point that will shoot a signal from a second antenna to my computer 1/2 mile away.
    I'd like to know the best way to access the computer in my house from the one 1/2 mile away.
    I'd like to be able to access and use files on my home computer so that all changes are kept on it. I'd also like to access any e-mail messages that Mail has received.
    My ISP said that they would have to enable VPN.
    I'd like to know if enabling file sharing would be enough, or do I need this Vine program I've read about on this forum, or do I need to set my home computer up as a server, or do I need to do something else ?
    I've read about lots of stuff but don't understand any of it very well.
    Any suggestions would be appreciated.
    Thanks
    1.3 Mhz Cube   Mac OS X (10.4.9)  

    But why pay for a solution. You can do the same thing with "Share My Desktop" and "Chicken of the VNC".

  • ASA 5505 & VPN Client blocking access to local lan

    I have set up an IPSec vpn client connection to a Cisco ASA 5505. When I connect to the unit it fully authenticates and issues me an ip address on the local lan; however, when I attempt to connect to any service on the local lan the following message is displayed in the log. Can you help:
    Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53
    See the attached file for a sanitised version of the config.

    This is a sanitised version of the crypto dump; I have changed the user and IP addresses.
    ASA5505MAN# debug crypto ikev1 7
    ASA5505MAN# debug crypto ipsec 7
    ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    This is the isakmp dump
    ASA5505MAN# show crypto isakmp
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: x.x.x.x
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: x.x.x.x
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    There are no IKEv2 SAs
    Global IKEv1 Statistics
      Active Tunnels:              1
      Previous Tunnels:           40
      In Octets:              322076
      In Packets:               2060
      In Drop Packets:            84
      In Notifys:               1072
      In P2 Exchanges:            35
      In P2 Exchange Invalids:     0
      In P2 Exchange Rejects:      0
      In P2 Sa Delete Requests:   24
      Out Octets:             591896
      Out Packets:              3481
      Out Drop Packets:            0
      Out Notifys:              2101
      Out P2 Exchanges:          275
      Out P2 Exchange Invalids:    0
      Out P2 Exchange Rejects:     0
      Out P2 Sa Delete Requests: 284
      Initiator Tunnels:         231
      Initiator Fails:           221
      Responder Fails:            76
      System Capacity Fails:       0
      Auth Fails:                 54
      Decrypt Fails:               0
      Hash Valid Fails:            0
      No Sa Fails:                30
    ASA5505MAN#
    and this is the ipsec dump
    ASA5505MAN# show crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
          current_peer: x.x.x.x, username: username
          dynamic allocated peer ip: 192.168.110.200
          #pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
          #pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
          path mtu 1500, ipsec overhead 82(52), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 532B60D0
          current inbound spi : 472C8AE7
        inbound esp sas:
          spi: 0x472C8AE7 (1194101479)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 26551
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x532B60D0 (1395351760)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 26551
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x
          access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
          current_peer: x.x.x.x
          #pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
          #pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: F6943017
          current inbound spi : E6CDF924
        inbound esp sas:
          spi: 0xE6CDF924 (3872258340)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 163840, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (3651601/15931)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xF6943017 (4136906775)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 163840, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (3561355/15931)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    ASA5505MAN#

  • Errors when accessing Encrypted Local Storage

    Hi there,
    I develop an AIR application and some of the users of the application are running into an issue when accessing Encryped Local Storage. Sometimes, when the application tries to put or retrieve an item from Encrypted Local Storage, these errors are reported:
    Error: general internal error
    EncryptedLocalStore database access error
    I've searched around a little and it appears that these errors occur for a variety of reasons. Sounds like corruption to the user's keychain can result in this error being thrown (repairing the keychain was mentioned as a possible solution in one blog post). This same error happens to some Linux users (http://kb2.adobe.com/cps/492/cpsid_49267.html) when switching between Gnome and KDE desktops too. http://blogs.adobe.com/koestler/2009/07/unreadable_encrypted_local_sto.html seems to suggest that changing of usernames on the machine can have an impact on how the ELS is accessed.
    In terms of a solution to this issue, I've seen multiple posts online asking the user to delete the ELS directory on their computer. While this 'solution' works for some users of the application I develop, it doesn't work for other users. http://forums.adobe.com/thread/239605 seems to suggest that a full factory reset of a user's OS gets everything back to square one and the ELS is now usable again - that's not really something that I can suggest to a user of an application. It seems a bit drastic and most users will (understandably) baulk at the idea of a full factory reset.
    So, I'm in a position with AIR development where I have to provide a fallback to ELS. Thankfully, I don't use ELS in the application too much, but I imagine anyone that has to make meaningful use of it would be pretty handicapped by the issues above. I guess I have a few questions:
    1. Has anyone been able to reproduce the errors listed above? Are you able to get your system into a state where 'Error: general internal error' appears consistently when you try to access ELS? I've tried the suggestions listed in the articles I outlined above, but have so far failed in reproducing these errors.
    2. If you have managed to get your machine into this state, what is the most advisable remedial action? As I mentioned above, deleting the ELS directory to start anew seems to work for some users but not for others.
    3. Is there anything that someone has tried where they've found a programmatic solution to avoid this issue altogether?
    4. Can someone in AIR engineering comment on concrete efforts to avoid these sort of scenarios in future versions of the runtime? Is there any debug information that I can provide from users of this application that could help diagnose this issue further and possibly feed back to the AIR development team?
    FWIW, my application descriptor file is pointing at the 1.5.3 version of the runtime. We've seen this happen to users that are running this application with both the 1.5.3 version of AIR and the 2.0.3 version of AIR. We've seen this happen on both Mac and Windows. I've seen this happen with initial installs of the application and with upgrades to new versions too.
    Sean

    Hi Sean,
    Thanks for reporting the issue. As you pointed out (via the blogs and weblinks), we are aware of this issue. And the following blog post talks about the problem in detail:
         http://kb2.adobe.com/cps/492/cpsid_49267.html
    As mentioned there, this issue arises because of corruption of the keyring database, which in turn could happen because of user migration, switching desktops, ELS data migration to a different machine etc. In such a scenario, even native applications are not able to access the ELS store (gnome-keyring or kde-kwallet). So there is little that we could do here. We have never experienced a scenario where an AIR application resulted in the corruption of the database.
    Having said that, if you can provide us a constantly reproducible case (a list of steps which can always get us hit the issue), then we can definitely try to do the best possible in this regard.
    Thanks,
    -romil
    (AIR Engineering)

  • How to see and add usernames from other forest in User Profile Synchronization

    Hello Community
    Using SharePoint 2010 Server there are 2 forests each containing their domain users, let's call them Forest1/Domain1 and Forest2/Domain2, and there is a one-way trust relationship between the two forests.
    The users are in Forest2/Domain2 but SharePoint is on Forest1/Domain1. The only way I have been able to add the users from Forest2\Domain2 to the Forest1\Domain1 has been to create a domain local group and an OU in Forest1\Domain1 and then put the domain local group into the OU so that I can perform a UPS Synchronization on those users (I also create a group on the SharePoint 2010 Server and add the users there too).
    The problem is that when I run the UPS Synchronization I can select the checkbox for the domain local group but the individual usernames are not displayed in the Synchronization process of populate container.
    The only names that get Synchronized are the SharePoint Service Accounts and the usernames that were created in Forest1\Domain1 AD.
    Consequently when users in Forest2\Domain2 logon they can access the intranet web appl in Forest1\Domain1 by entering the url in the address box, but they cannot create a My Site when they click their username because they get an error stating:
    "This page can't be displayed".
    But usernames created in Forest1\Domain1 can access the intranet web appl and can create a My Site.
    I noticed that the difference is when users from Forest2\Domain2 get the error message, in the address box I see the My Site url but it is missing the "default.aspx" page, which is the page that contains My Content and My Profile and is the page that can't be displayed.
    But the users from Forest1\Domain1 have the My Site url in the address box with "default.aspx" appended and therefore can create their My Site.
    The other problem is that when I go to the My Site url page and I go to People and groups, I can add the OU that was Synchronized but I guess since I didn't see the individual usernames I can't add the users from Forest2\Domain2 from the people picker because the people picker error says:
    "no match found".
    But the people picker finds the users created in Forest1\Domain1.
    How do I make usernames visible when Synchronizing those usernames in the UPS Synchronization process and be able to find them in the people picker?
    Thank you
    Shabeaut

    stsadm -o setapppassword -password <password>
    stsadm -o setproperty -url <url> -pn "peoplepicker-searchadforests" -pv "forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>"

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni
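    When a VPN client can reach the internet but not the LAN behind a PIX, two things a reviewer checks in the posted config are whether every address the VPN pool can hand out is covered by the NAT-exemption ACL (the one bound with `nat (inside) 0`), and whether a named object is referenced with different masks in different ACLs (here VPN_CLIENT appears both as /24 and as /27). The script below is an added example written for this thread, not code from the original poster, Jouni or Cisco; it embeds only the relevant lines copied from the config above as its sample input, resolves `name` labels, walks the ACL entries with the standard `ipaddress` module, and reports both checks. `object-group` and `interface` address specs are outside what it parses.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted PIX config that bear on the
# VPN-to-LAN path (copied from the thread above; nothing else added).
PIX_CONFIG = """
name 176.76.1.0 LAN-CEPIC
name 10.1.1.0 VPN_CLIENT
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

def config_lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]

def parse_names(lines):
    """'name <ip> <label>' -> {label: ip}."""
    names = {}
    for l in lines:
        parts = l.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names

def _take_spec(tokens, i, names):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    if tok in ("object-group", "interface"):
        raise ValueError(f"{tok} specs are not handled in this example")
    addr = names.get(tok, tok)          # resolve a 'name' label, else literal IP
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2

def acl_entries(lines, acl_name, names):
    """[(src_net, dst_net)] for the 'permit' entries of one named ACL."""
    entries = []
    for l in lines:
        t = l.split()
        if len(t) < 5 or t[:3] != ["access-list", acl_name, "permit"]:
            continue
        src, i = _take_spec(t, 4, names)   # t[3] is the protocol
        dst, _ = _take_spec(t, i, names)   # trailing port words are ignored
        entries.append((src, dst))
    return entries

def parse_pool(lines):
    """'ip local pool <name> a-b' -> every address the pool can assign."""
    for l in lines:
        m = re.match(r"ip local pool \S+ (\S+)-(\S+)$", l)
        if m:
            start, end = (int(ipaddress.ip_address(x)) for x in m.groups())
            return [ipaddress.ip_address(n) for n in range(start, end + 1)]
    return []

def nat0_acl_name(lines, iface="inside"):
    for l in lines:
        m = re.match(rf"nat \({iface}\) 0 access-list (\S+)$", l)
        if m:
            return m.group(1)
    return None

def pool_addresses_not_exempt(lines, lan_net):
    """Pool addresses that no nat-0 entry exempts for traffic from lan_net.
    An empty list means every client address is reached without NAT."""
    names = parse_names(lines)
    acl = nat0_acl_name(lines)
    entries = acl_entries(lines, acl, names) if acl else []
    lan = ipaddress.ip_network(lan_net)
    return [str(a) for a in parse_pool(lines)
            if not any(lan.subnet_of(src) and a in dst for src, dst in entries)]

def mask_inconsistencies(lines):
    """Named objects that ACL entries reference with more than one mask."""
    names = parse_names(lines)
    seen = {}
    for l in lines:
        t = l.split()
        if t[0] != "access-list":
            continue
        for i, tok in enumerate(t[:-1]):
            if tok in names and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t[i + 1]):
                seen.setdefault(tok, set()).add(t[i + 1])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    lines = config_lines(PIX_CONFIG)
    print("pool addresses without NAT exemption:",
          pool_addresses_not_exempt(lines, "176.76.1.0/24"))
    print("objects used with differing masks:", mask_inconsistencies(lines))
```

    For the posted config the pool 10.1.1.10-10.1.1.20 falls inside the /27 that the nat-0 ACL exempts, so that check comes back clean, while VPN_CLIENT is flagged because `inside_access_in` uses it with 255.255.255.0 and the crypto and nat-0 ACLs use it with 255.255.255.224. A mask mismatch like that is not necessarily the fault, but it is the kind of drift worth settling before reading debug logs.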

  • Ability to add secret password to local usernames 2511

    We have a 2511 that I have been tasked with setting up as our access server. I was not comfortable using telnet and making it publicly accessible, so I searched for an IOS that had the SSH feature.
    Originally, the IOS version was 12.3 (c2500-is-l.123.3.bin). With this version, there was no SSH. However, I could assign a secret to local usernames (i.e. username jsmith privilege 15 SECRET 5 <&#(sSJ*((#*&@> ).
    Now that I have loaded the latest available version that has SSH (c2500-ik8os-l.122-29b.bin), I cannot assign secrets to the usernames. I can only assign passwords with the level 7 encryption (i.e. username jsmith privilege 15 PASSWORD 7 <password> ).
    I was under the impression that anything above 12.2 had md5 password capabilities (the enable secret is encrypted at level 5, but I cannot do the same to my username accounts for local logins).
    Question: Is there a version that has both? Am I not turning something on where I should be? What is the name of the feature that enables local login username/password level 5 secret encryption?
    Thank you for your attention.

    Hi Steven,
    I apologize, as I do not have an IOS device in front of me to test this. However, does your device have the 'service password-encryption' command? If so, this should encrypt the passwords in your configuration using MD5.
    Let me know if that works.
    -Mike
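    The distinction the question turns on is how IOS stores each credential: a `secret` line carries a one-way hash (type 5 is MD5-crypt; types 8 and 9 exist on newer platforms), whereas a `password` line is stored either cleartext (type 0) or as the type 7 obfuscation that `service password-encryption` applies, which is reversible and so does not protect a leaked config. The script below is an added example written for this thread, not code from the poster, Mike or Cisco; it classifies the credential lines of a saved IOS config by storage type and lists the principals whose credential could be recovered from the file. The config text is constructed for the example and the hash and type-7 strings in it are placeholders, not real values.

```python
import re

# Constructed sample: IOS credential lines of the kinds discussed in the
# thread. Hash / obfuscation strings are placeholders, not real material.
IOS_CONFIG = """
service password-encryption
enable secret 5 $1$PLAC$EHOLDERHASHVALUE0000000
enable password 7 0A1B2C3D4E5F
username jsmith privilege 15 secret 5 $1$PLAC$EHOLDERHASHVALUE1111111
username jdoe privilege 15 password 7 5F4E3D2C1B0A
username backup privilege 1 password 0 clear-text-sample
username legacy password legacy-sample
"""

# IOS type number -> (description, recoverable from the config file?)
STORAGE = {
    "0": ("cleartext", True),
    "5": ("MD5-crypt hash (one-way)", False),
    "7": ("type 7 reversible obfuscation", True),
    "8": ("PBKDF2-SHA256 hash (one-way)", False),
    "9": ("scrypt hash (one-way)", False),
}

CRED_RE = re.compile(
    r"^(?P<who>enable|username\s+\S+)(?:\s+privilege\s+\d+)?\s+"
    r"(?P<kw>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$"
)

def classify_credentials(config_text):
    """One record per 'enable'/'username' credential line in the config."""
    records = []
    for line in config_text.splitlines():
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        who = m.group("who")
        principal = who.split()[-1] if who.startswith("username") else "enable"
        # No type number means the value was entered as-is: type 0.
        t = m.group("type") or "0"
        label, recoverable = STORAGE.get(t, (f"unknown type {t}", True))
        records.append({"principal": principal, "keyword": m.group("kw"),
                        "type": t, "storage": label, "recoverable": recoverable})
    return records

def recoverable_principals(config_text):
    """Sorted names whose stored credential can be read back from the config."""
    return sorted({r["principal"] for r in classify_credentials(config_text)
                   if r["recoverable"]})

def password_encryption_enabled(config_text):
    """True when 'service password-encryption' is set (type 0 -> type 7 only)."""
    return any(l.strip() == "service password-encryption"
               for l in config_text.splitlines())

if __name__ == "__main__":
    for r in classify_credentials(IOS_CONFIG):
        flag = "RECOVERABLE" if r["recoverable"] else "ok"
        print(f"{r['principal']:8} {r['keyword']:8} type {r['type']}  {r['storage']:32} {flag}")
    print("service password-encryption:", password_encryption_enabled(IOS_CONFIG))
    print("principals to move to 'secret':", recoverable_principals(IOS_CONFIG))
```

    Run on the sample, the report marks `jsmith` and the `enable secret` as one-way hashes and flags `jdoe`, `backup`, `legacy` and the `enable password` line as recoverable, even though `service password-encryption` is on: that command only turns type 0 into type 7. Whether a given 2500 image offers `username ... secret` is a platform question the thread leaves open; the checker just shows which lines would benefit from it.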

  • Remote and local databases

    Let's say that I access an Oracle form through the web and that form accesses data from two distributed databases. Will there then be a remote database and a local database for the user, or will all the databases be remote databases to the user?

    In my opinion.
    using local databases -- access tables without DB_link
    using Remote databases -- access tables through DB_link
