Authenticating via CAS (i.e. w/o Oracle SSO or Page 101)?

As I mentioned in this Re: ERR 1002 Unable to find item ID, I need to use custom authentication that can redirect to a web form and return when the user has been authenticated. I'm struggling to use the Apex default API with this authentication scheme. Basically, the timing of when the Apex actions happen seems to conflict with the CAS method.
Our authentication is based on a home-grown Oracle package that talks to our implementation of the CAS (Central Authentication Service project) authentication server. Our instance pops up a web form to get username and password, then calls CAS and handles the return. So Apex never gets the username/password, so there's no need to show page 101.
So my authentication scheme is almost empty. Except for the Page Sentry function. The only way I could get this to work was to put my Oracle call to CAS in the Page Sentry, where it returns TRUE/FALSE.
It's been a while since I messed with this, but as I recall, when I moved the CAS authentication call to any other point in the scheme, it wouldn't fire at the proper point. Plus I got lost on how to get the Apex Login function called, since there's no Submit process from page 101.
I've seen suggestions that this is similar to what happens in the LDAP authentication, but I'm still lost on which actions happen when (though I've read through Apex's Flow Chart page for my scheme).
To complicate matters, I have a Post-Authentication process that needs to run. Since I'm not running the Authentication Scheme's Login Processing Authentication Function, code I put in the Post-Authentication Process doesn't get run either.
Can anyone at least suggest to me how I can get the Login Processing steps (including Pre- and Post-) to run w/o using the regular login page?
I'm at my wit's end over this.
Thanks,
Stew

Scott,
Thanks for the offer but there's no way I can replicate our environment there.
I was looking for more-general information.
For example, my brain tells me that I should be able to do all my steps in the Login Processing section of my Authentication scheme.
1) Set up the Pre-Authentication Process process to call my CAS authentication procedure.
2) Define the Authentication Function to call my authorization routine to determine if the person is authorized to run my application. If they're authorized, have this step call APEX_CUSTOM_AUTH.LOGIN to establish a standard Apex session. Then return TRUE (that they've successfully authenticated).
3) Define the Post-Authentication Process to do any other setup I need.
4) Set the Page Sentry function to use the standard wwv_flow_custom_auth_std.is_session_valid function.
Then I think I should simply be able to define the security for Page 1 as "Is not Public User", which should call the authentication steps to run.
But I'm clearly not getting it, as this model didn't seem to work for me. It was a while ago I tried this, but it didn't seem to call the authentication steps without a Submit from Page 101.
Can you clear up my confusion on how things really work vs my simplistic thoughts above?
Thanks,
Stew
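The flow Stew describes (no Apex login page; the Page Sentry itself decides whether a session exists, handles the return from CAS, and otherwise sends the browser to the CAS form) as an added example in Python. This is illustration code, not code from the thread or from Oracle APEX, and it models the CAS 2.0 service-ticket exchange rather than the poster's home-grown package. `CasClient`, `page_sentry`, the `session` dict, the injected `fetch` function, the fake CAS server and the URLs `https://cas.example/cas` and `https://apex.example/f?p=100:1` are all assumptions; the line that stores the user in the session is the point where APEX would register the session (the thread's APEX_CUSTOM_AUTH.LOGIN step), and the sentry keeps the Apex contract of returning TRUE/FALSE.

```python
# Added example (not code from the thread or from Oracle APEX): a CAS 2.0
# service-ticket flow shaped like the APEX Page Sentry Stew describes.
# CasClient, page_sentry, the session dict and the fake server are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = "http://www.yale.edu/tp/cas"          # namespace of CAS serviceResponse XML
APP_URL = "https://apex.example/f?p=100:1"      # assumed "service" URL of the Apex app


class CasClient:
    def __init__(self, cas_base_url, service_url, fetch):
        # fetch(url) -> str is injected so the example runs offline; in production
        # it is a server-to-server HTTPS GET, never something the browser performs.
        self.cas_base_url = cas_base_url.rstrip("/")
        self.service_url = service_url
        self.fetch = fetch

    def login_url(self):
        """Where the browser is sent when no session exists: the CAS login form."""
        return self.cas_base_url + "/login?" + urlencode({"service": self.service_url})

    def validate(self, ticket):
        """Ask the CAS server whether `ticket` was issued for *our* service.
        Returns the authenticated username, or None on any failure."""
        url = self.cas_base_url + "/serviceValidate?" + urlencode(
            {"service": self.service_url, "ticket": ticket})
        try:
            root = ET.fromstring(self.fetch(url))
        except ET.ParseError:
            return None
        success = root.find("{%s}authenticationSuccess" % CAS_NS)
        if success is None:                      # <cas:authenticationFailure .../>
            return None
        return success.findtext("{%s}user" % CAS_NS) or None


def page_sentry(session, query_string, client):
    """Same contract as an Apex Page Sentry: True lets the page render, False
    means the sentry has arranged a redirect (recorded in session['redirect'])."""
    if session.get("user"):
        return True                              # a valid session already exists
    ticket = parse_qs(query_string).get("ticket", [None])[0]
    if ticket:
        user = client.validate(ticket)           # validated server-side, never trusted from the URL
        if user:
            session["user"] = user               # Apex would register the session here
            session.pop("redirect", None)
            return True
    session["redirect"] = client.login_url()    # no session and no usable ticket
    return False


# --- constructed stand-in for the CAS server (not a real endpoint) -----------
SUCCESS_XML = ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationSuccess>'
               '<cas:user>stew</cas:user></cas:authenticationSuccess></cas:serviceResponse>' % CAS_NS)
FAILURE_XML = ('<cas:serviceResponse xmlns:cas="%s"><cas:authenticationFailure code="INVALID_TICKET">'
               'Ticket not recognized</cas:authenticationFailure></cas:serviceResponse>' % CAS_NS)
USED_TICKETS = set()                            # CAS service tickets are single-use


def fake_fetch(url):
    q = parse_qs(urlparse(url).query)
    ticket, service = q.get("ticket", [""])[0], q.get("service", [""])[0]
    if ticket == "ST-123" and service == APP_URL and ticket not in USED_TICKETS:
        USED_TICKETS.add(ticket)
        return SUCCESS_XML
    return FAILURE_XML


client = CasClient("https://cas.example/cas", APP_URL, fake_fetch)


def demo():
    """Three requests: no ticket -> redirect; valid ticket -> session; replayed ticket -> redirect."""
    session = {}
    first = page_sentry(session, "", client)
    second = page_sentry(session, "ticket=ST-123", client)
    third = page_sentry({}, "ticket=ST-123", client)
    return first, session.get("user"), second, third


if __name__ == "__main__":
    print(demo())          # (False, 'stew', True, False)
```

Two details carry the security weight: the ticket is validated by the application server against the same `service` value that was sent to `/login`, so a ticket issued for another service is rejected, and the username comes only from the validation response, never from anything the browser sent. Because tickets are single-use, a replayed `ST-123` yields a redirect rather than a session, which is why the sentry must be the place that distinguishes "session exists" from "ticket present".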

Similar Messages

  • Wireless Alerting APIs & Oracle SSO

    We have a severe problem regarding the Wireless Alerting APIs. We need to provide a callable service (Web Service) for a 3rd-party web front end so users can subscribe to Wireless Engine Alerts. We found that the authentication model for the Alerting APIs requires authentication by passing the Request object to Oracle SSO and having the RequestController authenticate and use the APIs. Can there be another way? Why can't the Alerting APIs' authentication use normal LDAP authentication using JNDI?

    What version of the SSO server are you using?

  • Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

    Hi,
    I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
    My authentication and authorization rules relating that case are as on following screenshots:
    So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
    Looking in ISE's Authentication section I can see following:
    Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
    So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)), and after 25 msecs I am getting a failure. So what could be the cause of this, and how can I successfully log in to the PI GUI authenticating via ISE using AD credentials?

    Hi,
    -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
    -- Then try to add the ISE.
    -- Once it fails, collect the logs from Administration > Logging, check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us the exact reason.
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • AP Authentication via ACS.

    Hi All,
    Just a basic question regarding MAC-based authentication of APs with ACS.
    The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS, so that whenever we plug a new AP into the network, it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
    My question is: what will happen if the AP is connected in local mode at a remote location and the WLC, ACS & DHCP are in the datacenter? The traffic coming from the remote location will pass through the remote-site router, and during that pass it will remove the source MAC address of the AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case?
    When working in a LAN I know it's possible, but how will it work over the WAN?
    Pls. suggest ASAP.
    Thanks in Advance.
    Regards
    Harish

    Harish:
    As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
    The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
    The CAPWAP RFC mentions that you can do AP authorization in two ways:
    - with certificates
    - with PSK.
    The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
    2.4.4.4.  PSK Usage
       When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
       contain the "PSK identity hint" field and the ClientKeyExchange
       message MUST contain the "PSK identity" field.  These fields are used
       to help the WTP select the appropriate PSK for use with the AC, and
       then indicate to the AC which key is being used.  When PSKs are
       provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
       the key MUST be specified.
       The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
       SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
       and identities be the ASCII HEX-formatted MAC addresses of the
       respective devices, since each pairwise combination of WTP and AC
       SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
       sufficient to perform authorization, as simply having knowledge of a
       PSK does not necessarily imply authorization.
       If a single PSK is being used for multiple devices on a CAPWAP
       network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
       longer be a MAC address, so appropriate hints and identities SHOULD
       be selected to identify the group of devices to which the PSK is
       provisioned.
    You may spend more time reading the CAPWAP RFC if you are interested.
    CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
    Hope this answers your concern.
    Amjad

  • Data missing in Crosstab report with calculated field via case when

    I use Oracle 10g Discoverer. When I create a crosstab report with a calculated field via a CASE WHEN function and put it as a data point, some of the data is not showing. When I don't use the CASE WHEN function for the calculated field, all the data shows.
    I really do not know the reason. Could anybody help me out? Many thanks.

    Let me explain more.
    I have the original data below.
    Work order, Team, Hours_worked, date
    800001, S1, 5, 2012/01/01
    800001, S1, 15, 2012/01/10
    800001, S2, 4, 2012/01/04
    800002, S1, 3, 2012/01/15
    There are multiple records for the same work order and team on the same day or on different days.
    Finally I want to set the start date and end date as parameters to create a crosstab report in a format like this (for start date>=2012/01/01 and close date<=2012/01/05):
                  Total hours (by Team)   Hours within the range (by Team)
    Work order    S1    S2   ...          S1    S2   ...
    800001        20     4                 5     4
    800002         3     0                 0     0
    In order to do it, I create two independent parameters, start date and close date. Then I create a calculated field hours_worked_withinrange via
    Case when date>=:start date and date<=:end date then Hours_worked else 0 end
    This calculated field is correct in the tabular format report in Discoverer Desktop. But when I duplicate the list as a crosstab, some data is missing in the crosstab data point.
    I checked: once I change the calculated field definition to not use CASE WHEN (for example, C1=hours_worked*2), then everything runs correctly.

  • Authentication via weblogic security realm

    My servlet needs to access a session bean. The action in the session bean requires
    that a user has been authorized, i.e. at some point the session bean calls
    String name = d_ctx.getCallerPrincipal().getName()
    This name may not be null at this time.
    What I would like to have is that the user executing the URL gets authenticated
    by my server realm 'myrealm' and that the associated principal gets passed to
    the session bean. Is this possible? If so, how can the user pass along the username
    and password as this query is executed programmatically?
    markus

    http://www.weblogic.com/docs51/classdocs/API_acl.html
    Michael Girdley
    BEA Systems Inc
    "gennot" <[email protected]> wrote in message
    news:[email protected]..
    Could you send me the complete URL of this example, please?
    Thanks
    Enrico
    Michael Girdley <[email protected]> wrote in message
    39b87078$[email protected]..
    The passing of the client's certificate should be automatic to WebLogic. We
    have an example of getting the client side certificate from inside of
    WebLogic in our documentation.
    This does not require for SSL to be used from the Web server to
    WebLogic.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Bob Simonoff" <[email protected]> wrote in message
    news:[email protected]..
    I have read through the docs and haven't found anything that would address
    the following confusion:
    Suppose I want to use Apache or IPlanet as the webserver with WebLogic as
    the back end application server (obviously). I have the need to use 2-way
    SSL authentication. As I understand it the following applies:
    Client (browser) has a certificate as does the web server. They authenticate
    each other.
    Now, the web server and WebLogic need to communicate. WebLogic, in our
    environment, does authentication via the security realm.
    What do I have to do to get the web server (Apache or IPlanet) to
    communicate the client's certificate to WebLogic so WebLogic can perform
    the authentication?
    Does the communication between the web server and WebLogic also need to
    be SSL?
    Thanks
    Bob Simonoff

  • Integrate Central Authentication Service (CAS) in SharePoint 2010

    Hi All,
    Going to implement single sign-on with all internal applications.
    Also, some applications are running in SharePoint; I want to integrate Central Authentication Service (CAS)
    in SharePoint 2010.
    Please give me some idea.
    Deepak

    You can do CAS and SharePoint auth using the links below:
    http://webcache.googleusercontent.com/search?q=cache:EhC3JLvqDWwJ:balendrant.blogspot.com/2013/05/external-authentication-providers-for.html+&cd=4&hl=en&ct=clnk&gl=in&client=firefox-beta
    http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CFEQFjAI&url=http%3A%2F%2Fdownload.microsoft.com%2Fdocuments%2FFrance%2FInterop%2F2010%2FFederated_Collaboration_With_Shibboleth_2_0_and_SharePoint_2010_technologies-1_0.docx&ei=i0u1U6bVB4KMuATP94II&usg=AFQjCNF09JusWUS97-em12JFpaH64Pxa3A&bvm=bv.70138588,d.c2E&cad=rja
    If this helped you resolve your issue, please mark it Answered

  • OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

    hi ,
    I recently inherited support of an Oracle SSO/OID environment where we use AD and an external Authentication Plug-in to talk to it, as user credentials are managed in AD.
    We have a lot of domain controllers for AD in our env, so my question is:
    1) How do I find out which AD server the plugin is currently referring to?
    I need to know this info ASAP as a lot of AD servers are getting decommissioned and I want to make sure the SSO env is not talking to an AD server that will get decommissioned soon.

    hi,
    Look in the integration part in oidadmin. ActiveChgImp
    $ORACLE_HOME/bin/oidadmin
    or look for ad2oid.properties
    or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
    is what I used to configure ours
    Regards

  • 802.1x wired authentication via PEAP, MD5

    Hi everyone,
    Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit, but there is not much info from start to finish on how to implement this solution.
    I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring it in multiple ways but got no result out of it. Still an orange port color on my switch, which means the first hop of security works but the next does not.
    Thank you in advance for reading this.

    Hi,
    According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
    Some articles, just for your reference:
    802.1X Authenticated Wired Access Overview
    https://technet.microsoft.com/en-us/library/hh831831.aspx
    802.1X Authenticated Wired Access Design Guide
    https://technet.microsoft.com/library/dd378864(WS.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

    Help!
    After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
    When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
    I have included a picture that describes my problem exactly:
    Does anyone have this problem? Can anyone help me?
    Thanks!

    The thing you and many others forget is that these forums are for those with problems. Those for whom the install works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were a unique fault, this would mean a small fraction of the installed base.
    According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So let's go for one month's sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
    So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, it's still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit it's not Apple's finest hour, but it's certainly not bad for the overwhelming majority.
    Perhaps you could apply to be an Apple tester, to help solve this issue? It's better than standing on the sidelines complaining about everyone else's work for certain.
    Or log a fault request as it will get looked at, I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

  • Sshd authentication via pam_userdb

    Hello
    I would like to configure ssh to authenticate against a database file which I've created.
    This is what I have done so far:
    1. Generate the database file out of a text file:
    db_load -T -t hash -f logins.txt /etc/vpasswd.db
    I have modified /etc/pam.d/sshd to be the below:
    %PAM-1.0
    auth requisite pam_securetty.so #Disable remote root
    auth sufficient pam_unix.so
    auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
    auth required pam_nologin.so
    auth required pam_env.so
    account sufficient pam_unix.so
    account sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
    account required pam_time.so
    password required pam_unix.so
    session required pam_unix_session.so
    session required pam_limits.so
    When I log in as a user specified in the database file the following logs are returned:
    Apr 1 00:29:47 dopey sshd[13778]: Failed none for invalid user testuser from 57.62.62.102 port 31794 ssh2
    Apr 1 00:29:52 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
    Apr 1 00:29:55 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
    What I'd like to happen is if the user exists as a Linux account then let them in as normal, but if not then check the vpasswd.db database file.
    Can anyone point me in the right direction? Is it possible to configure this?
    Thanks
    - eskay
    Last edited by eskay (2009-04-01 03:18:55)

    It looks like RADIUS authentication via the PAM module does work. We compiled the pam_radius module using the -bundle option to the linker. That seems to have fixed it. The link line ends up being
    gcc -bundle pamradiusauth.o md5.o -lpam -o pamradiusauth.so
    We'll send these simple changes to the pam radius developers.
    What this has allowed us to do is use RADIUS authentication for logging in remotely via ssh. However, we have yet to figure out how to get the main login "window" for OS X to allow PAM to be used.
    Pete
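What eskay's log lines mean, as an added example in Python that is not part of the thread: OpenSSH writes "invalid user" when the account name cannot be resolved through the system user database (NSS) at all, which happens before any PAM password module for that user could succeed, so the PAM stack above is never the component reporting the failure. The parser below classifies sshd auth lines into unknown-user, bad-credential and successful events and flags repeated failures per source; the first three sample lines are the ones quoted in the post, the two `10.0.0.5` lines and the `alice` account are constructed to show the other outcomes, and `parse_sshd_line`, `triage` and the threshold are assumptions of this example.

```python
# Added example (not from the thread): triage of sshd auth-log lines in the
# format eskay quoted. Sample lines are constructed; parse_sshd_line and triage
# are names chosen for this example.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample: three lines from the post plus two invented ones for alice.
SAMPLE_LOG = """\
Apr 1 00:29:47 dopey sshd[13778]: Failed none for invalid user testuser from 57.62.62.102 port 31794 ssh2
Apr 1 00:29:52 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
Apr 1 00:29:55 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
Apr 1 00:31:10 dopey sshd[13790]: Failed password for alice from 10.0.0.5 port 40112 ssh2
Apr 1 00:31:20 dopey sshd[13790]: Accepted password for alice from 10.0.0.5 port 40112 ssh2
"""


def parse_sshd_line(line):
    """Return a dict describing one auth event, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev.pop("invalid"):
        ev["category"] = "unknown_user"      # name not resolvable via NSS; PAM saw no real account
    elif ev["result"] == "Failed":
        ev["category"] = "bad_credentials"   # account exists, credential rejected
    else:
        ev["category"] = "success"
    return ev


def triage(log_text, threshold=3):
    """Count outcomes and flag (source, user) pairs that reach `threshold` failures."""
    totals = Counter()
    per_pair = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        totals[ev["category"]] += 1
        per_pair[(ev["ip"], ev["user"])][ev["category"]] += 1
    findings = []
    for (ip, user), c in sorted(per_pair.items()):
        if c["unknown_user"] >= threshold:
            findings.append("%s: %d attempts for non-existent account '%s' "
                            "(account lookup failed before PAM ran)" % (ip, c["unknown_user"], user))
        if c["bad_credentials"] >= threshold:
            findings.append("%s: %d wrong-credential attempts for '%s'" % (ip, c["bad_credentials"], user))
    return dict(totals), findings


if __name__ == "__main__":
    totals, findings = triage(SAMPLE_LOG)
    print(totals)
    for f in findings:
        print(f)
```

Separating the two failure classes matters for both sides of the problem in the post: for the administrator it shows that a name which exists only in `vpasswd.db` is being rejected at account lookup, not by `pam_userdb`, and for monitoring it keeps guesses against non-existent names apart from password failures against real accounts, which are different signals.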

  • NAC authentication via Windows AD

    Hi,
    We have a NAC environment with users that are defined on the ACS. The groups are also defined on this machine.
    The problem is that we have to move all the users from the ACS to the domain controller, so all the users will become AD users.
    In which way do we have to configure the NAC environment to permit authentication via Active Directory instead of the RADIUS that runs on the ACS?
    Thanks a lot!
    Leonardo

    You have to create a map rule if you have two or more Roles authenticating in the same LDAP Auth Server, and not if you have two or more auth servers.
    If the users authenticating today in the Radius Server ACS are associated with a single Role XYZ, then you can configure the LDAP Server linking users to the same Role XYZ.
    You will have two providers for the same Role.

  • Kerberos authentication via Apache ...

    Hi all !
    We use SAP NW Portal 7.0; we can access the portal from the internet via Apache as a reverse proxy;
    our internal and external users access the portal via the Apache reverse proxy;
    now we want to use Kerberos to authenticate against the J2EE of the Portal;
    Kerberos is working when I access the Portal directly via http://<fqdn>:<port>/irj;
    but when we want to access the portal via the Apache reverse proxy, e.g. http://portal.test.com, authentication via Kerberos doesn't work; Apache doesn't pass the Kerberos ticket;
    is there any solution ?
    the Apache reverse proxy should be the 'single point of contact' for portal access;
    Thanks
    Oliver

    To use the portal, all users (internal or external) have to use the URL of our Apache reverse proxy; the URL is the same for internal and external users
    ==> http://portal.test.com;
    for the internal users, it would be nice if the Apache reverse proxy could pass the Kerberos ticket to the portal server so that the login page doesn't appear;
    how to?
    Thanks
    Oliver

  • HTTP authentication via ACS TACACS+.

    Hi.
    I configured a router for TACACS+ access and the console and CLI work fine.
    HTTP access continually prompts for a password and I can never gain access via the web.
    I have tried the various CLI combinations of IP HTTP AUTHENTICATION, but it still does not seem to work with TACACS+.
    Debug authentication and authorization are ok (PASS)!
    Any suggestions??
    Thanks.
    Andrea.

    Hi Andrea,
    Make sure that you have privilege level 15 for your account, as telnet can work without it, but for HTTP it's a must.
    You can configure it for the Group under which you have your user account, or on a per-user basis too.
    Select group > Edit Settings > TACACS+ section
    Check "Shell" and "Privilege level" and in the box in front of privilege level, put the number "15".
    Also, if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
    Let me know if it helps :)
    I suppose you have the "ip http authentication aaa" command configured.

  • Oracle JAAS with roles from database tables and Oracle SSO integration

    I have the following requirement for user authentication and authorization. The applications are built using ADF Faces and BC4J. User authentication should be done using Oracle SSO. User roles and functions will be stored in custom tables. These roles will be used on ADF application pages to restrict access to the UI components on a page. Example: a user with the "Employee" role cannot create a new employee; however, a user with the "HR" role can create a new employee.
    In this case, the "Create" button will be visible on the ADF page.
    1. How can we use Oracle JAAS to use custom tables for roles instead of using flat XML files?
    2. How does ADF applications use these roles to restrict components on a page?
    3. For authentication, I guess we should be able to use SSO and integrate with Oracle JAAS?
    Thanks.

    Hi,
    I can give you the answers to 1 and 2 but haven't tried 3.
    1) Oracle OC4J since 10.1.3.1 has a database LoginModule that is explained in the OC4J security guide.
    I have a how-to document in review that will be published probably next week and that explains how to set this LoginModule up for JDeveloper and stand-alone OC4J, though the OC4J documentation is pretty good as well:
    http://download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/loginmod.htm#BABCDDAI
    2) Create a managed bean with boolean methods like isUserManager, isUserEmployee, isUserTechnician etc. In these methods check for the security role on the request object's isUserInRole() method. Then access these methods from the disabled or rendered property using Expression Language.
    A custom LoginModule doesn't use Oracle JAAS but plugs into it. So I am not sure if SSO would work with this, because the custom LoginModule wouldn't get a username/password pair but only a username that it has to trust.
    Frank
