Authorization using DAP
How can we use DAP in Anyconnect VPN to authorize network access to remote users by validating domain-name in machine certificates against an AD and ISE as a radius server ?
Any progress?
Similar Messages
-
LDAP (openldap) authorization with DAP (dynamic access policy)
Hello,
We have an ASA 5520 and we are trying to set up LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with logical expressions. We need more examples of logical expressions and we need to know how to debug a logical expression. We tried to use debug dap trace and debug dap error, but we need more debug information.
Hi
I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).
Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
Hth
Herbert
Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know. -
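The difference described in the reply above, as an added example that is not part of the thread: a single-valued attribute map keeps one group and drops the rest, while rules evaluated over the full memberOf set see every membership. This models the logic only and is not ASA or ASDM syntax; the group names, policy names and rule format are hypothetical.

```python
import re

# Constructed sample: memberOf values returned for one user (names are hypothetical).
MEMBER_OF = [
    "cn=Contractors,ou=groups,dc=example,dc=com",
    "cn=Net\\, Admins,ou=groups,dc=example,dc=com",
    "cn=VPN-Users,ou=groups,dc=example,dc=com",
]
# Hypothetical group -> group-policy map and per-group access rules.
POLICY_MAP = {"Contractors": "GP-Contractor", "Net, Admins": "GP-Admin",
              "VPN-Users": "GP-VPN"}
RULES = {
    "admin-access": ("AND", "VPN-Users", "Net, Admins"),
    "contractor-restricted": ("AND", "Contractors", ("NOT", "Net, Admins")),
    "base-vpn": ("OR", "VPN-Users", "Contractors"),
}


def group_cn(dn):
    """Return the leading cn= value of a DN, undoing RFC 4514 escapes."""
    m = re.match(r"(?i)\s*cn=((?:\\.|[^,\\])+)", dn)
    if not m:
        raise ValueError("DN does not start with cn=: %r" % dn)

    def unescape(e):
        g = e.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", unescape, m.group(1)).strip()


def attribute_map_policy(member_of, policy_map, pick="first"):
    """Single-valued mapping: one matching group decides, the rest are lost."""
    hits = [policy_map[g] for g in map(group_cn, member_of) if g in policy_map]
    if not hits:
        return None
    return hits[0] if pick == "first" else hits[-1]


def eval_rule(expr, groups):
    """Evaluate a nested (op, operand, ...) expression over the group set."""
    if isinstance(expr, str):
        return expr in groups
    op, *args = expr
    if op == "NOT" and len(args) == 1:
        return not eval_rule(args[0], groups)
    if op in ("AND", "OR") and args:
        results = [eval_rule(a, groups) for a in args]
        return all(results) if op == "AND" else any(results)
    raise ValueError("bad expression: %r" % (expr,))


def matching_rules(member_of, rules):
    """Names of every rule satisfied by the user's full memberOf set."""
    groups = {group_cn(dn) for dn in member_of}
    return [name for name, expr in rules.items() if eval_rule(expr, groups)]


if __name__ == "__main__":
    print("attribute map (first):", attribute_map_policy(MEMBER_OF, POLICY_MAP))
    print("attribute map (last): ", attribute_map_policy(MEMBER_OF, POLICY_MAP, "last"))
    print("rules on memberOf:    ", matching_rules(MEMBER_OF, RULES))
```

With the sample data the admin user lands in the contractor or the base VPN policy depending on list order, while the rule set matches on the admin membership regardless of order.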
Web Authorization using Jrun 4 Updater 7
Hi
I'm trying to implement Web Security Authorization using JRUN 4 updater 7. When I start the server, I'm getting an error.
06/03 15:46:24 error An exception was thrown when initializing the security filters.
java.lang.NullPointerException
at jrun.servlet.security.StandardSecurityFilter.<init>(StandardSecurityFilter.java:59)
at jrun.servlet.security.WebAppSecurityService.createSecurityFilters(WebAppSecurityService.java:462)
at jrun.servlet.security.WebAppSecurityService.start(WebAppSecurityService.java:95)
at jrun.servlet.WebApplicationService.start(WebApplicationService.java:223)
at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:194)
at jrun.deployment.DeployerService.initModules(DeployerService.java:708)
at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:243)
at jrun.deployment.DeployerService.deploy(DeployerService.java:428)
at jrun.deployment.DeployerService.handleEvent(DeployerService.java:382)
at jrunx.kernel.JRunServiceDeployer.fireEvent(JRunServiceDeployer.java:710)
at jrunx.kernel.JRunServiceDeployer.deployServices(JRunServiceDeployer.java:111)
at jrunx.kernel.DeploymentService.loadServices(DeploymentService.java:46)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
at jrunx.kernel.JRun.startServer(JRun.java:575)
at jrunx.kernel.JRun.<init>(JRun.java:493)
at jrunx.kernel.JRun$1.run(JRun.java:346)
at java.security.AccessController.doPrivileged(Native Method)
Code:
===========
My Web.xml has the configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>mywebapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>viewer</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>editor</role-name>
<role-name>manager</role-name>
<role-name>supereditor</role-name>
<role-name>viewer</role-name>
</security-role>
</web-app>
CFMX 7.0.2 is a separate application from JRun. If you have the multiserver or j2ee install of CFMX on JRun then you should install Updater 6. Also there are hot fixes on top of U6 that you might want to install. The following is a link to the JRun 4 hot fixes:
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_18526
You should check each one individually to see if it applies to Updater 6.
Ted Zimmerman -
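A descriptor check one might run over the web.xml posted above, added here as an example (not from the thread and not JRun code): it flags a security-role holding more than one role-name, which the Servlet 2.3 DTD does not allow, and an auth-constraint with no login-config. Whether either one causes the NullPointerException is not established on this page; normalize() and its BASIC default are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: body of the web.xml posted above (prolog/DOCTYPE omitted).
POSTED_WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>mywebapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint><role-name>viewer</role-name></auth-constraint>
</security-constraint>
<security-role>
<role-name>editor</role-name>
<role-name>manager</role-name>
<role-name>supereditor</role-name>
<role-name>viewer</role-name>
</security-role>
</web-app>"""


def role_names(element):
    """Non-empty role-name values directly under element."""
    return [n.text.strip() for n in element.findall("role-name")
            if n.text and n.text.strip()]


def lint_web_xml(xml_text):
    """Findings for the security elements of a Servlet 2.3 descriptor."""
    root = ET.fromstring(xml_text)
    findings, declared, constrained = [], set(), set()
    for role in root.findall("security-role"):
        names = role_names(role)
        if len(names) != 1:  # DTD: security-role (description?, role-name)
            findings.append("security-role holds %d role-names, DTD allows 1"
                            % len(names))
        declared.update(names)
    for auth in root.findall("security-constraint/auth-constraint"):
        constrained.update(role_names(auth))
    for name in sorted(constrained - declared - {"*"}):
        findings.append("role '%s' is constrained but not declared" % name)
    if constrained and root.find("login-config") is None:
        findings.append("auth-constraint present but no login-config")
    return findings


def normalize(xml_text, auth_method="BASIC"):
    """One security-role per role; add login-config if absent.
    auth_method is an assumed default, not taken from the post."""
    root = ET.fromstring(xml_text)
    names = []
    for role in root.findall("security-role"):
        names += role_names(role)
        root.remove(role)
    if root.find("login-config") is None:
        login = ET.SubElement(root, "login-config")
        ET.SubElement(login, "auth-method").text = auth_method
    for name in dict.fromkeys(names):  # keep order, drop repeats
        role = ET.SubElement(root, "security-role")
        ET.SubElement(role, "role-name").text = name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_web_xml(POSTED_WEB_XML):
        print(finding)
```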
-
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
AAA Authorization Using Local Database
Hi Guys,
I'm planning to use AAA authorization using local database. I have read already about it, I have configured the AAA new-model command and I have setup user's already. But I'm stuck at the part where I will already give certain user access to certain commands using local database. Hope you can help on this.
FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.
For allowing limited read-only access, use this example,
We need these commands on the switch
Switch(config)#do sh run | in priv
username admin privilege 15 password 0 cisco123!
username test privilege 0 password 0 cisco
privilege exec level 0 show ip interface brief
privilege exec level 0 show ip interface
privilege exec level 0 show interface
privilege exec level 0 show switch
No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
User Access Verification
Username: test
Password:
Switch>show ?
diagnostic Show command for diagnostic
flash1: display information about flash1: file system
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
switch show information about the stack ring
Switch>show switch
Switch/Stack Mac Address : 0015.f9c1.ca80
H/W Current
Switch# Role Mac Address Priority Version State
*1 Master 0015.f9c1.ca80 1 0 Ready
Switch>show run
^
% Invalid input detected at '^' marker.
Switch>show aaa server
^
% Invalid input detected at '^' marker.
Switch>show inter
Switch>show interfaces
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
Internet address is 192.168.26.3/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Switch>
Please check this link,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
Do rate helpful posts -
Hierarchy Authorization using Variable via Customer Exit
Hi experts,
I am wondering if I can do Hierarchy Authorization using Variable via Customer Exit? I know it can be done on normal value authorization by putting $+(the variable name). So can we do the same for Hierarchy authorization?
For my case I have a 0ORGUNIT and I would allow the role to access anything below its node. So do I put $VARORGUNIT in Technical Node Name and Hierarchy name as ORGEH, Type of authorization = 1 and Area of Validity = 3.
Points will be given!
Thanx!
Hello Chee Jason,
Are you working with version 3.5 or 7.0?
How do you specify Hierarchy variable?
Any advise you can share is very much appreciated.
Thanks,
Patrick -
How to trace the missing authorizations using NWBC at object level
Hi all,
In SAP R/3 any authorization issue can be tracked down till authorization object level using SU53 tcode and ST01 tcode.
1 - I have a super user who has all the roles in the Solution Manager system and a test user which I created with just 1 role, the Incident Management role. When I log in with the super user ID I can see in tcode (WDY_APPLICATION - Incident Management) 4 tabs (Overview, Messages, Reports and Queries), but when I execute the same tcode using the test ID I can only see the Overview and Messages tabs. The Report and Query tabs are missing. Please advise on how to trace the missing authorizations using NWBC at object level, or how to solve this issue.
2 - How to add a Web dynpro Transaction code (example WDY_APPLICATION - Incident Management )while building a role in PFCG?
Thanks
LAK
Hi Gurus,
Can anyone please help me with my questions.
In addition, here is some more info that I need:
How to bring in the new authorizations without logging off and logging back in to NWBC (equivalent to Menu-->Refresh in SAP GUI)
Thanks
LAK -
I was about to update my Firefox browser when it said that my Dap downloader and Speedbit video accelerator wouldn't work with the latest update of firefox. I have had no trouble in the past with these extensions so why now. I use these extensions extensively, So I don't want to update, and by not updating I'll probably have problems, so what do I do??? Thanks for your time this. Jan.
Hi,
I changed the path for some of my files and my application runs from jdeveloper with no problem but when I tried to deploy my application into weblogic server I found that there is some pages that don't open and generate various errors like
1. Why did you change the path ?
2. How and where did you change the path ?
As the system cannot find the DataBindings.cpx file (obviously, as it claims to not find the PageDef file) you need to edit the adfm.xml file. Note that adfc-config.xml is never under "model" but always in the public_html/WEB-INF directory. If it's not there then you clearly messed up the required infrastructure.
Frank -
Authorize use of music on new computer
Hello, I'm new to this forum.
I'm not sure if I'm using the correct verbiage of "Authorize" it to use it.
I have been using iTunes 6 (I believe that was the version) on an old Compaq computer with Windows XP. The computer crashed and after changing hard drives, I now have a new computer, again running Windows XP.
I was able to slave my old drive but have had very poor luck getting my data, songs and such, copied over to my new hard drive. I should say that I've completed the transfer but it's just taken many hours of screwing around to do so. I've had to recover my new computer a couple time when I unhook my slave drive. I now have all my 29 gig of music on my new computer and have downloaded and installed iTunes 7.0.2 on my new computer.
When I started up iTunes the first time it looked for all my music and imported it from my hard drive, or whatever it does to show it up in the library. It all shows up in the library but only a small portion of it is available to me. When I double click a song to play it it says I'm not authorized to use it. These are all CD's I own and have copied to my computer. I've been using these for my iPod for about a year. I have 40 gig monochrome music only, I think it's a third generation. My iPod is still working fine with about 5,700 song loaded. I really don't want to have to import all these CD's.
How do I set my new computer to use the music I own and have located on my new hard drive?
Thanks in advance for your help.
Dan
HP e7560n Windows XP
I'm presuming you still have the old iTunes folder intact on your old (slave) hard drive? If so, you haven't imported anything new since that folder was in use, and you have iTunes 7 installed and running, try this:
Locate the iTunes folder in your My Documents -> My Music folder on your primary (new) hard drive and delete it.
Drag the entire iTunes folder (containing the iTunes Library and iTunes.xml files and the iTunes Music folder) from your old drive to the My Documents -> My Music folder on your main drive.
Hold down the Shift key and launch iTunes. When you get the dialog box that says "Choose iTunes Library", navigate to the iTunes folder in My Documents -> My Music and select it.
With luck, you'll be back in business.
Hope this helps.
BTW, the fact that you say you keep having to recover your computer when you disconnect the slave drive might indicate that you have things misset when you're connecting the old drive. Make sure that the jumpers are correctly set, and of course that you're not disconnecting the slave with the power on. -
Authorization using user_id/password
Hi All,
I am writing a web service to access data thru an
EJB running on S1As7 (Sun ONE App Server7) from a
database and send it to the client in XML format.
The client (another application) request comes in
a SOAP message over HTTP. The message contains arg_1,
user_id and password. At this point, I want to
authorize the user against my S1DS (Sun ONE Directory
Server) before I instantiate the EJB.
My problem is, how am I going to pass the user_id
and password to the S1DS? Can I configure S1AS7
such that it automatically passes the user_id
and password to the S1DS?
Or do I need to make these calls to the S1DS using
JAX-RPC API?
Please suggest any other better ways of handling this.
Any help in this issues is greatly appreciated.
Thanks
You can use the LDAP realm provided by SunONE Appserver.
Following document will help you to understand this realm.
http://docs.sun.com/source/816-7149-10/dgsecure.html#13396 -
Populate user exit Variable with User Authorizations using ABAP?
Hi, Does anyone know of a way to populate a user exit variable (with ABAP) with the Authorization Values for a user running a report? I am turning off authorizations for our InfoProvider using RSSM and want to populate a variable instead and use the variable as a filter.
Hi Kenneth ,
You need dynamic authorization in your report .This can be done at query runtime by using exit variable and writing cmod code for the same .
This code will read authorization maintained at runtime of query in i_step = 1 and will pass input var values accordingly .
For step by step information you can access this document .
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0f9f33c-0f17-2d10-d3a2-ae52ccd00780?quicklink=index&overridelayout=true
Hope this will be helpful .
Regards,
Jaya Tiwari -
T-code CJ88 role authorization using company code?
Hi expert!
Who can tell me how to control the CJ88 T-code using company code?
The business case is below:
1, the user has 10 company codes and only one control area.
2, one employee cannot use CJ88 to settle the project of another company code.
Can anyone tell me how I can control this?
Please explain all the steps required.
Thanks in advance!
I am not sure about CoCode-wise authorization for CJ88... you said you have 10 CoCodes; if the Person Responsible of the projects is different for each CoCode, then use authorization object C_PROJ_VNR (Project Manager for Proj Def) or C_PRPS_VNR (project manager for WBSE) for running CJ88, so that the person responsible for another company code's project cannot run settlement of other projects.
-
Weblogic 103 Authentication & Authorization using extenal openldap
Can somebody point to a documentation for implementing Authentication & Authorization for Weblogic 10.3 web app using openLdap ?
Thanks
This is what I did. My environment is openldap, weblogic 10.3 on a windows machine. Still having trouble
dn: cn=fd_user1,ou=people,dc=example,dc=com
objectClass: person
cn: fd_user1
dn: cn=FD,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: FD
member: cn=fd_user1,ou=people,dc=example,dc=com
Here is my weblogic.xml entries
<wls:security-role-assignment>
<wls:role-name>FD</wls:role-name>
<wls:externally-defined/>
</wls:security-role-assignment>
My web.xml
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>SecuredArea</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>FD</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>FD</role-name>
</security-role>
Inside the login.jsp I do have the j_security_check as the action parameter value. I am able to view the ldap users in the admin console too. Still not able to access the resource. I am in the process of debugging the ldap messages on the openldap console.
Thanks -
Slow response of Authorization using ACS4.2
We encountered a slow response of command authorization with a Cisco 3750 using the TACACS+ protocol to communicate with Cisco ACS 4.2. When we copy and paste more than 20 command lines, it takes more than 15s to complete, sometimes with "authorization failed". It seems that single connection can help, but the TACACS connection is kept connected between the ACS and the switch. Not sure of any performance impact on the Cisco ACS 4.2 and the maximum sessions it can handle.
Any advice?
laut
Can anyone share their experience of authorization with Cisco 3750 & ACS 4.2?
Thanks.
laut