Configuring AAA in ACE using ANM

Hi guys
Is there a way to do this? I can't find anywhere how to configure the AAA parameters for the ACE CLI access using the ANM. I know where to configure AAA for the ANM access, but not for the ACE devices.
thx in advance!
Omar M

Hi Omar,
Is there a way to change the interface that the ACE uses for TACACS requests?
The interface to be used for the AAA request is chosen based on the routing table, so, unless the server is in a vlan directly connected to the ACE, you can define which interface to be used by configuring a static route towards the server.
Also, there's gonna be a request for each context right?
The AAA configuration is done on a per-context basis, so, each context will handle connections arriving to it following its own configuration settings.

Similar Messages

  • ACE and ANM RBAC - Single user with Admin access

    Goodday,
    I would like to confirm if one can only assign a single user Admin access to a context via RBAC (either on ANM or ACE native RBAC through ACS). So is this true or not?
    If so, would I be correct in assuming this excludes the default Admin user.
    Also, what do you do if you need to provide Admin access to more than one user? Can it be done?
    Thanks
    Paul

    Actually, multiple users can be assigned to the pre-defined Admin role in ACE RBAC, such as the following:
    myaceisnamedthis/Admin(config)# username Bob password weakpass role Admin domain default-domain
    This is also true in ANM, where the user's RBAC is a cross product of the ANM defined role and domains (which is at the ANM level so that it can span multiple ACE devices and contexts).
    In both cases, the AAA can be used for authentication, though authorization is performed by ACE/ANM themselves.
    Cheers,
    David K.

  • Shutdown service in ACE using SNMP

    Dear Mister
    Is it possible to configure or shut down a service using SNMP? More than this, in a context?
    I am searching for the OIDs for it, but I have had no luck.
    Regards and thanks in advance

    Hi,
    I don't think so. You have a list of MIBs available which can fetch data from the ACE, but there is no provision to shut down the service using SNMP. The ACE supports traps and SNMP get requests but does not support set requests to configure values on the device. Please visit the link below for more information:
    http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/administration/guide/admgd/snmp.html
    Regards,
    Kanwal

  • Configuring AAA Authorization on ACS 4.1

    Hi,
    Can anybody provide me links to any good documentation on how to configure AAA Authorization using Command Shell on the ACS 4.1? I would be really grateful if someone can point me to a few links.
    Thanks,
    Meet

    Hi
    I would try looking at this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080088893.shtml
    This describes how to plan, design and build shell cmd auth config in ACS.
    Darran

  • Configuring aaa local command authorization

    I am struggling a bit with how to configure aaa local command authorization, and I am not finding any material for configuring it. Please tell me how to configure aaa local command authorization, or if possible give me some useful links for that.

    Hi,
    For the aaa authorization command set, kindly refer to this link.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
    I hope this helps. Please rate this post.
    cheers
    Sachin

  • AAA on ACE

    Dear experts,
    I need to enable aaa authentication on Cisco ACE 4710 and unable to do that. Please help me with this.
    Here is the config i have done on the ACE.
    tacacs-server key 7 "vdepw@cffgG1tplDU"
    tacacs-server host 172.18.124.20 key 7 "vdepw@cffgG1tplDU"
    tacacs-server host 172.18.124.21 key 7 "vdepw@cffgG1tplDU"
    aaa group server tacacs+ TACACS+_Server_Group1
    server 172.18.124.20
    server 172.18.124.21
    aaa authentication login default group TACACS+_Server_Group1 local
    aaa authentication login error-enable
    I added the entry for ACE in ACS but still it's not authenticating.
    Regards,
    Akhil

    You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (Role Based Access Control), and for that you have to pass the context and user role from the TACACS server to the ACE. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
    The following steps (on the TACACS server) will make it work:
    1. Select your user
    2. Go to TACACS+ settings
    3. Select " shell (exec)" checkbox
    4. Select "custom attributes" checkbox
    5. Type your context and role information in custom attrib box, using following format
    shell:*
    For example (if the context name is Admin, the domain is default-domain and you want to assign the role "Admin" to this user):
    shell:Admin*Admin default-domain
    For more information, please read one of my old posts on this topic.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc10b80/3#selected_message
    Hope it helps
    Syed Iftekhar Ahmed
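
The attribute format from the reply above, turned into a small audit script for checking which role each TACACS+ user will actually receive on an ACE context (an added example, not code from the original post or from Cisco). The field layout is inferred from the post's `shell:Admin*Admin default-domain` example; the user names and attribute lines are constructed sample data, and exact-match comparison of context names is an assumption.

```python
import re

# Role the ACE assigns when the server pushes no RBAC info (stated in the post).
DEFAULT_ROLE = "Network-Monitor"

# shell:<context><sep><role> <domain> [<domain> ...]
# Layout inferred from the post's example. In TACACS+ AV pairs '*' marks an
# optional attribute and '=' a mandatory one (RFC 8907); the post uses '*'.
AV_RE = re.compile(
    r"^shell:(?P<context>[^\s*=]+)(?P<sep>[*=])(?P<role>\S+)(?P<domains>(?:\s+\S+)*)$"
)


def parse_ace_av(line):
    """Parse one custom attribute line; return None if it is malformed."""
    m = AV_RE.match(line.strip())
    if m is None:
        return None
    return {
        "context": m.group("context"),
        "role": m.group("role"),
        "domains": m.group("domains").split(),
        "mandatory": m.group("sep") == "=",
    }


def audit_user(av_lines, context):
    """Return (effective_role, flags) for one user in one ACE context."""
    flags = []
    role = DEFAULT_ROLE
    matched = False
    for line in av_lines:
        av = parse_ace_av(line)
        if av is None:
            flags.append("malformed")      # typo in the attribute box
        elif av["context"] == context and not matched:
            role, matched = av["role"], True
    if not matched:
        flags.append("fallback")           # user silently lands on DEFAULT_ROLE
    if role == "Admin":
        flags.append("admin")              # full control, worth a review
    return role, flags


# Constructed sample data: user -> custom attribute lines from the AAA server.
SAMPLE_USERS = {
    "alice": ["shell:Admin*Admin default-domain"],
    "bob": [],                                           # authenticated only
    "carol": ["shell:Admin Admin default-domain"],       # separator missing
    "dave": ["shell:web*Network-Monitor default-domain"],
}

if __name__ == "__main__":
    for user in sorted(SAMPLE_USERS):
        role, flags = audit_user(SAMPLE_USERS[user], "Admin")
        print(f"{user:6} context=Admin role={role:16} flags={','.join(flags) or '-'}")
```
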

  • How-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANs (or are VLANs easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

  • I gave my old iPad to my daughter without restoring it to original configuration, how can she use it with her iTunes?

    I gave my old iPad to my daughter without restoring it to original configuration, how can she use it with her iTunes?

    try
    http://support.apple.com/kb/ht2589

  • How to configure Oracle 10g to use 4GB memory

    I'm trying to configure Oracle 10g to use >4GB memory. I have configured the server boot.ini with the required flags (/3GB /PAE), rebooted the server, created a standard database, then connected to the db instance and changed the oracle parameters DB_BLOCK_BUFFERS and USE_INDIRECT_DATA_BUFFERS as required. After restarting the DB instance, the DB fails to restart with an SGA memory error. According to the oracle user docs the SGA is no longer in effect due to previous settings. Can you provide an example of an SPFILE with parameter settings that do work and use >4GB memory? The current server has 8GB, 2 x Dual XEON core/processors (i.e. 8 processors).

    The recommended /3GB switches in the boot.ini file can only be used with the following operating systems editions (KB article 291988):
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Data Center Server
    Microsoft Windows Server 2003, Enterprise Edition
    Microsoft Windows Server 2003, Data Center Edition
    Microsoft Windows Small Business Server 2003
    Important: Windows 2000 and 2003 Server Standard Editions DO NOT SUPPORT /3GB Switch.
    So if your OS is listed above, then you cannot have a larger SGA.

  • [svn] 3519: Fix typo in error string for situations where there are advanced messaging configuration settings from LCDS used in the configuration files but no AdvancedMessagingSupport service .

    Revision: 3519
    Author: [email protected]
    Date: 2008-10-08 04:17:40 -0700 (Wed, 08 Oct 2008)
    Log Message:
    Fix typo in error string for situations where there are advanced messaging configuration settings from LCDS used in the configuration files but no AdvancedMessagingSupport service. The error string said that there was no flex.messaging.services.AdvancedMessagingService registered but it is the flex.messaging.services.AdvancedMessagingSupport service that needs to be registered.
    Add configuration test that starts the server with a destination that has the reliable property set which is an advanced messaging feature but there is no AdvancedMessagingSupport service registered.
    Modified Paths:
    blazeds/trunk/modules/common/src/flex/messaging/errors.properties
    Added Paths:
    blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/
    blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/error.txt
    blazeds/trunk/qa/apps/qa-regress/testsuites/config/tests/messagingService/ReliableDestinationWithNoAdvancedMessagingSupport/services-config.xml

    Hi,
    Unfortunately I already tried all kinds of re-installs (the full list is in my original message). The only one remaining is the reinstall of Windows 8 itself, which I would really like to avoid.
    What I find really strange is the time it takes for the above error message to appear. It's like one hour or even more (never measured exactly, I left the computer running).
    What kind of a timeout is that? I would expect that, if ports are really used by some other application, I get the message in less than a minute (seconds, actually). To me this looks like the emulator itself for some reason believes there's a problem with some port while in reality there isn't.
    I'll eventually contact Microsoft Support, thanks for the suggestion.

  • Problem configuring SOA suite to use OID for authentication

    We are in the process of rebuilding our environment to use the full SOA suite with our OID server for authentication (was previously just BPEL using AD directly), and have encountered several problems (below). We have rebuilt the OID server, and reinstalled the SOA suite into a clean ORACLE_HOME to no avail.
    We first rebuilt the OID server using the following steps (derived from Oracle® Internet Directory Administrator's Guide):
    1)     Create the Import and Export profiles for AD synchronization. We did this using the Directory Integration and Provisioning Server Administration tool under “Active Directory Configuration”
    2)     Modify the map file to specify the correct OU mappings between AD and OID.
    3)     Update the profile with the new map file using “dipassistant.bat mp”
    4)     Bootstrap the import profile using “dipassistant.bat bootstrap”
    5)     Start a new instance of the Integration server (odisrv) running on config set 1 (the config set containing the Active Directory import/export profiles) using “oidctl”
    6)     Set the Import profile to Enable. The OID server does not export changes to AD in our current configuration, so the Export profile is left on disable (and not bootstrapped)
    At this point it appears that the AD synchronizes correctly into our new OID server.
    Next we installed the SOA suite:
    1)     We ran “irca.bat” on our database server to create the ORABPEL, ORAESB, and ORAWSM schemas and associated integration repository structure.
    2)     After launching the SOA suite installer, we selected Advanced Install.
    3)     On the next screen, we selected J2EE Server, Web Server, and SOA Suite.
    4)     We then provided the credentials for our Oracle database, and the passwords for ORABPEL, ORAESB, and ORAWSM.
    5)     We configured our new AS instance as an administration instance, but did not opt to use from a separate HTTP server, and did not make this instance part of an OAS cluster topology.
    And finally, we configured our new SOA suite instance to use OID for authentication (using the instructions in Oracle® BPEL Process Manager Administrator's Guide section 2.1.3):
    1)     Used the configure_oid.bat command to seed OID with required users only.
    2)     Logged into the OracleAS Control Console
    3)     Chose the oc4j_soa instance, then Administration->Security->Identity Management
    4)     Configured the OID server using a non-ssl connection and the cn=orcladmin account.
    5)     When prompted, chose to reconfigure all applications in the oc4j_soa instance to OID, but not to use SSO for any of them.
    6)     Copied the contents of ORACLE_HOME\j2ee\home\config\jazn.xml to ORACLE_HOME\j2ee\oc4j_soa\config\jazn.xml
    7)     Restarted the application server.
    After this procedure, we encountered the following issues:
    1)     The BPEL console appears to authenticate users correctly out of OID, but no users have access to the default domain, including bpeladmin and oc4jadmin. All users receive a similar access denied message when attempting to log into the BPEL Admin Console.
    2)     We cannot upload a BPEL process to our new server via JDeveloper’s standard BPEL deployment mechanisms. The connection appears to be working properly and passes all tests, but on uploading a process we get a Java AccessDeniedException. ESB appears to be functioning properly, and accepts uploaded projects without issue.

    Bassman,
    We recently configured our SOA Suite to use OID and SSO. We had the same issues you are having, and we found the resolutions in a blog from Jaas Poot (http://blog.jpoot.com/category/oracle-appserver/oid-ldap/). For the BPEL domain access, this involved going to the data-sources.xml file and changing the database passwords from using ->pwForOrabpel for the orabpel schema and ->pwForOraesb for the oraesb schema to the real passwords; the blog explains more about this.
    The blog also covers the JDeveloper deployment issue, and another issue we encountered, where we couldn't access the BPEL Admin console. All of these were resolved following the steps in the blog.
    Hope this helps
    Candace

  • Configuration Scenario for BPM Using Integration Scenario

    hi All,
    I have a scenario where I am using BPM. Most of the blogs tell about manually creating all Configuration objects. I had created an Integration Scenario for this scenario by referring to the earlier threads available for same.
    How to Create Integration Scenario for BPM Scenario
    Integration Scenario in BPM  and few more.
    My IS looks like
    Sender App Component - Integration Process - Receiver App Component
    Now when I am trying to create a Configuration scenario for same using the model configurator, I am getting Model as "Not Configurable"
    And when I click the "Configurability Check" button, I am getting the below as status:
    Component view IS_POC_BPM: Connection from receivePayload to getABSPayload does not have an inbound service interface
    Component view IS_POC_BPM : Connection from sendABSPayload to getPayload has no outbound interface
    getABSPayload and sendABSPayload are actions for Abstract interfaces.
    IS_POC_BPM is the Integration Process Name.
    Also in the Integration Scenario, when I create a connection between the sender action and the BPM action there is no inbound interface coming. And vice versa.
    Please help me in identifying if I am doing anything wrong in creating this scenario.
    Is it possible to create Configuration Scenario for BPM Using Integration Scenario?
    Thanks,
    Mayank
    Edited by: Mayank  Gupta on Apr 21, 2010 6:35 AM

    I think you should refer to the available Integration Scenarios created for BPMs in IR --> SAP BASIS --> http://sap.com/xi/XI/System/Patterns
    The Sender template will have the Action with Outbound Service Interface and then in the BPM Template the action will have Inbound Interface. Then within the BPM itself this inbound will be mapped to the Action with Abstract Interface.
    Maybe after looking at the Integration scenarios you will get more of an idea.
    Regards,
    Abhishek.

  • Anyone successfully configured a LinkSys WRT54G using a G5 tower for the IPh

    Hi,
    Anyone successfully configured a LinkSys WRT54G using a G5 tower for the IPhone?
    If so please, could you give me the router configurations?
    As my wi-fi network won't even show up on IPhone.
    Thanx
    SvK

    I have that same router and the iPhone found it with no problem.
    I wish I could be more of a help. Try accessing your router's settings.

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    Hi, I have the following config which seems to be working fine for me... check your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • EPM System Configurator not prompting to use existing tables

    Planning 11.1.1.3.
    Oracle Database
    Planning database configured using advanced jdbc URL with alternative servers.
    Above is what we have installed and configurations settings we are using.
    In the short of it, Our Oracle DBA changed the servicename for the Oracle database to go from <SERVICENAME> to <SERVICENAME.world>. Even going thru TOAD we have to use <SERVICENAME.world> now. When they did this our QA environment is now down and we have to reconfigure all of the databases to account for the new servicename.
    We successfully reconfigured the SharedServices database just using the option to connect to an existing configured database and correcting the servicename, and it is working normally.
    For all other products we will have to use the configure for first time option to be able to change the properties.
    HOWEVER, when we use the 1st-time configuration for planning we are able to correct the properties for the connection and set the new servicename, but when we click next I would expect to be asked whether to reuse the existing tables or drop/recreate them, however, the screen just steps forward to the confirmation screen. In the configtool.log I have the following message:
    (Oct 28, 2010, 11:18:12 AM), com.hyperion.planning.HspDBConfigurator, DEBUG, Planning tables exist already but will reuse it as upgrade now -- should be 9.3.X upgrade.
    We want to be assured that performing the step without having the option to reuse tables will not wipe and recreate the planning system database.
    So:
    1. Why do we get this error when trying to reconfigure the planning database? Can we ignore it?
    2. What steps do we have to take to ensure that the Servicename is updated in all configuration files, and database locations it is in?
    3. Is there any viable way to do this outside of the configuration utility? (For example only editing files and registry)? If so what steps are required?
    I would greatly appreciate it!
    Robert

    I am on 11.1.2.1. I was able to find the solution. I went to the C:\Users directory and copy the oracle.instances file from the original temp ID that had performed the installation onto the account that I want to use going forward. That resolved my issue and I am now able to start EPM configurator for update as well.
