ESA - External Auth - Spam Quarantine

I'm looking to see if anyone has a workaround for admins logging into Spam Quarantine and not being able to set their safelist / block list.  I'm using AD accounts for TACACS+ / Radius on my ACS 5.4 appliance and I found an issue when using Radius for admin access to my ESA.  After enabling Radius, admins who log into the spam quarantine site have access to everyone's spam which is correct, but they no longer have the option field to setup their safelist / block list.
Thx
-Kevin

I also have the same issue.  The only way around it for me was to use different accounts for administrating the IronPort appliances.   This fell into alignment with my organization's practice of setting up separate Admin accounts for server/workstation administration that are separate from a server admin's user account.
I think the appliance is confused, because when you login with an administrative level account you see the quarantine of all users, so it can't add safelist/blocklist addresses because it doesn't know what mailbox to add these to.
Be interested to hear what Cisco has to say about it.

Similar Messages

  • IronPort SMA: External Spam Quarantine SSO Login

    Can external spam quarantine accommodate SSO login, if it's tied with AD? As far as I know, it cannot.

    Found the answer:
    Accessing the Quarantine via the Quarantine URL
    If LDAP Auth is configured, then the user's AD username and password get them into the quarantine. There is no SAML SSO integration at this time.
    Accessing the quarantine via the Notification Digest
    When the user clicks on the link of a notification email, the URL has an auth token in it which authenticates the user to the quarantine. No popup login required.
    https://sma.quarantine.com:83/Search?h=8d392bb51780c3f7ebe0fa388eb9db2a&email=[email protected]
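As an added illustration of the second path (not Cisco's implementation, whose token format is not documented on this page), this is the kind of signed, recipient-bound, time-limited token a notification link carries so that no password prompt is needed: the token is an HMAC over the recipient address and an expiry, and the server rebuilds and compares it in constant time before treating the bearer as that recipient. The host is the one from the link above; the secret, the `exp` parameter and the 32-hex-character token length (matching the `h=` value above) are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side secret (constructed); in practice it exists only on the quarantine host.
QUARANTINE_SECRET = b"constructed-demo-secret-do-not-reuse"
BASE_URL = "https://sma.quarantine.com:83"   # host taken from the link quoted above


def _token(email: str, expires: int, secret: bytes) -> str:
    # Bind the token to the recipient address AND the expiry so that editing
    # either value in the URL invalidates the signature. 32 hex chars = 128 bits.
    msg = f"{email}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_digest_link(email: str, secret: bytes = QUARANTINE_SECRET,
                     now: Optional[int] = None, ttl: int = 7 * 24 * 3600) -> str:
    """Build the notification-digest link that logs the recipient in without a password."""
    issued = int(time.time()) if now is None else now
    expires = issued + ttl
    query = urlencode({"h": _token(email, expires, secret), "email": email, "exp": expires})
    return f"{BASE_URL}/Search?{query}"


def verify_digest_link(url: str, secret: bytes = QUARANTINE_SECRET,
                       now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated email address, or None if the link is invalid or expired."""
    q = parse_qs(urlparse(url).query)
    try:
        email, h, expires = q["email"][0], q["h"][0], int(q["exp"][0])
    except (KeyError, IndexError, ValueError):
        return None
    current = int(time.time()) if now is None else now
    if current > expires:
        return None
    # compare_digest avoids leaking the correct token through timing differences.
    if not hmac.compare_digest(h, _token(email, expires, secret)):
        return None
    return email
```

The point of binding the expiry into the MAC is that a leaked or forwarded digest link stops working after its lifetime, and swapping the `email` parameter to read somebody else's quarantine fails the signature check.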

  • Adding external SPAM quarantine on C370

    Hi,
    I have C370 with Internal SPAM quarantine up and working.
    Now, we need to use M160 as external SPAM, I have configured both devices and we are waiting for maintenance window to cutover.
    I have one question about it:
    Documents are saying that I need to disable local one (easy, under C370 quarantines, I will go to SPAM and uncheck enable box) but it is a little unclear what comes after that.
    My mail policy will change to deliver or not? If it does, should I put IP address of M160 to Alternate Host, and if I do, will it use port 6025 as configured or 25 for SMTP?
    Since I have external SPAM already configured, shouldn't my mail policy stay that all SPAM & SPAM suspected should still be quarantined?
    Bottom line is, what should be in my mail policy?
    Thanks.
    David

    Hello David,
    Before configuring an external spam quarantine please ensure that the Security Management Appliance (M160) is configured to receive quarantined spam messages from this appliance. Once that has been configured, not only will you disable the local Spam Quarantine in your C370 (GUI: Monitor tab > Quarantines), but you will need to add an External Quarantine (C370 GUI: Network tab). The IP address that you add as the External Quarantine will be the IP address of the interface that you configured on your Security Management Appliance as the default Spam Quarantine interface.
    You will not need to change your Mail Policies' Anti-Spam settings. Spam, Suspect Spam, etc. will continue to be routed to whichever quarantine the C370 is currently set to use. The port number that is used (6025, by default) was determined when you configured an interface on your Security Management Appliance to accept spam from the C370.
    Regards,
    -Jerry Orona

  • Ironport C170 Unable to view the Spam Quarantine messages

    I'm new to the Ironport appliance. When I click on Monitor-->Spam Quarantine, then click on Messages a new window appears and I should see all of the emails that were marked "spam". For some reason when the second window opens, I receive a blank page. Everything works fine on my other C170 appliance.

    Hi Billy, if you move the mouse cursor over the number of spam messages on the page Monitor > Spam Quarantine, what URL do you see?
    Something like https://www.domain.com:83/Search?auth=13900f1d2a029b017464c596a88bb7a8?
    Can you resolve "www.domain.com" to the correct IP address of your ESA server?
    Are Spam Quarantine > Spam Quarantine HTTP & Spam Quarantine HTTPS enabled on the Network > IP Interfaces > Interface page? Do the interface's IP address & spam quarantine ports match the URL (does www.domain.com resolve to this IP address) at Monitor > Spam Quarantine?
    Is there any firewall blocking this connection?

  • End User SPAM Quarantine checkbox to select all messages not working

    We are running SPAM Quarantine on M670 running 8.1.0-476 and accessing with Internet Explorer 9.0.   After logging into the SPAM Quarantine there is a top row check box that normally we can check to select all messages.  This stopped working in IE for us, any idea what setting/option we could adjust to enable it again?
    In Chrome 29, FireFox 23 it works as expected.
    Jason

    I think this is a known bug in 8.0, see below:
    CSCuj42166
    Selecting all messages in ISQ at once not possible with IE 8.0/7.0/6.0
    Symptom:
    When accessing the spam quarantine on ESA using IE 8.0/7.0/6.0 and trying to select all messages at once, an error occurs and no message is checked. At the bottom of the browser we see an "Error on page"
    Conditions:
    ESA running 8.0.0-671 and Internet Explorer 8.0 (same valid for 6.0 and 7.0)
    Workaround:
    Using a different browser to access the Centralized Spam Quarantine like for example Safari, Mozilla Firefox, Google Chrome, Internet Explorer 9
    Further Problem Description:
    Details
    Known Affected Releases: (2)
    8.0.0(Venetian)-671 | 8.5.0(FourQueens)-0
    Known Fixed Releases: 0
    Release Pending
    Product: Cisco Email Security Appliance

  • Incoming Mail Policy is not working - SPAM quarantine

    I have configured a Mail Policy that has Anti-Spam disabled. I have done this because of a specific mail user who wants to receive all the emails, including the ones the ESA considers spam.
    It usually works fine but now I have 4 emails in the spam quarantine.  All of them are from the same sender. I have the details and there is this one line that "explains" why the email is sent to quarantine:
    "Remote procedure call connection (RCID 13) started for message 65161521 to local Spam Quarantine.".
    Can you please give me some advice in order to know what causes this remote procedure call connection?
    Thanks!!
    MAIL POLICY "No-spam-check" MATCHED THESE RECIPIENTS: [email protected]
    19 Nov 2014 09:52:21 (GMT +05:00)
    Protocol SMTP interface in.perulng (IP 129.39.179.38) on incoming connection (ICID 59143385) from sender IP 104.200.16.96. Reverse DNS host mta11.avanzaperu.pe verified yes.
    19 Nov 2014 09:52:21 (GMT +05:00)
    (ICID 59143385) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS unable to retrieve
    19 Nov 2014 09:52:24 (GMT +05:00)
    Start message 65161521 on incoming connection (ICID 59143385).
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 enqueued on incoming connection (ICID 59143385) from [email protected].
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 on incoming connection (ICID 59143385) added recipient ([email protected]).
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 contains message ID header '<6C67A08179394CEA891EBF61D105B938@User-PC>'.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 original subject on injection: Envasado y Empaque de Alimentos y Bebidas
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 (29275 bytes) from [email protected] ready.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 matched per-recipient policy No-spam-check for inbound mail policies.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Final verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Virus engine. Final verdict: Negative
    19 Nov 2014 09:52:25 (GMT +05:00)
    Message 65161521 scanned by Outbreak Filters. Verdict: Negative
    19 Nov 2014 09:52:25 (GMT +05:00)
    Message 65161521 queued for delivery.
    19 Nov 2014 09:52:27 (GMT +05:00)
    Remote procedure call connection (RCID 13) started for message 65161521 to local Spam Quarantine.
    19 Nov 2014 09:52:28 (GMT +05:00)
    Message 65161521 quarantined in Spam Quarantine.

    That message got spam checked, was declared spam, so the RPC call happens to put it in the Quarantine.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Final verdict: Positive
    If you want to deliver this, either don't scan it by setting the Anti-Spam scanning to disabled, or set the action to Deliver, and maybe add something to the subject?

  • Finally using SPAM quarantine and want to know how many e-mails are being released

    We have two C660s and one M660 and we are finally using the SPAM quarantine functionality on the M660 and so far it has been awesome.   For my pilot group I have the spam thresholds set as low as recommended by the GUI at 50 (positive) and 25 (suspected)...   First off, if I change these numbers will I see noticeable differences in what is allowed through and what isn't?
    My real question is, is there an easy way to see what mail is being released by users from the SPAM quarantine?  Originally I had a content filter set up that was working..   but now it appears that when users are releasing e-mails from the quarantine it is skipping any type of content filtering..  From what I can tell, e-mails are still being routed from the M660 to one of the two C660s for delivery..  but in the mail logs I see information like:
    Wed Aug 15 09:34:32 2012 Info: ISQ: Delivering MID 1592784 to ISQ (skipping work queue)
    And in Message Tracking I see:
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 was released from Spam Quarantine, IP address 10.25.211.100.
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 released from Spam Quarantine. Work queue skipped.
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 queued for delivery.
    15 Aug 2012 09:32:23 (GMT -05:00)
    (DCID 40556495) Delivery started for message 116381462 to
    My outgoing content filter is set up like this:
    Conditions (Apply rule: If one or more conditions match | Only if all conditions match)
    Order  Condition           Rule
    1      Remote IP/Hostname  remote-ip == XXXXXXXX
    2      Envelope Sender     mail-from != XXXXXXXXXX
    Actions
    Order  Action         Rule
    1      Add Log Entry  log-entry("ReleasedFromSpamQuarantine")
    XXXXXXX = the IP address of our M660..
    XXXXXXXX = the e-mail address used by our M660 to send out reports/alerts etc..
    Appreciate any input/feedback...
    Jason

    Hello Jason,
    One thing about the thresholds: the defaults are 50/90 for suspected and positive spam, and that usually works for most customers. In some cases, if spam still gets through, we suggest modifying that to 40/80, but you should not go any lower, as this will just increase the number of false positives. In general, the anti-spam engine delivers a value way above or below the thresholds, meaning scores are always either below 10 (no spam) or above 90 (spam), and very few are in between this range, so usually the default setting works.
    About the information of which user released a message, there is unfortunately no direct way to get this done. You might try this approach:
    1. mail_logs: Look for the MID of the message when it's getting injected to the SMA; note that this is not the same MID as in message tracking.
    2. mail_logs: Look for the message getting released, and note the time stamp:
    6 Aug 2012 13:29:21 (GMT) Start Message 10054459 ICID 0 release from Spam Quarantine
    3. Do a
    CLI: grep timestamp euqgui_logs
    with the timestamp you retrieved from the mail logs (just use the day, hour, and minute part). This should get you the log lines for that particular minute; check them for the name of the user who was accessing the GUI at that time.
    Hope that helps,
    Andreas
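Andreas's steps 2 and 3, carried out in code as an added example (not Cisco's tooling and not part of his reply): the release line is parsed in the format he quotes in step 2, the minute is extracted, and the GUI log is searched for users active in that same minute. The euqgui_logs layout, with a `User <name>` and a `from <ip>` field, is an assumption and the sample lines are constructed; the one real mail_logs line is the ISQ delivery line Jason quotes, included to show the parser ignores it. The optional `release_ip` argument goes beyond Andreas's procedure: it narrows the candidates with the IP address that Message Tracking records for the release (as in Jason's tracking output above), which usually leaves a single user.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed mail_logs sample: release lines in the format Andreas quotes, plus
# the ISQ delivery line Jason quotes, which must not be mistaken for a release.
MAIL_LOGS = """\
15 Aug 2012 09:32:23 (GMT -05:00) Start Message 10054459 ICID 0 release from Spam Quarantine
Wed Aug 15 09:34:32 2012 Info: ISQ: Delivering MID 1592784 to ISQ (skipping work queue)
15 Aug 2012 09:34:31 (GMT -05:00) Start Message 10054470 ICID 0 release from Spam Quarantine
"""

# Constructed euqgui_logs sample in an ASSUMED layout; adjust GUI_RE to the
# lines your appliance actually writes.
EUQGUI_LOGS = """\
Wed Aug 15 09:32:05 2012 Info: User alice logged in from 10.25.211.100
Wed Aug 15 09:32:19 2012 Info: User bob logged in from 10.25.211.45
Wed Aug 15 09:33:02 2012 Info: User bob logged out
Wed Aug 15 09:34:02 2012 Info: User carol logged in from 10.25.211.77
"""

RELEASE_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT[^)]*\) "
    r"Start Message (\d+) ICID \d+ release from Spam Quarantine")
GUI_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: User (\S+)"
    r"(?:.* from (\d{1,3}(?:\.\d{1,3}){3}))?")


def _minute(stamp: str, fmt: str) -> datetime:
    # Step 3 greps on day, hour and minute only, so truncate to the minute.
    return datetime.strptime(stamp, fmt).replace(second=0, microsecond=0)


def parse_releases(mail_logs: str) -> List[tuple]:
    """Step 2: (minute, MID) for every release recorded in mail_logs."""
    out = []
    for line in mail_logs.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            out.append((_minute(m.group(1), "%d %b %Y %H:%M:%S"), m.group(2)))
    return out


def parse_gui_events(euqgui_logs: str) -> List[tuple]:
    """(minute, user, ip-or-None) for every GUI log line that names a user."""
    out = []
    for line in euqgui_logs.splitlines():
        m = GUI_RE.match(line)
        if m:
            out.append((_minute(m.group(1), "%a %b %d %H:%M:%S %Y"),
                        m.group(2), m.group(3)))
    return out


def correlate(mail_logs: str, euqgui_logs: str,
              release_ip: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each released MID to the users active in the GUI during that minute.

    When release_ip (from Message Tracking) is given, only GUI sessions from
    that address are kept, which usually reduces the candidates to one."""
    events = parse_gui_events(euqgui_logs)
    result: Dict[str, List[str]] = {}
    for minute, mid in parse_releases(mail_logs):
        users = {user for when, user, ip in events
                 if when == minute and (release_ip is None or ip == release_ip)}
        result[mid] = sorted(users)
    return result
```

Without the IP, the 09:32 release is attributed to both alice and bob, which is exactly the ambiguity Andreas warns about; with the tracking IP it collapses to alice. The minute-level match follows his grep; a login that falls a few seconds before the minute boundary will be missed, so widen the window if the candidate list comes back empty.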

  • Proxy user getting to the SPAM Quarantine

    I have finally set up the spam quarantine after a year of use. My problem is I have several resources that get email and several users that monitor those resources. How do I allow them to see the quarantined email of another account?
    Thanks

    If you are sending out spam notifications this is already working. The original recipient(s) will simply get a notification which contains a link to the spam quarantine. This link contains an authentication token so that they do not need to enter a username or password to view the mail in the quarantine.

  • Manually released mail moving from Policy Quarantine to SPAM Quarantine

    We have configured a content filter to quarantine mails which are categorized as 'Suspected Spam',
    hence all mails quarantined by the suspected spam content filter are getting quarantined under 'Policy quarantine'.
    I have observed that whenever we release mail from the Suspected spam content filter, it is moving from Policy quarantine to Spam quarantine instead of getting delivered to the end user. (This behavior is only for suspected spam mails; the rest of the filters are working fine.)
    Has anyone experienced this kind of behavior? Please suggest.

    Hi Don,
    Indeed there are two ways to send to ISQ.
    a)  alt-mailhost('the.euq.queue')
    b)  Insert-Header ('X-Ironport-Quarantine: somevalue')
    But both will send the mail to quarantine and stop, even if I have an action such as duplicate-quarantine. No mail is sent to recipient.
    It may sound weird to most because why would we need to ISQ an email but at the same time want the mail to be delivered.
    My goal is to just copy it, and send it to ISQ, while let the mail be delivered.
    At this moment, I can't get both done at the same message/content filter.
    MonitorUserADGroupFilter: if mail-from-group == "CN=somegroup, OU=XX, DC=company, dc=com" {
        deliver();
        alt-mailhost("the.euq.queue");
    }
    deliver() is now called "skip-filters()", btw.
    The above won't work because once delivered, the message no longer exists, so quarantining to 'the.euq.queue' has no effect.
    If I put alt-mailhost higher than deliver, then the message does not deliver.
    Also tried replacing deliver() with "duplicate-quarantine". Same behavior.
    What's the best way to "deliver and copy to ISQ"?
    Regards,
    Chris

  • [Question!!] How to satisfy security status after External Auth.?

    Situation :
    I want to do post-issuance functions on the card; the card has been personalized, and the card
    status has been set to 'Secured'.
    Card Status:
    The card is in Secured status after personalization by the card manufacturer.
    First: External auth.
    External auth. is OK and the response has no error.
    (APDU's P1 set to '0x03')
    Second: Try to delete an existing applet (e.g. VSDC applet) from the card.
    According to the card spec, APDUs after the secure channel has been opened must
    add a MAC and be enciphered, so I use the first step's C-MAC value as the initial value to calculate
    the new MAC and do the enciphering, then send the command to the IC card; it returns SW '0x6982'.
    Questions:
    Why does it return 'Security level not satisfied' after passing the card ext. auth.?
    Did I make an error in calculating the MAC or enciphering the command?
    If I really made an error in my MAC or cipher step, would the IC card check it and return '6982'?
    Is that correct?
    APDU results are as follows:
    KMC Key = "FDA1DAF3CC95D48C7B891DCA1F7C5769"(Hex dump)
    16-byte 2DES key
    Detect Reader :
    0 - [ CASTLES EZ100PU 1 ]
    Send APDU >> 00A4040007A0000000030000
    Response APDU << 6F198408A000000003000000A50D9F6E0640512179100E9F6501FF9000
    Send APDU >> 80CA00CF00
    Response APDU << 00CF0A000049381701100101629000
    Send APDU >> 80500000080000000000000000
    Response APDU << 00004938170110010162010152BD13F4BB10ECF64875DAFF86BF89299000
    -- External Authenticate
    Plaintext APDU : 848203000807556D1359960AD3
    IV : 0000000000000000
    C-MAC : 766F793916F59ABD
    APDU After C-MAC : 848203001007556D1359960AD3766F793916F59ABD
    Send APDU >> 848203001007556D1359960AD3766F793916F59ABD
    Response APDU << 9000
    -- Delete Instance AID
    Plaintext APDU : 84E40000094F07A0000000031010
    IV : 766F793916F59ABD
    C-MAC : 21E59ADBCE506D20
    APDU After C-MAC : 84E40000114F07A000000003101021E59ADBCE506D20
    APDU After Cipher : 84E40000180CC8DE40AB34AC8C66285D6A2B0B4C5421E59ADBCE506D20
    Send APDU >> 84E40000180CC8DE40AB34AC8C66285D6A2B0B4C5421E59ADBCE506D20
    Response APDU << 6982
    Delete Instance AID fail ! (SW:6982)

    Hi Bennel,
    what kind of card is it?

  • SPAM Quarantine and Local Quarantine

    Hi All,
    In my C670 I have enabled "Enable Anti-Spam Scanning".
    For Positively-Identified Spam Settings I have chosen the action SPAM QUARANTINE.
    For Suspected Spam Settings: Spam Quarantine.
    Now even though the above is done, I can see the email still goes through the Content Filter checks, where I have enabled the Local Quarantine.
    Are the emails getting stored in both the SPAM and LOCAL quarantine? I think so because I can see that certain text has been added by the IronPort in the subject line when it identifies spam and suspected spam, and in the content filter we have a filter monitoring the subject line.
    My question is why an email which has been spam quarantined still has to go through the content filter check, unless an administrator defines so.
    Thanks

    Please help. Is it possible that if an email is already quarantined by the spam engine then it won't go through the filter check?

  • Change central spam quarantine cert?

    We have an internal certificate that I would like to assign to the Central Spam Quarantine on our M670 so that users don't get the self-signed cert error. I don't see anything in the documentation about this, does anyone have any pointers as to how this is done and potential pitfalls? Thanks.

    That post does apply to the SMA.
    Correct - there is not a GUI option on the SMA.  You will need to run the 'certconfig' command on the CLI, and import the certificate --- either one you have, or once you receive this back from the CA.
    http://tools.cisco.com/squish/9b9c9
    How do I install certificates on a Cisco Content Security Management Appliance (SMA)?
    Prerequisites:
    You must have the following items available in PEM format:
    X.509 certificate
    Private key that matches your certificate
    Any intermediate certificates provided by your Certificate Authority
    Certificates can be used for 4 different services:
    Inbound TLS
    Outbound TLS
    HTTPS
    LDAPS
    You can choose to either use the same certificate for all 4 services or use separate certificates for each.
    Installing the Certificates:
    To begin, you will first need to access your IronPort via the Command Line Interface. This can be done either via telnet or an SSH client such as PuTTY.
    Once logged into the CLI, please use the following steps:
    Issue the command 'certconfig'
    Issue the command 'setup'
    Choose whether to use the same certificate for all features or separate certificates
    When prompted paste each item into the CLI window
    Enter a '.' on its own line to indicate that you are done pasting the current item (see example below)
    Be sure to enter any intermediate certificates when prompted to do so
    When you are done, return to the main prompt by hitting enter
    Issue the 'commit' command
    Notes:
    When performing a certificate install on Microsoft Windows you may need to open your certificates with Wordpad instead of Notepad.
    Do not exit the certconfig command with Ctrl+C since this will immediately cancel your changes.
    Example:
    sma.example.com> certconfig
    Currently using one certificate/key for receiving, delivery, HTTPS management access, and LDAPS.
    Choose the operation you want to perform:
          - SETUP - Configure security certificates and keys.
          - PRINT - Display configured certificates/keys.
          - CLEAR - Clear configured certificates/keys.
    []> setup
    Do you want to use one certificate/key for receiving, delivery, HTTPS management access, and LDAPS? [Y]>
    paste cert in PEM format (end with '.'):
    -----BEGIN CERTIFICATE-----
    MIIDmTCCAwKgAwIBAgIJAP3xcsDFYVsFMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UE
    ChMZSXJvblBvcnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJv
    blBvcnQxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tMB4XDTA5
    MTAwMjE5NDkxOVoXDTEwMTAwMjE5NDkxOVowgZAxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJDQTESMBAGA1UEBxMJU2FuIEJydW5vMSIwIAYDVQQKExlJcm9uUG9ydCBD
    dXN0b21lciBTZXJ2aWNlMRcwFQYDVQQDEw5DaXNjbyBJcm9uUG9ydDEjMCEGCSqG
    SIb3DQEJARYUc3VwcG9ydEBpcm9ucG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMHw08rHx1a2NeJpwzTeVQH09g77zQelp6vrcVxijhOH4+k3LrfD
    wd+g94X+T6/ZJ/pJNgkjrncEw0I96yvlCwpAeReaWX4rLCyMyU/BGdKfCVNPWK/b
    oNioS91ADh1L+XRyPeBG1YIM+EEK5wuQzOP8NQH3uf7jq1aigsOgV9sHAgMBAAGj
    gfgwgfUwHQYDVR0OBBYEFEYsbf9JvO+AvNalXiORrA3x4D8VMIHFBgNVHSMEgb0w
    gbqAFEYsbf9JvO+AvNalXiORrA3x4D8VoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UEChMZSXJvblBv
    cnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJvblBvcnQxIzAh
    BgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tggkA/fFywMVhWwUwDAYD
    VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCKcMkd1+SMIGs9JcN1IT/o1Qan
    9zd5BkrRAVKq47pJnHbkFpDnGoHGEo2hRhXYXfrCFwpOkkd2b/iRl54ghcK6xwnH
    tF3tvznyBIWBUvt+vPIqHfNlmTCdIVhawz6YVs+0YAQanxObdbCM0T6tI3CaAjul
    0oL+HfZjR4m900PG8A==
    -----END CERTIFICATE-----
    cert = -----BEGIN CERTIFICATE-----
    MIIDmTCCAwKgAwIBAgIJAP3xcsDFYVsFMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UE
    ChMZSXJvblBvcnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJv
    blBvcnQxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tMB4XDTA5
    MTAwMjE5NDkxOVoXDTEwMTAwMjE5NDkxOVowgZAxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJDQTESMBAGA1UEBxMJU2FuIEJydW5vMSIwIAYDVQQKExlJcm9uUG9ydCBD
    dXN0b21lciBTZXJ2aWNlMRcwFQYDVQQDEw5DaXNjbyBJcm9uUG9ydDEjMCEGCSqG
    SIb3DQEJARYUc3VwcG9ydEBpcm9ucG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMHw08rHx1a2NeJpwzTeVQH09g77zQelp6vrcVxijhOH4+k3LrfD
    wd+g94X+T6/ZJ/pJNgkjrncEw0I96yvlCwpAeReaWX4rLCyMyU/BGdKfCVNPWK/b
    oNioS91ADh1L+XRyPeBG1YIM+EEK5wuQzOP8NQH3uf7jq1aigsOgV9sHAgMBAAGj
    gfgwgfUwHQYDVR0OBBYEFEYsbf9JvO+AvNalXiORrA3x4D8VMIHFBgNVHSMEgb0w
    gbqAFEYsbf9JvO+AvNalXiORrA3x4D8VoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UEChMZSXJvblBv
    cnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJvblBvcnQxIzAh
    BgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tggkA/fFywMVhWwUwDAYD
    VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCKcMkd1+SMIGs9JcN1IT/o1Qan
    9zd5BkrRAVKq47pJnHbkFpDnGoHGEo2hRhXYXfrCFwpOkkd2b/iRl54ghcK6xwnH
    tF3tvznyBIWBUvt+vPIqHfNlmTCdIVhawz6YVs+0YAQanxObdbCM0T6tI3CaAjul
    0oL+HfZjR4m900PG8A==
    -----END CERTIFICATE-----
    paste key in PEM format (end with '.'):
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDB8NPKx8dWtjXiacM03lUB9PYO+80Hpaer63FcYo4Th+PpNy63
    w8HfoPeF/k+v2Sf6STYJI653BMNCPesr5QsKQHkXmll+KywsjMlPwRnSnwlTT1iv
    26DYqEvdQA4dS/l0cj3gRtWCDPhBCucLkMzj/DUB97n+46tWooLDoFfbBwIDAQAB
    AoGAM/hvKNXkSw5E3kltMAusR/v2vAkp5jSz+9P56sHWRNGTd3l8IW5p05109wkx
    HXRZzC42NrjDFc3G7Udeb8LO9BbVicBzXVW1CRIrfxGr7d/ekkghyN1nBiAbUCaf
    6jUGNItT1ACRdV++aNzESO6JdGBirW/pw0neMgmtRuf0rIECQQDnX/9zUxZuswJN
    0hvEzaVAx2pkpJ6v3us8bG7o5Ce3vDWR9ja3TUH6faOw2azfLv0ND1sLj6USx2j5
    rC8Kj2HhAkEA1pTm+FVbY3YQOSBol1o0831SvCxA/r7fhxTdxHXzhkw1NC3mbZrh
    ZGATaGETM9doyatESVLbcHxu/OYU7nmp5wJBAMbT6fMyjW5nii1RxuciSUYXl8gQ
    5wT/LWrpS436sl7j760UxgRS8cXOPeJ1zGamPHMCpRyUPiibEAyt+Ga8vEECQQC8
    9gMvTHtd6un+ZHu2TMm0YfgpnQ7fRlaxLb7c8sGw0gtIF+ODQZCaQ8DTeijeziKI
    9Tj9GOoE9I8IRdTI7HqhAkEAnXk9GOp201cPK8E7SDgseuSdxuziQH4Tl595wXQX
    CbCI1aqiMwrg5b/B1ZfISxyD1Vth6BARQuuqYvdnstlSkQ==
    -----END RSA PRIVATE KEY-----
    key = -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDB8NPKx8dWtjXiacM03lUB9PYO+80Hpaer63FcYo4Th+PpNy63
    w8HfoPeF/k+v2Sf6STYJI653BMNCPesr5QsKQHkXmll+KywsjMlPwRnSnwlTT1iv
    26DYqEvdQA4dS/l0cj3gRtWCDPhBCucLkMzj/DUB97n+46tWooLDoFfbBwIDAQAB
    AoGAM/hvKNXkSw5E3kltMAusR/v2vAkp5jSz+9P56sHWRNGTd3l8IW5p05109wkx
    HXRZzC42NrjDFc3G7Udeb8LO9BbVicBzXVW1CRIrfxGr7d/ekkghyN1nBiAbUCaf
    6jUGNItT1ACRdV++aNzESO6JdGBirW/pw0neMgmtRuf0rIECQQDnX/9zUxZuswJN
    0hvEzaVAx2pkpJ6v3us8bG7o5Ce3vDWR9ja3TUH6faOw2azfLv0ND1sLj6USx2j5
    rC8Kj2HhAkEA1pTm+FVbY3YQOSBol1o0831SvCxA/r7fhxTdxHXzhkw1NC3mbZrh
    ZGATaGETM9doyatESVLbcHxu/OYU7nmp5wJBAMbT6fMyjW5nii1RxuciSUYXl8gQ
    5wT/LWrpS436sl7j760UxgRS8cXOPeJ1zGamPHMCpRyUPiibEAyt+Ga8vEECQQC8
    9gMvTHtd6un+ZHu2TMm0YfgpnQ7fRlaxLb7c8sGw0gtIF+ODQZCaQ8DTeijeziKI
    9Tj9GOoE9I8IRdTI7HqhAkEAnXk9GOp201cPK8E7SDgseuSdxuziQH4Tl595wXQX
    CbCI1aqiMwrg5b/B1ZfISxyD1Vth6BARQuuqYvdnstlSkQ==
    -----END RSA PRIVATE KEY-----
    Do you want to add an intermediate certificate? [N]> n
    Currently using one certificate/key for receiving, delivery, HTTPS management access, and LDAPS.
    Choose the operation you want to perform:
          - SETUP - Configure security certificates and keys.
          - PRINT - Display configured certificates/keys.
          - CLEAR - Clear configured certificates/keys.
    []>
    sma.example.com> commit
    Please enter some comments describing your changes:
    []> Installed Certificate
    Changes committed: Fri Oct 02 12:50:47 2009 MST
    sma.example.com>
    Hope that helps and is a little more clear...
    -Robert
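The prerequisites above assume you are holding a certificate, the private key that matches it, and any intermediates, all in PEM; certconfig does not tell you that the key belongs to a different certificate until TLS clients start failing. What follows is an added pre-flight check, not Cisco's code and not part of the KB article, written against the Python standard library only: it splits pasted text into PEM blocks, walks the DER just far enough to pull the RSA modulus out of the certificate's subjectPublicKeyInfo and out of the PKCS#1 private key, and confirms the two agree. It is exercised on the expired 2009 demo certificate and key from the transcript above, and it assumes RSA keys in PKCS#1 (`BEGIN RSA PRIVATE KEY`) form, which is what the transcript shows.

```python
import base64
import re
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Demo certificate and key copied from the certconfig transcript above
# (the self-signed, long-expired Cisco IronPort example pair, not a real credential).
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDmTCCAwKgAwIBAgIJAP3xcsDFYVsFMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UE
ChMZSXJvblBvcnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJv
blBvcnQxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tMB4XDTA5
MTAwMjE5NDkxOVoXDTEwMTAwMjE5NDkxOVowgZAxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJU2FuIEJydW5vMSIwIAYDVQQKExlJcm9uUG9ydCBD
dXN0b21lciBTZXJ2aWNlMRcwFQYDVQQDEw5DaXNjbyBJcm9uUG9ydDEjMCEGCSqG
SIb3DQEJARYUc3VwcG9ydEBpcm9ucG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMHw08rHx1a2NeJpwzTeVQH09g77zQelp6vrcVxijhOH4+k3LrfD
wd+g94X+T6/ZJ/pJNgkjrncEw0I96yvlCwpAeReaWX4rLCyMyU/BGdKfCVNPWK/b
oNioS91ADh1L+XRyPeBG1YIM+EEK5wuQzOP8NQH3uf7jq1aigsOgV9sHAgMBAAGj
gfgwgfUwHQYDVR0OBBYEFEYsbf9JvO+AvNalXiORrA3x4D8VMIHFBgNVHSMEgb0w
gbqAFEYsbf9JvO+AvNalXiORrA3x4D8VoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UEChMZSXJvblBv
cnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJvblBvcnQxIzAh
BgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tggkA/fFywMVhWwUwDAYD
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCKcMkd1+SMIGs9JcN1IT/o1Qan
9zd5BkrRAVKq47pJnHbkFpDnGoHGEo2hRhXYXfrCFwpOkkd2b/iRl54ghcK6xwnH
tF3tvznyBIWBUvt+vPIqHfNlmTCdIVhawz6YVs+0YAQanxObdbCM0T6tI3CaAjul
0oL+HfZjR4m900PG8A==
-----END CERTIFICATE-----"""

SAMPLE_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDB8NPKx8dWtjXiacM03lUB9PYO+80Hpaer63FcYo4Th+PpNy63
w8HfoPeF/k+v2Sf6STYJI653BMNCPesr5QsKQHkXmll+KywsjMlPwRnSnwlTT1iv
26DYqEvdQA4dS/l0cj3gRtWCDPhBCucLkMzj/DUB97n+46tWooLDoFfbBwIDAQAB
AoGAM/hvKNXkSw5E3kltMAusR/v2vAkp5jSz+9P56sHWRNGTd3l8IW5p05109wkx
HXRZzC42NrjDFc3G7Udeb8LO9BbVicBzXVW1CRIrfxGr7d/ekkghyN1nBiAbUCaf
6jUGNItT1ACRdV++aNzESO6JdGBirW/pw0neMgmtRuf0rIECQQDnX/9zUxZuswJN
0hvEzaVAx2pkpJ6v3us8bG7o5Ce3vDWR9ja3TUH6faOw2azfLv0ND1sLj6USx2j5
rC8Kj2HhAkEA1pTm+FVbY3YQOSBol1o0831SvCxA/r7fhxTdxHXzhkw1NC3mbZrh
ZGATaGETM9doyatESVLbcHxu/OYU7nmp5wJBAMbT6fMyjW5nii1RxuciSUYXl8gQ
5wT/LWrpS436sl7j760UxgRS8cXOPeJ1zGamPHMCpRyUPiibEAyt+Ga8vEECQQC8
9gMvTHtd6un+ZHu2TMm0YfgpnQ7fRlaxLb7c8sGw0gtIF+ODQZCaQ8DTeijeziKI
9Tj9GOoE9I8IRdTI7HqhAkEAnXk9GOp201cPK8E7SDgseuSdxuziQH4Tl595wXQX
CbCI1aqiMwrg5b/B1ZfISxyD1Vth6BARQuuqYvdnstlSkQ==
-----END RSA PRIVATE KEY-----"""


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Split pasted text into (label, DER bytes) pairs, one per PEM block."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's content into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out


def cert_modulus(der: bytes) -> int:
    """RSA modulus from an X.509 certificate's subjectPublicKeyInfo."""
    tbs = _children(_children(_tlv(der)[1])[0][1])      # tbsCertificate fields
    spki_index = 6 if tbs[0][0] == 0xA0 else 5          # skip [0] version if present
    bitstring = _children(tbs[spki_index][1])[1][1]     # subjectPublicKey BIT STRING
    rsa_pub = _children(_tlv(bitstring[1:])[1])         # drop the unused-bits byte
    return int.from_bytes(rsa_pub[0][1], "big")


def key_modulus(der: bytes) -> int:
    """RSA modulus from a PKCS#1 RSAPrivateKey (the INTEGER after version)."""
    return int.from_bytes(_children(_tlv(der)[1])[1][1], "big")


def key_matches_cert(cert_pem: str, key_pem: str) -> bool:
    """True when the private key's modulus equals the certificate's modulus."""
    cert_der = pem_blocks(cert_pem)[0][1]
    key_der = pem_blocks(key_pem)[0][1]
    return cert_modulus(cert_der) == key_modulus(key_der)
```

Run `key_matches_cert` on the pair you are about to paste, and `pem_blocks` on the whole bundle to confirm it contains exactly one `CERTIFICATE` per chain element plus the key; a Windows editor that mangled line endings shows up here as a base64 decoding error rather than as a silent failure later in certconfig.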

  • ACS appliance External Auth to NT 4.0

    Hi
    I am installing the ACS appliance to do external database authentication to an NT 4.0 PDC. It appears that with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any Windows server box?
    Is there a workaround if you do not have a win2k server? This network is still NT4 with no win2k boxes.
    Thanks

    The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
    It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
    The release notes/install guide for it is here:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

  • Is RADIUS and other external auth unsecure?

    I just finished setting up RADIUS on our database. As best as I can tell, the client is the one doing the authentication...I'm guessing this because if I have my SID setup for the RADIUS controlled database (with user identified externally) with the sqlnet.ora that has the radius settings, then I can connect.
    If I try to connect from another machine that has the TNSNAMES.ORA entry for the database, but a standard sqlnet.ora (ie. no radius entries) it tells me invalid login.
    To me, this says that it is not the database doing the actual RADIUS calls and authentication, but instead the client, which would then make it easy for someone to setup their own radius server with their own sqlnet.ora that would let them "authenticate" for a particular user against their own controlled passwords and trick the database server.
    If this is not the case, then how come I cannot just do, from anywhere with the proper tnsnames.ora, sqlplus userid/password@TNSNAME??? Should the server not also read sqlnet.ora at startup and then itself use BEQ or RADIUS for authentication methods?
    Thanks for any pointers...sorry if it seems a little run on, but it's late and I'm tired.

    The server is doing the authentication. Client setup is needed because somebody needs to hint to the server that the connection is supposed to use RADIUS.

  • External Auth Problems w/LDAP

    Rich or Paul,
    I have turned on the LDAP authentication. It seems to work great. We have been very happy with this. However, I have one user that cannot login. This one person gets the following message.
    There is an error in the setup of the external authentication mechanism. Please contact the administrator to make sure the external repository is setup appropriately. (WWC-41655)
    My user account exists in the same container as this user. We have checked that the password is not expired and that the grace logins are not at zero.
    Can you give me some help on what might be happening with this user?
    Thanks,
    Mark

    Mark,
    Do a command line ldapsearch for this user, using the same search root and search DN that you specified in ssoldap.sql. This will show you what the login server is getting when it is trying to do the search to get the user's DN for bind checking.
    My guess is that for that particular user, you are not getting a unique hit, and the "DN mapping" is failing, hence the error message that is warning you that the requirements for the external authentication module are not being met. We require that you define a search root and unique attribute such that you will only get a unique hit when you search for a users ssousername on the specified attribute under that search root.
    Let us know what you find.
    Oh, if you need the ldapsearch syntax, it would be something like ...
    ldapsearch -h hostname -p port -D bind_dn -w bind_password -b search_base -s sub filter
    For example, searching on my LDAP server at ats-labguest19.us.oracle.com, I provide the following:
    ldapsearch -h ats-labguest19.us.oracle.com -p 389 -D cn=orcladmin -w welcome -b 'cn=Login Server (portal30_sso)' -s sub 'cn=PENCARNA'
    And on a unique hit, I get the following:
    cn=pencarna, cn=Login Server (portal30_sso)
    objectclass=top
    objectclass=person
    userpassword=03E71AF8A4169D43E3947B69D9CA7547
    sn=Encarnacion
    cn=pencarna
    The first line is the DN that the Login Server will use to attempt the authentication (bind) with the password the user provided to the Login Server.
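As an added check (not part of Rich's reply or of the Login Server code), the "unique hit" requirement he describes applied to ldapsearch output in the layout shown above: DN on the first line, then attribute=value lines, entries separated by blank lines. `unique_dn` returns the single DN the Login Server would bind with, or reports how many entries came back so the search root or attribute can be tightened. The first sample is the output quoted above; the second is constructed to show the duplicate-entry failure that produces the WWC-41655 error. The `ldapsearch_argv` helper only builds the command line; it reads the bind password from a file with `-y` (an OpenLDAP option, assumed here) instead of `-w`, which leaves the password visible in the process list, and it escapes filter metacharacters in the username so the equality test cannot be widened into a broader filter.

```python
from typing import Dict, List, Optional, Tuple

# Output of the unique hit quoted above (DN first, then attribute=value lines).
UNIQUE_HIT = """\
cn=pencarna, cn=Login Server (portal30_sso)
objectclass=top
objectclass=person
userpassword=03E71AF8A4169D43E3947B69D9CA7547
sn=Encarnacion
cn=pencarna
"""

# Constructed output for the failure case: the same ssousername exists twice under
# the search root, so DN mapping cannot choose one entry to bind with.
DUPLICATE_HIT = UNIQUE_HIT + "\n" + """\
cn=pencarna, ou=contractors, cn=Login Server (portal30_sso)
objectclass=top
objectclass=person
sn=Encarnacion
cn=pencarna
"""


def parse_entries(output: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Split ldapsearch output into (dn, {attribute: [values]}) entries."""
    entries, dn, attrs = [], None, {}
    for line in output.splitlines() + [""]:   # trailing "" flushes the last entry
        line = line.strip()
        if not line:                            # blank line closes the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif dn is None:                        # first non-blank line of an entry is the DN
            dn = line
        else:
            name, _, value = line.partition("=")
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def unique_dn(output: str) -> Tuple[Optional[str], int]:
    """Return (dn, count): dn is set only when exactly one entry matched."""
    entries = parse_entries(output)
    return (entries[0][0] if len(entries) == 1 else None), len(entries)


def ldapsearch_argv(host: str, port: int, bind_dn: str, passfile: str,
                    search_base: str, attr: str, username: str) -> List[str]:
    """Command line for the check; -y (assumed, OpenLDAP) reads the bind password
    from passfile rather than exposing it on the command line as -w does."""
    # RFC 4515 escaping: a username containing * ( ) \ or NUL stays a literal value.
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in username)
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", bind_dn, "-y", passfile,
            "-b", search_base, "-s", "sub", f"({attr}={escaped})"]
```

Feed the output of the search (the argv list can be passed straight to `subprocess.run`) to `unique_dn`: a count of 0 means the search root or attribute does not cover the user, and a count above 1 is the non-unique hit Rich suspects for this one user.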
