Exec authorization with radius..

Hi guys, i was configuring auth-proxy . i had a
m/c---(inside)router(outside)---internet
now i want that a normal user is not able to get the telnet access of my router, only certain users can have the telnet access fromt the inside. i dont want to use NAR. i want to do this only with radius authorization.
i was looking for controlling the access of the users to the router with the help of radius,
aaa authorization exec default group tacacs+
when i use the above command i knw that i can control the shell access by checking shell box,but when i use the below command
aaa authorization exec default group radius
i was not able to find any particular radius av-pair which can control the exec shell access in respect to the above one.

Hi,
Make use of this,
shell:priv-lvl=15
shell:autocmd=exit
So what will happen with this is, as soon as user tries to log into shell, BOOM!, user will exit out.
NOTE: I have not tried this exactly, but should work, you might be required to use separator, ";" i.e.,
shell:priv-lvl=15;
shell:autocmd=exit
Regards,
Prem

Similar Messages

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
    I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
    I've turned on RADIUS debugging on the IOS device, and I dont get anything either
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • ISDN Authorization with RADIUS using ISE 1.1.2

    Hi,
    I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.
    Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..
    I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.
    aaa authentication ppp default group radius local
    aaa authentication network default group radius
    aaa accounting network default start-stop group radius
    radius-server host 12.18.22.41
    radius-server key *****
    below is the router configuration for AAA
    can any one help in this

    CoA is not needed, nor supported for ISDN aaa, i used ACS 3.3 for this a long time ago. I think you should do some debugging if ise does not give you any errors.
    try doing some debug aaa / debug radius & deb ppp nego  if your calls are authenticated and ip is assigned to the calling router, you should see some disconnect reason in the debug.

  • Configuring Cisco ISE for Authorization with External Radius Server attribute

    Hi,
    I'm trying to integrate an external radius server with Cisco ISE.
    I created an External Identity Store>Radius Token Server.
    I created a Identity Store sequence with just one identity store just as creadted above.
    And I was able to authenticate successfully.
    But when it comes to authorization.
    I observed we just have one tab named Authorization while creating Radius Token server.
    And it always refers to ACS:attribute_name.
    If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
    In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
    How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
    I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
    Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
    Thanks in advance
    Senthil K

    This is the step of Creating and Editing RADIUS Vendors
    To create and edit a RADIUS vendor, complete the following steps:
    Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
    The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
    Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
    you want to edit and click Edit.
    Step 3 Enter the following information:
    • Name—(Required) Name of the RADIUS vendor.
    • Description—An optional description for the vendor.
    • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
    vendor.
    • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
    to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
    • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
    to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
    Step 4 Click Submit to save the RADIUS vendor.

  • Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

    Hi Guys,
    I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
    This is my Configure file on Aironet 2702i
    Aironet2702i#show run
    Building configuration...
    Current configuration : 8547 bytes
    ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Aironet2702i
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login DTSGROUP group radius
    aaa authentication login webauth group radius
    aaa authentication login weblist group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local 
    aaa session-id common
    clock timezone +0700 7 0
    no ip source-route
    no ip cef 
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication weblist 
    no ip domain lookup
    ip domain name dts.com.vn
    dot11 syslog
    dot11 activity-timeout unknown default 1000
    dot11 activity-timeout client default 1000
    dot11 activity-timeout repeater default 1000
    dot11 activity-timeout workgroup-bridge default 1000
    dot11 activity-timeout bridge default 1000
    dot11 vlan-name DTSGroup vlan 46
    dot11 vlan-name L6-Webauthen-test vlan 45
    dot11 vlan-name NetworkL7 vlan 43
    dot11 vlan-name SGCTT vlan 44
    dot11 ssid DTS-Group
       vlan 46
       authentication open eap DTSGROUP 
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 ssid DTS-Group-Floor7
       vlan 43
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    dot11 ssid SaigonCTT-Public
       vlan 44
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
    dot11 arp-cache optional
    dot11 adjacent-ap age-timeout 3
    eap profile DTSGROUP
     description testwebauth-radius
     method peap
     method mschapv2
     method leap
    username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
    username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 46 mode ciphers aes-ccm 
     encryption mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid L6-Webauthen-test
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 2412
     station-role root
     rts threshold 2340
     rts retries 128
     ip admission webauth
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface Dot11Radio1
     no ip address
     shutdown
     encryption vlan 46 mode ciphers aes-ccm 
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 45 mode ciphers ckip-cmic 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 5745
     station-role root
     rts threshold 2340
     rts retries 128
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     dot1x pae authenticator
     dot1x authenticator eap profile DTSGROUP
     dot1x supplicant eap profile DTSGROUP
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface GigabitEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface BVI1
     mac-address 58f3.9ce0.8038
     ip address 172.16.1.62 255.255.255.0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    radius-server attribute 32 include-in-access-req format %h
    radius server 172.16.50.99
     address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
     key 7 104A1D0A4B141D06421224
    bridge 1 route ip
    line con 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    end
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
    Account Name: xxxxxxxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
    Client Machine:
    Security ID: S-1-0-0
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    So i will explain problems what i have seen:
    SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
    SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
    => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
    Any idea or recommend for me ?
    Thanks for see my case  

    Hi Dhiresh Yadav,
    Many thanks for your reply me,
    I will explain again for clear my problems.
    At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
    I had login SSID by Account create in AD =>  It's work okay with me. Done
    Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
    This is My Logfile on Radius Win 2008 : 
    Network Policy Server denied access to a user.
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    Im  think ROOT CAUSE is :
    PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

  • Aaa authorization with Funk SBR EE

    Hello,
    I do not get aaa authorization with Funk SBR EE to work.
    On our cisco switches I configure:
    aaa authentication default group radius local
    aaa authorization exec default radius local
    On the Funk radius server I return
    service-type login
    Cisco-AVPAIR shell:priv-lvl=15
    Authorization always fails and the debug output shows:
    1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
    1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
    1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
    1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
    1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
    1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
    1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
    1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
    1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
    1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
    1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
    1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
    1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
    1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
    1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
    1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
    1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
    1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
    1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
    1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
    1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
    What do I need to add to the radius server to make it work?
    --Joerg

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

  • How to configure ACS to authenticate Modem with radius

    Hi,
    How do I configure ACS to authenticate and authorize modem users with radius. My problem is with authorization(authentication is ok in the debug). Do I need to configure specific Av pairs (006 and 007 in IETF)

    Hi Dominic,
    Are we have Microsoft radius server or ACS?
    Yes, these attributes should be configured.
    006-service-type: login
    007-framed-protocol: PPP
    HTH
    JK

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
    thanks
    John

  • HT204074 If I have additional music on my second computer that I authorize with iTunes Match, How do I upload it to iCloud?

    If I have additional music on my second computer that I authorize with iTunes Match, How do I upload it to iCloud?

    check out this post by Zevoneer.

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go thrpugh the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • How can I authenticate and authorize with Web Service on ESB ?

    Hello,
    I want to authenticate and authorize client with Web Service published
    by HTTP/SOAP BC.
    Simply if it is an Web Service as J2EE application, I will use
    Basic Authentication with JAX-RPC and Realm.
    But I think that Web Service published by HTTP/SOAP BC is not belong
    to J2EE Application. Threre is no place to describe security role mapping
    (like web.xml).
    JBI 1.0 the section "5.5.1.1.3 Normalized Message Properties" comments
    JAAS Subject is given in the NM Properties. Really in this package
    com.sun.jbi.internal.security.*
    implements JAAS autentication and authorization (at JaasAuthenticator).
    But I can't see how to configure my Service to use this.
    How can I authenticate and authorize with Web Service on ESB ?
    I referred to the resources.
    Mutual Authentication for Web Services: A Live Example
    http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
    XML and Web Services Security
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
    JAAS Authentication Tutorial
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
    Thanks,
    Takurou
    - environment ---------------------------------------------
    OpenESB : Project Open ESB Starter Kit
    AppServer : Sun Java Systems Application Server 9.0 PE
    OS : Windows XP
    I don't assume to use SSL (if It's necessary I will try).
    User information is stored in a LDAP Server.
    -----------------------------------------------------------

    Hello,
    I read this resource.
    SecurityDesign
    http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
    Then I think [non-ssl and ssl/tls and so on] securing by basic authentication is ongoing feature at this time.
    But I can't see well why this page comments 'HTTP over SSL, TLS'.
    HTTP/SOAP Binding Component Overview
    http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
    Does BC support only "SSL server authentication" ?
    Doesn't BC support "SSL client authentication" by username/password ?
    Thanks,
    Takurou

  • Cisco PI 1.3 - Internal Server Error with RADIUS-authentication

    Hi,
    I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
    From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
    I'm not the one managing the RADIUS-server but I got the following debug sent from them:
    Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
    *** Received from 10.36.0.132 port 17235 ....
    Code:       Access-Request
    Identifier: 102
    Authentic:  REMOVED
    Attributes:
            User-Name = "test-user"
            User-Password = REMOVED
            NAS-IP-Address = 10.36.0.132
            Message-Authenticator = REMOVED
    Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
    Wed Oct 30 08:52:06 2013: DEBUG:  Deleting session for test-user, 10.36.0.132,
    Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
    Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
    Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
    Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
    *** Sending to 10.36.0.132 port 17235 ....
    Code:       Access-Accept
    Identifier: 102
    Authentic:  REMOVED
    Attributes:
            cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
            cisco-avpair = "NCS:role0=Admin"
            cisco-avpair = "NCS:task0=View Alerts and Events"
            cisco-avpair = "NCS:task1=Device Reports"
    ..the rest of the AV-pairs removed
    Does anyone have any idea on what the the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
    //Charlie

    I ran into a similar issue this morning in my lab.  After I issued ncs status - the database service came back as not running.  I stop/started the Prime services and it came up.  Once all the services were running my WLC imported with no issues.  I also deployed another server for another lab and it had issues with the clocking being out of sync. 

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
    It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
    Could you please help me?

    There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • LDAP (openldap) authorization with DAP (dymamic access policy)

    Hello,
    We have a asa 5520 and we try to make a ldap (openLdap) authorization with DAP (Dynamic Access Policy). We have problem with logical expression. We need more example of logical expression and we need to know how debug logical expression. We try to use de Debug dap trace and debug dap error but we need more debug informations.

    Hi
    I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
    Hth
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.

Maybe you are looking for