How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

Hi everyone,
As the title says, does anyone know how it works?
I only found that it can work with LDAP authentication, but not with TACACS+:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
Please give me a hand, thanks.

Hi Karten,
I have a similar requirement. I used the ACS, configured an Auth profile, and mapped the RADIUS class (25) value to the ASA group-policy name (I even tried the tunnel-group name), but it does not work. It allows whatever VPN group the user selects, regardless of the user groups he belongs to.
I use two ACS local users, put them in two different groups, mapped those two groups to two different Access rules in the ACS, and pointed them to the correct Auth profile etc.
I am not sure what the issue could be and would appreciate it if you could advise.
Thanks in advance.

Similar Messages

  • How to use an authenticated user for a proxy call

    Dear all,
    I am currently working on a JEE application where the user needs to authenticate (for this I have configured the web.xml).
    Now inside this application I need to do a proxy call to a PI webservice.
    I would like to use the user credentials of the already logged in user in order to call the proxy.
    What I don't want to do is to use a service user for the proxy call.
    The code I am trying to call looks something like this:
         private IntegratedConfigurationIn getPort() throws Exception {
              IntegratedConfigurationIn port = null;
              try {
                   IntegratedConfigurationInService service = new IntegratedConfigurationInService();
                   port = (IntegratedConfigurationIn) service.getIntegratedConfigurationIn_Port();
                   // Set the credentials and, if given, the endpoint on the generated proxy
                   BindingProvider bp = (BindingProvider) port;
                   bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
                   bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
                   if (url.length() != 0) {
                        bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
                   }
              } catch (Exception ex) {
                   ex.printStackTrace();
              }
              return port;
         }
    The examples I found to retrieve the user data pointed to code similar to this:
         public HttpServletRequest getHttpRequest() throws Exception {
              // Get runtime context
              Properties props = new Properties();
              props.put("domain", "true");
              Context initialContext = new InitialContext(props);
              // Look up the web service context to reach the current HTTP request
              ApplicationWebServiceContext wsContext = (ApplicationWebServiceContext) initialContext
                        .lookup("/wsContext/ApplicationWebServiceContext");
              HttpServletRequest req = wsContext.getHttpServletRequest();
              return req;
         }

         // Resolve the logged-in user from the current request
         com.sap.security.api.IUser sapUser = com.sap.security.api.UMFactory.getAuthenticator().getLoggedInUser(getHttpRequest(), null);
         IUser ep5User = com.sapportals.wcm.util.usermanagement.WPUMFactory.getUserFactory().getEP5User(sapUser);
    Now I don't know how to bring it together and how to use an authenticated user for the BindingProvider.
    I would appreciate any hints or ideas.

    Peter,
    From the first screenshot, what I understood is that you are calling an inbound PI web service that is intended to create an integrated configuration object (this is used for a whole lot of other reasons completely), but not actually calling a development web service.
    For this, you would have to generate your client classes from the WSDL provided by the PI developer for that particular service. Once you get those client classes generated, you could use the method provided in the other screenshot to extract the user and password and call the intended web service.
    Vijay Konam

  • How to stop the sending attachment through mail group policy

    Hi,
    Our employees sometimes use Gmail and Yahoo accounts. Due to security issues they don't send attachments. How is it possible to deny sending attachments in group policy?
    ranki

    Hi,
    How do your employees use their personal mailbox? If they access it via Outlook, please refer to the suggestions Maffiow provided. If they access it via IE, we could not prevent them from attaching files to their mailbox via Group Policy. As a workaround, you may prevent them from accessing the third-party mailbox webpage via Group Policy.
    For details, please refer to the following article.
    How to use Group Policy to Allow or Block URL’s
    http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/
    Hope this helps.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • How to use Basic Authentication in Sender SOAP Adapter

    We implemented one Sender SOAP Adapter and we had to implement the modified WEB.XML method to remove the security specification.  We have now asked the developer to correct this situation so we can remove this modification.  The Interface developer would like to use Basic Authentication. If you have an automated interface sending in a SOAP Message, how do you do Basic Authentication? 
    I've tried using:
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    When I do this, I still get the Authentication Pop-Up Window.
    How does the Sending Interface either supply the ID and Password on the incoming SOAP Message or respond to the Authentication Pop-Up?
    Thanks,
    Anne

    By default the web service exposed by you will use Basic Authentication mode only.
    But the way you do Basic Authentication in the web client is platform dependent.
    This is not the way to do Basic authentication:
    http://host:port/XISOAPAdapter/MessageServlet?channel=:<Service>:<Channel>&sap-user=xiappluser&sap-password=<Password>&sap-language=EN&sap-client=<Client>
    I am providing you a code snippet on how to do Basic Authentication in Java when making the Web Service call.
    If the client is on some other platform, just look for the corresponding API.
    Please award points if you find this answer useful.
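    Code Snippet
    // Requires: java.net.URL, java.net.URLConnection, java.net.HttpURLConnection,
    //           java.nio.charset.StandardCharsets, java.util.Base64
    URL url = new URL(URL);
    URLConnection connection = url.openConnection();
    if (connection instanceof HttpURLConnection) {
         ((HttpURLConnection) connection).setRequestMethod("POST");
    }
    //connection.setRequestProperty("Content-Length", Integer.toString(content.length()));
    connection.setRequestProperty("Content-Type", "text/xml");
    connection.setDoOutput(true);
    // Basic authentication: base64("user:password") in the Authorization header.
    // The value is only encoded, not encrypted, so the endpoint URL should be https.
    connection.setRequestProperty("Authorization", "Basic " + encode(User + ":" + Password));
    connection.connect();
    Encode Method
    public static String encode(String source) {
         // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which is not
         // available in current JDKs and breaks long output into lines (invalid in a header).
         return Base64.getEncoder().encodeToString(source.getBytes(StandardCharsets.UTF_8));
    }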

  • BitLocker Implementation in Windows 8.1 machine using Windows Server 2008 R2 server group policy.

    Is it possible to enable BitLocker only for Windows 8.1 machines through Windows Server 2008 R2 group policy?
    Thanx and Regards,
    Shanif

    Hi Shanif,
    Yes, we can do this.
    Regarding how to enable Bitlocker via group policy, the following article can be referred to as reference.
    Cannot Save Recovery Information for Bitlocker in Windows 7
    http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
    After configuring the settings, we can use security filtering or WMI filtering to apply the policy to specific computers.
    Regarding this point, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen

  • How to disable attachment preview in Outlook 2013 - group policy

    How do I disable attachment preview in Outlook 2013 in GPO?

    Hi,
    We may follow the steps below to disable attachment preview in Outlook 2013:
    1. Download Office 2013 Administrative Template files, and then follow the instructions in the "Loading the ADMX templates" section of the Use Group Policy to enforce Office 2010 settings article to load the ADMX templates.
    2. Navigate to User Configuration > Administrative Templates > Microsoft Outlook 2013 > Outlook Options > Preferences > Email Options
    3. Double-click Do not allow attachment previewing in Outlook from the right pane.
    4. Select Enable bullet.
    5. Click OK.
    6. Run gpupdate /force command to force an update of GPO settings.
    7. Start Outlook and you should see the attachment previewing feature is disabled.
    Regards,
    Steve Fan
    TechNet Community Support

  • How to roll back settings applied by a Group Policy Custom Administrative Template

    Hi,
    I have disabled the USB ports on a number of workstations using a Group Policy Custom Administrative Template. Now I need to enable them again. Is it possible to do it through a Group Policy Custom Administrative Template again? If not, how can I enable the USB ports?
    TIA
    Bijan

    What I have done exactly is add a custom administrative template through which I can disable removable media. Sorry for the mistake; I was working on another issue and that confused me. Anyway, I have put the content of the .adm file here to be inspected.
    Disableportable.adm content:
    CLASS MACHINE
    CATEGORY !!category
     CATEGORY !!categoryname
      POLICY !!policynameusb
       KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
       EXPLAIN !!explaintextusb
         PART !!labeltextusb DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamecd
       KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
       EXPLAIN !!explaintextcd
         PART !!labeltextcd DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 1 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynameflpy
       KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
       EXPLAIN !!explaintextflpy
         PART !!labeltextflpy DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
      POLICY !!policynamels120
       KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
       EXPLAIN !!explaintextls120
         PART !!labeltextls120 DROPDOWNLIST REQUIRED
           VALUENAME "Start"
           ITEMLIST
            NAME !!Disabled VALUE NUMERIC 3 DEFAULT
            NAME !!Enabled VALUE NUMERIC 4
           END ITEMLIST
         END PART
       END POLICY
     END CATEGORY
    END CATEGORY
    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
    explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
    explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
    explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
    labeltextusb="Disable USB Ports"
    labeltextcd="Disable CD-ROM Drive"
    labeltextflpy="Disable Floppy Drive"
    labeltextls120="Disable High Capacity Floppy Drive"
    Enabled="Enabled"
    Disabled="Disabled"
    Bijan
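
    An added example, not part of the original post: a read-only PowerShell check of the four Start values this template sets. The template writes under SYSTEM\CurrentControlSet\Services rather than under a Policies key, so the values stay in the registry until they are written again; selecting the template's "Disabled" item in each policy writes the value reported as RollbackStart. Function and variable names are hypothetical.

    ```powershell
    # Added example, not from the original post. Service names and Start values
    # are copied from Disableportable.adm above; all other names are hypothetical.
    # Read-only: the script reports state and changes nothing.
    $AdmPolicies = @(
        [pscustomobject]@{ Policy = 'Disable USB';                  Service = 'USBSTOR';  WhenDisabled = 3; WhenEnabled = 4 }
        [pscustomobject]@{ Policy = 'Disable CD-ROM';               Service = 'Cdrom';    WhenDisabled = 1; WhenEnabled = 4 }
        [pscustomobject]@{ Policy = 'Disable Floppy';               Service = 'Flpydisk'; WhenDisabled = 3; WhenEnabled = 4 }
        [pscustomobject]@{ Policy = 'Disable High Capacity Floppy'; Service = 'Sfloppy';  WhenDisabled = 3; WhenEnabled = 4 }
    )

    function Get-DriveRestrictionState {
        param([object[]]$Policies = $AdmPolicies)

        foreach ($p in $Policies) {
            $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($p.Service)"
            $start = $null
            if (Test-Path -Path $key) {
                # Start is the driver start type: 1 = system, 3 = on demand, 4 = disabled
                $start = (Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue).Start
            }

            if ($null -eq $start) {
                $state = 'Service key or Start value not present'
            }
            elseif ($start -eq $p.WhenEnabled) {
                $state = 'Blocked: driver start type is 4 (disabled)'
            }
            elseif ($start -eq $p.WhenDisabled) {
                $state = 'Not blocked: matches the template "Disabled" item'
            }
            else {
                $state = 'Not blocked: value differs from both template items'
            }

            [pscustomobject]@{
                Policy        = $p.Policy
                Service       = $p.Service
                Start         = $start
                State         = $state
                RollbackStart = $p.WhenDisabled   # value the template's "Disabled" item writes
            }
        }
    }

    Get-DriveRestrictionState | Format-Table -AutoSize
    ```

    Running it before and after changing the GPO shows whether the new setting has reached the workstation.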

  • How can I disable IPv6 EUI randomization with group policy?

    I need to turn off IPv6 EUI address randomization. It can be done in netsh (a few commands) or powershell (Set-NetIPv6Protocol -RandomizeIdentifiers Disabled).  How can I do this in group policy without scripting?

    Hi Jordan,
    Before going further, I hope that the suggestion provided by Martin can be helpful.
    It seems that we can't configure this setting via native policy. To configure IPv6 settings, we need to download ADMX files for IPv6. However, per the following article, the IPv6 settings that can be configured are:
    Enable all IPv6 components (Windows default)
    Disable all IPv6 components (the setting you probably want)
    Disable 6to4
    Disable ISATAP
    Disable Teredo
    Disable Teredo and 6to4
    Disable all tunnel interfaces
    Disable all LAN and PPP interfaces
    Disable all LAN, PPP and tunnel interfaces
    Prefer IPv4 over IPv6
    How to Disable IPv6 through Group Policy
    http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
    Best regards,
    Frank Shen
    Please read the question before marking things as answers.

  • How to use LDAP authentication in Oracle Linux

    Hi All,
    In Oracle Linux 2.6.18-194 el5, I went to System->Administration->Authentication, enabled LDAP in both User Information and Authentication, and tried to use network user account information to log in to the Linux machine, but it did not work.
    The login screen waits over 10 minutes after entering the username and password each time and then says the username and password are not correct.
    LDAP Settings only asked for two pieces of information: LDAP Search Base on and LDAP Server. We have another application which uses the same LDAP server and works fine.
    How do I make the Oracle Linux server an LDAP client for user login?
    Thanks in advance for your help.

    I have no idea, but you might find it helpful to read Redhat's documentation concerning this subject:
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ldap.html

  • How to use NT authentication

    I try to use validation of NT authentication every time a user logs on to our NT intranet system. That means all of the users in our intranet will use the same database user name and password to start our forms.
    Can someone tell me how to get the value from NT authentication?
    Thanks

    Pierre Abramovici <[email protected]> wrote in message news:<3be85bad$[email protected]>...
    to be able to seamlessly log onto our Intranet (on PS 3.5) without having to provide their credentials (login and password). Has anyone achieved this?
    I thought this is SSO. From my readings, with IIS, if you were to set up your system to use NTLM or Integrated Windows Authentication instead of basic, your IE browser (not Netscape) can do the job for you for free.
    If, however, you are using Weblogic, then you are in the same boat as I am currently (still trying to find a better solution - I have thought of an unsecure solution :-().
    Good luck,
    drit
    Freelance Java developer/Code Inspector - No job too small or
    difficult!
    http://www.geocities.com/doc_i_t/resume2001.html

  • WLS 10.3.4: How to use OS authentication for JDBC Data Source

    Hello all,
    As a preface, I've tried searching the forum/Google for "OS authentication" and reading the WLS JDBC doc to no avail - if it's documented somewhere, a RTFM link would be much appreciated.
    I'm trying to set up a JDBC data source on WLS that leverages the OS Authentication capability of the Oracle database. If it would help, I can go into the reasoning behind why I want to do this, but basically, it's to simplify the config/deployment of a COTS application. What I have in the database is an "identified externally" user that corresponds to the OS user that is running the WebLogic Server. Normally, in tools such as SQL*Plus, I would use "/@db" as the username/password (in other words, no username and no password specified), and I would be logged in as the "identified externally" user. I want to configure the same thing for a WebLogic Data Source, but if I leave the username/password blank, testing the connection in the WLS console gives me "invalid username/password, login denied". I've also tried using "/" as the username, as was documented in a quite old WLS FAQ, but that gives me the same result.
    Is there some magic switch I need to flip?
    Thanks,
    John

    Hi John, there's no way to do that with connection pools, which is how WLS datasources get their
    connections, or middleware in general. WebLogic would have no way of knowing which if any of the
    pooled connections was appropriate for the current 'user', which is not the application user, but
    instead is the OS identity of the person who started the WebLogic server! If you start up your
    WebLogic server, and people start pointing their browsers to it, doing various stuff, the OS knows
    you started WebLogic, and maybe with the help of OCI, Oracle's JDBC might know it was you who
    started WebLogic's OS process, but what does the OS know about any user that may be running
    a browser or application elsewhere (even if on this same machine), when that browser or application
    connects to your WebLogic server process?
    HTH,
    Joe

  • How to use Kerberos authentication in NFS sharing on Windows

    I have the Windows NFS server role installed on my 2k12r2 machine (NFS server) and the Windows NFS client role installed on my other 2k12r2 machine (NFS client).
    Now I have created an NFS share on my server machine with only the krb5 and krb5i authentication options selected from the authentication wizard (no server authentication is not selected) and provided read-write access to all machines:
    New-NfsShare -Name shareName -Path e:\share -Permission Readwrite -Authentication krb5,krb5i -EnableUnmappedAccess $false
    I am logged in as domain administrator on both the server and client machines.
    Now when I try to mount the share from the client using the following command
    mount -o sec=krb5 \\servername\sharename *
    I receive the error "Network Error - 1450".
    What am I missing?

    Hi puneDev,
    Could you please post the full error message?
    I tested it in my lab; it works.
    You may try to restart the server and client and try again.
    If you have any further information, please feel free to let us know.
    Best Regards
    Elton Ji

  • How to use windows authentication to MSSQL2008 from oim running in Linux

    Hi All,
    We have developed the code (in Eclipse) on a local Windows machine to call sample stored procedures in MSSQL. The code works fine from the client and we are able to create and update users in MSSQL from Windows.
    We have OIM 11g R2 installed on Linux 6 in a local VM. The question is: when building the jar from the code, placing it in the Java task directory of OIM and calling the code, we need the sql.dll file to implement Windows authentication (no user name & pwd) to connect to MSSQL, but this is not possible in Linux since the jar doesn't support it.
    Can anyone please give suggestions on how to implement Windows authentication from Linux through the OIM server?
    Edited by: 970422 on Nov 8, 2012 11:39 PM

    I have no idea, but you might find it helpful to read Redhat's documentation concerning this subject:
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ldap.html

  • How to use UME API to assign user to group ?

    Hi all:
        I would like to write one jsp/ webservice to assign user to one group . Is there some example code ?
        the function can have 2 import parameter, userid, groupid, after the function is executed, the user and group is assigned
        Thanks a lot.

    Hi,
    Code is
              // Requires the SAP UME API (com.sap.security.api.*)
              IGroupFactory grpfact  = UMFactory.getGroupFactory();
              IUserFactory  userfact = UMFactory.getUserFactory();
              IGroup        group    = grpfact.getGroup("GRUP.PRIVATE_DATASOURCE.un:Leave Pilot");
              int nUserListSize = strUsersList.length;
              // Add every logon ID in strUsersList to the group
              for (int i = 0; i < nUserListSize; i++) {
                   IUser objUser = userfact.getUserByLogonID(strUsersList[i]);
                   grpfact.addUserToGroup(objUser.getUniqueID(), group.getUniqueID());
              }

  • How to use a 'Percentofsum' function with a group selection

    Hi All!
    I have created a report using CR XI in which I select on certain records in a database and then further select on those records using a group selection. The displayed records in the subgroup are correct. I sum these totals of the grouping using a formula (Basically 3 formulas, one for Reset, another for the calculation, and the third for the display) since if I just use the 'built in' summary function it will still total all records that were selected before the group selection. My dilemma is that I need to get a percentage of the subtotal based on the total of that grouping. Below is an example of the layout of the report:
                           Dept %    Program Budget   Prgm % of Dept Bud   Cost of %
    GH#1    ADMIN          100%
    GF#2    LEGAL                    448694           4.22%                12382
    GF#2    CITY MGR                 445414           4.19%                12294
    GF#2    CITY CLERK               113075           1.06%                3110
    GF#2    COM PROMO                391657           3.69%                10827
    GF#2    CENTRAL                  1430570          13.46%               39492
    GF#1                   293406    2829410                               78105
    The "2829410" is the Display formula I used to accurately calculate the listed program budget numbers. The 3 formulas I used to get that number are a Reset formula (whileprintingrecords;Numbervar W := 0;) located in GH#1, a Calculation formula (whileprintingrecords;Numbervar W := w + Sum ({@Next Year Budget Amount}, {gl_master.a_org}); ) located in GF#2, and a Display formula (whileprintingrecords;Numbervar W;W) located in GF#1. The percentages that currently display in the "Prgm % of Dept Bud" column are wrong, as they use the 'built in' PercentofSum function when you right-click on the field in the details section and select summary as a percentage of. I need a formula that would do the following calculation: 448694/2829410 = 15.85%, and thus the "Cost of %" formula that would do the following calculation: 293406*.1585 = 12382.
    I tried using similar "Reset", "Calculation", and "Display" formulas but I cannot get them to work correctly. Any help would be greatly appreciated.
    Thanks!
    P.S. The reason I am using a group selection is because it is easier than listing out all the accounts (departments) that I do not want in the report, and that selection could change from time to time, whereas what is in the group selection would never change.
    Sorry for long winded explanation.

    Read all about it.
    You'd probably have to write a little wrapper (using JNI) that passes
    parameters and return values around between your C function and
    the JVM.
    kind regards,
    Jos
