LDAP authorization for VPN
I am having problems getting the LDAP authorization to work. None of the instructions I find seem to coincide with my version of ASDM 5.0(7) and ASA 7.0(7).
So if anyone has the right instructions for these versions, can you send me a link?
I get as far as testing it and it fails. When I test it, it asks for a user name but never a password, so I am not sure what I am doing wrong.
Any help appreciated.
Post your AAA and VPN profile config from the device, please.
Similar Messages
-
LDAP Authorization for OBIEE 10.1.3
Hello,
We have setup LDAP authentication (ADSI LDAP) using OBIEE standalone.
I'm trying to figure out the best way to manage Authorization - user to group assignment in OBIEE.
Options:
1. Using external table
Challenge: The client doesn't have another application that manages user-to-group assignment. If I use external table authorization, how will they manage changes to user-to-group assignment or add a new user to a group? This would require an IT admin to modify the table directly in production. They would like a business super user to handle new user-to-group assignment.
2. Import users to LDAP
Unfortunately this doesn't work with ADSI LDAP. I got the error message: This function is not supported for all LDAP types.
3. I read something about using the database DBMS_LDAP package. Basically: define user-to-group assignment in LDAP, define a DB function to get the user-to-group assignment, and call this DB function in OBIEE.
I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
4. I thought about using Microsoft Excel to maintain user-to-group assignment and using the Excel connection pool in the authorization init block. However, the OBIEE server is configured in an AIX environment, and there is no Excel driver available for UNIX...
Has anyone seen this scenario before? Any suggestions will be greatly appreciated.
When we were asked to combine OBIEE 10g with Active Directory, we chose external table authorization to get information on the groups a user is part of.
In general, one could follow these articles to achieve AD Authentication:
[http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/|http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/]
[http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/|http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/]
To sum it up: read user information from AD. Knowing a user's login name, one can then query an external table that consists of user and group information. Everything is set up within initialization blocks, which can be created in the Administration Tool.
Problem: As you already said, the problem is that this external user-group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
In our case, there's an admin who knows what SQL is and how to work with it.
Another solution could be to prepare an XML file containing user and group information and add it to your repository. The tables could then be queried, too. Although XML files can become quite unwieldy if a lot of information is held within them, they can be edited via external tools or at least with a standard text editor. -
Help with ios LDAP setup for VPN access
I am trying to move Microsoft LDAP for my VPN setup to an ISR router with 15.1 code. It has support but very little documentation. Has anyone configured this before? I need some help or a basic config.
LDAP authentication started from 7.1, if I recall correctly, along with LDAP mapping, which helps you validate whether the user has the dial-in attribute on or off. I would say starting from 7.1 till the latest 8.x version.
Version 6.x does not have this feature. -
Hello;
Does anyone have a good example of an LDAP authorization script? The examples on the Cisco website don't provide enough detail. This version of LDAP is Windows 2003 Active Directory.
Thank you
Refer to this document: Configuring an LDAP Server for VPN Concentrator User Authorization
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/ldapapp.htm#1533072 -
Using OWSM for SAML verification and LDAP authorization
I can verify SAML tokens by using EM security (verifying SAML tokens) but when I use OWSM I get this error at the proxy (by adding the step : SAML - Verify WSS 1.0 Token to the policy of a server agent)
Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
Also I need to LDAP-authorize the subject of the SAML token after verification. Is it enough to put the LDAP authorize step after SAML verification?
Won't I need an EXTRACT CREDENTIAL step?
Regards
Farbod -
Problem with LDAP authentication for users in a group
I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is Windows Server 2012 R2.
I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm re-prompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
  map-name memberOf IETF-Radius-Class
  map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
  ldap-base-dn DC=COMPANY,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
  server-type microsoft
  ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
  vpn-simultaneous-logins 0
  vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
  webvpn
    anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
  wins-server none
  dns-server value 10.10.100.102
  vpn-tunnel-protocol ikev1 ikev2 ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-TUNNEL
  default-domain value net.COMPANY.com
  webvpn
    anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
  address-pool COMPANY-SSL-VPN-POOL
  authentication-server-group LDAP
  authorization-server-group LDAP
  authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
  default-group-policy NOACCESS
  authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
  group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
  ikev1 pre-shared-key *****
I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
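The fix the poster found follows from how the ASA resolves group-policy attributes. The script below is an added example, not Cisco code and not part of the original post: it simulates the authorization decision for the configuration above. The ldap attribute-map turns a memberOf value into a group-policy name, and any attribute that group policy does not set itself is inherited down the chain user group policy, then the connection profile's default-group-policy, then DfltGrpPolicy (the ASA's documented precedence, which the poster's observation matches). Assumptions: the LDAP entries are constructed, DfltGrpPolicy is left at its default of 3 simultaneous logins, and DAP and per-user attributes, which sit above group policies, are ignored.

```python
"""Why an LDAP-mapped group policy can still inherit vpn-simultaneous-logins 0.

Added example, not Cisco code. The LDAP entries and policy tables below are
constructed to match the configuration in the post; the inheritance chain
(user group policy -> connection profile default-group-policy -> DfltGrpPolicy)
is the ASA's documented attribute precedence. DAP and per-user attributes are
ignored (assumption).
"""

ATTR = "vpn-simultaneous-logins"

# map-value memberOf "<DN>" <group-policy>, copied from the post's attribute map
ATTRIBUTE_MAP = {
    "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com": "GroupPolicy_COMPANY_SSL_VPN",
}


def map_class(entry):
    """Apply the ldap attribute-map: return the group policy for the first memberOf
    value that has a map-value, else None. With authorization-required, an unmapped
    user receives no class and falls through to the connection profile's
    default-group-policy."""
    for dn in entry.get("memberOf", []):
        if dn in ATTRIBUTE_MAP:
            return ATTRIBUTE_MAP[dn]
    return None


def resolve(attr, chain):
    """Walk the inheritance chain, highest precedence first; the first policy that
    explicitly sets attr supplies the value. Returns (value, name of that policy)."""
    for name, attrs in chain:
        if attr in attrs:
            return attrs[attr], name
    raise KeyError(attr)  # a real chain always ends in DfltGrpPolicy, which sets everything


def authorize(entry, policies, tunnel_default):
    """Return (effective group policy, simultaneous-logins value, policy that supplied
    it, whether a login is allowed at all)."""
    cls = map_class(entry)
    chain = []
    if cls is not None:
        chain.append((cls, policies[cls]))
    chain.append((tunnel_default, policies[tunnel_default]))
    chain.append(("DfltGrpPolicy", policies["DfltGrpPolicy"]))
    value, source = resolve(ATTR, chain)
    effective = cls if cls is not None else tunnel_default
    return effective, value, source, value > 0


# Constructed LDAP results, shaped like the debug lines in the post.
MEMBER = {
    "sAMAccountName": "alice",
    "memberOf": ["CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"],
    "msNPAllowDialin": "TRUE",
}
NON_MEMBER = {
    "sAMAccountName": "bob",
    "memberOf": ["CN=Staff,OU=COMPANY Groups,DC=COMPANY,DC=com"],
}


def policies(fixed):
    """Group policies from the post. `fixed` adds the one line the poster had to add;
    DfltGrpPolicy at its ASA default of 3 is an assumption."""
    ssl_vpn = {ATTR: 15} if fixed else {}  # nothing set -> inherit
    return {
        "DfltGrpPolicy": {ATTR: 3},
        "NOACCESS": {ATTR: 0},
        "GroupPolicy_COMPANY_SSL_VPN": ssl_vpn,
    }


def before_fix():
    return authorize(MEMBER, policies(False), "NOACCESS")


def after_fix():
    return authorize(MEMBER, policies(True), "NOACCESS")


def non_member():
    return authorize(NON_MEMBER, policies(True), "NOACCESS")


if __name__ == "__main__":
    for label, fn in (("before fix", before_fix), ("after fix", after_fix), ("non-member", non_member)):
        gp, n, src, ok = fn()
        print(f"{label:10} policy={gp} {ATTR}={n} (from {src}) -> {'allowed' if ok else 'denied'}")
```

The point this makes for the NOACCESS pattern in general: a group policy reached through the LDAP class attribute must set every attribute that NOACCESS deliberately sets to a denying value, or the denial is inherited along with it.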
-
Hello
Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACLs and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.
Any good docs, white papers, field notes, or how-tos that can address this will be appreciated.
Thanks
We use ISE for VPN (connection with OpenLDAP). On the authentication policy you have multiple options. We used the network access - device IP address option. On the Authorization tab we again used the IP address option in combination with an LDAP attribute holding the status of the person (student, teacher, admin, ...). On the policy elements tab we made some authorization profiles in Results - Authorization - Authorization Profiles. When you make a new profile you can select the ASA VPN attribute under Common Tasks. There you can, for example, insert admin.
So if you have an admin user who wants to log in:
authentication: user found in LDAP (or AD)
authorization:
- user is coming from the ASA IP address
- user attribute is admin
= user is authorized for the admin class on your ASA VPN device. -
Can I use ISE IPN without posture for VPN with Base license only?
I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
Thanks,
Val Rodionov
Val,
There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for RADIUS authentication for VPN users.
If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with Base licensing; however, I would strongly recommend working with the PDI (for partners) for help and confirmation.
Thanks,
Tarik Admani
*Please rate helpful posts* -
LDAP realm for authentication and ACL in Database
We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use the LDAP realm for authentication and manage our ACLs from a database? Or do we have to use the weblogic.properties file? Do the WebLogic security APIs help in the above scenario? Thanks, Ram
Unfortunately, there is no easy way to do this in WLS 6.0.
The only way to handle it is to write your own custom realm that uses LDAP for users and groups and a database for ACLs, which is probably not a viable alternative.
-Tom
"kevin doherty" <[email protected]> wrote:
>
Jeffrey Hirsch <[email protected]> wrote:
You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
Thanks!
-kd -
Using ISE to assign ACL's for VPN users
Hi,
I've just implemented ISE in our environment using various documents and videos found online but have not been able to find anything about using ISE to authenticate remote users via VPN and assigning them the ACLs created for their level of network access.
Does anyone know of a good document or training video knocking about that I can use?
Thanks
Jason
Jason,
If the ACL is present on the ASA you can use the "filter-id" RADIUS attribute to reference the ACL for the user's session. You can make this work by configuring an authorization profile and tying it in with your authorization policy for VPN users.
If you want to push an ACL, then my recommendation is to use cisco-av-pairs to push the ACLs, since the ACL that is applied is associated with the username of the VPN session.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
Thanks,
Tarik Admani
*Please rate helpful posts* -
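To make the distinction in Tarik Admani's reply above concrete (Filter-Id names an ACL that must already exist on the ASA; cisco-av-pair ip:inacl#N=... pushes the ACE lines themselves), here is an added example that is not Cisco or ISE code and not part of the thread. It builds the two kinds of authorization-profile attributes and simulates how the ASA side would resolve them for a session. Assumptions: the ACL names and ACE strings are constructed; a session carrying both attribute kinds is treated as a configuration error here rather than resolved by any precedence rule.

```python
"""Two ways a RADIUS server such as ISE can attach an ACL to an ASA VPN session,
and what the ASA needs for each.

  Filter-Id (RADIUS attribute 11)   names an ACL that must already exist on the ASA
  cisco-av-pair ip:inacl#N=<ace>    pushes the ACE text; the ASA assembles a per-user
                                    ACL from the numbered lines (a downloadable ACL)

Added example, not Cisco or ISE code; ACL names and ACEs below are constructed.
Treating Filter-Id plus pushed ACEs in one Access-Accept as "ambiguous" is a choice
of this simulation, not documented ASA behaviour (assumption).
"""

import re

AV_PAIR = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def profile_filter_id(acl_name):
    """Authorization profile that references an ASA-resident ACL by name."""
    return {"Filter-Id": acl_name}


def profile_dacl(aces):
    """Authorization profile that pushes the ACE lines as numbered cisco-av-pair values."""
    return {"cisco-av-pair": [f"ip:inacl#{n}={ace}" for n, ace in enumerate(aces, start=1)]}


def apply_session_acl(attrs, asa_acls):
    """Resolve the per-session ACL from Access-Accept attributes.

    attrs:    the RADIUS attributes returned for the session
    asa_acls: ACL names configured on the ASA, mapped to their ACE lists
    Returns {"status": "ok" | "no-such-acl" | "ambiguous" | "none", "acl": ..., "aces": [...]}.
    """
    pushed = [v for v in attrs.get("cisco-av-pair", []) if AV_PAIR.match(v)]
    named = attrs.get("Filter-Id")
    if named and pushed:
        return {"status": "ambiguous", "acl": None, "aces": []}
    if named:
        if named not in asa_acls:
            # Filter-Id only references; if the ACL is not on the box there is nothing to apply.
            return {"status": "no-such-acl", "acl": named, "aces": []}
        return {"status": "ok", "acl": named, "aces": list(asa_acls[named])}
    if pushed:
        # Order by the sequence number after '#', not by the order the attributes arrived in.
        numbered = sorted((int(m.group(1)), m.group(2)) for m in map(AV_PAIR.match, pushed))
        return {"status": "ok", "acl": "per-user", "aces": [ace for _, ace in numbered]}
    return {"status": "none", "acl": None, "aces": []}


# Constructed ASA state: only one named ACL exists on the device.
ASA_ACLS = {"VPN_ADMIN": ["permit ip any any"]}


def demo():
    """Three sessions: a Filter-Id that resolves, one that does not, and pushed ACEs
    that arrive out of sequence."""
    return {
        "present": apply_session_acl(profile_filter_id("VPN_ADMIN"), ASA_ACLS),
        "missing": apply_session_acl(profile_filter_id("VPN_USER"), ASA_ACLS),
        "pushed": apply_session_acl(
            {"cisco-av-pair": [
                "ip:inacl#2=deny ip any any",
                "ip:inacl#1=permit tcp any host 10.10.100.102 eq 53",
            ]},
            ASA_ACLS,
        ),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:8} {result['status']:12} acl={result['acl']} aces={result['aces']}")
```

The practical consequence for an ISE-to-ASA migration from ACS: dACLs defined in ACS carry over as cisco-av-pair pushes and need nothing pre-configured on the ASA, whereas a Filter-Id profile silently depends on every ASA in the deployment having an ACL of exactly that name.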
Problem with Authorization for Planning folder
Hi, I am having a problem with providing authorization for a planning folder.
I am getting the following error when I test it with a test user:
Error while calling up RFC
Message no. UPC202
Diagnosis
You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
"You do not have authorization for InfoCube ZT_MR_T "
Procedure
Inform the system administrator.
We are not pulling the data from any other server, all the data is on the s
If anyone has faced the same issue, let me know.
Regards,
Abraham
Calling through transaction code BPS0 in ECC 6, I am getting this error:
Error while calling up RFC
Message No. UPC202
Diagnosis
You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
"An error occurred during the receipt of a complex parameter."
After checking in BW transaction code ST22, I see the following error message:
Category Internal Kernel Error
Runtime Errors PARAMETER_CONVERSION_ERROR
Application Component BC-MID-RFC
Short text
An error occurred during the receipt of a complex parameter.
What happened?
During a remote function call, an error occurred while converting
a complex parameter.
What can you do?
Note which actions and input led to the error.
For further help in handling the problem, contact your SAP administrator
You can use the ABAP dump analysis transaction ST22 to view and manage
termination messages, in particular for long term reference.
Error analysis
An error occurred during the conversion of a complex parameter. -
Problem with Authorization for BW BPS planning Folder
Hi, I am having a problem with providing authorization for a planning folder.
I am getting the following error when I test it with a test user:
Error while calling up RFC
Message no. UPC202
Diagnosis
You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
"You do not have authorization for InfoCube ZT_MR_T "
Procedure
Inform the system administrator.
If anyone has faced the same issue, let me know.
Regards,
Abraham
Hi,
I checked it out; we don't have that cube in our system.
Regards,
Abraham -
Authorization for opening & Closing posting periods - OB52
Hi,
Is there any way to set authorization for opening and closing of posting periods in OB52?
My scenario:
I have 2 company codes, A and B, assigned to 2 different posting period variants, say PPA and PPB.
The user belonging to CoCd A should not be able to open/close posting period of CoCd B and vice versa.
Is this possible through any authorization settings?
Request your help on this.
Regards,
Sridevi
Hi Sridevi,
Please go through the following:
You can assign authorization groups for permitted posting periods. This means that, for example, some posting periods can only be opened for particular users within monthly or annual closing. You can only assign the authorization group at document header level and it only affects period 1. The authorization object is called F_BKPF_BUP (Accounting document: Authorizations for posting periods). Read the corresponding chapter on "User maintenance" in the "Assigning authorizations" topic.
"User maintenance"
Due to the modular authorization concept of the system, you can define authorization profiles which are tailored to the workplace of your employees. You can, for example, assign authorization to a workplace in the Accounts Receivable, Accounts Payable or General Ledger Accounting areas.
By assigning authorizations you define which business-related objects your employees are allowed to process and which editing functions are allowed.
In the following activities for authorization management, you must carry out the following for employees who are to work with the system:
Assign authorizations
The authorizations are assigned by specifying permitted values for the pre-defined objects.
Define profiles
In the SAP system, authorizations are grouped together in workplace profiles. Therefore one or more profiles must be allocated to the individual employee in the master record.
I hope this helps.
Regards
Kavitha -
Authorizations for materials and material groups
Hello experts,
Is it possible to limit the authorization to make purchase requisitions for some materials or material groups depending on the user?
I heard that it is possible to restrict updating some materials using the authorization object M_MATE_MAT and including them in the material master, material group and user. But does this also work for the creation of purchasing documents (PR, PO, RFQ, ...)? Do I have to include this authorization for all the materials? If they do not have it, I understand that it works for everyone.
Thanks in advance for your help
Best regards,
Hi Madii,
Actually, authorization works at the object level, i.e. if you have provided the authorization for the user to make a PR with a certain material group, then even if you don't define that group in the PO role, the user will still get the authorization from the PR role.
Why do you want to allow the user to make the PR for a certain material group for which he should not be making the PO?
Or let a different body take care of the other material group.
Hope it helps.
Regards,
Yawar Khan -
Authorization for certain warehouse in stock transfer
I'm trying to create an authorization for stock transfer when To Warehouse equals a certain value. Is there a way to do it?
Hi,
How could I do it with an approval procedure?
You can create approval stages and template by using query
Is it with a query?
Yes
Will it be similar to a formatted search?
Yes
Try this query at row level with only one item:
SELECT DISTINCT 'True' FROM OWTR T0 INNER JOIN WTR1 T1 ON T0.DocEntry = T1.DocEntry
WHERE $[$23.5.0] = 'ExScrap'
Note: Replace Exscrap with your warehouse name.
Thanks & Regards,
Nagarajan