Mobility Group and re-authentication

Hello All
I have two WLCs, a 4402 and a 5508, in a mobility group. They are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that users are having to re-authenticate when moving around the office. My theory is that they are moving from one WLC to the other and are then required to re-authenticate. Is this what others are seeing? And is this working as designed?
thanks for your help
Dan

I would do what nikhilcherian posted, because devices in the RUN state will be able to roam to another WLC (mobility and interface the same) without having to re-authenticate. But like George mentioned, test it out yourself... Don't listen to users :)

Similar Messages

  • AD Groups and VCS Authentication

    I am thinking about setting up my VCS with direct AD authentication for MOVI users.   I have a group in the AD containing all our MOVI users. The problem is I do not see how to restrict authentication to only that group. I do not see a setting on the VCS authentication config page.  Am I missing something?

    Hello Eli -
    It's not possible to specify a base DN for users or groups when setting up Active Directory Services for device authentication on the VCS, as the VCS is just used to authenticate the user's password when they try to sign in.  What determines if they can attempt to sign in using ADS is whether they have an account within TMSPE; if they don't have an account, they won't authenticate to AD via the VCS.  With that said, you can limit who gets imported into TMSPE by specifying AD groups.  Starting at the bottom of pg 26, the Cisco-TMSPE-with-VCS-Deployment-Guide-1-2 covers how to set up importing users into TMSPE using AD.

  • Everyone Group vs. Authenticated Users Group

    Two questions.....
    1.) What is the difference between the "Everyone" group and the "Authenticated Users" group.
    2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
    Regards,
    Diane

    Diane,
    The following answer is not a SAP answer, but I did a quick check on our system and:
    1. The difference between the group Everyone and Authenticated Users is exactly one user assignment. I looked further and see that it has to do with the J2EE_GUEST user. This user is a member of the group Everyone but NOT of the group Authenticated Users.
    2. I cannot give you a sure answer on this question, but maybe it has to do with security that this is needed?!?!
    Hopefully another SDN community member can fill me in here...
    Good luck and Kind Regards,
    Benjamin Houttuin

  • ISE 1.2: Remove unused Sponsor Group and Identity Group

    Hi
    I started with ISE 1.1.2 and now upgrade to 1.2.
    There are 1. Sponsor Groups and 2. Identity Groups which are no more in use, but I am not able to remove them anymore.
    1. One is a special Sponsor Group whose sponsor group policy I already removed. Then I go to Administration>Web Portal Management>Sponsor Groups, select the appropriate group and click delete and ok to confirm, and the following error is displayed:
    com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
    2. The same happens with one Identity Group. I do not have it active anymore, not in the authentication and not in the authorization policy. I go to Administration>Identity Management>Groups, select the group to remove, click "Delete selected" and confirm with ok, and the following error occurs:
    Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
    Is there any reason for either of these issues?
    Many thanks

    Hi ,
    Please open a service request with Cisco. These kinds of issues may happen when the dependencies are deleted from the UI, but there is a chance that some of the dependencies were not deleted completely and are not visible from the UI either.  These kinds of issues can be resolved under Cisco guidance.
    Thanks,
    Naresh

  • OS and Database Authentication

    Hi everyone,
    I use Oracle 10g on Fedora Core 4.
    Here is the question:
    I've created an account for my OS user (oracle) in the database named ops$oracle (ops$ is the value of OS_AUTHENT_PREFIX parameter). The oracle user in OS is member of "dba" group and in database is member of "sysdba".
    I also have created a password file for this database.
    There is no problem if I connect from a remote windows client like this:
    sqlplus "ops$oracle/secret@testDb as sysdba"
    but I get "ORA-01031: insufficient privileges" if I login to the OS as oracle and try this:
    sqlplus "ops$oracle/secret@testDb as sysdba"
    I don't get why.
    I tried "ops$oracle/secret as sysdba" (when I was logged in to the OS as oracle) and it worked fine, which I think is alright. Because when I take "@testDb" out it means I'm using OS Authentication, because it takes precedence over password file authentication. Right?
    Thanks in advance
    Amir Gheibi

    > but I get "ORA-01031: insufficient privileges" if I login to the OS as oracle and try this:
    > sqlplus "ops$oracle/secret@testDb as sysdba"
    On the server running the db, you should also be able to connect just with:
    export ORACLE_SID=testDB
    sqlplus /
    Does this work?
    Did you run any CREATE USER statement for the "oracle" account?
    If yes, which one?
    > Because when I take "@testDb" out means I'm using OS Authentication, because it takes precedence over password file authentication. right?
    No, taking out @testDB will just connect to the instance defined by the ORACLE_SID environment variable.

  • Anyconnect tunnel-group and group-policy from LDAP

    Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
    To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
    It is my understanding that the authentication method is provided by the tunnel-group.
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LDAP_AD
    This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth, a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
    Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect.  When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
    When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
    To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

    Fabian, 
    Your connection lands on a tunnel group and picks a group policy. 
    A typical way to overcome the problem you're indicating is by using group-url. 
    a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
    vide:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    M.

  • EAP-TLS User and machine authentication question

    Hello,
    I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD if the user and machine are members of a certain group, and based on the membership I can grant access to the network.
    I can see in the ACS when a laptop logs on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode. I guess this is normal, because the laptop only sends the authentication request after rebooting.
    What I'd like to achieve is that when a user logs on, it should always be checked whether the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
    Thanks in advance
    alex

    Sounds like you rather want to use PEAP/MSChapV2

  • User Groups and non Developers users

    Hi,
    two questions.
    1) How do I create user groups?
    I want to divide specific users into specific groups.
    2) I created users that are not developers and not administrators.
    When I logged on with those users I didn't see any of the applications. Why?
    Thanx.

    1. You asked "how do I assign users to that group and later attach the group..." I think your question is not about how to assign users to a group but rather how to attach the group... Use the function wwv_flow_fnd_user_api.user_in_group in an authorization scheme (desc wwv_flow_fnd_user_api). Attach the scheme to a region, button, etc. to control access. Please read about authorization schemes in the user guide and search this forum for "authorization" and "groups" for useful threads.
    2. A user account without development privilege will be useful for authenticating to an application you create. It will not be useful for developing any applications in the Application Builder.
    Scott

  • WPA2 and mac authentication

    I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA2-PSK and MAC authentication to work together?

    Hi Jared,
    you can do this by setup the following:
    Webinterface:
    1. Security -> Server Manager
    Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Security -> Advanced Security
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, because the MAC of the supplicants is too easy to sniff, and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank

  • Async Dial with multiple groups and ACS

    has anyone else tried / managed to have multiple dialer mappings on a remote access router with the user dynamically allocated to the correct one based upon the details they provide as part of the PPP process?
    In my case I have an ACS server 3.3 which deals with the authentication through AAA passed on by the router running 12.2 mainline. This works fine, but the end user now wants to have an 802.1q trunk from the router onto the network, with the dial-in user's IP address allocated by the ACS server and the user placed in the relevant dialer group and therefore VLAN mapping, to give them access to the services they would have if they were on the LAN normally.
    I guess the IP address allocation could be dealt with via pools on the RAS box, but this would still leave me with the problem of dialer interface allocation based upon an authentication process which happens away from the router.

    Check out the following sample configurations for various scenarios (including dial-up using Windows NT or domain database) and for dial-up using ACS user database for both RADIUS and TACACS+, see if it helps :
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/tsd_products_support_series_home.html
    http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800fa54a.shtml

  • Pt:tree of community groups and users

    I am creating a community emailer portlet for emailing the users of a community. I want to use a pt:tree that lists the groups and users who have membership in the community. I want the individual users, groups and users in groups to be checkable. I've been playing with the pt:tree for a while now without success. Can anyone help? This seems like it would be a common question, but I cannot find any answered threads on this. Thank you!

    "Vikram" <[email protected]> wrote in message
    news:3eb6f601$[email protected]..
    > Hi,
    > We are having problems seeing users or groups in our LDAP repository, through the WLS (7.0 sp2) console. I created a Custom Security Realm (myRealm) in which I added the Novell LDAP Authentication provider as one of the authentication providers besides a Default Weblogic Authentication Provider (for the system user account). When I click on Users or Groups, I see either the "system" user account or the "Administrators, Deployers, Operators, Monitors" groups. These groups and user accounts are provided by the Weblogic Default Authentication provider. I am unable to see any of our LDAP groups or user accounts. If I try to login to the WLS console with an LDAP user account, the authentication goes successfully. So WLS is authenticating the user correctly but is not displaying the User and Group information in the console.
    > We need to be able to look at the Group information in order to configure a Group Portal.
    > Just out of curiosity, I configured an LDAP authentication provider in the Compatibility Security Realm and I was not able to see any of our LDAP users or groups in the Compatibility Security Realm either. I did reboot the WLS after configuring the LDAP authentication provider in both cases.
    > I would appreciate it if anybody can suggest probable reasons or workarounds to list the LDAP groups in the WLS 7.0 console.
    I believe this is fixed in the latest 7.0 sp.

  • Mapping Default Profiles of PT groups and folders for automating subportal experience

    I need to automate the subportal experience by adding the users to the folders. These folders will correspond to the Plumtree groups that we create.
    We are already planning on automating the maintenance of these PT groups by authentication source by applying custom business logic in a Java program. I believe I can do the folder maintenance in the same program as well. However, to make it more efficient and maintainable, I have the following questions.
    Is there a way to map the PT groups to the folders by using Default Profiles (by auth source)? I think this would help me avoid hard coding which users belonging to certain groups go in which folders. Is there another, better approach? Any help would be appreciated.
    Thanks.
    Vanita
    Staples

    Thanks a lot for your reply Mark. I tried to add the Plumtree-only groups to the Auth source and I am not allowed. It seems like this works only for the Auth Source (NTLM, AD etc.) groups, not Plumtree-only groups. Is there a way to do this kind of mapping for Plumtree-only groups (to avoid doing this programmatically)?
    Regards
    Vanita
    ------- Mark Dimas wrote on 1/28/05 10:41 AM -------
    You can have users placed directly in folders based off of group membership by using the Partial Users Synchronization mode.
    On the auth source select Partial Users Synchronization and run a sync job. This will import all the groups. Then go back to the auth source; on the first page under Default Profiles add the groups, and for each group you can select the destination folder for members of that group. Then, on the Fully Synchronized Groups page you can add all the groups you want to import members from. Run the job again and all the users that are members of the selected groups will be imported and placed in the correct folder.

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know whether it is possible to have machine authentication and user authentication happen at the same time? Something like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND    AD:externalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND    AD:externalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur at different contexts.
    ACS cannot verify the both at the same time.
    Using MAR, you can, though club the both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful
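    The EAP-TLS question above (a user should only get access if the machine was authenticated first, which a laptop returning from hibernate never repeats) and the MAR tips in this reply describe the same policy. The following Python model is an added illustration and not Cisco ACS code or anything from the thread: it shows the two authorization rules of tip 2, the "Was machine authenticated" condition of tip 4 backed by a cache with the aging time of tip 3, and why the aging time has to cover the hibernate gap. Group names, the MAC address, timestamps and VLAN labels are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class MarCache:
    """Machine Access Restriction cache: calling-station-id -> time of the
    last successful machine authentication. Entries expire after the MAR
    aging time (the value set on the ACS AD configuration page, tip 3)."""
    aging_seconds: int
    entries: dict = field(default_factory=dict)

    def record(self, station_id: str, now: int) -> None:
        self.entries[station_id] = now

    def was_machine_authenticated(self, station_id: str, now: int) -> bool:
        # The "Was machine authenticated" condition used in the user rule (tip 4)
        stamp = self.entries.get(station_id)
        if stamp is None:
            return False
        if now - stamp > self.aging_seconds:
            del self.entries[station_id]  # aged out: treated like a never-seen client
            return False
        return True


# Constructed group names standing in for the AD external groups in the thread
DOMAIN_COMPUTERS = "example.local/Domain Computers"
ALLOWED_USERS = "example.local/Some_domain_user_group"

FULL_ACCESS = "vlan X"           # permission of the user rule when MAR passes
RESTRICTED = "vlan restricted"   # machine-only access, or user on an unknown machine
REJECT = "access-reject"


def authorize(request: dict, cache: MarCache, now: int) -> str:
    """Two authorization rules as in tip 2: one for the machine identity and
    one for the user identity, told apart by the identity name and AD group.
    Only the user rule consults the MAR cache; the two contexts never meet
    in a single rule, which is why the combined condition is not possible."""
    groups = set(request["ad_groups"])
    station = request["station_id"]
    if request["identity"].startswith("host/"):
        # Machine rule: a domain computer authenticating on its own at boot
        if DOMAIN_COMPUTERS not in groups:
            return REJECT
        cache.record(station, now)  # MAR remembers this client
        return RESTRICTED           # machine alone gets limited access
    # User rule: valid user AND the machine was seen earlier from this client
    if ALLOWED_USERS not in groups:
        return REJECT
    if cache.was_machine_authenticated(station, now):
        return FULL_ACCESS
    return RESTRICTED


def run_scenario(aging_seconds: int = 3600) -> list:
    """Constructed sequence: laptop boots (machine auth at t=0), the user logs
    on shortly after, the laptop comes back from hibernate two hours later
    and only the user re-authenticates, then the same user tries from a
    machine that never performed machine authentication."""
    cache = MarCache(aging_seconds)
    mac = "00:11:22:33:44:55"  # constructed calling-station-id
    machine = {"identity": "host/LAPTOP1$", "station_id": mac,
               "ad_groups": [DOMAIN_COMPUTERS]}
    user = {"identity": "alex", "station_id": mac,
            "ad_groups": [ALLOWED_USERS]}
    unknown_machine_user = dict(user, station_id="66:77:88:99:aa:bb")
    return [
        authorize(machine, cache, now=0),                 # boot: restricted, MAR entry created
        authorize(user, cache, now=30),                   # logon: full access
        authorize(user, cache, now=7200),                 # after hibernate: depends on aging time
        authorize(unknown_machine_user, cache, now=40),   # valid user, no machine auth ever
    ]


if __name__ == "__main__":
    print("aging 1 h :", run_scenario())
    print("aging 24 h:", run_scenario(aging_seconds=86400))
```

    With a one-hour aging time the third request drops to restricted access, because the laptop did not repeat machine authentication after hibernate and the cache entry has expired; with a 24-hour aging time the same request keeps full access. That is the trade-off tip 3 asks you to set: long enough to cover sleep and hibernate cycles, short enough that a stale entry cannot vouch for a machine that left the domain.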

  • Nexus 7000 aaa and local authentication

    Hello,
    I tried to configure aaa (with radius) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
    Radius authentication is working fine(!), but I can't log in with a locally created user (role vdc-operator).
    Any help is highly appreciated.
    Kind regards,
    Andreas

    Hi,
    yes, I know that the fallback will jump in when no radius server responds, but I need the behaviour that the 6500 (or 4500) has. (BTW, local login works if radius is disabled or local is the default, but if local is the default, radius login no longer works.) Only one of the methods works at a time.
    On the 6500 I configured aaa with Windows NPS-Server and a local user (e.g. for the Cisco-LMS). This works fine. Even if the radius server is available, i can log into the device (via ssh) with the locally defined user-account.
    What I miss is a kind of the command:
    "aaa authentication login default local group radius"
    "aaa authentication enable default enable"
    (which works on the WS-C6509 or  WS-C4500X).
    Is there any chance to get this work on the Nexus7000?
    Kind regards,
    Andreas
