Mobility Group and re-authentication
Hello All
I have two WLCs, a 4402 and a 5508, in a mobility group. They are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that users have to re-authenticate when moving around the office. My theory is that they are moving from one WLC to the other and are then required to re-authenticate. Is this what others are seeing? And is this working as designed?
thanks for your help
Dan
I would do what nikhilcherian posted, because devices in the RUN state will be able to roam to another WLC (mobility group and interface the same) without having to re-authenticate. But like George mentioned, test it out yourself... Don't listen to users :)
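As an added check for the WLC thread above (this is not from the thread; the peer address 192.0.2.20, the client MAC and the WLAN ID are assumed placeholders), the 7.0 controller CLI output that tells you whether a web-auth client roamed between the controllers or was simply re-authenticated:

```cisco
! Added example; all addresses, MACs and the WLAN ID are placeholders.
! Run the same commands on both the 4402 and the 5508.

! 1. Both controllers must list each other under the same mobility group
!    name, with the control path and data path both "Up".
(Cisco Controller) >show mobility summary

! 2. Test the mobility control path (UDP 16666) and the EoIP data path
!    (IP protocol 97) to the peer; a roam cannot be handed over if either fails.
(Cisco Controller) >mping 192.0.2.20
(Cisco Controller) >eping 192.0.2.20

! 3. The WLAN must be identical on both controllers (SSID, Layer 3 web-auth,
!    interface). Also note the session timeout: the default of 1800 seconds
!    expires the web-auth session every 30 minutes regardless of roaming,
!    which looks exactly like "users have to log in again when they move".
(Cisco Controller) >show wlan 1
!    Session Timeout .............................. 1800 seconds
!    Web Based Authentication ..................... Enabled

! 4. Only clients in the RUN state roam without re-authenticating. Check the
!    client before the roam, then again on the other controller after it.
(Cisco Controller) >show client detail 00:11:22:33:44:55
!    Policy Manager State ......................... RUN
!    Mobility State ............................... Local     (before the roam)
!    Mobility State ............................... Foreign   (after a Layer 3 roam;
!                                                              a Layer 2 roam keeps Local)
!    If the client shows WEBAUTH_REQD on the second controller after it was
!    RUN on the first, it was treated as a new join, not as a roam.
```

If mping succeeds but eping fails, the control plane agrees on the roam while the data path does not, and the client ends up re-joining; fix the EoIP path (firewall, MTU) before touching the WLAN.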
Similar Messages
-
AD Groups and VCS Authentication
I am thinking about setting up my VCS with direct AD authentication for MOVI users. I have a group in the AD containing all our MOVI users. The problem is I do not see how to restrict authentication to only that group. I do not see a setting on the VCS authentication config page. Am I missing something?
Hello Eli -
It's not possible to specify a base DN for users or groups when setting up Active Directory Services for device authentication on the VCS, as the VCS is just used to authenticate the user's password when they try to sign in. What determines whether they can attempt to sign in using ADS is whether they have an account within TMSPE; if they don't have an account, they won't authenticate to AD via the VCS. With that said, you can limit who gets imported into TMSPE by specifying AD groups. Starting at the bottom of page 26, the Cisco-TMSPE-with-VCS-Deployment-Guide-1-2 covers how to set up importing users into TMSPE using AD. -
Everyone Group vs. Authenticated Users Group
Two questions.....
1) What is the difference between the "Everyone" group and the "Authenticated Users" group?
2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
Regards,
Diane

Diane,
The following answer is not a SAP answer, but I did a quick check on our system and:
1. The difference between the group Everyone and Authenticated Users is exactly one user assignment. I looked further and see that it has to do with the J2EE_GUEST user: this user is a member of the group Everyone but NOT of the group Authenticated Users.
2. I cannot give you a sure answer on this question, but maybe it has to do with security that this is needed?!
Hopefully another SDN community member can fill me in here...
Good luck and Kind Regards,
Benjamin Houttuin -
ISE 1.2: Remove unused Sponsor Group and Identity Group
Hi
I started with ISE 1.1.2 and have now upgraded to 1.2.
There are 1. sponsor groups and 2. identity groups which are no longer in use, but I am not able to remove them any more.
1. One is a special sponsor group whose sponsor group policy I already removed. When I go to Administration > Web Portal Management > Sponsor Groups, select the appropriate group and click Delete, then OK to confirm, the following error is displayed:
com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
2. The same happens with one identity group. I do not use it any more: not in the authentication policy and not in the authorization policy. I go to Administration > Identity Management > Groups, select the group to remove, click "Delete selected" and confirm with OK, and the following error occurs:
Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
Is there any reason for either of these issues?
Many thanks

Hi,
Please open a service request with Cisco. These kinds of issues may happen when the dependencies are deleted from the UI, but there is a chance that some of them were not deleted completely and are not visible from the UI either. These kinds of issues can be resolved under Cisco guidance.
Thanks,
Naresh -
OS and Database Authentication
Hi everyone,
I use Oracle 10g on Fedora Core 4.
Here is the question:
I've created an account for my OS user (oracle) in the database named ops$oracle (ops$ is the value of the OS_AUTHENT_PREFIX parameter). The oracle user in the OS is a member of the "dba" group and in the database is a member of "sysdba".
I also have created a password file for this database.
There is no problem if I connect from a remote windows client like this:
sqlplus "ops$oracle/secret@testDb as sysdba"
but I get "ORA-01031: insufficient privileges" if I log in to the OS as oracle and try this:
sqlplus "ops$oracle/secret@testDb as sysdba"
I don't get why.
I tried "ops$oracle/secret as sysdba" (when I was logged in to the OS as oracle) and it worked fine, which I think is alright, because when I take "@testDb" out it means I'm using OS authentication, because it takes precedence over password file authentication. Right?
Thanks in advance
Amir Gheibi

> but I get "ORA-01031: insufficient privileges" if I login to the OS as oracle and try this: sqlplus "ops$oracle/secret@testDb as sysdba"
On the server running the db, you should also be able to connect just with:
export ORACLE_SID=testDB
sqlplus /
Does this work?
Did you run any CREATE USER statement for "oracle" account ?
If yes, which one ?
> Because when I take "@testDb" out means I'm using OS Authentication, because it takes precedence over password file authentication. right?
No, taking out @testDB will just connect to the instance defined by the ORACLE_SID environment variable. -
Anyconnect tunnel-group and group-policy from LDAP
Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
It is my understanding that the authentication method is provided by the tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_AD
This all works, but for _one_ of the group policies I'd like to enable (external) two-factor authentication. To enable two-factor auth, a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
To summarize: is it possible to let LDAP decide which tunnel-group is used, or is there another way to have different group policies without users being able to choose?

Fabian,
Your connection lands on a tunnel group and picks a group policy.
A typical way to overcome the problem you're indicating is by using group-url.
A URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.
See:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
M. -
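For the AnyConnect tunnel-group question in the preceding thread, an added configuration example (not from the thread or from the reply): group-url steers the users who need the second factor into a dedicated tunnel-group, and group-lock on the group-policy refuses sessions that arrived any other way. LDAP_AD and DefaultWEBVPNGroup are the names used in the thread; the tunnel-group name TG_2FA, the group-policy GP_2FA, the OTP server group RSA_OTP and the URL are assumptions.

```cisco
! Added example, not the poster's configuration. TG_2FA, GP_2FA, RSA_OTP and
! the URL are placeholders; LDAP_AD is the LDAP server group from the thread.

! Dedicated tunnel-group for the users who need two-factor authentication.
tunnel-group TG_2FA type remote-access
tunnel-group TG_2FA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group RSA_OTP
 default-group-policy GP_2FA
tunnel-group TG_2FA webvpn-attributes
 group-url https://vpn.example.com/2fa enable

! Users reach TG_2FA by URL, so the tunnel-group drop-down can stay hidden.
webvpn
 no tunnel-group-list enable

! Caveat: group-url only steers users who actually use that URL. Someone who
! connects to the bare hostname still lands on DefaultWEBVPNGroup, passes
! single-factor LDAP and is handed GP_2FA by the IETF-Radius-Class attribute.
! group-lock rejects that session unless it arrived via TG_2FA, which is what
! makes the second factor mandatory rather than optional.
group-policy GP_2FA attributes
 group-lock value TG_2FA
```

After applying it, "show vpn-sessiondb anyconnect" should show TG_2FA as the tunnel group for those users, and a connection to the bare hostname with an account mapped to GP_2FA should be refused at login.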
EAP-TLS User and machine authentication question
Hello,
I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD whether the user and machine are members of a certain group and, based on the membership, I can grant access to the network.
I can see in the ACS when the laptops log on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode; I guess this is normal because the laptop only sends the authentication request after rebooting.
What I'd like to achieve is that when a user logs on, it should always be checked whether the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
thanks in advanced
alex

Sounds like you rather want to use PEAP/MSChapV2
-
User Groups and non Developers users
Hi,
two questions.
1) How do I create user groups?
I want to assign specific users to specific groups.
2) I created users that are not developers and not administrators.
When I logged on with those users I didn't see any of the applications. Why?
Thanks.

1. You asked "how do I assign users to that group and later attach the group..." I think your question is not about how to assign users to a group but rather how to attach the group... Use the function wwv_flow_fnd_user_api.user_in_group in an authorization scheme (desc wwv_flow_fnd_user_api). Attach the scheme to a region, button, etc. to control access. Please read about authorization schemes in the user guide and search this forum for "authorization" and "groups" for useful threads.
2. A user account without development privilege will be useful for authenticating to an application you create. It will not be useful for developing any applications in the Application Builder.
Scott -
I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication, but I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dried, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA2-PSK and MAC authentication to work together?
Hi Jared,
you can do this by setup the following:
Webinterface:
1. Security -> Server Manager
Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Security -> Advanced Security
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
-
Async Dial with multiple groups and ACS
Has anyone else tried / managed to have multiple dialer mappings on a remote access router with the user dynamically allocated to the correct one based upon the details they provide as part of the PPP process?
In my case I have an ACS server 3.3 which deals with the authentication through AAA passed on by the router running 12.2 mainline. This works fine, but the end user now wants to have an 802.1q trunk from the router onto the network, with the dial-in user's IP address allocated by the ACS server and the user placed in the relevant dialer group and therefore VLAN mapping, to give them access to the services they would have if they were on the LAN normally.
I guess the IP address allocation could be dealt with via pools on the RAS box, but this would still leave me with the problem of dialer interface allocation based upon an authentication process which happens away from the router.

Check out the following sample configurations for various scenarios (including dial-up using the Windows NT or domain database) and for dial-up using the ACS user database for both RADIUS and TACACS+, and see if it helps:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/tsd_products_support_series_home.html
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800fa54a.shtml -
Pt:tree of community groups and users
I am creating a community emailer portlet for emailing the users of a community. I want to use a pt:tree that lists the groups and users who have membership in the community. I want the individual users, groups and users in groups to be checkable. I've been playing with the pt:tree for a while now without success. Can anyone help? This seems like it would be a common question, but I cannot find any answered threads on this. Thank you!
"Vikram" wrote:
Hi,
We are having problems seeing users or groups in our LDAP repository through the WLS (7.0 sp2) console. I created a Custom Security Realm (myRealm) in which I added the Novell LDAP Authentication provider as one of the authentication providers, besides a Default WebLogic Authentication Provider (for the system user account). When I click on Users or Groups, I see either the "system" user account or the "Administrators, Deployers, Operators, Monitors" groups. These groups and user accounts are provided by the WebLogic Default Authentication provider. I am unable to see any of our LDAP groups or user accounts. If I try to log in to the WLS console with an LDAP user account, the authentication succeeds. So WLS is authenticating the user correctly but is not displaying the user and group information in the console. We need to be able to look at the group information in order to configure a Group Portal.
Just out of curiosity, I configured an LDAP authentication provider in the Compatibility Security Realm and I was not able to see any of our LDAP users or groups in the Compatibility Security Realm either. I did reboot the WLS after configuring the LDAP authentication provider in both cases.
I would appreciate it if anybody can suggest probable reasons or workarounds to list the LDAP groups in the WLS 7.0 console.
I believe this is fixed in the latest 7.0 sp. -
Mapping Default Profiles of PT groups and folders for automating subportal experience
I need to automate the subportal experience by adding the users to the folders. These folders will correspond to the Plumtree groups that we create.
We are already planning on automating the maintenance of these PT groups by authentication source by applying custom business logic in a Java program. I believe I can do the folder maintenance in the same program as well. However, to make it more efficient and maintainable, I have the following questions.
Is there a way to map the PT groups to the folders by using Default Profiles (by auth source?)? I think this would help me avoid hard-coding which users belonging to certain groups go in which folders. Is there another better approach? Any help would be appreciated.
Thanks.
Vanita
Staples

Thanks a lot for your reply Mark. I tried to add the Plumtree-only groups to the Auth Source and I am not allowed. It seems like this works only for the Auth Source (NTLM, AD etc.) groups, not Plumtree-only groups. Is there a way to do this kind of mapping for Plumtree-only groups (to avoid doing this programmatically)?
Regards
Vanita
------- Mark Dimas wrote on 1/28/05 10:41 AM -------
You can have users placed directly in folders based on group membership by using the Partial Users Synchronization mode.
On the auth source select Partial Users Synchronization and run a sync job. This will import all the groups. Then go back to the auth source; on the first page under Default Profiles add the groups, and for each group you can select the destination folder for members of that group. Then, on the Fully Synchronized Groups page you can add all the groups you want to import members from. Run the job again and all the users that are members of the selected groups will be imported and placed in the correct folder. -
Cisco Aironet 1040: create wireless with WPA2 and MAC authentication
Hi,
I created a wireless network with "Open Authentication" and set a WPA2 key: everything works.
I would also like to add MAC address filtering, so next to Open Authentication I selected "with mac authentication", but then I cannot connect. The list of MACs is specified in "Advanced Security".
Can anyone help me? thanks
Can anyone help me? Thanks

ap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
!
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 syslog
!
dot11 ssid Svez
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
!
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers tkip
 ssid Svez
 antenna gain 0
 station-role root
 world-mode legacy
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 0 4
!
end
ap#
-
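For the two MAC-authentication threads above (the ACS-hosted MAC list combined with WPA2-PSK, and the Aironet 1040 "show configuration" whose clients would not connect once MAC authentication was added), an added autonomous-AP configuration example that is not from either poster. The RADIUS address 10.20.40.37 and ports are the ones Frank used; the shared secret, the passphrase and the local MAC entries are placeholders. Compared with the posted configuration, the two lines worth checking are the radio cipher (WPA2 needs AES-CCMP, while the posted radio has "encryption mode ciphers tkip") and the wpa-psk line in the SSID, which does not appear in the posted output.

```cisco
! Added example, not the posters' configuration. The RADIUS key, the PSK and
! the MAC entries are placeholders; everything else follows the thread.

aaa new-model
!
! RADIUS server holding the MAC list (ACS). For MAC authentication the AP sends
! the MAC as both User-Name and User-Password, so the MAC itself is the
! credential, and it is visible in the clear in every frame the client sends.
radius-server host 10.20.40.37 auth-port 1645 acct-port 1646 key <shared-secret>
!
aaa group server radius rad_mac
 server 10.20.40.37 auth-port 1645 acct-port 1646
!
! Ask ACS first; fall back to the local username list only if ACS does not
! answer ("Local List if no response from Authentication Server" in the GUI).
aaa authentication login mac_methods group rad_mac local
!
! Local fallback entries: lower-case hex, no separators, MAC used as password.
username 0025d3db778b password 0025d3db778b
username 0025d3db778b autocommand exit
!
! Open authentication gated by the MAC list, then WPA2-PSK for the keys.
dot11 ssid Svez
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
   wpa-psk ascii <passphrase>
!
interface Dot11Radio0
 ! WPA2 (wpa version 2) pairs with AES-CCMP; TKIP alone is a WPA1 cipher.
 encryption mode ciphers aes-ccm
 ssid Svez
```

Treat the MAC check as a convenience filter, not a second factor: a client that has captured a permitted MAC passes the "authentication open mac-address" stage unchanged, and only the PSK (or an EAP method such as EAP-FAST or PEAP, as Frank suggests) stands between it and the network.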
Is it possible to do machine and user authentication in same Authorization profile?
Hi,
I want to know whether it is possible to have machine authentication and user authentication happen at the same time. Something like this...
Condition
IF ( wired_802.1x AND AD:externalgroup EQUAL domain computers AND AD:externalgroup EQUAL Some_domain_user_group )
Permissions
then Vlan x
Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
Any help will be of great value.

Hi,
IF ( wired_802.1x AND AD:externalgroup EQUAL domain computers AND AD:externalgroup EQUAL Some_domain_user_group )
- Not possible.
User and machine authentication occur in different contexts, so ACS cannot verify both at the same time.
Using MAR you can, though, tie the two together and achieve:
"machine is part of domain and user is valid only then he should be able to have full access"
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
Tips for configuring MAR:
1) Set the client to perform user or computer authentication.
2) Create two rules in authorization, one for the user and one for the machine (identify them by using group membership in AD).
3) Enable MAR under the AD configuration page on ACS and set the aging time.
4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
Rate if useful -
Nexus 7000 aaa and local authentication
Hello,
I tried to configure aaa (with RADIUS) and local user authentication on a Nexus 7004 (version 6.2(6a)), but did not get it to work.
RADIUS authentication is working fine(!), but I can't log in with a locally created user (role vdc-operator).
Any help is highly appreciated.
Kind regards,
Andreas

Hi,
Yes, I know that the fallback will kick in when no RADIUS server responds, but I need the behaviour the 6500 (or 4500) has (btw, local login works if RADIUS is disabled or local is the default, but if local is the default, RADIUS login no longer works). Only one of the methods works at a time.
On the 6500 I configured aaa with a Windows NPS server and a local user (e.g. for the Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via ssh) with the locally defined user account.
What I miss is something like the commands:
"aaa authentication login default local group radius"
"aaa authentication enable default enable"
(which works on the WS-C6509 or WS-C4500X).
Is there any chance to get this work on the Nexus7000?
Kind regards,
Andreas