NK5 AAA multiple authentication methods??

It looks Nexus support only one type of authentication at same time
aaa authentication login default group radius
Doest it mean we cannot chain various types authentication like
aaa authentication login default group radius group tacasc+ none
Is there any way how to do this??
It would be bit strange not having this feature
M.

Hi,
I've tried this before, but the ssh connection should go through one by one. line vty 0 -> 1 -> 2 -> 3 -> 4. If no one make the ssh connection before, the connection should on line vty 0. How to make the ssh conenction to specific line vty for particular authentication method? As mentioned before, the router can provide the solution to assiocate the line vty to rotary with different ssh listening ports. As similar solution or other approach for the switch to provide the same kind of services.
Thanks.
TL

Similar Messages

AAA login authentication methods

Hello guys,
I've noticed a strange behaviour with AAA authentication login.
My AAA configuration for login authentication is: aaa authentication login default group tacacs+ local
No tacacs server exists, but username and password in local database does. Indeed everything works fine when I log in: aaa authentication login default group tacacs+ local line none
The problem comes up when I add to the method list line and none authentication methods.
In this case, when I log into the switch (via console for example), and I'm asked for username, there is no validation of the username, I mean to say, I can put whatever username and been granted access.
Conclusion: According to my aaa authentication list, method line or none should not be used unless tacacs and local are not available. In this case, local method is available and should fail so login should be rejected, but it jumps to the next method, finally giving access.
Is this a bug in AAA? or am I misunderstanding something.
Thanks a lot.

Only exec-timeout command, so it applies the default list defined by aaa.
When I remove the none, authentication fails. I've debugged AAA authentication and shows:
User Access Verification
Username:
Jul 5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f
Jul 5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf
Jul 5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
% Authentication failed
Username:
Local authentication method is being bypassed.
If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.
Thanks.

Cisco ISE multiple EAP authentication methods question

With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
My current efforts seem to fail as if a device gets a request from the ISE for an EAP method it doesnt understand it just times out.
Thanks in advance.

Multiple EAP Methods work fine. If your Clients are being crap you could try forcing then to use a specific set of Allowed Authentication Method by creating more specific Authentication rules.
Sent from Cisco Technical Support iPad App

ASA to ACS: how to distinguish different authentication methods?

I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
Here's the problem. I need to be able to distinguish on the ACS if a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering in their AD credentials instead. the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
I've used NAR settings in the past to control what user databases an AAA client can authentication against, however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

I guess this should be possible with a feature called NAP,( network access profiles). Here you can define which database to use for any specific request. We can filter request on the basis of attributes sent in the authentication request.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
Regards,
~JG

AAA Radius Authentication Queries

Have quite a few questions for Implementing Radius for my network devices :
Q.1.) How to safely implement aaa Radius authentication to make sure users have login using LOCAL database incase the Radius fails.
Q.2.) How to provide only read access for few users and full access to Adminstrators.
Q 3.) Incase if I save the config ..will it be possible to login to devices through any other alternative way ( assuming both the radius and Local credentials are not working).
Q 4.) How to recover the password for devices especially firewalls.
GReat it would be if someone can help me on these queries.. Thanks in advance.
Regards,
gHP.

VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
Use the H.323 VSA method of accounting when configuring the AAA application.
There are two modes:
â¢Overloaded Session-ID
Use the gw-accounting h323 syslog command to configure this mode.
â¢VSA
Use the gw-accounting h323 vsa command to configure this mode.

Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
to use to log in and after 3-5 second
and return me the logon page with error message “Authentication failed”
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated than all my certificate are valid and able to retrieve the crl
I got in eventlog id 300
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71

This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
on my case was :
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>

Multiple authentication sources with the same category

Quote from portal help:
"Multiple authentication sources can use the same category. However, because the prefix is prepended to the user and group names, you need to be certain that the domains involved do not have different users or groups with the same name. That is, if a LizaR user exists on one domain, and a LizaR user exists on another domain, they must be the same user because only one user will be created."
Fine, let's say I am "certain that the domains involved do not have different users or groups with the same name".
But there is other concern I have here. I want to know how portal will RECOGNIZE which authentication source to use?
Let's say I have 2 auth sources AS1 and AS2 with the same category MyAuth. AS1 use WS1 to authenticate against LDAP1 and AS2 use WS2 to authenticate against LDAP2.
Now, I have a user - Dmitry. I am trying to login into portal and I selected AS1 to do actual authentication. My question is how portal will CHOOSE which auth source to use because all portal knows about me is <MyAuth\Dmitry> that is came from portal login screen? Both auth sources match this pattern so seems like portal may choose any of them.
Does it mean that portal will try to authenticate again AS1 and if this attempt failed then you AS2?
I didn't find any explanation in portal documentation.
Thank you.
Edited by Bryazgin at 12/12/2007 10:42 AM

Yes, it seems you are right. As soon as portal have found CORRECT user there is no issue anymore because user is bind to unique auth source that actually has been used to created this user.
I think my main confusion come from the fact that having <Category> and <UserName> is not enough to UNIQUE identify user in portal as soon as <Category> can be the SAME for different auth sources.
Let's have you have user created by AS1. According API this user created by this AS1 will have 4 different names, like sUniqueName, sAuthenticationName, sLoginName and sDisplayName. But portal is going to search user in portal database BASED on information that is available in login form - <Category> and <User Name>. At this point portal has no idea about sUniqueName and all this things.
Now if there were 2 users in database that have been created by 2 different auth sources with the same <category> and <User Name> then I don't understand how portal will figured out which user to choose from. I guess <Category> value somehow MUST participate in sUniqueName value. <Category> has to be involve in process of finding user in database. In this scenario 2 users will be retrieved from database and what is important these 2 users are different, they have been created by different auth sources. Now question became which user is CORRECT one?
Edited by Bryazgin at 12/12/2007 1:34 PM

What do IPSEC mean under Security - AAA - Radius - Authentication

I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
The default value is unchecked."
What is exactly mean by IP security mechanism?
Does this mean that I can terminate VPN client over my WLC?
Take note that this options appeared even though no crypto card installed in my controller.

This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
HTH,
Steve

Authentication failed because Outlook doesn't support any of the available authentication methods.

When attempting to check and send email from my Mac via iCloud, I keep getting the error "Authentication failed because Outlook doesn't support any of the available authentication methods." I have change just about everything I can see available, but continue to get this message.
I am able to send email via iCloud using my .Me and .Mac adresses, and that tells me that it is not able to store "sent emails" on iCluud and will store them loaclly on my computer. I can handle this, but whem going to iCloud Web page haave nothing withing the "sent" mailbox.
Using OS 10.7.2, and Outlook 2011 version 14.1.3
Thanks in advance......

I got the following from the microsoft Web site. Also, the SMPT port must be overwriten. Use port 587
This article contains information about the compatibility of Microsoft Outlook for Mac 2011 and Apple iCloud. Outlook for Mac 2011 does not support Apple iCloud calendar (CalDAV) and contact (CardDAV) synchronization. Outlook for Mac 2011 does support iCloud Mail. For steps on how to configure your iCloud email account in Outlook for Mac 2011, go to the "More Information" section of this article.
To configure your Apple iCloud email account in Microsoft Outlook for Mac 2011, follow these steps:
Start Outlook 2011.
On the Tools menu, click Accounts.
Click the plus sign in the lower-left corner, and then select E-mail.
Enter your E-mail Address and Password, and then click Add Account.
Note: The new account will appear in the left navigation pane of the Accounts dialog box.
Enter one of the following in the Incoming server box:
mail.me.com (for me.com mail addresses)
mail.mac.com (for mac.com mail addresses)
Click to select Use SSL to connect (recommended) under the Incoming server box.
Enter one of the following in the Outgoing server box:
smtp.me.com (for me.com mail addresses)
smtp.mac.com (for mac.com mail addresses)
Click to select Use SSL to connect (recommended) under the Outgoing server box.
After you have entered the incoming and outgoing server information, Outlook 2011 will start to receive your email messages.
Note: You can click Advanced to enter additional settings, such as leaving a copy of each message on the server.

Oracle Access manager 10.1.4 (coreid) multiple authentication for same URL

I am evaluating oracle access manager hence new to this product.
I have a requirement where i have a /wps URL.
Users coming externally go through reverse proxy server to the final IIS web server. Internal user access IIS directly.
/wps should be protected by reverse proxy using forms authentication
while IIS server also protect /wps but should use basic authentication.
Looks like policy is shared by all webgates so i can define one authentication method for /wps.
Comparing this with CA Siteminder each agent have their own URLs to protect and so two agents can protect the same URL but with different authentication method. The single signon works as the protection level is same.

I have not done what you are speaking of; so I would assume that Boland is correct. One thing that you may want to consider is making the external users log into another resource before they hit the /wps. If the other resource is forms protected and at the same authentication level (number on auth scheme), then they can hit the external login resource, get their OBSSO cookie, then slide right thru the basic authentication request of the current policy domain.
Another idea would be to get a little more granular with your current policy domain. Have a file that's protected with forms auth in your policy domain that the external users authenticate to. Remember, this could be as simple as a dummy page that just does an HTTP redirect.
Good luck.
--Aaron

Authentication method for JCo connection in XSS installation

Hi All,
I have a query which perplexes me. I am implementing XSS (ESS/MSS) on SAP Portal EP6 SR1 with an ECC5 backend for prototype purposes.
When I follow SAP's help steps to setup JCo connections, it states that for the metadata connection you should use a security authentication method of 'User/Password', but for the application data connection you should use a security authentication method of 'Ticket'.
Does anyone know why the difference in methods here? Is it possible to use 'User/Password' for both? Any thoughts would be appreciated.

Hi john,
User -ID /Pwd method can be used to access the backend for both types of Data as per your scenario.
User -ID /Pwd method and logon tickets both can be used to access data in backend.
The difference lies in the scenario with which you are accessing the back-end.
If all your portal users are same as backend users then you can select Logon ticket methods.
If they are going to be different then you need User-ID /Pwd method .
Check the following link to get a clear picture:
<a href="http://help.sap.com/saphelp_ep50sp2/helpdata/en/4d/dd9b9ce80311d5995500508b6b8b11/frameset.htm">Scenario to use type of SSO</a>
Hope it helps.
Regards,
Vivekanandan

NPS Authentication Methods - EAP Types

We are moving from IAS to NPS and are configuring the policy like it was in IAS. When we click on the Constraints tab > Authentication Methods > and then highlight Microsoft: Protected EAP (PEAP) and click Edit we get an error "The data is
invalid". How do we fix this error? There are no errors in the event viewer for NPS.

Hi MarkNDOR,
Thanks for posting here.
We’d suggest to smoothly migrate IAS to NPS with following the guide in the link below without manually recreate all polices, it was also included the
Iasmigreader.exe utility which will help to transfer the IAS policies to NPS compatible file type:
NPS Migration Guide
http://technet.microsoft.com/en-us/library/ee791849(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

User Authentication Method not found?

I'm using OSX but a co-worker is running 9.2.2 and is having trouble accessing a server on the corporate Microsoft network.
I can get to the server using OSX but when she selects the server (which does show up in the Chooser list) she gets an error message saying that "the User Authentication Method could not be found" and she should check the AppleTalk folder in her extensions folder. AppleTalk folder? Check it for what?
What must we do to get access to the new server?
Thanks.

For OS 9 to talk to an MS server requires that the server has Client Services for Macintosh fired up and yes, sometimes also that the client Mac has a Microsoft User Authentication Module installed and configured.
Microsoft says that without the MS UAM, she should still be able to
Log on to the special Microsoft UAM Volume on the computer running Windows 2000 Server to access the MS UAM file.
If she can't get that far and there are no other symptoms, the network administrator needs adjust the security settings on the server, or reinstall Client Services for Macintosh…
Then drag the MS UAM file to your AppleShare(c) Folder in your System Folder. Instructions follow. (Users outside North America, see the "International Concerns" section later in the Release Notes before proceeding.)
To gain access to the Microsoft Authentication files on the computer running Windows 2000 Server
1. On the Macintosh Apple menu, click Chooser.
2. Double-click the AppleShare icon, and then click the AppleTalk(c) zone in which the computer running Windows 2000 Server, with Services for Macintosh, resides. (Ask your system administrator if you're not sure of the zone.)
3. From the list of file servers, select the Windows 2000 Server computer, and then click OK.
4. Click the Registered User or Guest option, as appropriate, and then click OK.
5. Click the Microsoft UAM Volume, and then click OK.
6. Close the Chooser dialog box.
To install the authentication files on the Macintosh workstation
1. On the Macintosh Desktop, double-click the Microsoft UAM Volume.
2. Locate the "MS UAM Installer" file on the Microsoft UAM Volume, then double-click it.
3. Click Continue in the installer welcome screen.
The installer will report whether the installation succeeded.
If the installation has succeeded, when Macintosh users of this workstation connect to the Windows 2000 Server computer, they will be offered Microsoft Authentication.

OAM - Authorization based on the authentication method

We are using OAM 10g for a customer to protect a large number of web application. In order to access those applications a user can chose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
In other words, he wants to have the flexibility to define rules such as the following:
Application A: Only accessible with client certificates
Application B: Only accessible with mobile TAN
Application D: Only accessible with SecureId or mobile TAN
Application E: Accessible with any authentication method
In order to implement this with OAM we would have assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in a authorization rule.
Does anyone know a way to implement these requirements.
Any help is appreciated.
Best regards,
Donat

This is how I think we can do this.
Write Authentication plug-in which adds which authentication scheme was used to login to the application in one of the multivalued attribute in OID. Write Authorization plug-in also which checks this value and makes authentication decision.
One more approach is, Create as many attributes in OID as number of authentication schemes you have. Each of them is a flag representing whether user is logged in with the authentication scheme or not. When user authenticates using an authentication scheme, turn on that flag. Also flush access server user profiles cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write authorization plugin but this may not be scalable approach as you might have to create a new attribute in OID when new authentication scheme is added.
You can also keep this information somewhere in database or flat file and use that information in authentication and authorization plugin.
I hope one of this solutions will help you.
Thanks
Kiran Thakkar

Wireless Security & Authentication methods

Hi,
I've some experience on WLAN Networks, but I would like to have your opinion around Wireless Security implemenations.
We have several sites where we have some Cisco Access points running IOS. We are currently doing WEP 128b, with Mac-Authentication against a central ACS Server.
But having fixed WEP, and mac registrations is not very practical.
Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and Dynamic WEP Keys ?
Any recommendation is welcome.
Of course with this we would like to bring up our level of security.
Thanks a lot for all,
Best Regards,
Jorge

802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

NK5 AAA multiple authentication methods??

Similar Messages

Maybe you are looking for