One SSID with muptiple authentication methods

Have received a request from a customer to run both TKIP and AES encryption on the same SSID
From reading I believe this is not possible but can anyone confirm this please
Currently the config looks thus
dot11 ssid HELP
vlan 20
authentication open eap eap_methods
authentication network-eap eap_mtheods
authentication key-management wpa
authentication key-management wpa version 2 <<<<<<<<<<<<<<<<<<
<<<<< Trying to add wpa version 2 overwrites uithentication key-management wpa so presume this confirms it can't be done >>>>>
Interface Dot11Radio0
encryption mode ciphers tkip
encrytption vlan 20 mode ciphers aes-ccm tkip
Many Thanks

Hello
Cisco wireless products have the option to offer to the wireless clients both encryption methods, TKIP and AES and even WEP on the same SSID. This can be configured on the GUI and CLI but what you have to be aware and be careful is that this is not the standard. Even though Cisco can offer this, some clients won't understand that, they will get confused and disconnect or just not be able ro connect at all.
We are talking about encryption here not authentication so to answer your question: yes, you can configure several encryption methods on the same vlan but it is not a best practice and regarding authentication, it is not possible to configure different authentication methods on the same SSID.
Regards,
Sent from Cisco Technical Support Android App

Similar Messages

Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
to use to log in and after 3-5 second
and return me the logon page with error message “Authentication failed”
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated than all my certificate are valid and able to retrieve the crl
I got in eventlog id 300
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71

This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
on my case was :
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL>

1141n multiple AP's one SSID with Radius

I have two 1141n APs.
I have the first one configured as a root AP using the built in Radius feature (LEAP)
I also have this thing configured using AES CCM.
My clients are connecting to it with WPA2-Enterprise, getting 144Mbps. Perfect.
The question is this second AP.
How do I set it up so my users can wander semlessly between the two AP's?
Do I need to config it with the Radius feature as well? That would be a pain
Any help would be great!
Jeff

Hi,
All you need to do is configure the second AP to point to the first one IP address as its Radius serveur but bear in mind that if you do so and the primary AP fails, the second cannot authenticate users because the Radius seveur will be unvailable!
Configuring the two AP's to backup each will of course be tedious but a more resilient approach.

OAM - Authorization based on the authentication method

We are using OAM 10g for a customer to protect a large number of web application. In order to access those applications a user can chose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
In other words, he wants to have the flexibility to define rules such as the following:
Application A: Only accessible with client certificates
Application B: Only accessible with mobile TAN
Application D: Only accessible with SecureId or mobile TAN
Application E: Accessible with any authentication method
In order to implement this with OAM we would have assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in a authorization rule.
Does anyone know a way to implement these requirements.
Any help is appreciated.
Best regards,
Donat

This is how I think we can do this.
Write Authentication plug-in which adds which authentication scheme was used to login to the application in one of the multivalued attribute in OID. Write Authorization plug-in also which checks this value and makes authentication decision.
One more approach is, Create as many attributes in OID as number of authentication schemes you have. Each of them is a flag representing whether user is logged in with the authentication scheme or not. When user authenticates using an authentication scheme, turn on that flag. Also flush access server user profiles cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write authorization plugin but this may not be scalable approach as you might have to create a new attribute in OID when new authentication scheme is added.
You can also keep this information somewhere in database or flat file and use that information in authentication and authorization plugin.
I hope one of this solutions will help you.
Thanks
Kiran Thakkar

WLC and AAA - one SSID and more VLANs

hi,
i have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and an Win2003 DHCP Server
Switch Interface Config:
interface Vlan10
ip address 10.70.170.1 255.255.255.0
ip helper-address 192.168.12.10
interface Vlan20
ip address 10.70.171.1 255.255.255.0
ip helper-address 192.168.12.10
at the WLC i have configured one SSID with
- Allow AAA Override
- Layer2 Sec: [WPA1,TKIP+WPA2,AES]
- ACS 4.1 AAA
- Key Management: 802.1x
one SSID mapped to the management interface. and 2 VLANS with different interfaces:
VLAN-ID1: 10
Interface-1:
IP Address 10.70.170.2
Netmask 255.255.255.0
Gateway 10.70.170.1
DHCP: 192.168.12.10
VLAN-ID2: 20
Interface-2:
IP Address 10.70.171.2
Netmask 255.255.255.0
Gateway 10.70.171.1
DHCP: 192.168.12.10
at the acs i have 2 users and two groups. Group1-User1 and Group2-User2 with the aaa attributes to change the vlan on login.
[006] Service-Type: Authenticate only
[064] Tunnel-Type: VLAN
[065] Tunnel-Medium-Type: 802
[081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
my problem is, that the user will authenticate successfully, and also the Vlan and Interface assignment is correct,
but the ip-address that the user will get is always the IP-Range from Interface2 (VLAN20). So when the USER2 authenticates, he get the VLAN2,
and the right interface and the right IP Adress and the communication is right.
but the USER1 gets the interface1 and VLAN10, but the IP from Interface2 (VLAN20).
what can it be?
thx

FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.

802.1x per host authentication under one port with multi-host access by hub

Dear,
While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.
In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?
We did some test on 3550, it seems that the 3550 doesnot support what we need. And what about 4506?
Thanks!

Multiauthentication Mode
Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
•The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
•Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
•A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
•The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
•After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
•The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
NOTE :
•Only one voice VLAN is supported on a multiauth port.
•You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
for more information :
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

Prioritize data on one SSID on an autonomous AP with multiple SSIDs

Hello,
I have a standalone AP(AP1261N) which is configured with 3 SSIDs.I would like to prioritize any data flow on SSID 1 for example so that users on SSID 1 are always functional independent on what is happening on the other SSIDS.
Then have the SSID 2 with a lower priority and SSID 3 lowest priority.
Each SSID is associated with a vlan.
I have seen some posts describing that this can be done using QOS associated with the different vlans.
Could someone please explain how I could configure the AP to do so?
I am using Command line.
Thank you

Hi Kavi,
Here are the few important points you need to understand when it comes to Autonomous AP QoS (this is extract from the link provided by Scot in above).
The QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, access points perform the following:
•They do not classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag.
•They do not construct internal DSCP values; they only support mapping by assigning IP DSCP, Precedence, or Protocol values to Layer 2 COS values.
•They carry out EDCF like queuing on the radio egress port only.
•They do only FIFO queueing on the Ethernet egress port.
•They support only 802.1Q/P tagged packets. Access points do not support ISL.
•They support only MQC policy-map set cos action.
•They prioritize the traffic from voice clients (such as Symbol phones) over traffic from other clients when the QoS Element for Wireless Phones feature is enabled.
•They support Spectralink phones using the class-map IP protocol clause with the protocol value set to 119.
Also it is important to understand what type of traffic get impacted by AAP QoS. When you configure AAP for QoS it will primarily affect downstream traffic from AP to Client (No control over traffic coming from wireless client to AP - where priority will determine by WMM UP of clients traffic)
As you can see in the above, only FIFO available on ethernet egress (from AP to rest of your network) & then depend on how do you configure network switch ports connected to these AP (either trust DSCP or COS) it will determine how QoS maintain within your wired network.
In unified wireless enviroment you can classify each SSID with different QoS profile (Platinum, Gold, Silver & Bronze) & control what is the max level of QoS priority packets will get in each SSID. But in autonomous world it is not straightforward like that.
HTH
Rasika

Public-facing on-premises SharePoint with NTLM authentication

I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable
Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see
published content only i.e. content which is permitted to anonymous users.
My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?

There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method when you update documents you user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy may you even be able to configure some pre
authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that, when it works it's great, but when it doesn't it's a PITA to get back in sync). with cross site
publishing you have an editing site and the publishing site pulls from the Search index and the permissions are completely separate.

How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

hi all,
i know that there is a FAQ ( [see here|http://lopica.sourceforge.net/faq.html#obfuscate] ) answering a related question with "You can use an obfuscator...". ok, but is there really no other solution?
this is the simplified folder structure of my application on the server:
[application]
[etc]
    xyz.xml
[jars]
    myapp.jar
launch.jnlp
website.jsp
initial start and basic authentication:*
my first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, i'm aware of the security concerns). this means everybody can access my website (here: website.jsp) which contains a start button that links to "launch.jnlp". as soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jsp is in a protected area. after entering the correct credentials the jnlp-file is downloaded and java web start takes over control. first of all it seems as it tries to access the same jnlp-file again (??? --> probably in order to check for changes in the jnlp file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). because both resources are protected jws opens its own basic authentication dialog where i have to enter the same credentials the second time. as far as i know, there is no solution to pass the credentials between the browser and the jvm.
second start and basic authentication:*
if the user starts my application for the 2nd, 3rd, ... time via desktop-link (set in jnlp-file) there is no need for accessing my website with a browser. therefore only the authentication dialog of jws gets displayed. so far, so good!
and now the actual problem:*
during runtime my application (signed with verisign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of jws. now i could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. however, doing so opens up jws' authentication dialog again. grrr!!! is there a way to prevent this?
related thougts:*
i know i could disable jws' default Authenticatior and set my own Authenticator which might be able to return already entered credentials without opening the dialog a second time. however, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> jws still opens its own dialog when acessing the JNLP file and the relevant JARs during the startup/download phase. of course, who else if not jws could handle that phase? my application might not even be downloaded at this point. so i guess setting my own Authenticator would not be a solution either (at least not if i want to secure my jnlp and my jars, too). quite the contrary, it would have to open another dialog... :-(
my current solution:*
for the moment i use jws' default Authenticatior which allows me to easily protect all my stuff on the server side (jnlp, jar, etc). i can live with the two login dialogs at the initial startup. and instead of querying the credentials from jws' default Authenticatior at runtime, i set two system properties for username and password in the (protected) jnlp-file, query them at runtime and hand it to vfs and httpclient. this prevents the 2nd (or 3rd) dialog but is definitely not a great solution. most of all i'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism e.g. tomcat-users.xml. now there has to be one master-password that has to be set in the jnlp-file! grrr!
a possible alternative:*
i'm not sure but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the jnlp-file? but what happens when the admin changes the password on the server and the user starts its application via desktop-link??? in case of basic authentication i think jws would popup the login dialog again. however, if i use the old username and password generated into the jnlp it won't work. i think the user then has to access the website again. this is not good at all! :-(
the only real solution:*
should i write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp-api to download the secured JARs of my real application? this seems so much overkill! does anybody have experiences with this approach? how difficult is it to implement the whole download/update stuff with javax.jnlp?
WHAT HAVE I MISSED???
AM I COMPLETELY WRONG???
WHAT IS THE EASIEST WAY???
AND WHAT IS THE BEST WAY???
thank you so much,
stephan

Not sure, whether I understood correctly, what you wanna do - but up to now I can't see any problem.
if you have a structure like this:
/ctxroot/
       launch.jnlp
       /app/
           *.jar
           *.whateveryou may use in your web.xml:
     <servlet>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
     </servlet>
     <servlet-mapping>
          <servlet-name>JnlpDownloadServlet</servlet-name>
          <url-pattern>*.jnlp</url-pattern>
          <url-pattern>/app/*</url-pattern>
     </servlet-mapping>
     <security-constraint>
          <web-resource-collection>
               <web-resource-name>Application</web-resource-name>
               <url-pattern>/app/*</url-pattern>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
               <role-name>bla</role-name>
               <role-name>fahsel</role-name>
          </auth-constraint>
          <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <security-constraint>
          <web-resource-collection>
               <web-resource-name>Subscription</web-resource-name>
               <url-pattern>*.jnlp</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>whatever-realm</realm-name>
     </login-config>
     <security-role><role-name>bla</role-name></security-role>
     <security-role><role-name>fahsel</role-name></security-role>
...Than you may use the Service stuff like:
     BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
     URL codeBase = bs.getCodeBase();
     URL pu = new URL(codeBase.toString() + "whatever.bla");
     HttpURLConnection res = (HttpURLConnection) pu.openConnection();
     res.setInstanceFollowRedirects(true);
     res.setRequestMethod("GET");
     res.setConnectTimeout(10 * 60 * 1000);
     res.connect();
     String enc = res.getContentType();
...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

Invoking an external web service through a JCD with Basic Authentication

Group,
I am trying to invoke an external web service (written in ASP.Net) from a jcd (5.1.2). The web service is guarded by Basic Authentication. I have entered the crudentials into the External Web service environment component and deployed the project. I receive the following error from the .invoke() method:
request requires HTTP authentication: Unauthorized
I have tried the same request through SoapUI using the same crudentials and get back the response correctly. Has anyone tried invoking an external web service with basic authentication through a jcd in 5.1.2 before?
One other item of note. I have another jcd calling a different external web service deployed on the same domain. I hope that this isn't interfering with the execution of this service as it doesn't require any crudentials to execute.

Hey Chris.
I am just starting to write a jcd that calls an external web service but cannot find any sample code nor instructions on how to do it in the supplied documentation. Could you send me a code sample from your one?
Cheers
Matt

Authentication failed because Outlook doesn't support any of the available authentication methods.

When attempting to check and send email from my Mac via iCloud, I keep getting the error "Authentication failed because Outlook doesn't support any of the available authentication methods." I have change just about everything I can see available, but continue to get this message.
I am able to send email via iCloud using my .Me and .Mac adresses, and that tells me that it is not able to store "sent emails" on iCluud and will store them loaclly on my computer. I can handle this, but whem going to iCloud Web page haave nothing withing the "sent" mailbox.
Using OS 10.7.2, and Outlook 2011 version 14.1.3
Thanks in advance......

I got the following from the microsoft Web site. Also, the SMPT port must be overwriten. Use port 587
This article contains information about the compatibility of Microsoft Outlook for Mac 2011 and Apple iCloud. Outlook for Mac 2011 does not support Apple iCloud calendar (CalDAV) and contact (CardDAV) synchronization. Outlook for Mac 2011 does support iCloud Mail. For steps on how to configure your iCloud email account in Outlook for Mac 2011, go to the "More Information" section of this article.
To configure your Apple iCloud email account in Microsoft Outlook for Mac 2011, follow these steps:
Start Outlook 2011.
On the Tools menu, click Accounts.
Click the plus sign in the lower-left corner, and then select E-mail.
Enter your E-mail Address and Password, and then click Add Account.
Note: The new account will appear in the left navigation pane of the Accounts dialog box.
Enter one of the following in the Incoming server box:
mail.me.com (for me.com mail addresses)
mail.mac.com (for mac.com mail addresses)
Click to select Use SSL to connect (recommended) under the Incoming server box.
Enter one of the following in the Outgoing server box:
smtp.me.com (for me.com mail addresses)
smtp.mac.com (for mac.com mail addresses)
Click to select Use SSL to connect (recommended) under the Outgoing server box.
After you have entered the incoming and outgoing server information, Outlook 2011 will start to receive your email messages.
Note: You can click Advanced to enter additional settings, such as leaving a copy of each message on the server.

ISE/Wireless NAC...One SSID for MAB and Dot1X?

Hi,
I am running ISE 1.2 and WLC 7.5.102.
I would really like to have one SSID that can do a few different things in the following order...
1) A device could connect, hit the MAB rule, and be granted access without any type of authentication (Other than MAB) and be placed in VLAN x.
2) A device would be checked for the appropriate certificate. If this cert exists, the device is granted access.
3) If a device is not allowed in MAB, it will hit the next rule, which is the dot1x rule. The user will then be authenticated against the AD server.
4) Everything else hits default rule and is sent to web-auth portal.
I can't really think of a way to make this work with one SSID because from what I understand, you would need dot1x disabled on the SSID in order for MAB to work.
Any suggestions?
Thanks.

two ssid's. no way around it

Using multiple SSID with AP 1100 (standalone mode).

Hi, need to configure 2 SSID on the same 1100 AP: open authentication and WPA2. It's possible to configure these 2 SSID without configuring VLAN's ?
On CCO I've read the following:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
Q. How many service set identifiers (SSIDs) can you have per VLAN?
A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
It's also true with the latest IOS release ?

Hi Roberto,
Hopefully the attached docs will answer your question:
Cisco Aironet 1100 Series
Using VLANs with Cisco Aironet Wireless Equipment
Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
Configuring Multiple SSIDs
vlan vlan-id
(Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
Hope this helps!
Rob
Please remember to rate helpful posts.......

WLC 5760 multiple SSIDs with MAC filtering

Dear All,
I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local" etc
These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01" "mac-filtering MAC_FILTER02" etc. and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02" etc.
Now I am facing a serious issue - users belonging to any one MAC filter can connect to the all SSIDs. It seems like the MAC addresses added to the controller under different filter names are going to a common database, thereby providing access to users to all SSIDs irrespective of their MAC filter.
Is it a limitation of local database of 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
Thanks,
Arun John

Hi Arun,
this feature currently does not exist on the 5760. it is due to release in one of the MR's of 3.6
-Joseph

ASA to ACS: how to distinguish different authentication methods?

I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
Here's the problem. I need to be able to distinguish on the ACS if a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering in their AD credentials instead. the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
I've used NAR settings in the past to control what user databases an AAA client can authentication against, however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

I guess this should be possible with a feature called NAP,( network access profiles). Here you can define which database to use for any specific request. We can filter request on the basis of attributes sent in the authentication request.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
Regards,
~JG

One SSID with muptiple authentication methods

Similar Messages

Maybe you are looking for