RADIUS authentication via RDBMS authentication

Does anybody know whether RADIUS can use Oracle RDBMS authentication for RADIUS authentication?
The idea is to use the Oracle DB user list and passwords for RADIUS user management. In other words, is it possible for RADIUS and Oracle DB users to be the same?

Yes... it's about OAS - Oracle Advanced Security (from 8.1.7). You can even use Cistron RADIUS Server (a free RADIUS server from ftp://ftp.radius.cistron.nl/pub/radius/ or http://www.freeradius.org/)
with minimal changes:
sqlnet.authentication = IP-address-of-RADIUS-server
Regards,
Paul Breniuc

Similar Messages

  • Cannot do RADIUS authentication via WLC 4400... Please help!

    Hey,
    I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with the proper IP for the subnet and then added the RADIUS server (Windows Server 2008 with NPS) on the WLC4400. I then created a new WLAN with WPA+WPA2 encryption and 802.1x key management and selected the RADIUS server under AAA for authentication.
    I configured the test XP machine with WPA-Enterprise and PEAP as the EAP method. I purposely configured the computer to prompt for username and password.
    When I try to connect, I do get prompted for username and password. However, after that nothing happens. It seems like the laptop just keeps trying to authenticate.
    I checked the Windows event log and do not see anything under NPS. I know this Windows server NPS setup works, as it is also the authentication server for our remote VPN.
    So my question: is there any special option I need to turn on in the WLC in order for RADIUS authentication to work? Or is there any known bug with V4.2.130 (I searched the bug toolkit but did not see anything)?
    Any suggestion is appreciated!
    Thanks,
    /S

    Configuration
    Open Network Connections by clicking on the Windows Start button, right-clicking on My Network Places, Properties, or Start > Control Panel then double-click on Network Connections.
    Right-click on your wireless network adaptor and choose Properties.
    Note: If your wireless connection is part of a Network Bridge you must remove it from the Bridge before continuing.
    Click on the Wireless Networks tab at the top of this dialog box.
    In the Preferred Networks section click Add...
    Enter "Imperial-WPA" as the Network Name (ssid). Note: this is case-sensitive.
    Either select WPA2 for Network Authentication: and AES for Data Encryption:
    or select WPA for Network Authentication: and TKIP for Data Encryption:
    (WPA2 + AES is more secure)
    Check that the This is a computer-to-computer (adhoc) network check-box is not ticked.
    Then click on the Authentication tab at the top of this dialog-box.
    For EAP type: select Protected EAP (PEAP).
    Check that the Authenticate as computer... and Authenticate as guest... check boxes are not checked.
    Then click on the Properties button.
    Then click on Configure...
    Un-tick the Automatically use my Windows logon name... check box.
    Click OK, then click OK on the previous two dialog boxes to exit.
    First connection
    Once you are within range of the wireless network a balloon should appear on the task bar prompting you for credentials.
    Click on this balloon and you will be prompted for your logon credentials
    Enter your college username, password and "IC" for the Logon domain. Then click on OK.
    You should also be prompted to accept the server certificate.
    Note: If you change your college password at any time you will be prompted to enter your new password when you next connect to the network.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Which Apple servers are used for authentication?

    Hello.
    I use iPad in corporate network via WiFi.
    The network is secured by a gateway, which stands as a proxy for any inside/outside traffic.
    I have an issue - while using AppStore on iPad, after pressing Install button on any application, I got error message:
    'Couldn't connect to Store. Unable to setup secure connection to server. Check time settings' (the message is in Russian, so it's not 100% accurate translation).
    The issue is solved very easily: if I press Install while I'm on the GSM network internet (3G), the app starts to download. Then I press the app to pause, turn on WiFi and press the app to continue - voila, it's downloaded with no problems. So the issue is narrowed down to failed authentication via the gateway, because the download itself goes OK.
    Admins have to add the iTunes servers to a whitelist in order to provide working authentication, but couldn't find an exact list of which Apple server IPs / domain names to add. Does anybody have this info?

    Hi,
    For general ledger :
    http://help.sap.com/saphelp_nw70/helpdata/en/57/dd153c4eb5d82ce10000000a114084/frameset.htm
    This is the best how-to guide on AP,AR,GL and TAX.
    http://help.sap.com/saphelp_nw04/helpdata/en/af/16533bbb15b762e10000000a114084/frameset.htm
    Hope it helps.
    Regards,
    Srikanth.

  • JBossWS 3 and authentication problem

    I downloaded and successfully installed jbossws-cxf-3.0.2.GA on my JBoss 4.2.2.
    I am trying to do a simple authentication via a web service, exactly the way it is described in the following example: http://jbws.dyndns.org/mediawiki/index.php?title=Authentication
    My jboss login-config is configured as in the example, I haven't changed anything.
    And here is my stack trace when I try to invoke web service method from my client.
    18:31:54,697 INFO  [ReflectionServiceFactoryBean] Creating Service {http://www.azry.com/WSProject}SecureService from WSDL: http://127.0.0.1:8080/WSProject/SecureService?wsdl
    18:31:54,728 INFO  [LoggingOutInterceptor] Outbound Message
    Encoding: UTF-8
    Headers: {Authorization=[Basic ZmVyZndlOmZ3ZWZ3ZWY=], SOAPAction=[""], Accept=[*]}
    Messages:
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:squareNumber xmlns:ns2="http://www.azry.com/WSProject"><a>8</a></ns2:squareNumber></soap:Body></soap:Envelope>
    18:31:54,759 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
    java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
         at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
         at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
         at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
         at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
         at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
         at java.lang.Thread.run(Thread.java:595)
    18:31:54,759 INFO  [PhaseInterceptorChain] Interceptor has thrown exception, unwinding now
    org.apache.cxf.interceptor.Fault: Could not send Message.
         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:221)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:177)
         at $Proxy123.squareNumber(Unknown Source)
         at com.azry.WSClient.SecureServiceConsumer.service(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
         at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1008)
         at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:367)
         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1896)
         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1824)
         at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
         at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:159)
         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:583)
         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
         ... 26 more
    Has anyone got this exception?

    I found my mistake: I was importing a different annotation. Instead of importing org.jboss.annotation.security.SecurityDomain I imported something else. So when JBoss can't find the security domain, it uses the "other" security domain, which itself uses the files named in the exception, so that was the problem :).

  • ACS 4.2 PEAP machine authentication wireless

    Hi,
    Here at work we have ACS 4.2 as our RADIUS server, and 2 WLC 4404s with a WiSM2 for our wireless network. We have 2 SSID networks, let's call them SSID A and B. A has more restricted access to servers than B.
    PEAP machine authentication is authorized on both networks, to let our users' laptops connect before the user logs in; this enables us to have our computer GPOs deployed before the user logs on, or to have network access to authenticate a user against our directory if he has not logged on previously on the laptop.
    Users from group A can't log on to SSID B, they can only log on to SSID A, but we have some clever users from group A who have changed their wireless settings to only send machine authentication (this can be done in the advanced settings of a wireless network in Windows 7) to connect to SSID B.
    We can't force the wireless config by GPO because we don't have an AD 2008 domain; we are still on 2003, so we can't change the GPO for Windows 7 wireless settings (I'm a network guy, I'll have to check more on this to be sure...).
    I can't force users to require both machine authentication and user authentication because we have a lot of iPads and iPhones, and other mobile devices that connect using only their user credentials.
    Is there a way I could configure this without having to disable machine authentication for SSID B?
    thank you

    Hi, thank you for the quick answer,
    however, we don't have machine access restriction; in the Windows EAP settings we have only enabled PEAP machine authentication.
    This is OK because we want our notebooks to be able to access the WiFi (for GPO) before the user logs on, and we want any user to be able to use their own device. We are an educational institute; we don't want to force the teachers and students to only use the equipment we provide, we want to give them more power over their choice of equipment.
    SSID A is the student network, and SSID B is the teachers' network.
    The problem we have is that some students use their Active Directory-joined computers to get access to SSID B. If they use their user credentials they won't have access. And as users bring their own devices we can't force PEAP machine authentication, because students and teachers are allowed to BYOD.
    Is there a way to restrict machine access (let's say for machines in an OU) to an SSID?

  • WLC Applying cached RADIUS Override values for mobile

    Hello!
    We have a WiSM2 (version 7.4.110.0) with approx 200 APs. We are doing RADIUS authentication via a PacketFence backend. Everything usually works fine, but we are having an intermittent issue...
    The WiSM2 gets its VLAN assignment for a client from the PacketFence server and does AAA override. If a client has not registered their device, they go on one VLAN. Once they register, PacketFence disconnects them via RADIUS to the WiSM2, and then they should get their new VLAN assignment. This works fine in the majority of cases, but occasionally, after registering, the client disconnects and reconnects but is still put back on the registration VLAN.
    debug client mac shows this in the logs:
    Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
    And I do not see the WiSM2 asking the PacketFence server for a VLAN assignment in the PacketFence logs.
    Eventually, if the client stays disconnected long enough (5+ minutes), they can reconnect and get the proper VLAN assignment. I had previously opened a TAC about this, and they suggested a WiSM2 software upgrade and setting the Session Timeout on the WLAN to 900 seconds, which I did. This issue then disappeared for several weeks, but it has started happening again today (we saw it happen to about 15 clients throughout the day).
    Anyone have any ideas on why this is happening, and how to stop the caching? Any thoughts would be greatly appreciated.
    Here is the output from a show wlan of one of our WLANs we have seen this on:
    WLAN Identifier.................................. 2
    Profile Name..................................... BlitzNet
    Network Name (SSID).............................. BlitzNet
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 538
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 900 seconds
    User Idle Timeout................................ 300 seconds
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... WISM2_SDC
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ blitznet
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Disabled
    mDNS Profile Name................................ unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Per-Client Rate Limits........................... Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Drop
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ ipofradiusserver 1812
       Accounting.................................... Global Servers
          Interim Update............................. Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Disabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled

    There is nothing in the RADIUS server logs. It is as if the WiSM2 does not talk to it for the 2nd request. The flow for a problem client is like this:
    1. New client associates
    2. WiSM asks RADIUS server for VLAN
    3. RADIUS Server hasn't seen it, so it puts it on VLAN 84 (our registration VLAN)
    4. Client goes through captive portal
    5. RADIUS server sends disconnect client message to WiSM
    6. Client disconnects, reconnects
    7. WiSM2 puts it back on VLAN 84, when it should put it on a VLAN determined by the SSID. The WiSM2 never asks the RADIUS server for the VLAN again, until the client has stayed disconnected for 5+ minutes, and I see the message in the wism2 log that I wrote above.
    In the vast majority of cases, step 7 works properly. That is, when the client reconnects, it asks the RADIUS server what VLAN to put it on (I see it in the RADIUS server logs). I see the second request come in, and the RADIUS server replies with appropriate VLAN for the SSID.
    After they get their proper VLAN, this doesn't occur again. It is as if the RADIUS server caches the client's VLAN override attribute somewhere and uses that, rather than asking the RADIUS server.

  • RADIUS Authentication for Guest users

    Hi,
    I currently use a 4402 WLC located in our DMZ to authenticate guest users - local authentication is in place. I would not like to set up RADIUS authentication via a Cisco NAC server. In order not to affect current guest users, I created a new WLAN and configured it with the RADIUS server details under WLANs->Edit->Security. I can associate to the new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server. I don't see any auth requests hitting our firewall, so I am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security-> L2 - None
    Security-> L3 - Authentication
    Security-> AAA Servers - Auth and Acc server set
    Many thanks
    Liam

    Your setup sounds pretty okay. Have you got local user accounts set up on the WLC for the test WLAN? If you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. You will have to do it directly on your controller, as I do not think you have that option in WCS.
    hope that helps

  • Urgent RADIUS question

    Hi,
    At a customer we have our WAAS appliances enabled for RADIUS authentication (indirectly, to Active Directory). The authentication itself works. But when the AD password policy requests users to change credentials, the AD accounts start locking out.
    We found out that CM is pushing user accounts to the appliances. When saving the account to the CLI config of the appliance, the appliance does a RADIUS authentication request. Because CM is configured with old/expired passwords, this action locks our accounts quickly (100+ appliances).
    How can we fix this? Can we configure the system not to store our old accounts and push them out to the remote appliances?
    Regards,
    Erik
    We see the following passing in the logs for every user every once in a while.
    2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd 
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
    2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
    2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0
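A small detector for the pattern Erik describes, run over the log lines above plus constructed lines for a second appliance and an interactive login (added example, not from the thread). Pairing a request with the next response from the same host and process, and attributing a reject to the CMS usercreation line that follows it on the same host, are assumptions about how these lines are ordered.

```python
"""Correlate pam_radius request/response pairs in WAAS syslog and flag
Access-Rejects that were triggered by CMS pushing user accounts.

Added example, not from the original thread. It parses the line format shown in
the post (timestamp, host, process, %WAAS-FACILITY-SEV-ID tag, message).
"""
import re
from collections import defaultdict

# RADIUS packet codes (RFC 2865) as they appear in the pam_radius messages
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): "
    r"%WAAS-(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$")
REQ_RE = re.compile(r"Sending RADIUS request code (\d+)")
RESP_RE = re.compile(r"Got RADIUS response code (\d+)")
USER_RE = re.compile(r'Done with usercreation username :: "([^"]+)"')

# The five lines quoted in the post, followed by constructed lines for a second
# appliance (an accept) and an interactive ssh login (a reject with no CMS activity).
SAMPLE_LOG = [
    '2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd',
    '2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####',
    '2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1',
    '2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3',
    '2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0',
    # constructed: same push on another appliance, but the stored password is current
    '2012 Nov 12 15:01:10 wae02-siteb cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1',
    '2012 Nov 12 15:01:10 wae02-siteb cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 2',
    '2012 Nov 12 15:01:10 wae02-siteb perl: %WAAS-CMS-5-700001: Done with usercreation username :: "jdoe" process return value :: 0',
    # constructed: a human mistyping a password over ssh, no CMS involvement
    '2012 Nov 12 15:03:00 wae01-sitea sshd: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1',
    '2012 Nov 12 15:03:00 wae01-sitea sshd: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3',
]

def parse_line(line):
    """Split one WAAS syslog line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def correlate(lines):
    """Return one event per request/response pair, tagged with the CMS account
    whose creation produced it (if a usercreation line follows on that host)."""
    pending = {}   # (host, proc) -> (ts, request code) waiting for its response
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["host"], rec["proc"])
        m = REQ_RE.search(rec["msg"])
        if m:
            pending[key] = (rec["ts"], int(m.group(1)))
            continue
        m = RESP_RE.search(rec["msg"])
        if m and key in pending:
            ts, req = pending.pop(key)
            events.append({"ts": ts, "host": rec["host"], "proc": rec["proc"],
                           "request": RADIUS_CODES.get(req, str(req)),
                           "response": RADIUS_CODES.get(int(m.group(1)), m.group(1)),
                           "user": None, "automated": False})
            continue
        m = USER_RE.search(rec["msg"])
        if m and rec["proc"] == "perl":
            # CMS finished pushing an account: attribute the most recent
            # unattributed exchange on this host to that account.
            for ev in reversed(events):
                if ev["host"] == rec["host"] and ev["user"] is None:
                    ev["user"], ev["automated"] = m.group(1), True
                    break
    return events

def reject_summary(events):
    """Count Access-Rejects per (host, account) that came from automated pushes;
    these are the ones eating AD lockout attempts without any user at a keyboard."""
    counts = defaultdict(int)
    for ev in events:
        if ev["response"] == "Access-Reject" and ev["automated"]:
            counts[(ev["host"], ev["user"])] += 1
    return dict(counts)
```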

    Hello,
    You're on the right track with CSM (Cisco Security Manager). CSM would fit perfectly in this role. We use it to maintain 6 ASAs and about 120 PIX firewalls. It is great for policy-based firewall administration. Compared to other CiscoWorks products, CSM is very stable and performs ideally in the situation you describe above. If you have anymore questions, let me know.
    -Mike
    http://cs-mars.blogspot.com

  • RDBMS functionalities

    Hi All,
    Is it possible to create an LDAP database configuration and the related db group mapping via RDBMS on ACS windows version (Release 4.0(1) Build 27)?
    What I'm trying to do is maintain the ACS configuration dynamically up to date with an external Oracle DB.
    Thanks and Best Regards,
    Leo

    In our environment we'll be having users authenticating via the internal ACS DB and others via LDAP.
    The ones authenticating via LDAP will be divided in different groups and for each group we'll have an LDAP DB config in ACS.
    LDAP sends the OK to ACS only if the user to be authenticated exists in the "User Directory Subtree" AND belongs to the "Group Directory Subtree", right? But once ACS got the OK it has to know how to deal with the user, giving him access to devices he can access, and rights. This task is done with "External User Databases -> Database Group Mappings", and it's what I'd like to do automatically with RDBMS.
    Is my understanding of the LDAP authentication process wrong? If yes, what exactly do I do wrong?
    If I'm not wrong, will this work with RDBMS?
    Thanks

  • RDBMS Synchronization

    The user guide for ACS for Windows ver4.0 states that Cisco ACS can use RDBMS to synchronize its database with a third party RDBMS system and only one primary ACS server needs to interact with the third party system and the other ACSs in the network can be updated by this primary ACS using RDBMS synchronization.
    However, like many other features that are supposed to work (e.g. domain stripping for MS AD), this too does not seem to work, and there is no detailed documentation on how it actually does it.
    The procedure stated in user guide fails and there are gaps in the documentation.
    Can someone refer to any documentation other than the User Guide for instructions/details of this functionality?
    Thanks in advance.

    I think the easiest solution is to have a single ACS that is populated via RDBMS Sync. This ACS becomes the replication "master" that then pushes its config down to a set of "slaves".
    That is the easiest method but replication is a destructive write onto the slave - so you may choose not to do this.
    An alternative is to use the Sync Partners config (part of RDBMS Sync), which attempts to process actions in the sync table on multiple ACSs. For this to work you need the "other" ACSs to have the RDBMS Sync'ing ACS server in their network config DB.
    You need to make sure that ACS can write to the transaction table too (note CSV datasources no good) in case one of the other ACSs is down.
    If you're having problems check the rdbms sync CSV & service log on the "master" ACS and the csauth service log on the "slave" for errors.

  • Sshd authentication via pam_userdb

    Hello
    I would like to configure ssh to authenticate against a database file which I've created.
    This is what I have done so far:
    1. Generate the database file out of a text file:
    db_load -T -t hash -f logins.txt /etc/vpasswd.db
    I have modified /etc/pam.d/sshd to be the below:
    %PAM-1.0
    auth requisite pam_securetty.so #Disable remote root
    auth sufficient pam_unix.so
    auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
    auth required pam_nologin.so
    auth required pam_env.so
    account sufficient pam_unix.so
    account sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
    account required pam_time.so
    password required pam_unix.so
    session required pam_unix_session.so
    session required pam_limits.so
    When I log in as a user specified in the database file the following logs are returned:
    Apr 1 00:29:47 dopey sshd[13778]: Failed none for invalid user testuser from 57.62.62.102 port 31794 ssh2
    Apr 1 00:29:52 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
    Apr 1 00:29:55 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
    What I'd like to happen is if the user exists as a Linux account then let them in as normal, but if not then check the vpasswd.db database file.
    Can anyone point me in the right direction? Is it possible to configure this?
    Thanks
    - eskay
    Last edited by eskay (2009-04-01 03:18:55)
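Two things decide what happens to a login against a stack like the one posted above, and neither is visible from the log lines alone. First, "Failed password for invalid user" is sshd's own verdict: it refuses any name it cannot resolve with getpwnam(), whatever PAM returns, so an account that exists only in vpasswd.db has to be visible to the system (for example through an NSS source) before any PAM stack can admit it. Second, libpam's control keywords decide which modules are even consulted. The simulator below is an added example, not code from the post or from Linux-PAM; it models the required/requisite/sufficient/optional rules from pam.conf(5) and feeds in the posted stack, with per-module return codes that are an assumption of the example, chosen to mirror each module's documented behaviour (pam_securetty succeeds for non-root, fails with PAM_USER_UNKNOWN for an account it cannot look up; pam_nologin and pam_env return PAM_IGNORE in the auth phase when /etc/nologin is absent). It shows three things: with the right password, pam_unix (sufficient) returns at once and pam_nologin is never consulted; an account missing from passwd dies at the requisite pam_securetty before pam_userdb is reached; and under these modelled outcomes a local user with a wrong password gets PAM_SUCCESS from the posted stack, because pam_securetty's success gives libpam a positive impression and nothing after the two sufficient modules records a failure. The terminal `auth required pam_deny.so` that distribution stacks carry exists for exactly this reason, and the hardened ordering in the example adds it.

```python
"""Walk a Linux-PAM auth stack the way libpam does.

Added example, not code from the post above or from Linux-PAM. It models
the control keywords from pam.conf(5) (required, requisite, sufficient,
optional) and feeds in the posted sshd stack. The per-module return codes
are an assumption of this example, chosen to mirror each module's
documented behaviour; no real PAM module runs here.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"            # module asks to be left out of the decision
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # libpam's answer when nothing decided

# The auth stack exactly as posted, with the header comment restored.
POSTED_STACK = """\
#%PAM-1.0
auth requisite pam_securetty.so #Disable remote root
auth sufficient pam_unix.so
auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
auth required pam_nologin.so
auth required pam_env.so
"""

# Same modules, reordered so nothing succeeds by accident: pam_nologin is
# consulted before the authenticators and pam_deny closes the stack.
HARDENED_STACK = """\
#%PAM-1.0
auth requisite pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_unix.so
auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
auth required pam_deny.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == facility:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def run_stack(entries, outcomes):
    """Return (final code, modules consulted) for the given per-module outcomes."""
    impression = None            # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED
    consulted = []
    for control, module, _args in entries:
        rc = outcomes[module]
        consulted.append(module)
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if control in ("required", "requisite", "optional"):
            if ok:
                if impression is None:
                    impression, status = True, rc
            elif control == "optional":
                pass                          # optional failures are ignored
            else:
                if impression is not False:   # first failure sets the verdict
                    impression, status = False, rc
                if control == "requisite":
                    break                     # return at once, skip the rest
        elif control == "sufficient":
            if ok and impression is not False:
                return PAM_SUCCESS, consulted  # short-circuit: later modules never run
        else:
            raise ValueError(f"unsupported control {control!r}")
    return status, consulted


def modelled_outcomes(in_passwd, is_root, unix_ok, db_ok):
    """Assumed return codes per module for one login attempt (see docstring)."""
    if not in_passwd:
        securetty = PAM_USER_UNKNOWN   # pam_securetty looks the account up first
    elif is_root:
        securetty = PAM_AUTH_ERR       # sshd's "tty" is never in /etc/securetty
    else:
        securetty = PAM_SUCCESS        # securetty does not apply to non-root
    return {
        "pam_securetty.so": securetty,
        "pam_unix.so": PAM_SUCCESS if unix_ok else PAM_AUTH_ERR,
        "pam_userdb.so": PAM_SUCCESS if db_ok else PAM_AUTH_ERR,
        "pam_nologin.so": PAM_IGNORE,   # default when /etc/nologin is absent
        "pam_env.so": PAM_IGNORE,       # pam_env does nothing in the auth phase
        "pam_deny.so": PAM_AUTH_ERR,
    }


def login(in_passwd, is_root, unix_ok, db_ok, stack=POSTED_STACK):
    return run_stack(parse_stack(stack), modelled_outcomes(in_passwd, is_root, unix_ok, db_ok))


if __name__ == "__main__":
    for label, args in [("local user, right password", (True, False, True, False)),
                        ("local user, wrong password", (True, False, False, False)),
                        ("db-only user, right db password", (False, False, False, True)),
                        ("root, right password", (True, True, True, False))]:
        print(f"{label:32} posted={login(*args)[0]:17} hardened={login(*args, HARDENED_STACK)[0]}")
```

The goal stated in the post (local accounts first, the Berkeley DB file as fallback) is exactly what two sufficient modules express, so the ordering is right; what the posted stack lacks is a module that records a failure after them, and what sshd lacks is an account entry for the database users.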

    It looks like RADIUS authentication via the PAM module does work. We compiled the pam_radius module using the -bundle option to the linker. That seems to have fixed it. The link line ends up being
    gcc -bundle pamradiusauth.o md5.o -lpam -o pamradiusauth.so
    We'll send these simple changes to the pam radius developers.
    What this has allowed us to do is use RADIUS authentication for logging in remotely via ssh. However, we have yet to figure out how to get the main login "window" for OS X to allow PAM to be used.
    Pete

  • TACACS=admin RADIUS=802.1x same ACS?

    I have an ACS appliance set up for TACACS auth for administrative users. I need to configure 802.1x with RADIUS as I'm sending the VLAN ID back down when the user authenticates. Is this possible? Doesn't seem to be working for me. Also, I am doing this on both CatOS and IOS so IOS only solutions won't help.
    Thanks!

    Yes, it's possible. You need to set the following standard RADIUS attributes on a per-group or per-user basis:
    [64] Tunnel-Type = "VLAN"
    [65] Tunnel-Medium-Type = "802"
    [81] Tunnel-Private-Group-ID = ""
    Hope this helps.
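The three attributes above are RFC 2868 tagged attributes, and a switch only acts on them when all three arrive together and agree: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be IEEE-802 (6), and Tunnel-Private-Group-ID carries the VLAN number or name. The following is an added example, not code from the thread or from Cisco; it encodes the triplet into an Access-Accept with a correct Response Authenticator, and decodes it the way a NAS should, checking the authenticator against the shared secret before trusting the VLAN. The shared secret, request authenticator and VLAN values are constructed sample data.

```python
"""Encode and decode the RFC 2868 tunnel attributes that carry a VLAN
assignment in a RADIUS Access-Accept.

Added example, not code from the post above. The shared secret, request
authenticator and VLAN number are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value "IEEE-802"


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: type, length 6, tag octet, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan, tag=0):
    """The three attributes a switch needs; tag 0 means 'untagged'."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    # RFC 2865 s.3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """A NAS must check this before acting on an Accept; otherwise anyone who
    can spoof the server's address can hand out VLANs."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag; anything else belongs to the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def assigned_vlan(packet):
    """VLAN named by a complete, consistent Tunnel-Type/Medium/Group triplet, else None."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}
    for t, v in parse_attributes(packet[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(v)
            groups.setdefault(tag, {})[t] = body
    for fields in groups.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            return fields[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed, not a deployment value
    request_authenticator = bytes(range(16))    # constructed; a real NAS sends 16 random octets
    pkt = build_access_accept(7, request_authenticator, secret, vlan_attributes(100))
    print(pkt.hex())
    print("authentic:", verify_response(pkt, request_authenticator, secret),
          "vlan:", assigned_vlan(pkt))
```

An Accept that carries only Tunnel-Private-Group-ID, or a Tunnel-Type other than VLAN, yields no assignment, which is the usual reason a "VLAN isn't being pushed" case turns out to be a half-filled attribute set on the server.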

  • Select AVC profile on WLC based via ACS

    Hi there
    I just saw the AVC feature in WLC version 7.4.100.0 and wonder if there is a possibility to select an AVC profile per user, based on its RADIUS authentication via ACS.
    For example:
    - A user in group teacher can access youtube on SSID A
    - A user in group student can not access youtube on SSID A
    Thanks a lot in advance and best regards
    Dominic

    Well I don't know if this will come in the future for ACS or ISE, but in order for this to work also in other RADIUS servers, it would have to be a new RADIUS standard attribute others have to implement and also the WLC would have to be able to see that attribute. So if it's anytime soon, well.... Maybe not:)
    Sent from Cisco Technical Support iPhone App

  • JAAS to RSA RADIUS Server

    I need to write a JAAS module that will validate passwords against an RSA RADIUS Server (via RSA's Authentication Manager).
    I'm not seeing the sort of api's I saw when I did a similar module for Siteminder, so a couple of questions:
    - Is there a Java API for RSA Authentication Manager? (I'm not finding one on their website or via Google)
    - If I need to use a RADIUS client what's the best (open source) choice?
    Thanks in advance-- Mike

    If I got you right, they provide you a RADIUS server, so you don't need a special API. Just go on SourceForge (www.sf.net) and try one of the available Java RADIUS client APIs to do the authentication as a proxy between your user and the RADIUS server.
    I wrote a very simple one back in 2001 for the authentication against a RADIUS server only and not a full implementation of the standard, but I think now on sf you will find much more mature ones.

  • Radius communication

    Hi all,
    I have two 3750s, one is connected to the radius server (ACS), and the other is connected to clients. There's a trunk connection between the two switches.
    By the way, radius works fine. However my problem is that the switch that is connected to clients must relay the 802.3 encapsulated EAPOL frames to the switch at the end of the trunk and that switch must forward those frames encapsulated in radius format.
    When a client initiates authentication by sending EAPOL frames with multicast L2 address, the trunk does not appear to be forwarding the frames over the trunk link.
    To summarize: how am I supposed to implement wired 802.1x authentication with a radius server connected multiple switches away?
    Thanks in advance.

    If the switch to which the hosts are connected is configured as the AAA Client (Authenticator), this switch communicates with the RADIUS server via RADIUS packets, not EAPOL.
    EAPOL is used between the host and the Authenticator.
    Configure the switch that the hosts are connected to, as the AAA Client (Authenticator).
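The reason the trunk "does not forward" is built into 802.1X: supplicants send EAPOL to the PAE group address 01:80:C2:00:00:03, one of the reserved addresses an 802.1D bridge must never forward, so the frame can only ever reach the switch the host is plugged into. That switch, as authenticator, strips the link-local EAPOL framing and carries the EAP packet to the server inside RADIUS EAP-Message attributes (RFC 3579), protected by a Message-Authenticator. The following is an added example, not code from the thread or from Cisco; it does that translation for the EAP-Response/Identity that opens an exchange and verifies the Message-Authenticator as the server would. The frame, MAC addresses and shared secret are constructed sample values.

```python
"""What an 802.1X authenticator does with a supplicant's EAPOL frame:
take the EAP packet out of the link-local frame and send it on to the
RADIUS server inside EAP-Message attributes with a Message-Authenticator.

Added example, not code from the post above. The Ethernet frame, MAC
addresses and shared secret are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC; bridges do not forward it
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0              # EAPOL packet type that carries an EAP packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def parse_eapol_frame(frame):
    """Return (dst, src, eap_bytes) for an Ethernet II frame carrying EAPOL/EAP-Packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"ethertype {ethertype:#06x} is not EAPOL")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL packet type {ptype} carries no EAP packet")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    return dst, src, body


def eap_identity(eap):
    """Identity string from an EAP-Response/Identity, or None for any other EAP packet."""
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and length == len(eap):
        return eap[5:].decode()
    return None


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_message_attrs(eap):
    """RFC 3579 s.3.1: split the EAP packet into EAP-Message attributes of at most 253 octets."""
    return b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))


def build_access_request(identifier, secret, username, eap, request_authenticator=None):
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + eap_message_attrs(eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    # RFC 3579 s.3.2: HMAC-MD5 over the whole packet with the Message-Authenticator
    # zeroed; the attribute was appended last, so its value is the final 16 octets.
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    return header + request_authenticator + attrs[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check; an EAP request without a valid Message-Authenticator is discarded."""
    i = 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False


def relay_to_radius(frame, secret, identifier, username=None, request_authenticator=None):
    """The authenticator's job: the EAPOL frame stops here, the EAP inside goes on in RADIUS."""
    dst, _src, eap = parse_eapol_frame(frame)
    if dst != PAE_GROUP_ADDRESS:
        raise ValueError("supplicant EAPOL is addressed to the PAE group address")
    username = eap_identity(eap) or username   # later EAP rounds reuse the identity seen first
    if username is None:
        raise ValueError("no identity known for this supplicant yet")
    return build_access_request(identifier, secret, username, eap, request_authenticator)


def sample_frame(identity="alice"):
    """Constructed EAPOL frame: supplicant 00:11:22:33:44:55 answering an Identity request."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity.encode()
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDRESS + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample, not a deployment value
    packet = relay_to_radius(sample_frame(), secret, identifier=1)
    print(packet.hex())
    print("message-authenticator ok:", verify_message_authenticator(packet, secret))
```

Nothing in this path requires the RADIUS server to be adjacent: the Access-Request is ordinary UDP from the authenticator's own address, so the server can sit any number of hops away as long as the switch holding the host port is the one configured as the AAA client.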
