Radius Authorization question

Can you configure RADIUS authorization for access to a router or not?
I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because it is incapable of understanding CLI":
aaa new-model
aaa authentication login default group radius
aaa authorization default local
Now the Cisco website says you can, after configuring the following:
Cisco Secure NT RADIUS
Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
IETF, Service-type (attribute 6) = Nas-Prompt
In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.
aaa new-model
aaa authentication login default tacacs+|radius local
aaa authorization exec tacacs+|radius local
username backup privilege xxx password xxxx
radius-server host 171.x.x.x
radius-server key xxxx
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

You can specify the exec privilege level for a certain user on a specific AAA client using RADIUS.
Based on that, the certain user can run all the commands that are part of that particular privilege exec level.
Now if you want to allow a certain set of commands from a particular privilege exec level, you need to use the TACACS+ protocol
and enable command authorization sets on your AAA server.
Check the following links as references on command authorization:
http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Please make sure to rate correct answers
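The answer above turns on what the RADIUS server puts in the Access-Accept: Service-Type (attribute 6) = NAS-Prompt plus the Cisco AV-pair shell:priv-lvl=7 carried in a Vendor-Specific attribute. The Python below is an added example, not code from the thread or from Cisco: it encodes and parses those attributes in the layout IOS shows in its RADIUS debug (attribute 26, vendor id 9, sub-type 1) so a defender can audit which privilege level a server actually hands out. It covers only the attribute section of the packet (no 20-byte RADIUS header), and the sample bytes are constructed.

```python
"""Encode and parse the RADIUS attributes that drive IOS exec authorization:
Service-Type (6) and Cisco AV-pairs inside Vendor-Specific (26, vendor 9, sub 1).
Added example; all packet bytes below are constructed, not captured."""
import struct

CISCO_VENDOR_ID = 9
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_AVPAIR = 1

# RFC 2865 Service-Type values relevant to device administration
SERVICE_TYPE_NAMES = {5: "Outbound", 6: "Administrative", 7: "NAS-Prompt"}


def build_cisco_avpair(text):
    """Encode one Cisco AV-pair string as a Vendor-Specific attribute (type 26)."""
    payload = text.encode("ascii")
    # vendor sub-attribute: sub-type, sub-length (includes its own 2 bytes), value
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_service_type(value):
    """Encode Service-Type as a fixed 6-byte attribute (type, length, 4-byte value)."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def parse_attributes(data):
    """Yield (type, value_bytes) for each TLV, rejecting inconsistent lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def is_well_formed(data):
    """True when every attribute header and length in the blob is consistent."""
    try:
        for _ in parse_attributes(data):
            pass
    except ValueError:
        return False
    return True


def parse_cisco_avpairs(value):
    """Return the AV-pair strings in one Vendor-Specific value; non-Cisco VSAs give []."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-byte vendor id")
    vendor = struct.unpack("!I", value[:4])[0]
    if vendor != CISCO_VENDOR_ID:
        return []
    return [sub_val.decode("ascii", errors="replace")
            for sub_type, sub_val in parse_attributes(value[4:])
            if sub_type == CISCO_AVPAIR]


def exec_authorization(data):
    """Summarise an Access-Accept's attributes as IOS exec authorization reads them.

    Returns {"service_type": name or int or None, "priv_lvl": int or None,
             "avpairs": [all Cisco AV-pairs, e.g. shell:priv-lvl=7, shell:roles=...]}.
    """
    result = {"service_type": None, "priv_lvl": None, "avpairs": []}
    for atype, value in parse_attributes(data):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPE_NAMES.get(code, code)
        elif atype == ATTR_VENDOR_SPECIFIC:
            result["avpairs"].extend(parse_cisco_avpairs(value))
    for pair in result["avpairs"]:
        # shell:priv-lvl=N is the pair that sets the exec privilege level on IOS
        if pair.startswith("shell:priv-lvl="):
            try:
                result["priv_lvl"] = int(pair.split("=", 1)[1])
            except ValueError:
                pass  # malformed level: leave priv_lvl unset rather than guess
    return result


# Constructed sample: what the ACS configuration described in the thread returns
SAMPLE_ACCEPT_ATTRS = build_service_type(7) + build_cisco_avpair("shell:priv-lvl=7")

if __name__ == "__main__":
    print(exec_authorization(SAMPLE_ACCEPT_ATTRS))
```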

Similar Messages

  • ISE RADIUS authorization NX-OS

    Could anybody confirm whether RADIUS authorization is not supported on NX-OS?
    If it's not supported, how should it be configured with ISE, since ISE doesn't support TACACS?
    NX-OS(config)# aaa authorization config-commands default group radius local
    Radius group is not supported for command authorization
    could not update aaa configuration

    Jan is correct, you can't configure an NX-OS based device the same way you would an IOS based one when it comes to AAA. NX-OS devices do not "understand" privilege levels. Instead, they use RBAC (Role Based Access Control). As a result, you have to return a shell role from your RADIUS server:
    shell:roles=user_role
    For more info take a look at the latest "NX-OS Security Configuration Guide" or this link:
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_0110.html#task_1074483
    Hope this helps!
    Thank you for rating helpful posts! 

  • Radius authorization for WAAS CM GUI

    Hi,
    We would like to enable RADIUS authorization for the WAAS Central Manager GUI. We are having some problems doing this. Also, this is only documented for TACACS and not for RADIUS.
    We've seen the waas_rbac_groups attribute that can be delivered via TACACS; can this attribute also travel in the RADIUS attributes? We've already tried shell:waas_rbac_groups in a Cisco-AV-Pair, but that doesn't do it.
    There should be a way, knowing that TACACS is very rare these days.
    Please help us
    Regards,
    Erik

    Hi Prabnu,
    Google Chrome has the same strange behaviour.;-( See the attachment.
    Roman

  • TS1277 I can't remember my 2 authorization questions' answers and when I click send to email it sends to an email address that's not mine and now I can't use my $100, what should I do?

    I can't remember my authorization questions' answers, and when I click send to email it sends to a random email that's not even created, but Hotmail.
    What should I do???!

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.

  • Forgot my authorization questions, how can I change them?

    I got a new computer and I don't remember my iTunes authorization questions, how can I change them?

    Click here and search the article for '2 out of 3'. Follow the instructions.

  • Complicated Authorization Question

    I had my iTunes software on my laptop with the songs on a portable hard drive. The laptop was stolen, the portable hard drive was not. I installed iTunes on the new laptop and pointed it to the music on the portable hard drive, and it is telling me I am not authorized to play certain songs although I have authorized the computer. Also, when I try to sync my iPhone it is saying it is going to erase all the songs on the iPhone and replace them. I have purchased songs on the phone that are not in my iTunes.
    How do I resolve this?

    Have you tried to play one of the songs in iTunes? It should then ask you to authorize them.

  • AP cannot join WLC, I have "RADIUS authorization is pending for the AP" error

    Hi Support,
    I'm new to installing WiFi. I have a WLC 2504 running 7.4.100.0
    and an AP 1600 (AIR-CAP1602E-E-K9).
    I installed the WLC and AP on a Cisco PoE switch; the WLC and AP are in the same subnet and I can ping the AP from the WLC, but the AP cannot join the WLC. I have this error message:
    (Cisco Controller) >show ap join stats detailed 00:06:f6:d6:03:f0
    Sync phase statistics
    - Time at sync request received............................ Not applicable
    - Time at sync completed................................... Not applicable
    Discovery phase statistics
    - Discovery requests received.............................. 124
    - Successful discovery responses sent...................... 124
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Jun 11 11:56:46.133
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 62
    - Successful join responses sent........................... 0
    - Unsuccessful join request processing..................... 62
    - Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
    - Time at last successful join attempt..................... Not applicable
    - Time at last unsuccessful join attempt................... Jun 11 11:56:56.606
    Another thing: from the AP CLI, I cannot use the command configure terminal.
    Can you please help me?

    Thanks Scott, I'm in Gabon (Central Africa); there is no Gabon in the countries list, so I chose France.
    This is the new status:
    (Cisco Controller) >show ap join stats detailed 00:06:f6:d6:03:f0
    Sync phase statistics
    - Time at sync request received............................ Not applicable
    - Time at sync completed................................... Not applicable
    Discovery phase statistics
    - Discovery requests received.............................. 126
    - Successful discovery responses sent...................... 126
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Jun 11 13:38:37.411
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 63
    - Successful join responses sent........................... 1
    - Unsuccessful join request processing..................... 62
    - Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
    - Time at last successful join attempt..................... Jun 11 13:38:49.888
    - Time at last unsuccessful join attempt................... Jun 11 11:56:56.606
    Configuration phase statistics
    - Configuration requests received.......................... 0
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP
    - Last AP disconnect reason................................ Not applicable
    Last join error summary
    - Type of error that occurred last......................... AP got or has been disconnected
    - Reason for error that occurred last...................... Timed out while waiting for ECHO repsonse from the AP
    - Time at which the last join error occurred............... Jun 11 13:40:31.432
    AP disconnect details
    - Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP
    Ethernet Mac : 00:06:f6:d6:03:f0  Ip Address : 172.25.100.84
    (Cisco Controller) >

  • IOS SSL VPN WITH RADIUS Authorization

    Hi
    I'm trying to authenticate and authorize the users logging into SSLVPN via ACS, and although the ACS logs and the "TEST" command on the router show successful authentication, I receive the following debug:
    *Jun  6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
    Rack1R1(config)#                          
    *Jun  6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Jun  6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
    *Jun  6 22:40:21.409: RADIUS(00000000): sending
    *Jun  6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
    *Jun  6 22:40:21.409: RADIUS:  authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
    *Jun  6 22:40:21.409: RADIUS:  User-Name           [1]   16  "SSLUSER@SSLVPN"
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: RADIUS:  User-Password       [2]   18  *
    *Jun  6 22:40:21.409: RADIUS:  NAS-IP-Address      [4]   6   150.1.1.1                
    *Jun  6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
    *Jun  6 22:40:21.669: RADIUS:  authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
    *Jun  6 22:40:21.669: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255          
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  28 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22  "webvpn:svc-enabled=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  29 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23  "webvpn:svc-required=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  50 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44  "webvpn:split-include=6.6.6.0 255.255.255.0"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  35 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29  "webvpn:keep-svc-installed=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  31 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25  "webvpn:addr-pool=SSLVPN"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  41 
    *Jun  6 22:40:21.669: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    *Jun  6 22:40:21.669: RADIUS:  Class               [25]  36 
    *Jun  6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30  [CACS:0/470/96010]
    *Jun  6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56  [101/SSLUSER@SSLV]
    *Jun  6 22:40:21.669: RADIUS:   50 4E                                            [PN]
    *Jun  6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
    *Jun  6 22:40:21.673: RADIUS(00000000): Unique id not in use
    Rack1R1(config)#                          
    *Jun  6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
    *Jun  6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
    Rack1R1(config)#                          
    *Jun  6 22:40:23.673: WV-AAA: AAA Authentication Failed!
    Rack1R1(config)#                          
    *Jun  6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
    Rack1R1(config)# 
    Router configuration:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Rack1R1
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/1
    logging message-counter syslog
    enable password cisco
    aaa new-model
    aaa authentication login RAD group radius
    aaa authorization network RAD group radius
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip domain name INE.com
    ip host cisco.com 136.1.121.1
    ip host www.cisco.com 136.1.121.1
    ip host www.google.com 136.1.121.1
    ip host www.ripe.net 136.1.121.1
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3354934498
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3354934498
    revocation-check none
    rsakeypair TP-self-signed-3354934498
    crypto pki certificate chain TP-self-signed-3354934498
    certificate self-signed 01
            quit
    username admin privilege 15 password 0 admin
    username SSLUSER@SSLVPN password 0 cisco
    archive
    log config
      hidekeys
    crypto ipsec client ezvpn EZVPN_CLIENT
    connect auto
    mode client
    xauth userid mode interactive
    ip tcp synwait-time 5
    interface Loopback0
    ip address 150.1.1.1 255.255.255.0
    interface Loopback6
    ip address 6.6.6.6 255.255.255.0
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/1.11
    encapsulation dot1Q 12
    ip address 136.1.11.1 255.255.255.0
    interface FastEthernet0/1.121
    encapsulation dot1Q 121
    ip address 136.1.121.1 255.255.255.0
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    interface Vlan1
    no ip address
    router rip
    version 2
    passive-interface FastEthernet0/1.11
    network 136.1.0.0
    network 150.1.0.0
    no auto-summary
    ip local pool SSLVPN 40.0.0.1 40.0.0.254
    ip forward-protocol nd
    ip route 10.0.0.0 255.255.255.0 136.1.121.12
    ip http server
    ip http secure-server
    ip dns server
    ip access-list extended SPLIT
    permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
    ip radius source-interface Loopback0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    line vty 0 4
    password cisco
    scheduler allocate 20000 1000
    webvpn gateway SSLVPN
    ip interface Loopback0 port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-3354934498
    logging enable
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
    webvpn context SSLVPN
    title "**SSLVPN  **"
    ssl encryption rc4-md5
    ssl authenticate verify all
    aaa authentication list RAD
    aaa authentication domain @SSLVPN
    aaa authorization list RAD
    gateway SSLVPN
    inservice
    end
    Any Idea?

    Hi,
    As I understand, you need to know if you can assign a static IP to a user and also whether there is any other way of assigning an IP other than a local pool.
    There are three ways of assigning an IP address to a VPN client: using a local pool, an AAA server, or DHCP.
    You can use the following links for more information:
    Assigning a static IP for a user present locally on the ASA:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
    For user present on Active Directory:-
    http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
    The following is the link for assigning ip address using DHCP:-
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
    I hope it helps.
    Thanks,
    Shilpa

  • Authorization question-Two users on one computer

    My wife and I are going to share a MacBook and all our iTunes purchases are shared under one iTunes account. 
    My questions are...Will iTunes need to be authorized twice? And do both user logins count towards the 5 authorizations?
    Thanks for any help.

    iTunes Store: About authorization and deauthorization - http://support.apple.com/kb/HT1420
    I'm not 100% positive about this but I believe authorization is for a whole machine.

  • Multiple Libraries - Authorization Question - For NON-iTune purchased music

    Please help! The questions come at the end.
    I have an extensive classical music iTunes library in AAC format that I ripped from CDs I've purchased over the past 20 years. NONE of these were purchased from iTunes. (I have another library on my PC with other music, and I have purchased some iTunes songs for that library). I access one or the other by pressing Shift, etc. No problem.
    Both my son and I listen to classical music, and I wanted to share this library with him by moving my classical iTunes Library to his computer. (I copied the entire folder structure from my PC to his, nearly 50 GB worth). So he now has 2 libraries on his computer. One (the classical library) and his own iTunes library.
    He can access the classical library (hold down shift key, etc.), but gets a message to "AUTHORIZE THE FILE SOURCE" before listening to the music. So my questions:
    ++ Why does he need to authorize music from non-iTunes source? I'm not trying to illegally give him anything from iTunes. My family owns this classical CD collection.
    ++ If he does need to authorize the FILE SOURCE, I suppose he would use MY iTUNES account information to do so. Is this correct? Or should he use HIS account information?
    ++ And if he does use my account info, _will he retain his iTunes account setting for his other iTunes Library_? I.e., He would have a classical music library that's authorized by me (I guess my second computer?), and his regular library with his account information?
    This sounds more complicated than it is (maybe it IS more complicated than I think) (sic).
    Any help greatly appreciated.

    I could be wrong, but if that's the exact message he's getting, it sounds more like a file permissions error in Windows rather than the typical iTunes authorization message, which brings up an obvious request for an iTunes Store ID and password. I'd suggest he look at the Windows permissions for the folder and its contents and see if perhaps he doesn't have the correct permissions to access that material.
    Hope this helps.

  • Authentication and Authorization question.

    Hi All,
    I require your help in validating my understanding of Authentication and Authorization. This is with respect to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities, i.e. (user, group, role), can be either in LDAP or DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can collect all the roles that a user belongs to and return all Roles. This can happen against LDAP or DB.
    2. The end result is a list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role exist in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is: can user, group and role exist in an application-specific database and still be used for creating security policies?
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard j2ee application , which will be deployed as standard j2ee application.
    The DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    The VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in our datastore for access rights?
    Thanks,
    Prashanth Bhat.

  • Help! Authorization question

    OK, this might be a silly question, but I thought I'd give it a shot.
    I have iTunes installed on two computers. One doesn't have the internet hooked up and to listen to certain songs, it says I need to authorize them. So is there any way I can authorize these songs without being hooked up to the internet?

    You don't need to be connected to the internet in order to authorize the computer ( it's not the songs you are authorizing). Just play a few seconds of one of them.
    See this.
    About computer authorization.

  • Analysis Authorization questions

    How do Analysis Authorizations work in the cases below?
    1) InfoObject "A" set as Authorization relevant (in the BEx explorer tab)
    2) InfoObject "B", which is an ATTRIBUTE of InfoObject "A", set as Authorization relevant
    3) InfoObject "A" and "B" both set as Authorization relevant
    How should the query be designed in each of the cases above, with or without authorization variables, what parameters should be set in RSECADMIN for InfoObject "A" and "B" in each case (like ":" and "*"), and what would the behaviour be after setting them?
    Can anyone give an example of the above with a demonstration, please?

    Hi John,
    please search the forum first and read the online documentation before posting these kinds of questions. You should find more than enough information via the above mentioned channels. You save the time and effort of your peers.
    To answer your questions briefly:
    1. 0COUNTRY is in the free characteristics (not in the drilldown) without any selections
    ==> You need the ':' value, since whenever you omit a characteristic you basically want to see the summary value (you summarize / accumulate over the specific characteristics). Nevertheless, as soon as you drill down on the characteristic you need the specific values of the drilldown.
    - or -
    2. 0COUNTRY is not used in the query.
    ==> You need ':', too.
      Cheers
        SAP NetWeaver BI Organisation

  • 10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

    I'm using 10.6.4 with VPN L2TP configured successfully using the local user database for authentication. Now I want to configure the VPN to use a Steel Belted Radius server (that is hooked up to another LDAP server) for authentication.
    I've configured the VPN service to use the RADIUS server; authentication to RADIUS is occurring but I'm getting errors that the user is not authorized to use the VPN service.
    Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against RADIUS?
    NOTE: I've played around with Server Admin's access for VPN; with it set to all users, everyone etc., this did not make any difference to the error I'm getting from the VPN service.
    Here's the log output when the connection fails.
    2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
    2010-08-27 12:52:34 PDT Listening for connections...
    2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
    Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
    Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
    Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
    Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
    Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
    Fri Aug 27 12:52:39 2010 : L2TP received ICCN
    Fri Aug 27 12:52:39 2010 : L2TP connection established.
    Fri Aug 27 12:52:39 2010 : using link 0
    Fri Aug 27 12:52:39 2010 : Using interface ppp0
    Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
    Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
    *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
    *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
    *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
    Fri Aug 27 12:52:40 2010 : Connection terminated.
    Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
    Fri Aug 27 12:52:40 2010 : L2TP sent CDN
    Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
    Fri Aug 27 12:52:40 2010 : L2TP disconnected
    2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
    Message was edited by: sarah mays

    I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
    I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
    Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
    NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
    Here's the log out put when the connection fails.
    2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
    2010-08-27 12:52:34 PDT Listening for connections...
    2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
    Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
    Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
    Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
    Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
    Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
    Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
    Fri Aug 27 12:52:39 2010 : L2TP received ICCN
    Fri Aug 27 12:52:39 2010 : L2TP connection established.
    Fri Aug 27 12:52:39 2010 : using link 0
    Fri Aug 27 12:52:39 2010 : Using interface ppp0
    Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
    Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
    Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
    Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73173d7415c85cae976700>, name = "USERNAME"]
    Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
    *Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
    *Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
    *Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
    Fri Aug 27 12:52:40 2010 : Connection terminated.
    Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
    Fri Aug 27 12:52:40 2010 : L2TP sent CDN
    Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
    Fri Aug 27 12:52:40 2010 : L2TP disconnected
    2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
    Message was edited by: sarah mays
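The log above is worth reading as two separate checks: CHAP succeeds (the password is accepted), and only then does the DSAccessControl plugin refuse the user, which is what triggers the "Authorization failed" TermReq. As an added example that is not part of the original post or of Apple's vpnd, here is a small Python classifier that walks pppd/L2TP log lines of that shape and reports whether a session died at the tunnel, authentication, or authorization stage. The sample log lines inside it are constructed to mirror the post's format with made-up names, IDs and hex; the "CHAP peer authentication failed for" wording used for the negative case is an assumption, not taken from the page.

```python
"""Stage classifier for pppd/L2TP session logs (OS X Server vpnd style).

Added example, not from the original post or from Apple's vpnd.  The sample
log lines below are constructed to mirror the post's format with made-up
names, IDs and hex; the "CHAP peer authentication failed for" wording used
for the negative case is an assumption, not taken from the page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Stage markers, checked in this order for each line.  chap_ok, authz_fail,
# term_req and hangup follow the message texts visible in the post's log.
EVENTS = [
    ("tunnel_up",  re.compile(r"L2TP connection established")),
    ("chap_ok",    re.compile(r"CHAP peer authentication succeeded for (\S+)")),
    ("chap_fail",  re.compile(r"CHAP peer authentication failed for (\S+)")),   # assumed wording
    ("authz_fail", re.compile(r"DSAccessControl plugin: User '([^']+)' not authorized")),
    ("term_req",   re.compile(r'sent \[LCP TermReq id=0x[0-9a-fA-F]+ "([^"]*)"\]')),
    ("hangup",     re.compile(r"Connection terminated|has hungup")),
]

HINTS = {
    "authorization_failed": "password accepted; the refusal comes from the VPN service's access control, not the credentials",
    "authentication_failed": "peer name/password or CHAP method rejected; check the account and auth settings",
    "tunnel_failed": "L2TP control channel never completed; check the IPsec/UDP 1701 path before looking at users",
    "connected": "session established and still up at end of log",
    "terminated": "session dropped after authentication; see the TermReq reason",
}


@dataclass
class Verdict:
    stage: str                    # one of the HINTS keys
    user: Optional[str] = None    # peer name that authenticated or was refused
    reason: Optional[str] = None  # text from the LCP TermReq, if any
    hint: str = ""


def events(lines: Iterable[str]) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (stage, captured name or reason) for each line that marks a stage."""
    for line in lines:
        for stage, pat in EVENTS:
            m = pat.search(line)
            if m:
                yield stage, (m.group(1) if m.groups() else None)
                break


def diagnose(lines: Iterable[str]) -> Verdict:
    """Reduce one session's log to the stage it ended in.

    Precedence matters: an explicit DSAccessControl refusal after a CHAP
    success is an authorization failure even though the same session also
    shows a TermReq and a hangup."""
    seen = {}
    for stage, arg in events(lines):
        seen.setdefault(stage, arg)      # keep the first occurrence of each stage
    if "authz_fail" in seen:
        v = Verdict("authorization_failed", seen["authz_fail"], seen.get("term_req"))
    elif "chap_fail" in seen:
        v = Verdict("authentication_failed", seen["chap_fail"], seen.get("term_req"))
    elif "tunnel_up" not in seen:
        v = Verdict("tunnel_failed")
    elif "chap_ok" in seen and "term_req" not in seen and "hangup" not in seen:
        v = Verdict("connected", seen["chap_ok"])
    else:
        v = Verdict("terminated", seen.get("chap_ok"), seen.get("term_req"))
    v.hint = HINTS[v.stage]
    return v


# Constructed sample sessions (same shape as the post's log, made-up values).
AUTHZ_FAIL_LOG = """\
Fri Aug 27 12:52:39 2010 : L2TP connection established.
Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <0a1b>, name = "OSX SERVER"]
Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <2c3d>, name = "alice"]
Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for alice
Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'alice' not authorized for access
Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]
Fri Aug 27 12:52:40 2010 : Connection terminated.
""".splitlines()

CHAP_FAIL_LOG = """\
Fri Aug 27 13:01:02 2010 : L2TP connection established.
Fri Aug 27 13:01:03 2010 : CHAP peer authentication failed for bob
Fri Aug 27 13:01:03 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
Fri Aug 27 13:01:03 2010 : Connection terminated.
""".splitlines()

TUNNEL_FAIL_LOG = """\
Fri Aug 27 13:05:00 2010 : L2TP received SCCRQ
Fri Aug 27 13:05:00 2010 : L2TP sent SCCRP
""".splitlines()

if __name__ == "__main__":
    for name, log in [("authz", AUTHZ_FAIL_LOG), ("chap", CHAP_FAIL_LOG), ("tunnel", TUNNEL_FAIL_LOG)]:
        v = diagnose(log)
        print(f"{name}: stage={v.stage} user={v.user} reason={v.reason!r}\n    {v.hint}")
```

Run it on a captured vpnd log and the verdict tells you which knob to turn: an `authorization_failed` verdict means the account and password are already fine and the thing to inspect is the per-service access list the VPN service consults, whereas `authentication_failed` points at the account or the CHAP method and `tunnel_failed` at the network path before any user is involved.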

  • Authorization questions PFCG...

    Hi Guys
    A Couple of questions...
    We are upgrading from an older version of CRM without WEB UI to 7.0, we have composite roles on all our users, i.e. more than 1 role per user. As I have understood it you only have the possibility to assign one PFCG ROLE ID to a specific Business Role in the WEBGUI.
    I know how to set up the business roles etc, these questions are more "how did they intend it to work"...
    1. Overall Question, How should we use this PFCG role?  
    2. I have heard that you can leave it blank, what does this mean, that it the users authorization is as before i.e. as defined with the multiple composite roles stored directly on the user?
    3. How does this PFCG Role on the Business Role work together with the PFCG Roles you have on the users directly? What is the meaning of the PFCG ROLE on the business role in relation to the ones on the user?
    4. Should we delete the roles on the users and add them directly on the business role? We might have a problem there as many users work as "SALESPRO" but they have different authorizations, some are more senior than others. Would we then have to have several business roles (SALESPROJR, SALESPROSR etc.) as we can only have 1:1 between business role and PFCG role id?
    5. What we would like to have basically is 2 or 3 Business roles that sets the layout and basic worksets, the authorization should behave as before per user not per business role. 
    Any relevant input on these questions will be greatly rewarded.
    /Jabba

    UGLY for some reason there are no line breaks... I will try to fix it so it is readable after lunch....
    Thanks, very grateful for your comments, but I think we have to be a bit more specific. I will try to clarify.
    I understand how the standard roles work together with the standard PFCG ROLE IDs assigned to them. However we already have a structure for our authorization roles that is on user level via su01 and each user has several composite roles. To merge these roles into one PFCG role and assign it to a business role is unrealistic; this will create too many business roles for the user as there can be only a 1:1 relation between a Business role and the PFCG ROLE assigned to the business role.
    With that said, I have been recommended to leave the PFCG ROLE id on the business role blank; this will mean that the authorization on the user level kicks in.
    However this raises some additional questions...
    1 The authorizations in our old CRM system could not possibly cover the authorizations in the WEB GUI as we don't have a WEBGUI today, so are there any special authorizations we need to set up for the WEBGUI itself? Example: let's say that in the old CRM system the user had authorization to create a service order. If the user keeps this authorization on su01, do we need to add any additional authorizations on the user or to the business role so he can access the workset and trigger create service order from the WEBGUI?
    2 If we had both a PFCG ROLE ID assigned to the Business Role and composite roles directly on the user, which one will actually be used? Will they both be used? What happens if the authorization on the Business role says "NO" and the authorization on su01 says "YES"? Or is it really as stated in the answer above, that if we specify a PFCG ROLE ID on the business role this will be used and nothing else?
    3 What about our own authorization objects, is there a way to scan these and see if they are valid for CRM 7.0? How should we go about verifying our old authorizations in the new 7.0 system? Is there a report you can run? I guess also that some authorizations are not valid anymore, or how do the authorizations per transaction work? I mean we have in our roles added certain transactions; people will no longer use CRMD_ORDER, so how does this translate to the WEBGUI?
    4 We are using the salesorg structure today and the plan is based on what we know so far to assign business roles to the positions and not to assign a PFCG ROLE id at all to business role. Can anyone see any problems with this?
    5 What is UIU_COMP is that a new auth object? What new auth objects are delivered in webgui?
    Again thanks for any input on the above. Perhaps more people will be interested if we make this investigation thorough.
    BTW I found this post Re: Reg: Business Role but it still leaves some questions unanswered.
    Edited by: jabba hut on Nov 10, 2009 1:52 PM
