Role of Appliances?

Do appliances have a role in your integration strategy? If so, for what purpose? Will appliances displace ESBs as integration hubs? If so, why?

We use DataPower in the DMZ to handle the WS-Security functionality. Authenticated requests then get forwarded through the firewall to our SOA servers. The DataPower device has XSL capability also but we don't use it. Since we don't have direct development access to the DataPower device, we're still using SOA Suite ESB. But I would highly recommend using BPEL to route instead of ESB if you're starting from scratch. The 10.1.3.3 version of ESB that isn't AquaLogic based has a lot of things that I don't like. One of the main flaws is that it can't handle multipart WSDL. Also, deploying it can be a real nuisance. Deploying a thin BPEL project that handles the routing and transformations is much easier. And best of all, BPEL can handle multipart WSDL via the Pick component.
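
Added example (not part of the post above, and not DataPower's code): the kind of check a DMZ gateway performs on a WS-Security UsernameToken before forwarding a request to the internal SOA tier, written in Python. It assumes the PasswordDigest form of the token as defined in the WS-Security UsernameToken Profile (Base64 of SHA-1 over nonce, created and password); the credential store, the five-minute freshness window, the nonce cache and the sample tokens are constructed for the example.

```python
"""Validation of a WS-Security UsernameToken (PasswordDigest form) at a
gateway, as an added illustration of the DMZ check described above.

Per the UsernameToken Profile:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where `nonce` is the raw (Base64-decoded) nonce bytes.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credential store the gateway consults: username -> password.
PASSWORDS = {"svc-orders": "correct horse battery staple"}

# Nonces already accepted inside the freshness window; a reused one is a replay.
SEEN_NONCES = set()
FRESHNESS = timedelta(minutes=5)   # assumption: how old a token may be


def parse_created(created: str) -> datetime:
    """Parse the wsu:Created timestamp (UTC, second precision)."""
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expected_digest(nonce_b64: str, created: str, password: str) -> str:
    """Compute the PasswordDigest a genuine client would have sent."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def validate_token(token: dict, now: datetime) -> tuple:
    """Return (accepted, reason) for a token given as a dict with the keys
    Username, Password (the digest), Nonce (Base64) and Created."""
    password = PASSWORDS.get(token.get("Username", ""))
    if password is None:
        return False, "unknown user"
    try:
        created = parse_created(token["Created"])
    except (KeyError, ValueError):
        return False, "bad Created timestamp"
    # Stale (or far-future) tokens are rejected so the nonce cache stays bounded.
    if abs(now - created) > FRESHNESS:
        return False, "token outside freshness window"
    nonce_b64 = token.get("Nonce", "")
    if not nonce_b64:
        return False, "missing nonce"
    expected = expected_digest(nonce_b64, token["Created"], password)
    # Constant-time comparison of the two Base64 strings.
    if not hmac.compare_digest(expected, token.get("Password", "")):
        return False, "digest mismatch"
    if nonce_b64 in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce_b64)
    return True, "ok"


def make_token(username: str, password: str, nonce: bytes, created: str) -> dict:
    """Client-side helper used only to build the constructed sample tokens."""
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "Password": expected_digest(nonce_b64, created, password)}


if __name__ == "__main__":
    now = parse_created("2024-01-01T12:00:00Z")
    good = make_token("svc-orders", PASSWORDS["svc-orders"], b"\x01" * 16,
                      "2024-01-01T12:00:00Z")
    print(validate_token(good, now))   # (True, 'ok')
    print(validate_token(good, now))   # (False, 'replayed nonce')
```

The order of the checks matters: the freshness test runs before the digest so the nonce cache only has to remember a few minutes of traffic, and the digest is compared with `hmac.compare_digest` rather than `==`.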

Similar Messages

  • ¿How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

    Hello,
    I want to give a client access to an S370 WSA quarantine, and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).
    I have created a user role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS, but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not with an administrator role?
    Thanks for your help!
    Sergio

    Hi,
    This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.
    "To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
    as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
    specify the authorization level for each RADIUS user."
    Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".
    Regards,
    Kush

  • NAC 4.7.1 L3 OOB - Temporary Role bugs ?

    Hi
    We have an L3 OOB routed gateway configuration (with redundant CAS and CAM). We are currently running 4.7.1 on the appliances and the agent is 4.7.10.
    We have experienced two problems:
    1. On several occasions we can abort a valid logon, but can still be allowed access to the network 'silently' ;
    a - without any indication on the CAM i.e. no online users, no certified devices
    b - the switch is still in the 'unauthenticated vlan' and the
    c - ip address of the client is on the 'untrusted' subnet.
    d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.
    It would seem that the user is able to trick the system by aborting the logon with the agent i.e. closing the window etc, (the login credentials are
    correct and posture fails on an optional check and so amber) but the system DOES NOT show the user at all.
    The Temporary role does allow full access, if I disable the policy rule the traffic is stopped.
    The problem is there is no indication of this user on the system at all, this happens a couple of times a week.
    2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above),
    about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).
    Close the agent and do it the second time and it will work.
    I think the symptoms are related as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug ?

    Hi,
    You said not to configure a quarantine VLAN, but by the time the users get connected, what is the process going to be for authentication (quarantine) and the access VLAN??? I mean, how is it going to perform the NAC process, and how do you control what happens if it fails (not in compliance) or if it succeeds??
    It seems that version 4.9(1) has the integration, but it is not so clear:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_woob.html#wp1139585
    What versions were you running in your deployment?

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request,
    could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ tac_admin
       server x.x.x.x
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in TACACS settings:
    1. Shell  (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have an additional context, add the next line
              shell:mycontext*Admin default-domain
    After logging in to ACE and issuing the sh users command you should see the following
    User      Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, NAC Appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful, the user will be mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch and gets the dummy VLAN, and will authenticate using a domain account on AD. If it succeeds then the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A is on VLAN ID 15
    I've created the authentication server on the CAM for the Active Directory, but I've found it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco doesn't mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.

  • Location Appliance not detecting elements after upgrade

    Hi
    Our location appliance had version 2.1.42.0. After upgrading it to version 3.1.36, no clients are being discovered.
    I must admit we don't have read-write access to the WLAN Controller 4400, and I read somewhere that NTP plays a big role in this from AppLoc version 3.0 upwards. The WCS, Location Appliance and the WLC are syncing to the same NTP server.
    Some errors I have noticed:
    5/15/08 00:12:38 ERROR[locp] [13] Error in ConnectHandler(endPoint) <LocpSessionTarget mode=CLIENT><LocpEndPoint status=HANDSHAKE totalBytesSent=19740 totalBytesReceived=16730><LocpEndPoint.Key host=10.1.30.10 port=16113/></LocpEndPoint></LocpSessionTarget>
    5/15/08 00:12:38 TRACE[com.aes] [13] [ConnectHandler:handle-09] THROW
    javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source) at om.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source) at javax.net.ssl.SSLEngine.unwrap(Unknown Source) at com.aes.server.locp.transport.IOChannelSecure.doHandshake(Unknown Source) at com.aes.server.locp.transport.LocpTransportService$ConnectHandler.handle(Unknown Source) at com.aes.server.locp.transport.ChannelEventDispatcherImpl$HandlerTask.run(Unknown Source)
    The WCS is Version 5.0.56.2 , Type: Base + Location; Licensed APs: 1000.
    I have reverted back to the old version and it's working fine now. And we have only a few hours of change control to get this upgrade right.
    Any ideas? Much appreciated.

    Have you verified that the times are all correct on the devices?
    I had an AP issue with time+certificates and even though all my controllers were set to sync to the same ntp server, the times were off. I manually set the times and that fixed it.
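
Added example (not from the thread above or from the Cisco appliances): a small Python check that evaluates a certificate's validity window, in the string form `ssl.getpeercert()` returns, against the clocks of several devices, to show how an unsynchronised clock turns into a handshake failure like the `certificate_unknown` alert quoted above even when the certificate itself is fine. The certificate dates, device names and clock offsets are constructed for the example.

```python
"""Certificate validity versus device clocks, as an added illustration of
the time-and-certificate failure discussed in the reply above."""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed validity window, written the way ssl.getpeercert() reports it.
CERT = {"notBefore": "May 15 00:00:00 2008 GMT",
        "notAfter": "May 15 00:00:00 2009 GMT"}


def utc(iso: str) -> datetime:
    """'2008-05-15T00:12:38' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def cert_time(s: str) -> datetime:
    """Convert 'May 15 00:00:00 2008 GMT' (getpeercert notation) to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def validity_status(cert: dict, verifier_clock: datetime,
                    tolerance: timedelta = timedelta(0)) -> str:
    """What a verifier whose clock reads `verifier_clock` concludes.
    `tolerance` models software that forgives a little skew; TLS stacks
    generally forgive none, which is why NTP matters on every box."""
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    if verifier_clock + tolerance < not_before:
        return "not yet valid"
    if verifier_clock - tolerance > not_after:
        return "expired"
    return "valid"


def diagnose(cert: dict, true_time_iso: str, clocks: dict) -> dict:
    """For each device (name -> ISO clock reading) report its verdict and its
    skew in seconds from the true time. If the true-time verdict is 'valid'
    but some device disagrees, the device's clock is the problem, not the
    certificate."""
    true_time = utc(true_time_iso)
    truth = validity_status(cert, true_time)
    devices = {}
    for device, clock_iso in clocks.items():
        clock = utc(clock_iso)
        skew = int((clock - true_time).total_seconds())
        devices[device] = (validity_status(cert, clock), skew)
    return {"true_verdict": truth,
            "devices": devices,
            "clock_problem": any(v != truth for v, _ in devices.values())}


if __name__ == "__main__":
    report = diagnose(CERT, "2008-05-15T00:12:38",
                      {"wcs": "2008-05-15T00:12:38",
                       "location": "2008-05-14T23:12:38",   # one hour slow
                       "wlc": "2008-05-15T00:13:08"})       # 30 s fast
    for device, (verdict, skew) in report["devices"].items():
        print(f"{device:10s} {verdict:14s} skew={skew:+d}s")
```

Reading a device's clock the same way as its peers (same NTP source, and actually synchronised, not merely configured) is the check to make before re-issuing or re-trusting certificates.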

  • NAC Appliance design question

    I have a customer with a central site and two branch offices. Routing is configured on the WAN to connect all three locations. All servers and internet access are at the central site.
    The customer wants to install NAC Appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one interface, traverse the CAS and out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decisions on what VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • Cisco NAC - How know why a machine is in Temporary Role?

    Hello,
    In our environment, workstations that do not conform to the requirements remain in the Temporary Role until remediation is done.
    In the Event Logs I see that the workstation is just in the Temporary Role, but I do not know why it is in the Temporary Role.
    How can I see this information?
    Ex:
    Authentication
    2011-01-21 11:12:26
    [00:21:9B:37:00:F0 ## x.x.x.x] user@domain - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:21:9B:37:00:F0, Role: Temporary Role, OS: Windows XP Pro/Home
    Thanks
    Daniel Stefani

    Hi Daniel,
    you can check the info about this user/machine on the NAC agent reports:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1481407
    There you get details about what checks failed on the client during the posture assessment phase.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC Appliance and LDAP Lookup

    Hello,
    I have two CAMs in HA and two CASs in HA.
    I configured the LDAP Lookup to create rules for role allocation.
    In this configuration there is only one Windows server used to find the user properties.
    There is a problem when this Windows server is down. Is there any configuration to mitigate this when the server is not there?
    Thank you all.

    The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
    LDAP
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
    You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com
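
Added example (not Cisco NAC Appliance code): a Python model of the redundancy the reply points at, where the Server URL field holds several LDAP URLs separated by spaces and a lookup tries them in configured order until one answers. The `connect` callable is injected so the logic runs offline here; real code would pass a function that opens the LDAP connection. The hostnames come from the reply's example; the "down" set and the fake connection are constructed.

```python
"""Space-separated LDAP server list with ordered failover, as an added
illustration of the multiple-URL configuration described above."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps"}


def parse_server_urls(field: str) -> list:
    """Split the field on whitespace and reject anything that is not an
    ldap:// or ldaps:// URL with a host, so a typo fails when the field is
    saved instead of silently shortening the failover list."""
    urls = []
    for token in field.split():
        parts = urlsplit(token)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            raise ValueError(f"invalid LDAP URL: {token!r}")
        urls.append(token)
    if not urls:
        raise ValueError("no LDAP URLs configured")
    return urls


def lookup_with_failover(field: str, connect, query) -> tuple:
    """Try each server in configured order. Return (url_used, result) from
    the first one that answers; raise ConnectionError listing every
    failure if none did."""
    errors = []
    for url in parse_server_urls(field):
        try:
            conn = connect(url)
        except ConnectionError as exc:
            errors.append(f"{url}: {exc}")
            continue
        return url, query(conn)
    raise ConnectionError("all LDAP servers failed: " + "; ".join(errors))


def fake_connect(down: set):
    """Constructed stand-in for opening an LDAP connection: hosts listed in
    `down` refuse the connection, every other host 'answers'."""
    def connect(url):
        host = urlsplit(url).hostname
        if host in down:
            raise ConnectionError("connection refused")
        return {"host": host}
    return connect


# The Server URL field exactly as the reply above shows it.
SERVER_URL_FIELD = "ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com"

if __name__ == "__main__":
    connect = fake_connect(down={"ldap1.abc.com"})
    print(lookup_with_failover(SERVER_URL_FIELD, connect, lambda c: c["host"]))
    # ('ldap://ldap2.abc.com', 'ldap2.abc.com')
```

Listing ldaps:// URLs rather than ldap:// keeps the memberOf lookups (and the bind credentials) off the wire in clear text; the scheme check above is where a deployment would enforce that.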

  • WAVE 294 roles

    hi
    the question is simple...
    Can I implement the WAAS accelerator and Central Manager roles on a WAVE 294 appliance at the same time, or do I need one appliance for each role?
    thanks!

    Hi Julio,
    Accelerator and Central Manager roles are mutually exclusive; you can never implement both at the same time in one single device (regardless of the model).
    Regards
    Daniel

  • Assign roles to SSO integrated users

    Hello everyone,
    I'm trying to assign roles to SSO users but I can't. I achieved it with local and LDAP users, but not for SSO users (I want to use my AD users but without LDAP config).
    My platform is vCenter 5.5 U1 for SSO, vCAC appliance + IaaS server, and vCAD appliance. When you register your vCAD with vCAC you can use SSO integrated authentication of vCAC. But, how can I assign roles to SSO users?
    I can access vCAD with AD users through SSO integrated authentication but all options are read-only.
    Best regards,
    Jose Luis Gomez

    Hello everyone,
    Auto-response.
    When you've registered your vCAD with vCAC, new roles appear in vCAC. These roles are:
    Application Architect
    Application Catalog Administrator
    Application Cloud Administrator
    Application Publisher And Deployer
    Application System Administrator
    You can apply these roles to users or groups, but always from vCAC --> Administration --> Groups/Users
    Best regards,
    Jose Luis Gomez

  • Cisco NAC Appliance SSO AD by OU (Organizational Unit): is it possible?

    Hello, I have a question. Is it possible to implement NAC Appliance SSO AD VG/Real IP - L2/L3 per OU (Organizational Unit)? For example, if I have OU sales and OU market in the Windows domain X, is it possible to restrict the policy and assign a different network (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market)?
    Regards
    Alvaro

    Yes, that is possible. First you will create a user role for the two separate OUs, then you assign a user role VLAN to each role. Then you will have to create an LDAP lookup server. You will then create an attribute condition which will map users that are a memberOf xxx to user role yyy.
    This is for out-of-band scenarios, because the clients at first will get the same authentication IP address, but after the port is switched over, the IP address they get will be based on the VLANs they land on.
    let me know if you need anything else.
    Tarik
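
Added example (not Cisco NAC Appliance code): one small Python model of what the replies in the "Integrate NAC Appliance with Active Directory", "NAC Appliance design question" and "SSO AD by OU" threads describe. An LDAP-lookup mapping rule such as `memberOf contains CN=Finance` assigns a role, each role owns a VLAN, and in an Out-of-Band design the switch port moves from the unauthenticated VLAN to the role VLAN once the user is mapped, and back again when the link drops. Group names, VLAN IDs, port names and the sample directory entries are constructed; posture checks are left out to keep the mapping logic in view.

```python
"""memberOf mapping rules, role-to-VLAN assignment and the OOB port
lifecycle, as an added illustration of the threads above."""
from dataclasses import dataclass
from typing import Optional

UNAUTH_VLAN = 999            # the go-nowhere VLAN every port starts in
DEFAULT_ROLE = "unauthenticated"


@dataclass(frozen=True)
class MappingRule:
    attribute: str   # directory attribute to inspect, e.g. "memberOf"
    operator: str    # "contains" (substring) or "equals" (whole value)
    value: str       # e.g. "CN=Finance"
    role: str        # role assigned when the condition holds


# Evaluated top to bottom; the first matching rule wins, so the most
# specific group comes first and the catch-all last.
RULES = [
    MappingRule("memberOf", "equals", "CN=Finance,OU=Groups,DC=example,DC=com", "finance"),
    MappingRule("memberOf", "contains", "CN=Sales", "sales"),
    MappingRule("memberOf", "contains", "CN=Domain Users", "employee"),
]

ROLE_VLANS = {"finance": 15, "sales": 20, "employee": 10}


def condition_holds(rule: MappingRule, entry: dict) -> bool:
    """Evaluate one rule against a directory entry (attribute -> values).
    Matching is case-insensitive, as LDAP DNs are. "contains" is a plain
    substring test, so "CN=Finance" would also match "CN=Finance-Interns";
    that is why the finance rule above uses the full DN with "equals"."""
    values = entry.get(rule.attribute, [])
    if isinstance(values, str):
        values = [values]
    needle = rule.value.lower()
    if rule.operator == "contains":
        return any(needle in v.lower() for v in values)
    if rule.operator == "equals":
        return any(needle == v.lower() for v in values)
    raise ValueError(f"unsupported operator {rule.operator!r}")


def map_role(entry: dict) -> str:
    """First matching rule wins; no match leaves the user unauthenticated."""
    for rule in RULES:
        if condition_holds(rule, entry):
            return rule.role
    return DEFAULT_ROLE


@dataclass
class Port:
    name: str
    vlan: int = UNAUTH_VLAN
    user: Optional[str] = None


def user_authenticated(port: Port, username: str, entry: dict) -> Port:
    """Called when the user on `port` has passed authentication: map the
    role and switch the port's VLAN. A user who maps to no role with a
    VLAN stays in the unauthenticated VLAN."""
    role = map_role(entry)
    if role in ROLE_VLANS:
        port.vlan, port.user = ROLE_VLANS[role], username
    else:
        port.vlan, port.user = UNAUTH_VLAN, None
    return port


def link_down(port: Port) -> Port:
    """Port went down/down: return it to the unauthenticated VLAN."""
    port.vlan, port.user = UNAUTH_VLAN, None
    return port


# Constructed directory entries in the shape an LDAP lookup returns.
DIRECTORY = {
    "alice": {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                           "CN=Domain Users,OU=Groups,DC=example,DC=com"]},
    "ivan": {"memberOf": ["CN=Finance-Interns,OU=Groups,DC=example,DC=com",
                          "CN=Domain Users,OU=Groups,DC=example,DC=com"]},
    "bob": {"memberOf": ["CN=Domain Users,OU=Groups,DC=example,DC=com"]},
    "eve": {"memberOf": []},
}

if __name__ == "__main__":
    port = Port("Gi1/0/5")
    print(user_authenticated(port, "alice", DIRECTORY["alice"]))  # vlan=15
    print(link_down(port))                                         # vlan=999
```

The substring pitfall is the one to test for before going live: with the reply's `memberOf contains CN=Finance` expression, any group whose CN merely starts with "Finance" lands in the finance VLAN, which is why the test-auth trick described above (reading back every membership for a real username) is worth doing.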

  • User Role empty - Cannot connect to DB2

    Hello,
    I'm having trouble with a WLSE 2.13 that we have installed. It doesn't let us access the software via the web; the error that appears when trying to do so is "User role is empty". There also appears a moving banner saying "Database failed to respond correctly" after trying to authenticate the user.
    However, when trying to access it through SSH, it works OK.
    This is what I get with a diag all command:
    <<< Executing ALL Diagnostics (except SmartMonTools) >>>
    DIAG: IMAGE -- [Mon Oct 9 08:27:07 UTC 2006]
    (please wait) ... DONE.
    *** PASS: Software image verification passed. ***
    DIAG: BIOS -- [Mon Oct 9 08:28:03 UTC 2006]
    *** Drive model ST340014A, FwRev does not require BIOS patch. ***
    DIAG: DMA -- [Mon Oct 9 08:28:03 UTC 2006]
    Checking disk for DMA errors (please wait) ...
    *** PASS: NO DMA IO errors found. ***
    Checking disk sectors for errors (please wait) ...
    *** PASS: NO disk sector errors found. ***
    DIAG: DB2CLEAN -- [Mon Oct 9 08:32:48 UTC 2006]
    *** PASS: No dump files found. ***
    DIAG: DB2VERIFY -- [Mon Oct 9 08:32:48 UTC 2006]
    *** FAIL: Cannot connect to DB2. Integrity verification failed. ***
    DIAG: SERIALNO -- [Mon Oct 9 08:32:49 UTC 2006]
    *** No Serial Number obtained for this appliance. ***
    So it looks like the DB is corrupt for some reason. We have executed the initdb but no change in the error has been detected.
    This is the result of the show version command:
    (C) Copyright 2006 by Cisco Systems Inc.
    WLSE 1130 Release 2.13.1FCS Mon Aug 14 12:16:20 UTC 2006
    (build number 54)
    Device Limit = 2550
    Build Version (79) Fri Jan 6 23:20:15 UTC 2006
    Uptime: 0 days 0 hours 34 mins
    Linux version 2.4.32-8_WLSEsmp ([email protected]) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-113)) #1 SMP Wed Jan 25 13:16:55 PST 2006
    I do think that there may be a sector in the hard drive that is not working (you can see why in the bootlog.txt file that I'm also attaching), but it looks a bit strange that it has only affected the access through the web...
    Any ideas?

    Hi Fernando,
    This might be related to a few things:
    - file anisnmp.conf corrupted, preventing Tomcat from starting properly (# reset device-snmp would fix it)
    - database corrupted and not accessible at all
    (... re-initialising the db might be the only solution)
    - user roles corrupted
    (would need to delete the user roles to reconstruct them)
    Opening a shell and hitting "#show tomcatlog" would give you a more accurate idea.
    In case of a broken anisnmp.conf, the error message is pretty explicit.
    In case of other problems, that would need more investigation by TAC.
    Before doing anything, remember to perform backups!
    Pierre

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused. I am trying to figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are,
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report who is on the network
    What does enforce security policies by blocking, isolating, repairing really mean?
    "Provide easy and secure guest access" I already have a public wireless SSID set on the WLC.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, Solarwinds.

    Well, usually when I deployed them back in the day, you had a NAC Appliance and another NAC Manager. But what you have read is exactly what it does.
    What does enforce security policies by blocking, isolating, repairing really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
    Sent from Cisco Technical Support iPhone App

  • ACS 5.2 appliance cli access

    Hi~
    Could you please tell me how I can grant a user access to the CLI (shell) on the ACS appliance by means of the web GUI. The point is that I have ACSAdmin as well as other administrator role users, but can't get access to the appliance through SSH (Permission denied (publickey,password,keyboard-interactive)). I need to troubleshoot RADIUS requests from my APC Network Management Cards by means of some sort of tcpdump, because I don't get any logs in ACS from the APC cards.

    then either you need to enable more detailed logging on the ACS appliance
    How can I do this?
    or the RADIUS requests from the APC cards aren't reaching the ACS appliance
    This is what I'm trying to find out.
    Are there any firewalls, etc between the two devices that might be blocking RADIUS packets?
    No man, there is clear IP connectivity between them, but the problem is that I can't troubleshoot RADIUS requests/replies on this part of the transmission, neither from the APC side nor from ACS. I checked all possible log records in the "Monitoring and Reports" tab, but didn't find any request from APC devices.
    Also, if you have any configuration examples for APC (APC9630) devices' RADIUS authentication by ACS 5.2, the information would be appreciated. I have followed this how-to to configure the VSA and apply the policy, but it still doesn't work. I just want to verify whether the RADIUS requests reach ACS or not.
    Thank you.
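
Added example (not code from Cisco ACS, APC or the WSA): a minimal RADIUS (RFC 2865) packet parser in Python with a Response Authenticator check and a Class-attribute lookup. It serves two questions on this page: the ACS 5.2 thread above, where the open question is whether Access-Requests from the APC cards reach the server at all (UDP/1812 datagrams from a capture can be fed through `parse_radius`, and a reply can be checked against the shared secret), and the Ironport WSA thread near the top, where a RADIUS Class attribute returned in the Access-Accept is mapped to a user role. The shared secret, packets, addresses and the Class-to-role table are constructed for the example.

```python
"""RADIUS header/attribute parsing, Response Authenticator verification and
Class-attribute role lookup, as an added illustration of the two RADIUS
threads above."""
import hashlib
import hmac
import ipaddress
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type",
              25: "Class", 31: "Calling-Station-Id"}

# Code(1) Identifier(1) Length(2), followed by the 16-byte Authenticator.
HEADER = struct.Struct("!BBH")


def decode_attr(atype: int, value: bytes):
    """Render the few attribute types this example cares about."""
    if atype == 4:
        return str(ipaddress.IPv4Address(value))
    if atype in (1, 31):
        return value.decode("utf-8", "replace")
    return value


def parse_radius(packet: bytes) -> dict:
    """Parse header and attributes; every length is checked so a truncated
    or malformed datagram raises instead of being read past its end."""
    if len(packet) < 20:
        raise ValueError("too short for a RADIUS header")
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      decode_attr(atype, packet[pos + 2:pos + alen])))
        pos += alen
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble a packet from (type, raw value) pairs (used for the samples)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs_body, request_auth, secret) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs_body))
    return hashlib.md5(header + request_auth + attrs_body + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True when the reply's authenticator matches: it was produced by a
    server holding the shared secret, in answer to this request."""
    code, ident, length = HEADER.unpack_from(response)
    expected = response_authenticator(code, ident, response[20:length],
                                      request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def role_from_class(parsed: dict, class_to_role: dict) -> str:
    """Map the first Class attribute of a parsed Access-Accept to a role;
    no Class attribute or an unknown value yields 'none'."""
    for name, value in parsed["attributes"]:
        if name == "Class":
            return class_to_role.get(value, "none")
    return "none"


# ---- constructed sample exchange ----
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))        # a real client picks this at random
REQUEST = build_packet(1, 7, REQUEST_AUTH,
                       [(1, b"apc-admin"), (4, bytes([10, 0, 0, 5]))])
ACCEPT_ATTRS = [(25, b"Administrators")]
ACCEPT_BODY = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in ACCEPT_ATTRS)
ACCEPT = build_packet(2, 7, response_authenticator(2, 7, ACCEPT_BODY, REQUEST_AUTH, SECRET),
                      ACCEPT_ATTRS)
CLASS_TO_ROLE = {b"Administrators": "Administrator", b"Operators": "Operator"}

if __name__ == "__main__":
    print(parse_radius(REQUEST)["attributes"])
    print(verify_response(ACCEPT, REQUEST_AUTH, SECRET))            # True
    print(role_from_class(parse_radius(ACCEPT), CLASS_TO_ROLE))     # Administrator
```

Seeing a well-formed Access-Request with the expected NAS-IP-Address in a server-side capture answers the "did it arrive" question; seeing it but no reply, or a reply whose authenticator fails against the configured secret, narrows the fault to the secret or the policy rather than the network.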
