Roles authenticated externally not working

I have created a role OPS$dummy which is authenticated externally.
I have also set the initialization parameters os_roles and remote_os_roles to true,
but now when I manually try to set the role at the client side it says
ORA-01989 role ops$dummy not authorized by operating system.
Please guys, can you just guide me to solve this problem...

Oracle Linux 5... anyhow, got the solution... I created groups on the server and then added the users to that... it worked..
Can this os_authent_prefix value be added to the name of the role at the beginning...

Similar Messages

  • MAC Authentication does not work

    My MAC Authentication does not work.
    I have an ACS 3.0 server set. The MAC address is set in the user name field and in the password field.
    I can ping the ACS, I can ping my AP, I can ping my client.
    I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
    I have the latest drivers for both AP and my 350 Client.
    I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
    Station 0009.7c9f.xxxx Authentication failed
    this is my config:
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname GOM_1200IOS
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    server 10.1.2.197 auth-port 1812 acct-port 1812
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa group server radius wlccp_rad_infra
    aaa group server radius wlccp_rad_eap
    aaa group server radius wlccp_rad_leap
    aaa group server radius wlccp_rad_mac
    aaa group server radius wlccp_rad_any
    aaa group server radius wlccp_rad_acct
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login wlccp_infra group wlccp_rad_infra
    aaa authentication login wlccp_eap_client group wlccp_rad_eap
    aaa authentication login wlccp_leap_client group wlccp_rad_leap
    aaa authentication login wlccp_mac_client group wlccp_rad_mac
    aaa authentication login wlccp_any_client group wlccp_rad_any
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
    aaa session-id common
    enable secret xxxxxx
    username Cisco password xxxx
    ip subnet-zero
    iapp standby timeout 5
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
    ssid GOM_1230
    authentication open mac-address mac_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    channel 2462
    station-role root
    no cdp enable
    dot1x reauth-period server
    dot1x client-timeout 600
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no cdp enable
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.43.45 255.255.240.0
    no ip route-cache
    ip default-gateway 172.16.47.254
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
    access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
    access-list 700 permit 0006.25b1.2f79 0000.0000.0000
    access-list 700 permit 000a.b78b.2d19 0000.0000.0000
    access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
    access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
    access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
    access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
    no cdp run
    snmp-server community GOM_AP1230 RO
    snmp-server enable traps tty
    radius-server local
    group AP1230
    user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
    radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
    radius-server retransmit 3
    radius-server attribute 32 include-in-access-req format %h
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 5 15
    end
    What is wrong?
    Thanks very much for your help.

    I figured out what was wrong so thank you for stopping by.
    I will publish the config for other people to see.
    Regards,

  • Dynamic Role -- Group Mapping not working in WebLogic 10

    I have an installation I am migrating from 9.2 to 10. It uses Dynamic Role Mapping:
    From my Weblogic.xml within the deployment:
        <security-role-assignment>
            <role-name>EELSSystemAdministrator</role-name>
            <externally-defined/>
        </security-role-assignment>
    I am using SPNEGO SSO, and it is working fine, it retrieves the principals from LDAP and adds them to the subject, so everything is fine there. I have defined the deployment constraint "EELSSystemAdministrator" as a Global Role, and then added a condition "group" and set it to the LDAP Group (SMS EELSSystemAdministrator) which is one of the three principals being returned from LDAP.
    When the Role mapper runs, it returns the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users, SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator ,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>
    <SecurityRoleMap> <primary-rule evaluates to NotApplicable because of Condition>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:top, 1.0 evaluates to Deny>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: DENIED
    In my 9.2 installation that is working I get the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:or(true) -> true>
    <SecurityRoleMap> <primary-rule evaluates to Permit>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:type@E@Furl@G@M@Oapplication@EEELSWeb@[email protected]@O$@S@VDSTAMP@S@W@M@OcontextPath@E@UEELS@M@Ouri@E@U, 1.0 evaluates to Permit>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: GRANTED>
    I am not sure why my 9.2 deployment lists the role type as a "url" (which points to the right deployment), and 10 lists it as the word "top". Either way, it is not authenticating to my global role based on the Group returned from LDAP.
    I'm pretty much out of troubleshooting ideas, having compared every config file/log file etc. to find discrepancies in my setup. Anyone have any suggestions, perhaps something that has to be set up differently in 10 than in 9.2?
    Thanks in Advance,
    John

    Update:
    I checked a bunch of settings, and it seems to be working now, very odd.
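
As the two log excerpts appear in the post above, the WebLogic 10 `string-is-in` line has a space after the group name in its first argument while the 9.2 line does not, and that is the only visible difference between the `false` and `true` evaluations. The following is an added example, not code from the thread or from WebLogic: it parses such SecurityRoleMap debug lines and reports evaluations that fail only because of surrounding whitespace. The function names are hypothetical and the two sample lines are copied from the post.

```python
import re

# Matches the "string-is-in(<value>,[<bag>]) -> true|false" part of a
# SecurityRoleMap debug line. The value is captured verbatim, including
# any leading or trailing whitespace.
EVAL_RE = re.compile(
    r"function:string-is-in\((?P<value>[^\[]*),\[(?P<bag>[^\]]*)\]\)"
    r"\s*->\s*(?P<result>true|false)"
)

# Sample lines copied from the post (WebLogic 10, then WebLogic 9.2).
WLS10_LINE = (
    "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:"
    "string-is-in(SMS EELSSystemAdministrator ,[everyone,users,"
    "SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>"
)
WLS92_LINE = (
    "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:"
    "string-is-in(SMS EELSSystemAdministrator,[everyone,users,"
    "SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>"
)
SAMPLE_LOG = [WLS10_LINE, WLS92_LINE]


def check_line(line):
    """Classify one debug line, or return None if it is not a string-is-in evaluation."""
    match = EVAL_RE.search(line)
    if match is None:
        return None
    value = match.group("value")
    bag = match.group("bag").split(",")
    logged = match.group("result") == "true"
    exact = value in bag                                      # byte-for-byte comparison
    loose = value.strip() in [item.strip() for item in bag]   # ignoring padding
    if exact:
        cause = "exact match"
    elif loose:
        cause = "whitespace mismatch"
    else:
        cause = "group not in subject"
    return {"value": value, "logged": logged, "exact": exact, "cause": cause}


def whitespace_denials(lines):
    """Return repr() of every policy value that is denied only because of whitespace."""
    hits = []
    for line in lines:
        info = check_line(line)
        if info and not info["logged"] and info["cause"] == "whitespace mismatch":
            hits.append(repr(info["value"]))  # repr makes the stray space visible
    return hits


if __name__ == "__main__":
    for hit in whitespace_denials(SAMPLE_LOG):
        print("denied only because of whitespace:", hit)
```
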

  • NGS Sponsors authentication does not work in case user has non-English character in his password

    Hi,
    we are using the NAC Guest Server v 2.0.1 and have Sponsors authentication done through Radius servers. Radius servers are Microsoft IAS using AD.
    Sponsors user authentication works okay in case user's password includes English characters, but does not work in case a user uses national characters like for example Umlauts in German.
    On Radius server I can see these error messages:
    User XXXX was denied access.
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.
    As soon as a user changes his password and uses English characters only, it resolves.
    I guess this might be that NGS uses different coding while sending a password to Radius server, but not sure.
    Appreciate if anyone knows a root cause and what could be a workaround. Unfortunately our AD policy allows users to use national characters and we can hardly change it. So a change on NGS or Radius side would be more viable.
    Many thanks for your help.

    A case has been opened at Cisco and it is now quite clear that it is a problem with coding.
    According to Cisco development team NGS uses UTF-8 coding to send the password, of course encrypted, to the Radius server. This cannot be changed within NGS. We use Radius Microsoft IAS Version 5.2.3790.3959 running on VMWare Windows 2003 SP2. More tests are scheduled to be performed.
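
The encoding mismatch described in this thread can be reproduced offline. The following is an added example, not code from the thread, Cisco or Microsoft: it implements the RFC 2865 User-Password hiding used by RADIUS PAP and shows that a password encoded as UTF-8 by the client no longer matches when the server compares it in a single-byte code page. The use of PAP, the server charset `cp1252`, the shared secret, the authenticator and the passwords are all assumptions constructed for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"   # constructed sample value
AUTHENTICATOR = bytes(range(16))        # constructed 16-byte Request Authenticator


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as in RFC 2865 section 5.2 (User-Password attribute)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block                      # next mask chains on the ciphertext block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password octets and drop the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def login(password: str, client_charset: str, server_charset: str) -> bool:
    """Simulate one PAP login; the server compares raw octets, not characters."""
    hidden = pap_hide(password.encode(client_charset), SECRET, AUTHENTICATOR)
    received = pap_reveal(hidden, SECRET, AUTHENTICATOR)
    expected = password.encode(server_charset)
    return hmac.compare_digest(received, expected)


def octets(password: str, charset: str) -> str:
    """Hex view of the octets that actually travel inside the attribute."""
    return password.encode(charset).hex()


if __name__ == "__main__":
    for pw in ("Winter2013", "M\u00fcller2013"):   # constructed sample passwords
        print(pw, "utf-8:", octets(pw, "utf-8"), "cp1252:", octets(pw, "cp1252"))
        print("  accepted when server expects cp1252:", login(pw, "utf-8", "cp1252"))
        print("  accepted when server expects utf-8: ", login(pw, "utf-8", "utf-8"))
```

ASCII-only passwords produce identical octets in both encodings, which matches the observation in the thread that the problem disappears once the password contains English characters only.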

  • Authentication function not working in APEX but works in pl/sql

    Greetings, Jim here.
    I have written a very simple authentication function which uses the dbms_ldap package to authenticate using the userid and password from the login page.
    I've tested this function thru pl/sql and it returns true and false accordingly.
    I've created a custom authentication schema and in the authentication function I have return myfunction;
    The problem is, when called thru APEX, it appears to always return true and lets the login proceed, even if the password is correct. I know its using the function due to the fact that if I enter a bogus function as the authentication function, APEX spits up a message saying so.
    So, I know the function works, but I don't know why it does not work with APEX. Posting function below.
    CREATE OR REPLACE FUNCTION ODBS.CUSTAPEXLOGIN (p_username IN VARCHAR2, p_password IN VARCHAR2)
    RETURN BOOLEAN AS
      retval      PLS_INTEGER;
      emp_session DBMS_LDAP.session;
      ldap_host   VARCHAR2(256);
      ldap_port   VARCHAR2(256);
      ldap_user   VARCHAR2(256);
      ldap_passwd VARCHAR2(256);
      ldap_base   VARCHAR2(256);
    BEGIN
      ldap_host   := 'oraldap';
      ldap_port   := '389';
      ldap_user   := p_username;
      ldap_passwd := p_password;
      ldap_base   := 'cn=users,dc=company,dc=com';
      -- Open the LDAP connection and bind as the user from the login page.
      emp_session := DBMS_LDAP.init(ldap_host, ldap_port);
      retval := DBMS_LDAP.simple_bind_s(emp_session, 'cn=' || ldap_user || ',' || ldap_base, ldap_passwd);
      -- A return code of 0 means the bind succeeded.
      IF retval = 0 THEN
        RETURN TRUE;
      ELSE
        RETURN FALSE;
      END IF;
    EXCEPTION
      WHEN OTHERS THEN
        -- ORA-31202 is the DBMS_LDAP client/server error raised on a failed bind.
        -- Any other error also denies the login, so the function never ends
        -- without a RETURN.
        RETURN FALSE;
    END;
    /

    Hi Jim,
    Can you clarify this -
    "The problem is, when called thru APEX, it appears to always return true and lets the login proceed, even if the password is correct"
    That implies you're saying your authentication function ALWAYS returns true? Is that correct? Also 'even if the password is correct' doesn't read correctly to me, did you mean 'even if the password is incorrect'?
    You then say -
    "now the function works, but I don't know why it does not work with APEX."
    So by 'does not work' you mean in APEX it is always returning true therefore allowing you to login regardless of the username/password you use? Is that correct?

  • Role membership rule not working

    Hi guys,
    When I create a role and assign 'membership rule' to it, the members are shown in preview screen.
    But they do not show up in the members screen of that role.
    My environment is 11gR2 SP1.
    It is working nicely in 11gR2 base. But from some bundle pack and after, it is not working.
    1. is it right?
    2. if then, why is it changed?
    3. and how should I assign members to role?
    (as a workaround I modified the member attribute. => not working
    and restart OIM, => still not working
    and reboot the server. => still not working...)
    can anyone help this?
    regards,
    dongsu

    J,
    It has been a critical issue in real customer project this year.
    Certainly we informed it to local oracle team and they says it is intentional change and we have to accept it.
    (means create role first and read in users by trusted recon from source again.. bra bra..)
    But I do not get any documented information about it.
    Actually in BP4 (may be..) if I change any attribute value of that user who is supposed to belong to that role, then it works.
    But in BP7 and now in PS1, even that approach does not work.

  • Client Authentication is not working

    Hi all..
    I have developed a web service with server and client authentication.. I had configured OC4J 10g successfully for client authentication but the problem is: I can NOT access the webservice from the browser the server says: no_certificate. the stub client works properly. I tried to install the certificate into IE explorer but it is not working. please help me ... Thanks in advance
    Khaled

    Hi
    How did you implement your solution to work with a client? I'm trying to authenticate users that try to access a webservice with basic authentication but I can't seem to make it work...
    Thanks in advance
    Vitor

  • CE7305 - Transparent mode authentication does not work.

    Hi,
    I’m doing a trial content engine 7305 for my customer. Everything worked well so far with the box except with the authentication feature.
    Authentication works well in proxy mode, but when I turned it on with transparent mode it does not work. My customer is using LDAP for user authentication.
    I suspect there is something that I did not turn on in the configuration.
    Attached herewith is the show tech of the Cisco 7305 content engine.
    Please advise!
    Thanks in advance,
    Raymond Hew

    Hi Zach,
    My customer is using Novell LDAP.
    Right at the moment the CE is already working with the auth. after rebooted the CE 7305. Just can't explain why but it works after rebooting.
    Thanks for your fast response.
    Best regards,
    Raymond Hew

  • Pl/sql Custom Authentication is not working. DADs.conf is fine.

    Hi All,
    We have configured authentication mode to customowa in the dads.conf. The same configuration is working in one instance, while it is not working on the other instance.
    Please advise me to find the solution.
    Error message from the error_log is as follows.
    mod_plsql: /imguat/mvt_cover_page.Instructions HTTP-403 ORA-0
    Enabled the debug on in plsql.conf
    the log file shows the following information.
    if (owa_custom.authorize = TRUE) then
    :authorized := 'yes';
    else
    :authorized := 'no';
    end if;
    :realm := owa.protection_realm;
    end; successfully executed
    <835614824 ms>(wpca.c,389) wpcaexe: function owa_custom.authorize returned no
    <835614824 ms>(wpca.c,391) wpcaexe: Auth Realm set to
    <835614824 ms>(wpcs.c, 77) Executed 'begin dbms_session.reset_package; end;' (rc=0)
    <835614824 ms>(wpca.c,215) wpcauth: authorize returned 0
    <835614824 ms>Custom auth failed without setting realm
    <835614824 ms>/imguat/MVT_Web_Style.Style2 HTTP-403 ORA-0
    Your help is highly appreciated.
    Regards
    Jaani.

  • Autoscaling Application block for Azure worker role console app not working. Get error as The HTTP request was forbidden with client authentication

    I have written a console application to test the WASABi (AutoScaling Application Block) for my worker role running in azure. The worker role processes the messages in the queue and I want to scale-up based on the queue length. I have configured and set the constraints and reactive rules properly. I get the following error when I run this application.
    [BEGIN DATA]{}
        DateTime=2013-12-11T21:30:02.5731267Z
    Autoscaling General Verbose: 1002 : Rule match.
    [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","MatchingRules":[{"RuleName":"default","RuleDescription":"The default constraint rule","Targets":["AutoscalingWebRole","AutoscalingWorkerRole"]},{"RuleName":"ScaleUpOnHighWebRole","RuleDescription":"Scale
    up the web role","Targets":[]},{"RuleName":"ScaleDownOnLowWebRole","RuleDescription":"Scale down the web role","Targets":[]},{"RuleName":"ScaleUpOnHighWorkerRole","RuleDescription":"Scale
    up the worker role","Targets":[]},{"RuleName":"ScaleDownOnLowWorkerRole","RuleDescription":"Scale down the worker role","Targets":[]},{"RuleName":"ScaleUpOnQueueMessages","RuleDescription":"Scale
    up the web role","Targets":[]},{"RuleName":"ScaleDownOnQueueMessages","RuleDescription":"Scale down the web role","Targets":[]}]}
        DateTime=2013-12-11T21:31:03.7516260Z
    Autoscaling General Warning: 1004 : Undefined target.
    [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","TargetName":"AutoscalingWebRole"}
        DateTime=2013-12-11T21:31:03.7516260Z
    Autoscaling Updates Verbose: 3001 : The current deployment configuration for a hosted service is about to be checked to determine if a change is required (for role scaling or changes to settings).
    [BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","HostedServiceDetails":{"Subscription":"psicloud","HostedService":"rmsazure","DeploymentSlot":"Staging"},"ScaleRequests":{"AutoscalingWorkerRole":{"Min":1,"Max":2,"AbsoluteDelta":0,"RelativeDelta":0,"MatchingRules":"default"}},"SettingChangeRequests":{}}
        DateTime=2013-12-11T21:31:03.7516260Z
    Autoscaling Updates Error: 3010 : Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientException: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure'
    in subscription id 'af1e96ad-43aa-4d05-b3f1-0c9d752e6cbb' and deployment slot 'Staging'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException:
    The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---
    Server stack trace: 
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Does anyone know why I am getting this anonymous access violation error? My webrole is a secured site but the worker role is not.
    I appreciate any help.
    Thanks,
    ravi
      

    Hello,
    >>: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure' in subscription id **************
    Based on the error message, I guess your azure service didn't get your certificate and other instances didn't have the certificate to auto scale. Please check that you uploaded the certificate on your management portal. Also, you could refer to the same thread via this link ( http://stackoverflow.com/questions/12843401/azure-autoscaling-block-cannot-find-certificate ).
    Hope it helps.
    Any question or result, please let me know.
    Thanks
    Regards,
    Will 

  • Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

    Product/Model Number: AIR-CAP2602E-A-K9
    Top Assembly Serial Number:
    System Software Filename: ap3g2-k9w7-xx.152-4.JB3a
    System Software Version: 15.2(4)JB3a
    Bootloader Version: BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    When the "Web Authentication/Pass" option is checked, it is totally inaccessible to internal or external network, any clue/advice?
    Thanks in advance.

    Thanks, seems I missed the RADIUS part; after I did that it's still no luck, here is some tech support info, are you able to help?
    ------------------ show version ------------------
    Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Dec-13 08:11 by prod_rel_team
    ROM: Bootstrap program is C2600 boot loader
    BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    WuGa-CiscoAP uptime is 3 days, 19 minutes
    System returned to ROM by power-on
    System restarted at 23:18:39 +0800 Mon Feb 10 2014
    System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
    Processor board ID FGL1650Z5X3
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
    Part Number                          : 73-14511-02
    PCA Assembly Number                  : 800-37898-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC164889AN
    Top Assembly Part Number             : 800-38357-01
    Top Assembly Serial Number           : FGL1650Z5X3
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602E-A-K9  
    Configuration register is 0xF
    ------------------ show running-config ------------------
    Building configuration...
    Current configuration : 5276 bytes
    ! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname WuGa-CiscoAP
    logging rate-limit console 9
    enable secret 5
    aaa new-model
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login webauth group radius
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login web_list group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone +0800 8 0
    no ip cef
    ip admission name webpass consent
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication web_list
    ip admission name web_auth proxy http
    ip admission name web_auth method-list authentication web_list
    ip admission name web-auth proxy http
    ip admission name web-auth method-list authentication web_list
    ip name-server 8.8.8.8
    dot11 syslog
    dot11 vlan-name GuestVLAN vlan 2
    dot11 vlan-name InternalVLAN vlan 1
    dot11 ssid Guest
       vlan 2
       web-auth
       authentication open
       mbssid guest-mode
    dot11 ssid WuGa-6
       vlan 1
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
    dot11 ssid WuGa-60
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 03084C070900721F1D5A4A56444158
    dot11 guest
      username wuga lifetime 360 password 7 030D5704100A36594908
    username Cisco privilege 15 password 7
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid Guest
    ssid WuGa-6
    antenna gain 2
    stbc
    mbssid
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    channel 2452
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    ip admission web-auth
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    ip admission webauth
    interface Dot11Radio1
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid WuGa-60
    antenna gain 4
    peakdetect
    no dfs band block
    stbc
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    power local 5
    channel width 40-above
    channel dfs
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed 1000
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface BVI1
    ip address 192.168.133.213 255.255.255.0
    ip default-gateway 192.168.133.200
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 192.168.133.200
    ip radius source-interface BVI1
    ip access-list extended ALL
    permit ip any host 0.0.0.0
    permit ip any any
    permit ip 0.0.0.0 255.255.255.0 any
    ip access-list extended All
    permit tcp any any established
    permit tcp any any eq www
    permit ip any any
    radius-server local
      nas 192.168.133.213 key 7 070C285F4D06
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    radius server 192.168.10.2
    address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
    radius server local
    address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
    key 7
    bridge 1 route ip
    line con 0
    terminal-type teletype
    line vty 0 4
    terminal-type teletype
    transport input all
    sntp server 128.138.141.172
    sntp broadcast client
    end

  • Lync MX -Externally not working

    We are having an issue with Lync MX externally.
    Lync MX Internally(domain joined) is working fine so is Mobility (external Only-internal not required), Lync 2010/2013 clients are working fine internally and externally.
    It is a small deployment 2x FE and 1 x Edge.
    When we try logging on from Lync MX externally we get the spinning that never ends. By enabling logging we get :
    Direction: outgoing;source="local"
    Peer: edge.pool.Mydomain.com:57398
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    Looking further into the logs, it looks like the external access edge sends the SIP/2.0 401 Unauthorized.
    We are using public certificates on the FE, and the Certificate Revocation List (CRL) Distribution Point (CDP) for the certificates issued to Lync server points to an HTTP resource instead of an LDAP resource as per:
    http://technet.microsoft.com/en-us/library/jj823129.aspx
    All servers are on CU7.
    Please let me know of any suggestions you may have in further troubleshooting this issue. I believe I have covered all troubleshooting steps available, but might have missed some.
    Thanks a lot in advance.
    $$begin_record
    Trace-Correlation-Id: 4102754091
    Instance-Id: 0037822A
    Direction: outgoing;source="local"
    Peer: edgeFQDN.MyDomain.com:57398
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:[email protected]>;tag=b30bd1e0cf;epid=9a2fefef5c
    To: <sip: [email protected] >;tag=C1DDC329DEAF0304014EBB25D437EA2B
    CSeq: 1 REGISTER
    Call-ID: 11172a5257a14d85a0c7fd2adf6ed9cd
    Date: Tue, 18 Dec 2012 11:52:55 GMT
    (This timezone is a bit confusing, client and server are in EST -5)
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="MyFrontEnd.domain.local", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="MyFrontEnd.domain.local", version=4, sts-uri="https://ExternalWebServicesFQDN:443/CertProv/CertProvisioningService.svc"
    Via: SIP/2.0/TLS 192.x.x.x (internal Edge IP):57398;branch=z9hG4bK3B762A20.E711664720C9EC67;branched=FALSE;ms-received-port=57398;ms-received-cid=608E00
    Via: SIP/2.0/TLS 10.x.x.x (Lync MX Client):59982;received=63.131.143.173;ms-received-port=3061;ms-received-cid=866600
    Server: RTC/4.0
    Content-Length: 0
    Message-Body: –
    $$end_record

    Hi Shahan,
    Thanks for the reply.
    Please see below.
    Testing connectivity to the Lync Autodiscover Web Service server for a secure connection on port 443 to obtain the root token.
    Connectivity to the Lync Autodiscover Web Service test successful.
    Test Steps
    Attempting to test Autodiscover Web Service URL https://lyncdiscover.mydomain.com/Autodiscover/AutodiscoverService.svc/root.
    Autodiscover Web Service URL successfully tested.
    Test Steps
    Attempting to resolve the host name lyncdiscover.mydomain.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 64.27.x.x
    Testing TCP port 443 on host lyncdiscover.mydomain.com to ensure it's listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Test Steps
    ExRCA is attempting to obtain the SSL certificate from remote server lyncdiscover.mydomain.com on port 443.
    ExRCA successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=MyFrontEndPoolFQDN, OU="MyCompany, Inc.", O="MyCompany, Inc.", L=Jersey City, S=New Jersey, C=US, SERIALNUMBER=xxxxxxxxxxx, Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name lyncdiscover.mydomain.com was found in the Certificate Subject Alternative Name entry.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 4/30/2012 10:20:46 PM, NotAfter = 3/2/2013 3:19:52 AM
    Testing HTTP authentication methods for URL https://lyncdiscover.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user.
    HTTP authentication methods successful.
    Additional Details
    Web Ticket URL found as expected and confirmed anonymous access isn't allowed.
    Testing HTTP content for URL https://lyncdiscover.mydomain.com/Autodiscover/AutodiscoverService.svc/root/domain has McxService.svc.
    Http Content is verified
    Additional Details
    Found as expected McxService.svc and confirmed anonymous access not allowed.
    Kind Regards:
    Galya

  • How to identify a role that is not working

    In what table or through which function module can I see that there's a problem with a user's role via ABAP?
    I have a role that seems to be fine when I search it with function module PRGN_READ_USERS_FOR_ONE_AGR. But when I search it with SU01, it appears with a red threshold and the user cannot actually access the functionalities of that role.
    What I need is to know, through my ABAP code, which users returned by PRGN_READ_USERS_FOR_ONE_AGR do not really have the role working properly.
    Any ideas of how can I get this information?
    Thanks in advance,
    Carol.

    I am an ABAP developer, not a role administrator. I am writing code that assigns roles to users based on other roles that they have. What I am trying to do is to make my program more robust by not assigning a role if this other role has any sort of problem. The standard function I am using, PRGN_READ_USERS_FOR_ONE_AGR, does not identify that there is a problem, and neither can it be identified through the table AGR_USERS.
    Got it?
    Carol

  • IP Address Changed on my AD - Now Authentication is not Working

    I got a new service provider for my home network, and as a result their router provided a new set of IP addresses. My home network is supported by an OD running on Mac OS X Server v 10.4.11. The laptops in the house seem to be OK, but my main machine (Mac Pro) and two others can no longer authenticate, and therefore cannot be used by anyone but their local admin accounts. All of my user info came from the OD. I went through the process of changing the DNS services on the Mac Server, and it seems to be working properly. And I have removed the old LDAP Path on the client computers, and re-initiated it. But I'm not having any success. I'm guessing that the problem may be in the actual data stored in the LDAP database (since I would likely now have a new Kerberos key), but am reluctant to attempt to recreate it, for fear of losing access to critical data under my regular login accounts.
    Can anyone point me to some documentation on how to handle a change of IP address on a Mac OS X server (which is my only server on this network)? I have obviously missed something - either on the server - or on the clients - or both.
    Thanks,
    C.

    1. There are No Tickets Available (I assume that any previous ones were wiped, when I removed and then re-created the client's directory entry through the Directory Utility.)
    The tickets will be generated the first time that you login to an OD server that has Kerberized services and will be used to access all services on the server that require authentication, if so configured, and will remain until you logout or the ticket expires. If you login to a client Mac as a local user and connect to the server as described previously, do you get the Kerberos login dialog, which will have the realm listed, or the standard login dialog?
    2. When I try to create a new ticket, I get the dialog box, but cannot continue because the drop down for the REALM is blank.
    The realm would be something on the order of, YOURSERVER.YOURDOMAIN.TLD. If the realm is not showing in Kerberos.app, then the client is not bound -or is incorrectly bound- to the server. Check your Server Admin app to see if Kerberos is running or not. Highlight the 'Open Directory' item under your server -it should show on the right as 'Running' or 'Stopped'.

  • Client Authentication certificate not working in ADFS3.0

    Hi,
    I am currently working on integrating ADFS 3.0 for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then federate user credentials to 3rd party trust for single-sign-on.
    I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
    The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
    Thanks!
    -Chinmaya Karve

    I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have working certificates.
    I just get a page where a text says I should select a certificate but I never get the dialog to do so.
    Any updates on this issue?
