Shell access required for RADIUS authentication?

Hello all,
A customer of mine has a fleet of modern Mac laptops, all accessing 3 AFP file servers. Access to those file servers is governed by a Snow Leopard Open Directory Master. Pretty simple.
I’ve been tasked with introducing RADIUS authentication to the WLAN there. The WAPs are all Airport Extremes, so again the setup is pretty simple.
But in testing, I see that users can authenticate to the RADIUS WLAN only if I give those user accounts shell access in Open Directory. If a user’s account has a login shell set to None (our previous default), then any RADIUS authentication attempt produces the following log error:
Auth: [unix] [USERNAME]: invalid shell [/dev/null]
If I switch that user’s login shell to (for example) /bin/bash, then restart RADIUS, that user authenticates successfully thereafter.
Is this expected behavior? Is there an alternative to giving everyone shell access?
Thanks for any info,
Brandon White
System Administrator
www.technico.us
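The log line in the question comes from the RADIUS server's unix module. To make the behaviour concrete, here is an added example (my code, not part of the thread or of any RADIUS server) that emulates what I understand the check to be: look the user up in the passwd database, then reject unless the login shell appears in the system's valid-shell list (/etc/shells). That reading is an assumption; the passwd records and the /etc/shells content are constructed so the script runs offline.

```python
"""Emulate the login-shell test behind "Auth: [unix] [USERNAME]: invalid shell [/dev/null]".

Added example, not code from the original thread or from any RADIUS server.
Assumption: the unix module looks the user up in the passwd database and
rejects the request when the user's login shell is not listed in the system's
valid-shell list (/etc/shells). Both inputs below are constructed so the
script runs offline; nothing is read from the real system.
"""

# Constructed /etc/shells content. The comment and the blank line are
# deliberately present: a parser has to skip both.
ETC_SHELLS = """\
# List of acceptable shells for chpass(1).
/bin/bash
/bin/sh

/bin/zsh
/usr/bin/false
"""

# Constructed passwd-style records: name:password:uid:gid:gecos:home:shell
PASSWD = """\
alice:*:501:20:Alice:/Users/alice:/bin/bash
bob:*:502:20:Bob:/Users/bob:/dev/null
carol:*:503:20:Carol:/Users/carol:/usr/bin/false
"""


def parse_shells(text):
    """Return the set of listed shells, ignoring comments and blank lines."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")}


def parse_passwd(text):
    """Map user name -> login shell from passwd-style records."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = fields[6]
    return users


def unix_shell_check(username, passwd_text=PASSWD, shells_text=ETC_SHELLS):
    """Decide as the emulated module would and return (verdict, log line).

    verdict is "ok", "reject" or "notfound". The reject line reproduces the
    format quoted in the post; the other two lines are constructed here.
    """
    shells = parse_shells(shells_text)
    users = parse_passwd(passwd_text)
    if username not in users:
        return "notfound", f"Auth: [unix] [{username}]: user not found (constructed message)"
    shell = users[username]
    if shell not in shells:
        return "reject", f"Auth: [unix] [{username}]: invalid shell [{shell}]"
    return "ok", f"Auth: [unix] [{username}]: shell [{shell}] is listed (constructed message)"


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        verdict, line = unix_shell_check(name)
        print(f"{verdict:9}{line}")
```

Under this emulation bob, whose shell is /dev/null, is rejected with exactly the quoted message, while carol passes even though /usr/bin/false never gives an interactive session: the test is list membership, not whether the listed program lets anyone log in. Whether that observation is an acceptable answer to the "alternative to shell access" question depends on what else on the server honours /etc/shells, which the thread does not say.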


Similar Messages

  • SBR for RADIUS Authentication

    Hi Everyone,
    Does anybody know if Steel Belted Radius would be able to authenticate both the telnet and enable passwords for RADIUS authentication?
    I have tried IAS, but apparently IAS does not have any understanding of the enable password and therefore returns an error.
    Any help would be great.
    Thanks,
    Dan

    "enable password" authorization is not supported in RADIUS authorization. TACACS+ supports it.

  • NMAS based token for radius authentication towards checkpoint firewall

    Hi,
    I'm looking for token-based access towards a Checkpoint firewall. I found out about RADIUS, and think that's the way to go.
    Our user administration is NW65SP2 & eDir 8.7.3 based.
    Has anyone a success story about a token-based RADIUS server based on this configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from about
    > > > 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've got
    > > a good deal on RSA, and are negotiating a deal on Vasco. Eventually we might
    > > need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use the
    > > tokens only for Checkpoint authentication, or for Novell authentication as
    > > well?

  • Requirements for user authentication

    In my trials of configuring the software, it seems that the only option for providing user access authentication is via LDAP integration. This seems a heavy requirement for non-enterprise usage.
    I created a default directory service, but cannot enable access control without setting up distributed access, which seems to require LDAP. Installing LDAP has its own set of prerequisites. Is all this really necessary? Am I misunderstanding the documentation?
    Thanks,
    Sean Wyatt

    Dear sean.wyatt,
    LDAP is not the only option for user auth. There are key files and digest files. Or do you have some reason to use only LDAP?

  • Minimum set of ACLs / security access required for getting MBeanHome and Runtime MBeans

    Hi,
    Where can I get information regarding the "minimum set" of ACLs and security access/permission
    required for
    a) Accessing weblogic.management.MBeanHome [Local and Admin interfaces] and RemoteMBeanServer
    interfaces
    b) Use MBeanHome and RemoteMBeanServer interface to look up MBeans [especially
    Runtime MBeans] for Cluster, Server instances, EJBs, JDBC, Execute Queues, etc?
    Any help or hint is appreciated!
    Regards,
    DKV

    "DKV" <[email protected]> wrote in message news:3f4e8429$[email protected]..
    > Hi,
    > Where can I get information regarding the "minimum set" of ACLs and security access/permission
    > required for
    I believe this was answered in the management JMX newsgroup.

  • Why is Domain Admin access required for NTFS crawling?

    Need some assistance from the experts in here..
    Our company has a policy against granting Domain Admin access to service accounts.
    Oracle states that Domain Administrative privileges are required for NTFS crawling. However, they aren't able to provide a reasonable explanation as to why such a high level of access is necessary. In theory, Local Administrative privileges on the target file host should suffice if the crawler is grabbing ACL details, but in practice that does not seem to work.
    Can anyone point me to some technical documentation on SES NTFS crawling or help me understand what actions are being invoked?
    Many thanks.
    LC

    They do seem confused. I have heard on a few occasions, someone has taken their computer in for some major work and it comes back with the latest OS! I think some Service technicians have the opinion that any OS less than the latest is a kind of defect that they can remedy.
    I suppose they are trying to be helpful, but as you say, compatibility with existing applications can be a pitfall when doing that.
    The main thing is you have your OS backed up. I keep a clone (made by SuperDuper!) of my OS on a backup disk, and if you were really worried about a service technician trawling through your hard drive on their lunch break, having the working clone would allow you to reinstall a fresh OS and hand it to them with nothing of yours on it whatsoever.
    When it comes back fixed, copy the external clone back onto your Mac. This is a bit of trouble, but it ensures the integrity of your data.

  • Custom Access Gate for 2FA authentication

    Hello OAM Gurus,
    I am trying to build a custom AccessGate which can authenticate users using our 2FA technology for a protected resource that is accessed initially. I have written a servlet to do this, wherein I am expecting that somehow, when a user tries to access the protected resource, the user will be redirected to this servlet. The custom AccessGate will be running on a separate server under a J2EE container. The problem is twofold.
    1. I am unable to figure out how do I protect a resource (create a policy) on a web server which will be protected by my access gate.
    2. In My servlet how will I get the URL for the protected resource. I initially assumed that it should be referer.
    Here is the flow that I am looking at:
    User goes to a protected resource on a web server --> redirected to my servlet --> performs 2FA --> Servlet checks if user is authorised to access the resource --> redirect the user to the resource .
    Can somebody please help.
    Thanks,
    Gunjan

    Henrik,
    there is no SDK for OAM 11g so far; this might come in one of the next patch sets.
    You could resort to integrating with OAAM.
    --olaf

  • Hyperion Hub Required for External Authentication?

    Need to use external authentication for three products, Essbase 7.1.2, Analyzer and Reports. Do you have to use Hyperion Hub?

    Also, can you use mixed mode, some users using Essbase Native and some using Active Directory, or a combination of Active Directory and NTLM?

  • Admin access required for downloading e-licenses?

    Hello. Do end users need administrative access to their computers in order to download the e-license during the 30-day grace period?
    Thanks!
    Morgan

    Hello Morgan, how are you? :-)
    The answer: No, no admin privileges required to download an e-license to the machine.
    Juan-Carlos

  • Can't obtain an access token for Translator - Authentication failed.

    Hi,
    I copied the PHP code at http://msdn.microsoft.com/en-us/library/hh454950.aspx, pasted it into a file, and made a simple AJAX call to it. I have checked to make sure that the client id and client secret are correct. Somehow it returned an error message
    saying: Exception-ACS50012: Authentication failed.
    I read somewhere here that we can only use numeric digits for the client id so I changed the client id to a number. However that still didn't work.
    Please help.

    Hi,
    I'm glad to hear that you have solved your issue, if you have any issues later, welcome to our forum again.
    Best Regards

  • Power Shell help required for Windows Server

    Hi,
    Need PowerShell script help!
    I have 100+ servers. I want to find out how many IP addresses are registered in DNS for each hostname.
    I want to find out the parameters below for each server:
    ping <Server name>
    ping -a <IP address>
    nslookup <Servername>
    nslookup <IP address>
    and it should generate a report.
    The script should fetch the server list from a local drive (txt format).
    Note: for some servers we have multiple IP addresses registered as aliases (CNAME).
    Thanks in advance.
    Regards,
    Manjunath Sullad

    You can use
    Test-Connection -ComputerName server.com -Quiet
    to replace ping. Test-Connection -Quiet returns $true if server.com is pingable, otherwise $false.
    Instead of ping you could use a .NET class:
    $p = New-Object System.Net.NetworkInformation.Ping
    ($p.Send("server.com")).Status
    It returns "Success" if pingable or something else if not. In $p.Send($Server), $Server can be a hostname as well as an IP address.
    You can also use a .NET class as a replacement for nslookup:
    ([System.Net.Dns]::GetHostAddresses("server.com"))
    [System.Net.Dns]::GetHostByAddress("10.10.10.10")
    GetHostAddresses will return an array.
    HTH
    Walter

  • Radius authentication for wifi users

    Hi all,
    I have an Aironet 1250 access point and I have a Windows 2003 RADIUS server configured to authenticate users.
    I need to configure the access point for RADIUS authentication.
    Can anyone please help me to configure the access point?
    thanks in advance ,
    Selva

    See here for configuration examples, look for the autonomous examples:
    http://www.cisco.com/en/US/products/ps6087/prod_configuration_examples_list.html
    Thanks
    Chris

  • Radius authentication for privileged access

    Hello,
    I have configured a Cisco 6513 for RADIUS authentication with the following commands:
    aaa new-model
    aaa authentication login authradius group radius line
    aaa accounting exec acctradius start-stop group radius
    radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
    line vty 0 4
    accounting exec acctradius
    login authentication authradius
    This is working pretty fine. I want to configure RADIUS authentication for privileged access / for enable access.
    I am using TekRADIUS as the RADIUS server.
    Please help.
    Thanks and Regards,
    Pratik

    Hi Pratik
    Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
    You'll need to make some specific changes to your RADIUS config so that nominated users (the ones you want to be able to go to enable mode) get put straight into enable mode upon login.
    There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS RADIUS server - you should be able to figure out the changes you need to make to your own server from there.
    Nick
    Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

  • Radius authentication for the browser-based webtop

    Hiya all,
    With help of the RADIUS authentication module for Apache (http://www.freeradius.org/mod_auth_radius/) and web authentication it is possible to use RADIUS authentication for the classic webtop. Has anyone got RADIUS authentication working for the browser-based webtop?
    SSGD version:
    Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
    Architecture code: i3so0510
    This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
    I have the radius-module running for authentication of a single directory with the apache-config-lines:
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch "/secure">
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthName "Radius authentication for SGD"
    AuthType Basic
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 540
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for authentication and then a 'Not Found' page is displayed.
    When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
    The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
    Changing the JkLogLevel to debug gives the following info in the JkLogFile:
    Radius authentication:
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
    With the password-authentication file:
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
    It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
    Any help will be useful since I have already been stuck on this problem for a couple of days :(
    Thanks,
    Remold | Everett

    I got a response from the Fat Bloke on the mailing list.
    Adding the following line in the Apache httpd.conf seems to help and resolved my problem:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    Thanks The Fat Bloke !!
    - Remold
    These instructions are for a 4.2 SGD installation using SGD's third-party web authentication with mod_auth_radius.so (www.freeradius.org).
    With 4.2 Sun didn't distribute enough of the Apache configured tree to enable the use of apxs to build the mod_auth_radius module; 4.3 is better - Sun now install a modified apxs and include files. I haven't tried this with 4.3 yet though.
    I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2).
    So, this is how we got this working with RADIUS (tested with SBR server and freeradius.org server).
    Install SGD in the usual way.
    Enable 3rd party authentication according to:
    http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
    Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:
    tomcatAuthentication="false"
    # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
    tomcatAuthentication="false"
    enableLookups="true" redirectPort="8443"
    acceptCount="10" debug="0" connectionTimeout="0"
    useURIValidationHack="false"
    protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    "By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:"
    # tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
    Without this, after authenticating via webauth, the user will be prompted for a second username and password combination.
    # /opt/tarantella/bin/tarantella objectmanager &
    # /opt/tarantella/bin/tarantella arraymanager &
    In Array Manager:
    Select "Secure Global Desktop Login" on the left side and click "Properties" at the bottom.
    Under "Secure Global Desktop Login Properties"
    cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
    edit httpd.conf:
    ### For SGD Apache based authentication
    Include conf/httpd4radius.conf
    at the end of httpd.conf add:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    # cat httpd4radius.conf
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    AddModule mod_auth_radius.c
    # Add to the BOTTOM of httpd.conf
    # If we're using mod_auth_radius, then add its specific
    # configuration options.
    <IfModule mod_auth_radius.c>
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    # Use localhost, the old RADIUS port, secret 'testing123',
    # time out after 5 seconds, and retry 3 times.
    AddRadiusAuth radiusserver:1812 testing123 5:3
    # AuthRadiusBindAddress <hostname/ip-address>
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests come from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # the special value of 0 (zero) means the cookie is valid forever.
    AddRadiusCookieValid 5
    </IfModule>
    <LocationMatch /radius >
    Order Allow,Deny
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch /sgd >
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    Put the appropriate mod_auth_radius.so into /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
    # mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
    # cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <B> You have reached the test page for RADIUS authentication. </B>
    </BODY>
    </HTML>
    I hope this helps!
    -FB

  • RADIUS Authentication for Enable PW

    Hi Everyone,
    I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    When I add the command;
    aaa authentication enable default group radius enable
    I would expect it to allow me to enter my RADIUS password for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one.
    Any help would be great,
    Thanks,
    Dan

    Thanks for your reply Rick,
    The debug output is below;
    L2-SW01>
    00:03:02: RADIUS: Authenticating using $enab15$
    00:03:02: RADIUS: ustruct sharecount=1
    00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
    00:03:02: Attribute 4 6 AC14024F
    00:03:02: Attribute 5 6 00000000
    00:03:02: Attribute 61 6 00000000
    00:03:02: Attribute 1 10 24656E61
    00:03:02: Attribute 2 18 524FB069
    00:03:02: Attribute 6 6 00000006
    00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
    00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
    L2-SW01>
    L2-SW01>
    I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
    Any ideas?
    Cheers,
    Dan
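Reading the debug output above is most of the diagnosis: the switch says outright that it is "Authenticating using $enab15$", the User-Name attribute's total length of 10 agrees with that (2 header octets plus the 8 characters of `$enab15$`), Service-Type is 6 (Administrative-User), and the server answered Access-Reject. So whatever the RADIUS server is configured to do for ordinary logins, it has no answer for a request on behalf of the user name `$enab15$`. The decoder below is an added example, my code rather than anything from the thread or from Cisco; it uses the standard RFC 2865 attribute numbers and encodings and the debug lines copied from Dan's post with the wrapped lines rejoined.

```python
"""Decode the attribute lines from the 'debug radius' output quoted above.

Added example; the code is mine, not from the thread or from Cisco. It uses
the standard RADIUS attribute numbers and encodings (RFC 2865). The debug
lines are copied from Dan's post, with the wrapped lines rejoined.
"""
import ipaddress
import re

# RFC 2865 attribute types that appear in the post.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User",
                 7: "NAS-Prompt-User"}
NAS_PORT_TYPES = {0: "Async", 5: "Virtual", 15: "Ethernet"}

DEBUG_LINES = """\
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: ustruct sharecount=1
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
"""

# IOS prints: Attribute <type> <total length> <first four value octets as hex>
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")


def decode_attribute(attr_type, length, first_octets_hex):
    """Return (name, human-readable value) for one debug attribute line."""
    name = ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}")
    value_len = length - 2                      # subtract the type and length octets
    raw = bytes.fromhex(first_octets_hex)
    if attr_type == 4:                          # NAS-IP-Address: 4-octet address
        value = str(ipaddress.IPv4Address(raw))
    elif attr_type == 6:                        # Service-Type: 32-bit enum
        code = int.from_bytes(raw, "big")
        value = f"{code} ({SERVICE_TYPES.get(code, 'unknown')})"
    elif attr_type == 61:                       # NAS-Port-Type: 32-bit enum
        code = int.from_bytes(raw, "big")
        value = f"{code} ({NAS_PORT_TYPES.get(code, 'unknown')})"
    elif attr_type == 5:                        # NAS-Port: 32-bit integer
        value = str(int.from_bytes(raw, "big"))
    elif attr_type == 1:                        # User-Name: text; the debug shows 4 chars
        value = f"{raw.decode('ascii', errors='replace')!r} (first 4 of {value_len} chars)"
    elif attr_type == 2:                        # User-Password: MD5-hidden per RFC 2865
        value = f"<{value_len} hidden octets>"
    else:
        value = first_octets_hex
    return name, value


def decode_debug(text):
    """Decode every attribute line in packet order -> [(name, value), ...]."""
    return [decode_attribute(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in ATTR_RE.finditer(text)]


def summarize(text):
    """What the NAS asked for and what the server answered."""
    attrs = dict(decode_debug(text))
    user = re.search(r"Authenticating using (\S+)", text)
    verdict = re.search(r"Access-(?:Accept|Reject|Challenge)", text)
    user_name = user.group(1) if user else None
    # Cross-check: User-Name value length must equal the length of the name shown.
    name_attr = next((m for m in ATTR_RE.finditer(text) if int(m.group(1)) == 1), None)
    name_octets = int(name_attr.group(2)) - 2 if name_attr else None
    return {
        "user_name": user_name,
        "user_name_octets": name_octets,
        "user_name_consistent": name_octets == (len(user_name) if user_name else None),
        "service_type": attrs.get("Service-Type"),
        "nas_ip": attrs.get("NAS-IP-Address"),
        "verdict": verdict.group(0) if verdict else None,
    }


if __name__ == "__main__":
    for name, value in decode_debug(DEBUG_LINES):
        print(f"{name:16} {value}")
    print(summarize(DEBUG_LINES))
```

The User-Password attribute is deliberately not decoded: RFC 2865 hides it with MD5 over the shared secret and request authenticator, and the debug only shows the first four octets anyway, so the log is safe to paste into a forum in that respect. The NAS-IP-Address, on the other hand, decodes to the switch's real address (172.20.2.79 here), which is worth knowing before sharing such output.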
