Simulating authentication

Hi,
I've been trying to authenticate users programmatically, using WWSSO_API.authenticate_user('username','password',null,{a_number}), and I keep getting user-defined exceptions if the password is correct, and ORASSO.WWSSO_API.AUTH_FAILURE_EXCEPTION if the username and password don't match.
So without adding "if user-defined exception -> valid, else -> invalid" to the code, what would be a better way to do this? Is there something I'm doing terribly wrong?
Here's the code I'm testing in SQL Developer:
DECLARE
  v_ret NUMBER;
BEGIN
  ORASSO.WWSSO_API.authenticate_user('oaarcladmin','Test1234',null,v_ret);
EXCEPTION
  -- Snipping catching the exceptions in the package
  WHEN others THEN
    dbms_output.PUT_LINE(SQLERRM);
END;
Also, I'm expecting to use this in Java, and when I try to call the procedure in Java I get:
java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error
ORA-06512: at "ORASSO.WWSSO_API", line 44
ORA-06512: at line 1
Thanks in advance,
-Rob

To simulate that kind of security protocol you don't have to use the smart cards, and I don't recommend it either (it's hard to debug).
My humble advice is: Develop in some other technology and then port it to Java Card.

Similar Messages

  • Getting error in connecting ios simulator with SMP3.0 server

    Hi,
    We have configured the ODATA service on the SMP3.0 server following the document provided by SAP, "How to configure Application using Security Profile". We are using the SAP Netweaver Gateway DemoSystem for calling the ODATA services over HTTPS (we got access to it using http://scn.sap.com/docs/DOC-31221). We also used the server certificate to successfully ping the backend, performing the steps to import the OData Service URL certificate into smp_keystore (using Getting Started with Kapsel - Part 1).
    Now we are trying to build a native app on the iOS platform, using the PDF provided in the iOS development study material with the exercise material provided by SAP, to call the app deployed on the SMP3.0 server. But we are getting an
    Error:- Could not connect to server(screenshot attached) client side
    Error:-.
    2014 02 27 23:42:07#0-800#WARN#com.sybase.security.http.HttpAuthenticationLoginModule##anonymous#http-bio-8080-exec-4###Anonymous authentication is not supported. |
    2014 02 27 23:42:09#0-800#WARN#com.sybase.security.http.HttpAuthenticationLoginModule##anonymous#http-bio-8080-exec-4###Server responded with the status code "401"|
    Can anyone please help me out in resolving this issue.
    Thanks,
    Anjali Agrawal

    Hi Brenton,
    As I have performed the steps for the server certificate exchange with the SAP Netweaver Gateway DemoSystem, which provides me with the Sample OData Service (HTTPS), there is no need to use the "Allow Anonymous Connection" option; even without using that I am able to successfully ping the backend server as shown below.
    Now my requirement is to make a native app and get my iOS device/simulator connected to the SMP server 3.0.
    So I am referring to the link Getting Started with Kapsel - Part 8 -- AuthProxy, which specifies a need to generate a client certificate (which will help in authentication between the client and server when using HTTPS).
    Here also I have successfully exchanged the client and server certificates, but when there's a need to generate the .csr I am getting the following error:
    Error:-keytool error: java.lang.Exception: Alias <sapserverca> has no key
    I am badly stuck here and not able to find a solution. I think there might be some step missing in this document or something which we are not doing correctly.
    Can you please help me
              -With some material which involves steps to generate the CSR
              -Some link which will help in configuring OData Service (HTTPS) in SMP3.0
    Any guidance regarding this will be helpful to us. I will be waiting for your reply.
    Thanks,
    Anjali Agrawal

  • Simulation of smart card

    Hi ppl,
    I'm a student working on a project of simulation of smart card. It involves no hardware at all so the physical layer transmission is ignored. I'm gonna implement the smart card operation using two programmes "card.c" and "reader.c" in the same computer. Yes, it's C not Java, but the idea is the same. I just wanna ask, are the programmes about the same? I mean what exactly should the reader.c and the card.c do? Is it that the reader.c simply sends out commands and then the card.c listens and waits for the commands like the client of a client-server scenario? And then once the card.c receives commands, it extracts the useful data according to the ISO17816-4 and then sends back a response, and the reader.c again processes the data received and sends another command. And the transmission goes on, is it like that?
    Plz give me some hints on these. Desperate for some help really.
    Thanz sooo much ppl!!
    Franky

    Here's what I'm gonna do in the programs.
    At the very first, the reader sends a reset RST to the card and waits for a response. The card then responds with the answer to reset ATR; this gives all the communications protocol used afterwards, so the card will choose like T=1.
    And then the reader sends the GET CHALLENGE command to the card asking for a random number e.g. A and response from the card gives the challenge A to reader.
    Reader then sends the encrypted challenge [A] with the EXTERNAL AUTHENTICATE command to card, the card replies with a YES or NO indicating if the challenges match.
    Reader sends its challenge B with command INTERNAL AUTHENTICATE, card replies with encrypted challenge .
    This finishes the challenge-response operation for mutual authentication. I read from books that the key used to encrypt and decrypt the challenge is the master key. But I have no clue how both entities can get hold of the key beforehand. Maybe there's sth like PKI for that.
    And then, should there be a verification by using the PIN? So after this verification, the real data and message exchange should occur rite? And I read from books that some cards require every access to the card to have a PIN verification. Well, I think that's almost it for the security part. And I'll have to find some source on how to make a read application of the smart card, like a payment card or identification card. I think one of the most popular standards for payment card is EMV, and I dunno much for the identification card.
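
The exchange described in the post above (GET CHALLENGE, EXTERNAL AUTHENTICATE, then INTERNAL AUTHENTICATE), as an added example that is not part of the original post. It assumes the shared key was written into the card when it was personalised and is already known to the reader, uses XTEA as a stand-in for the card's real cipher, and every function name, key value and result code in it is made up for the illustration.

```c
/* Added example: reader.c / card.c roles in one process; keys are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* XTEA (64-bit block, 128-bit key): compact stand-in for a card's 3DES/AES. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static int fill_random(uint32_t out[2]) {        /* returns 1 on success */
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(out, sizeof out[0], 2, f) : 0;
    if (f) fclose(f);
    return n == 2;
}

static int block_equal(const uint32_t a[2], const uint32_t b[2]) {
    return ((a[0] ^ b[0]) | (a[1] ^ b[1])) == 0; /* no early exit */
}

struct card {                /* card side */
    uint32_t key[4];         /* secret loaded when the card is personalised */
    uint32_t challenge[2];   /* challenge A issued by GET CHALLENGE */
    int challenge_pending;   /* A may be answered exactly once */
    int reader_ok;           /* set by a successful EXTERNAL AUTHENTICATE */
};

void card_reset(struct card *c, const uint32_t key[4]) {
    memset(c, 0, sizeof *c);
    memcpy(c->key, key, sizeof c->key);
}

int card_get_challenge(struct card *c, uint32_t out[2]) {
    c->challenge_pending = fill_random(c->challenge);
    memcpy(out, c->challenge, sizeof c->challenge);
    return c->challenge_pending;
}

int card_external_authenticate(struct card *c, const uint32_t cryptogram[2]) {
    uint32_t expect[2] = { c->challenge[0], c->challenge[1] };
    xtea_encrypt(expect, c->key);
    c->reader_ok = c->challenge_pending && block_equal(expect, cryptogram);
    c->challenge_pending = 0;          /* single use, also after a failure */
    return c->reader_ok;
}

int card_internal_authenticate(const struct card *c, const uint32_t b[2],
                               uint32_t out[2]) {
    if (!c->reader_ok) return 0;       /* no cryptograms for unknown readers */
    out[0] = b[0]; out[1] = b[1];
    xtea_encrypt(out, c->key);
    return 1;
}

/* reader side: result codes are constructed for this example */
enum auth_result { AUTH_OK, AUTH_READER_REJECTED, AUTH_CARD_REJECTED, AUTH_ERROR };

int reader_authenticate(struct card *c, const uint32_t key[4]) {
    uint32_t a[2], b[2], resp[2];
    if (!card_get_challenge(c, a)) return AUTH_ERROR;
    xtea_encrypt(a, key);                          /* cryptogram over A */
    if (!card_external_authenticate(c, a)) return AUTH_READER_REJECTED;
    if (!fill_random(b)) return AUTH_ERROR;        /* reader challenge B */
    if (!card_internal_authenticate(c, b, resp)) return AUTH_CARD_REJECTED;
    xtea_encrypt(b, key);                          /* what a genuine card returns */
    return block_equal(b, resp) ? AUTH_OK : AUTH_CARD_REJECTED;
}

static const uint32_t KEY_CARD[4]  = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
static const uint32_t KEY_OTHER[4] = {0x0f1e2d3cu, 0x4b5a6978u, 0x8796a5b4u, 0xc3d2e1f0u};

int demo_handshake(int reader_has_key) {
    struct card c;
    card_reset(&c, KEY_CARD);
    return reader_authenticate(&c, reader_has_key ? KEY_CARD : KEY_OTHER);
}

/* Returns 1 when the card refuses an early INTERNAL AUTHENTICATE and a replay. */
int demo_guards_hold(void) {
    struct card c;
    uint32_t a[2], out[2];
    card_reset(&c, KEY_CARD);
    if (!card_get_challenge(&c, a)) return 0;
    if (card_internal_authenticate(&c, a, out)) return 0;  /* too early */
    xtea_encrypt(a, KEY_CARD);
    if (!card_external_authenticate(&c, a)) return 0;      /* genuine reader */
    return !card_external_authenticate(&c, a);             /* replay refused */
}

int main(void) {
    printf("same key: %d, wrong key: %d, guards hold: %d\n",
           demo_handshake(1), demo_handshake(0), demo_guards_hold());
    return 0;
}
```

Splitting this into two programs only changes the transport: the `card_*` calls become command and response messages, while the single-use challenge and the check before INTERNAL AUTHENTICATE stay on the card side.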

  • Simulating someone else's session in APEX

    Hi,
    Just curious if someone has successfully implemented simulating someone else's session in APEX. For example:
    Admin logs into their account as user: Admin
    Regular user, Bob, calls up and says that he's having problems viewing a report etc...
    Admin then goes to the admin section of the application, and clicks on "run application as: " and selects Bob
    Admin can then run the entire application "as Bob" (so that he's viewing Bob's data) to help debug the problem.
    If you have, have you been able to also view the other user's custom interactive reports etc?
    Thank you,
    Martin
    [http://apex-smb.blogspot.com/]

    Hello,
    >> Modify the authentication scheme to accept a master password …
    I don’t like master passwords. It’s too risky, especially if you have several people who need to use them, and as you mentioned yourself, it can create serious auditing problems.
    As I mentioned in my previous post, the actual implementation can vary, depending on the privileges of the help desk people and the nature of their work. If the assistance they provide is only functional (helping others to correctly use the application), they only use remote desktop (or similar software, which just allows them to see the user's screen). If they are part of the development team, and they need to verify and correct possible bugs pertaining to a specific user, they change the user's original password to their own; within the Application Builder, they log in to the application as the end user and perform all the necessary repairs; then they change the end user's password to a general password, like ‘1234’, with the “Require Change of Password on First Use” field set to “YES”. The end user will log in to the application using the general password and will be asked to change it. Now he can enter (back) his original password. This way the end user's password remains private, and members of the development team (or other users, for that matter) can’t impersonate that user. Auditing also remains intact.
    Regards,
    Arie.

  • Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

    Product/Model Number: AIR-CAP2602E-A-K9
    Top Assembly Serial Number:
    System Software Filename: ap3g2-k9w7-xx.152-4.JB3a
    System Software Version: 15.2(4)JB3a
    Bootloader Version: BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    When the "Web Authentication/Pass" option is checked, it is totally inaccessible to the internal or external network. Any clue/advice?
    Thanks in advance.

    Thanks, it seems I missed the RADIUS part; after I did that there's still no luck. Here is some tech support info, are you able to help?
    ------------------ show version ------------------
    Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Dec-13 08:11 by prod_rel_team
    ROM: Bootstrap program is C2600 boot loader
    BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    WuGa-CiscoAP uptime is 3 days, 19 minutes
    System returned to ROM by power-on
    System restarted at 23:18:39 +0800 Mon Feb 10 2014
    System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
    Processor board ID FGL1650Z5X3
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
    Part Number                          : 73-14511-02
    PCA Assembly Number                  : 800-37898-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC164889AN
    Top Assembly Part Number             : 800-38357-01
    Top Assembly Serial Number           : FGL1650Z5X3
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602E-A-K9  
    Configuration register is 0xF
    ------------------ show running-config ------------------
    Building configuration...
    Current configuration : 5276 bytes
    ! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname WuGa-CiscoAP
    logging rate-limit console 9
    enable secret 5
    aaa new-model
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login webauth group radius
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login web_list group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone +0800 8 0
    no ip cef
    ip admission name webpass consent
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication web_list
    ip admission name web_auth proxy http
    ip admission name web_auth method-list authentication web_list
    ip admission name web-auth proxy http
    ip admission name web-auth method-list authentication web_list
    ip name-server 8.8.8.8
    dot11 syslog
    dot11 vlan-name GuestVLAN vlan 2
    dot11 vlan-name InternalVLAN vlan 1
    dot11 ssid Guest
       vlan 2
       web-auth
       authentication open
       mbssid guest-mode
    dot11 ssid WuGa-6
       vlan 1
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
    dot11 ssid WuGa-60
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 03084C070900721F1D5A4A56444158
    dot11 guest
      username wuga lifetime 360 password 7 030D5704100A36594908
    username Cisco privilege 15 password 7
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid Guest
    ssid WuGa-6
    antenna gain 2
    stbc
    mbssid
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    channel 2452
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    ip admission web-auth
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    ip admission webauth
    interface Dot11Radio1
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid WuGa-60
    antenna gain 4
    peakdetect
    no dfs band block
    stbc
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    power local 5
    channel width 40-above
    channel dfs
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed 1000
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface BVI1
    ip address 192.168.133.213 255.255.255.0
    ip default-gateway 192.168.133.200
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 192.168.133.200
    ip radius source-interface BVI1
    ip access-list extended ALL
    permit ip any host 0.0.0.0
    permit ip any any
    permit ip 0.0.0.0 255.255.255.0 any
    ip access-list extended All
    permit tcp any any established
    permit tcp any any eq www
    permit ip any any
    radius-server local
      nas 192.168.133.213 key 7 070C285F4D06
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    radius server 192.168.10.2
    address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
    radius server local
    address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
    key 7
    bridge 1 route ip
    line con 0
    terminal-type teletype
    line vty 0 4
    terminal-type teletype
    transport input all
    sntp server 128.138.141.172
    sntp broadcast client
    end

  • Wireless local radius authentication

    Greetings,
    I have an AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.
    I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    and tried a couple of other posted configurations, but I am running into the same issue regardless of which method I am using.
    show ver
    Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE
    SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Tue 27-Apr-10 12:52 by alnguyen
    ROM: Bootstrap program is C1100 boot loader
    BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE
    LEASE SOFTWARE (fc1)
    ORP_ROOFDECK uptime is 21 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/12
    36K bytes of memory.
    Processor board ID FOC08370K83
    PowerPCElvis CPU at 197Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:01:6B:86:46
    Part Number                          : 73-7886-07
    PCA Assembly Number                  : 800-21481-07
    PCA Revision Number                  : A0
    PCB Serial Number                    : XXX
    Top Assembly Part Number             : 800-22053-04
    Top Assembly Serial Number           : XXX
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1121G-A-K9
    Configuration register is 0xF
    show run
    Current configuration : 4240 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXX
    ip subnet-zero
    ip domain name XXX!
    ip ssh version 2
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid YYY
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 172.16.1.1
    no ip route-cache
    encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
    encryption mode wep mandatory
    broadcast-key change 300
    ssid YYY
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    54.0
    channel 2437
    station-role root
    rts threshold 2312
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.1.35 255.255.255.0
    ip helper-address 172.16.1.1
    no ip route-cache
    ip default-gateway 172.16.1.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 172.16.1.35 key 7 VVV
      group YYY
        ssid YYY
        block count 3 time 30
        reauthentication time 300
      user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E37
    5553010B7A group YYY
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    access-class 10 in
    line vty 5 15
    end
    Debug Output:
    331: AAA/ACCT(00000000): add node, session 4
    *Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
    2cd for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
    he client list for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
    *Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
    equest to 0023.6c85.32cd
    *Mar  1 21:37:37.332: EAPOL pak dump tx
    *Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
    *Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
    00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
    00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
    00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
    00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
    *Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
    2cd timer started for 30 seconds
    *Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
    MEOUT) for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
    or 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c
    85.32cd, node_type 64 for application 0x1
    *Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted
    for application 0x1
    *Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authenticatio
    n failed
    *Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) b
    ase 0/0 pre 6861/188 call 6861/188
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) a
    djusted, pre 6861/188 call 0/0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
    *Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client
    0023.6c85.32cd
    *Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c
    85.32cd for application 0x1
    *Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
    *Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
    *Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
    *Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
    *Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
    *Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
    *Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
    *Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
    *Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
    *Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent L
    ocal'
    *Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
    *Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
    Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
    Thank you,

    You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".

  • BO Mobile 4.0 login by SAP Authentication

    Hello gurus,
    I configured BO mobile 4.0 server and I am able to login in BOE repository using Enterprise authentication.
    But when I try to login using SAP authentication, the simulator gives an error:
    "The secSAPR3 plugin does not exist (FWM 02016)".
    I have configured SSO between BW-BO system, and it works perfectly on BI Launch Pad and CMC.
    Regards
    Sushant

    Hi,
    The error message clearly says that the secsap file is missing.
    Make sure the files 'secSAPR3.jar' and 'sapjco.jar' exist in the location below
    <install dire bo>/mobile 14/common/lib
    Regards,
    Atul Bhagwat

  • Cisco AIR-AP1242AG setup and authentication

    I have one of these and I'm needing to set it up to use our dhcp server and authenticate off an IAS Radius server.
    Can anyone provide some direction?  I have it in default mode.
    Our local network 10.10.50.0 and our VPN is 10.10.20.0 on a Cisco ASA 5210.  Our DHCP / DNS server and Radius server are 10.10.50.90
    Do I have to setup the AIR as a bridge?
    Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(7)JA5, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Fri 27-Jul-07 14:03 by kehsiao
    ROM: Bootstrap program is C1240 boot loader
    BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    ap uptime is 21 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1240-k9w7-mx.123-7.JA5/c1240-k9w7-mx.123-7.JA5"
    The IOS seems old, do I need to upgrade this as well?
    Many thanks!
    Troy

    Thank you Surendra, that was extremely helpful.
    I've upgraded and at the latest IOS version.  We are able to see the WAP and get prompted for uname and pass but still can't authenticate.
    I have added EAP to the IAS Radius server policy however am getting an error stating:
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 22
    Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    In a nutshell, I'd like for our users to be able to authenticate with their Windows AD unames and passes.  I'd also like for people to be able to connect without it though and then be prompted with a webpage explaining that this is our network and ask guest for credentials.
    Cheers,
    Troy
    pp-wap#sh run
    Building configuration...
    Current configuration : 4338 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname pp-wap
    logging rate-limit console 9
    enable secret 5 $1$G097$3nd1cBPeq7VZYF1IZHAts.
    aaa new-model
    aaa group server radius rad_eap
    server 10.10.50.90 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    ip domain name personalizedprevention.com
    ip name-server 10.10.50.90
    dot11 syslog
    dot11 ssid wp-wap
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
    dot11 ids mfp distributor
    dot11 ids mfp detector
    dot11 ids mfp generator
    power inline negotiation prestandard source
    crypto pki trustpoint TP-self-signed-3298881700
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3298881700
    revocation-check none
    rsakeypair TP-self-signed-3298881700
    crypto pki certificate chain TP-self-signed-3298881700
    certificate self-signed 01
      quit
    username Cisco password 7 106D000A0618
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode wep mandatory
    ssid wp-wap
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption mode wep mandatory
    ssid wp-wap
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.10.50.20 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.50.1
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.10.50.90 auth-port 1645 acct-port 1646 key 7 100F0C0B02181D0F550A2B3F2720
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    transport output all
    line vty 0 4
    transport input all
    transport output all
    line vty 5 15
    transport input all
    transport output all
    end
    pp-wap#sh ver
    Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 09-Dec-10 15:39 by prod_rel_team
    ROM: Bootstrap program is C1240 boot loader
    BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    pp-wap uptime is 1 hour, 53 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1240-k9w7-mx.124-25d.JA/c1240-k9w7-mx.124-25d.JA"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1242AG-A-K9    (PowerPCElvis) processor (revision A0) with 25590K/7168K bytes of memory.
    Processor board ID FTX1330B4GD
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:24:C4:A0:F0:A4
    Part Number                          : 73-9925-07
    PCA Assembly Number                  : 800-26579-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC132605LV
    Top Assembly Part Number             : 800-29232-02
    Top Assembly Serial Number           : FTX1330B4GD
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1242AG-A-K9
    Configuration register is 0xF

  • Bo Mobile Authentication Problem

    I use MDS 4.1.4 and BB simulator 9530.
    BO is in the same place as MDS and the BB simulator.
    MDS and BO are on the same server: local IP 192.168.1.66, and the machine name is botest (the mobile server is in the same place too).
    VAS-cluster config:
    I added:
    [comm]
    [comm $ mds]
    HOST_PORT =192.168.1.66:8888
    VAS-server.config:
    I added:
    [comm $ external]
    ENABLED=mds
    [comm $ external $ mds]
    EXTERNAL_HOSTNAME=BOTEST
    CLIENT_TYPE=mds
    VMS-server.config:
    I added:
    [comm $ external]
    ENABLED=mds
    [comm $ external $ mds]
    EXTERNAL_HOSTNAME=BOTEST
    CLIENT_TYPE=mds
    In this situation I connect to the CMS with a BB simulator, but a real BB says to me " authentication login...."
    What is the problem?
    Thanks in advance.

    Hi,
    Also, in a real BB deployment, the request would go through a BES server deployment.
    Make sure the settings are apt on the BES server side (ip:port).
    Also, the VAS and VMS ports are open between BO and BES server.
    Regards,
    Atul

  • Can't use iCloud in iOS 8 simulator

    I have upgraded to Xcode 6. When I try to use my Apple ID in iOS Simulator (any device) to configure iCloud I will get the following error message: "Device Not Supported  Your Apple ID is valid, but this iPhone is not qualified for iCloud". I have enabled the two factor authentication on my Apple ID. Any hints or tips are welcome!

    Same here. I tried it with my son's account though, who does NOT have 2-factor set up and got in no problem, so that seems to be the issue.

  • BlackBerry simulator failed to show data

    Hello Experts,
    I am using SUP 2.1 for BlackBerry application development.
    While doing the SUP101 sample project for BlackBerry, we followed all the steps as given in the PDF.
    But the BlackBerry simulator failed to show data after synchronization.
    I checked the error log; it is hitting the Unwired Server, but it shows an "authentication failed 4000" error.
    Regards,
    Lekhak

    The authentication error means that your MBO did not supply correct credentials.
    In your eclipse editor, go to the MBO and select your customer MBO.
    In the details, you can supply the authentication parameters.
    Fill in the credentials for your SUP server and check the "save credentials" box. (for a demo, this is ok, in a real application, you'll have to supply a logon screen or work with client certificates)
    If that doesn't solve the problem, it could also be the authentication towards the sample DB.

  • Flash based exam simulator

    Hi,
    We have been doing web application development using Java
    till now. We have a requirement to develop a standalone exam
    simulator using Flash. However, the application would do the
    authentication over the net. We would want an exe to reduce the
    chances of someone hacking the source code. How should we bundle
    the questions with the application? We would want to protect the
    content of the questions so that no one can copy and paste the same.
    David

    Hi,
    I also had this problem.
    I found that rebooting Flash helped to refresh the Sim Controller.
    Then sometimes it works one time in the simulator, sometimes not.
    If it works more than once I feel lucky, but it usually fails the next time I test it ( without changing any code ).
    This is obviously a bug. I think that there is some kind of connection between the simcntroller app and ADL which is failing. It's probably timing?
    Stevee

  • Running under simulator

    Hi everyone,
    Is there a code snippet to tell if the application is running in the simulator or on the actual device?
    thanks
    tony

    Yes, thank you...
    I implemented it in this way....
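    // Read the device model string reported by UIKit
    NSString *device = [[UIDevice currentDevice] model];
    if ([device isEqualToString:@"iPod touch"]) {
        // model matches the physical device
    } else {
        // any other model string, including the simulator
    }
    thanks for the direction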
    take care
    tony
    Message was edited by: alt-088

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great.  However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>
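
A chain-building check for the ID4070 error discussed in this thread, as an added example that is not part of the original posts: it builds the X.509 chain for a certificate file with .NET's `X509Chain` and reports each element, so an untrusted or missing root is visible before the certificate is used for sign-in. The function name `Test-CertificateChain` and the path in the usage comment are assumptions.

```powershell
# Added diagnostic example (not from the thread). Builds the chain for a .cer file
# against the local machine's stores and reports why it is or is not trusted.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # 'Online' needs the CRL/OCSP endpoints to be reachable from this host.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]
        $RevocationMode = 'Online'
    )

    # .NET resolves relative paths against the process directory, so resolve first.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    $trusted = $chain.Build($cert)

    # One row per chain element: leaf first, root last.
    $elements = foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $selfSigned = ($c.Subject -eq $c.Issuer)
        [pscustomobject]@{
            Subject     = $c.Subject
            Issuer      = $c.Issuer
            Thumbprint  = $c.Thumbprint
            NotAfter    = $c.NotAfter
            SelfSigned  = $selfSigned
            # Only meaningful for the root: is it in the machine's trusted root store?
            InRootStore = $selfSigned -and (Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)")
            Status      = (($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }

    [pscustomobject]@{
        Trusted  = $trusted
        # Typical values here are UntrustedRoot, PartialChain, RevocationStatusUnknown.
        Problems = @($chain.ChainStatus | ForEach-Object {
                        "$($_.Status): $($_.StatusInformation.Trim())" })
        Elements = @($elements)
    }
}

# Usage (placeholder path, replace with the certificate being presented):
#   $result = Test-CertificateChain -Path 'C:\path\to\client.cer'
#   $result.Trusted
#   $result.Problems
#   $result.Elements | Format-Table Subject, SelfSigned, InRootStore, Status -AutoSize
```

Run it on the server that validates the certificate, because trust is evaluated against that machine's certificate stores.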

  • Authentication - multiple domains with multiple accounts

    Dear All,
    Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's
    machine is part of the DOMB domain.
    I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
    So far, I've thought of the following solutions:
    1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
    2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
    I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
    Any ideas?  Or, am I completely mad?!
    Thanks in advance.

    1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
    An ADFS trust might be another option, although that increases your deployment footprint and complexity.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
