[ SOLVED] Authentication against two openldap servers.

Similar Messages

• Cisco ACS 5.2 authentication against multiple LDAP servers

  Hi Folks,
  I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
   - User tries to associate to WLAN
   - Authentication request is sent to ACS
   - Service selection rule chooses an access-policy (wireless_access_policy)
   - wireless_access_policy is configured to use my_ldap as identity source.
  A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

  Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
  You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

• Authentication against two user lists and knowing the difference?

  I have a security realm that is the standard out-of-the-box security realm with one modification. I created an authentication provider to validate users and groups defined in a 3rd party data store. The control flag for each authentication provider (the default one and mine) is set to 'sufficient' so that there is one user account that allows me to log into the WebLogic console that is not defined in the 3rd party data store.
  If I run my application and log in with the WebLogic admin userid, the security realm successfully authenticates the user (it passes the default authentication provider) and permits entry to my application. Unfortunately, this is not good for me. The application, at startup, goes to the 3rd party data store and retrieves more information about the user that just logged in. For the WebLogic admin account, it will not find the user.
  Is there a way to configure WebLogic security such that a particular application can ensure authentication by a specific provider?
  Another environment I need to handle is having two applications deployed, each needing to authenticate its users with two different data sources containing valid users and groups.
  Thanks! Any help is much appreciated!

  Hi,
  I have found the fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sue how I can integrate this.
  Sorry for being thick but this is what I'm trying to do.
  I have an application built in htmldb that I want to be accessable from the e-business suite applications main menu. I've set this up and a user can select it how ever I have no authentication so even though its not assigned to you you can still goto the app by just entering the url. So when a user goes to that htmldb app I want to check that they have that resp assigned to them, this can be done with the following
  select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
  where u.user_name = :APP_USER and u.user_id = ur.user_id
  and ur.responsibility_id = XXXX
  The two problems I have are:-
  If a user goings straight to the htmldb url I need to get them to log in and use the e-business suite login (we dont have SSO)
  Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
  I hope this makes sense.

• ACS 5.1 Authentication against AD problem

  I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
  ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
  I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
  The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
  show logging application acs reveals the following:
  ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
  ying to reconnect.,ActiveDirectoryClient.cpp:2429
  ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
  led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
  ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
  ying to reconnect.,ActiveDirectoryClient.cpp:2429
  ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
  led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
  ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
  password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
  I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
  Any ideas on what might be the cause, and how I can fix this?
  Thanks!

  Hello,
  It is complicated to explain this rule but hopelly you will understand.
  I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
  Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
  To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
  Regards,
  Sebastian Aguirre

• User authentication against LDAP - Non-AD

  Hi,
  We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
  ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
  ldapAuthentication.enabled = true
  ldapAuthentication.tryNextProviderIfNoAuthenticated = true
  ldapAuthentication.stopIfCommunicationError = true
  ldapAuthentication.url=ldap\://localhost:389/
  ldapAuthentication.rootContext=DC=test,DC=com
  ldapAuthentication.securityPrincipal=CN=Directory Manager
  ldapAuthentication.securityCredential.encrypted=password
  ldapAuthentication.keepContextPrefix=false
  ldapAuthentication.isAD=false
  ldapAuthentication.userAccountSearchKey=CN
  ldapAuthentication.firstNameSearchKey=givenName
  ldapAuthentication.lastNameSearchKey=sn
  Still I am getting while I try to login to OIA as an OUD user:
  WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
  Please help

  Hi Jcorker,
  According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
  In SSAS we can use the solution below achieve the requirement.
  1.Create new domain account and impersonate the web site with that.
  2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
  However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
  create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
  Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
  http://technet.microsoft.com/en-us/library/cc961481.aspx
  Regards,
  Charlie Liao
  If you have any feedback on our support, please click
  here.
  Charlie Liao
  TechNet Community Support

• How to configure time synchronization for two NTP servers

  We have IOSXR 4.2.1 on routers CRS3 and ASR9K with all recomended SMUs; we need to configure the time synchronization for two NTP servers with the configuration below, but the routers became unstable; synchronize with one NTP servers for some time, then switch to other NTP server, and keep doing this. Anyone know why this behavior?
  ntp
  authentication-key 1 md5 encrypted 01070F074F0A05
  authenticate
  trusted-key 1
  server 10.192.32.32 prefer
  server 10.192.32.33
  source Loopback50
  update-calendar
  RP/0/RP0/CPU0:DFCRSDTC1#sh log | i ntp
  Wed Jul 10 09:37:04.621 BRSPO
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:29:18 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:29:27 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.32 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:30:21 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:31:36 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->15.
  RP/0/RP0/CPU0:Jul  4 21:35:56 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.
  RP/0/RP0/CPU0:Jul  4 21:40:11 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 15->2.
  RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
  RP/0/RP0/CPU0:Jul  4 21:50:52 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
  RP/0/RP0/CPU0:Jul  4 21:59:26 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 6->2.
  RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : System clock selection failed
  RP/0/RP0/CPU0:Jul  4 22:25:07 : ntpd[256]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->6.
  RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.192.32.33 : Peer unreachable or clock selection failed
  RP/0/RP0/CPU0:Jul  4 22:56:16 : ntpd[256]: %IP-IP_NTP-5-ALL_CONN_LOST : All NTP peer connections failed.

  Hi Claudio, that ddts is pretty generic to be honest but yes it is filed to address sync issues in the XR NTP algo.
  The thing is that XR ntp clock selection is a bit different then iOS and follows the specs very closely which results in this erroneous loss behavior.
  For instance, you could also see this issue with a sync loss if the update time is only 500msec off what it was before and that will result in a ntp sync loss rather then adjusting to it.
  Also I wanted to mention that the ntp prefer is a bit of a misnomer in XR (since it follows the specs differently then IOS) and this knob was taken over from IOS really.
  You might get some joy if you set it to one server only and see if that helps?
  regards
  xander

• How to set two radius servers one is window NPS another is cisco radius server

  how to set two radius servers one is window NPS another is cisco radius server
  when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
  i can not use both at the same time
  radius-server host 192.168.1.3  is window NPS
  radius-server host 192.168.1.1 is cisco radius
  http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
  conf t
  no aaa authentication login default line
  no aaa authentication login local group radius
  no aaa authorization exec default group radius if-authenticated
  no aaa authorization network default group radius
  no aaa accounting connection default start-stop group radius
  aaa new-model
  aaa group server radius IAS
   server 192.168.1.1 auth-port 1812 acct-port 1813
   server 192.168.1.3 auth-port 1812 acct-port 1813
  aaa authentication login userAuthentication local group IAS
  aaa authorization exec userAuthorization local group IAS if-authenticated
  aaa authorization network userAuthorization local group IAS
  aaa accounting exec default start-stop group IAS
  aaa accounting system default start-stop group IAS
  aaa session-id common
  radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
  radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
  privilege exec level 1 show config
  ip radius source-interface Gi0/1
  line vty 0 4
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  line vty 5 15
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  end
  conf t
  aaa group server radius IAS
   server 192.168.1.3 auth-port 1812 acct-port 1813
   server 192.168.1.1 auth-port 1812 acct-port 1813
  end

  The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
  If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
  I hope this helps!
  Thank you for rating helpful posts!

• ISE 1.2 - 24492 Machine authentication against AD has failed

  Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
  AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
  Machine authentication box is ticked.
  If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
  This happens on all computers, both WinXP and Win7 corporate builds.
  I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
  Anybody got any ideas?
  thanks.

  24492
  External-Active-Directory
  Machine   authentication against Active Directory has failed
  Machine   authentication against Active Directory has failed.
  Error
  Please check NTP is in sync or not  ISE

• Oracle 10g Reports Server - problem authenticating against DB

  I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
  When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
  REP-51018: Need database user authentication
  When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
  REP-51018: Need database user authentication
  REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
  When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
  Any ideas which config file I should be looking in?
  Any pointers would, of course, be much appreciated.
  thanks,
  Brian

  Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
  To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
  # nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
  passwd files compat
  # /etc/passwd (just add at the end of file)
  +:x:::::

• VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

  I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
  If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
  If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
  Current configuration : 6199 bytes
  ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa local authentication default authorization default
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  clock timezone EST -5 0
  clock summer-time EDT recurring
  ip cef
  ip dhcp pool pool
  import all
  network 192.168.28.0 255.255.255.248
  bootfile PXEboot.com
  default-router 192.168.28.1
  dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
  domain-name domain.local
  option 66 ip 192.168.23.10
  option 67 ascii PXEboot.com
  option 150 ip 192.168.23.10
  lease 0 2
  ip dhcp pool phonepool
  network 192.168.28.128 255.255.255.248
  default-router 192.168.28.129
  dns-server 192.168.26.10 192.168.1.100
  option 150 ip 192.168.1.132
  domain-name domain.local
  lease 0 2
  ip dhcp pool guestpool
  network 10.254.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  domain-name local
  default-router 10.254.0.1
  lease 0 2
  no ip domain lookup
  ip domain name remote.domain.local
  no ipv6 cef
  multilink bundle-name authenticated
  license udi pid CISCO892-K9
  dot1x system-auth-control
  username somebody privilege 15 password 0 password
  redundancy
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key secretpassword address 123.123.123.123
  crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto map pix 10 ipsec-isakmp
  set peer 123.123.123.123
  set transform-set pix-set
  match address 110
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet1
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet2
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet3
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet4
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  switchport access vlan 12
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet8
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map pix
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 192.168.28.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly in
  interface Vlan11
  ip address 192.168.28.129 255.255.255.248
  interface Vlan12
  ip address 10.254.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 101 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 dhcp
  ip radius source-interface Vlan10
  ip sla auto discovery
  access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 101 permit ip 192.168.28.0 0.0.0.255 any
  access-list 101 permit ip 10.254.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
  radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
  radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
  control-plane
  mgcp profile default
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  ntp source FastEthernet0
  ntp server 192.168.26.10
  ntp server 192.168.1.100
  end

  I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

• Oracle Database Authentication against Microsoft Active Directory

  Hello
  Does anyone know if it is possible or can point me in the right direction of some documentation that discuss Oracle database user authentication against and Enterprise Directory Service, in my cases MS AD?
  My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Window clients. I would like to know if there is a way to autheticate users from Windows to the database using LDAP based (AD) authentication. In oters words how do I configure authentication to be done for "identified globally accounts"? I know that the identified by globally accounts require the use of the CN which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
  So my questions are
  1. Is it possible to authenticate users against AD without the implementation of OID?
  2. Is there documentation someone has or can point me to that outlines the required steps?
  3. Anything I should know?
  I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
  Thanks.

  Sure, two methods to auth from Oracle DB to MSAD:
  OID and OVD
  I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
  Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD)http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
  And this would be what the EUS config should look like:
  http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
  If you've done everything in the first doc...
  Hope this answers your questions.

• External Authentication Against FND_USER Table

  About a month ago Paul Encarnation posted a question concerning external authentication. One to the methods being used was against the FND_USER table in Oracle Apps. I can see looking up the user account in FND_USER but what about the password? So if you are authenticating against the FND_USER table, please share how you are dealing with the password.
  Thanks.

  Hi,
  I have found the fnd_web_sec returns a boolean for a valid username / password combination but I'm still not sue how I can integrate this.
  Sorry for being thick but this is what I'm trying to do.
  I have an application built in htmldb that I want to be accessable from the e-business suite applications main menu. I've set this up and a user can select it how ever I have no authentication so even though its not assigned to you you can still goto the app by just entering the url. So when a user goes to that htmldb app I want to check that they have that resp assigned to them, this can be done with the following
  select 1 from apps.fnd_user_resp_groups ur, apps.fnd_user u
  where u.user_name = :APP_USER and u.user_id = ur.user_id
  and ur.responsibility_id = XXXX
  The two problems I have are:-
  If a user goings straight to the htmldb url I need to get them to log in and use the e-business suite login (we dont have SSO)
  Or if they are already in e-business suite and go to the htmldb app via the main menu page I need to pass that authentication across.
  I hope this makes sense.

• Authenticating against both RDBMS and LDAP in WL6.0

  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate via LDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked to be
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt

  We are currently deployed on WL5.1 with a similar situation as you and in
  the process of migrating to WL6. We are Authenticating against LDAP and
  Authorizing against RDBMS. But I can't see how you could tell it to go
  one way for certain users and another for other users.
  The delegatingrealm in WL5 was intended to split the responsibility of
  Authenticating to one source and Authorization to another. To make this
  work for your Application of splitting internal and external users
  security, I suppose you can do it if you can somehow pass the information
  to the Security Realm the type of the user that is logging in. Maybe you
  can make this code a part of the userid such as ext_uersID or int_userID.
  Doing this will allow you to filter the where the users are coming from
  and Direct them to the appropriate security realm.
  As far as WL6 goes, the Delegating realm class is no longer available
  since the security model for WL6 is different from WL5. But you can take
  a look at what they did with the RDBMSrealm example and use that. This is
  what we did to make our Security work in WL6. However, you can no longer
  store ACLs in the RDBMS realm in WL6.
  Hopes this helps.
  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  You will need to create a Custom Realm which delegates to both your RDBMS
  and LDAP perhaps using the Weblogic supplied RDBMS and LDAP realms
  "Jonathan Thompson" <[email protected]> wrote in message
  news:3accf1a3$[email protected]..
  Hi,
  We are designing a webapp that will be accessible to both internal and
  external users. For internal users, we would like to authenticate viaLDAP;
  for external users we would like to use RDBMS. In WL5.1, this looked tobe
  possible with the DelegatingRealm, however this has been removed in WL6.0.
  >
  Two questions:
  1) Why was it removed?
  2) How can we get this functionality in WL6.0?
  Thanks much for your help,
  -jt
  [att1.html]

• Webservices authentication against local vs. directory integration

  On version CPSC 10.0 (at least), it appears that if you have Directory Integration enabled, the behavior for authentication for web services are as follows:
  -- If calling any Requisition Service web services (that route to Request Center), web service authentication is performed against directory integration, so you are required to use a directory integrated login, and provide the login's LDAP password.
  -- If calling any Task Service web services (that route to Service Link), web service authentication is performed against local person record password, so you are required to provide the login's local person record password.
  Is there a way to use 'other' type of login/password for either web services? i.e. is there a way for me to use locally defined login to call Requisition Service web services, when Directory Integration is enabled, and vice versa for Task Service web services?
  Thank you.

  I don't think having SSH keys has any effect at all over AFP authentication.  Two seperate authentication mechanisms at work here.
  For SSH keys to work, each user ID on our local machines would need a matching network user defined on the server, and the authorized keys stored in that user's ~/.ssh folder on the server.
  Once you get SSH working, you can use scp and rsync to move files around.

• Using rsync w/ two Essbase servers (Primary & Secondary)

  I"m looking for information regarding the use of rsync w/ Essbase. I have two Essbase servers, Primary(Prod), and Secondary(DR) Essbase servers I wish to keep in sync. Essbase is running on Linux OS, and is 931.
  any information would be helpful.
  Thanks

  Hi Ed,
  Thanks very much for your comments...
  My Primary is currently the Log Collector anyway, if I upgrade them both at the same time then this would cause downtime for TACACS authentication.
  Would you advise breaking the pair, leaving the Primary (Log Collector) active, upgrading the Secondary to become the new Primary after the upgrade, restore the Log Collector to the new Primary. Then upgrading the (old Primary/new secondary) and re-registering them both?
  Further input would be appreciated - many thanks...