SSC and Authorization - question

I have a 1250 LAP and I want to install my own certificate on the LAP because I want to have secure LWAPP communication between the LAP 1252 and the WLC 4400. How do I install my own certificate from MS CA on the LAP?
I have already installed a certificate from my MS CA on the WLC in .pem format without any problem.
Please help,
Nenad

Not too many organizations will authorize APs against a AAA server since it becomes another device they have to manage. Both the AP and the WLC have a manufacturer-installed certificate, which is an X.509 certificate. This is the mutual authentication method used by the LAP and WLC. You can't change this. The only way you can prevent an LAP from joining a WLC is to use the methods posted earlier. If someone connects a LAP to your network, but the LAP has no way of joining because you removed DHCP, DHCP option 43, DNS, etc., the LAP will not be an issue. Even if the LAP joins your network, you then have full control of that LAP. What you worry about more is when someone connects a fat AP to your network... now this becomes a rogue and you have to find it.

Similar Messages

  • Authentication and Authorization question.

    Hi All,
    I require your help in validating my understanding of Authentication and Authorization. This is with respect to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP or DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities, i.e. (user, group, role), can be either in LDAP or DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can collect all the roles that a user belongs to and return every role. This can happen against LDAP or DB.
    2. The end result is a list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role exists in the WebLogic Server LDAP server (or Portal LDAP server) to create these policies and authorization rules? What I mean is, can the user, group and role exist in an application-specific database and still be used for creating security policies?
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard J2EE application, which will be deployed as a standard J2EE application.
    DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in our datastore for access rights?
    Thanks,
    Prashanth Bhat.

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
        member = admin
        name = "User X"
        login = des 6.z8oIm9UGHo
    }
    user = $xyz$ {
        member = admin
        name = "User X"
        login = des c2bUC43cmsac.
    }
    user = abc {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    user = $abc$ {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    group = advanced {
        default service = deny
        cmd = show { permit .* }
        cmd = copy { permit flash }
        cmd = copy { permit running }
        cmd = ping { permit .* }
        cmd = configure { permit .* }
        cmd = enable { permit .* }
        cmd = disable { permit .* }
        cmd = telnet { permit .* }
        cmd = disconnect { permit .* }
        cmd = where { permit .* }
        cmd = set { permit .* }
        cmd = clear { permit line }
        cmd = exit { permit .* }
    }
    group = admin {
        default service = permit
    }
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
     exec-timeout 0 0
     authorization commands 0 VTY
     authorization commands 1 VTY
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 0 VTY
     accounting commands 1 VTY
     accounting commands 15 VTY
     accounting exec VTY
     login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to perform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want to configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets: Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html
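
The idea in the reply above, a named command profile kept on the AAA server and paired with a group, can be modelled in a few lines. This is an added example, not code from the thread or from Cisco Secure ACS: the set names, the `no` rule and the first-match, default-deny evaluation are assumptions, and it presumes the device submits configuration-mode commands to the server for authorization.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandSet:
    """A named device-command profile held on the AAA server (model only)."""
    name: str
    # command keyword -> ordered (action, regex-on-arguments) rules
    rules: dict = field(default_factory=dict)
    unmatched: str = "deny"  # verdict for a command with no entry at all

    def authorize(self, line: str) -> str:
        words = line.split()
        if not words:
            return "deny"
        command, args = words[0], " ".join(words[1:])
        if command not in self.rules:
            return self.unmatched
        # Assumed semantics: first matching rule wins, no match means deny.
        for action, pattern in self.rules[command]:
            if re.search(pattern, args):
                return action
        return "deny"


ANY = [("permit", r".*")]

ADVANCED = CommandSet("ADVANCED_CMDS", rules={
    # Entries mirroring the "advanced" group posted in the question.
    "show": ANY, "ping": ANY, "configure": ANY, "enable": ANY,
    "disable": ANY, "telnet": ANY, "disconnect": ANY, "where": ANY,
    "set": ANY, "exit": ANY,
    "copy": [("permit", r"flash"), ("permit", r"running")],
    "clear": [("permit", r"line")],
    # Hypothetical rule, not in the posted config: allow "no ..." in
    # configuration mode except when it removes the TACACS+ server.
    "no": [("deny", r"^tacacs-server"), ("permit", r".*")],
})

# An empty rule table with unmatched="permit" allows everything.
FULL = CommandSet("FULL_ACCESS", unmatched="permit")

# Pairing of user groups with command sets, done once on the server.
GROUP_TO_SET = {"advanced": ADVANCED, "admin": FULL}


def authorize(group: str, line: str) -> str:
    """Return 'permit' or 'deny' for a command typed by a group member."""
    command_set = GROUP_TO_SET.get(group)
    return command_set.authorize(line) if command_set else "deny"


if __name__ == "__main__":
    # Constructed sample commands; address and key are placeholders.
    for cmd in ("configure terminal",
                "no tacacs-server host 192.0.2.10 key PLACEHOLDER",
                "no ip http server", "write memory", "reload",
                "copy running-config tftp:", "copy startup-config tftp:"):
        print(f"{authorize('advanced', cmd):6}  {cmd}")
```

Because the rules live in one table keyed by group, no per-device privilege-level configuration is needed to tell the two groups apart.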

  • TS1277 I can't remember my 2 authorization questions' answers and when I click send to email it sends to an email address that's not mine and now I can't use my $100, what should I do?

    I can't remember my authorization questions' answers and when I click send to email it sends to a random email that's not even created but Hotmail.
    What should I do???!

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
    (126538)

  • Multiprovider and Authorizations

    Multiprovider and Authorizations:
    The challenge is to ensure you do not have more access through the multiprovider than you have through the source cubes.
    Example:
    Multiprovider, joining source cube 1 + 2 (heterogeneous MP combining data from different infoareas)
    Source cube 1: Authorizations for company code X+Y
    Source cube 2: Authorizations for company code Y+Z
    Which company codes in which source cubes will you have access to report on through the multiprovider?
    1) XYZ from both cubes?
    2) X from cube 1, Y from cube 1+2, Z from cube 1
    3) only the common Y from cube 1+2
    The expected result is scenario 2. Basically the same access/restriction you would get if reporting directly on the source cubes.
    This can of course be tested with a test user with limited authorizations. The obstacle here though is that the authorization setup is defined with roles and a business unit hierarchy authorization object (consisting of several company codes) that is not fully in place yet. Hence the test will not give you a 100% reliable verification.
    Has anyone else faced the same question, or can verify the expected results? I have not found any good documentation on authorization and multiprovider .
    (PS, With Support package 2 for BW 3.0B a new authorization object is available used to define authorizations on a Multiprovider level. S_RS_MPRO - Multiprovider. This gives more flexibility , but is not the answer to the general question)
    Best regards Per Roar

    It depends. When you create an authorization object you decide on which InfoProviders the authorization object is valid. So if it's valid on Cube 1 it doesn't say anything about authorization on the Multiprov.
    Best regards
       Dirk

  • How do i sync iphone with multiple macs? and few questions

    Hi
    I would appreciate if anyone would help me.
    1. I would like to know how to sync my iphone with different macs. I have a macbook 13 and a macbook 15 and would like to use BOTH to be able to transfer data without losing them. (address, apps, photos and music)
    would like to use this feature if I were to be suddenly on a trip and a friend would like to share some of his files (audio, apps, photos..etc)
    2. Is it possible to use internet tethering on multiple Macs, for example a "spontaneous" Mac? (e.g. if I were suddenly to use internet through USB on a friend's Mac while we were on a trip but it were programmed on my Mac at home)
    3. My internet tethering is only working on one Mac which I usually use to sync everything... I tried just using tethering through USB on the other Mac without any sync but somehow it didn't work... usually I just plug and play and start using Firefox... by automatic detection...
    4. Is there also a way to copy files from the iPhone onto a Mac which would not be one of my libraries?
    5. Why can't I use the iPhone like the iPod for disk use?
    I am aware that these things are somewhat possible because I have read quite a few articles but they are sadly enough not so current... any help appreciated.

    #1: As has been said, you can't get around it. An iPhone cannot be synched to more than one computer for any media content (it can be for contacts and calendar information, I believe).
    #4: You can transfer items purchased from the iTunes Store to another computer but only if you disallow synchronization and authorize that computer to your iTunes Store account. There are third-party utilities that can transfer non-iTunes Store content.
    #5: there is no disk mode in an iPhone and no way to enable one, at least not in the sense of disk mode in earlier iPods. There are third-party apps that allow some file transfer to and from an iPhone.
    I can't help with tethering questions.

  • How can I remove the Apple ID authorization only on one computer and authorize another in its place?

    How can I remove the Apple ID authorization only on one computer and authorize another in its place?

    De-authorize the computer in question.
    Then authorize the new computer.
    Or de-authorize all computers and authorize only the ones that actually exist.

  • I have purchased music with my old Apple ID, old computer and old email. My old email and computer are not available anymore and I don't remember my password and security question anymore. How can I authorise my old Apple ID to authorise the new computer?

    Hi, I have a new computer and a new Apple ID. I've purchased music with my old computer, email and Apple ID.
    I can't access the previously purchased music now, because it wants to authorize the new computer to play the
    music. I can't remember the password and security questions for my old ID and the old email doesn't exist anymore.
    What can I do?

    Hi, Carmen. 
    Thank you for visiting Apple Support Communities. 
    If you need to reset your security questions, do not know the answers and no longer have access to that email account, see the last sentence under Note in step 5.
    You'll be asked to answer 2 of your 3 security questions before you can make any modifications. If you are unable to remember your answers, you can choose to send an email to your rescue email to reset your security questions.
    Note: The option to send an email to reset your security questions and answers will not be available if a rescue email address is not provided. You will need to contact iTunes Store support in order to do so.
    Rescue email address and how to reset Apple ID security questions
    http://support.apple.com/kb/ht5312
    Cheers,
    Jason H.

  • Please guide me for user authentication and authorization in WebDynPro App

    Hi,
    I have just started studying WebDynPro to develop for the SAP Portal. I have previously developed Web-based apps using J2EE. When I developed a Web-based app I had to develop the control of user authentication and authorization on each page, for example checking the user's session to see whether they can access this page or whether the session has expired. I have no idea how this works with WebDynPro and the SAP Portal because I have never had experience with either WebDynPro or the Portal.
    I need to ask you some questions to clarify my doubts:
    1. SAP Portal is a web page that includes every enterprise application within one page, and users log in to them just one time, isn't it?
    2. If I integrate WebDynPro with SAP Portal, which one will do the authentication and authorization? I mean, do I have to develop the code to check authentication and authorization in the WebDynPro app or let the SAP Portal manage them?
    3. Could you please suggest the best practice for authentication and authorization in WebDynPro?
    Many Thanks
    Noppong J

    In most cases you don't have to write code to deal with session, authentication and authorization.
    1. Yes.
    2. No, no code needed. You just set an attribute on your application, which makes the authentication required. When a user accesses this page, the portal will display the logon page.
    3. You can put some authorization-related code in Web Dynpro for specific requirements; search for this doc: "Protecting Access to the Web Dynpro Car Rental Application Using UME Permissions"

  • Roles and authorizations in BI content

    Hi experts,
    I'm trying to define a very simple scheme of roles and authorizations for my queries.
    So, I'm trying to limit the access by InfoCube and DSO, but I'm missing the authorization objects for Cube and DSO.
    I know that the authorization object for queries is S_RS_COMP.
    So my roles would be something like
    BI_ROLE_FI
    Authorization Object                 Authorization Object Value
    Access query (S_RS_COMP)             NA
    Infoobject (what's the object???)    0FIGL_C01
    DSO (what's the object???)           0FIGL_O14
    BI_ROLE_PUR
    Authorization Object                 Authorization Object Value
    Access query (S_RS_COMP)             NA
    Infoobject (what's the object???)    0PUR_C01
    Can you help me find out what the missing information is?
    Thanks and regards
    Joana

    Hi,
    I've given authorization to the object you've mentioned, but it's still not working.
    Basically what I have is the following:
    One role that allows me to execute queries, workbooks, etc.
    A second role, dependent on the area of work, that should allow me only to have access to queries from cubes/MP/DSO that are specific to the user's area.
    I will then give each user role 1 + the adequate role 2, depending on their work area.
    For role 1 I have got:
    S_RFC     
    Activity: 16
    Name of RFC to be protected: *
    Name of RFC object to be protected: *
    S_TCODE     
    Transaction code: RRMX
    S_GUI     
    Activity: 16
    S_USER_AGR     
    Activity: 01, 02, 03
    Role Name: ANLG_BI_01
    S_USER_TCD     
    Transaction code: RRMX
    S_RS_AUTH     
    BI Analysis Authorization: BI_ALL
    S_RS_COMP     
    Activity: 03, 16
    InfoArea:*
    InfoCube: *
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    S_RS_COMP1
    Activity: 03, 16, 22
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    Owner (Person Responsible) for a reporting Component: *
    S_RS_TOOLS
    Logical Command Name: THEMES
    I've tested this role, and it works – they can access queries, create workbooks, create permanent model workbooks
    For role 2 – Finance I have
    S_USER_AGR     
    Activity: 01, 02, 03
    Role Name: ROLE2
    S_RS_ADMWB
    Activity: 03,66
    Data warehousing workbench Object: INFOAREA
    S_RS_ODSO
    Activity: 03
    Infoarea: 0FIGL_ERP
    DataStore Object: 0FIGL_014
    SubObject for ODS Object: *
    S_RS_ICUBE
    Activity: 03, 66
    Infocube SubObject: *
    Infoarea: 0FIAP
    InfoCube: 0FIAP_C02
    S_RS_MPRO     
    Activity: 03
    Infoarea: 0FIN_REP_SIMPL_1_ERP
    MultiProvider: 0FIAP_M20, 0FIAP_M30
    MultiProvider SubObject: *
    I then gave my test user these 2 roles, and with that user I can still see every infoarea, and access all reports.
    I will have more specific roles – for other areas (SCM, TV, etc.), but I chose this one as an example.
    First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
    What objects/restrictions am I missing in role 2?
    Many thanks
    Joana

  • TS1424 when i try to purchase a movie or tv show from apple tv, the message comes back that I must go to itunes store on my computer and authorize the purchase, which I have done several times but apple tv still won't let it happen

    Question: when i try to purchase a movie or tv show from apple tv, the message comes back that I must go to itunes store on my computer and authorize the purchase, which I have done several times but apple tv still won't let it happen

    Aladane wrote:
    Why is it they claim to sell you something they do NOT intend on allowing you access to for the life of your account?
    It is not Apple that decides this. Since Apple is just the retailer, they do not own the copyrights to the content they sell on the iTunes Store. If the copyright owner decides to remove something from the store that you have purchased, Apple must abide by the terms of their licensing agreements and remove it. Regrettably this also removes the items from your purchase history. This is why it is up to you to download and back up all of your purchases if you wish to maintain your investment.
    In the Apple KB article Downloading past purchases from the App Store, iBookstore and iTunes Store, and in many other places, it is clearly stated:
    It is recommended that you always back up your iTunes library in the event that a purchased item is no longer available on the iTunes Store. For more information about backing up your library, see this article.

  • Forgot my authorization questions, how can I change them

    I got a new computer and I don't remember my iTunes authorization questions, how can I change them?

    Click here and search the article for '2 out of 3'. Follow the instructions.
    (74000)

  • Complicated Authorization Question

    Complicated Authorization Question
    I had my iTunes software on my laptop with the songs on a portable hard drive. The laptop was stolen, the portable hard drive was not. I installed iTunes on the new laptop and pointed to the music on the portable hard drive and it is telling me I am not authorized to play certain songs although I have authorized the computer. Also when I try to sync my iPhone it is saying it is going to erase all the songs on the iPhone and replace them. I have purchased songs on the phone that are not in my iTunes.
    How do I resolve this?

    Have you tried to play one of the songs in iTunes? It should then ask you to authorize them.

  • Process Integrator authorization question

    Regarding the API that Process integrator exposes for both the client and server
    is there any authorization performed at the EJB and method level. I haven't found
    any documentation on this. For example, I log in as a non-admin user into Process
    Integrator and use the EJB Admin object to try and create a template definition,
    but I shouldn't have the permission to do this.

    I don't know much about WLPI, but I have forwarded this along internally and
    someone should be contacting you soon.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Hugo Penafiel" <[email protected]> wrote in message
    news:[email protected]..
    Hi,
    I'm not sure where to ask a Process Integrator question so I have
    decided to ask here. I have been asked to look at business
    process (workflow) automation. I have read the datasheet and your
    whitepaper on Process Integrator and my question at the moment
    is "How do we integrate Process Integrator with existing sets of
    EJB's? How does it tie together with WebLogic 5.1 (is it a bunch
    of EJB's deployed on top of the app server ala Commerce Server)?
    I'm looking for more technical answers so that I have some
    understanding in estimating how much work/effort it would take
    to use this product. I also know that this is your engine for your
    future Collaborate product, however, that product will not be
    available soon enough to tackle our customers current needs.
    Thanks for your patience in reading this long message and
    I would appreciate any answers including "forget about it until
    Collaborate goes to market!". I would like to give an honest
    technical reason to my manager about why we should
    consider using Process Integrator.
    Thanks again!
    Hugo
    408-861-5292
    marchFIRST
    Cupertino, CA 95014

  • SE16 data display and authorizations.

    Hi Experts,
    I had the following few questions regarding data display and authorization using SE16:
    As an example, the SAP HCM solution for an enterprise is implemented in, say, 10 countries:
    - Is it that using SE16 the user has the authorization to display all data, including the data for different countries' employees?
    - Isn't the infotype data based on the country grouping settings, and shouldn't it be displayed via SE16?
    - Can the authorization be controlled, using User group or some roles being assigned while creating the user id?
    Thank you for your help in advance.
    Thanks and Regards,
    Puneet Luthra

    Puneet,
    If you assign the SE16 tcode to a profile you can set the further authorization object S_TABU_DIS - here you can set authorization groups such as PA for HR infotype tables and SC for PD infotype tables.
    I do not believe that you can actually set infotype-level access, i.e. if you give PA tables then they can see all PA tables; you cannot restrict to just, say, 0001 and 0007. This is independent of the P_ORGIN authorizations, so even if you restrict a certain infotype in P_ORGIN, they will be able to see it using SE16.
    One of the ways in which we have got around it in the past is to just create custom transactions for each table they want to see, such as zse16_pa0001, and assign individual tables to those who need it. Only HR experts and Support users need this kind of access in the production system so it should be relatively easy to maintain individually.
    Hope this helps.
