TACACS+ and Smart Card login

Similar Messages

• Smart card login and sparsebundle password

  Hi,
  I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the "save password" option I still am prompted on each login. Does anyone know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?
  Many thanks
  Michael

  I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

• Disabling normal login and only using smart card login?

  I've managed to setup login using BELPIC (Belgian Identity Card (smart card). However I can still login using username/password. Is it possible to restrict the system only using smart card login? (maybe via tweaking the authorize file?)
  Thanks

  The problem isn't with the provider part of the code - it has to do with security privleges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
  In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container, by design, are restricted in their ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
  In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for your JVM, along the lines of the following:
  grant {
  permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
  I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
  You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

• How to configure smart card login in sunray 2fs??

  Hi all,
  Please help me to configure smart card login using Sun Ray Server Software 4.0... How to assign a smart card for a particular user? Do I need to flash th smart card for user information or any other method exists?

  I'm not sure what you know or don't know about this so I'll give you what I know:
  1. Create a token reader and a token
  * Plugin a Sun Ray DTU/client
  * Check the MAC address of the Sun Ray you just plugged in
  * Access the Sun Ray admin GUI
  * Choose the 'Desktop Units' tab
  * See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
  * If it is listed click the identifier
  * Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
  * Click 'Edit'
  * Check 'Token Reader'
  * Click 'OK'
  * /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
  Now insert a shiny new Java card into your token reader's slot
  * In the Sun Ray admin GUI choose the 'Tokens' tab
  * Search for currently used tokens
  * You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
  * Click the token identifier and click 'Edit'
  * Assign a username (i.e. Unix username) to the token under 'Owner'
  * Click 'OK' and remove the smart card from the token reader
  2. Assign the Token
  * Insert your smart card from step 1 into the token reader
  * In the Sun Ray GUI click 'Tokens' and 'New'
  * Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
  * Click 'Read Token'
  * Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
  * Click 'OK'
  Item 2 from the notes I used for this looks alot like item 1 so I can't say that it is strictly necessary.
  I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.

• Smart card login

  Hi Guys,
  I have just enabled smart card login to my mac but want to disable the password login option (i.e. I can login with smart card but if I don't plugin the card reader/card, I am prompted for password login). How can I enforce smart card only login?
  Many Thanks
  Michael

  Are you getting all user icons, plus the smartcard icon, or just the smartcard icon and "Other..." ?
  If the latter, then disable root user (which displays the "Other..." prompt on the login window, even if smartcards login is enabled).

• Smart Card login for ordinary folk

  Hi,
  I used to use the OpenSC project for Smart Card login, but I believe that with changes in OS X 10.8 it's no longer an option.
  What affordable solutions are there for genuine Smart Card login for OS X 10.8?  YubiKey doesn't support anything more than entering a static password pre-stored on the device, and when I last tried Rohos it was abysmal.

  I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

• Cisco ISE Guest portal - smart card login

  Does anyone know if Cisco ISE support smart card login to the guest portal page?                    

  No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.

• Token and smart card reader are not detected on Mavericks if not plugged on a USB port during system boot

  Well, both token and smart card reader are not detected on OS X 10.9 if not plugged on a USB port during system boot. So, if I am already working within the system and need to use my certificates I have to plug the token or smart card reader on a USB port and restart Mavericks.
  Token is a GD Starsign and Smart Card Reader is a SCR3310 v2.
  Thoughts?

  SCS is a very good app, since I've read that Apple has discontinued support for PC/SC interfaces after the release of Mountain Lion.
  (My previous installation was a Mavericks upgrade from Lion)
  However, I don't know what and how to debug using Smart Card Services. Do you know any commands to use?
  Apparently, the SC reader reports no issues: the LED is blinking blue when no smart card is present and becomes fixed blue when a smart card is inserted – according to the manuals, this shows that there is correct communication between the OS and the CCID reader.
  I don't know what to do; I'm beginning to hypothesize it's a digital signer issue. In fact, my smart card only supports one application called File Protector (by Actalis) to officially sign digital documents. This application seems to have major difficulties in identifying the miniLector EVO.
  The generic and ambiguous internal error comes when I try to manually identify the peripheral.
  Athena CNS is one of the Italian smart cards and is automatically recognized and configured (so it's correct – no doubts about this), while "ACS ACR 38U-CCID 00 00" seems to be the real name of the miniLector.
  (I'm assuming this because System Information also returns that the real manufacturer is ACS... bit4id is a re-brander)
  However, when I click on it and then tap OK, it returns internal error.
  As first attempt, I would try to completely erase&clean File Protector files to try a reinstall. Then, if this still doesn't work, I'd debug using the terminal.
  So:
  - Do you know any applications to 100% clean files created by an installer?
  - Do you have in mind any solutions that I might have forgotten?
  Thanks in advance from an OS X fan!

• Issues regarding Smart Card login inside domain and on SmartPhones

  Hi
  i am planning to implemnt at my domain login ONLY with smartcard
  i saw i have some option how to do it , one with GPO that covers all the computers (or some computers with defined groups)
  or i can check the "smart card is  required ...." this could be the easy way but when i check this  box
  the users with the smartphones no longer can authenticate with it to get emails , also the OWA is not availble for them
  is there any solution so the users will have to login with smartcard and still get the emails to the smartphones ?
  thanks
  TK

  Hi Robert Gauthney,
  Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
  meet your scenario please offer us more information such as the error screenshot or related Windows event information:
  Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/2548538/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Smart Card login screen authentication

  Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
  I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
  An alternative scenerio would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
  The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
  http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contact less-smart-card-reader

  Hi Robert Gauthney,
  Could you offer more information about your issue, I found a similar scenario with your issue, if it meet your environment please refer the following KB to fix it, if it not
  meet your scenario please offer us more information such as the error screenshot or related Windows event information:
  Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/2548538/EN-US
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Remote desktop and smart cards

  I frequently work from home using my mac to access my windows based desktop at the office. I use the microsoft remote desktop v. 1.0.3. for MAC. Now that my agency is moving to smart card identification requirements for access I need to be able to use the smart card at home to sign onto the office desktop.
  The RDC for MAC does not have an option for smart card readers (as opposed to the RDC for windows version). Is there alternative software that would be simple to install on my MAC (I am not an IT sophisticate) that will give me smart card access?

  Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
  If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
  Hope this helps!
  bill
    Mac OS X (10.4.10)   1 GHz Powerbook G4

• MS Remote Desktop and smart card reader

  I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

  I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
  However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
  <<http://www.rdesktop.org>>
  My instructions for installation:
  1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
  2. Find out where your X11 libraries are located:
  -From the Finder menu, selct "Go" >> "Go to Folder..."
  -Type (without the quotes) "/usr/X11", and click "Go"
  You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
  3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
  4. Open the X11 application (should be in your Utilities folder)
  5. In the X11 window type the following (without the quotes):
  "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard -x-includes=/usr/X11/include -x-libraries=/usr/X11/lib && make && sudo make install"
  4. Hit enter. When prompted, enter your administrator password and hit enter.
  rdesktop should now be installed in the following folder:
  /usr/local/bin
  So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
  "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
  Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
  To explore more options with rdesktop, open X11 and type the following (without quotes):
  "cd /usr/local/bin && ./rdesktop"
  Hit enter and you should get a list of options available to rdesktop.

• Remote desktop and smart card

  Hi.
  I need to use a smart card while working with remote desktop.
  My office pc runs win XP and have a smart card connected. I can not use that card when working remotly, its not found. Like its disconnected.
  I also have a smart card connected to my Mac at home. The smart card works fine when the VPN connection ask for my code.
  The problem is that it does not get forwarded. I have tried to use MS Remote Desktop for mac and CoRD.
  But none of them supports the smart card.
  It works fine with parallels/win7 on my mac, I can then use my smart card.
  How ever I would like to not use the win/ on my mac.
  Do anybody have a soulution to this? Are there any Remote desktop applications that support forwarding of smart card for Mac OS?
  Thanx for any tips

  You can install rdesktop with Smart Card support.
  It is fairly easy if you use something like MacPorts, Fink, or Homebrew.
  I know MacPorts has a port for it that I used in the past.

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• Pkcs#11 and smart card reader

  Hi everybody,
  In my applet code
  i'm trying to implement "attached signature" reading keystore from a smartcard.
  I'm using SunPKCS11 provider and infocamere smart card, so i load SunPKCS11.dll for PKCS#11 standard.
  my code is:
  String pkcs11ConfigFile = "c:\\smartcards\\config\\SI_PKCS11.cfg";
  Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigFile);
  Security.addProvider(pkcs11Provider);
  where SI_PKCS11.cfg file contains 2 lines like follow:
  name = test
  library = C:\WINNT\system32\SI_PKCS11.dll
  when I try to sign without smart card in the device reader i catch "PKCS#11 not found" exception, while when I try with smart card inside the device the applet stop on loading the provider and it doesn't continue without any errors in java console. Can anyone help me?
  thanks a lot for every answer
  best reagards

  I should add that I am using Windows 7 and my CSS version is 8.3, I can also verify my smart card works for other applications, only thinkvantage CSS 8.3 does not work.