Urgent RADIUS question
Hi,
At a customer we have our WAAS appliances enabled for RADIUS authentication (indirectly via Active Directory). The authentication itself works. But when the AD password policy requests users to change credentials, the AD accounts start locking out.
We found out that CM is pushing user accounts to the appliances. When the account is saved to the CLI config of the appliance, the appliance does a RADIUS authentication request. Because CM is configured with old/expired passwords, this action locks our accounts quickly (100+ appliances).
How can we fix this? Can we configure the system not to store our old accounts and push them out to the remote appliances?
Regards,
Erik
We see the following in the logs for every user every once in a while.
2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0
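Added example, not from the original thread: a Python script that correlates the log lines above (plus a constructed second appliance and one constructed interactive-login reject) to count how many Access-Rejects a single CM account push generated per user across appliances, since every one of those rejects advances the AD bad-password counter. The 5-second correlation window and the lockout thresholds passed to users_at_risk are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the lines from the post, a second appliance (wae02) receiving
# the same push, and one reject from an interactive login (sshd) that must NOT be
# attributed to the config push.
SAMPLE_LOG = """\
2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0
2012 Nov 12 14:59:02 wae02-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd
2012 Nov 12 14:59:02 wae02-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
2012 Nov 12 14:59:02 wae02-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
2012 Nov 12 15:03:10 wae02-sitea sshd: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$"
)
PUSH_RE = re.compile(r'CLI_LOG log_cli_command: username "(?P<user>[^"]+)" passwd')
RESP_RE = re.compile(r"Got RADIUS response code (?P<code>\d+)")

ACCESS_REJECT = 3                 # RFC 2865: code 1 = Access-Request, 3 = Access-Reject
WINDOW = timedelta(seconds=5)     # assumption: push and its RADIUS round trip land within 5 s


def parse_ts(ts):
    return datetime.strptime(ts, "%Y %b %d %H:%M:%S")


def push_induced_rejects(log_text):
    """Return ({username: [(host, time), ...]}, count_of_other_rejects).

    A reject is attributed to a CM push when it comes from cfg_bin_users on the
    same appliance within WINDOW of a CLI_LOG 'username ... passwd' line.
    """
    last_push = {}                        # host -> (user, time of the CLI_LOG line)
    rejects = defaultdict(list)
    other_rejects = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, msg = parse_ts(m["ts"]), m["host"], m["proc"], m["msg"]
        p = PUSH_RE.search(msg)
        if proc == "config" and p:
            last_push[host] = (p["user"], ts)
            continue
        r = RESP_RE.search(msg)
        if not r or int(r["code"]) != ACCESS_REJECT:
            continue                      # accepts, challenges and other chatter are ignored
        push = last_push.get(host)
        if proc == "cfg_bin_users" and push and ts - push[1] <= WINDOW:
            rejects[push[0]].append((host, ts))
            last_push.pop(host)           # one push accounts for one reject
        else:
            other_rejects += 1            # e.g. a real interactive login failure
    return dict(rejects), other_rejects


def users_at_risk(rejects, lockout_threshold):
    """Users whose push-induced reject count already reaches the AD lockout threshold."""
    return sorted(u for u, hits in rejects.items() if len(hits) >= lockout_threshold)


if __name__ == "__main__":
    rejects, other = push_induced_rejects(SAMPLE_LOG)
    for user, hits in rejects.items():
        hosts = sorted({h for h, _ in hits})
        print(f"{user}: {len(hits)} push-induced Access-Reject(s) on {hosts}")
    print(f"{other} reject(s) not attributable to a CM push")
    print("at risk with threshold 2:", users_at_risk(rejects, 2))
```

Run it against a full day of syslog from all appliances and the per-user count shows how many rejects one password change costs before AD locks the account.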
Hello,
You're on the right track with CSM (Cisco Security Manager). CSM would fit perfectly in this role. We use it to maintain 6 ASAs and about 120 PIX firewalls. It is great for policy-based firewall administration. Compared to other CiscoWorks products, CSM is very stable and performs ideally in the situation you describe above. If you have anymore questions, let me know.
-Mike
http://cs-mars.blogspot.com
Similar Messages
-
Urgent SQL question : how to flip vertical row values to horizontal ?
Hello, Oracle people !
I have an urgent SQL question : (simple for you)
using SELECT statement, how to convert vertical row values to horizontal ?
For example :
(Given result-set)
MANAGER   COLUMN1  COLUMN2  COLUMN3
K. Smith  1
K. Smith           1
K. Smith                    1
(Needed result-set)
MANAGER   COLUMN1  COLUMN2  COLUMN3
K. Smith  1        1        1
I know you can, just don't remember how and can't find exactly the answer I'm looking for. Probably using some analytic SQL function (CAST OVER, PARTITION BY, etc.)
Please Help !!!
Thanx !
Steve.
scott@ORA92> column vice_president format a30
scott@ORA92> SELECT f.VICE_PRESIDENT, A.DAYS_5, B.DAYS_10, C.DAYS_20, D.DAYS_30, E.DAYS_40
  FROM (select t2.*,
               row_number () over
                 (partition by vice_president
                  order by days_5, days_10, days_20, days_30, days_40) rn
          from t2) f,
       (SELECT T2.*,
               row_number () over (partition by vice_president order by days_5) RN
          FROM T2 WHERE DAYS_5 IS NOT NULL) A,
       (SELECT T2.*,
               row_number () over (partition by vice_president order by days_10) RN
          FROM T2 WHERE DAYS_10 IS NOT NULL) B,
       (SELECT T2.*,
               row_number () over (partition by vice_president order by days_20) RN
          FROM T2 WHERE DAYS_20 IS NOT NULL) C,
       (SELECT T2.*,
               row_number () over (partition by vice_president order by days_30) RN
          FROM T2 WHERE DAYS_30 IS NOT NULL) D,
       (SELECT T2.*,
               row_number () over (partition by vice_president order by days_40) RN
          FROM T2 WHERE DAYS_40 IS NOT NULL) E
  WHERE f.VICE_PRESIDENT = A.VICE_PRESIDENT (+)
    AND f.VICE_PRESIDENT = B.VICE_PRESIDENT (+)
    AND f.VICE_PRESIDENT = C.VICE_PRESIDENT (+)
    AND f.VICE_PRESIDENT = D.VICE_PRESIDENT (+)
    AND f.VICE_PRESIDENT = E.VICE_PRESIDENT (+)
    AND f.RN = A.RN (+)
    AND f.RN = B.RN (+)
    AND f.RN = C.RN (+)
    AND f.RN = D.RN (+)
    AND f.RN = E.RN (+)
    and (a.days_5 is not null
         or b.days_10 is not null
         or c.days_20 is not null
         or d.days_30 is not null
         or e.days_40 is not null)
  /
VICE_PRESIDENT DAYS_5 DAYS_10 DAYS_20 DAYS_30 DAYS_40
Fedele Mark 35473 35209
Fedele Mark 35479 35258
Schultz Christine 35700
South John 35253
Stack Kevin 35701 35604 35402 35115
Stack Kevin 35705 35635 35415 35156
Stack Kevin 35706 35642 35472 35295
Stack Kevin 35707 35666 35477
Stack Kevin 35667 35480
Stack Kevin 35686
Unknown 35817 35698 35596 35363 35006
Unknown 35702 35597 35365 35149
Unknown 35724 35599 35370 35155
Unknown 35600 35413 35344
Unknown 35601 35451 35345
Unknown 35602 35467
Unknown 35603 35468
Unknown 35607 35475
Unknown 35643 35508
Unknown 35644
Unknown 35669
Unknown 35684
Walmsley Brian 35725 35598
23 rows selected. -
The only thing I need to do is add a title or label attribute to some of the controls.
One of the ones to begin with that I am fixing is the ADF tag af:selectBooleanRadio. When I add some text to the shortDesc field of the control, the HTML it produces doesn't have the title attribute.
So I tried to use the corresponding Trinidad control tr:selectBooleanRadio, and add some text to the same shortDesc field for the control, and in this case it does add a title attribute in the HTML that it produces.
Everything else in the code works fine as well when I add the Trinidad control, except for one thing. I have a ValueChangeListener that gets called when you click on another tr:selectBooleanRadio. Within that valueChangeListener event handler function, I have a bunch of code which in the end displays an af:popup. The problem I am having when using the Trinidad control is that it somehow is not allowing the display of the popup even though it is going through the code that executes display of the popup. When I click on another link or button that is supposed to display a different popup as well, then the popup associated with the tr:selectBooleanRadio also displays at that time, but not originally when the value changed by selecting a different tr:selectBooleanRadio.
So, my question is, are there any other successful ways of adding a title attribute to these controls? If it's the af:selectBooleanRadio, how do we make it so that the HTML it generates has the title attribute, or if it's the tr:selectBooleanRadio, what might be happening during the event handling that it is not allowing the af:popup to display?
A quick response to this is appreciated since this is very urgent! Thanks very much for your help!
JDev version is 11.1.1.5
OK, I will go one step at a time so that it is easy to understand. So I will only mention the first thing right now and then we can try other things later.
I have an af:selectBooleanRadio. After running the page/application, when the user does View Source in the browser for the page that has the radio button, it is in the form of an HTML <input> tag of type radio button. What I want to do is to have a "title" attribute for the <input> tag for this radio button. I can use the tr:selectRadioButton Trinidad control to do that, but then I have other issues with that, and we can talk about those later.
Let me know if it is still not clear.
Thanks very much for your help! -
URGENT : Challenge questions query: Oracle Access Manager 10g
Hi all,
This is a query regarding password challenge questions in Oracle Access Manager 10g. We have created password policies for a specific container in OID (say cn=xxx,cn=users,dc=oracle,dc=com) and it is working fine.
In order to exclude certain set of users (say user ABC ) for password policies, we have set the obpasswordchangeflag to false for those users which are in same container for which password policy is created.
When we try to login to the application with the user say ABC, I am not seeing any reset password page - I am happy till this point. However it is showing Configure Challenge questions page. Is there any way to bypass this page? Or is this the expected behavior?
This is very urgent and prompt reply is very much appreciated.
-Mahendra
Hi Mahendra,
This is expected behaviour. In order to exclude the password policy management for certain users for a particular domain/container, please add the below configuration parameter to your OAM 10g password policy.
Password Policy Filter Field (!(|(cn=xxx)(cn=abc)))
----Ajay -
802.1x EAP-PEAP - Radius Question
We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
getting a Cisco ACS to run a simple RADIUS server which is all I need.
Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
and how does it differ from the username you provide after the secure TLS tunnel has been configured.
Hey John,
Yes, in fact it's all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
http://www.youtube.com/watch?v=YIxG4OEfwtY
The 2000 is because there is a database limit; this includes MACs, LOCAL ACCOUNTS and AP MACs for AP policy. The MAC limit is 2048. Here I blogged about this:
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
So yes it sounds right and you should be good.
Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
Thanks John!
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Urgent constructor question..
I'm trying to call this Flower class in another class called Garden, in which I created a new Flower by using a statement
private Flower lastflower;
and it's saying it cannot find the symbol - constructor Flower.
Can anyone tell me why and help correct this problem?
Below is the code for my Flower class.
Any help is really appreciated, it's for my Java class!
import objectdraw.*;
import java.awt.*;

/**
 * Write a description of class Flower here.
 * @author (your name)
 * @version (a version number or a date)
 */
public class Flower
{
    protected FilledOval dot;
    protected FilledRect stem;
    protected FilledOval petal1;
    protected FilledOval petal2;
    protected static final int boundary = 100;
    protected RandomIntGenerator colorGen =
        new RandomIntGenerator(0, 255);
    protected Color petalColor;
    protected Boolean flowerContains = false;
    private DrawingCanvas canvas;

    // Creates the yellow centre and gives both petals a random colour.
    public void changeColor() {
        dot = new FilledOval(150, 150, 15, 15, canvas);
        dot.setColor(Color.YELLOW);
        petalColor = new Color(colorGen.nextValue(),
                               colorGen.nextValue(),
                               colorGen.nextValue());
        petal1.setColor(petalColor);
        petal2.setColor(petalColor);
    }

    // Draws the stem; moves the centre up until it reaches the boundary, then adds the petals.
    public void grow(Location point) {
        stem = new FilledRect(dot.getX() + 3, dot.getY() + 10, 10, 10, canvas);
        stem.setColor(Color.GREEN);
        if (dot.getY() > boundary) {
            dot.move(0, -4);
        } else {
            petal1 = new FilledOval(dot.getX() - 12, dot.getY() - 25, 40, 70, canvas);
            petal2 = new FilledOval(dot.getX() - 25, dot.getY() - 10, 70, 40, canvas);
            dot.sendToFront();
            stem.sendToBack();
            petal1.setColor(petalColor);
            petal2.setColor(petalColor);
        }
    }

    // True when the point lies on either petal or on the centre.
    public Boolean flowerContains(Location point) {
        if (petal1.contains(point)) {
            return true;
        } else if (petal2.contains(point)) {
            return true;
        } else if (dot.contains(point)) {
            return true;
        } else {
            return false;
        }
    }
}
I don't care how fucking urgent you think it is, it isn't to us. We will answer your question when and how we feel like it. Have some manners and if you must, then bump your original post. Don't create another time-wasting piece of crap!
-
Hi everyone. Hope you all had a good new year. Bring on 2008!
I'm looking into a wireless network at my school and have previously had real bad experience with wireless. The school I previously worked at had wireless and I think the reason why it didn't work properly was because they weren't using commercial access points and stuck with the home-based equipment and dotted lots of these around the building. It was a nightmare to administer because you had to keep note of every IP for each AP if you needed to make a change and log in to every AP if it was a global change.
I'm interested in knowing more about RADIUS server setup but the content I am finding online just seems to confuse me. I have a few questions which I hope someone may be able to answer for me:
1. Am I right in saying that if you have a RADIUS server all APs which are RADIUS compatible can be managed from the server end? So for example if I wanted to change the SSID for the whole wireless network I could simply go onto the RADIUS server, make a change there and then the server will broadcast this to all the APs?
2. The authentication part of radius, does this link in with Active Directory?, so if a user wanted to log onto the network they could use their AD account to authenticate and allow access to the wireless network? or does it run on a separate authentication system.
3. Network access control (NAC) is this a CISCO proprietary thing? and can this work with a RADIUS Server.
I appreciate any help on this. If anyone could also point me out with some good companies who may be able to provide me with a solution that would be great.
Your help is appreciated
#1. That would be no. The RADIUS server is used to authenticate the users, not to manage the APs. There can be some interaction with the APs from RADIUS in that some configurations allow you to authenticate MAC addresses with RADIUS. That way you could enter the MAC once on the RADIUS server instead of doing it on each AP, though I have not bothered with that. The nice thing about RADIUS is that when someone tries to hack your wireless, a RADIUS server tied to AD can cause AD account lockout based on your policies, and it is easy to tell if someone is hacking your wireless by checking your RADIUS logs.
2. Radius can point to several external user sources including AD or you can even have user IDs on the radius server itself.
3. NAC should be able to work with radius though I have not used it as of yet.
To manage all of the APs centrally, you would get Cisco's LWAPP APs and a wireless controller such as a 4404. You can also add WCS to manage multiple controllers. It is pretty cool, but I find WCS kind of difficult to navigate if you are used to the autonomous APs. In any case, it does things you cannot do with standalone APs.
Randy -
I know this question should be posted on a CSS3 Forum but I can’t seem to find one and thought DW users might have come across an answer.
When the corner radius of an AP Div is defined and an image is placed inside the APD, the rectangular corners of the image are not clipped by the APD box. The image corners actually stick out beyond the rounded corners. Is there a style property that hides the image corners or clips them? I've tried setting the overflow to Hidden without success.
Actually there is a way to clip images as long as you target the image and not the containing element as in
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Untitled Document</title>
<style>
/* the radius and shadow are applied to the img itself, not to #tab1 */
#tab1 img {
position:absolute;
left:92px;
top:33px;
width:115px;
height:34px;
z-index:1;
/* border radius and drop shadows */
border-radius: 20px 20px 0px 0px / 20px 20px 0px 0px;
border-top-left-radius: 20px 20px;
border-top-right-radius: 20px 20px;
border-bottom-right-radius: 0px 0px;
border-bottom-left-radius: 0px 0px;
box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
-moz-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
-webkit-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
font-family: Arial, Helvetica, sans-serif;
font-size: 18px;
color: #333333;
border-top-width: 1px;
border-right-width: 1px;
border-left-width: 1px;
border-top-style: solid;
border-right-style: solid;
border-bottom-style: none;
border-left-style: solid;
border-top-color: #000000;
border-right-color: #000000;
border-left-color: #000000;
}
</style>
</head>
<body>
<div id="tab1"><img src="Home1.png" alt="tab1" /></div>
</body>
</html>
Gramps -
Hi,
I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
This is my config:
interface Loopback0
ip address 192.168.0.1 255.255.255.255
ip radius source-interface Loopback0
aaa group server radius LOCAL-RADIUS
server 192.168.0.1 auth-port 1812 acct-port 1813
aaa authentication login default group LOCAL-RADIUS
radius-server local
nas 192.168.0.1 key 0 <removed>
user mwhittle nthash 0 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
radius-server vsa send accounting
Now here's the strange thing... If I configure the RADIUS user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything other than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
Any ideas?
Kind regards,
Mike
Hi,
What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients, and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username is always equal to password.
If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you.
Let me know if this answered your question.
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or was helpful -
I have never configured RADIUS or managed it, but I have done complete rollouts of TACACS.
I know it's a loaded question, but how different are the two with regard to management, architecture and resources? Client is using RADIUS for AAA on the network devices for management, not remote dial access.
I'm asking this question because it takes about 1 minute for me to get authenticated when I telnet to a router. After that, the authorization is quick and the router responds immediately after entering a command.
[EDIT] By the way, all the other network devices I have tried logging onto respond quickly; the problem seems to be located to one L3 switch -- a 6509.
[EDIT 2] I was wrong. The device I thought was authenticating me quickly had the aaa commands removed. I was using local authentication. So, the problem IS network wide.
When I do a sh radius stats, I see:
                              Auth.   Acct.   Both
Number of Radius timeouts:    8       112     120
Packets without responses:    1       14      15
Counters are incrementing. What is this telling me?
Thanks
Victor
Use this document: Remote Authentication Dial-In User Service is a distributed client/server system that secures networks against unauthorized access.
http://www.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html -
Help please - urgent exam question
I'm having difficulty with the following question for an OU exam:
You will now create a method to enable students to make a list of the books they have read, whether they are on the course's reading list or not.
Add an instance method to the class, with the header: public Set<String> collectBooksRead()
The method should first declare a local variable of type Set called readBooks capable of holding a set of strings.
The method should then assign to that variable an appropriate set object.
The method should then use a dialogue box to collect the book titles one at a time from the user.
The dialogue box should have the prompt "Please input a book title or * to finish", and should have an empty string as its default reply.
Each entered book title should be added to the set referenced by the local variable readBooks. Finally the method should return readBooks as the message answer.
Here's my code so far but it endlessly loops and I'm unsure how to make it stop.
public Set<String> collectBooksRead()
{
    Set<String> readBooks = new HashSet<String>();
    String title;
    do
    {
        title = OUDialog.request("Please input a book title or * to finish", ""); // OUDialog.request displays an input dialogue box as specified by a superclass
        readBooks.add(title);
    }
    while (title != "*");
    return readBooks;
}
unplug the computer. works every time -
hey pals,
I have couple of doubts which are very urgent to be clarified.
1.how to debug the code in fox editor?
2.can we use transactional infocubes in bps?
3.can we use multiprovider for planning?
4.how to fine tune the standard planning functions provided by sap?
5.when exit variables are used?
I need these answers ASAP. Anyone with a suitable answer will be rewarded immediately. Thank you.
Regards,
Rags
1. How to debug the code in FOX editor?
Use break-point in FOX code.
2. Can we use transactional InfoCubes in BPS?
Yes. Transactional cubes are meant only for BPS.
3. Can we use a MultiProvider for planning?
Yes. MultiProviders can be used both in a basic planning area as well as a multi planning area.
4. How to fine-tune the standard planning functions provided by SAP?
These are not recommended. But create exit & FOX functions to meet your requirements.
5. When are exit variables used?
If variable1 needs to be derived from variable2 (in which case the end user fills only variable2). -
I have a ASA 5510 and I'm currently using it to serve my VPN client (ipsec) users. I want to be able to also use it for the AnyConnect client but limit who can use the client to connect. I'm authenticating my users using a Windows IAS server and I push down ACLs via the AV Pair attribute. Is there a way via radius or on the ASA to specify which users are allowed to use the AnyConnect client? I need to limit access to this. I wasn't able to find anything in the documentation but I may be missing something.
Thanks for the assistance.
You can use the IETF Class value (attribute 25) to pass along a string to the ASA. Using this string, you can have the ASA place the user on a specific group-policy that matches that string, and in the group-policy you can have the tunnel-protocol svc or webvpn enabled or not. When the user that should not be connecting via AnyConnect receives the string and the ASA places the user on the group-policy that does not have that tunnel protocol enabled, the connection will never happen.
-
Why in the name of God don't you post this sample code here in the newsgroup so everyone can see it instead of just emailing it to a single individual? Can you please post it?
Bryan O'Sullivan <[email protected]> wrote:
b> All docs on the BEA website talk about 2-way authentication with
b> browsers and servlets. Can I use the T3Client (t3s://host:port) in
b> setting up my InitialContext to talk to beans on the server to
b> create the secure connection?
Yes, you can. You need to set up some extra environment parameters to
do this, which unfortunately aren't well-documented in 4.5. I'll send
you a code example that should clarify things.
b> Do I need a specific service pack to enable this functionality?
You need at least 4.5.1sp5. This functionality was documented as
working in earlier 4.5 releases, but embarrassingly enough for us, it
didn't.
b> "Important: Certificates from Microsoft Internet Information Server
b> and Netscape Enterprise Server cannot be used with Weblogic Server,
b> because they are stored in a proprietary format."
b> Does this pertain to Netscape Certificate Server as well?
I don't know; I've never used NCS. However, if NCS can spit out
certificates in X.509 format, using either DER or PEM encoding, then
you should have no problems.
b> Where can I find code samples for doing what I want to do?
If you're using a Java client, we actually don't ship any useful
examples of two-way SSL authentication with WLS 4.5.x. However, I'll
mail you a copy of an example program from Denali beta 2 which should
work with a 4.5.x server.
b> The "Using Weblogic SSL" page is not too useful for implementation
b> details.
I know. We've worked to beef the documentation up for Denali. As you
can imagine, since we documented two-way SSL authentication as working
in 4.5 but never really got any complaints from customers about the
fact that it was broken (I just happened to notice it myself), it's
not a feature that has seen much use yet. I apologise for the
roughness around the edges so far; I hope this information helps you
to find out what you need.
When Denali beta 2 comes out, you might want to download it and look
at its expanded support for two-way SSL authentication. It's really
quite a bit more useful than 4.5 in this regard.
If you have any further questions, please feel free to ask.
Let us pray:
What a Great System.
Please Do Not Crash.
-
URGENT: Unicode questions
Hi experts out there
We need to have a unicode system soon.
At the moment we have a non unicode R/3 Rel. 4.7 Enterprise.
My questions are:
1. Are there patches that upgrade the non unicode R/3 Rel. 4.7 Enterprise to the unicode R/3 Rel. 4.7 Enterprise?
2. Should we better upgrade it to ECC 6.0? What is the effort here?
Any suggestions/responses would be very appreciated.
Thanks
HW
There can't be patches because the data must be converted from a certain code page to Unicode.