Use Tacacs+ for Admin auth & Radius for user Auth?

Can I set up my Aironet 1200 to use TACACS+ for authentication back to the Cisco ACS server and RADIUS back to the same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume not.

Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group and EAP authentication to the RADIUS group.
e.g.:
aaa group server radius rad-group
 server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
 server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
Now under the ssid part of the config have:
dot11 ssid yyyyyy
 authentication open (or whatever method you use) eap eap-method
Under console/vty etc.:
 login authentication auth-admin-access
You need some more stuff like RADIUS and TACACS+ server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment (see field notices). This probably doesn't apply to 1200s.
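As an added check (not part of the original post), the Python below parses an IOS-style AP config laid out like the one above and flags any console/vty login list that resolves to the RADIUS group, or any SSID EAP list that resolves to the TACACS+ group, so the admin and wireless-user authentication paths stay separate. The sample config is constructed; group names, SSID and addresses are placeholders.

```python
"""Audit an IOS AP config for the admin (TACACS+) / user (RADIUS) AAA split.
Added example, not from the original post; the config below is constructed
with placeholder names and RFC 5737 addresses."""
import re

SAMPLE_CONFIG = """\
aaa group server radius rad-group
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server tacacs+ admin-access
 server 192.0.2.20
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
dot11 ssid corp-wlan
 authentication open eap eap-method
line con 0
 login authentication auth-admin-access
line vty 0 4
 login authentication auth-admin-access
"""

def parse_aaa(config):
    """Collect server groups, login method lists, SSID EAP lists and line login lists."""
    groups, login_lists, ssid_lists, line_lists = {}, {}, {}, {}
    context = None  # ("ssid", name) or ("line", name) for the block being read
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            context = ("ssid", m.group(1))
            continue
        m = re.match(r"line ((?:con|vty|aux) .*)", line)
        if m:
            context = ("line", m.group(1))
            continue
        m = re.match(r"authentication open .*\beap (\S+)", line)
        if m and context and context[0] == "ssid":
            ssid_lists[context[1]] = m.group(1)
        m = re.match(r"login authentication (\S+)", line)
        if m and context and context[0] == "line":
            line_lists[context[1]] = m.group(1)
    return groups, login_lists, ssid_lists, line_lists

def method_types(methods, groups):
    """Resolve the 'group NAME' and 'local' tokens of a method list to server types."""
    types = set()
    for i, tok in enumerate(methods):
        if tok == "group" and i + 1 < len(methods):
            types.add(groups.get(methods[i + 1], "unknown"))
        elif tok == "local":
            types.add("local")
    return types

def audit(config):
    """Return findings; an empty list means admin and user AAA are cleanly split."""
    groups, login_lists, ssid_lists, line_lists = parse_aaa(config)
    findings = []
    for name, lst in line_lists.items():  # device administration (console/vty)
        types = method_types(login_lists.get(lst, []), groups)
        if "radius" in types:
            findings.append(f"line {name}: admin login list '{lst}' uses a RADIUS group")
        if "tacacs+" not in types:
            findings.append(f"line {name}: admin login list '{lst}' has no TACACS+ group")
    for ssid, lst in ssid_lists.items():  # wireless user EAP authentication
        types = method_types(login_lists.get(lst, []), groups)
        if "tacacs+" in types:
            findings.append(f"ssid {ssid}: EAP list '{lst}' uses a TACACS+ group")
        if "radius" not in types:
            findings.append(f"ssid {ssid}: EAP list '{lst}' has no RADIUS group")
    return findings
```

Feed `audit()` the output of `show running-config`; it reports nothing for the layout above and one line per misrouted list otherwise.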

Similar Messages

  • SP2013 WF works for admin but not end-users

    A simple SP2013 WF calls a SP2010 WF to send email, simple.  Works for me (admin) but when a SP user edits an item on the list (which fires the WF), the WF gets to the 2010 call, and fails with this error...
    RequestorId: f8c56627-e4e5-5a26-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"X-SP-SERVERSTATE":["ReadOnly=0"],"SPClientServiceRequestDuration":["61"],"SPRequestGuid":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"request-id":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["16.0.0.2930"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
    RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Wed, 25 Jun 2014 02:44:54 GMT"],"P3P":["CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT
    NAV ONL PHY PRE PUR UNI\""],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at System.Activities.Statements.Throw.Execute(CodeActivityContext
    context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager
    bookmarkManager, Location resultLocation) Exception from activity Throw If Sequence Sequence TryCatch Sequence Microsoft.SharePoint.WorkflowServices.Activities.RetryForDurationPolicy HTTPPost_WorkflowInterop_EnableEvents WorkflowInterop DynamicActivity<Guid>
    Then If Working Sequence Flowchart Sequence RCSEmailCst.WorkflowXaml_4f7b53dc_968d_4e22_a812_3178e7b01bad
    Spent an hour on phone with M$ support, only to be told it's my fault and I have to re-design my WF...if my WF gets any simpler I'll have to use carrier pigeons to get messages to customers!
    I've Googled the error message; results suggest that User Profile Sync is out of whack, but M$ support swears up & down our sync is working fine.
    Anyone?
    Edit to add: we have a hosted implementation of SP2013, NOT on-prem

    Hi,
    According to your description, my understanding is that the SharePoint workflow 2013 does not work for end-users in your environment.
    For your issue, it can be a permission problem for the user initiating the workflow. Please make sure the site feature "Workflows can use app permissions" is activated. Go to Site actions > Site Settings >
    Site features > Workflows can use app permissions. Make sure the user is a member of a SharePoint Group.
    Also please provide more detailed information about the error message to determine the exact cause of the error. You can have a look at the blog:
    http://ranaictiu-technicalblog.blogspot.com/2013/03/sharepoint-2013-workflow-debugdiagnosis.html
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • Tacacs+ for exec and radius for ppp on the same ras

    Hi, I'm going to implement tacacs+ for exec control and RADIUS for ppp control in a ras router, using the same ACS for tacacs+ and radius sessions.
    Is there any problem with this kind of configuration ?
    thank you in advance
    Renato

    Renato
    I have recently done something very similar at a customer site. On a remote access server we configured it to use TACACS for exec control and to use Radius for ppp. In our case we are using different servers but I do not think that would be an issue. We also are generating aaa accounting records for the ppp sessions and sending the accounting records to the TACACS server. I have not had any particular problems with getting this to work.
    HTH
    Rick

  • No text in box asking for admin UN/PW, cannot enter text

    I migrated a user to another machine using Migration Assistant. Two odd things have come up:
    1. His name at the upper right corner is off center in the menu bar. It's a little too high.
    2. A keychain dialog box came up and a dialog box came up for admin UN/PW for something else. There is no text in the boxes and I cannot enter anything.
    It's a new image I have rolled out to about 100 users no problem. It doesn't happen with any other user on the machine so I am sure it's something in his home. Is there a preference or something that could be corrupt that is causing this?
    Thanks

    No can do. Got to be an easier way. HD failing on users old machine. Hardware failure. Deleting profile and moving it over again is the easy way out....if I could do it.

  • Aaa-reports! v2.1 supports TACACS+ Device Admin Audit Reporting

    extraxi is proud to announce a new release of aaa-reports! with support for TACACS+ Device Admin (TDA) reports for audit compliance.
    Previous versions had the ability to import the Cisco Secure ACS database dump file and generate reports for group summaries, inactive users, expired and disabled user accounts.
    But in v2.1 we've gone much deeper. In this release we provide new reports to more fully document your TACACS+ Device Administration (TDA) config:
    * Group level Network Access Restrictions (NARs)
    * Shared NARs
    * Group level service & protocol authorization
    * Group level enable authorization
    * Group level shell command authorization
    * Shared Device Command Sets (DCS) for shell & pixshell
    * Network Device Group (NDG) content
    With these additions you will at last be able to document your "policy intent" without having to either take screen dumps of the ACS Admin web pages, or write it down by hand!!
    And the reports don't stop at config documentation... they can also show you
    * Which groups/users have permit access to specific devices (or device group)
    * What commands a group/user is authorised to execute against a specific device (or device group)
    * What groups/users make reference to a given Shared Network Access Restriction (NAR) or Shared Device Command Set (DCS)
    * Which Shared NARs and DCSs are not referenced at all
    aaa-reports! v2.1 now supports several methods for importing the ACS Database:
    * acsdb.cab - via extraxi "getacsdb" utility for v3.x
    * package.cab - via 4.x cssupport/support admin page
    All in all, aaa-reports! v2.1 is what ACS users have been crying out for to make network security auditing less painful!
    Visit http://www.extraxi.com to download a working 60 day trial


  • Executed as user: ADMIN\abc-SQLServer. Linked servers cannot be used under impersonation without a mapping for the impersonated login. [SQLSTATE 42000] (Error 7437). The step failed.

    Hi All,
    We have verified permissions on both sides,current server and linked server, the user has sysadmin.
    Another key piece of information is that this is happening when executing a SQL Job.
    Thanks.

    Related:
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/328616e9-42cb-40d7-a4b1-671d6a492d8f/linked-servers-cannot-be-used-under-impersonation-without-a-mapping-for-the-impersonated-login?forum=sqldatabaseengine
    https://support.microsoft.com/kb/2492477?wa=wsignin1.0
    http://sshakespeareblog.co.uk/2013/07/31/sql-linked-server-and-sql-server-agent/
    Kalman Toth Database & OLAP Architect
    SQL Server 2014 Database Design
    New Book / Kindle: Beginner Database Design & SQL Programming Using Microsoft SQL Server 2014

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add Airport Basestations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to radius:
    1. By editing /etc/raddb/client.conf and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and it also looks like there is some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to, in this case, authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • Cisco Nexus 5K + Microsoft Radius for Admin Authentication

    Hi,
    I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
    I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
    The commands I have used on the 3750 are as follows:
    aaa new-model
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    radius-server host x.x.x.x key SECRETE
    line con 0
     exec-timeout 5 0
     authorization exec conlogin
     logging synchronous
     login authentication conlogin
    line vty 0 4
     exec-timeout 0 0
     authorization exec vtylogin
     login authentication vtylogin
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     authorization exec vtylogin
     login authentication vtylogin
     transport input ssh

    I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Cisco 3650 tacacs+ with SSH works, not for http to use wireless GUI

    Hi
    Last week I installed a brand new Cisco 3650 switch and the wireless option.
    Everything works fine.
    I also configured tacacs+. Login through SSH works fine.
    Now I want to manage the wireless part from the GUI by entering https://ip-address/wireless
    Local authentication with priv 15 works fine.
    Now I configured tacacs. After entering username and password I received a blank screen.
    After debugging, I got an SSL failure.
    Mar  4 07:35:53.675: eah:  url=/wireless is for us with a secondary connection
    Mar  4 07:35:53.675: eah: Secondary authentication required for realm priv_15_access
    Mar  4 07:35:53.675: Tue, 04 Mar 2014 07:35:53 GMT <source address> /wireless auth_required
            Protocol = HTTP/1.1 Method = GET
    Mar  4 07:35:53.675:
    Mar  4 07:35:53.799: %HTTPS: SSL read fail (-6992)
    Mar  4 07:35:58.400: eah:  url=/wireless is for us with a secondary connection
    Mar  4 07:35:58.401: eah: Secondary authentication required for realm priv_15_access
    Mar  4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
    Mar  4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
    Mar  4 07:35:58.401: TPLUS: Queuing AAA Authentication request 4673 for processing
    Mar  4 07:35:58.401: TPLUS: processing authentication start request id 4673
    Mar  4 07:35:58.401: TPLUS: Authentication start packet created for 4673(my username)
    Mar  4 07:35:58.402: TPLUS: Using server <tacacs server IP>
    Mar  4 07:35:58.407: TPLUS(00001241)/0/NB_WAIT/3AF752D4: Started 5 sec timeout
    Mar  4 07:35:58.449: TPLUS(00001241)/0/NB_WAIT: socket event 2
    Mar  4 07:35:58.450: TPLUS(00001241)/0/NB_WAIT: wrote entire 37 bytes request
    Mar  4 07:35:58.450: TPLUS(00001241)/0/READ: socket event 1
    Mar  4 07:35:58.450: TPLUS(00001241)/0/READ: Would block while reading
    Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
    Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 16 bytes data)
    Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
    Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 28 bytes response
    Mar  4 07:35:58.511: TPLUS(00001241)/0/3AF752D4: Processing the reply packet
    Mar  4 07:35:58.511: TPLUS: Received authen response status GET_PASSWORD (8)
    Mar  4 07:35:58.512: TPLUS: Queuing AAA Authentication request 4673 for processing
    Mar  4 07:35:58.512: TPLUS: processing authentication continue request id 4673
    Mar  4 07:35:58.512: TPLUS: Authentication continue packet generated for 4673
    Mar  4 07:35:58.512: TPLUS(00001241)/0/WRITE/3AFD3D3C: Started 5 sec timeout
    Mar  4 07:35:58.512: TPLUS(00001241)/0/WRITE: wrote entire 26 bytes request
    Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
    Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 6 bytes data)
    Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
    Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 18 bytes response
    Mar  4 07:35:58.567: TPLUS(00001241)/0/3AFD3D3C: Processing the reply packet
    Mar  4 07:35:58.567: TPLUS: Received authen response status PASS (2)
    Mar  4 07:35:58.656: HTTP: Priv level authorization success priv_level: 15
    Mar  4 07:35:58.690: %HTTPS: SSL read fail (-6992)
    Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.096: eah: Not for us
    Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.096: eah: Not for us
    Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.096: eah: Not for us
    Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.097: eah: Not for us
    Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.097: eah: Not for us
    Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.097: eah: Not for us
    Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.097: eah: Not for us
    Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
    Mar  4 07:35:59.097: eah: Not for us
    So authentication seems fine to me.
    Do I miss something in the ACS server?
    Configuration for ip http login:
    ip http secure-server
    ip http authentication aaa login-authentication TACACS
    ip http authentication aaa exec-authorization TACACS
    ip http authentication aaa command-authorization 15 TACACS
    Thanks!

    hi Erik,
    Command authorization is not supported for the GUI on the IOS-XE boxes.
    Also, can you try doing the following to check if this is a config issue.
    I see that you have used TACACS as a method list. Can you try using "default"?
    To use "default", you need to make the following changes.
    aaa authentication login default group <server-grp>
    aaa authorization exec default group <server-grp>
    On the http front, remove all the commands that you have configured below and only have this:
    ip http authentication aaa
    Can you paste the o/p of the following commands?
    sh run | sec http
    sh run | sec aaa
    Does http work instead of https?

  • Shadow Copy on 2012 R2 Only for Admins or dedicated Users

    Hi,
    Is this possible? That only dedicated users, or admins, are eligible to use Shadow Copy Restore?
    We have many home office users (not in the domain...) connected with VPN and they see the right click and Previous Versions.
    Now I'm afraid that someone could set the whole data directory back a few days or more...
    What can be done?
    Shadow copy only for admins would be nice.

    there seems no such permission to control previous version...
    this may be helpful...
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b78896ee-8364-4a02-a082-7f22e6417dc7/server-2008-and-shadow-copy-permissions?forum=winservergen
    Best,
    Howtodo

  • Powershell 4.0 How to use Add-Printer to add printer for all users (machine)

    Is there a way I can use Powershell 4.0 Add-Printer cmdlet to add a printer for all users (machine)?  I tried from an admin account but it only adds a printer for the currently logged on user.
    thanks.

    Adding a printer for all users requires having access to their profiles (and the registry hive for each user) to save the mapped printer information. Your best bet is to either use Group Policy Preferences or write a user logon script that runs when they log in and maps the printer if not already mapped.
    Group Policy Preferences Example
    I wrote an article a while back that shows how to use a GPO logon script to map a printer. It doesn't use V4, but the process would be the same as far as a GPO goes.
    http://learn-powershell.net/2012/11/15/use-powershell-logon-script-to-update-printer-mappings/
    Boe Prox

  • How to get list of Users under an Auth Group (for executable Programs)?

    Hi experts.  I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
    Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group. 
    So question is:  Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
    I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
    Thanks in advance.
    Edited by: George Esquerra on Nov 17, 2011 10:24 AM

    This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
    If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
    You can analyse how this program finds the information and incorporate it into your own logic.
    Thomas

  • Voucher based guest access for vWLC (time restricted pre created user auth codes)

    Hi all,
    Is it possible to create voucher based user auth tickets for guest wireless on the Cisco WLC?
    We are running the vWLC latest version
    Cheers, Simon

    No you can not create voucher using vWLC But you can create guest access using vWLC.
    For the Guest access deployment, please refer to the document below.
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/guest_access/technical/reference/4-1/GAccess_41.html#wp1000477

  • Authorization for User Creation for Admin user

    Dear All,
    We have Cronacle 6.0.2.
    We have a requirement where we want to create an admin user with all access to Redwood (in order to avoid using SYSJCS). We have created an admin role with which our criteria are almost met. After assigning this admin role to our newly created admin user, everything works except user & role authorization. I am not able to create, delete or alter any user or role with this user.
    I have seen that we have the Oracle system privileges related to user and role authorization (create user, alter role, etc.), but when we are trying to assign the same to the admin user, it's not allowing us to do so. We have tried the assignment using sysjcs from both RWE and from the shell using the SYJCS, RSI users.
    How can I achieve this? with which user?
    Any pointers on this would be highly appreciated.
    Thanks in advance for your help.
    Warm Regards
    Rajeet

    Hi Rajeet,
    This is because SYSJCS has the privileges to create users and roles in the database, but not the right to actually give out these privileges to other users.
    For that, you need a user with the DBA role in the database, or with the "create user" and "create role" privileges "with admin option". A user with the admin option on a privilege can hand out this privilege to other users.
    If you don't have any own users with these privileges yet, the SYSTEM user will work as well.
    Regards,
    Anton.

  • iTunes will launch for specific admin but no other user (including root).

    Mac OS X 10.6.3, iTunes 9.1.1
    I have re-installed iTunes using a different admin user and even as root and the problem persists. I have repaired permissions with root as well (after trying with 2 admin users). Permissions show as being repaired.
    I have never seen an issue on any *nix system where an app won't launch for root but will launch for a user.
    Any ideas on how to fix it or anyone know how to completely uninstall iTunes from the system to try again from scratch?

    The application starts to launch in the Dock but never finishes and I've looked all over Console's logs to try and find an error message but there isn't one. It does not bring up the "Unexpectedly Quit" dialog, either.
    If you are familiar with how apps crash on the iPhone, where they just immediately exit back to SpringBoard, it is like that.
    The strange thing is, my main account which is an administrator, does not have any problems launching iTunes. I only discovered this problem because I can't use the File Sharing feature of any of my iPad apps so I was using a different test login (also an admin) to troubleshoot. Then I thought maybe there was a permissions error I couldn't find so I logged in with root and the problem persisted there, too. I am thinking if I fix this error I will be able to use File Sharing (which works on the same iPad with my VAIO and Win7).
    I would just re-install Mac OS X but my optical drive doesn't work any more.
