Use Tacacs+ for Admin auth & Radius for user Auth?
Can I set up my Aironet 1200 to use TACACS+ for authentication back to the Cisco ACS server and RADIUS back to the same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume not.
Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group and EAP authentication to the RADIUS group.
e.g.:
aaa group server radius rad-group
server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
Now, under the SSID part of the config, have:
dot11 ssid yyyyyy
authentication open (or whatever method you use) eap eap-method
Under console/vty etc.:
login authentication auth-admin-access
You need some more stuff like RADIUS and TACACS+ server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment (see field notices). This probably doesn't apply to 1200s.
Similar Messages
-
SP2013 WF works for admin but not end-users
A simple SP2013 WF calls a SP2010 WF to send email, simple. Works for me (admin) but when a SP user edits an item on the list (which fires the WF), the WF gets to the 2010 call, and fails with this error...
RequestorId: f8c56627-e4e5-5a26-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"X-SP-SERVERSTATE":["ReadOnly=0"],"SPClientServiceRequestDuration":["61"],"SPRequestGuid":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"request-id":["f8c56627-e4e5-5a26-97ee-ad70ca4d3291"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["16.0.0.2930"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Wed, 25 Jun 2014 02:44:54 GMT"],"P3P":["CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT
NAV ONL PHY PRE PUR UNI\""],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]} at System.Activities.Statements.Throw.Execute(CodeActivityContext
context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager
bookmarkManager, Location resultLocation) Exception from activity Throw If Sequence Sequence TryCatch Sequence Microsoft.SharePoint.WorkflowServices.Activities.RetryForDurationPolicy HTTPPost_WorkflowInterop_EnableEvents WorkflowInterop DynamicActivity<Guid>
Then If Working Sequence Flowchart Sequence RCSEmailCst.WorkflowXaml_4f7b53dc_968d_4e22_a812_3178e7b01bad
Spent an hour on phone with M$ support, only to be told it's my fault and I have to re-design my WF...if my WF gets any simpler I'll have to use carrier pigeons to get messages to customers!
I've Googled the error message; results suggest that User Profile Sync is out of whack, but M$ support swears up & down our sync is working fine.
Anyone?
Edit to add: we have a hosted implementation of SP2013, NOT on-prem
Hi,
According to your description, my understanding is that the SharePoint 2013 workflow does not work for end users in your environment.
For your issue, it can be a permission issue for the user initiating the workflow. Please make sure the site feature "Workflows can use app permissions" is activated: go to Site actions > Site Settings >
Site features > Workflows can use app permissions. Make sure the user is a member of a SharePoint Group.
Also, please provide more detailed information about the error message to determine the exact cause. You can have a look at this blog:
http://ranaictiu-technicalblog.blogspot.com/2013/03/sharepoint-2013-workflow-debugdiagnosis.html
Best Regards,
Eric
Eric Tao
TechNet Community Support -
Tacacs+ for exec and radius for ppp on the same ras
Hi, I'm going to implement TACACS+ for exec control and RADIUS for PPP control on a RAS router, using the same ACS for TACACS+ and RADIUS sessions.
Is there any problem with this kind of configuration?
Thank you in advance
Renato
I have recently done something very similar at a customer site. On a remote access server we configured it to use TACACS for exec control and to use Radius for ppp. In our case we are using different servers but I do not think that would be an issue. We also are generating aaa accounting records for the ppp sessions and sending the accounting records to the TACACS server. I have not had any particular problems with getting this to work.
HTH
Rick -
No text in box asking for admin UN/PW, cannot enter text
I migrated a user to another machine using Migration Assistant. Two odd things have come up:
1. His name at the upper right corner is off center in the menu bar. It's a little too high.
2. A keychain dialog box came up and a dialog box came up for admin UN/PW for something else. There is no text in the boxes and I cannot enter anything.
It's a new image I have rolled out to about 100 users no problem. It doesn't happen with any other user on the machine so I am sure it's something in his home. Is there a preference or something that could be corrupt that is causing this?
Thanks
No can do. Got to be an easier way. HD failing on user's old machine. Hardware failure. Deleting the profile and moving it over again is the easy way out... if I could do it.
-
Aaa-reports! v2.1 supports TACACS+ Device Admin Audit Reporting
extraxi is proud to announce a new release of aaa-reports! with support for TACACS+ Device Admin (TDA) reports for audit compliance.
Previous versions had the ability to import the Cisco Secure ACS database dump file and generate reports for group summaries, inactive users, expired and disabled user accounts.
But in v2.1 we've gone much deeper. In this release we provide new reports to more fully document your TACACS+ Device Administration (TDA) config:
* Group level Network Access Restrictions (NARs)
* Shared NARs
* Group level service & protocol authorization
* Group level enable authorization
* Group level shell command authorization
* Shared Device Command Sets (DCS) for shell & pixshell
* Network Device Group (NDG) content
With these additions you will at last be able to document your "policy intent" without having to either take screen dumps of the ACS Admin web pages, or write it down by hand!!
And the reports don't stop at config documentation... they can also show you
* Which groups/users have permit access to specific devices (or device group)
* What commands a group/user is authorised to execute against a specific device (or device group)
* What groups/users make reference to a given Shared Network Access Restriction (NAR) or Shared Device Command Set (DCS)
* Which Shared NARs and DCSs are not referenced at all
aaa-reports! v2.1 now supports several methods for importing the ACS Database:
* acsdb.cab - via extraxi "getacsdb" utility for v3.x
* package.cab - via 4.x cssupport/support admin page
All in all, aaa-reports! v2.1 is what ACS users have been crying out for to make network security auditing less painful!
Visit http://www.extraxi.com to download a working 60 day trial.
-
Hi All,
We have verified permissions on both sides,current server and linked server, the user has sysadmin.
Another key piece of information is that this is happening when executing a SQL Job.
Thanks.
Related:
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/328616e9-42cb-40d7-a4b1-671d6a492d8f/linked-servers-cannot-be-used-under-impersonation-without-a-mapping-for-the-impersonated-login?forum=sqldatabaseengine
https://support.microsoft.com/kb/2492477?wa=wsignin1.0
http://sshakespeareblog.co.uk/2013/07/31/sql-linked-server-and-sql-server-agent/
Kalman Toth Database & OLAP Architect -
Using Lion Server Radius for authenticating "other" clients
Hi, I've been trying to get the RADIUS service in Lion Server to authenticate users of my Squid web proxy. I have followed the Squid wiki's instructions to configure the Squid server as a RADIUS client and pass authentication requests to the Lion Server RADIUS (I hope). However, I'm still trying to configure and test the Lion Server RADIUS. As Lion Server's Admin GUI for RADIUS only lets you add AirPort base stations, I've been digging around for the underlying config files to edit. I have tried two methods of adding the client details to RADIUS:
1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
client localhost {
    secret = mysecretpassphrase
}
client 192.168.0.0/24 {
    secret = mysecretpassphrase
    shortname = local-lan-clients
}
and restarting Squid. Nothing gets mentioned in the RADIUS log file, so I'm not completely convinced that the Lion RADIUS took any notice of this!
2. Instead of above, added the same client info using radiusconfig:
$ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
- then it prompts for the secret. With this command I notice the entry/event is recognised in the RADIUS log file, and it also looks like there is some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
OK, so forgetting about Squid for a minute, I can't even get that far, as I'm just trying to test the config using the "radclient" utility from the Lion Server and the Squid server:
$ sudo radclient localhost auth mysecretpassphrase <return>
and... no response; it just hangs, and there's nothing in the RADIUS log either.
The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? E.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any AirPort base stations added to RADIUS will use this certificate to establish a secure connection for authentication.
The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it, which only allows adding AirPort base stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base station.
However, if you follow the normal command-line instructions and steps for configuring FreeRADIUS, it will be possible to add any type of RADIUS client.
While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid to, in this case, authenticate directly to Open Directory (which is of course based on LDAP).
I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid proxy server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/ -
Cisco Nexus 5K + Microsoft Radius for Admin Authentication
Hi,
I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well, so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
I tried it earlier but it won't accept 3750 commands. Can you please help me with a configuration example that I can follow?
the commands I have used on 3750 are as follows:
aaa new-model
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
radius-server host x.x.x.x key SECRETE
line con 0
exec-timeout 5 0
authorization exec conlogin
logging synchronous
login authentication conlogin
line vty 0 4
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
line vty 5 15
exec-timeout 0 0
authorization exec vtylogin
login authentication vtylogin
transport input ssh
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
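The radclient test in the Lion Server thread above and the cisco-av-pair attribute in the Nexus answer are both plain RFC 2865 on the wire. The following is an added example (not code from either post): it builds an Access-Request the way radclient does, constructs the Access-Accept a server would return with the NX-OS roles attribute, and checks the Response Authenticator; the shared secret, username, password and role string are made-up sample values and no network is used.

```python
"""RADIUS Access-Request / Access-Accept exchange carrying a Cisco cisco-av-pair VSA.
Added example, not code from the posts above: the server reply is built locally (no
network), and the secret, user, password and role string are made-up sample values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26  # attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                  # VSA vendor 9, vendor-type 1

def _xor_blocks(data, secret, authenticator, chain_on_output):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if chain_on_output else block  # hiding chains on output, unhiding on input
    return out

def hide_password(password, secret, authenticator):
    """Pad to a 16-byte multiple and hide; this MD5 stream is all that protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, authenticator, chain_on_output=True)

def unhide_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, chain_on_output=False).rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value attribute; the length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(body):
    pos, out = 0, []
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return out

def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor-id 9 / vendor-type 1 cisco-av-pair."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def access_request(user, password, secret, ident=0, authenticator=None):
    """Client side (what radclient sends): fresh random Request Authenticator per request."""
    authenticator = authenticator or os.urandom(16)
    body = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def access_accept(request, secret, attrs):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(request, response, secret):
    """Client side: trust a reply only if id, our Request Authenticator and the secret all match."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and expected == response[4:20]

def decode_avpairs(response):
    """Every cisco-av-pair string in an Access-Accept, e.g. the NX-OS shell:roles value."""
    pairs = []
    for atype, value in parse_attrs(response[20:]):
        if atype == VENDOR_SPECIFIC and len(value) > 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [sub.decode() for stype, sub in parse_attrs(value[4:]) if stype == CISCO_AVPAIR]
    return pairs

if __name__ == "__main__":
    secret = b"mysecretpassphrase"  # constructed sample shared secret
    req = access_request("admin", "Pa55word", secret, ident=7)
    acc = access_accept(req, secret, [cisco_avpair('shell:roles*"network-admin vdc-admin"')])
    print(verify_response(req, acc, secret), decode_avpairs(acc))
    print(verify_response(req, access_accept(req, b"wrong", []), secret))  # reply from wrong secret
```

A reply built with a different secret (or for a different request) fails verify_response, which is why a wrong shared secret shows up as silence or "no response" from radclient rather than a clear error.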
Cisco 3650 tacacs+ with SSH works, not for http to use wireless GUI
Hi
Last week I installed a brand new Cisco 3650 switch and the wireless option.
Everything works fine.
I also configured tacacs+. Login through SSH works fine.
Now I want to manage the wireless part from the GUI by entering https://ip-address/wireless
Local authentication with priv 15 works fine.
Now I configured TACACS. After entering username and password I received a blank screen.
After debugging, I got an SSL failure.
Mar 4 07:35:53.675: eah: url=/wireless is for us with a secondary connection
Mar 4 07:35:53.675: eah: Secondary authentication required for realm priv_15_access
Mar 4 07:35:53.675: Tue, 04 Mar 2014 07:35:53 GMT <source address> /wireless auth_required
Protocol = HTTP/1.1 Method = GET
Mar 4 07:35:53.675:
Mar 4 07:35:53.799: %HTTPS: SSL read fail (-6992)
Mar 4 07:35:58.400: eah: url=/wireless is for us with a secondary connection
Mar 4 07:35:58.401: eah: Secondary authentication required for realm priv_15_access
Mar 4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
Mar 4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
Mar 4 07:35:58.401: TPLUS: Queuing AAA Authentication request 4673 for processing
Mar 4 07:35:58.401: TPLUS: processing authentication start request id 4673
Mar 4 07:35:58.401: TPLUS: Authentication start packet created for 4673(my username)
Mar 4 07:35:58.402: TPLUS: Using server <tacacs server IP>
Mar 4 07:35:58.407: TPLUS(00001241)/0/NB_WAIT/3AF752D4: Started 5 sec timeout
Mar 4 07:35:58.449: TPLUS(00001241)/0/NB_WAIT: socket event 2
Mar 4 07:35:58.450: TPLUS(00001241)/0/NB_WAIT: wrote entire 37 bytes request
Mar 4 07:35:58.450: TPLUS(00001241)/0/READ: socket event 1
Mar 4 07:35:58.450: TPLUS(00001241)/0/READ: Would block while reading
Mar 4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
Mar 4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Mar 4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
Mar 4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 28 bytes response
Mar 4 07:35:58.511: TPLUS(00001241)/0/3AF752D4: Processing the reply packet
Mar 4 07:35:58.511: TPLUS: Received authen response status GET_PASSWORD (8)
Mar 4 07:35:58.512: TPLUS: Queuing AAA Authentication request 4673 for processing
Mar 4 07:35:58.512: TPLUS: processing authentication continue request id 4673
Mar 4 07:35:58.512: TPLUS: Authentication continue packet generated for 4673
Mar 4 07:35:58.512: TPLUS(00001241)/0/WRITE/3AFD3D3C: Started 5 sec timeout
Mar 4 07:35:58.512: TPLUS(00001241)/0/WRITE: wrote entire 26 bytes request
Mar 4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
Mar 4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Mar 4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
Mar 4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 18 bytes response
Mar 4 07:35:58.567: TPLUS(00001241)/0/3AFD3D3C: Processing the reply packet
Mar 4 07:35:58.567: TPLUS: Received authen response status PASS (2)
Mar 4 07:35:58.656: HTTP: Priv level authorization success priv_level: 15
Mar 4 07:35:58.690: %HTTPS: SSL read fail (-6992)
Mar 4 07:35:59.096: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.096: eah: Not for us
Mar 4 07:35:59.096: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.096: eah: Not for us
Mar 4 07:35:59.096: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.096: eah: Not for us
Mar 4 07:35:59.097: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.097: eah: Not for us
Mar 4 07:35:59.097: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.097: eah: Not for us
Mar 4 07:35:59.097: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.097: eah: Not for us
Mar 4 07:35:59.097: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.097: eah: Not for us
Mar 4 07:35:59.097: eah: urlhook called for url=/favicon.ico
Mar 4 07:35:59.097: eah: Not for us
So authentication seems fine to me.
Do I miss something in the ACS server?
Configuration for ip http login:
ip http secure-server
ip http authentication aaa login-authentication TACACS
ip http authentication aaa exec-authorization TACACS
ip http authentication aaa command-authorization 15 TACACS
Thanks!
Hi Erik,
Command auth is not supported for the GUI on IOS-XE boxes.
Also, can you try doing the following to check if this is a config issue?
I see that you have used TACACS as a method list. Can you try using "default"?
To use "default", you need to make the following changes:
aaa authentication login default group <server-grp>
aaa authorization exec default group <server-grp>
On the http front, remove all the commands that you have configured below and only have this:
ip http authentication aaa
Can you paste the o/p of the following commands?
sh run | sec http
sh run | sec aaa
Does http work instead of https? -
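Added example, not from the post: a small parser over the debug lines quoted above that separates the TACACS+ exchange (GET_PASSWORD, then PASS, then priv 15 authorized) from the %HTTPS SSL read fail, which is the triage the answer is making. SAMPLE_LOG is an excerpt of the post's own debug output; the verdict wording is this example's own.

```python
"""Triage of IOS 'debug tacacs' / HTTP AAA output such as the lines quoted above.
Added example, not from the post.  SAMPLE_LOG is an excerpt of the post's own
debug output; the verdict wording is this example's own."""
import re

SAMPLE_LOG = """\
Mar 4 07:35:53.799: %HTTPS: SSL read fail (-6992)
Mar 4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
Mar 4 07:35:58.402: TPLUS: Using server <tacacs server IP>
Mar 4 07:35:58.511: TPLUS: Received authen response status GET_PASSWORD (8)
Mar 4 07:35:58.567: TPLUS: Received authen response status PASS (2)
Mar 4 07:35:58.656: HTTP: Priv level authorization success priv_level: 15
Mar 4 07:35:58.690: %HTTPS: SSL read fail (-6992)
"""

# One regex per line type the triage cares about.
RE_LIST = re.compile(r"HTTP AAA Login-Authentication List name: (\S+)")
RE_SERVER = re.compile(r"TPLUS: Using server (.+?)\s*$")
RE_AUTHEN = re.compile(r"TPLUS: Received authen response status (\w+) \((\d+)\)")
RE_PRIV = re.compile(r"HTTP: Priv level authorization success priv_level: (\d+)")
RE_SSL = re.compile(r"%HTTPS: SSL read fail \((-?\d+)\)")

def triage(log):
    """Separate the TACACS+ exchange from the HTTPS session and say which one failed."""
    r = {"list_name": None, "server": None, "authen": [], "priv_level": None,
         "ssl_read_fail": 0, "ssl_codes": []}
    for line in log.splitlines():
        m = RE_LIST.search(line)
        if m:
            r["list_name"] = m.group(1)
        m = RE_SERVER.search(line)
        if m:
            r["server"] = m.group(1)
        m = RE_AUTHEN.search(line)
        if m:
            r["authen"].append((m.group(1), int(m.group(2))))  # e.g. ("PASS", 2)
        m = RE_PRIV.search(line)
        if m:
            r["priv_level"] = int(m.group(1))
        m = RE_SSL.search(line)
        if m:
            r["ssl_read_fail"] += 1
            if int(m.group(1)) not in r["ssl_codes"]:
                r["ssl_codes"].append(int(m.group(1)))
    # The last authen status decides: GET_PASSWORD is only the server asking for the password.
    authen_ok = bool(r["authen"]) and r["authen"][-1][0] == "PASS"
    r["aaa_ok"] = authen_ok and r["priv_level"] is not None
    if not authen_ok:
        r["verdict"] = "TACACS+ authentication never reached PASS: check server reachability, key and user"
    elif r["priv_level"] is None:
        r["verdict"] = "authentication passed but no privilege-level authorization was seen"
    elif r["ssl_read_fail"]:
        r["verdict"] = ("AAA succeeded (authentication PASS, priv %d authorized); the blank page "
                        "comes from the HTTPS layer, not the TACACS+ server" % r["priv_level"])
    else:
        r["verdict"] = "AAA succeeded and no SSL errors were logged"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-14s %s" % (key, value))
```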
Shadow Copy on 2012 R2 Only for Admins or dedicated Users
Hi,
Is this possible? That only dedicated users or admins are eligible to use Shadow Copy Restore?
We have many home office users (not in the domain...) connected with VPN, and they see the right click and Previous Versions.
Now I'm afraid that someone could set the whole data directory back a few days or more...
What can be done?
Shadow copy only for admins would be nice.
There seems to be no such permission to control Previous Versions...
This may be helpful...
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b78896ee-8364-4a02-a082-7f22e6417dc7/server-2008-and-shadow-copy-permissions?forum=winservergen
Best,
Howtodo -
Powershell 4.0 How to use Add-Printer to add printer for all users (machine)
Is there a way I can use Powershell 4.0 Add-Printer cmdlet to add a printer for all users (machine)? I tried from an admin account but it only adds a printer for the currently logged on user.
thanks.
Adding a printer for all users requires having access to their profiles (and the registry hive for each user) to save the mapped printer information. Your best bet is to either use Group Policy Preferences or write a user logon script that runs when they log in and maps the printer if not already mapped.
Group Policy Preferences Example
I wrote an article a while back that shows how to use a GPO logon script to map a printer. It doesn't use V4, but the process would be the same as far as a GPO goes.
http://learn-powershell.net/2012/11/15/use-powershell-logon-script-to-update-printer-mappings/
Boe Prox -
How to get list of Users under an Auth Group (for executable Programs)?
Hi experts. I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group.
So question is: Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
Thanks in advance.
Edited by: George Esquerra on Nov 17, 2011 10:24 AM
This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
You can analyse how this program finds the information and incorporate it into your own logic.
Thomas -
Voucher based guest access for vWLC (time restricted pre created user auth codes)
Hi all,
Is it possible to create voucher-based user auth tickets for guest wireless on the Cisco WLC?
We are running the latest vWLC version.
Cheers, Simon
No, you cannot create vouchers using vWLC, but you can create guest access using vWLC.
For the guest access deployment, please refer to the document below.
http://www.cisco.com/c/en/us/td/docs/wireless/technology/guest_access/technical/reference/4-1/GAccess_41.html#wp1000477 -
Authorization for User Creation for Admin user
Dear All,
We have Cronacle 6.0.2.
We have a requirement where we want to create an admin user with all access to Redwood (in order to avoid using SYSJCS). We have created an admin role with which our criteria are almost met. After assigning this admin role to our newly created admin user, everything works except user & role authorization. I am not able to create, delete or alter any user or role with this user.
I have seen that we have the Oracle system privileges related to user and role authorization (create user, alter role, etc.), but when we are trying to assign the same to the admin user, it's not allowing us to do so. We have tried the assignment using SYSJCS from both RWE and from the shell using the SYSJCS and RSI users.
How can I achieve this? with which user?
Any pointers on this would be highly appreciated.
Thanks in advance for your help.
Warm Regards
Rajeet
Hi Rajeet,
This is because SYSJCS has the privileges to create users and roles in the database, but not the right to actually give out these privileges to other users.
For that, you need a user with the DBA role in the database, or with the "create user" and "create role" privileges "with admin option". A user with the admin option on a privilege can hand out this privilege to other users.
If you don't have any own users with these privileges yet, the SYSTEM user will work as well.
Regards,
Anton. -
ITunes will launch for specific admin but no other user (including root).
Mac OS X 10.6.3, iTunes 9.1.1
I have re-installed iTunes using a different admin user and even as root and the problem persists. I have repaired permissions with root as well (after trying with 2 admin users). Permissions show as being repaired.
I have never seen an issue on any *nix system where an app won't launch for root but will launch for a user.
Any ideas on how to fix it, or does anyone know how to completely uninstall iTunes from the system to try again from scratch?
The application starts to launch in the Dock but never finishes, and I've looked all over Console's logs to try and find an error message but there isn't one. It does not bring up the "Unexpectedly Quit" dialog, either.
If you are familiar with how apps crash on the iPhone, where they just immediately exit back to SpringBoard, it is like that.
The strange thing is, my main account which is an administrator, does not have any problems launching iTunes. I only discovered this problem because I can't use the File Sharing feature of any of my iPad apps so I was using a different test login (also an admin) to troubleshoot. Then I thought maybe there was a permissions error I couldn't find so I logged in with root and the problem persisted there, too. I am thinking if I fix this error I will be able to use File Sharing (which works on the same iPad with my VAIO and Win7).
I would just re-install Mac OS X but my optical drive doesn't work any more.