Using RADIUS without enabling AAA

Is there any way I can use a RADIUS server without enabling/using AAA?
Is there any command "ip auth radius ..."?
Couldn't find anything on Cisco as such.

Swapnendu
Am I correct in assuming that you are talking about IOS-based routers or CatOS switches? If so, I believe that the only way to use RADIUS is to use AAA.
HTH
Rick

Similar Messages

  • How to execute operating system commands by using TSQL without enabling xp_cmdshell.

    Hi Experts
    Looking for advice on whether one can use operating system commands using TSQL without enabling xp_cmdshell.
    Actually, using xp_cmdshell requires sysadmin privs, which I am unable to provide (directly or using a proc) to a user, but the user needs some operating system commands to execute for file manipulation from a SQL Server session. Please share your thoughts.
    Best Regards 
    khalil

    >but the user needs some operating system commands to execute for file manipulation from sql server session
    See article here
    http://www.mssqltips.com/sqlservertip/2014/replace-xpcmdshell-command-line-use-with-sql-server-agent/:
    "Problem
    I need to run something from the command-line, but based on best practices xp_cmdshell has been disabled. The task that needs to run is an internal process that will originate from within SQL Server. Is there a way to do this without using xp_cmdshell?
    Solution
    The use of xp_cmdshell is generally frowned upon and is now recommended to be disabled, unless it is absolutely necessary.  There is a solution that works around this restriction via the use of SQL Server Agent.
    Wherever SQL Server is installed, SQL Server Agent is installed with it (except for SQL Express). SQL Server Agent has the ability to run job steps which invoke the command shell. And in the case that the job is owned by a member of the sysadmin fixed server
    role, the job will execute as the service account under which the SQL Server Agent is running. "
    Kalman Toth Database & OLAP Architect

  • Control access using Radius without ACS

    I want to log into my IPS using my existing RSA SecurID using RADIUS. Is it possible to use a RADIUS attribute in the RSA to tell the IPS what privilege/role the user is? The idea is I don't create users on the IPS; if a user tries to log on, it authenticates them via RADIUS running on the RSA server, and if the user is allowed to log onto that client IP (the IPS) then it will allow them to log on but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? Any guidance would be great.

    Yes, you should be able to specify the user role on the radius server.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1276213
    Regards,
    Sawan Gupta

  • AAA using RADIUS

    Good morning all,
    I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
    Dwane

    For routers and IOS switches:
    aaa new-model
    aaa authentication banner *Unauthorized Access Prohibited*
    aaa authentication login default group radius
    radius-server host 10.10.10.10 (your acs device)
    radius-server key cisco123
    radius-server configure-nas
    username nmg password telnet
    aaa authentication ppp dialins group radius local
    aaa authentication login nmg local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius
    aaa processes 16
    line 1 16
    login authentication
    For CatOS switches:
    Set radius-server 10.10.10.10
    show radius
    set radius key cisco123
    set authentication login radius enable
    set authentication enable radius enable
    show authentication
    set radius timeout 5
    set radius retransmit 3
    set radius deadtime 3
    For Pix Firewalls:
    aaa authentication ssh console radius LOCAL
    aaa authentication telnet console radius LOCAL
    aaa-server radgroup protocol RADIUS
    max-failed-attempts 2
    reactivation-mode depletion deadtime 5
    exit
    (NOTE: This will depend on the location of the PIX firewall)
    aaa-server radgroup (inside) host 10.10.10.10
    key XXXXXXX
    exit
    aaa-server radgroup(inside) host 10.10.10.10
    key XXXXXX
    exit
    This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
    If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.
    Hope this helps some. I had a lot of help from Cisco TAC on this.
    Dwane

  • AAA using Radius with 802.1x

    Hello there,
    We're going to be implementing 802.1x on our network of some really old switches (6509 Cat OS with MSFC 2).  We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS.  How is that going to work?  Do I just add another RADIUS server in my radius server command and, more importantly, will .1x work on Cat OS running 8.2.1?  I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old Cat OS switches to see what kind of gotchas I can expect to run into.
    Any advice or assistance would be greatly appreciated!
    Thanks
    Kiley

    Salodh,
    Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports.  Thanks very much for your reply!

  • [svn] 3515: Catch misconfigured servers that attempt to use advanced messaging features without enabling the AdvancedMessagingSupport service .

    Revision: 3515
    Author: [email protected]
    Date: 2008-10-07 16:27:09 -0700 (Tue, 07 Oct 2008)
    Log Message:
    Catch misconfigured servers that attempt to use advanced messaging features without enabling the AdvancedMessagingSupport service.
    Bug: LCDS-397 - Not getting configuration exception when destination has reliable set to true but AdvancedMessagingSupport service is not defined.
    QA: Yes
    Doc: No
    Checkintests Pass: Yes
    Details:
    * ConfigurationException is now thrown during startup in the misconfigured scenario in the bug report.
    * Also cleaned up a few Java 1.5 warnings.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-397
    Modified Paths:
    blazeds/trunk/modules/common/src/flex/messaging/config/ConfigurationConstants.java
    blazeds/trunk/modules/common/src/flex/messaging/errors.properties
    blazeds/trunk/modules/common/src/flex/messaging/util/BasicPrettyPrinter.java
    blazeds/trunk/modules/common/src/flex/messaging/util/ExceptionUtil.java
    blazeds/trunk/modules/core/src/flex/messaging/config/ServerConfigurationParser.java


  • Local Webauth WLC using radius database

    Hi all,
    I was implementing local Webauth on the WLC, not using local auth. I use a RADIUS database.
    at least I try to add on my  WLAN:
    layer 3 web auth  authentication
    layer 2 security is WPA/WPA2 PSK
    adding aaa radius server
    aaa radius "network user" check list  enabled
    web auth priority order
    radius
    LDAP
    After I test the WLAN, I can't log in using the RADIUS database.
    But if I implement the security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
    Is there anything missing in my config for implementing the webauth method?
    Thanks
    ridho

    Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. What RADIUS server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

  • Assigning privilege level using Radius

    I'm trying to assigned a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).
    I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
    How can I configure the RADIUS server/router so that when I get successfully authenticated, the router# prompt is shown?
    I've configured the router as below:
    aaa authentication login vtymethod group radius enable
    aaa authorization exec vtymethod group radius local
    radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
    line vty 0 4
    authorization exec vtymethod
    login authentication vtymethod
    On the Radius, I've configured as below:
    In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
    Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
    Is there something I'm missing?
    Appreciate the help.
    Thanks.
    sweeann

    Hi
    I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
    Given that ACS supports both and that T+ is a superior protocol for device admin.
    I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!

  • I want to use Thunderbird without saving e-mails to PC. How is this possible?

    I want to use Thunderbird without saving any e-mail to local folder in my PC.
    Can you please help me on this?
    thanks.

    There are two types - POP and IMAP
    You would need to logon to your webmail account using a browser and select the option to use IMAP forwarding - assuming that option is available.
    Pop mail accounts can only access the server Inbox.
    Emails are downloaded to your computer and stored in your Thunderbird Profile folder. So this type may not suit your requirements.
    IMAP mail accounts offer a remote view of folders and emails stored on the server.
    You subscribe to see those folders. Then Headers are downloaded and when you select to view an email, the email is downloaded to a temp cache.
    Subscribed folders that are synchronised, download a copy of the folder and store it in your Thunderbird Profile. But these folders are constantly updated to reflect what is stored on the server.
    So your best option would be to create IMAP mail account, subscribe to see folders on the server, but do not select to synchronise those subscribed folders.
    Emails stored in your Thunderbird Profile on your computer load faster than those that have to be retrieved from the server each time.
    Info on synchronising, so you can see how to enable/disable.
    * https://support.mozilla.org/en-US/kb/imap-synchronization

  • Can port 25 be used for SSL-enable SMTP server ?

    Hi,
    Our customer is using port 25 for a SSL-enabled SMTP server without certificate. When our email client tried to connect to it, the following exception thrown:
    DEBUG SMTP: exception reading response: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    Since we don't want to ask our customer to change their port configuration unless absolutely necessary, we did some tests with our own SSL-enabled SMTP server that uses certificate. Here is what I got:
    1) with port 25, got the same exception as above;
    2) with port 465, worked fine;
    3) with any other randomly pick up valid port, worked fine.
    This made me wonder if 25 is for non SSL SMTP server ONLY. By the way, I'm using Javamail 1.3.4 and JSDK 1.4.2_02. My question is whether we can configure javamail so that port 25 can be used by SSL-enabled SMTP server?
    Your help will be appreciated.

    Yes, port 25 is intended for non-SSL servers only, although that doesn't
    prevent a client from making a plain text connection and then using the
    STARTTLS command to switch the connection to SSL/TLS. JavaMail 1.4
    supports that usage.
    You can configure JavaMail to use port 25 for SSL connections if you
    really want to. JavaMail 1.3.x requires you configure an appropriate
    socket factory to get SSL connections; you can configure whatever port
    you want for use with that socket factory.

  • Enabling aaa authorization on pix/asa

    I managed to get authentication on easily enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on Secure ACS. However, I can't get the same to work on PIX code. I can log in fine with aaa authentication but it still prompts me for the enable password. End result is I want to be able to log in just once (and enabled). Any white papers that can point me the right way?

    Thank you, Prem. here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as the IOS gear I have where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
    EDIT:
    Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this auths against our ACS server (I checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I enter the enable password when I telnet in and I get auth failed when running any commands.
    Also there is an Authorization tab which I am assuming allows to you to push down rights from an aaa server? Where on the ACS can I configure that?

  • Unable to use keyboard without Caps Lock on

    Hi Guys, I gave my keyboard a little bit of a clean the other day (with relevant wipes) and since then my keyboard is not functioning correctly.  It did turn itself on once or twice during the process, so I have clearly hit something I shouldn't have
    The problem I have is that I can't use the keyboard without enabling the CAPS Lock.  Without using the CAPS Lock pressing random keys, produces random effects (mainly functional things) and with the CAPS LOCK on I can type normally, just all in caps (for this I am using my desktop!)
    Troubleshooting to date:-
    Accessibility => Mouse & Trackpad => Enable Mouse Keys (off) always has been
    Accessibility => Keyboard Preferences => Short Cuts => Restored to Default
    Accessibility => Keyboard Preferences => Input Sources => British
    Accessibility => Keyboard Preferences => Modifier Keys => Restored to Default
    I have a setup another user account but the problem persists in all accounts
    I have tried other applications but the problem is replicated
    I have rebooted several times to no effect
    OSX 10.9 (all updates up to date)
    Any help would be greatly appreciated.
    Thanks in advance.
    Oh, additionally the trackpad seems to be doing slightly random things, i.e. standard run click actually brings up sub menus!

    Since no one else is jumping it I’ll suggest the general cures of
    SMC reset
    http://support.apple.com/kb/HT3964
    and PRAM reset
    http://support.apple.com/kb/PH4405
    You have tried quite a few cures so if these don’t work take it to an Apple Genius Bar for a free diagnosis and estimate of repairs.
    Genius reservation http://www.apple.com/retail/geniusbar/ .

  • Can you use AirPrint without a computer

    I found out that there will be no printer in the Paris apartment we will be using, but there is wifi.  We will have need of a printer, and would bring one, but don't want to bring our laptops.  We just want to use ipads and iphones this trip, but would need to be able to print via airprint to an airprint-enabled printer with no computer involved on any level.  Printers that seem to say no computer is needed to print via airprint still include CDs which must be installed on a computer.  Theoretically, I guess if you set the printer up here with a computer, the printer could then be used elsewhere without a computer--but there is no way to put a network wifi password into most printers without a computer.  Does anyone know of a transportable, relatively inexpensive printer that will truly not require a computer to work with airprint?
    Thanks!  This has been a continuing problem, as we will be there for a month.

    There are other technologies besides Airprint, and many of them require a computer.  An airprint printer does not.
    Check the airprint printers listed here (click on the brand to get a page of models) ...
    http://support.apple.com/kb/HT4356?viewlocale=en_US&locale=en_US

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication, the good news is that it is very easy.  Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted Radius, etc.  Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address.  Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802, and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for the Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password.  Then check the Separate (CHAP/MS-CHAP/ARAP) box.  Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure in the specifics, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.
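The MAC-based scheme described in the reply above, as an added example that is not part of the original post: it normalizes MAC addresses to the user-name form the reply describes and renders the three tunnel reply attributes per device. The function names, the VLAN names and the FreeRADIUS-style `users` layout are assumptions made for illustration; the first MAC address is taken from the question.

```python
import re

# RFC 3580 tunnel attributes named in the reply for VLAN assignment.
VLAN_REPLY = (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"))

# Constructed sample: VLAN *names* are made up (the reply says the
# Tunnel-Private-Group-ID carries the VLAN name, not the number).
SAMPLE = {"aaaa.bbbb.cccc": "VLAN0010", "BB:BB:CC:CC:DD:DD": "VLAN0020"}


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, the form the reply uses
    for both the RADIUS user name and the password."""
    stripped = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", stripped):
        raise ValueError(f"not a MAC address: {mac!r}")
    return stripped


def build_entries(mac_to_vlan):
    """Map normalized MAC -> VLAN name. Rejects MACs that collide once the
    notation is stripped, and VLAN names outside a conservative character
    set (an assumption) so they cannot break the quoting below."""
    entries = {}
    for mac, vlan in mac_to_vlan.items():
        key = normalize_mac(mac)
        if key in entries:
            raise ValueError(f"duplicate MAC after normalization: {mac!r}")
        if not re.fullmatch(r"[A-Za-z0-9_\-]{1,32}", vlan):
            raise ValueError(f"unsafe VLAN name: {vlan!r}")
        entries[key] = vlan
    return entries


def render_users_file(entries):
    """Render FreeRADIUS-style users entries, one block per MAC."""
    blocks = []
    for mac, vlan in sorted(entries.items()):
        lines = [f'{mac} Cleartext-Password := "{mac}"']
        attrs = list(VLAN_REPLY) + [("Tunnel-Private-Group-Id", f'"{vlan}"')]
        for i, (name, value) in enumerate(attrs):
            sep = "," if i < len(attrs) - 1 else ""
            lines.append(f"\t{name} = {value}{sep}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_users_file(build_entries(SAMPLE)), end="")
```
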

  • How to launch an App with Root privileges - without enabling "root" user ac

    Is there a reliable way to launch an Application so that it can run with "root" privileges, but without enabling the OSX root account and logging in to that account?
    There is an old (and, presumably, obsolete) application called "Pseudo" which used to facilitate this, but I doubt it would be safe or reliable under OSX 10.5.
    So, does anyone have any suggestions?

    For a more permanent method, run the following command on the same file:
    sudo chmod u+s
    if the item is owned by root. This may be undone by the repair permissions command.