VCS Local database Authentication

Similar Messages

• Default VCS certificate - SIP-TLS Local Database Registration

  Hi,
  Can someone please tell me if it's possible to use the default VCS certificate for SIP-TLS registration for endpoints listed under the local database? If so will this work by default or is there extra configuration required?
  Thanks

  Hello Ovindo -
  Because you're running a VCS with X7.2.2 software, and using an guide that's meant for X7.0, what you're looking for has changed since that guide.
  Please take a look at the X7.2.2 release notes on page 10, "Device Authentication".
  You should be using this device authentication guide for your version of VCS software.

• ACS Authentications via RSA or local database

  Hi Expert,
  Currently, I have a group of devices authenticate through RSA. Now, we are implementing Nagios monitoring system that require backup device configuration through ACS local database. Is that possible to create a login credential using local database while maintain two form factor authentication?
  Cheers,
  Jeffrey

  Hi,
  We had a same sceraria as well, which is required login credential by using ACS local database only as our NMS do not support two form factor login. Currently, we are using ACS 5.2. Appreciate if you could provide us some idea on this. Thanks!

• After upgrading ACS 3.3.1 to 4.2 on windows the local database is not working

  Hi,
  I have upgaded the ACS 3.3.1 for windows server to 4.2. Everything went fine but the local database is not working.
  The CD is an upgrade kit from 3.x to 4.2 on windows. I tried to install directly the 4.2 I was able to install but integration with AD/LDAp is not working. Anysay its an upgrade kit so I cant expect it shoud work when install drectly the 4.2 but by upgrading from 3.3 to 4.2 everything should work fine.
  I followed the upgradation path as recomended.
  Also we have a requirment that once it is upgraded to 4.2 we need to shift the whole thing from the physical server to a virtual machine on VMware ESX server 3.5.
  Can anybody pls guide me if anything else to do after the upgradation.
  Thanks & Regards
  Sachi

  Hi Javier,
  First of all I was facing a problem of restoring the old database of 3.3 to 4.2. Somehow I overcame that issue by following the below steps. Now local authentication is working fine but AD/other External database authentication is not working. As you told the setting for the unknown users are configured to fetch the credentials from the external database if it is not in the local database.
  Do we need to do anything in the AD itself?
  Regards
  Sachi
  Steps for ACS upgrade to 4.2 version
  Below are the requested steps mentioned for the up gradation from ACS 3.3.2 to ACS 4.2.
          1)     Take a configuration backup from existing ACS. ACS--->System
  configuration----> ACS Backup
  2)    now if you have  ACS 3.3.2 on server. take backup of the ACS
  3)   Insert the cd or if you have the set up on the system then  Run the setup of ACS 3.3.4. During the process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 3.3.4 upgrade.
  4)     Once you are at 3.3.4, take a backup and keep it handy.
  5)     Run the setup of 4.1.1. During this process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 4.1 upgrade.
  6)Once you are at 4.1.1.24 take a backup and keep it handy.
  7)     Run the setup of 4.2. During this process it will prompt you to
  upgrade existing configuration. Make sure you check that option else we will
  loose the database. Now you need to hit next.next to finish the 4.2 upgrade.
  8)     Once you are at 4.2 take a backup and keep it handy. Now run the
  patch 12 and take a backup again.
  9)     Now fresh install 4.2 on your new production server and install patch
  12. Restore the 4.2 patch 12 backup and you should be all set.

• Trouble connecting Reporting Services to local database

  I am experiencing issues trying to configure/connect the Reporting Services in order to change the database to a local database.

  Hi Ralph,
  According to your description, it seems that you are trying to connect to a local database when create a data source in a Reporting Services report.
  If in this scenario, in the Connection Properties dialog box, we can type . or localhost or server_name in the Server name textbox. Then select the database, Windows Authentication or SQL Server Authentication to log on the server. For more details,
  please see the following blog:
  http://blogs.technet.com/b/microsoft_in_education/archive/2013/01/31/ssrs-101-creating-a-shared-data-source.aspx
  If there are any misunderstanding, please elaborate the issue for further investigation.
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support

• Connection String to Local Database Problem

  I just copied a database on the development server which I am not owner of, but I have rights to the database. I copied it to my local server. Now I need to connect to the local database and I don't know how.
  Dim MM_cnnName_STRING
  MM_cnnName_STRING = "Provider=SQLOLEDB.1;Password=xxx;Persist Security Info=True;User ID=xxx;Initial Catalog=DBName;Data Source=DevComputerName"
  The above is what I used to connect to the development server. How can I figure out the string for my local MS SQL Server

  Now I have this error once I try to bring up a page that calls the db
  Microsoft OLE DB Provider for SQL Server error  '80004005'
  Login failed. The login is from an untrusted domain  and cannot be used with Windows authentication.
  /CourseList.asp, line  9

• Configuring a 1230 AP as a "Local Radius Authenticator"

  Configuring a 1230 AP as a "Local Radius Authenticator"
  CCO-URL: Configuring an Access Point as a Local Authenticator
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
  this is the minimal config, i think:
  AP# configure terminal
  AP(config)# radius-server local
  AP(config-radsrv)# nas 1.1.1.1 key 111
  AP(config-radsrv)# group clerks
  AP(config-radsrv-group)# vlan 2
  AP(config-radsrv-group)# ssid batman
  AP(config-radsrv-group)# reauthentication time 1800
  AP(config-radsrv-group)# lockout count 2 time 600
  AP(config-radsrv-group)# exit
  AP(config-radsrv)# user jsmith password twain74 group clerks
  AP(config-radsrv)# end
  whereas 1.1.1.1 is the IP of the AP himself ?
  is there a must for additional config commands like this:
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
  aaa group server radius rad_eap
  server 1.1.1.1 auth-port 1812 acct-port 1813
  aaa group server radius rad_admin
  server 1.1.1.1 auth-port 1812 acct-port 1813
  all attempts didn't work
  "station <MAC> authentication failed"
  is there anything else nessecary ???

  You seem to be missing the following commands;
  authentication network-eap eap_methods
  authentication key-management cckm optional
  The following commands are useful for diagnosis;
  • Show radius local statistics
  • show interface dot11Radio 0 aaa client
  • Debug dot11 aaa dot1x state
  • Debug dot11 mgmt interface
  Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
  * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
  * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
  Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
  · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
  · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
  · Replace usernames/passwords with your own usernames/passwords
  · Replace ip-addresseswith the APs IP address
  · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
  conf t
  host loc-auth-ap-name
  enable secret cisco
  no ip domain-lookup
  line vty 0 4
  password cisco
  exec-timeout 0 0
  login
  int bvi 1
  ip address 10.11.12.13 255.255.255.0
  Interface dot11 0
  no ssid tsunami
  encryption mode ciphers ckip-cmic
  ssid test-loc-auth
  authentication network-eap eap_methods
  authentication key-management cckm optional
  ip dhcp excluded-address 10.11.12.13
  ip dhcp pool temp
  network 10.11.12.0 255.255.255.0
  interface BVI1
  ip address 10.11.12.13 255.255.255.0
  no ip route-cache
  aaa new-model
  aaa group server radius rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  server 10.11.12.13 auth-port 1812 acct-port 1646
  aaa authentication login eap_methods group rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
  radius-server deadtime 10
  dot11 holdoff-time 1
  ip radius source-interface BVI1
  radius-server local
  nas 10.11.12.13 key 0 l0cal-key-secret
  user testuser password 0 testuser-key-secret
  exit
  exit
  wri

• AAA and local user authentication

  Hi,
  I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
  But I want to know if it is possible to use local users even when the AAA server is reachable. Something like first it checks the local users databse and if the user does not exists then fallback to AAA or vice versa.
  Thanks.

  Ismail, the authentication method you define act as a service. So only when the service is not avilable the method fallback to the next methond you define.
  So in your case if the user account is not present in the local data base it will not fallback to aaa server.
  aaa authentication login default local group radius
  The same holds true if the user account is not there in the aaa server
  aaa authentication login default group radius local
  Only when the aaa server is not responding (service downe or not reachable) it will fallback to the local database.
  Hope this helps!

• Export User Accounts/AAA Local Database from 4404 WLC

  Hi,
  Guest User Accounts have been created in the local database of the WLC 4404. Because we are going to use Cisco ISE for Guest user authentication, I would like to know if there is a way to export these accounts and import them into Cisco ISE.
  Thanks in advance.
  Joana.

  Ok, thanks for your response.
  Joana.

• Access to local database

  I already posted this question in "LiveCycle Designer ES" but I didn't get any response. So, I am posting it here. Be patient.
  Hi All,
  I am having issue connecting to the local database from the Adobe Form.
  Here is the code that I have to open the connection:
  // Search for sourceSet node which matchs the DataConnection name
  var nIndex = 0;
  while(xfa.sourceSet.nodes.item(nIndex).name != sDataConnectionName)
  nIndex++;
  var oDB = xfa.sourceSet.nodes.item(nIndex);
  xfa.host.messageBox("Check 1: "+xfa.sourceSet.nodes.item(nIndex).name);   // I am getting the DSN name that I created.
  oDB.open();                                                                                           // I am getting the below message. Once I click "Yes". It is just opening the Form.
  xfa.host.messageBox("Check 2: "+xfa.sourceSet.nodes.item(nIndex).name);       //  I am NOT getting this message.
  oDB.first();
  Your help is appreciated.
  Thanks in advance,
  Chandra

  Hello,
  Early I saw one example when it was done with aaa atribute list, and it was working, but on 3945E it is not working.
  Here is example :
  aaa new-model
  aaa authentication login ezvpn_users local
  aaa authorization network ezvpn_users local
  aaa attribute list ezvpn_users
  attribute type service-type noopt service shell mandatory
  username user1 password 0 superpasword
  username user1 aaa attribute list ezvpn_users
  Do you have some  information about it ?

• Cannot connect local database using net service_name

  Good Morning to all ;
  FYI : This  question wrongly posted under high availability. Now it was removed from there.
  I am trying to connect my local database  using remote authentication.
  but getting error. Client & Server reside on same  server.
  SQL> conn u1/u1@primdb
  ERROR: ORA-12545: Connect failed because target host or object does not exist
  SQL> conn / as sysdba
  Connected.
  SQL> show parameter db_name;
  NAME                                 TYPE        VALUE
  db_name                              string      primary
  SQL> show parameter service_names;
  NAME                                 TYPE        VALUE
  service_names                        string      mydb
  SQL> show parameter db_domain;
  NAME                                 TYPE        VALUE
  db_domain                            string      primary.com
  SQL> show parameter global_name;
  NAME                                 TYPE        VALUE
  global_names                         boolean     FALSE
  SQL> select * from global_name;
  GLOBAL_NAME
  PRIMARY
  [oracle@localhost admin]$ lsnrctl start
  LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 18-JAN-2014 16:32:08
  Copyright (c) 1991, 2005, Oracle.  All rights reserved.
  Starting /u01/app/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...
  TNSLSNR for Linux: Version 10.2.0.1.0 - Production
  System parameter file is /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
  Log messages written to /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
  Error listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=oel5.linuxserver)(PORT=1521)))
  TNS-12545: Connect failed because target host or object does not exist
  TNS-12560: TNS:protocol adapter error
  TNS-00515: Connect failed because target host or object does not exist
  Listener failed to start. See the error message(s) above...
  my listener.ora file contents :
  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (SID_NAME = primary)
        (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
        (GLOBAL_DBNAME = mydb.primary.com)
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = oel5.linuxserver)(PORT = 1521))
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
  my tnsnames.ora contents
  primdb= 
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST= oel5.linuxserver)(PORT=1521))
      (CONNECT_DATA =
        (SERVER=DEDICATED)
        (SERVICE_NAME = mydb)
  $ tnsping primdb
  TNS Ping Utility for Linux: Version 10.2.0.1.0 - Production on 18-JAN-2014 16:40:55
  Copyright (c) 1997, 2005, Oracle.  All rights reserved.
  Used parameter files:
  Used TNSNAMES adapter to resolve the alias
  Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST= oel5.linuxserver)(PORT=1521))) (CONNECT_DATA = (SERVER=DEDICATED) (SERVICE_NAME = mydb)))
  TNS-12545: Connect failed because target host or object does not exist
  Thanks in advance ..

  Good Morning  Ed Stevens ;
  Nice to see you once again !
  I remember , you are very familiar with  oracle net services.
  I read your article. Exploring the LOCAL_LISTENER parameter
  Now i have removed listener.ora & tnsnames.ora files .
  now the listener is registered as dynamically'
  SQL> alter system register;
  Ed Stevens wrote ..
  simply do a  "ping oel5.linuxserver"  and report the result.
  $ ping  oel5.linuxserver
  ping: unknown host oel5.linuxserver
  $ hostname
  localhost.localdomain
  $ echo $ORACLE_HOSTNAME
  oel5.linuxserver
  my new tnsnames.ora contents
  primdb = 
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = oel5.linuxserver)(PORT=1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = mydb)
  $ tnsping primdb
  TNS Ping Utility for Linux: Version 10.2.0.1.0 - Production on 18-JAN-2014 19:57:13
  Copyright (c) 1997, 2005, Oracle.  All rights reserved.
  Used parameter files:
  Used TNSNAMES adapter to resolve the alias
  Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = oel5.linuxserver)(PORT=1521)))
  (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = mydb)))
  TNS-12545: Connect failed because target host or object does not exist

• Same user in tacacs and local database with different privilege

  Hi there,
  i am just not sure if this is correct behavior.
  i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.
  i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.
  aaa authentication login default group ACS
  aaa authorization commands default group ACS local
  aaa accounting default group ACS
  a user test with priv 15 is craeted on ACS server, password test2
  everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after )
  e.g.:  
  username test password test1 role priv-0   (note passwords are different for users in both databases)
  after i create the same user in local database with privilege 0,
  if i try to connect to the switch with this username test and password defined on ACS,  i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
  is this normal?
  thank you for help...

  Hello.
  Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS , Juniper JunOS) use "role-based authorization" instead of "command authorization".
  So traditional IOS can use the "privilege" attribute but other operating systems can not.
  Although IOS-XR, Nexus, ACE, Juniper  have "roled-based authorization" feature, every single one of them use their particular attributes.
  When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what were the particular attributes of ACE, what were the particular attributes of JunOS, etc, etc and to search deeply some hints the documentation , because sadly  documentation is not very good when talking about TACACS details.
  If you find which attributes to use, and what values to assign to the attributes then you can go to ACS and configure a "Shell Profile".
  Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles which names are called "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend to use just the default roles, or customize some of them (only if needed), but not to use "command authorization".
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
  I will search the particular attributes Nexus use to talk to TACACS server. If I got them I will post them here.
  Please rate if it helps

• CSM 3.1 local user authentication problem

  Hi every one.i have strange problem with local user authentication.in our csm i have configured csm to auhenticate users using TACACS+ from our acs server which every thing is ok about this configurtion but also i have configured fall back authentication for user admin.here is the problem even when connection to ACS server is ok and server can send authentication requests to ACS we can authenticate with ACS and Local admin which i think this is wrong because using local admin is configured as fallback.so what do you think about this problem which CSM authenticates users with ACS and local database same time??

  You probably need to go under the system context and create the interface and also allocate vlans to it in CSM before you configure the context itself.
  I hope it helps.
  PK

• Can i use local database in webdynpro

  Hai,
  I want to store a string in the local database. is it possible to store in local dictionary-->structures.
  using this how cani store , retrieve, update and delete the data in the local dictionary.
  regards,

  Hi Naga,
  It was discussed already:
  store data in database and access
  making database connection
  REG: DATABASE Connection
  Best regards, Maksim Rashchynski.

• Remote and local databases

  let say that i access a oracle form through the web and that form access data from two distributed databases, then will there be a remote database and local database for the user or all the databases will be remote databases to the user

  In my opinion.
  using local databases -- access tables without DB_link
  using Remote databases -- access tables through DB_link