AAA authentication for external router through PIX 515

Similar Questions

• AAA authentication in Cisco router

  I want to create the user name and password with the level of prévilige for each user in the Cisco 3640 router. I don't have any authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest me how should I proceed.

  Thanks in advance

  Hello

  If you want to create users in the local database of the router, you must use the following command

  username cisco password privilege 5 test

  AAA new-model

  AAA authentic login default local

  AAA exec default local author

  http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#12277

  Thank you

  Sujit

• Separate authentication for external and internal users?

  Hello
  
  Asked me to come with a CEP for a client who wants a new system APEX is accessible to internal and external users. The client security team want to have two separate copies of the request for the APEX and both copies of the auditor of the APEX on separate databases on two separate servers from Weblogic to support different security requirements for both internal and external users. I don't think that is necessary as APEX should be able to impose conditions depending on what type of user is connected, by questioning the cookie passed in which could contain a flag to say whether the user is internally and externally. In addition, CAE can be used to further restrict external access.
  
  The middleware for the customer solution is managed by a third party, who have made the following recommendations:
  
  The domestic channel requires SSO to configure on WebLogic while the outside lane. Internal users must be validated on Active Directory, with RSA Authentication Manager used for external users. We cannot set up a listener APEX instance to use and not to use SINGLE sign-on at the same time. Two applications are necessary.
  
  Now, I understand from my understanding limited the listener of the APEX, it is possible to implement different rules depending on the type of user to access. However, might just as well not be managed from Magnatune APEX? We could write a custom authentication procedure that verifies again road and the SSO user authentication cookie or otherwise, as required.
  
  So my question is this: can it really be necessary to implement two versions of an APEX application, with two distinct on different servers APEX headphones, to meet the security requirements of separate here? Ultimately at the end of the day if that's what the customer wants, we have to build it, but I'm looking to reassure them via a CEP that won't be necessary. I think that the seller of hardware/middleware recommend that the client just because they do not know available in APEX itself custom authentication options.
  
  Please forgive any simplifications or the lack of details in the above - I'm more a developer APEX as a person of the infrastructure and a bit of a 'newbie' where the listener APEX is concerned. All advice gratefully appreciated!
  
  Graham.

  Hi Graham,

  It's a matter of people paranoid how and to what extent they trust their own infrastructure. Things could be easier than to split the environments, but I don't know if I just depends on the cookie because cookie can be easily rigged. But I think that the following architecture would be safe:
  1 internal users connect APEX listener somehow security team requires, come to APEX and maybe be identified using the internal IP address (range). To simulate the INVESTIGATION period should be difficult for external users.
  2. external users connect APEX listener through a defined gateway, preferably a proxy. All future requests through this gateway would be considered external users.
  You may add additional logic to the proxy, for example use something like 'mod_headers' in Apache HTTPD to add a page header to requests, so that you may identify as external users.
  You could, of course, also put it the other Tower and allow internal users to use some proxy to enforce certain rules of IP based address, or perhaps a few additional references as authentication for access to the proxy (which again could be transparent user in AD-configuration, at least if you stick with IE).

  You can easily implement the separation in your custom authentication process. But this architecture also allows some other compromise: even if someone does not trust your application logic to handle two types of application successfully, you can also use the proxy to enforce the specific call for an application id. Certainly you don't need to duplicate the infrastructure...
  Most of the companies already have a proxy for external users, for example to activate SSL and to hide other internal resources, for load balancing,... so I think you just need to put some configuration of the existing infrastructure and end up needing no component additional. Even if there is no proxy and yet, it would be an element of very light weight, easy to handle.

  So far, all this has nothing to do with the earpiece of the APEX. It's 'just' a web front-end for the instance of the APEX in the database. I wouldn't put a logic of network security in this service, but the split things upward front. The APEX listener can be patched to add some logic, but which was not supported.

  I think that this would work and should be sufficient for most of the safety requirements.
  If my picture was not painted understandable, let me know.

  -Udo

• No AAA authentication for switch

  I'm intrigued by my question. I have a switch on 9 that cannot authenticate with our server GANYMEDE. The configurations are the same as any other switch, but when I try to open a session using the account GANYMEDE + access is denied. This is the configuration for the AAA/GANYMEDE on the switch.

  AAA new-model

  AAA authentication login default group Ganymede + local
  authorization AAA console
  AAA authorization exec default group Ganymede + local

  radius-server X.X.33.XX host
  radius-server key 7?

  I deleted the aaa configuration and then reconfigured it as well as the information from the server RADIUS and no authentication Ganymede. I gave the Ganymede interface should use, but same result. Any ideas?

  Thank you

  Robert

  Robert,

  Please make sure following

  -Radius server is accessible from the switch and port 49 is not blocked.

  S ' it is layer 3 switch, then make sure to configure the interface source ip Ganymede XXXX (Interface IP set in radius server)

  -Check the secret key

  If the problem is still there then please get

  Debug aaa authentication

  debugging Ganymede

  Kind regards

  ~ JG

• Place a FIOS for VPN router behind PIX 501

  I have a Verizon FIOS internet connection and one of their routers wide wireless broadband, and this is a configuration of base completely... their router DHCP and firewalls, and the connection has a dynamic address.  I would put the PIX 501 behind the Verizon router as one of its clients and make the VPN PIX of other PIX 501 at other locations, such as my entire network has access to remote networks.

  Is this possible, and if yes, any who could some suggest configurations (how to address internal and external, static routes ports that may be required somewhere, etc.)?

  Thanks for any help.

  When installing my FiOS, I had already asked that it be installed on the Ethernet cable. Don't know they need to do something for you to spend the coax to Ethernet.

  The best way to test it would be to find the Media Converter (follow the coaxial cable between your FiOS router to the demarc and there should be a box with a coaxial port, some phone Sockets and an Ethernet port). If you unplug the coaxial cable and plug a laptop computer on the Ethernet port, see if your laptop takes a public IP address. If Yes, then you just have to run to your PIX501 Ethernet cable and you should be ready.

  Just to note that Verizon, according to your region, reserved DHCP assignments. This means that you may need to call Verizon and ask them to release the previous assignment of DHCP-MAC addresses. I had this happen recently. They must release the assignment then your PIX will pull a new IP address and they will book your new IP - MAC address assignment. They do this to speed up the connection to a cold start time on the router.

  Basically, they are filtering by MAC address, but rather through a sticky ARP where they clear the entry, and then the next device that connects records his MAC address and then only that device is permitted to connect to this leg of the cable. So there is a bit of work you have to do, but the most difficult part would be sitting on hold waiting for a tech, if you call to Verizon.

• NPS Windows Help for authentication of aaa for Cisco router - is it safe?

  I am very confused about how all this works and was hoping someone could help me.

  I followed a bunch of tutorials online for authentication RADIUS of installation on a Cisco router and he did to a NPS Windows Server. Now I can ssh into the router my AD account.

  Now that I got it to work, I go to the settings to make sure everything is secure.

  On my router, the config is pretty simple:

  aaa new-modelaaa group server radius WINDOWS_NPSserver-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykeyaaa authentication login default local group WINDOWS_NPS
  
  ip domain-name MyDomcrypto key generate rsa
  
  (under vty and console)# login authentication default
  On the NPS Windows:
  I created a new RADIUS client for the router.
  Created a secret shared and specified Cisco as the name of the seller.
  Created a new strategy of network with my desired conditions.
  And now the frame of the configuration of the network policy that worries me:
  
  
  So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:
  
  
  
  capture.jpg
  
          
      
  
  
  How is my password being encrypted and how strong is the encryption?
  
  Another thing is how can I configure aaa authentication with mschapv2? The documentation I saw for mschapv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp I'm using aaa with a radius server.
   
  			 
  Hello
  RADIUS encrypts the password, but sends the username in clear. GANYMEDE encrypts the user name and password.
  You can find the encryption used by RADIUS in the RFC scheme:
  https://Tools.ietf.org/html/rfc2865#page-27
  MS-Chap-V2 is used for the authentication of users such as the remote access and vpn, not management switch
  Thank you
  John
  		   

• Test command of the AAA for EAP - TLS authentication for wireless users

  Hi all

  Can anyone suggest me the test command to verify the eap - tls authentication for the Cisco WAP's wireless.

  If it's an authetication jump we can use the command to test the connection below

  Radius of group aaa Testwap-01 #test [email protected] / * / o4 & yJ) NoL$ new-code %0
  Trying to authenticate with the server radius group
  User successfully authenticated

  But eap - tls is not delivered with the password. He insists that for the user name.

  We strive for remote location then test remotely before production.

  If someone help pls in that if we have a command to test or debug command to test this authentication.

  EAP - TLS requires a client certificate. How can you have a simple command that analysis without loading any certificate on the router/switch? It does not exist. This is why eap - tls is not considered an easy to deploy eap method: because it can go wrong on several levels.

  The aaa command test performs a PAP authentication, therefore, it tests the connectivity of the base RADIUS and name of user and password.

  If it works, the only thing that can break for eap - tls are certificates, as well as the radius server will be able to tell if something worng.

• ACS5: method of different external authentication for each user account

  ACS4 I could specify a different external authentication for each user account. I'm trying to find a way to do the same thing to the ACS 5? When I go under identity in Access Services, I see the system requirement: username I can use to identify the user who logs in, so that I can directly to a source of different identity, but the separate political configuration for each user is very inconvinient and would require hundreds of policies, in our case.

  I was hoping that we can create a kind of attribute for each user. SysAdmin > Configuration > dictionaries > identity > internal users. I created the new attribute called 'Storage of identity' with the enumeration type, which has 4 values: internal, Entrust Token, Token RSA, counts AD and checked the box "add a political Condition." I can then go under each user and select the storage of identity for each user. But now I can't find where I can use under part of identity of an access policy. I can use it under "Group mapping" but that maps to one group and not to an identity store. I need to use it under the identity somehow, but I can't find how.

  Hello Roman,

  The attribute you created will be available when the user is authenticated through internel ID store, so that you cannot use to select the store ID.

  The best way to do this would be to use other attributes to differentiate the identity store.
  Allows you to create a sequence of identity store so that for each user, ACS will try to authenticate by using multiple identity store.

  For example, you can use these:

  Network status

  > End Station filter

  > Device filter

  > Devide filter Ports

  Here you can import filters from a file and it would therefore be more scalable.

  Hope this helps.

• PIX: Dialin routing through a different VPN VPN

  Here's the scenario: I have 2 PIX firewall on various sites connected to the internet with public (PIX A and B PIX) IP addresses.

  There is a permanent VPN site to site between the two and there is a clear separation between subnets between the two sites (internal network behind PIX is 10.10.4.0/24 and the internal network behind PIX B 192.168.0.0/16).

  I created dialin VPDN access to PIX for laptops to dialin via VPN - it currently allows access to the subnet 10.10.4.0/24 without problem.

  Now - I need these users of portable computers, when connects via the VPN to PIX has to be able to access the other remote site and access the subnet 192.168.0.0/16 of routing through the VPN site to site of PIX B.

  Is this possible? I would be grateful to anyone who helps with that. Thank you...

  This is currently not possible on the PIX as the PIX will not route traffic back on the same interface, it is entered in the.

  This feature will be available in the upcoming v7.0 version, which is currently in beta, so look out for it and you're ready to go.

• VPN for PIX 515 allowing access to a single host

  I have already setup on my PIX 515 a VPN connection, which allows the user to connect to our network via a cisco VPN client to access network resources.

  I want to configure now is an another VPN connection that external users can use but would only allow access to a host.

  E.g. I would like to VPN in my site but would be allowed to access the 10.1.1.1 on my network.

  How can I do this? What I have to install VPNGROUP another and somehow an access list to allow only traffic to a host of configuration. Can anyone help with the correct syntax for the PIX.

  Thank you

  Scott

  You will now have a bunch of commands "vpngroup" in your PIX, simply go into config mode and add more commands 'vpngroup' but with a different groupname. The VPN client then uses this group name to connect to the PIX.

  Another way to allow only access to a host for this PIX is to split tunnelling on this group, as well as in the tunnel of split ACL set only as a host.

• External SSL VPN via AAA authentication

  Greeting from all the

  How can I exchange a group policy for users between the SAA and an external AAA (authentication via ldap or RADIUS)

  Let's say I have user1 I want only him to use groupPolicy "gpSales" for its VPN access, how can the ASA Exchange this information with the radius or LDAP server

  Thank you

  Glad to hear that you guessed it work.  Please rate this post if you found it useful.

• Limit the number of users for a pix 515 uauth

  I have a PIX 515 authenticate and authorize against a Cisco Secure ACS server for outbound internet connections (using the web prompt). For the purposes of scale, I need to know the maximum number of sessions competitor for these types of users. I know there is a limit of 16 reviews on simultaneous approval process (the process of logging in first), but once they are connected, is there a limit?

  Once connected, the number of connections is limited by the number of concurrent connections that can handle a PIX. For example, the PIX 515 E can handle a maximum of 130 000 concurrent connections.

• Essbase security Migration to native mode for external authentication

  Hello!!
  
  I want advice on security setting, all users are currently in usermode native and Aboriginal groups.
  Now we want to migrate in external mode, the current version of hyperion is 11.1.1.3, the steps in
  that direction would be really useful.
  
  
  What is the best way of migration of the huge user base of native implementation for external authentication directory,
  It is the first step for the time of the native code for the external authentication, if anyone who did this will be useful.
  
  the installation procedure, maxl based migration will be useful or utility based.
  
  Thank you

  For services sharerd mode conversion to have a read of - http://download.oracle.com/docs/cd/E12825_01/epm.111/eashelp/sec_mode.htm

  To configure shared services to use an external directory have a reading of - http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security/frameset.htm?ch05.html

  For mass provision that you could use LCM or the utility CSSImportExport to export the provisioning of native users, update the file exported to include provisioning of users ad, then import them.
  LCM - http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_lifecycle_management/launch.htm
  CSSImportExport utility - http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security/ch09s08.html

  See you soon

  John
  http://John-Goodwin.blogspot.com/

• Pass the authentication for applications through sqlplus scheme?

  Hello
  
  We want to change the schema of authentication for applications through sqlplus.
  
  Is it possible to do it with
  
  () www_flow_api.set_flow_authentication
  p_flow_id in the number default null,
  p_authentication in varchar2 default null);?
  
  Or will encounter us problems with this statement? Unfortunately, nothing is documented on this procedure!
  
  Thanks for any help!

  But does it work?

  Experience would give you the answer that is not.

  What is done, when I press the "make current" - button in the Application Builder? Is it the same?

  Not the same, no.

  The URL that is current when you are on the page with the button "Make Current" you tells the application and the page that does the job (4000:822). You can see that this page means when it is submitted by the consideration of this application and the page by using the f4000.sql file from distribution either by reading the code in the file, either by installing this application in your own workspace as an application ID different and using Report Builder to review the page works.

  How do you secure it, that is, who would be able to run the script?

  Scott

• Access for interal AND external users through a single login server?

  Hey,.

  Apart from redundancy, it is possible to have a single connection server that allows internal users AND external access virtual resources?

  For external access, I have associated my login server security server. It works perfectly if I activate the PCoIP Secure Gateway option on my server of connection and enter the public IP address of the Security server.

  But with this configuration internal users are not able to connect (listing the works of resources, but the connection fails).

  If I disable the PCoIP Secure Gateway option, internal users can access, but not external users via the Security server.

  Any contribution is appreciated.

  Thank you very much!

  No, it's the only way you can do it for internal users and external to share the same login server - activation of the MTP setting is by CS. If you want to PSG on for external users (and it is practically a necessity unless you use a third-party VPN), but offshore for internal users, they will point to the servers of different connection and so you'll need two.