authorization for AAA and TACACS unavailable server scenario
I installed a PIX for users authentication for telnet and enable access. I have permission to install a subset of users can run only display orders. This set works as expected.
The problem is when I simulate a network failure and try to get access to the PIX console. I can't run the enable command because the command is not permitted. I have to use password recovery to access the PIX. How to do this? Can I have command authorization processed locally? Can I associate the show command with a lower privilege level? If so, how, and how can I limit the user to this level of privilege (via TACACS)? I confiscate doing?
Thank you
If the PIX is configured for TACACS authentication and RADIUS server is unavailable for authentication, there is no way to rescue or get around this issue at this time.
You can configure the PIX to fall back to local authentication if TACACS is not available.
Release then (I think 6.3 and above) who will be available.
Tags: Cisco Security
Similar Questions
-
Hi all
I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with their configuration for study purposes.
Both of them are TACACS, do you also need RADIUS (your post says AAA)? Assuming you just need TACACS:
Probably the best known is:
http://www.shrubbery.net/tac_plus/
Also, the go RANCID.
For a solution based on Windows you can also consult:
If this message answers your question or is useful, please consider rating it and/or marking it as answered.
-
same host for RADIUS and TACACS
Hello
Can I put a host (an ASA, for example) twice in the ACS server? One entry for TACACS to grant administrators exec access and the other for RADIUS to authenticate remote users.
I don't want remote users to be able to get exec mode.
Or how should I configure this?
Yes, you can do it. Network configuration on ACS
Add
ASA---> 10.1.1.1---> Auth using TACACS+
ASA1--> 10.1.1.1---> Auth using RADIUS
Host name cannot be the same.
Kind regards
~ JG
Note the useful messages
-
Need to set up Windows mail for incoming and outgoing mail server
I am trying to set up my mail in windows for the first time, can someone please help me with the details of the incoming and outgoing server (pop)
Hey Kim Clement
Contact your ISP (internet service provider).
They offer your broad band/dial-up connection.
Ask them to:
username
password for your access broadband account / distance with them
Server of incoming POP3 mail
outgoing e-mail server
and read this on how to set up Windows Mail at the Microsoft link below
Windows Mail: Setting up an account of end-to-end
Walter, the time zone traveller
-
IBM DB2 as external database for device and Windows based Server vCenter vCenter?
IBM DB2 AS DATABASE EXTERNAL TO VCENTER DEVICE AND WINDOWS BASE VCENTER SERVER IS SUPPORTED OR NOT?
Post edited by: a.p. - updated the title (in capital letters)
You will find an overview of the databases supported at http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php by selecting "interoperability Solution/database.
André
-
Need for reports and the analysis down server move to a different server
I lost my original for RA and re-installed server components on another server, however, when I try to access the workspace site, I get the message * "did not find a server Hyperion Reporting and analysis 'former name of the server running" at the port of 6800. Please check your connection string server and confirm that the server is configured. *
I re-run the Setup and configuration without result. Is there a configuration file that I have to update somewhere?
This essentially means that the HSS registry always points to the old name of the server for the RA_FRAMEWORK component. You will need to check through the registry report if there are several instances of the RA framework registered (one with the old server and the other with the new server). If yes, you can remove the old one from the registry through the epmsys_registry command line tool and reconfigure with the new server.
If you need help with the same, if it please raise a SR with Oracle support and should be able to guide you through.
-
Can I use one ACS server as RADIUS and TACACS for the same ASA?
I want TACACS to do the accounting for the ASA; meanwhile, the ASA needs RADIUS for SSL VPN authentication. Is it possible to achieve this with only one ACS?
Yes, you can use both. You can add the ASA as both RADIUS and TACACS.
ACS-->---> aaa-client network configuration
(1) ASA---> 1.1.1.1---> Auth using TACACS
(2) ASA1---> 1.1.1.1---> Auth using RADIUS
Don't forget the host name cannot be the same.
Kind regards
~ JG
Note the useful messages
-
Urgent - Custom authentication and authorization for the application of the ADF
Hi friends,
Custom implementation for authentication and authorization for the application of the ADF
My project to use the OID , authentication and authorization, we will need to support both OAM and DB tables ( according to the preferences of the client during the installation ).
I am new to this and do not have a clue about the same.
Please guide me how to set up both in JDeveloper 11 g + ADF
Thanks in advance.
The answers you got up to present every point in the right direction. ADF security see the authentication of WLS, even for business authorization with respect to user roles defined on the WLS server. During the deployment, ADF security defined application roles are mapped to the user enterprise groups
Application developed using Jdeveloper ADF +.
This would use WLS for authentication
Users of authentication - LDAP (OID) - are stored in LDAP
Use the OID authentication provider in WLS
Authorization - OAM or database (authorization details are stored in the DB or OAM tables)
You can't allow users without authentication. If you need create authentication providers additional if they exist for OAM and RDBMS (there is a supplier of existing RDBMA, that you can use to identify users and to assign membership user groups). Then, you set the optional flag so that when authentication fails for additional providers you can always start the application.
When running Admin users - create users from roles to create and assign permission privileges to the role (for pages and workflows)
assign (or remove) the roles to/to leave users.
ADF security uses JAAS to permissions that you can change using Enterprise Manager when running. Permissions are granted to the application roles and application roles are granted to business roles that which then has users become members of the. If you want to change the status of user account, then you don't do this the ADF or EM, but use a direct access to the provider of the user (for example, access OID, RDBMS access etc.) There is no unified administration API available that would allow you to do this via WLS (which uses OPSS).
If your question is in the context of the ADF, the documentation, with that you should follow is OPSS and WLS authentication providers.
Frank
-
ORIGINAL TITLE: updates XP
Update for Windows XP (KB2718704) and Microsoft SQL Server 2005 Express Edition Service Pack 4 (KB2463332) will BE WITHOUT INSTALLATION
Please answer each of the following [admittedly tedious] diagnostic questions in a numbered list type in your very next answer (no need to quote this post):
1. What is the full name of your application or the installed antivirus security suite and when (date about) is your subscription current expires? What (other than Defender) anti-spyware applications are installed? What third-party firewall (if applicable)?
2 a Norton or McAfee application ALREADY installed on the computer?
3. do you have a free trial Norton or a test of free McAfee [CHOOSE ONE ANSWER] come preinstalled on the computer when you bought it? (No matter if you have never used or activated).
4. open Add/Remove Programs and make sure that Show updates at the top is checked (and leave it checked); then select the name in the box sort by on the right. Now do scroll down & tell me if ALL the other updates following up-to-date are listed?
(a) KB2676562,262, KB2686509 & KB2695962KB2659;
(b) KB2675157, KB2653956 & KB2621440;
(c) KB2661637, KB2598479, KB2631813 & KB2585542;
(d) KB2633171, KB2393802 and especially KB971029
Most will appear as Windows XP security update , followed by the number in brackets.
If IE8 is installed, two 2 will appear as a security for Windows Internet Explorer 8 update , followed by the number in brackets.
5. is Firefox, Chrome or any other alternative browser installed?
6. what version of Java is installed? TEST HERE in USING IE (only!)-online http://java.com/en/download/installed.jsp
7. are you familiar with "Registry cleaners" (e.g., Registry Mechanic;) System Mechanic; RegCure; RegClean Pro. Advanced SystemCare. Registry Booster; McAfee QuickClean. AVG PC TuneUp. Norton Registry Cleaner; PCTools optimizer; SpeedUpMyPC; Advanced System Optimizer. TuneUp Utilities; WinMaximizer; WinSweeper; CCleaner)?
8 have you ever had the opportunity to do a repair install or clean install of Windows XP for some reason any?
Note: KB2463332 is a update optional, not security. Feel free to hide it.
-
Hello
We have planned the implementation of several node, where a server under Linux OS has foundation, OSH and weblogic domain. Server B on window has HFM. We know now that we can have single domain web-logic since HFM has no binary for Linux (and we must at least HFM web - app to install if we want common weblogic domain). In this case, what is the common practice. Should we local domain web-logic on the server HFM window? Is there a better way?
Thank you.
My understanding is that you need one,
#Separate Weblogic domain for the components installed on the Linux box (Foundation)
#Separate Weblogic domain for the HFM components installed on the Windows machine
Such as Weblogic in Linux can't talk to the components installed on the Windows machine.
Kind regards
Deker P.
-
Where to increase Java Heap for Admin settings and the managed server.
Hello Experts
I have issues with the JVM arguments of memory expansion for the Admin and managed servers. I tried in some places to increase the arguments of memory (Xms and Xmx 1024 m) but is not effective. When I start the Server Admin Server and managed, I don't see the segment increased memory settings. Here's what I see-
"From WLS line: /oracle/app/bi/Oracle_BI1/jdk/java -server -Xms256m -Xmx512m -XX:MaxPermSize=512m"
I have the following memory arguments in the setDomainEnv.sh located in <DOMAIN_HOME>/bin
XMS_SUN_64BIT="2048"
export XMS_SUN_64BIT
XMX_SUN_64BIT="2048"
export XMX_SUN_64BIT
It looks that it did not work, so I added an entry in the setOBIDomainEnv.sh file in the hope to increase the memory of Java, but that does not work either. Here is the setOBIDomainEnv.sh file.
Really, try to understand where and how the JVM settings are controlled from. Please guide me.
Enjoy your time.
Rakesh
Under the setobidomainenv.sh you will also find the tag server administrator to increase settings in jvm in there too. Depending on your version of the seller and little Java (Sun, Oracle, IBM, HP and vs 32 - bit 64-bit) so change accordingly
for example:
If the server group is not Olivier then we can assume that it is the server administrator
if [ "${JAVA_VENDOR}" = "Sun" ]; then
  # -UseSSE42Intrinsics required for the server running EM
  if [ "${JAVA_USE_64BIT}" = "true" ]; then
    # Admin server memory args for 64-bit Sun JVM
    SERVER_MEM_ARGS="-Xms256m -Xmx1024m -XX:MaxPermSize=512m -XX:-UseSSE42Intrinsics"
    export SERVER_MEM_ARGS
  fi
fi
Similarly, in setdomain.sh, you will find the args as below:
XMX_SUN_64BIT="512"
export XMX_SUN_64BIT
XMS_SUN_64BIT="256"
export XMS_SUN_64BIT
if [ "${JAVA_VENDOR}" = "Sun" ]; then
  WLS_MEM_ARGS_64BIT="-Xms256m -Xmx512m"
  export WLS_MEM_ARGS_64BIT
  WLS_MEM_ARGS_32BIT="-Xms256m -Xmx512m"
  export WLS_MEM_ARGS_32BIT
fi
After setting these, just execute ./setdomain.sh and ./setobidomainenv.sh and then try to start the admin and managed servers and see the processes running with the updated values.
-
packages and custom DB for authentication and authorization tables
I would like to build custom for my APEX 4.1 application authentication.
I need only a few basic actions and features.
My idea:
on these tables the tables USER, ROLES, the USER_ROLES and some package of action and pages (create user, grant the role, authenticate, change password, activate/deactivate the account etc...)
Before starting to write this litle "authentication framework", that I would like to ask you if you know existing solutions.
I would use some existing framework, checked the solution and save time :-)
Thanks for some tips...
No. I have not found an existing solution. I have developed my own simple solution for authentication and authorization.
I recommend you do the same thing.
-
How to plan the windows Server 2008 for stopping and waking up
Hello everyone
I want to set hours that turn on and off the machine during business hours (09:00 to 17:00)
Could you please let me know how can I do this with windows scheduled task?
Concerning
This issue is beyond the scope of this site (for consumers) and to be sure, you get the best (and fastest) reply, we have to ask either on Technet (for IT Pro) or MSDN (for developers)
-
Nexus, command authorization with TACACS.
Hello.
Can anyone provide an example of configuration to use Cisco Secure ACS 4.2 to enable command authorization with TACACS.
Thank you.
Kind regards.
Andrea
Hello Andrea,
We moved to GBA 5.3 now - but we had our 5520 Nexus running against our old 4.2 ACS before this - so I chose the relevant bits of the config below:
username admin password <password> role network-admin   ! local admin user
feature tacacs+   ! turn on TACACS+
tacacs-server host <server-ip> key <key>   ! set the key for the TACACS+ server
aaa group server tacacs+ tacacs   ! create the group called "tacacs"
  server <server-ip>   ! set the IP address of the TACACS+ server
  use-vrf management   ! tell it to use the default 'management' vrf to send TACACS+ queries
  source-interface mgmt0   ! ...and send from the mgmt interface
aaa authentication login default group tacacs   ! use TACACS+ for login auth
aaa authentication login console group tacacs   ! use TACACS+ for console login auth
aaa authorization config-commands default group tacacs local   ! use TACACS+ for config command authorization
aaa authorization commands default group tacacs local   ! use TACACS+ for normal command authorization
aaa accounting default group tacacs   ! send accounting records to TACACS+
I hope that works for you!
(This may change a bit, when you move to ACS 5.x - that we chose not to do complex auth command (using only shell profiles) to remedy this you go back as a nexus for the 5 k - and it makes the command auth (operator network vs network-admin) based on the one - if you just do not configure authorization to order aaa on the 5 k)
Rob...
-
WLC with ACS 5.1 (RADIUS) for management * AND * Network users
Hello
I have authentication RADIUS of installation for the users of the network AND management on my NM - WLC (5.2 ongoing execution) against ACS 5.1
My Question is:-
For users to log in to Admin, I need to come back "Service-Type = Administrative - User" in order to make it work.
Because the ACS sees all applications from the same device (WLC) for Admin and network users,
the way I am currently treats it is by creating a filter based on the user name
Thus, users that contain 'admin' in their ID, use a set of
Network access policy authorization, who has an authorization associated with the attributes RADIUS profile.
Normal users have a ' network access policy authorization different rule ", with a different profile.
While this DOES WORK fine, still me I was wondering if there is a better way to do it, rather than create a rule
based on the user name.
I could use TACACS+ for the management, but I don't think that ACS allows the same AAA client (WLC) to use both protocols.
Thank you
I think it's something very common for things to do
You may notice that ACS 5 comes preinstalled with a service selection policy that differentiates requests based on the protocol and directs them to either the 'Default Network Access' or the 'Default Device Admin' service out of the box
If you want only RADIUS, you can either disable or delete the rule for TACACS+ requests, or not choose TACACS+ in the device definitions