TACACS+ authentication and authorization on IOS XR
Hi all
I am trying to connect several IOS-XR devices in our lab (ASR, RSG and CRS) to our TACACS+ server (Cisco Secure ACS release 4.2(0)). The goal is for the TACACS+ server to handle authentication, authorization and accounting (AAA) for users on all non-console CLI connection types (telnet and SSH). I don't use any HTTP server to access the devices, and I want to keep the console connection local.
I have several devices connected to this TACACS+ server with the following AAA-related configuration. I would like to apply the same principles on IOS-XR, but since the command structure is different and I could not work out how to do it from the manual, I need your expert help:
aaa new-model
!
!
aaa group server tacacs+ acs-servers
 server
!
aaa authentication login default local
aaa authentication login local_vty local
aaa authentication login console local
aaa authentication login acs group acs-servers local
aaa authorization exec default group tacacs+
aaa authorization commands 15 acs_cmds group tacacs+
aaa authorization commands 15 local_cmds none
!
!
!
!
!
aaa session-id common
! ...snip...
!
username * privilege 15 secret 5 *
! ...snip...
!
tacacs-server host
RADIUS-server application made
! ...snip...
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 authorization commands 15 acs_cmds
 login authentication DCC
 transport preferred telnet
 transport input all
line vty 5 15
 exec-timeout 0 0

* Note: the IOS-XR devices run versions 4.1.2 and 4.2.0.
Many thanks for any help you can provide.
Lior

Lior,
You must return the task ID and/or task groups in order to make this work. In my experience with these platforms it is really unnecessary to proceed with command authorization if you trust the task IDs/groups that are built into the ASR. The flow for TACACS command authorization on these devices is a bit different from traditional IOS (unless something has changed in the last 6 months): when the user tries to run a command, TACACS command authorization is triggered if the command falls under the umbrella of a task. If it does not, command authorization is never triggered. Here are some documents that I think will help you:
https://supportforums.Cisco.com/docs/doc-15944
Thank you
Tarik Admani
Tags: Cisco Security

Packages and custom DB tables for authentication and authorization
No. I have not found an existing solution. I developed my own simple solution for authentication and authorization. I recommend you do the same.

authentication and authorization
Hello Andy,
That is right. As previously mentioned, a FK only works with objects located in the same database instance.
-Udo

Urgent - Custom authentication and authorization for the ADF application
The answers you got so far all point in the right direction. ADF security relies on WLS authentication, even for business authorization with respect to user roles defined on the WLS server. During deployment, ADF security application roles are mapped to enterprise user groups.
Application developed using JDeveloper + ADF.
This would use WLS for authentication. Users - authentication via LDAP (OID): users are stored in LDAP; use the OID authentication provider in WLS. Authorization - OAM or database: authorization details are stored in DB tables or in OAM. You can't authorize users without authentication. If you need to, create additional authentication providers where they exist for OAM and RDBMS (there is an existing RDBMS provider that you can use to identify users and assign group membership to them). Then set the optional flag so that the application can still start when authentication fails for the additional providers. At runtime, admin users create roles and assign permission privileges to the roles (for pages and task flows). ADF security uses JAAS permissions, which you can change at runtime using Enterprise Manager. Permissions are granted to application roles, and application roles are granted to enterprise roles, which users then become members of. If you want to change the state of a user account, you don't do this in ADF or EM, but through direct access to the user provider (for example OID access, RDBMS access etc.). There is no unified administration API that would let you do this via WLS (which uses OPSS). If your question is in the ADF context, the documentation you should follow is OPSS and WLS authentication providers.
Frank

Authentication and authorization order with ISE
Hello, I am looking to configure ISE to authenticate domain-joined PCs (with AnyConnect NAM for user and machine authentication with EAP chaining) and to profile Cisco IP phones. The PC and the phone connect to the same switchport. The switchport configuration was: switchport
The configuration above worked well, with 'show authentication sessions' on the switch showing dot1x as the method for the DATA domain and mab for VOICE.
I decided to reverse the authentication order/priority on the switch interface so that the phone would be authenticated first by mab. As a result, 'show authentication sessions' on the switch showed mab as the method for both VOICE and DATA. To avoid this I created an authorization policy on ISE to respond with an "Access-Reject" when "UseCase = Host Lookup" and the endpoint identity group was Unknown (the group containing the AD PC). This worked well - the switch would attempt to authenticate the PC and the phone with mab; when an "Access-Reject" was received for the PC, the switch would move to the next method and the PC would be authenticated using dot1x. The only problem with this is that the ISE logs quickly filled up with denies caused by the authorization policy - is it possible to achieve the scenario above without affecting the logs? Thank you.
Hi Andy - Have you tried configuring it the following way: This "order" will tell the switchport to always start with mab, but the "priority" keyword will let the switchport accept dot1x authentications from dot1x devices. For more information see this link: Thank you for rating useful posts!

Authentication and authorization with JPSUserProvider in UCM 11g
Sometimes you don't need to make any changes, but other times you may need to update the attribute map, the account permissions delimiter, the default roles and/or accounts. Occasionally a credential map is applied to translate incoming AD group names to match UCM role and/or account names. The actual external LDAP permissions are handled via WLS, but the JPSProvider does the work of extracting the data from WLS into the UCM UserData object.
-ryan

Secure ACS authentication and authorization with SecurID
I am able to authenticate login attempts using an external database (RSA SecurID).
The problem is that everyone with a token is authorized to log in to any switch with priv 15 or whatever I set (with no way to control who gets what access). How can I authorize users based on some kind of group membership? The SecurID server is already integrated with LDAP; it only checks whether the user exists in the database. I need to create two groups, or even just allow a single group and deny everyone else, but anyone in the organization with a token is allowed to log in. I can't find guides that do anything beyond authentication when using a SecurID token. Thank you.
Hello, On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems you have only defined authentication on the devices. When authorization is in place, user access privileges can be governed by ACS. In the Default Network Access policy (if you are using the default policy for TACACS+), set the authorization rule to check membership of a user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to all other users.

Cisco ACS 5.2 authentication and authorization process
I am designing a network and I asked myself a few questions that I don't know how to answer, so I thought I'd put them on the forum to see if I can get help. First, thank you very much for reading this post, and thank you if you can add comments to help me out. Setup: two ACS, one in each data centre, serving the switches in that DC, TACACS+ in hybrid mode, falling over to the other ACS in the failure scenario. ACS version 5.2, planning an upgrade to 5.8 if it is stable. Desired result: if user authentication against AD fails, the user should be rejected. If AD is down on one ACS, that ACS should check with the other ACS, and if the other ACS has an AD connection it should relay the request to that ACS... I'm sure this is not possible, but it was the main requirement...
I was challenged on this, so now the new requirement: if AD fails, ACS should fall back to the local database. If the local database does not authenticate the user, it should let the switch send the same request to the secondary ACS rather than rejecting it. Note: the local database is reserved for the network admins, but some contractors may need to access switches and other devices; they will have an entry in AD, so if AD fails they can still authenticate against the DC2 AD via the DC2 ACS. I am thinking of setting up: Authentication rule 1 - authenticate against AD: if authentication failed - Reject; if user not found - Reject; if process failed - Continue. This should fall through to the default, which will be the internal database: if authentication failed - Reject; if user not found - Drop; if process failed - Drop. This should give no answer to the switch, and the switch should then try the second RADIUS server in the list... Could someone please explain this flow chart to me... and whether my assumptions are correct... I would like to know if there are some good diagrams I can refer to in order to see the whole process and use in my presentation... Thank you very much for reading and answering...
Hello, I'm not sure I understand your question, but I will try to answer the way I understood it. If you send a Drop as the result, this means ACS drops the request, causing the AAA client to retry against another AAA server on failure. A thread on this came up in the community a few years ago: (https://supportforums.cisco.com/discussion/11811801/aaa-servers#3931298) I hope that's what you were looking for.

Different authentication and authorization providers in JDeveloper 11.1.1.7
Hello, Not sure if I'm posting in the right forum, but here goes. We use ADF security and so far we have always had the users and roles in the same AD/LDAP. We now have a requirement for authentication via AD/LDAP but authorization within our application.
We believe we should be able to use SQL authorization, but we don't know how to configure things for authentication via AD/LDAP and authorization via SQL or something else. Can anyone help? TIA Paul
This should be possible. Look at http://www.onjava.com/excerpt/weblogic_chap17/index1.html , which gives an overview of the various providers. You should ask this question in the WebLogic Server - Security space. Timo

Separate authentication and authorization for Active Directory groups
Hi all, After a long search and failure I am writing this question. I use Oracle APEX 4.2 on Windows Server 2012 on Oracle 12c, all 64-bit. We have configured Microsoft Active Directory with LDAP. In LDAP we have a core group, say A, and below it there are two groups, staff and students. Under staff there are many other groups, and under students there are a lot of groups. I created a mobile application; it has a home page that is publicly accessible without username and password. On this home page I have a list containing two items, one is staff and the other is student. When one of the list items is clicked, the login screen appears. Now I want to control that when the user clicks on the staff list item, only staff should be authenticated; if the end user is a student, they must not be authenticated. The same goes for the student list item: if the end user clicks on the student list item, only students must be authenticated. Someone please guide me, I have failed in research and testing. Thank you. Kind regards.
Hi Maahjoor, Try this (it writes out all the attributes for the user) by logging in to your schema in SQL Developer: NOTE: The DN parameter on line 29 requires the exact distinguished name of the user. Also, in the filter on line 37 you can use the username, i.e. "cn=firstname.lastname".
You can specify that a particular attribute should be extracted for the user by changing line 33 from: TO Then you can write a function based on the code above to extract the LDAP user attribute as follows: Then create an application item AI_USER_AD_TITLE under Shared Components -> Application Items. Create the following procedure to set the application item on user login in your APEX application: Set the "Post-Authentication Procedure Name" in your authentication scheme to "ldap_post_auth". Then change the branch process on the home page of your PORTALS application to: I hope this helps! Kind regards Kiran

What is the authentication and authorization mechanism in Oracle EBS 12.2?
EBS 12.2 is based on WebLogic Server; does this mean it uses WebLogic users? The purpose of using WebLogic is explained in: Installation guide for Oracle E-Business Suite https://blogs.Oracle.com/stevenChan/entry/glimpses_of_e_business_suite Authentication is done via the FND_USER and FND_ORACLE_USERID tables. http://ETRM.Oracle.com/pls/ETRM/etrm_pnav.show_object?c_name=FND_USER&c_owner=APPLSYS&c_type=table Thank you Hussein

After authentication and authorization modules?
Hello

Trying TACACS+ authentication on Juniper ScreenOS using ACS 5.3
TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives access denied. TACACS config attached:
set auth-server "TACACS+" id 1
set auth-server "TACACS+" server-name "10.10.xx.yy"
set auth-server "TACACS+" account-type admin
set auth-server "TACACS+" type tacacs
set auth-server "TACACS+" tacacs secret "xxxx"
set auth-server "TACACS+" tacacs port 49
set admin auth server "TACACS+"
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Please advise.
I guess you posted a screenshot. I am looking forward to having a downloadable file for analysis.
~ BR * Please rate useful posts *

PIX configuration as a blocking device with TACACS+ authentication
Hello, I have a PIX running version 6.3(1). The PIX is configured to use a CSACS 3.1 server for AAA authentication and authorization over TACACS+. The sensor is running 2.0000 Sig46. Before adding AAA to the PIX, the sensor was able to log in and set up shuns correctly. Since adding the AAA configuration to the PIX, I have been unable to get the sensor to log in to the PIX for shunning. I created a login and password with admin rights for the IDS sensor to log in and create shuns. I could authenticate and build shuns manually via a Telnet and SSH connection using this login. I tried removing and re-adding blocking several times. When I configure the PIX as a Telnet blocking device, I see the state of the device as "initializing" when looking at the statistics in IDM. When I configure the PIX as an SSH blocking device, I see the state as "inactive". Please let me know if you have any suggestions - if not I guess I will open a case with TAC. Thanks in advance for the help! Kind regards Chad
Make sure the PIX is in the list of allowed hosts. From the CLI, in configuration mode, type ssh host-key (pix interface ip). Check that you have associated the PIX with the logical device profile. The logical device record contains the username, password and enable password. In IDM it is selected from a drop-down list on the blocking devices page.

RADIUS and TACACS+ authentication
We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I don't see how to set up ACS to allow a switch to use both TACACS+ and RADIUS. Can someone give me a pointer? Thank you
You need to set up the authentication on the switch once.
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
radius-server host 2.2.2.2 key cisco
tacacs-server host 2.2.2.2 key cisco
In ACS you must add the switch twice:
ACS ---> Network Configuration ---> Add AAA client
Host name: switch1, IP: 3.3.3.3, Authenticate using: RADIUS (IETF)
Add another AAA client
Host name: SWITCH2, IP: 3.3.3.3, Authenticate using: TACACS+
Kind regards
~ JG
Rate useful posts
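The decision flow asked about in the ACS 5.2 thread above (identity-sequence results mapped to Reject, Continue or Drop, and what the switch does when a request is dropped), combined with the group-to-shell-profile rule from the SecurID reply, modelled as an added illustration. This is not ACS code and not from any poster: the store names, rules, users, passwords and groups are constructed, and the behaviour modelled for Drop is the one the reply states (no answer is sent, so the AAA client fails over to its next server).

```python
"""Model of an ACS 5.x identity sequence plus a group -> shell profile
authorization rule. Added illustration for this page, not ACS code; every
store, user, password and group below is constructed sample data."""
from dataclasses import dataclass

# Outcomes of one identity-store lookup, and the actions a rule maps them to.
SUCCESS, AUTH_FAILED, USER_NOT_FOUND, PROCESS_FAILED = (
    "success", "auth_failed", "user_not_found", "process_failed")
REJECT, CONTINUE, DROP = "reject", "continue", "drop"


@dataclass
class IdentityStore:
    name: str
    users: dict                     # username -> (password, group); constructed
    reachable: bool = True          # False simulates a lost AD connection
    on_auth_failed: str = REJECT    # defaults match the asker's AD rule
    on_user_not_found: str = REJECT
    on_process_failed: str = CONTINUE

    def lookup(self, username, password):
        if not self.reachable:
            return PROCESS_FAILED, None
        record = self.users.get(username)
        if record is None:
            return USER_NOT_FOUND, None
        if record[0] != password:
            return AUTH_FAILED, None
        return SUCCESS, record[1]


def authenticate(stores, username, password):
    """Walk the identity sequence. Returns ('accept', group), ('reject', None)
    or ('drop', None); 'drop' means ACS sends no reply at all."""
    for store in stores:
        outcome, group = store.lookup(username, password)
        if outcome == SUCCESS:
            return "accept", group
        action = {AUTH_FAILED: store.on_auth_failed,
                  USER_NOT_FOUND: store.on_user_not_found,
                  PROCESS_FAILED: store.on_process_failed}[outcome]
        if action != CONTINUE:
            return action, None
    return "reject", None           # sequence exhausted without a match


# Authorization rules: group membership -> shell profile; the default rule
# gives DenyAccess to everyone else, as the SecurID reply recommends.
SHELL_PROFILES = {"NetAdmins": "Priv15", "Contractors": "Priv1"}   # constructed


def authorize(group):
    return SHELL_PROFILES.get(group, "DenyAccess")


def aaa_client_login(servers, username, password):
    """Switch-side view: query the servers in order; a dropped request times
    out and the next server is tried. Returns (server, decision, profile)."""
    for server_name, stores in servers:
        decision, group = authenticate(stores, username, password)
        if decision == "drop":
            continue                # no reply: fail over to the next server
        profile = None
        if decision == "accept":
            profile = authorize(group)
            if profile == "DenyAccess":
                decision = "reject"  # authenticated but not authorized
        return server_name, decision, profile
    return None, "no_response", None


def build_lab():
    """Constructed two-data-centre setup: the DC1 ACS has lost its AD link,
    the DC2 ACS still reaches AD. Both run the asker's two-rule sequence."""
    ad_users = {"netadm": ("ad-pass", "NetAdmins"),
                "contractor1": ("c-pass", "Contractors"),
                "tokenuser": ("t-pass", "Staff")}
    local_users = {"netadm": ("local-pass", "NetAdmins")}

    def sequence(ad_reachable):
        return [IdentityStore("AD", ad_users, reachable=ad_reachable),
                IdentityStore("Internal", local_users,
                              on_user_not_found=DROP, on_process_failed=DROP)]
    return [("ACS-DC1", sequence(False)), ("ACS-DC2", sequence(True))]


if __name__ == "__main__":
    lab = build_lab()
    for user, pw in [("netadm", "local-pass"), ("contractor1", "c-pass"),
                     ("netadm", "wrong"), ("tokenuser", "t-pass")]:
        print(user, "->", aaa_client_login(lab, user, pw))
```

Running the block shows the four cases the thread discusses: the local admin is accepted by the DC1 ACS from its internal store while AD is down, the contractor's request is dropped by DC1 and answered by DC2, a wrong password is rejected immediately (no failover), and a valid token holder in no mapped group is authenticated but ends with DenyAccess.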
I need only a few basic actions and features.
My idea:
Based on the tables USER, ROLES and USER_ROLES, plus some package of actions and pages (create user, grant role, authenticate, change password, activate/deactivate account etc.).
Before starting to write this little "authentication framework", I would like to ask whether you know of existing solutions.
I would rather use an existing, proven framework and save time :-)
Thanks for some tips...
We currently run several Oracle databases on 2 separate servers, with APEX installed in each database. For authentication (authorization) we have created a "user" schema for each of these databases, then one or more tables for authorization requests under the "user" table. In each of these user tables in the different databases we have a column to store the name of each user's Oracle database account, also 2 columns (username and hashed password) and another column to record their Microsoft Active Directory account name for custom authentication. In this way, different applications using the same schema can use a different authentication method.
The problem is that, for the different databases, we had to create at least one "user" table or schema per database, because there are a lot of other tables that refer to PERS_PK. Is there an elegant solution for implementing a single store for the user repository? Again, we need not only authentication and authorization; we also have tables in the different schemas and different databases that refer to these PERS_PK.
Thank you.
Andy
Regarding option 2, bi-directional updates are usually difficult to manage. If you can't make it master/slave somehow, you had better use the first option.
Custom implementation for authentication and authorization for the application of the ADF
My project uses OID for authentication, and for authorization we will need to support both OAM and DB tables (according to the customer's preference at installation time).
I am new to this and don't have a clue about it.
Please guide me on how to set up both in JDeveloper 11g + ADF.
Thanks in advance.
assign (or remove) roles to/from users.
switchport access vlan 102
switchport mode access
switchport voice vlan 101
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
Andy
authentication order mab dot1x
authentication priority dot1x mab
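How "authentication order" and "authentication priority" interact on the access switch in the ISE thread above, modelled as an added illustration (not IOS or ISE code, and not from any poster). The two endpoints, their MACs and the RADIUS verdicts are constructed; the rule modelled is the one the reply states: order decides which method is tried first, and priority lets a higher-priority method take over a session that a lower-priority method has already authorized. The reject counter stands in for the ISE log entries the asker wanted to avoid.

```python
"""Model of switch-side method order and priority for a port carrying an IP
phone (VOICE) and a domain-joined PC (DATA). Added illustration for this page;
endpoints and RADIUS verdicts below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    domain: str          # "VOICE" or "DATA", as 'show authentication sessions' labels them
    mac: str
    speaks_dot1x: bool   # sends EAPOL: the AnyConnect PC does, the phone does not


PHONE = Endpoint("VOICE", "0011.2233.4455", False)   # constructed
PC = Endpoint("DATA", "aabb.ccdd.eeff", True)        # constructed

DOT1X_OK = {PC.mac}                     # EAP chaining succeeds for the PC
PERMISSIVE_MAB = {PHONE.mac, PC.mac}    # MAB also accepts the PC's MAC
STRICT_MAB = {PHONE.mac}                # the asker's Access-Reject rule for unknown endpoints


def authenticate_port(endpoints, order, priority, mab_accepted):
    """Decide per endpoint which method finally authorizes its session.
    Returns ({domain: method or None}, number of Access-Rejects logged)."""
    sessions, rejects = {}, 0
    for ep in endpoints:
        authorized_by = None
        for method in order:
            # A session held by a method of equal or higher priority is final;
            # only a higher-priority method may still take it over.
            if authorized_by is not None and \
                    priority.index(method) >= priority.index(authorized_by):
                break
            if method == "dot1x" and not ep.speaks_dot1x:
                continue             # no EAPOL from this endpoint, dot1x never runs
            accepted = ep.mac in (mab_accepted if method == "mab" else DOT1X_OK)
            if accepted:
                authorized_by = method
            else:
                rejects += 1         # ISE answered Access-Reject: one log entry
        sessions[ep.domain] = authorized_by
    return sessions, rejects


if __name__ == "__main__":
    port = [PHONE, PC]
    # Original config: dot1x first, dot1x preferred.
    print(authenticate_port(port, ["dot1x", "mab"], ["dot1x", "mab"], PERMISSIVE_MAB))
    # Order and priority both reversed: the PC gets stuck on mab.
    print(authenticate_port(port, ["mab", "dot1x"], ["mab", "dot1x"], PERMISSIVE_MAB))
    # The asker's workaround: reject MAB for unknown endpoints (one log line per attempt).
    print(authenticate_port(port, ["mab", "dot1x"], ["dot1x", "mab"], STRICT_MAB))
    # The reply's suggestion: mab first, but dot1x keeps priority, no rejects needed.
    print(authenticate_port(port, ["mab", "dot1x"], ["dot1x", "mab"], PERMISSIVE_MAB))
```

The last two calls end with the same sessions (mab for VOICE, dot1x for DATA); only the reject count differs, which is the logging difference the asker was trying to get rid of.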
Can someone direct me to where I can find more information on JPSUserProvider? The UCM documentation just mentions that JPSUserProvider is configured in UCM by default and is used for authentication and authorization. In another document it is mentioned that UCM 11g has nothing to do with user authentication; all authentication is handled by WebLogic, and SSO must be configured against WebLogic. If SSO is configured and an external LDAP is used as the user store in WebLogic, do I need to make changes in UCM? I want to know the role JPSUserProvider plays in UCM and the sequence of events that take place after the user enters credentials at < Server >: < port > / cs/login/login.htm.
Any help in pointing the right resources is appreciated.
Thank you
Shyam
DECLARE
-- Adjust as necessary.
l_ldap_host VARCHAR2(256) := 'hct.org';
l_ldap_port VARCHAR2(256) := '389';
l_ldap_user VARCHAR2(256) := 'cn=hct\itnew';
l_ldap_passwd VARCHAR2(256) := 'itnew';
l_ldap_base VARCHAR2(256) := 'DC=hct,DC=org';
l_retval PLS_INTEGER;
l_session DBMS_LDAP.session;
l_attrs DBMS_LDAP.string_collection;
l_message DBMS_LDAP.message;
l_entry DBMS_LDAP.message;
l_attr_name VARCHAR2(256);
l_ber_element DBMS_LDAP.ber_element;
l_vals DBMS_LDAP.string_collection;
BEGIN
-- Choose to raise exceptions.
DBMS_LDAP.USE_EXCEPTION := TRUE;
-- Connect to the LDAP server.
l_session := DBMS_LDAP.init(hostname => l_ldap_host,
portnum => l_ldap_port);
l_retval := DBMS_LDAP.simple_bind_s(ld => l_session,
dn => l_ldap_user||','||l_ldap_base,
passwd => l_ldap_passwd);
-- Get all attributes
l_attrs(1) := '*'; -- retrieve all attributes
l_retval := DBMS_LDAP.search_s(ld => l_session,
base => l_ldap_base,
scope => DBMS_LDAP.SCOPE_SUBTREE,
filter => l_ldap_user,
attrs => l_attrs,
attronly => 0,
res => l_message);
IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
-- Get all the entries returned by our search.
l_entry := DBMS_LDAP.first_entry(ld => l_session,
msg => l_message);
<< entry_loop >>
WHILE l_entry IS NOT NULL LOOP
-- Get all the attributes for this entry.
DBMS_OUTPUT.PUT_LINE('---------------------------------------');
l_attr_name := DBMS_LDAP.first_attribute(ld => l_session,
ldapentry => l_entry,
ber_elem => l_ber_element);
<< attributes_loop >>
WHILE l_attr_name IS NOT NULL LOOP
-- Get all the values for this attribute.
l_vals := DBMS_LDAP.get_values (ld => l_session,
ldapentry => l_entry,
attr => l_attr_name);
<< values_loop >>
FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
END LOOP values_loop;
l_attr_name := DBMS_LDAP.next_attribute(ld => l_session,
ldapentry => l_entry,
ber_elem => l_ber_element);
END LOOP attributes_loop;
l_entry := DBMS_LDAP.next_entry(ld => l_session,
msg => l_entry);
END LOOP entry_loop;
END IF;
-- Disconnect from the LDAP server.
l_retval := DBMS_LDAP.unbind_s(ld => l_session);
DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
END;
/
l_attrs(1) := '*';
l_attrs(1) := 'title';
create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
, p_password in varchar2
, p_attrname in varchar2 )
return varchar2
as
-- Adjust as necessary.
l_ldap_host VARCHAR2(256) := 'hct.org';
l_ldap_port VARCHAR2(256) := '389';
l_ldap_user VARCHAR2(256) := 'cn='||p_username;
l_ldap_passwd VARCHAR2(256) := p_password;
l_ldap_base VARCHAR2(256) := 'DC=hct,DC=org';
l_retval PLS_INTEGER;
l_session DBMS_LDAP.session;
l_attrs DBMS_LDAP.string_collection;
l_message DBMS_LDAP.message;
l_entry DBMS_LDAP.message;
l_attr_name VARCHAR2(256);
l_attr_value VARCHAR2(256);
l_ber_element DBMS_LDAP.ber_element;
l_vals DBMS_LDAP.string_collection;
BEGIN
-- Choose to raise exceptions.
DBMS_LDAP.USE_EXCEPTION := TRUE;
-- Connect to the LDAP server.
l_session := DBMS_LDAP.init(hostname => l_ldap_host,
portnum => l_ldap_port);
l_retval := DBMS_LDAP.simple_bind_s(ld => l_session,
dn => l_ldap_user||','||l_ldap_base,
passwd => l_ldap_passwd);
-- Get specific attributes
l_attrs(1) := p_attrname;
l_retval := DBMS_LDAP.search_s(ld => l_session,
base => l_ldap_base,
scope => DBMS_LDAP.SCOPE_SUBTREE,
filter => l_ldap_user,
attrs => l_attrs,
attronly => 0,
res => l_message);
IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
-- Get all the entries returned by our search.
l_entry := DBMS_LDAP.first_entry(ld => l_session,
msg => l_message);
<< entry_loop >>
WHILE l_entry IS NOT NULL LOOP
-- Get all the attributes for this entry.
DBMS_OUTPUT.PUT_LINE('---------------------------------------');
l_attr_name := DBMS_LDAP.first_attribute(ld => l_session,
ldapentry => l_entry,
ber_elem => l_ber_element);
<< attributes_loop >>
WHILE l_attr_name IS NOT NULL LOOP
-- Get all the values for this attribute.
l_vals := DBMS_LDAP.get_values (ld => l_session,
ldapentry => l_entry,
attr => l_attr_name);
<< values_loop >>
FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
l_attr_value := l_vals(i);
END LOOP values_loop;
l_attr_name := DBMS_LDAP.next_attribute(ld => l_session,
ldapentry => l_entry,
ber_elem => l_ber_element);
END LOOP attributes_loop;
l_entry := DBMS_LDAP.next_entry(ld => l_session,
msg => l_entry);
END LOOP entry_loop;
END IF;
-- Disconnect from the LDAP server.
l_retval := DBMS_LDAP.unbind_s(ld => l_session);
DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);
return l_attr_value;
END fnc_get_ldap_user_attr_val;
/
create or replace procedure ldap_post_auth
as
l_attr_value varchar2(512);
begin
l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
, p_password => apex_util.get_session_state('P101_PASSWORD')
, p_attrname => 'title' );
apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);
end ldap_post_auth;
/
begin
if :AI_USER_AD_TITLE = 'Student' then
apex_util.redirect_url(p_url=>'f?p=114:1');
else
apex_util.redirect_url(p_url=>'f?p=113:1');
end if;
end;
#{securityContext.userName}
Pedja