OIF & OAM integration in Authentication Mode

Hello

I have set up an environment following the Integration with Identity Federation documentation, 11g Release 2 (11.1.2), to configure Oracle Identity Federation for use in Authentication Mode.

But I'm not able to get the OAM login page and the OIF log shows the error:

[2013 09-11 T 14: 04:27.546 + 10:00] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ActionStateMachine] [tid: [ASSETS].] [ExecuteThread: '1' for the queue: "(self-adjusting) weblogic.kernel.Default"] [username: < anonymous >] [ecid: 000E9GLO_Hq2ZND5RBL6id0002Ni00002W, 0:2] [APP: OIF #11.1.1.2.0] [URI: / fed/IIP/samlv20] Exception: {0} []

java.lang.IllegalStateException: property has not been set: oam11g-login
    at oracle.security.fed.util.config.ErrorConfigProcessor.createAndLogPropertyNotFoundError(ErrorConfigProcessor.java:72)
    at oracle.security.fed.model.config.Configuration.getStringProperty(Configuration.java:178)
    at oracle.security.fed.eventhandler.authn.SelectAuthnEngineEventHandler.perform(SelectAuthnEngineEventHandler.java:117)
    at oracle.security.fed.controller.ActionStateMachine.processEvent(ActionStateMachine.java:141)
    at oracle.security.fed.controller.EventControllerImpl.processEvent(EventControllerImpl.java:118)
    at oracle.security.fed.controller.ApplicationController.publishEvent(ApplicationController.java:425)
    at oracle.security.fed.controller.ApplicationController.publishEvent(ApplicationController.java:451)
    at oracle.security.fed.controller.ApplicationController.publishEvent(ApplicationController.java:434)
    at oracle.security.fed.controller.web.action.ResponseHandlerContext.publishEvent(ResponseHandlerContext.java:83)
    at oracle.security.fed.http.flow.authn.PerformUserAuthenticationResponseHandler.perform(PerformUserAuthenticationResponseHandler.java:32)
    at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:338)
    at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)

Thank you.

The problem is solved by the addition of the following property in the OIF configuration file.

/ user/authnoam11g

Not sure why this property has not been set during the installation/configuration.

Tags: Fusion Middleware

Similar Questions

  • OIF / question OAM

    I have the internal users who authenticate to OAM to access internal applications.
    Some of these internal users will then access Federated Apps where we are the IdP for these sites. Currently my IdP performs authentication to LDAP (same as LDAP OAM server) server.
    As I see it, this will cause the users to authenticate to the IdP again when accessing Federated applications because they are already authenticated to OAM. So, I think my IdP's authentication should be OAM and not LDAP. Is this correct?

    Correct. If your LDAP and OAM identity store are the same, I would use the "Oracle Access Manager" authentication engine in OIF to redirect all authentications to OAM. This way you can leverage SSO policies and authorization in OAM. You can do the integration via Authentication Mode or SP mode. The OAM integration guide has more details.

    Sunil.

  • "authentication control-direction in" CLOSED authentication mode

    Switch: 4510R-E, running a DEV version 3.6.0-based

    ISE: 1.2.0.899 patch 7

    Hi, I worked on a weird issue where some of my clients would pass through their IP address and the only way I could get it back was to spend their open port in authentication mode. I need to run in closed mode, because I change VLAN via MAB.

    I worked with TAC, and they suggested that I add the command "authentication control-direction in" to my switchport config (below). In a couple of tests I've done, this seems to help. But I understand why. Doesn't the control-direction command somewhat negate the principle of closed mode operation? That is, it allows communication until the device is allowed. Thank you.

    interface GigabitEthernet2/18
    switchport access vlan 34
    switchport mode access
    switchport voice vlan 66
    logging event link-status
    authentication event fail action next-method
    authentication event server dead action authorize vlan 34
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    service-policy input QoS-entry-policy
    Service-politique-accueil-port-sortie-strategie output QoS
    end

    I also need to use this command to keep devices authenticated. This was happening with a video surveillance system, which had an embedded Linux operating system. It uses MAB, and because it did not transmit much chatty traffic (unlike a Windows box), the switch would not be able to reauth it as it had no MAC address to auth, so it would show up with 'unknown' in the MAC field.

    It essentially allows traffic to flow out of the port. This enabled the unit to receive HTTP traffic and respond, and the switch could then auth it again once the device sent a frame.

    When you do a show authentication sessions you will notice that Oper control dir: both changes to Oper control dir: in

  • OIF - integrate OAM as a Module for the integration of MS

    We have a few problems integrating OIF OAM.

    We have installed the OAM SDK and configured the WebGate on the OIF server, and followed the installation instructions listed here (http://download.oracle.com/docs/cd/E12839_01/oim.1111/e13400/deployment.htm#DAFEEAAI)

    We put the %DOMAIN_HOME%\AccessServerSDK\oblix\lib folder into startweblogic.cmd.

    We tried %DOMAIN_HOME%\AccessServerSDK\oblix\lib with -Djava.library.path= in the arguments of the WebLogic server startup section.

    We have set any environment variables listed in the documentation.

    The error we receive the first time we try to integrate with OAM, after we have started the WebLogic server, is: caused by: java.lang.UnsatisfiedLinkError: no obaccess in java.library.path

    If we then try again, we get: caused by: java.lang.NoClassDefFoundError: com/oblix/access/ObConfig

    There is information about this error in Metalink, but it refers only to a solution for Linux [ID 579393.1]

    Kind regards
    Tim

    I'm glad it helped.

    http://www.oracle.com/technology/products/id_mgmt/coreid_acc/PDF/oracle_access_manager_certification_10.1.4_r3_matrix.xls <-- certification matrix that defines only 32-bit JVM as supported for OAM

  • Driver for Virtual PC integration device in XP Mode

    Finally got around to trying XP Mode (Ultimate x64) and some programs aren't
    working, with strange error messages.  Roxio Creator 2009 gives me an error
    message that Remote Desktop is not supported by this application.  I do not
    know what RD has to do with MyDVD.
    In any case, I checked Device Manager in XP Mode and see 3 yellow ? marks for
    Virtual PC Integration Device, but I have no idea where to find the drivers for it.
    Searched and still nothing.  I do not know if this will fix my problem
    but this is where I begin.
    Any ideas where I can find these drivers?

    I doubt there are any drivers for the Virtual PC integration device.
    You must update the BIOS. A BIOS update should solve it.

    Kind regards
    DART

  • Home-DOT1X authentication mode

    Question - which to choose?

    Scenarios with devices attached to 3850 s 150 - 1.EZ2, ISE v1.2

    1. IP phone with a PC connected in daisy chain

    2. Dumb hub with several PCs and an IP phone

    authentication host-mode multi-domain

    or

    authentication host-mode multi-auth

    AND

    authentication violation replace

    or

    authentication violation restrict

    Regards

    For all of my deployments, I used "authentication host-mode multi-auth"; this way, I generate a more generic template and do not have to go back and touch ports that might have a switch connected to them. So I suggest using this as well unless there is a driver behind not to.

    Be careful with "dumb hubs" connected to an 802.1X-enabled port. I've run into situations where the dumb hub/switch would let dot1x authentications pass but then wouldn't pass the EAPoL logoff message, thus causing problems when connecting a new device. I guess in such a situation "authentication violation replace" might help, but you could then run into other unforeseen issues. I had a couple of deployments where EAPoL traffic was completely dropped and never reached the RADIUS server. So I had the chance to convince my clients to replace those with "compact" versions of the Cisco switch family (2960c, 3560c), so I've always used "authentication violation restrict".

    I know that that does not answer your questions directly, but I hope it helps

    Thank you for evaluating useful messages!

  • Access to the private during authentication mode

    When I connect to a Cisco device, I'm prompted to enter a username and password. Once authenticated, I need to enter the 'enable' command, then my password again, in order to have access to privileged mode. I want to be able to go directly to priv mode.

    My AAA configuration looks like this:

    aaa authentication login default group tacacs+ local
    aaa authentication login ciscoadmins group tacacs+ local
    aaa authentication enable default group tacacs+
    aaa authorization config-commands
    aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 ciscoadmins group tacacs+ local
    aaa authorization network default group tacacs+
    aaa authorization network ciscoadmins group tacacs+

    On my ACS SE (ver. 4.1.4.13), I have the user and group configured with the same settings for the TACACS+ section, with Shell (exec) checked and Privilege level checked with the value 15.

    I can get this working with RADIUS but it fails with TACACS+.

    Does anyone have a solution for this?

    Thank you

    Keith

    Keith

    I believe that the issue involves this line of the config:

    aaa authorization exec ciscoadmins group tacacs+ local if-authenticated

    It creates a named method list for authorization. IOS wants to see this method list specified on your lines (or it wants to use the default method list). I suggest that you include this line under the vty lines:

    authorization exec ciscoadmins

    or use this line in the aaa section:

    aaa authorization exec default group tacacs+ local if-authenticated

    HTH

    Rick

  • issue of intrusion via CFMAIL authentication mod...

    OK. I have had a CF site for a long time... It appears that in the old days you could use a little cfmail tag with params such as...

    <cfmail to="xxx"
            from="xx"
            subject="xxx"
            server="xxx">
    test
    </cfmail>

    but when you're working on a newly modified site, NOW it seems I need more authentication, with user and pass, such as:

    server="xxx" username="xxx" password="xxx">

    More information: in reality the MX mail is NOW on a different server from the CF site, so maybe this could lead to the necessary changes?

    Q: is it true?

    It really depends on your mail server.  Are they using the same email software on the new server as they did when it was on the same box as ColdFusion?  In addition, if you put the server name, username and password information in the CF Administrator, you shouldn't need to include them in your tags.

    -Carl V.

  • Authentication to the multi level in OAM - use authentication Plugin

    Hi all

    Please post your useful suggestion to reach the following requirement:

    The requirement is to authenticate with username, password I and password II. To do this, I need to customize the authentication form.
    I use OAM 10.1.4.3, in which there is no auth plugin code example in the example folder mentioned in the developer's guide!

    So I am trying with the sample files available with the old OAM version 10.1.4.1. There is a single Windows-based DSP file (makefile) and I am working on Linux. Could someone help me to convert this file to a Linux-compatible file?

    There are no clear instructions on customizing the authentication scheme in the Dev guide, so it will be great if someone could help me with this.

    Cheers,
    Ashish

    For authentication schemes check - http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authen.htm
    and for the creation of authorization plugins check - http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10355/authnapi.htm#BABJJFCE

    An example of an authentication plugin is also present at - http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/e10355/authnapi.htm#BABFEAIA

    Creating a makefile for Linux should not be that difficult; here is an example makefile you can use for your reference...

    # Makefile for authentication and authorization plug-ins

    AUTHNAME = auth
    AUTH_SO_NAME = auth

    SRC_DIR = .
    INCLUDE_DIR = include

    LIBNAME = auth.so
    SOURCES = auth.c
    OBJS = $(AUTH_SO_NAME).o
    LIBS =

    # header search path
    INCLUDE_FLAGS = -I$(INCLUDE_DIR)
    # linker flags
    LD_FLAGS = -lodbc

    CC = gcc

    CC_CMD = $(CC) -D_REENTRANT
    LD_CMD = $(CC) -shared

    # recipe lines below must start with a tab character
    $(LIBNAME): $(OBJS)
    	$(LD_CMD) $(OBJS) $(LD_FLAGS) -o $@ $(LIBS)
    	chmod +x $(LIBNAME)

    $(OBJS): $(SOURCES)
    	$(CC_CMD) $(INCLUDE_FLAGS) $(CFLAGS) -c -o $@ $(SOURCES)

    clean:
    	rm -rf $(OBJS) $(LIBNAME)

    # end

    Let me know if you need anything else.
    Sam

  • Domain user in dell FS7610 authentication mode

    Hello world

    I have configured my first FS Nas.FS 7610 7610 are integrated with PS Series equallogic and we reached FS7610 by Group Manager gui. Container and actions are created via the gui Manager, shares are available on the network, but we are only successful connect CIFS share with CIFS administrator account storage not the domain administrator account even if the FS7610 are joined with domain name must also know what to authenticate the domain user to share any CIFS.

    Thank you & best regards,

    Ali Hassan

    Problem has been solved by entering a DNS entry...

  • Certificate authentication mode?

    I want to try to build a more secure LAN. I want every client (wired or wireless) that connects to the network to use a certificate, not a username/password pair.

    But now, as I am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, RADIUS is perhaps more appropriate, but I don't know how to establish the certification authority.

    Any help or suggestion will be appreciated!

    More generally, we do this in the context of implementing a product such as Cisco Identity Services Engine (ISE). ISE uses 802.1X and has the ability to check clients for things such as a certificate during the authentication / posture assessment / remediation process.

    Also, it acts as a RADIUS server, and can dynamically issue a change of authorization (CoA) to the authenticator (i.e. switch or wireless controller) to control things like the client's VLAN assignment and any access lists you want to apply.

    Client side, a supplicant is used to interact with the authenticator. You can use the native supplicants in OS X or Windows, etc., but we generally recommend use of the Cisco AnyConnect Secure Mobility client with its Network Access Manager (NAM) module, because it is much more complete for this purpose.

    You could also do 802.1X with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server), but you get only more basic authentication vs. the rich functionality that ISE gives (although ISE costs much more ;)).

    Take a look at this Youtube video for an example of setting up certificates of authentication on ACS:

    https://www.YouTube.com/watch?v=U7qWJ7bIMHA

  • Privileged mode authentication using TACACS+ for Cisco routers

    I'm trying to set up a test environment where I need to be prompted for both a username and password when entering privileged EXEC mode on a Cisco IOS router. I was told the only way to do this is through TACACS+. But I haven't got all the configuration options on TACACS+ in the right place. Has anyone already done an installation like this before? I'd appreciate any help on this. Thank you.

    That's right; as I said in my previous post, you cannot accomplish what you're trying to do.  In IOS the username that you use to connect to the router is ALWAYS used when you are in enable mode.  If you want to change the user you are logged in as, you will need to log off the router and log back in with the right user.

    -Jesse

  • Help: Integration OAM 11 g R2 PS2 as an identity provider for the Federation of Salesforce

    Hi all

    I'm trying to integrate Salesforce as a provider of services using my OAM 11 g R2 PS2 as an identity provider.

    I'm stuck at after the step:

    (1) launch pad OAM-> Administration-> Service Provider attribute profile provider identity - > created SP attribute profile-> attribute Mapping-> IDPEmail = $user.attr.mail, true

    (2) launch pad OAM-> directors of the identity provider-> create partner service provider-> in the form, his request for the metadata from Salesforce metadata file.- NUMBER

    I went through the Salesforce dev instance, but was not able to download the Salesforce application metadata file. Has anyone done something similar in OAM or Salesforce?

    Any help will be appreciated.

    ~ Abhishek

    Go to {oam_host}:{oam_port}/oamfed/idp/metadata

    Search for the tag "".

    Copy the contents of the tag "" and save it using a text editor as a .cer file

    Import this .cer file as the identity provider certificate

    Note: If Salesforce complains of an error in the certificate, simply double-click the .cer file that you saved in step above, click on the tab Details and 'Copy to file' and save as format DER
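    The steps in the answer above, scripted as an added example (not from the original post or from Oracle). It assumes the tag in question is the standard SAML 2.0 metadata element ds:X509Certificate, since the tag name is missing on this page; the sample metadata, entity ID and output file names are constructed. The printed SHA-256 fingerprint lets you compare the certificate with the IdP administrator out of band before importing it at the service provider.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_idp_certs(metadata_xml):
    """Return [(use, der_bytes)] for every KeyDescriptor of the IdP role."""
    # For metadata from an untrusted source, use a hardened XML parser
    # (e.g. defusedxml) instead of the standard library one.
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if node is None or not (node.text or "").strip():
            continue
        # Metadata wraps the base64 over several lines; drop all whitespace.
        der = base64.b64decode("".join(node.text.split()), validate=True)
        if der[:1] != b"\x30":          # a certificate is a DER SEQUENCE
            raise ValueError("X509Certificate content is not DER")
        found.append((kd.get("use", "unspecified"), der))
    return found

def to_pem(der):
    """Wrap DER bytes as a PEM certificate (what a text-editor .cer holds)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: DER-shaped placeholder bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x04]) + b"demo"
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/oamfed/idp/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_B64[:6]}
        {_B64[6:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for use, der in extract_idp_certs(SAMPLE_METADATA):
        print(use, sha256_fingerprint(der))
        with open(f"idp_{use}.cer", "w") as fh:    # PEM form (hypothetical name)
            fh.write(to_pem(der))
        with open(f"idp_{use}.der", "wb") as fh:   # DER form, as in the note above
            fh.write(der)
```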

  • SSO between Simple mode and Open mode possible in OAM?

    Hello

    Our OAM SSO is in 'Open' mode (WP, PM, AM, AAA and ID).

    I would like to configure an application in SIMPLE mode between the access server and WebGate. But I'd still like to preserve single sign-on when the user accesses the Open-mode OAM-protected applications.

    Is this possible? Thank you.

    Yes, possible. The component transport security mode has no impact on end-user SSO.

    Technically, mixing modes (Simple and Open) is not supported. If you have installed some additional AAA servers in Simple mode, you can connect your WebGate to those Simple ones only and not to the others (Open mode) to avoid this problem.

    If you need to share the existing AAA servers, you will need to bring up the listener in BOTH modes. This used to work, although I have not tried it with recent versions. The technique is to (re)configure the AAA servers in Simple mode and then switch the mode parameter back to Open in the component profile in the directory (via the admin UI).

    Mark

  • OAM integration with Google login problem

    Hi all

    I'm integrating OAM 11.1.2.2.0 with Google authentication. Once setup is complete, I can see a Google link on the OAM login page, but after clicking on it, I see an error on the screen:

    Exception in the processRequest method: oracle.security.idaas.rp.RPException: there is an error with the discovery of the Yadis OpenID Protocol

    In the logs:

    < failed to communicate with the proxy: myproxy.example.com/80. Try to login www.google.com/443 now.

    java.net.UnknownHostException: myproxy.example.com

    A proxy was not configured, as it is not necessary to access the internet. I removed the proxy data from "Mobile and social media", but it still complains about it.

    Any help would be appreciated

    Javier

    Resolved:

    Navigate: OAM Console - Launch Pad - Mobile Services - Service Providers - User Profile (edit)

    Go to section: Attributes

    Add Name: proxyAuth

    Value: false

    Click SAVE
