SSO with WebVPN ASA using RSA tokens

Current configuration:

Chip & PIN the user authenticates for-> ASA5510 8.2 Clientless VPN-> past to the 7.2 SDI RSA Authentication Manager.

I've got of authentication works great, at the first connection, users can connect with their AD usernames and RSA tokens and generate his pin code.

We used to use ACS express and their advertising information for vpn authentication, but now we have to two factors of authentication.

Is it possible to some how to maintain SSO so that when the user authenticates via its RSA token they can always browse through OWA, Sharepoint, CIFS (file share) without having to enter their credentials for the AD?

Any help or information is much appreciated.

Thank you

You can activate the field "internal password" on the customization of WebVPN and also re-name-the ("Password AD" for example) and then configure the entries in the auto-code of access for internal URLS on NTLM. Such that when the guest servers the WebVPN session will send the user name used to connect to the ASA but send the internal password captured during the connection instead of the password used to connect to the WebVPN himself.

The only problem I saw during the test, there is no seam to be a graceful way to establishing a password incorrect or missing, then NTLM would fail and fall back basic over ssl. Finally it would block the AD accounts based on URL how much the user has tried when the password entered when the connection is bad or missing (because it failed to connect to the WebVPN).

Tags: Cisco Security

Similar Questions

ASA WebVPN SSO with cactus

Hello

I use SSO with HTTP POST parameters for SINGLE sign-on for web applications behind my ASA.

I am currently playing with cactus.

My settings are:

action = login

login_username = CSCO_WEBVPN_USERNAME

login_password = CSCO_WEBVPN_PASSWORD

Realm = ldap

The connection works fine, but after the post OFFICE, the Web server sends a HTTP "302 OK code." Normally, it should be "302 moved" or "200 OK".

The ASA does not include what to do, to do nothing and replies with an error "Server is not available >.

When I press the 'Home' button and click again on the bookmark of cactus, I'm connected to cactus. It seems that there is a cookie or something missing.

When I do exactly the same with a browser, it sends after the "302 OK" normal GET and I am connected.

Me seems a mistake in cactus, but I'm not also sure if ASA does not respond properly?

Also, when I change the type of bookmark of https to post, it works! BUT: post plugin only supports http and not https, so my connections has send in clear on the internal network.

Any ideas?

Thank you

MB
```
configure the POST plugin for HTTPS by using the csco_proto=https parameter

in the Post-Plugin URL
```

Remote access VPN integration with RSA token

Hello friends,

I currently have an ASA 5520 9.0 focusing distance french authenticated VPN access a Radius of the ACS server. I also have a server ACS Ganymede + allowing to authenticate access to network devices (routers, switches, etc.). My Manager asked me to include a second level of authentication through RSA token´s. Question´s:

How does it work?

Can I use my ACS Ganymede + as a method of redundancy for authentication of the VPN´s in the case where my Radius server goes down?

I can use my ACS server RADIUS as a method for redundancy for managing my network devices in the case of authentication my Ganymede + server goes down?

In addition, the RSA token can be used to authenticate access to manage network devices?

Any comments will be appreciated.

Kind regards!

RSA has built in the radius server and itself it can serve as a factor of two.

using Token RSA server inside itself is two factor when you use a PIN and access code.

Using of Ganymede + for VPN is not possible.

Check with your administrator RSA for the integration steps.

Is that you can directly integrate the ASA with RSA and integrate with RSA ACS as well.

This way you have redundancy in the RSA server.

http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...

Rate if useful :)

Knowledge sharing makes you immortal.

Kind regards

Ed

Using a Cisco VPN on iPad and incorporating RSA tokens

Hello community of Cisco,

I have what seems like a simple question. I have almost no experience network so hopefully someone here can answer that. I have this project iPad for my internship in which they want to create a remote access to their network using a VPN and a soft/hard security token. It seems that they already use hard tokens RSA for their current home VPN connections. They use portable computers to their home but want to start using iPads as well. So my question is, an iPad can support a Cisco VPN using hard tokens RSA authentication? I just need a concrete answer to the management of work and literally just give them somewhere to start. Thank you for taking the time to read my question and reply.

Phil

Phil,

AnyConnect on iphone/ipad/ipod should be able to handle hardtoken auth, but with softoken itegration could be problematic (the last time I heard that it was not supported at all).

M.

WebVPN ASA "Customization of help" is not up to date

Hello

I have a set the clientless VPN (WebVPN) ASA for a customer portal that you am only using the plugin RDP Protocol. I would rephrase the RDP help that appears on the RIGHT side of the screen once the user is logged in, because the text is quite vervbose and especially does not apply to my deployment (I only provided bookmarks for RDP sessions, no manual entry or navigation were allowed).

I tried to download a .htm file to the 'personalization help' for RDP but after connection via a WebVPN session the new page simply does not, all I have is the standard on the box help page.

It sounds pretty simple and I followed the steps in this document

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a008094abcb.shtml#helpapps

I tried a lot of files with different extensions all this without a bit of luck. Y at - there are simple somehting that I'm missing or that simply not work?

I tried on 8.0 (4) and 8.4 (1) with the same results (or not), someone at - he never had any luck with this?

Thanks to all in advance.

Hello

How do import you exactly? What language option do you use? Tried "in" ASA is set to default ' fr', for other languages that the "us - in ' respective translation table necessary to add

Thank you

Asim

Problem ACS 4.0 and Server RSA Token

Hello

We are having a problem trying to get 4.0 for Windows GBA authenticate users on a Server Token RSA wireless.

Our Cisco 1200 AP series is configured for WPA2 and LEAP Authentication. He points to the ACS server for RADIUS authentication. Now, it works very well for users with a static password defined on the internal database of GBA. However, for obvious security reasons, we? d as the transmitted authentication to our server internal RSA.

I installed RSA Agent on the same server as the ACS along (after adding the sdconf.rec file in the System32 folder). The RSA server was added to the ACS external database and a user configured to use the Token RSA server for password.

When we try to authenticate, the ACS fails the attempt with reason? External DB passes invalid?. The same user can authenticate successfully during the use of the RSA test authentication tool that is installed on the ACS server under the RSA Agent software.

After running some debugs a pix in front of the servers, I see traffic to and from the servers when you use the test tool (that works), but it looks like GBA doesn't? t even send traffic to the RSA server during authentication.

Any help or advice appreciated.

Thank you

no no no no! Do not use EVER of RSA with WIFI + PAP.

The token + pin can be sniffed and is good for 60 seconds... on the Wifi which is disastrous.

SSO with Cloud-based deployments hybrid

Hello

I m wondering, how SSO works with the Hybrid Cloud-Based deployments.

I want to use Jabber for Windows with WebEx Connect and unified with Cisco WebEx Communications integration.

Issues related to the:
1. How can I configure Jabber for Windows to use SSO with WebEx Connect after Installation of the Client?
2. I ve read, that the SSO with WebEx Connect username will be [email protected] / * /. Fix?
3. I ve read, that I need to create a jabber - config.xml with a following to apply Jabber for Windows to use the connection information Webex-Connect also for telephone Services. Fix?
4. presence
5. If this is correct, Jabber for Windows will use [email protected] / * / to authenticate with CUCM, but CUCM would need only the name without the domain name user. From my point of view, Jabber for Windows will not be able to authenticate with CUCM Telephony Services.
Any thoughts?

Thank you

Tino

Hi Tino,

You can use the command line arguments to specify the SSO with WebEx presence server. There is no real soloution SSO at present for hybrid mode (CUCM, unit Cxn). See the answer online for other issues.
- I ve read, that the SSO with WebEx Connect username will be [email protected] / * /. Fix?
>> Fix
- I ve read, that I need to create a jabber - config.xml with a following to apply Jabber for Windows to use the connection information Webex-Connect also for telephone Services. Fix?
>> Attribute 'PhoneService_UseCredentialsFrom' can only be used in the deployment prem No.. Check the section plan for authentication of the administration of Jabber for Windows for more information guide.

Thank you

Ménard

8.4 ASA using NAT VPN issue.

Hello

I'm working on a customer site and they have a problem with one of their VPN (we have other works well), but it is a major issue and I think it's because we use manual NAT and NAT of the object on the same server for different things.

Traffic between indoors and outdoors:

It works with a specific manual NAT rule of source from the server 10.10.10.10 object

Inside

SRC-> DST

10.10.10.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 SNAT = VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">

It works with a specific using the NAT on the server of 10.10.10.10 object

Remote

SRC-> DST

1.1.1.10-> 1.1.2.10 1.1.1.10-> 1.1.2.10 <3rd party="" fw="">= VPN =-> 1.1.2.10 1.1.1.10 1.1.1.10-> DNAT 10.10.10.10

If we have the manual NAT and NAT object it does anyway.

So the question is (as I am new to zip code 8.3 ASA) should not mix the 2 types of NAt and look at configuring it all with manual NAT or NAT object?

With the NAT object out it does not work as it is taken in ouside NAT inside all:

Dynamic NAT (inside, outside) source no matter what interface (this NAT to 1.1.1.1 then does not match the card encryption for VPN)

and I tried a no - nat above that, but that does not work either.

Straws and hugging come to mind try to configure a different config. Any pointers in the right direction would be great.

Kind regards

Z

Hello

I'm not sure that installing even with the explanation. Each NAT configuration I did for VPN used Section 1 Manual / NAT twice.

You have configured the rule by default PAT that you use as Section 1 NAT rule. NAT rules in the new software are divided into 3 sections
- Section 1: Manual / twice by NAT
- Section 2: Purpose NAT
- Section 3: Manual / double NAT (moved to section 3 using the setting "auto after")
- The Sections are passed by from 1 to 2 and 3 in order to find a match.
You should also notice that the Section 1 and Section 3 NAT has "line number" similar to the ACL parameter type. So if you have a default existing PAT rule configured for Section 1 and just add another Section 1 NAT rule without line/order number (VPN NAT) then it will just fall under the existing rule, making the new useless rule.

I would advice against the use of the rule by default PAT as Section 1 NAT rule. Finally, this means that you be constantly watch and edit its configuration when you try to configure more specific rules.

As a general rule 3 of the Section the PAT above default configuration would be the following

NAT (inside, outside) after the automatic termination of dynamic source no matter what interface

This would mean that you need to remove the old. That would mean as naturally as the change would temporarily dismantling all the current connections through "inside", "Outside" while you change the NAT rule format.

If after this configure a NAT twice to the VPN (wihtout the setting "auto after"), it will be the rule in article 1 while the default PAT will be Section 3. Of course, Section 1 will be matched first.

I'm not quite sure of what your setup of the foregoing have understood.

You're just source NAT?

I guess that the configuration you do is something like this?

network of the LAN-REAL object

10.10.10.0 subnet 255.255.255.0

purpose of the MAPPED in LAN network

1.1.1.0 subnet 255.255.255.0

being REMOTE-LAN network

1.1.2.0 subnet 255.255.255.0

NAT static destination of LAN LAN-REAL-MAPPED Shared source (indoor, outdoor) REMOTE - LAN LAN

If the network 1.1.1.0/24 is supposed to be one that is connected directly to your "external" to the format interface may need to be anything else.

-Jouni

OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6
Hello world!

I configured an OAM (webgate) + DIO + OBIEE + OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It works very well.
The CAO authenticates OID (default user identity store).
The * "User research Base" * is the same (* "cn = Users, dc is mydomain, dc = com" *) in the store of identity and authentication provider OID of OBIEE too.
SSO is enabled in OBIEE and suppliers are:
OID (provider that performs authentication LDAP 1.0) JUST
REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
DefaultIdentityAsserter

IF the * "User name attribute" * is * '' cn '' * in-store OAM of identity of the users and the provider of the OID of the OBIEE * "user name attribute" * is * "cn" * (by default) also, everything works fine.

But I have to use * "orclSAMAccountName" * instead of * "cn" * (OAM and OID provider). And in this case, I have the problem.
The OID of the OBIEE provider are:
All users filter: (& (orclSAMAccountName = *)(objectclass=person))
The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
Username attribute: orclSAMAccountName

I did a test user:
CN = test
SN = test_sn
orclsamaccountname = test_sama
UID = test_uid
krbprincipalname = test_krb
I can authenticate with test_sama OAM, but OBIEE say: * "" you are not logged here: Oracle BI Server. "*"
The bi log shows that:
+ By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
+ oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.

Why does search OBIEE the * '' cn '' * and why does not use the * "orclsamaccountname?"

Any idea?

Best regards, Jani
Hello Joseph,.

This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service

We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah).

Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error.

«You are not logged here: Oracle BI Server.»

When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist

After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services.

It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1

OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915.

If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.

Let me know if this solves the problem of Asserter.

Pls mark so useful or response.

Thank you
SVS-

SSO with ebs
Hi all

execution of 11.5.10.2 with 10.2.0.4 db multi-user.
intalled 10g as another break with the OID/SSO.
application server 10.1.2.0.2
DB server: 10.1.0.4

need to integrate SSO with ebs

following mos 233436.1

has confused with authentication UNIQUE task 2, step 5: run the registration script

as this mos says that:
A perl script is used to register the instance of Oracle E-Business Suite Oracle Internet Directory and Oracle Single Sign-On

txkrun.pl - script = SetSSOReg.
-provtmp = $FND_TOP/admin/template / < TemplName >

and a lot of google search wrote 3 steps:

-Registration of oracle home
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registerinstance = yes

-SSO registration
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registersso = yes

-Record OID
$FND_TOP/bin/txkrun.pl-script = SetSSOReg - registeroid = yes

What is the good?

If both are right, then how decide what trake should I take?

Please suggest!
Salvation;

If you have doupt that its go with sr. But if you follow google and if you hit error and if you mention your steps which is not covered in metalink with that you may have a support problem

Respect of
HELIOS

SSO with OBIEE 11 g
Hello

Has anyone use SSO with OBIEE? We have restricted MSAD/Windows with OBIEE SSO.

Let us know that it is possible to do with the authentication of the RPD?

Thank you!
Yes, as long as you're not on the v.3 version where the roles session variable cannot be initialized the. If you're on v.5, Yes, it's quite possible.

Software needed to achieve SSO with Webcenter Suite 11.1.1.2
Hi all

I installed Web center suite 11.1.1.2 on my Machine. Can someone suggest, what software I need to install in order to achieve
Oracle SSO with E-Business Suite and OBIEE.

Concerning
Nanfack marzolf

Published by: user11965597 on 15 Sep 2011 03:58
Using these business applications with WebCenter spaces? If you start a new project, why don't you use WebCenter 11 G PS3 or PS4 because there are a number of new features? Also the Oracle Access Manager (OAM) is the recommended method to achieve the goal of SSO.

Although Oracle SSO (OSSO) is the main solution for Oracle 10 G Infrastructure but Weblogic also support OSSO. Anyway, if you want to use Oracle SSO (OSSO) in WebCenter 11.1.1.2, you need after 2 software: -.

1 oracle HTTP Server (OHS)
2 oracle Internet Directory (OID)

You can find the configuration details in http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBDADFE.

You don't need additional software for E-business Suite as well.

SSO with Saml
Hi all

I train like in http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml4.html

But I get the following exception when I configure the Federation Service. I saw the same problem in the SAML in Weblogic 10.3 configuration , but when I try the same thing, I still have the same error.

< 4 June 2010 11:35:02 SGT > < error > < Console > < BEA-240003 > < Console met the following error weblogic.managemen
t.provider.UpdateException: [management: 141191] the phase of preparation of the configuration update failed with an exception:
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare (RuntimeAccessDeploymentR
eceiverService.java:283)
to weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback (Deploymen
tReceiverCallbackDeliverer.java:157)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.prepare (DeploymentReceiverC
allbackDeliverer.java:40)
at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.callDeploymentRec
eivers(AwaitingContextUpdateCompletion.Java:164)
at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.handleContextUpda
teSuccess(AwaitingContextUpdateCompletion.java:66)
to weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.contextUpdated (Aw
aitingContextUpdateCompletion.java:32)
at weblogic.deploy.service.internal.targetserver.TargetDeploymentService.notifyContextUpdated (TargetDeploymentSe
service. Java:225)
to weblogic.deploy.service.internal.DeploymentService$ 1.run(DeploymentService.java:189)
to weblogic.work.SelfTuningWorkManagerImpl$ WorkAdapterImpl.run (SelfTuningWorkManagerImpl.java:516)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.descriptor.BeanUpdateRejectedException: SAMLBeanUpdateListener SAMLSingleSignOnServiceConfigInfoImpl
: prepareUpdate() failed with exception: weblogic.security.spi.ProviderInitializationException: F.a [Security: 097558]
ionServicesMBean configuration testalias the protocol signing key is not valid.
at weblogic.security.providers.saml.SAMLBeanUpdateListener.prepareUpdate(SAMLBeanUpdateListener.java:84)
to weblogic.descriptor.internal.DescriptorImpl$ Update.prepare (DescriptorImpl.java:481)
at weblogic.descriptor.internal.DescriptorImpl.prepareUpdateDiff(DescriptorImpl.java:195)
at weblogic.descriptor.internal.DescriptorImpl.prepareUpdate(DescriptorImpl.java:174)
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare (RuntimeAccessDeploymentR
eceiverService.java:269)
>
Yes, it's ok to have multiple keys in a JKS file. We can refer to the required private key by using the alias name, which is the use of the alias here.

Let's do simple.
You can try to use the default for SAML, for what we can do is to leave the SSL and the default keystore. In this secnario you Server are configured to use:
DemoIdentity.jks as the keystore.
DemoIdentity as an alias for the private key.
DemoIdentityPassPhrase the password for the private key.

In credentials for the Mapper to configure the following:
alias: DemoIdentity
signing key password: DemoIdentityPassPhrase

and configure the Federation Service:
alias: DemoIdentity

OBIEE SSO with permission
Hi gurus,

(1) I have configured instance SSO with windows Active Directory and OBIEE.

(2) I also have another instance (without configured SSO) with table external authentication (verification of name and password of the user) and authorization (groups, that populate the session for the filtering of data variables).

Now my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory

and the groups in the external table.

The reason being, my groups are custom in the outer table groups, I do not want to keep users in the repository.

can you please give me some pointers if the scenario is possible. Thanks in advance

Thanks and greetings
Satya
Now my question is, I want a combination of scenario 1 and scenario 2. I want OBIEE SSO with Active directory and the groups in the external table.

I don't have what is your question? Just do SSO with AD, and then load the groups in the GROUP through SQL init block. What is your real problem?

To filter the report data, you must have the same structure of Group at Web cat I guess (correct me if I'm wrong).

Yes, even if you do not need to use the same workgroup name. Is MNI names I'd rather have completely separate groups, some for safety to the RPD for Web security catalog. As long as the groups exist in the appropriate location (RPD or Web catalog) and they are assigned in the block GROUP init then OBIEE will be happy, they do not need to exist in both places.

(2) No SSO will fill the Remote_User variable rather than the default USER variable.

No, you say OBIEE where to put the REMOTE_USER value. "You can simply select ': USER"FROM DUAL or if you have your users defined in a table, you can also authenticate the user exist in this table, SELECT": 'FROM USER_TABLE WHERE USER_ID =' USER: USER" which adds another layer of authentication to your SSO solution.

How to use the: token of $ $PROFILE in a game of validation of table values
Hello community,

Let me explain the scenario.

We have a set value (CLIENTS SERVICIO DIRECTO) Flex with a validation of the table included in the PO headers FDF, which shows a LOV with the recipient addressfrom the customer we want to serve the goods; that is, we act as a commisionists and the provider makes the goods to the customer's shipping address.

This Flex value, as I said, have a table, with the following table of validation validation:

Application of the table: Oracle receivables
Table name: RA_ADDRESSES_ALL a, RA_CUSTOMERS b

Table Columnns: b.CUSTOMER_NAME Varchar2 (20), a.PARTY_LOCATION_ID Varchar2 (20)

Where / Order By: a.CUSTOMER_ID = b.CUSTOMER_ID

Additional columns: a.ADDRESS1 "address" (20), a.CITY Ciudad "(10) «»

If we translate this to a SQL code:

Select a.address1,
a.City,
a.party_location_id,
b.Customer_name
ra_addresses_all a.,
ra_customers b
where a.customer_id = b.customer_id
and b.customer_id = 6283 <-this last condition clause is intended to reduce the result to the interested customer.

This select recover we two records; for the same customer, one of them for an organization_id (say 85) and one of them for the other organization_id (84).

What are looking for us, and want to, it's that the LOV, which actually display two records, only shows the recipient site to the client that belongs to the organization_id that belongs to the user who questioned or creates the purchase order.

That is, suppose that we enter in Purchasing using the who have been assigned to the business unit or Organization_id 84. We want this theLOV to show that the recipient Site to the client that belongs to the business unit or Organization_id 84.

I believe that we can achieve this by using the: token of $ $PROFILE, but we do not know how.

Any ideas?

Thanks a lot for your answer.
I think that we can use elsewhere as fnd_profile.value ('profile_name') (?)

Kind regards.

SSO with WebVPN ASA using RSA tokens

Similar Questions

Maybe you are looking for