It is to my knowledge that as I finished setup my FreeRadius on my CentOS server, I point my router to the server and all is done.
Any user will need to use WPA2-Enterprise to login.
I previously used DAC to authenticate my user, after setting up RADIUS, do I no longer need a web page like how DAC need, right? The login form will be presented on the users device OS, right?
After thinking a lot, this is what I know.
DAC Authentication is controller-based, and as I used local database for authentication check, changing it to RADIUS will still require that webpage to be present.
In order to switch to WPA2-Enterprise, I need to configure each and every access point to use WPA2-Enterprise, and point them to the RADIUS server. That's mainly because I use Fat APs, if the access points I have in my environment are thin APs, they can simply fetch configuration from my controller.
Related
I want to provide some administrative services that will be implemented against the Office365 PowerShell, but I don't want to store decryptable administrators credentials - is there any option for authenticating without direct usage of the credentials? I am thinking about something like OAuth or another application key system.
Not 100% clear from the question but since you don't want to store creds I assume that this will be running on client computers rather than on systems that are directly under your control. I can think of two options but they both add considerably to the complexity of a script like this.
Option 1
Split your script into 2 pieces, one set up as a web listener on a server that is running with elevated privileges and the other running on the system where you want the script to be placed that makes REST calls to your web listener, this lets you only expose the functions that you actually want the lower-privileged script to have access to without having to deal with storing the creds. This is more complex to set up but doesn't require anything third-party to be in place.
Option 2
Use a privledged identity management system(I'm most familiar with CyberArk but any of them should be ok for this purpose) to store the creds, You would then sign your script with a certificate and set the identity manager to only allow a process signed with that cert and connecting from a known valid IP to access the credential, again using a web call. This is easier to do once you get the PIM installed but that can be a massive headache to do properly, not to mention expensive.
Hope I understood the problem correctly and that one of these methonds helps you.
I am trying to implement serverSessionTimeout in worklight server. I enabled serverSessionTimeout=5 and sso.cleanup.taskFrequencyInSeconds=5 in worklight.properties but no luck. We have user db entry for each user login. Ideally it should remove the user db entry once the session reached 5 minutes, but I am not able do clean the user db entry from server side. I appreciate if anybody help me on this.
As Iddo mentioned in the comments:
sso.cleanup.taskFrequencyInSeconds is related to an entirely different feature
serverSessionTimeout instructs the application server to invalidate sessions after the specified amount of time, but the actual cleanup can occur at the application server's discretion (see jaalger2's answer in this question
So in order to control the session, you need to setup the values to your liking. After that, simply let the application sever handle the memory threads.
Is there any particular reason why after the above you also need to access the database and delete rows from it? This should be handled automatically, not "manually".
I need to add Relying parties in ADFS everytime a new client comes on. I would like to automate this by just specifying either the url to the federation metadata or a file picker for the admin to load the federation metadata file.
I have been following the instructions on this site Adding a New Relying Party Trust
However I get the following error
ADMIN0120: The client is not authorized to access the endpoint
net.tcp://localhost:1500/policy.
The client process must be run with elevated administrative privileges.
not sure what I am doing wrong. I guess the bigger question is : is this the best way to set up Relying parties and Claims using code or should I use powershell commands?
This error doesn't means you have code issue. It is something related to the privilege. Test it by right mouse click the client and "Run as administrator" to see if it goes through.
As per your link, there are three ways:
Using the AD FS 2.0 Management console
Using the Windows PowerShell command-line interface
Programmatically using the AD FS 2.0 application programming interface (API)
All three are equally valid - the only difference is how much work you have to do for each e.g. the wizard is lots of mouse clicks.
What I do is set up the RP the first time via the wizard and then save the setup using PowerShell (Get RP, Get Claims etc.) and then use these to set up subsequent ones as you migrate from dev. to test. to staging etc.
I'm creating a iOS app that requires the user to log in at startup, and then uses those credentials to query 4-5 different services on a server over the course of the session.
The server (xyz) it self doesn't accept the credentials, but if the services that it provides are queried then they get accepted. For example https://xyz/service1 works, https://xyz doesn't.
Now what I'm wondering about is if there is anything that stands in the way of creating 4-5 NSURLProtectionSpace's at log in, one for each service on the server, and then use the corresponding protection space when use each service?
Or is there a better way of implementing something that could work in this situation?
All help would be appreciated.
Turns out that there is nothing that stands in the way of creating multiple NSURLProtectionSpace's since each is created for a separate url.
I'm working on installing vPopMail on CentOS for use with a Qmail / Courier-IMAP mail-server setup. So far, everything is working out well enough. Mail sent to any virtual user I have setup under any virtual domain (assuming MX records are pointed correctly in the domain DNS) I add to vPopMail is routed correctly to the vPopMail ./Maildir/ and is viewable in /home/vpopmail/domains/domain-example.com/user.name/Maildir/new.
The problem I'm having now is telling the pop service to authenticate using vPopMail instead of the ~default~ Qmail / Courier-IMAP authentication method(s).
"You also need to modify your pop server startup line to use the vchkpw program for authentication." (found at http://www.inter7.com/vpopmail/vpopmail.html) is all I can find in any documentation to even give me the clue that that needs to be done.
So, the question:
How do I tell my pop server to authenticate with vPopMail?
Thanks so much in advance! :)
(Feel free to let me know what (if) more info is needed to answer my question..)
Id go ahead and check this out
http://www.inter7.com/vpopmail/install.txt
namely item 12
then go ahead and add those lines to your rc.local file or rc.sysinit
good luck