Friday 17 December 2010

Brocade Radius Authentication with RSA Appliances

I've been banging my head against a brick wall with this one for a few hours now. RSA authentication was working OK on the existing 48K Directors but not on a new pair of 5100s that I took the opportunity to upgrade to FabOS 6.3.


Running a command such as ipaddrshow results in the error "Invalid Chassis Role".

Running userconfig --show returns the following:

> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128

The key bit here is "No chassis permission." - but we knew that!

A quick Google search returned one result suggesting the following attributes need setting:

HomeLF
LFRoleList
ChassisRole

Well, after a lot of pissing about with the brocade.dct file we had created on the SecurID appliance, I realised that what I actually need to do is pass these values across in the AVPairs1-5 attributes.

So I have amended the /usr/local/RSASecurity/RSAAuthenticationManager/radius/brocade.dct file to read as follows:

(I just edited this using vi: press i for insert mode, edit the file, then press Esc to leave insert mode and :wq to write and quit. I'm no vi expert, so don't quote me on this.)
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################
# Pull in the standard RADIUS attributes first.
@radius.dct

# Wrapper for RADIUS attribute 26 (Vendor-Specific): vendor id 1588 is
# Brocade, %t% is the one-byte vendor sub-type, the sub-length is the data
# length plus 2 for the sub-type/sub-length header, and the data is a string.
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]

# Sub-type 1 carries the role name; sub-types 2-5 carry "key=value;key=value"
# strings (HomeLF, LFRoleList, ChassisRole). The trailing "r" flags each
# attribute as a return-list (reply) attribute.
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
ATTRIBUTE Brocade-AVPairs1 Brocade-VSA(2,string) r
ATTRIBUTE Brocade-AVPairs2 Brocade-VSA(3,string) r
ATTRIBUTE Brocade-AVPairs3 Brocade-VSA(4,string) r
ATTRIBUTE Brocade-AVPairs4 Brocade-VSA(5,string) r
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################


After editing the file I restarted the RSA services by running:

sudo /sbin/service rsaauthmgr restart

(Be warned, this can take a little while to restart all the services. Users may moan too if you don't tell them beforehand.)

Now in the RSA console (RADIUS Profiles) I pass the following values in the following attributes:


Brocade-AVPairs1 = "HomeLF=128"
Brocade-AVPairs2 = "LFRoleList=admin;ChassisRole=admin"
Brocade-Auth-Role = "Admin"

I know this probably isn't the best way of passing the parameters at the moment, and they should be per user for true RBAC, but that's for another day (i.e. when I spend more time playing), and I didn't set it up this way!
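To make the dictionary and the profile values concrete, here is an added Python example (not from this post, Brocade or RSA) that encodes the three profile values above into the RADIUS Vendor-Specific attributes the brocade.dct macro describes (attribute 26, vendor id 1588, a one-byte sub-type, a one-byte sub-length that is the data length plus 2, string data), decodes an attribute list back, and checks that HomeLF, LFRoleList and ChassisRole are all present once the AVPairs strings are merged. The sample Access-Accept attribute list is constructed here, the role is written in lowercase as userconfig reports it, and Python's struct module stands in for the dictionary macro.

```python
"""Encode/decode Brocade RADIUS vendor-specific attributes (VSAs).

Added example, not code from the original post or from Brocade/RSA.  It
mirrors the brocade.dct macro: Vendor-Specific (type 26), vendor id 1588,
one-byte sub-type, one-byte sub-length (data length + 2), string data.
"""
import struct

BROCADE_VENDOR_ID = 1588   # vid=1588 in the dictionary macro
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type

# Vendor sub-types exactly as declared in brocade.dct.
BROCADE_ATTRS = {
    "Brocade-Auth-Role": 1,
    "Brocade-AVPairs1": 2,
    "Brocade-AVPairs2": 3,
    "Brocade-AVPairs3": 4,
    "Brocade-AVPairs4": 5,
}
BROCADE_TYPES = {v: k for k, v in BROCADE_ATTRS.items()}

# The keys the switch needs before it stops reporting "No chassis permission".
REQUIRED = ("HomeLF", "LFRoleList", "ChassisRole")


def encode_vsa(name, value):
    """Wire form of one Brocade VSA: Type | Len | Vendor-Id | sub-type | sub-len | data."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", BROCADE_ATTRS[name], len(data) + 2) + data  # len1=+2
    body = struct.pack("!I", BROCADE_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return [(name, value)] for Brocade VSAs.

    Other attributes and other vendors are skipped; bad lengths raise.
    """
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != BROCADE_VENDOR_ID:
            continue
        vtype, vlen = payload[4], payload[5]
        if vlen < 2 or 4 + vlen > len(payload):
            raise ValueError("bad vendor sub-attribute length")
        name = BROCADE_TYPES.get(vtype)
        if name:
            out.append((name, payload[6:4 + vlen].decode("ascii")))
    return out


def parse_avpairs(attrs):
    """Merge every Brocade-AVPairsN value ("k=v;k=v") into one dict."""
    pairs = {}
    for name, value in attrs:
        if not name.startswith("Brocade-AVPairs"):
            continue
        for item in value.split(";"):
            if "=" in item:
                k, v = item.split("=", 1)
                pairs[k.strip()] = v.strip()
    return pairs


def check_profile(attrs):
    """Return the REQUIRED keys missing from the merged AVPairs (empty list = OK)."""
    pairs = parse_avpairs(attrs)
    return [k for k in REQUIRED if k not in pairs]


# Constructed sample: the reply attribute list the profile above would produce.
SAMPLE_ACCEPT = b"".join([
    encode_vsa("Brocade-AVPairs1", "HomeLF=128"),
    encode_vsa("Brocade-AVPairs2", "LFRoleList=admin;ChassisRole=admin"),
    encode_vsa("Brocade-Auth-Role", "admin"),
])

if __name__ == "__main__":
    decoded = decode_attributes(SAMPLE_ACCEPT)
    print(decoded)
    print("missing:", check_profile(decoded))
```

Feeding decode_attributes the attribute bytes from a capture of the RSA server's Access-Accept is a quick way to confirm what the switch actually received: if check_profile reports ChassisRole missing, the switch has nothing to set a chassis role from and will keep showing "No chassis permission", whatever the profile editor appears to contain.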


Now after re-authenticating I get the following response:

> userconfig --show
Account name: xxxxx
Description: RADIUS Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
Chassis Role: admin
Home LF: 128

That's one more thing ticked off a long list!

Tuesday 9 November 2010

Working with Visual Studio projects over UNC paths

I've forever been working with local copies and then forgetting to copy them back to my central repository (I know I should use SVN or something similar).

Anyway, I've just come across the following command that now allows me to leave them alone on the network (I'm adding this here for myself and not anyone else who may one day venture across this post, probably when Visual Studio 2012 is released!).

Anyway:

%windir%\Microsoft.NET\Framework\v2.0.50727\caspol.exe -m -ag 1 -url "file:////\\computername\sharename\*" FullTrust -exclusive on


Obviously you need to change the computer name and share name bits!

Friday 1 October 2010

test

Test to try syntaxhighlighter


Imports System
Imports System.Messaging

Public Class MyNewQueue

    Public Shared Sub Main()
        ' Create a new instance of the class.
        Dim myNewQueue As New MyNewQueue()

        ' Output the count of Lowest priority messages.
        myNewQueue.CountLowestPriority()

        Return
    End Sub 'Main

    ' Counts the messages with the lowest priority in a local private queue.
    ' The queue path ".\myQueue" is an assumption; change it to suit.
    Public Sub CountLowestPriority()
        Dim myQueue As New MessageQueue(".\myQueue")
        Dim myEnumerator As MessageEnumerator = myQueue.GetMessageEnumerator2()
        Dim numberItems As Integer = 0

        ' Make sure Priority is retrieved when messages are read.
        myQueue.MessageReadPropertyFilter.Priority = True
        While myEnumerator.MoveNext()
            If myEnumerator.Current.Priority = MessagePriority.Lowest Then
                numberItems += 1
            End If
        End While

        Console.WriteLine("Lowest priority messages: " & numberItems)
    End Sub 'CountLowestPriority

End Class 'MyNewQueue

A new ping?

If, like me, you are a systems administrator and work with Windows, you can sometimes find yourself rebooting boxes regularly (well, not really, if you are any good at your job).

But you will find yourself familiar with the command ping -t.

This is all well and good, however just because the machine responds to a ping, doesn't mean it's going to let you RDP back onto it.

I wrote a console app in VB.NET to get around this. What this app does is connect on a specified port to see if it's listening, much the same as doing telnet servername 3389 and the usual Control+C if you get a response would tell you.

The program is passed two arguments on the command line:

IsOpen.exe ServerName Port

For example

IsOpen.exe DC01 3389

This will return a message as to whether it is or isn't responding, based on whether a connection can be established.

The program is deliberately forced into an infinite loop to do the equivalent of a ping -t, just because I wrote it for myself and that's what I wanted!

Pressing Control+C will let you exit the app. (I was quite proud of finding that code on the Internet and I think it will be making it into all my future console applications, which are normally called ConsoleApplication1.exe ;)

Download it here: http://www.wallis2000.co.uk/isopen.rar
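The same idea as IsOpen.exe, written here as an added Python example rather than the author's VB.NET (the original is only available as the download above). It does one thing the post's description does not spell out: a refused connection (the host is up but nothing is listening yet) and a timeout (the host is still down, or a firewall is dropping the SYN) are reported separately, which is the distinction you actually care about while waiting for a reboot. The host, port and the start_listener helper used to exercise it locally are assumptions of this example.

```python
"""TCP port watcher in the spirit of IsOpen.exe (added example, not the
author's code).  Like ping -t it loops until Ctrl+C, but a result of "open"
means a TCP handshake completed on the service port, not just that ICMP works.
"""
import socket
import sys
import time


def probe(host, port, timeout=2.0):
    """One connection attempt; returns "open", "refused", "timeout" or "error: ...".

    "refused" means the host answered with a RST (up, but nothing listening yet);
    "timeout" means no answer at all (host down, or a firewall dropping the SYN).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)


def watch(host, port, interval=1.0, attempts=None):
    """Loop like ping -t, printing one line per attempt; Ctrl+C stops it.

    attempts=None loops forever; a number bounds the loop (handy for testing).
    Returns the list of results seen, in order.
    """
    results = []
    n = 0
    try:
        while attempts is None or n < attempts:
            result = probe(host, port)
            results.append(result)
            print("%s %s:%d %s" % (time.strftime("%H:%M:%S"), host, port, result), flush=True)
            n += 1
            if attempts is None or n < attempts:
                time.sleep(interval)
    except KeyboardInterrupt:
        print("stopped")
    return results


def start_listener(host="127.0.0.1"):
    """Open a listening socket on a free local port so probe() can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: isopen.py ServerName Port")
    watch(sys.argv[1], int(sys.argv[2]))
```

Usage mirrors the original: isopen.py DC01 3389. Watching the sequence go timeout, then refused, then open tells you the box has come back up and the service has started, which is the point at which an RDP session will actually connect.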

Resolving System Center Operations Manager Alerts via Email

A brief post: a few years ago I wrote a service for MOM to allow you to close alerts via email. I saw a supplier we use had this functionality in their alerting and I wanted it!

Anyway, we have since upgraded versions of Exchange, and also MOM to SCOM and then SCOM R2, so the service has gone through a few versions, for example having to swap from Exchange WebDAV to Exchange Web Services.

The code isn't pretty; I'm not a developer, but as a systems admin the code works fine in my mind, uses hardly any memory, doesn't crash and needs no intervention from me!

I wrote it, use it daily and forgot about it!

Anyway, apparently I overwrote the copy on my website with the latest version of my SCOM to EMC Infra connector (that's a post for another time).

Anyway, the updated link is here: http://www.wallis2000.co.uk/OpsMgrEmailService.rar