EDQ authentication through Novell

We are currently using AD as our authentication platform for EDQ. We need to set up additional configurations for authentication through Novell. Has anybody done this? What is different from the AD configuration?
Thanks
Craig

Hi Craig,
Apologies for the late response on this. I believe an SR has been logged, and a response will be available on the SR very shortly.
Some basic notes are as follows. The examples files are missing below (but will be on the SR):
EDQ does not have out of the box support for Novel eDirectory. However it can be configured easily. To do this, you need to define a ‘realm’ with connection details for the eDirectory server and an associated ‘profile’ defining the LDAP search filters and attributes to use with the eDirectory.
All this information can be added to the login.properties file but it is sometimes simpler to define the information in separate files. Realm information can be define in files in the realms subdirectory of the security directory and profile information can be stored in the profiles subdirectory.
These are the steps:
1. In the login.properties file, add a realm ‘edir’ to the realms list:
realms = internal,...,edir
2. Create a directory realms in the security directory and store the attached edir.properties there. Amend the file with:
•     The LDAP server address. The example file has 10.8.1.182.
•     The correct LDAP domain information. The example file users the domain o=rde
•     The DN and password of the user used to connect to LDAP. The example has cn=rde,ou=users,o=rde
•     The LDAP group used to contain EDQ users. The example has testgroup
•     If the server has a certificate installed, uncomment the ‘ldap.security’ line to enable SSL connections
3. Create a directory profiles in the security directory and save the attached novell.properties there. This file is suitable for a standard eDirectory setup and should not need any changes. It assumes:
•     An objectClass of inetOrgPerson for users
•     An objectClass of groupOfNames for groups
•     The unique ID of user and group entries is the GUID attribute
The profile can be tweaked if these assumptions are not correct.
Regards,
Mike

Similar Messages

How to capture userinfo after a partner application is authenticated through SSOSDK?

I have successfully installed and deployed the Partner application for Portal using SSOSDK. My question is, once the user is authenticated through SSOPartnerServlet.java and gets thrown back to the partner app(PAPP), how do we get the user info(i.e. username) from the PAPP?
Is there an API?
I have already asked this question from oracle tech and they told me to post it
Thanks,
Hamid

Pass the name of a subrotine to handle your user commands to the fm parameter.
I_CALLBACK_USER_COMMAND = 'USER_COMMAND'.
Then code for the user command function,
form user_command using r_ucomm type sy-ucomm.
case r_ucomm.
when '<FCODE of your button>'.
Code your logic....
endcase.
endform.
To add your button using your own pf-status, you should copy a standard gui status and modify it.
To trigger this pf-status you should pass routine name to I_CALLBACK_PF_STATUS_SET.(I_CALLBACK_PF_STATUS_SET = 'SET_PF_STATUS..)
form set_pf_status.
set pf-status 'ZSTAT'. "THis ZSTAT must be created by copying a STANDARD pf-status of say some std program like SAPLKKBL. and then modifying it.
endform.

Cannot use SASL Authentication Through GSSAPI on DS 6.3

I try to kerberized DS 6.3. I do step by step instruction from "Sun Java System Directory Server Enterprise Edition 6.3" and it doesn't work.
When I try to configure the Directory Server to Enable GSSAPI I get an error:
modifying entry cn=SASL,cn=security,cn=config
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: Modification not allowed on attribute dsSaslPluginsPath
After all when I try to authenticate to the Directory Server i get response:
ldap_sasl_interactive_bind_s: Authentication method not supported
ldap_sasl_interactive_bind_s: additional info: sasl mechanism not supported
Logs file:
+[22/Sep/2008:10:28:11 +0200] conn=2 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.3.233.4:33054 to 10.3.233.4+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=GSSAPI+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - RESULT err=7 tag=97 nentries=0 etime=0, sasl mechanism not supported+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=2 - UNBIND+
+[22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=-1 - closing from 10.3.233.4:33054 - U1 - Connection closed by unbind client -+
+[22/Sep/2008:10:28:12 +0200] conn=2 op=-1 msgId=-1 - closed.+
system specyfication:
Solaris 10 x86 64-bit
DS 6.3 B2008.0311.0212 NAT

See http://forums.sun.com/thread.jspa?forumID=761&threadID=5202246 for a description of the problem and a workaround.
If you have a Sun support contract, you can request an escalation of CR 6637404.
Also, note that it looks like part of the documentation went missing. In DS5.2 the docs included an additional step
Chapter 11 Implementing Security
Configuring Client Authentication
SASL Authentication Through GSSAPI (Solaris Only)
http://docs.sun.com/source/816-6698-10/ssl.html#18500
ldapmodify -D 'cn=directory manager'
dn: cn=SASL,cn=security,cn=config
changetype: modify
add: dsSaslPluginsEnable
dsSaslPluginsEnable: GSSAPI
replace: dsSaslPluginsPath
dsSaslPluginsPath: /usr/lib/mps/sasl2/libsasl.so
modifying entry cn=SASL,cn=security,cn=config
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: Adding attributes is not allowed
-------------------------------------------------------------

PL SQL Web Service Authentication through LDAP

I have created one PL SQL Web Service and I would like to provide token security through LDAP.
I have configured LDAP for deployed webservice in oracle IAS 10.1.3 Service.
Problem Description: <?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/"><env:Body><env:Fault><faultcode>env:MustUnderstand</faultcode><faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring></env:Fault></env:Body></env:Envelope>
I have provided LDAP authentication through oracle iAS Setup.
Please help

Hi I am looking out for a good friend of mine, Rajeev Dave from Vijaywada, if your the one, please email me [email protected]
thanks,

How to do .1x port based network access authentication through ACS

How to do .1x port based network access authentication through ACS.

Hi,
802.1x can authenticate hosts either through the username/password or either via the MAC address of the clients (PC's, Printers etc.). This process is called Agentless Network Access which can be done through Mac Auth Bypass.
In this process the 802.1x switchport would send the MAC address of the connected PC to the radius server for authentication. If the radius server has the MAC address in it's database, the authentication would be successful and the PC would be granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush

OBIEE 11.1.1.6.2 BP1 authentication through Shared Services EPM 11.1.2 .2

Hi,
Any idea how to get the authentication in OBIEE through Shared Services to work?
We use Native Directory and MSAD in SS, hence we need to get the authentication through Shared Services.
We were able to run this on EPM 11.1.1.3 through LDAP server of Shared services port 28089, surely not working now.
I've tried both of the following but still no luck:
http://gerdpee.wordpress.com/2011/06/17/oracle-weblogic-and-hyperion-shared-services-11-1-1-3/
http://gerdpee.wordpress.com/2011/06/17/integration-sort-of-of-obiee-11-1-1-5-and-hyperion-shared-services-11-1-1-3/
Please help. Many thanks!!!
Cheers,
Steve

Hi Steve,
I have not been through this, but hope this helps you though. While we run the System configurator Wizard (EPM 11.1.1.2), we are now having an option to integrate EPM with OBIEE. Have you given it a shot?
I am just thinking, if we could had it configure for us, we could directly access the Subject Areas from OBIEE, just like what Mark had mentioned here : http://www.rittmanmead.com/2009/01/epm-workspace-111-and-obiee-10134-updated/
You could further look into the "SSO using CSS Token" field in the connection pool, too.
Hope this helps and I will let you know, if I have any other information.
Thank you,
Dhar

ACS user authenticating through Windows Database

Hello,
Please, i need a document/ guideline on how to configure ACS 4.2 user authenticating through Windows Database and the ACS server is running on an appliance.
Please, help.
Regards,
Ethelbert

Hi,
If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
tnx
somishra

Centralized authentication through insecure net, ASA

Hi all,
I'm looking for some ideas, products e.g. that can help me to achieve the following scenario:
- We have several customers with Cisco ASA
- We want to provide our IT-Engineer staff a remote vpn access to each customer site
- We need a centraliced AAA for the enginer vpn-authentication (TACAC+, RADIUS e.g.)
- The centralized authentication server should be on our site. So each ASA (customer site) has to do the authentication
through the insecure internet to our AAA server
- Site-to-site is not an option (several customer sites have the same IP-range)
Any ideas?
Thanks a lot,
Norbert

Norbert
I would look at using certificates for this. So each customer ASA uses your centralised certificate server for authentication.
You can use something like Microsoft CA server to act as the certificate server.
There are plenty of docs on Cisco site for using certificates both with the VPN client and the ASA.
Jon

QuickTime Streaming through Novell BorderManager

Unable to get QuickTime Steaming to work through Novell BorderManager with HTTP Proxy & NAT.... Have changed QuickTime settings to use HTTP instead of UDP.... Any thoughts for a solution?

Unable to get QuickTime Steaming to work through Novell BorderManager with HTTP Proxy & NAT.... Have changed QuickTime settings to use HTTP instead of UDP.... Any thoughts for a solution?

WLAN connection: authentication through captive po...

Access to some Wifi hotspots requires an authentication through captive portal (ID and password must be entered on a special web page). Everything works on my E65 except that I did not find the method to avoid to retype my ID and password every time I try to connect. Any idea ?

Hello,
I've a e61i and I experience a similar problem. My phone work very well on WiFi network with no encryption as well as 64-bit wep.
At home I've 2 wireless routers, both encrypted at 128 bits, one with WEP and the other with WPA. On both of them I can correctly obtain an IP thru DHCP, but the traffic do not go thru.
By using IfInfo I think I discovered the reason of the problem (unless IfInfo is not working properly...) and it seems a bug related to the netmask, broadcast and gateway settings. The router is 192.168.15.1 and this is what I get:
1) DHCP case -- I get two IP adresses: the 169.254.x.x and the one assigned to the router. DNS is also set properly, but both gateway, broadcast and netmask are set to 0.0.0.0 for both IPs.
IP Addr: 169.254.162.106
Netmask: 0.0.0.0
Broadcast: 0.0.0.0
Gateway: 0.0.0.0
DNS1: 192.168.15.1
IP Addr: 192.168.15.100
Netmask: 0.0.0.0
Broadcast: 0.0.0.0
Gateway: 0.0.0.0
DNS1: 192.168.15.1
2) Static IP 192.168.15.64, netmask set to 255.255.255.0 and gateway and DNS set to 192.168.15.1. The 169.254.x.x disappears and I get only one IP which is set to:
IP Addr: 192.168.15.64
Netmask: 0.0.0.0
Broadcast:192.168.15.255
Gateway: 192.168.15.1
DNS1: 192.168.15.1
So in conclusion, it seems that with 128bit encryption, in the DHCP case gateway, broadcast and netmask are not assigned correctly! While in the Static IP case the netmask is still not assigned correctly!!!
Hope this can help...
--AP

ACS 5.2 LDAP authentication through groupMembership

Hi all,
I've succesfully configured ACS to authenticate users against our Novell DB through LDAP External Identity Store . With this setup all users having Novell account are authenticated.
There's an extra requirement that only users belong to group "Internet Access Users" can be authenticated. Running debugging on the ACS (5.2), I've been able to see that ACS can extract the user's group properties as bellow:
LDAP-response-search-entry-attr-value=groupMembership=cn=Internet Access Users\,ou=App Groups\,ou=ZENINTH\,o=Company
but I unable to create mapping/rules that filter this extra value. What I did is :
- Under External Identity Stores --> LDAP --> LDAP_Connection --> Directory Attributes, I added Attribute Name = "groupMembership", Type: "String", Policy Condition Name: "LDAP_Connection:groupMembership"
- Under Access Policies --> Internet Access --> Authorization, I create Rule-1 stated that "LDAP-LDAP_Connection:groupMembership contains cn=Internet Access Users", it will permitAccess. The default rules is denyAccess
But it seems it didn't work (never hit Rule-1)
Could anybody shed some lights ?
Thank you very much,

Ok All is working, consider this as solved.
A restart of the ACS service magically fixed whatever was going on.
Cheers

SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
In the Membership provider name text box I entered "LdapMember"
In the Role provider name text box I entered "LdapRole"
In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"
scope="Subtree" />
</providers>
</roleManager>
I modified the SecurityTokenServiceApplication web.config with these details
<system.web>
<membership>
<providers>
<add name="LdapMemebr"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
</system.web>
I modified the web.config of the test application I created with these details
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
groupContainer="OU=people,O=validobject"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="cn"
dnAttribute="dn"
groupFilter="(&(ObjectClass=group))"
userFilter="(&(ObjectClass=person))"
scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword= "validpassword"
useDNAttribute="true"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
The server could not sign you in. Make sure your user name and password are correct, and then try again.
I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
8306 - SharePoint Foundation - The security token username and password could not be validated.
in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
then this:
Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
The LDAP server tells the SharePoint server it is ready to communicate
the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
The SharePoint server acknowledges the connection is closing
... and then nothing happens, except the error on SharePoint
What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
specified in the web.config). That part does not seem to be happening.
I am at a standstill on this and any help would be greatly appreciated.

OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
for enabling Forms Based Authentication:
"ASP.NET Membership provider name"
"ASP.NET Role manager name"
We entered a name for Membership provider, and left Role manager blank.
In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
<membership>
<providers>
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="ldap.server.address"
port="389"
useSSL="false"
connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
connectionPassword="validpassword"
useDNAttribute="false"
userDNAttribute="dn"
userNameAttribute="cn"
userContainer="OU=people,O=validobject"
userObjectClass="person"
userFilter="(ObjectClass=person)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager>
<providers>
</providers>
</roleManager>
useDNAttribute="false" turned out to be important as well.
So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
leave anything related to the role provider blank
configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
a non-existent role manager.

Remote Access VPN authentication through RADIUS

Hi,
I have configured remote access VPN (IPsec) in my Cisco ASA . Before there was only single username & password to for VPN client. Now I am planning to give access through RADIUS server. I have configured RADIUS server in WIN 2003 server.
Server configuration:
1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
3) check Grant Remote Access Permissions is selected.Click Edit Profile and check these settings:On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP,and MS-CHAP-v2.ï On the Encryption tab, ensure that the option for No Encryption is selected.Click OK when you are finished.
4.Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account.Add a user and check this profile information:On the General tab, ensure that the option for Password Never Expired is selected instead ofthe option for User Must Change Password.
On the Dial-in tab, select the option for Allow access
ASA configuration:
aaa-server vpn protocol radius
aaa-server vpn host 10.155.20.25 (RADIUS server IP )
key cisco321
tunnel-group vpnacc type ipsec-ra
tunnel-group vpnacc general-attributes
authentication-server-group vpn
but it is not working. Please guide to resolve this issue.
Regards,
som

Also, take a look at your logs on the windows server, and try debugging the asa. Try running wireshark or network monitor on the windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the asa and/or checking the logs on the server. Make sure the service is running on the windows box. Make sure that something stupid like windows firewall isnt blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"
Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.

Authentication through external trust doesn't work with rodc

We have an external sharepoint environment (B.com). For this environment we created a external trust. They trust our accounts (from A.com). On our side we have a site with an DC and a RODC (also DNS server). This site is in a DMZ. All required ports
for communication with DC's on the inside are open. The DC is used to set up the external to be removed after that. At the b.com side we've created an conditional forwarder for a.com (the rodc is used for the forwarder).
This setup is working fine. Users from both domains can access the sharepoint portal. But when we shut down the DC users from a.com aren't able to logon. We want to remove the DC cause we don't want it in the DMZ.
From online research I concluded this is because it doesn't know in what site it's in. The RODC only publishes site specific srv records. The option to change reg keys for the RODC to be able to register its srv records in the non zone specific part of dns.
This is not an option since the firewall prevents access to the rodc. This will cause all kinds of delays on our network with authentication (there's an option to make the RODC the least favorite option but this still won't prevent it from being consulted).
Is there an option to solve this through DNS on the b.com side by manually creating the srv records (which all point to the rodc)? Or are there other options perhaps (or am I on the wrong track with the not knowing in which site it is and thus not finding
the rodc)? Thanks!

anyone? Any tips would be helpful.

Wired guest lan authentication through NGS

Hello Guys,
We have 5508 controller running ver 7.2.110.0.We have configured wireless guest and wired guest WLAN profiles and assosicated necessary dynamic interfaces to it. The authentication for both wireless and wired guest is through Cisco NGS[NAC]. I have configured Webauth and added the server in the security tab for authentication. I have guest user accounts created in NGS, if I use wirless guest the auth works perfect. But the same credentials is not working with wired guest. Any advice on this issue would be really helpful
Regards
Krishna

Hey Scott,
Yes NGS is working as Radius. However I haven't checked on WLC neither NGS log to see if there is any but let me look into that. No other names also doesn't work. I did run a debug on WLC while the user was authenticating below is the output
Output of debug for wireless user where I am getting Accept message for auth at the end
User IP ADDR - 172.22.207.157
*aaaQueueReader: Aug 20 09:44:29.940: 00:23:14:ec:3d:38 Successful transmission of Authentication Packet (id 190) to 194.156.169.111:1812, proxy state 00:23:14:ec:3d:38-00:01
*aaaQueueReader: Aug 20 09:44:29.940: 00000000: 01 be 00 a2 cd 8f 91 44 a2 4f 85 f1 04 f7 14 9a .......D.O......
*aaaQueueReader: Aug 20 09:44:29.940: 00000010: d0 3e 42 94 01 1b 6d 61 68 65 62 6f 6f 62 2e 6b .>B...maheboob.k
*aaaQueueReader: Aug 20 09:44:29.940: 00000020: 68 61 6e 40 61 6d 61 64 65 75 73 2e 63 6f 6d 02 [email protected].
*aaaQueueReader: Aug 20 09:44:29.940: 00000030: 12 34 fc 96 01 47 ed 5e d3 8d 08 4e 72 ce 1d b5 .4...G.^...Nr...
*aaaQueueReader: Aug 20 09:44:29.940: 00000040: da 06 06 00 00 00 01 04 06 ac 16 cf 83 05 06 00 ................
*aaaQueueReader: Aug 20 09:44:29.940: 00000050: 00 00 0d 20 0b 42 4c 52 57 4c 43 4f 30 31 3d 06 .....BLRWLCO01=.
*aaaQueueReader: Aug 20 09:44:29.940: 00000060: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Aug 20 09:44:29.940: 00000070: 1f 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 35 37 ..172.22.207.157
*aaaQueueReader: Aug 20 09:44:29.940: 00000080: 1e 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 33 31 ..172.22.207.131
*aaaQueueReader: Aug 20 09:44:29.940: 00000090: 50 12 ef 00 53 8b 39 31 14 93 b3 82 1c f5 b5 51 P...S.91.......Q
*aaaQueueReader: Aug 20 09:44:29.940: 000000a0: 82 45                                             .E
*radiusTransportThread: Aug 20 09:44:30.516: 00000000: 02 be 00 1a 0c 8e d4 54 91 55 d6 ae b2 91 05 6e .......T.U.....n
*radiusTransportThread: Aug 20 09:44:30.516: 00000010: 93 f9 4b 7e 1b 06 00 21 70 70                    ..K~...!pp
*radiusTransportThread: Aug 20 09:44:30.517: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Aug 20 09:44:30.517: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Aug 20 09:44:30.517: 00:23:14:ec:3d:38 Access-Accept received from RADIUS server 194.156.169.111 for mobile 00:23:14:ec:3d:38 receiveId = 0
But for wired user below is the output
User IP ADDR - 172.22.207.151
5.338: 00:26:b9:e0:36:a6 Successful transmission of Authentication Packet (id 188) to 194.156.169.111:1812, proxy state 00:26:b9:e0:36:a6-00:01
*aaaQueueReader: Aug 20 09:35:15.338: 00000000: 01 bc 00 a2 2c fe c1 97 a7 d1 25 a0 59 34 89 38 ....,.....%.Y4.8
*aaaQueueReader: Aug 20 09:35:15.338: 00000010: c1 be 59 f3 01 1b 6d 61 68 65 62 6f 6f 62 2e 6b ..Y...maheboob.k
*aaaQueueReader: Aug 20 09:35:15.338: 00000020: 68 61 6e 40 61 6d 61 64 65 75 73 2e 63 6f 6d 02 [email protected].
*aaaQueueReader: Aug 20 09:35:15.338: 00000030: 12 37 c7 5c 52 27 41 5b 0d 60 98 70 76 3b b3 ba .7.\R'A[.`.pv;..
*aaaQueueReader: Aug 20 09:35:15.338: 00000040: f5 06 06 00 00 00 01 04 06 ac 16 cd 74 05 06 00 ............t...
*aaaQueueReader: Aug 20 09:35:15.338: 00000050: 00 00 0d 20 0b 42 4c 52 57 4c 43 4f 30 31 3d 06 .....BLRWLCO01=.
*aaaQueueReader: Aug 20 09:35:15.338: 00000060: 00 00 00 0f 1a 0c 00 00 37 63 01 06 00 00 02 02 ........7c......
*aaaQueueReader: Aug 20 09:35:15.338: 00000070: 1f 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 35 31 ..172.22.207.151
*aaaQueueReader: Aug 20 09:35:15.338: 00000080: 1e 10 31 37 32 2e 32 32 2e 32 30 35 2e 31 31 36 ..172.22.205.116
*aaaQueueReader: Aug 20 09:35:15.338: 00000090: 50 12 36 60 54 47 0b 84 02 5c 0b da 19 a1 05 eb P.6`TG...\......
*aaaQueueReader: Aug 20 09:35:15.338: 000000a0: af 2b                                             .+
*aaaQueueReader: Aug 20 09:35:17.053: AuthenticationRequest: 0x2ab12b50

EDQ authentication through Novell

Similar Messages

Maybe you are looking for