802.1x, AD Authentication vs Local login

Hello,
I'm working to implement 802.1x on my LAN, using ACS 4.2 as my authentication server. I've gotten my ACS server to successfully authorize users / PCs to AD without issue. The problem I'm having is if a user uses a local logon to the PC, say a laptop that's not on the domain for some reason. I see the user authenticate as <hostname>\<local user>, like testmachine\Administrator. When dealing with 500+ PCs, I don't want to have to enter PC1\Admin, PC2\Admin etc. into ACS as local usernames. I've tried just putting "Administrator" along with the local admin PW into ACS, but it doesn't work; it wants the hostname\Administrator.
How have other people overcome this issue?
There are times when you don't want to or can't log into the domain but still need network access and unplugging / repatching a machine in someone's cube is not always feasible or convenient.
Is there a way I can change the username used to authenticate? If I log in with a local account on a PC, Windows asks for additional information to authenticate to the network...
A window pops up with the username I'm logged in with, which is grayed out, password (editable), and a grayed out PC name. Can I change the username it tries to authenticate with easily? I.e. I'm logged into the PC as Administrator, but I want to authenticate as my user.
Thanks for any clarification you can provide.

Hello,
ACS will authenticate the user it receives, so I don't know of a way to work around this on the ACS that will be scalable. What supplicant are you using? You may be able to configure the supplicant to only send the username instead of sending hostname\username when the PC is not joined to the domain. Most supplicants allow you to configure the format of the username that is sent to the ACS for authentication.
--Jesse
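The three User-Name shapes behind this thread (DOMAIN\user, HOSTNAME\user and host/fqdn), as an added illustration that is not ACS logic or anything from the original posts: a small Python model of what a supplicant-side identity rewrite, or a server-side policy in front of the identity stores, has to decide before "Administrator" can match regardless of which PC sent it. The domain list, the local-account allow list and the store names are assumptions made for the example.

```python
from typing import Iterable, NamedTuple, Optional, Set, Tuple


class Identity(NamedTuple):
    kind: str              # "domain", "local", "machine" or "bare"
    realm: Optional[str]   # AD domain (NetBIOS or DNS name) or the PC's own hostname, lower-cased
    user: Optional[str]    # account name; None for a machine identity


def classify_identity(user_name: str, known_domains: Iterable[str]) -> Identity:
    """Classify the RADIUS User-Name exactly as the switch forwards it.

    A Windows supplicant sends DOMAIN\\user for a domain logon, HOSTNAME\\user for a
    local logon (the case in the question), host/fqdn for machine authentication
    and, when configured to do so, just the bare account name.
    """
    domains = {d.lower() for d in known_domains}        # assumed list of your AD domains
    if user_name.lower().startswith("host/"):
        return Identity("machine", user_name[5:].lower(), None)
    if "\\" in user_name:
        prefix, user = user_name.split("\\", 1)
        kind = "domain" if prefix.lower() in domains else "local"
        return Identity(kind, prefix.lower(), user)
    return Identity("bare", None, user_name)


def route_authentication(user_name: str, known_domains: Iterable[str],
                         local_accounts: Set[str]) -> Tuple[str, str]:
    """Decide which identity store answers, and under what name.

    local_accounts is the (assumed) short list of non-domain account names you are
    willing to accept from *any* host once the HOSTNAME\\ prefix is stripped.
    """
    ident = classify_identity(user_name, known_domains)
    if ident.kind == "domain":
        return "ad", f"{ident.realm}\\{ident.user}"
    if ident.kind == "machine":
        return "ad-machine", ident.realm
    # "local" or "bare": stripping the prefix is what collapses PC1\Administrator,
    # PC2\Administrator, ... into one entry.  That entry is then a credential shared
    # by every PC that carries it, so only names explicitly listed get through.
    account = ident.user.lower()
    if account in local_accounts:
        return "local", account
    return "reject", user_name


if __name__ == "__main__":
    print(classify_identity("testmachine\\Administrator", ["CORP"]))
    print(route_authentication("testmachine\\Administrator", ["CORP"], {"administrator"}))
    print(route_authentication("PC2\\helpdesk", ["CORP"], {"administrator"}))
```

The point the model makes explicit: once the hostname prefix is dropped, one ACS entry with one password is accepted from 500 machines, so it should be limited to the handful of account names that are deliberately allowed and, ideally, be mapped to a restricted VLAN rather than the full corporate one.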

Similar Messages

  • Failover to local login when TACACS is reachable but not authenticating

    Hello, I'm confident I already know the answer to this question but I want to be sure.
    I am moving a large number of Cisco devices to a new TACACS server, is there anything that can be done to allow local login if the new TACACS server is reachable but not authenticating for some reason? For example if the Cisco source IP is not built correctly into the server or the key is not configured properly on the device; in these situations the server is reachable but will not provide authentication.
    I already have AAA authentication set similar to the following:
    Router1(config)#aaa authentication login default group tacacs+ line
    This will allow me to use line authentication if the tacacs server is not reachable but not if the server is reachable and not authenticating properly.
    Any ideas on how/if I can failover to local login for the example situation I provided above?

    Looks like NX-OS will not allow me to do this.
    Nexus001(config)# aaa authentication login default local group TACACS
                                                                      ^
    % Invalid command at '^' marker.
    Nexus001(config)# aaa authentication login default local ?
      <CR> 
    Nexus001(config)# aaa authentication login ?
      ascii-authentication  Enable ascii authentication
      chap                  CHAP authentication for login
      console               Configure console methods
      default               Configure default methods
      error-enable          Enable display of error message on login failures
      mschap                MSCHAP authentication for login
      mschapv2              MSCHAP V2 authentication for login
    Nexus001(config)# aaa authentication login default ?
      fallback  Configure fallback behavior
      group     Specify server groups
      local     Use local username authentication
      none      No authentication
    Nexus001(config)# aaa authentication login default local ?
      <CR> 

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will succeed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.

  • LDAP vs local login for remote access

    Hi Team,
    I am evaluating the best means for single factor authentication for remote access (client to site or SSL VPN). The options I see are creating local usernames and password or integration with Active Directory via LDAP. What are the pros and cons of these solutions.
    I feel local logins are more secure comparatively because the user first logs in using the local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes with an administrator overload and local management of user names and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

    Hello Manoj,
    IMO, I would never consider the LOCAL DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
    Local DB is used in case you need to manage a number of 15 users, for instance, so in this case it is manageable, but when it comes to a higher number it is not an option.
    Active Directory is a better solution since it is meant to handle hundreds of users and allows password-management, for instance. Also you can have many ASA devices performing DB bindings and queries to check the users' credentials against the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
    If you are looking for a more secure way to authenticate your users you can consider two-factor authentication using certificates for instance:
    AnyConnect Certificate Based Authentication.
    Why to use AD:
    Pros
    Scalable.
    Easy to manage.
    Allows password-management.
    Cons:
    Expensive (not open AD solution).
    HTH.
    Please rate helpful posts.

  • 802.1x Port Authentication via RADIUS

    I am investigating implementing 802.1x port authentication on our network.
    I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
    I have configured the switch with the following commands
    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius-server host x.x.x.x key test
    and the port to be authorised has been configured with
    dot1x port-control auto
    As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
    When I plug the PC into the port I get the request to enter login details, which I do. The RADIUS server sees the request but rejects it, because 'the password wasn't available'. Here is the output from the request, but there isn't any password field, and I know there should be, as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
    Client address [x.x.x.x]
    NAS address [x.x.x.x]
    UniqueID=3
    Realm = def
    User = Administrator
    Code = Access request
    ID = 26
    Length = 169
    Authenticator = 0xCCD65F510764D2B2635563104D0C2601
    NAS-IP-Address = x.x.x.x
    NAS-Port = 50024
    NAS-Port-Type = Ethernet
    User-Name = Administrator
    Called-Station-Id = 00-11-00-11-00-11
    Calling-Station-Id = 11-00-11-00-11-00
    Service-Type = Framed
    Framed-MTU = 1500
    State = 0x3170020000FCB47C00
    EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
    Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
    Client address [x.x.x.x]
    NAS address [x.x.x.x]
    UniqueID=4
    Realm = def
    User = Administrator
    Code = Access reject
    ID = 26
    Length = 0
    Authenticator = 0xCCD65F510764D2B2635563104D0C2601
    EAP-Message = 0x04010004
    Message-Authenticator = 0x00000000000000000000000000000000
    On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
    *Mar 2 01:58:38: dot1x-ev:Username is Administrator
    *Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
    *Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
    *Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
    *Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
    *Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
    *Mar 2 01:58:38: dot1x-ev:Sent to Bend
    *Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    *Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
    *Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
    *Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
    Again there doesn’t appear to be a password, shouldn't I see one?
    Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
    I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

    These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to relay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrypted, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
    I would recommend either:
    a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
    b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
    Eval copies are available on their websites.
    Hope this helps,
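    What attribute 79 actually carries in this capture, as an added example that is not part of the original thread: a Python decoder for the EAP-Message hex strings quoted above, plus the MD5-Challenge computation the RADIUS server performs with its copy of the password. The Access-Request's EAP-Message decodes to an EAP Response, identifier 1, type 4 (MD5-Challenge), a 16-byte digest and the name "Administrator"; the Access-Reject's 0x04010004 is an EAP Failure. There is no password attribute because EAP-MD5 never sends the password, only MD5(Identifier || password || challenge) (RFC 1994 / RFC 3748 section 5.4). The challenge from the earlier Access-Challenge is not in the post, so the verification and guessing part runs on a constructed challenge and password.

```python
import hashlib
import hmac
from typing import Iterable, NamedTuple, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4   # RFC 3748 section 5.4


class EapMd5Packet(NamedTuple):
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type field
    value: Optional[bytes]    # challenge (Request) or 16-byte MD5 digest (Response)
    name: Optional[str]       # optional Name field that follows the Value


def parse_eap_message(hexstr: str) -> EapMd5Packet:
    """Decode the EAP packet carried in RADIUS attribute 79 (EAP-Message)."""
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present")
    if code in (3, 4):                        # Success / Failure: header only
        return EapMd5Packet(code, identifier, length, None, None, None)
    if len(raw) < 6:
        raise ValueError("EAP Type / Value-Size missing")
    eap_type, value_size = raw[4], raw[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"not an MD5-Challenge packet (Type {eap_type})")
    value = raw[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size runs past the end of the packet")
    name = raw[6 + value_size:].decode("ascii", errors="replace") or None
    return EapMd5Packet(code, identifier, length, eap_type, value, name)


def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response: MD5(Identifier || password || challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + password.encode("utf-8") + challenge).digest()


def verify_md5_challenge(pkt: EapMd5Packet, password: str, challenge: bytes) -> bool:
    """What the RADIUS server does with its stored password: recompute and compare."""
    if pkt.code != 2 or pkt.value is None:
        return False
    expected = md5_challenge_response(pkt.identifier, password, challenge)
    return hmac.compare_digest(expected, pkt.value)


def guess_md5_challenge(identifier: int, challenge: bytes, response: bytes,
                        candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a captured challenge/response pair: the reason EAP-MD5
    is only acceptable on a link where nobody else can see the exchange."""
    for pw in candidates:
        if md5_challenge_response(identifier, pw, challenge) == response:
            return pw
    return None


if __name__ == "__main__":
    # EAP-Message exactly as it appears in the Access-Request quoted above.
    req = parse_eap_message("0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72")
    print(EAP_CODES[req.code], "id", req.identifier, "name", req.name, "digest", req.value.hex())
    # The Access-Reject carried 0x04010004: EAP Failure, id 1, 4 bytes, no payload.
    print(EAP_CODES[parse_eap_message("0x04010004").code])
    # Constructed data: the challenge from the Access-Challenge is not in the post.
    challenge = bytes(range(16))
    resp = md5_challenge_response(1, "s3cret", challenge)
    print(guess_md5_challenge(1, challenge, resp, ["password", "letmein", "s3cret"]))
```

    Two practical consequences follow from the decoder: the server can only verify the digest if it holds the clear-text password (or a reversibly stored one) for "Administrator", which is one of the reasons EAP-MD5 is usually replaced by PEAP or EAP-TLS in production; and anyone who captures the challenge and the response can test password guesses offline, as the last function shows.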

  • 802.1x & Web Authentication

    Dear All, can anyone help me to understand the concept of web authentication? Can it be used for guest user authentication whose PCs are not 802.1x capable? Can they be grouped in a VLAN based on user name & password via web-authentication? My requirement is to use 802.1x in the network for corporate users & for guest users. If corporate users are authenticated then they will be placed in the corporate VLAN, which is working quite well. If guest users are from the same company they should be placed in the same VLAN somehow, & if guests are from a different company then they should be placed in different VLANs based on credentials. Remember guest laptops are not 802.1x enabled/capable.
    Does anyone have an idea how to achieve this without NAC hardware?

    You can use the web-based authentication feature to authenticate end users on host systems that do not run the IEEE 802.1X supplicant. You can configure the web-based authentication feature on Layer 2 and Layer 3 interfaces.
    When a user initiates an HTTP session, the web-based authentication feature intercepts ingress HTTP packets from the host and sends an HTML login page to the user. The user keys in their credentials, which the web-based authentication feature sends to the AAA server for authentication. If the authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html#wp1067205

  • 802.1x Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS RADIUS server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it as an X509 anchor and other and still the same thing. Is anyone out there doing this?
    The window says:
    802.1X Authentication
    The Server Certificate could not be validated because the root certificate is missing.
    Thanks

    No, CA wasn't changed with R2.
    Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
    In the login keychain, when looking at the Users certificate, does it show as valid?

  • 802.1X Machine Authentication ONLY!

    Hi. I have a customer who wants to perform 802.1x machine authentication only, to prevent users connecting their own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to Active Directory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can receive an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
    I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
    Has anyone implemented this? Is it a feasible design?
    Thanks
    Darren

    Hi Darren,
    Good news for you: you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
    * ACS 5.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
    * ACS 4.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
    As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info on a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
    Depending on whether a client performed or not Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
    If the personal client doesn't have a 802.1x supplicant at all, then you can decide to enable the guest vlan feature on the switch itself.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
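    The cache-and-match behaviour Federico describes, as an added Python model that is not ACS code and not part of the original thread: a successful machine authentication is recorded against the endpoint's Calling-Station-Id, and a later user authentication from the same MAC gets full access only while that entry is within the aging window; otherwise it gets the configured unmatched action (deny, or a restricted VLAN). The aging value, the action names and the MAC formats in the sample calls are assumptions for the example.

```python
from typing import Dict


class MachineAccessRestriction:
    """Model of the ACS "Machine Access Restriction" logic: a user authentication earns
    full access only if the same endpoint (Calling-Station-Id, i.e. its MAC address)
    completed machine authentication within the aging window.  Added model, not ACS code."""

    def __init__(self, aging_seconds: float, unmatched_action: str = "deny"):
        self.aging_seconds = aging_seconds          # assumed: ACS expresses this as an aging time
        self.unmatched_action = unmatched_action    # "deny" or the name of a restricted/guest VLAN
        self._cache: Dict[str, float] = {}           # canonical MAC -> time machine auth succeeded

    @staticmethod
    def canonical_mac(calling_station_id: str) -> str:
        # NAS devices format Calling-Station-Id differently (00-11-00-11-00-11,
        # 0011.0011.0011, 00:11:00:11:00:11); strip separators so they share one key.
        digits = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {calling_station_id!r}")
        return digits

    def machine_authenticated(self, calling_station_id: str, now: float) -> None:
        """Record that host/... authentication for this endpoint succeeded against AD."""
        self._cache[self.canonical_mac(calling_station_id)] = now

    def user_authentication(self, calling_station_id: str, credentials_ok: bool, now: float) -> str:
        """Authorization result for a user authentication arriving from this endpoint."""
        if not credentials_ok:
            return "deny"                      # MAR never rescues bad credentials
        mac = self.canonical_mac(calling_station_id)
        seen = self._cache.get(mac)
        if seen is not None and now - seen <= self.aging_seconds:
            return "full-access"
        self._cache.pop(mac, None)             # stale or absent: forget it
        return self.unmatched_action


if __name__ == "__main__":
    mar = MachineAccessRestriction(aging_seconds=3600, unmatched_action="restricted-vlan")
    mar.machine_authenticated("00-11-00-11-00-11", now=1000.0)      # constructed timestamps
    print(mar.user_authentication("0011.0011.0011", True, now=1500.0))   # full-access
    print(mar.user_authentication("0011.0011.0011", True, now=9000.0))   # restricted-vlan
```

    Two caveats the model makes visible: the match is on a MAC address, which a personal device can copy from a corporate PC that authenticated recently (it still needs valid user credentials, but that is now the only barrier), and a PC that has not rebooted inside the aging window silently drops to the unmatched action at its next user logon, so the window and the helpdesk script should be chosen together.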

  • IPhone 802.1x WiFi authentication problem

    My WiFi access works fine at home and almost all WiFi areas, but I go to school where wireless access is authenticated with a login and password. It works fine on my MacBook. Since the iPhone has OS X, I thought the school's WiFi would work on my iPhone, but it doesn't. I can see the network on my iPhone and it has a check mark, but I can't connect to it because I am not authenticated (I think). Anyone know how to do this?

    On the iPhone when you try to connect to 802.1x it may ask for a password, no username, but this won't allow you access to the network. No support for it yet.
    Some also allow IPSec and/or PPTP for WiFi; you might check with your help desk people. In this case you might see the network but it would not allow you access to anything. You would need to set up VPN settings in Settings > General > Network > VPN > Settings to make a VPN connection. You have to go back to this location to enter your password because it does not save it. Also if you try to use Settings > VPN to connect, you get a number pad, not a keyboard, to enter your password. This works fine for Apple employees but almost no one else in the world.

  • Using local login while RADIUS is running

    Hello,
    I would like to configure our switches to use the local login while RADIUS is working. Currently the switch just looks to the server to authenticate, so the local account will not work unless RADIUS is down. Here is our current config:
    username networkteam privilege 15 password 7 0337572B035E95412B211F50
    aaa new-model
    aaa authentication login default local
    aaa authentication login NetworkAuth group radius local
    aaa authorization exec NetworkAuth group radius local
    aaa session-id common
    line vty 0 4
    exec-timeout 30 0
    privilege level 15
    authorization exec NetworkAuth
    logging synchronous
    login authentication NetworkAuth
    transport input ssh
    line vty 5 15
    transport input none

    Hi,
    Let me make it simple.
    The following is your configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication login NetworkAuth group radius local
    aaa authorization exec NetworkAuth group radius local
    aaa session-id common
    line vty 0 4
    authorization exec NetworkAuth
    login authentication NetworkAuth
    transport input ssh
    line vty 5 15
    transport input none
    This means that when you try to login to the switch, the first 5 sessions will head for authentication to the radius server because of the following configuration:
    aaa authentication login NetworkAuth group radius local
    aaa authorization exec NetworkAuth group radius local
    line vty 0 4
    authorization exec NetworkAuth
    login authentication NetworkAuth
    But when you have a 5th session for the switch, the authentication will happen locally because of the following configuration:
    aaa authentication login default local
    The default method list gets applied to the line vty, console and auxiliary if no specific method is mentioned.
    Hence you can use local authentication for the session after 5.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

  • Can't establish local login/authorization on 6500's

    I have a need to allow a small group of users temporary level-15 access to several 6500 switches (running 12.2-33 SXJ2 code), but do not want to provide them with the enable secret password which is used on the rest of the network (over 1200 devices).  I tried to eliminate AAA using the "no aaa new-model" command, but was told I could not remove aaa while there were active sessions, and "login local" no longer appeared as an option for vty lines.  So, I created a local user database called "support" which I used to replace the "group" entry in the authentication and authorization sections of our AAA config and for login on vty 0 4.
    [The username is given a privilege level of 15 along with an individual password for authentication.  (ex. username jsmith privilege 15 password 0 xxxxx)]
    I modified our AAA configuration to support local login, but was unable to establish "enable mode" (i.e. # prompt) with any account.  I can login locally, but only to a normal "user mode" (i.e. > prompt).
    Here is the current, unmodified and sanitized config for our AAA and line vty 0 4 sections.  Please tell me what needs to stay and what needs to go.  Thank you!
    P.S.:  for security reasons, we want to track individual activity, so need the accounting portion of aaa to stay.
    aaa new-model
    aaa group server tacacs+ XXXXXX
    server xxx.xxx.xxx.xxx
    server xxx.xxx.xxx.xxx
    aaa authentication login default group XXXXXX enable
    aaa authentication enable default enable
    aaa authorization exec default group XXXXXX none
    aaa authorization commands 15 default if-authenticated
    aaa authorization network default group XXXXXX none
    aaa authorization network MLPPP-PPP none
    aaa authorization network MLPPP none
    aaa accounting exec default start-stop group XXXXXX
    aaa accounting commands 15 default start-stop group XXXXXX
    aaa accounting network default start-stop group XXXXXX
    aaa accounting connection default start-stop group XXXXXX
    aaa accounting system default start-stop group XXXXXX
    line vty 0 4
    access-class 75 in
    exec-timeout 15 0
    privilege level 0
    password 7 xxxxxxxxxxxxxxxxxxx
    transport input ssh

    I will probably need more info before I can provide more help, but from what I am seeing in the snippet, you have aaa configured and your AAA server is a TACACS+ server. If that is the case you should keep in mind the following:
    1. If the authentication/authorization commands are referencing the TACACS+ group then you will need to add "local" at the end of the command. This will allow local accounts to be used when the AAA server is down/unreachable
    2. Keep in mind that the local users will ONLY be used when the AAA server is down/unreachable. You cannot have a mixture of both
    Side question, since you have a TACACS+ server, why don't you just create temporary accounts directly on the TACACS+ server vs local accounts? You can get very granular that way and only permit certain commands on certain devices, during certain time of the day, etc...
    Hope this helps and thank you for rating!
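    The method-list behaviour that all three AAA threads above turn on (the TACACS+ "reachable but not authenticating" question, "Using local login while RADIUS is running" and this 6500 thread) comes down to one rule: a method that answers, whether pass or fail, ends the list; only a method that cannot answer (server timeout, password not configured) hands over to the next one. The following is an added Python simulator of that rule for `aaa authentication login`, not IOS code and not part of any of the posts. Server names, usernames and passwords are constructed for the example, and the treatment of an unknown username in the local database (error, so the next method is tried, rather than a reject) is a modelling assumption that should be confirmed on your release with `debug aaa authentication`.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    PASS = "pass"    # method authenticated the user: stop, allow
    FAIL = "fail"    # method answered and rejected: stop, deny (no fallback)
    ERROR = "error"  # method could not answer (timeout, nothing configured): try the next one


class AaaServer:
    """A TACACS+/RADIUS server as the device experiences it (constructed stand-in)."""
    def __init__(self, users: Dict[str, str], reachable: bool = True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.ERROR   # no reply: the device falls through to the next method
        return Outcome.PASS if self.users.get(user) == password else Outcome.FAIL


class Device:
    """Just enough of IOS 'aaa authentication login' to trace a method list."""
    def __init__(self, server_groups: Dict[str, AaaServer], local_users: Dict[str, str],
                 line_password: Optional[str] = None, enable_secret: Optional[str] = None):
        self.server_groups, self.local_users = server_groups, local_users
        self.line_password, self.enable_secret = line_password, enable_secret
        self.method_lists: Dict[str, List[str]] = {}   # "default"/"NetworkAuth" -> methods
        self.line_lists: Dict[str, str] = {}           # "vty 0 4" -> named list

    def aaa_authentication_login(self, name: str, *methods: str) -> None:
        """'aaa authentication login <name> <method> [<method> ...]'."""
        self.method_lists[name] = list(methods)

    def login_authentication(self, line: str, list_name: str) -> None:
        """'login authentication <list>' under 'line ...'."""
        self.line_lists[line] = list_name

    @staticmethod
    def _password_method(configured: Optional[str], supplied: str) -> Outcome:
        if configured is None:
            return Outcome.ERROR   # 'line'/'enable'/'local' with nothing to compare against
        return Outcome.PASS if supplied == configured else Outcome.FAIL

    def _run(self, method: str, user: str, password: str) -> Outcome:
        kind, _, arg = method.partition(" ")
        if kind == "group":
            return self.server_groups[arg].authenticate(user, password)
        if kind == "local":
            # Modelling assumption: unknown local username -> ERROR (next method),
            # wrong password for a known user -> FAIL.  Verify on your platform.
            return self._password_method(self.local_users.get(user), password)
        if kind == "line":
            return self._password_method(self.line_password, password)
        if kind == "enable":
            return self._password_method(self.enable_secret, password)
        if kind == "none":
            return Outcome.PASS
        raise ValueError(f"unknown method {method!r}")

    def login(self, line: str, user: str, password: str) -> Tuple[bool, List[str]]:
        """Return (allowed, trace).  A line without 'login authentication' uses 'default'."""
        trace: List[str] = []
        for method in self.method_lists[self.line_lists.get(line, "default")]:
            outcome = self._run(method, user, password)
            trace.append(f"{method}={outcome.value}")
            if outcome is not Outcome.ERROR:
                return outcome is Outcome.PASS, trace
        return False, trace   # every method errored: nothing could vouch for the user


if __name__ == "__main__":
    # 'aaa authentication login default group tacacs+ line', server reachable but user unknown there
    tacacs = AaaServer(users={"ops": "Tac@cs1"})
    r1 = Device({"tacacs+": tacacs}, local_users={}, line_password="LinePw")
    r1.aaa_authentication_login("default", "group tacacs+", "line")
    print(r1.login("vty 0 4", "ops2", "LinePw"))   # (False, ['group tacacs+=fail'])
    tacacs.reachable = False
    print(r1.login("vty 0 4", "ops2", "LinePw"))   # (True, ['group tacacs+=error', 'line=pass'])
```

    The trace for the first call shows why a reject never reaches `line`: the server answered, and if a reject fell through, every later method would be a bypass of the central server, which is exactly what the "local only when the server is down" rule protects. Bind a named list such as `NetworkAuth` to `vty 0 4` with `login_authentication` and leave the console on `default` to reproduce the second thread.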

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of iOS, Android, and Windows 7/8 devices.  iOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE 1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither has helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • How to get rid of 802.1x 'Default Authentication'?

    Hi All,
    Every time I close my MBP's lid, put it to sleep, or simply turn it on...  My wifi is no longer connected.
    this all started ever since I decided to 'Turn Off Wifi' the very first time since I got my MBP this year 2011, in June.
    Whenever I do any of the above (put MBP to sleep etc) then get back to working.. My Safari says I'm not connected to the internet.
    And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
    There's that '802.1X: Default Authenticating' that appears below my wireless network's name..
    After which i have to Disconnect from twice - 1 time, before it tries to "authenticate" again.. and then a 2nd time.. and then it stops completely,
    Then i have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wifi working again..
    Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP - and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
    It would be very very much appreciated! Thank You!
    PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network etc..
    Don't really understand it though. Please explain if you could. Cheers 

    Realized that OSX Lion has re-prioritized my Wi-Fi to the bottom of the list.
    What I had to do was place it in first priority again in Network settings.
    Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting - and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues"
    Also attached above is the picture that for some strange reason disappeared in the original post..

  • Server Intermittently refuses to display local login window - screen saver

    Occasionally the local login window refuses to appear after the screen saver has been activated on my 10.5.8 Server, resulting in my inability to access the interface at all afterwards. Other symptoms of the problem are that remote logins (ssh) are also no longer possible because passwords aren't accepted for any user. The password prompt is simply displayed repeatedly in the remote user's terminal until the tries are used up, and this happens whether or not the password was entered correctly. In other words remote login is no longer possible because no password is accepted. Because of this, the computer must be forcibly restarted to achieve recovery, which has to be done locally, of course, by either holding in the power button or disconnecting power to the computer. The log entries that seem to coincide with the occurrence of the problem appear to refer to a screen saver crash. The next workaround solution I intend to try is to prevent screen saver activation altogether. What are possible causes for this? Thanks.

    Removing the following two files and reinstalling the latest server combo update were recommended by the article to which you referred.
    ~/Library/Preferences/com.apple.desktop.plist
    ~/Library/Preferences/com.apple.preference.desktopscreeneffect.plist
    I performed those steps and am still observing in order to establish whether or not they have provided a complete remedy. I haven't observed any occurrences of the problem since performing these steps, but the problem is quite intermittent, and the server remains configured to restart once every 24 hours. My next step is to remove the scheduled restart configuration so that the server runs continually. If the problem hasn't returned at all after a few weeks of continuous operation, then I'll consider the question answered. Thanks!

  • Portal authentication using two login module stacks?

    G'day,
    I am noticing something odd when I authenticate to the portal: there are two login module stacks used.
    Background: I have created a custom logon page, which is basically a form with username/password input as per [this guide|http://help.sap.com/saphelp_nw04/helpdata/en/62/601e1eebf54ca6a97e2873c8c63517/content.htm|Changing the logon screen]. I then modified the authschemes.xml file by defining a new authscheme "mylogon" that uses my own login module stack ("mystack") and uses the new logon page ("mylogonform"). This new authscheme is then made the default reference:
    <authscheme name="mylogon">
      <authentication-template>mystack</authentication-template>
      <priority>21</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.foo.bar.mylogonpage</frontendtarget>
    </authscheme>
    <authscheme-refs>
      <authscheme-ref name="default"><authscheme>mylogon</authscheme></authscheme-ref>
      <authscheme-ref name="UserAdminScheme"><authscheme>mylogon</authscheme></authscheme-ref>
    </authscheme-refs>
    When I want to access the portal, up pops the "mylogonform" page, and on clicking the "submit" button the portal page for the user is shown.
    Now here is the interesting thing: when the "ticket" login module stack is unchanged (i.e. it uses the BasicPasswordLoginModule), then the log shows that authentication to the portal uses just my login module.
    This can be seen as follows, where I navigate to the portal, logon as one user, then logoff and logon as another user:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.OK
    User: Administrator
    Authentication Stack: mystack
    The "mylogonform" page is shown when logon is required in both cases.
    However, if I modify the "ticket" login module stack by replacing the BasicPasswordLoginModule with a custom logon module that does automatic authentication, then the following is observed when the "mylogonform" page is displayed:
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    For some reason, the modified "ticket" login module stack is now being executed, which was not the case when this login module stack was unmodified.
    This stack automatically authenticates the current user (the initial failure is because the new login module asks the browser to send authentication data), and this "failure" causes the logon form to be displayed.
    I can logon to the portal as the same user, and the logs show that "mystack" login module stack is used:
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: mystack
    Logoff shows that "mystack" is used for the actual logoff, but "ticket" is called again automatically and succeeds:
    Message : LOGOUT.OK
    User: tu-1
    Authentication Stack: mystack
    Message : LOGIN.FAILED
    User: N/A
    Authentication Stack: ticket
    Message : LOGIN.OK
    User: tu-1
    Authentication Stack: ticket
    (Again, the initial logon failure is the new login module requesting that the browser send authentication data in the next request).
    This brings up the "mylogonform" page, even though it appears that a user has already been authenticated. If I try to logon as another user, the following is shown:
    Message : LOGIN.FAILED
    User: Administrator
    Authentication Stack: mystack
    Login Module                                                            Flag        Initialize  Login      Commit     Abort      Details
    com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          exception  false      true       authscheme not sufficient: basicauthentication<mylogonform
    Central Checks                                                                                exception             Call logout before login.
    I guess one cannot authenticate as a new user until the current user has been logged out.
    So ... why does the "ticket" login module get called in the second case, but not in the first case (or only shows logging in the second case) ?
    What is the logic behind portal authentication and showing a logon page?
    If I want to use custom authentication and a custom logon page, why is the "ticket" stack called at all?

    Jayesh,
    there is no such thing as "login module stacks". These do exist on the other hand:
    - login module
    - logon stacks
    Login module and logon stacks are part of the JAAS concept for defining a complex pluggable authentication scheme, originally by Sun (see: java.sun.com/products/jaas)
    A logon process is defined by a logon stack which itself consists of several login modules. Each login module performs an authentication step. Example:
    login module 1: check if valid sap logon ticket provided
    if module 1 fails: then login module 2: request user id/password
    if module 2 succeeds: then login module 3: create new sap logon ticket for user
    You can define multiple logon stacks and configure individual applications to use the one stack or the other.
    The logon stack configuration is done using Visual Administrator. Here select the security provider service for configuring logon stacks.
    btw: As logon stacks are "java-only", there are no transaction names (which only exist on Web AS ABAP).
    Regards,
    Dominik
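To make the stack/module distinction concrete, here is an added illustration (not SAP's, Sun's or either poster's code) that models the three-step logon stack described in the answer above: a ticket check, then user id/password, then ticket creation, evaluated with JAAS-style flags. The module names, the flags chosen, the credential store and the "logout before login" check are all assumptions based on the thread.

```python
# Constructed sample data: one valid logon ticket and two password entries.
VALID_TICKETS = {"ticket-for-tu-1": "tu-1"}
PASSWORDS = {"tu-1": "secret", "Administrator": "admin-pw"}

class Request:
    def __init__(self, ticket=None, user=None, password=None):
        self.ticket, self.user, self.password = ticket, user, password
        self.principal = None   # identity established so far
        self.issued = []        # tickets created during this login

def evaluate_ticket(req):
    # Module 1: succeed only if a valid SAP logon ticket is presented.
    req.principal = VALID_TICKETS.get(req.ticket)
    return req.principal is not None

def basic_password(req):
    # Module 2: check user id / password against the constructed store.
    if req.user and PASSWORDS.get(req.user) == req.password:
        req.principal = req.user
        return True
    return False

def create_ticket(req):
    # Module 3: issue a new logon ticket for the authenticated user.
    req.issued.append("ticket-for-" + req.principal)
    return True

# The stack as (module, JAAS flag). SUFFICIENT success ends the stack early,
# REQUISITE failure ends it at once, REQUIRED failure fails the whole login
# but lets later modules run. The flags chosen here are assumptions.
STACK = [(evaluate_ticket, "SUFFICIENT"),
         (basic_password, "REQUISITE"),
         (create_ticket, "REQUIRED")]

def run_stack(req, current_user=None):
    # Returns the outcome the portal log would show for this request.
    if current_user is not None:                # the 'Central Checks' step
        return "LOGIN.FAILED: Call logout before login."
    overall = True
    for module, flag in STACK:
        ok = module(req)
        if ok and flag == "SUFFICIENT" and overall:
            return "LOGIN.OK"
        if not ok and flag == "REQUISITE":
            return "LOGIN.FAILED"
        if not ok and flag == "REQUIRED":
            overall = False
    return "LOGIN.OK" if overall else "LOGIN.FAILED"
```

A request carrying a valid ticket finishes at module 1 and gets no new ticket, while a password login runs all three modules; a second login while a user is still logged on is refused before any module runs, matching the "Call logout before login" entry in the log.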
