802.1x multi-domain 3560catalyst nortel ip phone ntdu92
Hello everyone!
I have 3560 catalyst ios 12.2(55)SE5
I need to authorize a PC and an IP phone on this port. VLAN 212 is the data VLAN, VLAN 500 the voice VLAN, and VLAN 111 the unauthorized VLAN with 256 kbit/sec Internet access and no local resources. The IP phone authorizes by MAB.
#sh mac address-table interface fastEthernet 0/2
212 001a.4b7b.0394 STATIC Fa0/2
500 001b.bafb.7c1c STATIC Drop
#sh running-config interface fastEthernet 0/2
interface FastEthernet0/2
switchport access vlan 212
switchport mode access
switchport voice vlan 500
authentication event fail action authorize vlan 111
authentication event no-response action authorize vlan 111
authentication host-mode multi-domain
authentication port-control auto
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x timeout supp-timeout 3
dot1x max-reauth-req 3
storm-control broadcast level 7.00 3.00
storm-control multicast level 15.00 10.00
storm-control action shutdown
no cdp enable
spanning-tree portfast
spanning-tree guard root
end
#sh logging
Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
What is necessary for the PC and the IP phone to work on the port at the same time?
Thanks for your help.
Good afternoon. Thanks for your advice. The problem was the following: I forgot to add the command
aaa authorization network default group radius
Now everything is working.
Fa0/2 001b.bafb.7c1c mab VOICE Authz Success 0A32FF15000000B6500A0895
Fa0/2 001a.4b7b.0394 dot1x DATA Authz Success 0A32FF15000000C353ADA437
Thanks to all.
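The two-MAC replace loop in the "sh logging" output above, and the healthy DATA/VOICE pair the poster showed after adding the authorization command, as an added Python example (not part of the thread and not Cisco tooling): it parses the quoted AUTHMGR lines to detect two endpoints on one multi-domain port displacing each other, and checks "show authentication sessions" rows for the expected end state. The sample lines are copied from the thread; the regular expressions are my own assumptions about the message format.

```python
"""Added example (not from the thread): detect the MACREPLACE ping-pong that a
multi-domain port shows when two endpoints keep displacing each other, and
check 'show authentication sessions' rows for the healthy end state
(one DATA and one VOICE session per port, both 'Authz Success')."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's 'sh logging' output.
SAMPLE_LOG = """\
Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
"""

# Assumed message format, derived from the quoted lines.
MACREPLACE_RE = re.compile(
    r"%AUTHMGR-5-MACREPLACE: MAC address \(([0-9a-f.]+)\) on Interface (\S+) "
    r"is replaced by MAC \(([0-9a-f.]+)\)")


def find_replace_loops(log_text):
    """Return {interface: {frozenset({macA, macB}), ...}} for every pair where
    A replaced B and, later, B replaced A on the same interface.  On a port in
    multi-domain mode the two endpoints should coexist in separate domains, so
    a loop like this means the port never held both at once."""
    seen = defaultdict(set)    # interface -> {(old_mac, new_mac)}
    loops = defaultdict(set)
    for line in log_text.splitlines():
        m = MACREPLACE_RE.search(line)
        if not m:
            continue
        old, intf, new = m.groups()
        if (new, old) in seen[intf]:
            loops[intf].add(frozenset((old, new)))
        seen[intf].add((old, new))
    return dict(loops)


# Assumed row layout of 'show authentication sessions' (header rows are skipped
# because they do not match).
SESSION_RE = re.compile(
    r"^(\S+)\s+([0-9a-f.]+)\s+(dot1x|mab)\s+(DATA|VOICE)\s+"
    r"(Authz Success|Authz Failed|Running)\s+\S+")


def mda_healthy(sessions_text):
    """True when every interface in the rows has a DATA and a VOICE session
    and both are 'Authz Success'."""
    per_intf = defaultdict(dict)
    for line in sessions_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            intf, _mac, _method, domain, status = m.groups()
            per_intf[intf][domain] = status
    return bool(per_intf) and all(
        d.get("DATA") == "Authz Success" and d.get("VOICE") == "Authz Success"
        for d in per_intf.values())


# Constructed sample: the two rows the poster showed after the fix.
SAMPLE_SESSIONS = """\
Fa0/2 001b.bafb.7c1c mab VOICE Authz Success 0A32FF15000000B6500A0895
Fa0/2 001a.4b7b.0394 dot1x DATA Authz Success 0A32FF15000000C353ADA437
"""

if __name__ == "__main__":
    print(find_replace_loops(SAMPLE_LOG))
    print(mda_healthy(SAMPLE_SESSIONS))
```

A replace loop between exactly two MACs on a multi-domain port is a useful trigger for checking whether the switch is applying RADIUS authorization at all (in this thread the fix was enabling "aaa authorization network"); without it the phone is never placed in the VOICE domain and the two endpoints simply keep replacing each other in the DATA domain.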
Similar Messages
-
I've got a unique setup I'm trying to get set up with regards to 802.1x and have run into some issues. I've got Avaya phones that I need to authenticate onto the voice VLAN that they are getting via LLDP. But I'm only using 802.1x to keep things off the voice VLAN, which is in a VRF. The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x, as these PCs are not owned by the department.
My idea was to run multi-domain as seems to be the suggestion for phone deployments and then put anything that fails authentication into the Data VLAN (30) using guest-vlan as well as authorizing them to Vlan 30 when authentication fails. It seems like authentication fail Vlan and guest Vlan cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly. Here is my current config that is not working as it's not putting the PC into Vlan 30 when authentication fails. Vlan 40 is the voice Vlan. Vlan 30 is the data Vlan.
interface GigabitEthernet1/0/1
description Test 802.1x port
switchport mode access
switchport voice vlan 40
authentication event fail action authorize vlan 30
authentication event server dead action authorize vlan 30
authentication event no-response action authorize vlan 30
authentication host-mode multi-domain
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout server-timeout 15
dot1x timeout supp-timeout 2
spanning-tree portfast
Any ideas on how I can go about achieving this?
Thanks,
Brian
Well, you can use multiple-authentication mode.
Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications to authenticate different hosts through by different methods on a single port.
Multiple-authentication mode is limited to eight authentications (hosts) per port.
Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.
VERY IMPORTANT: When a port is in multiple-authentication mode, all the VLAN assignment features, including the RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass, and the Authentication Failed VLAN do not activate.
These are the configuration commands:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?
I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low-Impact mode.
I can get a PC on its own to authenticate via dot1x/tls
I can get a Cisco IP Phone on its own to authenticate via MAB.
When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
The switchport has the LowImpact port ACL of
ip access-group ACL-DEFAULT in
The IP Phone gets a dACL that allows it ok.
I assume MAB phone and dot1x PC is supported? Any ideas?
Thanks in advance.
The ISE log detailed steps are as follows:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12501 Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client -
802.1x and MS IAS and Nortel IP phone
hi,
I have set up 802.1x with MS IAS. All seems to work fine when I am using a plain PC connection to the switch, but the moment an IP phone is involved I start facing issues.
I am using a Cisco 3750 switch with version 12.2(25)SEB4.
The DHCP server is on Windows, which is on a different network, i.e. 10.50.1.9.
The DHCP relay agent is defined on firewall subinterfaces.
All works when the phone is not involved. BTW, I am using a Nortel IP phone.
When the phone is plugged in and the cable goes through the phone, I provide the user name and credentials, and also when I say show vlan on the switch I can see I am part of the correct VLAN, but I do not get an IP address.
This is the error I get on the switch when I said debug radius:
Please find two attachments of debug dot1x events and radius.
Please help.
Regards
AI
Hi Adil,
I'm testing with a Catalyst 3560 running IOS version 12.2(44)SE2.
I have a Nortel-LG IP phone which does not have 802.1x supplicant.
I tried configuring MDA on the switchport and use MAB to authenticate the phone.
My questions:
1. In the ACS, I created a group for the IP phone and specify "device-traffic-class=voice" as the cisco-av-pair. Is this what I should be doing for a non-Cisco phone?
2. I know the phone's MAC address is 00-40-5A-17-C6-30. I created a user 00405a17c630 (password is also 00405a17c630) and assign it to the IP phone group I created above. Is this correct?
My testing wasn't successful. I got the following output:
Switch#sh dot1x int f0/48 de
Dot1x Info for FastEthernet0/48
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled
Inactivity Timeout = None
Guest-Vlan = 999
Dot1x Authenticator Client List
Domain = UNKNOWN
Supplicant = 0040.5a17.c630
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
Port Status = UNAUTHORIZED
Authentication Method = Dot1x
Domain = UNKNOWN
Port Status = UNAUTHORIZED
My switch config is as follows:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco123
radius-server source-ports 1645-1646
radius-server vsa send authentication
interface FastEthernet0/48
description *** 802.1x Test Port ***
switchport access vlan 70
switchport mode access
switchport voice vlan 71
no snmp trap link-status
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode protect
dot1x guest-vlan 999
spanning-tree portfast
In the ACS' Failed Attempts logs, I saw entries for:
User-Name = 00405a17c630
Group-Name = IP_Phone_Test_Group
Caller-ID = 00-40-5A-17-C6-30
Authen-Failure-Code = Internal error
ACS version is 4.1.
What am I missing? Please advise.
Thank you.
B.Rgds,
Lim TS -
I've been working on getting 802.1x set up. I've so far gotten WinXP clients to authenticate through our HP ProCurve switch to the NPS server using PEAP/EAP-MSCHAPv2, and to put different authorized users on different VLANs based on AD Groups, as well as unauthorized users onto a separate VLAN. Also, the switch is using the NPS server for securing management logons.
However, when I configure and plug in a Nortel phone, I can see the EAP packets going to the switch, which then sends the Access-Request message to the NPS server. On the NPS server, I can see that the NIC receives the Access-Request packet, but it never responds to it. When I compare the packet to an Access-Request packet from a WinXP client, the only differences I can see are User-Name (1), Port (5), Port-ID (87), Calling-Station-ID (31) and the EAP-Message (79), which to me are the fields that *should* be different. I can also see that the packet is coming in on the correct port (1812). Nothing gets logged in Event Viewer, nor in the NPS log (c:\windows\system32\logfiles\inDDMMYY.log).
It's my understanding that at least I should be getting an IAS_NO_POLICY_MATCH in the log, as I haven't set up a policy for it yet. Also, if I set up a dummy policy to accept all requests on all days and times, using any authentication method, I still get nothing.
The phone is set to use PEAP, but if I understand correctly, even if that was set wrong, I should at least see an Access-Challenge response packet from the server; PEAP doesn't factor in quite that early. Or do I misunderstand?
Any help would be appreciated.
Thanks for the reply.
> At the command prompt, type the following command, and then press ENTER:
> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
I had read about that previously. I had checked whether it was enabled or not, and it only had failure enabled. So following the recommendation on that page, I disabled both, then enabled both. So yes, it's currently enabled. And after this, I tried both the PC and phone again, and while I saw the PC's authentication succeed in the Event Log, I still see nothing for the phone.
> PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
Yeah, but if I understand correctly (and I'm going to read your link right after I post this), after the switch sends the initial Access-Request message in the clear, the RADIUS server should then respond with an Access-Challenge to begin securing the connection between itself and the phone, regardless of what the phone has set for its security type. If the phone can't talk in a way that the server is set to accept, then it won't respond to the Access-Challenge packet, but the server should be sending that Access-Challenge in the first place. Or is there something I've missed in the Access-Request packet that specifies what security type(s) it can handle? I thought that happened after the Access-Challenge?
> Please also provide us the type of your Nortel IP Phone, because some types of Nortel IP Phone may only support EAP-MS-CHAP v1 which is not supported by Windows 2008. We also suggest that you might post your issue on Nortel forums to ask for some more help.
I'm using a Nortel 1120e phone for testing; we also have 1140e phones that will be used with this when it's working, but they should be the same as far as this setup is concerned. I read somewhere that perhaps the Nortel phones only support PEAP-MD5, which doesn't seem to be an option in NPS without a reghack. I'm also following up with our Nortel support locally, as the phone itself and the manual for the phone only say "PEAP" without specifying what it's using inside, but right now I'm trying to determine whether the problem lies with the phone or the server or both. So I thought I'd ask the experts here.
FWIW, I've been testing using a HP ProCurve 3400cl with the latest firmware. I've managed to get the same setup on a Cisco Catalyst 3550 switch, also on its latest firmware, and I get the same results. The PCs can authenticate, the phone can't; NPS still isn't responding. -
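The Access-Request fields the poster compared (User-Name 1, NAS-Port 5, Calling-Station-Id 31, EAP-Message 79, NAS-Port-Id 87), as an added Python example that is not part of the thread and not NPS or ProCurve code: it encodes such a packet per RFC 2865, adds the Message-Authenticator attribute (80) that RFC 3579 requires on any Access-Request carrying EAP-Message, and performs the server-side check. RFC 3579 says a server whose recomputed Message-Authenticator does not match must silently discard the packet, which is one reason a RADIUS server can receive a request and never answer; the example does not claim that is the cause in the thread. The shared secret, port numbers and attribute values are constructed.

```python
"""Added example (not from the thread): build a RADIUS Access-Request that
carries EAP-Message and Message-Authenticator, then verify it the way a
RADIUS server does (RFC 2865 packet layout, RFC 3579 section 3.2 HMAC-MD5)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 79, 80, 87


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts itself."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, ident, request_auth, attrs):
    """Return the packet bytes.  Message-Authenticator is first appended as 16
    zero bytes, HMAC-MD5 over the whole packet is taken with the shared secret
    as key, and the digest replaces the zeros."""
    body = b"".join(attr(t, v) for t, v in attrs)
    body_with_ma = body + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body_with_ma))
    header += request_auth                      # 16 random bytes from the NAS
    mac = hmac.new(secret, header + body_with_ma, hashlib.md5).digest()
    return header + body + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the MA value zeroed.  A
    request that fails this check is silently discarded, so a wrong shared
    secret looks exactly like 'the server never responds'."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False   # EAP-Message without Message-Authenticator: reject


# Constructed sample values.  The EAP payload is an EAP-Response/Identity:
# code 2, id 1, length 11, type 1 (Identity), identity "phone1".
SECRET = b"example-shared-secret"
EAP_RESPONSE_IDENTITY = b"\x02\x01\x00\x0b\x01phone1"
SAMPLE_ATTRS = [
    (USER_NAME, b"phone1"),
    (NAS_PORT, struct.pack("!I", 3)),
    (NAS_PORT_ID, b"Fa0/3"),
    (CALLING_STATION_ID, b"00-40-5A-17-C6-30"),
    (EAP_MESSAGE, EAP_RESPONSE_IDENTITY),
]


def demo(secret=SECRET, wrong_secret=b"typo-on-the-server"):
    """(verified with the right secret, verified with a wrong secret)."""
    pkt = build_access_request(secret, 7, os.urandom(16), SAMPLE_ATTRS)
    return (verify_message_authenticator(secret, pkt),
            verify_message_authenticator(wrong_secret, pkt))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

When a RADIUS server stays silent, comparing the attributes of a working and a non-working request (as the poster did) rules out policy matching, but it does not rule out the two silent-discard cases: a shared secret that differs between the NAS entry and the switch, or an Access-Request whose Message-Authenticator fails verification. Both are checked before any policy is evaluated and, per RFC 3579, produce no reply at all.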
Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize their access by dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch and the telephone connected to another port of the dumb switch. Logically it is the same situation, as there is a separation into two domains – DATA and VOICE. Below is the output of show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded with such a configuration, and if yes, I would love to get some help in doing so.
Thank you
Stoimen Hristov
Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
Difference between 802.1x multi-host and 802.1x multi-auth
Hi,
This is a bit confusing for me. Does someone have an easy explanation?
What I understand and looked up for the moment (correct me if I'm wrong):
802.1x multi-host: Good for an AP or a phone setup. The port becomes authorized as soon as one client is authenticated, in this situation the AP or the phone. Afterwards PCs have access without any further 802.1x action.
802.1x multi-auth: Multiple devices are allowed to independently authenticate through the same port. More secure? Is this good for next setup: I have a 802.1x port on the managed 24p switch, but the customer decides to plug in a non-managed 8p cheap switch on his desk where different pc's will be plugged in. So I have a 802.1x port on the Cisco switch connected to a non-managed 8p switch. I suppose 802.1x multi-host configuration is not a secure option here.
I don't know if I am clear enough. Don't hesitate to ask if not.
Thanks for your reply.
You are right with your understanding.
Multi-Host is a valid solution if a power-user for example is using many VMs on his PC. After authenticating initially, all VMs can communicate with the network.
Multi-Auth is more secure because each MAC address accessing the network is controlled.
A very good overview on 802.1x and the configuration can be found on the Cisco IOS Quick Reference Guide for IBNS. -
Multi-Domain LDAP UME configuration
Hello
We have EP 7.0 installed and want to connect the UME to our Corporate
LDAP (MSADS) as data source.
Our ADS is as follows:
domain.pt – This is our top level domain. Here we have our main users.
Gs.domain.pt – This is a child domain of ren.pt. Here are some special users that cannot be moved to the domain.pt level (because of this we have to use a multi-domain configuration).
According to some documents (Step 2 of Note 762419 - Multi-Domain Logon Using Microsoft Active Directory), this configuration has to be done according to a Multiple-Domain UME LDAP Configuration.
Following is my configuration of LDAP access:
I have set the “UME LDAP Data” in Config Tool to point to the “dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml” configuration file, which has previously been changed by me following the documents above. The XML is at the end of the message.
Also in the “UME LDAP Data” (Directory Server) I have defined the following settings:
Server Name: dc01.domain.pt (This is the DC of domain.pt)
Server port: 389
User: j2ee-pp3 @domain.pt
Pass: ******* (ok on all configuration tests and authentication)
SSL: NO.
User Path: DC=domain,DC=pt
Group Path: DC=domain,DC=pt
Checked the “Flat User Group Hierarchy”.
Checked the “Use UME Unique id with unique LDAP Attribute”.
At “Additional LDAP Properties” I have set the properties ume.ldap.unique_user_attribute(global) and ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was done according to the Multi-Domain configuration.
Also ume.ldap.access.multidomain.enabled=true was set in the property sheet of the UME service. After this all checks are ok, including in User Administration in the Portal.
Conclusion: We have no problem with SSO and search capabilities at the “domain.pt” level. All users of this domain are able to access the portal with SSO.
Nevertheless, no user from “gs.domain.pt” is able to log on. Additionally, using User Administration in the Portal with the option “All Data Sources” returns no results when searching for users from this child domain. It seems the configuration file does not recognize gs.domain.pt.
Is it possible that our XML file is incorrectly adapted? Is there any missing or wrong configuration for multi-domain LDAP access? Please advise.
Thanks in advance
dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
<!DOCTYPE dataSources SYSTEM "dataSourceConfiguration.dtd">
<dataSources>
<dataSource id="PRIVATE_DATASOURCE"
className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
isReadonly="false"
isPrimary="true">
<homeFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</homeFor>
<notHomeFor/>
<responsibleFor>
<principals>
<principal type="group"/>
<principal type="user"/>
<principal type="account"/>
<principal type="team"/>
<principal type="ROOT" />
<principal type="OOOO" />
</principals>
</responsibleFor>
<privateSection>
</privateSection>
</dataSource>
<dataSource id="CORP_LDAP"
className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
isReadonly="true"
isPrimary="true">
<homeFor/>
<responsibleFor>
<principal type="account">
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="j_user"/>
<attribute name="j_password"/>
<attribute name="userid"/>
<attribute name="logonalias"/>
</attributes>
</nameSpace>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname" populateInitially="true"/>
<attribute name="displayname" populateInitially="true"/>
<attribute name="lastname" populateInitially="true"/>
<attribute name="fax"/>
<attribute name="email" populateInitially="true"/>
<attribute name="email"/>
<attribute name="title"/>
<attribute name="department"/>
<attribute name="description"/>
<attribute name="mobile"/>
<attribute name="telephone"/>
<attribute name="streetaddress"/>
<attribute name="uniquename" populateInitially="true"/>
<attribute name="krb5principalname"/>
<attribute name="kpnprefix"/>
<attribute name="dn"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname" populateInitially="true"/>
<attribute name="description" populateInitially="true"/>
<attribute name="uniquename"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn"/>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</responsibleFor>
<attributeMapping>
<principals>
<principal type="account">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="domain_j_user">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="j_user">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="logonalias">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="j_password">
<physicalAttribute name="unicodepwd"/>
</attribute>
<attribute name="userid">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="user">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="firstname">
<physicalAttribute name="givenname"/>
</attribute>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="lastname">
<physicalAttribute name="sn"/>
</attribute>
<attribute name="fax">
<physicalAttribute name="facsimiletelephonenumber"/>
</attribute>
<attribute name="uniquename">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="loginid">
<physicalAttribute name="null"/>
</attribute>
<attribute name="email">
<physicalAttribute name="mail"/>
</attribute>
<attribute name="mobile">
<physicalAttribute name="mobile"/>
</attribute>
<attribute name="telephone">
<physicalAttribute name="telephonenumber"/>
</attribute>
<attribute name="department">
<physicalAttribute name="ou"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="streetaddress">
<physicalAttribute name="postaladdress"/>
</attribute>
<attribute name="pobox">
<physicalAttribute name="postofficebox"/>
</attribute>
<attribute name="krb5principalname">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
<physicalAttribute name="distinguishedname"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="$usermapping$">
<attributes>
<attribute name="REFERENCE_SYSTEM_USER">
<physicalAttribute name="sapusername"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
<principal type="group">
<nameSpaces>
<nameSpace name="com.sap.security.core.usermanagement">
<attributes>
<attribute name="displayname">
<physicalAttribute name="displayname"/>
</attribute>
<attribute name="description">
<physicalAttribute name="description"/>
</attribute>
<attribute name="uniquename" populateInitially="true">
<physicalAttribute name="ou"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.usermanagement.relation">
<attributes>
<attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
<attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
<nameSpace name="com.sap.security.core.bridge">
<attributes>
<attribute name="dn">
<physicalAttribute name="null"/>
</attribute>
</attributes>
</nameSpace>
</nameSpaces>
</principal>
</principals>
</attributeMapping>
<privateSection>
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
<ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
<ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
<ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
<ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
<ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
<ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
<ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
<ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
<ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
<ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
<ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
<ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
<ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
<ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
<ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
<ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
<ume.ldap.access.domain_mapping>
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
</ume.ldap.access.domain_mapping>
</privateSection>
</dataSource>
</dataSources>
Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM
Hi Gaetano
I tried to set back the "uniqueid" in the XML to samaccountname.
Also, I changed the SPNEGO to go only to domain.pt (gs.domain.pt is a child domain).
In the first tests this worked perfectly, but we still have to do some testing with this config.
When I get confirmation, I'll reply here.
Thank you.
PS: we thought of defining the ABAP user for each user, but there are a lot of users...
We'll try this config, and if it doesn't work, that's probably what we'll do.
Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
Everything seems to be working now. Setting back the uniqueid to samaccountname and configuring SPNEGO to go to only one domain solved the issue.
I just need to test which change did the trick.
Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM
-
Shared Services: Multi-domain MSAD based configuration issue
Hello to All,
Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D.
My actual configuration is based on the domain X and provides some MSAD users groups in D user directory.
But I need to provision another user that belongs to another AD in a foreign domain Y.
A trusted relationship (approbation relationship) has been created between the two domains X and Y.
Is this kind of multi-domain configuration allowed in Shared Services?
If yes, how can I configure this?
OS: Solaris
Hyperion Shared Services 9.3.1
Thanks in advance for your help
There are a couple of ways:
1) Add a new provider in Shared Services
2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
Regards,
John A. Booth
http://www.metavero.com -
802.1x problem with non-Cisco IP Phone, VVID enabled.
I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
interface FastEthernet1/0/2
switchport access vlan 1
switchport mode access
switchport voice vlan 2
dot1x pae authenticator
dot1x port-control auto
no mdix auto
spanning-tree portfast
end
Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
Thanks.
Yes it does.
Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
I was hoping this was a quick and easy Cisco configuration error... oh well.
-
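The 802.1x thread above ends with a phone that only speaks EAP-MD5 facing a RADIUS server set up for PEAP/EAP-TTLS. As an added illustration (not code from the post), this constructed Python simulation walks through RFC 3748 method negotiation: the server proposes a method, a peer that cannot do it answers with a Legacy NAK listing what it supports, and if the server has nothing in common the exchange ends in EAP-Failure and the port stays Unauthorized.

```python
# Constructed model of EAP method negotiation (RFC 3748, section 5.3).
# Added example, not code from the forum thread; type numbers are the IANA
# EAP method types, the message flow is simplified to the method selection.

EAP_MD5 = 4     # EAP-MD5-Challenge: what the phone in the thread supports
EAP_TTLS = 21
EAP_PEAP = 25

def peer_response(proposed, supported):
    """Peer either takes the proposed method or sends a Legacy NAK (type 3)
    carrying the list of methods it is willing to use."""
    if proposed in supported:
        return ("RESPONSE", proposed)
    return ("NAK", sorted(supported))

def negotiate(server_methods, peer_methods, max_rounds=4):
    """Drive the exchange until a method is agreed or the server gives up.
    Returns (outcome, transcript); outcome is "SUCCESS" when both sides agree
    on a method (the method-specific conversation would then follow) and
    "FAILURE" when the server sends EAP-Failure."""
    pending = list(server_methods)          # server preference order
    transcript = []
    for _ in range(max_rounds):
        if not pending:
            transcript.append("server -> peer: EAP-Failure (no common method)")
            return ("FAILURE", transcript)
        proposed = pending.pop(0)
        transcript.append(f"server -> peer: EAP-Request, type {proposed}")
        kind, payload = peer_response(proposed, set(peer_methods))
        if kind == "RESPONSE":
            transcript.append(f"peer -> server: EAP-Response, type {payload}")
            return ("SUCCESS", transcript)
        transcript.append(f"peer -> server: Legacy NAK, wants {payload}")
        # After a NAK the server only re-proposes methods the peer asked for.
        pending = [m for m in pending if m in payload]
    transcript.append("server -> peer: EAP-Failure (rounds exhausted)")
    return ("FAILURE", transcript)

if __name__ == "__main__":
    # A PEAP/EAP-TTLS only RADIUS server against an EAP-MD5 only phone.
    outcome, lines = negotiate([EAP_PEAP, EAP_TTLS], {EAP_MD5})
    print("\n".join(lines), "=>", outcome)
    # The same phone once the server is also allowed to offer EAP-MD5.
    outcome, lines = negotiate([EAP_PEAP, EAP_TTLS, EAP_MD5], {EAP_MD5})
    print("\n".join(lines), "=>", outcome)
```

The first run reproduces the "Unauthorized" port from the question; the second shows why the answer's hope that the RADIUS server can serve EAP-MD5 alongside PEAP is the decisive point.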
Multi domains handling.
There have been many posts regarding domain.sites splitting and how to handle multiple domains.
First you need to split your domain.sites package, courtesy of Mark:
http://web.mac.com/mark8heaton/iWeb/DomainSeparation/SiteSeparation.html
What about handling multi-domain?
Make a master folder, and make sub-folders within this master folder to keep the (split) domain.sites, then place the master folder in your Dock, i.e.:
http://www.geocities.com/[email protected]/images/domains.jpg
You can access your domain.sites at any time from the Dock.
What about making new domain.sites?
You can force iWeb to create a new domain.sites with a shell script (Unix) or AppleScript; notice the second item in domains.jpg.
The _New Domain script forces iWeb to create a new domain.sites package in the folder you specify, as in this dialog box:
http://www.geocities.com/[email protected]/images/newDomain.jpg
There is no need for a third-party application. Everything you see/need is free and bundled with every Mac.
Vark,
Weird as heck, but it does happen. I've had it happen to me a few times and I've had a number of emails from others that have experienced the same thing; enough to make me warn everyone about it. Funny, when I try to replicate the problem I'm unable to; seems to strike at random.
Weird stuff!!! I believe it, just think it is extremely bizarre.
-
I am planning to install BOE XI 3.1 on a Windows server. It is a multi-domain environment, so what are the important things I need to concentrate on, for example opening up the firewall, etc.
Are there any documents available for this? Please guide.
Multi-domain is not much of an issue; by default any domain joined to a single forest is automatically trusted bi-directionally. The only snags sometimes are with DNS. We have a KB (search usefqdnfordirectoryservers) that will take care of that.
I don't know why you would firewall off your domains if they are joined in the same forest, this would prevent basic microsoft services from running as well. Another rule of thumb is that BOE simply runs on top of Microsoft and uses Microsoft API calls. If it works in Microsoft then we should be ok.
Now if you are using multiple forests then we have a KB on that as well (search multiple forests zie). In that case the forests must have a 2-way forest trust, be 2003 or above functional level, and basically act as 1 forest to our product. The rule here is if you don't trust a forest then BO will either not be able to query it or allow logins from it, as we again use Microsoft API calls which require these things to be in place.
KB's can be searched in service market place. Also see KB 1261835 for setting up SSO on java.
Regards,
Tim -
Java and multi-domain certificates
Hi, I tried using a so-called MDC or multi-domain certificate with my Java application, but when connecting with a web browser I get the following error in Firefox (Internet Explorer gives a similar error but provides less info):
"The certificate is only valid for www.somedomain.com%2Csub1.somedomain.com%2Csub2.somedomain.com%2C"
I assume the %2C should be commas or at least have been interpreted as commas.
My question: was this certificate created wrong, or does Java not support this type of certificate?
I doubt it is a Java issue. If your SSL handshake is reaching the stage where the server sends its certificate to your browser, then the server is already satisfied with its own certificate. I doubt the server pays much attention to the subject name or any of the subject alternative names of its own certificate. And the server cannot change any of the fields of this certificate, so what it is sending the browser is exactly what you got back from the CA.
You say you did not create the certificate, but you almost certainly created almost all the fields of the certificate by creating something called a certificate signing request. This is what you give to the CA. The CA uses this to populate the fields of a certificate that it signs and gives back to you.
-
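The certificate thread above shows what happens when several hostnames are packed into one Common Name. As an added example (not the poster's code, and not what Java does internally), here is the RFC 6125-style name check a browser applies, in Python, run over two constructed certificates in the dict layout of ssl.SSLSocket.getpeercert(): one with the three names comma-joined into the CN as in the question, one with one dNSName per host in subjectAltName.

```python
# Added example: the hostname check a TLS client applies to a server
# certificate (RFC 6125 style). subjectAltName dNSName entries are
# authoritative; the Common Name is only a fallback when there are none, and
# it is matched as ONE name, never split on commas.
# Certificates use the dict layout of ssl.SSLSocket.getpeercert().

def dns_names(cert):
    """Names a client may match against: SAN dNSNames, else the bare CN."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]          # taken verbatim, commas and all
    return []

def match_one(pattern, hostname):
    """Case-insensitive label match with one left-most wildcard label."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":                      # '*.example.com', never bare '*'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def match_hostname(cert, hostname):
    """True when any certificate name covers the requested hostname."""
    return any(match_one(n, hostname) for n in dns_names(cert))

# Constructed: the shape behind the question - three hosts joined by commas in
# the CN and no subjectAltName. The CA signs the CN verbatim; the browser
# shows the commas URL-encoded as %2C and matches none of the hosts.
BAD_CERT = {
    "subject": ((("commonName",
                  "www.somedomain.com,sub1.somedomain.com,sub2.somedomain.com"),),),
}

# Constructed: a correctly built multi-domain (SAN) certificate.
GOOD_CERT = {
    "subject": ((("commonName", "www.somedomain.com"),),),
    "subjectAltName": (("DNS", "www.somedomain.com"),
                       ("DNS", "sub1.somedomain.com"),
                       ("DNS", "sub2.somedomain.com")),
}
```

The fix lives in the CSR: one CN plus a subjectAltName extension listing each host, which is what the GOOD_CERT shape represents.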
Zimbra Multi Domain SMTP auth/relay problem
I have a query about setting up a multi-domain Zimbra 8.6 OSE on Ubuntu 14.04. I have successfully set up Domain1 with Zimbra and added virtual host Domain2. Mail to each of them is routing to each other and sending from the server to outside is also working. However, I need both domains to send emails using their respective ISP, so domain1 would use ISP1 and domain2 ISP2. In my previous implementation, I have successfully used "zimbraMtaRelayHost" for a single domain. Searching more, I have tried the "Relay per Domain" using "sender_dependent_relayhost_maps". I am, however, still unable to send mail using Zimbra. I have, on instinct, put in the port after the IP address of the ISPs in /opt/zimbra/postfix/conf/bysender so it looks like the one below (based on the wiki):
@domain1.com [10.10.10.1]:587
@domain2.com [20.20.20.1]:587
Zimbra now...
This topic first appeared in the Spiceworks Community
Microsoft releases new license terms for Windows 10: Biggest surprise? No gotchas
Ed Bott has just published an article on ZDNet which reviews in detail the just-released Windows 10 license agreement.
First published on ZDNet By Ed Bott for The Ed Bott Report | July 15, 2015 -- 18:30 GMT (19:30 BST) | Topic: Windows 10
"Two weeks ahead of the global launch of Windows 10, Microsoft has finalized the terms of its license agreements for the new operating system. I've had several days to study the documents in detail, and I can report that there are no surprises, no gotchas, and no hidden subscription traps waiting to be sprung in two or three or four years."
"In fact, the new license agreement is simpler and written more clearly than any similar document I've reviewed in 20 years of examining Windows license agreements. There are a few...
-
I've just successfully implemented multisite Server 2012 R2 DirectAccess in a child domain of a global company with numerous sub-domains. I'd like to limit the scope of the auto-discovery of management servers in 2012 R2 DA. Is anyone aware of any way of doing this?
During the default initial configuration of DirectAccess, auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.
This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical", leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.
The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.
I looked into using the Remove-DAMgmtServer PowerShell cmdlet; however, this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
Also, the child domain DCs don't actually appear in the management servers list.
Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization that has a multi-domain forest. He had no choice but to open network flows to have at least one domain controller per domain in the forest.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx