AAA acs 4.1 to generic ldap

Hi there
We've installed ACS 4.1 to use it for network access authentication (switches, routers) via RADIUS (IETF).
I set up ACS with generic LDAP to verify users from MS Active Directory.
Everything works well :-)
But how do I configure LDAPS under Cisco ACS?
Thanks for the help

Hi BB,
Please ensure the cert is installed correctly. Did you generate the cert7.db file?
How to generate the "cert7.db" file:
1. Set up the LDAP server with a certificate.
2. Install Netscape 4.x (this creates the cert7.db file, which is just a database of certs).
3. Browse to https://servername:636 with the Netscape browser.
4. Install the certificate, selecting the option "accept this certificate forever".
5. Copy the cert7.db file to another directory (like the ACS folder).
The default location of the cert7.db file is C:\Program Files\Netscape\Users\default
6. Now just enter the path to the cert7.db file in the "Certificate DB Path" field in the configuration for your LDAP DB in ACS.
Also let me know if you are using ACS for Windows or the ACS appliance, as we might need to look at the detailed logs.
Regards,
~JG
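The cert7.db step above exists because ACS will only trust an LDAPS server whose certificate chains to a CA held in that database; without it the session is encrypted but the server is not authenticated. As an added illustration of that same client-side check outside ACS (not code from the thread or from Cisco), the following Python shows the weak setting next to the hardened one with the standard library; `probe_ldaps_server` is assumed to be pointed at a hypothetical directory host and needs network access.

```python
"""Added example, not code from the thread or from Cisco: the client-side
checks that the cert7.db step gives ACS, shown with the Python standard
library. ACS consults the certificate database only to decide whether the
LDAPS server's certificate chains to a CA it trusts; any LDAPS client needs
that chain check plus a hostname check. probe_ldaps_server is assumed to be
pointed at a hypothetical directory host and needs network access."""
import socket
import ssl
from typing import Optional


def insecure_ldaps_context() -> ssl.SSLContext:
    """The 'it connects, so it works' setting: the session is encrypted but
    any certificate is accepted, which is what omitting the trust store buys.
    Whoever can intercept traffic to port 636 can then read the bind password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_ldaps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to the CA bundle (or the OS store when cafile is None)
    and a certificate name that matches the host being dialled; refuse TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects an untrusted or mis-named server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context will negotiate, by name."""
    return ctx.minimum_version.name


def probe_ldaps_server(host: str, port: int = 636,
                       cafile: Optional[str] = None) -> dict:
    """Open a TLS session to host:port the way a hardened client would and
    return the validated peer certificate's subject CN, DNS SANs and expiry.
    Raises ssl.SSLCertVerificationError when the chain or the name does not
    verify, so a misconfigured trust store fails loudly instead of silently."""
    ctx = hardened_ldaps_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {
        "subject_cn": subject.get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": cert["notAfter"],
    }


if __name__ == "__main__":
    # Hypothetical host and CA bundle path; replace with your own before running.
    print(probe_ldaps_server("ldap.example.invalid", cafile="/path/to/ca-bundle.pem"))
```

The point of the contrast is the one the cert7.db steps encode: a TLS client that does not verify the chain and the name provides confidentiality against passive observers only, and an LDAPS bind sends the ACS admin DN's password inside that session.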

Similar Messages

  • Secure wireless and generic ldap

    Hi All,
    I'm looking into setting up a secure wireless network and can't seem to find a good fit with the environment we have.
    Environment:
    WLC's
    ACS 4.1
    Generic ldap
    95% of laptops use built in Windows XP(SP3) configuration tool.
    I can get everything working fine with Dell Wireless Utility or Intel utility in XP, Vista built in or 3rd party client but I CAN'T seem to get Windows XP built in client to work with anything.
    I read the EAP Authentication Protocol and User Database Compatibility document and found out that I can use EAP-GTC, EAP-FAST phase 2 and EAP-TLS.
    I'm looking into the most seamless way for our users to connect and taking "20 minutes" to configure their network card isn't a really good option.
    Any ideas or suggestion (something I'm missing) would be greatly appreciated.
    Craig

    Hi. I am currently running a whole mix of clients with regards to WPA security. I have most of the laptops on their respective ccx supplicant / utility. However I do have users that run the WZC service from XP. I am not at SP3, but rather SP2 for most of the machines. I'm using PEAP (MSCHAPv2) and it works well in the SP2 environment. I did notice some issues running WZC on Vista with the new Intel N cards and early release drivers, but I didn't get a chance to try the updated versions to see if it would solve the problem. I'm running the Funk OAS radius server and the Microsoft IAS service. The problem with XP and WZC is the lack of EAP types supported. I lucked out because PEAP MSCHAPv2 is natively supported. I'm 99.9 percent positive that WZC under XP does not support LEAP and EAP-FAST since they are Cisco. So, unfortunately in order to get those clients going with WPA Enterprise security you're going to have to install the client card utility or have them run a different EAP type config.

  • ACS can not access ADS-LDAP starting from "DC=..."

    Hi
    I have an ACS v4.2 from which I try to access an ADS LDAP directory. When I use "CN=Users,DC=Domain,DC=com" as the baseDN for the users and the groups, everything works as it should. When I change the base DN to "DC=Domain,DC=com" only, the ACS is not able to find any users or groups. Even when trying to configure the group mappings it claims: "LDAP Server NOT reachable. Please check the configuration.". Using an LDAP browser I don't have any issues accessing the directory from the shorter baseDN.
    Is this a v4.2-related problem or a general ACS problem?
    The point is that I need to find users in different OUs, which are based directly under the domain name, so I need to search for them starting from "DC=Domain,DC=com". I know that with "Generic LDAP" I can make several "Database Configurations" to resolve the issue with the OUs. But not with an "RSA SecurID Token and LDAP Group Mapping" setup. There it is only possible to have one LDAP group mapping configuration.
    Any input would be greatly appreciated.

    Hi
    We invested a lot of time together with TAC and development. Short answer: no, it's not solved. It was an ACS bug. But development didn't really understand the problem. We went ahead and restructured the ADS.
    The problem we had is that the LDAP directory of a Windows domain is not fully accessible, even if you connect as a Domain Administrator or to the Global Catalog. :-) And that's where the ACS fails. LDAP browsers just read over the inaccessible parts of an LDAP directory and show you all the accessible parts. ACS doesn't. It stops and reports the failure. You can see that clearly when sniffing the access of the ACS and the LDAP browser to the directory. Unfortunately the inaccessible part is at the beginning of the ADS LDAP directory. :-(
    Maybe they have resolved the problem nowadays. Or if you have a Windows guru who can help you in making the directory fully accessible, I would be interested in the how-to.
    I wish you best luck with your issue.
    Kind regards
    Roberto

  • How do I use Generic LDAP Authentication in JDeveloper?

    I have an existing JSP/Java Servlet application that uses a generic LDAP server for user authentication. Each JSP page checks the user name against a database entry for authorization to that page (it’s a legacy app).
    The following web.xml fragment describes the
    security/login configuration:
    <security-constraint>
    <display-name>I Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>ALL</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>I</description>
    <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>I Enterprise Server</realm-name>
    </login-config>
    I want to use JDeveloper and the built-in OC4J environment for development/debugging. I have tried configuring jazn.xml to use a LDAP provider (both in **\j2ee\home\config\ and **\jdev\system9.0.3.1035\oc4j-config\)
    1) How do I configure the internal OC4J environment to use the generic LDAP service?
    2) Does the JAZN LDAP only work with Oracle OID?
    3) Is there a document or list-of-documents that consolidates the JDeveloper OC4J server administration functions? The existing OC4J administrative documentation is splattered about various web documents.
    Thanks
    Jake

    Todd,
    This how-to may help answer some of your questions
    http://otn.oracle.com/tech/java/oc4j/htdocs/how-to-jazn.html
    If you have additional questions on configuring jazn.xml for LDAP and OiD, I think your best bet is post to 9iAS J2EE forum.
    Thanks,
    Yvonne

  • NDS error: duplicate value (-614) on Generic LDAP Export to NetIQ eDirectory

    Dear community,
    using the Generic LDAP Agent, the latest eDirectory (8.8.SP8 (20806.01)) and FIM Version (4.1.3627.0), I encounter the following problem in very special situations (namely when the value in eDirectory only differs from the FIM value by different upper/lower case letters):
    NDS error: duplicate value (-614)
    DirectoryOperationException: (0) 0 Server Message: The attribute exists or the value has been assigned.

    I don't see that as a problem, when it is in fact doing string comparison. You may need to write an advanced flow rule to simply say something like this
    C# snippet (if not equal, case does not matter):
    // compare the two attribute values ignoring case and only export when they really differ
    if (!string.Equals(csentry["co"].Value, mventry["co"].Value, StringComparison.OrdinalIgnoreCase))
        csentry["co"].Value = mventry["co"].Value;
    Nosh Mernacaj, Identity Management Specialist

  • Multiple Filters in a Generic ldap Search.

    Hi all,
    I'm involved in developing a generic LDAP search utility. I would like to know if there is a provision to give multiple filters while searching the LDAP.
    The scenario is like this:
    if I give the search criteria as java ldapSearch "empid=111*" I will get a series of results.
    WHAT I WANT:
    Will I be able to specify something like empid=11* and lastname=xxx*?
    Any pointers on this would be of tremendous help.
    Anticipating a reply.
    Regards,
    Sathya Sayee.S

    You can use | as the 'or' condition. For example the condition
    sn=foo and (email=[email protected] or email=[email protected])
    is written
    (&(sn=foo)(|(email=[email protected])(email=[email protected])))
    The operators are:
    AND : &
    OR : |
    NOT : !
    The notation works like HP calculator notation (the operator comes first, then its operands).
    Simon Pierre NOLIN
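Filters in this prefix notation are easy to get wrong by hand (a missing closing parenthesis is the usual mistake), so as an added example, not code from the thread, here is a small Python evaluator for filters written this way (RFC 4515), run over a few constructed directory entries. Two simplifications are assumptions of this example, not directory behaviour in general: every attribute is compared case-insensitively, as caseIgnoreMatch does for cn, sn and mail in most directories, and `>=` / `<=` compare values as strings.

```python
"""Added example (not from the thread): a small evaluator for LDAP search filters
written in the prefix notation described above (RFC 4515), run over a few
constructed directory entries. Two stated simplifications: every attribute is
compared case-insensitively, as caseIgnoreMatch does for cn, sn and mail in
most directories, and >= / <= compare values as strings."""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample entries; none of this comes from a real directory.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["cn=foo1,ou=people,dc=example,dc=com"], "sn": ["foo"],
     "email": ["foo1@example.com"], "empid": ["1101"]},
    {"dn": ["cn=foo2,ou=people,dc=example,dc=com"], "sn": ["Foo"],
     "email": ["foo2@example.com"], "empid": ["1117"]},
    {"dn": ["cn=bar,ou=people,dc=example,dc=com"], "sn": ["bar"],
     "email": ["foo1@example.com"], "empid": ["2201"]},
]

# attribute, comparison operator, assertion value ('*' inside the value is a wildcard)
_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)$", re.S)


def parse_filter(text: str):
    """Parse a filter string into a tuple tree; the whole input must be consumed.
    Raises ValueError on unbalanced parentheses or a malformed item."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _skip_spaces(s: str, i: int) -> int:
    while i < len(s) and s[i] == " ":   # the post writes spaces between items; allow them
        i += 1
    return i


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip_spaces(s, i + 1)
    if i < len(s) and s[i] in "&|!":            # prefix operator, then its operands
        op, i, children = s[i], i + 1, []
        while True:
            i = _skip_spaces(s, i)
            if i >= len(s):
                raise ValueError("unterminated filter: missing ')'")
            if s[i] == ")":
                break
            child, i = _parse(s, i)
            children.append(child)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)                         # simple item: attr op value
    if end < 0:
        raise ValueError("unterminated item: missing ')'")
    m = _ITEM.match(s[i:end].strip())
    if not m:
        raise ValueError(f"malformed item {s[i:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1


def _wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.S) is not None


def matches(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, value = node
    value = value.lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if op == "=":
        if value == "*":                         # presence test: (attr=*)
            return bool(values)
        return any(_wildcard_match(value, v) for v in values)
    if op == ">=":
        return any(v >= value for v in values)
    if op == "<=":
        return any(v <= value for v in values)
    return value in values                       # '~=' treated as plain equality


def search(filter_text: str, entries: List[Entry] = SAMPLE_ENTRIES) -> List[str]:
    """Return the DNs of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]


def is_well_formed(filter_text: str) -> bool:
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The AND/OR example from the post, with constructed addresses filled in
    print(search("(&(sn=foo)(|(email=foo1@example.com)(email=foo2@example.com)))"))
    # The question's own case: employee-id prefix AND surname prefix
    print(search("(&(empid=11*)(sn=foo*))"))
```

The parser insists on consuming the whole string, so a filter that is one `)` short is rejected instead of being silently truncated; a real directory server returns a protocol error for the same input. The case-insensitive comparison is also why the eDirectory "duplicate value (-614)" case earlier on this page arises: to the directory, two values that differ only in case are the same value.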

  • Generic LDAP Connector used against AD

    I am trying to use the generic LDAP connector to provision to a development AD. The only port available is 389 so the AD MA cannot be used because it requires 88 for Kerberos. 
    The generic LDAP hangs during configuration after the Configure Anchors screen.  The release notes say that it will work against 3389 on a GC.
    Is there some special set of choices to configure this to connect to Active Directory?
    Randy

    I let the process run for about an hour and the MA create wizard moved to the next step. It took about an hour on the last property panel of the create wizard as well. The configuration was limited to just the Users container and only the user object type
    and only a handful of attributes.
    Randy

  • Generic LDAP Connector

    Hi,
    do we have in OIM something like a Generic LDAP connector to connect to LDAPs like OpenLDAP?
    Thanks.

    The traditional solution to your problem is to take the "Sun Java System Directory" connector and customize it. All the LDAP based connectors are based on JNDI so they will work fine with any LDAP v3 server.
    I seem to remember that there was some talk of LDAP support in the generic technology connector framework but it doesn't look like the support is there in 9.1.
    Best regards
    /M

  • CS-Mars and AAA ACS - fail

    I am trying to set up CS-Mars for AAA with Cisco ACS.
    I set up MARS with RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) and shared secret 1234.
    Cisco ACS hostname: cis04ba1
    CS-Mars hostname: mars01ba1
    I got these error logs in Failed Attempts:
    Viewing CSV File
    Date Time Message-Type User-Name Group-Name Caller-ID Network  Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter  Information PEAP/EAP-FAST-Clear-Name EAP  Type EAP  Type Name Reason Access  Device Network  Device Group AAA  Server Cisco:PA:PA-Name Cisco:PA:PA-Version Cisco:PA:OS-Type Cisco:PA:OS-Version Cisco:PA:OS-Release Cisco:PA:Kernel-Version Cisco:PA:Machine-Posture-State Cisco:Host:ServicePacks Cisco:Host:HotFixes Cisco:Host:HostFQDN Cisco:Host:Package cisco-av-pair Cisco:HIP:CSAVersion Cisco:HIP:CSAOperationalState Cisco:HIP:CSAMCName Cisco:HIP:CSAStates Cisco:HIP:DaysSinceLastSuccessfulPoll NAI:AV:Software-Name NAI:AV:Software-ID NAI:AV:Software-Version NAI:AV:Scan-Engine-Version NAI:AV:Dat-Version NAI:AV:Dat-Date NAI:AV:Protection-Enabled Trend:AV:Software-Name Trend:AV:Software-ID Trend:AV:Software-Version Trend:AV:Scan-Engine-Version Trend:AV:Dat-Version Trend:AV:Dat-Date Trend:AV:Protection-Enabled
    27/11/2009,08:42:02,Authen failed,test,Administrator,(Default),External DB user invalid or bad password,test,10.1.20.100,mars01ba1,Diverse,CIS04BA1
    I have tried setting CS-Mars to RADIUS (IETF); this is the same.
    But why is there a user with username test?
    I uploaded a pdf file with screenshots.

    Not sure which resources you used to configure this, but this looks like Cisco ACS server, so "Generic AAA server" will cause us to parse logs from this device wrong on MARS.
    Follow this guide to add the ACS server to MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp914530
    There is also a section in here on bootstrapping your ACS for MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp914530
    Make sure you have done both the above. You might even want to start over with everything you have done thus far.
    -Elly

  • EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

    Hello all,
    I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
    His intended network plan is to use Vista laptops doing machine authentication only towards an ACS server integrated with a non-Microsoft LDAP server. The mechanism of choice is EAP-TLS.
    We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
    The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
    When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
    All of this appears to be successful the first time.
    If we disassociate the machine, the problems start. The accounting STOP message is never sent.
    Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
    Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
    My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
    If someone can give me a pointer on how to make this work, or tell me if I'm hitting a bug in ACS.
    Thanks
    Gustavo

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did this with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan
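Gustavo's post above turns on one step: the supplicant sends `host/TEST` as its EAP identity, and the directory lookup has to strip the `host/` prefix before matching on the certificate CN. As an added example outside ACS (not code from the thread or from Cisco), the Python below does that normalisation and builds the LDAP equality filter for the lookup, escaping the value as RFC 4515 requires; the attribute name, the identities and the hypothetical `principal_key` are constructed assumptions of this example, not a description of how ACS caches dynamic users.

```python
"""Added example (not from the thread): the identity-normalisation step Gustavo
describes, done outside ACS. A machine supplicant sends "host/<name>" as its
EAP identity; to look the machine up, the prefix is removed and the remainder
is placed in an LDAP equality filter. The attribute name, the entries and the
identities used here are constructed assumptions."""
from typing import Tuple

# RFC 4515 requires these characters to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_eap_identity(identity: str) -> Tuple[str, str]:
    """Return ("machine", name) for the host/ form, ("user", identity) otherwise.
    The prefix check is case-insensitive because supplicants differ in casing."""
    if identity[:5].lower() == "host/":
        return "machine", identity[5:]
    return "user", identity


def identity_filter(identity: str, attr: str = "cn") -> str:
    """Equality filter for the directory lookup, with the value escaped so that
    an identity chosen by the supplicant cannot change the filter's structure.
    Rejects an empty name so a bare 'host/' cannot turn into a presence filter."""
    kind, name = split_eap_identity(identity)
    if not name:
        raise ValueError(f"empty {kind} name in identity {identity!r}")
    return f"({attr}={escape_filter_value(name)})"


def naive_identity_filter(identity: str, attr: str = "cn") -> str:
    """What plain string interpolation produces; kept only to show the contrast.
    A supplicant-controlled identity ends up inside the filter unescaped."""
    _, name = split_eap_identity(identity)
    return f"({attr}={name})"


def principal_key(identity: str) -> str:
    """Hypothetical canonical key: the same machine maps to one key whether it
    shows up as 'host/TEST' or 'TEST', which is the kind of mismatch the post
    reports between the RADIUS reports and the dynamic user list. cn matching
    is case-insensitive in the directory, so the key is lower-cased too."""
    return split_eap_identity(identity)[1].lower()


def accepts_identity(identity: str) -> bool:
    """True when the identity yields a usable lookup filter."""
    try:
        identity_filter(identity)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ident in ("host/TEST", "alice", "HOST/test.example.com", "host/TEST)(cn=*"):
        print(ident, "->", identity_filter(ident), "key:", principal_key(ident))
```

The last sample identity in the usage loop is the reason the escaping matters: interpolated raw, it would produce `(cn=TEST)(cn=*)` and the lookup would no longer be an equality test on the CN that the TLS handshake actually validated.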

  • AAA ACS and Nexus

    Hello,
    I am setting up TACACS+ AAA on a Nexus switch.
    Using the Nexus CLI I can record all entered commands (see example 1).
    Using Cisco Device Manager with the same switch I cannot get a record of entered commands (see example 2).
    Via CDM, Nexus is using SNMPv3 and MD5 for authentication, allowing me to type a username/password to authenticate.
    How can I set up AAA on Nexus to provide the same level of reporting when using CDM and the CLI?
    If anyone can provide some config info would be greatly appreciated.
    AAA config lines:
    feature tacacs+
    aaa authentication login default group AAA
    aaa accounting default group AAA
    tacacs-server host 5.5.5.5 key <key>
    aaa group server tacacs+ AAA
        server 5.5.5.5
        use-vrf management
    Example 1
    22/03/2011,14:45:57,MaxPower,Nexus,terminal length 0 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:45:57,MaxPower,Nexus,terminal session-timeout 60 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:45:57,MaxPower,Nexus,sync-snmp-password ******** MaxPower 10.2.2.44 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:46:02,MaxPower,Nexus,terminal length 0 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:02,MaxPower,Nexus,terminal session-timeout 60 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:03,MaxPower,Nexus,sync-snmp-password ******** MaxPower 10.2.2.44 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:11,MaxPower,Nexus,target (name:10.2.2.44/2162/0 address:10.2.2.44:2162 timeout:1500 retry:3 tagList:trap params:10.2.2.44/2162/0) added ,0,none,0,snmp_3277_10.2.2.44,1.1.1.1,
    22/03/2011,14:46:16,MaxPower,Nexus,target (name:10.2.2.44/2162/0 address:10.2.2.44:2162 timeout:1500 retry:3 tagList:trap params:10.2.2.44/2162/0) added ,0,none,0,snmp_3279_10.2.2.44,1.1.1.1,
    Example 2
    22/03/2011,14:46:36,MaxPower,ACSGroup,write <cr>,15,shell,tty2,2,10.10.10.15,
    22/03/2011,14:48:26,MaxPower,ACSGroup,configure terminal <cr>,15,shell,tty1,29,10.10.10.34,
    22/03/2011,14:49:06,MaxPower,ACSGroup,aaa group server tacacs+ AAA <cr>,15,shell,tty1,31,10.10.10.34,

    Hi
    there are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.
    In ACS create some groups based on the permission levels each group should have.
    In the groups enable the shell (exec) service.
    At this point you can either list the denied commands for certain groups right in the group edit page itself.
    Alternatively, you can create Device Command Sets in the shared profiles UI. These are more flexible because inside a single group you can map to different DCSs based on the device being managed (either by device IP or by network device group).
    It's all there in the ACS docs!
    Good luck.

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS TACACS+ for authentication based on Active Directory. Is it possible to use Active Directory as a criterion for authentication AND source IP?
    For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
    Thanks!

    I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter; here configure the user's IP
    2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
    3. Define your rule with the required result

  • Integration problem between Cisco Secure ACS 4.2 with LDAP

    Hi expert,
    I have a problem with the integration between Cisco Secure ACS 4.2 and SUN Java System Directory (LDAP). During the integration, I noticed that users failed to authenticate against LDAP via Cisco Secure ACS. The error message is "Authentication Type is not supported by external DB". In this case the "external DB" refers to LDAP. Does anyone of you have experience integrating both products? Can any of you give me some pointers about this? Attached are both screen captures from my ACS server.
    Thanks very much,
    Daniel

    Hi,
    Thanks for the compatibility chart. Oh dear..., it seems that the LDAP does not support PEAP (EAP-MSCHAPv2) at all. I'm not sure if the latest LDAP (particularly SUN Java System Directory) is able to support this authentication protocol.
    Just to clarify with you all, in case you wonder what I'm trying to do: our company wants to implement 802.1x over the network. So, every staff member on the network must authenticate before being able to access the network resources. Our Linksys switches support this standard, including Cisco switches of course. Our RADIUS server is Cisco Secure ACS 4.2, but all the user information including usernames and passwords is stored in our directory server (LDAP), which is SUN Java System Directory.
    Since most of our staff machines are running XP and Vista, the only available authentication method (besides certificate based) is PEAP (EAP-MSCHAPv2). Based on the compatibility chart, the generic LDAP does not support this authentication protocol, as we noted from the "authentication type not supported by external database" error message in the ACS logs.
    From what I learned, the latest LDAP (version 3.0?) is able to support this authentication protocol, but this is yet to be confirmed by my further research.
    So... can anyone advise me on this matter? Thanks very much!

  • ACS LDAP authentication - restrict to only certain LDAP users?

    I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.
    I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP username/passwords. Command logging and authorization also appear to be working, as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.
    Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I only want a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.
    Can I create an LDAP filter someplace in ACS that specifies only XXX users can authenticate against LDAP and denies all other users?
    Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know..... I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.
    I'm running ACS v4.2.0.124.

    Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6
    Hope that helps.

  • Need Help With ACS LDAP setup to Query AD

    I have 2 Win 2003 ADs, one of them is configured and working under Windows Database (using remote agent) configuration. I am trying to setup the second AD with Generic LDAP setup. I want to know what exactly I should use in the fields UserObjectType and Class, and GroupObjectType and Class for Windows 2003 AD. All Cisco documents give example of Netscape LDAP syntax. I was told by our server admin. what to put under Admin DN, CN=myid,OU=mygroup,OU=myorg,DC=mydomain,DC=com
    I have both user & group directory subtree fields filled with DC=mydomain,DC=com.
    I am using the ip address for Primary LDAP server, and port is 389, LDAP version 3 is checked.
    Are any of these DC, OU, etc. case sensitive?
    With all entries that I have tried, when I go to map a group, I am getting error "LDAP server NOT reachable. Please check the configuration". My ACS can ping the domain controller's IP address fine.
    Please help. Thank you in advance,
    Murali

    Murali,
    These references may help...
    http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc
    http://www.microsoft.com/technet/archive/winntas/plan/dda/ddach02.mspx?mfr=true
    http://technet.microsoft.com/en-us/library/aa996205.aspx
    Regards,
    Richard
