ACS 5.3, EAP-TLS Machine Authentication with Active Directory

Similar Messages

• EAP-TLS machine authentication problems

  Well..
  I have the following devices:
  WCS
  Wlan controller 4402
  AP 1130 LWAPP
  Workstation XP sp2
  Secure ACS 4.0
  Windows CA
  Windows AD
  Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
  Which clarifications do I have to do in ACS and AD?
  Can someone help me and give me very detailed instructions on how to make it work.

  Hi,
  We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
  Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

• How to ACS 5.0.0.21 Expresss integrate with Active Directory Standar 2003 and authenticate PEAP MSCHAPV2

  Hi:
  My name is Ivan, I have a trouble
  I have a ACS 5.0.0.21 express, and i have to integrate with Active Directory (AD)  2003 Standar. I should authenticate the users of the Domain in the LAN with PEAP MSCHPAV2, using the follow:
  Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
  I need to know if i should to install a certificate in the ACS 5.0.0.21 or some agent remote install  in the AD.
  I put in the ACS a external database with the AD, and i already select the users on the domain in the ACS Express.
  Please could you tell me all the steps to autenticate the users on the Domain using the ACS Express and the Active Directory,
  I would like to know wich are the configuration that i have to do in my ACS express to authenticate using PEAP MSCHAPV2
  Regards
  Ivan

  See the below URL - multiple config guides on what you want to do:-
  http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
  HTH>

• EAP-TLS Machine Authentication/Certificate

  Hi,
  I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN.  I can make each user get a user cert from my CA and if I use an admin account I can get windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.
  Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.
  When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but i can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).
  Do I need to alter some setting in the cert to pass a different user/machine name or do i need to get a different kind of cert from the CA?
  Any help will be greatfully received.
  Thanks,

  It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?
  Or perhaps you don't have a machine cert on the computer.  You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

• SAP R/3 Authentication with Active Directory on Win2k server.

  Hello list ,
  We are running SAP R/3 4.7 with WebAS 6.2 on Solaris and a Windows 2000 Active Directory domain. Our users access SAP in 3 ways
  1) SAP GUI .
  2) SAP BW
  3) Travel & Expense - a java application that records users travel details and posts a transaction to SAP using the SAP userid and password.
  Wish to implement SSO for all our users.
  Some research we have done suggests
  1) Using Kerberos for authentication. while it appears that microsoft krb 5 implementation will work only on windows servers, it is not clear how well are other krb implementations supported by SAP. OSS note # 150380 and link http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm
  2) OSS note # 352295 suggest there could be some issue using KRB 5 shipped with unixes.
  "All of the major Unix vendors seem to be shipping a version of Kerberos 5 these days. These implementations should be wire-interoperable with each other and with Microsoft W2K (not necessarily W2K3!), however they may not be interoperable with SAP's shared library interface to GSS-API v2 mechanisms."
  3) There are some commercial solutions like - CyberSafe that provides krb based SSO at a fee. Has anyone tried this software ?
  I have created an OSS ticket but we are still in a queue since 5 days already.
  Has any one from the list implemented a similar solution ? What are the best practices and way to go for a robust solution.
  4) Another option that we have is to start with user synchronization. Where in Users created in Active Directory get synchronized with SAP .
  What is mandatory for us is that Users marked disabled in Active Directory should be blocked in SAP by synchronizing user information at regular interval. If anyone has implemented this solution I will appreciate if they give me some pointers.
  Thanks in advance.
  Harsh Busa

  Tim,
  you are perfectly right: that Vintela product is not certified (as SNC solution).
  But you are not quite right regarding the separate treatment. The major difference between that product and the SNC certified products (such as CyberSafe, Entrust, ...) is: Vintela uses different SNC libraries on the client side (=> our Windows SSPI wrappers, see <a href="http://service.sap.com/~iron/fm/011000358700000431401997E/352295">SAP note 352295</a>) and the server side (=> their own SNC library, not certified). And that is actually also one reason why that solution cannot be certified ...
  Well, those Windows SSPI wrappers provided by SAP (=> gsskrb5.dll, for example) are also not "SNC certified", but SAP provides support (being in contact with Microsoft). Well, as some people might know, there are also some interoperability issues between different Microsoft OS versions ... - resulting in reactive patches of our SSPI wrappers.
  I really do <u>not</u> want to promote <u>any</u> product - neither the one of Quest Software Inc., nor the one of <a href="http://www.cybersafe.ltd.uk/">CyberSafe Ltd</a>, nor <a href="http://www.entrust.com">Entrust Inc.</a>, nor <a href="http://www.secude.com/">SECUDE IT Security GmbH</a>, nor ...
  I do not even want to disencourage anyone from implementing his own Kerberos-based solution (or any other solution which provides an GSS API), provided that this person is able to help himself. Reason: if products of different vendors are used and interoperability problems occur the usual finger-pointing will start. In the end you'll not get support by anyone ... - as long as you are aware of this (and capable of helping yourself) you can go ahead. Some (known) universities are belonging to that group ... - but it might not be appropriete to the vast majority of customers.

• Problem authenticating with Active Directory

  Hi,
  We want to authenticate the users from Microsoft Active directory.We created users by doing a bootstrapping from AD to OID (10.1.2).
  I enabled the plug in by following the Chapter 18 Configuring Active Directory External Authentication plug -in.
  After running through the plug in is installed if i try to login with AD user id I am getting authentication failure error.
  I am not sure whether OID is connecting to Active Directory for authentication.How to ensure that it is connecting to AD
  I am giving uid attribute as login id.What is the login id to be given
  I have tried many combinations no luck. I am getting following error in ssoServer.log
  Sun Dec 11 19:44:13 EST 2005 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Communication Exception received. Cleaning up the stale connection
  oracle.ldap.util.CommunicationErrorException: Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password connection closed
       at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1213)
       at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
       at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
       at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
       at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
       at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
       at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
       at java.lang.Thread.run(Thread.java:534)
  Thanks

  Did you check the debug information from the external auth plugin.?
  This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
  here an excerpt:
  D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
  ...enable the plug-in debugging. To do this, enter:
  sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.plsTo check the plug-in debugging log, enter:
  sqlplus system/managerSQL> select * from ods.plg_debug_log order by id;
  (To delete the plug-in debugging log:
  sqlplus system/managerSQL> truncate table ods.plg_debug_log
  To disable the plug-in debugging:
  sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.plsE) Dump the plug-in profile to make sure it is enabled and configured correctly:
  ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"please take also a look into the DIPTESTER tool available in
  http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
  regards
  --Olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Oracle forms authentication with active directory without OID

  Hi Gurus,
  I need to implement active directory authentication in oracle forms.
  My scenario is this:
  1. The user is created in active directory
  2. The user is imported in our aplication, and then I assign the roles in Oracle, and create the user in my aplicattion.
  When the user logs, the system have to validate the password with MS-AD. If the password is right, then, the system start a session in Oracle.
  My questions are:
  1. How can I validate the password in AD ? Is it in clear text, unix crypt, AES ?
  2. In case the user has changed the password in AD, how can obtain he logs in oracle with the new password ?
  We use oracle enterprise edition, but we don't have oracle applications, so i can't use identity management.
  Thanks in advance for your help

  You will need Oracle SSO and OID to implement Active Directory authentication for Oracle Forms. It comes with Oracle Application Server. You will need to read up on how to use AD instead of OID as the user store for Oracle Single Sign-on (SSO). Forms will use SSO to login not really knowing which user store is used so there is no config needed on the Forms side (except enabling SSO).

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• Db10g external password authentication with Active Directory via OID

  HI ALL
  - i have the synchronization AD-to-OID
  - i have the external authorization of AD users via SSO (external authorization plug-in)
  - i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
  - but i cann't configure the DB10g autorization of AD-to-OID synchronized users who don't have their password in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  Funny thing - LDAP (OID and Active Directory) defines a generic heirachical database. Like any other generic database, you need to define the schema to define what data is to be captured.
  Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
  To accomplish what you want to do
  1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
  2) learn to configure SQLNet / Oracle Networking to use LDAPthat is responsib (''cause it's Oracle Networking responsible for the login)
  3) Reverse the schema from OID and transport it to AD
  Aside from that, it's a no-brainer.

• Oracle Apps User Authentication with Active Directory

  Greetings,
  I am running Oracle Apps 12.1.1 using native login authentication. What I would like to do is set it up so that it uses our Active Directory to authenticate users. Does anyone know if there is an easy way to configure this or do I need to use OIM to accomplish it?
  Thanks

  Have a look here
  http://www.oracle.com/products/middleware/identity-management/docs/db-users-roles-management-whitepaper.pdf

• Solaris authentication with Active Directory

  Our shop is a mixed environment of Unix and Windows users. Many use both environments daily and there has been a desire to have a common authentication scheme. We have been able to successfully configure our RH Linux clients to authenticate against our Windows or NIS environment using pam and krb5, but have not been able to successfully adapt this to our Solaris (9/10) environment. Our Unix/Linux client environment is in a common NIS domain. We want to continue to use NIS for account management and add AD for authentication only i.e. if the username/password authenticates against AD or NIS, then the user login proceeds.
  On Solaris I have been able to successfully configure the /etc/krb5/krb5.conf file so that a kinit can be done successfully. klist list out the info and kdestroy removes it. However, figuring out how to properly configure the /etc/pam.conf file to use this login/rlogin/ssh authentication is not making any progress. Various attempts to add the pam_krb5.so.1 plugin in various sections of the file have not worked. Can you advise me on the proper configuration for this to work and or the means to get it working?

  Read up on Enterprise User Security (EUS), a feature of Oracle Enterprise Database.
  Mark Wilcox also has several posts related to OVD/AD/EUS integration on his blog:
  http://blogs.oracle.com/mwilcox/2008/09/clarifying_eus_and_kerberos.html
  A simple google search for oracle eus will also turn up a lot of useful info.
  And then there is Oracle's identity website, where there are white papers like this one:
  Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory
  http://www.oracle.com/us/products/middleware/identity-management/059380.pdf

• Authentication with Active Directory Group in WLS 10.0

  Hi,
  By using the Active Directory authenticator in WLS 10.0, I managed to get connected to the AD and can see the groups and users in the administration console.
  But, I am having troubles setting up the security role(s) in my web app. I can't figure out how to configure it so that I can actually sign in to my web app using an AD group.
  Here are the web.xml & weblogic.xml files:
  web.xml
  <web-app>
  <welcome-file-list>
  <welcome-file>/SecuredPage.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
  <display-name/>
  <web-resource-collection>
  </web-resource-collection>
  <auth-constraint>
  <description>Constraint for aduser</description>
  <role-name>aduser</role-name>
  </auth-constraint>
  </security-constraint>
  <!-- Login Config -->
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
  </login-config>
  <!-- Security Roles -->
  <security-role>
  <description>Users of myADgroup</description>
  <role-name>aduser</role-name>
  </security-role>
  </web-app>
  weblogic.xml
  <weblogic-web-app>
  <security-role-assignment>
  <role-name>aduser</role-name>
  <principal-name>ADUserGroup</principal-name>
  </security-role-assignment>
  </weblogic-web-app>
  For the above config, my intention is to give access only the members of ADUserGroup to my webapp. This group is listed in myrealm at WLS as well as members of this group (ADUserGroup). But while trying to login as any members of this group, got 403 error!
  Any siggestion!!
  Thanx in advance!
  Any help would be appreciated!

  Okay, guys, now it seems working as I changed group type from distrubtion to security in Active Directory.
  Edited by ronobi at 02/18/2008 6:27 AM

• Authentication with Active Directory

  Hi All,
  Please help me how i can implement user authnication using active directory.
  I have a jsp page where the user enters the userid and password, these i have to authniticate with that of the active directory list and if successfull then depending upon the user dept have to redirect the user to diff pages.
  please help me how can i implement this functionality
  I am using tomcat and jsp on windows 2000 server
  Thanks in Advance
  Ravi

  Ok, just a few keywords:
  JAAS and Kerberos
  There are already some postings in this forum that belong to this term.

• Mac OSX Tiger Authentication with Active Directory

  I'm at my wits end and need some help. We have a Windows network, that we joined a designers new Mac to. When he, or an administrator logs into the network from the Mac, when they try to access network shares, (GO-->Connect to Server) they get permission denied.
  Any Ideas??
  Thanks

  Hi Daniel,
  you can use the User Management Engine (UME) to do that. Just map your AD to UME (its done via xml-mapping file and pretty simple, although I dont have an example at hand).
  You can then use the UME-API to check user Roles and Groups or access their attributes.
  regards
  Jan

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?