ACS authentication against AD

I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed meaning ACS is in and operational and I have it joined to my domain. I am now to the point of selecting my AD groups and Attributes within those groups. I know very little about AD so that may be part of my confusion.
First off I gathere that I need to specify a specific group to get the actual user name / password authentication process to work? I loaded the windows Active Director Editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also thinkthat if my domain is 123.abc.corp that I need to use DC=123,DC=abc,DC=corp then pick the correct CN that I need?
I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication so figure we need say a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group or are there any specific or recommended fields I need to have with this group?
Secondly, we also want to use ACS for Dot1.x authentication on our Cisco switches but need VLAN information tied to the user. My question here is this something that we can add as a field to the user information or better to add it as a field in another group?
I am looking for configuration examples but wanted to also make sure that I am following best practices so any assistance is appreciated.
brent

If you have single domain then you don't need to specify the domain name, just click on the 'select' button under directory groups to fetch/retrieve the AD groups and then add them.
Use this page to select groups that can then be available for policy condition,
Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
For more information, you may visit the below listed URL
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999
Once you are done, go to the access-policy >> on the right bottom corner, you would see a tab "customize" click on it and move the attribute AD1:ExternalGroups to thr right end side >> click ok >> create a new authorization policy and select the group you fetched in the directory groups under AD configuration.
In order to do dynamic vlan assignment on ACS 5.1 you do the following:
Policy elements >> Authorization and permissions >> Network Access >> Authorization profile >> Create >> Give it a name like example "switch" >> Common tasks >> Click on VLAN ID name >> Select Static >> Give Vlan Number >> Click Submit >> Go to Access Policies >> Under default network access click on authorization >> Create >> Give the Rule a name like "vlan assignment for SWITCH" >> Click on Ad1:external groups >> Contains any >> Select -> choose the appropriate AD group >> Click ok >> Click select for authorization profiles >> Choose the profile that was previously create called "switch" >> Click ok >> Now you assign the VLAN of "SWICTH" to the Group to the AD group >> Click OK.
HTH
Regds, Jatin
Do rate helpful posts~

Similar Messages

ACS Authentication against Lotus Notes

Hi Team, is it possible to authenticate Users via ACS against Lotus Notes, similar to MS AD? Regards, Michael

I don't think it is possible to use ACS with Lotus notes for user authentication. These are the external databases supported with ACS.
a) Windows User Database
b) Generic Lightweight Directory Access Protocol (LDAP)
c) Novell NetWare Directory Services (NDS) when used with Generic LDAP
d) LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers
e) Token servers
f) Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

ACS 5.1 Authentication against AD problem

I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44. We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues. His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server. Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log: "24421 Change password against Active Directory failed since it is disabled in configuration". The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration. As a test, I enabled password changing and instead saw this error: "24407 User authentication against AD failed since user is required to change his password".
I've had him change passwords numerous times, try different SSH clients, and different PCs. I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out". So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
The only difference between the two ACS servers are that they are querying different AD servers. I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning. I've also restarted the services and cold started the ACS virtual machine to no effect. I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
ying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!

Hello,
It is complicated to explain this rule but hopelly you will understand.
I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
Regards,
Sebastian Aguirre

ISE 1.1 - 24492 Machine authentication against AD has failed

We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

Hello
We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
http://technet.microsoft.com/en-us/library/cc772007.aspx
Thanks,
Tarik Admani
*Please rate helpful posts*

Ubuntu Karmic authentication against Snow leopard open directory server

Hi,
I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
(I've changed the hostname and ldap url)
/etc/ldap.conf has:-
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
/etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
/etc/pam.d/common-passwd :-
password sufficient pam_ldap.so md5
password required pam_unix.so nullok obscure md5
password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
/etc/pam.d/common-auth:-
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so usefirstpass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:-
account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pamckconnector.so nox11
Does anyone have any ideas where to go from here?
Message was edited by: zebardy

Hi
It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
Page 55 onwards.
From Page 64:
"The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
HTH?
Tony

How can I tell if a user has already authenticated against AD?

Sorry to begin with if this has been dealt with in another thread already. Ive taken a look around and cant see something that answers my questions exactly. If such a thread exists, please point me in that direction.
We have a product that needs to be installed on a customer site. Its a windows based, web fronted application with a client program on the user's pc and a server side component that handles requests for data. What I need to do is to check if the user has already authenticated against active directory. If so then I dont need to ask for authentication (single sign on).
This is my first look at jndi so Im in the dark about how this should be done. Is there a way to use the user's credentials (is there a token?) to check or do I need a specific login for my application to access the customer AD?
Any tips would be very welcome,
Mark

You may want to refer to the Java Security forum at http://forum.java.sun.com/forum.jspa?forumID=545 for information on Kerberos & JAAS.
There is a also a post in this forum, outlining how to utilise Kerberos, JAAS with JNDI to access Active Directory. JNDI, Active Directory and Authentication (Part 1) (Kerberos)
at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Possibly the part you are looking for is the functionality included in the class that implements java.security.PrivilegedAction
Good luck.

ISE 1.2 - 24492 Machine authentication against AD has failed

Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users. User authentication works, machine auth doesnt.
Machine authentication box is ticked.
If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
This happens on all computers, both WinXP and Win7 corporate builds.
I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
Anybody got any ideas?
thanks.

24492
External-Active-Directory
Machine authentication against Active Directory has failed
Machine authentication against Active Directory has failed.
Error
Please check NTP is in sync or not ISE

Authentication against users in a table

I am somewhat familiar with JAZN authentication but here is what I need to do and would GREATLY appreciate as much details as you can provide:
Say, I have a table USERS(USER_ID, NAME, ...) and several other tables in the DB. Let's say I have another table ADDRESS(ID, USER_ID, ADDRESS, ...). Several things needs to be done:
1. When user attempts to access a Input Form page to add new record in ADDRESS, a login screen should appear. I KNOW how to do this with either basic or form based authentication. However in this case user credentials will be stored using jazn tool.
2. Since I need USER_ID to be passed to my Input Form page I believe that I cannot use jazn for this, but rather to authenticate against my USERS table. How?
3. In this case (authentication against my USERS table) where the paswords are kept?
4. Also in this case, is it possible to provide several levels of access, ie all to managers, some to data enter people etc.
We are new to Oracle and JDev so any help is appreciated. The more the better...
Cheers!
Rade

Here is what I did and it does not work:
I have 'login.uix' page with username and password entries:
<form name="form0" method="post">
<contents>
   <pageLayout>
    <pageButtons>
     <pageButtonBar>
      <contents>
       <submitButton text="Sign In" event="verifySignin"/>
       <submitButton text="Login" event="login"/>
      </contents>
     </pageButtonBar>
    </pageButtons>
   <contents>
<tableLayout>
   <contents>
    <rowLayout>
     <contents>
      <messageTextInput name="username" prompt="Enter Name"/>
     </contents>
    </rowLayout>
    <rowLayout>
     <contents>
      <messageTextInput name="password" prompt="Enter Password" secret="true"/>
     </contents>
    </rowLayout>
   </contents>
   </tableLayout>
</contents>
</pageLayout>
</contents>
</form>
...Then in its Action class I have:
public void onLogin(DataActionContext ctx)
    //ctx.getBindingContainer();
    HttpServletRequest r = ctx.getHttpServletRequest();
    String userName = r.getParameter("username");
    String password = r.getParameter("password");
    // username and password required
    if (userName.length()==0 || password.length()==0)
      ctx.setActionForward("loginFailed");
      return;
try
      // Get handle to Application Module that "carries" Staff View
      DCDataControl dc = ctx.getBindingContext().findDataControl("AppModuleDataControl");
      ApplicationModule am = dc.getApplicationModule();
      // find the Staff view object that holds username and password
      ViewObject vo = am.findViewObject("StaffView1");
      //find user
      Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
      System.out.println(" I never get here!?!?!!!!!");
catch (Exception ex)
      //Set Main Error Page here
      System.out.println(ex.toString());
      ctx.setActionForward("loginFailed");
      return;
}Seems like Row[] userRow = vo.getRowSet().getFilteredRows("StaffId",userName.toUpperCase());
is not properly executed?!?
Anybody know what the problem is??? This is based on Frank's code sample that I found on forum.

Oracle 10g Reports Server - problem authenticating against DB

I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
REP-51018: Need database user authentication
When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
REP-51018: Need database user authentication
REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
Any ideas which config file I should be looking in?
Any pointers would, of course, be much appreciated.
thanks,
Brian

Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
# nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
passwd files compat
# /etc/passwd (just add at the end of file)
+:x:::::

AD authentication against Shared Services failing randomly

We're seeing random failures in AD authentication against Shared Services both via the Excel Addin and via Maxl scripts.
SQL server (v 10.50.2500), Shared Services and OHS (v 11.1.2.2.303), and Essbase server (v11.1.2.2.104) are installed on the same physical box (16 cores, 192GB RAM) in a single-server configuration. It happens every few days at no fixed time and is resolved either by itself in a few hours, or by stopping and starting EPM services (Hyperion Foundation Services - Managed Server, OPMN service for Essbase, and OPMN service for OHS are stopped by running <Middleware_Home>\user_projects\epmsystem1\bin\stop.bat, and started by running start.bat).
While the AD authentication is down, nobody is able to connect (via the Excel Add-in or Maxl scripts) using their AD accounts and get the following error - "Analytical Services user [AD_user1] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]". Native authentication works at all times (even when AD authentication fails).
Although it seems to apply to an older version and to Planning/Workspace, we did look into "Error "EPMCSS-00301: Failed To Authenticate User. Invalid credentials" Intermittently When MSAD User Logs Into Workspace. (Doc ID 1389871.1)". But even after making the suggested changes, the problem persists. Any ideas what might be causing AD authentication to fail randomly like this? Below are some relevant portions of the logs -
From ESSBASE_ODL.log -
[2014-01-10T04:41:06.693-05:00] [ESSBASE0] [ERROR:32] [AGENT-1440] [] [ecid: 1388972435616,0] [tid: 6312] Essbase user [hyperion_admin] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]
[2014-01-10T04:41:06.693-05:00] [ESSBASE0] [WARNING:1] [AGENT-1003] [] [ecid: 1388972435616,0] [tid: 6312] Error 1051440 processing request [Login] - disconnecting
From SharedServices_Security_Client.log -
[2014-01-10T04:39:00.490-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required. [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url. ad.weil.com:389. Verify MSAD user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration.
[2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.693-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
[2014-01-10T04:41:06.693-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
From console~Essbase1~EssbaseAgent~AGENT~1.log -
[Fri Jan 10 04:40:22 2014EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.
at com.hyperion.css.facade.impl.CSSAbstractAuthenticator.authenticateUser(CSSAbstractAuthenticator.java:658)
at com.hyperion.css.facade.impl.CSSAPIAuthenticationImpl.authenticate(CSSAPIAuthenticationImpl.java:69)
at com.hyperion.css.facade.impl.CSSAPIImpl.authenticate(CSSAPIImpl.java:102)
at com.hyperion.css.facade.impl.CSSAPIImpl.login(CSSAPIImpl.java:794)
at com.hyperion.css.facade.CSSAPIFacade.login(CSSAPIFacade.java:776) ]
Local/ESSBASE0///9180/Info(1042059)

Server times are in sync. In fact, we see no such issues on the 9.3.1 environments (which are in the same server farm as the 11.1.2.2 environments).
We're using the same MSAD configuration we have in the 9.3.1 environments as follows -
Directory Server: Microsoft
Name: AD Host Name: ad.mycompany.com
Port: 389
SSL Enabled: unchecked
Base DN: DC=ad,DC=mycompany,DC=com
ID Attribute: objectguid (greyed)
Maximum Size: 200
Trusted: checked
Anonymous Bind: unchecked
User DN: ad\hyperion_admin
Append Base DN: unchecked
User RDN: blank
Login Attribute: cn
First name Attribute: givenName
Last name Attribute: sn
Email Attribute: mail
Object Class: person,organizationalPerson,user
Support Groups: checked
Group RDN: OU=groups
Name Attribute: CN
object class: group?member
I also tried disabling AD groups (Support Groups = unchecked), but I still see a random AD authentication failure. Below are logs based on automated retrievals using an AD account at 14:37, 17:37, 20:37 and 21:40 today. The first 2 worked fine, the 3rd failed, the fourth worked fine again. From SharedServices_Security_Client.log -
[2014-01-11T14:37:00.574-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 42] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 45] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T14:37:01.151-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
[2014-01-11T17:37:00.752-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 46] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 49] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T17:37:01.361-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
[2014-01-11T20:37:00.634-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url . ad.weil.com:389. Verify MSAD user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration..
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T21:40:41.799-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 52] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 55] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T21:40:42.080-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.

Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

Hi,
I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.

The error message means that Active Directory server Reject the authentication attempt
as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
Event Logs why did the user account got locked.
Under Even Viewers, You can find it out
Regards
Minakshi (Do rate the helpful posts)

Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc

The possible causes of this error message are:
1.] If the end user entered an incorrect username.
2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
In your cases, the 3rd option seems to be the most closest one.
Jatin Katyal
- Do rate helpful posts -

User authentication against LDAP - Non-AD

Hi,
We are trying to setup LDAP authentication against an LDAP, Oracle Unified Directory and below are the parameters of ldap.properties file:
ldapAuthentication.defaultRole = ROLE_AUTHENTICATED_PRINCIPAL
ldapAuthentication.enabled = true
ldapAuthentication.tryNextProviderIfNoAuthenticated = true
ldapAuthentication.stopIfCommunicationError = true
ldapAuthentication.url=ldap\://localhost:389/
ldapAuthentication.rootContext=DC=test,DC=com
ldapAuthentication.securityPrincipal=CN=Directory Manager
ldapAuthentication.securityCredential.encrypted=password
ldapAuthentication.keepContextPrefix=false
ldapAuthentication.isAD=false
ldapAuthentication.userAccountSearchKey=CN
ldapAuthentication.firstNameSearchKey=givenName
ldapAuthentication.lastNameSearchKey=sn
Still I am getting while I try to login to OIA as an OUD user:
WARN [UserManagerImpl] RbacxUser with username: 'cn=oiaadmin' not found
Please help

Hi Jcorker,
According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
If you have any feedback on our support, please click
here.
Charlie Liao
TechNet Community Support

Oracle Database Authentication against Microsoft Active Directory

Hello
Does anyone know if it is possible or can point me in the right direction of some documentation that discuss Oracle database user authentication against and Enterprise Directory Service, in my cases MS AD?
My environment consists of Oracle RDBMS 10.2.0.3 on Linux Red Hat AS 4. Our users connect in from Window clients. I would like to know if there is a way to autheticate users from Windows to the database using LDAP based (AD) authentication. In oters words how do I configure authentication to be done for "identified globally accounts"? I know that the identified by globally accounts require the use of the CN which I have done, but it seems like there is some piece missing. Perhaps an Oracle schema or modification to Active Directory??
So my questions are
1. Is it possible to authenticate users against AD without the implementation of OID?
2. Is there documentation someone has or can point me to that outlines the required steps?
3. Anything I should know?
I appreciate any help. The documentation I have found so far doesn't seem to be what I need... So I am looking for some advice.
Thanks.

Sure, two methods to auth from Oracle DB to MSAD:
OID and OVD
I am working on our own proof of concept configuring EUS connect to OVD with an MSAD as auth at the moment. OVD basically is presenting the database with OracleSchema and OracleContext info. And when you connect via netca (ldap.ora), you assign it as OID directory authentication type.
Here's an OVD manual on Integrating with EUS (chapter 7 is for MSAD)http://www.oracle.com/technology/products/id_mgmt/ovds/pdf/e10286.pdf
And this would be what the EUS config should look like:
http://www.oracle.com/technology/deploy/security/database-security/howtos/eus-how-to.html
If you've done everything in the first doc...
Hope this answers your questions.

ACS authentication against AD

Similar Messages

Maybe you are looking for