ACS cannot Authenticate Aironet Users against External DB (LDAP)

Can anyone point me to a technical explanation of why this is true?
All I have found so far is one small note in a help file and something that might be related under EAP-FAST explanation.
I have posed this question to our Cisco account team but no response yet.
Just need to have a good explanation when explaining to mgmt why we need to have a special setup for WLAN users.

Hmmm....you should be getting more than that from debug radius and debug aaa authen if your AP is truly attempting EAP authentication. The debugs I generally use for this are 'debug aaa authen', 'debug radius', and 'debug dot11 aaa dot1x all' coupled with gathering the detailed support logs from ACS. A warning about 'debug dot11 aaa dot1x all'....it is VERY verbose and cryptic if you don't have a lot of experience looking at it, so it may be best to open up a TAC case. With these debugs turned on, you should see an EAPOL logon show up from the client (usually says 'received EAPOL packet...') and then a request for identity from the switch and a response from the client with a username and password. Then a series of RADIUS challenge/response packets will be passed which consists of the server cert being passed to the client for validation and then the client sending the username and password to the server. Then you will finally get an access-reject or access-accept packet from the RADIUS server. The failed and passed attempts logs in ACS can also provide good info as to what the source of the failure may be. Do you get any passed or failed attempts for these authentications?
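The reply above walks through the RADIUS exchange that 'debug radius' exposes: the access point sends an Access-Request and ACS answers with Access-Accept or Access-Reject. The Python below is an added example (my own code, not Cisco's and not from the thread) that builds that exchange per RFC 2865 in its simplest PAP form, with the AP as NAS and ACS as server, so the two things a defender checks are visible: how User-Password is hidden under the shared secret, and the Response Authenticator the NAS must verify before it trusts an Accept. The user name, password and secrets are constructed. The EAP flow the reply describes carries EAP-Message attributes instead of User-Password, but a reply to it is validated with the same Response Authenticator check.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attributes this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password; the chain is keyed on the hidden (ciphertext) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute: stop rather than loop forever
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         authenticator: bytes) -> bytes:
    """NAS side (the access point): Access-Request with User-Name and a hidden User-Password."""
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side (ACS): unhide the password, check it, answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response: bytes, req_auth: bytes, secret: bytes) -> str:
    """NAS side: a reply whose Response Authenticator does not check out must be discarded."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "bad-authenticator"  # forged reply or shared-secret mismatch
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def demo() -> dict:
    """Three exchanges: good credentials, wrong password, and an AP/server secret mismatch."""
    user_db = {b"alice": b"correct horse"}  # constructed sample user store
    secret, other_secret = b"s3cr3t-nas-key", b"typo-on-the-ap"  # constructed secrets
    results = {}
    for label, pw, nas_secret in (("good", b"correct horse", secret),
                                  ("bad_password", b"wrong", secret),
                                  ("wrong_secret", b"correct horse", other_secret)):
        auth = os.urandom(16)
        req = build_access_request(7, b"alice", pw, nas_secret, auth)
        resp = server_respond(req, secret, user_db)
        results[label] = client_verify(resp, auth, nas_secret)
    return results


if __name__ == "__main__":
    print(demo())
```

The 'wrong_secret' case is the one worth noticing: the server still answers, but with an authenticator computed under its own secret, and RFC 2865 section 3 requires the NAS to silently discard such a reply. A secret mismatch between AP and ACS therefore never shows up as an Access-Reject, which is one reason to look at both ends' logs rather than only the ACS failed-attempts report.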

Similar Messages

  • SEEBURGER AS2: AS2 Adapter failure - Cannot authenticate the user

    Hello,
    All was working fine but now I got these errors in an AS2 scenario. Sending a message via AS2. Also we don't receive any messages via AS2 anymore. This is the error when sending a message:
    Unable to forward message to JCA adapter. Reason: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user., SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user.
    MP: Exception caught with cause javax.resource.ResourceException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user., SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user.
    Exception caught by adapter framework: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user., SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user
    Delivery of the message to the application using connection AS2_http://seeburger.com/xi failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user., SEEBURGER AS2: AS2 Adapter failure # java.lang.Exception: AS2 message composition failed: com.seeburger.ksm.cryptoapi.exception.CryptoApiException: Cannot authenticate the user.: javax.resource.ResourceException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: AS2 Adapter failure.
    Please advise, many thanks!
    Erik

    Are you using the "Use Authentication" option in the communication channel? If yes, then ensure that the user provided is correct and is not locked. Also recheck the authentication certificate settings.
    Regards,
    Prateek

  • Have OAM authenticate/authorize users against diff dir servers

    Hi folks,
    Is there a way to have OAM authenticate/authorize users against diff dir server under single OAM instance?
    We have standalone OAM 10_1_4_3_0 w OHS11g installed on linux and connected to a particular directory server (sun ldap). We also have an OAM-protected app which authenticate/authorizes users against the same dir server. Can we somehow configure rules/policies/etc, so that users accessing app B will be authenticated/authorized against dir server B; users accessing app C will be authenticated/authorized against dir server c; etc, without having multiple OAM instances?
    Any help is greatly appreciated
    Thank you, Roman

    OVD will not be able to figure out which directory server it's getting authenticated to. OVD is a virtual directory server which can talk to different data sources and fetch a match according to the request.
    For instance, if OVD is configured to AD, SunOne LDAP, OID and Oracle DB. When you call OVD for authentication, it will make a call to all the data sources (AD/OID/LDAP/DB), get a match and provide it to OAM. If you have 2 Auth modules, one with Sun LDAP and the other with Oracle DB, OVD will not remember to which data source it should make a call. All it does is dynamically make calls to all the configured data sources and get matching results.
    To tell you in more detail - Consider App A is configured to authenticate against SunOne LDAP and App B is configured to authenticate against Oracle DB. When a user tries to login to App A, OAM makes a call to OVD and OVD [OVD doesn't have the capability of maintaining the info of users and where they reside] will make a call to both SunOne LDAP and Oracle DB, and when SunOne returns a matching record, OVD sends the authentication info to OAM.
    For better results, try to maintain the same set of schema across all your data sources.

  • Authenticating a User against UNIX LDAP

    I recently submitted a post to determine how to authenticate a user against the Windows Active Directory. Is this also possible with UNIX? Is the code syntax basically the same? Thanks in advance.

    "Yonatan Taub" <[email protected]> wrote in message
    news:[email protected]..
    I'm using Weblogic server 7.
    I need to authenticate a user against a domain: establish whether the user
    exists and if so, verify his password.
    Code samples would be most welcome.
    You can use the login method .
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/services/Authentication.html

  • How to authenticate CXF-Webservice against external LDAP in WebLogic?

    Hi there,
    I'm trying to integrate our Camel-application into WebLogic 12c. All the incoming endpoints are CXF-based webservices. These are secured by "UsernameToken Timestamp" with the WSS4JInInterceptor configured like this:
    <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
              <constructor-arg>
                   <map>
                        <entry key="action" value="UsernameToken Timestamp" />
                        <entry key="passwordType" value="PasswordDigest" />
                        <entry key="passwordCallbackClass"
                             value="de.mycompany.camel.cxf.UserTokenCallbackHandler" />
                   </map>
              </constructor-arg>     
    </bean>
    My problem is: WSS4JInInterceptor expects the UserTokenCallbackHandler to return the password of the user delivered in the header <wsse:Username>. Is there any way to retrieve this from an external LDAP configured in WebLogic? I've already managed to retrieve the users, groups etc. with JMX (javax.management.MBeanServerConnection and weblogic.security.providers.authentication.LDAPAuthenticatorMBean), but I can't figure out how to authenticate the user against the LDAP, i.e. retrieve the password.
    Or am I heading in a completely wrong direction and this is not the way to achieve authentication for CXF-Webservices in WebLogic?
    Please give me a hint (code-snippets preferred ;-) ) how to solve this.
    Regards,
    Frank

    I have run into the exact same situation? Did you ever get around this? If so, how? Please let me know.
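The posted interceptor config sets passwordType to PasswordDigest, and the reason the callback must hand back the stored password becomes obvious once the check is written out. The Python below is an added example (my own code, not CXF's or WSS4J's) of the WS-Security UsernameToken digest on both sides: the client builds Password = Base64(SHA-1(nonce + created + password)), and the server recomputes it from whatever the callback returns, after a freshness check on Created and a replay check on the nonce. The user store and the two lookup callbacks are constructed; the hash-only one models a directory that will confirm a password on bind but never return it.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime form carried in wsu:Created


def make_digest_token(username: str, password: str, nonce: bytes = None,
                      created: datetime = None) -> dict:
    """Client side: the four children of <wsse:UsernameToken> for PasswordDigest,
    where Password = Base64(SHA-1(nonce + created + password))."""
    nonce = os.urandom(16) if nonce is None else nonce
    created_str = (created or datetime.now(timezone.utc)).strftime(TIME_FMT)
    digest = hashlib.sha1(nonce + created_str.encode() + password.encode()).digest()
    return {"Username": username,
            "Password": base64.b64encode(digest).decode(),
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created_str}


def verify_digest_token(token: dict, password_callback, now: datetime,
                        seen_nonces: set, max_age: timedelta = timedelta(minutes=5)) -> str:
    """Server side: the work the interceptor does once the callback hands it the stored
    password. Freshness check, nonce replay check, then constant-time digest comparison."""
    password = password_callback(token["Username"])
    if password is None:
        return "no-cleartext-password"  # nothing to hash: digest auth cannot proceed
    created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_age:
        return "stale"
    if token["Nonce"] in seen_nonces:
        return "replay"
    expected = hashlib.sha1(base64.b64decode(token["Nonce"]) + token["Created"].encode()
                            + password.encode()).digest()
    if not hmac.compare_digest(expected, base64.b64decode(token["Password"])):
        return "bad-password"
    seen_nonces.add(token["Nonce"])  # remember only tokens that actually authenticated
    return "ok"


# Constructed sample store standing in for the callback's backing directory.
CLEARTEXT_STORE = {"frank": "correct horse"}


def cleartext_lookup(username: str):
    """Callback for a store that can return the password itself."""
    return CLEARTEXT_STORE.get(username)


def hash_only_lookup(username: str):
    """Models an LDAP directory that confirms a password on bind but never returns it."""
    return None


def demo() -> dict:
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    seen = set()
    good = make_digest_token("frank", "correct horse", created=now)
    results = {"valid": verify_digest_token(good, cleartext_lookup, now, seen)}
    results["replay"] = verify_digest_token(good, cleartext_lookup, now, seen)
    results["bad_password"] = verify_digest_token(
        make_digest_token("frank", "wrong", created=now), cleartext_lookup, now, seen)
    results["stale"] = verify_digest_token(
        make_digest_token("frank", "correct horse", created=now - timedelta(hours=1)),
        cleartext_lookup, now, seen)
    results["hash_only_directory"] = verify_digest_token(good, hash_only_lookup, now, set())
    return results


if __name__ == "__main__":
    print(demo())
```

The 'hash_only_directory' outcome is the design point: a digest token can only be verified by a party that holds the cleartext password, so a directory that will only confirm a password on bind cannot serve a PasswordDigest callback. The alternative in that situation is passwordType PasswordText carried over TLS, with the server-side validation doing an LDAP simple bind with the supplied credentials instead of asking a callback for the password.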

  • ACS 4.1 failure to authenticate Windows users.

    Hello.
    We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server.
    Starting from today, ACS fails to authenticate users.
    Using the same external user (andrea-meconi) I can verify successful and failed authentication.
    This is the AUTH.log for a generic RADIUS request...
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 15:30:24 E 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: Starting 1 odbc workers
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: DLL initialised OK
    AUTH 25/02/2013 15:30:24 I 0571 3900 AuthenLoadLibrary: Loaded DLL for External ODBC Database
    AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: authenticate 'andrea-meconi' against External ODBC Database
    This is the log for an EAP request...
    AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: authenticate 'venezia\andrea-meconi' against Windows NT/2000
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Got WorkStation CISCO
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]
    Windows AD running now on Windows 2008 server, migrating from 2003.
    Any idea?
    Thanks.
    Andrea

    Windows authentication FAILED (error 1783L)
    The above error indicates that the migration happened over night. In order to resolve this issue you need to upgrade your ACS to at least ACS 4.2.0.124 patch 4 or above.
    Supported Operating Systems section
    --Windows Server 2008, Standard Edition
    --Windows Server 2008, Enterprise Edition
    --Japanese Windows Server 2008, Standard Edition, Service Pack 2
    --Japanese Windows Server 2008, Enterprise Edition, Service Pack 2
    NOTE: No version of ACS 4.x supports 2008 R2. Only ACS 5.2 supports it.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • ACS 4.2 failure to authenticate windows users

    Hi all, we have a bit of a problem which we cannot seem to resolve.
    The ACS can authenticate people using the local database; it can also authenticate a single user (using the Windows database) if you are fast after the service is restarted. However, after a few seconds it fails to authenticate any users; the error we are seeing in the logs appears as authentication failure type: internal error. Also in the log files, the authentication request from the user does not appear in the correct group; it is thrown into the default group.
    Any ideas on where we should look to the problem?

    Hi,
    It's running on Windows 2003 Server, running as the system account.
    Auth.log details below on a failed authentication
    AUTH 04/09/2009 17:02:13 A 5789 3000 0x69 Worker 0 waiting for work
    AUTH 04/09/2009 17:02:13 A 5789 1400 0x6 Worker 3 waiting for work
    AUTH 04/09/2009 17:02:13 A 5789 0368 0x4 Worker 1 waiting for work
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 0
    AUTH 04/09/2009 17:02:23 A 5821 3000 0x69 Worker 0 established conn 166 with 127.0.0.1:1879
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 1
    AUTH 04/09/2009 17:02:23 A 5821 0368 0x4 Worker 1 established conn 167 with 127.0.0.1:1881
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 3
    AUTH 04/09/2009 17:02:23 A 5821 1400 0x6 Worker 3 established conn 168 with 127.0.0.1:1883
    AUTH 04/09/2009 17:02:24 A 5853 0236 0x51 Worker 4 error/timeout, forcing API disconnect of connection 165.
    AUTH 04/09/2009 17:02:24 A 5887 0236 0x51 Worker 4 closing conn 165 endpoint. Handled 2 messages.
    AUTH 04/09/2009 17:02:24 A 5789 0236 0x51 Worker 4 waiting for work
    AUTH 04/09/2009 17:02:30 E 2100 4080 0x6d External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
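Both ACS threads above trace the failure through AUTH.log, and in both the telling line is the same NTAuthenDLL error. As an added example (my own code, not Cisco's), the Python below parses AUTH.log lines, correlates each attempt's start, outcome, error code and group mapping, and summarises outcomes so that a backend failing on every attempt with one error code stands out from an ordinary bad-password rejection. The sample lines are constructed from the excerpts quoted in the two threads, including the ACS 4.2 format with its extra hex column. It assumes the second numeric column is a per-request worker/thread id, which is how the lines for request 4568 hang together; that is an assumption, not documented ACS behaviour.

```python
import re
from collections import Counter

# Constructed from the AUTH.log excerpts quoted in the two ACS threads above
# (the 2009 lines carry the extra hex column seen in the ACS 4.2 log).
SAMPLE_LOG = r"""
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 15:30:24 E 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: authenticate 'andrea-meconi' against External ODBC Database
AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: authenticate 'venezia\andrea-meconi' against Windows NT/2000
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]
AUTH 04/09/2009 17:02:24 A 5853 0236 0x51 Worker 4 error/timeout, forcing API disconnect of connection 165.
AUTH 04/09/2009 17:02:30 E 2100 4080 0x6d External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
"""

# Column layout: AUTH date time level source-id thread-id [hex] message.
# Reading the second numeric column as a per-request thread id is an assumption
# drawn from how the lines for request 4568 hang together.
LINE_RE = re.compile(r"^AUTH (?P<date>\S+) (?P<time>\S+) (?P<level>[A-Z]) (?P<src>\d+) "
                     r"(?P<thread>\d+) (?:0x[0-9a-fA-F]+ )?(?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"pvAuthenticateUser: authenticate '(?P<user>[^']+)' against (?P<db>.+)$")
START_RE = re.compile(r"Starting (?:\w+ )?authentication for user \[(?P<user>[^\]]+)\]")
DLL_RE = re.compile(r"External DB \[(?P<dll>[^\]]+)\]")
FAIL_RE = re.compile(r"Windows authentication FAILED \(error (?P<err>\w+)\)")
OK_RE = re.compile(r"Windows authentication SUCCESSFUL \(by (?P<dc>\S+)\)")
GROUP_RE = re.compile(r"User mapped to ACS group id \[(?P<gid>\d+)\]")


def _new_attempt(when, thread, user, backend):
    return {"time": when, "thread": thread, "user": user, "backend": backend,
            "outcome": "PENDING", "error": None, "dc": None, "group": None}


def triage(log_text: str) -> list:
    """Correlate AUTH.log lines per thread into one record per authentication attempt."""
    attempts, open_by_thread = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg, when = m["thread"], m["msg"], f"{m['date']} {m['time']}"
        cur = open_by_thread.get(thread)
        dll = DLL_RE.search(msg)
        backend_hint = dll["dll"] if dll else None
        # A pvAuthenticateUser line always opens a new attempt against the named backend;
        # a "Starting ... authentication" line only does so if nothing is open on this thread.
        start = ATTEMPT_RE.search(msg) or (START_RE.search(msg) if cur is None else None)
        if start:
            cur = _new_attempt(when, thread, start["user"],
                               start.groupdict().get("db") or backend_hint)
            attempts.append(cur)
            open_by_thread[thread] = cur
            continue
        fail, ok, grp = FAIL_RE.search(msg), OK_RE.search(msg), GROUP_RE.search(msg)
        if (fail or ok) and cur is None:
            # Outcome without a visible start (truncated capture): still record it.
            cur = _new_attempt(when, thread, None, backend_hint)
            attempts.append(cur)
        if fail:
            cur["outcome"], cur["error"] = "FAILED", fail["err"]
            open_by_thread.pop(thread, None)
        elif ok:
            cur["outcome"], cur["dc"] = "SUCCESSFUL", ok["dc"]
            open_by_thread[thread] = cur  # stays open until the group mapping arrives
        elif grp and cur is not None:
            cur["group"] = int(grp["gid"])
            open_by_thread.pop(thread, None)
    return attempts


def summarize(attempts: list) -> dict:
    """Counts that make a systematic backend failure (same error on every attempt) obvious."""
    return {"outcomes": dict(Counter(a["outcome"] for a in attempts)),
            "errors": dict(Counter(a["error"] for a in attempts if a["error"]))}


if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
    print(summarize(SAMPLE_LOG and triage(SAMPLE_LOG)))
```

On the constructed sample the summary shows every failed attempt carrying the same error code while the one success carries a domain controller name and a group id; the attempt left PENDING is the fall-through to the ODBC backend whose outcome the excerpt never shows. The same correlation applied to a full AUTH.log separates "the backend is broken for everyone" from "this user typed the wrong password", which is the first question to settle before touching the ACS version or the AD side.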

  • Samba Users Cannot Authenticate?

    I just want to start this thread by saying samba makes me want to kill myself. I love it so much, that it makes me want to rip my heart out and feed it to stray dogs every time I need to write a new configuration. Because I truly hate configuring it. Ok, with that steam having been blown off, let's jump into the problem I've been chasing for hours.
    My users cannot login to samba shares. Simple as dirt. Every single time I access the shares as a user, I am prompted for my password, I enter my password, and the prompt immediately asks me again, as if I've entered the wrong password.
    Heading off the obvious: Yes, I've added samba users with pdbedit -a -u [username]. The unix permissions on the folder I am trying to access as a samba user are 755, and I am trying to access the folder as its owner. My server smb.conf is included below.
    [global]
    workgroup = WORKGROUP
    passdb backend = tdbsam
    netbios name = ArchServ
    name resolve order = bcast host lmhosts wins
    server string = ""
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    use client driver = yes
    map to guest = Bad User
    local master = yes
    preferred master = yes
    os level = 65
    usershare allow guests = Yes
    usershare max shares = 100
    usershare owner only = False
    security = share
    #username map = /etc/samba/smbusers
    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    print ok = Yes
    browseable = No
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    [Home - user1]
    comment = Deyla's Home folder
    path = /home/user1
    create mask = 0755
    guest ok = yes
    browsable = yes
    write list = user1
    public = yes
    [Home - user2]
    comment = James' Home folder
    path = /home/user2
    create mask = 0755
    guest ok = yes
    browsable = yes
    write list = user2
    public = yes
    [Transmission Home]
    comment = Torrent downloads
    path = /home/transmission
    create mask = 0775
    guest ok = yes
    browsable = yes
    write list = user1 user2
    public = yes
    They work flawlessly as guest shares, and I have no problem gaining access... but when I try to log into a share as a user, the user will absolutely not authenticate, and it is the most frustrating, puzzling enigma to me. I formerly had this very samba configuration on an Ubuntu file server, and had no problems with the share behaving exactly as I wanted it to. I cannot for the life of me figure out why my users cannot authenticate.
    Please help! Any and all tips are appreciated! Thank you in advance!

    Thanks to Swerdina over at the OpenSUSE forums, I was able to solve my samba issue (thread). In a nutshell, my problem was the last active line in my [global] stanza, which was set to "security = share". By setting this global setting to "security = user" it fixed my problem and now allows me to invoke my shares with user privileges if I so choose to. Hopefully this helps someone who may have had a similar problem.
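The fix in that last post was a single [global] setting. As an added example (my own code, not Samba's), the Python below parses an smb.conf excerpt constructed from the stanza quoted in the thread, reports the legacy 'security = share' setting (share-level mode, in which the client's user name is not authenticated at session setup; Samba's default, and what the fix above switches to, is 'security = user'), notes the effect of 'map to guest = Bad User' on logons with an unknown user name, and rewrites the offending line.

```python
import re

# Constructed excerpt of the [global] and one share stanza quoted in the thread above.
SMB_CONF_BEFORE = """\
[global]
workgroup = WORKGROUP
passdb backend = tdbsam
netbios name = ArchServ
map to guest = Bad User
usershare allow guests = Yes
security = share
#username map = /etc/samba/smbusers
[Home - user1]
comment = Deyla's Home folder
path = /home/user1
guest ok = yes
write list = user1
"""


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parser: [section] headers, key = value lines, '#' and ';' comments.
    Keys are normalised to lower case with single spaces, as Samba itself treats them."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def check_global_auth(conf: dict) -> list:
    """Findings about how [global] decides who a connecting client is."""
    g = conf.get("global", {})
    findings = []
    mode = g.get("security", "user").lower()  # Samba's default is user-level security
    if mode == "share":
        findings.append("security = share: legacy share-level mode, the user name sent by the "
                        "client is not authenticated at session setup; use security = user")
    if g.get("map to guest", "never").lower() == "bad user":
        findings.append("map to guest = Bad User: a logon with an unknown user name is silently "
                        "downgraded to guest access instead of being rejected")
    return findings


def set_security_user(text: str) -> str:
    """Rewrite a 'security = share' line to user-level authentication, leaving the rest intact."""
    return re.sub(r"(?im)^([ \t]*security[ \t]*=[ \t]*)share[ \t]*$", r"\1user", text)


if __name__ == "__main__":
    for finding in check_global_auth(parse_smb_conf(SMB_CONF_BEFORE)):
        print("before:", finding)
    for finding in check_global_auth(parse_smb_conf(set_security_user(SMB_CONF_BEFORE))):
        print("after: ", finding)
```

After the rewrite the only remaining finding is the 'map to guest' note, which the thread's configuration also carries: with user-level security it is harmless for known users, but it means a mistyped user name lands in the guest context rather than producing a visible authentication failure, so it is worth knowing about when reading access logs.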

  • Guest portal using ACS to authenticate against AD

    Running ACS 5.3, I have a Wireless Access policy that authenticates wireless users either by mac address, AD user name or computer name, depending on what AD groups the accounts belong to.  My Network Authorization policy has rules because only certain groups should access certain SSIDs.
    I am trying to get the Guest authentication portal to accept and authenticate AD users belonging to a certain group, but I run into 15039 Selected Authorization Profile is DenyAccess
    Somewhere for some reason my authorization policy is denying access. 
    Needing some assistance in troubleshooting these rules.

    You have to change the Group Map Attribute to "member" and authorization  will work.

  • Users cannot authenticate

    Hello
    I recently had a lot of errors on two ML servers acting as OD Master/Replica, so decided to reinstall from scratch. One is running OS X 10.8.2, the other 10.8. Both are vanilla installs (going so far as to recreate the RAID), and both have the latest version of server.app installed.
    Network users cannot authenticate.
    Running slapconfig -ver gives the following errors on both machines:
    bubbles:~ administrator$ sudo slapconfig -ver
    2012-11-27 20:17:31 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
    2012-11-27 20:17:31 +0000 Error execing slapcat: 50b51fdb /etc/openldap/slapd_macosxserver.conf: line 303: unknown directive <TLSCertificatePassphrase> inside backend database definition.
              slapcat: bad configuration file!
    LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2
    Obviously ou=macosxodconfig,cn=config,dc=test249,dc=home is wrong, but I don't know where this setting is held to correct it to ou=macosxodconfig,cn=config,dc=server,dc=domain,dc=tld
    Opening slapd_macosxserver.conf shows the last four lines to be:
    TLSCertificateFile      /etc/certificates/server.mydomain.LONGHASH.cert.pem
    TLSCACertificateFile    /etc/certificates/server.mydomain.LONGHASH.chain.pem
    TLSCertificateKeyFile   /etc/certificates/server.mydomain.LONGHASH.key.pem
    TLSCertificatePassphrase        "Mac OS X Server certificate management.LONGHASH"
    I can 'fix' the second error by commenting out that last line. But that just results in a new and exciting error:
    bubbles:~ administrator$ sudo slapconfig -ver
    2012-11-27 20:43:00 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
    2012-11-27 20:43:00 +0000 Error execing slapcat: slapcat: slap_init no backend for "ou=macosxodconfig,cn=config,dc=test249,dc=home"
    LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2

    Hi
    I get the same error but authentication still works.
    Are you sure that the recovery of your password worked?
    In case I have this issue I can only authenticate as a local user, not as an Open Directory user.
    This user must have admin rights to use sudo, afaik.
    But it is interesting that my error comes on line 302 and yours on line 303.
    Below I have attached the auth part from my /etc/openldap/slapd_macosxserver.conf
    Check for any difference.
    macmini:~] user% sudo slaptest -f /private/etc/openldap/slapd.conf -v
    Password:
    52054639 /etc/openldap/slapd_macosxserver.conf: line 302: unknown directive <TLSCertificatePassphrase> inside backend database definition.
    slaptest: bad configuration file!
    # authdata database definitions
    database        bdb
    suffix          "cn=authdata"
    rootdn          "uid=root,cn=users,dc=macmini,dc=domain,dc=TL"
    directory       "/var/db/openldap/authdata"
    checkpoint      128 1
    index           default eq
    index           objectClass eq
    index           authGUID eq
    index           entryUUID eq
    index           entryCSN eq
    index           draft-krbPrincipalAliases eq
    index           draft-krbPrincipalName eq
    timelimit 60
    idletimeout 300
    cachesize       20000
    idlcachesize    10000
    sizelimit size.pr=11000 size.prtotal=unlimited
    #limits          set="computer/cn & [cn=com.apple.opendirectory.group,cn=computer_groups,dc=macmini,dc=domain,dc=TL ]/memberUid" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
    access to *
                    by dn.exact="uid=_ldap_replicator,cn=users,dc=macmini,dc=domain,dc=TL" write
                    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    TLSCertificateFile      /etc/certificates/macmini.D5473ED3099C09ACE59C2944EA9FDDFC024DC07.cert.pem
    TLSCertificateKeyFile   /etc/certificates/macmini.D5473ED3099C09ACE59C2944EA9FDDFC024DC07.key.pem
    TLSCertificatePassphrase        "Mac OS X Server certificate management.D5473ED3099C09ACE59C2944EA9FDDFC024DC07"
    TLSCACertificateFile    /etc/certificates/macmini.D5473ED3099C09ACE59C2944EA9FDDFC024DC07.chain.pem

  • Authenticate windows users via ACS

    Hi,
    Expert insight required for Cisco ACS: is it possible to authenticate Windows users via ACS and apply ACL policies on network devices?
    I would appreciate valued inputs.
    Regards,

    Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
    Seems you are looking for DACL. Here is a document that can help you to understand the same
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
    Let me know if you need any further help.
    Jatin Katyal
    - Do rate helpful posts -

  • Org.jboss.mq.SpyJMSException: Cannot authenticate user;

    JBoss 3.2.1 (also seeing the same problem on 3.2.5)
    Java 1.4.1_05
    The following Exception is thrown when a client (external to my firewall) attempts to createTopicConnection():
    org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (java.net.ConnectException: Connection timed out: connect)
    When I used a packet sniffer on a client machine, I noticed the Client was trying to connect on the server's internal IP address, which obviously is an unresolvable address to external clients.
    Where should I configure JBoss to force the client to create connections on the external address?
    After some research, I have seen one suggestion:
    run.bat --host=<your-host-or-ip-address>
    which has not helped me.
    Of course, clients within my firewall have no problems.
    Any suggestions?
    Regards,
    AE

    HI
    I have the same problem, so please tell me how to solve it if you have worked it out.

  • How can I authenticate users against a WAS system from third-party app?

    We are looking at developing a third-party standalone web application e.g. in Rails (but it could be on any framework for that matter).
    How would we go about authenticating users against a SAP WAS backend? Are there some standard web services for this? What other means are there for authentication?
    Kind Regards,
    Martin

    From the comment in SUSR_LOGIN_CHECK_RFC you just need to pass user name and it will return if user can still log on. Only your system will know credentials for this user so an attacker won't be able to use this service for cracking passwords.
    This FM is in the same function group as:
    CREATE_RFC_REENTRANCE_TICKET
    SUSR_CHECK_LOGON_DATA
    SUSR_DELETE_OWN_PASSWORD
    SUSR_GENERATE_PASSWORD
    SUSR_GET_ADMIN_USER_LOGIN_INFO
    SUSR_GET_X509CERT_MAPPING_LIST
    SUSR_LOGIN_CHECK_RFC
    SUSR_USER_CHANGE_PASSWORD_RFC
    SUSR_USER_EXTID_DEL
    SUSR_USER_EXTID_GET
    SUSR_USER_EXTID_GET_ALL
    SUSR_USER_EXTID_LOOKUP
    SUSR_USER_EXTID_RENAME
    SUSR_USER_EXTID_SET
    SUSR_USER_EXTID_SET_ALL
    SUSR_USER_FROM_CERTIFICATE_RFC
    SUSR_USER_SETEXTID
    You would need to ensure that only the service exposing the "login check" can be called, and not the FM's in the group.
    BTW: SAP Java WAS can provide SAML 2.0 assertions (technically a component shipped with IdM, but you don't have to use the rest of the IdM if you don't want to..). If your applications are all web enabled ones (WDA?) then that is an option to consider, which is also strategically supported.
    SSO2 Logon tickets are not really a strategy anymore... and installing a double-stack system on all ECC systems just to have SAML is not strategic either..
    I have heard several wishes for SAML authentication for SAPGui, but not seen anything official yet in that direction.
    Cheers,
    Julius

  • Authenticate Users against external RADIUS-Server

    Hi,
    I have some users in the local LDAP database of a 10.5 Server.
    Is there a way to store their passwords on an external RADIUS-Server?
    Thank you very much,
    macservo

    CryptoCard does this.
    We use it at one customer for L2TP VPN authentication.
    This way the VPN user gets a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
    You then have to authenticate to any service you want to use (Kerberos?).
    We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
    Maybe it's possible to use it for Ethernet/Wireless 802.1X authentication too?
    For just AFP server auth I don't know.

  • Messages (Jabber) Refuses to Authenticate AD Users after 10.9.2/Server 3.0.3 update

    Once again, an update appears to have broken Messages/Jabber's ability to authenticate AD users after the 10.9.2/Server 3.0.3 update even though it was working well before. Hoping someone here has some ideas for how to help!
    I can log in just fine as a local user (e.g. [email protected]), but no luck with AD users (e.g. [email protected]). As always, it fails with no intelligible error message whatsoever:
    Mar  1 09:46:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] connect
    Mar  1 09:46:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58658] disconnect jid=unbound, packets: 0
    Mar  1 09:48:00 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] connect
    Mar  1 09:48:01 comet.ADdomain.private jabberd/c2s[604]: [9] [::ffff:76.24.227.229, port=58667] disconnect jid=unbound, packets: 0
    I reset the jabber server configuration as described here to no avail: https://discussions.apple.com/thread/5354428
    The DNS configuration looks good:
    changeip -checkhostname
    Primary address     = 10.0.17.15
    Current HostName    = comet.ADdomain.private
    DNS HostName        = comet.ADdomain.private
    The names match. There is nothing to change.
    dirserv:success = "success"
    The Jabber status from jabber:
    serveradmin fullstatus jabber
    jabber:state = "RUNNING"
    jabber:roomsState = "RUNNING"
    jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
    jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
    jabber:logPaths:JABBER_LOG = "/var/log/system.log"
    jabber:proxyState = "RUNNING"
    jabber:currentConnections = "0"
    jabber:currentConnectionsPort1 = "0"
    jabber:currentConnectionsPort2 = "0"
    jabber:pluginVersion = "10.8.211"
    jabber:servicePortsAreRestricted = "NO"
    jabber:servicePortsRestrictionInfo = _empty_array
    jabber:hostsCommaDelimitedString = "comet.ADdomain.private"
    jabber:hosts:_array_index:0 = "comet.ADdomain.private"
    jabber:setStateVersion = 1
    jabber:startedTime = "2014-03-01 17:39:06 +0000"
    jabber:readWriteSettingsVersion = 1
    Full jabber server startup log:
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: waiting for jabberd to finish startup...
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: loaded user table (1 users)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/router[1785]: couldn't open filter file /etc/jabberd/router-filter.xml: No such file or directory
    Mar  1 09:52:19 comet.ADdomain.private servermgrd[180]: servermgr_jabber[N]: jabberd service startup completed.
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/s2s[1787]: starting up (interval=60, queue=60, keepalive=0, idle=86400)
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: starting up
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:19 comet.ADdomain.private jabberd/c2s[1786]: initialized auth module 'apple_od'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: initialised storage driver 'sqlite'
    Mar  1 09:52:19 comet.ADdomain.private jabberd/sm[1784]: modules search path: /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd/modules
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'sess-end' (order 0 index 0 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-sess' (order 0 index 1 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-sess' (order 1 index 2 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'in-sess' (order 2 index 3 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=5347] listening for incoming connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [comet.ADdomain.private] configured; realm=comet.ADdomain.private, registration disabled, using PEM:/etc/certificates/mail.ADdomainbio.com.E41BBC081993E348B26181D9CB334A28137A8D8D.concat.pem
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49353] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [c2s] online (bound to 127.0.0.1, port 49353)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5222] listening for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: [::, port=5223] listening for SSL connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/c2s[1786]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'in-sess' (order 3 index 4 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49354] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'in-sess' (order 4 index 5 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] set as default route
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [s2s] online (bound to 127.0.0.1, port 49354)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/s2s[1787]: ready for connections
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'in-sess' (order 5 index 6 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'in-sess' (order 6 index 7 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Starting up...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Loading persistent rooms from disk...
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Finished loading rooms from disk
    Mar  1 09:52:20 comet.ADdomain.private Rooms[1792]: Connecting to XMPP server at 'comet.ADdomain.private' as 'rooms.comet.ADdomain.private'...
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'in-sess' (order 7 index 8 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'in-sess' (order 8 index 9 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'in-sess' (order 9 index 10 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'in-sess' (order 10 index 11 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-sess' (order 11 index 12 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'in-sess' (order 12 index 13 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'in-router' (order 0 index 14 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'validate' added to chain 'in-router' (order 1 index 1 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'in-router' (order 2 index 12 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'in-router' (order 3 index 2 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'out-router' (order 0 index 2 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-sm' (order 0 index 0 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-ping' added to chain 'pkt-sm' (order 1 index 6 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-time' added to chain 'pkt-sm' (order 2 index 15 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'pkt-sm' (order 3 index 16 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-sm' (order 4 index 9 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-sm' (order 5 index 8 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'pkt-sm' (order 6 index 11 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'pkt-sm' (order 7 index 17 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'echo' added to chain 'pkt-sm' (order 8 index 18 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-sm' (order 9 index 12 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'pkt-user' (order 0 index 3 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'presence' added to chain 'pkt-user' (order 1 index 12 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'pkt-user' (order 2 index 5 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'amp' added to chain 'pkt-user' (order 3 index 9 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'deliver' added to chain 'pkt-user' (order 4 index 13 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'pkt-user' (order 5 index 4 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'pkt-user' (order 6 index 10 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'pkt-user' (order 7 index 0 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'session' added to chain 'pkt-router' (order 0 index 14 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'disco' added to chain 'pkt-router' (order 1 index 8 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-load' (order 0 index 19 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'autobuddy' added to chain 'user-load' (order 1 index 20 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-load' (order 2 index 3 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster-publish' added to chain 'user-load' (order 3 index 21 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-load' (order 4 index 2 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-load' (order 5 index 4 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-create' (order 0 index 19 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'template-roster' added to chain 'user-create' (order 1 index 22 seq 0)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'active' added to chain 'user-delete' (order 0 index 19 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'announce' added to chain 'user-delete' (order 1 index 11 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'offline' added to chain 'user-delete' (order 2 index 10 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'privacy' added to chain 'user-delete' (order 3 index 2 seq 4)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'roster' added to chain 'user-delete' (order 4 index 3 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'vacation' added to chain 'user-delete' (order 5 index 4 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-last' added to chain 'user-delete' (order 6 index 0 seq 3)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-private' added to chain 'user-delete' (order 7 index 7 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-vcard' added to chain 'user-delete' (order 8 index 5 seq 2)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'iq-version' added to chain 'disco-extend' (order 0 index 16 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: module 'help' added to chain 'disco-extend' (order 1 index 17 seq 1)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: version: jabberd sm 2.2.17-409
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: [comet.ADdomain.private] configured
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: attempting connection to router at 127.0.0.1, port=5347
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] connect
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49355] authenticated as jabberd
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: connection to router established
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [sm] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:20 comet.ADdomain.private jabberd/sm[1784]: sm ready for sessions
    Mar  1 09:52:20 comet.ADdomain.private jabberd/router[1785]: [comet.ADdomain.private] online (bound to 127.0.0.1, port 49355)
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] connect
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49356] authenticated as proxy65.comet.ADdomain.private
    Mar  1 09:52:22 comet.ADdomain.private jabberd/router[1785]: [proxy65.comet.ADdomain.private] online (bound to 127.0.0.1, port 49356)
    Mar  1 09:52:23 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] connect
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [127.0.0.1, port=49357] authenticated as rooms.comet.ADdomain.private
    Mar  1 09:52:24 comet.ADdomain.private jabberd/router[1785]: [rooms.comet.ADdomain.private] online (bound to 127.0.0.1, port 49357)
    Mar  1 09:52:24 comet.ADdomain.private Rooms[1792]: Successfully connected to XMPP server, ready for activity
    I am not sure if it's attempting to authenticate to AD or not, and if so, why it might be failing. Any suggestions would be greatly appreciated!

    uscadvit wrote:
    Here is the output without the name of our AD:
    Advanced Options - User Experience
      Create mobile account at login = Disabled
         Require confirmation        = Enabled
      Force home to startup disk     = Enabled
         Mount home as sharepoint    = Enabled
      Use Windows UNC path for home  = Enabled
         Network protocol to be used = smb
      Default user Shell             = /bin/bash
    Advanced Options - Mappings
      Mapping UID to attribute       = not set
      Mapping user GID to attribute  = not set
      Mapping group GID to attribute = not set
      Generate Kerberos authority    = Enabled
    Advanced Options - Administrative
      Preferred Domain controller    = not set
      Allowed admin groups           = not set
      Authentication from any domain = Enabled
      Packet signing                 = allow
      Packet encryption              = allow
      Password change interval       = 14
      Restrict Dynamic DNS updates   = not set
      Namespace mode                 = domain
    That looks correct. Let's collect a few more config items.
    Copy / paste the output of this command when run against c2s.xml:
    sudo grep '<id require-starttls="true" pemfile="' /Library/Server/Messages/Config/jabberd/c2s.xml
    Ours looks like this:
    <id require-starttls="true" pemfile="/etc/certificates/chat.example.com.1234567890.concat.pem" private-key-password="12345678-1234-1234-12345678" cachain="/etc/certificates/chat.example.com.1234567890.chain.pem" realm="example.com">example.com</id>
    Copy / paste the output of this command when run against sm.xml. To give us context, it will display the 6 lines above and below the text:
    sudo grep -C 6 'If not set, the SM id is used. -->' /Library/Server/Messages/Config/jabberd/sm.xml
    Ours looks like this:
    <!-- Local network configuration -->
    <local>
        <!-- Who we identify ourselves as.
             Users will have this as the domain part of their JID.
             If you want your server to be accessible from other
             Jabber servers, this IDs must be FQDN resolvable by DNSes.
             If not set, the SM id is used. -->
        <id>example.com</id>
        <!--
        <id>vhost1.localdomain</id>
        <id>vhost2.localdomain</id>
        -->
    </local>
    Copy / paste the output of this command:
    sudo serveradmin settings jabber
    Ours looks like this:
    jabber:dataLocation = "/Library/Server/Messages"
    jabber:s2sRestrictDomains = no
    jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
    jabber:sslCAFile = "/etc/certificates/chat.example.com.1234567890.chain.pem"
    jabber:jabberdClientPortTLS = 5222
    jabber:sslKeyFile = "/etc/certificates/chat.example.com.1234567890.concat.pem"
    jabber:initialized = yes
    jabber:enableXMPP = no
    jabber:savedChatsArchiveInterval = 7
    jabber:authLevel = "STANDARD"
    jabber:hostsCommaDelimitedString = "example.com"
    jabber:jabberdClientPortSSL = 5223
    jabber:requireSecureS2S = no
    jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
    jabber:enableSavedChats = no
    jabber:enableAutoBuddy = yes
    jabber:s2sAllowedDomains = _empty_array
    jabber:logLevel = "ALL"
    jabber:hosts:_array_index:0 = "example.com"
    jabber:eventLogArchiveInterval = 7
    jabber:jabberdS2SPort = 0
    Also, while you're troubleshooting, I found Adium's debug window to be invaluable for showing errors during logon (even if you plan to use Messages).
    You can open it in debug mode by holding Option while clicking Adium.app and selecting "Start in debug mode". Then go to the Adium menu > Debug Window.
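An added example, not code from this thread: a small shell checker for the items the reply asks you to collect. It reads the c2s.xml `<id require-starttls="true" ...>` line, confirms its `realm` matches the first `<id>` inside `<local>` in sm.xml, and confirms the `pemfile` path is readable. The function names are mine, and the c2s.xml/sm.xml files it runs against are constructed stand-ins written to a temp directory; on a real server you would point it at the paths quoted in the reply.

```shell
# Added example, not from the thread. Cross-checks the items the reply asks for:
# the c2s realm, the sm <id>, and the pemfile path. Sample files are constructed.
# Print attribute $1 from the first line of file $2 matching pattern $3.
xml_attr() {
    grep "$3" "$2" | head -n 1 | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}
# check_jabberd_config C2S_XML SM_XML
# Returns 0 when the c2s realm equals the sm <id> and the pemfile is readable.
check_jabberd_config() {
    c2s="$1"; sm="$2"; rc=0
    realm=$(xml_attr realm "$c2s" 'require-starttls="true"')
    pemfile=$(xml_attr pemfile "$c2s" 'require-starttls="true"')
    # First <id> inside <local>; grep -o copes with the block collapsed on one line.
    sm_id=$(sed -n '/<local>/,/<\/local>/p' "$sm" | grep -o '<id>[^<]*</id>' \
            | head -n 1 | sed 's/<[^>]*>//g')
    printf 'c2s realm=%s  sm id=%s  pemfile=%s\n' "$realm" "$sm_id" "$pemfile"
    if [ -z "$realm" ] || [ "$realm" != "$sm_id" ]; then
        echo "MISMATCH: c2s realm '$realm' differs from sm <id> '$sm_id'"
        rc=1
    fi
    if [ ! -r "$pemfile" ]; then
        echo "MISSING: pemfile '$pemfile' is not readable, so c2s cannot offer STARTTLS"
        rc=1
    fi
    return $rc
}
# demo_setup SM_ID: write constructed c2s.xml/sm.xml (realm fixed to example.com)
# plus an empty stand-in pemfile into a temp dir and print the dir name.
demo_setup() {
    dir=$(mktemp -d)
    : > "$dir/chat.example.com.concat.pem"
    cat > "$dir/c2s.xml" <<EOF
<id require-starttls="true" pemfile="$dir/chat.example.com.concat.pem" realm="example.com">example.com</id>
EOF
    cat > "$dir/sm.xml" <<EOF
<local>
    <!-- If not set, the SM id is used. -->
    <id>$1</id>
</local>
EOF
    echo "$dir"
}
# Stand-alone demo: matching realm/id passes, a mismatched sm <id> fails.
d=$(demo_setup example.com) && check_jabberd_config "$d/c2s.xml" "$d/sm.xml"
d=$(demo_setup comet.ADdomain.private) && \
    check_jabberd_config "$d/c2s.xml" "$d/sm.xml" || echo "(expected failure above)"
```

A non-zero exit from the checker means clients will be told one realm while the session manager serves another, or c2s has no certificate bundle to load; either condition shows up as failed logins in the jabberd log rather than as an AD authentication error.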
