ACS SE 4.2, 802.1x and certificates for machine authentication
I'm trying to figure out how to put this lot together, but I don't know enough about ACS when used with an external CA.
What I want to get working is:
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query the PC, handing this off to ACS; that bit I'm OK with. The ACS needs to query the CA server to authenticate the PC, and it's this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32-bit only.
Is this correct? If so, how do I get ACS SE to communicate with a 64-bit 2008 CA server?
Hi Bernhard,
That answers my questions. Having never worked with AD, CA and LDAP etc. I didn't realise that you could assign attributes at a user (machine in my case) level, although it makes perfect sense when you indicated that, as LDAP is a method of supporting user accounts, right?
I suppose in that case I'll be able to assign an attribute through LDAP, which ACS will use to map that account/machine to a specific VLAN. The attribute value will be used to represent the VLAN mapping.
What component in ACS do I use to match against attributes? I don’t see anything in the NAP, NAF or RAC sections about this.
As an alternative, your reply prompted me to look at the ACS User Group mapping section, it describes mapping a windows group to an ACS group, which may also be a solution, although not as flexible as being able to match on an LDAP attribute associated with the machine accounts.
Reading through this it seems this is an area where the SE and Windows based ACS platforms differ, I'm using SE.
Andy
Similar Messages
-
What is the option client certificate for user authentication used for?
Hi All,
I have to work on a FTPS - XI -SAP scenario.
I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
P.S.: I went through SAP help but couldn't quite understand. Thanks a lot, Mark.
So for a FTPS -> XI -> SAP scenario the following settings are required.
1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
2. I have to hand over the public key to the FTPS server, and this key will be used for encryption of the file.
The above 2 steps are mandatory.
If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
Will this certificate be used for encryption?
To make it clear let me put it this way. The certificate created in the XI Server is used for encryption and also for ascertaining that it's what it claims to be.
The client's certificate option is used only to make sure that the client is what it's claiming to be, and this is not used for encryption? -
My App Store is not working after installing Mavericks. When I open the App Store it repeatedly asks me to log in with my Apple ID and to provide a user name and password for proxy authentication, in a loop. I am a newbie to Mac; please help me.
Hmmmm... would appear that you need to be actually logged in to enable the additional menu features.
Have you tried deleting the plists for MAS?
This page might help you out...
http://www.macobserver.com/tmo/answers/how_to_identify_and_fix_problems_with_the_mac_app_store
Failing that, I will have to throw this back to the forum to see if anyone else can advise further.
Let me know how you get on?
Thanks. -
NLB Unicast and certificate for the machine
Hello,
I have set up a two node nlb cluster, in unicast.
On the other hand, I have a GPO with which every computer in the network gets a
certificate from the CA, through auto enrollment.
I am new to NLB, but from what I gather, the CA machine won't be able to issue any certificate to either of the two NLB nodes, because the virtual IP replaces the actual IPs of the two machines? I am a bit confused.
Thanks in advance !!
Luis Olías, Systems Technician/Admin, Seville (Spain)
It's the MAC addresses that are (sort of) replaced, not the IP addresses. The two nodes of an NLB cluster can make outbound connections to a CA and other machines, and using the nodes' individual IP addresses each of them can still be contacted from other machines (in addition to using the cluster IP address).
The only thing that does not work is: With unicast the nodes cannot communicate with each other over the network that has the shared IP address but you could use an additional NIC if you need inter-node communication.
With multicast on the other hand there is a chance you run into this issue described here for Cisco routers (just have observed this myself); this article also gives an overview on how NLB works at the MAC address level.
Re CA and certificates: Note that autoenrolled certificates will contain the nodes' individual names retrieved from AD. If you need a certificate that includes the cluster name you have to issue this certificate manually.
Elke -
How to use digital certificate for client authentication in PCK
My SAP JCA adapter needs to support digital certificates for client authentication. How do I implement it in J2EE or PCK?
Message was edited by: Spring Tang
Refer to the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
Please let me know if you don't find relevant information. -
ISE and Microsoft AD machine authentication
Hello Security masters,
My goal is to perform a PEAP authentication against Microsoft AD with the machine credentials of the Windows PC.
The question is, what should my authorization policy look like? From my understanding I have different possibilities to solve this:
1.) Directly referencing to the AD group, where the computer objects are stored:
If "Any" and <AD-NAME>:ExternalGroups equals <DOMAIN>/COMPUTERS then PermitAccess
Drawback: If I have multiple subdomains or if the computer accounts are stored in different OUs or groups, I have to check all of them (multiple rules or compound conditions)
2.) Username checking
If "Any" and Network Access:UserName STARTS_WITH host\ then "PermitAccess"
I'm checking if the username starts with "host\", which is normally an indicator for a machine/computer account
3.) Attribute checking
If "Any" and <AD-NAME>:servicePrincipalName STARTS_WITH host\ then "PermitAccess"
I'm checking the value of the "servicePrincipalName" attribute in AD. Normally only computers have this attribute and the value is "host\<PC-NAME>".
Is one of these three approaches the right way to do it, or am I doing it completely wrong?
Is there a best-practice approach to do this? How did you guys solve this?
Best regards and thank you in advance
Johannes
Hi Neno,
thank you for your answer.
There are multiple domains in the forest and the computer / machine accounts are in multiple groups.
So a trust relationship is not enough to reach the goal. In the ISE you have to add all these groups to the ISE search index in the External Identity Sources - AD settings. Plus you'll have to check for all these groups in the authorization policy (either manually or with a compound condition).
Is that right? -
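An added example, not code from either thread: a small policy evaluator that implements the three ISE rule styles Johannes lists (AD computer group, User-Name prefix, servicePrincipalName prefix) as a first-match rule table, and, when a rule permits, emits the RFC 3580 tunnel attributes that map an LDAP attribute to a VLAN as discussed in the opening ACS thread. All identities, group names, the `vlan_attr` LDAP attribute and the VLAN ids are constructed sample data.

```python
"""First-match authorization over the attributes a RADIUS server sees after a
machine authentication.  All sample identities below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Windows supplicants present the machine identity as host/<computer FQDN>;
# the post spells the prefix "host\".  Set this to what your RADIUS logs show.
MACHINE_PREFIX = "host/"

# RFC 3580 attributes returned to put an 802.1X port into a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Session:
    """What ISE/ACS knows about the endpoint once PEAP/EAP-TLS has succeeded."""
    username: str                                              # RADIUS User-Name
    external_groups: List[str] = field(default_factory=list)   # AD groups
    service_principal_name: List[str] = field(default_factory=list)
    vlan_attr: Optional[str] = None   # hypothetical LDAP attribute holding the VLAN id


def rule_group(s: Session, computer_groups: List[str]) -> bool:
    """Style 1: account is in a listed computer group.  Every sub-domain's group
    must be listed here, which is the drawback the post points out."""
    have = {g.lower() for g in s.external_groups}
    return any(g.lower() in have for g in computer_groups)


def rule_username(s: Session) -> bool:
    """Style 2: the presented identity starts with the machine prefix."""
    return s.username.lower().startswith(MACHINE_PREFIX)


def rule_spn(s: Session) -> bool:
    """Style 3: the AD object carries a HOST/ servicePrincipalName (AD stores
    the prefix upper-case, so compare case-insensitively)."""
    return any(spn.lower().startswith(MACHINE_PREFIX) for spn in s.service_principal_name)


def vlan_attributes(vlan_id: str) -> Dict[str, object]:
    """RADIUS attributes that place the authenticated machine in vlan_id."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": vlan_id}


def authorize(s: Session, computer_groups: List[str]
              ) -> Tuple[str, Optional[str], Dict[str, object]]:
    """Evaluate the rules top-down; the first hit wins, as in an ISE rule table.
    Returns (result, matched_rule, radius_attrs)."""
    checks = (("group", rule_group(s, computer_groups)),
              ("username", rule_username(s)),
              ("spn", rule_spn(s)))
    for name, hit in checks:
        if hit:
            attrs = vlan_attributes(s.vlan_attr) if s.vlan_attr else {}
            return "PermitAccess", name, attrs
    return "DenyAccess", None, {}


if __name__ == "__main__":
    groups = ["corp.example.com/Users/Domain Computers"]   # constructed
    pc = Session("host/pc1.corp.example.com", groups, ["HOST/PC1"], vlan_attr="20")
    print(authorize(pc, groups))
```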
This may be a bit off topic but I am struggling trying to get some answers out of HP.
We have some HP iPAQ 5450/5550's all running Windows Mobile 2003 - to use 802.1x Authentication with PEAP or TLS-EAP we need certificates installing on the PocketPCs. We have a Windows 2000 Active-Directory integrated Certificate Authority that publishes certificates to W2K machines OK - initially HP didn't include any way of importing Certificates but have released the SDK Certificate Enrolment Tool (enroll.exe). We have tried for several days to get a certificate but to no avail and we are struggling to find any information out. Has anyone on here managed this? If so how?
Thanks
Andy
Obviously the Windows CE devices can't be 'members' of the domain as they would need W2K to do that (create a computer account etc.). The enrollment tool is available from HP's website (software & drivers etc.). Once I installed the enroll.exe tool I modified the enroll.cfg file to request a 'computer' certificate from my CA; this is now installed and appears in 'Settings, System, Certificates'. I have yet to actually test this with a Cisco AP as I just can't get my hands on one.......
Andy -
Connecting laptops to wireless APs using RADIUS 802.1x and certificates set-up questions
I am working at a small school with 25 laptops for a mobile cart. We upgraded to new dual radio APs and I want to set up the laptops to connect to the APs and validate user credentials at logon. The person before me made a generic username "Student" on each laptop locally so they could start the laptop and then connect to the wireless with a password. This is less than ideal for many reasons.
I have configured NPS on the server and on the AP. When I login locally and then select the AP I am prompted for credentials and can log in. On NPS's event log I can see it granting full access. At that point I do not have internet access, which is going to be a vendor call. I can ping 8.8.8.8 successfully but not the local.domain.org address, nor the server IP 192.168.25.5 which is also the DNS server. I am thinking that there is a NAT issue there.
When I try to login to the laptops with my AD credentials it is not connected to the AP yet and tells me there is no logon server available.
Is that where the certificates should be used at computer/machine level?
I want to get this set up correctly, so anyone who has done this and has some advice for best practice would be greatly appreciated!
Hi,
According to your description, we can ping 8.8.8.8 successfully. It means that we have connected to the network.
Since we can't resolve the domain name, it should be a DNS issue. As you have mentioned, the DNS server is unavailable. Please check if there is something wrong with the DNS server.
If we want the client to connect to the AP before implementing AD authentication, we need to enable single sign-on. For detailed information, please refer to the link below:
http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx
Best Regards.
Steven Lee
TechNet Community Support -
How to set up Windows with Reader and certificate for all users
Good afternoon (GMT),
we're dealing with a Win XP (SP3) system that is set up by an Administrator. One task is to set up the system in a way that all users (w/o admin rights) become able to read a certified-protected PDF. Currently we know a way to install the "public key" for this certificate only for one known user. But how to proceed when not all users are known? The users shall later on never be asked to confirm the certification installation/registration.
If it helps, here is the software version:
Acrobat 8.12 to encrypt the PDF via certification. In near future I will switch to Acrobat 9.x
Reader 7.x and/or 8.x on customer PCs.
Thank you for ideas and hints.
BTW: Next time we want to provide a solution for Win7 systems, too.
Carsten
Check
Time Zone Specification from http://docs.oracle.com/cd/E12844_01/doc/bip.1013/e12187/T421739T481157.htm#4535403
just in case https://blogs.oracle.com/xmlpublisher/entry/how_to_keep_your_dates_from_go -
Multiple signatures (and certificates) for one user
I’m using Adobe 8 Standard.
I need two signatures with the same name but with two separate and distinct companies (old and new). Thus, I would like two separate and distinct signatures to be associated with two certificates (old and new respectively). I was able to create a second "new" signature and a second "new" certificate. However, when I sign with the second "new" signature, the signature's properties show the first "old" certificate.
Can this be fixed?
*Couldn't see the forest for the trees ... select the appropriate certificate at the top of the Sign Document dialogue box ... duuhhh!!!!
-
Replacing SSL keys and certificates for already defined services
I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?
The "clear file filename "password"" command will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
Please check if the URL below could help:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153 -
How can i specify a specific certificate for client authentication
hi all,
I'm currently using a PKCS#11 smartcard device to authenticate against a directory server from Java.
Everything works perfectly when using cards with the authentication certificate as the first in the keystore.
Unfortunately the cards I need to handle can have either auth or sign as the first certificate.
Is there a way to select explicitly which certificate to present during the SSL handshake?
Thanks a lot in advance
Look into the following:
-- page protect property of the repeating frame
-- Maximum number of records per page property -
IMQ 2.0 and LDAP for user authentication
Using the notes at http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
I set up an LDAP with iMQ. The LDAP works OK for storing topics, connection factories, etc. from jmqadmin.
The LDAP also now contains the 2 users as outlined in article 7772 - admin and guest.
The broker starts up OK, but when I try to use
jmqcmd query bkr -b localhost:7844 -u admin -p admin
this is what I get:
ERROR [B3018]: Unable to run the service admin, the broker will no longer accept connections on this service:
com.sun.messaging.jmq.jmsserver.util.BrokerException: [B4077]: Undefined authentication type basic
at com.sun.messaging.jmq.jmsserver.auth.AccessController.init(AccessController.java:99)
at com.sun.messaging.jmq.jmsserver.auth.AccessController.loadProps(AccessController.java:251)
at com.sun.messaging.jmq.jmsserver.auth.AccessController.getInstance(AccessController.java:206)
at com.sun.messaging.jmq.jmsserver.service.Connection.<init>(Connection.java:144)
at com.sun.messaging.jmq.jmsserver.service.standard.StandardConnection.<init>(StandardConnection.java:49)
at com.sun.messaging.jmq.jmsserver.service.standard.StandardService.run(StandardService.java:547)
at java.lang.Thread.run(Thread.java:484)
It's likely caused by a trailing space after 'basic' in the configuration:
imq.authentication.type=basic
This has been fixed in MQ 3.0. -
Glassfish 3.1.2 configuration Client Certificate for Mutual Authentication
Hi
I need help in configuring GF 3.1.2. I have done the following changes; please do let me know if I am missing anything important, as after the changes it is not working.
My id is [email protected]
I could not find any particular thread or answers in the forum; if any link is there it will be helpful.
If you have any document for this please forward.
Please do the needful.
App Web.xml
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/faces/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>authorized</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>authorized</role-name>
</security-role>
sun-web.xml
<security-role-mapping>
<role-name>authorized</role-name>
<principal-name>admin</principal-name>
<group-name>authorized</group-name>
</security-role-mapping>
Domain.xml
<security-service>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
<property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="file">
<property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"></property>
<property name="jaas-context" value="fileRealm"></property>
</auth-realm>
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"></property>
</auth-realm>
Hi,
Maybe the links below will be helpful.
Check the following links... you will get all the information about the securities...
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Also find some information in these links:
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
Step by step guide for SSL security
step by step guide to implement SSL
Please go through the links below for reference (the above information is from these links):
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Regarding message level you can encrypt the message using certificates.
For both of these the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
Generally if the scenarios are intra-company we don't use any transport level or message level security since the network is already secured.
Thanks
Swarup -
Apache and WebDB for Linux - AUTHENTICATION PROBLEM
I have WebDB on a Linux box (Red Hat 6) and I'd like to run Apache as interface to an Oracle 8i (Linux) database. I did all requested configuration tasks and it works, but it cannot connect to the Oracle database because it gets an authentication failure (it seems the browser posts a NULL value in the Userid and Password fields).
Can anyone help me please?
thanks
Fabrizio
We are testing WebDB for Linux and it's great!
More stable than NT/2K.
Install one DB Server, after it the WebDB.
Just download, rapidly read the install guide, and start to work.
We are trying now 9iAS. It's more complete than WebDB; in truth Oracle Portal (old WebDB) is now part of 9iAS.
Start using it !
Minoru.