ACS v5.1 - LDAP and PEAP

Similar Messages

• ACS 4.2.1 AND WINDOWS 7

  HI all,
             We are having some authentication issues with windows 7. The issue some windows 7 machine fails randomly. We are using ACS 4.2.1 MS-PEAP with machine authentication, every now and then a pc fails to authen. And the log always show that: External DB user invalid or bad password. And the user to whom the machine belongs always says that did not change their password! So the error message it clear, but as we are doing machine authentication can the machine change their password on their own? Or can group policy push a password change? Last week, I have the server guys to check for the log in the AD server, the log confirmed that was a password change prior the user try to authen.
  Has any one had experienced this?
  Thanks,
  Jean Paul---

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hello Jean,
  I am guessing that you are using 802.1x wireless.
  This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
  This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
  Please see links below that explain this situation.
  http://support.microsoft.com/kb/216393/en-us
  http://support.microsoft.com/kb/904943
  Hope this helps
  Erdelgad
  Cisco CSE

• Windows Mobile 5.0 and PEAP

  We have successfully configured a group of 1200 series access points to use PEAP. I have installed a puplic Thawte certificate on ACS and configured group policy in Active Directory to issue certificate and set wireless settings. All of this works great with XP. I am now trying a Dell Axim running Windows Mobile. This handheld uses the Odyssey client and has all the required PEAP settings. This device works fine if configured with LEAP. I am getting an error on ACS "EAP-TLS or PEAP authentication failed during SSL handshake" .Since this handhelp and OS is not a domain member how does the machine authentication take place? I have tried creating AD accounts that match the device name, I have tried creating local ACS users that match the device name and nothing seems to matter. I am also not clear how the handheld knows how to deal with the certificate from ACS. I purposely purchased and installed a certificate from a well known CA so that the trusted Roots would be in the handheld so we would not need to deal with importing Root certificates from our internal CA. Also I should say we are running ACS version 3.3 and the latest 1200AP firmware.
  Any help appreciated.
  Thanks

  Well an update on this issue. I am not able to get the PPC to connect with WPA and TKIP. It either get's and SSL handshake or fails machine authentication. The only way I can get this to work is to add a local account in ACS and supply the ACS username and password to get it to authenticate.
  I realize that the PPC or Windows mobile device cannot be a domain member therfor mapping to a machine name in Active Directory would be a challenge. Is there any way to get these devices to access a domain username and password? I have tried creating dummy domain account for the machine name but it does not seem to matter. I have also tried creating a dummy machine account in ACS but that does not work either. Does anybody have PPC or Windows Mobile devices authenticating using ACS and Active directory? Any help appreciated.

• ACS Wildcard Certificate Install for PEAP

  Does ACS support Wildcard certificate authentication, such as *.domain.com?  We installed the certificate through ACS using CA, but when using wireless devices, the certificate is still not verified.  Any information would be helpful before we go and purchase another certificate.  Thank you.

  Can someone validate whether wildcard certs are supported with ACS and PEAP, please.  I'm running into the same issue that Jason outlines above.  It seems that Windows clients specifically don't like the wildcard cert. I have tried with Mac and iPhone and they seem to work if you accept the cert into the keychain on first connect.

• OSX and PEAP machine authentication

  We are starting to get a few OSX users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
  The error we get in the RADIUS logs is:
  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  Thanks!

  If you configure PEAP MsChapv2 properly along with the client side, it will work and you will not get any type of error.  I run PEAP or EAP-TLS on customer environments with ACS, ISE, Microsoft Radius and other radius servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to setup the radius and the back end to work.
  Scott

• ACS 4.2 - LDAP TCP Keepalive

  Hello
  I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.
  When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).
  I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.
  Is there any possibility to enable Keepalives in ACS?
  Thanks in advance for any help!

  I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.
  Did you make any progress with your TAC case?
  Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
  # show tech-support | i ldap | i tcp
  ldap            389/tcp
  ldaps           636/tcp                         # LDAP over SSL
  tcp        0      0 exc2-acscor-1401:53892      acs.ldapunix.co:ldap ESTABLISHED
  tcp        0      0 exc2-acscor-1401:53893      acs.ldapunix.co:ldap ESTABLISHED
  tcp        0      0 exc2-acscor-1401:53890      acs.ldapunix.co:ldap ESTABLISHED
  tcp        0      0 exc2-acscor-1401:53891      acs.ldapunix.co:ldap ESTABLISHED
  tcp        0      0 exc2-acscor-1401:53889      acs.ldapunix..co:ldap ESTABLISHED
  Also try adjusting "Max. Admin Connections" for LDAP.
  From the admin guide:
  LDAP Connection Management
  ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
  ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
  If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
  After the authentication process is complete, the connection manager releases the connection to the connection manager.
  I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
  Cheers
  R.

• OD, LDAP and DNS

  I am new to LDAP and I believe I have everything setup correctly on the server (everything under Open Directory in SA says "Running", logs don't show any errors). However, I can not access the LDAP server from a client machine using Directory Access. I suspect that client machines still can not "see" my LDAP server.
  I believe the issue may be with DNS and I am trying to understand the interaction between DNS and OD, etc. First off, I do not have DNS turned on for my Mac OS X Server since my ISP has always hosted our DNS. Is this a problem? Do I need DNS activated on the same server that I am running this LDAP server? I have tried entering the IP and DNS name on the client server using Directory Access and neither worked.

  The requirement is that references using your server's Fully Qualified Domain Name look up to its IP Address and its IP Address looks up to its Fully Qualified Domain Name. If your ISP does that for you, and does it correctly, Merry Christmas!
  All others must set up their own tiny DNS service to do the lookups. If you are behind an NAT firewall, you can Make Up whatever names you like and look them up locally, because they are invisible from the Internet.
  Remember that each workstation must have the address of the DNS available to it. It needs to be configured in the TCP/IP setup or dispensed via DHCP. If you use your own DNS (highly recommended) you must also dispense or configure the next upstream DNS (your ISP's DNS Address).
  "An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.
  Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.
  DNS must resolve the fully qualified DNS name and provide reverse lookups for the Open Directory master server, all replica servers, and other servers that are members of the Kerberos realm.
  You can use the Lookup pane of Network Utility (in /Applications/Utilities/) to do a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address.
  For instructions on setting up DNS service, browse Network Services Overview."
  -- from Server Admin 10.4 Help: Kerberos is Stopped on an Open Directory Master or Replica
  Message was edited by: Grant Bennet-Alder

• 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

  Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
  Everything was working fine under 10.6.4
  All users can no longer authenticate to server via mail or ldap logins
  LDAP and Kerberos Services stopped.
  Will downgrade from an open directory master to standalone then back to master again and post status...

  I think there is something with LDAP on 10.6.6
  I was forced to make clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
  It seems to be an issue on ldap ACL.
  Message was edited by: Xalio

• MAC OS and LDAP and Samba Server

  How can I make my Mac OS authenticate against LDAP and automatically map shared by a Samba server folders? (samba domain)? The idea is that any person who is registered in the database of LDAP can log into any Mac machine and automatically access the folders stored on the Samba server.

  Are you using TopLink 11g or TopLink Essentials?
  You seem to be wanting to use TopLink 11g, but you have the provider set to Essentials in your persistence.xml.
  <provider>oracle.toplink.essentials.PersistenceProvider</provider>
  Change this to,
  <provider>oracle.toplink.PersistenceProvider</provider>
  The sessions-xml properties are only supported with TopLink 11g.
  Note that currently in 11g when using a sessions-xml it must contain a project xml that completely defines the mappings. It will not merge with annotations nor defaults.

• LDAP and OID

  FYI: I am new to Oracle (<1 month), and new to APEX (<3 weeks) so forgive me if I am asking the obvious.
  I would like to have APEX authenticate against LDAP (active directory), and went about trying to set that up. Got all AD settings from our sys admin, and then tried them in the LDAP test tool. I kept getting " Authentication failed!" no matter what I did. Due to the detailed nature of that error message, I started trying to track down every possible avenue so I talked to one of our DBA's about DBMS_LDAP.SIMPLE_BIND_S. The answer I got back was that we don't have access to it because it is part of OIN which we would have to pay outrageous amounts of money for if we wanted to use it. Not likely to happen, so I was hoping that there was another way to authenticate APEX via LDAP.
  Any suggestions would be most helpful.

  John - DBMS_LDAP is not part of OID so you can use it as part of your existing database product installation. Search this forum for LDAP and AD and you'll find lots of discussions about what you are trying to do.
  Also, just to clarify, you're not trying to authenticate Application Express using AD, you'll be authenticating users to your application (essentially a PL/SQL application in the database) using account information stored in AD. The authentication code that gets executed will belong to your application.
  Scott

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• Cisco Secure ACS with UCP assistance and enable password

  I am running Cisco Secure ACS version 4.2 running on a
  Standalone Windows 2003 Enterprise 2003with the lastest
  windows service pack and update. Secure ACS is running
  fine and I can authenticate with Cisco routers and
  switches. The Windows 2003 server is also running Microsoft
  IIS Server. In other words, the IIS server and Cisco
  Secure ACS is running on the same windows 2003 server.
  I am trying to get Cisco User-Changeable password to work
  with Cisco Secure ACS. I followed the release notes lines
  by lines and the work around provided below:
  Also server require more privileges for the internal windows user that runs CSusercgi.exe.
  The name of the windows user that runs UCP is IUSR_<machine_name>.
  Workaround steps:
  1) Install UCP 4 on a machine that runs IIS server.
  2) Open IIS manager
  3) Locate Default Web Site
  4) Double click on the virtual name 'securecgi-bin'
  5) Right click on CSusercgi.exe and choose Properties
  6) Choose 'File Security' tab
  7) Choose 'Edit' in 'Authentication and access control' area
  8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
  password (make sure that 'Integrated Windows authentication' is checked)
  I still can NOT get this to work. I got this error:
  It says:
  The page cannot be found
  The page you are looking for might have been removed,
  had its name changed, or is temporarily unavailable.
  HTTP Error 404 - File or directory not found.
  Internet Information Services (IIS)
  I modified everything in the Windows 2003 to be "ALLOWED" by
  EVERYONE. In other words, there are NO security on the windows 2003.
  It is still NOT working.
  The other question I have is that can Cisco UCP allow user
  to change his/her enable password?
  Can someone help? Thanks.

  Yes bastien,
  Thank you.
  But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
  I've given it several time; also going through Administrator account with administrative credentials but it always failed.
  Any suggestions/solution/?
  This time many thanks in advance.
  Regards
  Mehdi Raza

• LDAP and SAP integration

  Hi,
  As a part of a project requirement, we are trying to integrate Solution manager with LDAP (Lightweight Directory Access Protocol).
  Using the directory service, we are trying to synchronize the CUA (Central user administration within Solution manager) with Active directory of LDAP so that we can maintain the User data centrally from a single point in LDAP.
  Problem description:
  Currently, Client has implemented the LDAP and CUA integration and when a new user is added in LDAP, it is automatically getting copied in all SAP systems and at real time, when the useru2019s u201CLASTNAMEu201D field is updated in LDAP, it is automatically getting synchronized in all SAP systems.
  But, If any attribute other than u201CLASTNAMEu201D is changed (i.e. The expiry /validity date of the User in LDAP, GLTGB in SAP), then the field value is not getting synchronized in the SAP Central User Adm.
  Our Findings:
  We have checked the configurations and imported mappings in SAP Solution Manager and everything looks fine. We have debugged the standard program RSLDAPSYNC_USER extensively and found out that an RFC call to function module LDAPRFC_SEARCH is not returning the expected values.
  Thanks
  Deb

  Hi Deb,
  It would be really nice if you can elaborate on the configurations that need to be done as part of this integration. I hope, you have been successfull by now.
  Actually, I too need to perform the same as part of a project.
  Thanks in advance.

• Hello, Identity manager fail to add entries in the LDAP and database table

  Hello,
  Well I installed identity manager 7 in a windows 2003 advanced server.
  I I appended an NT server resource, a Mysql table, a solaris server resource and an ldap server resource.
  I created the roles for these resources and then I assigned them to an account that I created for testing purposes.
  After the aprooval, in the solaris machine, the user has been added in the user database but no home directory has been created as I didn't set the apropriate flag to true.
  I the windows resource everything worked very smooth and with no problem.
  In the ldap and mysql table resources I recieved a failure having error message null. and from a sniffing that I did for investigation I never saw a sigle packed arrive to the mysql server or to the directory server from the idm server.
  Any ideas or suggestions on what to do ?

  Well the problem with the directory server just solved.
  But the problem with mysql remains.
  The first thing that I do when I add a resource is to test the connection.
  The problem with the LDAP is that the dn was not present in the directory server. They gave me an ou that didn't exist.

• Domino ldap and weblogic server 6.1

  Hi,
  I am trying to use domino ldap for authentication in weblogic server 6.1
  I configured a custom ldap realm.
  But the users were not listed from domino ldap and authentication also failed.
  Can anybody help me?
  Thanx in advance.
  - prabha.

  at the moment it is possible for me to work, though. i worked around the
  problem and i set web.xml as a read only file. i still can't use wizards to
  create servlets and i can't edit web.xml with jbuilder.