Authenticate users by Windows group using ACS

Currently we are using Windows IAS/RADIUS to authenticate users onto out wireless network and it is set to allow users in a certain Windows group to connect.
Is there a way to do this with ACS?
Please note that we are using ACS Solution Engine, not ACS for Windows.
Thanks.

Use Remote Agent for Windows user authentication feature or configure Windows AD as the LDAP on ACS SE.
then configure group mapping, and put the restrictions accordingly.
Regards,
Prem
Please rate if it helps!

Similar Messages

Add user to sharepoint group using REST API

I am trying to add a user to sharepoint group with following code
serviceUrl= Appweb + "/_api/SP.AppContextSite(@target)/web/sitegroups("+GroupId+")/users?@target='host web'";
$.ajax({
url: serviceUrl,
type: "POST",
contentType: "application/json; charset=utf-8",
dataType: 'json',
body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|'+email }",
headers: {"accept":"application/json;odata=verbose",
"content-type": "application/json;odata=verbose",
"X-RequestDigest":$("#__REQUESTDIGEST").val()
async: false,
success: function (data) {
alert('success');
error: function (data) {
alert('fail');
The request goes to error function. Response of the request is Microsoft.SharePoint.Client.InvalidClientQueryException and message is A node of type 'EndOfInput' was read from the JSON reader when trying to read the start of an entry. A 'StartObject' node was
expected
I tried the sample from following link but fail it
https://msdn.microsoft.com/en-us/library/office/dn531432.aspx

Hi,
Per my understanding, you might want to add an user to a SharePoint group in host web from a SharePoint Hosted App using REST API.
Here is a working demo for your reference:
var hostweburl;
var appweburl;
$(document).ready(function () {
//Get the URI decoded URLs.
hostweburl = decodeURIComponent(getQueryStringParameter("SPHostUrl"));
appweburl = decodeURIComponent(getQueryStringParameter("SPAppWebUrl"));
// Resources are in URLs in the form:
// web_url/_layouts/15/resource
var scriptbase = hostweburl + "/_layouts/15/";
// SP.RequestExecutor.js to make cross-domain requests
$.getScript(scriptbase + "SP.RequestExecutor.js", loadPage);
// Utilities
// Retrieve a query string value.
// For production purposes you may want to use a library to handle the query string.
function getQueryStringParameter(paramToRetrieve)
var params = document.URL.split("?")[1].split("&");
for (var i = 0; i < params.length; i = i + 1)
var singleParam = params[i].split("=");
if (singleParam[0] == paramToRetrieve) return singleParam[1];
function addUsersInGroup() {
var executor;
// Initialize the RequestExecutor with the app web URL.
executor = new SP.RequestExecutor(appweburl);
executor.executeAsync({
url: appweburl + "/_api/SP.AppContextSite(@target)/web/sitegroups(8)/users?@target='" + hostweburl + "'",
method: "POST",
contentType: "application/json; charset=utf-8",
dataType: 'json',
body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|[email protected]'}",
headers: {
"Accept": "application/json; odata=verbose",
"content-type": "application/json;odata=verbose",
"X-RequestDigest":$("#__REQUESTDIGEST").val()
success: addUsersInGroupSuccessHandler,
error: addUsersInGroupErrorHandler
function addUsersInGroupSuccessHandler(data)
console.log(data);
var jsonObject = JSON.parse(data.body);
console.log(jsonObject);
function addUsersInGroupErrorHandler(data)
console.log(data);
var jsonObject = JSON.parse(data.body);
console.log(jsonObject);
Thanks
Patrick Liang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected].

How can point single user to multiple groups in ACS

Hi,
we are having almost 150 NDG groups in my ACS Server, in that one group is specifically for Security devices like pix & ASA's.
Now My requirement is that i want to Restrict this Security NDG group to one Specific Group under Group setup menu in ACS.
is it possible in ACS Server.
If it possible how can i point multiple multiple groups to single user.
Because not all users required access to this Security NDG group. only few users require the access.

Give a read to how NAR works, then apply it to the security group on ACS.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
Prem
Please rate if it helps!

Unable to remove user from SharePoint Group using PowerShell

I am trying to remove a user from a SharePoint Group using PowerShell.
I can see the user in the Site Collection as part of the SharePoint Group, however, when I attempt to run the script, I get an error message stating "Can not find the user with ID: 10"
Below is the PowerShell script that I am using:
$url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
$userName = "spfarm\sp2013_svc"
#$userName = "spfarm\spprofileimport";
$site = New-Object Microsoft.SharePoint.SPSite($url)
$web = $site.OpenWeb()
$siteGroups = $web.SiteGroups;
Clear-Host
$mySiteGroups = @();
foreach($group in $siteGroups)
Write-Host $group
$mySiteGroups += $group;
}#foreach
$members = $web.SiteGroups[$mySiteGroups[0]];
$owners = $web.SiteGroups[$mySiteGroups[1]];
$visitors = $web.SiteGroups[$mySiteGroups[2]];
#Remove the user from the specified SharePoint Group
$spUser = Get-SPUser -Identity $userName -Web $url
Write-Host $spUser.ID
Remove-SPUser -Identity $spUser -Web $url -Group $owners
$web.Update();
$web.Dispose();
Write-Host "User " $userName "removed from " $owners
Please advise.

I had to update the code to the following because Get-SPUser was not working properly:
$url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
$userName = "spfarm\spprofileimport";
$site = New-Object Microsoft.SharePoint.SPSite($url)
$web = $site.OpenWeb()
$siteGroups = $web.Groups;
Clear-Host
$mySiteGroups = @();
foreach($group in $siteGroups)
Write-Host $group
$mySiteGroups += $group;
}#foreach
$members = $web.Groups[$mySiteGroups[0]];
$owners = $web.Groups[$mySiteGroups[1]];
$visitors = $web.Groups[$mySiteGroups[2]];
#Convert the user name to an SPUser account
$spUser = $web.Site.RootWeb.EnsureUser($userName);
Write-Host $spUser.ID
Remove-SPUser -Identity $spUser -Web $url -Group $owners
$web.Update();
$web.Dispose();
Write-Host "User " $userName "removed from " $owners
Was I not using Get-SPUser correctly?

Add multiple users to AD Group using AddRange

All,
I am trying to add multiple users to an AD security group using AddRange method but no luck.
Reason why I am using AddRange method is, the memberlist is pretty big (30K users) and Quest or MSFT AD Cmdlets taking plenty of time to add them.
I am following the instruction per http://msdn.microsoft.com/en-in/library/ms180904(v=vs.80).aspx but no luck.
Code snippet:
$groupmembers = Get-Content C:\Temp\MemberDN.txt
$getgroup = [ADSI]"LDAP://CN=MYADGROUP,OU=GROUPS,DC=CONTOSO,DC=COM"
$getgroup.properties.member.AddRange($groupmembers)
#$getgroup.properties["member"].AddRange($groupmembers)
$getgroup.CommitChanges()
#$getgroup.SetInfo()
I tried using ADSPATH as well but no luck.
Any help or pointers are appreciated.
Thanks.

Hi PSPR,
I agree with David .
Also I tested that on my server2012r2 , please refer to :
$user="cn=test1,cn=users,dc=test,dc=com","cn=test2,cn=users,dc=test,dc=com"
$obj=[adsi]"LDAP://cn=test,cn=users,dc=test,dc=com"
$obj.member.addrange($user)
$obj.commitchanges()
Hope it helps
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

How to authenticate outgoing FW users by Windows group membership

Hi,
I need to authenticate all (windows) users who access the internet through an IOS firewall. Applies not only to web traffic (which is easy to do), but also to other applications (e.g. some telebanking programs, RDP sessions etc.)
Basically, I need to use dynamic access lists, and use a different access list for each Windows user group.
Is there any way to do this?
Hans van der Poel
Consultant
NextiraOne

You can do this with the help of an authentication server.

How to get Portal Login user ID and Groups using UME API in JSPDynpages

Hi Experts,
How can I get the portal logged user ID and bsed on that ID need to get his assigend groups.
For this Initially I need to get the logged user ID using UME API.
Can you drop the code to write and display using JSP Dynpages?
Thanks
Venkat.

Hi,
Try the below code
IUserFactory userfact=UMFactory.getUserFactory();
IUser user=userfact.getUserByUniqueName(request.getUser().getUserId());
String usrid=user.getUniqueName();
And also you can get the groups assigned to user by using the below code
Iterator groups = user.getParentGroups(true);
while (groups.hasNext()) {
     String groupstr = (String) groups.next();
     IGroup g = UMFactory.getGroupFactory().getGroup(groupstr);
     response.write("Group name "g.getUniqueName()"<br>");
Regards
Suresh

Is user member of group in C#

Hello everyone,
I have to bind our application from ActiveDirectory to eDirectory. Is
there a simple way to determine if the currently logged in user is a
member of a group?
In ActiveDirectory this is really simple but in eDirectory (using the
LDAP C#-library) it seems that I always have to create LDAP strings
which always have to contain username and password (which is an
absolutely no-go in my opinion).
I found many articles to my problem but no one with an easy solution.
Perhaps someone got this running without the novell LDAP library through
Microsoft DirectoryServices-Namespace.
inno1
inno1's Profile: http://forums.novell.com/member.php?userid=109362
View this thread: http://forums.novell.com/showthread.php?t=437637

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A few things come to mind. First your authentication problem; binding
anonymously is definitely allowed in eDirectory, and is even allowed by
default, but that doesn't mean the environment you are hitting will allow
it. This is something you'll need to check with whomever setup the
eDirectory environment. The documentation should cover how to set
restrictions like anonymous binds.
Next we have what I'm guessing is how you are searching for the group. I
do not see how you are going to find either your group or your user in the
group using that code so I'll suggest something else that I think is
better taking advantage of the power of eDirectory and LDAP. First a
little more information about eDirectory. By default group memberships
are shown on both the group and user sides so you can either query the
entire directory for groups that have users in their 'members' attribute,
or you can go to the user and simply get a listing of all of the values in
the groupMembership attribute. This is the best way, in my opinion, to
see if a user is a member of a group.
Now, about finding the user. In LDAP environments objects are found by
full DNs, not just their relative DNs or usernames. If you do not have a
full DN (users seldom know the full DN or use them) the first step is to
find these, which you can do with a search like you are doing, although
hopefully you wouldn't need to loop through results. Having a query like
the following should find the user in one shot in a well-designed environment:
(&(objectClass=inetorgperson)(cn=userNameHere))
Once you have found the resulting DN of the user you can find the
groupMembership attribute and either use the full set of values in that
attribute or you can iterate through the values looking for the group DN.
For both user and group you must use the full DN to verify membership.
Good luck.
On 04/28/2011 02:36 AM, inno1 wrote:
>
> ab;2100491 Wrote:
>> The check for is a user is a member of a group does not require the
>> password...I ask because the samples from the LDAP-library (ListGroup.cs, for
> example) all seem to require a password. The samples check the number of
> command line arguments and if something is missing the program does not
> work.
>
> ab;2100491 Wrote:
>> what do you mean[..]
> I need a function like
> Code:
> --------------------
> bool UserIsMemberOf(string groupName) {}
> --------------------
> to determine if a user is a member of a group.
>
> I get the userName from Environment.UserName and the groupName the user
> has to be a member of is configured somewhere in my application.
>
> In ActiveDirectory I just connect to LDAP://RootDSE and everything
> works fine.
>
> ab;2100491 Wrote:
>> [..] and what does your code look like?
> I used the 'Using .NET C# LDAP Library'
> (http://www.novell.com/coolsolutions/...e/11204.html):
>
>
> Code:
> --------------------
> Anonymous Binding
>
> // C# Library namespace
> using Novell.Directory.Ldap;
>
> // Creating an LdapConnection instance
> LdapConnection ldapConn= new LdapConnection();
>
> //Connect function will create a socket connection to the server
> ldapConn.Connect (ldapHost,ldapPort);
>
> //Bind function with null user dn and password value will perform anonymous bind
> //to LDAP server
> ldapConn.Bind (null, null);
> --------------------
>
> After this ldapConn.Bound is false. Is this correct? It could be
> correct because I didn't really authenticate when doing anonymous
> binding but it could be also wrong because even an anonymous bind should
> be a form of authentication.
>
> I also tried Identity Bind:
>
>
> Code:
> --------------------
> Binding using an Identity
>
> // C# Library namespace
> using Novell.Directory.Ldap;
>
> // Creating an LdapConnection instance
> LdapConnection ldapConn= new LdapConnection();
>
> //Connect function will create a socket connection to the server
> ldapConn.Connect(ldapHost,ldapPort);
>
> //Bind function will Bind the user object Credentials to the Server
> ldapConn.Bind(userDN,userPasswd);
> --------------------
> After this, ldapConn.Bound is true but the user has to give a password.
> I don't want the user to have to use a password because in this case the
> user has to configure it somewhere in the configuration of my
> application.
>
> Then - for testing purposes - I wrote a function to get the users of a
> group:
>
>
> Code:
> --------------------
> LdapSearchResults lsc=ldapConn.Search("ou=Users,o=DomainAdmins", LdapConnection.SCOPE_ONE, "objectClass=*", null, false);
>
> string result = String.Empty;
>
> while (lsc.hasMore()) {
> LdapEntry nextEntry = null;
>
> try {
> nextEntry = lsc.next(); // <--- EXCEPTION: see [1]
> } catch(LdapException e) {
> result = String.Concat(result, "Error: ", e.LdapErrorMessage, Environment.NewLine);
> // Exception is thrown, go for next entry
> continue;
> }
>
> result = String.Concat(result, nextEntry.DN, Environment.NewLine);
>
> LdapAttributeSet attributeSet = nextEntry.getAttributeSet();
> System.Collections.IEnumerator ienum = attributeSet.GetEnumerator();
>
> while(ienum.MoveNext()) {
> LdapAttribute attribute=(LdapAttribute)ienum.Current;
> string attributeName = attribute.Name;
> string attributeVal = attribute.StringValue;
> result = String.Concat(result, attributeName, "value:", attributeVal, Environment.NewLine);
> }
> }
> --------------------
>
>
> [1] "00000000: LdapErr: DSID-0C090627, comment: In order to perform
> this operation a successful bind must be completed on the connection.
>
> I think this is the problem:
>
>
> Code:
> --------------------
> LdapSearchResults lsc=ldapConn.Search("ou=Users,o=DomainAdmins", LdapConnection.SCOPE_ONE, "objectClass=*", null, false);
> --------------------
>
>
> So, how does this have to look for a domain named "MyDomain.com" for a
> group named "DomainAdmins" if I want to get all members of this group?
>
> And how does this have to look if I want to know if a user named
> "myuser" is member of a group "mygroup" in domain "MyDomain.com"?
>
> I think this would help me a lot.
>
> ab;2100491 Wrote:
>> There may be a need for authentication that would require a
>> username/password but that depends on the rights you assign to your
>> tree
>> to allow (or deny) anonymous access.So, this is someone the customer has to configure I think. Since I only
> want to read from a domain it has to work some way without giving a
> password.
>
> ab;2100491 Wrote:
>> Good luck.Thank you very much!
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJNujvFAAoJEF+XTK08PnB5Vn4QAJ8wDKZw5h Q5AWWkeMhKZ57U
DctNKO9Wl1xU3agTp+PjgFFCQMHTiME7/UFU7/KR+eyY0hgp9R6r0k2lK3iX1TFd
1Zwg0rkEjV+Pydy7vHk/LvqpoyWYKhrSGHhvkj/RChiIj1yEKR0rgAXGZG8NPemO
nIXJtPHQ8ZkH8ZrEGfL+25abIc5b0Ch5KXN76nSFRGORgqPRvO 2gpQW36KKj+Tfq
RZARJgBKyKaG4MOlatnS2ZNuAy1meI/1oTN/ouO8K1MR+Hey2ZvI85VUSlg3nG/z
fgj6QdIMj80KRnpgJCO4K7SFO6effHQaijRUIszz5xHxSEaPXv FcB/xPhRdedzxb
NKZu/rti0Jt3PABCG3nibbUcA05vbb6mLbufwDISJGXyUp5PK3533yT xoGFjkt1I
PL+p7ZpL4Q5s4wHBGME0y579V5EfncqqUsFh2aONzhIAmOSxu0 huaqcLG5QWmQnQ
HMn8+npkdlyGGJy4hslpyoTQefYNsn7PdXig1KAMEZjQHGlI1S WJf/hsztcP4/jM
Zf8oKMZz/35+EphCgRgXl0h5gOFk+WpxHRJ8NyAVLZioV4mcUwBzLDD7d9z lW47/
SZxxlIOKpFB1c0FokkFR2SBteDsd4dzfMPgD7MTDBNj174u7wn y3LkSvWfPTDjBS
12SwchOZ+PPL3PxfsUNc
=/n4u
-----END PGP SIGNATURE-----

Error when adding an AD user to OID group

I'm getting a very unhelpful message when trying to add a user to a group using the oiddas console.
We have synchronized our existing Active Directory ldap into a 10.1.4 OID. We now have an OID group that we want to add existing AD users to. I can select 'Add User' and see the user I want to add. But, after selecting the user the page returns with the single message of 'Error!'. That's it. Also, the page becomes unusable. Clicking tab menus like Configuration or Directory does nothing. You have to log out and back in to get the console to work again
I can't find anything in the logs......can anyone help?

Are you using any of the following "Sum, Count, Min, Max, and Avg" as member names, if so then this can generate the error and you would need to change the name.
Cheers
John
http://john-goodwin.blogspot.com/

Trying to add a user to a Group thru JNDI. Insuffficient Access Rights

I am trying to add a user to a group using JNDI with,
DirContext.modifyAttributes()
I have set up the tree structure outside the default cn=Users setup and defined the Group as auxiliary class.
I haven't set up any Access Controls. But it fails with "Ldap Error code 50. Insufficient Access Rights".
If I try to add the same user using the uniquemember attribute to the group I am interested in, it works fine in Directory Manager and Generic Ldap browser. I even tried setting up the JNDI user credentials to "orcladmin" still doesn't work. Any idea??

Maybe the example code from OID developers guide gives an idea
http://download-west.oracle.com/docs/cd/A97329_03/manage.902/a95193/smplcode.htm#637267
--Olaf

Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

I met a problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN clients:
1. Background:
We have two WLAN: staff and student, both of them will use PEAP-MSCHAPv2, ACSE will be the Radius server, it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
2. Problem:
If student1 try to associate to staff WLAN, since both staff and student WLAN using the same authentication method, the auth request will be send to AD user database, since student1 is a valid user account in AD, then it will pass the authentication, then it will join the staff WLAN. How to prevent this happen?
3. Potential solution and its limitation:
1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?
2) Use methods like âRestrict WLAN Access based on SSID with WLC and Cisco Secure ACSâ: Configure DNIS with ssid name in NAR of ACSE, but since DNIS/NAR is only configurable in ACSE, don't know if AD support it or not, is there any options in AD like DNIS/NAR in ACSE?
Thanks for any suggestions!

I think the documentation for ACS states:
ACS can only support group mapping for users who belong to 500 or fewer Windows groups
I read that as, If a user belongs to >500 Windows Group, ACS can't map it. The group can have over 500 users, its just those users can't belong to more than 500 groups.

How to use CSACS 3.3 to authenticate users from multiple windows domain?

Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is not a child nor a trusted domain???
hello, here is my scenario:
ACS 3.3 was installed on a member server on domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfect on just domain1, but now I need to authenticate users from another domain.
And adding those domains as trusted domains in domain1 is not an option.
Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
Any input is much appreciated.

Hi Betcy,
I am not familiar with sharepoint solutions, but as you mentioned about windows credentials I believe it refers to kerberos tokens. On this case you can take advantage of SPNego authentication.
You can find more details on following SAP note:
#[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
I hope it helps.
Kind regards,
Lisandro Magnus

User in a windows group - mapping to acs group appears not be working

I have a user in a windows group, this windows group is mapped to an ACS group but when the user logs in it appears as default group in ACS.
Any suggestion?

Hello, I recently implemented this very thing, actually integrated it with Authentication Proxy. Here are some settings to check:
1. External User Databases - Database Configuration - Windows Database - Configure
Make sure your domain is listed on moved to the Domain List section
2. External User Databases - Database Group Mappings - Windows Database - - Add Manual Mapping
Make sure you have the right AD group mapped to the internal ACS group, you can even set users* if you want to include all users.
3. External User Databses - Unknown User Policy
Check the "Check the following external user databases" radio dial and move Windows Database to Selected Databases
Check âThe database in which the user profile is heldâ radio dial in the Configure Enable Password Behaviour section
Hope that helps!

Using Windows Group Policies in User policy package

I've been using the gp under User Config > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings in the User policy Package for a while now to prevent students from getting to https sites.
There are some sites though that we had to the Exception list which has worked fine until I added a new one which is: https://secure.ontariocolleges.ca/sso/auth
When this one is added it seems the gp doesn't work at all, ie students can go to any https site they want, when I remove this exception they're blocked again.
Someone else told me there was a character limit to the exception list so I tried removing all other exceptions except the one above and it still doesn't work.
I am unable to find any other info on this. Does anyone have any ideas?
Thanks.

Thanks for answering your own question :>
I'm sure the answer will help others.
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
"jdwall" <[email protected]> wrote in message
news:[email protected]..
>
> I think I found the problem, I replaced
> https://secure.ontariocolleges.ca/sso/auth with
> https://*.ontariocolleges.ca and that resolved it.
>
>
>
>
> jdwall;1693410 Wrote:
>> I've been using the gp under User Config > Windows Settings > Internet
>> Explorer Maintenance > Connection > Proxy Settings in the User policy
>> Package for a while now to prevent students from getting to https sites.
>>
>>
>> There are some sites though that we had to the Exception list which has
>> worked fine until I added a new one which is:
>> https://secure.ontariocolleges.ca/sso/auth
>>
>> When this one is added it seems the gp doesn't work at all, ie students
>> can go to any https site they want, when I remove this exception they're
>> blocked again.
>>
>> Someone else told me there was a character limit to the exception list
>> so I tried removing all other exceptions except the one above and it
>> still doesn't work.
>>
>> I am unable to find any other info on this. Does anyone have any
>> ideas?
>>
>> Thanks.
>
>
> --
> jdwall
> ------------------------------------------------------------------------
> jdwall's Profile: http://forums.novell.com/member.php?userid=2475
> View this thread: http://forums.novell.com/showthread.php?t=353133
>

Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

Hi , I have an ACS and Open-LDAP server running on my company network.
Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
then, I'm moving on external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, also select it on access service. but when I tried to authenticate from my computer, an error was occurred. I received :
the following error 22056 Subject not found in the applicable identity store (s)
Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?
any suggestion ?
thanks

This is the log when using windows 7 as authentication client (Failed) :
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using 1841 router as authentication client (succeded) :
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.
so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
is there anything I can do to make it work ?

Authenticate users by Windows group using ACS

Similar Messages

Maybe you are looking for