Authenticating Unix users with LEAP

Scenario: WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords were successfully imported into the ACS database with the csutil utility.
Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
WLANs are increasingly used in places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
Thanks in advance

I know it's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
An ugly workaround would be to setup User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course.

Similar Messages

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the aaa server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working ?
    Here is my running configuration :
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!

  • UNIX user with Oracle software group settings

    I am seeking help on this issue.
    When I installed Oracle 10g on a Solaris 9 sparc box, I created user oracle and assigned the oracle user to primary group oinstall and secondary group dba. Then the installation went successfully. After that, I created another user ccmm and assigned ccmm to the dba group. Then I created some UNIX scripts and SQL scripts stored on the system. When I log into the server as the ccmm user and try to connect to the Oracle database, it fails. If I log in as the oracle user and try to connect to the Oracle database, everything runs fine. My purpose is to log in as the ccmm user and connect to the Oracle database or start Oracle utilities from there. So where is the problem in the ccmm user settings? How can I make the ccmm user an Oracle database user on the UNIX machine? Thanks in advance.

    Not sure if I quite understand what you're looking to do, but have you added the 'ccmm' user to the 'oinstall' group?
    vi /etc/group
    oinstall::101:ccmm
    Don't know if that helps ya or not.
    g/l

  • Is roaming transparent to users when authenticating with LEAP or EAP-TLS?

    We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to reauthenticate every time they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?

    Your users will have to re-authenticate to each AP but it happens automatically through the client. If all of your APs are on the same segment/subnet you shouldn't have a problem.

  • Check_ntlm_password:  Authentication for user ['name'] - ['name'] FAILED with error NT_STATUS_LOGON_FAILURE

    Hi,
    We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell.  My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box.  I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too.  Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords.  But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
    check_ntlm_password:  Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
    (I am blanking out the user name on purpose).
    Of course there is more to the story, but those are the basics.
    Here are the relevant parts of my smb.conf.  FWIW, the CentOS / Samba box is called Jupiter.
    Thank you,
    NickZ
    [smb.conf]
    [global]
              display charset = UTF-8
              realm = SATURN.MCLEAN.HARVARD.EDU
              netbios aliases = ANL
              server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
              interfaces = lo, em1
              security = SERVER
              update encrypted = Yes
              password server = saturn.mclean.harvard.edu
              smb passwd file = /var/lib/samba/private/secrets.tdb
              passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
              passwd program = /usr/bin/passwd %u
              unix password sync = Yes
              lanman auth = Yes
              client NTLMv2 auth = Yes
              client use spnego principal = Yes
              kerberos method = system keytab
              log level = 2
              syslog = 3
              log file = /var/log/samba/log.%m
              max log size = 50
              name resolve order = host lmhosts wins bcast
              server signing = auto
              preferred master = Auto
              ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
              ldap group suffix = cn=groups
              ldap passwd sync = yes
              ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
              ldap ssl = no
              ldap user suffix = cn=users
              usershare allow guests = Yes
              idmap backend = ldap:ldap://saturn.mclean.harvard.edu
              idmap uid = 10000-20000
              idmap gid = 30000-40000
              cups options = raw
    [homes]
              comment = Home Directories
              read only = No
    [printers]
              comment = All Printers
              path = /var/spool/samba
              printable = Yes
              browseable = No
    [anl]
              comment = Main ANL Share
              path = /anl
              read only = No
              guest ok = Yes
              hide dot files = No

    Turns out a printer driver installed on an XP (even W2K(?)) was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
    Proud to say that since that day (10+ months ago) I've not seen it happen again. whew.

  • Authenticating against AD with Kerberos, by a user with an explicit UPN

    Hello
    My situation :
    I have a 2008 functional level domain with a technical name, let's say tec.domain.com
    I have for this domain configured an alternate UPN : domain.com (that is only a DNS domain name, not an existing AD domain)
    My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address, on our Exchange organization)
    Now, from a Linux server (running Apache and Kerberos), I can do a kinit with [email protected], but not with [email protected]
    When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
    According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ) , my DC should be able to handle it, as far as I understand it.
    Am I missing something ?
    Thanks in advance.

    Hi,
    Thanks for your post.
    It seems like you could not enable Kerberos authentication for users logon using their alternative UPNs.
    Please refer to the similar thread:
    Authenticating to Active Directory using an alternate UPN
    http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
    Regards.
    Vivian Wang

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

    I need the MBAM 2.5 Helpdesk and Self Service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
    tconners

    This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance.  In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.
    I can confirm that I have the exact configuration and I always get the password prompt the very first time. We have a 2 server (1xIIS and 1xSQL) infrastructure in production with the SPN set like it should be and I get the password prompt.

  • How to access oracle with any unix user (like root)?

    I installed Oracle 10g on Redhat Enterprise Linux 3.
    I created one oracle user, and installed oracle in oracle users home directory. In oracle user I can access oracle very well. But I can not use oracle with other unix users like root. What kind of permissions I need to set to do so?

    You should never try to connect to Oracle as root, but if you want to connect as any other OS user, you will need to run ChangePerm.sh in $ORACLE_HOME/install in order to do this. It may not be present until you upgrade above the base release (like 10.2.0.3).
    Can not Logon To SQL*Plus as non-Oracle User: Libclntsh.So.10.1: Permission Denied
    http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=420083.1

  • Presenting users with authentication menu

    Hi,
    I have a need to present the users with the option to either authenticate with LDAP or RADIUS. All the users go through a gateway. The only way I understand to do this is to prepend "&authlevel=0" at the end of the URL. I am wondering if there is a way to have the gateway do this automatically.
    The user would enter: https://host.domain.com and this would present the user with the authentication menu for the selected modules.
    We are using JES 2003Q4 (portal 6.2).
    any help would be appreciated,
    wiggam

    Hmm, the authentication method can be chosen using "module", e.g.
    input type="hidden" name="module" value="LDAP"
    in the login form.
    You could put a dropdownbox there or something like that.
    hth Chris

  • Authenticating, Authorizing VPN user with AAA

    Hello,
    I have ACS1113(4.2) solution Engine and ASA 5550 which have been integrated with ACS. I need to authenticate and authorize the VPN users form ACS.
    Also I need to have different access for different group in ACS
    please help me in this.
    Thanks
    Ritesh

    Hi,
    I am finding one problem. Well, I have done the configuration in the ASA for authentication through ACS, but when I attempt to authenticate as a user I get an authentication failure message. Here are the commands configured in the ASA and the debug messages:
    Command:
    aaa-server ACSCHN protocol radius
    aaa-server ACSCHN (WAN) host 10.132.15.26
    key _____
    aaa authentication telnet console ACSCHN LOCAL
    aaa authentication enable console ACSCHN LOCAL
    Debug Msg:
    Initiating authentication to primary server (Svr Grp: ACSCHN)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: wipro
    Resp:
    In localauth_ioctl
    Local authentication of user wipro
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
    aaa_backend_callback: Error: sorry
    AAA task: aaa_process_msg(185f00e8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
    AAA API: In aaa_close
    AAA task: aaa_process_msg(185f00e8) received message type 3
    In aaai_close_session (868)
    Please help why it authenticated with internal server not with ACS server.
    Regards
    Ritesh

  • Kerberos Authentication - more than one user with same sAMAccountName

    I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How to resolve issue regarding multiple users with same account ID (same sAMAccountName) under different domains?

    We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname.  This was a wise decision, as SPNego does fail for a variety of reasons.  The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
    Andrew Castillo

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the clients (WinXP) are receiving both machine and user certificates just fine.
    I have also managed to set it up so Machine Authentication works, by setting up a policy rule that checks on the certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • Perl script and unix users

    Hi, I have a perl script that connects to a regular user's account, using DBI/DBD::Oracle. It works fine if the UNIX user is in the oinstall group, but if it's in oracle, dba or neither it gives me the following error:
    DBI connect('orcl','xxxxxxx',...) failed: ORA-24327: need explicit attach before authenticating a user (DBD ERROR: OCISessionBegin) at /terida/opt/smarthost/updatedatabases.pl line 15
    I'm guessing here that Perl DBD::Oracle needs access to a specific file in the oracle installation perhaps ? I'm also gonna wager that letting it live in the oinstall group is not recommended..
    Tips?
    Thanks

    For people running into ORA-24327 errors with DBD::Oracle: the underlying cause is often a missing hostname, but the ORA-24327 error message is misleading. I've submitted a patch for DBD::Oracle to trap and report errors like this in OCIServerAttach, which will hopefully make it into the 1.29 release.
    https://rt.cpan.org/Public/Bug/Display.html?id=68958
    Marc

  • Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

    What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
    We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on them.
    When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user that the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their password reset.
    Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or the password is "incorrect"?

    It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
    A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
    For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
    There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
    http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
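A worked version of the simple approach suggested above, added here and not part of the thread: classify 4625 events by their SubStatus field, where an expired password (NTSTATUS 0xC0000071) is distinguished from a plain wrong password (0xC000006A), and collect the users the help desk should be told about. It assumes the events have been exported as XML (for example with `wevtutil qe Security /q:"*[System[(EventID=4625)]]" /f:xml`); the two events below are constructed samples, not real log data.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values that appear in the SubStatus field of event 4625.
SUBSTATUS_REASON = {
    "0xc000006a": "wrong password",
    "0xc0000071": "password expired",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
    "0xc0000193": "account expired",
    "0xc0000070": "logon from unauthorized workstation",
    "0xc000006f": "logon outside permitted hours",
}


def parse_4625(xml_text: str) -> dict:
    """Extract the fields a help desk needs from one 4625 event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=EVENT_NS)
    if event_id.strip() != "4625":
        raise ValueError(f"not a 4625 event (EventID={event_id!r})")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    sub = data.get("SubStatus", "").lower()
    return {
        "time": root.find("e:System/e:TimeCreated", EVENT_NS).get("SystemTime"),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "source_ip": data.get("IpAddress", ""),
        "logon_type": data.get("LogonType", ""),
        "substatus": sub,
        "reason": SUBSTATUS_REASON.get(sub, f"other ({sub})"),
    }


def expired_password_logons(events):
    """Return one (user, domain, source_ip, time) tuple per expired-password failure."""
    out = []
    for xml_text in events:
        ev = parse_4625(xml_text)
        if ev["substatus"] == "0xc0000071":
            out.append((ev["user"], ev["domain"], ev["source_ip"], ev["time"]))
    return out


def help_desk_notice(finding) -> str:
    """Text for the e-mail the answer suggests sending to the user or help desk."""
    user, domain, ip, when = finding
    return (f"{domain}\\{user} attempted to log on at {when} from {ip} with a correct "
            f"but expired password; a password reset will restore access.")


def _sample(user, status, substatus, ip):
    # Constructed 4625 event in the shape produced by wevtutil /f:xml (abridged).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2014-07-24T16:38:23.000Z"/><Computer>sp-web01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">{status}</Data><Data Name="SubStatus">{substatus}</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _sample("jdoe", "0xc000006e", "0xc0000071", "203.0.113.7"),    # expired password
    _sample("asmith", "0xc000006d", "0xc000006a", "203.0.113.9"),  # plain wrong password
]

if __name__ == "__main__":
    for finding in expired_password_logons(SAMPLE_EVENTS):
        print(help_desk_notice(finding))
```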

  • How to use CMS Users with SAP BOPC NW 7.5

    Hello,
    I have problems importing and using CMS Users with BO PC 7.5 NW.
    I am trying two types of CMS-users
    1. CMS Enterprise Users created in CMS and using "Enterprise" authentication
    2. SAP BW Users imported into CMS using their SAP authentication "secSAPR3")
    but both don't work:
    In the BOPC Admin Client, I can successfully select Security->Users->"Add new Users". Both CMS "Enterprise Users" and CMS Users that use SAP authentication are displayed in the "Everyone" Group.
    The CMS Enterprise Users are displayed as <username>, e.g. "Miller".
    The CMS users with sap authentication are displayed as <SAPSystem><Client>/<SAPusername>, e.g. "KBE100/Smith".
    Now If I try to import a user...
    1. CMS Enterprise Users
    I can successfully import CMS Enterprise Users and add them to the ADMIN Team, e.g. "Miller".
    The problem is they can't be used to log in to the Admin Client and Excel Client:
    E.g. I enter User-ID "Miller" and his CMS-Enterprise-password under password after starting Excel Client, an error message shows up: "The UserID, Password or Domain cannot be authenticated. Go back and make sure you entered valid credentials" ... (same error message as if the user didn't exist/wrong pw.).
    Seems the user wasn't added as BO PC user. Or do I need to use any prefix before the "user ID" for CMS Enterprise users in the User_ID field instead of just "Miller"?! 
    2. CMS Users which use SAP-authentication (users imported into CMS from BW and use SAP-authentication)
    In the BO PC Admin Client, I can't import them: I go through "1. User Setup" select "KBE~100/Smith", "2. User Detail", "3. Assignments", but if I am in "4. Finish" and click on "Apply", the following error shows up:
    "Failed to create directory \root\Webfolders\<AppSetName>\<Appname>" for "KBE~100/Smith".
    My guess is that the operating system doesn't like the "/" in the Username - but I guess this can't be changed because these Users come from CMS and are already displayed with the "/" between SAPSystemID~ClientNumber and username in the User-list in BOPC Admin Client!
    side remark: if I create a SAP CMS Enterprise user which contains a "/" in the username (on purpose), I am getting the same error message.
    Any help, explanations and workarounds are greatly appreciated - Any solution will be awarded with maximum points!
    Best Regards and thanks a lot for your help!

    Hi Florian,
    The problem seems indeed the file system on the bw not being able to handle "/". The automatic user import from the bw role into the CMC does not give you an option to replace the "/" character with anything else.
    This should solve it:
    - Go to the CMC double click the user. Delete the server part "KBE100/" and click save. Make sure the default system is set to "KBE100". The user should now be able to login from BPC with the user Smith.
    Good luck,
    Martin
