Authenticating Unix users with LEAP
Scenario: WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords are successfully imported into the ACS database with the csutil utility.
Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
WLANs are increasingly used in places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
Thanks in advance
I know it's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
An ugly workaround would be to setup User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course.
Similar Messages
-
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error:
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the aaa server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working?
Here is my running configuration:
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts! -
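An added check, not part of the original thread: a small Python lint that parses an autonomous-AP running-config and reports an SSID whose `authentication ... eap` line references a method list that no `aaa authentication login` command defines, which is exactly the `eap_list` versus `eap_methods` mismatch in the posted config. The config excerpt is constructed from the posted one and the function names are mine.

```python
import re

# Constructed excerpt modelled on the posted running-config (indented the way IOS
# prints it; the parser also accepts a flattened paste like the one in the post).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 syslog
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
eap profile peap
 method peap
"""

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
RADIUS_GROUP_RE = re.compile(r"^aaa group server radius (\S+)")
SSID_RE = re.compile(r"^dot11 ssid (\S+)$")
EAP_REF_RE = re.compile(r"^authentication (?:open eap|network-eap) (\S+)")
# Top-level commands that end a 'dot11 ssid' block even when indentation was lost.
BLOCK_ENDERS = ("interface ", "dot11 ", "aaa ", "eap profile", "crypto ",
                "bridge ", "ip ", "line ", "end")


def parse_config(text):
    """Return (login_lists, radius_groups, ssid_refs) from IOS config text.

    login_lists: method-list name -> its method string (e.g. 'group rad_eap')
    radius_groups: names defined by 'aaa group server radius'
    ssid_refs: SSID name -> method-list names its EAP authentication lines use
    """
    login_lists, radius_groups, ssid_refs = {}, set(), {}
    current_ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOGIN_LIST_RE.match(line):
            login_lists[m.group(1)] = m.group(2).strip()
            current_ssid = None
        elif m := RADIUS_GROUP_RE.match(line):
            radius_groups.add(m.group(1))
            current_ssid = None
        elif m := SSID_RE.match(line):
            current_ssid = m.group(1)
            ssid_refs[current_ssid] = []
        elif current_ssid and (m := EAP_REF_RE.match(line)):
            ssid_refs[current_ssid].append(m.group(1))
        elif line.startswith(BLOCK_ENDERS):
            current_ssid = None
    return login_lists, radius_groups, ssid_refs


def find_problems(text):
    """Return human-readable findings; an empty list means the references line up."""
    login_lists, radius_groups, ssid_refs = parse_config(text)
    problems = []
    for ssid, refs in ssid_refs.items():
        if not refs:
            problems.append(f"ssid {ssid}: no EAP authentication list configured")
        for ref in refs:
            if ref not in login_lists:
                defined = ", ".join(sorted(login_lists)) or "none"
                problems.append(f"ssid {ssid}: method list '{ref}' is not defined (defined: {defined})")
    for name, methods in login_lists.items():
        # 'group radius' / 'group tacacs+' mean every server of that type; any other
        # name must be a server group that the config actually defines.
        for group in re.findall(r"group (\S+)", methods):
            if group not in ("radius", "tacacs+") and group not in radius_groups:
                problems.append(f"list {name}: server group '{group}' is not defined")
    return problems


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```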
UNIX user with Oracle software group settings
I am seeking help on this issue.
When I installed Oracle 10g on Solaris 9 sparc box, I created user oracle and assigned oracle user to primary group Oinstall and second group dba. Then installation went successful. After that, I created another user ccmm and assigned ccmm to dba group. Then I created some UNIX scripts and SQL scripts stored on system. When I log into server as ccmm user and tried to connect to Oracle database, it failed. If I log in as oracle user and tried to connect to Oracle database, everything runs fine. My purpose is to log in as ccmm user and connect to Oracle database or start Oracle utilities from there. So where is the problem for ccmm user settings? How can I make ccmm user as Oracle database user on UNIX machine? Thanks in advance.
Not sure if I quite understand what you're looking to do, but have you added the 'ccmm' user to the 'oinstall' group?
vi /etc/group
oinstall::101:ccmm
Don't know if that helps ya or not.
g/l -
Is roaming transparent to users when authenticating with LEAP or EAP-TLS?
We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to re-authenticate every time they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?
Your users will have to re-authenticate to each AP, but it happens automatically through the client. If all of your APs are on the same segment/subnet you shouldn't have a problem.
-
Hi,
We are running a Mountain Lion Server with Open Directory / LDAPv3, as far as I can tell. My responsibility is to get my CentOS 6.3 box running Samba v. 3.5.10-125.el6 to authenticate users against the ML / OD box. I can ssh to the CentOS box OK and I can get Guest access to the Samba share to go OK too. Also, the OD passwords on the LDAP server are set to 'Open Directory' so I guess that means that they are encrypted and the Samba server is set to send encrypted passwords. But when a user tries to properly authenticate using either say via a Mac client Finder [Command-K], or smbclient, the Samba server will generate this message:
check_ntlm_password: Authentication for user ['name'] -> ['name'] FAILED with error NT_STATUS_LOGON_FAILURE
(I am blanking out the user name on purpose).
Of course there is more to the story, but those are the basics.
Here are the relevant parts of my smb.conf. FWIW, the CentOS / Samba box is called Jupiter.
Thank you,
NickZ
[smb.conf]
[global]
display charset = UTF-8
realm = SATURN.MCLEAN.HARVARD.EDU
netbios aliases = ANL
server string = Welcome To The Jupiter Samba Server Version 3.5.10-125.el6
interfaces = lo, em1
security = SERVER
update encrypted = Yes
password server = saturn.mclean.harvard.edu
smb passwd file = /var/lib/samba/private/secrets.tdb
passdb backend = ldapsam:ldap://saturn.mclean.harvard.edu
passwd program = /usr/bin/passwd %u
unix password sync = Yes
lanman auth = Yes
client NTLMv2 auth = Yes
client use spnego principal = Yes
kerberos method = system keytab
log level = 2
syslog = 3
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = host lmhosts wins bcast
server signing = auto
preferred master = Auto
ldap admin dn = uid=DirAdmin,cn=users,dc=saturn,dc=mclean,dc=harvard,dc=edu
ldap group suffix = cn=groups
ldap passwd sync = yes
ldap suffix = dc=saturn,dc=mclean,dc=harvard,dc=edu
ldap ssl = no
ldap user suffix = cn=users
usershare allow guests = Yes
idmap backend = ldap:ldap://saturn.mclean.harvard.edu
idmap uid = 10000-20000
idmap gid = 30000-40000
cups options = raw
[homes]
comment = Home Directories
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[anl]
comment = Main ANL Share
path = /anl
read only = No
guest ok = Yes
hide dot files = No
Turns out a printer driver installed on an XP (even W2K(?)) machine was (apparently?) flooding the OS X SMB server to the point of collapse. Uninstalling the "HP Tools" part of the driver cleared it up. The printer is an HP LJ1300. I had downloaded the full driver from HP.com. I don't know if any/all these conditions need to be matched, but: the printer was on the network using an HP print server JetDirect EX Plus, and the computer(s) in question were connecting directly to it (not via a print server). It's been too long ago, but there were always several errors in the System Log (Win XP Event Viewer) that correlated with the errors on the OS X server.
Proud to say that since that day (10+ months ago) I've not seen it happen again. whew. -
Authenticating agains AD with Kerberos, by a user with an explicit UPN
Hello
My situation:
I have a 2008 functional level domain with a technical name, let's say tec.domain.com
I have for this domain configured an alternate UPN: domain.com (that is only a DNS domain name, not an existing AD domain)
My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address, on our Exchange organization)
Now, from a Linux server (running Apache and Kerberos), I can do a kinit with [email protected], but not with [email protected]
When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
According to this article (http://msdn.microsoft.com/en-us/library/Cc212351.aspx), my DC should be able to handle it, as far as I understand it.
Am I missing something?
Thanks in advance.
Hi,
Thanks for your post.
It seems like you could not enable Kerberos authentication for users logon using their alternative UPNs.
Please refer to the similar thread:
Authenticating to Active Directory using an alternate UPN
http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
Regards.
Vivian Wang -
I need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
tconners
This generally means that your SPN is not set up correctly. Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance. You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance. In your browser, you should now be able to access the SSP without prompts. However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com. Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication. By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.
I can confirm that I have the exact configuration and I always get the password prompt for the very first time. We have a 2-server (1xIIS and 1xSQL) infrastructure in production with SPN set like it should be and I get the password prompt. -
How to access oracle with any unix user (like root)?
I installed Oracle 10g on Redhat Enterprise Linux 3.
I created one oracle user, and installed oracle in oracle user's home directory. In oracle user I can access oracle very well. But I can not use oracle with other unix users like root. What kind of permissions I need to set to do so?
You should never try to connect to Oracle as root, but if you want to connect as any other OS user, you will need to run ChangePerm.sh in $ORACLE_HOME/install in order to do this. It may not be present until you upgrade above the base release (like 10.2.0.3).
Can not Logon To SQL*Plus as non-Oracle User: Libclntsh.So.10.1: Permission Denied
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=420083.1 -
Presenting users with authentication menu
Hi,
I have a need to present the users with the option to either authenticate with LDAP or RADIUS. All the users go through a gateway. The only way I understand to do this is to prepend "&authlevel=0" at the end of the URL. I am wondering if there is a way to have the gateway do this automatically.
The user would enter: https://host.domain.com and this would present the user with the authentication menu for the selected modules.
We are using JES 2003Q4 (portal 6.2).
any help would be appreciated,
wiggam
Hmm, the authentication method can be chosen using "module", e.g.
<input type="hidden" name="module" value="LDAP">
in the login form.
You could put a drop-down box there or something like that.
hth Chris -
Authenticating, Authorizing VPN user with AAA
Hello,
I have an ACS1113(4.2) Solution Engine and an ASA 5550 which have been integrated with ACS. I need to authenticate and authorize the VPN users from ACS.
Also I need to have different access for different groups in ACS.
please help me in this.
Thanks
Ritesh
Hi,
I am finding one problem. Well, I have done the configurations in ASA for authentication through ACS, but when I attempt to authenticate through a user then I get an authentication message. Here is the command configured in ASA and the debug msg.
Command:
aaa-server ACSCHN protocol radius
aaa-server ACSCHN (WAN) host 10.132.15.26
key _____
aaa authentication telnet console ACSCHN LOCAL
aaa authentication enable console ACSCHN LOCAL
Debug Msg:
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
aaa_backend_callback: Error: sorry
AAA task: aaa_process_msg(185f00e8) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
AAA API: In aaa_close
AAA task: aaa_process_msg(185f00e8) received message type 3
In aaai_close_session (868)
Please help why it authenticated with internal server not with ACS server.
Regards
Ritesh -
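An added example, not from the thread: a parser for the `debug aaa` lines above that extracts which server group was tried, whether any server was actually bound, whether the LOCAL database handled the user, and the final status. On the ASA, `LOCAL` at the end of an `aaa authentication` line is the fallback used when no server in the group answers, so an empty bound-server field next to "Local authentication of user" is the thing to look for. The sample lines are constructed from the posted debug and the function names are mine.

```python
import re

# Constructed from the posted 'debug aaa' output, trimmed to the lines that matter.
SAMPLE_DEBUG = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
Back End response:
Authentication Status: -1 (REJECT)
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
"""

GROUP_RE = re.compile(r"Initiating authentication to (\w+) server \(Svr Grp: (\S+)\)")
BIND_RE = re.compile(r"AAA_BindServer: Using server:\s*(\S*)")
LOCAL_RE = re.compile(r"Local authentication of user (\S+)")
STATUS_RE = re.compile(r"Authentication Status: (-?\d+) \((\w+)\)")


def parse_aaa_debug(text):
    """Pull the facts one ASA authentication attempt exposes in its debug trace."""
    facts = {"server_group": None, "bound_server": None, "local_user": None, "status": None}
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            facts["server_group"] = m.group(2)
        elif m := BIND_RE.search(line):
            facts["bound_server"] = m.group(1) or None  # empty field: no server chosen
        elif m := LOCAL_RE.search(line):
            facts["local_user"] = m.group(1)
        elif m := STATUS_RE.search(line):
            facts["status"] = m.group(2)
    return facts


def diagnose(text):
    """Return findings a reviewer would want; an empty list means nothing odd was seen."""
    f = parse_aaa_debug(text)
    findings = []
    if f["server_group"] and f["bound_server"] is None:
        findings.append(f"no server was bound for group {f['server_group']}: "
                        "the ASA picked none of the group's hosts, so the request never reached RADIUS")
    if f["local_user"]:
        findings.append(f"user {f['local_user']} was checked against the LOCAL database "
                        "(the LOCAL fallback on the aaa authentication line)")
    if f["status"]:
        findings.append(f"final result: {f['status']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```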
Kerberos Authentication - more than one user with same sAMAccountName
I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How to resolve issue regarding multiple users with same account ID (same sAMAccountName) under different domains?
We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname. This was a wise decision, as SPNego does fail for a variety of reasons. The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
Andrew Castillo -
Hi!
I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
This is the goal:
On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
I have set up a Windows Certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
I have also managed to set it up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
"Certificate Dictionary:Common Name contains .admin.testdomain.lan"
But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
Thank you.
Hello again.
I found out how to do this now..
What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
You must also remember to change the AuthMode option in Windows XP Registry to "1".
What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
That would have plugged a few security holes for me. -
Hi, I have a perl script that connects to a regular user's account, using DBI/DBD::Oracle. It works fine if the UNIX user is in the oinstall group, but if it's in oracle, dba or neither it gives me the following error:
DBI connect('orcl','xxxxxxx',...) failed: ORA-24327: need explicit attach before authenticating a user (DBD ERROR: OCISessionBegin) at /terida/opt/smarthost/updatedatabases.pl line 15
I'm guessing here that Perl DBD::Oracle needs access to a specific file in the oracle installation perhaps ? I'm also gonna wager that letting it live in the oinstall group is not recommended..
Tips?
Thanks
For people running into ORA-24327 errors with DBD::Oracle: the underlying cause is often a missing hostname, but the ORA-24327 error message is misleading. I've submitted a patch for DBD::Oracle to trap and report errors like this in OCIServerAttach, which will hopefully make it into the 1.29 release.
https://rt.cpan.org/Public/Bug/Display.html?id=68958
Marc -
Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?
What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
We already send automated email notifications to users reminding them to change their soon-to-expire passwords. However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on it.
When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired. So, they end up confused and call the help desk to get their password reset.
Is there a way to set up SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or password is "incorrect"?
It could be done. You get a different event log entry for an expired login attempt than for a wrong password: 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132 -
How to use CMS Users with SAP BOPC NW 7.5
Hello,
I have problems importing and using CMS Users with BO PC 7.5 NW.
I am trying two types of CMS users:
1. CMS Enterprise Users created in CMS and using "Enterprise" authentication
2. SAP BW Users imported into CMS using their SAP authentication ("secSAPR3")
but neither works:
In the BOPC Admin Client, I can successfully select Security->Users->"Add new Users". Both CMS "Enterprise Users" and CMS Users that use SAP authentication are displayed in the "Everyone" Group.
The CMS Enterprise Users are displayed as <username>, e.g. "Miller".
The CMS users with sap authentication are displayed as <SAPSystem><Client>/<SAPusername>, e.g. "KBE100/Smith".
Now If I try to import a user...
1. CMS Enterprise Users
I can successfully import CMS Enterprise Users and add them to the ADMIN Team, e.g. "Miller".
The problem is they can't be used to log in to the Admin Client and Excel Client:
E.g. I enter User-ID "Miller" and his CMS-Enterprise-password under password after starting Excel Client, and an error message shows up: "The UserID, Password or Domain cannot be authenticated. Go back and make sure you entered valid credentials" ... (same error message as if the user didn't exist / wrong pw.).
Seems the user wasn't added as a BO PC user. Or do I need to use a prefix before the "user ID" for CMS Enterprise users in the User_ID field instead of just "Miller"?!
2. CMS Users which use SAP-authentication (users imported into CMS from BW and use SAP-authentication)
In the BO PC Admin Client, I can't import them: I go through "1. User Setup" select "KBE~100/Smith", "2. User Detail", "3. Assignments", but if I am in "4. Finish" and click on "Apply", the following error shows up:
"Failed to create directory \root\Webfolders\<AppSetName>\<Appname>" for "KBE~100/Smith".
My guess is that the operating system doesn't like the "/" in the Username - but I guess this can't be changed because these users come from CMS and are already displayed with the "/" between SAPSystemID~ClientNumber and username in the User-list in BOPC Admin Client!
Side remark: if I create a SAP CMS Enterprise user which contains a "/" in the username (on purpose), I am getting the same error message.
Any help, explanations and workarounds are greatly appreciated - Any solution will be awarded with maximum points!
Best Regards and thanks a lot for your help!
Hi Florian,
The problem seems indeed the file system on the bw not being able to handle "/". The automatic user import from the bw role into the CMC does not give you an option to replace the "/" character with anything else.
This should solve it:
- Go to the CMC double click the user. Delete the server part "KBE100/" and click save. Make sure the default system is set to "KBE100". The user should now be able to login from BPC with the user Smith.
Good luck,
Martin