Authentication ACS LDAP PEAP?

Hello
Could you tell me if it is possible to do 802.1X authentication with an LDAP server using PEAP MS-CHAP v2 (machine authentication)?
In fact, with the Windows external database, it works fine.
We use only machine authentication with VLAN assignment over PEAP.
Another thing: we want to use MAC Authentication Bypass for printers or other laptops... but we wonder if it could work with an external Windows database or LDAP?
Thanks for your help

No, this isn't possible, as LDAP servers do not support MS-CHAP v1 or v2.
You'd need something that can carry a plain-text password inside the EAP tunnel, like EAP-GTC.

Similar Messages

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs in our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it works fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges, to narrow down how many profiles I will have to manually create. Likewise, our account admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Error in authentication with ldap server with certificate

    Hi,
    I have a problem with authentication to an LDAP server with a certificate.
    Here I am using the Java API to authenticate.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
    I issued a new certificate which has a validity of up to 5 years.
    Will Java authenticate for up to one year only?
    Can anybody help with this issue...
    Regards
    Ranga

    Sorry, I am getting the same error
    javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    Here, when I am using the old certificate and changing the system date, I can get the authentication.
    Can you tell where we can concentrate to solve the issue..
    Where is the issue:
    1. need to check with the LDAP server only
    2. problem in the Java code only.
    Thanks in advance
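A "timestamp check failed" from Java's PKIX validator means the validator's clock falls outside the notBefore/notAfter window of some certificate in the chain, not that Java caps validity at one year. The Python check below is an added example (not the poster's Java code): it performs the same comparison Java does, on a chain that is constructed here for illustration, and it separates the two usual causes, a client clock behind a freshly issued certificate and an issuer certificate that expires before the leaf. The date strings use the format `ssl.getpeercert()` returns; `CHAIN`, the subjects and the dates are assumptions of the example.

```python
"""Which certificate in a chain makes a PKIX 'timestamp check failed' fire, and
why. Added example (not the poster's Java code); the chain is constructed."""
import ssl
import time

CHAIN = [  # leaf first, as a server presents it (constructed sample data)
    {"subject": "CN=ldap.example.net",   "notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2029 GMT"},
    {"subject": "CN=Example Issuing CA", "notBefore": "Jan  1 00:00:00 2019 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"},
    {"subject": "CN=Example Root CA",    "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

def at(cert_time):
    """'Mon DD HH:MM:SS YYYY GMT' (getpeercert() format) -> seconds since the epoch, UTC."""
    return ssl.cert_time_to_seconds(cert_time)

def timestamp_problems(chain, now=None, skew=0):
    """Every (subject, reason) whose validity window excludes `now`. A non-zero
    `skew` tolerates that many seconds of clock drift, which is how you tell a
    just-issued certificate apart from a client whose clock is simply behind."""
    now = time.time() if now is None else now
    problems = []
    for cert in chain:
        not_before, not_after = at(cert["notBefore"]), at(cert["notAfter"])
        if now + skew < not_before:
            problems.append((cert["subject"], "not yet valid until " + cert["notBefore"]))
        elif now - skew > not_after:
            problems.append((cert["subject"], "expired at " + cert["notAfter"]))
    return problems

def diagnose(chain, now=None):
    """One line a helpdesk can act on: which certificate, and whether to fix the
    clock or renew. A five-year leaf does not help if an issuer expires first."""
    probs = timestamp_problems(chain, now)
    if not probs:
        return "OK: every certificate in the chain is within its validity period"
    return "; ".join(subject + " " + reason for subject, reason in probs)

if __name__ == "__main__":
    for when in ("Feb  1 00:00:00 2024 GMT", "Jun  1 00:00:00 2025 GMT", "Jun  1 00:00:00 2027 GMT"):
        print(when, "->", diagnose(CHAIN, at(when)))
```

Run against a real server, replace `CHAIN` with the certificates from the handshake (the leaf from `getpeercert()` plus the issuers from the trust store); the poster's symptom, working only after the system date is moved, is exactly the first case, where `now` sits before the new certificate's notBefore.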

  • Shared Services External Authentication using LDAP in 9.3.1

    Hi,
    I have installed Hyperion Shared Services with the native directory, and I am now planning to set up external authentication using LDAP. I need some guidance on understanding how external authentication works.
    Questions:
    1. Is it possible to set up Shared Services to use both the Native and an LDAP user directory? What I mean is that some users will be able to log in using the Native directory, and some others will need to log in using a User Directory (external authentication).
    2. For a User Directory (say we use LDAP), when a user is added into Shared Services, can they be assigned to groups created in the Native directory? We want to explore using just external authentication and defining all of the groups within Shared Services.
    If that is not possible, can we manage the groups of the User Directory using Shared Services? How do groups work with external authentication?
    Any feedback would be much appreciated.
    Thanks,
    Lian

    Hi,
    Yes, you can use both Native and external authentication. When you add the external provider, the Native directory is left there by default anyway.
    Yes, you can add your external users to Native groups. You can also provision the groups in AD if you wish.
    Gee

  • SAP J2EE Engine -Config Tool authentication test(LDAP only)

    Hello. Can I know what causes the directory server authentication test (LDAP only) in the SAP J2EE Engine Config Tool to fail to authenticate?
    The error message I got was: authentication failed: Unprocessed Continuation Reference(s).
    Please advise.

    Hi,
    what kind of directory server are you using?
    I'm not sure, but it is possible that your DS uses referrals, returns a referral to your client, and the client does not follow them. Do you have any referrals configured?
    Cheers

  • How can I implement Authentication in LDAP

    How can I implement authentication in LDAP?

    Hi,
    If you're using JAAS, then use NTLoginModule in your conf file and your own defined CallbackHandler for validating and obtaining the Subject (the user connected to your domain).
    Remember the user is the one which the code obtains when you log in to your domain-based machine.
    Apart from this, Apache HTTP Server also provides you with a popup window asking for the user's credentials when you set the SSPIDomain in the httpd.conf file.
    httpd.conf
    ========
    <Location /Seet/servlet/>
        # mod_auth_sspi: authenticate against the Windows domain seet190.
        # (AllowOverride is only valid in <Directory> sections, so it is left out here,
        # and SSPIAuth On is listed once.)
        AuthName "seet190 auth"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain seet190
        Require valid-user
        # Apache 2.2-style host access control
        Order allow,deny
        Allow from all
    </Location>
    seet190 is the domain name
    Actually, so far in the Security Forum, you might refer to some of the replies posted for more help, but actual LDAP authentication can be done by passing the user's info too.
    HTH,
    Seetesh

  • APEX 3.2:  Switching between APEX authentication and LDAP?

    I'm building an APEX 3.2 application that has to be deployed automatically to the target environments (by executing the APEX export SQL in the relevant parsing schema).
    One problem is that different environments will have to use different authentication mechanisms:
    Development and System Test will use simple APEX authentication (i.e. APEX users).
    Acceptance Test and Production will use LDAP via OID for single sign-on.
    So how do I set the application up so that it can switch from APEX authentication to LDAP authentication if it is in the Acceptance Test or Production environments?
    My customers seem very reluctant to have a manual step in the process e.g. to switch the authentication scheme for the application after installation, so I need to find a way to do this automatically if possible.
    Any suggestions?
    Thanks.
    Chris

    Chris,
    We do something similar, in that we dynamically switch authentication based on the application you're trying to log in to. Basically, you need to set up a custom authentication procedure which checks which system you're in, and then validates the user appropriately.
    Does that help?
    -David

  • PEAP authentication to LDAP

    Hi,
    I have a working WLAN solution that uses PEAP (1252 APs, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1); this works fine.
    We are trying to also get authentication working to our LDAP server; however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server, looking at our LAN sniffer logs.
    Any ideas? Thanks, Tim.

    You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via Zero Config. You have to use a client such as Intel PROSet, Juniper Odyssey, or Cisco Secure Services Client.
    See http://en.wikipedia.org/wiki/EAP-TLS#PEAPv1.2FEAP-GTC for more info about EAP.
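The answer at the top of the page (MS-CHAP v2 cannot be checked against LDAP; carry a plain-text password in the tunnel with EAP-GTC instead) and the "Authentication type not supported by external DB" error in this thread have the same root cause, and the Python model below is added here to show it; it is not code from either thread or from Cisco ACS. With MS-CHAPv2 the AAA server receives only a challenge and a response, and verifying that response requires the user's password-equivalent (the NT hash), which Active Directory holds but a generic LDAP directory storing {SSHA} userPassword cannot supply; all that directory offers is a simple bind, which needs the cleartext. Assumptions of the example: the directory entries, the AD hash store, and the use of SHA-256/HMAC in place of the MD4 and DES steps of RFC 2759 so the block runs on the standard library (the byte values are therefore not real MS-CHAPv2 values, but the dependency structure is the same).

```python
"""Model of why PEAP/MS-CHAPv2 cannot be verified against a plain LDAP server
while EAP-GTC (or PAP) can. Constructed example; not ACS or Cisco code."""
import base64
import hashlib
import hmac
import os

# -- A non-AD LDAP directory with {SSHA} userPassword (constructed sample) --
# The server can test a cleartext password against {SSHA}, but nothing in the
# entry can reproduce the NT hash (MD4 of the UTF-16LE password) that the
# MS-CHAPv2 response is derived from.

def ssha_hash(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_check(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

DIRECTORY = {  # DN -> userPassword (constructed)
    "cn=host1,ou=machines,dc=example,dc=net": ssha_hash("machine-secret", b"\x9a\x11\x07\x42"),
}

def ldap_simple_bind(dn: str, password: str) -> bool:
    """The only credential check a generic LDAP server offers: cleartext in, yes/no out."""
    stored = DIRECTORY.get(dn)
    return stored is not None and ssha_check(password, stored)

# -- Stand-in for the supplicant side of MS-CHAPv2 (RFC 2759 structure) -----
# Real values: NTHash = MD4(UTF-16LE(pw)); NT-Response = three DES operations
# over SHA1(peer_challenge | auth_challenge | user)[:8], keyed from NTHash.
# SHA-256/HMAC replace MD4/DES here so the block runs on the standard library;
# the shape of the problem (the verifier needs the hash) is unchanged.

def nt_hash_equivalent(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    return hashlib.sha1(peer_challenge + auth_challenge + user.encode("ascii")).digest()[:8]

def nt_response(password: str, peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    return hmac.new(nt_hash_equivalent(password),
                    challenge_hash(peer_challenge, auth_challenge, user), hashlib.sha256).digest()

# -- What the AAA server (ACS) sees and can do with each backend ------------
AD_STORE = {"host1": nt_hash_equivalent("machine-secret")}  # AD keeps the NT hash itself

def verify_mschapv2(store: dict, user: str, peer_challenge: bytes,
                    auth_challenge: bytes, response: bytes) -> bool:
    """Works only when the backend can hand the verifier a password-equivalent."""
    equiv = store.get(user)
    if equiv is None:
        return False
    expected = hmac.new(equiv, challenge_hash(peer_challenge, auth_challenge, user),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def authenticate(inner_method: str, backend: str, user: str, dn: str, **cred) -> str:
    """Decision the RADIUS server can make: ACCEPT, REJECT or UNSUPPORTED."""
    if inner_method == "MSCHAPv2":
        if backend == "AD":
            ok = verify_mschapv2(AD_STORE, user, cred["peer_challenge"],
                                 cred["auth_challenge"], cred["response"])
            return "ACCEPT" if ok else "REJECT"
        # LDAP: ACS holds a challenge and a response but no cleartext to bind
        # with, and the directory returns nothing it could recompute the
        # response from -> "Authentication type not supported by external DB".
        return "UNSUPPORTED"
    if inner_method in ("GTC", "PAP"):
        # EAP-GTC/PAP carry the cleartext inside the TLS tunnel, so ACS can bind.
        return "ACCEPT" if ldap_simple_bind(dn, cred["password"]) else "REJECT"
    return "UNSUPPORTED"

if __name__ == "__main__":
    user, dn = "host1", "cn=host1,ou=machines,dc=example,dc=net"
    pc, ac = os.urandom(16), os.urandom(16)
    resp = nt_response("machine-secret", pc, ac, user)
    print(authenticate("MSCHAPv2", "AD", user, dn, peer_challenge=pc, auth_challenge=ac, response=resp))
    print(authenticate("MSCHAPv2", "LDAP", user, dn, peer_challenge=pc, auth_challenge=ac, response=resp))
    print(authenticate("GTC", "LDAP", user, dn, password="machine-secret"))
```

The trade-off the model makes visible: moving to EAP-GTC or PAP inside PEAP/EAP-FAST puts the cleartext on the AAA server, so the server-side TLS certificate validation by the supplicant becomes the only thing standing between the password and a rogue access point.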

  • ACS 5.1 - AD Authentication vs LDAP

    Any help on this subject would be great.
    I can manage to get my account logging into the Cisco switch through the Active Directory setup in External Identity Stores, but not with my LDAP setup. Here are some logs from the successful login and the unsuccessful login with LDAP.
    AD-SETUP
    Selected Identity Store - AD1
    Current Identity Store does not support the authentication method; Skipping it.
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; Identity Sequence continuing
    Authenticating user against Active Directory
    User's Groups retrieval from Active Directory succeeded
    User authentication against Active Directory succeeded
    Authentication Passed
    Access Policy
    Access Service: Default Device Admin
    Identity Store: AD1
    Selected Shell Profile: Privilege Mode
    Active Directory Domain: Blah.com
    Identity Group:
    Access Service Selection Matched Rule: Rule-2
    Identity Policy Matched Rule: Default
    Selected Identity Stores: AD1
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule:
    Authorization Policy Matched Rule: Rule-1
    The only issue with this setup is that I can only add the domain, for example blah.com, and I get massive latency, since the authentication process goes across state to other domain controllers instead of the local ones.
    I can tell from the AAA STATUS in the monitoring dashboard, because the latency is around 8000 ms, and from the slow login on the switch.
    LDAP-SETUP
    In my LDAP setup I point a primary and secondary hostname closer to home to avoid latency. I do a bind test, which returns successful on both hosts. I set up my Directory Organization tab and do a test configuration, and get a return of Group > 100, Subject > 100.
    I reset my identity stores to LDAP instead of AD and try again, but for some reason I get error 22056 subject not found! I just can't work this out; here are the details:
    Matched rule
    Selected Access Service - Default Device Admin
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store -
    Current Identity Store does not support the authentication method; Skipping it.
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; Identity Sequence continuing
    Sending request to primary LDAP server
    Authenticating user against LDAP Server
    User search ended with an error
    Primary server failover. Switching to secondary server
    Sending request to secondary LDAP server
    Authenticating user against LDAP Server
    User not found in LDAP Server
    Subject not found in the applicable identity store(s).
    The advanced option that is configured for an unknown user is used.
    The 'Reject' advanced option is configured in case of a failed authentication request.
    Returned TACACS+ Authentication Reply
    Are there any ideas what I can try so it can find my account like the AD structure did? Ideas please?
    cheers

    Hi JG,
    Thanks for replying to my post. I am currently using the Softerra LDAP Administrator software to verify the base DN structure. I now run the test configuration button and I get a return of 1 Group and 1 Subject, which is correct for the settings I have chosen.
    So LDAP is now seeing my group and seeing my AD user, but I still have the same problem when trying to log into my network device. The user is not found?
    Can you help with anything else I might need to check, JG? This is driving me and everyone else in the office up the wall. Let me know if you would like some screenshots.
    Regards
    Ed

  • ACS - LDAP TCP Keepalive (v5.2)

    reposting with a subject including v5.2:
    Hello
    I have an ACS 4.2.1.15 patch 3 and a Novell NetWare LDAP server separated by a firewall. The firewall's default TCP session timeout is 3600 seconds.
    When no LDAP request is made for over one hour, the firewall drops the connection from its table. The problem is that the ACS server thinks the connection is still open. When it tries to send an LDAP query, this results in retransmissions and finally a RST... On the user side the authentication attempt fails (timeout).
    I tried to enable TCP keepalives on the Windows server side, but this has no effect on the LDAP connections used by ACS.
    Is there any possibility to enable keepalives in ACS?
    Thanks in advance for any help!

    Javier Henderson, Dec 28, 2010 5:54 PM, in response to Zentraler Informatikdienst
    Re: ACS 4.2 - LDAP TCP Keepalive
    You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed in 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.

    Juergen Meier, Jan 17, 2011 5:46 AM, in response to Javier Henderson
    Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
    Apparently this bug has reappeared in ACS 5.2 (5.2.0.26). ACS reuses stale TCP connections many hours after the last TCP packet was sent.
    It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails because the TCP connection timed out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.
    Furthermore, ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.
    A new ticket will be filed with TAC today.

    ROB SCHIERON, Feb 14, 2011 10:29 PM, in response to Juergen Meier
    Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
    I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through an F5 load balancer to a pair of Sun directory servers.
    Did you make any progress with your TAC case?
    Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
    # show tech-support | i ldap | i tcp
    ldap            389/tcp
    ldaps           636/tcp                         # LDAP over SSL
    tcp        0      0 exc2-acscor-1401:53892      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53893      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53890      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53891      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53889      acs.ldapunix..co:ldap ESTABLISHED
    Also try adjusting "Max. Admin Connections" for LDAP.
    From the admin guide:
    LDAP Connection Management
    ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
    ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
    If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
    After the authentication process is complete, the connection manager releases the connection to the connection manager.
    I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
    Cheers
    R.
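The thread describes a pooled connection that a stateful firewall has silently forgotten: the admin guide's pool only notices a connection the LDAP server closed, while a middlebox that drops state sends nothing, so the next query is retransmitted until TCP gives up and the user sees a timeout. Two mitigations a practitioner controls on their own AAA software (ACS itself exposes neither knob, which is the complaint) are shown in the Python block below, added here and not ACS or Cisco code: kernel TCP keepalives with an idle time shorter than the firewall's session timeout, and a pool that refuses to reuse a connection idle longer than that timeout or one that fails a cheap probe. The `connect` and `probe` callables, the fake clock and the `FakeConn` class are assumptions of the example so the pool can be exercised without a directory; the socket helpers operate on real TCP sockets.

```python
"""Pooling LDAP connections without reusing one a stateful firewall has already
dropped. Added example, not ACS code. `connect` and `probe` are injected so the
pool logic can be exercised without a directory."""
import socket
import time

def enable_tcp_keepalive(sock, idle=300, interval=30, count=3):
    """Have the kernel probe an idle connection before the firewall's session
    timeout (3600 s in the thread) expires: first probe after `idle` seconds,
    then every `interval` seconds, giving up after `count` misses. Option names
    differ per OS (TCP_KEEPIDLE on Linux, TCP_KEEPALIVE on macOS), so only the
    constants this platform defines are set."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPALIVE", idle),
                        ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock

def keepalive_enabled(sock):
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

def new_keepalive_socket(idle=300):
    """Unconnected TCP socket with keepalive configured. connect() it to the
    directory (389/636) afterwards with a short timeout, so a black-holed peer
    cannot stall the authenticating user for the full TCP retransmission time."""
    return enable_tcp_keepalive(socket.socket(socket.AF_INET, socket.SOCK_STREAM), idle=idle)

class LdapConnectionPool:
    """Keeps bound connections for reuse, but:
    - never hands back one idle longer than `max_idle` (set this below the
      shortest session timeout on any firewall/IPS/load balancer in the path),
      because a packet sent on it gets no reply until TCP gives up;
    - runs `probe` (a cheap search, e.g. of the RootDSE, with a short timeout)
      on the candidate before reuse, so a connection the server or a middlebox
      reset is dropped instead of surfacing as a bogus authentication failure."""
    def __init__(self, connect, probe, max_idle, clock=time.monotonic):
        self.connect, self.probe = connect, probe
        self.max_idle, self.clock = max_idle, clock
        self._idle = []          # (connection, time last released)
        self.stats = {"opened": 0, "reused": 0, "discarded_idle": 0, "discarded_probe": 0}

    def acquire(self):
        while self._idle:
            conn, released_at = self._idle.pop()
            if self.clock() - released_at > self.max_idle:
                self.stats["discarded_idle"] += 1   # no I/O on it: closing is the only safe move
                self._close(conn)
            elif not self.probe(conn):
                self.stats["discarded_probe"] += 1
                self._close(conn)
            else:
                self.stats["reused"] += 1
                return conn
        self.stats["opened"] += 1
        return self.connect()

    def release(self, conn):
        self._idle.append((conn, self.clock()))

    @staticmethod
    def _close(conn):
        try:
            conn.close()
        except (OSError, AttributeError):
            pass

def simulate(max_idle=3000):
    """Replay the thread's scenario with a fake clock (constructed): reuse within
    the window, discard after an hour-plus gap, discard when the probe fails."""
    clock = [0.0]
    class FakeConn:
        alive, closed = True, False
        def close(self): self.closed = True
    pool = LdapConnectionPool(FakeConn, lambda c: c.alive, max_idle, clock=lambda: clock[0])
    c1 = pool.acquire(); pool.release(c1)
    clock[0] = 100;  pool.release(pool.acquire())            # within max_idle: reused
    clock[0] = 4000; c2 = pool.acquire(); pool.release(c2)   # c1 stale: closed, new conn
    clock[0] = 4100; c2.alive = False; c3 = pool.acquire()   # probe fails: closed, new conn
    return dict(pool.stats, first_closed=c1.closed, second_closed=c2.closed, third_open=not c3.closed)
```

Issue the user search and the following bind on the same acquired connection; the thread notes that ACS spreads them over different connections, which doubles the chance that one of the two hits a dead socket.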

  • ACS LDAP authentication - restrict to only certain LDAP users?

    I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.
    I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP usernames/passwords. Command logging and authorization also appear to be working, as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.
    Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I only want a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.
    Can I create an LDAP filter someplace in ACS that specifies only XXX users can authenticate against LDAP and denies all other users?
    Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know.....I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.
    I'm running ACS v4.2.0.124.

    Sure, add the allowed users to a group in ACS, then use a NAR to restrict what devices they can get to. This link might help as well.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6
    Hope that helps.

  • ACS - LDAP or AD

    Hi people,
    Currently I have 4 ACSs synced with AD.
    Due to a security concern we are thinking of going to LDAP.
    I can't find exactly what I'll lose/gain with each method.
    Can someone provide more information?
    Thanks!

    Chen,
    You lose the ability to fail over to more than two servers in your deployment. If your ACSs are spread across all datacenters, you do not have the ability to configure separate LDAP servers for each DC either. ACS and AD operations rely on Sites and Services so that the closest DC based on this configuration is preferred.
    If password management for remote access VPN (AnyConnect) is desired you need MS-CHAP to accomplish this; LDAP does not support this protocol.
    Also, if you are using 802.1X, there are only a few EAP authentication methods, referenced here, that support LDAP.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    Tarik Admani
    *Please rate helpful posts*

  • ACS Radius + Peap + MSChapV2

    I am using a wireless setup:
    Aironet 1100, ACS 4.0, 3rd-party client adapter.
    I am able to connect to my wireless network by keying in the username and password created in the ACS user setup, and also by using a self-signed certificate from the ACS.
    Doubts: in the ACS logs, RADIUS accounting is empty.
    Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake".
    But I am able to authenticate my users successfully into the wireless network. What went wrong?

    Hi
    Try enabling the Passed Authentications report and see what's in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
    For example, a re-key authentication requires SSL state on the ACS; it could be that the supplicant and ACS have to revert to performing a full authentication.
    I'm guessing, but it is entirely possible to have entries in the failed attempts and still get access.
    Darran

  • ASA Remote Access Authentication with LDAP Server

    Thank you in advance for your help.
    I am configuring an ASA to authenticate with an LDAP server for IPsec VPN access. My customer has 3 networks that are to be accessed by remote users. However, they want to be able to say that one user can get to 2 of the networks and not the 3rd. So basically they want control over which network behind the firewall each user can access. This seems doable from my reading, and I had planned on creating a group for each network that needs to be accessible and doing attribute maps to each group, with a separate group created on the LDAP server for authentication. Basically an LDAP group on the LDAP server that will have the user's name in the group in order for access. I can restrict access via ACLs or filtering to force my group to only be allowed access to a specific network. Here is the problem I am having now.
    The LDAP server has been created and seems to be working fine. I have created my AAA groups and servers and I have done the LDAP test with a test user vpntest and a password on the LDAP server. When I run the authentication test from the ASDM or command line I get a good "authentication successful" message. So I configured a VPN client remotely and attempted to authenticate to this group, and it says there is no user by that name. Below is a paste of the debug. The second part is when I did a successful test from the ASDM or CLI and it worked great. The first part is when I attempted from the VPN client. It all looks the same from the search criteria. What am I missing here, or does anyone more knowledgeable see anything that I am doing wrong? Can this be done this way, or should I try RADIUS? The customer was just adamant about using LDAP.
    extvpnasa5510#
    [243] Session Start
    [243] New request Session, context 0xd5713fe0, reqType = 1
    [243] Fiber started
    [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [243] supportedLDAPVersion: value = 2
    [243] supportedLDAPVersion: value = 3
    [243] No Login DN configured for server 130.18.22.44
    [243] Binding as administrator
    [243] Performing Simple authentication for  to 130.18.22.44
    [243] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [243] User DN = [uid=vpntest,ou=employees,o=msues]
    [243] Talking to iPlanet server 130.18.22.44
    [243] No results returned for iPlanet global password policy
    [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
    [243] Session End
    extvpnasa5510#
    [244] Session Start
    [244] New request Session, context 0xd5713fe0, reqType = 1
    [244] Fiber started
    [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
    [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
    [244] supportedLDAPVersion: value = 2
    [244] supportedLDAPVersion: value = 3
    [244] No Login DN configured for server 130.18.22.44
    [244] Binding as administrator
    [244] Performing Simple authentication for  to 130.18.22.44
    [244] LDAP Search:
            Base DN = [ou=employees,o=msues]
            Filter  = [uid=vpntest]
            Scope   = [SUBTREE]
    [244] User DN = [uid=vpntest,ou=employees,o=msues]
    [244] Talking to iPlanet server 130.18.22.44
    [244] Binding as user
    [244] Performing Simple authentication for vpntest to 130.18.22.44
    [244] Processing LDAP response for user vpntest
    [244] Authentication successful for vpntest to 130.18.22.44
    [244] Retrieved User Attributes:
    [244]   sn: value = test user
    [244]   givenName: value = vpn
    [244]   uid: value = vpntest
    [244]   cn: value = vpn test user
    [244]   objectClass: value = top
    [244]   objectClass: value = person
    [244]   objectClass: value = organizationalPerson
    [244]   objectClass: value = inetOrgPerson
    [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
    [244] Session End

    Hi Larry,
    You can map AD group memberships to specific group policies on the ASA; you can find that configuration here:
    - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
    Let me know if further assistance is required!
    Please proceed to rate and mark as correct the helpful post!
    Regards,
    David Castro
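The debug above is a search-then-bind flow: bind with the login DN (anonymous here, since none is configured), search the base DN for `uid=vpntest`, take the returned DN, then bind as that DN with the user's password and read attributes. In the first session the trace stops after the user DN is found (status=-1, no "Binding as user"); the second completes both steps. The Python model below is added here to show that flow together with the attribute-map step the reply points to; it is not ASA code, and the directory entries, group DNs, policy names and the `NOACCESS` fallback are assumptions of the example (the deny-by-default pattern corresponds to an ASA group-policy with `vpn-simultaneous-logins 0`).

```python
"""Search-then-bind authentication with an attribute map, the flow the ASA
debug above shows. Added model, not ASA code; the directory entries and group
names are constructed."""
import hmac

DIRECTORY = [  # constructed iPlanet-style entries
    {"dn": "uid=vpntest,ou=employees,o=msues", "uid": "vpntest", "userPassword": "Passw0rd!",
     "memberOf": ["cn=net1-users,ou=groups,o=msues", "cn=net2-users,ou=groups,o=msues"]},
    {"dn": "uid=alice,ou=employees,o=msues", "uid": "alice", "userPassword": "s3cret",
     "memberOf": ["cn=staff,ou=groups,o=msues"]},
]

# Same idea as an ASA "ldap attribute-map" from memberOf values to a
# group-policy; a user with no mapped group lands in the deny policy (on the
# ASA: a NOACCESS group-policy with vpn-simultaneous-logins 0).
ATTRIBUTE_MAP = {
    "cn=net1-users,ou=groups,o=msues": "GP_NET1",
    "cn=net2-users,ou=groups,o=msues": "GP_NET2",
    "cn=net3-users,ou=groups,o=msues": "GP_NET3",
}
DENY_POLICY = "NOACCESS"

def ldap_search(base_dn, naming_attr, value):
    """Step 1 (after the login-DN bind): locate the user's DN under the base DN, scope SUBTREE."""
    return [e for e in DIRECTORY
            if e["dn"].endswith("," + base_dn) and e.get(naming_attr) == value]

def ldap_bind(dn, password):
    """Step 2: simple bind as that DN with the password the VPN client sent."""
    for entry in DIRECTORY:
        if entry["dn"] == dn:
            return hmac.compare_digest(entry["userPassword"].encode(), password.encode())
    return False

def authenticate(username, password, base_dn="ou=employees,o=msues", naming_attr="uid"):
    """Returns the decision plus the group policies derived from memberOf."""
    hits = ldap_search(base_dn, naming_attr, username)
    if len(hits) != 1:   # the "no user by that name" outcome: wrong base DN or naming attribute
        return {"result": "REJECT", "reason": "user DN not found (or not unique) under " + base_dn}
    entry = hits[0]
    if not ldap_bind(entry["dn"], password):
        return {"result": "REJECT", "reason": "bind as " + entry["dn"] + " failed"}
    policies = [ATTRIBUTE_MAP[g] for g in entry.get("memberOf", []) if g in ATTRIBUTE_MAP]
    return {"result": "ACCEPT", "dn": entry["dn"], "group_policies": policies or [DENY_POLICY]}

if __name__ == "__main__":
    print(authenticate("vpntest", "Passw0rd!"))
    print(authenticate("alice", "s3cret"))
    print(authenticate("vpntest", "Passw0rd!", base_dn="ou=contractors,o=msues"))
```

The two REJECT reasons are worth keeping distinct in real logs: a failed search (no DN, or more than one) is a configuration problem with the base DN, scope or naming attribute on the requesting path, while a failed bind is a credential problem, and only the first kind is independent of the password the user typed.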

  • PL SQL Web Service Authentication through LDAP

    I have created a PL/SQL web service and I would like to provide token security through LDAP.
    I have configured LDAP for the deployed web service in Oracle iAS 10.1.3.
    Problem description: <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://dbconnection1/MobileWebService.wsdl/types/"><env:Body><env:Fault><faultcode>env:MustUnderstand</faultcode><faultstring>SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security</faultstring></env:Fault></env:Body></env:Envelope>
    I have provided LDAP authentication through the Oracle iAS setup.
    Please help
