Authentication on a Windows Domain
Okay, I am not only new here, but new to the Mac world, so if this is in the wrong forum, please don't flame me like Windows users do.
I administer a network (ALL Windows machines) of about 300 PCs and 6 servers. Our PR lady had been using Vista for a while. It was a nice machine, but frankly, Vista *****. I spent more time dealing with her machine than all the other computers combined.
She likes Macs, uses one at home. I love my little MacBook at home but just use it for basic home needs. I was very excited to get our first Mac on campus (oh, sorry, I administer a K-12 school's network).
So it is here and it is the most lovely machine I have ever seen. I'm drooling. It found all the network settings automatically, which was nice. But what I need more than anything is some way to authenticate to my network. Meaning, her username and password and our domain.
Our firewall looks at who is logged in and based upon who is logged in (based upon the information it gathers from my Active Directory server) it allows access to services and websites or prohibits. Student logins are more restrictive, Staff logins are more lax. No login is assumed a guest and is almost locked down. Since she is not 'logged in' to this iMac, she has very limited access to the internet...
I'll post this in another forum, but I am also looking at some sort of VM software (VMware, Parallels, etc.) that will allow me to pull her Vista 'image' off her machine and slap it on the iMac. She has LOAD$ of Adobe software on her Vista machine and it would be nice to not have to reload it all, and start from scratch with getting access to her Vista machine on her Mac...
Again, I am new to Apple so sorry for my lack of knowledge and poor choice of words.
Jamison
You can bind the Mac to AD in a similar way to binding Windows clients to AD.
Check this link it may help.
http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c7od44.html
There should be plenty of Info if you Google about a bit.
If this plugin does not give you enough facilities there are third party plugins that may help such as AdmitMac.
regards
Similar Messages
-
Windows domain authentication on Oracle Secure Global Desktop
Hello,
I upgraded my Oracle Secure Global Desktop from version 4.62 to version 5.1.
The problem is, I was using Windows Domain Authentication in 4.62 and this kind of authentication is not available in the 5.1 version.
So now, my users cannot log in to the application.
Do you have a solution?
Thanks
What are you authenticating to specifically? An AD server? Are you using any of the authentication mechanisms now supported?
http://docs.oracle.com/cd/E41492_01/E41495/html/sgd-authentication.html#system-authentication-mechanisms-table -
Hello
We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?
Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN suffixes that can be configured to include domain.com and student.domain.com.
Here is a Windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
http://technet.microsoft.com/en-us/library/cc772007.aspx
Thanks,
Tarik Admani
*Please rate helpful posts* -
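The realm-handling problem in the question above can be modelled in a few lines. The following is an added example, not ISE or Cisco code: it assumes a RADIUS server joined to a constructed domain win.mydomain and shows why a request carrying a UPN suffix the forest does not publish fails before any domain controller is asked, and what changes once the alternative suffixes are registered (the fix the reply points to). The realm-stripping branch models the ACS-style workaround mentioned in the question.

```python
"""Realm handling between a RADIUS server and the AD forest it is joined to.
Added model for the thread above, not ISE code; domain names and suffixes are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class ADJoin:
    """What the RADIUS server knows about the forest it joined (constructed values)."""
    dns_domain: str                 # e.g. "win.mydomain", the joined domain
    netbios: str                    # e.g. "WIN"
    alt_upn_suffixes: Set[str] = field(default_factory=set)  # extra UPN suffixes published in AD

    def accepted_realms(self) -> Set[str]:
        return {self.dns_domain.lower(), self.netbios.lower()} | {
            s.lower() for s in self.alt_upn_suffixes
        }


@dataclass
class Decision:
    user: str
    realm: Optional[str]
    forwarded: bool     # True if the request is sent on to a domain controller
    reason: str


def parse_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm', 'REALM\\user' or a bare 'user' into (user, realm-or-None)."""
    if "\\" in identity:
        realm, user = identity.split("\\", 1)
        return user, realm.lower()
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
        return user, realm.lower()
    return identity, None


def resolve(identity: str, join: ADJoin, strip_realm: bool = False) -> Decision:
    """Decide whether the identity can be looked up in the joined forest at all.
    A realm the forest does not publish fails before AD is asked, which is the
    'User not found in Active Directory' symptom described in the thread."""
    user, realm = parse_identity(identity)
    if realm is None:
        return Decision(user, None, True, "bare username, looked up in the joined domain")
    if strip_realm:
        # Realm stripping: only safe when every realm really maps to the same forest,
        # otherwise two different users can collide on the same bare name.
        return Decision(user, None, True, f"realm '{realm}' stripped before lookup")
    if realm in join.accepted_realms():
        return Decision(user, realm, True, f"realm '{realm}' is known to the joined forest")
    return Decision(user, realm, False,
                    f"realm '{realm}' unknown: User not found in Active Directory")


if __name__ == "__main__":
    before = ADJoin("win.mydomain", "WIN")
    after = ADJoin("win.mydomain", "WIN", {"mydomain", "student.mydomain"})
    for ident in ("alice", "alice@win.mydomain", "alice@mydomain", "WIN\\alice"):
        print(f"{ident:22} before: {resolve(ident, before).forwarded!s:5} "
              f"after: {resolve(ident, after).forwarded}")
```

Realm stripping only holds up while every realm really is the same forest; add a second forest later and two different users collapse onto the same bare name, so registering the suffix in AD is the supported path. With PEAP the username authenticated against AD is the one inside the TLS tunnel; a proxy that rewrites only the outer identity does not change it, which is consistent with the behaviour the question describes.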
Machine authentication by certificate and windows domain checking
Hi,
We intend to deploy machine's certificate authentication for wifi users.
We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
We intend to use EAP-TLS :
- One CA server.
- each machine (laptop) retrieves its own certificate from GPO or SMS
- the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
- ACS version is the appliance one
- one ACS remote agent installed on the A.D.
- when a user intends to log on the wifi network :
- the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
- the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, certificate revocation list).
Am I right about these previous points ?
And then my question is : is it possible to check that the machine is also included in the windows domain ?
That is, is it possible for the ACS to retrieve the needed field (perhaps CN? certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.
Thanks in advance for your attention.
Best Regards,
Arnaud
Hi Prem,
Thanks for these inputs.
I've set the log detail level to full, performed other tests and retrieved the package.cab.
I've started investigating the 2 log files you pointed.
First, we can see that the requests reach the ACS, so that's a good point.
Then, I'm not sure how to understand the messages.
In the auth.log, we can see the message "no profile match". I guess it is about Network Access Profiles. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
But I'm not sure this NAP problem is the root cause of my problem.
And when no NAP is matched, then the default action should be accept.
We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
I don't know what CSDB is.
I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
I copy below an extract of the auth.log.
I also attach parts of auth.log and RDS.log.
Do you have any ideas or advice?
Thanks in advance for your attention.
Best Regards,
Arnaud
AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046 -
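The two checks the question asks about, certificate validity and membership in the Windows domain, are separate decisions. The following added example (not ACS code) shows them side by side and parses the auth.log extract above to recover the EAP identity. The directory and CRL contents are constructed; mapping host/<fqdn> to the computer account <HOST>$ follows the AD naming convention. Whether a given ACS version performs this lookup depends on its configuration, which the example does not claim to model.

```python
"""Machine-authentication decision: certificate validity plus domain membership.
Added illustration for the thread above, not ACS code. The auth.log extract is a
copy of the lines the poster shared; the directory and CRL data are constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

AUTH_LOG = """\
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
"""

# Constructed stand-ins for the AD computer accounts and the CA's CRL (revoked serials).
DIRECTORY: Dict[str, Dict[str, dict]] = {
    "lab.fr": {
        "NOMADEV2001$": {"enabled": True},
        "OLDLAPTOP$": {"enabled": False},
    }
}
REVOKED_SERIALS: Set[int] = {0x1A2B}

USER_RE = re.compile(r"User-Name=(\S+)")
STATUS_RE = re.compile(r"status (-?\d+)")


def parse_auth_log(text: str) -> dict:
    """Extract the EAP identity, whether a profile matched, and the final status code."""
    info = {"user_name": None, "profile_matched": True, "status": None}
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            info["user_name"] = m.group(1)
        if "no profile was matched" in line:
            info["profile_matched"] = False
        m = STATUS_RE.search(line)
        if m:
            info["status"] = int(m.group(1))
    return info


def machine_identity(user_name: str) -> Optional[Tuple[str, str]]:
    """Map 'host/<fqdn>' to (sAMAccountName, DNS domain).
    AD names computer accounts as the short host name plus '$'."""
    if not user_name.startswith("host/"):
        return None
    fqdn = user_name[len("host/"):].lower()
    short, _, dns_domain = fqdn.partition(".")
    if not short or not dns_domain:
        return None
    return short.upper() + "$", dns_domain


def authorize_machine(user_name: str, cert_serial: int, cert_not_after: datetime,
                      directory: dict, revoked: Set[int], now: datetime) -> Tuple[bool, str]:
    """Allow only if the certificate is unexpired and not on the CRL AND the
    computer account exists and is enabled in the domain named in the identity."""
    if cert_not_after < now:
        return False, "certificate expired"
    if cert_serial in revoked:
        return False, "certificate revoked (serial listed on the CRL)"
    ident = machine_identity(user_name)
    if ident is None:
        return False, "not a machine identity (expected host/<fqdn>)"
    sam, dns_domain = ident
    account = directory.get(dns_domain, {}).get(sam)
    if account is None:
        return False, f"no computer account {sam} in {dns_domain}"
    if not account["enabled"]:
        return False, f"computer account {sam} is disabled"
    return True, f"{sam} authenticated as a member of {dns_domain}"


if __name__ == "__main__":
    info = parse_auth_log(AUTH_LOG)
    now = datetime(2007, 4, 7, 12, 25, 41, tzinfo=timezone.utc)
    not_after = datetime(2008, 1, 1, tzinfo=timezone.utc)
    print(info)
    print(authorize_machine(info["user_name"], 0x0001, not_after,
                            DIRECTORY, REVOKED_SERIALS, now))
```

The domain-membership step is what makes the difference between "this laptop holds a certificate from our CA" and "this laptop is still one of ours": a certificate stays valid until it expires or is revoked, while disabling or deleting the computer account takes effect at the next authentication.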
Android, Ipad authentication under windows domain environment
I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.
I had seen the Ipad download the ISE certificate the very first time the device is connected to the SSID. In Android device (Galaxy phone) I don’t see the device download certificate.
Testing with the Android device I was able to install the root CA certificate (a not easy procedure), then when the SSID is configured in the device I have the option to choice the root CA certificate.
Now if I don’t include the certificate in the SSID configuration, the device is able to connect with an Identity and Password only. If I include the certificate in the SSID configuration, the device ask for the certificate storage password if the option for use secure credentials is not enabled before.
How can I validate through the ISE the android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necesarity use certificates, but the Android device does not show anything.
I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I Right?
The customer said it appears the certificate is being used to encrypt the username and password not for do the authentication itself. Reading about EAP functionality I believe it is right, I understand the EAP-MSCHAP actually creates a tunnel to passthrough the username and password. Right?
As the Ipad and Android devices are not in the windows domain, what should be expected when the password is expired? Customer Policy indicates users must change domain passwords every four months. In a Windows PC users receive warnings some days before the expiration but it appears nothing happen in non-domain devices. A co-worker told me the easy way is that when this happen the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best practice work around?
I hope you can help me to clarify my doubts.
Regards.
Daniel Escalante
For client provisioning for Android you can refer to these guides:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10 -
Windows 7 and Windows 2008 authentication failed in Windows 2003 Domain
Hi,
We have a Domain with Windows 2003 and recently Windows 2008 Domain controllers were also added.
We are facing authentication failure for Windows 7 and Windows 2008 Domain members when user is trying to login.
Schema Master is on Windows 2003 and remaining roles on Windows 2008 Domain controller.
Windows XP clients login is working fine.
Problem is for Windows 7 and Windows 2008 Domain members login.
Any hint/solution will be really great help.
Pls share if you have any solutions.
Regards: Mahesh
Hi,
I found some more details about issue
Below are the events getting generated. It looks like it is due to an encryption mismatch between the Windows 2003 Domain and the Windows 7 and Windows 2008 clients. However I am looking for a solution if someone has tested this case.
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 26
Date: 08/06/2014
Time: 9:41:04 AM
User: N/A
Computer: AAAAAA
Description:
While processing an AS request for target service krbtgt, the account ADDADA$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 17. The accounts
available etypes were 23 -133 -128 3 -140.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 08/06/2014
Time: 9:34:17 AM
User: N/A
Computer: AAAAAA
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server ADADDFHDHDH$. The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the
target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAINNAME.COM), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Regards:Mahesh -
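The KDC event above states exactly which encryption types the client asked for and which keys the account holds; decoding the numbers makes the mismatch obvious. The following is an added example, not Microsoft tooling: it parses the posted Event ID 26 text (account names masked as in the post) using etype names from RFC 3961, RFC 3962 and RFC 4757; the negative values are Microsoft-private and are left unnamed.

```python
"""Decode a KDC Event ID 26 'no suitable key' message into etype names and a verdict.
Added illustration for the events posted above, not Microsoft tooling."""
import re
from typing import Dict, List, Tuple

# IANA Kerberos encryption type numbers (RFC 3961/3962/4757).
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 3, 23, 24}   # DES and RC4 families: deprecated or weak

# Copy of the event text the poster shared (account names already masked in the post).
EVENT_26 = """\
While processing an AS request for target service krbtgt, the account ADDADA$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 17. The accounts
available etypes were 23 -133 -128 3 -140.
"""

REQ_RE = re.compile(r"requested etypes were\s+([-\d\s]+?)\.")
AVAIL_RE = re.compile(r"available etypes were\s+([-\d\s]+?)\.")


def _ints(group: str) -> List[int]:
    return [int(tok) for tok in group.split()]


def parse_event_26(text: str) -> Tuple[List[int], List[int]]:
    """Return (etypes the client requested, etypes the account has keys for)."""
    req = REQ_RE.search(text)
    avail = AVAIL_RE.search(text)
    if not req or not avail:
        raise ValueError("not an Event ID 26 message")
    return _ints(req.group(1)), _ints(avail.group(1))


def etype_name(etype: int) -> str:
    if etype < 0:
        return "vendor-private"
    return ETYPE_NAMES.get(etype, "unassigned")


def diagnose(requested: List[int], available: List[int]) -> dict:
    """Explain the failure: the client only offered etypes for which the account has no key."""
    common = sorted(set(requested) & set(available))
    return {
        "common": common,
        "requested": [(e, etype_name(e)) for e in requested],
        "available": [(e, etype_name(e)) for e in available],
        "weak_available": sorted(e for e in available if e in WEAK_ETYPES),
        "verdict": (
            "ok: at least one shared etype" if common else
            "no shared etype: the account has no key of the requested kind; "
            "its keys need regenerating (a password change once AES is supported)"
        ),
    }


if __name__ == "__main__":
    req, avail = parse_event_26(EVENT_26)
    for key, value in diagnose(req, avail).items():
        print(f"{key}: {value}")
```

Etype 17 is AES128, which Windows 7 and Windows Server 2008 offer by default, while the account in the event holds only RC4 (23) and DES (3) keys plus private types. Windows generates AES keys for an account when its password is set on a domain that supports AES (Windows Server 2008 domain functional level or later), so accounts whose password predates that still have only RC4 and DES keys; checking the functional level and then resetting the affected account passwords keeps the strong etype in use, whereas forcing the clients back to RC4 restores logons by keeping the weak etypes alive.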
Java webservice client with windows domain authentication
I'm writing (well attempting to) a Java web service client using netbeans that consumes a web service written in C#, that uses NTLM authentication.
If I consume the web service from a .NET client, authentication isn't a problem; I can just pass the credentials in on an engine object.
eg engine.Credentials = System.Net.CredentialCache.DefaultCredentials.
Upon consuming this web service in Java, the Credentials method doesn't appear on the engine object as it does with its C# counterpart.
I assume that Java goes about a different way of doing windows domain authentication?
Cheers
For whatever reason it just seemed to start working.
-
Authenticating to Windows Domain for Printing
From my PowerBook, I'm trying to print to a printer in a Windows domain. I know how to connect and stuff, that is not the issue.
The issue is, when I first connected, it prompted me for my domain, domain ID & password. I entered the info and put a check mark in save password to keychain. But my fingers were too fast for my brain. I realized that I had made a typo but had pressed Enter already. And so, I can't print to that printer because it always denies my login.
I can't find where to edit my login info. I looked in the Keychain Access app but could not find the entry in there. Do you know how I can get the login box back to fix my login info?
Ron
I'm not sure what exactly fixed the problem.
Last night, I disconnected the printer from my pc and connected it to an external print server box that I borrowed. I was able to connect and print from my PowerBook.
I then reconnected the printer back to the pc (LPT1) and re-shared it. This time, in reconnecting the PowerBook to the printer, the login dialogue box reappeared and so my problem is fixed.
I would guess that the deletion of the initial share and re-sharing the printer forced the login box to come back. However, I'm not 100% sure.
Ron -
How to use CSACS 3.3 to authenticate users from multiple windows domain?
Can Cisco Secure ACS 3.3 be used to authenticate users from another Windows domain that is neither a child nor a trusted domain?
hello, here is my scenario:
ACS 3.3 was installed on a member server in domain1. I need to authenticate and ultimately populate the users into ACS from another domain. The service already works perfectly on just domain1, but now I need to authenticate users from another domain.
And adding those domains as trusted domains in domain1 is not an option.
Is Generic LDAP my only other option? Any config guides that you guys know with regard to doing this?
Any input is much appreciated.
Hi Betcy,
I am not familiar with sharepoint solutions, but as you mentioned about windows credentials I believe it refers to kerberos tokens. On this case you can take advantage of SPNego authentication.
You can find more details on following SAP note:
#[1488409|https://service.sap.com/sap/support/notes/1488409] - New SPNego Implementation
I hope it helps.
Kind regards,
Lisandro Magnus -
I'm doing some tests with an Air 1200 and some 352 PC cards for one of our customers.
With ACU ver. 4.25.23, I enabled LEAP authentication using the Windows user name and password.
LEAP authentication is successful, while Windows domain logon is not.
Not to mention that using a "normal" NIC, the logon succeeds.
Sniffing the packets that come out the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
However, after canceling the windows domain logon I have normal connectivity with the entire network.
Someone experienced that? Any help will be greatly appreciated.
Antonio Tassone
Sure.
My attempts to log on to a Windows domain using the same user/password for LEAP authentication and Windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client); indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry but it was some months ago).
Looking at the RADIUS server log, I found an error like " xxxxx DLL rejected".
Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
I regret I can't be more precise.
Regards. -
ISE and Two distinct Windows Domains
All,
I have a customer who wants to integrate ISE with two separate Windows Domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other, but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or disabling guest all together, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the RADIUS token external identity store to talk to a Cisco ACS server attached to the other domain.
Any help would be greatly appreciated
Thanks
Simon
Here's the list of which methods are supported when using different kinds of user databases:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140 -
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problem with this case; my sample diagram is like this: AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use Web-Auth method for end users
This is my configuration file on the Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is my log file on the RADIUS Win 2008 server:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So I will explain the problems I have seen:
SSID: DTS-Group using authentication EAP with RADIUS, and it is working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID: L6-Webauthen-test using web-auth, and I tried to combine it with RADIUS, but the ROOT CAUSE is that the AUTHENTICATION TYPE from Aironet to RADIUS is PAP by default. (Reason Code: 66)
=> I have been trying to find how to change the Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or something like that to combine with RADIUS.
Any idea or recommendation for me?
Thanks for looking at my case
Hi Dhiresh Yadav,
Many thanks for your reply,
I will explain again to clarify my problem.
In this case, I had completely set up SSID DTS-Group using PEAP authentication combined with a RADIUS server running on Windows 2008.
I logged in to the SSID with an account created in AD => It works okay for me. Done
The problem occurs when I try to use Web-authentication on Vlan45 with this SSID:
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configuring the Aironet and the Windows RADIUS, I tried to log in with an account created in AD via the web browser, but it failed (I see a mini popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
This is my log file on the RADIUS Win 2008 server:
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
I think the ROOT CAUSE is:
PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't combine with the RADIUS on Windows 2008 because they just support PEAP (CHAPv1, CHAPv2....) => Please give me a tip on how to change the Authentication Type from PAP to PEAP for Web Authentication on Aironet -
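Reason Code 66 is the NPS way of saying that the method in the Access-Request (here PAP, because the access point's web-auth portal relays the browser-entered credentials that way) is not on the matched policy's list. The following added example, not NPS or Cisco code, parses the posted event (masked as in the post) into section-qualified fields and compares the method used with a constructed policy definition that allows PEAP, as the thread states.

```python
"""Parse an NPS 'denied access' event and explain Reason Code 66 against the
network policy's allowed methods. Added illustration for the post above, not
Microsoft or Cisco tooling; the event text is a copy of the poster's log with
the same masking, and the policy definition is constructed."""
from typing import Dict

NPS_EVENT = """\
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Async
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Type: PAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
"""

# Constructed view of the network policy; the thread says it allows PEAP.
POLICIES = {"DTSWIRELESS": {"allowed_methods": {"PEAP", "EAP-MSCHAPv2"}}}


def parse_nps_event(text: str) -> Dict[str, str]:
    """Flatten the event into 'Section.Key' -> value so keys that repeat under
    different sections (Security ID, Account Name) do not collide."""
    fields: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ": " not in line:
            section = line[:-1]          # a section header such as "NAS:"
            continue
        if ": " not in line:
            continue                     # free-text banner lines
        key, value = line.split(": ", 1)
        fields[f"{section}.{key}" if section else key] = value.strip()
    return fields


def explain_denial(event: Dict[str, str], policies: dict) -> dict:
    """For Reason Code 66, show which method the NAS used and what the matched policy allows."""
    code = event.get("Authentication Details.Reason Code")
    used = event.get("Authentication Details.Authentication Type")
    policy_name = event.get("Authentication Details.Network Policy Name")
    nas = event.get("NAS.NAS Identifier")
    allowed = policies.get(policy_name, {}).get("allowed_methods", set())
    mismatch = code == "66" and used not in allowed
    return {
        "reason_code": code,
        "policy": policy_name,
        "used": used,
        "allowed": sorted(allowed),
        "mismatch": mismatch,
        "nas": nas,
        "advice": (
            f"NAS {nas} sent {used}; policy {policy_name} only allows {sorted(allowed)}. "
            "Either make the NAS use an allowed method or add a separate, tightly scoped policy."
        ) if mismatch else "not a method/policy mismatch",
    }


if __name__ == "__main__":
    for key, value in explain_denial(parse_nps_event(NPS_EVENT), POLICIES).items():
        print(f"{key}: {value}")
```

If the web-auth portal cannot be moved off PAP, the safer change is a second network policy scoped to that NAS and port type rather than adding PAP to the policy that also serves the 802.1X SSID: PAP carries the password inside the Access-Request protected only by the RADIUS shared secret, so it should be confined to the one NAS that needs it.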
ACS and Windows Domain / AD
Hi All,
In my environment there are two Windows Domains - Domain A and B. ACS is configured on a member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in the Configure Domain List on the ACS server in the Windows Domain configuration menu.
Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
Appreciate quick help on this.
-Satishcp
Unfortunately we are not using the Cisco Secure ACS Appliances, rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
My guess is Remote Agents for Windows / Solaris work with Appliances alone. -
Anybody done USERID/PASSWORD authentication against a Windows NT Domain?
I think I'll have to write a C++ Program to the WinNT API to do it
(LogonUser). Then I'll wrap it with a service object for authentication. Has
it been done before? Or something similar? We want to validate users against
a WindowsNT Server DOMAIN.
-martin ([email protected])
Hi Martin & All,
Yes you are right, wrap the API in C++/C then write a PEX file for interface to Forté and use the method to invoke the WinNT API authentication. Do not forget to validate the return values from the methods. They are very crucial in handling exceptions etc., in forte.
I've done the same to provide the mail user authentication in MAPI API wrapper for Forté.
Is this what you are looking for?
Regards,
Sivaram S Ghorakavi mailto:[email protected]
International Business Corporation http://www.ibcweb.com/
When doing a show transaction-log on a CE 560 running Application and Content Networking Software Release 4.1.3 the following line shows up:
"Windows domain is not logged with the authenticated username"
How do I turn this option on?
Thanks.
Thanks for the info. That works great. The only problem now is that it won't stick between reboots of the cache. I tried copy running-config startup-config and also tried to save the config via the GUI, but this option seems to get turned off once the cache reboots.
Any ideas on getting this turned on permanently.