Authentication on port 25 for those who telnet to 25

Hi all,
How can I force users who are trying to relay mail through port 25 by telnet to authenticate?
regards

adeelarifbhatti wrote:
How can I force users who are trying to relay mail through port 25 by telnet to authenticate?
Refer to the existing thread on the same topic:
http://forums.sun.com/thread.jspa?threadID=5344424
Regards,
Shane.

Similar Messages

  • Xserve ethernet ports show connected though no physical connection

    Hi all...
    We have a very strange issue in the 3 latest Xserves (with Nehalem processors) that were purchased a couple of days back. The issue is, in the Network System Preference, both the ethernet ports show green and display as "Connected" even though there is no physical connectivity. This active state of the eth ports is visible only in the Network System Preference, and the port state shows as inactive if we check through the CLI and the Server Monitor. Both the ports function normally except for this wrong info in the System Preference.
    Has anyone faced any issue with the latest Nehalem processor Xserves, or is this a bug in OS X? The installed OS version is 10.5.7 and the firmware is up to date.
    Please help !!
    Message was edited by: SREEKAR

    Call Apple Support for assistance; this looks to be a nasty error with multiple new Xserve boxes and given these are likely covered under their initial warranty, which implies there's something seriously weird with 10.5.6 or 10.5.7, or with the Xserve early 2009 boxes, or firmware, or with what the configuration tools allow.
    It appears that [threadID=2021235|http://discussions.apple.com/thread.jspa?threadID=2021235] and [threadID=2021817|http://discussions.apple.com/thread.jspa?threadID=2021817&tstart=0] are the same case?

  • Authenticating Trunk Ports - VLAN list

    I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
    My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
    cisp enable
    interface FastEthernet0/2
     description *** Client Device ***
     switchport access vlan 2
     switchport mode access
     no logging event link-status
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 3
     authentication event server alive action reinitialize
     authentication order mab dot1x webauth
     authentication priority mab dot1x webauth
     authentication port-control auto
     authentication fallback GUEST_FALLBACK
     mab eap
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 10
     dot1x max-reauth-req 1
     dot1x timeout auth-period 600
     no cdp enable
     spanning-tree portfast
    Any help will be greatly appreciated. 
    Thanks
    John

    Hello
    I would suggest the following:
    >> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DoS attack!! This could also be done by mistake, resulting in an unstructured threat.
    >> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
    >> Change the NATIVE VLAN from the default (VLAN 1)
    >> Disable Trunk negotiation (ON mode)
    Regards
    Farrukh

  • Unable to connect my I-phone 4S via wifi from the Air-port express even though the signal is good and all my other devices (macBook air and speakers) are working properly? Already tried to change the channels on the Airport but still nothing.

    Since I've installed the Airport Express, everything connected to it works properly. My wifi network signal is good and I am able to browse with my Mac Air, but with my iPhone 4S, even though the signal appears to be good and it shows it is connected to my wifi network, I can't open any web-site; instead I keep getting the same message: "Cannot Open Page - Safari could not open the page because the server stopped responding.", which is not true because I'm connected with my laptop. The sound wifi system works perfectly, but regarding the wifi on my 4S I've tried changing through different channels on the Airport (I saw people were having the same problem and apparently by changing the channels on the Airport the internet on the phone worked properly, but I'm still stuck with a brand new iPhone unable to open my pages). I've also tried changing the Radio modes and still nothing.
    Any suggestions?

  • Errors at startup when initializing USB (ports still work though)

    Hi. I've recently returned to using Arch Linux after a hiatus of about 2 years. I'm loving it so far and I've managed to set up everything relatively easily, but I've got some mysterious error strings at system startup. I see them shortly after Grub messages disappear, before X launches and loads.  They usually appear thrice.
    The below code is a fragment of dmesg output that seems relevant. The actual error string I see at bootup is the last line of this output.
    [ 7.644410] usbcore: registered new interface driver ath3k
    [ 7.644439] usb 1-10: USB disconnect, device number 4
    [ 7.675574] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio4/input/input14
    [ 7.954663] usb 1-10: new full-speed USB device number 5 using xhci_hcd
    [ 7.969827] usb 1-10: string descriptor 0 malformed (err = -61), defaulting to 0x0409
    USB devices simply work, without any unusual behaviour. My mouse works without batting an eye anywhere I plug it, same for memory sticks. I suppose the same would be true for any other devices.
    What does this error string mean then? And how should I correct whatever the hell is wrong?

    The error string means that the language descriptor could not be read from the device (-61 is ENODATA), and thus it is defaulting to English (0x0409).
    As to why you're receiving that error, I'm uncertain, though I'd be inclined to believe it's that the firmware for the device is responding to the get string descriptor request in an unexpected manner.
    You could try updating firmware, but honestly, if everything is working, it's safe to ignore. I presume the device descriptions aren't garbled?

  • Help Please :) Linksys WRVS4400N 802.1X port authentication setup

    HI all,
    I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
    1x Linksys WRVS4400N
    1x Microsoft Server 2003 with IAS and Active Directory services
    1x Dell Laptop (Used for testing RADIUS Authentication)
    I Created 4 VLAN(s) to test with this LAB
    VLAN 1 Management. Addr Range 192.168.1.0 /24. GW 192.168.1.254
    VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
    VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
    VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
    This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
    Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
    Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
    Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
    Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
    VLAN 1: Default
    Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
    VLAN 10: Servers
    Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
    VLAN 20: IT
    Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
    VLAN 30: Design
    Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
    This is how my Radius is setup
    Mode: Enabled
    RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
    UDP Port: 1812
    Secret: Password1
    Port(s) 1 & 2: Force Authorized
    Port(s) 3 & 4: Force UnAuthorized
    On the Server this is what I have configured
    1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
    2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
    Tunnel-Medium-Type: 802
    Tunnel-PVT-Group-ID: 20
    Tunnel-Type: Virtual LAN
    My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV. I tested everything else and made sure the VLANs were working OK, so what I did was take a Dell Laptop and join it to my domain. I plugged the Dell Laptop into port 4 to test RADIUS authentication. When I tried to log in as User1 it didn't work.
    I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
    If anybody can help me out that would be great!
    Cheers
    Graham

    1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
    2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
    3. The VLAN configuration looks very odd to me. If I see it correctly you have:
    Port 1: General mode, PVID 1, 1U
    Port 2: General mode, PVID 10, 1T, 10U
    Port 3: Access mode, PVID ???, 20U, 30U
    Port 4: Access mode, PVID ???, 20U, 30U
    I wonder why you are even able to set this up...
    a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
    b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
    c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
    4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, in other words you disable the port completely. No traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
    5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
    6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
    7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything?

  • 802.1x per host authentication under one port with multi-host access by hub

    Dear,
    While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.
    In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?
    We did some tests on a 3550, and it seems that the 3550 does not support what we need. And what about the 4506?
    Thanks!

    Multiauthentication Mode
    Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.
    Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.
    Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:
    • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
    • Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
    • A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.
    • The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.
    • After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.
    • The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
    NOTE:
    • Only one voice VLAN is supported on a multiauth port.
    • You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.
    For more information:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html

  • 802.1X Port Authentication\ACS Question

    Hello,
    I'm troubleshooting a 3560 port authentication issue. From what I was told by other members of my team, when we upgraded to Windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
    I have only been dealing with 802.1x for a short time and my other configs have this command. My question is: without this command, could there still have been port authentication working? On an interface, for example, they do have the following, which is in line with my other configs. FYI, I didn't set this site up and it has the rest of the config correct, like radius and aaa. When I went onsite to test I shut down the service on my laptop for 802.1x, which should have blocked me, so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch, but it showed I connected using PAP_ASCII. I'm not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x violation-mode protect
    dot1x reauthentication
    aaa new-model
    aaa authentication password-prompt PASSCODE---->
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa session-id common

    I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked, so at my home office, which I know port security to be working at (at least that's what I thought), I turned off wired auto config and could still get on, and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on, but my question becomes: if 802.1x is set up on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings, I can still get on the network; is this the correct behavior for this setup?
    Thanks,

  • NAC controlled port don't return to authentication vlan

    Hi All,
    I have NAC version 4.7.1 and I have implemented it as an out-of-band virtual gateway. When I make the port NAC controlled and try to test it, it works properly, but when I remove the PC from the port, the port doesn't go back to the authentication VLAN.
    if i put the same pc in another NAC controlled port it doesn't require authentication and it changes itself directly to authenticated.
    the port remains authenticated until i clear the certified list.
    Can anyone help me to make NAC change the port to unauthenticated once I remove the port?
    Best regards,
    Ayman Yehia

    Ayman,
    Sorry for the delay. Two things to check here. First, are you able to control the switch from your CAM successfully? In other words can you set the initial vlans successfully?
    Second, what are you using for your switches? MAC-Notifications or Linkup-Linkdown notifications? Can you check the CAM logs as to what shows up there when you put a new PC in an authenticated port? Does it get a trap? What does it do with that trap?
    Post your CAM logs with such an attempt where it didn't work, along with the MAC and IP information of the client. Also post the screen shots of your CAS configuration, specifically the managed subnet page, vlan mapping page, and network information page.
    Thanks
    Faisal

  • Terminal Adapter (Telnet) to Console Port Server?

    Has anyone been able to connect to a device on a console port server?
    Problem: the telnet session needs a CRLF to be sent upon initial connect in order to trigger the device to send its login prompt. CPO cannot see the prompt and therefore times out waiting for it to arrive.
    Thanks
    Mike

    We've found quite a few flavours of behaviour in ConsolePort servers. Some require crlf, others don't, while some require a password before it gives you access to the requested device. The CNOAS team has just produced a console port server workflow that presents a real time web page showing activity across ports, auto-recognition of devices etc., and allows user-written CPO provisioners and configurators to be launched to service the device. Please drop me an email for more info
    /Mike
    Sent from Cisco Technical Support iPad App

  • 802.11 X port-level authentication or user-level authentication

    I have read many online documents about 802.11x, all that i found they named port-level authentication.
    It makes sense for a wired network, since we have got a physical port, then if the supplicant has been authenticated, his port will be open to transfer data.
    And same thing with a wireless network, but we do not have physical port, we have got logical port.
    I have read one document that mentioned that 802.11 is user-level authentication; any comment about this?
    Regards

    Thanks steprodr
    That means in both cases (wired, wireless) a client has to be authenticated to pass through the physical port or logical port to be able to access (use) network resources.
    What is my interpretation (correct me) to your reply, that with the wire we call it port level while with wireless (my conclusion, because explicitly you have mentioned that)we do not call it port level (i.e. it is called user level) ?

  • Rsa/ace server radius authentication

    Hi ,
    I am in the process of setting up Cisco routers/switches to authenticate to an RSA/ACE RADIUS server. Basically I would like it to work as follows.
    SSH/Telnet to router/switch. I have the ACE side configured. I have added the necessary users to the authenticate list on the agent host.
    Username:joebloggs
    Password : ( rsa secure id token here ). Do I have to authenticate then using enable password or what is best practice here ??
    router>en
    router#
    I have the following lines added so far and need some help on the aaa authentication as there seems to be a lot of options
    aaa new-model
    aaa authentication banner # Connection to this device is for authorized users only #
    aaa authentication fail-message # You are not authorized to log on to this device #
    radius-server host x.x.x.x auth-port 1645 acct-port 1813
    radius-server retransmit 3
    radius-server key xxxxxx

    francis
    if you want users who telnet/SSH to vty ports or who are on the console to authenticate with the radius server you should add something like this to your configuration:
    aaa authentication login default group radius line
    This will send an authentication request to the configured radius server and if there is an error from the radius server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.
    You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fall back methods you wish to use.
    From user mode going to enable mode you could configure the router to use the enable password/enable secret or you can configure it to use radius. I believe that best practice is to use radius rather than the local enable password/enable secret.
    aaa authentication enable default group radius enable
    HTH
    Rick
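The distinction Rick draws (a RADIUS reject is final, a RADIUS error falls through to the next method) is the whole security argument for "group radius line", so here it is modelled as a method-list walk. This is an added example, not code from the thread or from Cisco; the server, line password and credentials are constructed stand-ins, and the "none" method is included to show the fail-open list a defender should not deploy.

```python
"""Cisco IOS AAA login method-list walk, modelled in Python.

Added example, not from the thread. It encodes the rule Rick's reply states:
a RADIUS *reject* (negative response) ends authentication with a denial, while
a RADIUS *error* (no answer) makes IOS try the next method in the list. The
server and line-password objects are constructed stand-ins, not IOS APIs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: final
    ERROR = "error"  # method could not answer: fall through to the next one


Method = Callable[[str, str], Result]


@dataclass
class RadiusServer:
    """Stand-in for the server named by 'radius-server host' (constructed)."""
    users: Dict[str, str]
    reachable: bool = True

    def check(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # retransmits exhausted, no Access-Accept/Reject seen
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LinePassword:
    """Stand-in for the 'password' configured under line vty / line con (constructed)."""
    secret: str

    def check(self, user: str, password: str) -> Result:
        # the 'line' method ignores the username; only the line password is compared
        return Result.PASS if password == self.secret else Result.FAIL


def none_method(user: str, password: str) -> Result:
    """The IOS 'none' keyword: accept without asking anything."""
    return Result.PASS


def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the list like 'aaa authentication login default <methods>'.

    Returns (authenticated?, trail of per-method outcomes).
    """
    trail: List[str] = []
    for name, method in methods:
        result = method(user, password)
        trail.append(f"{name}: {result.value}")
        if result is Result.PASS:
            return True, trail
        if result is Result.FAIL:
            return False, trail  # a reject is never followed by a fallback
        # Result.ERROR: continue with the next method
    trail.append("exhausted: denied")  # IOS denies when every method errors
    return False, trail


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Three logins through two method lists (all credentials constructed)."""
    radius_up = RadiusServer({"joebloggs": "secret-token"})
    radius_down = RadiusServer({"joebloggs": "secret-token"}, reachable=False)
    line = LinePassword("line-pw")

    # 'group radius line', as recommended in the thread
    radius_then_line_up = [("group radius", radius_up.check), ("line", line.check)]
    radius_then_line_down = [("group radius", radius_down.check), ("line", line.check)]
    # 'group radius none': fails open when the server is unreachable
    radius_then_none_down = [("group radius", radius_down.check), ("none", none_method)]

    return {
        # wrong token, server answers: rejected, line password is never consulted
        "reject_no_fallback": run_method_list(radius_then_line_up, "joebloggs", "wrong"),
        # server down: the line password becomes the fallback
        "error_falls_to_line": run_method_list(radius_then_line_down, "joebloggs", "line-pw"),
        # server down with 'none' last: any password is accepted
        "error_falls_to_none": run_method_list(radius_then_none_down, "anyone", "anything"),
    }


if __name__ == "__main__":
    for name, (ok, trail) in scenarios().items():
        print(f"{name}: {'ACCEPT' if ok else 'DENY'} <- {' > '.join(trail)}")
```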

  • Authentication type is pap

    I have a switch set up to use RADIUS. I have the aaa new-model list applied to my console and telnet ports, but they only work with PAP. If I try CHAP in my remote access policy, login is not allowed, and the RADIUS server's event viewer reads "incorrect authentication type". If I allow PAP at the remote access policy, it works fine. I don't know how to change the authentication protocol used on the console and telnet ports. Can you change it? I know you can change it on serial interfaces with PPP. Isn't telnet clear text only? If so, what good is RADIUS when trying to account for who has been accessing, and who is allowed to access, the Cisco equipment via telnet or the console? I don't want Active Directory domain accounts' passwords being sent in clear text. Is there a better alternative?
    thank you,

    I think I found the answer to part of my question in the CCSP SECUR text: "If you are using the Windows NT or Windows 2000 user database to authenticate users, you must use PAP password encryption." Further down: "If you are using the Cisco Secure ACS for Windows user database for authentication, you can use either PAP or CHAP."

  • Open and Network-EAP authentication - difference in security?

    As far as security goes, and assuming RADIUS authentication will actually authenticate and allow users access to the wireless network (or not), is there any difference (once again, as far as security goes) between Open Authentication and Network-EAP as described below?
    In any EAP/802.1x-based authentication method, you may question what the differences are between Network-EAP and Open authentication with EAP. These items refer to values in the Authentication Algorithm field in the headers of management and association packets. Most manufacturers of wireless clients set this field at the value 0 (Open authentication), and then signal their desire to do EAP authentication later in the association process. Cisco sets the value differently, from the start of association with the Network EAP flag.

    1. Join process - comparable to connecting a cable in the wired network world. Usually "OPEN".
    2. Authentication - this verifies the client is who they claim they are because they possess a certificate (EAP-TLS), know the password or a PSK.
    3. Encryption with TKIP or AES - this is about protecting data as it is transmitted through the air AFTER authentication.
    You are correct.
    What confuses me when attempting to configure the Aironet I'm working with is the difference in terminology with the familiar choices I had in Linksys access points, something like this:
    - WEP
    - WPA
    - WPA-Enterprise
    - WPA2
    - WPA2-Enterprise
    I thought WPA-Enterprise has to do with Radius and indeed I was able to create a test network in which a Windows XP laptop could connect via a Linksys access point, authenticating with EAP-TLS, with WPA-Enterprise selected on the AP. The Windows 2008 server was both a certificate authority, a radius (NPS) server and a domain controller.
    With the Aironet, I'm not sure what the equivalent choices should be, because, if you look at the link in my last post, there is a larger selection: WEP 40 bit, WEP 128 bit, TKIP, AES, combinations of what precedes and no reference to WPA or WPA2. I'm guessing TKIP = WPA and AES = WPA2.
    And while I can select "EAP" in the Express Security Setup tab, I cannot see where I would opt for EAP-TLS rather than PEAP or EAP-TTLS and so forth.
    I'm going to take a look at your blog now and see if that doesn't enlighten me further.
    You are on track my friend keep the thinking going .... you are very close!
    Some more foundation for you ...
    WPA   -  Is PSK with TKIP
    WPA2 -  Is PSK with AES
    WPA Enterprise -  EAP-??? with TKIP
    WPA2 Enterprise - EAP-??? with AES
    ??? = Your selected EAP type
    Now, why don't you have to configure the EAP type on the AP? Great question, let's break this down.
    1. The AP or WLC for that matter doesn't care what EAP type you use. Why, you ask?
    When you configure 802.1X, there are 2 virtual ports. These are virtual and you do nothing to configure these. Once you connect to an AP and EAP starts, the AP BLOCKS ALL TRAFFIC except for EAPOL traffic. This is the ONLY traffic allowed past until the AP / WLC receives a RADIUS SUCCESS. Once the AP/WLC sees this radius success it then switches virtually over to the controlled port and allows ALL your traffic to pass.
    2. With that being said, your client is only passing traffic through the AP and WLC. The AP / WLC doesn't care what EAP you are using. Your client is talking directly to the radius server at that point. The AP/WLC at this point is only a pass-through, nothing more.
    Does that help ?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
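The two virtual ports described in the reply above, together with the "Force Unauthorized ... All connections are blocked" port-control mode quoted from the Linksys manual in the WRVS4400N thread, can be modelled as a small authenticator state machine. This is an added example, not code from either thread or from any vendor: the Ethernet frames are constructed, the "Accept"/"Reject" calls stand in for RADIUS Access-Accept/Access-Reject, and the only protocol facts used are the EAPOL EtherType 0x888E and the 802.1Q tag EtherType 0x8100.

```python
"""802.1X port model: uncontrolled vs controlled port, and port-control modes.

Added example, not from either thread. Before a RADIUS success only EAPOL
frames (EtherType 0x888E) pass the uncontrolled port; after it, the controlled
port opens for all traffic. The 'force-authorized' / 'force-unauthorized' /
'auto' modes mirror the port-control settings quoted from the Linksys manual.
Frames are constructed Ethernet headers with placeholder MAC addresses.
"""
import struct
from enum import Enum
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN, the only pre-authentication traffic
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag: the payload EtherType follows the tag
ETHERTYPE_IPV4 = 0x0800


class PortControl(Enum):
    AUTO = "auto"                              # authenticate, then open
    FORCE_AUTHORIZED = "force-authorized"      # always open, 802.1X not enforced
    FORCE_UNAUTHORIZED = "force-unauthorized"  # always closed: "All connections are blocked"


def ethertype(frame: bytes) -> int:
    """Return the payload EtherType of an Ethernet frame, skipping one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype


class Dot1xPort:
    """Authenticator side of one physical (or, on an AP, logical) port."""

    def __init__(self, control: PortControl = PortControl.AUTO):
        self.control = control
        self.authorized = control is PortControl.FORCE_AUTHORIZED

    def radius_result(self, accepted: bool) -> None:
        """Apply an Access-Accept (True) / Access-Reject (False) to an 'auto' port."""
        if self.control is PortControl.AUTO:
            self.authorized = accepted

    def logoff(self) -> None:
        """EAPOL-Logoff or link down: an 'auto' port closes again."""
        if self.control is PortControl.AUTO:
            self.authorized = False

    def forwards(self, frame: bytes) -> bool:
        """Decide whether the authenticator passes this frame from the supplicant."""
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False
        if self.authorized:
            return True  # controlled port open: everything passes
        # controlled port closed: only the uncontrolled port (EAPOL) is open
        return ethertype(frame) == ETHERTYPE_EAPOL


def make_frame(etype: int, vlan: Optional[int] = None, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal Ethernet frame (MAC addresses are placeholders)."""
    dst = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
    src = bytes.fromhex("02aabbccddee")   # locally administered, constructed
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", etype) + payload


def session_trace() -> List[Tuple[str, bool]]:
    """A supplicant's life on an 'auto' port: pre-auth, accept, logoff."""
    port = Dot1xPort(PortControl.AUTO)
    eapol = make_frame(ETHERTYPE_EAPOL)
    ipv4 = make_frame(ETHERTYPE_IPV4)
    tagged_ipv4 = make_frame(ETHERTYPE_IPV4, vlan=20)
    trace = [
        ("pre-auth EAPOL", port.forwards(eapol)),
        ("pre-auth IPv4", port.forwards(ipv4)),
        ("pre-auth tagged IPv4", port.forwards(tagged_ipv4)),
    ]
    port.radius_result(accepted=True)
    trace.append(("post-accept IPv4", port.forwards(ipv4)))
    port.logoff()
    trace.append(("after logoff IPv4", port.forwards(ipv4)))
    return trace


if __name__ == "__main__":
    for step, passed in session_trace():
        print(f"{step:22s} {'forward' if passed else 'drop'}")
```

The 'force-authorized' case is the one the Windows 7 / PAP_ASCII poster should check for: a port in that mode lets a laptop with the 802.1X service stopped straight onto the network.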

  • Active Directory synchronization working, authentication not on CUBM BE5000 8.6(1a)

    I successfully set up Active Directory synchronization between my CUCM BE5000 appliance running 8.6(1a) and our Windows 2008 Server Active Directory.  Users are replicating successfully, but authentication is not working even though I am using the same LDAP manager distinguished name and password for both.  I have a suspicion to the cause of this problem but for the record, the following is my relevant configuration:
    System/LDAP/LDAP System:
    LDAP Server Type: Microsoft Active Directory
    LDAP Attribute for User ID: userPrincipalName
    System/LDAP/LDAP Directory:
    LDAP Configuration Name: bgctnv.local
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: DC=bgctnv,DC=local
    LDAP Server Information: bgctnv.local, port 389 (to query any domain controller in DNS; I have also tried specific IP addresses)
    System/LDAP/LDAP Authentication:
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: LDAP user search base is formed using the User ID information (pre-populated, I cannot change this)
    LDAP Server Information: bgctnv.local, port 3268
    All of my Active Directory users are now populated and active under End Users.  However, I am not able to log into /ccmuser among other things using my valid domain credentials.  I am a super user as well as a standard end user.
    Curiously, invalid usernames (userPrincipalName in my case) return the error "Log on failed - Invalid User ID or Password" while a valid username, with or without the correct password, returns only "Log on failed."  That seems to imply that some part of the authentication or LDAP bind is taking place.
    Here's the catch.  The base domain here is bgctnv.local while we use bgctnv.org as a valid and acceptable alternative UPN suffix in Active Directory.  Every Microsoft and every third-party program I have used will accept [email protected], but I'm beginning to think that CM will not, or is having some sort of translation issue.  I read that alternative suffixes can cause problems in Active Directory forests with multiple trees, but this is a vanilla, single domain environment.
    I don't even know where to look to debug this issue.  Has anyone seen this before or can anyone tell me where to look for logs?
    Thanks,
    John

    I found the following:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html
    As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."
    This may help in some situations where there are multiple trees in an AD forest, but it is definitely not the solution.  Even with multiple trees, it is common to use alternative UPN suffixes.  Nothing in AD requires or even recommends that you exclusively use your AD domain root as the UPN suffix.
    For example, company.local may use company.com as an alternative but primary UPN suffix to provide simplicity for users.  Users can then achieve more broad SSO capabilities by using their familiar email credentials when authenticating for company.local services.
    When using UserPrincipalName as the LDAP synchronization attribute for the CM User ID, the configuration requires that the search base for authentication be derived from the UPN suffix, regardless of whether it is a single domain or multiple trees within a forest.  This makes it impossible to authenticate by UPN unless your UPN is explicitly your root domain name.  From the example above, CM would try to bind [email protected] against DC=company,DC=com instead of the correct DC=company,DC=local.
    The logical solution would be to allow the administrator the option.  Why not have a choice of whether to generate the user search base from the userid (UPN) information, or be able to specify the search base as well like it allows with any other synchronization attribute?
    Would this be a feature request, bug report, or neither?  I'd really appreciate it if Cisco considered this but I don't know the proper channel.
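The mismatch John describes (CM forming the authentication search base from the UPN suffix, so user@company.com is searched under DC=company,DC=com while the account lives under DC=company,DC=local) is easy to audit for before switching the CM user ID to userPrincipalName. This is an added example, not code from the thread or from Cisco; it reproduces the derivation as John describes it and runs it over a constructed user list using the company.local / company.com names from his own example.

```python
"""Audit which users a UPN-derived LDAP search base would misroute.

Added example, not from the thread. CM (as John describes it) forms the
authentication search base from the UPN suffix: user@company.com becomes
DC=company,DC=com. Accounts whose UPN suffix is an *alternative* suffix live
under the domain's own naming context (DC=company,DC=local) and so cannot be
found. The user list below is constructed.
"""
from typing import Dict, List


def dns_to_dn(dns_name: str) -> str:
    """Map a DNS domain name to the default AD naming context: company.local -> DC=company,DC=local."""
    labels = [part for part in dns_name.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def upn_derived_search_base(upn: str) -> str:
    """The search base 'formed using userid information': the UPN suffix rendered as a DN."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    return dns_to_dn(upn.split("@", 1)[1])


def audit_upns(upns: List[str], domain_dns: str) -> Dict[str, object]:
    """Split users into those whose derived base matches the domain's DN and those it misroutes."""
    correct_base = dns_to_dn(domain_dns)
    ok: List[str] = []
    misrouted: List[str] = []
    for upn in upns:
        derived = upn_derived_search_base(upn)
        # DNs compare case-insensitively, so normalise both sides
        (ok if derived.lower() == correct_base.lower() else misrouted).append(upn)
    return {"search_base": correct_base, "ok": ok, "misrouted": misrouted}


# Constructed UPNs for a domain company.local with alternative suffix company.com
USERS = [
    "alice@company.com",
    "bob@company.local",
    "Carol@COMPANY.COM",
]

if __name__ == "__main__":
    report = audit_upns(USERS, "company.local")
    print(f"accounts live under {report['search_base']}")
    for upn in report["misrouted"]:
        print(f"  {upn}: CM would search {upn_derived_search_base(upn)} -> bind fails")
```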
