Authentication with SASL

Similar Messages

• I get error message: "An error occurred with the  publication of album...Authentication with server failed...whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. What do I need to do?

  I get error message: "An error occurred with the  publication of album...Authentication with server failed. Please check your login and password information" whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. I am hoping I can retrieve these "lost" files. What do I need to do?

  Message was edited by: leroydouglas
  better yet, try this solution:
  https://discussions.apple.com/message/12351186#12351186

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Ricoh Aficio MP C2051 Scan to Folder - Windows 7 64 bit Error: Authentication with the destination has failed check settings

  I got an issue with OS of widows 7.
  unable to scan  documents to user's PC.am getting error message "Authentication with the destination has failed. Check settings. To check the current status, press [Scanned Files Status
  Other Windows xp  PC can do this.
  How can I fix this problem?
  Printer Model :C2051 /mp2001sp

  Hi,
  I searched for the error and it is mentioned in Ricoh's website:
  Messages Displayed on the Control Panel When Using the Scanner Function
  http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001045/0001045718/view/trouble/int/0036.htm
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Message
  Cause
  Solution
  “Authentication with the destination has failed. Check settings. To check the current status, press [Comm. Status/Print].”
  The entered login user name or login password is not correct.
  Check that the user name and password are correct.
  Check that the ID and password for the destination folder are correct.
  A password of 128 or more characters may not be recognized.
  From the solution, it mentioned that the issue could relate to user account or its password.
  Please let me know if it is in domain environment. If so, please test to log the same user account currently on Windows 7 to Windows XP and see if issue persists.
  Also please test to directly access the scanning folder on printer server to see if there is any issue in accessing the destination folder. 

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Ricoh Aficio MP C2051 Scan to Folder - Windows Server 2012 Error: Authentication with the destination has failed check settings

  I have recently upgraded a clients servers to Windows Server 2012 & since doing so have lost the ability to scan to folder.
  Both servers are domain controllers and previously on a 2008 domain controller I would have had to make the following change to allow scan to folder:
   Administrative Tools
   Server Manager
   Features
   Group Policy Manager
   Forest: ...
   Default Domain Policy
  Computer configuration
   Policies
   Windows Settings
   Security Settings
   Local Policies
   Security Options
   Microsoft Network Server: Digitally Sign Communications (Always)
   - Define This Policy
   - Disabled
  However I have applied this to the Windows 2012 server but am still unable to scan, possibly due to added layers of security in server 2012. The error on the scanner is Authentication with the destination has failed check settings.
  I have also tried the following at the server:
  Policies -> Security Policies
  Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.
  Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and uncheck the require 128 bit.
  Network security: Minimum session security for NTLM SSP based (including secure RPC) servers and uncheck the require 128 bit
  I have created a user account on the server for the ricoh and set this in the settiings of the Ricoh and verified everything is correct.
  Are there any other things I have missed?

  I can email anybody the firmware module if interested and how to...
  Tell me your model and email
  If your offer still stands we have an Aficio MP C3300
  Firmwareversion
  Modulnavn Version Delnummer 
  System/Copy  1.13  D0255562H  
  Network Support  8.16.1  D0255563D  
  Font EXP  1.03  D0255588  
  OptionPCLFont  1.02  D0255589  
  animation  1.3.1  D0255568A  
  Fax  01.10.00  D0255569B  
  RemoteFax  01.10.00  D0255564B  
  Printer  1.11  D0255572A  
  RPCS  3.7.5.4.1  D0255574A  
  Option PCL  1.00  D0255580A  
  Scanner  01.17  D0255570C  
  Network DocBox  1.00  D0255567B  
  Web Support  1.06  D0255565B  
  Web Uapl  1.07  D0255566C  
  libcvm(v4)  4.13  D4135765B  
  GWFCU3-13(WW)  03.00.00  D3935570C  
  PowerSaving Sys  1.10  D0255560C  
  Engine 1.51:09 D0255117E 
  OpePanel 1.03 D0251492A 
  LANG0 1.03 D0251496 
  LANG1 1.03 D0251496 
  ADF 03.420:02 D3665604 
  Finisher 01.090:03 D3725112
  Best Regards/
  Henrik Plougstad
  henrik(a)pieroth.dk

• Policy agent 2.2 amfilter local authentication with session binding failed

  Hi All,
  I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
  Here is the error I got:
  10.4.4 403 Forbidden
  The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
  Here is the error I found from agent log file, amFilter:
  AmFilter: now processing: SSO Task Handler
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: now processing: J2EE Local Logout Task Handler
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: local logout skipped SSO User => amAdmin, principal =>null
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: now processing: J2EE Local Auth Task Handler
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: doing local authentication with session binding
  05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
  05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: result =>
  FilterResult:
       Status      : FORBIDDEN
       RedirectURL     : null
       RequestHelper:
            null
       Data:
            null
  -----------------------------------------------------------

  Hi,
  I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
  ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
  java.lang.IllegalStateException: invalidate: Session already invalidated
  at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
  at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
  at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
  at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
  at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
  at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
  at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
  FilterResult:
  Status : FORBIDDEN
  RedirectURL : null
  RequestHelper:
  null
  Data:
  null
  Also, we I debug I see:
  LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
  Did you receive any solution for this?
  Many, many thanks,
  Philip

• Certificate based authentication with sender SOAP adapter. Please help!

  Hi Experts,
     I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
  .Net --->SOAP -
  >XI -
  >RFC -
  R/3 System
  Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
  I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
  When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
  Am I missing any steps for certificate based authentication?
  Please help
  Thanks
  Gopal
  Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

  Hi!
  Although soapUI is a very goot SOAP testing tool, you can't test certificate based authentication with it. There is no way (since I know) how to import certificat into soapUI.
  So, try to find other tool, which can use certificates or tey it directly with the sender system.
  Peter

• LDAP authentication with MD5 passwords

  Hi,
  in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
  I know it is to be done with {crypt} storage scheme.
  This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
  Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
  Thanks in advance,
  Kristof

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Solaris 10 openldap authentication with md5 passwords

  Hello to everyone,
  We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
  We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
  The error messages when trying to 'su -' to the ldap user are:
  Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4and for ssh:
  Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
  Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
  Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
  Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
  Please feel free to ask for any other configuration file:
  */etc/pam.conf*
  login   auth requisite        pam_authtok_get.so.1
  login   auth required         pam_dhkeys.so.1
  login   auth required         pam_unix_cred.so.1
  login   auth required         pam_dial_auth.so.1
  login   auth sufficient       pam_unix_auth.so.1  server_policy debug
  login   auth required           /usr/lib/security/pam_ldap.so.1 debug
  rlogin auth sufficient       pam_rhosts_auth.so.1
  rlogin auth requisite        pam_authtok_get.so.1
  rlogin auth required         pam_dhkeys.so.1
  rlogin auth required         pam_unix_cred.so.1
  rlogin  auth required          pam_unix_auth.so.1 use_first_pass
  rsh    auth sufficient       pam_rhosts_auth.so.1
  rsh    auth required         pam_unix_cred.so.1
  rsh    auth required         pam_unix_auth.so.1
  ppp     auth requisite        pam_authtok_get.so.1
  ppp     auth required         pam_dhkeys.so.1
  ppp     auth required         pam_dial_auth.so.1
  ppp     auth sufficient       pam_unix_auth.so.1 server_policy
  other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
  other   auth required           pam_unix_auth.so.1 use_first_pass debug
  passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
  passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
  cron    account required      pam_unix_account.so.1
  other   account requisite     pam_roles.so.1
  other   account sufficient       pam_unix_account.so.1 server_policy
  other   account required        /usr/lib/security/pam_ldap.so.1 debug
  other   session required      pam_unix_session.so.1
  other   password required     pam_dhkeys.so.1
  other   password requisite    pam_authtok_get.so.1
  other   password requisite    pam_authtok_check.so.1
  other   password required     pam_authtok_store.so.1 server_policy*/etc/ldap.conf*
  base ou=users,ou=Example,dc=staff,dc=example
  ldap_version 3
  scope sub
  pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
  pam_member_attribute memberUid
  nss_map_attribute uid displayName
  nss_map_attribute cn sn
  pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
  uri ldap://ldapserver01/
  ssl no
  bind_timelimit 1
  bind_policy soft
  timelimit 10
  nss_reconnect_tries 3
  host klnsds01
  nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
  pam_password md5*/etc/nsswitch.conf*
  passwd:     files ldap
  group:      files ldap
  hosts:      files dns
  ipnodes:   files dns
  networks:   files
  protocols:  files
  rpc:        files
  ethers:     files
  netmasks:   files
  bootparams: files
  publickey:  files
  netgroup:   files
  automount:  files
  aliases:    files
  services:   files
  printers:       user files
  auth_attr:  files
  prof_attr:  files
  project:    files
  tnrhtp:     files
  tnrhdb:     files*/etc/security/policy.conf*
  AUTHS_GRANTED=solaris.device.cdrw
  PROFS_GRANTED=Basic Solaris User
  CRYPT_ALGORITHMS_DEPRECATE=__unix__
  LOCK_AFTER_RETRIES=YES
  CRYPT_ALGORITHMS_ALLOW=1,2a,md5
  CRYPT_DEFAULT=1Thanks in advance for any response...!!

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• ISE mab authentication with Avaya/Nortel switches

  Currently using Cisco ISE 1.1 to authentication both dot1x and mab from Cisco switches. Both features are authenticating properly.
  When we use a Nortel/Avaya switch for the authenticator, we are unable to authenticate using mac bypass (non-eap (or neap) in Avaya talk..). The correct authentication policy is found in the ISE, but the mac address is not found in the database. We know it is there because the same mac is authenticating with the Cisco switch. Dot1x authenticates properly from both the Cisco and Avaya authenticators.
  Could this be an issues with the username/password format in the Radius packet from the Cisco?
  Thanks in advance for any assistance.
  -Kurt

  As requested...
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fet
  chBugDetails&bugId=CSCuc22732
  MAB works from a cisco switch because the cisco switch places the mac address in the calling-station-attribute and the user-name attribute. The Cisco ISE platform is looking at the calling-station attribute to find the user name.This is the problem.
  The radius RFC says the user name must be in the user-name attribute. The calling-station-attribute is not a required field and is used for the phone number of a voip phone. Basically, the ISE platform is looking at the wrong field for the mac address.