BOE on multi domain

I am planning to install BOE XI 3.1 on a Windows server. It is a multi-domain environment, so what are the important things I need to concentrate on, for example opening up the firewall, etc.
Are there any documents available for this? Please guide.

Multi domain is not much of an issue; by default any domain joined to a single forest is automatically trusted bi-directionally. The only snags sometimes are with DNS. We have a KB (search usefqdnfordirectoryservers) that will take care of that.
I don't know why you would firewall off your domains if they are joined in the same forest; this would prevent basic Microsoft services from running as well. Another rule of thumb is that BOE simply runs on top of Microsoft and uses Microsoft API calls. If it works in Microsoft then we should be ok.
Now if you are using multiple forests then we have a KB on that as well (search multiple forests zie). In that case the forests must have a 2-way forest trust, be 2003 or above functional level, and basically act as 1 forest to our product. The rule here is if you don't trust a forest then BO will either not be able to query it or allow logins from it, as we again use Microsoft API calls which require these things to be in place.
KBs can be searched in the Service Marketplace. Also see KB 1261835 for setting up SSO on Java.
Regards,
Tim

Similar Messages

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) in our company RADIUS server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to it and for them to have instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded in such a configuration example? If yes, I would love to get some help in doing so.
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier
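
    The constraint Xavier points to (an access port carries one untagged data VLAN next to the voice VLAN) and the two behaviours Stoimen observed (multi-auth admits a second PC only into the same VLAN; multi-domain with "violation replace" swaps one PC for the other) can be stepped through in a small model. This is an added example, not code from the thread or from Cisco IOS: it encodes the rules as the thread describes them, the VLAN numbers 30/40/50 and the third MAC address are constructed, the other MAC addresses come from the posted output, and show_sessions only imitates the shape of the command output.

```python
"""Toy model of how an access port admits 802.1X sessions per host-mode.

Constructed illustration, NOT Cisco IOS code: it encodes the behaviour the
thread describes (one data VLAN per access port, multi-domain = one DATA plus
one VOICE session, 'authentication violation replace' evicting the DATA
session) so the two failing scenarios can be stepped through offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    mac: str
    domain: str   # "DATA" or "VOICE"
    vlan: int     # VLAN assigned by RADIUS (or the configured voice VLAN)


@dataclass
class AccessPort:
    host_mode: str                    # "multi-domain" or "multi-auth"
    voice_vlan: int
    violation: str = "restrict"       # "restrict" or "replace"
    data_vlan: Optional[int] = None   # fixed by the first authorized DATA session
    sessions: List[Session] = field(default_factory=list)

    def _by_domain(self, domain: str) -> List[Session]:
        return [s for s in self.sessions if s.domain == domain]

    def admit(self, mac: str, domain: str, assigned_vlan: int) -> str:
        """Try to authorize a new session; returns the status a
        'show authentication sessions' row would carry."""
        if domain == "VOICE":
            # Tagged voice traffic must match the voice VLAN; one phone per port.
            if assigned_vlan != self.voice_vlan or self._by_domain("VOICE"):
                return "Authz Failed"
            self.sessions.append(Session(mac, domain, assigned_vlan))
            return "Authz Success"

        existing = self._by_domain("DATA")
        if self.host_mode == "multi-domain" and existing:
            if self.violation != "replace":
                return "Authz Failed"      # second DATA MAC is a security violation
            # 'violation replace': the newcomer evicts the current DATA session,
            # which is why two PCs never have access at the same time.
            self.sessions = [s for s in self.sessions if s.domain != "DATA"]
            self.data_vlan = None
        elif self.host_mode == "multi-auth" and existing and assigned_vlan != self.data_vlan:
            # The access port carries exactly one untagged data VLAN, so a second
            # DATA host can only be authorized into the VLAN already in place.
            return "Authz Failed"

        if self.data_vlan is None:
            self.data_vlan = assigned_vlan
        self.sessions.append(Session(mac, domain, assigned_vlan))
        return "Authz Success"

    def show_sessions(self) -> List[str]:
        """Rows shaped like the thread's 'show authentication sessions' output."""
        return [f"{s.mac:<16}dot1x    {s.domain:<8} Authz Success" for s in self.sessions]


def multi_auth_scenario() -> dict:
    """Scenario 2 from the question: a phone and several PCs behind the dumb switch."""
    port = AccessPort(host_mode="multi-auth", voice_vlan=40)
    return {
        "phone": port.admit("0015.655c.b912", "VOICE", 40),
        "user1": port.admit("0021.9b62.b79b", "DATA", 30),
        "user2_same_vlan": port.admit("b888.e3eb.ebac", "DATA", 30),
        "user3_other_vlan": port.admit("0000.1111.2222", "DATA", 50),  # constructed MAC
        "rows": port.show_sessions(),
    }


def multi_domain_replace_scenario() -> dict:
    """Scenario 1 with 'authentication violation replace': user2 evicts user1."""
    port = AccessPort(host_mode="multi-domain", voice_vlan=40, violation="replace")
    port.admit("0015.655c.b912", "VOICE", 40)
    first = port.admit("0021.9b62.b79b", "DATA", 30)
    second = port.admit("b888.e3eb.ebac", "DATA", 50)
    return {"user1": first, "user2": second,
            "data_macs": [s.mac for s in port.sessions if s.domain == "DATA"]}


if __name__ == "__main__":
    for name, result in multi_auth_scenario().items():
        print(name, result)
    print(multi_domain_replace_scenario())
```

    Both scenarios succeed or fail for the same underlying reason: the port has one data VLAN, so per-user VLAN assignment over a shared unmanaged switch cannot separate users, which is what makes the dACL route in option 1 attractive.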

  • Multi-Domain LDAP UME configuration

    Hello
    We have EP 7.0 installed and want to connect the UME to our Corporate
    LDAP (MSADS) as data source.
    Our ADS is as follows:
    domain.pt – This is our top level domain. Here we have our main users.
    Gs.domain.pt – This is a child domain of ren.pt. Here are some special
    users that cannot be moved to domain.pt level (because of this we have to
    use multi-domain configuration)
    According to some documents (Step 2 of Note 762419 - Multi-Domain Logon
    Using Microsoft Active Directory) this configuration has to be done
    according to a Multiple-Domain UME LDAP Configuration.
    Following is my configuration of LDAP access:
    I have set the “UME LDAP Data” in Config Tool to point to
    the “dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml” configuration file that has been previously changed by me following previous documents. The XML is at the end of the message.
    Also in the “UME LDAP Data” (Directory Server) I have defined the following settings:
    Server Name: dc01.domain.pt (This is the DC of domain.pt)
    Server port: 389
    User: j2ee-pp3 @domain.pt
    Pass: ******* (ok on all configuration tests and authentication)
    SSL: NO.
    User Path: DC=domain,DC=pt
    Group Path: DC=domain,DC=pt
    Checked the “Flat User Group Hierarchy”.
    Checked the “Use UME Unique id with unique LDAP Attribute”.
    At “Additional LDAP Properties” I have set the properties of
    ume.ldap.unique_user_attribute(global) and
    ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
    done according to the Multi-Domain configuration.
    Also ume.ldap.access.multidomain.enabled=true was set in the property
    sheet of the UME service. After this all checks are ok, including in
    User Administration in Portal.
    Conclusion: We have no problem with SSO and search capabilities
    at “domain.pt” level. All users of this domain are able to access the
    portal with SSO.
    Nevertheless no user from “gs.domain.pt” is able to log on. Additionally,
    using User Administration in Portal with option “All Data Sources”
    returns no results when searching for users from this child domain. It
    seems the configuration file does not recognize gs.domain.pt.
    Is it possible that our XML file is incorrectly adapted? Is there any
    missing or wrong configuration for multi-domain LDAP access? Please
    advise.
    Thanks in advance
    dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
    <!DOCTYPE dataSources SYSTEM  "dataSourceConfiguration.dtd">
    <dataSources>
        <dataSource id="PRIVATE_DATASOURCE"
                    className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                    isReadonly="false"
                    isPrimary="true">
            <homeFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </responsibleFor>
            <privateSection>
            </privateSection>
        </dataSource>
         <dataSource id="CORP_LDAP"
                   className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                   isReadonly="true"
                   isPrimary="true">
              <homeFor/>
              <responsibleFor>
                        <principal type="account">
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="j_user"/>
                                            <attribute name="j_password"/>
                                            <attribute name="userid"/>
                                            <attribute name="logonalias"/>
                                       </attributes>
                                  </nameSpace>
                        </principal>
                        <principal type="user">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="firstname" populateInitially="true"/>
                                            <attribute name="displayname" populateInitially="true"/>
                                            <attribute name="lastname" populateInitially="true"/>
                                            <attribute name="fax"/>
                                            <attribute name="email" populateInitially="true"/>
                                            <attribute name="email"/>
                                            <attribute name="title"/>
                                            <attribute name="department"/>
                                            <attribute name="description"/>
                                            <attribute name="mobile"/>
                                            <attribute name="telephone"/>
                                            <attribute name="streetaddress"/>
                                            <attribute name="uniquename" populateInitially="true"/>
                                            <attribute name="krb5principalname"/>
                                            <attribute name="kpnprefix"/>
                                            <attribute name="dn"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                            <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="$usermapping$">
                                          <attributes>
                                               <attribute name="REFERENCE_SYSTEM_USER"/>
                                          </attributes>
                                     </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="group">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                             <attribute name="displayname" populateInitially="true"/>
                                             <attribute name="description" populateInitially="true"/>
                                             <attribute name="uniquename"/>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
                                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.bridge">
                                       <attributes>
                                            <attribute name="dn"/>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
              </responsibleFor>
              <attributeMapping>
                   <principals>
                        <principal type="account">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="domain_j_user">
                                                 <physicalAttribute name="samaccountname"/>
                                            </attribute>
                                             <attribute name="j_user">
                                                  <physicalAttribute name="userprincipalname"/>
                                             </attribute>
                                             <attribute name="logonalias">
                                                  <physicalAttribute name="userprincipalname"/>
                                             </attribute>
                                            <attribute name="j_password">
                                                 <physicalAttribute name="unicodepwd"/>
                                            </attribute>
                                            <attribute name="userid">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="user">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="firstname">
                                                 <physicalAttribute name="givenname"/>
                                            </attribute>
                                            <attribute name="displayname">
                                                 <physicalAttribute name="displayname"/>
                                            </attribute>
                                            <attribute name="lastname">
                                                 <physicalAttribute name="sn"/>
                                            </attribute>
                                            <attribute name="fax">
                                                 <physicalAttribute name="facsimiletelephonenumber"/>
                                            </attribute>
                                            <attribute name="uniquename">
                                                 <physicalAttribute name="userprincipalname"/>
                                            </attribute>
                                            <attribute name="loginid">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                            <attribute name="email">
                                                 <physicalAttribute name="mail"/>
                                            </attribute>
                                            <attribute name="mobile">
                                                 <physicalAttribute name="mobile"/>
                                            </attribute>
                                            <attribute name="telephone">
                                                 <physicalAttribute name="telephonenumber"/>
                                            </attribute>
                                            <attribute name="department">
                                                 <physicalAttribute name="ou"/>
                                            </attribute>
                                            <attribute name="description">
                                                 <physicalAttribute name="description"/>
                                            </attribute>
                                            <attribute name="streetaddress">
                                                 <physicalAttribute name="postaladdress"/>
                                            </attribute>
                                            <attribute name="pobox">
                                                 <physicalAttribute name="postofficebox"/>
                                            </attribute>
                                             <attribute name="krb5principalname">
                                                  <physicalAttribute name="userprincipalname"/>
                                             </attribute>
                                             <attribute name="kpnprefix">
                                                  <physicalAttribute name="samaccountname"/>
                                             </attribute>
                                            <attribute name="dn">
                                                 <physicalAttribute name="distinguishedname"/>
                                            </attribute>
                                         </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                            <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="$usermapping$">
                                          <attributes>
                                               <attribute name="REFERENCE_SYSTEM_USER">
                                                    <physicalAttribute name="sapusername"/>
                                               </attribute>
                                          </attributes>
                                     </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="group">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                             <attribute name="displayname">
                                                  <physicalAttribute name="displayname"/>
                                             </attribute>
                                             <attribute name="description">
                                                  <physicalAttribute name="description"/>
                                             </attribute>
                                             <attribute name="uniquename" populateInitially="true">
                                                  <physicalAttribute name="ou"/>
                                             </attribute>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
                                                  <physicalAttribute name="null"/>
                                             </attribute>
                                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                                  <physicalAttribute name="null"/>
                                             </attribute>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.bridge">
                                       <attributes>
                                            <attribute name="dn">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
                   </principals>
              </attributeMapping>
              <privateSection>
                   <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
                   <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
                   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                   <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
                   <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
                   <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
                   <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                   <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
                   <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
                   <ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
                   <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                   <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
                   <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                   <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
                   <ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
                   <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
                   <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
                   <ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
                   <ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
                        <ume.ldap.access.domain_mapping>
                        [DOMAIN_PT;DC=domain,DC=pt]
                        [GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
                        [gs;DC=DC=gs,DC=domain,DC=pt]
                        [domain;DC=pt]
                        </ume.ldap.access.domain_mapping>
              </privateSection>
         </dataSource>
        </dataSources>
    Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM
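
    The ume.ldap.access.domain_mapping block in the posted file is the one place where the child domain is named, so it is worth checking mechanically. The following is an added example, not SAP code and not from the thread: it parses the four [KEY;BASE_DN] entries exactly as posted, checks each base DN for RDN syntax, and compares the DN's DC components with the two domain names the poster describes (a constructed list). How UME itself interprets the mapping key is not stated in the thread and is not asserted here.

```python
"""Sanity checks for a UME ume.ldap.access.domain_mapping block (added example).

Constructed illustration, not SAP code: MAPPING_TEXT is copied from the posted
XML; the checks (RDN syntax, DN-to-FQDN agreement, duplicates) are ordinary
LDAP/Active Directory rules and say nothing about UME's own parser.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Verbatim from the thread's dataSourceConfiguration file
MAPPING_TEXT = """
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
"""

# Domains the poster describes (constructed list for the check)
FOREST_DOMAINS = {"domain.pt", "gs.domain.pt"}

ENTRY_RE = re.compile(r"\[([^;\]]+);([^\]]+)\]")
# One RDN: attribute type, '=', a value with neither ',' nor '=' (no escaping handled).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def parse_domain_mapping(text: str) -> List[Tuple[str, str]]:
    """Return (key, base_dn) pairs in file order."""
    return [(k.strip(), dn.strip()) for k, dn in ENTRY_RE.findall(text)]


def rdn_problems(dn: str) -> List[str]:
    """Name every component of the DN that is not a well-formed 'type=value'."""
    return [f"malformed RDN {rdn.strip()!r}"
            for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]


def dn_to_fqdn(dn: str) -> str:
    """Join the DC components of a well-formed DN into the AD domain name."""
    parts = (rdn.strip().split("=", 1) for rdn in dn.split(","))
    return ".".join(v for k, v in parts if k.lower() == "dc")


def check_domain_mapping(text: str, forest_domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each mapping key to its list of findings (an empty list means clean)."""
    known = {d.lower() for d in forest_domains}
    report: Dict[str, List[str]] = {}
    seen_dns: Dict[str, str] = {}
    for key, dn in parse_domain_mapping(text):
        findings = rdn_problems(dn)
        if not findings:
            fqdn = dn_to_fqdn(dn).lower()
            if fqdn not in known:
                findings.append(f"base DN names {fqdn!r}, which is not a domain of the forest")
            if dn.lower() in seen_dns:
                findings.append(f"duplicate of key {seen_dns[dn.lower()]!r}")
            seen_dns.setdefault(dn.lower(), key)
        if key in report:
            findings.append("duplicate key")
        report[key] = report.get(key, []) + findings
    return report


if __name__ == "__main__":
    for key, findings in check_domain_mapping(MAPPING_TEXT, FOREST_DOMAINS).items():
        print(f"{key:<14}", "; ".join(findings) or "ok")
```

    Run against the posted block, the two upper-case entries come back clean, the third is rejected for the doubled "DC=" in its first component, and the fourth resolves to a domain named "pt" that is not part of the forest. Independently of the mapping, a plain LDAP bind to one domain controller on port 389 searches only that controller's own domain partition; objects from a child domain are reachable over a single connection only through referrals or the Global Catalog (port 3268), which is a general Active Directory property worth keeping in mind when a child domain's users never show up in searches.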

    Hi Gaetano
    I tried to set back the "uniqueid" in the XML to samaccountname.
    Also, I changed the SPNego to go only to domain.pt (gs.domain.pt is a child domain).
    In the first tests this worked perfectly, but we still have to do some testing with this config.
    When I get confirmation, I'll reply here.
    Thank you.
    PS: we thought of defining the ABAP user for each user, but there are a lot of users...
    We'll try this config, and if it doesn't work, probably that's what we'll do.
    Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
    Everything seems to be working now. Setting back the uniqueid to samaccountname and configuring SPNego to go to only 1 domain solved the issue.
    I just need to test which change did the trick.
    Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM

  • Shared Services: Multi-domain MSAD based configuration issue

    Hello to All,
    Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D.
    My actual configuration is based on the domain X and provides some MSAD users groups in D user directory.
    But I need to provision another user that belongs to another AD in a foreign domain Y.
    A trusted relationship (approbation relationship) has been created between the two domains X and Y.
    Is this kind of multi-domain configuration allowed in Shared Services?
    If yes, how can I configure this?
    OS: Solaris
    Hyperion Shared Services 9.3.1
    Thanks in advance for your help

    There are a couple of ways:
    1) Add a new provider in Shared Services
    2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
    Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
    Regards,
    John A. Booth
    http://www.metavero.com

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?
    I'm trying to follow the TrustSec 2.1 guide on IP Phones into Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume MAB phone and dot1x PC is supported?  Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • 802.1x Multi-Domain

    I've got a unique setup I'm trying to get set up with regards to 802.1x and have run into some issues.  I've got Avaya phones that I need to authenticate onto the voice VLAN that they are getting via LLDP.  But I'm only using 802.1x to keep things off the voice VLAN, which is in a VRF.  The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x as these PCs are not owned by the department.
    My idea was to run multi-domain as seems to be the suggestion for phone deployments and then put anything that fails authentication into the Data VLAN (30) using guest-vlan as well as authorizing them to Vlan 30 when authentication fails.  It seems like authentication fail Vlan and guest Vlan cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly.  Here is my current config that is not working as it's not putting the PC into Vlan 30 when authentication fails.  Vlan 40 is the voice Vlan. Vlan 30 is the data Vlan.
    interface GigabitEthernet1/0/1
    description Test 802.1x port
    switchport mode access
    switchport voice vlan 40
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event no-response action authorize vlan 30
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout server-timeout 15
    dot1x timeout supp-timeout 2
    spanning-tree portfast
    Any ideas on how I can go about achieving this?
    Thanks,
    Brian

    Well, you can use multiple-authentication mode.
    Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications, to authenticate different hosts by different methods on a single port.
    Multiple-authentication mode is limited to eight authentications (hosts) per port.
    Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.
    VERY IMPORTANT: When a port is in multiple-authentication mode, all the VLAN assignment features, including the RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass, and the Authentication Failed VLAN, do not activate.
    These are the configuration commands:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • 802.1x multi-domain 3560catalyst nortel ip phone ntdu92

    Hello everyone!
    I have 3560 catalyst ios 12.2(55)SE5
    I need to authorize a PC and an IP phone on this port. 212 is the data VLAN, 500 the voice VLAN, and VLAN 111 the unauthorized VLAN with 256 kbit/sec Internet and no local resources. The IP phone is authorized by MAB.
    #sh mac address-table interface fastEthernet 0/2
    212    001a.4b7b.0394    STATIC      Fa0/2
    500    001b.bafb.7c1c    STATIC      Drop
    #sh running-config interface fastEthernet 0/2
    interface FastEthernet0/2
    switchport access vlan 212
    switchport mode access
    switchport voice vlan 500
    authentication event fail action authorize vlan 111
    authentication event no-response action authorize vlan 111
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation replace
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout server-timeout 5
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 3
    dot1x max-reauth-req 3
    storm-control broadcast level 7.00 3.00
    storm-control multicast level 15.00 10.00
    storm-control action shutdown
    no cdp enable
    spanning-tree portfast
    spanning-tree guard root
    end
    #sh logging
    Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID  0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
    Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID  0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    What is necessary for the PC and the IP phone to work together on the port at the same time?
    Thanks for your help.

    Good afternoon. Thanks for your advice. The problem was the following: I forgot to add the command
    aaa authorization network default group radius
    Now everything is working.
    Fa0/2      001b.bafb.7c1c  mab      VOICE    Authz Success  0A32FF15000000B6500A0895
    Fa0/2      001a.4b7b.0394  dot1x    DATA     Authz Success  0A32FF15000000C353ADA437
    Thanks to all.
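    The switch log in the question above (port Fa0/2, MACs 001a.4b7b.0394 and 001b.bafb.7c1c) shows the phone and the PC alternately replacing each other under `authentication violation replace`, with each MACREPLACE recorded against the other device's audit session. On more than a handful of ports an operator wants that pattern surfaced rather than read off by hand. The block below is an added example, not code from the thread or from Cisco: it parses the quoted syslog lines, correlates them per interface and per MAC, and flags a port on which two MACs replace each other within a short window, together with the method (MAB or 802.1X) each one authenticated with. The log lines are copied from the post; the rule itself (a MACREPLACE in both directions within 60 seconds) is this example's own heuristic, not a documented Cisco check.

```python
"""Added example: flag ports where two MACs keep replacing each other.

Not code from the thread or from Cisco. SAMPLE_LOG is copied from the post
above; the contention rule is this example's own heuristic.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID  0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID  0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
"""

# "Mon DD hh:mm:ss: %FACILITY-SEV-MNEMONIC: free text"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): %(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
IFACE_RE = re.compile(r"[Ii]nterface ([A-Za-z]+)(\d+(?:/\d+)*)")
RESULT_RE = re.compile(r"result '(?P<result>[\w-]+)' from '(?P<method>\w+)'")

# IOS prints the same port as "Fa0/2" in some messages and "FastEthernet0/2" in others.
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def norm_iface(kind, num):
    return SHORT.get(kind, kind) + num


def parse_line(line):
    """Return a dict of the fields we need, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    im = IFACE_RE.search(m["text"])
    rm = RESULT_RE.search(m["text"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "msg": m["msg"],
        "iface": norm_iface(*im.groups()) if im else None,
        "macs": MAC_RE.findall(m["text"]),
        "method": rm["method"] if rm else None,
        "result": rm["result"] if rm else None,
    }


def find_mac_contention(log, window_s=60):
    """Ports where A was replaced by B and later B by A within window_s seconds.

    Returns {iface: {"macs": set, "methods": {mac: method}, "replacements": n}}.
    """
    replacements = defaultdict(list)   # iface -> [(ts, old_mac, new_mac)]
    methods = defaultdict(dict)        # iface -> {mac: method that succeeded}
    for raw in log.splitlines():
        ev = parse_line(raw)
        if not ev or not ev["iface"]:
            continue
        if ev["msg"] == "AUTHMGR-7-RESULT" and ev["result"] == "success" and ev["macs"]:
            methods[ev["iface"]][ev["macs"][0]] = ev["method"]
        if ev["msg"] == "AUTHMGR-5-MACREPLACE" and len(ev["macs"]) == 2:
            old, new = ev["macs"]
            replacements[ev["iface"]].append((ev["ts"], old, new))

    findings = {}
    for iface, events in replacements.items():
        contended = set()
        for i, (ts, old, new) in enumerate(events):
            for ts2, old2, new2 in events[i + 1:]:
                # the reverse replacement shortly afterwards: the two hosts are fighting
                if (old2, new2) == (new, old) and (ts2 - ts).total_seconds() <= window_s:
                    contended |= {old, new}
        if contended:
            findings[iface] = {
                "macs": contended,
                "methods": {mac: methods[iface].get(mac) for mac in sorted(contended)},
                "replacements": len(events),
            }
    return findings


if __name__ == "__main__":
    for iface, info in find_mac_contention(SAMPLE_LOG).items():
        print(f"{iface}: {len(info['macs'])} MACs replacing each other "
              f"({info['replacements']} MACREPLACE events): {info['methods']}")
```

    Run against the lines from the post it reports Fa0/2 once, with the phone's MAC attributed to `mab` and the PC's to `dot1x`; a port where only one MACREPLACE ever happens (a device genuinely swapped) is not reported.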

  • Multi domains handling.

    There have been many posts regarding domain.sites splitting and how to handle multi-domain.
    First you need to split your domain.sites package, courtesy of Mark:
    http://web.mac.com/mark8heaton/iWeb/DomainSeparation/SiteSeparation.html
    What about handling multi-domain?
    Make a master folder, and make sub-folders within this master folder to keep the (split) domain.sites, then place the master folder in your Dock, i.e.:
    http://www.geocities.com/[email protected]/images/domains.jpg
    You can access your domain.sites at any time from the Dock.
    What about making new domain.sites?
    You can force iWeb to create a new domain.sites with a shell script (Unix) or AppleScript - notice the second item in domains.jpg.
    The _New Domain script forces iWeb to create a new domain.sites package in the folder you specify, as in this dialog box:
    http://www.geocities.com/[email protected]/images/newDomain.jpg
    There is no need for a third-party application. Everything you see/need is free and is bundled with every Mac.

    Vark,
    Weird as heck, but it does happen.
    I've had it happen to me a few times and I've had a
    number of emails from others that have experienced
    the same thing; enough to make me warn everyone
    about it.
    Funny, when I try to replicate the problem I'm unable
    to; seems to strike at random.
    Weird stuff!!! I believe it, just think it is extremely bizarre.

  • Java and multi-domain certificates

    Hi, I tried using a so-called MDC or multi-domain certificate with my Java application, but when connecting with a web browser I get the following error in Firefox (Internet Explorer gives a similar error but provides less info):
    "The certificate is only valid for www.somedomain.com%2Csub1.somedomain.com%2Csub2.somedomain.com%2C"
    I assume the %2C should be commas or at least have been interpreted as commas.
    My question: was this certificate created wrongly, or does Java not support this type of certificate?

    I doubt it is a Java issue. If your SSL handshake is reaching the stage where the server sends its certificate to your browser, then the server is already satisfied with its own certificate. I doubt the server pays much attention to the subject name or any of the subject alternative names of its own certificate. And the server cannot change any of the fields of this certificate, so what it is sending the browser is exactly what you got back from the CA.
    You say you did not create the certificate, but you almost certainly created almost all the fields of the certificate by creating something called a certificate signing request. This is what you give to the CA. The CA uses this to populate the fields of a certificate that it signs and gives back to you.

  • Zimbra Multi Domain SMTP auth/relay problem

    I have a query about setting up a multi-domain Zimbra 8.6 OSE on Ubuntu 14.04. I have successfully set up Domain1 with Zimbra and added virtual host Domain2. Mails to each of them are routing to each other and sending from the server to outside is also working. However, I need both domains to send emails using their respective ISP, so domain1 would use ISP1 and domain2 ISP2. In my previous implementation, I have successfully used "zimbraMtaRelayHost" for a single domain. Searching more, I have tried the "Relay per Domain" using "sender_dependent_relayhost_maps." I am, however, still unable to send mail using Zimbra. I have, upon instinct, put in the port after the IP address of the ISPs in /opt/zimbra/postfix/conf/bysender so it looks like the one below (based on the wiki):
    @domain1.com [10.10.10.1]:587
    @domain2.com [20.20.20.1]:587
    Zimbra now...
    This topic first appeared in the Spiceworks Community


  • 2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers?

    I've just successfully implemented Multisite server 2012 R2 DirectAccess in a child domain of a global company with numerous sub domains.  I'd like to limit the scope of the auto discovery of management servers in 2012 R2 DA is anyone aware of
    any way of doing this?
    During the default initial configuration of DirectAccess Auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
    In my scenario the number of sub domains and multinational nature of the company means that the DA servers cannot contact all DCs for every child domain in the forest.
    This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical", leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.
    The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.
    I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
    Also the child domain DCs don't actually appear in the management servers list.

    Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization that has a multi-domain forest. He had no choice but to open network flows to have at least one domain controller per domain in the forest reachable.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • MDT from Single Site for Multi Domain OS Deployment

    Hi all,
    We are looking for a solution which will make it possible to use MDT from a single site to deploy Windows 7 or Windows 8 and join different domains of different customers without trust relationships between domains.
    We are a service provider which supports different customers with separate domains. At this moment those different customers have their own WDS server on site and administration is time consuming because a lot of hardware changes occur.
    We are now searching for a solution which is easier to manage, and one of the solutions we are thinking about is to install a WDS server in our office and use MDT for some custom task sequences, but just build one image with all the different driver packs we have.
    Does anyone know how to deal with this from our point of view? All tooling I can find is based on Enterprise clients with one domain forest and maybe some different sites but all in one domain, which makes deployment a bit easier than in our situation, I guess, as we are looking for a solution that supports multi-domain deployment.
    Hope someone might have experienced this before and can help us in the right direction. If someone has experience with additional tooling which might help us I am more than interested to know how the tooling helped in solving this.
    Preferably we would have a tool which was multi-tenant and from which multiple domains could be managed from a single console, but I think that tool just doesn't exist.
    Hope someone is able to help us in the right direction. Please let me know if you have any tips or did experience the same while making a Deployment plan for the service provider you are working for.
    Many thanks in advance!

    So is the goal not only to get multiple domains to select from? If so, you could use a DomainOUList.xml file.
    Also would the clients be imaged at your site or your clients site?
    If this post is helpful please click "Mark for answer", thanks! Kind regards

  • Portal 7  Multi Domain authentication (AD)/ISA 2006 KCD SSO

    I am new to SAP portal etc. I have read posts and want some more clarification and pointers.
    Basically want to achieve SSO.
    We have Portal 7 on Red Hat Linux in a third-party data center with SAP ECC/BI etc. at the backend.
    Active directory is windows 2003 forest which has three domains suppose
    domain A (for internal employees),
    domain B (for internal employees),
    and domain C (for suppliers).
    assume all domains have bidirectional windows trust.
    Scenario 1
    We want to authenticate both domain A and domain B user to Portal.
    a) Can we do this by using integrated Windows authentication and SPNEGO?
    b) Does SPNEGO work in a multi-domain scenario?
    c) Do I have to point to the Global Catalog or to a separate KDC for each domain in the portal?
    d) Does the Windows trust between domain A and domain B matter for SPNEGO to work? To me it seems that the trust shouldn't matter if SPNEGO is using a separate KDC for each domain. If going to the Global Catalog then it might matter.
    e) All SPNEGO configuration is on the Portal regardless of the underlying OS. Mine is Red Hat Linux.
    Scenario 2
    We want to bring domain C in to access the portal also. Since domain C is for suppliers we will authenticate them using Basic authentication over SSL on the ISA 2006 reverse proxy and then use Kerberos constrained delegation (KCD) to pass them to the portal, so as to achieve SSO.
    1) If the portal is using SPNEGO for this domain C, then will it work?
    2)  I have to check whether ISA 2006 can do multi domain KCD if I change my design where i push all domain A, Domain B and domain C user to go through ISA server reverse proxy before going to portal.
    Thanks for helping out.
    triwhdxk
    Moved by moderator to the correct forum
    Edited by: Hilit Fisch on May 25, 2009 1:55 PM

    Hi Gaetano
    I tried to set the "uniqueid" in the XML back to samaccountname.
    Also, I changed the SPNEGO to go only to domain.pt (gs.domain.pt is a child domain).
    In the first tests this worked perfectly, but we still have to do some testing with this config.
    When I get confirmation, I'll reply here.
    Thank you.
    PS: we thought about defining the ABAP user for each user, but there are a lot of users...
    We'll try this config, and if it doesn't work, probably that's what we'll do.
    Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
    Everything seems to be working now. Setting the uniqueid back to samaccountname and configuring SPNEGO to go to only 1 domain solved the issue.
    I just need to test which change did the trick.
    Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM

  • ACE multi domain SSL certificate

    Hello there,
    this may sound an obvious question maybe, but I didn't find a proper answer:
    does ACE supports SSL termination using a multi domain certificate? CN + several SANs
    and how do I issue a certificate request on the LB for this kind of cert?
    Thanks in advance.
    S.

    Hello S.    
    Yes, the ACE does support SAN certificates; the process to import and configure them is the same as if you were importing a "regular" SSL cert.
    About the CSR for multiple domains, I've checked the latest version release notes and it seems the feature has not been added yet. When I've been asked to create a SAN CSR I always do it using OpenSSL; here is a link that explains what you need to do in order to get your pem files.
    http://xrl.us/bkrr56
    HTH
    Pablo
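    Two threads above turn on the same detail: the Java application whose Firefox error shows the names joined by `%2C`, and the ACE question about requesting a certificate for a CN plus several SANs. A multi-domain certificate carries one dNSName entry per host in the subjectAltName extension, and a CA copies whatever GeneralNames the CSR contained (with OpenSSL each name is its own `DNS:` item, e.g. `subjectAltName=DNS:www.somedomain.com,DNS:sub1.somedomain.com`). The block below is an added example, not code from either thread, from Java or from Cisco. It DER-encodes a subjectAltName the right way and the wrong way (a single dNSName holding a comma-joined list, which produces exactly the error text quoted in the Java thread; the thread does not confirm that this was the poster's cause), decodes both, and runs a simplified RFC 6125 host-name match against each. The host names are taken from the quoted Firefox message; the bytes are constructed here, and only the standard library is used.

```python
"""Added example: build, decode and check an X.509 subjectAltName extension.

Not code from the thread, from Java or from the ACE. Host names come from the
Firefox message quoted in the Java thread; the DER bytes are constructed here.
"""
from urllib.parse import quote

SAN_OID = bytes.fromhex("551d11")        # 2.5.29.17 id-ce-subjectAltName
HOSTS = ["www.somedomain.com", "sub1.somedomain.com", "sub2.somedomain.com"]


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def build_san_extension(dns_names):
    """Extension { extnID 2.5.29.17, extnValue OCTET STRING { GeneralNames } }.
    Each entry becomes its own dNSName: context tag [2] IMPLICIT IA5String (0x82)."""
    general_names = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)
    return _tlv(0x30, _tlv(0x06, SAN_OID) + _tlv(0x04, _tlv(0x30, general_names)))


def _read_tlv(buf, pos):
    """Return (tag, value, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_san_extension(ext):
    """dNSName strings from a DER subjectAltName Extension (a critical flag is tolerated)."""
    tag, body, _ = _read_tlv(ext, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                      # optional BOOLEAN 'critical' before extnValue
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    _, names, _ = _read_tlv(val, 0)
    out, p = [], 0
    while p < len(names):
        tag, v, p = _read_tlv(names, p)
        if tag == 0x82:                  # skip rfc822Name, iPAddress, etc.
            out.append(v.decode("ascii"))
    return out


def match_hostname(host, dns_names):
    """RFC 6125 style: exact match, or '*' only as the whole left-most label."""
    host = host.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) > 2
                and len(host) == len(labels) and host[1:] == labels[1:]):
            return True
    return False


def browser_error_text(dns_names):
    """Approximate the Firefox wording: names are URL-escaped, so ',' shows up as '%2C'."""
    return "The certificate is only valid for " + quote(",".join(dns_names))


GOOD_SAN = build_san_extension(HOSTS)                   # one dNSName per host
BAD_SAN = build_san_extension([",".join(HOSTS) + ","])  # one dNSName holding a "list"

if __name__ == "__main__":
    for label, ext in (("good", GOOD_SAN), ("bad", BAD_SAN)):
        names = parse_san_extension(ext)
        ok = [h for h in HOSTS if match_hostname(h, names)]
        print(label, names, "matches:", ok)
        if not ok:
            print("  ", browser_error_text(names))
```

    The broken extension decodes to one 57-character dNSName that matches none of the three hosts, and rendering it the way the browser does reproduces the `%2C`-joined string from the Java thread. Checking what a CA actually returned is the same walk: decode the SAN and confirm each host appears as its own entry before installing the certificate on the server or the load balancer.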

  • Custom AccessGate not support Multi-domain SSO

    Hi,
    I have a requirement to implement multi-domain single sign-on with a custom-built SSO plugin (i.e. WebGate/AccessGate/WebAgent). We have proposed OAM to implement multi-domain SSO with a custom-built AccessGate. The issue we are now facing is that, as per the Oracle Access Manager documentation, multi-domain SSO will not work if we use a custom-built WebGate/AccessGate. Do you know whether OAM 11g, CA or Tivoli will support multi-domain single sign-on with custom WebAgents? Your quick response is highly appreciated.
    Regards
    Som

    Since you have MDSSO implemented you need to figure out a way for multidomain logout as well.
    In step 3, since you logged out of abc.com, the obSSOCookie for that domain is deleted, but the cookie in the domain def.com still remains, so you are able to log in again in def.com. If the central domain were completely different from the other domain then you would have got SSO even after logout.
    Seems like you have a configuration where you will never be able to logout of def.com because the cookie in the central domain will always be there until it times out.
    Here's what you need to do..
    -During logout call logout for all the domains configured
