CSM 3.1 local user authentication problem

Hi everyone. I have a strange problem with local user authentication. In our CSM I have configured CSM to authenticate users using TACACS+ from our ACS server, and everything is OK with this configuration, but I have also configured fallback authentication for the user admin. Here is the problem: even when the connection to the ACS server is OK and the server can send authentication requests to ACS, we can authenticate with both ACS and the local admin, which I think is wrong because the local admin is configured as fallback. So what do you think about this problem, where CSM authenticates users against ACS and the local database at the same time?

You probably need to go under the system context and create the interface and also allocate VLANs to it in CSM before you configure the context itself.
I hope it helps.
PK

Similar Messages

  • AAA and local user authentication

    Hi,
    I already have AAA authentication set up on my switch, and I can use local users to log in when the AAA server is unreachable.
    But I want to know if it is possible to use local users even when the AAA server is reachable. Something like first checking the local user database and, if the user does not exist, falling back to AAA, or vice versa.
    Thanks.

    Ismail, the authentication methods you define act as a service. Only when the service is not available does the method fall back to the next method you define.
    So in your case, if the user account is not present in the local database it will not fall back to the AAA server:
    aaa authentication login default local group radius
    The same holds true if the user account is not in the AAA server:
    aaa authentication login default group radius local
    Only when the AAA server is not responding (service down or not reachable) will it fall back to the local database.
    Hope this helps!
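    The distinction the reply draws (a method that answers with a rejection ends the evaluation; only a method that cannot answer hands over to the next one) is the whole story of IOS method lists, and it is easy to get wrong when reasoning about fallback. The following is an added example, not code from the thread or from Cisco: a small simulator of method-list evaluation with the three outcomes an IOS method can produce. The user accounts, passwords and server names are constructed for the example. It also includes the `none` method, which the thread does not mention, to make one consequence of these semantics explicit.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected them: stop, do not try the next method
    ERROR = "error"  # method could not answer (server down/unreachable): try the next method


def local_method(local_db):
    """'local': the device's own username database always answers, so it never yields ERROR."""
    def method(user, password):
        return Outcome.PASS if local_db.get(user) == password else Outcome.FAIL
    return method


def group_method(servers):
    """'group radius' / 'group tacacs+': ask each server in turn. The first reachable
    server's verdict is final; only if every server is unreachable is the result ERROR."""
    def method(user, password):
        for server in servers:
            if not server["reachable"]:
                continue
            return Outcome.PASS if server["db"].get(user) == password else Outcome.FAIL
        return Outcome.ERROR
    return method


def none_method():
    """'none': accepts unconditionally. Included only to show the risk of ending a list with it."""
    def method(user, password):
        return Outcome.PASS
    return method


def authenticate(method_list, user, password):
    """Evaluate a method list left to right. Returns (granted, trail); trail records
    which methods ran and what each said. Login is granted only on PASS."""
    trail = []
    for name, method in method_list:
        outcome = method(user, password)
        trail.append((name, outcome))
        if outcome is not Outcome.ERROR:
            return outcome is Outcome.PASS, trail
    return False, trail  # every method errored: nobody answered, so login is denied


# Constructed sample data (hypothetical accounts): one local account, one RADIUS-only account
LOCAL_DB = {"admin": "L0cal-pw"}
RADIUS_DB = {"ismail": "R4dius-pw"}


def radius_then_local(radius_up):
    """aaa authentication login default group radius local"""
    return [("group radius", group_method([{"reachable": radius_up, "db": RADIUS_DB}])),
            ("local", local_method(LOCAL_DB))]


def local_then_radius(radius_up):
    """aaa authentication login default local group radius"""
    return [("local", local_method(LOCAL_DB)),
            ("group radius", group_method([{"reachable": radius_up, "db": RADIUS_DB}]))]


if __name__ == "__main__":
    for label, methods, user, pw in [
        ("radius up, local-only user", radius_then_local(True), "admin", "L0cal-pw"),
        ("radius down, local-only user", radius_then_local(False), "admin", "L0cal-pw"),
        ("local first, radius-only user", local_then_radius(True), "ismail", "R4dius-pw"),
    ]:
        granted, trail = authenticate(methods, user, pw)
        print(f"{label}: granted={granted}, trail={[(n, o.value) for n, o in trail]}")
```

    With the server reachable, `admin` (who exists only locally) is rejected by RADIUS and the local method is never consulted; only when the server is unreachable does the evaluation reach `local`. The reverse order has the same property for `ismail`. Ending a list with `none` means that when every server is unreachable, anyone is let in, which is why a list such as `group radius none` is a availability trade-off that should be a deliberate choice rather than a default.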

  • User authentication problem

    Hi,
    I am using the OC4J that comes with JDeveloper. I have a login page that I want to use for my projects. I put the user name and password info in jazn-data.xml and also in principals.xml, found in the same directory, but it is not working.
    Please help me
    Tareq

    You can refer following article to enable JAZN for your applications
    http://otn.oracle.com/sample_code/tech/java/codesnippet/security/JaasProvider/content.html
    Chandar

  • How to use different (not local) user for NTLM auth in Authenticator?

    Hi All,
    I use a custom Authenticator to provide user/passwords to connect to .NET web services. I overloaded the function getPasswordAuthentication(), which returns the right user/password combination for the requested URL. It all works perfectly for many kinds of HTTP connections: basic, NTLM, NTLMv2, through proxy, SSL, etc.
    My problem is that during NTLM authentication from Windows computers the JVM uses the credentials of the currently logged-in domain user instead of calling the Authenticator to get another user/password provided by the user. In case the local user credentials fail to authenticate, the JVM calls my Authenticator, but in case authentication is successful it uses the local domain user and never calls my Authenticator. The issue is that when this local domain user does not have enough permissions but authenticates correctly, there is no way to supply the JVM with another user to begin with.
    What can I do to force the JVM to ignore the local domain user and to use the Authenticator to collect credentials during NTLM authentication requested by the server, in case the software runs on a Windows box with a currently logged-in domain user?
    I have been looking for the answer for a long time already but found only questions and suggestions to switch the server away from NTLM authentication, which is not an option for me. From the developer's view it has to be a pretty simple change for Sun to make in the Java networking API. Is there any way to escalate it to Sun support? Maybe there is some property in some JRE patch level that allows doing this?
    Thank you very much!
    Mark

    Thank you for the reply. I have kind of an opposite problem. I can perfectly connect from Linux computers to Microsoft IIS servers using NTLM or even NTLMv2 authentication. My problem is connecting from a Windows client computer joined to the same domain as the IIS server, with the domain user logged in to this computer. In this case this user account will be used in any HTTP connections I initiate to this IIS server instead of the one that I want to supply in my custom Authenticator.
    I have a graphical interactive application that connects to an IIS server. When the user runs it and connects to the IIS server I want to prompt for the user/password regardless of whether the JRE may correctly authenticate using the current user account credentials. The current user may not have enough permissions in the IIS application, so I want to use a different user to log in to the IIS application.
    Thank you anyway,
    Mark

  • Problem with local users printing to the printer queue

    We have just upgraded our servers to 2.8GHz Quad-core Intel Xeon which is running OS X 10.5.6
    I have set up the printer queue to the network printers, through LPD.
    Open Directory users are able to print to the network printers without any problem; however, users local to a machine (all 10.5.6 but different models) are not able to print.
    The printer pauses and does not print.
    Any solutions?

    Hi there,
    I am not quite sure of your setup based on your posting so apologies if my reply is not appropriate.
    Are you saying that when the Mac attempts to print directly to the network printer (rather than via a queue created by selecting an Open Directory printer) the printer queue pauses?
    If yes, then I would ensure that the LPD protocol was selected and the correct queue name was entered - as this can often cause the spooler to pause.
    PaHu

  • Problems with 802.1x MS PEAP machine and user authentication

    Using the Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows domain, the machine authentication is successful and the machine gets access to the network. However, when user logon to the domain occurs, contrary to the flow given in the ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also for GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried both integrated and non-integrated with domain logon (i.e. the "use my Windows logon name and password and domain (if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in the successful authentication log).
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using the ACS internal database for user authentication (even though the ACS and Windows passwords are the same, using an identity management system), ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping, but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • Login problem in that the radius server is not configured. And the local user does not authenticate

    When trying to log in, the message "No radius server configured" appears and the local user does not authenticate. How do I get access without rebooting the 6500 switch running CatOS?

    Hi PK.
    Thanks for your attention. Do you know how to insert a configuration line via SNMP RW, such as "set radius server 10.112.15.21 auth-port 1645 primary"?
    I believe this way I can work around the problem.

  • 550 Local user only or Authentication mechanism

    The following is the source code of a JSP page used to send mail. When it ran, I got an exception:
    Invalid Addresses; nested exception is: class com.sun.mail.smtp.SMTPAddressFailedException: 550 Local user only or Authentication mechanism
    Why?
    Here is the source code of the JSP page:
    <%@ page import="javax.mail.Session,
    javax.mail.Message,
    javax.mail.internet.MimeMessage,
    javax.mail.internet.InternetAddress,
    javax.activation.DataHandler,
    javax.mail.Transport"%>
    <%
         String host = "mail.server.com.cn";
         String username = "mayf";
         String password = "1111111";
         String from = "[email protected]";
         String to = "[email protected]";
         String content = ""; // it could be just a line of text or some HTML.
         content += "<html><head><title></title>";
         content += "</head>";
         content += "<body>";
         content += "HTML works fine but you could just cut these lines...";
         content += "</body>";
         content += "</html>";
         String subject = "test SMTP";
         java.util.Properties props = System.getProperties();
         props.put("mail.smtp.host", host);
         props.put("mail.smtp.auth", "true");
         Session mailSession = Session.getDefaultInstance(props, null);
         Message message = new MimeMessage(mailSession);
         message.setSubject(subject);
         message.setFrom(new InternetAddress(from));
         try {
              message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
         } catch (Exception e) {
              out.print(e.getMessage());
         }
         message.setDataHandler(new DataHandler(content, "text/html"));
         try {
              // connect() with credentials performs SMTP AUTH before any RCPT TO is sent;
              // the 550 in the exception above is the server's reply to RCPT TO
              Transport transport = mailSession.getTransport("smtp");
              transport.connect(host, username, password);
              transport.sendMessage(message, message.getAllRecipients());
              transport.close();
         } catch (Exception e) {
              out.print(e.getMessage());
         }
    %>

    Hi, I'd try getReturnCode, since it involves some server error response.
    Class SMTPAddressFailedException
    public int getReturnCode()
    Return the return code from the SMTP server that indicates the reason for the failure. See RFC 821 for interpretation of the return code.
    --------------------------------------------------

  • Dreamweaver Server Bahavior, User Authentication, Logout User Problem

    Hi! I want to add a 'logout user' functionality to the PHP page using the Server Behavior, User Authentication, Logout User option in Dreamweaver CS3.
    I highlight the text 'Logout', then click on the above mentioned option and I get an error message:
    While executing onLoad in Log Out User.htm, the following JavaScript error(s) occurred:
    At line 603 of file "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Configuration\Shared\Controls\Script\TagMenu.js": The object is not currently contained in a document.
    In the Log Out User form, the "link clicked" is blank and "when done" is not selectable.
    Can anyone help me out? Thanks!

    Hi! I'm not using JavaScript. I'm using PHP to log in and log out a user. The log in implementation works fine. It's the log out that is giving me problems.
    Below is the code:
    <?php
    if (!isset($_SESSION)) {
      session_start();
    }
    $MM_authorizedUsers = "admin";
    $MM_donotCheckaccess = "false";

    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
      // For security, start by assuming the visitor is NOT authorized.
      $isValid = False;

      // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
      // Therefore, we know that a user is NOT logged in if that Session variable is blank.
      if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
          $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
          $isValid = true;
        }
        if (($strUsers == "") && false) {
          $isValid = true;
        }
      }
      return $isValid;
    }

    $MM_restrictGoTo = "denied.html";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
      $MM_qsChar = "?";
      $MM_referrer = $_SERVER['PHP_SELF'];
      if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
      if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
        $MM_referrer .= "?" . $QUERY_STRING;
      $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
      header("Location: " . $MM_restrictGoTo);
      exit;
    }
    ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="../Templates/admin.dwt" codeOutsideHTMLIsLocked="false" -->
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <!-- InstanceBeginEditable name="doctitle" -->
    <title>Admin</title>
    <!-- InstanceEndEditable -->
    <!-- InstanceBeginEditable name="head" -->
    <!-- InstanceEndEditable -->
    <link href="../twoColFixLtHdr.css" rel="stylesheet" type="text/css" />
    <!--[if IE 5]>
    <style type="text/css">
    /* place css box model fixes for IE 5* in this conditional comment */
    .twoColFixLtHdr #sidebar1 { width: 230px; }
    </style>
    <![endif]--><!--[if IE]>
    <style type="text/css">
    /* place css fixes for all versions of IE in this conditional comment */
    .twoColFixLtHdr #sidebar1 { padding-top: 30px; }
    .twoColFixLtHdr #mainContent { zoom: 1; }
    /* the above proprietary zoom property gives IE the hasLayout it needs to avoid several bugs */
    </style>
    <![endif]--><style type="text/css">
    <!--
    body,td,th {
    color: #000000;
    }
    body {
    background-color: #990000;
    }
    .style1 {color: #FFFF00}
    -->
    </style></head>
    <body class="twoColFixLtHdr">
    <div id="container">
    <div id="header">
    <h1 class="style1">Welcome to EMART</h1>
    <!-- end #header --></div>
    <!-- InstanceBeginEditable name="EditRegion4" -->
    <div id="sidebar1">
    <h3 class="style1">Emart</h3>
    <ul type="square">
    <li><a href="../index.php" class="style1">Home</a> </li>
    <li><a href="admin.php" class="style1">Admin</a> </li>
    <li><a href="add_product.php" class="style1">Add Product</a> </li>
    <li><a href="edit_product.php" class="style1">Edit Product</a> </li>
    <li><a href="delete_product.php" class="style1">Delete Product</a> </li>
    <li>Logout</li>
    </ul>
    <p> </p>
    <!-- end #sidebar1 -->
    </div>
    <!-- InstanceEndEditable --><!-- InstanceBeginEditable name="EditRegion3" -->
    <div id="mainContent">
    <h1>Admin</h1>
    <p>
    <!-- end #mainContent -->Logout</p>
    <p>  </p>
    </div>
    <!-- InstanceEndEditable -->
    <!-- This clearing element should immediately follow the #mainContent div in order to force the #container div to contain all child floats --><br class="clearfloat" />
    <div id="footer">
    <p>&copy; 2008<!-- end #footer -->
    </p>
    </div>
    <!-- end #container --></div>
    </body>
    <!-- InstanceEnd --></html>

  • Local Radius Authentication - Fails

    Hello all,
    Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
    Client Adapter ABG (PCI)
    I am new to wireless LAN configuration with Aironet products (first project). I am configuring an access point for a small LAN and I cannot get local RADIUS authentication working. The password always fails if I try:
    test aaa group radius xxxxx port 1812 new-code
    although the password matches..........
    Another thing is that in the configuration it always defaults to 'nthash' mode. Is this normal? In other words, if I type:
    radius-server local
    user dgarnett password xxxx
    when I do a 'show run' it displays as
    user xxxx
    I also get the following during a debug:
    There is no RADIUS DB Some Radius attributes may not be stored
    Any help greatly appreciated.
    ap#test aaa group radius dgarnett 123456789 port 1812 new-code
    Trying to authenticate with Servergroup radius
    User rejected
    ap#
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): sending
    Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
    Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
    Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
    Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
    Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
    Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
    Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
    Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
    Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
    Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
    Feb 19 20:57:44.538: RADIUS: State [24] 50
    Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
    Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
    Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
    Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
    Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

    Just as an update... I set this up authenticating to an external (ACS NT) RADIUS server and it authenticates successfully, but it still will not for the local database. My goal is to use the corporate ACS as primary and the local as backup. I think my problem has to do with RADIUS attributes 24 (State) and 80 (Message-Authenticator). I also think that it points back to the NTHash stuff. Please advise, as I am not new to security practices and wireless, but I am new to Cisco wireless networking.
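    The debug above shows the two attributes the poster suspects, User-Password [2] and Message-Authenticator [80], but not what they contain or how a server checks them. The following is an added example, not code from the thread or from Cisco: it builds an Access-Request carrying the same attributes the AP sent (username dgarnett, NAS IP 10.14.14.14, Service-Type Login; NAS-Identifier is omitted), applying the RFC 2865 User-Password obfuscation and the RFC 2869 Message-Authenticator HMAC, and then evaluates it the way a RADIUS server does. The shared secret, the password and the plaintext user database are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute numbers (RFC 2865 / RFC 2869); the bracketed numbers
# in the AP debug output are these attribute types
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
SERVICE_TYPE = 6
MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_LOGIN = 1


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the 16-byte
    Request Authenticator. This hides the password from a passive observer
    only as well as the shared secret is kept; it is not an integrity check."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as the server does before comparing."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts its own two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=b""):
    """Client (NAS) side. Message-Authenticator (RFC 2869 s.5.14) is HMAC-MD5, keyed
    with the shared secret, over the whole packet with its own value zeroed, so the
    server can detect a forged or altered request."""
    ra = authenticator or os.urandom(16)  # Request Authenticator: random, sent in the clear
    attrs = (
        attr(USER_PASSWORD, encode_user_password(password.encode(), secret, ra))
        + attr(USER_NAME, username.encode())
        + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    placeholder = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + ra
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, rejecting malformed lengths."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute length")
        out.append((t, packet[i + 2:i + l]))
        i += l
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute value zeroed and compare
    in constant time. A missing attribute counts as failure here."""
    i = 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        i += l
    return False


def server_decision(packet: bytes, secret: bytes, user_db: dict) -> str:
    """Server side. RFC 2869 says a request whose Message-Authenticator does not
    verify is silently discarded (no Reject); a bad password gets Access-Reject."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return "discard"
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return "discard"
    if not verify_message_authenticator(packet, secret):
        return "discard"
    attrs = dict(parse_attrs(packet))
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return "Access-Reject"
    user = attrs[USER_NAME].decode(errors="replace")
    given = decode_user_password(attrs[USER_PASSWORD], secret, packet[4:20])
    stored = user_db.get(user)
    if stored is None or not hmac.compare_digest(given, stored.encode()):
        return "Access-Reject"
    return "Access-Accept"
```

    The server in the example keeps plaintext so it can compare directly; a store that holds only the NT hash (the `nthash` form in the post) can still verify a PAP User-Password by hashing the decoded password and comparing hashes, so the hash form by itself does not explain a reject. A shared-secret mismatch, by contrast, breaks both the User-Password decoding and the Message-Authenticator check at once.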

  • Cannot connect to a local user in pdborcl

    Hi all,
    I created a local user named "dwh" in pdborcl (a PDB)... Impossible to connect using SQL*Plus... (on Windows 7)
    So ..
    SELECT v.name, v.open_mode, NVL(v.restricted, 'n/a') "RESTRICTED", d.status
    FROM v$pdbs v, dba_pdbs d
    WHERE v.guid = d.guid
    ORDER BY v.create_scn;
    NAME                           OPEN_MODE  RES STATUS
    PDB$SEED                       READ ONLY  NO  NORMAL
    PDBORCL                        READ WRITE NO  NORMAL
    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1521)))
    STATUS of the LISTENER
    Alias                     LISTENER
    Version                   TNSLSNR for 64-bit Windows: Version 12.1.0.1.0 - Production
    Start Date                16-DÉC. -2013 08:34:15
    Uptime                    0 days 2 hr. 38 min. 14 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   D:\Oracle\OracleDb12c\product\12.1.0\dbhome_1\network\admin\listener.ora
    Listener Log File         D:\Oracle\OracleDb12c\diag\tnslsnr\CHPRUVOS-FR\listener\alert\log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=CHPRUVOS-FR.fr.oracle.com)(PORT=1521)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=CHPRUVOS-FR.fr.oracle.com)(PORT=5501))(Security=(my_wallet_directory=D:\ORACLE\ORACLEDB12C\admin\orcl\xdb_wallet))(Presentation=HTTP)(Session=RAW))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=CHPRUVOS-FR.fr.oracle.com)(PORT=5500))(Security=(my_wallet_directory=D:\ORACLE\ORACLEDB12C\admin\orcl\xdb_wallet))(Presentation=HTTP)(Session=RAW))
    Services Summary...
    Service "CLRExtProc" has 1 instance(s).
      Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
    Service "orcl.fr.oracle.com" has 1 instance(s).
      Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "orclXDB.fr.oracle.com" has 1 instance(s).
      Instance "orcl", status READY, has 1 handler(s) for this service...
    Service "pdborcl.fr.oracle.com" has 1 instance(s).
      Instance "orcl", status READY, has 1 handler(s) for this service...
    and in tnsnames.ora
    PDBORCL =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = CHPRUVOS-FR.fr.oracle.com)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = pdborcl.fr.oracle.com)
        )
      )
    When doing tnsping PDBORCL --> TNS-03505: Failed to resolve name
    What is wrong ?

    I created a local user named "dwh" in the pdborcl (a pdb)...Impossible to connect using sqlplus...(
    You haven't posted ANYTHING showing that you cannot connect to that user using SQL*Plus.
    If you have a problem connecting, post the EXACT command you are using and the results that you get.
    When doing tnsping PDBORCL --> TNS-03505: Failed to resolve name
    What is wrong ?
    What is 'wrong' is that 'PDBORCL' is NOT a service name. The service name is 'pdborcl.fr.oracle.com'.
    Use a service name when you use tnsping.

  • Connecting Outlook 2013 for a local user

    We’re having trouble connecting a domain user’s Outlook 2013 to our Exchange 2013 server. The user has a domain user account and an Exchange mailbox.
    However;
     The user in question uses a PC that is physically connected to the network, but isn’t a domain-joined machine. The user is using a locally-provisioned account on the PC.
    The machine can query internal DNS servers, and has network connectivity through to the Exchange server.
    The user can successfully log in to OWA, where everything functions as normal. The user wishes to use Outlook 2013 for archiving of PST files.
    We are having issues creating a mail profile for the user, whether manually configuring or utilising autodiscover.
    With autodiscover, the user enters her name, email address and password in the initial wizard in Outlook 2013. 2 of the 3 steps succeed, before ‘The action cannot be completed. The name cannot be matched to a name in the address list’ error window is displayed.
    Is this because Exchange is having issues with the account being used to create the profile (the local user account on the PC)?
    Now what’s really odd, is that when using Outlook 2013 away from the network (at home), with any PC, the autodiscover method succeeds. What is causing it to fail internally?
    So, with the autodiscover method out of the window, we turned to manually configuring the profile.
    The local name of the Exchange server is entered for the server name, with the user’s email address for the username.
    In ‘More Settings’, the connection tab is configured to ‘Connect to Microsoft Exchange using HTTP’.
    The URL used to connect the proxy server for Exchange, is the external name used for OWA. This is the same address used when the user is using OWA internally/externally, which works without issue.
    Options ‘Connect using SSL only’, along with ‘Only connect to proxy servers that have this principal name in their certificate’ are selected with
    msstd:<external FQDN name> being entered.
    Basic Authentication is selected for the proxy authentication settings section.
    The user is then prompted for credentials. The following formats have been attempted;
    Domain.local\username
    Email Address
    [email protected]
    The correct password is used, but nothing is accepted.
    How can we get Outlook 2013 configured for this non-domain joined PC?
    Many thanks.

    The first problem is, if this is Exchange 2013 then the server name in Outlook isn't really a server name; it is in actuality the ExchangeGUID of the mailbox.
    Since you are trying to access the mailbox from a machine that is not on the domain, you will need to make sure the external URLs resolve properly internally, meaning either the user can access them by going out to the internet and getting routed back in (not ideal) or you configure them to resolve to the internal IPs on your internal DNS servers.
    Thank you for your reply.
    As I mentioned, this machine can query internal DNS servers without issue. Autodiscover is working in a fashion, as the name of the mail server is hashed.
    In an update to the post, I have exported a working profile from the registry of the machine for a domain user and imported it for a local user. This actually works, but I'd still like to know the reason for not being able to configure it in the first instance.

  • Authentication problem - solved, but maybe a bug in Mac OS X?

    Hi,
    I have a rather small installation with only a handful of users configured on a Mac mini (Mac OS X Server, 10.6.8). All of them use the mail, calendar and address book server on the Mac, nothing more. They use it with Mac, iPhone and iPad. Everything worked fine for months, but suddenly all of them were faced with authentication problems: it was not possible to log in on the IMAP server, the calendar server or the address book server. It was possible to log in using the admin account on the server directly. Moreover, all users disappeared from Workgroup Manager; however, they were still available on the server's LDAP server and findable using ldapsearch.
    First, I used to completely restart the server to solve the problem, but it reappeared after only a few hours.
    Second, after understanding more about the authentication process, I found that "killall DirectoryService" was sufficient to solve the problem, but it still reappeared after a few hours.
    Then I found that, once the problem occurred, there was nearly no more communication to the local LDAP server on port 389 on localhost. When everything was working fine, there was a lot of such communication, including queries for usernames, when a login attempt was made. I started a "tcpdump -n -i lo0 port 389" and waited for the problem again. After the problem occurred, I found in the pcap files that there were a few final query attempts, actually attempts to open a port 389 TCP connection to the slapd running on localhost, which were answered with a TCP RST. Then no more attempts were made until I restarted the DirectoryService. Using the log file of the slapd I found that this happened exactly at the time the slapd was stopped and restarted. And, surprisingly for me, stopping and restarting the slapd happened exactly once an hour.
    I then found that it happened exactly at the time the Time Machine backup process was started, and indeed it was possible to trigger the restart of the slapd by manually starting a Time Machine backup.
    (Indeed, I switched my backup strategy from SuperDuper to Time Machine the other day, and maybe that was the time the problem occurred for the first time. I know that Time Machine is not considered the best backup strategy for a server, but I wanted to try it on my own.)
    Google helped me to find a hint that Time Machine will actually stop and restart slapd, which is generally a good idea, since otherwise a backup of some open database files would be made, which could work but may fail. So, I think, one of the developers thought about that problem too and has considered Time Machine for backups of a server.
    However, a slapd that is not running cannot answer queries from a DirectoryService, and a stopping or starting process might indeed end up with TCP SYNs answered with TCP RST.
    My solution was to disable Time Machine again, and since then the problem has not occurred.
    I'm wondering why the DirectoryService process doesn't start querying the slapd again after a failed connection. Isn't this a bug? After this experience I consider Time Machine not only the non-preferred backup solution for a server but completely incompatible with Mac OS X Server, although, as I said, it seems that someone thought about backing up the LDAP database using Time Machine.
    (On a Lion server this problem does not occur; the slapd will not be stopped and restarted when Time Machine is running. Moreover, I saw a com.apple.slapd.start notification in the slapd.log... maybe this tells DirectoryService to try again.)
    Cheers,
    Wolfgang
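    The hourly slapd restart described above is the kind of pattern that is easy to confirm from the slapd log once you look for it. The script below is an added example, not code from the post: it scans a syslog-style slapd log for "slapd stopped." / "slapd starting" events and reports whether the restarts recur on a fixed schedule, which is what points at a scheduled job (here Time Machine) rather than a crash. The log line layout, the host name, the year and the message strings are assumptions modelled on OpenLDAP's syslog output; the sample log is constructed, not a real capture.

```python
"""Added example (not from the original post): find periodic slapd restarts
in a syslog-style slapd log. Line format and message strings are assumptions
modelled on OpenLDAP output; adapt LINE_RE to your own slapd.log."""
import re
from datetime import datetime

# Constructed sample log (not a real capture). Three stop/start cycles,
# one hour apart, with one ordinary connection line in between.
SAMPLE_LOG = """\
Feb 20 16:00:01 server slapd[101]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb 20 16:00:01 server slapd[101]: slapd stopped.
Feb 20 16:00:03 server slapd[202]: slapd starting
Feb 20 16:25:40 server slapd[202]: conn=15 fd=12 ACCEPT from IP=127.0.0.1:52031 (IP=0.0.0.0:389)
Feb 20 17:00:02 server slapd[202]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb 20 17:00:02 server slapd[202]: slapd stopped.
Feb 20 17:00:04 server slapd[303]: slapd starting
Feb 20 18:00:01 server slapd[303]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb 20 18:00:01 server slapd[303]: slapd stopped.
Feb 20 18:00:03 server slapd[404]: slapd starting
"""

# syslog timestamp, host, "slapd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def parse_events(log_text, year=2014):
    """Return a list of (timestamp, pid, 'stop'|'start') in log order.
    syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("slapd stopped"):
            kind = "stop"
        elif msg.startswith("slapd starting"):
            kind = "start"
        else:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("pid")), kind))
    return events


def restart_intervals(events):
    """Seconds between consecutive 'start' events, i.e. one restart cycle each."""
    starts = [ts for ts, _pid, kind in events if kind == "start"]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def periodic_restart(events, tolerance=60):
    """If every restart interval agrees within `tolerance` seconds, return the
    common interval in minutes (a scheduled job is then the likely cause);
    otherwise return None."""
    iv = restart_intervals(events)
    if len(iv) < 2:
        return None
    if max(iv) - min(iv) > tolerance:
        return None
    return round(sum(iv) / len(iv) / 60)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(restart_intervals(ev))   # [3601, 3599]
    print(periodic_restart(ev))    # 60
```

    Feed it the real log with `parse_events(open("/var/log/slapd.log").read())`; a steady 60-minute interval is the signature of the hourly backup, while irregular intervals point at crashes or manual restarts instead.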

    Another problem I found with the Mac OS X key bindings: the 6 key doesn't work!
    In the config that ships with SQL Developer, I found this:
    <Item class="oracle.javatools.util.Pair">
        <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
        <second class="oracle.ide.keyboard.KeyStrokes">
            <data>
                <Item class="javax.swing.KeyStroke">6</Item>
            </data>
        </second>
    </Item>
    which should be:
    <Item class="oracle.javatools.util.Pair">
        <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
        <second class="oracle.ide.keyboard.KeyStrokes">
            <data>
                <Item class="javax.swing.KeyStroke">meta 6</Item>
            </data>
        </second>
    </Item>
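    A bare "6" where "meta 6" was meant is easy to spot by hand for one entry and easy to miss across a whole keymap. The following is an added example, not SQL Developer's own code: it walks a keymap file with the Pair/KeyStrokes/KeyStroke nesting shown above and lists every DOCUMENT_n_CMD_ID binding whose keystroke carries no modifier, then offers the "meta"-prefixed form. The sample document is constructed from the fragments in the post; the modifier words are the ones javax.swing.KeyStroke.getKeyStroke(String) accepts.

```python
"""Added example (not SQL Developer's code): lint a keymap XML for
DOCUMENT_n_CMD_ID bindings with no modifier key. SAMPLE_XML is constructed
from the fragments quoted in the post."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<keymap>
  <Item class="oracle.javatools.util.Pair">
    <first class="java.lang.String">DOCUMENT_5_CMD_ID</first>
    <second class="oracle.ide.keyboard.KeyStrokes">
      <data><Item class="javax.swing.KeyStroke">meta 5</Item></data>
    </second>
  </Item>
  <Item class="oracle.javatools.util.Pair">
    <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
    <second class="oracle.ide.keyboard.KeyStrokes">
      <data><Item class="javax.swing.KeyStroke">6</Item></data>
    </second>
  </Item>
</keymap>"""

# Modifier tokens understood by javax.swing.KeyStroke.getKeyStroke(String)
MODIFIERS = {"shift", "control", "ctrl", "meta", "alt", "altGraph",
             "button1", "button2", "button3"}


def bindings(xml_text):
    """Yield (command_id, keystroke_string) for every Pair in the keymap."""
    root = ET.fromstring(xml_text)
    for pair in root.iter("Item"):
        if pair.get("class") != "oracle.javatools.util.Pair":
            continue
        cmd = pair.find("first")
        if cmd is None or not cmd.text:
            continue
        for ks in pair.iter("Item"):
            if ks.get("class") == "javax.swing.KeyStroke":
                yield cmd.text.strip(), (ks.text or "").strip()


def has_modifier(keystroke):
    """True when at least one token before the key name is a modifier."""
    return any(tok in MODIFIERS for tok in keystroke.split()[:-1])


def unmodified_document_bindings(xml_text):
    """DOCUMENT_*_CMD_ID entries bound to a bare key, e.g. ('DOCUMENT_6_CMD_ID', '6')."""
    return [(cmd, ks) for cmd, ks in bindings(xml_text)
            if cmd.startswith("DOCUMENT_") and cmd.endswith("_CMD_ID")
            and not has_modifier(ks)]


def fix_keystroke(keystroke, modifier="meta"):
    """Prefix the modifier the post suggests (meta = Command on Mac OS X)."""
    return keystroke if has_modifier(keystroke) else f"{modifier} {keystroke}"


if __name__ == "__main__":
    for cmd, ks in unmodified_document_bindings(SAMPLE_XML):
        print(f"{cmd}: '{ks}' -> '{fix_keystroke(ks)}'")
```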

  • 802.1x eap-tls machine + user authentication (wired)

    Hi everybody,
    right now we try to authenticate the machines and users which are plugged into our switches over 802.1X EAP-TLS. Works just fine with Windows.
    You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success; if no, the switchport will not allow any traffic.
    Now we have to implement the same behaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentation etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
    1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
    <key>SetupModes</key>
    <array>
        <string>System</string>
        <string>Loginwindow</string>
    </array>
    <key>PayloadScope</key>
    <string>System</string>
    but it does not work.
    2) How do I tell Mavericks to reauthenticate with the user certificate when the user logs in?
    Thanks

    Unfortunately these documents do not describe how to do what I want.
    I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects just automatically. That's really strange.
    I set the eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
    The certificates are in my System keychain.
    Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log.
    Any ideas ?
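    With eapolclient logging only to system.log, the useful distinction in the lines quoted above is whether each "authentication failed" was preceded by the supplicant failing to find a client identity at all (a keychain/profile problem on the Mac) or not (which would point at the exchange with the RADIUS server). The script below is an added example, not code from the post or from Apple: it parses eapolclient syslog lines of the two shapes shown above and attributes each EAP-TLS failure per interface. The sample reuses the four lines from the post plus one constructed kernel line to show that unrelated entries are ignored; the "client_identity" attribution is this script's heuristic, not a documented eapolclient status code.

```python
"""Added example (not from the post): classify eapolclient EAP-TLS failures
found in /var/log/system.log. The two message shapes are taken from the
post; the kernel line in the sample is constructed filler."""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:15 MacBook-Pro.local kernel[0]: en0: link up (constructed line, not from the post)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
"""

# Only eapolclient lines are of interest; everything else is skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ eapolclient\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IDENTITY_RE = re.compile(r"failed to find client cert/identity, paramErr \((?P<err>-?\d+)\)")
FAILED_RE = re.compile(r"^(?P<ifname>\w+) EAP-TLS: authentication failed with status (?P<status>\d+)$")


def parse_eapol(log_text):
    """Return a list of event dicts for the eapolclient lines we understand."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        im = IDENTITY_RE.search(msg)
        fm = FAILED_RE.match(msg)
        if im:
            events.append({"ts": m.group("ts"), "kind": "no_identity",
                           "err": int(im.group("err"))})
        elif fm:
            events.append({"ts": m.group("ts"), "kind": "auth_failed",
                           "ifname": fm.group("ifname"), "status": int(fm.group("status"))})
    return events


def classify_failures(events):
    """Map interface -> failure counts. A failure is attributed to the client
    identity lookup when a no_identity error immediately precedes it (the
    supplicant never presented a certificate); anything else is 'other'."""
    result = defaultdict(lambda: {"client_identity": 0, "other": 0})
    prev = None
    for ev in events:
        if ev["kind"] == "auth_failed":
            cause = "client_identity" if prev and prev["kind"] == "no_identity" else "other"
            result[ev["ifname"]][cause] += 1
        prev = ev
    return dict(result)


if __name__ == "__main__":
    print(classify_failures(parse_eapol(SAMPLE_SYSLOG)))
    # {'en0': {'client_identity': 2, 'other': 0}}
```

    Run it over the real file with `parse_eapol(open("/var/log/system.log").read())`. Every failure landing in "client_identity" while no user is logged in is consistent with the supplicant having no usable identity in the context it runs in, which is the symptom the post describes.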

  • 802.1x Authentication problems

    I configured dot1x port authentication on the switched network using a Cisco ACS SE and on the computers (Windows XP/SP2) PEAP and EAP-MSCHAPv2. Everything works OK while the user has already loaded his credentials on the PC, but if somebody tries to log in on the PC as a new user the authentication process fails, so I have to force the authentication process to gain access to the network; after that I revert the authentication process to auto and the user logs off and then the authentication process works again.
    What am I missing??
    Please some help...

    What we are seeing here is the known behavior of dot1x authentication. To bypass this issue we would need to set up machine authentication along with user auth. Here is the 802.1x process that explains the behavior that we were experiencing with the cached credentials.
    When machine authentication is enabled, the authentications occur in this order:
    When starting a computer,
    * Machine authentication - ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.
    * User domain authentication - If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
    * You can also have only user authentication without machine authentication. It only gives problems in the case of a first-time user that is not yet registered once on the AD. So with machine authentication you have a network connection to AD, and therefore a first-time user has no problem. In addition, without machine authentication (no access to AD during user login) you need to make sure to have user credential caching on the workstation. In machine authentication, AD and the machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up
    the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL the user login will start.
    Regards,
    ~JG
    Do rate helpful posts
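    The two 802.1X threads above describe the same ordering problem from two sides: the EAP-TLS post wants the RADIUS server to reject a user on a port whose machine never authenticated, and the PEAP post shows what happens when there is no machine authentication and a user without cached credentials has no network path to AD at logon time. The model below is an added example, not Cisco ACS code and not from either post: a tiny RADIUS stand-in that tracks per-port machine state and optionally enforces "user only on a machine-authenticated port", plus a workstation stand-in that logs on over the network when the port is open and from its cache otherwise. It runs the four cases the posts discuss. Port names, the in-memory user set and the machine account name are assumptions for the illustration.

```python
"""Added example (not Cisco ACS code, not from the posts): model of the
machine-then-user 802.1X sequence and of why a first-time user fails
without machine authentication. All names are illustrative."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    machine_authenticated: bool = False
    user: Optional[str] = None      # user currently authorised on this port


@dataclass
class Radius:
    """Stand-in for ACS. known_* are the accounts whose certificates or
    credentials it accepts; require_machine_auth is the check the EAP-TLS
    post describes (user accepted only on a machine-authenticated port)."""
    known_machines: set
    known_users: set
    require_machine_auth: bool = True
    ports: dict = field(default_factory=dict)

    def port(self, name):
        return self.ports.setdefault(name, Port())

    def machine_auth(self, port_name, machine_id):
        p = self.port(port_name)
        p.machine_authenticated = machine_id in self.known_machines
        return p.machine_authenticated

    def user_auth(self, port_name, user_id):
        p = self.port(port_name)
        if user_id not in self.known_users:
            p.user = None
            return False
        if self.require_machine_auth and not p.machine_authenticated:
            p.user = None
            return False
        p.user = user_id
        return True


@dataclass
class Workstation:
    """Windows side: a domain logon needs the network; otherwise only
    users already in the local credential cache can log on."""
    cached_users: set

    def logon(self, user_id, network_up, domain_users):
        if network_up and user_id in domain_users:
            self.cached_users.add(user_id)   # successful domain logon is cached
            return "domain"
        if user_id in self.cached_users:
            return "cached"
        return None


def scenario(machine_auth_enabled, require_machine_auth, user_id, cached):
    """Boot -> logon -> user 802.1X for one laptop on one port.
    Returns (logon_kind, user_authorised_on_port)."""
    radius = Radius(known_machines={"LAPTOP01$"}, known_users={"alice", "bob"},
                    require_machine_auth=require_machine_auth)
    ws = Workstation(cached_users={"alice"} if cached else set())
    port_open = machine_auth_enabled and radius.machine_auth("Gi1/0/1", "LAPTOP01$")
    logon = ws.logon(user_id, port_open, radius.known_users)
    if logon is None:
        return None, False            # nobody logged on, no user 802.1X attempt
    return logon, radius.user_auth("Gi1/0/1", user_id)


if __name__ == "__main__":
    print(scenario(True, True, "bob", False))     # ('domain', True): full chain
    print(scenario(False, False, "bob", False))   # (None, False): the PEAP post's new user
    print(scenario(False, False, "alice", True))  # ('cached', True): PEAP post, cached user
    print(scenario(False, True, "alice", True))   # ('cached', False): EAP-TLS policy denies
```

    The second case is the PEAP poster's symptom: without machine authentication the port is closed at logon, so a user with no cached credentials cannot reach AD and never gets as far as user 802.1X. The fourth case is the EAP-TLS poster's policy working as intended: a cached logon on a port with no machine authentication is rejected by the server-side check.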
