Delay in authentication EAP client

hi
We have a client who has 4 APs on 1 floor, which use channels 1, 4, 7, 11, with EAP-TLS enabled. The RADIUS server is placed in, you could say, Hong Kong. The problem is:
1. When a client starts a download, the client roams across all the APs, causing the download to take much more time. When the download is switched off it comes back to the nearest APs.
Any help is welcome
thanks
2. We are facing problems in getting clients authenticated. The ACU shows that the client has associated to a particular AP, then it roams to all APs for a while, then randomly starts authentication with one AP and finally authenticates. The setting on the client side is clear channel assessment as firmware default.
The APs in question are 1100

Hi,
We have a similar setup with 3 1200 APs and an ACS RADIUS/certificate server for EAP-TLS. All APs are configured with the same SSID and are all set to use a fixed channel (11). The APs and the ACU have all been upgraded to the latest firmware and it all works correctly. If you pick up a laptop and roam through the building you can reauthenticate from different APs without any problems.
Rgds
Paddy

Similar Messages

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user takes several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)

  • Urgent : problems in authenticating the client

    Hi every one,
    I'm new to SSL and have a problem authenticating the client with the server. When I disable
    ((SSLServerSocket)serversocket).setNeedClientAuth(true);
    both the server and client work fine and I get the required output.
    If I use -Djavax.net.ssl.truststore=trustStoreName and -Djavax.net.ssl.keyStore=keystoreName on the command line for the client then it works, but I want to do it without the command-line options.
    I tried to debug the client's SSL handshake, where it seems that if I don't mention the truststore and keystore on the command line it won't take the ones mentioned in the code.
    If anyone has a solution for this or any idea, can you please help me out? I've been stuck on it for about a week now. Thanks in advance.
    uzi

    Hi...
    I'm new to SSL connections. I implemented the code for an SSL connection in a Java program, using the following code:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.ldap.InitialLdapContext;
    // JNDI environment; adminName and adminPassword are defined elsewhere in the application
    Hashtable<String, Object> env = new Hashtable<>();
    // Point JSSE at the JRE trust store that holds the AD server certificate
    String keystore = "<java_home>/jre/lib/security/cacerts";
    System.setProperty("javax.net.ssl.trustStore",keystore);
    env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION,"simple");
    env.put(Context.SECURITY_PRINCIPAL,adminName);
    env.put(Context.SECURITY_CREDENTIALS,adminPassword);
    env.put(Context.SECURITY_PROTOCOL,"ssl");
    String ldapURL = "ldaps://mydc.speedrock.com:636";
    env.put(Context.PROVIDER_URL,ldapURL);
    DirContext ctx = new InitialLdapContext(env,null);
    I use this code in my web application, running on a Tomcat 5.5 server...
    Steps:
    1. Started my Tomcat server.
    2. Attempted to change an Active Directory user password.
    At this time I have not imported the AD server certificate into the cacerts file.
    In this situation it throws an exception.
    3. Now I import the valid certificate into the cacerts file using the keytool command:
    keytool -import -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt -file <java_home>/jre/lib/security/ca.cer;
    When I run this command from the console, the certificate is imported successfully.
    4. Now I attempt to change the password again.
    In this situation it gives the same exception as before.
    But when I restart the Tomcat server and attempt to change the password, it works fine.
    The same thing happens when deleting the certificate.
    Steps:
    1. Start the Tomcat server.
    2. Import the valid certificate using the keytool command:
    keytool -import -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt -file <java_home>/jre/lib/security/ca.cer;
    3. Try to change the password... works fine.
    4. Delete the certificate using the keytool command:
    keytool -delete -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit
    When I run this command, the certificate is deleted from the cacerts file.
    For confirmation, I run this command once again... it gives an "alias does not exist" message.
    5. Now I attempt to change the password again without restarting the Tomcat server.
    Instead of throwing an exception like "simple bind failed", the password is updated on the server for the user.
    6. But when I restart the Tomcat server, it gives an exception like "simple bind failed" when I try to change the password.
    My goal is, without restarting the server, to change the password successfully when I import the certificate, and to get an exception when I delete the certificate from the cacerts file.
    Please give me some help...
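
Both posts in this thread are consistent with the JVM building its default SSLContext once, from the javax.net.ssl.* system properties and the store files as they are at first use, and then caching it. The following is an added example, not code from either poster: it builds an SSLContext explicitly from store files each time it is called, and shows on a temporary copy of the JRE's cacerts that a change to the file is picked up without a restart. The class and method names are hypothetical, the store password "changeit" is the one used in the posts, and Java 9 or later is assumed.

```java
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name). Requires Java 9+ for KeyStore.getInstance(File, char[]).
public final class ExplicitTlsContext {

    /** Reads a store from disk at call time; the store type (JKS or PKCS12) is auto-detected. */
    static KeyStore load(Path file, char[] password) throws Exception {
        return KeyStore.getInstance(file.toFile(), password);
    }

    /** Trust managers backed by the file's contents as they are right now. */
    static TrustManager[] trustManagers(Path trustStore, char[] password) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, password));
        return tmf.getTrustManagers();
    }

    /**
     * Builds a fresh SSLContext without any -Djavax.net.ssl.* options.
     * keyStore may be null when the server does not demand a client certificate;
     * with setNeedClientAuth(true) on the server it must hold the client's key pair.
     */
    static SSLContext build(Path keyStore, char[] keyPass,
                            Path trustStore, char[] trustPass) throws Exception {
        KeyManager[] keyManagers = null;
        if (keyStore != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyStore, keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustManagers(trustStore, trustPass), null);
        return ctx;
    }

    /** Number of CA certificates a context built from this file would accept as issuers. */
    static int trustedIssuerCount(Path trustStore, char[] password) throws Exception {
        for (TrustManager tm : trustManagers(trustStore, password)) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();
        // Work on a temporary copy so the JRE's real trust store is never modified.
        Path jreStore = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        Path copy = Files.createTempFile("cacerts-copy", ".ks");
        try {
            Files.copy(jreStore, copy, StandardCopyOption.REPLACE_EXISTING);
            int before = trustedIssuerCount(copy, pass);

            // Equivalent of "keytool -delete -alias ..." on the copy, in the same JVM.
            KeyStore ks = load(copy, pass);
            String removed = ks.aliases().nextElement();
            ks.deleteEntry(removed);
            try (OutputStream out = Files.newOutputStream(copy)) {
                ks.store(out, pass);
            }

            // A context built after the change reflects it; no restart involved.
            int after = trustedIssuerCount(copy, pass);
            SSLContext ctx = build(null, null, copy, pass);
            System.out.println("removed alias: " + removed);
            System.out.println("trusted issuers before=" + before + " after=" + after);
            System.out.println("context protocol: " + ctx.getProtocol());
        } finally {
            Files.deleteIfExists(copy);
        }
    }
}
```

For the JNDI LDAPS case in the second post, the LDAP provider accepts the class name of a custom socket factory through the java.naming.ldap.factory.socket environment property, which is where a context built this way would be plugged in.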

  • ISE 1.3 - internal CA for EAP client

    Hi Experts,
    Could you please give me the right way and steps to configure the ISE 1.3 built-in CA for EAP client auth? I'm trying to complete my dual-SSID procedure. My configuration may have some missing config in the Certificate section. That means the client cannot get through device enrollment & provisioning, but auth and authorise are fine.
    It's hard to configure 100% correctly without a detailed guide. I know that a fundamental setup must comprise a subordinate CA, OCSP and endpoint RA, and I cannot figure out those steps myself.
    The steps or a complete document are welcome. The official document does not help me get through.
    Thank you in advance,
    Nipat CCIE#29422

    I would like to see something similar if anyone has anything with a little more detail than what the Admin Guide has.

  • Lync 2013 I have a strange problem concerning group call pickup in lync 2013.the pickup calls on snom 710 having only a second delay, but in lync client it having about 5-7 second Anybody out there having similar problems with call pickup Groups?

    Hi
    I have a strange problem concerning group call pickup in Lync 2013. The pickup calls on the snom 710 have only a second's delay, but in the Lync client it takes about 5-7 seconds.
    Anybody out there having similar problems with call pickup groups?

    Hi,
    Did you meet any other call delay when using Lync?
    As the issue happens in the Lync desktop client, it can be a performance issue. Please check if there is any error message from the FE Server when the issue happens.
    Also please check if you have updated Lync Server to the latest version; if not, update it and then test again.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
    Computer using Data over wireless are working over PEAP done by ACS and CA signed certificate + user secret on PC is linked to the domain account and secret stay the login and password. Our problem is that user and password is linked via ACS to Active Directory. The policy of password is to change frequently.
    For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
    I confront PEAP and Eap-TLS for now:
    1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
    2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
    so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
    If I understood well I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS ?
    I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
    I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
    can you help me to know if I understood everything good ? I would be please to exchange experience on that
    thanks ;)
    bye

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Long delay for authentication dialog 10.6.x to Windows 2008 SBS

    I am encountering a very long delay (30-45 seconds) for the authentication dialog when connecting from Mac OS X 10.6.2 clients to a Windows 2008 Small Business Server.
    We are connecting using the "Connect to Server" dialog, using smb://<server host name> and smb://<server IP address> as the URIs. Once the authentication dialog eventually comes up the users can log in successfully and access the shares on the server normally and at normal speed.
    I see this entry show up in the system.log when a smb connection is started:
    /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent ### * process ### exceeded 500 log message per second limit - remaining messages this second discarded *
    I would like to see the NetAuthAgent log that is referred to in the error but I haven't been able to determine where this log resides or if I need to set NetAuthAgent or the smb client into a debug mode to capture logging.
    I have tried many of the usual fixes on the server side when it comes to Mac compatibility including:
    •Disabled SMB signing
    •Setting these registry values to 0:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature
    This was asked last October with no resolution:
    http://discussions.apple.com/thread.jspa?messageID=9804807
    If anyone has encountered this issue and discovered a solution please help. Thanks in advance!

    I'm having an issue with 10.6.x lately and Windows 2003.
    Random disconnects and the same log errors about the message limit.
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 received event(s) VQ_DEAD (32)
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 type 'smbfs', mounted on '/Volumes/VideoSAN', from '//ACC;Phillip.Roncoroni@acc-office/VideoSAN', dead
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 type 'smbfs', mounted on '/Volumes/ACC_docs', from '//ACC;Phillip.Roncoroni@acc-office/ACC_docs', dead
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 type 'smbfs', mounted on '/Volumes/Drop Box', from '//ACC;Phillip.Roncoroni@acc-office/Drop%20Box', dead
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 found 3 filesystem(s) with problem(s)
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 received event(s) VQ_DEAD (32)
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 type 'smbfs', mounted on '/Volumes/Photos', from '//ACC;Phillip.Roncoroni@acc-office/Photos', dead
    Feb 24 11:20:02 macpro-phil KernelEventAgent[73]: tid 00000000 found 1 filesystem(s) with problem(s)
    Also looking for a resolution.

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the RADIUS service in Lion Server to authenticate users of my Squid web proxy. I have followed the Squid wiki's instructions to configure the Squid server as a RADIUS client and pass authentication requests to the Lion Server RADIUS (I hope). However, I'm trying to configure and test the Lion Server RADIUS. As Lion's Server Admin GUI for RADIUS only lets you add AirPort Base Stations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to RADIUS:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion RADIUS took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and it also looks like there is some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid, in this case to authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • Authentication in Client/Server form Application

    Hi
    My client/server application is not using Oracle authentication. I have maintained a user table from which the user is authenticated, but when any user logs in to the application it uses the same Oracle username/PWD, which I have currently hardcoded in a Forms 6i (C/S type, on logon event) application.
    My client is located in a different geographical location; when I change the Oracle database password I need to compile the client application and deploy it again.
    Is there any way that I can avoid this? I don't want to give the database Un/Pwd to any client user. He only has an application username and password.
    Thanks
    Sudarshan

    Hello,
    While installing developer you can select components to
    Install, Options listed are Forms runtime and Reports runtime.
    and it will make your work done.
    Adi

  • Machine authentication over Client IPSEC tunnel

    I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the RADIUS authentication against AD credentials they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machine account in AD.
    I have been looking for a way to do this with the IPSEC client but haven't found anything as yet. Would appreciate any links that show me how to get this done. Moving to AnyConnect isn't an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
    What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
    Thanks,
    Ron

    I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
    But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
    I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

  • Browser authentication from client program

    How is it possible to authenticate a browser from a client program? For example, how does the small "mail" icon in yahoo messenger open up a browser, then authenticate it against yahoo.com and display the email Inbox? Do browsers provide some API through which this kind of authentication is possible? Any insights in this direction would be greatly appreciated.
    Thanks

    Karthikeyan,
    The error message says it all: feature is not supported.
    For your information, your question has been asked (and answered) several times previously in this forum. Did you try searching the forum archives?
    Personally, I just live with this limitation -- it's not critical for me. Have you tried the MetaLink Web site?
    Good Luck,
    Avi.

  • H-REAP Local Authentication eap-fast not working

    Hi, I'm using a central RADIUS server and have LEAP and EAP-FAST working fine, but when the WAN link fails (local authentication), new users that try to connect via LEAP get authenticated but EAP-FAST fails.
    Any ideas? I'm using WLC 5.01

    If your RADIUS is centrally located and your WAN link goes down, any authentication that needs to go back centrally will fail, unless you have local authentication. I don't know why LEAP would still work if authentication to the RADIUS server has stopped.
    However, if you are using local EAP configured on the WLC, then authentication will still fail because your WLC is centrally located.

  • Authentication using Client Certificates

    Has anyone implemented client certificate authentication where, after the user has entered her certificate id/pwd, they get direct access to the portal without getting the portal logon page again?
    I am using EP6 SP2. I get the request for client certificates, but after that I get directed to the portal form-based logon page. How do I bypass this and gain access to the portal?
    regards
    anton

    Hi Kyle,
    Here is my authscheme.xml file... I placed the CreateTicketLoginModule after the CertLoginModule but it didn't work. Have I done this correctly? By the way, I am using EP6 SP2, J2EE 6.20 pl 28.
    thanks anton
    <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="uidpwdlogon">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CreateTicketLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertPersisterLoginModule</loginModuleName>
                    <controlFlag>REQUIRED</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>21</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
            </authscheme>
            <authscheme name="certlogon">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme name="basicauthentication">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <controlFlag>REQUIRED</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
            </authscheme>
            <authscheme name="header">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options>Header=remote-user</options>
                </loginmodule>
                <priority>5</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
            </authscheme>
            <authscheme name="guest">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.AnonymousLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>1</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.anonymous</frontendtarget>
            </authscheme>
            <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
            <authscheme name="anonymous">
                <priority>-1</priority>
            </authscheme>
        </authschemes>
        <!--  References for Authentication Schemes, this section must be after authschemes -->
        <authscheme-refs>
            <authscheme-ref name="default">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
        </authscheme-refs>
        <authscheme-refs>
            <authscheme-ref name="UserAdminScheme">
                <authscheme>uidpwdlogon</authscheme>
            </authscheme-ref>
        </authscheme-refs>
    </document>
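
The control flags in the posted `uidpwdlogon` stack decide which login modules are invoked at all. The following is an added example, not part of the original post and not SAP code: it models only the login phase of the standard JAAS flag rules (SAP's implementation and the commit phase are not modelled), and the module outcomes are constructed.

```python
# Added example: login-phase evaluation of standard JAAS control flags.
# Stack copied from the "uidpwdlogon" authscheme in the post above.
UIDPWDLOGON = [
    ("CertLoginModule", "SUFFICIENT"),
    ("CreateTicketLoginModule", "SUFFICIENT"),
    ("DefaultLoginModule", "REQUISITE"),
    ("CertPersisterLoginModule", "REQUIRED"),
]
FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}


def evaluate(stack, outcomes):
    """Return (authenticated, modules_invoked) for one login attempt.

    outcomes maps module name -> True (login succeeded) or False (failed);
    modules missing from the map are treated as failed (constructed input).
    """
    invoked = []
    required_failed = False
    any_success = False
    for name, flag in stack:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag: {flag}")
        ok = bool(outcomes.get(name, False))
        invoked.append(name)
        if ok:
            # A SUFFICIENT success ends the stack immediately, unless a
            # REQUIRED/REQUISITE module has already failed.
            if flag == "SUFFICIENT" and not required_failed:
                return True, invoked
            any_success = True
        elif flag in ("REQUIRED", "REQUISITE"):
            required_failed = True
            if flag == "REQUISITE":
                break  # REQUISITE failure returns control at once
    return (not required_failed) and any_success, invoked


def scenarios():
    """Constructed outcomes run against the posted stack."""
    return {
        "valid client certificate": evaluate(UIDPWDLOGON, {"CertLoginModule": True}),
        "password only": evaluate(UIDPWDLOGON, {"DefaultLoginModule": True,
                                                "CertPersisterLoginModule": True}),
        "no credentials": evaluate(UIDPWDLOGON, {}),
    }


if __name__ == "__main__":
    for label, (ok, invoked) in scenarios().items():
        print(f"{label}: authenticated={ok}, invoked={invoked}")
```

Under these rules a successful `SUFFICIENT` module at the top of the stack ends the login phase before any later module is invoked, which is why the order of `SUFFICIENT` entries matters when reviewing a stack like this one.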

  • Delayed Web Authentication on 5500 WLC

    Hi
    I have set up a Guest WLAN on a 5508 WLC with web authentication. I noticed during tests that it takes about 2 to 3 minutes to complete the authentication process and provide access to the client machine. My WLC is running version 7.3.101.0.
    Has anyone come across a similar situation, or can anyone suggest a solution to this issue?
    Feel free to ask if you need more details.
    Thanks
    Sunil

    Well, what I would do for testing is the following:
    Remove WebAuth to see if there is an issue with connectivity on that subnet
    Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
    If you're using a custom WebAuth, try using the default internal WebAuth page to see if there is any difference
    If you're authenticating Guest using RADIUS, check the RADIUS logs for errors
    Is it all devices, or is it an issue with a few or a certain model?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Setting up authentication for client proxy in SOAMANAGER

    Hi all,
    I have a web service in a .NET system and I have created a client proxy in ABAP.
    I have created a logical port also.
    When I am testing the service I am getting a pop-up to enter username and password.
    Is there any setting for authentication in SOAMANAGER where we can specify the username and password so that the pop-up for the same is surpassed while testing?
    This can help in calling the service in the background.
    Please help, am on the end of my wits.
    Thanks & Regards.
    Yats.

    Hope the documents below help you.
    Re: Inbound Proxy as WebService
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2393
    regards
    nag
