Determining active wireless users with ACS
Is there a way to determine how many active wireless users are on the network by checking ACS? Currently our users need to re-authenticate periodically (about every 15 minutes); however, ACS shows no logged-in users. There should at least be one -- ME!
We should be looking for something like this on the AP:
aaa group server radius rad_acct
server auth-port XXXX acct-port XXXX
aaa accounting network acct_methods start-stop group rad_acct
Similar Messages
-
Automate the creation of Active Directory users with organization/address information
On one of our Domain Controllers we regularly have to create new users with fully populated organisation/address information, as they use a server-side application which appends email signatures at the end of all of their emails created from this information.
At the moment we have to fill this information out manually and it can sometimes cause inconsistencies if the information is not uniform or is typed incorrectly.
Is there any way to automate this/do it in bulk?
This is another PowerShell script that can be used:
http://www.wictorwilen.se/how-to-use-powershell-to-populate-active-directory-with-plenty-enough-users-for-sharepoint
Note that you have two ways to do that:
Create a new User account Provisioning script and include the Street update as part of it
Have a daily scheduled script that will run against your users OUs and update the Street address for user accounts having it wrong or missing
From my point of view, option 2 would be the best, as it will do a bulk update and bulk correction if required.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. -
Creating active directory users with dscl
Our Mac workstations (OS X 10.8) are bound to a 2008 Active Directory server. We are attempting to use some existing dscl scripts on the Mac client computer to create Active Directory users. We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error. Here are some examples.
SUCCESSFUL READ OF AD USER ATTRIBUTE:
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
Password:
SMBHomeDrive: H:
root#
SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
Password:
root#
FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
Password:
<main> attribute status: eDSInvalidRecordType
<dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
root#
The same error occurs when attempting to create a new user. Any ideas? Thanks in advance for any suggestions.
In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
The command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username> -
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is that when I try to authenticate I get this error:
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the aaa server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working ?
Here is my running configuration:
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before, but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead, there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts! -
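Added example, written for this page and not taken from either poster: a small Python lint for the two kinds of AAA wiring mistake the threads above describe, an accounting server group that contains no server line (the first thread) and an SSID that calls an EAP list which was never defined with aaa authentication login (the PEAP thread). The sample config is a constructed, trimmed copy of the one posted here; the set of dot11 ssid sub-commands it recognises is partial, and it only follows "group" references, both assumptions of this example.

```python
import re

# Constructed sample, not the poster's full config: a trimmed copy of the
# autonomous-AP config from the PEAP thread, with the accounting group left
# without a server as in the first thread's question.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
interface Dot11Radio0
ssid test
"""

# Sub-commands that can follow 'dot11 ssid' (partial list, enough for this check).
SSID_SUBCOMMANDS = ("authentication ", "accounting ", "guest-mode", "vlan ", "mbssid")


def parse_config(text):
    """Collect AAA server groups, method lists and SSID blocks in one pass. Blocks are
    tracked by keyword, not indentation, because pasted 'show run' output loses it."""
    groups, auth_lists, acct_lists, ssids = {}, {}, {}, {}
    current_group = current_ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line)
        if m:
            current_group, current_ssid = m.group(1), None
            groups[current_group] = []
            continue
        if current_group and line.startswith("server "):
            groups[current_group].append(line.split()[1])   # server address
            continue
        current_group = None                                  # any other line ends the group
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            auth_lists[m.group(1)] = m.group(2).split()       # e.g. ['group', 'rad_eap']
            continue
        m = re.match(r"aaa accounting network (\S+) (?:start-stop|stop-only|none)\s*(.*)", line)
        if m:
            acct_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current_ssid = m.group(1)
            ssids[current_ssid] = {"auth": [], "acct": []}
            continue
        if current_ssid and line.startswith(SSID_SUBCOMMANDS):
            m = re.match(r"authentication (?:open eap|network-eap) (\S+)", line)
            if m:
                ssids[current_ssid]["auth"].append(m.group(1))
            elif line.startswith("accounting "):
                ssids[current_ssid]["acct"].append(line.split()[1])
            continue
        current_ssid = None                                   # left the ssid block
    return groups, auth_lists, acct_lists, ssids


def lint(text):
    """Return findings as strings; an empty list means the AAA wiring is consistent."""
    groups, auth_lists, acct_lists, ssids = parse_config(text)
    findings = []

    def check_group_refs(kind, name, methods):
        # A method list that says 'group X' needs X to exist and to hold a server.
        for i, word in enumerate(methods):
            if word == "group":
                grp = methods[i + 1] if i + 1 < len(methods) else None
                if grp not in groups:
                    findings.append(f"{kind} list '{name}' references undefined group '{grp}'")
                elif not groups[grp]:
                    findings.append(f"{kind} list '{name}' uses group '{grp}', which has no servers")

    for name, methods in auth_lists.items():
        check_group_refs("authentication", name, methods)
    for name, methods in acct_lists.items():
        check_group_refs("accounting", name, methods)

    applied_acct = set()
    for ssid, cfg in ssids.items():
        for lst in cfg["auth"]:
            if lst not in auth_lists:
                findings.append(f"ssid '{ssid}' calls EAP list '{lst}', which is not defined "
                                f"(defined: {', '.join(sorted(auth_lists)) or 'none'})")
        applied_acct.update(cfg["acct"])
    for name in acct_lists:
        if name not in applied_acct:
            findings.append(f"accounting list '{name}' is not applied under any ssid, so no "
                            "start/stop records are ever sent to the RADIUS server")
    return findings
```

Calling lint(SAMPLE_CONFIG) returns three findings: rad_acct has no servers, eap_list is not defined, and acct_methods is never applied with "accounting acct_methods" under the SSID. That last one is the check for the first thread, since ACS only learns about sessions from the accounting Start/Stop records the AP sends. Also note that "key 7" in the posted radius-server host line is Cisco's reversible type 7 obfuscation, not encryption, so the RADIUS shared secret is recoverable from any pasted config.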
I need to authenticate my clients connecting via wireless.
Clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
Can someone please help me with the steps?
Thanks
Two primary steps:
- define the trust certificates needed to verify the clients' user certificates
Users and Identity Stores > Certificate Authorities
- change the result of the identity policy to select a certificate authorization profile. If you have the default config:
Access Policies > Access Services > Default Network Access > Identity
by default you can select "CN Username" as the result -
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
We have added the root CA (internal) certificate and a certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I believe we also need to install both the root CA and identity certificate on the laptops, but I am not sure how to manually download the certificates for the client machine from the CA.
Kindly suggest how to get certificates for clients, both manually and automatically.
Thanks,
Vijay
Hi Vijay,
For wired 802.1x (EAP-TLS) you need to have the following certificates:
On ACS: Root CA, Intermediate CA, Server Certificate
On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
I am not sure which third-party certificate server you are using. If it is an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
In the case of Microsoft, there will be a template for user certificates. You can select it and create the user certificate.
This is an old document, but it has the steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it is a Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate
Cheers
Minakshi(rate the helpful post) -
Restriction SSID Per User with ACS 5.x version
Hi
I would like to ask a question on WLAN technology; I am using WiSM version 2. I have a requirement that users must be restricted by SSID, and I found that this can be done on ACS version 4.x via NAR with the SSID-based authentication feature. Is it possible to do this restriction on ACS version 5.x?
Please give me the idea or help
Thanks
There is a guide on how to achieve this with ACS 4.2:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
(you probably know that one)
This is also working with ACS5.x, maybe this can help you:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html#wp1074194
Be careful when configuring a DNIS in ACS5, maybe you are hitting CSCtk16271 (but there is an easy workaround, so this will definitely work!)
Regards
Stefan -
EAP-TLS on ACS v4 for wireless users
Hi,
I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I am stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, to Generate Self-Signed Certificate. I generated a certificate, uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
Kindly advise what the appropriate and easiest way to accomplish the task is; if you could provide me with helpful documents I'll appreciate it.
Regards,
Belal
I am currently using EAP-TLS authentication for my wireless users with ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate Server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means the server certificate is not properly set up.
On the Windows XP clients, connect your machine using the wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS. -
WPA2 enterprise, Can not authenticate with ACS
Hi, I am setting up WPA2 Enterprise for wireless users with PEAP authentication, but cannot get the authentication server to authenticate them, and the failure reason is the generic "EAP-TLS or PEAP authentication failed during SSL handshake".
The AP I am using is a 1240AG running 12.3(8)JA, and the RADIUS server is ACS 4.0. I don't have any problem getting dot1x with PEAP authentication working for wired access, and I have almost identical client-side configuration for wired and wireless users.
From ACS's point of view, it should not be aware of any difference between wired and wireless users, but the ACS log shows otherwise:
1) The AP is connected to a Cat4k switch. I suppose the AP should be the authenticator for wireless users, but the ACS "failed attempts" log for the attempted wireless user shows that the NAS IP is the Cat4k instead of the AP. Why?
2) I am using the same laptop for both wireless and wired testing. The ACS "failed attempts" log shows that for the wired user it correctly interpreted the cached domain\login name, but for the failed wireless user the user-name field is totally different, yet debug on the AP clearly shows that the correct domain\login has been received by the AP.
Debug output on the AP is attached; hope the experts here can quickly identify the problem.
Got it working by adding the RADIUS server configuration under the GUI-generated configuration:
aaa group server radius your-AAA-group-name
server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646 -
Setting disk quota on Mac server for Active Directory users
I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
I also understand there's a setquota command but there's no man page on how that works.
Has anyone got disk quota for AD users working.
Better still has someone got a shell or perl script for setting quotas they could post.
Thanks
- Cameron
Sorry.. I am soooooo stupid... I have to activate "File Sharing" as well. For the user everything was already pre-activated, but not for the AD users; I just saw the Time Machine checkbox grayed out ...
-
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi, I have an ACS and an Open-LDAP server running on my company network.
Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
Then I moved on to the external entity (LDAP server). I set up the LDAP configuration and identity sequence, and also selected it on the access service, but when I tried to authenticate from my computer an error occurred. I received the following error:
22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router to become an AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
Any suggestion?
Thanks
This is the log when using Windows 7 as the authentication client (failed):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work? -
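Added example, not part of the thread: a Python pass over the two ACS step lists quoted above that pulls out what the poster worked out by eye, the final RADIUS result, the inner method Windows negotiated, which identity store was skipped with step 22043 and which store was actually searched. The step excerpts are constructed from the post (trimmed to the relevant lines). The explanation the code attaches to 22043 is the documented ACS 5.x behaviour that an LDAP identity store verifies credentials by binding with a cleartext password, so it can serve PAP or EAP-GTC but cannot answer an MSCHAP challenge-response.

```python
import re

# Constructed samples: the two ACS 5.x step lists quoted in the post above, trimmed to
# the steps that matter. First the Windows 7 client (PEAP with EAP-MSCHAP inside,
# rejected), then the Cisco 1841 router (no EAP, checked against LDAP, accepted).
WINDOWS_STEPS = """\
11001 Received RADIUS Access-Request
15012 Selected Access Service - Default Network Access
12313 PEAP inner method started
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22056 Subject not found in the applicable identity store(s).
11815 Inner EAP-MSCHAP authentication failed
11003 Returned RADIUS Access-Reject
"""

ROUTER_STEPS = """\
11001 Received RADIUS Access-Request
15012 Selected Access Service - Default Network Access
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
RESULTS = {"11002": "Access-Accept", "11003": "Access-Reject"}


def parse_steps(text):
    """Return [(code, message)] for each numbered step; 'Evaluating ...' headers are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def analyze(text):
    """Summarize one ACS authentication: result, inner EAP method, identity stores
    consulted, which of them were skipped, and a diagnosis for the failure steps."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    report = {"result": None, "inner_method": None, "stores": [], "skipped": [], "diagnosis": []}
    for code, msg in steps:
        if code in RESULTS:
            report["result"] = RESULTS[code]
        m = re.search(r"accepting (\S+) as negotiated", msg)
        if m and "inner method" in msg:                   # the method inside the PEAP tunnel
            report["inner_method"] = m.group(1)
        if code == "15013":                               # identity policy picked a store
            report["stores"].append(msg.split("-", 1)[1].strip() or "<unnamed>")
        elif code == "22043":                             # ...and ACS could not use it
            report["skipped"].append(report["stores"][-1] if report["stores"] else "?")
        elif code == "24210":                             # fell through to the internal store
            report["stores"].append("Internal Users")
    searched = [s for s in report["stores"] if s not in report["skipped"]]
    if "22043" in codes:
        report["diagnosis"].append(
            f"22043: store {report['skipped'][-1]} was skipped because it cannot service "
            f"{report['inner_method'] or 'the negotiated method'}; an LDAP store verifies a "
            "cleartext password by binding, so it answers PAP/EAP-GTC but not an MSCHAP "
            "challenge-response")
    if "22056" in codes:
        report["diagnosis"].append(
            f"22056: subject not found in the store(s) actually searched: "
            f"{', '.join(searched) or 'none'}")
    return report
```

analyze(WINDOWS_STEPS) reports Access-Reject with inner method EAP-MSCHAP, the LDAP store (unnamed in the log) skipped, and Internal Users as the only store searched; analyze(ROUTER_STEPS) reports Access-Accept against LDAPyyyy with no inner EAP method and an empty diagnosis, which is exactly the PEAP-MSCHAPv2 versus PAP difference the poster noticed.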
Cannot log into DTR with Active Directory User
Greetings,
I have set up and installed JDI correctly. I can log into /devinf, the cbs, cms and sld systems with no problem using both Administrator and my JDI.Administrator that I assigned to an Active Directory user. I can log into the DTR using a user from the database (i.e. Administrator), however, when trying to access the DTR with an Active Directory user, I get the following message:
500 Internal Server Error
SAP J2EE Engine/6.40
Application error occurred during the request procession.
Details: Error [javax.servlet.ServletException: Group found, but unique name "businessUnit.all.guests" is not unique!], with root cause [com.tssap.dtr.server.deltav.InternalServerException: Group found, but unique name "businessUnit.all.guests" is not unique!]. The ID of this error is
Exception id: [0012798F81680042000000090000165C0003FE9AA3C0B86B].
This group exists in multiple domains; however, this has not caused us any issues to date with our portal and other pieces of SAP WAS. It's only this DTR error.
Any help is greatly appreciated.
Thanks,
Marty
Hi Marty,
In the document available at the link enclosed below, there is a part that explains how to configure DTR so that it always uses "Unique-IDs".
http://help.sap.com/saphelp_nw04/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm
It is mentioned that this is valid for LDAP, but the information is applicable for Active Directory as well.
Regards,
Manohar -
Issue with Active Directory User Target Recon
Hi ,
I am facing an issue with Active Directory User Target Recon
My environment is OIM 11g R2 with BP03 patch applied
AD Connector is activedirectory-11.1.1.5 with bundle patch 14190610 applied
In my target there are around 28000 users, of which 14000 have an AD account (including Provisioned, Revoked and Disabled accounts).
When I run Active Directory User Target Recon I am not putting any filter; I cleared the batch start and batch size parameters and ran the recon job. The job ran successfully but it stopped after processing around 3000 users only.
I retried the job two or three times, but every time it stops after processing some users and does not process all the users.
I checked the oimdiagnostic log file and Connector Server logs and cannot see any errors in them.
I checked the user profiles of the processed users and can see the AD account provisioned for them.
My query is why this job is not processing all the users. Please point out if I am missing something.
Thanks in advance
Check the connector server load when you are running the recon. Last time I checked the connector, the way it was written is that it loads all the users from AD into the connector server memory and then sends them to OIM. So if the number was huge, then the connector server errored out and did not send data to OIM. We then did recon based on OUs to load/link all the users into OIM. Check the connector server system logs and check for memory usage etc.
-Bikash -
New iPod touch user here. We had a wireless connection with a password all set up, but we couldn't remember the password; meanwhile there are other connections around us, but they are locked. So I decided to make a new one, yet it still will not allow me to go on Safari after I type in the password. PLEASE HELP, I've turned it on and off etc.
My guess is that the security settings on your router and iPod do not match.
For a test, change your router so there is no security. See if you can connect and get to the Internet. If that works, set up the router with security and use the same settings for the iPod. -
Wireless users not visible in PRSM with CDA integration
I have an ASA 5515-X v9.1 with CX module v9.1.3 and CDA integrated into the AD domain. I can see the user-to-IP mappings for domain Windows users, like desktops and laptops. I cannot see the user-to-IP mappings for the wireless users. I see their IP addresses but the usernames don't come in. I have PRSM configured to use CDA. Do I need to also add the WLC somehow to the CDA setup?
Hi, Try one of the following:
1. Provision the native users with viewer role for BI+, if not done already
2. For the folder containing the reports, have these users been provisioned? Are you able to view the users with provisioning access to the folder?
3. Do not put any filter for users and "begins with" combination, to display all possible users
Let me know if that works!