LDAP Multi Domain (organization) auth

Hello everybody,
Actually, I have the following working configuration:
LDAP server (SUN DS) with the following schema for users:
ou=People,o=aOrgName,ou=People,dc=...
I have multiple organizations sharing the same servers; it's working fine, but each user needs to be unique "cross organization wide".
I mean, I can't have a user named userA in ou=People,o=orgA,... and another user named userA in ou=People,o=orgB...
No problem with uid (I mean uidNumber in LDAP and the Unix user id): I can make them unique across organizations.
But for the user name it's a bit tricky, because I can't make it unique. (Until now I can, but soon it will be hard, and users don't want to have userA2 as a username.)
So, I thought of the following solutions:
- Configuring the Solaris LDAP client in such a way that it will append the orgName to the username (like userA-orgA). This would be the cleanest solution, but I really don't think it's possible without a rewrite of the LDAP client layer of Solaris.
- Having the LDAP server automatically create a fqun (fully qualified user name) of the form userA-orgA and having Solaris use this in place of uid. But I don't know if we can create entries based on other entries, like we can in a SQL db.
- Manually adding a fqun field.
For the last two, I really don't know how to configure the Solaris 10 LDAP client to use fqun in place of uid. I'm sure it is possible somehow using SSD, but after reading the documentation, I'm not sure how.
Finally, no, I can't change the uid to user-orgname because the uid is used by many other services, like email, web applications... And in those applications you add @orgName after your username to do the trick.
Any ideas or experiences are really appreciated.
Regards
Kuon
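One way to see the collision the question describes before it bites, as an added example (not code from the original post, from Sun DS or from Solaris): a script that reads an LDIF export of the ou=People,o=<org> subtrees, flags login names that exist in more than one organization, flags uidNumber values shared between entries, and derives the proposed userA-orgA form. The LDIF, the dc=example,dc=com suffix and the organization names are constructed sample data.

```python
"""Cross-organization uid collision check for a directory shared by several o=<org> subtrees."""
import re
from collections import defaultdict

# Constructed sample export: two organizations under one suffix. userA exists in
# both orgA and orgB, and userB (orgA) and userC (orgB) share uidNumber 10002.
SAMPLE_LDIF = """\
dn: uid=userA,ou=People,o=orgA,dc=example,dc=com
uid: userA
uidNumber: 10001

dn: uid=userB,ou=People,o=orgA,dc=example,dc=com
uid: userB
uidNumber: 10002

dn: uid=userA,ou=People,o=orgB,dc=example,dc=com
uid: userA
uidNumber: 20001

dn: uid=userC,ou=People,o=orgB,dc=example,dc=com
uid: userC
uidNumber: 10002
"""

# First o= RDN in a DN (",ou=" does not match because "ou" is not "o").
ORG_RE = re.compile(r"(?:^|,)o=([^,]+)", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lowercased,
    single-valued attributes only (enough for uid / uidNumber / dn)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def org_of(dn):
    """Organization name from the first o= RDN of the DN, or None."""
    m = ORG_RE.search(dn)
    return m.group(1) if m else None


def fqun(entry):
    """Fully qualified user name in the form the post proposes: uid-org."""
    return f"{entry['uid']}-{org_of(entry['dn'])}"


def find_collisions(entries):
    """Return (uid_collisions, uidnumber_collisions).

    uid_collisions: {login name: [orgs]} for names present in more than one
    organization, i.e. names a passwd lookup by name cannot resolve unambiguously.
    uidnumber_collisions: {uidNumber: [dns]} for numeric ids shared by different
    entries, which would let two accounts own each other's files.
    """
    by_uid, by_num = defaultdict(set), defaultdict(set)
    for e in entries:
        by_uid[e["uid"]].add(org_of(e["dn"]))
        by_num[e["uidnumber"]].add(e["dn"])
    uid_coll = {u: sorted(orgs) for u, orgs in by_uid.items() if len(orgs) > 1}
    num_coll = {n: sorted(dns) for n, dns in by_num.items() if len(dns) > 1}
    return uid_coll, num_coll


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    uids, nums = find_collisions(entries)
    for uid, orgs in uids.items():
        names = [fqun(e) for e in entries if e["uid"] == uid]
        print(f"login name {uid!r} exists in organizations {orgs}; qualified names: {names}")
    for num, dns in nums.items():
        print(f"uidNumber {num} is shared by {dns}")
```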


Similar Messages

  • Zimbra Multi Domain SMTP auth/relay problem

    I have a query in setting up a multi-domain Zimbra 8.6 OSE on Ubuntu 14.04. I have successfully set up Domain1 with Zimbra and added virtual host Domain2. Mails to each of them are routing to each other and sending from the server to outside is also working. However, I need both domains to send emails using their respective ISP, so domain1 would use ISP1 and domain2 ISP2. In my previous implementation, I have successfully used "zimbraMtaRelayHost" for a single domain. Searching more, I have tried the "Relay per Domain" using "sender_dependent_relayhost_maps." I am, however, still unable to send mail using Zimbra. I have, upon instinct, put in the port after the IP address of the ISPs in /opt/zimbra/postfix/conf/bysender so it looks like the one below (based on the wiki):
    @domain1.com [10.10.10.1]:587
    @domain2.com [20.20.20.1]:587
    Zimbra now...
    This topic first appeared in the Spiceworks Community


  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize their access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that by itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation, as there is a separation into two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I say this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded with such a configuration? If yes, I would love to get some help in doing so.
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier
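    As an added example (not from the original thread or from Cisco), a script that parses the show authentication sessions table and the interface configuration from the question and reports, per port, the authorized DATA/VOICE session counts, the configured host-mode, and whether more than one DATA host is present, which is the situation the reply describes as an unmanaged switch downstream. The sample table and configuration are constructed copies of the ones above, and the host-mode limits encoded are the IOS semantics the thread relies on.

```python
"""Audit 802.1X ports: authorized DATA hosts per port versus the configured host-mode."""
import re
from collections import Counter

# Constructed copy of the multi-auth 'show authentication sessions' table from the
# question (the trailing "(user1)" annotations are kept to show they are tolerated).
SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
"""

# Constructed copy of the relevant interface configuration from the question.
RUNNING_CONFIG = """\
interface FastEthernet0/23
 description Connection to DUMBswitch
 switchport mode access
 switchport voice vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation replace
"""

# Maximum simultaneously authorized DATA-domain hosts per host-mode (IOS semantics;
# None = no limit). multi-host is absent and so treated as no limit: only its first
# host authenticates and the others piggyback without a session of their own.
DATA_LIMIT = {"single-host": 1, "multi-domain": 1, "multi-auth": None}

IFNAME_RE = re.compile(r"^interface\s+(\S+)", re.MULTILINE)
HOSTMODE_RE = re.compile(r"^\s*authentication host-mode\s+(\S+)", re.MULTILINE)


def short_ifname(name):
    """'FastEthernet0/23' -> 'Fa0/23', the abbreviation used in the session table."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\S+)$", name)
    return m.group(1) + m.group(2) if m else name


def parse_sessions(text):
    """Rows of (interface, mac, domain, status) from the table; the header is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        iface, mac, _method, domain = parts[:4]
        rows.append((iface, mac, domain, " ".join(parts[4:6])))  # e.g. 'Authz Success'
    return rows


def parse_host_modes(config):
    """Map short interface name -> configured host-mode (IOS default: single-host)."""
    modes = {}
    for block in re.split(r"(?m)^(?=interface\s)", config):
        name = IFNAME_RE.search(block)
        if name:
            mode = HOSTMODE_RE.search(block)
            modes[short_ifname(name.group(1))] = mode.group(1) if mode else "single-host"
    return modes


def check_ports(sessions, config):
    """Per interface: authorized DATA/VOICE counts, host-mode, and whether the DATA
    count exceeds what that host-mode admits (a sign the table and the configuration
    were not taken from the same switch state)."""
    modes = parse_host_modes(config)
    counts = {}
    for iface, _mac, domain, status in sessions:
        if status == "Authz Success":
            counts.setdefault(iface, Counter())[domain] += 1
    report = {}
    for iface, c in counts.items():
        mode = modes.get(iface, "single-host")
        limit = DATA_LIMIT.get(mode)
        report[iface] = {
            "data": c["DATA"],
            "voice": c["VOICE"],
            "host_mode": mode,
            "exceeds_mode": limit is not None and c["DATA"] > limit,
        }
    return report


def multi_host_ports(report):
    """Ports carrying more than one authorized DATA host: a hub or unmanaged switch
    sits downstream, the weak point the reply describes."""
    return sorted(i for i, r in report.items() if r["data"] > 1)


if __name__ == "__main__":
    rep = check_ports(parse_sessions(SESSIONS), RUNNING_CONFIG)
    for iface, r in rep.items():
        print(iface, r)
    print("ports with several DATA hosts:", multi_host_ports(rep))
```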

  • Multi-Domain LDAP UME configuration

    Hello
    We have EP 7.0 installed and want to connect the UME to our Corporate
    LDAP (MSADS) as data source.
    Our ADS is as follows:
    domain.pt – This is our top level domain. Here we have our main users.
    Gs.domain.pt – This is a child domain of ren.pt. Here are some special
    users that cannot be moved to domain.pt level (because of this we have to
    use multi-domain configuration).
    According to some documents (Step 2 of Note 762419 - Multi-Domain Logon
    Using Microsoft Active Directory) this configuration has to be done
    according to a Multiple-Domain UME LDAP Configuration.
    Following is my configuration of LDAP access:
    I have set the “UME LDAP Data” in Config Tool to point to
    the “dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml” configuration file that has been previously changed by me following previous documents. The xml is at the end of the message.
    Also in the “UME LDAP Data” (Directory Server) I have defined the following settings:
    Server Name: dc01.domain.pt (This is the DC of domain.pt)
    Server port: 389
    User: j2ee-pp3 @domain.pt
    Pass: ******* (ok on all configuration tests and authentication)
    SSL: NO.
    User Path: DC=domain,DC=pt
    Group Path: DC=domain,DC=pt
    Checked the “Flat User Group Hierarchy”.
    Checked the “Use UME Unique id with unique LDAP Attribute”.
    At u201CAdditional LDAP Propertiesu201D I have set the properties of
    ume.ldap.unique_user_attribute(global) and
    ume.ldap.unique_uacc_attribute(global) to userprincipalname. This was
    done according to the Multi-Domain configuration.
    Also ume.ldap.access.multidomain.enabled=true was set in the property
    sheet of the UME service. After this all checks are ok, including in
    User Administration in Portal.
    Conclusion: We have no problem with SSO and search capabilities
    at “domain.pt” level. All users of this domain are able to access the
    portal with SSO.
    Nevertheless no user from “gs.domain.pt” is able to log on. Additionally,
    using User Administration in Portal with option “All Data Sources”
    returns no results when searching for users from this child domain. It
    seems that the configuration file does not recognize gs.domain.pt.
    Is it possible that our xml file is incorrectly adapted? Is there any
    missing or wrong configuration for multi-domain LDAP access? Please
    advise.
    Thanks in advance
    dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- $Id: //shared_tc/com.sapall.security/630_SP_COR/src/_deploy/dist/configuration/shared/dataSourceConfiguration_ads_readonly_db_with_krb5_multipledomain.xml#6 $ from $DateTime: 2004/08/20 09:55:24 $ ($Change: 17140 $) -->
    <!DOCTYPE dataSources SYSTEM  "dataSourceConfiguration.dtd">
    <dataSources>
        <dataSource id="PRIVATE_DATASOURCE"
                    className="com.sap.security.core.persistence.datasource.imp.DataBasePersistence"
                    isReadonly="false"
                    isPrimary="true">
            <homeFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </homeFor>
            <notHomeFor/>
            <responsibleFor>
                <principals>
                     <principal type="group"/>
                     <principal type="user"/>
                     <principal type="account"/>
                    <principal type="team"/>
                    <principal type="ROOT" />
                    <principal type="OOOO" />
                </principals>
            </responsibleFor>
            <privateSection>
            </privateSection>
        </dataSource>
         <dataSource id="CORP_LDAP"
                   className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
                   isReadonly="true"
                   isPrimary="true">
              <homeFor/>
              <responsibleFor>
                        <principal type="account">
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="j_user"/>
                                            <attribute name="j_password"/>
                                            <attribute name="userid"/>
                                            <attribute name="logonalias"/>
                                       </attributes>
                                  </nameSpace>
                        </principal>
                        <principal type="user">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="firstname" populateInitially="true"/>
                                            <attribute name="displayname" populateInitially="true"/>
                                            <attribute name="lastname" populateInitially="true"/>
                                            <attribute name="fax"/>
                                            <attribute name="email" populateInitially="true"/>
                                            <attribute name="email"/>
                                            <attribute name="title"/>
                                            <attribute name="department"/>
                                            <attribute name="description"/>
                                            <attribute name="mobile"/>
                                            <attribute name="telephone"/>
                                            <attribute name="streetaddress"/>
                                            <attribute name="uniquename" populateInitially="true"/>
                                            <attribute name="krb5principalname"/>
                                            <attribute name="kpnprefix"/>
                                            <attribute name="dn"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                            <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="$usermapping$">
                                          <attributes>
                                               <attribute name="REFERENCE_SYSTEM_USER"/>
                                          </attributes>
                                     </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="group">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                             <attribute name="displayname" populateInitially="true"/>
                                             <attribute name="description" populateInitially="true"/>
                                             <attribute name="uniquename"/>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE"/>
                                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE"/>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.bridge">
                                       <attributes>
                                            <attribute name="dn"/>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
              </responsibleFor>
              <attributeMapping>
                   <principals>
                        <principal type="account">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="domain_j_user">
                                                 <physicalAttribute name="samaccountname"/>
                                            </attribute>
                                             <attribute name="j_user">
                                                  <physicalAttribute name="userprincipalname"/>
                                             </attribute>
                                            <attribute name="logonalias">
                                                 <physicalAttribute name="userprincipalname"/>
                                            </attribute>
                                            <attribute name="j_password">
                                                 <physicalAttribute name="unicodepwd"/>
                                            </attribute>
                                            <attribute name="userid">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="user">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                            <attribute name="firstname">
                                                 <physicalAttribute name="givenname"/>
                                            </attribute>
                                            <attribute name="displayname">
                                                 <physicalAttribute name="displayname"/>
                                            </attribute>
                                            <attribute name="lastname">
                                                 <physicalAttribute name="sn"/>
                                            </attribute>
                                            <attribute name="fax">
                                                 <physicalAttribute name="facsimiletelephonenumber"/>
                                            </attribute>
                                            <attribute name="uniquename">
                                                 <physicalAttribute name="userprincipalname"/>
                                            </attribute>
                                            <attribute name="loginid">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                            <attribute name="email">
                                                 <physicalAttribute name="mail"/>
                                            </attribute>
                                            <attribute name="mobile">
                                                 <physicalAttribute name="mobile"/>
                                            </attribute>
                                            <attribute name="telephone">
                                                 <physicalAttribute name="telephonenumber"/>
                                            </attribute>
                                            <attribute name="department">
                                                 <physicalAttribute name="ou"/>
                                            </attribute>
                                            <attribute name="description">
                                                 <physicalAttribute name="description"/>
                                            </attribute>
                                            <attribute name="streetaddress">
                                                 <physicalAttribute name="postaladdress"/>
                                            </attribute>
                                            <attribute name="pobox">
                                                 <physicalAttribute name="postofficebox"/>
                                            </attribute>
                                             <attribute name="krb5principalname">
                                                  <physicalAttribute name="userprincipalname"/>
                                             </attribute>
                                             <attribute name="kpnprefix">
                                                  <physicalAttribute name="samaccountname"/>
                                             </attribute>
                                            <attribute name="dn">
                                                 <physicalAttribute name="distinguishedname"/>
                                            </attribute>
                                         </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                            <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                                  <nameSpace name="$usermapping$">
                                          <attributes>
                                               <attribute name="REFERENCE_SYSTEM_USER">
                                                    <physicalAttribute name="sapusername"/>
                                               </attribute>
                                          </attributes>
                                     </nameSpace>
                             </nameSpaces>
                        </principal>
                        <principal type="group">
                             <nameSpaces>
                                  <nameSpace name="com.sap.security.core.usermanagement">
                                       <attributes>
                                             <attribute name="displayname">
                                                  <physicalAttribute name="displayname"/>
                                             </attribute>
                                             <attribute name="description">
                                                  <physicalAttribute name="description"/>
                                             </attribute>
                                             <attribute name="uniquename" populateInitially="true">
                                                  <physicalAttribute name="ou"/>
                                             </attribute>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.usermanagement.relation">
                                       <attributes>
                                             <attribute name="PRINCIPAL_RELATION_MEMBER_ATTRIBUTE">
                                                  <physicalAttribute name="null"/>
                                             </attribute>
                                             <attribute name="PRINCIPAL_RELATION_PARENT_ATTRIBUTE">
                                                  <physicalAttribute name="null"/>
                                             </attribute>
                                        </attributes>
                                  </nameSpace>
                                  <nameSpace name="com.sap.security.core.bridge">
                                       <attributes>
                                            <attribute name="dn">
                                                 <physicalAttribute name="null"/>
                                            </attribute>
                                       </attributes>
                                  </nameSpace>
                             </nameSpaces>
                        </principal>
                   </principals>
              </attributeMapping>
              <privateSection>
                   <ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
                   <ume.ldap.access.context_factory>com.sun.jndi.ldap.LdapCtxFactory</ume.ldap.access.context_factory>
                   <ume.ldap.access.authentication>simple</ume.ldap.access.authentication>
                   <ume.ldap.access.flat_group_hierachy>true</ume.ldap.access.flat_group_hierachy>
                   <ume.ldap.access.user_as_account>true</ume.ldap.access.user_as_account>
                   <ume.ldap.access.dynamic_groups>false</ume.ldap.access.dynamic_groups>
                   <ume.ldap.access.ssl_socket_factory>com.sap.security.core.server.https.SecureConnectionFactory</ume.ldap.access.ssl_socket_factory>
                   <ume.ldap.access.objectclass.user>User</ume.ldap.access.objectclass.user>
                   <ume.ldap.access.objectclass.uacc>User</ume.ldap.access.objectclass.uacc>
                   <ume.ldap.access.objectclass.grup>organizationalUnit</ume.ldap.access.objectclass.grup>
                   <ume.ldap.access.naming_attribute.user>cn</ume.ldap.access.naming_attribute.user>
                   <ume.ldap.access.auxiliary_naming_attribute.user>samaccountname</ume.ldap.access.auxiliary_naming_attribute.user>
                   <ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.naming_attribute.uacc>
                   <ume.ldap.access.auxiliary_naming_attribute.uacc>samaccountname</ume.ldap.access.auxiliary_naming_attribute.uacc>
                   <ume.ldap.access.naming_attribute.grup>ou</ume.ldap.access.naming_attribute.grup>
                   <ume.ldap.access.pwd.via.usercontext>true</ume.ldap.access.pwd.via.usercontext>
                   <ume.ldap.access.set_pwd>true</ume.ldap.access.set_pwd>
                   <ume.ldap.access.multidomain.enabled>true</ume.ldap.access.multidomain.enabled>
                   <ume.ldap.access.extended_search_size>200</ume.ldap.access.extended_search_size>
                        <ume.ldap.access.domain_mapping>
                        [DOMAIN_PT;DC=domain,DC=pt]
                        [GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
                        [gs;DC=DC=gs,DC=domain,DC=pt]
                        [domain;DC=pt]
                        </ume.ldap.access.domain_mapping>
              </privateSection>
         </dataSource>
    </dataSources>
    Edited by: Joaquim Pereira on Feb 7, 2009 1:34 PM

    Hi Gaetano
    I tried to set back the "uniqueid" in the XML to samaccountname.
    Also, I changed SPNEGO to go only to domain.pt (gs.domain.pt is a child domain).
    In the first tests this worked perfectly, but we still have to do some testing with this config.
    When I get confirmation, I'll reply here.
    Thank you.
    PS: we thought of defining the ABAP user for each user, but there are a lot of users...
    We'll try this config, and if it doesn't work, probably that's what we'll do.
    Edited by: Joaquim Pereira on Feb 12, 2009 5:45 PM
    Everything seems to be working now. Setting back the uniqueid to samaccountname and configuring SPNEGO to go to only one domain solved the issue.
    I just need to test which change did the trick.
    Edited by: Joaquim Pereira on Feb 13, 2009 1:02 PM
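    As an added example (not part of the thread or of SAP's UME code), a check over the domain_mapping block in the posted XML: it parses the [NAME;BASE_DN] entries, reports any entry whose DN is not a well-formed list of attr=value RDNs, and resolves a userPrincipalName suffix to the entry whose DC components match it most specifically. The sample block copies the posted entries; the suffix-to-entry matching rule is an assumption made for this example, not documented UME behaviour.

```python
"""Syntax check of a UME domain_mapping block and UPN-suffix to base-DN resolution."""
import re

# Constructed sample in the format of the posted <ume.ldap.access.domain_mapping>
# element: one [NAME;BASE_DN] entry per line, values copied from the thread.
DOMAIN_MAPPING = """
[DOMAIN_PT;DC=domain,DC=pt]
[GS_DOMAIN_PT;DC=gs,DC=domain,DC=pt]
[gs;DC=DC=gs,DC=domain,DC=pt]
[domain;DC=pt]
"""

ENTRY_RE = re.compile(r"^\[([^;\]]+);([^\]]*)\]$")
# One RDN: attribute type, '=', a value without an unescaped '=' or ','.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")


def parse_domain_mapping(text):
    """Return a list of (name, base_dn, error); error is None for valid entries."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            entries.append((None, line, "entry is not of the form [NAME;BASE_DN]"))
            continue
        name, dn = m.group(1), m.group(2)
        bad = [rdn.strip() for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]
        entries.append((name, dn, f"malformed RDN(s): {bad}" if bad else None))
    return entries


def dc_components(dn):
    """Lowercased values of the DC= RDNs, in DN order (most specific first)."""
    comps = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "dc":
            comps.append(value.lower())
    return comps


def resolve_domain(upn, entries):
    """Map user@suffix to the name of the valid entry that best matches the suffix.

    Assumption for this example: an entry matches when its DC components equal the
    trailing labels of the UPN suffix, and the longest such match wins. Malformed
    entries are skipped. Returns None when nothing matches or upn has no '@'.
    """
    if "@" not in upn:
        return None
    labels = upn.rsplit("@", 1)[1].lower().split(".")
    best, best_len = None, 0
    for name, dn, err in entries:
        if err:
            continue
        comps = dc_components(dn)
        n = len(comps)
        if best_len < n <= len(labels) and labels[-n:] == comps:
            best, best_len = name, n
    return best


if __name__ == "__main__":
    entries = parse_domain_mapping(DOMAIN_MAPPING)
    for name, dn, err in entries:
        print(f"{name!r:16} {dn!r:32} {'ok' if err is None else err}")
    for upn in ("someone@domain.pt", "someone@gs.domain.pt", "someone@other.org"):
        print(upn, "->", resolve_domain(upn, entries))
```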

  • 2012 R2 DirectAccess multi domain forest: Is it possible Limit Auto-discovery of domain controllers?

    I've just successfully implemented Multisite Server 2012 R2 DirectAccess in a child domain of a global company with numerous sub domains. I'd like to limit the scope of the auto discovery of management servers in 2012 R2 DA; is anyone aware of any way of doing this?
    During the default initial configuration of DirectAccess, auto-discovery of domain controllers is performed for all domains in the same forest as the DirectAccess server and client computers.
    In my scenario the number of sub domains and the multinational nature of the company mean that the DA servers cannot contact all DCs for every child domain in the forest.
    This means the Operations Status page in the Remote Access Management console always shows the status of the Domain Controller check as "critical", leaving a red X amongst my nice green ticks. It's untidy and at first glance it looks like there are major problems with the service.
    The DA servers, Client machines and users are in a single sub domain so we have no need to contact the other child domain DCs.
    I looked into using the Remove-DAMgmtServer PowerShell cmdlet however this is not applicable since it cannot be used to remove automatically configured management servers such as DCs.
    Also the child domain DCs don't actually appear in the management servers list.

    Hi, a colleague of mine had the same problem in a DirectAccess deployment in a large organization that has a multi-domain forest. He had no choice but to open network flows to have at least one domain controller per domain in the forest.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • Shared Services: Multi-domain MSAD based configuration issue

    Hello to All,
    Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D?
    My actual configuration is based on the domain X and provides some MSAD user groups in the D user directory.
    But I need to provision another user that belongs to another AD in a foreign domain Y.
    A trust relationship (approbation relationship) has been created between the two domains X and Y.
    Is this kind of multi-domain configuration allowed in Shared Services?
    If yes, how can I configure this?
    OS: Solaris
    Hyperion Shared Services 9.3.1
    Thanks in advance for your help

    There are a couple of ways:
    1) Add a new provider in Shared Services
    2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
    Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
    Regards,
    John A. Booth
    http://www.metavero.com

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones into Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/TLS.
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
    The switchport has the Low Impact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it OK.
    I assume a MAB phone and a dot1x PC together is supported? Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • 802.1x Multi-Domain

    I've got a unique setup I'm trying to get working with regards to 802.1x and have run into some issues. I've got Avaya phones that I need to authenticate onto the voice VLAN that they are getting via LLDP. But I'm only using 802.1x to keep things off the voice VLAN, which is in a VRF. The PCs that will either be connected to the back of the phone or plugged directly into the switch cannot be configured for 802.1x, as these PCs are not owned by the department.
    My idea was to run multi-domain, as that seems to be the suggestion for phone deployments, and then put anything that fails authentication into the data VLAN (30) using guest-vlan, as well as authorizing them to VLAN 30 when authentication fails. It seems like the authentication fail VLAN and guest VLAN cannot be used in multi-domain mode though, so I'm out of ideas and the port is not working properly. Here is my current config that is not working, as it's not putting the PC into VLAN 30 when authentication fails. VLAN 40 is the voice VLAN. VLAN 30 is the data VLAN.
    interface GigabitEthernet1/0/1
    description Test 802.1x port
    switchport mode access
    switchport voice vlan 40
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event no-response action authorize vlan 30
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout server-timeout 15
    dot1x timeout supp-timeout 2
    spanning-tree portfast
    Any ideas on how I can go about achieving this?
    Thanks,
    Brian

    Well, you can use multiple-authentication mode.
    Multiple-authentication (multiauth) mode allows one client on the voice VLAN and multiple authenticated clients on the data VLAN. When a hub or access point is connected to an 802.1x-enabled port, multiple-authentication mode provides enhanced security over multiple-hosts mode by requiring authentication of each connected client. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the fallback method for individual host authentications, to authenticate different hosts through different methods on a single port.
    Multiple-authentication mode is limited to eight authentications (hosts) per port.
    Multiple-authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received from the authentication server.
    VERY IMPORTANT: When a port is in multiple-authentication mode, all the VLAN assignment features, including the RADIUS server supplied VLAN assignment, the Guest VLAN, the Inaccessible Authentication Bypass, and the Authentication Failed VLAN do not activate.
    These are the configuration commands:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1271507.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • 802.1x multi-domain 3560catalyst nortel ip phone ntdu92

    Hello everyone!
    I have a 3560 Catalyst, IOS 12.2(55)SE5.
    I need to authorize a PC and an IP phone on this port. 212 is the data VLAN, 500 the voice VLAN, and VLAN 111 the unauthorized VLAN with 256 kbit/sec Internet and no local resources. The IP phone authorizes by MAB.
    #sh mac address-table interface fastEthernet 0/2
    212    001a.4b7b.0394    STATIC      Fa0/2
    500    001b.bafb.7c1c    STATIC      Drop
    #sh running-config interface fastEthernet 0/2
    interface FastEthernet0/2
    switchport access vlan 212
    switchport mode access
    switchport voice vlan 500
    authentication event fail action authorize vlan 111
    authentication event no-response action authorize vlan 111
    authentication host-mode multi-domain
    authentication port-control auto
    authentication violation replace
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x timeout server-timeout 5
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 3
    dot1x max-reauth-req 3
    storm-control broadcast level 7.00 3.00
    storm-control multicast level 15.00 10.00
    storm-control action shutdown
    no cdp enable
    spanning-tree portfast
    spanning-tree guard root
    end
    #sh logging
    Jul 29 11:11:03: %DOT1X-5-FAIL: Authentication failed for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-START: Starting 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID  0A32FF150000006025C481C2
    Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
    Jul 29 11:11:04: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:06: %AUTHMGR-5-START: Starting 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
    Jul 29 11:11:06: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID  0A32FF150000006125C52D87
    Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
    Jul 29 11:11:07: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID 0A32FF150000006125C52D87
    What is necessary for a PC and an IP phone to work on the port at the same time?
    Thanks for your help.

    Good afternoon. Thanks for your advice. The problem was the following: I forgot to add the command
    aaa authorization network default group radius
    Now everything is working.
    Fa0/2      001b.bafb.7c1c  mab      VOICE    Authz Success  0A32FF15000000B6500A0895
    Fa0/2      001a.4b7b.0394  dot1x    DATA     Authz Success  0A32FF15000000C353ADA437
    Thanks to all.
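The alternating MACREPLACE / SECURITY_VIOLATION pairs in the log above are the symptom worth alerting on. As an added example (not from the thread), here is a small Python detector over syslog lines constructed in the same format as the ones posted, flagging a port where two MACs keep displacing each other:

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the %AUTHMGR messages in the post
# above (same format; the Fa0/3 line is added to show a healthy port).
SAMPLE_LOG = """\
Jul 29 11:11:03: %MAB-5-SUCCESS: Authentication successful for client (001b.bafb.7c1c) on Interface Fa0/2 AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001b.bafb.7c1c) is seen.AuditSessionID  0A32FF150000006025C481C2
Jul 29 11:11:03: %AUTHMGR-5-MACREPLACE: MAC address (001a.4b7b.0394) on Interface FastEthernet0/2 is replaced by MAC (001b.bafb.7c1c) AuditSessionID 0A32FF150000005F25C42541
Jul 29 11:11:06: %DOT1X-5-SUCCESS: Authentication successful for client (001a.4b7b.0394) on Interface Fa0/2 AuditSessionID
Jul 29 11:11:06: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface FastEthernet0/2, new MAC address (001a.4b7b.0394) is seen.AuditSessionID  0A32FF150000006125C52D87
Jul 29 11:11:06: %AUTHMGR-5-MACREPLACE: MAC address (001b.bafb.7c1c) on Interface FastEthernet0/2 is replaced by MAC (001a.4b7b.0394) AuditSessionID 0A32FF150000006025C481C2
Jul 29 11:12:00: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID 0A32FF15000000AA00000001
"""

MACREPLACE_RE = re.compile(
    r"%AUTHMGR-5-MACREPLACE: MAC address \(([0-9a-f.]+)\) on Interface (\S+) "
    r"is replaced by MAC \(([0-9a-f.]+)\)"
)
VIOLATION_RE = re.compile(
    r"%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface (\S+),"
)


def parse_macreplace(log_text):
    """Return a list of (interface, old_mac, new_mac) for every MACREPLACE event."""
    events = []
    for line in log_text.splitlines():
        m = MACREPLACE_RE.search(line)
        if m:
            old_mac, iface, new_mac = m.groups()
            events.append((iface, old_mac, new_mac))
    return events


def count_violations(log_text):
    """Security violations per interface; with 'authentication violation
    replace' every extra host shows up here before it is swapped in."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   for m in [VIOLATION_RE.search(line)] if m)


def find_pingpong_ports(log_text):
    """Ports where two MACs keep displacing each other (A replaced by B, then
    B replaced by A). On a multi-domain port this means the second host never
    gets its own data/voice slot because the switch is not applying the
    authorization result; in the thread above the cause was the missing
    'aaa authorization network default group radius'. Returns {iface: (mac, mac)}."""
    seen = defaultdict(set)   # iface -> set of (old, new) replacement pairs
    flagged = {}
    for iface, old, new in parse_macreplace(log_text):
        if (new, old) in seen[iface]:
            flagged[iface] = tuple(sorted((old, new)))
        seen[iface].add((old, new))
    return flagged


if __name__ == "__main__":
    print("violations per port:", dict(count_violations(SAMPLE_LOG)))
    print("ping-pong ports:", find_pingpong_ports(SAMPLE_LOG))
```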

  • X-MS-Exchange-Organization-AuthAs is configured as Internal other than Anonymous from internet mails

    Hi Admin,
    We want to restrict a distribution group so it does not receive Internet mail, but Internet mail still goes through even if the option "only senders inside my organization" is selected. Part of the mail header is below:
    X-MS-Exchange-Organization-AuthSource: myexchange.com
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 10
    The value of X-MS-Exchange-Organization-AuthAs is set to "Internal" rather than "Anonymous" for Internet mail. Maybe this is the root cause, but I don't know how to resolve it. Currently the Internet mail is first checked by our Symantec mail gateway and then transferred to our CAS server (myexchange.com) as above.
    Could somebody instruct me on this?
    Many thanks in advance.
    Leon

    Did you check "Externally Secured" on the anonymous receive connector or add the ip address of the Symantec Gateway to the allowed IP anti-spam list in Exchange?
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Multi domains handling.

    There have been many posts regarding domain.sites splitting and how to handle multiple domains.
    First you need to split your domain.sites package, courtesy of Mark:
    http://web.mac.com/mark8heaton/iWeb/DomainSeparation/SiteSeparation.html
    What about handling multiple domains?
    Make a master folder, and make sub-folders within this master folder to keep the (split) domain.sites, then place the master folder in your Dock, i.e.:
    http://www.geocities.com/[email protected]/images/domains.jpg
    You can access your domain.sites at any time from the Dock.
    What about making new domain.sites?
    You can force iWeb to create new domain.sites with a shell script (Unix) or AppleScript - notice the second item in domains.jpg.
    The _New Domain script forces iWeb to create a new domain.sites package in the folder you specify, as in this dialog box:
    http://www.geocities.com/[email protected]/images/newDomain.jpg
    There is no need for a third-party application. Everything you see/need is free and is bundled with every Mac.

    Vark,
    Weird as heck, but it does happen.
    I've had it happen to me a few times and I've had a
    number of emails from others that have experienced
    the same thing; enough to make me warn everyone
    about it.
    Funny, when I try to replicate the problem I'm unable
    to; seems to strike at random.
    Weird stuff!!! I believe it, just think it is extremely bizarre.

  • BOE on multi domain

    I am planning to install BOE XI 3.1 on a Windows server. It is a multi domain environment, so what are the important things I need to concentrate on, for example opening up the firewall, etc.?
    Are there any documents available for this? Please guide.

    Multi domain is not much of an issue; by default any domain joined to a single forest is automatically trusted bi-directionally. The only snags sometimes are with DNS. We have a KB (search usefqdnfordirectoryservers) that will take care of that.
    I don't know why you would firewall off your domains if they are joined in the same forest; this would prevent basic Microsoft services from running as well. Another rule of thumb is that BOE simply runs on top of Microsoft and uses Microsoft API calls. If it works in Microsoft then we should be OK.
    Now if you are using multiple forests then we have a KB on that as well (search multiple forests zie). In that case the forests must have a 2-way forest trust, be 2003 or above functional level, and basically act as 1 forest to our product. The rule here is that if you don't trust a forest then BO will either not be able to query it or allow logins from it, as we again use Microsoft API calls which require these things to be in place.
    KBs can be searched in the Service Marketplace. Also see KB 1261835 for setting up SSO on Java.
    Regards,
    Tim

  • Java and multi-domain certificates

    Hi, I tried using a so-called MDC or multi-domain certificate with my Java application, but when connecting with a web browser I get the following error in Firefox (Internet Explorer gives a similar error but provides less info):
    "The certificate is only valid for www.somedomain.com%2Csub1.somedomain.com%2Csub2.somedomain.com%2C"
    I assume the %2C should be commas, or at least should have been interpreted as commas.
    My question: was this certificate created wrong, or does Java not support this type of certificate?

    I doubt it is a Java issue. If your SSL handshake is reaching the stage where the server sends its certificate to your browser, then the server is already satisfied with its own certificate. I doubt the server pays much attention to the subject name or any of the subject alternative names of its own certificate. And the server cannot change any of the fields of this certificate, so what it is sending the browser is exactly what you got back from the CA.
    You say you did not create the certificate, but you almost certainly created almost all the fields of the certificate by creating something called a certificate signing request. This is what you give to the CA. The CA uses this to populate the fields of a certificate that it signs and gives back to you.
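As an added illustration (not the poster's code or any Java library API), a Python name-matching check in the style browsers apply: it shows why one CN carrying three names with encoded commas never matches any of them, what the equivalent SAN list looks like, and, going a little beyond the thread, how a single leading wildcard is matched. The domain names are the ones from the error message above; everything else is constructed.

```python
from urllib.parse import unquote


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname the way browsers do:
    case-insensitive, and a wildcard is allowed only as the whole leftmost
    label (so "*.somedomain.com" covers "sub1.somedomain.com" but not
    "a.b.somedomain.com" or "somedomain.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_to_check(subject_cn, san_dns=()):
    """A client only falls back to the CN when the certificate carries no
    dNSName SAN entries; once SANs are present the CN is ignored."""
    return list(san_dns) if san_dns else [subject_cn]


def hostname_matches(hostname, subject_cn, san_dns=()):
    """True if the certificate would be accepted for this hostname."""
    return any(name_matches(n, hostname) for n in names_to_check(subject_cn, san_dns))


def split_joined_name(name):
    """Detect a single name that is really several hostnames glued together
    with (URL-encoded) commas, as in the Firefox message above. Returns the
    list of intended names, or None if the name looks like one hostname."""
    parts = [p for p in unquote(name).split(",") if p]
    return parts if len(parts) > 1 else None


# Constructed from the error text in the question: one CN holding three names.
BROKEN_CN = "www.somedomain.com%2Csub1.somedomain.com%2Csub2.somedomain.com%2C"
# How the same certificate should have been requested: one CN, the rest in SAN.
GOOD_CN = "www.somedomain.com"
GOOD_SAN = ["www.somedomain.com", "sub1.somedomain.com", "sub2.somedomain.com"]

if __name__ == "__main__":
    for host in ["www.somedomain.com", "sub1.somedomain.com"]:
        print(host, "broken:", hostname_matches(host, BROKEN_CN),
              "fixed:", hostname_matches(host, GOOD_CN, GOOD_SAN))
    print("names glued into the CN:", split_joined_name(BROKEN_CN))
```

Whether the CSR put the names into a single CN or into separate SAN entries is visible in the certificate itself, so a check like this on the issued certificate is the quickest way to tell which side made the mistake.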

  • Identity firewall with Single Forest/Multi-Domain

    I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.
    Currently I have a semi-operational IDF at the top level but can't find users in the other, lower domains. Here is the setup:
    I have 3 domains.
    domain1.test.com
    domain2.domain1.test.com
    domain3.domain2.domain1.test.com
    Both domains have a two way parent-child trust and I can look for users in AD Users/Computers on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another adserver in the ASA to search LDAP on domain 2, to no avail.
    The Cisco documentation states the following:
    • Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).
    Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
    Reading that, it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get it to communicate with the lower level domains. I wanted to ask though before I blow everything up and start over. The instructions are not overwhelmingly clear on what needs to be done in this scenario. Suggestions?

    Hi Matthew,
    If I understand your post correctly, the problem is that the ASA is unable to search users in domain2, correct? This portion of the communication is unrelated to the AD Agent, but it sounds like the Agent can talk to the DC just fine. The ASA searches for users directly on the DC via LDAP queries. The communication between the ASA and the Agent is all done via RADIUS.
    If the above is correct, I would focus on why the LDAP queries are failing between the ASA and the domain2 DC. Feel free to open a TAC case on this as well for additional assistance from the AAA experts.
    -Mike

  • MDT from Single Site for Multi Domain OS Deployment

    Hi all,
    We are looking for a solution which will make it possible to use MDT from a single site to deploy Windows 7 or Windows 8 and join different domains of different customers without trust relationships between the domains.
    We are a service provider which supports different customers with separate domains. At this moment those customers have their own WDS server on site, and administration is time consuming because a lot of hardware changes occur.
    We are now searching for a solution which is easier to manage, and one of the solutions we are thinking about is to install a WDS server in our office and use MDT for some custom task sequences, but just build one image with all the different driver packs we have.
    Does anyone know how to deal with this from our point of view? All tooling I can find is based on enterprise clients with one domain forest and maybe some different sites, but all in one domain, which makes deployment a bit easier than in our situation I guess, as we are looking for a solution that supports multi-domain deployment.
    Hope someone might have experienced this before and can help us in the right direction. If someone has experience with additional tooling which might help us, I am more than interested to know how the tooling helped in solving this.
    Preferably we would have a tool which was multi-tenant and where multiple domains could be managed from a single console, but I think that tool just doesn't exist.
    Hope someone is able to help us in the right direction. Please let me know if you have any tips or did experience the same while making a deployment plan for the service provider you are working for.
    Many thanks in advance!

    So the goal is not only to get multiple domains to select from? If so, you could use a DomainOUList.xml file.
    Also, would the clients be imaged at your site or at your clients' site?
    If this post is helpful please click "Mark for answer", thanks! Kind regards
