Leap and windows domain logon

Similar Messages

• Configure Windows Domain Logon on Airport Express

  The question is... How can I configure Windows Domain Logon data on an Airport Express so it connects automatically without asking each of my other devices for login credentials?
  I use my Airport Express at work connecting it through ethernet, and the network uses Windows Domain credemtials to login, that is user, password and domain server. I have all data needed, this is, static IP, Gateway, DNS, user, password, etc., but I haven't found how to do this inside de Airport Express so I configure just one device instead of 3 or more.
  I have tryed configuring the Airport Express as PPPoE, but that's not the solution for this problem.
  Thanks in advance for the answer.

  Your wireless Netgear router and AirPort Express Base Station (AX) are pretty much useless if you don't have wireless capability for your Dell desktop. The AX uses AirTunes to receive, wirelessly, iTunes from your desktop.
  Just add a wireless card to your Dell and you should be in good shape. In fact, once you go wireless, you can return the Netgear router as your AX will provide Internet connectivity, stream iTunes, and share a USB printer.

• Slow window domain logon over ezvpn netw ext mode tunnel

  I have 4 branch offices connected to a central EZVPN server in network extension mode.
  tunnels are working correctly but domain logon is extremely low (often more than 10 minutes).
  Do you think it could be a fragmentation issue?
  If it is, do you know any way to solve it?
  The errors reported are in windows XP system logs are the following:
       System     > LSASRV 40961 no secure connection with server, no authentication protocol available
       Application> usernv 1030
       Application> usernv 1006
  Thanks
  Johnny

  Hi
  I am in exactly the same situation with the ASA 5510 running security plus license, version 8.0(5) 512 MB RAM
  going to try to upgrade the IOS tonight and upgrade the RAM to 1GB to take it up to version 9 will let you know if it helps,
  cureently download speeds are very bad aroudn 14MB where as uploads are around 96 MB

• Machine authentication by certificate and windows domain checking

  Hi,
  We intend to deploy machine?s certificate authentication for wifi users.
  We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
  We intend to use EAP-TLS :
  - One CA server.
  - each machine (laptop) retrieves its own certificate from GPO or SMS
  - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
  - ACS version is the appliance one
  - one ACS remote agent installed on the A.D.
  - when a user intends to log on the wifi network :
  - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
  - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
  Am I right about these previous points ?
  And then my question is : is it possible to check that the machine is also included in the windows domain ?
  That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi Prem,
  Thanks for these inputs.
  I've passed the logs details to full, performed other tests and retrieved the package.cab.
  I've started investigating the 2 log files you pointed.
  First, we can see that the requests reach the ACS, so that's a good point.
  Then, I'm not sure how to understand the messages.
  In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
  But I'm not sure this NAP problem to be the root cause of my problem.
  And when no NAP is matched, then the default action should accept.
  We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
  I don't know what CSDB is.
  I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
  I copy below an extract of the auth.log.
  I also attach parts of auth.log and RDS.log.
  If you have any ideas or advices ?
  Thanks in advance for your attention.
  Best Regards,
  Arnaud
  AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
  AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
  AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
  AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
  AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

• ACS and Windows Domain / AD

  Hi All,
  In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
  Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
  Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
  I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
  Apprecaite quick help on this.
  -Satishcp

  Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
  My guess Remote Agents for Windows / Solaris works with Appliances alone.

• Parallels Desktop and Windows Domain

  Ive installed Parallels 3 onto my MacBook and am now using Windows XP Pro.
  Ive tried to join my Windows OS to my domain on our Windows 2003 Server but the computer cannot find the domain. I think its something to do with the network connection with the Mac preventing the outward connection.
  Anyone know how to use a Windows Domain through Parallels 3?
  PLease help

  I would suggest changing the network settings in parallels so that your virtual host is getting an IP address straight from your companies DHCP server.
  Dont use shared networking but bridged networking.

• 802.1x and Windows Domain Controller with ACS

  Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explane to me how to set up the domain controller (Active directry) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And How do I set up my domain controller to work with ACS to authenticate users. I have been beating my self to death to figure this out. Any help would be ausome. I am really stuck on trying to make this work.
  Thanks a ton in advance
  Justin

  I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
  By simply posting links is not very helpful. The reason most of us come to this site and post our questions, is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, intead of referring us to a link.
  Thank you,
  John...

• SPNego and Windows domain

  Hi,
  just to make sure: when the windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users logon via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
  Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?

  Hi Yonko,
  thanks again. Yes I understand why you would assume that there would be a MYDOMAIN.COM domain but it isn't as far as I know (result of upgrades all the way back from NT4).
  I actually forgot to write that the windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDN of all servers (all domain memebers) are <i>host.globalcompanyname.com</i>
  interesting enough, we cannot logon using [email protected]
  None the less, I'll double check using TweakUI.
  Cheers
  Marcel

• Funk odyssey and windows authentication

  Currently using funk odyssey client and ACS server software with radius for wireless lan authentication to AD.
  Authentication works fine but fails to work when a user is forced to change a password after its windows domain logon has expired or when the user has lost their password and is given a temporary one which they are forced to change at the next login.
  Does anyone know how to get around this problem ?

  If you have enabled the GINA feature and Odyssey is using your Windows credentials for logging in try doing the following - after logging in locally and seeing that the Odyssey authentication has failed press ctrl-alt-delete and select Lock Computer. Then ctrl-alt-delete and log back in. You should be prompted to enter your new password at that time.

• Android, Ipad authentication under windows domain environment

  I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.
  I had seen the Ipad download the ISE certificate the very first time the device is connected to the SSID. In Android device (Galaxy phone) I don’t see the device download certificate.
  Testing with the Android device I was able to install the root CA certificate (a not easy procedure), then when the SSID is configured in the device I have the option to choice the root CA certificate.
  Now if I don’t include the certificate in the SSID configuration, the device is able to connect with an Identity and Password only. If I include the certificate in the SSID configuration, the device ask for the certificate storage password if the option for use secure credentials is not enabled before.
  How can I validate through the ISE the android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necesarity use certificates, but the Android device does not show anything.
  I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I Right?
  The customer said it appears the certificate is being used to encrypt the username and password not for do the authentication itself. Reading about EAP functionality I believe it is right, I understand the EAP-MSCHAP actually creates a tunnel to passthrough the username and password. Right?
  As the Ipad and Android devices are not in the windows domain, what should be expected when the password is expired? Customer Policy indicates users must change domain passwords every four months. In a Windows PC users receive warnings some days before the expiration but it appears nothing happen in non-domain devices. A co-worker told me the easy way is that when this happen the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best practice work around?
  I hope you can help me to clarify my doubts.
  Regards.
  Daniel Escalante

  Client Provisioning for Android you can refer thease guides:
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10

• Leap authentication and windows Logon

  Folks,
  Is it possible to login only one into windows and not login to the leap client, assuming that you are using ACS whihc is point LEAP credidentails to the WINDOWS domain controller so same password and username. Users in my company do not want to logon twice (windows and leap client) with the same credidentails.
  Thanks

  If you mean you want to still use LEAP but only want the users to have to log into WIndows to do so then the anser is yes. You just need to configure this on the ACU application. Under the profile go to Edit,Network Security. Make sure that you have LEAP selected. Click the configure button. Select Use WIndows Logon User Name and Password. That should do it. Take a look at the screen shot. Please be aware that the authenticatio will appear to be hung on the finding a Domain Controller section. Just give it about a minute or so to complete. Cisco is working on fixing this. Usually if you hit cancel once it gets to that point it still authenticates you and takes you onto your desktop.
  Please remember to rate all replies.

• Windows 8.1 Group Policy to Force Domain Logon as Default?

  I recently purchased a new Windows 8.1 computer for use in our organization.  The default logon option for the device is for a Microsoft Account (the default username field prompt is for an e-mail address, rather than for a username.)  However,
  I would prefer that the default logon option be for a Windows domain account logon, so that users don't have to click the "Sign-in options" link and select "Local or domain account password" each time they need to log onto the computer.
  I have learned that setting the "Interactive logon:  Do not display last user name"
  policy (located under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options) to
  Disabled allows the domain logon option to be retained across sessions.  However, I would prefer to keep this option set to Enabled so that the previous user name is not displayed.
  Does anyone have any suggestions on how the default logon option can be forced to a domain logon, while still suppressing the display of the last username?

  Hi Arowitv,
  According to your description, we can use the following policy to check the result.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
  Accounts: Block Microsoft accounts
  Click this option, and select" Users can't add or log on with Microsoft account"
  Note: Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
  Computer Configuration\Administrative Templates\System\Logon :Assign default domain for logon
  Set the option to Enabled, and add the Default Logon domain.
  Hope this helps.
  Regards,
  Kelvin Xu
  TechNet Community Support

• Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.

  Hello,
  Suddenly the working CRM is being stopped for some group of users.
  I drilled down to the issue and have checked that the users from Domain in which CRM is installed are having CRM access.
  But for other domain user having problem to access CRM.
  I tried to add a user from a domain which is not of CRM domain then it gives following error.
  "Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.
  <Message>LookupAccountNameW failed with error</Message> "
  The change is made - AD group have upgraded Activer Directory server to 2012 R2
  Please help as the Production CRM is not working for other domain user.

  We have Activer Directory Structure like below.
  One Root Domain says A
  and there are multiple child domain like B,C,D etc...
  B,C and D are all in same level,they are child of A domain.
  There are two way transitive trusts between A and all the child Domain.
  But there is no trust in between B and C and so on.
  Our CRM server is in B domain and B domain's user can access CRM but users of Domain C,D and so on can not access CRM.
  If this post answers your question, please click &quot;Mark As Answer&quot; on the post and &quot;Mark as Helpful&quot;

• ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

  Hello
  We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
  Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
  Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

  Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
  Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
  http://technet.microsoft.com/en-us/library/cc772007.aspx
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE and Two distinct Windows Domains

  All,
  I have a customer who wants to integrate ISE with two seperate Windows Domains, they have no trust releationship. We can integrate with one of the domains and can make use of LDAP for the other but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or diabling guest all together as the porblem is a guest with a dot1x suplication is not given guest access in a timely mannor without this command. Another option I have thought about is to use the radius token external identity store to talk to a Cisco ACS server attached to the other domain.
  Any help would be greatly appreciated
  Thanks
  Simon                  

  Here's the list of which methods are supported when using different kinds of user databases :
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140