PEAP with Novell NDS and LDAP?

I was reading this Cisco Q&A doc (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item0900aecd801764fa.shtml) that contained the following question and answer:
Q. Can I use PEAP with LDAP or Novell NDS databases?
A. Yes. PEAP provides interoperability with both LDAP and Novell NDS.
I was under the impression that LDAP and NetWare only supported EAP-GTC, EAP-FAST (phase 2 only), or EAP-TLS?
Can anyone comment?

Getting 802.1x to work with Novell using PEAP w/ GTC is a slam dunk, with some exceptions. I'm using Cisco ACS with a backend connection to NDS. If you have XP clients you can easily use the Cisco PEAP supplicant to allow connecting with EAP-GTC. I ran into problems with the mixture of cards and client OS. I turned to Funk Odyssey Client to solve all my problems on the clients.

Similar Messages

  • EAP-TLS with Novell NDS

    I configured EAP-TLS for the wireless LAN in the Novell 6 environment. However, I encountered a problem on the ACS with Novell NDS. Attached is the error message; any advice on how to overcome it? I have generated the server key and the client key from Windows 2000 server. The error message is 'Auth type not supported by Ext DB'.

    EAP-TLS is not supported with Novell NDS as per the compatibility matrix shown in the following document:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm

  • UME with ABAP AS and LDAP Datasource

    Hello SDNers,
    We have tried very hard for the last few days to configure the ume-xml for the following scenario:
    - LDAP is used to authenticate the user
    - AS ABAP is used to store the roles of the user (because they automatically become groups in the portal)
    - the portal and the ABAP system are on different servers
    Given facts:
    1) we can't synchronize the roles of the ABAP system to the LDAP
    2) we have to use the OpenLDAP for the authentication
    3) DataSources are read-only
    4) users can have similar or different userids on the DataSources (mapping required)
    Therefore, we read the user and account information from the LDAP and groups/roles from the ABAP AS.
    Result:
    a) users with similar userids on LDAP and ABAP AS: these users were no longer able to log on to the portal
    b) users with different ids (mapped) on LDAP and ABAP: can log on
    Questions:
    - Is it true that similar userids lead to inherent problems of the UME Persistence Manager?
    - Did we set up a wrong config-xml?
    - Is there any other way we could authenticate to the LDAP and have the roles of a user read from the ABAP system dynamically?
    Thank you very much for your help
    Sincerely, A. Hunziker

    Hi Andre,
    Not sure if my remarks below can help you, but I do hope they shed some light.
    We have LDAP as our main UME, which is configured in our Portal 7.0. This means that security groups created in LDAP are "replicated" into the Portal. We created Portal roles which are assigned to the security groups created in LDAP. We also use SSO, and it was set up via the SPNego Wizard (http://help.sap.com/saphelp_nw70/helpdata/EN/45/40a0de773a7527e10000000a114a6b/frameset.htm). This way, the user only needs to log in via Windows and can access the Portal without having to log in again (when users have the same Windows user ID as their SAP ID). If the users have a different user ID between Windows and SAP, then they do a user mapping under Personalization in the Portal.
    To connect our Portal to our backend systems, we created a reference system (http://help.sap.com/saphelp_nw70/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm) and we have our Portal certificates in all backend systems (http://help.sap.com/saphelp_nw70/helpdata/EN/d3/41c8efb31d11d5993800508b6b8b11/frameset.htm).
    With the above, users have SSO from Windows to the Portal and, via the reference system, they enjoy SSO into our backend systems as well.
    Basically, we control what the users can see from the Portal (directly from LDAP security groups with users assigned to them), and what the user can do on the backend is still maintained in the backend authorisation setup.
    Hope that helps you.
    Ray

  • Radius server (not elektron!) interacting with mysql DB and LDAP

    I am installing a service that requires a RADIUS server. I have tried to build and install FreeRADIUS from source, as well as used the installer packages that are out there. None of them include support for MySQL. As soon as you turn on sql in the radiusd.conf you get an error like this:
    rlm_sql: Could not link driver rlm_sql_mysql: file not found
    Similar to the problem described here:
    http://www.freeradius.org/faq/#4.14
    Except that I get an error saying that rlm_sql_mysql.a is an invalid image. The file exists and FreeRADIUS sees it and can find it; it's just not usable by FreeRADIUS. Like I said, I have tried building this from the latest CVS source, and finally got it to build completely fine, and even accept connections.
    I just need it to authenticate to MySQL now.
    Anybody have any pointers? I have tried some of the suggestions on the FreeRADIUS FAQ, but I think what I am encountering is an issue specific to OS X Tiger. I have even tried to install using DarwinPorts, but the installation fails.
    The system I am trying to install this on is running 10.4.2 (I am apprehensive about updating the system, because of issues with MySQL being hosed.)
    If anyone thinks or knows that 10.4.2 has specific issues as to why it cannot be installed on 10.4.2, I may need to look into doing a backup and then an upgrade of the server, and attempt the FreeRADIUS install on 10.4.7.
    Thanks in advance for any and all help!

    Big help you OS Xers are. J/P!
    Since this place is supposed to be about education, let's educate!
    I ended up installing OpenRadius and using RADsql (it comes with OpenRadius). It's a bit finicky, but in the end it seems to be working. You also have to install Perl DBI and Perl DBD::mysql, all of which I installed using DarwinPorts (also, BTW, you are better off getting the DarwinPorts/MacPorts source and compiling it yourself, rather than using the DMG installer). If you are paranoid about using Terminal, there is an app out there called Port Authority which is basically a GUI front end to install DarwinPorts apps.
    You may have to do a little searching, but the key is getting the behaviour file and the config file correct. I found examples of the two I needed here:
    http://www.mirrors.wiretapped.net/security/authentication/radius/openradius/examples/0.9.10/
    I am attempting to also have OpenRadius look at LDAP if it can't auth to SQL. I think this is possible, since it seemed to be in FreeRADIUS, so that our users don't need to choose a separate auth protocol.
    I hope at least part of what I have to say will help someone out there; I will update this as I find out more. Right now I can only auth via clear-password, which is not really much of an issue, since this will all be LAN and WAN behind a firewall. But it would be nice if it was at least MD5, which OpenRadius is supposed to support.

  • OBIEE with both SSO and LDAP

    I need to be able to run OBIEE using SSO, with LDAP to 'reauthenticate' the user and then provide information as to which user groups they are in.
    The overall idea is that the user logs in to the 'system' as a whole and is then provided a hyperlink to OBIEE. Behind the scenes, the system login process will set a cookie holding the user's name, thus allowing SSO to be used with OBIEE. When the user logs in, LDAP will then be used to determine which groups the user is a member of.
    I can get SSO working (on its own) and I can get LDAP authentication working (on its own), but when I try to combine the two I just get user authentication errors.
    I suspect that what is happening is that the OBIEE login process is passing the correct username to LDAP (i.e. the one from the cookie), but the IMPERSONATOR password rather than the user's one (at this point OBIEE does not know the user's password).
    Is there any way of getting around this? As far as I can tell, the LDAP authentication mechanism requires both a username and a password to be passed to it, but since we are using SSO, we only have the username.
    Note: it is not considered secure enough to hold the user's password as a cookie or as part of a 'GO' URL, which is why we wish to use SSO.
    Many thanks,
    Chris

    We have the init block set up to log in to LDAP and authenticate the user. The ID we use is not the user account that logged in to the BI Server, but an ID we have that only has the ability to read users and groups.
    You probably need to also uncheck "required for authorization" in this init block; otherwise the impersonator account will not be able to authenticate.
    To get our group assignment we have a PL/SQL program that uses the LDAP utils to connect to the LDAP server, get the group membership and return it in a "GROUP" variable (row-wise) back to the BI Server.
    I'm a relative newbie to BIEE, so this may not be the best or most secure way, but it is working.

  • Trouble with Unity Connection and LDAP

    Our CUCM 8.6 is currently integrated with LDAP; this was done before I started with the company. I'm working on getting the CUC integrated as well, but I keep getting the following error message:
    Error while Connecting to ldap://xx.xx.xx.xx:389, null
    I took the exact same settings that were used on the CUCM (the LDAP syncs fine with CUCM):
    LDAP Configuration name: ActiveDirectory
    LDAP Manager Distinguished Name: [email protected]
    LDAP Password: *******
    LDAP User Search Base: DC=xyz,DC=net
    User ID: sAMAccountName
    Middle Name: middleName
    Manage ID: manager
    phone number: ipPhone
    First name: givenName
    Last Name: sn
    Department: department
    Mail ID: mail
    Any ideas what could be causing that error? I've run into this before somewhere but was able to figure out that it was something with the way I had put in the OU. This time I really have no idea, especially since I took the settings from the LDAP setup in CUCM.

    Hi Chris,
    Yes, I'm sure the sync is still working. I went into CUCM and did a full sync and it was successful; I also hit save and that was successful as well. That was the first thing I did just to make sure it was working, since I was thinking like you that maybe it wasn't working properly. I'll take some screenshots and post shortly.
    Fred
    Here's a screenshot of both CUCM and CUC.

  • PEAP with Intel Centrino

    Hi
    I have a Toughbook from Panasonic. We want to use PEAP with ACS and AP 1200. With Cisco cards everything works. On the notebook we use Windows 2K, NOT XP, with the 802.1x patch from MS, and the latest Intel PROSet 7.1.1. There you can configure PEAP, click on the right CA and enter the MSCHAPv2 username and password, but it doesn't work. When I just enter static WEP 111111 as a profile in the Intel PROSet and configure PEAP on the OS (2K) with the patch, it works. I have also configured LEAP with the Intel PROSet and that works fine, but not PEAP. I have also entered the roaming identity as the AD username. If I don't enter anything there, I can see in the RADIUS debug on the AP that the username is the MAC of the Intel Centrino card.
    Does anybody have the same issues? What's the solution, don't use Intel PROSet? =:-)
    Regards, Bernhard

    Hello,
    I use PEAP with WIN2K (SP4) and a Centrino Intel 2100 B card.
    You must install the PEAP supplicant from Cisco ACU version 6.2. Then you can use Intel ProSet, but you must select "PEAP".
    The authentication works fine, but I never get a DHCP address. If I use a Cisco PCMCIA card 350 it works fine. The difference between the two situations is that, when using the Intel card, the broadcast flag is set to 1 in the Discover message.
    Regards, Ulrich

  • PEAP EAP-MSCHAP and Novell(NDS)

    We have several 350/1220/1131 APs and would like to implement an 802.1x solution. We have an ACS 4.0 and are running Novell (NDS) as the user database.
    As far as I have understood, PEAP MSCHAP only supports Microsoft databases, and only EAP-GTC can be used with NDS/LDAP databases.
    Is this correct?
    Johann Folkestad

    PEAP uses TLS to encrypt any subsequent CHAP exchanges. Yes, MSCHAP uses a hashing algorithm. But it runs within a server-side-cert TLS tunnel for server-side authentication and encryption.
    peter

  • 4402 PEAP w/ACS3.3 using Novell NDS.

    I am trying to configure WPA2 with 802.1x authentication through ACS 3.3. I am having an issue with using PEAP authentication through ACS 3.3 configured for Novell NDS as the external database. The client is stuck at "Verifying credentials". The controller sends authentication requests to ACS, but it is not getting any response back from ACS. ACS is on the same subnet, with no firewalls of any kind in between. Under Failed Authentication on ACS nothing gets logged if I have PEAP enabled under Global Authentication Setup (EAP-MSCHAPv2). If I uncheck the PEAP options under Global Authentication, then ACS will log under Failed Attempts an error message saying "EAP type not configured. Check Global Authentication Setup". The correct IP address of ACS and the secret key are entered in the Wireless Controller. I have also tried using ports 1645 and 1812, with the same result.
    Any ideas would be appreciated. Thanks.

    If you are authenticating against Novell eDirectory/NDS, you should use EAP-GTC. Also, when you create your database configuration, be sure to enter all contexts (separated by commas) in which your user accounts reside.
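The reason EAP-GTC is the recommendation for NDS/LDAP back ends, while PEAP with EAP-MSCHAPv2 needs a Windows-style store, comes down to what the RADIUS server has to hold to verify the inner method. The following Python is an added example written for this page, not code from Cisco ACS or any of the posters: it implements the two RFC 2759 primitives (NtPasswordHash and ChallengeHash) and contrasts a bind-only directory stand-in (the NDS/LDAP case) with one that can supply NT hashes. The `BindOnlyDirectory` and `NtHashDirectory` classes and their sample accounts are constructed for illustration; the hash values come from the RFC 2759 test vectors.

```python
"""Why EAP-GTC verifies against an LDAP/NDS bind but EAP-MSCHAPv2 needs the NT hash.

Inside the PEAP TLS tunnel, EAP-GTC delivers the user's password to the RADIUS
server, which can then verify it with an ordinary LDAP simple bind.  MSCHAPv2
never transmits the password: the client answers with NT-Response, derived from
NtPasswordHash (MD4 over the UTF-16LE password), so the server must already
hold that hash to recompute and compare.  A directory that stores passwords in
its own format cannot provide it.  Added example; hash vectors from RFC 2759.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often disabled."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    round2_order = [(i % 4) * 4 + i // 4 for i in range(16)]
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[round2_order[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 s8.3): MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 s8.2): first 8 bytes of SHA-1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


class BindOnlyDirectory:
    """Constructed stand-in for an LDAP/NDS back end: it can answer a simple bind
    but stores no NT hash, so it cannot hand one to the RADIUS server."""
    def __init__(self, credentials: dict):
        self._credentials = credentials  # constructed sample accounts

    def simple_bind(self, username: str, password: str) -> bool:
        return self._credentials.get(username) == password

    def nt_hash_for(self, username: str):
        return None  # not available from this kind of store


class NtHashDirectory(BindOnlyDirectory):
    """Constructed stand-in for a Windows/AD-style store that does hold NT hashes."""
    def nt_hash_for(self, username: str):
        pw = self._credentials.get(username)
        return None if pw is None else nt_password_hash(pw)


def verify_eap_gtc(directory, username: str, tunnelled_password: str) -> bool:
    """EAP-GTC: the password arrives inside the TLS tunnel, so the server just binds with it."""
    return directory.simple_bind(username, tunnelled_password)


def mschapv2_server_material(directory, username: str, peer_challenge: bytes, auth_challenge: bytes):
    """EAP-MSCHAPv2: the client sends NT-Response = DES(NtPasswordHash, ChallengeHash)
    (three DES blocks, RFC 2759 s8.5) instead of the password.  To recompute it the
    server needs the NT hash; returns None when the back end cannot supply one."""
    nt_hash = directory.nt_hash_for(username)
    if nt_hash is None:
        return None
    return nt_hash, challenge_hash(peer_challenge, auth_challenge, username)


# RFC 2759 s9.2 test vectors
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    nds = BindOnlyDirectory({"User": "clientPass"})
    print("GTC via bind:", verify_eap_gtc(nds, "User", "clientPass"))
    print("MSCHAPv2 against bind-only store:", mschapv2_server_material(nds, "User", PEER_CHALLENGE, AUTH_CHALLENGE))
    print("MSCHAPv2 against NT-hash store:", mschapv2_server_material(NtHashDirectory({"User": "clientPass"}), "User", PEER_CHALLENGE, AUTH_CHALLENGE))
```

The DES step that turns the two returned values into the 24-byte NT-Response is deliberately left out; the point of the example is that `mschapv2_server_material` already returns None for the bind-only directory, which is the "EAP type not configured" / no-response situation described in the thread, while GTC succeeds with nothing more than a bind.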

  • Login intermittently slow with ZCM agent AND Novell client

    We continue to struggle with intermittently slow logins in our environment. In testing, we noticed that logins are very fast (10-20 seconds) when only the Novell Client is installed, and very fast (~10 seconds) when only the ZCM agent is installed. However, when they are both installed, logins slow down, sometimes to 1.5 minutes or longer.
    We have checked DNS and rDNS, and they are both configured properly. SLP is working properly, as demonstrated by the fast logins when only the client is installed. We use LDAP for user lookup, and it also works very fast to resolve user names (~1 second).
    We are using ZCM 10.3.1, and the client is fully patched as well (both Novell Client 2 and 4.91).
    Are there any specific settings (for the ZCM agent or the client itself) that might address this issue?

    My apologies, I told you to remove the wrong thing.
    I should have said NMAS instead of CASA.
    I am just so used to saying CASA when talking about ZCM.
    In regards to NMAS, you could simply rename "NWSSO.DLL" as a test.
    If NMAS is installed which is tested by the existence of this DLL, then
    a certain NMAS call is always made, which in some cases can take a long
    time.
    On 11/9/2010 12:06 PM, dshofkom33 wrote:
    >
    > craig_wilson;2042688 Wrote:
    >> Try removing CASA from the device and see if that makes a difference.
    >> A TID will be out on the issue soon.
    >>
    >> On 10/5/2010 4:36 PM, kjhurni wrote:
    >>>
    >>> Hmm, I will have to try that. I've only observed that with ZCM
    >>> installed (with Novell Client 4.91 SP5 on XP) that the login time
    >> goes
    >>> from about 12-15 seconds to about 50-70 seconds.
    >>>
    >>> But I've not tried "just" the ZCM agent.
    >>>
    >>>
    >>
    >>
    >> --
    >> Craig Wilson - MCNE, MCSE, CCNA
    >> Novell Knowledge Partner
    >>
    >> Novell does not officially monitor these forums.
    >>
    >> Suggestions/Opinions/Statements made by me are solely my own.
    >> These thoughts may not be shared by either Novell or any rational
    >> human.
    >
    > I removed CASA and now I cannot sign into ZCM. I get the "unable to
    > login to network because the login credentials are incorrect" Windows
    > Security Message. Any ideas?
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Knowledge Partner
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Problem with ADS and LDAP

    I have installed Win2000 + SP1 and ADS on a computer. This computer is the PDC.
    After connecting via LDAP I can't get any objects (users or groups etc.).
    I am trying to connect to ADS from Java (JNDI).
    When I use other LDAP clients (e.g. Maxware Directory Explorer) I have the same problem: no objects.
    Can anybody help me?
    Grzegorz Pszona
    my e-mail: [email protected]

    Thanks a lot.
    Softerra's browser is really good.
    Thanks
    Rashmi
    "Anant Kadiyala" <[email protected]> wrote:
    >
    I used Softerra's LDAP browser. The browser is free. There is also a Java-based LDAP browser from Univ of Michigan. I found the Softerra browser to be easier to use.
    -anant
    "rashmi" <[email protected]> wrote:
    Hi,
    Can you please let me know which exact ADS tool you used to examine the DN? I have Active Directory Users and Computers, Sites and Services and Domains and Trusts installed on my machine, but I am not able to figure out how to get the DN.
    Thanks
    Rashmi
    Stephen Davies <[email protected]> wrote:
    Grzegorz,
    I have had WLS6.1 & ADS working OK using LDAP V2. Mind you, it did take a fair bit of messing around to get it going. MS does have a few oddities; for example, the Administrator's DN might look something like this:
    cn=Administrator,cn=Users,dc=eglobal,dc=net
    One tool that I found invaluable came with the additional support tools for Windows 2000. The 'Active Directory Administration Tool' made it easy to list the directory contents and examine the DNs.
    Regards,
    Steve
    Stephen Davies
    Principal Consultant
    eGlobal Services Pty. Ltd.
    Sydney, Australia
    Ph. +61 2 9283 1033
    http://www.eglobal.net/
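Steve's point about AD's DN layout (`cn=Administrator,cn=Users,dc=eglobal,dc=net`) and Rashmi's question about how to obtain a DN are both about the RFC 4514 string form of distinguished names. The Python below is an added example for this page, not code from any poster or from JNDI: a small DN parser/builder that honours backslash escapes (`\,` and `\2C`) and legacy quoted values, plus `ad_user_dn`, a helper (my own naming) that derives the default AD user DN from an account name and DNS domain the way the thread's example shows. Multi-valued RDNs joined with `+` are not handled.

```python
"""Parse and build LDAP distinguished names in RFC 4514 string form.

Added example for the thread above; handles backslash escapes and legacy
quoted values, but not multi-valued RDNs ("cn=a+sn=b").
"""
HEX = "0123456789abcdefABCDEF"
# characters that must be escaped inside an RDN value (RFC 4514 s2.4)
SPECIAL = ',+"\\<>;='


def parse_dn(dn: str):
    """Return a list of (attribute_type, value) pairs, leftmost RDN first."""
    rdns, buf, attr, in_quotes, i = [], [], None, False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # \2C style escape (ASCII bytes)
                i += 3
            else:
                buf.append(dn[i + 1])           # \, style escape
                i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes           # legacy RFC 2253 quoted value
        elif ch == "=" and attr is None and not in_quotes:
            attr = "".join(buf).strip()         # whitespace around the type is insignificant
            buf = []
        elif ch in ",;" and not in_quotes:
            if attr is None:
                raise ValueError("RDN without '=' in: " + dn)
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in: " + dn)
    rdns.append((attr, "".join(buf)))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        needs = ch in SPECIAL or (idx == 0 and ch == "#") or (ch == " " and idx in (0, last))
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Inverse of parse_dn for single-valued RDNs."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def ad_user_dn(account: str, domain: str, container: str = "Users") -> str:
    """Default AD layout (assumed helper): cn=<account>,cn=Users,dc=<label>,...
    The domain's DNS labels become the dc components, as in the thread's example."""
    rdns = [("cn", account), ("cn", container)] + [("dc", label) for label in domain.split(".")]
    return build_dn(rdns)


if __name__ == "__main__":
    dn = ad_user_dn("Administrator", "eglobal.net")
    print(dn)
    print(parse_dn(dn))
    # constructed value with a comma inside the CN, the usual source of bind errors
    print(parse_dn(r"cn=Smith\, John,ou=People,dc=example,dc=net"))
```

Anywhere a DN is pasted into a bind configuration (the "LDAP Manager Distinguished Name" field in the CUCM/CUC thread, or a JNDI `SECURITY_PRINCIPAL`), running it through `parse_dn` first catches a missing `=` or an unescaped comma before the directory returns an unhelpful "null" or "invalid credentials".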

  • Adding phones and users with bat and LDAP sync

    What are the various ways of importing users with phones when Communications Manager 9.0 is synced with LDAP? Also, what method is the easiest and fastest?
    For example, I could do the following steps:
    Sync CUCM with LDAP to import new users, add phones using BAT files, manually update users to associate devices, etc.
    I believe I should also be able to do the above method and use a BAT file to update the users to associate devices, etc. This method still involves 2 steps and the creation of 2 separate BAT files.
    In CUCM version 9 it is possible to have local and LDAP users, so is it possible to add the phones and users using the phones/users tab of the BAT file and have them become LDAP users?
    Thank you,
    Danny

    #1 Remove this embedded CSS code from your HTML document(s). You don't need it.
    body {
        background-color: #CCC;
    }
    body,td,th {
        color: #FFF;
        font-size: 14px;
    }
    #2 Open the PW.css file and add this to the top:
    body {
        font-family: Arial, Helvetica, sans-serif;
        font-size: 14px;
        background-color: #CADFEB;
        /**or insert a background-image using the CSS editor**/
    }
    #3 Remove font-family and font-size from all your other CSS selectors. You don't need to duplicate styles on every element.
    #4 Replace this:
    #content {
        position:absolute;
        left:199px;
        top:10px;
        width:860px;
        z-index:1;
        right: auto;
        background-color: #FFF;
        text-align: center;
        color: #000;
        height: auto;
    }
    with this:
    #content {
        width:860px;
        margin: 20px auto;
        border: 4px solid silver;
        background-color: #FFF;
        text-align: center;
        color: #000;
        -moz-box-shadow: 5px 5px 5px #888;
        -webkit-box-shadow: 5px 5px 5px #888;
        box-shadow: 5px 5px 5px #888;
    }
    #5 Save your PW.css file and upload it to the server.
    Nancy O.
    Alt-Web Design & Publishing
    Web | Graphics | Print | Media  Specialists 
    http://alt-web.com/
    http://twitter.com/altweb

  • Connect to LDAP with Address Book and Mail

    The admin guide for OD is pretty vague, from what I've been able to figure out. How do I connect to my LDAP with Address Book and Mail? I'm sure this is a really simple setup and I'm just missing some minor detail.

    Address Book > Preferences > LDAP
    HTH
    Martin

  • Big problem with Nokia E60 and EAP-PEAP connection

    At our university we have WLAN now.
    The LAN is based on the standard 802.11 b/g with 54 Mbit/s.
    The authentication is based on the standard 802.1x (PEAP) with the connection WPA/TKIP.
    My Firmware:
    V3.0633.09.04
    20-11-06
    RM-49
    Nokia E60
    My Configuration:
    Connection Name: FH-Hof
    Data Bearer:Wireless LAN
    WLAN netw.Name: FHHof
    Network status: Hidden
    WLAN netw.mode: Infrastructure
    WLAN security Mode: WPA/WPA2
    WLAN security settings:
    WPA mode: EAP
    TKIP-Security: allowed
    EAP plugin settings:EAP-PEAP
    User Cert: not defined
    CA Cert: CA-FH-Hof
    username in use: User configured
    username: aschmidt
    real in use: user configured
    realm: FH-Hof
    Allow PEAPv0: yes
    Yes for v1 and v2
    EAP: EAP-mschapv2
    Username: aschmidt
    prompt password: Yes
    password: entered my password
    Extended Settings:
    IPv4-Settings: No Changes
    IPv6-Settings: No Changes
    Proxy server address: proxy.fh-hof.de
    Proxy port number: 3128
    If I start to try the connection I have to enter my username and my password. After that the phone asks me for my username and password again after a while.
    Then it takes about one minute and the connection fails.
    The error message is: No Connection! WPA authentication failed.
    My account is not blocked.
    Do I have to enter any ciphers?
    Thanks for every help and sorry for my bad English!

    Also try changing "WLAN security Mode" from WPA to 802.1x.
    I think Nokia refers to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x, as TKIP is the encryption used.
    So in fact your wireless domain might be an 802.1x/EAP-PEAP/MS-CHAPv2 network.

  • How to config messaging 5.2 and ldap 5.2 with smtp auth?

    Hello.
    I want to configure SMTP auth for Messaging 5.2 and LDAP 5.2.
    What are the steps?
    I configured it following the admin guide, but it does not work.
    Please help me and advise me.

    For your internal clients to be authenticated, replace "maysaslserver" with "mustsaslserver" on the tcp_intranet channel in your imta.cnf file. Then all clients connecting from your internal IPs (listed in your mappings file) will be authenticated.
    Add the two parameters below for Messenger Express users to use the same system:
    configutil -o local.service.http.smtpauthuser -v "store admin user name"
    configutil -o local.service.http.smtpauthpassword -v "store admin password"
    All other external SMTP connections (MX pointed) are not authenticated, since they are directed to the tcp_local channel.
