Use Profile Manager to configure 802.1x authentication to Active Directory
I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
If I configure the profile for the WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network.
If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
Here's my problem:
I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
Any thoughts?
Thanks!!!!
I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager. If I can't get this to work I'm going to try SCEP and certificate authentication.
Similar Messages
-
Can I configure WS-Sec authentication via Active Directory with OSB or OWSM
Hi
I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
Regards,
Néstor Boscán
Hi.
OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
OWSM
http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
and
http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
hope this helps
best
rolando -
Managed App Configuration using Profile Manager
Hello,
We're using Profile Manager as the MDM server of our iPads. Everything works fine except that recently we want to manage some app configurations through MDM, but were unable to find the Managed App Configuration settings from Profile Manager.
May I know if Profile Manager supports Managed App Configuration for iOS?
Thanks,
Jacky
We are not running it yet, but I believe that when you set up a user in AirWatch or another MDM and you install the agent on a device, the user has to authenticate with AD creds, so then you can configure it to pull a cert from your SCEP server using those creds and it will then pull a user cert instead of a generic certificate. Obviously that is a pretty dumbed-down explanation, but in a nutshell that is how it is going to work.
-
HT5188 Can I use Profile Manager to deploy paid Apps?
Can I import VPP codes and push the apps to the ipads without user interaction?
No, some user interaction will be required. With any MDM they will have to accept the app.
While we use the term push, the user has to accept all App installations on the device. They will have to touch install. Please read below from:
http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-lion-server/
" This brings up an interesting limitation of how Profile Manager interacts with the App Store. It kinda’ doesn’t. If I were pushing apps to elementary school iPads in a 1:1 I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or I could use iTunes (if I wanted a labor intensive process of restoring an iPad per computer rather than a parallel process). But either way, I’m gonna’ stay away from Profile Manager for apps.
So if you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens." -
Authentication on Active Directory using JNDI (A Professional Approach)
I am using following code for getting authenticated on Active Directory by user logon name.
Can anyone tell me a more professional and foolproof approach for authenticating a user on Active Directory through my web interface?
thanks in advance
/*
 * Created on Nov 10, 2004
 */
package auth;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * @author Tushar Agrawal
 * Created On Nov 10, 2004
 */
public class UserAuthentication {

    public UserAuthentication() {
        super();
    }

    /**
     * Binds to Active Directory as logonName@domain with the user's own
     * password and, on success, returns the user object's attributes.
     * Returns null when the bind fails or no matching user is found.
     */
    public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
        NamingEnumeration attrs = null;

        // Active Directory treats a simple bind with an empty password as an
        // anonymous bind and lets it succeed, so reject it before binding.
        if (logonName == null || logonName.length() == 0
                || password == null || password.length() == 0) {
            return null;
        }

        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
        env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // A simple bind sends the password in clear text; enable SSL (ldaps)
        // outside a test environment.
        //env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.version", "3");
        env.put(Context.REFERRAL, "follow");

        DirContext ctx = null;
        try {
            String base = "";
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(
                new String[] {
                    "sAMAccountName",
                    "userPrincipalName",
                    "displayName",
                    "memberOf",
                    "objectSid",
                    "title" });
            // Pass logonName as a filter argument so JNDI escapes it, instead of
            // concatenating it into the filter string (LDAP filter injection).
            NamingEnumeration e =
                ctx.search(base, "(sAMAccountName={0})", new Object[] { logonName }, controls);
            if (e.hasMore()) {
                SearchResult r = (SearchResult) e.next();
                attrs = r.getAttributes().getAll();
            }
        } catch (AuthenticationException e) {
            System.err.println("Authentication failed: " + e);
        } catch (NamingException e) {
            System.err.println("Problem getting attribute: " + e);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                }
            }
        }
        return attrs;
    }
}
tushar agrawal
You'll find more info at:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
That's the right way to do it. -
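The two weak points in the posted class are the filter string built by concatenating the logon name and the simple bind that Active Directory accepts anonymously when the password is empty. The following Python model of the same bind-then-search flow is an added example, not the poster's code or the Tomcat realm linked above: it implements RFC 4515 filter escaping, validates the bind arguments, and runs against a constructed in-memory directory (the accounts jdoe and asmith and their passwords are invented; seclore.com comes from the posted base DN) so that it runs offline and the wildcard behaviour can be shown.

```python
import re

# Added example, not the poster's code. Models bind-then-search against AD
# without an LDAP library: escape_filter_value() does RFC 4515 escaping,
# validate_bind_args() rejects inputs that change what a simple bind means,
# and authenticate() ties them together over a fake directory (constructed).

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(logon_name):
    """The filter the posted code builds: the name is concatenated unescaped."""
    return "(sAMAccountName=" + logon_name + ")"


def build_user_filter(logon_name):
    """Same filter with the value escaped, so '*', '(' or ')' cannot alter it."""
    return "(sAMAccountName=" + escape_filter_value(logon_name) + ")"


_LOGON_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_bind_args(logon_name, password, domain):
    """Return the UPN to bind as, or raise ValueError for input that must not reach the bind.

    An empty password turns an AD simple bind into an anonymous bind that
    succeeds; '@' or '\\' in the logon name changes which account is named.
    """
    if not password:
        raise ValueError("empty password would become an anonymous bind")
    if not _LOGON_RE.fullmatch(logon_name or ""):
        raise ValueError("logon name contains characters not allowed in a UPN prefix")
    if not _DOMAIN_RE.fullmatch(domain or ""):
        raise ValueError("domain is not a DNS name")
    return logon_name + "@" + domain


def authenticate(logon_name, password, domain, bind, search):
    """Bind with the user's own credentials, then look the user object up.

    bind(upn, password) -> bool and search(ldap_filter) -> list of attribute
    dicts are injected so the logic runs without a live directory. Returns the
    attributes, or None if the bind fails or the lookup is not exactly one object.
    """
    upn = validate_bind_args(logon_name, password, domain)
    if not bind(upn, password):
        return None
    matches = search(build_user_filter(logon_name))
    if len(matches) != 1:
        return None
    return matches[0]


# Constructed fake directory: UPN -> (password, attributes).
FAKE_DIRECTORY = {
    "jdoe@seclore.com": ("s3cret", {"sAMAccountName": "jdoe", "memberOf": ["CN=Staff,DC=SECLORE,DC=com"]}),
    "asmith@seclore.com": ("hunter2", {"sAMAccountName": "asmith", "memberOf": []}),
}

_FILTER_RE = re.compile(r"\(sAMAccountName=(.*)\)")


def _value_to_regex(raw):
    """LDAP filter value semantics: an unescaped '*' is a wildcard, '\\XX' is a literal."""
    parts = []
    for piece in raw.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile(".*".join(parts))


def fake_bind(upn, password):
    entry = FAKE_DIRECTORY.get(upn)
    return entry is not None and entry[0] == password


def fake_search(ldap_filter):
    """Evaluate a single sAMAccountName filter against the fake directory."""
    m = _FILTER_RE.fullmatch(ldap_filter)
    if not m:
        return []
    pattern = _value_to_regex(m.group(1))
    return [attrs for _, attrs in FAKE_DIRECTORY.values()
            if pattern.fullmatch(attrs["sAMAccountName"])]
```

With the unescaped filter a logon name of `*` matches every account, so whichever object comes back first is treated as the caller; with the escaped filter the same input matches nothing. The empty-password check matters even when the bind is done with the user's own credentials, because the directory reports success for an anonymous bind and the code would go on to return the attributes of whatever the search finds.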
Hi,
I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt
because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
event logs why the user account got locked.
Under Event Viewer, you can find it out.
Regards
Minakshi (Do rate the helpful posts) -
Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc
The possible causes of this error message are:
1.] The end user entered an incorrect username.
2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
In your case, the 3rd option seems to be the closest one.
Jatin Katyal
- Do rate helpful posts - -
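The two ISE threads above quote reason codes 24415 (account locked out) and 24408 (wrong password), and the replies send the poster to the AD event logs. Before that hand-off it helps to know, from the ISE side, which users fail repeatedly and whether the lockout followed a burst of bad passwords or an isolated failure between successes. The script below is an added example, not from either post: the log lines are constructed in a syslog-like shape (the real ISE report layout differs, so the line pattern is an assumption to adjust for a real export), the user names are invented, and only the two reason codes are taken from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from either ISE post. The 24408 and 24415 reason codes are
# the ones quoted in the posts; the line layout below is a constructed
# syslog-like shape, not the exact ISE report format (LINE_RE is an assumption).
SAMPLE_LOG = """\
2013-03-11 09:00:05 ise01 CISE_Passed_Authentications UserName=asmith NAS-IP-Address=10.1.2.3 Protocol=PEAP
2013-03-11 09:01:10 ise01 CISE_Failed_Attempts UserName=jdoe NAS-IP-Address=10.1.2.3 FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2013-03-11 09:01:40 ise01 CISE_Failed_Attempts UserName=jdoe NAS-IP-Address=10.1.2.3 FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2013-03-11 09:02:10 ise01 CISE_Failed_Attempts UserName=jdoe NAS-IP-Address=10.1.2.3 FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2013-03-11 09:02:40 ise01 CISE_Failed_Attempts UserName=jdoe NAS-IP-Address=10.1.2.3 FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2013-03-11 09:03:15 ise01 CISE_Failed_Attempts UserName=jdoe NAS-IP-Address=10.1.2.3 FailureReason=24415 User authentication against Active Directory failed since user's account is locked out
2013-03-11 09:05:00 ise01 CISE_Failed_Attempts UserName=asmith NAS-IP-Address=10.1.2.3 FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2013-03-11 09:05:30 ise01 CISE_Passed_Authentications UserName=asmith NAS-IP-Address=10.1.2.3 Protocol=PEAP
2013-03-11 09:10:00 ise01 CISE_Passed_Authentications UserName=bwong NAS-IP-Address=10.1.2.4 Protocol=PEAP
"""

WRONG_PASSWORD = 24408
LOCKED_OUT = 24415

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (CISE_\w+) UserName=(\S+)"
    r"(?: .*?FailureReason=(\d+))?"
)


def parse_line(line):
    """Return (timestamp, user, passed, reason_code) or None for lines not understood."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    code = int(m.group(4)) if m.group(4) else None
    return ts, m.group(3), m.group(2) == "CISE_Passed_Authentications", code


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of length window."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, window=timedelta(minutes=10), burst=3):
    """Classify each user as locked out after bad passwords, a bad-password burst
    without lockout, or isolated 24408s between successes (the intermittent pattern)."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_user[event[1]].append(event)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        bad = [ts for ts, _, _, code in events if code == WRONG_PASSWORD]
        locks = [ts for ts, _, _, code in events if code == LOCKED_OUT]
        passed = any(ok for _, _, ok, _ in events)
        if locks:
            preceding = sum(1 for t in bad if locks[0] - window <= t <= locks[0])
            findings[user] = ("locked_out", preceding)
        elif max_in_window(bad, window) >= burst:
            findings[user] = ("bad_password_burst", len(bad))
        elif bad and passed:
            findings[user] = ("intermittent_failure", len(bad))
    return findings


if __name__ == "__main__":
    for user, (kind, count) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {kind} ({count} x 24408)")
```

A lockout preceded by several 24408s from the same NAS within minutes points at a supplicant or another device replaying a stale password (the AD event log then shows which machine submitted it), while a single 24408 between successful PEAP authentications for the same user, with no lockout, is the pattern the second post describes and is where Jatin's EAP-timeout explanation applies.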
Wrong Mail Domain after using Profile Manager
Hi,
we've set up a Lion 10.7.2 Server with Directory Services, Web, Mail and a few other services. The hostname of our system is mail.mydomain.com, the internet hostname is mail.mydomain.com, its mail domain setting is of course set to mydomain.com. Now, when setting up a user using Server.app it correctly fills the Email account with [email protected] So far so good.
After logging in as the user on a client, setting the Network account server in Preferences -> Users to "mail.mydomain.com" - which happens to be the Directory Server as well - I go to https://mail.mydomain.com/profilemanager. The Administrator configured a payload in "Settings for everyone" which has been assigned to me containing the correct Mail setup preferences (Mailserver: mail.mydomain.de, CORRECT mail address, nothing wrong noticeable). In the browser, I download and install it on my machine.
Here's the problem:
Now, after opening my Apple Mail (which has been automatically set up due to the profile) and trying to send mail, I'll always get the account [email protected] which is clearly not right. I could change the address by hand in my accounts but I don't want to. Could this just be a Profile Manager or Apple Mail bug? We've triple checked the settings and everything looks ok.
Having the same problem ... setup in profile manager:
protocol: IMAP
email address: [email protected]
incoming mail: mail.company.com
username: [email protected]
on the client:
email address: [email protected]@mail.company.com
Since the outgoing server doesn't need authentication in my network (it's an SSL relay), it's pulling the IMAP Email address field for identification rather than the username, so configuring this from Profile Manager doesn't work. -
How do I push VPP managed apps to devices using Profile Manager silently?
Here is my setup.
100 to 150 iPads in carts used by their departments in classrooms.
OSX Mavericks Server running Profile manager
I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
That part works like a dream.
Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
I just want to push VPP apps to the iPads silently.
Thanks for any help.
Sorry. Added this to the wrong section.
-
How to install managed apps to iPads silently OTA using Profile Manager
Here is my setup.
100 to 150 iPads in carts used by their departments in classrooms.
OSX Mavericks Server running Profile manager
I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
That part works like a dream.
Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
I just want to push VPP apps to the iPads silently.
Thanks for any help.
Then you need to include the apps when you clone with Configurator.
Managed Distribution of Apps is flexible because it works for the following scenarios:
Device
• Device is owned by the company and distributed to the user
• Device is BYOD and enrolled in corporate MDM
• Device is BYOD and unmanaged
User
• Device is "assigned" or used by a single individual
• The individual has an Apple ID (or is capable of getting one)
• The user is entered into your Profile Manager and has an email address (or device is enrolled and you do a push notify to ask for enrollment - remember, Managed Distro works without MDM)
• User accepts the invitation to your VPP program with an Apple ID of choice - enterprise does not care what it is
Apps
• Apps are assigned to the user account in Profile Manager
• Apps become visible in the Apple ID's App Store account as available for install
• If the device is set to autoinstall "purchased" apps, the apps for iPad will just appear
• Apps can be "revoked" by the enterprise, returning the license to the available pool
• Apps do not disappear from devices
Managed Distro does not really fit education as, depending on age, your students may not be able to have an Apple ID, may not have email, and the devices may not be deployed in a one-to-one.
You are back to master image cloning through Configurator.
R-
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store -
How to add network volume to dock using profile manager
I'm trying to set up my network machines so that when users log into their network account, their Dock is pre-populated with one of the shared network volumes.
I've set up the network volume (called /Archive) in the Server app. Users can successfully mount it when logged in. Also I succeeded in using the Profile Manager to automatically mount it upon network user login.
However when I try entering the volume name into the "Dock Items" list in Profile Manager, it does not work. I've tried "Archive", "/Archive", "/Volumes/Archive", etc.
Anyone know how to do this? I know I can simply ask all users to manually drag the folder to their Dock the first time they log in ... but I want Profile Manager to automagically do it for all users.
Are you trying to add a network volume or folder? I believe you can only add folders. Have you tried: Volumes/Archive, losing the first slash. I was successful in adding a group folder to the dock by using: Volumes/Groups/Example
-
How to set up authentication against Active Directory using custom account
Hi All,
Our development BPC server (version 7.0.112, MSSQL Server 2005) was installed using a local user in domain X. It is a single-server installation (meaning all services were installed on that server). The dev server always has the latest data/users by restoring the production backup on the dev server. For testing purpose, I need to allow a user of domain X to log in and do a testing.
Is there a way to configure the dev server to authenticate against an Active Directory in domain X using a special user in the domain X? If yes, how can I configure the dev server?
Thanks.
The installation user must be a domain user with rights to browse domain X.
Otherwise you are not able to add users from the domain.
In your case the installation was done with a local user, which means you will not be able to use domain users.
It can be a workaround if you change the identity for 2 COM+ components to be a domain user instead of that local user.
Anyway, I don't advise you to do this. It will be better to reinstall the dev using a domain user.
The COM+ which has to be changed are:
OsoftAdminServer
OsoftUserManage
Attention: the domain user used must be added into the administrator group of the BPC server and also have sysadmin rights on SQL Server.
I hope this will help you.
Regards
Sorin Radulescu -
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed: Reject / Drop / Continue
If user not found: Reject / Drop / Continue
If process failed: Reject / Drop / Continue
And that didn't do anything either.
Any ideas? Thanks in advance.
Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name".
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
T5-2 ILOM authentication via Active Directory
Hello,
We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
(ActDir) ServerUserAuth - Error 0, failed to validate user group access
We have a group defined and I have set it under Admin groups using the DN.
Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
TIA.
Jeff
Hello Man!
Your provided documents and links are very effective. Thank you for your help. Right now I have the problem listed below:
I have Cisco aironet 1142n access point. I have no ACS / WLC
but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
These APs are standalone. Please provide any configuration document
"How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
Thanks & Regards,
Rizwan Haider Siddiqui. -
Oracle Apps User Authentication with Active Directory
Greetings,
I am running Oracle Apps 12.1.1 using native login authentication. What I would like to do is set it up so that it uses our Active Directory to authenticate users. Does anyone know if there is an easy way to configure this or do I need to use OIM to accomplish it?
Thanks
Have a look here
http://www.oracle.com/products/middleware/identity-management/docs/db-users-roles-management-whitepaper.pdf