Use Profile Manager to configure 802.1x authentication to Active Directory

I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
If I configure the profile for the WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password that has explicit access on the RADIUS server, the machine can get on the 802.1x network.
If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
Here's my problem:
I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
Any thoughts?
Thanks!!!!

I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager.  If I can't get this to work I'm going to try SCEP and certificate authentication.
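For comparison, here are the three payload variants the thread describes (shared RADIUS account, login-window mode, directory credentials) written out as a .mobileconfig plist. This is an added example, not Apple's or either poster's code; the Wi-Fi and EAPClientConfiguration key names follow Apple's Configuration Profile Reference as recalled here, so treat them as assumptions to verify against the current reference, and the identifiers, SSID and RADIUS host name are constructed.

```python
"""Three 802.1X Wi-Fi payload variants from the thread (shared RADIUS account,
login-window, directory credentials) emitted as a .mobileconfig plist.
Added example, not Apple's or the posters' code. Key names follow Apple's
Configuration Profile Reference as recalled here: assumptions to verify."""
import plistlib
import uuid

EAP_TYPE_PEAP = 25  # EAP method number for PEAP (IANA EAP type registry)


def wifi_payload(ssid, mode, username=None, password=None,
                 trusted_server_names=(), anchor_cert_uuid=None):
    """Return one Wi-Fi payload dict; mode is 'generic', 'loginwindow' or 'directory'."""
    eap = {
        "AcceptEAPTypes": [EAP_TYPE_PEAP],
        # Pin the RADIUS server identity. Without a trusted-name list and an
        # anchor certificate the supplicant has to prompt for, or silently
        # accept, whatever server certificate it is shown.
        "TLSTrustedServerNames": list(trusted_server_names),
        "TLSAllowTrustExceptions": False,
    }
    if anchor_cert_uuid:
        eap["PayloadCertificateAnchorUUID"] = [anchor_cert_uuid]
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{mode}",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"802.1X Wi-Fi ({mode})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    if mode == "generic":
        # Variant 1: one shared RADIUS account baked into the profile. It gets
        # the Mac on the network, but the secret ships to every machine and
        # cannot be tied to an individual computer account.
        if not (username and password):
            raise ValueError("generic mode needs the shared RADIUS user name and password")
        eap["UserName"] = username
        eap["UserPassword"] = password
        payload["SetupModes"] = ["System"]
    elif mode == "loginwindow":
        # Variant 2: authenticate with whatever the user types at the login window.
        payload["SetupModes"] = ["Loginwindow"]
    elif mode == "directory":
        # Variant 3: system-mode connection using the Mac's own Active Directory
        # computer credentials, so only domain-joined machines get on the network.
        # The machine must already be bound to AD for this to work (assumption:
        # this is what Profile Manager's "Use Directory Authentication" emits).
        payload["SetupModes"] = ["System"]
        eap["SystemModeCredentialsSource"] = "ActiveDirectory"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return payload


def build_profile(payloads, display_name="802.1X Wi-Fi"):
    """Wrap payloads in a device-scoped configuration profile; returns plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.wifi.profile",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Read a profile back into a dict (what a reviewer does before importing it)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    p = wifi_payload("CorpWiFi", "directory", trusted_server_names=["radius.example.com"])
    print(build_profile([p]).decode())
```

Diffing the generated variants against the profile Profile Manager actually exports is a quick way to see which EAP keys the "Use Directory Authentication" option sets, and whether a trusted server name and anchor certificate are present at all.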

Similar Messages

  • Can I configure WS-Sec authentication via Active Directory with OSB or OWSM

    Hi
    I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
    Regards,
    Néstor Boscán

    Hi.
    OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
    OWSM
    http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
    and
    http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
    hope this helps
    best
    rolando

  • Managed App Configuration using Profile Manager

    Hello,
    We're using Profile Manager as the MDM server of our iPads. Everything works fine except that recently we want to manage some app configurations through MDM, but were unable to find the Managed App Configuration settings from Profile Manager.
    May I know if Profile Manager supports Managed App Configuration for iOS?
    Thanks,
    Jacky

    We are not running it yet, but I believe that when you set up a user in AirWatch or another MDM and you install the agent on a device, the user has to authenticate with AD creds, so then you can configure it to pull a cert from your SCEP server using those creds and it will then pull a user cert instead of a generic certificate. Obviously that is a pretty dumbed-down explanation, but in a nutshell that is how it is going to work.

  • HT5188 Can I use Profile Manager to deploy paid Apps?

    Can I import VPP codes and push the apps to the ipads without user interaction?

    No, some user interaction will be required. With any MDM they will have to accept the app.
    While we use the term push, the user has to accept all App installations on the device. They will have to touch install. Please read below from:
    http://krypted.com/iphone/configuring-using-profile-manager-2-in-os-x-mountain-lion-server/
    " This brings up an interesting limitation of how Profile Manager interacts with the App Store. It kinda’ doesn’t. If I were pushing apps to elementary school iPads in a 1:1 I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or I could use iTunes (if I wanted a labor intensive process of restoring an iPad per computer rather than a parallel process). But either way, I’m gonna’ stay away from Profile Manager for apps.
    So if you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens."

  • Authentication on Active Directory using JNDI (A Professional Approach)

    I am using following code for getting authenticated on Active Directory by user logon name.
    Can anyone tell me a more professional and foolproof approach for authenticating a user on Active Directory through my web interface???
    thanks in advance
    /*
     * Created on Nov 10, 2004
     */
    package auth;

    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    /**
     * @author Tushar Agrawal
     * Created On Nov 10, 2004
     */
    public class UserAuthentication {

        public UserAuthentication() {
            super();
        }

        /**
         * Binds to Active Directory as logonName@domain with the given password,
         * then looks up the user's entry. Returns the entry's attributes, or
         * null if the bind or the search failed.
         */
        public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
            NamingEnumeration attrs = null;
            Hashtable<String, String> env = new Hashtable<>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            // host name and base DN as posted
            env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
            env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
            env.put(Context.SECURITY_CREDENTIALS, password);
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.version", "3");
            env.put(Context.REFERRAL, "follow");
            try {
                String base = "";
                // the simple bind (and therefore the password check) happens here
                DirContext ctx = new InitialDirContext(env);
                SearchControls controls = new SearchControls();
                controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                controls.setReturningAttributes(
                    new String[] {
                        "sAMAccountName",
                        "userPrincipalName",
                        "displayName",
                        "memberOf",
                        "objectSid",
                        "title" });
                NamingEnumeration e =
                    ctx.search(base, "sAMAccountName=" + logonName, controls);
                if (e.hasMore()) {
                    SearchResult r = (SearchResult) e.next();
                    attrs = r.getAttributes().getAll();
                    /*while (attrs.hasMore()) {
                        System.out.println(attrs.next());
                    }*/
                }
                ctx.close();
            } catch (AuthenticationException e) {
                System.err.println("Problem getting attribute: " + e);
            } catch (NamingException e) {
                System.err.println("Problem getting attribute: " + e);
            }
            return attrs;
        }
    }
    tushar agrawal

    You'll find more info at:
    http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
    http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
    That's the right way to do it.
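Whatever realm or library ends up doing the bind, the input handling in front of it is where the posted code is weakest: the logon name is concatenated straight into the search filter, and an LDAP simple bind with an empty password is an anonymous bind rather than a failed login, so an empty password must never reach the server. The following is an added example (not the poster's code and not Tomcat's realm) showing that front-end validation in Python: a conservative sAMAccountName pattern and domain pattern (both assumptions to adjust to local naming rules), RFC 4515 filter escaping, and an explicit empty-password check. It produces the principal and filter a bind-plus-search would use; the bind itself should go over ldaps://, which the posted code has commented out.

```python
"""Input validation for a bind-then-search Active Directory login.
Added example, not the poster's code or any library's API. The name patterns
are assumptions; the escaping rules are RFC 4515 section 3."""
import re

# AD caps sAMAccountName at 20 characters and forbids " / \ [ ] : ; | = , + * ? < >.
# This pattern is stricter than AD itself (assumption: fit it to your naming standard).
SAM_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def prepare_ad_login(logon_name, password, domain):
    """Return (bind principal, search filter), or raise ValueError before any LDAP traffic."""
    if not password or password.strip() == "":
        # An empty password turns a simple bind into an anonymous bind that "succeeds".
        raise ValueError("empty password: a simple bind would succeed anonymously")
    if not SAM_ACCOUNT_RE.match(logon_name):
        raise ValueError("logon name is not a valid sAMAccountName")
    if not DOMAIN_RE.match(domain):
        raise ValueError("domain must be a DNS name such as example.com")
    principal = f"{logon_name}@{domain}"
    # Even after the pattern check, escape the value so the caller's input can
    # never change the filter's structure; objectClass keeps the lookup to users.
    search_filter = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(logon_name)}))"
    return principal, search_filter


if __name__ == "__main__":
    # constructed sample input
    print(prepare_ad_login("jdoe", "correct horse battery staple", "example.com"))
```

Hand the returned principal and password to the bind, and only run the search (with the returned filter) once the bind has succeeded; a search that comes back empty after a successful bind should still be treated as a failed login, which the posted code does by returning null.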

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnections. I see in ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
    Error is enclosed & here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt because, for some reason, the user account got locked. I guess you should ask your AD team to check in the AD event logs why the user account got locked.
    You can find it out under Event Viewer.
    Regards
    Minakshi (Do rate the helpful posts)

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentications.
    3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Wrong Mail Domain after using Profile Manager

    Hi,
    We've set up a Lion 10.7.2 Server with Directory Services, Web, Mail and a few other services. The hostname of our system is mail.mydomain.com, the internet hostname is mail.mydomain.com, and its mail domain setting is of course set to mydomain.com. Now, when setting up a user using Server.app, it correctly fills the email account with [email protected]. So far so good.
    After logging in as the user on a client and setting the Network account server in Preferences -> Users to "mail.mydomain.com" - which happens to be the Directory Server as well - I go to https://mail.mydomain.com/profilemanager. The administrator configured a payload in "Settings for everyone" which has been assigned to me, containing the correct Mail setup preferences (mail server: mail.mydomain.de, CORRECT mail address, nothing wrong noticeable). In the browser, I download and install it on my machine.
    Here's the problem:
    Now, after opening my Apple Mail (which has been automatically set up due to the profile) and trying to send mail, I'll always get the account [email protected], which is clearly not right. I could change the address by hand in my accounts but I don't want to. Could this just be a Profile Manager or Apple Mail bug? We've triple-checked the settings and everything looks ok.

    Having the same problem ... setup in profile manager:
    protocol: IMAP
    email address: [email protected]
    incoming mail: mail.company.com
    username: [email protected]
    on the client:
    email address: [email protected]@mail.company.com
    Since the outgoing server doesn't need authentication in my network (it's an SSL relay), it's pulling the IMAP email address field for identification rather than the username, so configuring this from Profile Manager doesn't work.

  • How do I push VPP managed apps to devices using Profile Manager silently?

    Here is my setup.
    100 to 150 Ipads in carts used by their departments in classrooms.
    OSX Mavericks Server running Profile manager
    I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
    That part works like a dream.
    Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
    But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
    I just want to push VPP apps to the iPads silently.
    Thanks for any help.

    Sorry. Added this to the wrong section.

  • How to install managed apps to iPads silently OTA using Profile Manager

    Here is my setup.
    100 to 150 Ipads in carts used by their departments in classrooms.
    OSX Mavericks Server running Profile manager
    I use Apple Configurator to push a wifi payload to the ipads as well as an auto enrollment profile to connect to Profile Manager.
    That part works like a dream.
    Now that I have that working. I am having a problem pushing apps to the Ipads. I downloaded some free apps, GDrive for example, using the managed distribution.
    But I cannot figure out how to push the apps to the iPads without having the iPads asking for an Apple ID and password.
    I just want to push VPP apps to the iPads silently.
    Thanks for any help.

    Then you need to include the apps when you clone with Configurator.
    Managed Distribution of Apps is flexible because it works for the following scenarios:
    Device
         • Device is owned by the company and distributed to the user
         • Device is BYOD and enrolled in corporate MDM
         • Device is BYOD and unmanaged
    User
         • Device is "assigned" or used by a single individual
         • The individual has an Apple ID (or is capable of getting one)
         • The user is entered into your Profile Manager and has an email address (or device is enrolled and you do a push notify to ask for enrollment - remember, Managed Distro works without MDM)
         • User accepts the invitation to your VPP program with an Apple ID of choice - enterprise does not care what it is
    Apps
         • Apps are assigned to the user account in Profile Manager
         • Apps become visible in the Apple ID's App Store account as available for install
         • If the device is set to autoinstall "purchased" apps, the apps for iPad will just appear
         • Apps can be "revoked" by the enterprise, returning the license to the available pool
         • Apps do not disappear from devices
    Managed Distro does not really fit education as depending on age your students may not be able to have an Apple ID, may not have email, and the devices may not be deployed in a one-to-one. 
    You are back to master image cloning through Configurator.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • How to add network volume to dock using profile manager

    I'm trying to set up my network machines so that when users log into their network account, their Dock is pre-populated with one of the shared network volumes.
    I've set up the network volume (called /Archive) in the Server app. Users can successfully mount it when logged in. Also I succeeded in using the Profile Manager to automatically mount it upon network user login.
    However when I try entering the volume name into the "Dock Items" list in Profile Manager, it does not work. I've tried "Archive", "/Archive", "/Volumes/Archive", etc.
    Anyone know how to do this? I know I can simply ask all users to manually drag the folder to their Dock the first time they log in ... but I want Profile Manager to automagically do it for all users.

    Are you trying to add a network volume or folder? I believe you can only add folders. Have you tried: Volumes/Archive, losing the first slash.  I was successful in adding a group folder to the dock by using: Volumes/Groups/Example

  • How to set up authentication against Active Directory using custom account

    Hi All,
    Our development BPC server (version 7.0.112, MSSQL Server 2005) was installed using a local user in domain X. It is a single-server installation (meaning all services were installed on that server). The dev server always has the latest data/users by restoring the production backup on the dev server. For testing purpose, I need to allow a user of domain X to log in and do a testing.
    Is there a way to configure the dev server to authenticate against an Active Directory in domain X using a special user in the domain X? If yes, how can I configure the dev server?
    Thanks.

    The installation user must be a domain user with rights to browse domain X.
    Otherwise you are not able to add users from the domain.
    In your case the installation was done with a local user, which means you will not be able to use domain users.
    It can be a workaround if you change the identity for 2 COM+ components to be a domain user instead of that local user.
    Anyway, I don't advise you to do this. It will be better to reinstall the dev using a domain user.
    The COM+ which has to be changed are:
    OsoftAdminServer
    OsoftUserManage
    Attention: the domain user used must be added into the administrator group of the BPC server and also have sysadmin rights on SQL Server.
    I hope this will help you.
    Regards
    Sorin Radulescu

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed: Reject / Drop / Continue
    If user not found: Reject / Drop / Continue
    If process failed: Reject / Drop / Continue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name".
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
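The log above is worth turning into a detection, because the same sequence (AD lookup reports the machine missing, EAP-TLS still succeeds on the certificate alone, Access-Accept goes out) is exactly what an auditor would want flagged until the authorization rule from the reply is in place. The following is an added example, not Cisco's code: it parses step lines of the form shown in the thread, flags a session in which step 24437 is followed by an 11002 Access-Accept, and models the reply's "default value means deny" rule as a small decision function. The step codes and host name are taken from the posted log; the assumption that one text block is one session, and the DEFAULTVALUE sentinel, come from the thread.

```python
"""Audit ACS-style step logs for sessions accepted despite "Machine not found
in Active Directory", and model the default-value authorization rule from the
reply. Added example, not Cisco's code. Step codes come from the posted log;
one text block per session is an assumption."""
import re

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

MACHINE_LOOKUP = "24433"
MACHINE_NOT_FOUND = "24437"
ACCESS_ACCEPT = "11002"
DEFAULT_SENTINEL = "DEFAULTVALUE"  # the never-real default value from the reply

# Session as posted in the thread (one authentication, top to bottom).
SAMPLE_LOG = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
"""


def parse_steps(text):
    """Return [(code, message)] for every line that starts with a 5-digit step code."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def audit_session(text):
    """Return a finding if the session was accepted after AD reported no entry, else None."""
    steps = parse_steps(text)
    codes = [code for code, _ in steps]
    if MACHINE_NOT_FOUND in codes and ACCESS_ACCEPT in codes:
        # The host name sits after " - " in the 24433 lookup line, if that line is present.
        host = next((msg.rsplit(" - ", 1)[-1] for code, msg in steps
                     if code == MACHINE_LOOKUP), "<unknown host>")
        return (f"{host}: Access-Accept returned although step {MACHINE_NOT_FOUND} "
                f"reported the machine not found in Active Directory")
    return None


def authorization_decision(retrieved_value, sentinel=DEFAULT_SENTINEL):
    """Model the reply's rule: an attribute still holding its default means no AD entry."""
    if retrieved_value is None or retrieved_value == sentinel:
        return "DenyAccess"
    return "PermitAccess"


if __name__ == "__main__":
    print(audit_session(SAMPLE_LOG))
    print(authorization_decision(DEFAULT_SENTINEL))
```

Run against a file of exported sessions, split on the "Evaluating Identity Policy" line to get one block per authentication; any finding means a machine was let on by its certificate alone, which is what the default-value rule is meant to stop.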

  • T5-2 ILOM authentication via Active Directory

    Hello,
    We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
    (ActDir) ServerUserAuth - Error 0, failed to validate user group access
    We have a group defined and I have set it under Admin groups using the DN.
    Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
    TIA.
    Jeff

    Hello Man !
    Your provided documents and links are very effective. Thank you for your help. Right now I have the problem listed below:
    I have Cisco aironet 1142n access point. I have no ACS / WLC
    but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
    These APs are standalone. Please provide any configuration document
    "How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
    Thanks & Regards,
    Rizwan Haider Siddiqui.

  • Oracle Apps User Authentication with Active Directory

    Greetings,
    I am running Oracle Apps 12.1.1 using native login authentication. What I would like to do is set it up so that it uses our Active Directory to authenticate users. Does anyone know if there is an easy way to configure this or do I need to use OIM to accomplish it?
    Thanks

    Have a look here
    http://www.oracle.com/products/middleware/identity-management/docs/db-users-roles-management-whitepaper.pdf
