WLC AAA Radius to ISE - Multiple Domains in Single Forest
I am currently having a problem configuring AAA for management access to our wireless controllers.
Our Active Directory structure is as below (note: all domains are part of the same forest, with full trusts between the domains):
Root Domain
Americas domain, UK domain, EU domain, APAC domain
Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain, and there may be duplicate usernames between the domains.
I can't even see the RADIUS request hitting ISE, and I found out that this is due to a 24-character limit on the username field on the WLCs.
I don't have this issue with other IOS-based devices.
I could just create some admin accounts in the root domain, but the problem is that lobby admin staff also need to authenticate and they will run into the same issue.
I don't know if anyone has any suggestions for a possible workaround?
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf
Similar Messages
-
Facing issue while provisioning to AD which is in multiple domains in a single forest
Hi All,
I am facing an issue while user provisioning to AD, which is in multiple domains in a single forest. I can synchronize the OUs and Groups from the Global Catalog, i.e. the root domain, but am unable to synchronize OUs and Groups from the child domains. Following is a depiction of my domain.
Root ------- example.com
|_______domain1.example.com
|_______domain2.example.com
|_______domain3.example.com
My global catalog is example.com, where I have configured my connector. Following are the snippets of it.
Parameter: Value
ADLDSPort: (blank)
BDCHostNames: (blank)
Configuration Lookup: Lookup.Configuration.ActiveDirectory.Trusted
Connector Server Name: Active Directory Connector Server
Container: DC=example,DC=com
DirectoryAdminName: DWPTEST\adm
DirectoryAdminPassword: (blank)
DomainName: example.com
IsADLDS: no
LDAPHostName: GlobalCatalog server name -> where my root domain is present
SyncDomainController: (blank)
SyncGlobalCatalogServer: GlobalCatalog server name -> where my root domain is present
UseSSL: no
I am using the above configuration to sync my OUs and Groups using a scheduler job. I have made the following changes in the connector configuration.
1. Set the value of the SearchChildDomains entry to yes in one of the following lookup definitions:
For trusted source reconciliation: Lookup.Configuration.ActiveDirectory.Trusted
For target resource reconciliation: Lookup.Configuration.ActiveDirectory
2. Specify the name of the domain controller that is hosting the Global Catalog Server as the value of the SyncGlobalCatalogServer IT resource parameter.
For provisioning purposes I am trying to find the following configuration, which is mentioned in the connector document, but am unable to locate it.
In the connector, the referral chasing option is set to All, which means that all referrals are chased when any referral is provided by the domain controller
Thanks in advance.
Regards,
Nitin Natekar

Hi All,
Thanks all for the reply. I was not getting an error, but once I changed the connector configuration, it started working. I kept the LDAPHostName parameter blank in the connector configuration.
Thanks all for the reply
Regards,
Nitin Natekar
-
ISE - AAA radius authentication for NAD access
Hi,
I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed login to the switch as intended.
2. Every domain user which exists in the AD identity source can login; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configuration:
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name: NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol: Default Network Access
Use identity source: AD1

Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name: Nad Auth
Conditions
if: Any
AND: AD1:ExternalGroups EQUALS IT_Departments
Permissions, then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?
-
Multiple domains authentication on Cisco ISE
Hi,
Does the current Cisco ISE support authenticating against multiple Active Directories?
I can only set Cisco ISE to join a single Active Directory and LDAP.
Has anyone set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning?
Thanks
Pongsatorn

Hi,
We are in a situation where we need to authenticate users of two domains, and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domains using the DNS server settings, and adding a host entry for the domain name is not sufficient since the Kerberos, GC and LDAP SRV records need to be resolvable as well.
From what I know, ISE 1.3 should support disjointed domains and there is no requirement for ISE to have a two-way trust relationship with the domains.
Please share your experience if someone has faced a similar situation before.
Regards,
Akhtar
-
Strip multiple @domain suffixes used in usernames on AD integration with Cisco ISE?
Hi there,
How to strip multiple domain suffixes from the username through ISE with AD being used as the external Identity Source? The username is being used in username@domain format.
Cisco ISE 1.2 patch 4 introduced stripping a prefix or suffix @domain realm from the username through ISE with AD being used as the external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully, but subsequent ones listed in the suffix list fail to get stripped.
Any thoughts on the same.
Thanks Kumar

In the ISE, under Administration > Identity Management > External Identity Sources,
choose Active Directory on the left, select your AD server and select Advanced Settings.
Under Identity Suffix Strip, make sure "Strip prefixes listed below:" is selected (I know, it says prefix).
In the List of Suffixes box, enter your list of domain suffixes to strip. The separating character is a comma (,).
If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
*****UPDATE*****
Spaces are significant characters. When listing domains, do so as such:
@domain.com,@domain.local,@testdomain.com
*****END UPDATE*****
Please rate helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
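The reply above turns on one detail that is easy to get wrong in the suffix list: the list is split on commas only, so a space after a comma becomes part of the next suffix and that suffix never matches. The Python below is an added model of that behaviour (not Cisco code; that ISE splits on commas without trimming whitespace, and matches suffixes case-insensitively, are assumptions made to illustrate the note). It also adds a check the first thread on this page motivates: once the suffix is stripped, identically named accounts from different domains collapse onto one username, so a stripping configuration should be checked for such collisions before it is relied on for access decisions.

```python
"""Model of ISE 'Identity Suffix Strip' behaviour (added example, assumptions noted)."""

def parse_suffix_list(suffix_list):
    """Split the configured list on commas only.
    Whitespace is NOT trimmed, mirroring the 'spaces are significant' note
    (assumed behaviour, not taken from Cisco documentation)."""
    return [s for s in suffix_list.split(",") if s]

def strip_suffix(username, suffix_list):
    """Return username with the first matching configured suffix removed.
    Suffix matching is case-insensitive here (assumption), since domain names are."""
    for suffix in parse_suffix_list(suffix_list):
        if username.lower().endswith(suffix.lower()):
            return username[: -len(suffix)]
    return username

def collisions(usernames, suffix_list):
    """Map each stripped name that more than one input collapses onto
    back to the full names that produced it. Empty result means safe."""
    seen = {}
    for name in usernames:
        seen.setdefault(strip_suffix(name, suffix_list), []).append(name)
    return {short: full for short, full in seen.items() if len(full) > 1}

# Constructed configurations: the working form from the reply, and the same
# list typed with a space after each comma.
GOOD = "@domain.com,@domain.local,@testdomain.com"
BAD = "@domain.com, @domain.local, @testdomain.com"

# Constructed sample logins
SAMPLE = ["alice@domain.com", "bob@domain.local", "carol@testdomain.com"]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, {u: strip_suffix(u, cfg) for u in SAMPLE})
    print("collisions:", collisions(["admin@domain.com", "admin@domain.local"], GOOD))
```

With the spaced list only the first suffix (which has no leading space) is stripped, which is exactly the "first works, subsequent ones fail" symptom in the question. The collision check is the part worth keeping: a duplicate of a privileged account name in another domain of the forest is the case the stripping silently merges.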
-
Multiple domains for tracker.js
I'm using the personalization functionality of CQ 5.4, which appears to force a request for http://localhost:4502/libs/wcm/stats/tracker.js when pages load. According to the docs at http://dev.day.com/docs/en/cq/5-4/deploying/configuring_cq.html#OSGi Configuration in the Repository, I should be able to override this URL by adding some nodes to /apps/projectName. However, my tests seem to show that doing so for one project affects all sites on the server. In production, the client has a number of domains all running on one CQ instance.
1) Is there a way to remove this request altogether without modifying any JSPs in the /libs folder, or inheriting/overriding them?
2) Is there a way to support multiple domains?
The best solution I've come up with so far is creating a generic domain like cq-tracking.clientName.com, and having all sites use that.

See the following:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
*Perform Multi-Domain Searches (Optional)*
*Optional.* The ASA currently does not support the LDAP referral mechanism for multi-domain searches (Cisco bug ID CSCsj32153). Multi-domain searches are supported with the AD in Global Catalog Server mode. In order to perform multi-domain searches, set up the AD server for Global Catalog Server mode, usually with these key parameters for the LDAP server entry in the ASA. The key is to use an ldap-name-attribute that must be unique across the directory tree.
server-port 3268
ldap-scope subtree
ldap-naming-attribute userPrincipalName
If a Global Catalog server is not an option for you, you can always create two separate SSL tunnel-groups and two separate LDAP aaa-server groups, and this would also allow you to do two AD domains (but the drawback is that you would have to inform the user which group they should select).
-heather
-
What does IPSEC mean under Security - AAA - Radius - Authentication?
I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
The Cisco Wireless LAN Controller Configuration Guide 5.1 says: "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature. The default value is unchecked."
What exactly is meant by IP security mechanism?
Does this mean that I can terminate VPN clients on my WLC?
Note that this option appears even though no crypto card is installed in my controller.

This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported; well, you can't buy it new, but if you had one already... you get the idea.
HTH,
Steve
-
Guest WLC not talking to ISE; it is in a DMZ
I have allowed all IP traffic to the ISE servers from the DMZ where the Guest 5508 WLC sits. I see requests coming in from a WLAN configured on the inside WLC, but nothing from the SSID that comes from the WLC within the DMZ; it is a mobility anchor for the guest network on all my WLCs. What needs to be opened for this communication? Or will the mobility anchor type of setup not work in the ISE world? I have uploaded the config of the guest WLC; we are on 7.6.130.
Does the anchor controller send this request? I see nothing from the WLC through the monitor in my ASA firewall for any WLAN traffic, only talking back to the other controllers. I'm confused over how this traffic flows: the main WLC holds the SSIDs, the guest is handed off to the guest controller through the mobility anchor, but does the request to the RADIUS or ISE servers come from the guest controller or the main controller the APs belong to?
-
I have a couple of switches set up for AAA/RADIUS (Microsoft IAS running RADIUS). All authentication fails when I configure it with a RADIUS key (matching on switch and server).
When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
To get back into the switch I have to stop the IAS service on the Microsoft RADIUS server, log into the switch with the local admin password, then restart the IAS service.
How can I make AAA/RADIUS work effectively?

Mark
There are several things that you might do:
- reconfigure a switch and reconfigure the RADIUS server for that switch to eliminate the possibility of a configuration mismatch. I would be sure to key in clear-text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
- look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
- run debugs on the switches to see what they are reporting.
HTH
Rick
-
Local Webauth WLC using radius database
Hi all,
I am implementing local web auth on the WLC, not using local auth; I use a RADIUS database.
At least, I tried to add on my WLAN:
layer 3 web auth authentication
layer 2 security is WPA/WPA2 PSK
adding aaa radius server
aaa radius "network user" check list enabled
web auth priority order
radius
LDAP
After I test the WLAN, I can't login using the RADIUS database.
But if I implement the security method WPA/WPA2 dot1x, I can login using the RADIUS database.
Is there anything missing in my config for implementing the web auth method?
Thanks
ridho

Are you trying to use LDAP or RADIUS to authenticate the web auth users? Since you have 802.1x working, I don't see why you would use LDAP. What RADIUS server are you using also? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get web auth with RADIUS to work. Here is an example of 3 ways to authenticate web auth users. You should be able to find others out there also.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
-
Issuing Multiple MYSAPSSO2 tickets for Multiple Domains
Hi,
I am having a problem understanding the SAP documentation on how to go about issuing SAP login tickets in multiple domains. In the documentation it states that in order to do so, you require either an IRJ or the SAP ISAPI Web Filter installed on a server in the target domain. I have now set up the IIS_SSO.dll ISAPI filter in the domain I require the SSO ticket to be issued in; however, when I make a request to that web server I do not see the MYSAPSSO2 cookie being created in my browser. I do see in the ISAPI logs that the request has been filtered and the portal username extracted and set to the configured HTTP header, but no new cookie is created in the domain.
Can anyone help? Has anyone done something like this before?
Basically I have a portal in the domain myportal.subdomain.domain.com and an ITS in the domain myits.domain.com. With this configuration the MYSAPSSO2 cookie is not sent to the ITS server as it is in a super domain. So what I want is to configure the portal to issue a cookie in the super domain (domain.com) rather than subdomain.domain.com. I thought I could do this with the parameter login.ticket_recieving_hosts in the usermanagement.properties file (EP5) and the IIS ISAPI filter for SSO (IIS_SSO.dll) configured on a website in the super domain (domain.com).
Any help would be greatly appreciated.
Simon.

I believe we had to set the domain relax level (ume.logon.security.relax_domain.level) but needed to make sure this was secure, since it changes the domain scope of cookies that are valid for the system.
See the following:
http://scn.sap.com/thread/1534863
http://help.sap.com/saphelp_nw70ehp3/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
Hope this helps.
-
Multiple Domain files, Multiple Sites, Publishing Problems
I am frustrated beyond belief. I'm an old hand-coder, coming from BBEdit, but I've been using iWeb almost exclusively since its release, because it really is a great product for quick, easy, stylish designs.
However... in that year, my collection of sites has grown to 12. Discovering that iWeb becomes a major dog when dealing with that much material, I found and followed the instructions, today, to separate my sites into individual domain files and edit them individually. iWeb is much snappier and publishing goes much more quickly.
The problem? Well... after editing, "Publish to .Mac" rarely works. Only "Publish All to .Mac" will get the site online (something about an error with the index.html file). But "Publish All to .Mac", I've just discovered, DELETES the other websites that I have previously published. All day I've been doing updates and publishing my sites, only to discover that the uploads have all been wiped out by the most recent one!
I'm a big enough fellow to admit that my knowledge isn't total nor perfect, so please, would someone out there with a better handle on iWeb than I (preferably someone who actually deals with multiple domain files rather than someone who thinks they can guess the problem) please clue me in to how we make use of this program non-destructively?
I suppose I could always publish everything to folders and upload it to my iDisk (which itself remains ridiculously slow after how many years now? Sheesh!), but that detracts from the elegance of the .Mac integration, the counter features, not to mention the little fact that I'm a paying .Mac customer and this darn thing should just work, no?

Mark:
I was where you were also. You should give iWebSites a try. It's to iWeb what iPhoto Library Manager is to iPhoto.
I use iWebSites to manage multiple sites. It lets me create multiple sites and multiple domain files.
If you have multiple sites in one domain file, here's the workflow I used to split them into individual site files with iWebSites. Be sure to make a backup copy of your Domain.sites files before starting the splitting process.
This lets me edit several sites and only republish the one I want. Just remember to put a copy of your current Domain.sites file somewhere else on your HD in case the splitting gets messed up. It went very smoothly for me and I now manage 19 or so sites.
Do you Twango?
-
How do I host multiple domains on a single Messaging Server?
To host multiple domains on one Messaging Server, use the mailAlternateAddress attribute. If you want to host two domains (customer1.com and customer2.com) on your server mail1.domain.com, make sure that:
The various domains (in DNS) point to the installed mail server (you must have the MX records that point mail for customer1.com to mail1.domain.com and customer2.com to mail1.domain.com).
Each person receiving mail at customer1.com and customer2.com has an appropriate mailAlternateAddress attribute describing the appropriate email address. For instance, John Doe can have an email address (i.e. the value of the 'mail' attribute for the John Doe LDAP entry) of [email protected] and receive his mail on [email protected] (the value of the mailAlternateAddress attribute).
With Messaging Server 3.5, mailAlternateAddress can take the form of @mail1.domain.com. If jdoe's mailAlternateAddress is set to @mail1.domain.com, mail sent to [email protected] will be delivered to [email protected].

jaygatsby1123 wrote:
So what exactly am I doing with virtual hosts? There is a place for Aliases... What would I put in the "Aliases" box?
Any other host name that you want to resolve to the specified virtual host. It's quite literally an alias.
if you want www.example.com and www.example.org to end up at the same web site and you already have a virtual host — Apple refers to virtual hosts as sites — configured for www.example.com in Server.app, then you'd add www.example.org as an alias for the www.example.com virtual host (site).
Virtual hosts are implemented in a web server using some details of the HTTP or HTTPS protocol, and what the web browser (client) specified. The client gets handed an IP address or a domain name by the user, and the client then fetches the associated IP address for the target web server from the client's DNS services or local host database, and the client then connects to the IP address and passes over the text string that the user had requested — the IP address or domain name or even some local shortcut set up in the client system — via the HTTP or HTTPS protocol. The web server receives and processes this arriving text string from the client, and uses it to select which web site to render back to the web client. One subtle detail lurks here, too: the server's own DNS configuration really isn't involved in the selection of the virtual host.
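The selection step the reply describes, as an added example (not Server.app's or any web server's own code): the server takes the Host value the client sent, normalises it, and looks it up in a table built from each site's canonical name and its aliases. The site names, aliases and the sample request are constructed; real servers also consider the listening address and TLS SNI, which this model leaves out.

```python
from urllib.parse import urlsplit

# Constructed sample configuration: each canonical site name maps to its aliases
# (the Server.app terms "site" and "alias" from the reply above; names are made up).
SITES = {
    "www.example.com": ["www.example.org", "example.com"],
    "intranet.example.com": [],
}
DEFAULT_SITE = "www.example.com"   # where unmatched Host values fall back to

def build_lookup(sites):
    """Map every canonical name and alias (lower-cased) to its canonical site."""
    lookup = {}
    for canonical, aliases in sites.items():
        for name in [canonical, *aliases]:
            lookup[name.lower()] = canonical
    return lookup

LOOKUP = build_lookup(SITES)

def normalise_host(host_header):
    """Reduce a Host header value to a bare host name: drop the port, the
    brackets around an IPv6 literal, a trailing dot, and case."""
    parsed = urlsplit("//" + host_header.strip())
    return (parsed.hostname or "").rstrip(".")

def select_site(host_header, lookup=LOOKUP, default=DEFAULT_SITE):
    """Pick the site purely from the client-supplied Host value, exactly as the
    reply describes: the server's own DNS plays no part in the choice."""
    return lookup.get(normalise_host(host_header), default)

def host_header_of(raw_request):
    """Extract the Host header from the head of a raw HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""

# Constructed request, as a client would send it over the wire
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: WWW.Example.ORG:8080\r\n"
                  b"User-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    host = host_header_of(SAMPLE_REQUEST)
    print(host, "->", select_site(host))
```

Two consequences for the defender follow from the model. Anything the lookup does not recognise, including a bare IP address in the Host header, lands on the default site, so the default should be a site that is safe to serve to an unknown name. And because the value is entirely client-chosen, an application behind the server should treat Host as untrusted input rather than something the server's DNS has vouched for.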
-
How to create a Muse site in various languages with multiple domains
I have been asked to create a website for a product. A very simple website with maybe one or two pages and one product for sale, for which the client would like PayPal as the payment gateway. Simple, right?
No! This client would like to market their product into Europe; they would like to purchase multiple European domains (.fr, .de for example).
So how on earth can I do this? I will be using Muse for the build and Business Catalyst for hosting.
Bearing in mind the client will not want to pay for separately hosted sites, is there a way of translating the text for each domain? Or could I assign multiple domains but direct them to different home pages within the same site?
I haven't a clue how to problem-solve this.

Hi,
Some links that might be useful:
how to set up a multilingual website with Adobe Muse and push it live to Adobe Business Catalyst
Re: How can i create different languages for my page?
How can i create a multilingual website?
how to create a multilingual site
Do let me know if you have any questions.
-
How to use the Load Balancer Plug-in to serve multiple domains
In SJSAS 8.1 SE/EE the asadmin commands that create and maintain a load balancer configuration operate within a domain. When the load balancer configuration is exported, an XML file is created that contains all the information for that domain. To make the load balancer plug-in balance the load for multiple domains, the loadbalancer.xml files can be manually merged to contain the data that is exported from each domain's load balancer configuration.
For example, 2 domains are created, both having a load balancing configuration. After exporting both configurations using the asadmin export-http-lb-config command, the user would then cut and paste the cluster information into the single loadbalancer.xml file that resides under the web server's config directory.
An example of the manually merged loadbalancer.xml file follows:
<?xml version="1.0" encoding="UTF-8"?>
<loadbalancer>
  <cluster name="domain1">
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1026 https://localhost:38181" name="i1"/>
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1027 https://localhost:38182" name="i2"/>
    <web-module context-root="ab" disable-timeout-in-minutes="30" enabled="true"/>
    <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <cluster name="domain2">
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1029 https://localhost:38189" name="i3"/>
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1030 https://localhost:38188" name="i4"/>
    <web-module context-root="webservice" disable-timeout-in-minutes="30" enabled="true"/>
    <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="60"/>
  <property name="reload-poll-interval-in-seconds" value="5"/>
  <property name="https-routing" value="false"/>
  <property name="require-monitor-data" value="false"/>
  <property name="route-cookie-enabled" value="true"/>
</loadbalancer>
Hope this helps - Mark

Mark, be my savior. I work for SUN as a subcontractor at a client site, the only one at the site... so I depend on this forum for solutions...
Still having trouble failing over to the second instance. I have two Access Managers behind this load balancer.
Here is what I saw...
**************LOGS**********************
[20/Jun/2005:14:22:47] failure (15102): for host 128.114.65.13 trying to GET /amconsole/base/AMAdminFrame, service-passthrough reports: timed out waiting for request body
[20/Jun/2005:14:22:47] warning (15102): reports: lb.runtime: ROUT1014: Non-idempotent request /amconsole/base/AMAdminFrame cannot be retried.
So I went and updated the loadbalancer.xml (see at the end of the msg). Now I get a different kind of problem...
**************LOGS******************************
[20/Jun/2005:15:25:18] failure (15295): for host 128.114.65.13 trying to GET /amconsole/base/AMAdminFrame, service-passthrough reports: timed out waiting for request body
[20/Jun/2005:15:25:18] info (15295): reports: lb.runtime: RNTM3003 : Error servicing the request : NoVal
Here is my loadbalancer.xml file...
<loadbalancer>
  <cluster name="cluster1">
    <instance name="instance1" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-1.ucsc.edu:80 "/>
    <instance name="instance2" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-2.ucsc.edu:80 "/>
    <web-module context-root="amconsole" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
      <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
    </web-module>
    <web-module context-root="amserver" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
      <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
    </web-module>
    <web-module context-root="ampassword" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html"/>
    <web-module context-root="amcommon" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
      <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
    </web-module>
    <health-checker url="/" interval-in-seconds="15" timeout-in-seconds="2"/>
  </cluster>
  <property name="reload-poll-interval-in-seconds" value="60"/>
  <property name="response-timeout-in-seconds" value="30"/>
  <property name="https-routing" value="false"/>
  <property name="require-monitor-data" value="true"/>
  <property name="active-healthcheck-enabled" value="true"/>
  <property name="number-healthcheck-retries" value="3"/>
  <property name="route-cookie-enabled" value="true"/>
</loadbalancer>
**************************************************************
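Mark's procedure above (export each domain's configuration, then cut and paste the cluster elements into one loadbalancer.xml) is a hand merge, and hand merges have three failure modes worth catching: the same cluster name pasted twice, one context-root claimed by clusters from two domains (the plug-in would have to guess which to route to), and a global property that the two exports set to different values. The Python below is an added example, not part of the original post or of the Sun Java System Application Server tooling; the two export strings are constructed to the shape of the loadbalancer.xml shown in the thread, not real export-http-lb-config output, and the merged file is written without any asadmin involvement.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports, shaped like the loadbalancer.xml shown in the thread.
EXPORT_DOMAIN1 = """<?xml version="1.0" encoding="UTF-8"?>
<loadbalancer>
  <cluster name="domain1">
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1026 https://localhost:38181" name="i1"/>
    <web-module context-root="ab" disable-timeout-in-minutes="30" enabled="true"/>
    <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="60"/>
  <property name="https-routing" value="false"/>
</loadbalancer>
"""

EXPORT_DOMAIN2 = """<?xml version="1.0" encoding="UTF-8"?>
<loadbalancer>
  <cluster name="domain2">
    <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1029 https://localhost:38189" name="i3"/>
    <web-module context-root="webservice" disable-timeout-in-minutes="30" enabled="true"/>
    <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="60"/>
  <property name="route-cookie-enabled" value="true"/>
</loadbalancer>
"""

def merge_lb_configs(*exports):
    """Merge exported loadbalancer.xml documents into one <loadbalancer> element.

    Clusters are copied across unchanged. Duplicate cluster names, a context-root
    claimed by two clusters, and conflicting global property values are rejected
    rather than silently producing an ambiguous file.
    """
    merged = ET.Element("loadbalancer")
    cluster_owner = {}   # cluster name -> index of the export it came from
    root_owner = {}      # context-root -> cluster name
    properties = {}      # property name -> value
    for idx, text in enumerate(exports):
        data = text if isinstance(text, bytes) else text.encode("utf-8")
        doc = ET.fromstring(data)
        if doc.tag != "loadbalancer":
            raise ValueError(f"export {idx}: root is <{doc.tag}>, expected <loadbalancer>")
        for cluster in doc.findall("cluster"):
            name = cluster.get("name")
            if name in cluster_owner:
                raise ValueError(f"cluster {name!r} appears in exports {cluster_owner[name]} and {idx}")
            cluster_owner[name] = idx
            for module in cluster.findall("web-module"):
                ctx = module.get("context-root")
                if ctx in root_owner:
                    raise ValueError(f"context-root {ctx!r} claimed by clusters {root_owner[ctx]!r} and {name!r}")
                root_owner[ctx] = name
            merged.append(cluster)
        for prop in doc.findall("property"):
            pname, pvalue = prop.get("name"), prop.get("value")
            if pname in properties and properties[pname] != pvalue:
                raise ValueError(f"property {pname!r} differs: {properties[pname]!r} vs {pvalue!r}")
            properties[pname] = pvalue
    # Properties are global to the plug-in, so they are emitted once, after all clusters.
    for pname, pvalue in properties.items():
        ET.SubElement(merged, "property", name=pname, value=pvalue)
    return merged

def cluster_names(root):
    return [c.get("name") for c in root.findall("cluster")]

def property_map(root):
    return {p.get("name"): p.get("value") for p in root.findall("property")}

def to_xml(root):
    """Serialise with the declaration the exported files carry."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_xml(merge_lb_configs(EXPORT_DOMAIN1, EXPORT_DOMAIN2)))
```

The property check is the one that matters for the second poster's situation: the two files on this page set response-timeout-in-seconds to 60 and 30 respectively, and a merge that keeps whichever copy was pasted last changes retry and timeout behaviour for every cluster without anyone noticing.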