WLC and LDAP Groups

Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication? I have this URL that explains local authentication and LDAP: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication, but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on the WLC. Any ideas?

You are right. You need a RADIUS server overall that integrates with AD and does AD-to-RADIUS group mapping. This way authentication is allowed/denied by RADIUS, not by the WLC itself.
If the user can get a RADIUS server to achieve this, that will be great (especially if the user is using 802.1x/EAP authentication). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from the user's requirements.
The user is not limited to Microsoft RADIUS (IAS or NPS); any RADIUS server that supports AD group mapping can be used. With Cisco ACS, for example, this is supported as well. I am not sure if this is also supported with open-source RADIUS (openRadius for example). But if it is, then openRadius can also be used.

Similar Messages

  • WLC and LDAP

    Hi to all,
    I want to use local EAP + LDAP (Microsoft AD) and I'm experiencing some issues.
    First of all, I'm not able to bind WLC and LDAP... if I perform a debug aaa ldap enable I get this output:
    Any idea about how to solve this issue?
    Regards
    Ale

    It sounds like .... invalid credentials? :-)
    Please post your LDAP config on the WLC.
    Is your admin username with which you're binding within the search context that you defined? This is very important.

  • VPN with RSA and LDAP Groups

    I'm trying to rebuild our VPN environment with a pair of 5520s. We're going to use AnyConnect mobility exclusively with SSL. No IPsec and no SSL WebVPN.
    We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA two-factor.
    How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
    Thanks for any help.

    Yes, you can do the authentication to an RSA server and the authorization to the LDAP server.
    Please configure LDAP as an authorization server.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
    Do let me know how it goes.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • AAA, WLC, and AP Groups, Anchor Controller, Problem

    All,
    First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up.  Here are the details and the problem(s):
    Have Cisco ACS using backend AD for user authentication
    MSCHAP, 802.1x
    Three wireless controllers running ver 7.0.98.0; one controller is 4404 the other two are on WiSM blade in 6509.
    Many AP Groups and a few mobility anchor setups.
    Wifi clients used to test are Intel and have the proper drivers 12.4.4.5 and 13.1.1.1
    First authentication problem is via SSIDs associated with anchor controllers. Whenever the SSID is set to use 802.1x, the anchor controller sends a message to ACS (RADIUS), but ACS never sees the communication.
    Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the controller talks to the ACS, but the ACS never sees the communication.
    Note that all the above works fine as long as I am not using 802.1x.  If I am using PSK, it all works flawlessly.
    One other thing to note is that, in the case of the AP Group problem, if within the AP group I associate the SSID with the management interface, 802.1x works perfectly. The problem with that is that the client gets assigned an IP address from the management VLAN... not what I want; instead, I want the client to get its IP address from the interface associated with the AP Group.
    It is not a routing problem....
    I have gone through two TAC engineers and the problem is still not resolved. So close, but not successful.
    Any interoperability/Security experts out there that can help nail this thing?
    Thanks

    Jeff,
    Sorry for the late reply.... of course your suggestion was right on the mark and a Wireshark trace uncovered the problem. I had already re-engaged Cisco TAC and between the wireless engineer and one of their security engineers, they were able to point out that Cisco ACS 5.0 has a bug specific to this particular problem. They told me to apply a patch, apply an OS upgrade, then apply the ACS 5.1 upgrade to the ACS. I was able to apply the patch, but never could get the OS upgrade to take. For the heck of it, I re-checked the problem after applying the patch and YooHoo! Works as advertised!
    Thanks for showing the interest, it was definitely a pain point for my customer.

  • Enforced disk quota on LDAP group users

    Hi,
    Currently, I have created individual LDAP users and LDAP group users. I have created an individual network shared folder and a common network shared folder with disk quotas enforced. I would appreciate it if anyone could help me on how I could allow the LDAP user to access their own network shared folder as well as the common folder with the disk quota enforced.
    Thank you!
    Stephanie

    Hello Perry,
    I recommend posting this query to the BusinessObjects Enterprise Administration (BI Platform) forum.
    This forum is dedicated to topics related to administration and configuration of BusinessObjects Enterprise, BusinessObjects Edge, and Crystal Reports Server.
    It is monitored by qualified technicians and you will get a faster response there.
    Also, all BOE Administration queries remain in one place and thus can be easily searched in one place.
    Best regards,
    Falk

  • WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

    hi NG,
    I'm trying to web-authenticate my Wi-Fi users of a WLC 5508 against LDAP.
    Thereby I'm trying to authenticate all users within a GROUP, not an OU, within the MS Active Directory based on a Windows 2008 Server.
    I can authenticate against a user which is put into an OU, according to the examples found here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    Checking based upon users within OUs works fine.
    But I have not got all of those users within one single OU!
    Need help for the following: LDAP auth based on AD groups:
    Using:
    MS-Domain:               MY-DOMAIN.CH
    AD-GROUP:                VPN-USERS
    AD-Structure:
    MY-DOMAIN.CH
    |
    GROUPS
        |
        Administrative Groups
            |
            VPN-USERS
                (-> members of this group: Wireless1, Wireless2, ...)
    Server Address:          IP.IP.IP.IP
    Port:                    389
    Enable Server Stats:     YES
    Simple Bind:             Authenticated
    Bind Username:           LDAP-USER
    Bind Password:           supersecret
    Bind Passw. confirm:     supersecret
    User Base DN:            ?-1-?
    User Attribute:          ?-2-?
    User Object Type:        Person
    Server Timeout:          2
    What happens, for instance, if I put a GROUP within a GROUP regarding the LDAP authentication?
    I guess I have to authenticate against the "upper" GROUP, or do I have to create an entry on the WLC for every GROUP I'm questioning?
    Could someone provide me with an example, since I have not found documentation regarding this topic?
    Thank you.

    Hi,
    User Base DN: this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
    Remember that the User Base DN is also used for the admin user.
    In conclusion, the User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
    Example:
    OU=Employees,OU=Humans,DC=Mydomain,DC=CH
    This would prevent searching machines or any other assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under Employees, it doesn't matter.
    Attribute: this is the object attribute that the WLC compares with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
    If what you are looking for is to restrict access and only authenticate people who belong to a certain group, then you need a RADIUS server like ACS.
    That server will be able to make selections and check the "memberOf" attribute to make sure the user is in a certain group.
    Nicolas
    ===
    Don't forget to rate answers that you find useful
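    An added illustration, not from this thread or from Cisco, of the two lookups Nicolas describes: the WLC-style user search scoped to a User Base DN, and the RADIUS-side memberOf check, including the nested group case from the question. The directory, DNs, users and group names are constructed in memory; nothing talks to a real server.

```python
"""Illustration (not from the thread) of the WLC LDAP user lookup versus a
RADIUS-side memberOf check.  The directory below is a constructed in-memory
stand-in for AD; every DN, user and group name is invented."""
from typing import Dict, List, Optional, Set

GROUPS_OU = "OU=Administrative Groups,OU=Groups,DC=mydomain,DC=ch"
WIRELESS1 = "CN=Wireless1," + GROUPS_OU
VPN_USERS = "CN=VPN-USERS," + GROUPS_OU
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed directory: DN -> attributes.  alice is a member of VPN-USERS only
# indirectly, through the nested group Wireless1; bob lives outside Employees.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=ldap-user,OU=Employees,OU=Humans,DC=mydomain,DC=ch": {
        "objectClass": USER_CLASSES, "sAMAccountName": ["ldap-user"], "memberOf": []},
    "CN=alice,OU=Sales,OU=Employees,OU=Humans,DC=mydomain,DC=ch": {
        "objectClass": USER_CLASSES, "sAMAccountName": ["alice"], "memberOf": [WIRELESS1]},
    "CN=bob,OU=Contractors,DC=mydomain,DC=ch": {
        "objectClass": USER_CLASSES, "sAMAccountName": ["bob"], "memberOf": []},
    WIRELESS1: {"objectClass": ["top", "group"], "memberOf": [VPN_USERS]},
    VPN_USERS: {"objectClass": ["top", "group"], "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed username cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attribute: str, username: str, object_type: str) -> str:
    """The filter a WLC-style lookup sends: (&(objectClass=Person)(sAMAccountName=...))."""
    return "(&(objectClass=%s)(%s=%s))" % (object_type, attribute, escape_filter_value(username))


def in_base(dn: str, base_dn: str) -> bool:
    """Subtree scope: True when dn equals or sits under base_dn (case-insensitive)."""
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)


def wlc_user_search(base_dn: str, attribute: str, username: str,
                    object_type: str = "person") -> Optional[str]:
    """Model of the WLC lookup: find one entry under base_dn whose `attribute`
    equals the username and whose objectClass includes object_type.
    Returns its DN (the WLC then binds as that DN with the user's password),
    or None, which the WLC reports as an authentication failure."""
    for dn, attrs in DIRECTORY.items():
        if not in_base(dn, base_dn):
            continue  # this is why users in another OU are "not found"
        if object_type.lower() not in (c.lower() for c in attrs.get("objectClass", [])):
            continue
        if any(v.lower() == username.lower() for v in attrs.get(attribute, [])):
            return dn
    return None


def effective_groups(dn: str) -> Set[str]:
    """Transitive closure of memberOf: direct groups plus groups they are nested in.
    Returned DNs are lower-cased for comparison."""
    seen: Set[str] = set()
    todo = list(DIRECTORY.get(dn, {}).get("memberOf", []))
    while todo:
        group = todo.pop()
        if group.lower() in seen:
            continue
        seen.add(group.lower())
        todo.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def radius_group_check(user_dn: str, required_group_dn: str) -> bool:
    """What a RADIUS server (ACS/NPS) adds: membership, direct or nested, in one group."""
    return required_group_dn.lower() in effective_groups(user_dn)


def authenticate(base_dn: str, attribute: str, bind_user: str, username: str,
                 required_group: Optional[str] = None) -> str:
    """End-to-end decision.  The bind account is looked up under the same
    base DN as the users, exactly as the WLC does."""
    if wlc_user_search(base_dn, attribute, bind_user) is None:
        return "bind-user-outside-base-dn"
    user_dn = wlc_user_search(base_dn, attribute, username)
    if user_dn is None:
        return "user-not-found"
    if required_group is None:
        return "accept"  # WLC alone: any user under the base DN is accepted
    return "accept" if radius_group_check(user_dn, required_group) else "reject-not-in-group"
```

    With the base DN set to OU=Employees, bob is reported as not found even with a correct password, and narrowing the base DN to OU=Sales breaks the bind account before any user is checked; only the group check rejects alice when she is not (transitively) in the required group.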

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent:
    1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have 2 groups in iPlanet, contractors and employees, and I have 2 security roles in WebLogic, contractors and employees. How do I map the LDAP group contractors to the WebLogic security role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. the RDN for a contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of WebLogic (the WebLogic Security Realm under People), or do I have to write my own custom code?
    3. I am planning to use roles instead of groups to manage the logical grouping in iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration parameters)?
    This is very urgent .... so if any of you can throw any hints, that will be greatly appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. You don't have to download any additional driver. Use it as you normally would; the only thing to remember is if you are trying to write standalone Java code then you have to have weblogic.jar in your classpath. For the rest of the info follow the WLS docs for 6.1.
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our WebLogic 6.1 sp1 server to a SQL Server 2000 DB. We downloaded the JDriver from bea.com, but all the instructions that came with it are for WLServer 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1.     Ability to create/manage Static LDAP group.
    2.     Ability to create/manage filtered LDAP group.
    3.     Ability to create/manage Static LDAP roles.
    4.     Ability to create/manage filtered LDAP roles.
    Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

  • Dynamic LDAP groups

    Hi All,
    Weblogic Server 5.1 doesn't support dynamic LDAP groups.
    Our experience shows that the same problem is present with WLCS 3.11
    Is the problem solved in WS 6 and WLCS 3.5?
    Kind Regards,
    Panu Harkonen

    Hello J.P.,
    Note that LDAP realm v2, which is the default realm in WLS 6.1, can only show group names in the WLS admin console, not the group members (LDAP realm v1, the same realm in previous versions of WLS servers, does show group members in the admin console).
    From my understanding of dynamic groups, they are still conceptually similar to a regular group, albeit their members are stored differently. So with this understanding I don't see why the WLS 6.1 LDAP realm wouldn't be able to use dynamic groups. You can probably run a quick test yourself to see.
    Regards,
    BEA WebLogic Support
    "Jose Perez" <[email protected]> wrote in message
    news:3c838ce2$[email protected]..
    Hi all,
    Does anyone know if weblogic 6.1 supports dynamic LDAP groups?
    Thanks in advance,
    J.P.

  • JDNI and LDAP

    We are running WL 5.1 w/ SP6, and eDirectory from Novell. We are using the Novell LDAP for storing users. I need to rewrite the implementation to add, modify and delete users from LDAP. Do I need to get a connection to LDAP and modify it directly, or can I maintain users by writing to the WL security realm? I have seen a bunch of scattered documentation on these things, but nothing concrete. Any help and links to documentation would be greatly appreciated.
    -Jake

    The statement in the Personalization Server documentation is basically correct, at this time. The basic thinking is that you've chosen an external realm because it already contains users and groups, thus you must have used an external mechanism to populate it.
    Probably a better illustration is to imagine how your NT domain administrator would feel if anyone with admin privileges for WebLogic server could add users and groups to their NT domain. I think that in the case of NT and Unix realms this seems pretty reasonable. One could argue that the same is not true for LDAP, but for consistency it was kept the same.
    Paul Patrick
    "Cameron Purdy" <[email protected]> wrote in message
    news:[email protected]...
    Jake,
    AFAIK the LDAP realm implementation in WebLogic is read-only. The best explanations that I have seen are in the rationalizations that the Personalization Server documentation makes with regards to its dependence on the RDBMS realm, and why its extended features do not support the LDAP realm:
    "To ensure behavior consistent with Personalization Server purposes, the UserManager employs two primary strategies. For certain operations, (com.beasys.commerce.axiom.contact.UserManager), the UserManager qualifies the security realm being used before taking action. These operations can only be performed if the current security realm class is com.beasys.commerce.axiom.contact.security.RDBMSRealm. See UserManager EJB in Javadoc for details. For example, the createGroup() method throws a UserManagementException if the out-of-the-box RDBMSRealm is not being used. The logic behind such an exception is that the UserManager is designed to work with the default Personalization database schema. If another realm is being used (e.g., WebLogic LDAPRealm), it is assumed that the client has another means, besides the Personalization Server administration tools, that should be used for adding and removing groups and users to/from the realm."
    (http://edocs.bea.com/wlcs/p13n/users.htm)
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jake" <[email protected]> wrote in message
    news:[email protected]...
    We are running WL 5.1 w/ SP6, and eDirectory from Novell. We are using the Novell LDAP for storing users. I need to rewrite the implementation to add, modify and delete users from LDAP. Do I need to get a connection to LDAP and modify it directly, or can I maintain users by writing to the WL security realm? I have seen a bunch of scattered documentation on these things, but nothing concrete. Any help and links to documentation would be greatly appreciated.
    -Jake

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc. against the AD (which has M$ SFU 3.5 installed).
    I have the Kerberos authentication and part of the LDAP service working via PAM & NSS.
    i.e. I can log on to the Solaris workstations using the AD username and password, and mount the home directory from a M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the PAM, NSS and/or LDAP config files, so that I can list the secondary groups?
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory Server it looks like we are going to end up with a similar solution..
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, currently we are evaluating a product called Vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional NSS module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.

  • Error while adding LDAP group

    Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
    To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced a few entries with XXXX and YYYY for security.
    LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
    LDAP Server Type: Novell eDirectory
    Base LDAP Distinguished Name: ou=XXXXX,dc=YY
    LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
    LDAP Referral Distinguished Name: ""
    Maximum Referral Hops: 0
    SSL Type: Server Authentication
    Server Side SSL Strength: Always accept server certificate
    Single Sign On Type: None
    When I add any new group, it's not added and I get the below error message in the Logging directory for WCA.
    Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
    Parameter name: offset, stack:    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
       at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
    Can anyone help me find out whether LDAP is configured correctly before adding a group?
    Thanks,

    Resolved. It was due to wrong LDAP group given to me.
    Thanks,

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret
    Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
    Be sure to click Like! for those who have helped you.
    Click  Accept as Solution for posts that have solved your issue(s)!

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
    The wireless network is configured with 2 SSIDs (Staff and Guest).
    Active Directory, DNS, DHCP, and NTP are configured & synced.
    ISE and AD are running on C220 VMs, and the WLC is a 5760 appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and RADIUS between your NAD and the ISE device.
    Using the switch 3850, these are the steps:
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    !this password will be used to communicate with ISE and to verify reachability
    !between ISE and Switch
    aaa server radius dynamic-author
     client 172.16.1.18 server-key 7 radiuskey
     client 172.16.1.20 server-key 7 radiuskey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    !the comm between radius and ise will occur on these Port
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized.
    Enable dot1x on the Windows machine, or use Cisco NAM.
    You can enable debugging on aaa authentication to see the events.
    You have to create this user on ISE (RADIUS-HEALTH).
    3850#test aaa group radius username password new-code 
    and observe the result. You are supposed to have the user authenticated successfully.
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
    administration-->network resources -->Network Devices-->Add
    Input the name.
    Input the IP address for RADIUS communication.
    Select the authentication settings and fill in the corresponding shared secret RADIUS key.
    Select SNMP settings and select version 2c.
    snmp community : ciscoro
    You can customize the polling interval if you want, and that's all.
    You are supposed to receive message communication between your NAD and ISE.
    After that you can do the procedure for the WLC device.
    I will fill it in after you have passed the first steps (3850 authentication).

  • Creating a report containing Report Names and associated Groups in XIr3.2

    Hi -- Does anyone know if we have the ability to create a report that contains Report Names and their associated Groups (like LDAP groups)?
    We actually have Groups associated at the Report level as well as the Folder level.
    This functionality did not exist in XIr2.

    I'm inferring you want to report on the CMS repository database, specifically UserGroups and which reports are accessible by those UserGroups.
    That would involve Java SDK coding if you're looking for detailed ACL list information.  You'd need to implement Enterprise Java SDK code to retrieve the InfoObject/SecurityInfo2/Principal information, and create adapter classes to make that information consumable via one of the supported reporting connectivities.
    For this, you'd need experience with both Enterprise Java SDK and supported reporting connectivity APIs (such as POJOs or JavaBeans).
    Sincerely,
    Ted Ueda
