WLC and LDAP Groups
Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication. I have this url that explains local authentication and LDAP... http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC. Any ideas?
You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authentication). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from the user's requirements.
The user is not only limited to Microsoft RADIUS (IAS or NPS). However, any radius server that supports AD group mapping can be used. With Cisco ACS, for example, this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is, then openRadius can also be used.
Similar Messages
-
Hi to all,
I want to use local-EAP+LDAP (Microsoft AD) and I'm experiencing some issues.
First of all I'm not able to bind WLC and LDAP... if I perform a debug aaa ldap enable I get this output:
Any idea about how to solve this issue?
Regards
Ale
It sounds like .... invalid credentials ? :-)
Please post your LDAP config on WLC.
Is your admin username with which you're binding within the search context that you defined ? this is very important -
I'm trying to rebuild our VPN environment with a pair of 5520. We're going to use AnyConnect mobility exclusively with SSL. No IPSec and no SSL WebVPN.
We have a large number of contractors using the VPN to access specific internal resources, so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor, so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA 2-factor.
How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
Thanks for any help.
Yes, you can do the authentication to an RSA server and the authorization to the LDAP server.
Please configure LDAP as an authorization server.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Do let me know how it goes.
~BR
Jatin Katyal
**Do rate helpful posts** -
AAA, WLC, and AP Groups, Anchor Controller, Problem
All,
First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up. Here are the details and the problem(s):
Have Cisco ACS using backend AD for user authentication
MSCHAP, 802.1x
Three wireless controllers running ver 7.0.98.0; one controller is 4404 the other two are on WiSM blade in 6509.
Many AP Groups and a few mobility anchor setups.
Wifi clients used to test are Intel and have the proper drivers 12.4.4.5 and 13.1.1.1
First authentication problem is via SSIDs associated with anchor controllers. Whenever the SSID is set to use 802.1x, the anchor controller sends a message to ACS (RADIUS), but ACS never sees the communication.
Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the controller talks to the ACS, but the ACS never sees the communication.
Note that all the above works fine as long as I am not using 802.1x. If I am using PSK, it all works flawlessly.
One other thing to note is that, in the case of the AP Group problem, if within the AP group I associate the SSID with the management interface, the 802.1x works perfectly. The problem with that is that the client gets assigned an IP address from the management Vlan... not what I want; instead, I want the client to get its IP address from the interface associated with the AP Group.
It is not a routing problem....
I have gone through two TAC engineers and the problem is still not resolved. So close, but not successful.
Any interoperability/Security experts out there that can help nail this thing?
Thanks
Jeff,
Sorry for the late reply.... of course your suggestion was right-on the mark and a wireshark trace uncovered the problem. I had already re-engaged Cisco TAC and between the wireless engineer and one of their security engineers, they were able to point out that the Cisco ACS 5.0 has a bug specific to this particular problem. They told me to apply patch, apply OS upgrade, then apply ACS 5.1 upgrade to the ACS. I was able to apply the patch, but never could get the OS upgrade to take. For the heck of it, I re-checked the problem after applying the patch and YooHoo! Works as advertised!
Thanks for showing the interest, it was definitely a pain-point for my customer. -
Enforced disk quota on LDAP group users
Hi,
Currently, I have created individual LDAP users and LDAP group users. I have created individual network shared folders and a common network shared folder with disk quotas enforced. I would appreciate if anyone could help me on how I could allow the LDAP user to access their own network shared folder as well as the common folder with disk quota enforced?
Thank you!
Stephanie
Hello Perry,
I recommend to post this query to the [BusinessObjects Enterprise Administration|BI Platform; forum.
This forum is dedicated to topics related to administration and configuration of BusinessObjects Enterprise, BusinessObjects Edge, and Crystal Reports Server.
It is monitored by qualified technicians and you will get a faster response there.
Also, all BOE Administration queries remain in one place and thus can be easily searched in one place.
Best regards,
Falk -
WLC 5508 LDAP Windows 2008 Server - auth based on AD groups
Hi NG,
I'm trying to web-authenticate my Wifi users of a WLC 5508 against LDAP.
Thereby I'm trying to authenticate all users within a GROUP, not an OU, within the MS Active Directory based upon a Windows 2008 Server.
I can authenticate against a user which is being put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
Checking based upon users within OUs works fine.
But I have not got all of those users within one single OU!
Need help for following: LDAP-Auth based on AD Groups:
Using:
MS-Domain: MY-DOMAIN.CH
AD-GROUP: VPN-USERS
AD-Structure:
MY-DOMAIN.CH
|
GROUPS
|
Administrative Groups
|
VPN-USERS
(-> Members of this group: Wireless1, Wireless2, ...)
Server Address: IP.IP.IP.IP
Port: 389
Enable Server Stats YES
Simple Bind Authenticated
Bind Username LDAP-USER
Bind Password supersecret
Bind Passw. confirm supersecret
User Base DN: ?-1-?
User Attribute: ?-2-?
User Object Type: Person
Server Timeout 2
What happens, for instance, if I put a GROUP within a GROUP regarding the LDAP authentication?
I guess I have to authenticate against the "upper" GROUP, or do I have to create an entry on the WLC for every GROUP I'm questioning?
Could someone provide me with an example, since I have not found documentation regarding this topic.
Thank you.
Hi,
User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
Remember that the User Base DN is also used for the admin user.
In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
Example :
OU=Employees,OU=Humans,DC=Mydomain,DC=CH
This would prevent searching in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under Employees, it doesn't matter.
Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
If what you are looking for is to restrict access and only authenticate people who belong to a certain group, then you need a radius server like ACS.
That server will be able to make selections and check the "memberOf" attribute to make sure the user is in a certain group.
Nicolas
===
Don't forget to rate answers that you find useful -
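The two-step check Nicolas describes (scope the search by User Base DN, match the User Attribute, bind as the found entry) and the memberOf evaluation that both this thread and the first one say must come from a RADIUS server, modelled as an added Python example that is not from any post or from a Cisco product. The directory entries, DNs and passwords are constructed sample data laid out like the AD structure in the question, and the nested-group walk covers the GROUP-within-a-GROUP case asked about above.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data mirroring the AD layout in the question: users under
# OU=Employees,OU=Humans, groups under OU=Groups. Keys are lower-cased DNs.
VPN_USERS = "cn=vpn-users,ou=administrative groups,ou=groups,dc=my-domain,dc=ch"
SALES_WIFI = "cn=sales-wifi,ou=groups,dc=my-domain,dc=ch"
DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=ldap-user,ou=service,ou=employees,ou=humans,dc=my-domain,dc=ch":
        {"sAMAccountName": "LDAP-USER", "userPassword": "supersecret", "memberOf": []},
    "cn=wireless1,ou=it,ou=employees,ou=humans,dc=my-domain,dc=ch":
        {"sAMAccountName": "Wireless1", "userPassword": "w1-pass", "memberOf": [VPN_USERS]},
    # Wireless2 is in VPN-USERS only through the nested group SALES-WIFI
    "cn=wireless2,ou=sales,ou=employees,ou=humans,dc=my-domain,dc=ch":
        {"sAMAccountName": "Wireless2", "userPassword": "w2-pass", "memberOf": [SALES_WIFI]},
    # Guest1 lives outside the Employees OU, so a scoped search never sees it
    "cn=guest1,ou=guests,ou=humans,dc=my-domain,dc=ch":
        {"sAMAccountName": "Guest1", "userPassword": "g1-pass", "memberOf": []},
    SALES_WIFI: {"memberOf": [VPN_USERS]},
    VPN_USERS: {"memberOf": []},
}

def normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry's DN must end with the User Base DN."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)

def search_user(base_dn: str, attribute: str, value: str) -> Optional[str]:
    """The WLC search: one entry under base_dn whose User Attribute equals value."""
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, base_dn) and str(attrs.get(attribute, "")).lower() == value.lower():
            return dn
    return None

def simple_bind(dn: str, password: str) -> bool:
    """Simple bind succeeds only with the entry's own password."""
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry.get("userPassword") == password

def wlc_authenticate(cfg: Dict[str, str], username: str, password: str) -> Tuple[bool, str]:
    """WLC-style LDAP auth (simplified): the bind user is located under the same
    User Base DN as the users, then the user is found and bound with its password."""
    admin_dn = search_user(cfg["base_dn"], cfg["attribute"], cfg["bind_user"])
    if admin_dn is None or not simple_bind(admin_dn, cfg["bind_password"]):
        return False, "admin bind failed: bind user not under User Base DN or bad password"
    user_dn = search_user(cfg["base_dn"], cfg["attribute"], username)
    if user_dn is None:
        return False, "user not found under User Base DN"
    if not simple_bind(user_dn, password):
        return False, "invalid credentials"
    return True, user_dn

def transitive_groups(dn: str) -> Set[str]:
    """Follow memberOf through nested groups, as a RADIUS server (e.g. ACS) would."""
    seen: Set[str] = set()
    stack: List[str] = [normalize_dn(dn)]
    while stack:
        for group in DIRECTORY.get(stack.pop(), {}).get("memberOf", []):
            if normalize_dn(group) not in seen:
                seen.add(normalize_dn(group))
                stack.append(normalize_dn(group))
    return seen

def radius_authorize(user_dn: str, required_group: str) -> bool:
    """The group restriction the WLC alone cannot do: is the user in required_group?"""
    return normalize_dn(required_group) in transitive_groups(user_dn)

# The WLC settings from the question, with the "?-1-?" / "?-2-?" blanks filled in
WLC_CFG = {"base_dn": "OU=Employees,OU=Humans,DC=My-Domain,DC=CH", "attribute": "sAMAccountName",
           "bind_user": "LDAP-USER", "bind_password": "supersecret"}
```

Narrowing the base DN to OU=IT,OU=Employees,... makes every authentication fail at the admin bind, because LDAP-USER sits under OU=Service; that is the trap Nicolas warns about.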
I have 2 questions and these are very urgent :-
1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have 2 groups in iPlanet :- contractors and employees, and I have 2 security roles in WebLogic :- contractors and employees. How do I map LDAP group contractors to WebLogic security role contractors? Similarly for employees?
2. I have not defined contractors and employees under the People container in iPlanet. e.g. The RDN for contractor is
uid=1234,ou=dir,dc=orams,dc=com
Can I still use the default security realm of WebLogic (the WebLogic Security Realm under People) OR do I have to write my own custom code?
3. I am planning to use Roles instead of groups to manage the logical grouping in iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration parameters)?
This is very urgent .... so if any of you can throw any hints that will be greatly appreciated.
--Sunita
Hi Ariel,
The driver is bundled with the product in WLS 6.1sp1. You don't have to download any additional driver. Use it as you normally would; the only thing to remember is if you are trying to write standalone Java code then you have to have weblogic.jar in your classpath. For the rest of the info follow the WLS docs for 6.1.
HTH
sree
"Ariel" <[email protected]> wrote in message
news:3bb4a643$[email protected]..
We want to connect our WebLogic 6.1 sp1 server to a SQLServer 2000 db. We downloaded the JDriver from bea.com, but all the instructions that came with it are for WLserver 5.1.
What has to be done to do this with 6.1 sp1?
Thanks,
Ariel -
Managing LDAP groups and roles through SUN IDM
Hi Guys,
We have a requirement to build the following functionality in our Sun IDM tool.
1. Ability to create/manage Static LDAP group.
2. Ability to create/manage filtered LDAP group.
3. Ability to create/manage Static LDAP roles.
4. Ability to create/manage filtered LDAP roles.
Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
Any reply will be appreciated.
http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html
-
Hi All,
Weblogic Server 5.1 doesn't support dynamic LDAP groups.
Our experience shows that the same problem is present with WLCS 3.11
Is the problem solved in WS 6 and WLCS 3.5?
Kind Regards,
Panu Harkonen
Hello J.P.,
Note that LDAP realm v2, which is the default realm in WLS 6.1, can only show group names in the WLS admin console, not the group members (LDAP realm v1, the same realm in previous versions of WLS servers, does show group members in the admin console).
From my understanding of dynamic groups they are still conceptually similar to a regular group, albeit its members are stored differently. So with this understanding I don't see why the WLS 6.1 LDAP realm wouldn't be able to use dynamic groups. You can probably run a quick test yourself to see.
Regards,
BEA WebLogic Support
"Jose Perez" <[email protected]> wrote in message
news:3c838ce2$[email protected]..
>
Hi all,
Does anyone know if weblogic 6.1 supports dynamic LDAP groups?
Thanks in advance,
J.P. -
We are running WL 5.1 w/ SP6, and eDirectory from Novell. We are using the
novell LDAP for storing users. I need to rewrite the implementation to add,
modify and delete users from LDAP. Do I need to get a connection to LDAP
and modify it directly, or can I maintain users by writing to the WL
security realm? I have seen a bunch of scattered documentation on these
things, but nothing concrete. Any help and links to documentation would be
greatly appreciated.
-Jake
The statement in the Personalization Server documentation is basically correct, at this time. The basic thinking is that you've chosen an external realm because it already contains users and groups, thus you must have used an external mechanism to populate it.
Probably a better illustration is: imagine how your NT domain administrator would feel if anyone with admin privileges for WebLogic server could add users and groups to their NT domain. I think that in the case of NT and Unix realms this seems pretty reasonable. One could argue that the same is not true for LDAP, but for consistency it was kept the same.
Paul Patrick
"Cameron Purdy" <[email protected]> wrote in message
news:[email protected]...
Jake,
AFAIK the LDAP realm implementation in WebLogic is read-only. The best explanations that I have seen are in the rationalizations that the Personalization Server documentation makes with regards to its dependence on the RDBMS realm, and why its extended features do not support the LDAP realm:
"To ensure behavior consistent with Personalization Server purposes, the UserManager employs two primary strategies. For certain operations, (com.beasys.commerce.axiom.contact.UserManager), the UserManager qualifies the security realm being used before taking action. These operations can only be performed if the current security realm class is com.beasys.commerce.axiom.contact.security.RDBMSRealm. See UserManager EJB in Javadoc for details. For example, the createGroup() method throws a UserManagementException if the out-of-the-box RDBMSRealm is not being used. The logic behind such an exception is that the UserManager is designed to work with the default Personalization database schema. If another realm is being used (e.g., WebLogic LDAPRealm), it is assumed that the client has another means, besides the Personalization Server administration tools, that should be used for adding and removing groups and users to/from the realm."
(http://edocs.bea.com/wlcs/p13n/users.htm)
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jake" <[email protected]> wrote in message
news:[email protected]...
We are running WL 5.1 w/ SP6, and eDirectory from Novell. We are using the Novell LDAP for storing users. I need to rewrite the implementation to add, modify and delete users from LDAP. Do I need to get a connection to LDAP and modify it directly, or can I maintain users by writing to the WL security realm? I have seen a bunch of scattered documentation on these things, but nothing concrete. Any help and links to documentation would be greatly appreciated.
-Jake -
Single sign-on using Kerberos and Ldap
I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
I have the Kerberos authentication and part of the Ldap service working via pam & nss.
ie. I can logon to the Solaris workstations using the AD username and password, and mount the home directory from a M$ NFS server.
BUT...
id gives:- userID, groupID (primary group only)
groups :- primary group only. (no secondary groups are listed)
Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
Thanks in advance for any help.
After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to end up with a similar solution..
Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, kerberos and associated services.
Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
//M. -
Hi, I configured LDAP authentication on BOXI R2 SP3 on IIS. The settings are as given below.
To change a setting, click on the value to start the LDAP Configuration Wizard. I have replaced few entries with XXXX and YYYY due to security.
LDAP Hosts: nccXXX.XXX.YYYY.XX.YY:636
LDAP Server Type: Novell eDirectory
Base LDAP Distinguished Name: ou=XXXXX,dc=YY
LDAP Server Administration Distinguished Name: cn=XXX,o=YYYYY
LDAP Referral Distinguished Name: ""
Maximum Referral Hops: 0
SSL Type: Server Authentication
Server Side SSL Strength: Always accept server certificate
Single Sign On Type: None
When I add any new group then its not added and I get below error message in the Logging directory for WCA.
Error: 2009-08-24 14:56:30, Thread:161, WriteData::_Flush catch unexcepted exception, source: System.Web, message: Specified argument was out of the range of valid values.
Parameter name: offset, stack: at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
at BusinessObjects.Enterprise.WebComponentAdapter.WriteData._Flush(IntPtr handle)
Can anyone help to find if LDAP is configured correctly before adding group?
Thanks,
Resolved. It was due to a wrong LDAP group given to me.
Thanks, -
Can an email address be a member of an LDAP group even if it isn't
associated with an object in the Directory Server?
General members of a group are the members defined in the
Directory Server. They are full-fledged members of the group who
may have a set of permissions associated with their membership,
a title, or other attributes. Mail-specific users are users who
are not full-fledged members of the group, but who receive mail
sent to the group. Mail-specific users need not be identified as
a user in the Directory Server--an email address is sufficient.
An example of this is a group of salespeople, all of whom are in
the group "North American Sales Team." They have access to a
sales-tracking database, on-line quota information, and
competitive information. The mail-specific users of this group
are the admins who support the members of the sales team, who need
to get the mail that goes out to the group, but don't need access
to the applications and information that the salespeople do.
Hey EllyK,
Welcome to the BlackBerry Support Community Forums.
Thanks for the question.
I would suggest performing this workaround and then try to login to BlackBerry Link:
Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID.
Connect the BlackBerry 10 smartphone to the computer.
Open BlackBerry Link
Sign in using the BlackBerry ID.
Let me know if the issue still persists.
Cheers.
-ViciousFerret
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Like! for those who have helped you.
Click Accept as Solution for posts that have solved your issue(s)! -
ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a LAB environment? Currently the following are done.
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and radius between your NAD and ISE device.
Using the switch 3850, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on aaa authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to have the user authenticated successfully.
You must also define these devices in ISE on the radius interface.
ip radius source-interface ..... use this interface IP address to define the IP address of the NAD device in ISE.
administration-->network resources -->Network Devices-->Add
input the name
input the Ip address for radius communication
select the authentication settings and fill in the corresponding shared secret radius key
select snmp settings and select version 2c.
snmp community : ciscoro
you can customize the polling interval if you want and that's all.
You are supposed to receive message communication between your NAD and ISE.
Afterwards you can do the procedure for the WLC device.
I will fill it after you have passed the first steps (3850 authentication). -
Creating a report containing Report Names and associated Groups in XIr3.2
Hi -- Does anyone know if we have the ability to create a report that contains Report Names and their associated Groups (like LDAP groups)?
We actually have Groups associated at the Report Level as well as the Folder level.
This functionality did not exist in XIr2.
I'm inferring you want to report on the CMS repository database, specifically UserGroups and which reports are accessible by those UserGroups.
That would involve Java SDK coding if you're looking for detailed ACL list information. You'd need to implement Enterprise Java SDK code to retrieve the InfoObject/SecurityInfo2/Principal information, and create adapter classes to make that information consumable via one of the supported reporting connectivities.
For this, you'd need experience with both Enterprise Java SDK and supported reporting connectivity APIs (such as POJOs or JavaBeans).
Sincerely,
Ted Ueda