WLC integration with LDAP
Hi all, and thank you in advance for any help/advice you might be able to offer....
I'm having problems getting a WLC (7.0.220.0) working using LDAP (Windows 2008). This evening, in an effort to troubleshoot the problem further, I have configured the customer's ASA to use LDAP too and run a test....as you can see below, the test works flawlessly (on the ASA).
aaa-server LDAP_TEST protocol ldap
aaa-server LDAP_TEST host x.x.x.x
server-port 389
ldap-base-dn OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
server-type microsoft
ASA/act# test aaa-server authentication LDAP_TEST host x.x.x.x username ldap password password
INFO: Attempting Authentication test to IP address <x.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful
ASA/act#
Now, my understanding is that the ASA only supports PAP (clear text) as Authentication method when communicating to an LDAP server....while on the Controller, I am using EAP-FAST....so my understanding would be that only EAP-FAST/GTC or EAP-FAST/MSCHAPv2 (IF the LDAP server is setup to return a clear text password) are supported.
On the Controller, I am using the very same settings as I have used on the ASA (for the LDAP server configuration). However, users are still unable to Authenticate....they Associate, but do not Authenticate. The clients are all Windows 7 and are setup to use the in-built Cisco EAP-FAST as Authentication method. We are not using certificates.
The thing is that I'm pretty sure that both the Windows 7 clients and the Controller are setup correctly but, as I said, the clients are still unable to authenticate.
I guess that my questions are these:
- on the client side, you can setup the laptops to use "Any method" as authentication method...but how does this exactly work? do they try both EAP-GTC and EAP-MSCHAPv2 (i.e. if it can't authenticate through EAP-GTC will then try EAP-MSCHAPv2?)
- is it better to hardcode the clients to use EAP-GTC or EAP-MSCHAPv2 (instead of default "Any method")....when working on an LDAP environment
- how can I check that the MS 2008 server is indeed setup to "return a clear text password" if using EAP-FAST/MSCHAPv2 (and I do realize that this is probably a question for a Microsoft forum)
- how can I check that the LDAP server is configured to support EAP-GTC and/or EAP-MSCHAPv2??
Thanks again.
This is not an acceptable answer. Steve, do you work for Cisco, or are you commenting on personal experience & knowledge?
I have had a working RADIUS configuration for 2 years+ of an ASA 5510 for authentication of AnyConnect SSL & IPSEC VPN clients with AD, and a WLC 2106 for authentication of WPA2-Enterprise w/802.1x certificates with AD. Both were configured to communicate with the same RADIUS server that is a Windows Server 2003 DC with IAS/RADIUS and a CA installed. During the planning for installing a new Windows Server 2008 R2 DC, I decided to attempt to remove my reliance on RADIUS since authenticating directly with LDAP is becoming more common. I was successfully able to configure our ASA to do direct LDAP queries to AD, but similar to "superduperlopez" and "rschwenderman", I have been unable to configure the WLC the same way.
I feel like the following line in Cisco's documentation is unsatisfactory: "For example, Microsoft Active Directory is not supported because it does not return a clear-text password."
I would take this to mean that the ASA is working correctly due to either:
A) The ASA is accepting clear-text passwords from AD, and AD is configured to pass clear-text passwords, or
B) The ASA is not accepting clear-text passwords from AD, and AD is not configured to pass clear-text passwords
Now this would lead me to the following:
A) Cisco has not properly updated the WLC documentation to instruct users how to correctly configure the WLC to do backend LDAP queries, or
B) Cisco has not implemented the technology changes that were made in the ASA to the WLC
This frustrates the average network admin, as it is seen by us as "If the ASA can do it, why can't the WLC". Also, don't get this confused with any "client" issues, as all that is being asked for is the WLC to use a different backend "authentication" server while not modifying the client side at all. The concept of "Local EAP" seems to fit, but doesn't work.
I would really appreciate someone giving some insight on this topic, as there are three customers on this forum post that have had the same problem within the last 2 months.
The previous posters, and myself, are not looking for someone to retype the documentation, but rather explain how it is working on one of Cisco's security products, but not the other.
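The ASA test in the first post succeeds with an LDAP simple bind, which carries the password itself to the directory on port 389. The following is an added example, not code from either poster or from Cisco: it builds and decodes an LDAPv3 simple BindRequest (RFC 4511) to show where the clear-text password sits on the wire. The function names are this example's own, and the DN and password are the sample values from the ASA test above.

```python
# Added example: encode and decode an LDAPv3 simple BindRequest (RFC 4511).
# A simple bind needs the clear-text password; a device that only holds an
# MS-CHAPv2 challenge/response has nothing it could put in this field.

def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(n):
    """Non-negative INTEGER, padded so the top bit never reads as a sign."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage ::= SEQUENCE { messageID, [APPLICATION 0] BindRequest }"""
    bind = (_ber_int(3)                               # version 3
            + _tlv(0x04, bind_dn.encode("utf-8"))     # name (LDAPDN)
            + _tlv(0x80, password.encode("utf-8")))   # [0] simple: the password
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, bytes(buf[pos:pos + length]), pos + length

def parse_bind(pdu):
    """Decode a BindRequest as a passive observer on the path would see it."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    simple = auth_tag == 0x80
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8"),
        "mechanism": "simple" if simple else "sasl/other",
        "password": cred.decode("utf-8") if simple else None,
    }

if __name__ == "__main__":
    # Sample values taken from the ASA configuration and test command above.
    dn = "CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz"
    pdu = build_simple_bind(1, dn, "password")
    print(pdu.hex(" "))
    print(parse_bind(pdu))
```

Because the credential is readable in the PDU, a simple bind on port 389 should be protected with LDAPS or StartTLS between the device and the directory.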
Similar Messages
-
WLC integration with LDAP to authenticate domain users without Radius
Dear All,
I have a WLC 4404 with LWAPs, the customer has a microsoft LDAP and all users are joined to the domain and he wants the users to be authenticated against their domain accounts and this should be done automatically so that when users login to windows they are also authenticated and joined the WLAN.
so how we can do that with the simplest way, without Radius server using only the LDAP and without involving any certificates.
also i need to know when i add LDAP server to the WLC, how can i know that this LDAP is properly integrated with the WLC ?
thanks and BR
Hi,
I have followed the following document to make users authenticate against their AD domain accounts:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
the device and the root of PKI certificates for the WLC were generated and installed successfully on the WLC, and now we are in the client (end user) part starting from the section "Generating a device certificate for the client" page 17, which as per the document to be done from the client PC using the client domain account, which consequently means this process is to be repeated for each end user separately, so my question is there any way to generate some sort of general certificate for all clients to be pushed through group policy to all client instead of making it PC by PC ? -
Hi.
Has anyone successfully integrated with LDAP using the C library from
LDAP SDK?
Currently I'm facing a problem when I tried to generate the C++ wrapper
for the C library. The compiler is unable to resolved the data type of
some data structs. This is because the definition for these structs are
not defined in any of the include files provided. According to the LDAP
SDK doc, this is because the fields for those data structs are not
intended to be accessible to the clients.
That is why in my wrapper project, I defined these struct, each has the
property Opaque = TRUE.
The following is the error message:
BEGIN FILE
Working directory is d:\forte\tmp\cg13\pc_nt\ldapsrch
Processing BOM file: LDAPSrch.bom
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 11.00.7022 for
80x86
Copyright (C) Microsoft Corp 1984-1997. All rights reserved.
LDAPSrch.cc
LDAPSrch.cc(70) : error C2027: use of undefined type 'BerElement'
LDAPSrch.cc(127) : error C2027: use of undefined type 'LDAP'
LDAPSrch.cc(184) : error C2027: use of undefined type 'LDAPMessage'
LDAPSrch.cc(203) : error C2733: second C linkage of overloaded function
'ldap_init' not allowed
LDAPSrch.cc(204) : error C2733: second C linkage of overloaded function
'ldap_simple_bind_s' not allowed
LDAPSrch.cc(205) : error C2733: second C linkage of overloaded function
'ldap_perror' not allowed
LDAPSrch.cc(206) : error C2733: second C linkage of overloaded function
'ldap_search_s' not allowed
LDAPSrch.cc(207) : error C2733: second C linkage of overloaded function
'ldap_first_entry' not allowed
LDAPSrch.cc(208) : error C2733: second C linkage of overloaded function
'ldap_next_entry' not allowed
LDAPSrch.cc(209) : error C2733: second C linkage of overloaded function
'ldap_get_dn' not allowed
LDAPSrch.cc(210) : error C2733: second C linkage of overloaded function
'ldap_first_attribute' not allowed
LDAPSrch.cc(211) : error C2733: second C linkage of overloaded function
'ldap_next_attribute' not allowed
LDAPSrch.cc(212) : error C2733: second C linkage of overloaded function
'ldap_get_values' not allowed
LDAPSrch.cc(213) : error C2373: 'ldap_value_free' : redefinition;
different
type modifiers
LDAPSrch.cc(214) : error C2733: second C linkage of overloaded function
'ldap_ber_free' not allowed
LDAPSrch.cc(215) : error C2733: second C linkage of overloaded function
'ldap_msgfree' not allowed
LDAPSrch.cc(216) : error C2373: 'ldap_memfree' : redefinition; different
type modifiers
LDAPSrch.cc(217) : error C2733: second C linkage of overloaded function
'ldap_unbind' not allowed
cl /W3 /Gf /GX /MD /c /Ob1 /vmg /DSTRICT /DWIN32 /D__WIN32__
/DLIBOO_DLL
WIN32_LEAN_AND_MEAN /Id
:\forte\install\inc\cmn /Id:\forte\install\inc\os
/Id:\forte\install\inc\ds
/Id:\forte\install\inc\handles /Id:\forte :\forte\LdapAPIs\include
/FoLDAPSrch.obj /Tp LDAPSrch.cc
So, please advise on how should I proceed.
Thanks in advance.
from: suen
Hi Anoop,
To adapt an SAP Workflow, you can create a configuration. In this configuration you can redefine values for steps of the workflow definition. These values are evaluated at runtime instead of the values originally defined.
You can configure the following step types:
Activity
User decision
Document from template
Wait
Moreover,Features
You can set the following data individually in the step definition of the configurable step types:
1)Responsible agents
2)Excluded agents
3)Message recipient for completion
4)Priority
5)Requested start
6)Indicator denoting whether the step is included in the workflow log
7)Activation of a latest end, a latest start, or a requested end with the reaction Send mail
This URL provides info about various workflow codes http://help.sap.com/erp2005_ehp_02/helpdata/en/9b/572614f6ca11d1952e0000e82dec10/content.htm
Regds,
Krutarth
· Reference date/time for latest end, latest start, and requested end
· Message recipient for missed deadline
· Information about the work item display -
Is possible this integration?. The idea is that the agent will do authentication with LDAP directly
-
CUP (AE) integrated with LDAP
Hi GRC Guys,
I had a question about the integration between CUP (AE) and LDAP.
I know that with LDAP as the detail user source and Manager as the standard approver, AE will automatically find the manager and route the approval flow to this person. However my request is can we use this LDAP integration to automatically find the manager's manager, or more freely any person within the organization? Do we need to use some CAD to realize this?
Thanks.
Benny Ren From Deloitte GRC Team
Dear Alpesh,
Many thanks for your reply.
Since LDAP is not able to achieve my goal, can HR system do that?
I have very little information about the integration between HR system and CUP (AE). Can you shed me some light on where to find that?
Best Regards,
Benny Ren -
Problem about BIEE Integration with LDAP
Hello,
I have a problem in OBIEE11.1.1.6
I do BI EE 11g Security Integration with OPENLDAP follow below link,
http://www.rittmanmead.com/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/
It works well using user that store in OPENLDAP ,
now I want to realize this function,
that user roles store in external db table,then get roles by init block,
but I faced a problem, If I use session system variable 'WEBGROUPS' to get some value in db,when user login BIEE,it can get values of 'WEBGROUPS'
but If I use session system variable 'ROLES' ,when user login BIEE,it can't get values of 'ROLES' that store in db,
the value will always show 'BIConsume;Authenticated User',It is default value in OBIEE11.1.1.6,
so I doubt why I can't use variable 'ROLES' to get value???
init block like follows,
SQL: select T.att1,T.att2 FROM USER_ACCESS T
T.att1 is for variable 'WEBGROUPS'
T.att2 is for variable 'ROLES'
the value of 'WEBGROUPS' is correct.
but 'ROLES' not got the values that stored in db.
anyone know???
thank you in advance!
VITAS wrote:
that user roles store in external db table,then get roles by init block,
but I faced a problem, If I use session system variable 'WEBGROUPS' to get some value in db,when user login BIEE,it can get values of 'WEBGROUPS'
but If I use session system variable 'ROLES' ,when user login BIEE,it can't get values of 'ROLES' that store in db,
the value will always show 'BIConsume;Authenticated User',It is default value in OBIEE11.1.1.6,
so I doubt why I can't use variable 'ROLES' to get value???
init block like follows,
Go to Enterprise Manager and create the ROLES named the same as the one you named in DB values. Now you should see them magically appear when you click on My account > Roles and Catalog Groups. :)
SQL: select T.att1,T.att2 FROM USER_ACCESS T
T.att1 is for variable 'WEBGROUPS'
T.att2 is for variable 'ROLES'
the value of 'WEBGROUPS' is correct.
but 'ROLES' not got the values that stored in db.
Hope you did enable Row Wise Init here?
Let us know. Mark if helps.!
Thanks,
SVS -
I need to integrate 4402 Controller with Active Directory.
If I have two distinguished names, can I use two OU like:
OU=HQ,OU=Branch1,DC=DC1,DC=com
Is it OK???
shall I use spaces between the parts?
Please any useful points I should consider them?
Thank you,
I already have the configuration guide,
but this is the first time that I need to do the configuration between the LDAP and controller. and I did not find information about many things like:
how to got the distinguished names?
if I have more than one distinguished name, how I should deal with this issue?
what about EAP configuration? Is there any recommended EAP with LDAP?? -
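On the distinguished-name questions above (nesting order and spaces), the following is an added example, not part of any post and not WLC code: a small parser for the RFC 4514 string form that splits a DN into its RDNs and checks whether one DN lies under a base DN, as a subtree search would require. The function names are this example's own; ignoring padding spaces around "," and "=" and comparing case-insensitively are choices of this example, not a statement about what the controller accepts.

```python
import re

# Attribute type: short name (OU, CN, DC) or dotted OID.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")
_HEX = set("0123456789abcdefABCDEF")

def _rdn(attr, value, in_value):
    name = attr.strip()
    if not in_value or not _ATTR.fullmatch(name):
        raise ValueError(f"malformed RDN near {name!r}")
    return name, value.decode("utf-8")

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Spaces inside a value are kept; unescaped padding spaces next to a
    separator are dropped. Escapes such as "\\," and "\\2C" are honoured.
    Multi-valued RDNs ("+") are not handled in this example.
    """
    rdns, attr, value, keep, in_value, i = [], "", bytearray(), 0, False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and in_value:
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                value.append(int(pair, 16))            # hex escape, e.g. \2C
                i += 3
            elif pair:
                value.extend(pair[0].encode("utf-8"))  # literal escape, e.g. \,
                i += 2
            else:
                raise ValueError("dangling backslash")
            keep = len(value)                          # escaped bytes always count
            continue
        if ch == "=" and not in_value:
            in_value = True
        elif ch == "," and in_value:
            rdns.append(_rdn(attr, value[:keep], in_value))
            attr, value, keep, in_value = "", bytearray(), 0, False
        elif in_value:
            if ch != " " or value:                     # skip leading padding
                value.extend(ch.encode("utf-8"))
            if ch != " ":
                keep = len(value)                      # trailing padding is cut
        else:
            attr += ch
        i += 1
    rdns.append(_rdn(attr, value[:keep], in_value))
    return rdns

def normalize(dn):
    return [(a.lower(), v.casefold()) for a, v in split_dn(dn)]

def is_under(dn, base_dn):
    """True if dn equals base_dn or sits below it in the tree."""
    d, b = normalize(dn), normalize(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

if __name__ == "__main__":
    # The DN from the question: HQ is a child of Branch1, not a second root.
    print(split_dn("OU=HQ,OU=Branch1,DC=DC1,DC=com"))
    # DNs from the ASA configuration earlier on this page.
    base = "OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz"
    bind = "CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz"
    print(is_under(bind, base))
```

The DN in the question is therefore a single path (HQ inside Branch1), so users in two unrelated OUs need a base DN that is a common ancestor of both.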
WLC integrating with Windows 2008 AD
Hi,
I want to integrate WLC with windows 2008 server. If anybody done this integration i would like to know what are the step i need to do in the Microsoft Side, If you have any document related to MS 2008 integration pls share the information with me.
Thanks in advance.
Regards,
Sunish
Can you provide more detail around what you mean by integrate? I don't think a WLC can talk directly to AD (Kerberos, LDAP, or otherwise).
If what you mean by "integrate" is to be able to authenticate wireless users against AD, then you will need something to proxy that authentication. That is usually a RADIUS server. Cisco ACS and Microsoft IAS are two common RADIUS servers, both of which can talk to AD. Check out the Cisco ACS 4.2 configuration guide for a good example. Here's a link to an older Microsoft article, but it still applies to 2008 (Microsoft IAS is still included with Windows Server).
http://www.microsoft.com/downloads/details.aspx?familyid=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&displaylang=en -
SAP IDM Integration with LDAP VS Rest.
Hi,
I'm looking for an best approach through I can integrate my custom application with SAP IDM 7.2. I have read couple of article and found IDM is based on VDS and allow LDAP as well as Restful web services.
Would like to know the best approach.
Here what I want to achieve:
1. Dynamic Schema detection for User, Role and Employee
2. Get all User List and there corresponding Role.
3. Password Reset/Set/Change
Thanks
Shital
Hi Nits,
This guide presents the official SAP Connectors for IdM. SAP and 3rd-party.
It seems that are no official connector for ADOBE CQ and HYBRIS.
But you can build you own connector. (JDBC, WebServices, LDAP)
Using the same concept as the SAP Standard connectors, Folders (Application Actions, Plugins) HOOK Tasks.
It will depend on what integration layer these solutions offer. -
About EP(on UNIX) UME integration with LDAP
Hello guys,
We want that UME use LDAP(read-only) as data source .
Our EP installed on UNIX , LDAP on Windows.
Connection data
Server Name: sapsso
Server Port: 389
User: p106658 (an administrator user)
Password: ******
User Path : ou=test,c=us,o=gnpjvc
Group Path: ou=test,c=us,o=gnpjvc
We fill the data reference document on help website: Configuring the UME to Use an LDAP Directory as Data Source.
But test connection always failed.
Is there any solution?
Thank you!
Louis
Hi,
check your JDK version, some SUN version (>1.4.2_13) won't work with Kerberos. Start with SAP Note 968191 to gain more information.
For checking the Java JDK parameters and recommendations / bugs, take a look at these Notes:
716604 for the Sun JDK (Windows, Linux, Solaris)
716926 for the HP JDK (HP-UX)
716927 for the IBM JDK (AIX)
1234382 for the IBM JDK IT4J (IBM i, iSeries, OS/400)
717376 for the IBM JDK Classic (IBM i, iSeries, OS/400)
746299 for the IBM JDK (Linux for zSeries)
810008 for the IBM JDK (Linux on POWER)
861215 for the IBM JDK (Linux on AMD64/EM64T)
br,
Tobias -
ACS 4.2 Appliance integration with LDAP
Hi,
I would like to ask some question from the expert here.
1. I'm building 802.1x infra for my customer.
2. We are using ACS SE version 4.2
3. We have successfully integrate the ACS with AD using Remote Agent.
4. Users will authenticate using PEAP MS-CHAP v2.
5. However, my customer doesn't want to use Remote Agent (RA) because they want the ACS to talk to the external database directly.
6. Their argument is, if they bought other Radius appliance for this project, the appliance should have the same function in order to authenticate the user.
7. What are needed to complete this requirement?
I saw in this table http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274 the LDAP does not support PEAP MS-Chap v2.
Can any expert give opinion on this issue?
Despite various efforts a few years back, LDAP vendors could not be persuaded to implement an MSCHAP interface - which is technically possible.
That said ACS also has its Windows External Authenticator that will do MSCHAP just fine to a Windows AD Server (via a different interface).
The old LEAP protocol was mschap inside EAP. EAP-FAST can also do mschap too.
The key is not to use the LDAP authenticator in ACS. If you really must use it, you'll have to make sure you use EAP-GTC inside your PEAP/FAST tunnel. -
Strip @domain on LDAP Integration with Cisco ISE?
Hi there ,
I got a WLC connected with a Cisco ISE. There are two SSIDs authenticated against the ISE.
One SSID has AD-Integration as External Identity Source, the other SSID is authenticated through LDAP.
Authentication is working fine.
When a user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.
How can I change the ISE so that the user has only to enter "username" and the "@domain" part is already set on the ISE?
Thanks a lot,
Norbert
From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
Strip start of subject name up to the last occurrence of the separator
Strip end of subject name from the first occurrence of the separator
Regards,
Jatin
Do rate helpful posts- -
Jabber for Windows - without LDAP integrated with CUCM Jabber UDS - NO PEOPLE CAN SEARCH
Hi all Jabber Experts,
I have the CUCM, which is the version 8.6 and the Presence Server, which is the version 8.6, that is not integrated the LDAP, but I want to deploy the Jabber for Windows.
So I would use the UDS to deploy the Jabber for Windows (modified the XML and uploaded to the CUCM TFTP server).
Finally, that can login the users, which is manually added from CUCM.
But I cannot search other users from the Buddy List. Any idea for that?
First of all, either you use CUCM 8.6 with CUPS 8.6, or you use CUCM 9.1 with IM&P 9.1, what you're mentioning is just impossible as they're not compatible and that's not supported.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk -
WLC not integrating with Radius Server
Hello world,
I have the following situation:
One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
Everything worked fine until few days ago, when users were unable to logon via their certificates on Windows XP.
The infrastructure didn't suffer modifications.
What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
The AP`s are 1242.
I have tried deleting the SSID, configure it back. The OS on Windows Server is 2003 Standard. The AP`s are configured H-Reap.
I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
The message logs received on WLC Trap Logs:
RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
The message from the debug dot1x aaa enable:
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00 ......
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
The messages on Windows 2003 Standard:
User Y was denied access.
Fully-Qualified-User-Name = xx.domain.com/Users_T/user
NAS-IP-Address = X.X>X.X
NAS-Identifier = Cisco_
Called-Station-Identifier = ---------------------
Calling-Station-Identifier = ---------------------
Client-Friendly-Name = ---------------------
Client-IP-Address = ---------------------
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.
Can anyone help why i cannot log the users via 802.1x ?
Okay that is good..... this is what I would do next. I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screen shot of your policies (connection and network) so we can review it.
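The WLC debug output in the question includes the raw EAP bytes the controller forwarded to RADIUS ("02 0a 00 06 0d 00"). The following is an added example, not from either poster: it pulls the hex dump out of such a debug line and decodes the EAP header (RFC 3748) and, for TLS-based methods, the flags byte (RFC 5216), which shows that this packet is an empty EAP-TLS response carrying no TLS data. The function names and the second, fragmented packet are constructed for illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types that come up on this page.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2", 43: "EAP-FAST"}
TLS_BASED = {13, 25, 43}   # these share the L/M/S flag bits

# Matches the "00000000: 02 0a ..." dump at the end of a WLC debug line.
_DUMP = re.compile(r"\b[0-9a-f]{8}:((?:\s+[0-9a-f]{2}\b)+)", re.I)

def bytes_from_debug_line(line):
    m = _DUMP.search(line)
    if not m:
        raise ValueError("no hex dump found in line")
    return bytes.fromhex(m.group(1))

def decode_eap(raw):
    """Decode one EAP packet into a dict of header and method fields."""
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        raise ValueError("bad EAP Length field")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "identifier": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out                      # Success/Failure carry no Type field
    etype, body = raw[4], raw[5:length]
    out["type"] = EAP_TYPES.get(etype, f"type {etype}")
    if etype in TLS_BASED and body:
        flags, body = body[0], body[1:]
        out["length_included"] = bool(flags & 0x80)   # L bit
        out["more_fragments"] = bool(flags & 0x40)    # M bit
        out["start"] = bool(flags & 0x20)             # S bit
        if flags & 0x80:
            if len(body) < 4:
                raise ValueError("L flag set but TLS length missing")
            out["tls_message_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        out["tls_data_len"] = len(body)
        # A response with no flags and no data only acknowledges the peer.
        out["empty_ack"] = code == 2 and not (flags & 0xE0) and not body
    return out

# Line copied from the debug output in the question.
PAGE_LINE = ("*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: "
             "00000000: 02 0a 00 06 0d 00 ......")
# Constructed sample: first fragment of a 4096-byte TLS message.
FRAGMENT = bytes.fromhex("010b000e0dc00000100016030100")

if __name__ == "__main__":
    print(decode_eap(bytes_from_debug_line(PAGE_LINE)))
    print(decode_eap(FRAGMENT))
```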
-
Issue while integrating external LDAP with weblogic
Hi,
I am trying to integrate external LDAP (OpenLdap) with weblogic 10.3. I created a provider and provided required credentials and am able to see users and group of the LDAP into the weblogic console. I am also able to login in the weblogic console with the users available in the LDAP after assigning the admin role to the ldap group. But when I see the user's property (by clicking on the user in the admin console) it only shows the tabs for General, Password and Group only. on the other hand if I see the users from DefaultAuthenticator, it shows the Attribute tab apart from the General, Password and Group.
Can anyone let me know how can we get the Attribute tab for the Ldap users.
thx,
Ajay
Hi Ajay
By default Weblogic has READ ONLY adapters for any External Security Providers that are configured like any AD Providers. READ ONLY means, you can only read the data from the ldap but not modify it, hence may be its not showing the Attributes tag. For Default Authenticator, see the first paragraph note in Attributes tab, that says the same thing. NOW, may be WLS can at least show Attributes in READ only format, but it needs some sort of mappings to be defined. Say on Weblogic side, we have like firstName, lastName which on any typical AD will be like sn (surname = lastname), givenname (firstname) etc etc. This mapping is tough to generalize.
One thing for sure is, from Weblogic you cannot modify or edit any attributes for any user in external AD. If you really want to get those attributes, you may need to use some javax.ldap apis or some 3rd party ready to use tools/apis. I remember Weblogic Portal has a facility to configure a xml file that defines attributes mapping and get all attributes for any user. But again that's in Weblogic Portal product and not part of weblogic server.
If you have any SOA Software, they have some utilities for the same.
Thanks
Ravi Jegga