LDAP - conditional authentication

Hi all

I want to implement LDAP authentication in my application.
I am quite new to LDAP as an authentication type.

The condition is:
1. In the user interface, an additional item (a select list) must be added to the login page (say P101_ID), for example with the item values
   a. Emp ID
   b. App ID
2. Based on the value selected in the item, the authentication must be done.

For each value of the item there is a different distinguished name (DN) string, for example:
%LDAP_USER%@empid.test.local --- Emp
%LDAP_USER%@AppID.local --- App

If I use it with a single DN string, it works well.

But my question is, how do I make it conditional on the value of an item on the login page?
That is to say, if the user selects Emp ID in P101_ID, then %LDAP_USER%@empid.test.local should be used.
If the user selects App ID in P101_ID, then %LDAP_USER%@appid.local must be used.

Is it possible to do this?

I hope I am fairly clear in my question.

Please help me...

Thanks in advance

Hi Kanishkaa,

instead of '%LDAP_USER%' you must use the :USERNAME bind variable. Your code also uses double quotes, which are not valid, and I think that you pasted '%LDAP_USER%@extra.dna.local' by mistake. The code block should be a function body, not a top-level function object. I would use something like this:

return apex_escape.ldap_dn(:USERNAME) ||     -- escape the entered user name for use in a DN
       '@' ||
       case :P101_ID                          -- value of the select list on the login page
           when 'empid' then 'empid.test.local'
           else 'appid.local'
       end;

Kind regards

Christian
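The same pattern as Christian's function body, worked through as an added example in plain Python (this is not code from the thread or from APEX): the user name is escaped, and the realm suffix is looked up from a fixed table keyed by the P101_ID value instead of being concatenated from the request. The realm names come from the question; the RFC 4514 escaping routine and the rejection of user names containing '@' are this example's own assumptions, not the behaviour of apex_escape.ldap_dn.

```python
# Added example, not code from the thread or from APEX: the pattern in the
# answer above (escape the user name, pick the realm suffix from a fixed list
# keyed by the P101_ID value) written as plain Python so it can be tested.
# The realm names are taken from the question; the escaping rules follow
# RFC 4514 and are this example's own, not APEX's apex_escape.ldap_dn.

# Select-list value -> directory suffix. Unknown values fall back to the
# default, exactly like the CASE ... ELSE in the answer.
REALM_BY_CHOICE = {
    "empid": "empid.test.local",
    "appid": "appid.local",
}
DEFAULT_REALM = "appid.local"

# RFC 4514 section 2.4: characters that must always be escaped in a value.
_RFC4514_SPECIAL = frozenset('"+,;<>\\')


def escape_ldap_dn(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")            # NUL must be hex-escaped
        elif ch in _RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)         # leading space or '#' is escaped
        elif i == last and ch == " ":
            out.append("\\" + ch)         # trailing space is escaped
        else:
            out.append(ch)
    return "".join(out)


def build_login_dn(username: str, realm_choice: str) -> str:
    """Return the '<user>@<realm>' string that the %LDAP_USER%@... template
    produced, with the realm chosen by the select list.

    The '@' check is an extra guard added here (not in the answer): a user
    name that already carries a realm would otherwise override the one the
    select list chose, so it is rejected rather than passed to the bind.
    """
    if not username or "@" in username:
        raise ValueError("user name must be non-empty and must not contain '@'")
    # Look the suffix up; never concatenate the submitted P101_ID value itself,
    # because a page item is just a string in the request and can be tampered.
    realm = REALM_BY_CHOICE.get(realm_choice, DEFAULT_REALM)
    return f"{escape_ldap_dn(username)}@{realm}"


if __name__ == "__main__":
    # Constructed sample logins, one per select-list value plus an unknown one.
    for user, choice in [("kanishkaa", "empid"), ("kanishkaa", "appid"),
                         ("Smith, John", "bogus")]:
        print(f"{choice:>6} -> {build_login_dn(user, choice)}")
```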

Tags: Database

Similar Questions

  • Cisco VCS and LDAP for authentication of users

    I have a question about setting up LDAP for user authentication on the VCS. I want to have redundancy in my LDAP link. I believe this is possible by setting a full domain name as the LDAP server address and then selecting SRV as the resolution type. What I'm not clear on is what the value of the server address should be if I actually use SRV as the resolution type. I should also add that I am looking to use TLS.

    To clarify, if my AD domain name is myad.netcraftsmen.net, do I set the server address field to:

    myad.netcraftsmen.net, assuming that VCS properly queries DNS for the correct _service._proto parameters?

    or would I need to create an SRV record to that effect and set the server address field to that address (including the _service._proto fields)?

    or do I need to specify one of the SRV record formats used by MS AD domains (there are several)?

    If the latter, then which SRV record for TLS? I don't see records with port 389 (non-secure).

    My intuition tells me that it is probably the first option, but I could be far off.

    Anyway, thanks in advance for any input.

    Kind regards

    Bill

    Hi William,

    I just checked it on an X6.1 VCS, and it seems that VCS searches for SRV _ldap._tcp.domain (where 'domain' is what has been entered as the server address), both when the encryption is set to 'None' and to 'TLS'.

    Hope this helps,

    Andreas

  • 4.0.1 4.1.1 - LDAP Directory authentication scheme fails

    Using the out-of-the-box LDAP Directory authentication scheme, which worked well in v4.0.1, fails in v4.1.1. User authentication fails with "Invalid Login Credentials". Debugging shows the user as "nobody"; in v4.0.1 the debug shows the user as "Admin". In addition, the "Test LDAP connection" is no longer available in 4.1.1 - that's a bummer.

    Example debug output, 4.1.1:
    4161 426774014496602 person 103 101 50 6 hours ago 0.8562

    Example debug output, 4.0.1:
    661 3340172823117775 ADMIN 130 101 57 36 seconds ago 0.3298

    Anyone know if something has changed with the standard LDAP Directory scheme? Or am I missing some configuration?

    Hi Julie: I suspected that this might be the issue earlier and actually ran the PL/SQL anonymous block from the doc you referenced to create the ACL previously, but it either did not run as user SYS or was not committed or something. In any event, after re-running it as SYS and making sure to commit, I now see the expected row returned from the select on dba_network_acl_privileges. I ran apxremov.sql to remove the recent installation of 4.1 and then did a basic install of 4.1.1, rather than applying the hotfix to upgrade 4.1 to 4.1.1. The ACL entry is deleted as a result of running apxremov.sql... so the PL/SQL block to create the ACL entry had to be run again. Thank you, Glenn

  • is it possible to use two external LDAP and authentication of external Table?

    Hi, is it possible to use both external LDAP authentication and external table authentication?

    Do they both need two initialization blocks to access the session system variable USER?

    Thank you

    Hello
    I don't think it's possible to implement LDAP and external authentication together. The reasons are:
    1. We cannot define two sources (LDAP and external DB) in the same initialization block for user information.
    2. If two different initialization blocks (one for LDAP and one for the external DB) are used, we cannot use the variable USER twice; it's a defined system variable.

    Thank you
    Swami

  • About WLC 4402 LDAP client authentication

    Hello

    I'm installing a WLC 4402; the client wants to authenticate users with LDAP and expects to use the current users in AD. However,

    I just read some documents as reference: "Local EAP Authentication Server on the Wireless LAN Controller with EAP-FAST and LDAP Configuration Example" and "Web Authentication via LDAP on Wireless LAN Controllers (WLCs) Configuration Example".

    Both of them require defining a new OU, defining a new user and selecting the anonymous bind feature.

    My question is, should I add all current AD users to the new OU in order to be authenticated as wireless clients?

    I hope that someone of you can clear my doubt

    Kind regards

    Note that LDAP with AD requires non-MSCHAPv2 EAP methods, so you can't do PEAP-MSCHAPv2 with AD as LDAP backend: EAP-FAST (GTC) works, EAP-FAST (MSCHAPv2) does not. It is a limitation due to the way AD works in LDAP mode.

    The anonymous bind is not required at all; it just happens to be like this in the example. Usually, anonymous bind is not allowed by default on the current version of Windows Server.

    You are not forced to push all the users into one OU. Simply give the WLC a search base DN from which it can reach all the users in AD. If all your user OUs are at the root of your domain, you will need to give "DC=domain,DC=com" as base DN, which means that each search will go through your entire AD, which isn't super efficient. That's all.

    Nicolas

  • LDAP user authentication and database standard version

    Hello

    Is it possible to use LDAP user authentication (user data in OUD or ODSEE) with Oracle Database Standard Edition? We have a Directory Services Plus license but don't want to buy the Enterprise Edition of the database just to get the Enterprise User Security feature for user management.

    Thank you

    Hello

    EUS requires a DB EE license. This is independent of the Directory Services licensing.

    See http://docs.oracle.com/cd/E11882_01/license.112/e47877.pdf for more details.

    Sylvain

  • Fabric connecting LDAP authentication

    Hi guys,

    I am running UCSM 2.0(2q)

    I was wondering if there is a way of configuring LDAP authentication for logging in via SSH to the FIs?

    I set up all the group mappings and added users to these groups without any problems, but I can't seem to figure out how to get LDAP authentication working when using an SSH session to the FI.

    Has anyone set this up before?

    Thank you

    Doug,

    Are you sure you are using the correct syntax when connecting via the CLI?

    If AD authentication works through the GUI, it should work in the CLI.

    http://www.Cisco.com/en/us/docs/unified_computing/UCS/SW/CLI/config/Guide/2.0/b_UCSM_CLI_Configuration_Guide_2_0.PDF

    Kind regards

    Robert

  • LDAP authentication on vty router login

    I'm trying to deploy LDAP (MS AD) authentication for vty router login. I used this guide - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html

    But I had no luck with my scenario.

    My config is...

    _____

    aaa new-model
    !
    aaa group server ldap ad1
     server test
    !
    aaa authentication login default group ad1 local
    aaa authorization exec default if-authenticated
    !
    (skipped...)
    !
    ldap attribute-map map1
     map type sAMAccountName username
    !
    ldap server test
     ipv4 172.16.107.145
     attribute map map1
     timeout retransmit 20
     bind authenticate root-dn CN=Administrator,CN=users,DC=fabrikam,dc=com password 7 02050D480809
     base-dn CN=users,DC=fabrikam,dc=com

    _____

    Instead of "attribute map map1" I tried to use "search-filter user-object-type". No effect.

    I used Wireshark to sniff the packets from the Cisco to AD. No packets to the AD ports (389 or 3268) were captured.

    I used "debug ldap all".

    This is the output:

    * Jun 9 19:38:45.414: LDAP: LDAP: AAA Queuing 117 of treatment application
    * Jun 9 19:38:45.414: LDAP: received the queue event, new demand for AAA
    * Jun 9 19:38:45.414: LDAP: LDAP authentication request
    * Jun 9 19:38:45.414: LDAP: no attributes to check username mental health
    * Jun 9 19:38:45.414: LDAP: name of user/password validation test failed!
    * Jun 9 19:38:45.414: LDAP: LDAP not suport interactive logon

    Note the last line. Does that mean I can't use LDAP for this?

    What have I done wrong?

    I am grateful for any help!

    LDAP support on IOS is limited to VPN authentication and unfortunately cannot be used for admin (exec) authentication.

    CSCug65194    Document LDAP non-support for login authentication

    AAA does not support using an LDAP method for interactive logon authentication. Customers can configure 'aaa authentication login default group ldap', but when an interactive (terminal) session attempts to authenticate via LDAP, the following message is syslogged:

    "LDAP: LDAP does not support interactive logon [sic]."

    This is due to the following code in ldap_authen_req() in aaa/ldap/src/ldap_main.c:

    if (intf && intf->tty) {
        LDAP_EVENT("LDAP don't suport interactive logon");
        ldap_method_failover(proto_req);

    Jatin Kone
    - Please rate useful posts -

  • Change the role of the user once authenticated LDAP authentication

    Hi forum,

    I don't know if it is possible; I have not found a solution so far.

    I have a simple web application with LDAP authentication. We would like to use LDAP for authentication and store the user role information in the database. After authentication, LDAP assigns the role "guest" to the user and the home page (the only page available for this role) is displayed.

    On this home page, the user must select a profile (the same user can have multiple profiles) from a list retrieved from the database. Each user profile has an associated role. After selection, we want to change the user's role from "guest" to the role associated with the selected profile.

    I don't think that implementing a custom plug-in fits my needs, because the role assignment requires the participation of the user.

    Any suggestions?

    Thanks in advance,

    Tatiana.

    Hello

    Well, the problem is that you need to change the subject of the authenticated user, which is a JAAS thing to do. The only way this can work is indeed to use a custom LoginModule and then access the user object to add a security principal that represents the role you want to add.

    Frank

  • SSL VPN client authentication

    Currently our ASA is configured to use LDAP for authentication of VPN clients. I have read several books that show how to set up the ASA for LDAP, RADIUS and LOCAL authentication. I want to make use of LDAP and LOCAL authentication, so that if a client connects, it would check local authentication before checking LDAP. Has anyone done this successfully and could share an example config?

    Thank you!

    It looks like double authentication is not what you are looking for. Based on the above condition, you will be better off setting up a tunnel group for your closed user group that uses local authentication exclusively. You can then present the user with a drop-down menu on the auth portal where they choose their desired tunnel group. You can also configure the group URL to direct users to the correct tunnel group. For example, you might have https://vpn.vpn.com/employee and https://vpn.vpn.com/vendor, where the employee TG uses LDAP and the vendor TG uses local auth.

  • DAP using LDAP and attributes of Cisco

    I would like to be able to implement a dynamic access policy whose criteria require that all the following conditions are met:

    Cisco.GroupPolicy = Sales

    ldap.memberOf = Remote_Access

    so that they can have a specific set of access. My connection profile uses a RADIUS server to authenticate and assign the group policy.

    Is it possible to do this? So far, it doesn't seem to work for me.

    Hi Luis,

    If you want to use LDAP attributes in your DAP policy, you will need to use LDAP for authentication or authorization in your tunnel-group.

    Thus you will either have to replace RADIUS with LDAP for authentication, OR keep RADIUS for authentication and add LDAP for authorization on top.

    HTH

    Herbert

  • LDAP attribute on user card match no group

    We currently have AnyConnect (client based) up and running on our ASA 5515-X running 9.5(1). I use AD LDAP for authentication and have configured LDAP attribute maps assigned to our LDAP server config on the ASA. Like many, we use these maps to let the ASA assign a group policy to a user based on AD group membership. Basically I have one AD group for regular VPN users and a group for VPN admin users. It works pretty well, but there are cases where the specific user profile tied to the 'Regular VPN users' group policy does not work for all users of that AD group. I was trying to find a way to adjust the settings for certain users based on the user name. Say a user needs to set up the VPN from an RDP session, but I don't want all users to have that, so I would assign a different group policy\user profile based on the AD username that would allow the VPN from an RDP session. The rest of the users would still be blocked from VPN over RDP. Here is my LDAP attribute map:

    ldap attribute-map <name>
     map-name memberOf Group-Policy
     map-value memberOf "LDAP path"
     map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address

    Now, what I could do with the above configuration, I think, is to create a new group policy on the ASA for a certain group of users and then create a new map-value with a new LDAP path that would point to a new group in AD, say "RDP VPN users". I would then add the users I want to have the AnyConnect group policy\user-specific profile to this particular AD group. But the issue is that I would prefer not to have to create so many groups in AD.

    What I want to know is whether there is a way to have an LDAP attribute map-value path point to a certain AD username somehow. As if the LDAP path were something like "CN=,OU=users,DC=,DC=". This way I could assign a group policy to the majority of users in the "Regular VPN users" AD group, but then assign a different policy to some users who require slightly different settings. Would that allow me to match on a certain user, not an AD group? Does the Group-Policy cisco-attribute-name treat a user as if it were an AD group? I guess not, but I'm not sure. I looked through the list of cisco-attribute-names but didn't see anything that looked like it worked for AD user names.

    Also, if anyone knows a better way please let me know, I am open to suggestions. I hope that makes sense. Thanks in advance to the community for help.

    I think that you need a completely different approach - DAP (dynamic access policies).

    DAP allows a lot of things, and you can create additive policies. So if you are a member of group 'A' you add this URL. If you are also a member of group 'B' you add this ACL. It can also do other things, like checking registry keys, etc.

    The DAP deployment guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

    I pretty much use only DAP now (and no attribute maps) due to the significant increase in flexibility.

  • ICPPX 4.05 and/or call Mgr 4.13 multiple LDAP servers for redundancy

    We run IPCCX 4.05 in high availability (active / standby) and Call Manager 4.13 Pub/Sub. In this configuration, we use AD LDAP for authentication instead of DC Directory (not my choice... things you inherit in life).

    Can Call Manager and/or the IPCCX servers be set up to point to multiple LDAP servers for redundancy?

    Can CM 4.13 and/or IPCCX 4.05 support LDAPS (as I have said, things you inherit)?

    Our sysadmin team took our main DC server, and with it all LDAP search functions broke. Needless to say, they will be setting up LDAP or LDAPS on our main and backup DC in the near future.

    Any information/suggestions/recommendations are appreciated.

    Thank you

    -Scott

    Hello

    This IS possible.

    If the CRS admin web interface (/appadmin) is available:

    1. Log in.

    2. Go to System > LDAP Information.

    3. Type the FQDNs / IP addresses (I recommend the latter) of the LDAP servers, separated by commas (for example, in our lab I have something like "ldapserver.domain.as, 10.1.1.1" - works like a charm).

    4. A window will appear asking whether the LDAP information must be created or whether you just want to add another LDAP server (i.e. the configuration is already there). Choose wisely :-)

    5. Restart the server. No, restarting the CRS engine is not enough.

    If the CRS admin web interface is not available (as you said, Mr. Sysadmin took the DC backend), there is a chance to get rid of this guy ;-) Anyway, there is still a chance that you can make it work. Of course, the LDAP server must already contain the appropriate configuration.

    1. Connect to the CRS server using rdesktop/VNC.

    2. Look for this file: C:\Program Files\wfavvid\properties\directory.properties - it's just a plain text file. Look for this entry: CCNIniFile=c:\\winnt\\system32\\ccn\\ccndir.ini

    In fact, it can be something else too; this is the default path.

    3. That file contains the information we are looking for: LDAPURL 'ldap://10.1.1.1:389, ldap://10.1.1.2:389' and other important things like passwords and base DN.

    Change it according to your needs. :-)

    4. Restart the server.

    Good luck.

    G.

  • HOW TO INTEGRATE NAC INTO LDAP?

    Hello

    I'm integrating my NAC with LDAP. I added the LDAP server using simple authentication, but when I connect as a user from LDAP, it does not authenticate. I followed the Cisco procedure (Add LDAP authentication server using simple authentication). What are the other steps after adding the LDAP server to the list of authentication servers?

    Thank you and best regards,

    Hello

    You must then activate the auth provider on your login pages. Click on User Pages -> Edit -> Content and make sure that the LDAP provider you have set up is checked there.

    HTH,

    Faisal

  • How many devices (MAB) can be authenticated via the internal identity store of ACS 5.3? ACS 1120 (802.1X)

    Hello

    I'm currently looking for a document that specifies the number of MAC addresses that can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store rather than AD or LDAP for MAB authentication in the 802.1X project.

    I would like to know what the impact on the ACS is. CPU/MEM?

    What is the impact on user authentication? Delay, latency, etc.

    Please specify any other restrictions or side effects.

    Thanks for your comments

    Regards

    Hello Torsten,

    I have confirmed on our database as well as this community and the answer is the same

    Refer to:

    https://supportforums.Cisco.com/thread/2101657

    Added additional information:

    Internal Users : 300000 Internal Hosts : 50000

    Best regards.
