  • 1.  UAM and Windows 802.1x user login format issue

    Posted Feb 15, 2013 03:21 AM

    Hello All,

    I have a question about the user login format within the following setup:

    - UAM successfully integrated with AD
    - Windows 7 64-bit and Windows XP SP3 are used as the 802.1x supplicants
    - NO iNode 802.1x Client should be used, because of the project implementation solution/restriction

    By default iMC UAM accepts the following user login format from the switch:

    LOGIN@DOMAIN.COM

    This format is used with success for UAM on Windows 7 or XP via the 802.1x pop-up user login window by strictly typing the required user logon format - everything is fine, but...


    Our client has NOT agreed to use:

    - iNode for Windows 7 or Windows XP
    - 802.1x pop-up windows for authentication after logon to the domain PC


    He wants to enter credentials ONLY ONCE (using ONE SCREEN) at the Windows Domain Logon screen. In this way the username is always sent from the Windows native supplicant as:

    LOGIN\DOMAIN.COM

    Of course this user login format is not acceptable for UAM and authentication failed - only logon to the PC is possible, without access to the 802.1x network.

    As a workaround, SSO was turned on for Windows 7 64-bit. It gives the possibility at the Windows Domain Logon screen to provide credentials both for the PC domain account and the 802.1x UAM account, but in the login@domain.com format acceptable for UAM.
    It works fine, but anyway SSO is only a partial solution - it is not available in Windows XP SP3!

     

    So please advise what to do:

    - can UAM CONVERT the Windows native supplicant user login format from the received LOGIN\DOMAIN.COM to LOGIN@DOMAIN.COM???


    The following UAM option: "Username Prefix Conversion Mode->remove->change to suffix" with our account/domain prefixes was tested without success.


    Please provide quick reply if possible!!! Thank you

    BR,
    Michal



  • 2.  RE: UAM and Windows 802.1x user login format issue

    Posted Feb 19, 2013 05:12 PM

    Hi,

     

    Try to keep a separation between the Windows term domain and the HP/iMC term domain.

     

    The switches and IMC will use the domain suffix to identify/recognize that a login should be processed by a different backend auth system (like different radius servers for instance).

    This allows you to distinguish on the switch:

    * 802.1x user auth (can be sent to e.g. radius1)

    * mac auth (can be sent to e.g. radius2)

    * management auth (can be sent to e.g. radius3)

     

    In this context, you do not need to replicate the Windows domain into the network auth domain. You just need to get rid of the Windows domain prefix for UAM to recognize the user.

    This is what the replacement option should do for you, so I would recommend to re-verify that option.



  • 3.  RE: UAM and Windows 802.1x user login format issue

    Posted Feb 22, 2013 01:23 PM

    Hi,

     

    I just did a similar lab setup and I can only confirm what you see.

    The IMC UAM does accept a plain username (john) or a username@domain format (john@domain.local), but not the built-in Windows supplicant format (domain\john).

     

    I have tried the ldap sync options:

    * OU based

    * AD Group based

    No change.

     

    I have tried the PEAP mschap integration option server type:

    * windows 2003

    * windows 2008

    Both failed.

     

    Tried the UAM system settings of username prefix (remove or use), both options failed again.

     

    All debugging shows that the UAM does not recognize the domain\user format as the account 'user', therefore just rejecting the authentication request.

     

    Manually creating a user domain\username is not supported.

     

    The computer accounts cannot be synced either (due to the ending $ sign, which is rejected, but the $ sign does not appear in the reported invalid character list...).

     

    At this point I do not have any other suggestions, and would open a case with HP.

     

    Best regards, Peter



  • 4.  RE: UAM and Windows 802.1x user login format issue

    Posted Feb 25, 2013 10:56 AM

    Hi Peter,

     

    Many thanks for your effort. I am confused why the most popular OS (Windows XP, 7) is not fully supported by UAM - maybe iMC v5.2 will change it.

    We must change our project assumptions and use iNode. Anyway, do you know if the iNode 802.1x version is available and stable for Windows Vista and Windows 8?

     

    BR,

     

    Mike



  • 5.  RE: UAM and Windows 802.1x user login format issue

    Posted May 17, 2013 10:45 AM

    Hello Mike.

     

    I can confirm that the same problem exists with iMC 5.2

    There are no changes in 5.2 in regard to this issue.

     

    There is one implication about iNode you should be aware of:

    if you switch iNode client to autostart it will request to disable Windows UAC.

     



  • 6.  RE: UAM and Windows 802.1x user login format issue

    Posted May 19, 2013 03:27 PM

    I can also point to the active iMC user community here:

    http://www.netopscommunity.net/

    and I created a topic about the issue there as well, as you can see from the answers:

    http://www.netopscommunity.net/forums/-/message_boards/view_message/61825#_19_message_61486

    This issue is not fixed and I am going to create a ticket with HP tomorrow.

    When I receive the ticket number I am going to post it here and in the netops forums as well, so all of you who had the same issue can add your input or refer to it.

     



  • 7.  RE: UAM and Windows 802.1x user login format issue

    Posted Jul 04, 2013 02:05 PM

    Hi,

     

    we also have this issue, although we upgraded to UAM 5.2 (E0402P5) today.

     

    The LDAP Server is configured as follows:

     

    • Account Triming: Trim Prefix
    • Delimiter: \

     

    When changing the UAM System Parameter "Username Prefix Conversion Mode" from "Change to Suffix" to "Remove", only the logged error changes from E63053::Invalid authentication type. to E63032::Incorrect password. The user will be added into blacklist.

     

    The Microsoft AD Domain Controller runs W2K8R2.

     

    Has anyone solved this issue?

     

    Regards, Leonardo

     


    #iMCUAM802.1xWindows
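
The identity formats discussed in this thread, as an added example that is not part of any post and is not iMC UAM code: a small normaliser showing what a RADIUS-side account lookup would need from a `domain\john` identity under a "remove" or "change to suffix" rewrite. The function names and mode strings are hypothetical, and the behaviour is an assumption about what those option labels are meant to do, not a description of what UAM does.

```python
PREFIX_DELIMITER = "\\"  # delimiter quoted in the thread's LDAP settings
SUFFIX_DELIMITER = "@"


def split_identity(identity):
    """Return (user, realm, style) for an 802.1X identity string."""
    identity = identity.strip()
    if PREFIX_DELIMITER in identity:
        # Windows native supplicant form: realm first, then the account name.
        realm, _, user = identity.partition(PREFIX_DELIMITER)
        style = "prefix"
    elif SUFFIX_DELIMITER in identity:
        user, _, realm = identity.rpartition(SUFFIX_DELIMITER)
        style = "suffix"
    else:
        user, realm, style = identity, "", "plain"
    # Reject empty halves instead of looking up a blank account name.
    if not user or (style != "plain" and not realm):
        raise ValueError(f"malformed identity: {identity!r}")
    return user, realm, style


def normalise(identity, mode="remove"):
    """Rewrite a prefixed identity; plain and suffixed forms pass through."""
    user, realm, style = split_identity(identity)
    if style != "prefix":
        return identity.strip()
    if mode == "remove":
        return user
    if mode == "change_to_suffix":
        return f"{user}{SUFFIX_DELIMITER}{realm}"
    raise ValueError(f"unknown mode: {mode!r}")


def is_machine_account(identity):
    """Computer accounts carry a trailing '$' on the account name."""
    user, _, _ = split_identity(identity)
    return user.endswith("$")


if __name__ == "__main__":
    # Constructed sample identities, not captured from a real network.
    for sample in ("domain\\john", "john@domain.local", "john", "DOMAIN\\PC01$"):
        print(sample, "->", normalise(sample, "remove"), "|",
              normalise(sample, "change_to_suffix"),
              "| machine:", is_machine_account(sample))
```

Comparing the rewritten identity against the account name the server logs for a rejected request shows quickly whether the prefix was actually stripped before the lookup.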