11-05-2014 11:23 AM
Hi,
I want to migrate a PCM+/IDM 4.2 to an IMC/UAM 7.0, but I have a problem with computer authentication.
The user accounts are synchronized from the customer's Active Directory, and I use EAP-PEAP for authentication; this is OK, it works well, no problem.
But I also have to authenticate the computers, and when I synchronize with the AD (cn=computer), the computer name is imported the same as a simple user.
And the machine authentication doesn't work, because it is seen as a user authentication without a password...
When I manually create a user account with the computer option check box ticked, it's OK, the machine authentication works well.
I can't create all the computer accounts, because there are a lot of computers.
What can I do, when I import the computer names from the AD, to change the account type to computer account in IMC/UAM?
I tried to import a file with the batch function, but it creates user accounts; it's not possible to create computer accounts...
Thanks a lot.
PS: With PCM+/IDM, I don't have the problem and I don't use EAP-TLS.
11-06-2014 11:01 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
Hi,
I will ask a few experts and see what they recommend...stay tuned. :)
LM
11-06-2014 11:50 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
Thank you very much, this is very nice! :-)
11-06-2014 03:37 PM - edited 11-06-2014 03:55 PM
Re: Computer account issue in IMC/UAM for 802.1x authentication
I had this very same problem, so curious to hear another answer/opinion on this - I was on the phone with HP as we tried to work through this but couldn't get them to synchronize and authenticate by LDAP.
Here's what I tried:
Need to set up an ldap synch for hosts. Which means you need a filter condition like this:
(&(objectclass=computer)(dNSHostName=*)(accountExpires>=now))
because workstations look different in LDAP. Then I created a policy using eap-peap/mschapv2. Because hosts come across as host/<hostname.domain.net> or whatever your domain is - and yes the slash is the other way from domain\user, so unclear as to whether the prefix filters work properly - and you need a suffix in a service to use the policy.
For whatever reason the above, which looks like it should work, did not authenticate. In PCM it's all MS NPS, so it reads AD fine for users and workstations. But in LDAP the credentials work differently for hosts. Maybe I got the certificate type wrong.
I could only get the imc computer user to work. I really just need to make sure the trusted machines do authenticate, so it can connect users to domain controllers. And I can remote into them. You may have additional requirements.
But sounds like you already tried this:
Set up the computer account. Create a PEAP service for it, point to an EAP-PEAP policy.
Then configure the virtual computer in IMC User>User Access Policy >Service Parameters> System Settings>Domain Controller-Assisted PEAP Authentication.
The workstations show up in online users as Account Name: computer, Login Name: <hostname>, Username: computer, so you can at least see them as separate line items and track them. But not as separate "accounts"
And only one domain is supported...
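Added example (not part of the post above, and not IMC/UAM code): a Python sketch of the two details the post touches on, the `host/<hostname.domain>` identity that workstations present versus `domain\user`, and a computer-object filter in standard LDAP syntax, where `accountExpires` is compared against an integer count of 100-ns ticks since 1601 and 0 also means "never expires". The function names and sample identities are hypothetical, and whether IMC's sync filter field accepts this form is an assumption the thread does not confirm.

```python
from datetime import datetime, timezone

# 100-ns ticks between 1601-01-01 (AD/FILETIME epoch) and 1970-01-01 (Unix epoch)
EPOCH_DIFF_TICKS = 116444736000000000

def to_filetime(dt):
    """Convert a timezone-aware datetime to AD's integer timestamp format."""
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF_TICKS

def computer_filter(now):
    """Build a filter for computer objects that have a DNS name and are not expired.

    accountExpires=0 means "never expires" and would fail a plain >= test,
    so it is OR-ed in; the other "never" value (2**63 - 1) passes >= anyway.
    """
    ft = to_filetime(now)
    return ("(&(objectClass=computer)(dNSHostName=*)"
            f"(|(accountExpires=0)(accountExpires>={ft})))")

def classify_identity(identity):
    """Split an 802.1X identity string into (kind, name, realm)."""
    if identity.lower().startswith("host/"):
        # Machine authentication: host/<hostname>.<dns domain>
        host, _, realm = identity[5:].partition(".")
        return ("computer", host, realm)
    if "\\" in identity:
        # Down-level user logon name: DOMAIN\user
        realm, _, user = identity.partition("\\")
        return ("user", user, realm)
    if "@" in identity:
        # UPN-style user: user@domain
        user, _, realm = identity.rpartition("@")
        return ("user", user, realm)
    return ("user", identity, "")

if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread
    for ident in ("host/PC042.corp.example.net", "CORP\\alice",
                  "alice@corp.example.net"):
        print(ident, "->", classify_identity(ident))
    print(computer_filter(datetime.now(timezone.utc)))
```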
11-07-2014 05:03 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
This is exactly what I tried, but the computer can't be authenticated....
11-07-2014 09:21 AM - edited 11-07-2014 09:25 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
I have these settings for adapter 802.1x:
Auth method: Microsoft EAP (PEAP)
> Settings: Validate server certificate checked - Trusted root cert auth checked - your windows domain checked (would not work without this set - with PCM I left validate cert unchecked and it worked ok)
> Auth method secured password EAP mschapv2 > configure use my windows credentials is checked, enable fast reconnect checked
Advanced settings > Specify auth mode > user or computer authentication
Also maybe you missed this step:
User>User Access Policy>Service Parameters>Certificate > Root Certificate > import EAP root certificate your domain root certificate - I think the virtual computer needs this as well as validate above to match
If screen shots would help let me know and I'll upload...
11-12-2014 01:21 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
NeilR thank you,
My goal is to make no change in the configuration of the computers. But I see that it is not possible to do machine authentication without a certificate.
Can you send me the screen shots of the configuration for machine authentication with a certificate?
Thank you.
PS: I didn't miss this step: User>User Access Policy>Service Parameters>Certificate > Root Certificate > import EAP root certificate your domain root certificate - I think the virtual computer needs this as well as validate above to match.
PS: The Auth method secured password EAP mschapv2 for AD user accounts works well.
11-12-2014 11:33 AM - edited 11-13-2014 12:55 PM
Solution
I agree with the goal to minimize configuration change on computers. My goal also.
But you will need to make 802.1x settings active.
These changes can easily be set, and enforced, by a Windows Policy Object in the Active Directory, set by OU.
Users can be prohibited from changes if desired.
The attached PDF shows the client adapter setup, UAM user configuration, UAM service and policy configurations, and access details for user and computer, and telnet session to switch.
I am using Procurve 2910 series switches with recent firmware.
Update: Added screen shots of AD CA - I think they are pretty generic
11-14-2014 02:20 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
Thanks a lot NeilR.
11-23-2014 06:03 AM
Re: Computer account issue in IMC/UAM for 802.1x authentication
Hi Neil!
Thanks for your info!!!
Can you please send us the LDAP Server and LDAP Sync Policy setup info? I wonder because the machine account in your example was named just "Computer" for the User Name, ID Number and Account Name... So you have a lot of Computer users in your User List? I mean the accounts all look the same?
I used UAM 7.1 and the machine user looks very different in our case... Does not work right now either. Struggle with the MSCHAPv2 Certificate verification against the MS AD.
I heard that only EAP-TLS-AuthN (with Client Certs) is supported and works and wonder how this can work for you?
Thanks a lot!
Andreas