10-31-2011 12:17 PM
Active Directory group issue after applying 5.5.3
This all seemed to work fine on 5.5.1 but had to upgrade to 5.5.3 due to an AP firmware corruption issue I was having under 5.5.1 that was slowly killing my APs.
The problem I'm seeing is as follows. 2 VSCs defined, SECURE and GUEST. SECURE is authentication only, authenticating over 802.1x against AD. Guest is authentication and access control authenticating over http also against AD.
SECURE - VSC configured for auth over 802.1x, users are member of HP_SECURE group in AD
GUEST - VSC configured for auth/access control over http, users are member of HP_GUEST group in AD
If a user is a member of one or the other group then the corresponding VSC works perfectly fine. The problem is when a user is a member of BOTH of the created AD groups. When a user is a member of both then the group on the top of the list in the "Active directory settings" page at Controller -> Authentication -> Active Directory works, but no other group works. Basically it seems that if a user is a member of 2 groups where one group is set for "Access Control" and the second group is NOT set for "Access Control" then whichever group is at the top of the list will work.
I can replicate this very easily by adding a user to both groups, then that user can only authenticate if the group is at the top of the "Active Directory Settings" list. If the user is removed from either group and is left with only one group defined in the AD Settings list then the respective VSC works fine.
Is this a known issue or just how it all works under 5.5.3 now?
- Tags:
- LDAP
11-02-2011 11:28 PM
Re: Active Directory group issue after applying 5.5.3
As per the manuals this is the normal behavior, check below from the "Management and Configuration Guide" please:
Once a user is authenticated by Active Directory, the controller retrieves the names of all the active directory groups of which the user is a member.
If the user is a member of only one Active Directory group, and that group name appears in the list, the controller applies the attributes from that group.
If the user is a member of more than one Active Directory group, the controller applies the attributes from the matching group name with the highest priority (highest in the list).
If no match is found, the attributes defined for one of the default groups are applied as follows:
If the VSC the user logged in on is access-controlled then the Default AC Active Directory group is used.
If the VSC the user logged in on is not access-controlled then the Default non AC Active Directory group is used.
Does that confirm your findings? ;)
Kind Regards,
Islam
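The selection rule quoted from the guide, modelled as an added example (not part of the original posts and not controller code). The group names come from the thread; the per-group access-control flag, the mismatch check and the user names are assumptions built from the first post's description, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ADGroup:
    name: str
    access_controlled: bool  # assumed: the group's "Access Control" setting

DEFAULT_AC = ADGroup("Default AC", True)
DEFAULT_NON_AC = ADGroup("Default non AC", False)

def select_group(priority_list, memberships, vsc_is_ac):
    """Return the highest-priority configured group the user belongs to.
    As quoted from the guide, the VSC type only matters when nothing matches."""
    for group in priority_list:
        if group.name in memberships:
            return group
    return DEFAULT_AC if vsc_is_ac else DEFAULT_NON_AC

def selected_group_fits_vsc(priority_list, memberships, vsc_is_ac):
    """Assumed check: does the selected group's access-control setting
    match the type of VSC the user logged in on?"""
    chosen = select_group(priority_list, memberships, vsc_is_ac)
    return chosen.access_controlled == vsc_is_ac

def find_conflicted_users(priority_list, users):
    """Audit helper: users matching configured groups with differing
    access-control settings, so list order decides which VSC fails."""
    configured = {g.name: g.access_controlled for g in priority_list}
    conflicted = []
    for user, memberships in sorted(users.items()):
        flags = {configured[m] for m in memberships if m in configured}
        if len(flags) > 1:
            conflicted.append(user)
    return conflicted

# Constructed sample data mirroring the two VSCs in the thread.
HP_SECURE = ADGroup("HP_SECURE", False)  # 802.1x VSC, authentication only
HP_GUEST = ADGroup("HP_GUEST", True)     # HTTP login VSC, access controlled
USERS = {
    "alice": {"HP_SECURE"},
    "bob": {"HP_GUEST"},
    "carol": {"HP_SECURE", "HP_GUEST", "Domain Users"},
}

if __name__ == "__main__":
    order = [HP_SECURE, HP_GUEST]
    print("carol, SECURE VSC:", selected_group_fits_vsc(order, USERS["carol"], False))
    print("carol, GUEST VSC: ", selected_group_fits_vsc(order, USERS["carol"], True))
    print("conflicted users: ", find_conflicted_users(order, USERS))
```

Running the audit helper over an export of group memberships before a firmware upgrade or a reorder of the group list shows which accounts will lose one of the two VSCs.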
11-03-2011 08:15 AM
Re: Active Directory group issue after applying 5.5.3
Sorry, I should have mentioned that I have read the documentation and found that exact entry.
I'll refine my question, here we go.
If a user is a member of 2 groups, one group being assigned to an access-controlled VSC and another group being assigned a non-AC VSC, will that user only ever be able to join whichever VSC is in the top of the list? If this is the case, then this is working as designed?
I think it's kind of funny that in this situation a user would be completely excluded from using a VSC that they are clearly a member of through no fault of that group or how it was set up. Being a member of 2 groups I'd think should give access to any VSCs they are bound to, regardless if either are access controlled or not or the order in the group list. If I set up 2 VSCs with corresponding groups, one access controlled for guest usage and general Internet surfing and the other one set up for secure 802.1x authentication and no access control, then you will only ever be able to use the VSC that is highest in the list, the other VSC in the second spot on the list will give you an access denied message.
Weird.