
MSM765 + WINDOWS AD

Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Hi! Here is the screenshot.
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

OK, I see that I was wrong. Everything seems fine with your VSC and AD setup. Well then we will have to go deeper in order to figure out what's going on. Can you do the following:

Can you start the extra RADIUS/AD debug in Tools > System Tools, put in place an external/remote syslog to make sure all the info is captured, and also start a trace on 127.0.0.1, RADIUS port 1645 (the MSM controller loopback interface and internal RADIUS server)?

And then post/attach the captured remote syslog and trace, as well as the SW version number that you are using, so that we can have more details around what's going on within the controller?
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Here is the log file.
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Generally I don't understand how to get it working one day. Theoretically it's all clear to me. But..
Just a few words in addition:
The official HP Installation guide says that a controller which is joined to AD "retrieves the names of all the active directory groups of which the user is a member". Prior to that it says that we should define group attributes with the same names as the OU containers on the Domain controller. My user belongs to OU = IT (and this attribute is defined). In all ways the controller should pass through this to find out whether the user belongs to this group. Furthermore, if I deactivate the DEFAULT GROUP the user becomes unknown (invalid), but it is found in AD (the attached log shows this). If I turn it back on I receive "A:Login OK" but then an access reject......
In addition, I liked the "Egress VLAN" feature in the attributes configuration because my users are in different OUs and I want these OU users to connect to the network with their "wired" DHCP range and existing VLAN..
But how to get it working....
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

My assessment from the log and the screen captures is that the system does not find the proper group that matches your user and rejects the authentication because it cannot find the attributes to be applied.

The name of the groups that you configure in the Authentication > Active Directory page MUST absolutely match what is returned by your Active Directory server.

It seems from the more detailed log that your Active Directory server returns groups like "GIT", "(MX) Administrators", "(MX) IT Group", "DIAL IN", "(MX) All Employees", "(MX) TO", "(MX) HD" and "GRASIT" for your user.

The issue is that none of these group names correspond to a profile in your MSM Active Directory page, which defines groups like "it", "departments", and "users". Try renaming the "it" group on the MSM controller to "GIT", or whatever name corresponds to a real Active Directory group returned by your server, to see if that works.

I strongly suspect this is why the system cannot match the user attributes and refuses the authentication.

Again, to match the user attributes, the MSM controller must have an EXACT match between what's returned from the Active Directory server and what has been configured as a group locally on the MSM controller.
Pavel Chelisant
Advisor

Re: MSM765 + WINDOWS AD

Just this morning I parsed the log file one more time and did as you advised. And it all WORKED. The documentation made me a bit confused because it said there (as far as I could understand) that groups should match the OU containers... I consulted with my DOMAIN admin and he had provided me the OU names without the "G". Nevertheless, thank you very much for your help.
One more thing: egress VLAN directly from the GROUP ATTRIBUTE page doesn't work; it only works if I assign an account profile and put the VLAN there...
Is it ok?
Fred!
Trusted Contributor

Re: MSM765 + WINDOWS AD

Not supposed to happen. When you click on the checkbox next to Egress VLAN in the group attribute and specify a VLAN it should override any potential assignment in the account profile.

Actually a pretty good feature of the product is to be able to "see" the result in the effective attributes. I have attached an example.

So I would say make sure the checkbox next to the VLAN is on, that you don't have an account listed, and that the result window shows the actual VLAN that will be assigned.

If you have all that, then it should work and the VLAN should get assigned.