10-31-2011 12:17 PM
Active Directory group issue after applying 5.5.3
This all seemed to work fine on 5.5.1 but had to upgrade to 5.5.3 due to an AP firmware corruption issue I was having under 5.5.1 that was slowly killing my APs.
The problem I'm seeing is as follows. 2 VSCs defined, SECURE and GUEST. SECURE is authentication only, authenticating over 802.1x against AD. Guest is authentication and access control authenticating over http also against AD.
SECURE - VSC configured for auth over 802.1x, users are member of HP_SECURE group in AD
GUEST - VSC configured for auth/access control over http, users are member of HP_GUEST group in AD
If a user is a member of one or the other group then the corresponding VSC works perfectly fine. The problem is when a user is a member of BOTH of the created AD groups. When a user is a member of both then the group on the top of the list in the "Active directory settings" page at Controller -> Authentication -> Active Directory works, but no other group works. Basically it seems that if a user is a member of 2 groups where one group is set for "Access Control" and the second group is NOT set for "Access Control" then whichever group is at the top of the list will work.
I can replicate this very easily by adding a user to both groups, then that user can only authenticate if the group is at the top of the "Active Directory Settings" list. If the user is removed from either group and is left with only one group defined in the AD Settings list then the respective VSC works fine.
Is this a known issue or just how it all works under 5.5.3 now?
- Tags:
- LDAP
11-02-2011 11:28 PM
Re: Active Directory group issue after applying 5.5.3
As per the manuals this is the normal behavior, check below from the "Management and Configuration Guide" please:
Once a user is authenticated by Active Directory, the controller retrieves the names of all the active directory groups of which the user is a member.
If the user is a member of only one Active Directory group, and that group name appears in the list, the controller applies the attributes from that group.
If the user is a member of more than one Active Directory group, the controller applies the attributes from the matching group name with the highest priority (highest in the list).
If no match is found, the attributes defined for one of the default groups are applied as follows:
If the VSC the user logged in on is access-controlled then the Default AC Active Directory group is used.
If the VSC the user logged in on is not access-controlled then the Default non AC Active Directory group is used.
Does that confirm your findings? ;)
Kind Regards,
Islam
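A simplified model of the selection rule quoted from the guide above, added here as an illustration; it is not HP's controller code and not part of the original posts. The check in `login_allowed` (the selected group's Access Control setting must match the VSC type) is an assumption drawn from the behaviour reported in this thread, and the function names and sample directory are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ADGroup:
    name: str
    access_controlled: bool  # the group's "Access Control" setting


# Constructed configuration mirroring the thread; list order = priority.
GROUP_LIST = [ADGroup("HP_SECURE", False), ADGroup("HP_GUEST", True)]
DEFAULT_AC = ADGroup("Default AC", True)
DEFAULT_NON_AC = ADGroup("Default non AC", False)

# Constructed sample directory data: user -> AD group memberships.
DIRECTORY = {
    "alice": {"HP_SECURE"},
    "bob": {"HP_GUEST", "Domain Users"},
    "carol": {"HP_SECURE", "HP_GUEST"},
}


def select_group(member_of, group_list, vsc_access_controlled):
    """Rule from the guide: the highest list entry the user belongs to wins;
    with no match, the default group for the VSC type is used."""
    for group in group_list:
        if group.name in member_of:
            return group
    return DEFAULT_AC if vsc_access_controlled else DEFAULT_NON_AC


def login_allowed(member_of, group_list, vsc_access_controlled):
    """Assumption (from the poster's observation, not from the guide): login
    succeeds only if the selected group's Access Control setting matches
    the VSC the user is connecting to."""
    group = select_group(member_of, group_list, vsc_access_controlled)
    return group.access_controlled == vsc_access_controlled


def shadowed_users(directory, group_list):
    """Audit: users in more than one configured group, mapped to the
    lower-priority groups whose attributes are never applied to them."""
    report = {}
    for user, member_of in directory.items():
        matches = [g.name for g in group_list if g.name in member_of]
        if len(matches) > 1:
            report[user] = matches[1:]
    return report


if __name__ == "__main__":
    carol = DIRECTORY["carol"]
    print("SECURE (non-AC):", login_allowed(carol, GROUP_LIST, False))
    print("GUEST (AC):", login_allowed(carol, GROUP_LIST, True))
    print("Shadowed:", shadowed_users(DIRECTORY, GROUP_LIST))
```

Running `shadowed_users` over an export of group memberships before an upgrade lists the accounts that will be limited to the VSC of their highest-priority group.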
11-03-2011 08:15 AM
Re: Active Directory group issue after applying 5.5.3
Sorry, I should have mentioned that I have read the documentation and found that exact entry.
I'll refine my question, here we go.
If a user is a member of 2 groups, one group being assigned to an access-controlled VSC and another group being assigned a non-AC VSC, will that user only ever be able to join whichever VSC is in the top of the list? If this is the case, then this is working as designed?
I think it's kind of funny that in this situation a user would be completely excluded from using a VSC that they are clearly a member of through no fault of that group or how it was set up. Being a member of 2 groups I'd think should give access to any VSCs they are bound to, regardless if either are access controlled or not or the order in the group list. If I set up 2 VSCs with corresponding groups, one access controlled for guest usage and general Internet surfing and the other one set up for secure 802.1x authentication and no access control, then you will only ever be able to use the VSC that is highest in the list, the other VSC in the second spot on the list will give you an access denied message.
Weird.