ASA Local Authentication Using Active Directory

/ Konkretor / Leave a comment

I had a heck of a time figuring out how to set this up. Cisco’s documentation related to LDAP authentication is all over the place and there isn’t one article that describes just this. If you want to use Microsoft Active Directory to authenticate users locally logging in to the ASA and give them privileged exec access based on a Group, here are the steps.

These steps assume you are using ASDM, but I have attached the CLI equivalents as well.

Prep

  • Create a group in Active Directory that will be used to define access to the ASA. I.e. ASA Admins.
  • Create a service account (password not expiring unless you want to change it in AD and your ASA every month) that will be used by the ASA to bind with AD.

Do it

1. Log in to the ASA with ASDM (CLI steps below)

2. Go to Device…

View original post 1,113 more words

Mount cif share as user

/ Konkretor / Leave a comment

On Ubuntu you need the cifs-utils

apt-get install cifs-utils

Add the share to the /etc/fstab

//10.10.100.10/blob /mount/share cifs username=john,domain=contoso,noauto,rw,users 0 0

set the correct rights for the local user to the mount share.

sudo mkdir /mount/share
sudo chown -R john:john contoso
sudo chmod -R 774 contoso

Mount the share with mount.cifs

mount.cifs  //10.10.100.10/blob /mount/share

Don´t use mount -t cifs

read more here

https://www.strika.co/ubuntu-14-04-how-to-properly-mount-a-cifs-share-as-a-normal-user/

Exchange 2010/2013 – ActiveSync devices are not able to send e-mails sporadically. E-mails with attachment and long conversation history.

/ Konkretor / Leave a comment

Exchange-Fix

Issue:

ActiveSync devices are not able to send e-mails sporadically. E-mails with attachment and long conversation history.

IPhone Error “Message cannot be sent” , “The message was rejected from the server”

Solution:

Browsed to configuration editor of IIS ->Microsoft-Server-ActiveSync Virtual Directory -> select ConfigurationEditor -> system.webServer -> serverRuntime -> uploadReadAheadSize.

Change value to 15728640

Recycle MSExchange ActiveSync AppPool.

Additional Info:

https://www.iis.net/configreference/system.webserver/serverruntime

  • The maxRequestEntityAllowedand uploadReadAheadSize attributes respectively configure limits for the maximum number of bytes allowed in the entity body of a request and the number of bytes a Web server will read into a buffer and pass to an ISAPI extension.

https://support.microsoft.com/en-us/kb/810957

View original post

Manually remove old CA references in Active Directory

/ Konkretor / Leave a comment

Microsoft Security Solutions

directory-icon

Summary

When a CA server is uninstalled or crashes beyond recovery some objects are left in Active Directory. It’s good practice to remove these obsolete objects.

Background

When you install a version of Certificate Authority that is Active Directory-integrated (i.e. Enterprise Root or Enterprise Subordinate) the following 6 objects are created/modified in the Active Directory database:

Name: <CA Common Name>
Type: certificateAuthority
LDAP Path: CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CA certificates that clients can fetch when validating a certificates chain. Certificates can point to this location via the Authority Information Access (AIA) certificate extension.

Name: <CA Common Name>
Type: crlDistributionPoint
LDAP Path: CN=<CAServerName>,CN=CDP,CN=Public Key Service,CN=Services,CN=Configuration,DC=DC=example,DC=com
Used for: Contains CRLs (base and delta) that CAs has published in the AD. Certificates can point to this location via the CRL Distribution Point (CDP) certificate extension.

Name: <Root CA Common…

View original post 706 more words

Always On VPN and Windows Server 2019 NPS Bug

/ Konkretor / Leave a comment

Richard M. Hicks Consulting, Inc.

When deploying a Windows Server 2019 Network Policy Server (NPS) to support a Windows 10 Always On VPN implementation, administrators may encounter the following error when attempting to establish a VPN connection on a remote Windows 10 client.

Can’t connect to [connection name].

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Always On VPN and Windows Server 2019 Network Policy Server Bug
In addition, an event ID 20227 from the RasClient will be recorded in the application event log with the following error message.

The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 812.

Always On VPN and Windows Server 2019 Network Policy Server Bug

Common Causes

Always On VPN error code 812 indicates an authentication policy mismatch…

View original post 276 more words

unifi dynamic vlan with nps

/ Konkretor / Leave a comment

NPS with dynamic vlan is working fine, but you have restrictions.

You can use dynamic vlan only when it´s not used by a another network.

Look below, 1, 5, 1 is used, now you can´t use this in your dynamic vlan configuration with nps.

Under profiles you must enable radius assigned vlan for wired/wireless network in your radius profile

How to configure dynamic vlan with nps, you can look here
http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_18.html

Dynamic VLAN Assignment (Cisco and NPS)

/ Konkretor / Leave a comment

Mike Pemberton's Blog

In an earlier post we used 802.1x to authenticate users into the network and assign them into a VLAN based on either a successful or unsuccessful authentication as well as a VLAN for clients who did not send an initial EAPOL message. While this can be quite useful, it can also be quite restrictive – what if we wanted different authenticated users into different VLANs rather than just the authenticated VLAN? This is entirely do-able. An example use case would be having be an office with several hot desks, used by various departments, but a compliance restriction that places heavy restrictions on network access into particular resources such as HR, finance and so on. It would be an administrative headache to keep logging into the switch each time to change the VLAN depending on who was sat at these hot desks for the day, so we can leverage 802.1x to do…

View original post 468 more words

Filter or LDAP filter

/ Konkretor / Leave a comment

Richard Siddaway's Blog

Many of the Microsoft AD cmdlets have a –Filter and an –LDAPFilter parameter. So what’s the difference?

PS> Get-Help Get-ADUser -Parameter *Filter*

-Filter <String>
Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression
Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, see about_ActiveDirectory_Filter.

-LDAPFilter <String>
Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description and the about_ActiveDirectory_Filter.

This means you have two ways to approach a problem. Lets think about finding a…

View original post 171 more words