The log shows "EAP NAK received. Client requesting EAP protocol 0,25 for username testuser" This means the client sent a NAK and requested EAP protocol 25(PEAP) to the SBR. These sequence is like below Client SBR Request --------------> <-------------- offer EAP (not PEAP) NAK --------------> <-------------- Reject It seems PEAP protocol didn't be enabled in the SBR. The SBR seems to offer another EAP protocol to the Client in the previous transaction. Please check whether the peap protocol is enable in the setting 'Order of Methods' of SBR GUI. ... View more

I think you are mixing up 802.1x authentication and windows logon (novell logon) If your requirement is 802.1x and user based VLAN assignment, IC can do it by using TLS and PEAP. As for TLS, IC can assign VLAN by a user client certificate. As for PEAP, IC can assign VLAN by User name. I think you want to also make novell logon successful. This means you want to make a 802.1x authentication before novel logon. For the solution of this issue, Windows7's supplicant has two feature, Machine auth and single sign on. If you want to use TLS, you use Machine auth. Machine auth can complete 802.1x authentication before novel logon. If novell supports Windows7's single sign on, you can use PEAP. This solution makes both novel logon and 802.1x at the same time. ... View more

Hi You can use TTLS(JUAC) protocol instead of TLS. TTLS is a password based protocol and additionally can define various Host Checker policies. Host Checker can check Antivirus, Firewall, process, files, and also Machine Certificate. If you enable this policy, both password and Machine Certificate will be checked in 802.1x authentication. I guess this option can meet your requirement. See the section 'Specifying Customized Requirements Using Custom Rules' in the Administration Guide. ... View more

Hi Regardless of agent mode of agentless mode, Regardless of whether a user is in idle or not, A host checker periodically communicates with IC at the Heartbeat Interval. When Max Session Length is expired, In agentless mode, A user have to login again. In agent mode, OAC will do re-authentication in the background. When Heartbeat Timeout is expired, The situation is the same as the Max Session Length. ... View more

That's a known issue. The GUI are refusing a 2048-bit certificate. The SBR itself can load a 2048-bit certificate, you can directly replace the certificates in radius directory. The SBR saved a server certificate as a PFX file, you have to make up a PFX server certificate. The cert.cer and the server.sbrpvk file can't be merged into a PFX file You have to create a CSR by other CSR requester, like a windows IIS. ... View more

Hi You can see a sample config in the next thread to this. Another person was asking same things you wanted to know. Please check the next thread "RE: Help on UAC with 802.1x authentication" ... View more

HI No.3's advantages are You don't need to register any user entry to IC or domain for IC's authentication . All users can use own windows username and password for IC's authentication. This prevent users from having a new password and prevent you from registration work. If the customer has already had own AD, you can add IC to their network quit easily. No.1's disadvantages are You need to register all user entry to IC. All users have to memorize an additional username and password for IC's authentication. No.2's disadvantages are You need to register all user entry to AD. If user's laptop didn't join a domain, you can't benefit from Odysey's one feature. If the user join a domain, odyssey client automatically recognize windows username and password from the OS. And automatically set it to Odyssey's setting during installation. if user's laptop didn't join a domain, users have to enter a username and password to Odyssey's setting at first configuration. ... View more

Hi What are you looking for ? ... View more

Hi The cisco's VPN server can't be as a enforcer. You need to add Juniper SSG or SRX as a enforcer. After establishing VPN connection, you need to check policy through this FW. ... View more

Hi You can't export the profile. Odyssey save profiles in windows registry. You can see the all profile data in the registry below. HKEY_CURRENT_USER\Software\Funk Software, Inc.\Odyssey\client\profiles The users password is encrypted in the registry You can't see the original password value. ... View more

Hi The Administration and Configuration Guide describes that functions. Chapter 37 Overview of the Optional Session Control Module on page 557. http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc72/bookpdfs/sw-sbrc-admin.pdf You will understand how the DM feature work in SBR. ... View more

Hi The Bind authentication is just sending a username and a password to LDAP. To search username and to compare password is role of LDAP server. Thus, LDAP server determines which of the password field is used for Bind. If you can change the field, you have to use Steel-Belted Radius instead of UAC. SBR can use BindName instead of Bind. In the case of Bindname, SBR compares the value of the password returned from the LDAP database with the password from the incoming Access-Request. If the two values are the same, the password is considered validated. You can also configure manually which LDAP field is got form LDAP as Password value,_so you can change the field which is used by Radius server to authenticate users. Message Edited by zopilote on 10-07-2009 06:53 PM ... View more

Hi The UAC is just attempting authentication to LDAP by using NTLM, if you chose the server type as "Active Directory". Thus you need to change it by LDAP configuration. Even if you change the server type as "LDAP server", The UAS attempt authentication by using BIND, you also need to change it by LDAP configuration. ... View more

Hi I think you are using PEAP protocol. In PEAP and TTLS protocol, two users exist, inner user and outer user. The outer user is used for establishing securely encrypted tunnel. The inner user is actually used for authentication through the tunnel. And the check list is applied only at inner authentication. The reason that the check list isn't applied if using PEAP or TTLS is Most adjunctive attributes, stuff like Colubris-AVPAIR, NAS-Identifier, are attached to outer user. Thus, the check list can't find these attributes. If you want to check these attributes, you must enable "Request filters" feature. The Request filters can copy outer attributes to inner authentication. The configuration steps are below 1. Open the admin GUI. 2. Create a new filter, Select "allow", Specify the attribute name you want to copy. 3. When you finished, Click "Authentication Policies, Double click "PEAP" Select "Request Filters", enable "Transfer Outer Attribs to New" and "Transfer Outer Attribs to Continue" and select the filter you created. If the check list still doesnÍt be applied, change the LogLevel to 2 and the TraceLevel to 1 in the radius.ini. then, Check the debug log starting with "Tunneled Authentication Request", you can detect whether the attributes are copied to inner authentication. 04/02/2009 11:30:47 ----------------------------------------------------------- 04/02/2009 11:30:47 Tunneled Authentication Request 04/02/2009 11:30:47 Packet : Code = 0x1 ID = 0x32 04/02/2009 11:30:47 Client Name = <ANY> Dictionary Name = Radius.dct 04/02/2009 11:30:47 Vector = 04/02/2009 11:30:47 000: 478c56d2 43358b89 ad959947 16ffbfcb |G.V.C5.....G....| 04/02/2009 11:30:47 Parsed Packet = 04/02/2009 11:30:47 User-Name : String Value = testsuser 04/02/2009 11:30:47 User-Password : String Value = <suppressed> 04/02/2009 11:30:47 ----------------------------------------------------------- ... View more