This will be lengthy, so apologies in advance. I am having a problem getting a MAG 2600 to map roles using Active Directory.

I have two MAG-2600s set up in a cluster. I have cribbed a lot of the configuration from an existing MAG-4610 we have in our network. This device is standalone. I set up the authentication servers exactly the same except for one detail. On the 4610, the primary and secondary domain controllers are specified by IP address. I tried to do this with the 2600s, but the tests would fail. So when I entered the computer names for the domain controllers, that worked fine. (Go figure!) They are set up as Active Directory/Windows NT server types.

I set up the Admin realm exactly the same on all devices. The only exception is I left out one rule from the 4610 that will not be used on the 2600s. Everything is exactly the same. I have the rules mapping to the default roles for admins.

I did a policy trace on both the 4610 and the 2600 for logging in. The main thing I have found is that the 4610 starts matching against the Role Mapping in short order and the 2600 does not. Below are the relevant policy traces for each. I can provide the full trace if needed.

Originally the package running on the 2600s was 7.1R1. I read on the forums about Active Directory problems, so I upgraded to 7.1R5. The problems persist. The 4610 is running 7.1R3 (which purportedly has AD problems).

So does anyone know in advance why the 4610 will immediately start matching on the Role Mapping but the 2600s will not? And on a side note, does anyone know why the 2600 would fail a test on an authentication server when given the IP address? Thanks in advance.

4610 Trace:

info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - NTLogin(10.30.0.248, PA\jmehl, PA, juniperssl, no, , no, 1, 6, pa-mag4610 Computers)
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - Use any auth protcols
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - Performing Authentication using NTLMSSP ...
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - Authentication using NTLMSSP is successful
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - NTLogin done.
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - Authentication successful to auth server "PA.CMS.LAN AD"
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:40 - pa-mag4610 - Getting directory information from auth server "PA.CMS.LAN AD"
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:41 - pa-mag4610 - GetUserGroups(10.30.0.248, PA\jmehl, PA, juniperssl, no, , no, 3, 6, pa-mag4610, Computers, 0)
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:41 - pa-mag4610 - Rule Groups defined for the Realm are - PA/PA Tech Team==S-1-5-21-1961451770-2848275316-117541738-1162
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:41 - pa-mag4610 - Rule Groups defined for the Realm are - CMS/Telecom Admins
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:20:41 - pa-mag4610 - Rule Groups defined for the Realm are - CMS/Network Admins

2600 Trace:

info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - NTLogin(pa1.pa.cms.lan, PA\jmehl, PA, juniperssl, no, , no, 1, 6, BMWMAG1 Computers)
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - Use any auth protcols
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - Performing Authentication using NTLMSSP ...
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - Authentication using NTLMSSP is successful
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - NTLogin done.
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - Authentication successful to auth server "PA.CMS.LAN AD"
info - [10.30.56.112] - PA\jmehl(PA Admin)[] - 2012/02/20 15:09:26 - BMWMAG1 - Getting directory information from auth server "PA.CMS.LAN AD"
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:11:26 - BMWMAG1 - NTLogin(pa1.pa.cms.lan, PA\jmehl, PA, juniperssl, no, , no, 1, 6, BMWMAG1 Computers)
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:11:26 - BMWMAG1 - Use any auth protcols
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:11:26 - BMWMAG1 - Performing Authentication using NTLMSSP ...
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:11:26 - BMWMAG1 - Authentication using NTLMSSP is successful
info - [10.30.56.112] - jmehl(PA Admin)[] - 2012/02/20 15:11:26 - BMWMAG1 - NTLogin done.