01-19-2012 06:15 AM
Just installed Network Advisor (NA) 11.1.2 - trying to get authentication to work against either LDAP or AD (same server in my case).
In DCFM it was required that the user be created locally with a blank password, and then authentication against LDAP worked - this is no good in my book.
NA has this nice fetch button, which works great: it found my AD/LDAP group, I granted AOR all and SAN System Administrator to it, saved (and rebooted just to be sure), and can't log in.
Created my user locally, no AOR or groups - got an error saying I need to map my user to some AOR/groups - when doing so I can log in.
Question is: why have LDAP/AD groups which have been granted AOR/roles when they can't be used without creating the user locally?
Does anyone know a workaround or can point me in the right direction on this user issue?
Secondly: Where to set the user id to be used to fetch information from LDAP/AD - is it the one used during configuration of AAA?
Bonus question: Does NA still require admin access to SAN switches to collect data? So far I have read Chassis Admin, but also Admin role?!
Thanks in advance
03-07-2013 06:54 AM
Just installed 11.3.0 - now it says you must use Windows Domain as primary authentication mechanism and none as secondary - sounds good. Only issue is, it doesn't work.
I can fetch my groups and assign Fabric and Roles to the AD group, but I get permissions denied when trying to log in - until I create the user on BNA with blank(!!) password and assign the needed Fabric and Roles to that user.
09-07-2017 02:35 AM
You're right that if you create a "dummy" user in the local database it works perfectly with domain authentication. This issue still persists on BNA 14.0.0.
Have you investigated it further and got a final fix for it?
Otherwise I'll create a support case for this issue.
09-07-2017 12:50 PM
->Otherwise I'll create a support case for this issue.
In higher BNA 14.x releases, various defects are closed.
You can open a TAC, but if this is a closed defect, you need to upgrade.
What I want to say is, you will most probably get the same answer from Support.
09-08-2017 04:50 AM
I've upgraded to 14.3.0 but the problem is still the same.
I've now played with the AAA settings, and I found that if I change the primary authentication source from "Windows Domain" to "LDAP Server", choose "Authentication Server Groups" in "Authorization Preference" and add the AD LDAP server to the LDAP Servers list, it works perfectly.
It can now both authenticate the user and give the user the permissions that I've applied to the AD security group.
I hope others find this handy.
09-08-2017 05:26 AM - edited 09-08-2017 05:47 AM
This solved my issue, but required a small change to ensure that local users still worked in the event that LDAP wasn't available...
For Fail Over Option I needed to select LDAP Authentication Failed along with having the Secondary Authentication set to Local Database. Without doing this, my local admin account was not able to log in due to not being found within LDAP. If you don't want an emergency local account in the event that LDAP is unreachable, this may not matter to you. However, it's my belief that you should always have a local admin account that can access the system in the event of an emergency. Works perfectly now. For the record I am running CMCNE 14.2.0. Thanks!