Trying to implement EAP/TLS using java (as part of RADIUS server)

Hi
This is a cross-post since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master's thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with the following code:
    KeyStore ksKeys = KeyStore.getInstance("JKS");
    ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ksKeys, passphrase);
    KeyStore ksTrust = KeyStore.getInstance("JKS");
    ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(ksKeys);
    sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(false);
    sslEngine.setNeedClientAuth(true);
    sslEngine.setWantClientAuth(true);
    sslEngine.setEnableSessionCreation(true);
    appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
    appBuffer.clear();
    netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
    netBuffer.clear();
All I want to do with TLS is a handshake.
I'm not talking SSL using sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off by sending TLS-Start, upon which I receive TLS data. I handle it with the following code:
    SSLEngineResult result = null;
    SSLEngineResult.HandshakeStatus hsStatus = null;
    if( internalState != EAPTLSState.Handshaking ) {
        if( internalState == EAPTLSState.None ) {
            TLSPacket tlsPacket = new TLSPacket( packet.getData() );
            peerIdentity = tlsPacket.getData();
            internalState = EAPTLSState.Starting;
            try {
                sslEngine.beginHandshake();
            } catch (SSLException e) {
                e.printStackTrace();
            }
            return;
        }
        else if(internalState == EAPTLSState.Starting ) {
            internalState = EAPTLSState.Handshaking;
            try {
                sslEngine.beginHandshake();
            } catch (SSLException e) {
                e.printStackTrace();
            }
        }
    }
    TLSPacket tlsPacket = new TLSPacket( packet.getData() );
    netBuffer.put( tlsPacket.getData() );
    netBuffer.flip();
    while(true) {
        hsStatus = sslEngine.getHandshakeStatus();
        if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            Runnable task;
            while((task=sslEngine.getDelegatedTask()) != null) {
                new Thread(task).start();
            }
        }
        else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
            try {
                result = sslEngine.unwrap( netBuffer, appBuffer );
            } catch (SSLException e) {
                e.printStackTrace();
            }
        }
        else {
            return;
        }
    }
When I try to send data I use the following code:
    SSLEngineResult.HandshakeStatus hsStatus = null;
    SSLEngineResult result = null;
    // netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
    netBuffer.clear();
    while(true) {
        hsStatus = sslEngine.getHandshakeStatus();
        if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            Runnable task;
            while((task=sslEngine.getDelegatedTask()) != null) {
                new Thread(task).start();
            }
        }
        else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            try {
                result = sslEngine.wrap( dummyBuffer, netBuffer );
            } catch (SSLException e) {
                e.printStackTrace();
            }
        }
        else {
            if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                int size = Math.min(result.bytesProduced(),this.MTU);
                byte [] tlsData = new byte[size];
                netBuffer.flip();
                netBuffer.get(tlsData,0,size);
                TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                if( size < result.bytesProduced() ) {
                    tlsPacket.setFlag(TLSFlag.MoreFragments);
                }
                return new EAPTLSRequestPacket( ID,
                        (short)(tlsPacket.getData().length + 6),
                        stateMachine.getCurrentMethod(), tlsPacket );
            }
            else {
                return null;
            }
        }
    }
After I send TLS-Start I receive data and manage to process it, but when I then try to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help would be greatly appreciated; if you have any questions or anything is unclear, please let me know.
To add some additional information, here is the debug output.
Before this I have sent a TLS-Start package, and this is when I receive new information and then try to create the answer:
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
... 1 more

I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
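
One thing worth checking for the `no cipher suites in common` alert above, as an added example that is not part of the original posts: a JSSE server can only select a suite when its `KeyManager` holds a private key of the type that suite needs, and `keytool -import` of a certificate file creates a `trustedCertEntry` with no private key. The class `KeystoreSuiteCheck` and its methods are hypothetical names, the suite-to-key-type mapping is a simplification that covers the suites in the ClientHello, and the empty in-memory keystore used when no arguments are given is a constructed stand-in for a certificate-only keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical diagnostic helper; not part of the poster's RADIUS server. */
public class KeystoreSuiteCheck {

    // Cipher suites offered in the ClientHello shown in the debug output above.
    static final List<String> CLIENT_SUITES = Arrays.asList(
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA");

    /**
     * Private-key algorithm the server needs for a suite, or null if this
     * simplified mapping does not classify it (assumption: only RSA key
     * transport and DHE with RSA or DSS signatures are handled).
     */
    static String requiredKeyType(String suite) {
        if (suite.startsWith("SSL_RSA_") || suite.startsWith("TLS_RSA_")) return "RSA";
        if (suite.contains("DHE_RSA_")) return "RSA";
        if (suite.contains("DHE_DSS_")) return "DSA";
        return null;
    }

    /** Lists every alias and returns the algorithms of the private keys found. */
    static Set<String> privateKeyTypes(KeyStore ks, char[] keyPassword) throws Exception {
        Set<String> types = new LinkedHashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Key key = ks.getKey(alias, keyPassword);
                if (key instanceof PrivateKey) {
                    types.add(key.getAlgorithm());
                    System.out.println(alias + ": private key (" + key.getAlgorithm() + ")");
                }
            } else if (ks.isCertificateEntry(alias)) {
                // Usable by a TrustManager only; a KeyManager cannot present it.
                System.out.println(alias + ": trusted certificate, no private key");
            }
        }
        return types;
    }

    /** Offered suites for which the keystore holds a private key of the right type. */
    static List<String> usableSuites(List<String> offered, Set<String> keyTypes) {
        List<String> usable = new ArrayList<>();
        for (String suite : offered) {
            String needed = requiredKeyType(suite);
            if (needed != null && keyTypes.contains(needed)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] password = null;
        if (args.length == 2) {
            password = args[1].toCharArray();
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
        } else {
            // Constructed sample: an empty keystore gives a KeyManager
            // the same nothing to offer as a certificate-only keystore.
            ks.load(null, null);
        }

        Set<String> keyTypes = privateKeyTypes(ks, password);
        List<String> usable = usableSuites(CLIENT_SUITES, keyTypes);

        System.out.println("Private key types in keystore: " + keyTypes);
        if (usable.isEmpty()) {
            System.out.println("No offered suite matches a private key in this keystore;"
                + " a server SSLEngine using it would answer with handshake_failure.");
        } else {
            // A suite must also be enabled on the engine to be selected.
            System.out.println("Suites the keystore could serve: " + usable);
        }
    }
}
```

Run it as `java KeystoreSuiteCheck <keystore> <password>` against the keystore the server loads.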

Similar Messages

  • I tried to implement photo albums using iweb and got a publishing error.

    I tried to implement photo albums using iWeb and got a publishing error. All was fine with my site until I added the photo album page. The software doesn't say what the error is exactly, only that it is a publishing error to my FTP.
    Exact message: "There was an error communicating with the FTP server. Try again later, or check with your service provider."
    If I reduce the albums inside to 1 then it seems to work, but that takes away from the usefulness of multiple albums.
    my iWeb version is 3.0.4 (601)

    Publish your site to a folder on your hard drive to see if the publication will proceed successfully and open the site locally with your browser to confirm all of the albums are there and work.  If they do, try the following:
    delete the iWeb preference files, com.apple.iWeb.plist and com.apple.iWeb.plist.lockfile, that resides in your Home() /Library/Preferences folder.
    go to your Home()/Library/Caches/com.apple.iWeb folder and delete its contents.
    launch iWeb and try again.
    If you're still not able to publish from iWeb to your server download and use the free  Cyberduck to upload your website files to the server. Users have found that CD has been successful when iWeb had problems.
    OT

  • How to implement route cipher using java?

    Hi guys,
    I really got a headache solving how to implement route cipher using the Java language. I already got the concept but I really don't get how to implement it using Java. Actually I want to make a presentation of how route cipher works using "adobe flash", but first I will implement it using Java because Flash ActionScript is closer to the Java language.
    Hope you could post some examples or ideas... I would really appreciate it!
    Thank you so much...

    Just add an action listener (either keypressed or keytyped) to the frame that you want to record. I did this in NetBeans in about 2 seconds. I can simplify it if you need. As for logging it, just write the characters to a file output stream.
    public class test extends javax.swing.JFrame {
        /** Creates new form test */
        public test() {
            initComponents();
        }
        /** This method is called from within the constructor to
         * initialize the form.
         * WARNING: Do NOT modify this code. The content of this method is
         * always regenerated by the Form Editor.
         */
        // <editor-fold defaultstate="collapsed" desc=" Generated Code ">
        private void initComponents() {
            setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
            addKeyListener(new java.awt.event.KeyAdapter() {
                public void keyTyped(java.awt.event.KeyEvent evt) {
                    formKeyTyped(evt);
                }
            });
            pack();
        }
        // </editor-fold>
        private void formKeyTyped(java.awt.event.KeyEvent evt) {
            System.out.println(evt.getKeyChar());
        }
        /**
         * @param args the command line arguments
         */
        public static void main(String args[]) {
            java.awt.EventQueue.invokeLater(new Runnable() {
                public void run() {
                    new test().setVisible(true);
                }
            });
        }
        // Variables declaration - do not modify
        // End of variables declaration
    }

  • Use java code to start  ftp server in Windows

    I am writing an application using Java to start the FTP server on a Windows system. Could anybody give me an idea on how to start?

    http://java.sun.com/docs/books/tutorial/
    http://java.sun.com/developer/onlineTraining/Programmin
    /BasicJava1/compile.html
    http://java.sun.com/learning/new2java/index.html
    http://javaalmanac.com
    http://www.jguru.com
    http://www.javaranch.com
    Bruce Eckel's
    Thinkin
    in Java
    Joshua Bloch's
    [url=http://www.amazon.co.uk/exec/obidos/Author=Bloch,%
    0Josh]Effective Java
    Bert Bates and Kathy Sierra's
    [url=http://www.amazon.com/exec/obidos/tg/detail/-/0596
    04656?v=glance]Head First Java
    lol. That's one way to start.
    But really, why would you want to start an ftp server from java?? You should use the right tool for whatever job you need to accomplish and you can set up windows to automatically start the server when it boots.
    majinda might say: it si lkie thrownig chickne at palm to knock datse to ground. bettre to let donkey kick tree.
    But if you insist, you'll probably need JNI.

  • Implementing EAP-TLS in the enterprise

    Hi all,
    I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-MSCHAPv2 and I'm considering the move to EAP-TLS; however, I understand this has its pitfalls in terms of added administrative overheads, particularly around managing user certs.
    Does anyone have any experience in rolling out EAP-TLS and can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD, but has anyone seen any other issues I should be wary of?
    We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our RADIUS, tied into AD.
    Appreciate any comments, advice or even direction to other resources where I can find some valuable info.
    cheers.
    Rob

    Rob,
    Since you are already using PEAP, moving to EAP-TLS is not that bad.  Again... you already have a PKI infrastructure and domain computers should have a certificate already.  So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS.  People do look at it as more management... well, it sort of is, but if you have staff that is experienced in setting up the PKI, GPO, etc., it really isn't that bad.  Client device support is what you will need to look at.  If you have devices like iPads or non-domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices.

  • Error trying to open a file using java.io.* in an Applet

    I have a file called wordlist.txt and I am using java.io.* to open it. When I try it
    in Applet Viewer it runs without a hitch. But when I try to run it in a
    browser as an Applet, it errors out saying:
    com.ms.security.SecurityExceptionEx[package3/SpellCheck.setWordList]: cannot access file wordlist.txt
    I have tried adding this file to my Project and accessing it that way but I still get
    the same message. If anyone can help with this, I sure would appreciate it.
    My code is as follows:
    String inWord = new String("zzz");
    try {
        File myWordList = new File("wordlist.txt");
        BufferedReader inWordList = new BufferedReader(
                new FileReader(myWordList));
        inWord = inWordList.readLine();
        while (inWord != null) {
            wordList.addElement(inWord);
            inWord = inWordList.readLine();
        } // end while
        inWordList.close();
    } // end try
    catch (Exception e1) {
        // Pr is equivalent System.out.println();
        Pr("Error Reading this line " + '\n' + inWord + '\n' + e1);
    } // end catch
    } // end setWordList()

    Applets are generally prevented from reading as well as writing files, but appletviewer can load files from the hard drive, so, that is the cause of the behaviour you have observed. To know more about enabling applets load files, you have to sign your applets,
    learn more at
    http://java.sun.com/sfaq/#prevent

  • Implement Firewall by using Java

    I want to create a firewall(3rd layer) by using Java. Is it possible? Is there any class for these purposes?
    I'm not sure if the "DatagramPacket" is the class that I'm looking for.
    What is the lower level of network programming which is supported by Java?
    Thanks

    hm, although i'm not in the "java is too slow" camp i'm still surprised. but then, when using a box as dedicated firewall, java performance is surely good enough.
    what made me wonder is that java does not give access to network functionality on a low level which is required for packet filtering. so it would only be feasible to accomplish an application level firewall. i'm no expert at this but i would guess that this kind of firewall has more overhead than a packet filtering firewall.
    some research revealed that only the frontend seems to be written in java while the firewall is a configured linux system:
    Developed with NetMaster's own Linux distribution tailored specifically for firewall applications, Gateway Guardian is a very flexible, high-end firewall that takes a revolutionary approach to allowing a company to use a lower-end PC as their Internet gateway. Running on a PC that is not the Internet gateway, Gateway Guardian uses a pure Java application to preconfigure hardware, Internet provider settings, and firewall rules through a wizard like format. When the information has been entered, the Java application writes an entire Linux operating system and the custom firewall configuration onto a 3-1/4" floppy diskette.
    http://online.securityfocus.com/products/category/134
    Gateway Guardian (see Resources) is a one-floppy Linux distribution customized for ipchains-based firewalls. Guardian was developed by NetMaster Solutions and uses a Java GUI application to configure hardware, network settings, and firewall rules through a wizard-like format. When the information has been entered, the Java application writes a Linux image and the custom firewall configuration onto a floppy diskette.
    http://www.linuxworld.com/linuxworld/lw-2000-10/lw-10-fwproducts2-p5.html
    see here as well:
    http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2806287,00.html
    any more insights?
    robert

  • EAP-TLS on WLC 5508 against IAS RADIUS

    Hi, has anyone experienced an issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS RADIUS server.
    I got an “Access-Accept” debug message received from the RADIUS server.
    However, the wireless client failed to connect.
    Below is part of the debug output from the WLC.
    Any feedback is welcome.
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
    Below are the outputs for the eap advanced config
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • How to use Java to connect to LDAP server

    We have a requirement is to get LDAP service through XI.
    Scenario is SAP <-> XI <-> LDAP
    It seems there is not a LDAP adapter for XI now, so, is it possible to embed a Java program to access LDAP server? We already have a program like this:
    SAP <-> Java (through JCo) <-> LDAP

    Thanks, I checked this document. Does it mean we still need to run a standalone java application?
    SAP -> RFC Adapter -> XI -> Java Proxy -> Java Application -> LDAP Server
    Is it possible to just build the Java application into a jar in XI? The reason is, if we still need to run a Java application, and it can connect to SAP directly (through JCo), I cannot find any benefit to migrating to XI.
    Our wish is
    SAP -> RFC Adapter -> XI -> Java Proxy -> LDAP Server

  • Error while trying to save a report using Java SDK for CR server 2011

    I use the Java SDK to update the report database JNDI alias and then save the report. While saving the report, the utility throws the following exception. It only happens to 3 reports out of more than 70 reports. What could be the problem with the report that is causing this?
    Thanks.
    com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException: Failed to read data from report file C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\Data\CrystalReportsRasServer\temp\{56586260-E771-4C63-BF8B-F3CF14BB508A}.rpt. Reason: Repository object could not be found.---- Error code:-2147467259 [CRSDK00000000] Error code name:failed
            at com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException.throwReportSDKServerException(ReportSDKServerException.java:109)
            at com.crystaldecisions.proxy.remoteagent.ExceptionHelper.throwResultInfoException(ExceptionHelper.java:192)
            at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.sendSyncRequest(ReportClientDocument.java:803)
            at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.doSave(ReportClientDocument.java:820)
            at com.crystaldecisions.sdk.occa.report.application.ReportClientDocument.save(ReportClientDocument.java:2245)

    The error points to the report using a repository object that cannot be found.  What happens if you try and update the reports using the Crystal Report Designer instead of the SDK?

  • Using a BM 3.8 RADIUS Server to Assign Users to VLANs

    I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
    users are accessing the network via Cisco 1100 Aironet Wireless Access
    Points. We have defined two VLANs on the network. One goes directly to
    the internet for GUEST, VLAN1, and the other goes to our private network
    MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
    attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
    set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
    Private Group ID) set to the VLAN-ID which is 1 or 2. These attributes are
    not available in the RADIUS.ATR file. Is there some way of editing the
    ATR file to add these attributes? Is there another solution to assign
    VLANs with Bordermanager?

    > I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
    Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set to the
    VLAN-ID which is 1 or 2. These attributes are not available in the
    RADIUS.ATR file. Is there some way of editing the ATR file to add these
    attributes? Is there another solution to assign VLANs with Bordermanager?
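
The three attributes listed in the reply above (64, 65 and 81) are the tagged tunnel attributes a RADIUS server places in an Access-Accept to assign a VLAN. The following added example (not from the thread and not Bordermanager configuration) shows their wire encoding in Java; the class and method names are hypothetical, the values 13 (VLAN) and 6 (IEEE-802) are the registered RADIUS tunnel values, and a tag byte of `0x00` (unused) is an assumption that a given access point may or may not expect.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class VlanTunnelAttributes {
    static final int TUNNEL_TYPE = 64, TUNNEL_MEDIUM_TYPE = 65, TUNNEL_PRIVATE_GROUP_ID = 81;
    static final int TYPE_VLAN = 13, MEDIUM_IEEE_802 = 6;
    static final int TAG_UNUSED = 0x00;   // assumption: a single, untagged tunnel

    /** Tagged integer attribute: type, length (always 6), tag, 24-bit value. */
    static byte[] taggedInt(int type, int tag, int value) {
        return new byte[] {(byte) type, 6, (byte) tag,
                           (byte) (value >> 16), (byte) (value >> 8), (byte) value};
    }

    /** Tagged string attribute: type, length, tag, then the text itself. */
    static byte[] taggedString(int type, int tag, String text) {
        byte[] s = text.getBytes(StandardCharsets.US_ASCII);
        if (s.length == 0 || s.length > 252)   // length octet covers 3 header bytes + text
            throw new IllegalArgumentException("string does not fit one attribute");
        byte[] out = new byte[3 + s.length];
        out[0] = (byte) type;
        out[1] = (byte) out.length;
        out[2] = (byte) tag;
        System.arraycopy(s, 0, out, 3, s.length);
        return out;
    }

    /** The three attributes, concatenated, for one VLAN ID sent as decimal text. */
    static byte[] vlanAttributes(int vlanId) {
        if (vlanId < 1 || vlanId > 4094)       // 0 and 4095 are reserved in 802.1Q
            throw new IllegalArgumentException("VLAN ID out of range: " + vlanId);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[][] attrs = {
            taggedInt(TUNNEL_TYPE, TAG_UNUSED, TYPE_VLAN),
            taggedInt(TUNNEL_MEDIUM_TYPE, TAG_UNUSED, MEDIUM_IEEE_802),
            taggedString(TUNNEL_PRIVATE_GROUP_ID, TAG_UNUSED, Integer.toString(vlanId))
        };
        for (byte[] a : attrs) out.write(a, 0, a.length);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        StringBuilder hex = new StringBuilder();
        for (byte b : vlanAttributes(2)) hex.append(String.format("%02x ", b));  // VLAN2 = MEMBERS
        System.out.println(hex.toString().trim());
    }
}
```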

  • [ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

    So here is my goal:
    Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
    Background:
    I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
    I've also used NPS to authenticate wireless clients in a lab setting.
    Problem:
    I cannot figure out what is going on with NCS/PI authentication against NPS.
    Here are a couple/few steps I've taken:
    - I've added the RADIUS client to the list.
    - I've created a network policy to grant access to a specific group of users (AD group).  It accepts either CHAP or PAP authentication
    - I've also taken out the default radius attributes and inserted these:
    - - Vendor Specific, Cisco-AV-Pair
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    - - Vendor-Specific, RADIUS Standard
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    On the NPS server I can see the request coming in on the NPS logs.  Access has been granted and it matches the Network Policy I created.
    The usual message I receive is this:
    No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
    Attached is a picture from a packet capture.  The RADIUS "Access-Accept" message has something under the Attribute Value Pairs section:
    - "[Not enough room in packet for AVP] "
    This capture was taken when I was only using the RADIUS role value and not all the RADIUS Tasks.
    Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
    Here are some of the guides I used:
    http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
    https://supportforums.cisco.com/thread/339057
    http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
    Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • 5508 - iPad getting disconnected from WLAN Using EAP-TLS

    We are seeing an issue with an iPad connecting to a WLAN configured for EAP-TLS using ISE 1.2, getting disconnected.  The iPad will hop to another SSID.  It will connect back to the other SSID when selected.  Any ideas? I have a debug client for when this happened.
    *apfMsConnTask_0: Apr 08 14:03:57.508: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_7: Apr 08 14:04:57.855: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Association received from mobile on BSSID 54:78:1a:2f:84:56
    *apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Global 200 Clients are allowed to AP radio
    *apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Max Client Trap Threshold: 0  cur: 4
    *apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Skipping TMP rule add
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a apfMsRunStateDec
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Reached ERROR: from line 6355
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [54:78:1a:2f:84:50]
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 730
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Re-applying interface policy for client 
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
    *apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 

    Use profiles for the wifi settings on the iPad
    A reset of network settings will clear the network history, but the profile will add it back in automatically
    http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_Feb14.pdf
    Great Cisco doc for BP and troubleshooting of Apple devices:
    Enterprise Best Practices for Apple Mobile Devices on Cisco ...
    Make sure the app uses URIPersistWifi call 
    https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/PerformanceTuning/PerformanceTuning.html

  • Eap-tls configuration assistance

    I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
    Scenario
    MS CA (Windows 2008 Server)
    MS DC (Windows 2003 Server)
    ACS 4.2 (Windows 2003 Server)
    WLC 4402 (5.2)
    LWAP AIR-LAP1142N-N-K9
    Client MS XP SP3
    I have confirmed that the certificates are valid on both the ACS and client.
    The problem I have is, I see the client associate, but fails authentication. I look in the ACS failed log attempts, I see:
    13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
    I have configured ACS for Unknown User Policy and have the client e26458 in AD.
    I would like some advice from some people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of the debug aaa events enable, debug aaa detail enable,
    debug dot1x events enable, debug dot1x states enable on the WLC.
    frustratingly yours

    I am unable to open the attachment, anyway let me tell you a few things which you should confirm while using certificates.
    1. Both your client and server certificates should be from same authority
    2. You should have the same username in which the certificate issued should be in your ACS database.
    3. Confirm the validity of both your CA and device certificate
    Just to confirm this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth. If this works then your certs are perfect and verify your ACS configurations
