802.1X authentication and roaming issues

Similar Messages

• 802.1x multipoint authenticator and security issue

  Hi everybody
  Let say we have following set up:
  host1
  host2   ) ----------------hub------ f1/0-switch( authenticator)-------------------------Radius server.
  host3
  The switch is configured as follows.
  Switch(config)#interface FastEthernet 1/0
  Switch(config-if)#dot1x port-control auto
  Switch(config-if)#dot1x host-mode multi-host
  Let  say only host1 has valid credentials and the rest hosts i.e h2,h3 are  rogue hosts.  host1 sends authentication request and successfully  authenticated and switch transition its port to an authorized state.  But does it not mean  the other hosts h2 and h3 which were not  authenticated but yet are able to access network ?
  thanks and have a great weekend.

  This board is more for Wireless Security not LAN. but I would think it's because you are connecting through a hub instead of a switch. Hubs share the data, so when the switch gets the auth for the valid client it turns that port as it should.
  Now an invalid client connects and because the port is already thinking the client is valid, it passes all the traffic.
  Make sense?
  Steve
  Sent from Cisco Technical Support iPhone App

• 7925g phones static/hissing and roaming issues

  Hello,
  We've been having an issue for several months now with our over 200 7925g phones.  Nurses are complaining that the phones have static and will drop the voice of the other caller and several times need to repeat the conversation.  We have confirmed several scenario's.  It occurs when both callers are on 7925g inside the coverage areas in the hospital; between 7925g and 7940 desk phone; 7925g and Nortel desk phone.  We've tested on 802.11a and 802.11b/g.  I do see a difference when on 802.11b/g however still get a hissing when connecting to a different AP.
  4 - 4400 controllers,  6.0.202 firmware
  1 - 5508 controller, 6.0.202 firmware
  234 - LAP1131AG AP's
  6 - AP1131AG AP's
  7 - LAP1142N AP's
  3 - LAP1310G AP's
  AP's are on 6.0.202.0 firmware
  7925g's all are on 1.3.3 firmware but we have a select few that we are testing at both hospitals with the newest firmware 1.4.1 and still same results.
  235  - 7925g phones.
  We have followed the 7925g setup & deployment guide, WLC Config Analyzer and made sure all checks were made.  The only setting we plan on testing this week is changing the CCKM authentication change which was recommended.  Currently we are WPA TKIP
  We have disabled the higher rates (36-54) on the 802.11a.
  We also have AirMagnet VoFi analyzer which is showing issues when roaming from AP.  The alarms indicate a one-way audio issue and points to the AP's and phones power not matching.  We have our Tx power level on the controller to automatic, Max Power Level at 30 dBm, Min. at -10 dBm, power Threshold at -70 (WLC Config Analyzer recommendation).  The phone TX Power is set at 8 dBm.  Call Power Save Mode has been tested with both None and U-APDS/PS-Poll.
  We have a case open with Cisco TAC and she has requested debugs from our controllers.  I have sent over 7 and she is not coming back with anything solid and not much help so far.
  Our tests between 802.11a and 802.11b/g (RSSI setting on phone Auto-a and Auto-bg) have shown better with the bg mode but still static and/or hissing.
  Any help would be greatly appreciated!  Thanks.

  Thanks!
  We finally had an awesome Cisco Engineer on our SR.  We straightened out the code and now have the correct 1.4.1.1.1.7 ES image and also configured CCKM.
  We are currently testing with about 20 phones before we deploy it to over 200 phones. 
  Below are the steps we took and so far the tests have resolved the issue.
  1. Downloaded & installed the 1.4.1.1.1.7 code on the 7925g's.
  2. Changed the Scan Mode on the device in Call Manager to 'continuous'
  3. On the Controllers, configured & implemented CCKM on the voice WLAN only.
  4.  Set the Radio Policy for the Voice WLAN to 802.11a only.
  5.  Only using channels 36, 40, 44, 48, 149, 153, 157, 161 on 802.11a
  6.  Disabled the 6,9,36,48 & 54 Mbps rates for 802.11a only
  7. Configured the phone with the new voice SSID with CCKM, Security Mode as EAP-Fast, & 802.11 Mode = Auto-a.
  We are following up with these test users next week so I will post if this fixes our issue.
  Thanks for all the assistance everyone!

• Web Service authentication and PROXY Issue

  HI All,
  Recently I developed an application in Flex 2 which uses
  webservices to access remote data.One more point to be noted, that
  these webservices are secured( i.e they need username and password
  to access)
  I got a production server ( say
  myProduction server) and all my webservices are deployed on
  it. We have a SAP portal running on this server. I have created a
  PAR file of my applications .SWF file and hosted it on the portal.
  When I run my application from myProduction, it runs fine, no
  issues with it.
  Now, I have a proxy server ( say
  myProxy server), which is used to make my application
  available on the internet.
  This proxy redirects all the requests to myProduction server.
  When I try to run my application from myProxy Server, I am
  getting the following error:
  [RPC Fault faultString="Security error accessing url"
  faultCode=
  Channel.Security.Error"
  faultDetail="Unable to load WSDL". If currently online,
  please verify the URI and/or format of the WSDL (
  http://myProduction:50000/WS_Resource/Config1?wsdl&style=rpc_enc)"
  at mx.rpc.soap::WSDLParser/::dispatchFault()
  at mx.rpc.soap::WSDLParser/
  http://www.adobe.com/2006/flex/mx/internal::httpFaultHandler()
  at
  flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
  at flash.events::EventDispatcher/dispatchEvent()
  at mx.rpc::AbstractInvoker/
  http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()
  at mx.rpc::AbstractInvoker/
  http://www.adobe.com/2006/flex/mx/internal::faultHandler()
  at mx.rpc::Responder/fault()
  at mx.rpc::AsyncRequest/fault()
  at ::DirectHTTPMessageResponder/securityErrorHandler()
  at
  flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
  at flash.events::EventDispatcher/dispatchEvent()
  at flash.net::URLLoader/flash.net:URLLoader::redirectEvent()
  Do I need any configuration files to be maintained? How do I
  resolve this proxy issue??
  myProxy server is not able to load the WSDL from
  myProduction.I am not usinfgFlex Data Services. I am directly
  accessing the services.
  If anyone knows about this issue please help me. Any help
  would be greatly appreciated.
  This issues has been unresolved since 15 days now.
  Thanks in advance

  Hi,
  I am not sure if what I am suggesting may be the source for
  the problem, but it could be that you will need a
  crossdomain.xml file deployed on your production server, so
  that it can accept the requests from the Portal. Also, I guess you
  will be using a
  flex-config.xml or
  services-config.xml. Just make sure that all server paths
  have been properly mapped to the values entered in the destination
  attributes of the WebService tags.
  I hope that helps.

• 802.1X Authentication + PKI encryption

  Hi Guys,
  I want to know if there is a relationship between 802.1x authentication and cisco PKI encryption.
  We are facing some problems with many IP Phones that were using 802.1x without problems. Once we we installed PKI encryption on ip phones , many of them began to fail : the ip phone shows phone not registered and on the status messages we can see authentication fail. I have to restart security settings on ip phones or disabling 802.1x on the switches to get phones registering again
  I am using CUCM 8.5 with 6961 phones
  Regards

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• 802.1x Authentication on Wired and Wireless LAN

  I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
  But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
  Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• 802.1x port authentication and Windows Radius, possible?

  Hello,
  I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server?  See out users are all all on a Windows domain and I want to authenticate using their active directory credentials.  I think I am fine with the switch config, but it is the Windows IAS/Raduis server.  I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
  Thanks

  Andy:
  Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
  If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
  See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• 802.1X Authentication issues when moving between switch ports

  Hi Guys,
  We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features that MAC Move and MAC replace but they seem to be used when moving from one port a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
  My configuration we have on the switch ports look as follows:
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  dot1x pae authenticator
  Your help is greatly appreciated.
  Grant

  Hi Neno,
  Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
  Here is the config:
  aaa group server radius customer-nps
   server name radius1
   server name radius2
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  radius server radius1
   address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
   key 7 05392415365959251C283630083D2F0B3B2E22253A
  radius server radius2
   address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
   key 7 107C2B031202052709290B092719181432190D000C
  interface GigabitEthernet1/0/1
   switchport access vlan 300
   switchport mode access
   switchport voice vlan 2
   srr-queue bandwidth share 1 30 35 5
   queue-set 2
   priority-queue out
   authentication host-mode multi-domain
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication periodic
   authentication timer reauthenticate 28800
   authentication timer inactivity 1800
   mab
   no snmp trap link-status
   mls qos trust cos
   dot1x pae authenticator
   auto qos trust cos
   storm-control broadcast level 1.00
   storm-control multicast level 1.00
   spanning-tree portfast
   spanning-tree bpdufilter enable

• Z10 802.1x Authentication Issue

  I am a network administrator. I have found Z10 cannot connect to our corporate's PEAP 802.1X SSID. All other devices can connect without problem. Z10 can connect to our open authentication SSID.  Any ideas? Thanks.

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Issue in External Table Authentication and Authorization in OBIEE11G

  Hello Gurus,
  Can anyone help me how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server not like in 10g style(Through INIT Blocks).
  I've followed the (Doc ID 1338007.1) document. But when i'm restart the Managed servers and Admin servers after configuring the SQLAuthenticator all my services are showing down.
  I already raised the SR (SR 3-6286054151) on this issue. But still i didn't get any reply from them.
  Can anyone help me out on this issue or can anyone me send the document for "how to configure External Table Authentication and Authorization in OBIEE11g" . It's really appreciate for your quick response.
  my mail ID [email protected]
  Thanks,
  Syam.
  Edited by: 942658 on Oct 13, 2012 10:55 AM

  Hi John,
  Thanks for your quick response.
  We configured "ReadOnlySQL Provider" by following the Oracle's white paper(Doc ID 1338007.1) Please find the below steps what we configured in weblogic console.
  1. Created the Data Source
  2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
  3. Defined the connection Properties .
  4. Selected targets as Admin server and bi_server.
  Then Activate changes
  5. Created new provider by using ReadOnlySQL Authenticator
  6. In the provider specific tab we given the SQL statements and saved it.
  7. Restarted the Admin and Managed servers.
  After restarted the services when we open the Enterprise Manager page all the services are showed as Undefined - means red.
  Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
  For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator ?
  If we configure BISQLAuthenticator we just import Groups from database to Console application. Then how can it Authenticated to the User ?
  Please let me know your ideas on this.
  Thanks,
  Syam

• 802.1x Authentication with Windows and MAC

  Hello Team;
                I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
  Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

  Hello Sreejith,
  As per your query i can suggest you the following steps-
  No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
  1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
  2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
  3.Click the Security tab, and then, in the Security Type list, click 802.1X.
  4.In the Encryption Type list, click the encryption type you want to use.
  On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
  5.In the Choose a network authentication method list, click the method you want to use.
  To configure additional settings, click Settings.
  Hope this will help you.

• How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

  How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

  Hi Tarik,
  Thanks for your answers,
  I've attached my configured AuthZ rules and AuthZ profile for provisioning,
  I want the process to be the same for iPhone, Android and Windows.
  1) Connect to the SSID
  2) Login using your AD credentials PEAP-MS-CHAP-v2
  3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
  4) As soon as the client click "register" no more redirects and PERMIT-ALL
  I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
  1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
  2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
  3) everything else = DENY-ALL
  But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
  What screenshoot do you need after the registration? the Auth report?
  Thank you very much for your time!

• ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

  Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
  I have come up with bunch of incompatibilities between the offered support e.g.
  1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
  2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC
  We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
  I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

  Hi,
  We have tried to do the exact same setup as you and we also failed.
  When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
  MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
  When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
  A list with EAP protocols supported by the RSA is in attach.
  Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
  table "EAP Authentication Protocol and User Database Compatibility "
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
  What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

• Issue with Anonymous Authentication and updating or starting new projects

  So 2 weeks ago I had a post about Anonymous Authentication found here:
  https://social.technet.microsoft.com/Forums/office/en-US/9b0e6eec-190a-4b48-a280-6adef441659a/issue-with-anonymous-authentication-and-people-picker-and-reports?forum=sharepointgeneral&prof=required
  That issue has been resolved but has created a new issue. We have Anonymous Authentication disabled but when one of our users tries to make a new project she gets the following:
  Unexpected response from server. The status code of response is '0'. The status text of response is ''.
  When she tries to edit an existing project, she gets the following:
  The server was unable to save the form at this time. Please try again.
  If I re-enable the Anonymous Auth. everything works for her again, but then we face the issue from the original post with reports not publishing.
  Any ideas on how to make everything get along?

  #apDiv2 {
      position: absolute;
      width: 698px;
      height: 299px;
      z-index: 1;
      left:50px;
      top: 117px;
      overflow: scroll;
  Don't forget to fix your code errors.  You're still missing a <body> tag in your markup. 
  Nancy O.