802.1x Failed Authentication with WS-C3750G-24T

Hi,
I have already set up a lab  comprising of  1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
1.     I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2.      I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
If anyone could check it and suggest  anything it could be appreciated!!!
Thank you in advance!                 

Hi,
basically what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
Mar  6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
Mar  6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
Best regards,
Josef

Similar Messages

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
    when i try to authenticate the same machine with 802.1x and certificates , on Wirelss, the ACS rejects it  with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    the ACS is the same, the certificate the same, and the root ca is the same.
    what's hapenning????
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • 802.1x fail authentication - packets keep discarded

    Hi all,
    I'm implementing 802.1x using Catalyst 3560 and MS IAS as radius server. The plan is, every PC needs to authenticate using PEAP with radius and assigned to a VLAN. Fail authentication will be assigned to guest VLAN.
    The problem is when I'm testing a PC, set the PC withouth 802.1x enabled, plug it to the 3560 port, the port keeps that PC packets discarded forever. I remove dot1x configuration on the interface, but it keep discard all packets (can't ping anywhere). When I plugged the PC to other port with the same configuration (no dot1x), it works. I have tried shut and no shut the interface, disable - enable devices, remove config and etc but the PC can't ping anywhere.
    I'm happy to paste the config. Could anyone please explain me why it happens and what is the solution? Many thanks.

    Here's an example config that should work:
    interface GigabitEthernet1/0/5
    switchport access vlan 31
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 35
    dot1x auth-fail vlan 35
    end
    This should NOT keep a non-1x machine from accessing the network forever. With the above, and default timers, it's a 90-sec timeout of 802.1X. You can tweak the tx-period and the maz-reauth-req variable to get this down to 2-sec if you wish. If you remove 802.1X, then this should also not discard packets. If the 2 items above are truly occurring, then you have hit a software bug, and a TAC case should be opened immediately. Are you sure something like DHCP just hasn't timed out on you though?
    NOTE: The config above has vlan 35 for the guest-vlan being equal to the auth-fail-vlan based on you stating the need for this above. It could be different than the guest-vlan if you wanted it to be. Either/both could be the same vlan as what's statically configured on the port as well [31].
    Hope this helps,

  • 802.1x Wireless Authentication with 10.8.4 Build 12E3067

    Hello All,
    Work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN.  We use a login window profile that authenticates with our Active Directory.
    Previous and working set up was MBA (Mid 2012) 5,1. Running OS 10.8.4 build 12E55.  This OS was downloaded from Mac App Store. Bound to domain and using authorization certificates for our active directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server.  No issue.  Units authenticate with server at user login, join Wi-Fi and mounts home folder. 
    New and not working set up is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067.  This unit will not run build 12E55, boots to prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up the Wi-Fi signal appears to be attached to the network, unlike previous setup when unit will Wi-Fi indicator will appear disconnected until user logs in.  90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account.  Will not attached to Wi-Fi. There are instances when it does authenticate properly.  However logging out and then back in will cause the failure.
    Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed in on MBA 5,1. Same Failure happens.  This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
    Troubleshooting:
    -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
    -Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
    -Restarted domain controllers. Issue continues.
    Any thoughts or questions would be appreciated.

    did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
    we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
    any input would be much appreciated.

  • Pb 802.1X Computer authentication

    Hello
    I want to know if some GPO parameters can prevent computer authentication 802.1X ?
    Because we use ACS4.1 and 802.1X PEAP authentication with Vlan assignement and MACHINE authentication Only
    And certain PC works fine and other not
    And if we disconnect the PC to the domain and after we reconnect th PC to the donain, all works fine ==> Authentication is OK
    If you have a solution to prevent out/in PC in the domain ?
    Thanks for your help

    Hello
    When i do the command csagent -v the result is:
    ACSRemoteAgent version 4.1(3.12)
    and I have an Appliance ACS:
    Cisco Secure ACS 4.1.3.12
    Appliance Management Software 4.1.3.12
    Appliance Base Image 4.1.1.4
    CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
    and in the file cswinAgent i have this error
    CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    I don't know if this that you want
    I have just change the domain name (DOMAIN-TEST) to confidential resaon
    Thanks

  • 802.1x & windows Authentication

    Hi There, Any body has implemented 802.1x port authentication with ACS & windows AD. which authentication is supported in this kind of setup ms-chap or MD5 or PEAP (on the clients).
    and what are the challenges if windows user accounts password changed frequently..
    can any body explain adv & dis adv of 802.1x before I deploy it in network..

    There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have a "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7 where machine auth is enabled when you enable user auth.
    MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf

  • VWLC 802.1x NPS authentication Fails

    Hi Guys,
    Hopefully someone can help me with the following problem i'm facing...
    I've a vWLC running 7.3 deployed in our HQ site.
    At the HQ we have a W2k8 R2 NPS deployed at works fine for VPN, Router and Switch Authentication
    In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500's running in flexconnect mode with local switching.
    These AP's register just fine through the VPN link back to the vWLC.
    We deployed a few SSID's that are bound to AP groups.
    All SSID's that use WPA2 with PSK work fine
    All SSID's that use WPA2 with 802.1x Fail
    The Security Settings for the failing SSID's are:
    WPA2 Policy
    WPA2 Encryption AES
    Key Man 802.1x
    AAA Server is pointing to the right NPS for Auth and Accounting
    Radius overwrite IF is disabled
    The settings of the NPS are:
    Conditions:
    Win Group: DOMAIN\Groupxx
    NAS Port Type: Wireless - IEEE 802.11
    Settings:
    EAP Conf: Configured
    Access Perm: Granted
    EAP Method: MS PEAP
    Auth Method: EAP
    NAP Enforcement: Allow full access
    Update non complient: True
    Service Type: Login
    When a laptop (Mac os 10.8) tries to connect to a 802.1x SSID It Prompts for a username and passwd.
    Using DOMAIN\user + passwd the client tries to authenticate for a couple of times and fails
    On the vWLC i can see trap:
    AAA Authentication Failure for UserName:user  User Type: WLAN USER
    At the NPS i can see:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              DOMAIN\user
    Account Name:                              user
    Account Domain:                              DOMAIN
    Fully Qualified Account Name:          dom.com/OU/OU/OU/USER full name
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    34-a8-4e-70-0b-90:test.sec
    Calling Station Identifier:                    10-40-f3-8f-ac-62
    NAS:
    NAS IPv4 Address:                    IP vWLC
    NAS IPv6 Address:                    -
    NAS Identifier: VWLC001
    NAS Port-Type:                              Wireless - IEEE 802.11
    NAS Port:                              1
    RADIUS Client:
    Client Friendly Name: vWLC001
    Client IP Address:                              IP vWLC
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Cisco WiFi
    Authentication Provider:                    Windows
    Authentication Server:                    FQDN NPS server
    Authentication Type:                    PEAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              23
    Reason:                                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Hopefully someone can point me in the right direction.
    Cheers,
    JP

    Find below the output of the debug:
    (Cisco Controller) >
    (Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-text environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

  • I get error message: "An error occurred with the  publication of album...Authentication with server failed...whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. What do I need to do?

    I get error message: "An error occurred with the  publication of album...Authentication with server failed. Please check your login and password information" whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. I am hoping I can retrieve these "lost" files. What do I need to do?

    Message was edited by: leroydouglas
    better yet, try this solution:
    https://discussions.apple.com/message/12351186#12351186

  • Ricoh Aficio MP C2051 Scan to Folder - Windows 7 64 bit Error: Authentication with the destination has failed check settings

    I got an issue with OS of widows 7.
    unable to scan  documents to user's PC.am getting error message "Authentication with the destination has failed. Check settings. To check the current status, press [Scanned Files Status
    Other Windows xp  PC can do this.
    How can I fix this problem?
    Printer Model :C2051 /mp2001sp

    Hi,
    I searched for the error and it is mentioned in Ricoh's website:
    Messages Displayed on the Control Panel When Using the Scanner Function
    http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001045/0001045718/view/trouble/int/0036.htm
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Message
    Cause
    Solution
    “Authentication with the destination has failed. Check settings. To check the current status, press [Comm. Status/Print].”
    The entered login user name or login password is not correct.
    Check that the user name and password are correct.
    Check that the ID and password for the destination folder are correct.
    A password of 128 or more characters may not be recognized.
    From the solution, it mentioned that the issue could relate to user account or its password.
    Please let me know if it is in domain environment. If so, please test to log the same user account currently on Windows 7 to Windows XP and see if issue persists.
    Also please test to directly access the scanning folder on printer server to see if there is any issue in accessing the destination folder. 

  • Ricoh Aficio MP C2051 Scan to Folder - Windows Server 2012 Error: Authentication with the destination has failed check settings

    I have recently upgraded a clients servers to Windows Server 2012 & since doing so have lost the ability to scan to folder.
    Both servers are domain controllers and previously on a 2008 domain controller I would have had to make the following change to allow scan to folder:
     Administrative Tools
     Server Manager
     Features
     Group Policy Manager
     Forest: ...
     Default Domain Policy
    Computer configuration
     Policies
     Windows Settings
     Security Settings
     Local Policies
     Security Options
     Microsoft Network Server: Digitally Sign Communications (Always)
     - Define This Policy
     - Disabled
    However I have applied this to the Windows 2012 server but am still unable to scan, possibly due to added layers of security in server 2012. The error on the scanner is Authentication with the destination has failed check settings.
    I have also tried the following at the server:
    Policies -> Security Policies
    Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.
    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and uncheck the require 128 bit.
    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers and uncheck the require 128 bit
    I have created a user account on the server for the ricoh and set this in the settiings of the Ricoh and verified everything is correct.
    Are there any other things I have missed?

    I can email anybody the firmware module if interested and how to...
    Tell me your model and email
    If your offer still stands we have an Aficio MP C3300
    Firmwareversion
    Modulnavn Version Delnummer 
    System/Copy  1.13  D0255562H  
    Network Support  8.16.1  D0255563D  
    Font EXP  1.03  D0255588  
    OptionPCLFont  1.02  D0255589  
    animation  1.3.1  D0255568A  
    Fax  01.10.00  D0255569B  
    RemoteFax  01.10.00  D0255564B  
    Printer  1.11  D0255572A  
    RPCS  3.7.5.4.1  D0255574A  
    Option PCL  1.00  D0255580A  
    Scanner  01.17  D0255570C  
    Network DocBox  1.00  D0255567B  
    Web Support  1.06  D0255565B  
    Web Uapl  1.07  D0255566C  
    libcvm(v4)  4.13  D4135765B  
    GWFCU3-13(WW)  03.00.00  D3935570C  
    PowerSaving Sys  1.10  D0255560C  
    Engine 1.51:09 D0255117E 
    OpePanel 1.03 D0251492A 
    LANG0 1.03 D0251496 
    LANG1 1.03 D0251496 
    ADF 03.420:02 D3665604 
    Finisher 01.090:03 D3725112
    Best Regards/
    Henrik Plougstad
    henrik(a)pieroth.dk

  • Policy agent 2.2 amfilter local authentication with session binding failed

    Hi All,
    I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
    Here is the error I got:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    Here is the error I found from agent log file, amFilter:
    AmFilter: now processing: SSO Task Handler
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Logout Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: local logout skipped SSO User => amAdmin, principal =>null
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Auth Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: doing local authentication with session binding
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    -----------------------------------------------------------

    Hi,
    I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
    ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
    java.lang.IllegalStateException: invalidate: Session already invalidated
    at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
    at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
    FilterResult:
    Status : FORBIDDEN
    RedirectURL : null
    RequestHelper:
    null
    Data:
    null
    Also, we I debug I see:
    LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
    Did you receive any solution for this?
    Many, many thanks,
    Philip

  • Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

    Hi!
    I'm in the processes of setting up a new wireless network for a costumer.
    A little info about the hardware:
    Cisco WLC 5508
    Cisco AP 2602i
    Cisco ISE - radius server
    ipads gen 4 (iOS 6)
    EAP-TLS (windows machines) and PEAP (Other stuff, ipads, andriod etc) as authentications methods
    The radius server is using a server certificate from thier own PKI infrastructure therefor i need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iphone/ipad configuration utility.
    I use the Use Per-connection password option
    User that are allowed to connect are placed in a specific group in there AD.
    The problem that I have is:
    When a user thats not allowed to connect tries to authenticate to the network the ipad says stop and thats the way it supposed to be.
    BUT after someone has faild to authenticate to the network and somebody else tries to connect the ipad only ask for a password and not a username.
    I cant seem to get rid of this popup and therefor the ipad cant connect.
    If I don't use the profile I can forget about the network and after that i can connect with a different user.
    But then i can't verify the server-certificate and use the option per-connection password!
    Please help!
    Has someone else seen this type of bug.
    //Simon

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authenication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
    I even tried using local authenication with 802.1x, this did not work
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
    Am I missing anything?
    Any advise will be greatly appreciated
    Chris

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
    [Summary]
    The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
    Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
    [Logs]
    During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
    1. supplicant and authenticator orderflow at wireshar:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicat  Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicat  Response Identity x2
    and again, more detail about flow from whireshar chart at the end
    2. authenticator console saw like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finaly
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn'e recived any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source wireshark]
    |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
    |         |                   | Nearest           |                  
    |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,051    |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,063   |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |18,065   |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |129,684  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |190,996  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,002  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client is up and running if you connect it to the switch?
    Sent from Cisco Technical Support iPad App

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with MAC OSx on ACS Plateform 4.1?
    If yes, what pre-required on ACS and MAC OSx? Methods of authentification which are recommended ?
    I'm sorry, but i don't find documents which show validated test on 802.1x implementation method on ACS 4.1 with MAC OSx supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, Refer to the below DOC
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as you do it for windows based clients

Maybe you are looking for

  • Root/Totals item in FS Item hierarchy - not flipping properly

    Hi all, can you point me towards a solution?  I think I am missing something: in the hierarchy, but default the <b>Root/Totals Item</b> appears above the rest of the nodes.  I need to display it on the bottom. I've gone to the DW Workbench and looked

  • Battery drains during sleep!

    My almost 2 year old battery for my 15" PB G4 keeps losing its' charge when sleeping. After fully charging, I put it to sleep by closing the lid (and confirming the flashing LED). A few hours later when on the train, it won't wake up, until I get hom

  • From Which table Title is coming ?

    Hi Experts, Am currently learning hr abap, while fetching employee personnel details, am not getting from where title(Mr and Mrs) is coming, in screen pa30 it showing that is coming from Q0002 but it is a structure. plz help me to know this. Thanks a

  • To delete the default flag set in ship to address screen in shopping car.

    Hi All,         I have a requirement to delete the default flag that will be set in ship to address screen in shopping cart in SRM system. I am able to view the list of ship to address throuh Edit internal address ( transaction BBPADDRINTC) and I am

  • Exchange 2013 Install Readiness check problem

    We have a test environment which was 2008R2 AD.  We properly went through the migration path and are currently at 2012R2 Active Directory functional level. I'm installing Exchange 2013 with Sp1 into the domain.  I have successfully prepared the domai