802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

Similar Messages

• Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

  Hi!
  I'm in the processes of setting up a new wireless network for a costumer.
  A little info about the hardware:
  Cisco WLC 5508
  Cisco AP 2602i
  Cisco ISE - radius server
  ipads gen 4 (iOS 6)
  EAP-TLS (windows machines) and PEAP (Other stuff, ipads, andriod etc) as authentications methods
  The radius server is using a server certificate from thier own PKI infrastructure therefor i need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iphone/ipad configuration utility.
  I use the Use Per-connection password option
  User that are allowed to connect are placed in a specific group in there AD.
  The problem that I have is:
  When a user thats not allowed to connect tries to authenticate to the network the ipad says stop and thats the way it supposed to be.
  BUT after someone has faild to authenticate to the network and somebody else tries to connect the ipad only ask for a password and not a username.
  I cant seem to get rid of this popup and therefor the ipad cant connect.
  If I don't use the profile I can forget about the network and after that i can connect with a different user.
  But then i can't verify the server-certificate and use the option per-connection password!
  Please help!
  Has someone else seen this type of bug.
  //Simon

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• RADIUS Authentication Problems with NPS Server Eventid 6274

  Hi,
  We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
  Network Policy Server discarded the request for a user
  Contact the Network Policy Server administrator for more information.
  User:
      Security ID:            NULL SID
      Account Name:            host/hostname.domainname.com
      Account Domain:            -
      Fully Qualified Account Name:    -
  Client Machine:
      Security ID:            NULL SID
      Account Name:            -
      Fully Qualified Account Name:    -
      OS-Version:            -
      Called Station Identifier:        40-20-B1-F4-BB-15:Wireless-SSID
      Calling Station Identifier:        C1-18-85-08-10-E1
  NAS:
      NAS IPv4 Address:        192.168.10.10
      NAS IPv6 Address:        -
      NAS Identifier:            AP name
      NAS Port-Type:            Wireless - IEEE 802.11
      NAS Port:            0
  RADIUS Client:
      Client Friendly Name:        name
      Client IP Address:            192.168.10.10
  Authentication Details:
      Connection Request Policy Name:    Secure Wireless Connections
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        NPS servername
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        -
      Reason Code:            3
      Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
  Network Policy Server discarded the request for a user.
  Contact the Network Policy Server administrator for more information.
  User:
      Security ID:            NULL SID
      Account Name:            domainname\username
      Account Domain:            -
      Fully Qualified Account Name:    -
  Client Machine:
      Security ID:            NULL SID
      Account Name:            -
      Fully Qualified Account Name:    -
      OS-Version:            -
      Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
      Calling Station Identifier:        09-3E-8E-3E-5A-C9
  NAS:
      NAS IPv4 Address:        192.168.10.10
      NAS IPv6 Address:        -
      NAS Identifier:            AP name
      NAS Port-Type:            Wireless - IEEE 802.11
      NAS Port:            0
  RADIUS Client:
      Client Friendly Name:        name
      Client IP Address:            192.168.10.10
  Authentication Details:
      Connection Request Policy Name:    Secure Wireless Connections
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        NPS server name
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        -
      Reason Code:            3
      Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
  Message seen from the AP's logs:
  (317)IEEE802.1X auth is starting (at if=wifi0.2)
  (318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
  (319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
   (320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
   (321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
   (322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC  
  Output omitted
  (330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
  We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
  Initally the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Somputer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue(Not sure if
  this matters?)
  Please guide me on how to take this further
  Thank you :)
  //Cris

  Hi,
  NPS Event ID: 6274.
  This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
  Detailed information reference：
  Event ID 6274 — NPS Accounting Request Message Processing
  https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• ESW 520 802.1x MAB authentication problem

  Hello,
  I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.
  The Authentication method on ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When i plug ip phone it never authenticate the phone, and on ACS I get following error message:
  Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
  RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
  15004  Matched rule
  15012  Selected Access Service - MAB
  11507  Extracted EAP-Response/Identity
  11509  Access Service does not allow any EAP protocols
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  For that Access Service I have configured only Host Lookup.
  The same ACS configuration is working perfectly on Catalyst 3560G switche.
  It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.
  Do you have any idea what can be the problem.

  Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
  Also can you post the port configuration and the show ver of the ESW?
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• 802.1x re authentication problem

  Hello,
  I have problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single host mode and Multiple Host mode it works just fine.
  The problem is following, when PC  is first connected on switch port it authenticates successfully. After about 1-2 minutes windows 7 NIC notifies that its going to authenticate again, and after couple of minutes NIC status is changed to “Authentication Failed”. On ACS I only see first authentication request which is successful.  If I unplug PC from port and plug it again. It authenticates successfully and then starts again with same problems.
  I was doing packet sniffing on PC, and it seems that after pc first authentication completes successful, switch starting to sent EAP Identity/Request packets to host, for that host is sending EAP Identity/Response to switch, but switch don’t continues authentication process and starts again with new EAP Identity/Request packets.
  On Windows 7 host Event viewer I see  following log messages:
                  Reason: 0x70004
                  Reason Text: The network stopped answering authentication requests
                  Error Code: 0x0
  The ACS version is 5.3. Authentication method is PEAP.  Supplicant OS is Windows 7 I also trued with Windows XP, with same result. The Authentication switch is ESW 520 with latest firmware. I also trued with 2960/3560 switches and it works perfectly. On ESW 520 switch if port mode is other  than “Multi Session" if works without any issue.
  Do you have any Idea how can i fix this ?

  Hi ngtransge,
  Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.

• 802.1X wireless network problems with Intel Mac

  To login to the wireless network at my school I have to use an 802.1X connection authenticating with TTLS, TLS, EAP-FAST and PEAP protocols.
  This works intermitently. Some days my MacBook logs on quickly with no problems at all but most days it has a self assigned IP address and I can't use the internet. My friend also uses a MacBook, which acts in the same way. Some days she manages to get on, some days I can get on and some days we are both on together. The problem is really irritating!! We get no support from the techs as we are the only Mac people in the school. The rest of the staff have PCs. The techs are just trying to use this issue to justify why letting people lease Macs is a problem and stop other staff from leasing them in the future.
  I did find a solution at
  http://discussions.apple.com/thread.jspa?threadID=425113&tstart=0
  but this was written in 2006 and I wonderered if this was still valid.
  Can anyone help? please???

  I am a tech at our school and we have the same problems. still trying to find a permanent solution!
  If you turn airport off, then turn on again, (from system prefs > network) does it change from "self-assigned IP Address" to "Authenticated via PEAP)?
  the macs are more and more popular at our school, so its becoming more and more of an issue.
  cheers,
  Harry

• ESW 520 802.1x re authentication problem

  Hello
  I have problem with ESW 520, on 802.1x authentication. The problem is when host authenticates successfully it works about couple of minutes, after it truest too authenticate again but it lags. On network interface it shows notification that if Failed authentication. On ACS I see only one authentication attempt which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug cable it authenticates successfully, but then about couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have following error:
                  Reason: 0x70004
                  Reason Text: The network stopped answering authentication requests
                  Error Code: 0x0
  If I connect same hosts on Catalyst 2960 switch, they work successfully.

  Hi  ngtransge
  There are  tree possible explanations about  why the authentications  fails.
  A)the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.
  To verify the client has a domain certificate:
  1. Click Start and click Run.
  2. Type mmc, and then press ENTER.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Certificates, click Add, select Computer account, and then click Next.
  5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
  6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
  On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
  B) You should check your switch's configuration, perhaps a port or some ports could be blocked by an access-list and interrupt the re authentication.
  C) If this two solutions don't work, you have to try to change the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)
  Greetings, Johnnatn Rodriguez Miranda

• 802.11n 5ghz Connection Problem with OS X 10.4.11 Tiger

  I've searched the communities for answer to this vexing issue to no avail, so I am trying a post.
  Situation:
  I have a dual-band 1TB TC at home set up with three networks: 802.11g/b/a, 802.11n ((5ghz), and Guest Network (g/b).  There are four Macs accessing it: (2) mid-2009 15" MacBook Pros, 2009 MacBook Air, mid-2006 24" iMac.  All are running Snow Leopard 10.6.7 except the 24" iMac (Core 2 Duo) running 10.4.11.
  All Macs can connect to to all networks EXCEPT the iMac which has a problem with the 802.11n (5ghz) connection ONLY.  The iMac has the n-enabler installed (can see it registered when looking at Network Utility).  In fact, the iMac will connect but any attempt to access to the Internet or TC disk stalls the system.  Switch back to 802.11g and everything is fine.
  I've looked at the Console for guidance but cannot find anything problematic (to my eyes, anyway).  I booted this iMac to Snow Leopard from an external disk and the problem cannot be duplicated, so I am assuming this is not a hardware issue with the iMac.  I also, did a fresh install of Tiger and updated it to 10.4.11 plus all Airport updates and n-ebabler on an external drive, booted from this drive and have the same issue with the 5 ghz n-connection.
  By the way, when connected to 802.11n (5ghz) network with the iMac, I have full bars on the menubar fan, but then one bar drops after a minute or so.  When this happens, I cannot access the Internet nor the TC disk.
  I've tried various tweaks as described in the many, many discussion threads here: resets, establish new locations, clear/repair the keychain, and many others.
  I did not have this problem in the past with this iMac, so don't know what has changed with the system configuration.  The g-connection is rock-solid, so Internet access is fine, but file transfer speeds ober the network are obviously much slower now than with the 5ghz n-connection.
  Anyone have any ideas?  Without suggesting an upgrade to 10.6...clearly that should do the trick.  I have other reasons for running Tiger on the iMac.
  Thanks.

  I wonder if all the activity was too much for the hard drive and it failed....you might contact Apple about this repair extension program to see if you qualify...
  http://www.apple.com/support/macbook/hd/repairextension/

• CSS - Radius authentication problem

  Hi,
  for a customer we need to configure Radius authentication working like this:
  - CSS administrator login to device at user level
  - then switch to "enable" mode using a superuser level account.
  First login to CSS with a Radius account at user level works fine, but (after enable command) the login at superuser level doesn't work neighter with Radius account nor with local superuser account.
  Ver.: 08.10.4.01
  This is the configuration:
  radius-server primary 10.113.212.17 secret XXX auth-port 1645
  radius-server source-interface 10.113.212.32
  sntp primary-server 10.113.205.1 version 3
  date european-date
  radius-server secondary 10.113.197.24 secret XXX auth-port 1645
  radius-server dead-time 15
  radius-server retransmit 15
  radius-server timeout 15
  virtual authentication primary radius
  virtual authentication secondary local
  username ZZZ des-password ZZZ superuser
  Any idea?
  Thanks in advance.

  is your server correctly configured as described at :
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Radius.html#wp1108380
  "From the Group Settings section of the Cisco Secure ACS HTML interface, click the IETF RADIUS Attributes, [006] Service-Type checkbox. Then select Administrative. Administrative is required to enable RADIUS authentication for privileged user (SuperUser) connection with the CSS. "
  Gilles.

• Form-based authentication problem with weblogic

  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
  Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

  Hi...
  Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
  I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
  cheers...
  Jerson
  "John Wang" <[email protected]> wrote:
  >
  Hi Jerson,
  I tried your code this weekend, it didn't work in my case. But
  I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
  But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
  In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
  Thanks.
  -John
  "Jerson Chua" <[email protected]> wrote:
  I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
  Jerson
  package com.cyberj.catalyst.web;
  import weblogic.servlet.security.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
  public void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  int authenticated = sa.weak(request, response);
  if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
  authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
  response.sendRedirect("fail_login.jsp");
  } else {
  response.sendRedirect("Home.jsp");
  public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  "Jerson Chua" <[email protected]> wrote:
  The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
  Has anyone solved this problem? I've tried the example itself and the same problem occurs.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Jerson,
  First try it redirected (raw) to see if that indeed is the problem ... then
  if it works you can "fix" it the way you want.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hi...
  Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
  another indirection where I will redirect it to another servlet but the
  password is encrypted.
  What do you think?
  thanks....
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Maybe redirect to the current URL after killing the session to let the
  request clean itself up. I don't think that a lot of the request (such
  as
  remote user) will be affected by killing the session until the nextrequest
  comes in.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hello guys...
  I've a solution but it doesn't work yet so I need your help. Because
  one
  of the reason for getting form base authentication failed is if an
  authenticated user tries to login again. For example, the one mentionedby
  John using the back button to go to the login page and when the user logsin
  again, this error occurs.
  So here's my solution
  Instead of submitting the page to j_security_check, submit it to a
  servlet
  which will check if the user is logged in or not. If yes, invalidates its
  session and forward it to j_security_check. But there's a problem in this
  solution, eventhough the session.invalidate() (which actually logs theuser
  out) is executed before forwarded to j_security_check, the user doesn't
  immediately logged out. How did I know this, because after calling
  session.invalidate, i tried calling request.RemoteUser() and it doesn't
  return null. So I'm still getting the error. What I want to ask you guyis
  how do I force logout before the j_security_check is called.
  here's the code I did which the login.jsp actually submits to
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  public void doPost(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  if (request.getRemoteUser() != null) {
  HttpSession session = request.getSession(false);
  System.out.println(session.isNew());
  session.invalidate();
  Cookie[] cookies = request.getCookies();
  for (int i = 0; i < cookies.length; i++) {
  cookies.setMaxAge(0);
  getServletContext().getRequestDispatcher("/j_security_check").forward(reques
  t, response);
  public void doGet(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  let's help each other to solve this problem. thanks.
  Jerson
  "Jerson Chua" <[email protected]> wrote:
  I thought that this problem will be solved on sp6 but to my
  disappointment, the problem is still there. I'm also using RDBMSRealm,same
  as John.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  John,
  1. You are using a single WL instance (i.e. not clustered) on that
  NT
  box
  and doing so without a proxy (e.g. specifying http://localhost:7001),
  correct?
  2. BEA will pay more attention to the problem if you upgrade to SP6.If
  you don't have a reason NOT to (e.g. a particular regression), then
  you
  should upgrade. That will save you one go-around with support: "Hi,I
  am
  on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
  it.
  Call back if that doesn't work."
  3. Make sure that you are not doing anything special before or after
  J_SECURITY_CHECK ... make sure that you have everything configuredand
  done
  by the book.
  4. Email BEA a bug report at [email protected] ... see what they say.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Cameron,
  It seems to me that the problem I encountered is different a little
  from
  what you have, evrn though the error message is the same eventually.
  Everytime I go through, I always get that error.
  I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
  to
  work
  around this problem? If it was a BUG as you
  pointed out, is there a way we can report it to the Weblogic
  technical support and let them take a look?
  Thnaks.
  -John
  "Cameron Purdy" <[email protected]> wrote:
  John,
  I will verify that I have seen this error now (after having read
  about it
  here for a few months) and it had the following characteristics:
  1) It was intermittent, and appeared to be self-curing
  2) It was not predictable, only seemed to occur at the first
  login
  attempt,
  and may have been timing related
  3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
  proxy
  was
  Apache (Stronghold)
  4) After researching the newsgroups, it appears that this "bug"
  may
  have gone away temporarily (?) in SP5 (although Jerson Chua
  <[email protected]> mentioned that he still got it in SP5)
  I was able to reproduce it most often by deleting the tmpwar and
  tmp_deployments directories while the cluster was not running,
  then
  restarting the cluster. The first login attempt would fail(roughly
  90%
  of
  the time?) and that server instance would then be ignored by the
  proxy
  for a
  while (60 seconds?) -- meaning that the proxy would send all
  traffic,
  regardless of the number of "clients", to the other server in thecluster.
  As far as I can tell, it is a bug in WebLogic, and probably has
  been
  there
  for quite a while.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I
  am
  having
  the following problem with the form-based authentication login
  mechanism.
  Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it
  is
  OK.
  But
  if I login and use the browser's BACK button to back the login
  page
  and
  try
  to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons
  could
  cause it: HTTP sessions are disabled. An old session ID was stored
  in
  the
  browser."
  Normally, if you login and want to relogin without logout first,
  it
  supposes to direct you to the existing user session. But I don'tunderstand
  why it gave me this error. I also checked my property file, it
  appears
  that
  the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

• Authentication problem with JWS and TOMCAT

  Hi everyone !
  I have a problem with Java Web Start (1.0.1) and Tomcat (4.0.4).
  I'm trying to call my application via Web server Tomcat with restricting access.
  My configuration is the following :
  The deployment descriptor web.xml is:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <mime-mapping>
  <extension>jar</extension>
  <mime-type>application/java-archive</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>java</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>jnlp</extension>
  <mime-type>application/x-java-jnlp-file</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>JNLP</extension>
  <mime-type>application/x-java-jnlp-file</mime-type>
  </mime-mapping>
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Entire Application</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <!-- NOTE: This role is not present in the default users file -->
  <role-name>standard</role-name>
  </auth-constraint>
  </security-constraint>
  <!-- Define the Login Configuration for this Application -->
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>MY APPL</realm-name>
  </login-config>
  </web-app>
  And jnlp File is:
  <jnlp
  spec="1.0+"
  codebase="http://host:8080/Official/"
  href="Application.jnlp">
  <information>
  <title>Application release 0.10</title>
  <vendor> XXXX </vendor>
  <homepage href="/"/>
  <description>Application</description>
  <description kind="short">My Application</description>
  <icon href="Icon.gif"/>
  </information>
  <security>
  <all-permissions/>
  </security>
  <resources>
  <j2se version="1.3"/>
  <jar href="Jar1.jar"/>
  <jar href="Jar2.jar"/>
  <jar href="Jar3.jar"/>
  <jar href="Jar4.jar"/>
  <jar href="Jar5.jar"/>
  <jar href="Jar6.jar"/>
  <jar href="Jar7.jar"/>
  <jar href="Jar8.jar"/>
  <jar href="Jar9.jar"/>
  <jar href="Jar10.jar"/>
  <jar href="MyApplication.jar"/>
  </resources>
  <application-desc main-class="com.xxxx.tool.cm.MyApplication"/>
  </jnlp>
  With the above configuration the Java Web Start not work.
  I'm expecting the message box for insert username and password instead it returns the messagge error :
  An error occurred while launching/running the application.
  Vendor: XXXX
  Category: Download Error
  Unable to load resource: http://host:8080/Official/Application.jnlp
  The Exception error is:
  JNLPException[category: Download Error : Exception: java.lang.NullPointerException : LaunchDesc: null ]
       at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown Source)
       at com.sun.javaws.cache.DownloadProtocol.isLaunchFileUpdateAvailable(Unknown Source)
       at com.sun.javaws.LaunchDownload.getUpdatedLaunchDesc(Unknown Source)
       at com.sun.javaws.Launcher.downloadResources(Unknown Source)
       at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
       at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  I have tried to remove the restrict access in the deployment descriptor (web.xml) and java Web Start WORKS !!!!!!
  I'll appreciate any idea or hint!
  Thanks in advance

  Check this out
  http://forum.java.sun.com/thread.jsp?forum=38&thread=456250
  Mad Einstein

• Poweredge (Win 2003) port teaming problem with Cat 6509s

  Hi
  One of our server guys has reported a problem with port teaming his Win 2003 Dell servers (running MS Exchange). He has set them up with an active port attached to 6509-A and a standby port attached to 6509-B. The servers have Broadcom NICs. At times the server is completely unavailable - unable to RDP or telnet and users have complained of poor performance.
  Does anyone hae any experience - any info gratefully received.
  Regards,
  Paul

  I'm not so sure CSCsj55739 is the issue. I have a few questions:
  1) Can you post a text dump of the Broadcom team config (usually available from the teaming GUI).
  2) Are both NICs connected to the same VLAN?
  3) Is this same VLAN carried between 6509-A and 6509-B?
  4) Have you tried removing the team and putting the team address on one physical NIC at a time, to see if simply one NIC or the other has a connection issue?

• SG 300-10 802.1x radius authentication slowness

  We have 802.1x authentication via radius and vlan-id tagging with guest vlan fallback working successfully, but we've noticed that no matter what settings we try for the port, it seems that the switch takes about 20 seconds after the port comes up before it sends the authentication request to the radius server.
  We tried enabling portfast under stp and when the port is connected, it does immediately come up, and the user is pushed to the guest vlan, and then after about 20 seconds the prompt comes up and credentials can be entered and then it will send the request to the radius server. If the credentials are saved, it still takes the same amount of time before it sends those saved credentials. 
  I'm curious if this intended behavior, a limitation of hardware, or a setting on the port I'm missing. We tried lowering the various quiet-period, silence-period, etc timeouts, and are still seeing the same results. All tested os's (OSX, Windows 7+8, Ubuntu + Arch nix) experienced the same results.
  Any advice would be appreciated, thank you!
  See below for our conf:
  net055#show running-config 
  config-file-header
  net055
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch 
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  dot1x guest-vlan timeout 30
  vlan database
  default-vlan vlan 3333
  exit
  vlan database
  vlan 1,100,102,104,111
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  hostname net055
  line console
  exec-timeout 30
  exit
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 172.16.200.57 key REMOVED= usage dot1.x
  radius-server host source-interface vlan 100
  management access-list mlist2
  permit ip-source 172.16.202.0 mask 255.255.255.0
  permit ip-source 172.16.200.0 mask 255.255.255.0
  exit
  management access-class mlist2
  aaa authentication enable default enable none         
  aaa accounting dot1x start-stop group radius
  enable password level 15 encrypted REMOVED
  no service password-recovery
  no passwords complexity enable
  passwords aging 0
  username REMOVED privilege 15
  username REMOVED privilege 15
  ip ssh server
  ip ssh password-auth
  ip http timeout-policy 1800 https-only
  no ip http server
  tacacs-server timeout 10
  clock timezone EST -5
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.100.95
  ip name-server  8.8.4.4
  interface vlan 100
   ip address 172.16.200.21 255.255.255.0
   no ip address dhcp
  interface vlan 102
   name dev-0-Gnv-202.0
  interface vlan 104
   name gen-0-Gnv-204.0
  interface vlan 111
   name guest-0-Gnv-10-66-61.0
   dot1x guest-vlan
  interface gigabitethernet1
   switchport trunk allowed vlan add 100,102,104,111
  interface gigabitethernet2
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x timeout supp-timeout 5
   dot1x radius-attributes vlan static
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet3                            
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet4
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet5
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet6
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static                  
   dot1x port-control auto
   spanning-tree portfast
  interface gigabitethernet7
   dot1x guest-vlan enable
   dot1x max-req 10
   dot1x reauthentication
   dot1x timeout quiet-period 5
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet8
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  interface gigabitethernet9
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto                              
   spanning-tree portfast
  interface gigabitethernet10
   dot1x guest-vlan enable
   dot1x reauthentication
   dot1x radius-attributes vlan static
   dot1x port-control auto
  exit
  ip default-gateway 172.16.200.1

  Forgot to follow up here. 
  This is a known deficiency of how the SG300 line implements 802.1x vs how all other cisco switches implement it (and how other vendors implement it). The support tech said Cisco was unwilling to fix this deficiency (he would never provide a reason why). 
  If you have OSX and 802.1x and dont want it to take >30 seconds for users to get auth'd I would suggest going to another vendor since Cisco has said they will not fix this issue. 

• Macs joined to AD Domain, and 802.1x/mab authentication problems

  Hello, I've got a situation where i have a small handful of Mac Pro's running OS 10.6 that are having some trouble with wired 802.1x/MAB (Mac Autehntication Bypass) on our cisco switches. We have our macs setup so that they autenticate to our windows domain for user login, plus, we have 802.1x authenciation (for our windows clients) and MAB bypass for our macs, printers, and assorted other equipment. Problem seems to be, the Mac boots up before the switch goes into MAB bypass and wont let the user login to the network. Has anyone ran across this problem before and found a solution?

  hello,
  in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
  the interfaces have the following config:
   authentication host-mode multi-auth
   authentication order mab dot1x
   authentication priority mab dot1x
   authentication port-control auto
   authentication periodic
   authentication timer restart 120
   authentication timer reauthenticate server
   authentication timer inactivity 600
   mab
   dot1x pae authenticator
  Good luck