802.1x re authentication problem

Similar Messages

• ESW 520 802.1x MAB authentication problem

  Hello,
  I am having problem with 802.1x MAB authentication on ESW 520 switch, the authentication server is ACS 5.3.
  The Authentication method on ESW is 802.1x & MAC, and Host Authentication mode is Multi Session. When i plug ip phone it never authenticate the phone, and on ACS I get following error message:
  Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
  RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
  15004  Matched rule
  15012  Selected Access Service - MAB
  11507  Extracted EAP-Response/Identity
  11509  Access Service does not allow any EAP protocols
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  For that Access Service I have configured only Host Lookup.
  The same ACS configuration is working perfectly on Catalyst 3560G switche.
  It seems that ESW switch is not telling ACS that authentication is going to be by MAC address.
  Do you have any idea what can be the problem.

  Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
  Also can you post the port configuration and the show ver of the ESW?
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

  Hi!
  I'm in the processes of setting up a new wireless network for a costumer.
  A little info about the hardware:
  Cisco WLC 5508
  Cisco AP 2602i
  Cisco ISE - radius server
  ipads gen 4 (iOS 6)
  EAP-TLS (windows machines) and PEAP (Other stuff, ipads, andriod etc) as authentications methods
  The radius server is using a server certificate from thier own PKI infrastructure therefor i need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iphone/ipad configuration utility.
  I use the Use Per-connection password option
  User that are allowed to connect are placed in a specific group in there AD.
  The problem that I have is:
  When a user thats not allowed to connect tries to authenticate to the network the ipad says stop and thats the way it supposed to be.
  BUT after someone has faild to authenticate to the network and somebody else tries to connect the ipad only ask for a password and not a username.
  I cant seem to get rid of this popup and therefor the ipad cant connect.
  If I don't use the profile I can forget about the network and after that i can connect with a different user.
  But then i can't verify the server-certificate and use the option per-connection password!
  Please help!
  Has someone else seen this type of bug.
  //Simon

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• ESW 520 802.1x re authentication problem

  Hello
  I have problem with ESW 520, on 802.1x authentication. The problem is when host authenticates successfully it works about couple of minutes, after it truest too authenticate again but it lags. On network interface it shows notification that if Failed authentication. On ACS I see only one authentication attempt which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug cable it authenticates successfully, but then about couple of minutes it again lags. Switch sees port as authenticated. On Win7 event viewer I have following error:
                  Reason: 0x70004
                  Reason Text: The network stopped answering authentication requests
                  Error Code: 0x0
  If I connect same hosts on Catalyst 2960 switch, they work successfully.

  Hi  ngtransge
  There are  tree possible explanations about  why the authentications  fails.
  A)the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.
  To verify the client has a domain certificate:
  1. Click Start and click Run.
  2. Type mmc, and then press ENTER.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Certificates, click Add, select Computer account, and then click Next.
  5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
  6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
  On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
  B) You should check your switch's configuration, perhaps a port or some ports could be blocked by an access-list and interrupt the re authentication.
  C) If this two solutions don't work, you have to try to change the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)
  Greetings, Johnnatn Rodriguez Miranda

• Macs joined to AD Domain, and 802.1x/mab authentication problems

  Hello, I've got a situation where i have a small handful of Mac Pro's running OS 10.6 that are having some trouble with wired 802.1x/MAB (Mac Autehntication Bypass) on our cisco switches. We have our macs setup so that they autenticate to our windows domain for user login, plus, we have 802.1x authenciation (for our windows clients) and MAB bypass for our macs, printers, and assorted other equipment. Problem seems to be, the Mac boots up before the switch goes into MAB bypass and wont let the user login to the network. Has anyone ran across this problem before and found a solution?

  hello,
  in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
  the interfaces have the following config:
   authentication host-mode multi-auth
   authentication order mab dot1x
   authentication priority mab dot1x
   authentication port-control auto
   authentication periodic
   authentication timer restart 120
   authentication timer reauthenticate server
   authentication timer inactivity 600
   mab
   dot1x pae authenticator
  Good luck

• IPhone 802.1x WiFi authentication problem

  my WiFi access works fine at home and almost all WiFi areas. but i go to school where wireless access is authenticated with a login and password. it works fine on my macbook. since the iPhone has OSX, i thought the school's WiFi would work on my iPhone, but it doesnt. i can see the Network on my iPhone and it has a check mark. but i cant connect to it because i am not authenticated (i think). anyone know how to do this?

  On the iPhone when you try to connect to 802.1x it may ask for a password, no username, but this won't allow you access to the network. No support for it yet.
  Some also allow IPSec and/or PPTP for WiFi you might check with your help desk people. In this case you might see the network but it would not allow you access to anything. You would need to setup VPN settings in Settings > General > Network > VPN > Settings to make a VPN connection. You have to go back to this location to enter your password because it does not save it. Also if you try to use Settings > VPN to connect, you get a number pad not a keyboard to enter your password. This works fine for Apple employes but almost no one else in the world.

• ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

  We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
  Thank you for any help or ideas,

  When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
  On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

• 802.1X wireless network problems with Intel Mac

  To login to the wireless network at my school I have to use an 802.1X connection authenticating with TTLS, TLS, EAP-FAST and PEAP protocols.
  This works intermitently. Some days my MacBook logs on quickly with no problems at all but most days it has a self assigned IP address and I can't use the internet. My friend also uses a MacBook, which acts in the same way. Some days she manages to get on, some days I can get on and some days we are both on together. The problem is really irritating!! We get no support from the techs as we are the only Mac people in the school. The rest of the staff have PCs. The techs are just trying to use this issue to justify why letting people lease Macs is a problem and stop other staff from leasing them in the future.
  I did find a solution at
  http://discussions.apple.com/thread.jspa?threadID=425113&tstart=0
  but this was written in 2006 and I wonderered if this was still valid.
  Can anyone help? please???

  I am a tech at our school and we have the same problems. still trying to find a permanent solution!
  If you turn airport off, then turn on again, (from system prefs > network) does it change from "self-assigned IP Address" to "Authenticated via PEAP)?
  the macs are more and more popular at our school, so its becoming more and more of an issue.
  cheers,
  Harry

• 802.1x Port Authentication via RADIUS

  I am investigating implementing 802.1x port authentication on our network.
  I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
  I have configured the switch with the following commands
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  radius-server host x.x.x.x key test
  and the port to be authorised has been configured with
  dot1x port-control auto
  As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
  When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasn’t available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
  Client address [x.x.x.x]
  NAS address [x.x.x.x]
  UniqueID=3
  Realm = def
  User = Administrator
  Code = Access request
  ID = 26
  Length = 169
  Authenticator = 0xCCD65F510764D2B2635563104D0C2601
  NAS-IP-Address = x.x.x.x
  NAS-Port = 50024
  NAS-Port-Type = Ethernet
  User-Name = Administrator
  Called-Station-Id = 00-11-00-11-00-11
  Calling-Station-Id = 11-00-11-00-11-00
  Service-Type = Framed
  Framed-MTU = 1500
  State = 0x3170020000FCB47C00
  EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
  Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
  Client address [x.x.x.x]
  NAS address [x.x.x.x]
  UniqueID=4
  Realm = def
  User = Administrator
  Code = Access reject
  ID = 26
  Length = 0
  Authenticator = 0xCCD65F510764D2B2635563104D0C2601
  EAP-Message = 0x04010004
  Message-Authenticator = 0x00000000000000000000000000000000
  On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
  *Mar 2 01:58:38: dot1x-ev:Username is Administrator
  *Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
  *Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
  *Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
  *Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
  *Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
  *Mar 2 01:58:38: dot1x-ev:Sent to Bend
  *Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
  *Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
  *Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
  *Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
  Again there doesn’t appear to be a password, shouldn't I see one?
  Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
  I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

  These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
  I would recommend either:
  a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
  b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
  Eval copies are available on their websites.
  Hope this helps,

• 802.1x port authentication and Windows Radius, possible?

  Hello,
  I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server?  See out users are all all on a Windows domain and I want to authenticate using their active directory credentials.  I think I am fine with the switch config, but it is the Windows IAS/Raduis server.  I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
  Thanks

  Andy:
  Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
  If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
  See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• WLC 5508 WPA Authentication Problems

  Hello,
  We have a WLC 5508 with 7.4.100.0 Firmware.
  We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
  Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
  The strange thing is that the problem is solved restarting the Access-points.
  Anyone had this problem previusly?
  Thanks in advance.

  I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
  Cisco Recommended  and not recommended Authentication Settings
  Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
  These images provide examples of incompatible settings for TKIP and AES:
  Note: Be aware that security settings permit unsupported features.
  These images provide examples of compatible settings:

• SQLNET authentication problem!

  Hi,
  We have a setup in which the database server is running on a 'XXX' domain and all the clients are running in domain 'YYY'.
  On the client, if following is the setup, then the clients face ORA-03113 after around 45 to 90 minutes of idle time.
  SQLNET.ORA
  NAMES.DEFAULT_DOMAIN=YYY
  TNSNames.ORA
  DBName.YYY = (..........
  Note: This is not happening with all the clients in 'YYY' domain.
  Now, we thought this was a domain authentication problem and removed the DEFAULT_DOMAIN setup from the client. Still the client faces ORA-03113.
  As a part of trial, we moved one of the machines which was facing the problem to the domain of the database server and the error is gone.
  But, due to obvious reasons, it is not possible to move all the clients to the domain of database server.
  Is there any way to get around this problem?
  Why is it that only some of the clients are facing this problem?
  Why is it that the error occurs only after idle time and not during work?
  Do we need to set NAMES.DEFAULT_DOMAIN=XXX at client? (I apologize for this question but I am really confused with the matters now)
  Addition info: The database server is Oracle 10.1.0.2.0 and clients are ranging from Oracle 8.1.6 to Oracle 10.1.0. And the errors occur on clients with any version of Oracle.
  Please help us out in this regard.
  Thanks in advance,
  Satish

  I have gone thorugh the Action suggested for this oracle error.
  If problematic machine is shifted to the domain XXX, error is gone,Do you shift physically to some other network?? if yes then there might be a problem with your network. The machines which are disconnected, might be on the same network channel or switch which is creating some problem in your network. this is only luck that your failure occur when there is no activity from that client which is disconnected.
  Shift the places of problem facing client and non-problem facing client with each other and then check. It will clear the mind about the netrowk problem
  Regards

• Webservice authentication problem

  Web Service Authentication problem
  Posted: Jun 17, 2005 3:32 PM        Reply      E-mail this post 
  Hi
  I have created a portal service and exposed this service as a webservice. I am consuming this webservice in webdynpro. Portal service contains 2 simple methods putdata() and getdatat().
  When i access the webservice i am getting the following error.
  "javax.xml.rpc.soap.SOAPFaultException: The User Authentification is not correct to access to the Portal Service com.sap.portal.prt.soap.GlobalData or the service was not found"
  My Enterprise portal server is configured for SSO to back end R/3 system. I have checked for portal service availability and it is fine.
  My Webdynpro and Portal are running on different machines. EP is running on AIX with SP11.
  Any help please.
  Regards
  NagaKishore V

  Hi Shahab,
  Can you reproduce the issue if you create 2 applications. One that exposes a secured web service and the other one the one, consumes the web service? This would help to isolate the issue and move forward in case is a bug.
  Thanks,
  Juan Camilo

• Authentication problem - solved, but maybe a bug in Mac OS X?

  Hi,
  I've a rather small installation with only a handful of users configured on a Mac mini (Mac OS X Server, 10.6.8). All of them use the mail, calendar and addressbook server on the Mac, nothing more. They use it with Mac, iPhone and iPad. Everything worked fine for months but suddenly all of them were faced authentication problems: it was not possible to login on the imap server, the calendar server, the addressbook server. It was possible to login using the admin account on the server directly. Moreover, all users disappeared from the workgroup manager, however they still were available on the servers LDAP server and findable using ldapsearch.
  First, I used to completely restart the server to solve the problem, but it reappeared after only few hours again.
  Second, after understanding more about the authentication process, I found the "killall DirectoryService" was sufficient to solve the problem, but it still reappeared after few hours.
  Then I found the, once the problem occured, there was nearly no more communication to the local LDAP server on port 389 on localhost. When everything was working fine, the was a lot of such communication, including queries for usernames, when a login attempt was made. I started a "tcpdump -n -i lo0 port 389" and waited for the problem again. After the problem occured, I found in the pcap files that there were a few final query attempts, actually attempts the open a port 389 TCP connection to the slapd running on localhost, which were answered with a TCP RST. Then, no more attempts were made until l restarted the DirectoryService. Using the logfile of the slapd I found that this happened exactly at the time the slapd was stopped and restarted. And - surprisingly for me - stopping and restarting the slapd happened exactly once an hour.
  I then found that it happened exactly at the time the time machine backup process was started and indeed it was possible to trigger the event of restarting the slapd by manually starting a time machine backup.
  (Indeed, I switched my backup strategy from SuperDuper to time machine the other day and maybe that was the time the problem occured for the first time. I know that time machine is not considered as the best backup strategy for a server but I wanted to try on my own.)
  Google helped my to find a hint that time machine will actually stop and restart slapd - which is a generally a good idea, since otherwise a backup from some open database files would be made, which could work but may fail. So, I thing, someone of the developers thought about that problem too and has considered time machine for backups of a server.
  However, a not running slapd can not answer queries from a DirectoryService and a stopping or starting process might indeed end up with TCP SYNs answered with TCP RST.
  My solution was to disable time machine again and from that time the problem does not occur again.
  I'm wondering why the DirectoryService process isn't starting to query the slapd again after a failed connection. Isn't this a bug? After this experience I consider time machine as not only the not preferred backup solution for a server but as completely incompatible with Mac OS X server - although, as I said, it seems that someone thought about backing up the LDAP database using time machine.
  (On a Lion server this problem does not occur, the slapd will not be stopped and restarted when time machine is running. Moreover, I saw a com.apple.slapd.start notification in the slapd.log ... maybe this tells DirectoryService to try again.)
  Cheers,
  Wolfgang

  Another problem I found with the MacOS X key bindings: the 6 key doesn't work!
  In the config that ships with SQL Developer, I found this:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">6</Item>
  </data>
  </second>
  </Item>
  which should be:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">meta 6</Item>
  </data>
  </second>
  </Item>