9iAS certificate authentication problem

Hi,
I have been trying to install and run the "Integrated Security Demo" code.
Things got installed alright, and I was asked to present my cert when I tried to run /pls/orasso/orasso.usercert. However, no cert data (ssl_client_cert, ssl_client_s_DN, etc.) was returned. I then modified the usercert stored procedure to include a check with print_cgi_env. All the other variables seem to show up fine except the cert data variables.
Did anyone encounter a similar problem before with cert SSO authentication?
Thanks
S Leung
P.S. Attached is my dads.conf file
<IfModule mod_plsql.c>
<Location /pls/orasso>
SetHandler pls_handler
Order deny,allow
Allow from All
AllowOverride None
PlsqlDatabaseUsername orasso
PlsqlDatabasePassword !TDZ2MXqNb9c=
PlsqlDatabaseConnectString win2k.busyme.net:1521:iasdb
PlsqlDefaultPage orasso.home
PlsqlDocumentTablename orasso.wwdoc_document
PlsqlDocumentPath docs
PlsqlDocumentProcedure orasso.wwdoc_process.process_download
PlsqlAuthenticationMode SingleSignOn
PlsqlPathAlias url
PlsqlPathAliasProcedure orasso.wwpth_api_alias.process_download
PlsqlSessionCookieName orasso
PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252
PlsqlCGI

ha! no, no such luck. same here, we were evaluating 9iAS and the pieces offered by oracle seemed promising, but so far i have had absolutely no luck. especially with the jaas implementation. according to their documentation and samples, cert auth stuff should be pretty automatic, but it certainly isn't working for me. (note, i get that nzos_handshake error too)
i am still working on the oracle platform, but i am using mostly non-oracle technology stuff now. i'm writing my own LoginModules etc etc. at some point, i'll have to determine whether i'm getting any value from oracle at all...
to repeat Wing's request, if anyone has successfully implemented cert auth (using jazn), please tell us how you did it.

Similar Messages

  • Certificate authentication problem, accessing hotmail through safari

    When trying to access hotmail on my Mac I keep getting an invalid security certificate, e.g.: The certificate for accessing blu169.mail.live.com is not valid, etc. When I click on expand, the certificate looks OK (it is mail.live.com signed by Verisign).
    I have checked that the date and time are both correct and are set to auto. I have cleared cache and cookies with no change. It is isolated to the Mac, as I can still access the account from my iPhone. It affects multiple accounts, as I cannot access using an alternate email address either.

    This could be a complicated problem to solve, as there are several possible causes for it.
    Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
    Step 1
    From the menu bar, select
               ▹ System Preferences... ▹ Date & Time
    Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.
    Check the box marked 
              Set date and time automatically
    if it's not already checked, and select one of the Apple time servers from the menu next to it.
    Step 2
    Triple-click anywhere in the line below on this page to select it:
    /System/Library/Keychains/SystemCACertificates.keychain
    Right-click or control-click the highlighted line and select
              Services ▹ Show Info
    from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
    Repeat with this line:
    /System/Library/Keychains/SystemRootCertificates.keychain
    If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
    Step 3
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
    In the Keychains list, there should be items named System and System Roots. If not, select
              File ▹ Add Keychain
    from the menu bar and add the following items:
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain
    Open the View menu in the menu bar. If one of the items in the menu is
              Show Expired Certificates
    select it. Otherwise it will show
              Hide Expired Certificates
    which is what you want.
    From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
              Secure Sockets Layer (SSL)
    select
              no value specified
    Close the inspection window. You'll be prompted for your administrator password to update the settings.
    Now open the same inspection window again, and select
              When using this certificate: Use System Defaults
    Save the change in the same way as before.
    Revert all the certificates with non-default trust settings. Never again change any of those settings.
    Step 4
    Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
    Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
              Help ▹ Keychain Access Help
    from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
    Step 5
    From the menu bar, select
              Keychain Access ▹ Preferences... ▹ Certificates
    There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
    Step 6
    Triple-click anywhere in the line of text below on this page to select it:
    /var/db/crls
    Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
    A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
    Restart the computer, empty the Trash, and test.
    Step 7
    Triple-click anywhere in the line below on this page to select it:
    open -e /etc/hosts
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    127.0.0.1                              localhost
    255.255.255.255          broadcasthost
    ::1                                        localhost
    fe80::1%lo0                    localhost
    If that's not what you see, post the contents of the window.

  • SSO Certificate-based authentication problem

    Hello,
    I have successfully configured certificate-based authentication, and I am able to authenticate with a user certificate that I created with OCA, which is stored in the user's profile in OID. Here lies my problem: it seems as if the authentication module (ssomappernickname) only validates against the first certificate stored in the user's profile (userCertificate attribute). This is after I add another certificate to the user's profile. Below is the problem I am describing during my tests:
    Order of certificates stored in user's profile.
    1. valid cert, invalid cert -> successful authentication
    2. invalid cert, valid cert -> unsuccessful authentication (it should STILL be successful here)
    Shouldn't the SSO authentication module search each binary certificate in the multi-value attribute for the correct certificate? Or is there some LDAP control that I need to set in order to get this problem solved? Basically, I need to be able to let users perform certificate authentication against multiple certificates in their profiles.

    For the benefit of anyone finding this, in my case this problem was resolved by reimporting my internal CA's Cert into the ASA.
    I suspect I had inadvertently imported an expired CA Cert into the ASA and this rather un-informative error 1838 is trying to tell you this. 

  • Unable to achieve client certificate authentication

    I am trying to do mutual certificate authentication (client/server authentication), and am getting the following error.
    Does anybody have any clue?
    SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    My code is below.
    import com.sun.net.ssl.HttpsURLConnection;
    import java.security.cert.*;
    import javax.net.ssl.*;
    import java.security.*;
    import java.net.URL;
    import java.io.*;
    import java.util.Enumeration;

    public class ClientCert {
        private static SSLSocketFactory getSocketFactory() {
            SSLSocketFactory theFactory = null;
            try {
                // The key manager supplies the client certificate and private key
                // that the server asks for during mutual (client) authentication.
                SSLContext theContext;
                KeyManagerFactory theKeyManagerFactory;
                KeyStore theKeyStore;
                char[] thePassword = "goldy123".toCharArray();
                theContext = SSLContext.getInstance("TLS");
                theKeyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                theKeyStore = KeyStore.getInstance("JKS");
                theKeyStore.load(new FileInputStream("c:/castore"), thePassword);
                //java.security.cert.Certificate certi[] = theKeyStore.getCertificateChain("ca");
                // System.out.println("Certificate "+certi.length);
                theKeyManagerFactory.init(theKeyStore, thePassword);
                KeyManager managers[] = theKeyManagerFactory.getKeyManagers();
                // Trust managers are null, so the default trust store (the
                // javax.net.ssl.trustStore property set in main) is used to
                // verify the server certificate.
                theContext.init(managers, null, null);
                theFactory = theContext.getSocketFactory();
                return theFactory;
            } catch (Exception e) {
                System.err.println("Failed to create a server socket factory...");
                e.printStackTrace();
                return null;
            }
        }

        public static void main(String[] args) {
            try {
                System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
                java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
                // This verifier accepts every host name, so the server certificate
                // is never checked against the host in the URL.
                com.sun.net.ssl.HostnameVerifier hv = new com.sun.net.ssl.HostnameVerifier() {
                    public boolean verify(String urlHostname, String certHostname) {
                        return true;
                    }
                };
                HttpsURLConnection.setDefaultHostnameVerifier(hv);
                URL mioUrl = new URL("https://viveksharma:9090/LoginPage.do?userName=root&password=password");
                //URL mioUrl = new URL("https://www.verisign.com");
                //SSLSocketFactory factory = getFactorySSLFromCert(mioCertFile ,mioCertPswd );
                //HttpsURLConnection.setDefaultSSLSocketFactory(factory);
                //System.setProperty("javax.net.ssl.keyStore","C:/castore");
                //System.setProperty("javax.net.ssl.keyStorePassword","goldy123");
                System.setProperty("javax.net.ssl.trustStore","C:/vivekstore");
                System.setProperty("javax.net.ssl.trustStorePassword","goldy123");
                HttpsURLConnection.setDefaultSSLSocketFactory(getSocketFactory());
                HttpsURLConnection urlConn = (HttpsURLConnection)mioUrl.openConnection();
                urlConn.connect();
                //urlConn.setDoInput(true);
                // urlConn.setUseCaches(false);
                // Print the leaf certificate the server presented.
                javax.security.cert.X509Certificate ch[] = urlConn.getServerCertificateChain();
                System.out.println(ch[0]);
                InputStreamReader streamIn = new InputStreamReader(urlConn.getInputStream());
                BufferedReader in = new BufferedReader(streamIn);
                String inputLine;
                while ((inputLine = in.readLine()) != null)
                    System.out.println(inputLine);
                in.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    Hello guys!
    I've had this problem twice (once with Tomcat server and once with OC4J -- Oracle 9iAS) and was able to resolve it.
    First off, make sure that the certificate your client is passing is valid (I always use JKS format... I think it's a must when using JSSE) and is in your server's truststore (and that you specify which truststore file for your server to look at in your config file).
    Secondly, also import the root CA of your client certificate (if it isn't there yet) into the cacert file in $JAVA_HOME/jre/lib/security.
    Hope this helps.
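    The following is an added example, not the poster's code and not Oracle's or Sun's: the same mutual-TLS client rewritten on the standard javax.net.ssl API (in place of the deprecated com.sun.net.ssl classes), with explicit key and trust managers, the default hostname verification left in place, and a pre-flight check for the point the reply makes, namely that the chain the client presents must validate against the CA certificates in the server's truststore. The keystore file names, the password, the alias "client" and the URL are placeholders.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS client (added example; file names, password, alias and URL are placeholders). */
public final class MutualTlsClient {

    /** Loads a JKS keystore from disk. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Key manager presents the client identity held in keyStore; trust manager
     * accepts only servers that chain to an anchor in trustStore. Explicit trust
     * managers avoid depending on the javax.net.ssl.* system properties.
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Pre-flight for the "certificate unknown" alert: does the chain stored under
     * alias validate against the anchors in peerTrustStore? Run it with a copy of
     * the server's truststore to see what the server will decide. Certificates
     * that are themselves anchors are dropped from the path first, because PKIX
     * validation expects the path to end just below the trust anchor.
     */
    static boolean chainIsTrustedBy(KeyStore keyStore, String alias, KeyStore peerTrustStore)
            throws Exception {
        Certificate[] stored = keyStore.getCertificateChain(alias);
        if (stored == null) {
            return false; // alias is not a private-key entry
        }
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : stored) {
            if (peerTrustStore.getCertificateAlias(c) == null) {
                path.add(c);
            }
        }
        if (path.isEmpty()) {
            return false;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(peerTrustStore);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("Chain for '" + alias + "' is NOT trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                                  // placeholder
        KeyStore clientKeys = loadJks("client-keystore.jks", pw);              // client cert + key
        KeyStore serverCaTrust = loadJks("server-ca-truststore.jks", pw);      // CA of the server
        KeyStore serverSideTrust = loadJks("copy-of-server-truststore.jks", pw); // what the server trusts

        // Same check the server will make on the client certificate.
        if (!chainIsTrustedBy(clientKeys, "client", serverSideTrust)) {
            System.err.println("Import the client's root CA into the server truststore first.");
            return;
        }

        SSLContext ctx = buildContext(clientKeys, pw, serverCaTrust);
        URL url = new URL("https://server.example.internal:9090/LoginPage.do"); // placeholder
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No custom HostnameVerifier: the default checks the server cert against the URL host.
        conn.connect();
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("server chain: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
        }
    }
}
```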

  • Can't install Outlook Connector - authentication problem

    Hello:
    We have not been able to install Outlook Connector on two PCs running Windows XP. After filling in the authentication data, the installation program states that the information is not valid. With the same installation files and the same authentication data we can install Outlook Connector on every other computer without any problem. We have tried installing the Microsoft update for root certificates KB931125, but the problem still occurs. We have been searching for the errors logged in sjoc.log with no success:
    07/14/2010 18:44:48.687 (0x00d0) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:44:48.687 (0x00d0) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:44:49.421 (0x00d0) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    07/14/2010 18:45:04.734 (0x0a60) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:45:04.734 (0x0a60) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:05.062 (0x0a60) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    07/14/2010 18:45:46.640 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:45:46.671 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:46.671 (0x0da4) {Store } [Warning]: S1OC ******ServiceEntry****** Opened log file.
    07/14/2010 18:45:46.718 (0x0da4) {Store } [Warning]: MSG_SERVICE_CREATE
    07/14/2010 18:45:46.828 (0x0da4) {Store } [Error  ]: S1OC ServiceEntry Create - UI Not allowed?
    07/14/2010 18:45:46.828 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    07/14/2010 18:45:46.875 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:45:46.875 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:46.875 (0x0da4) {Store } [Warning]: S1OC ******ServiceEntry****** Opened log file.
    07/14/2010 18:45:46.890 (0x0da4) {Store } [Warning]: MSG_SERVICE_CONFIGURE
    07/14/2010 18:45:46.890 (0x0da4) {Store } [Error  ]: S1OC ServiceEntry Config - GetProps PropCount = 72
    07/14/2010 18:45:47.281 (0x0da4) {Store } [Error  ]: S1OC ServiceEntry Config - GAL Server Name = directorio.mydomain.com
    07/14/2010 18:45:47.312 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    07/14/2010 18:45:47.656 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:45:47.656 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:47.734 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector OpenLogFile ===============
    07/14/2010 18:45:47.734 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:47.734 (0x0da4) {Store } [Warning]: S1OC ******MSProviderInit****** Opened log file.
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Drafts failed 0x80004005
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Contacts failed 0x80004005
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Calendar failed 0x80004005
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Tasks failed 0x80004005
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Notes failed 0x80004005
    07/14/2010 18:45:47.843 (0x0da4) {Store } [Error  ]: CS1OCConnection::ValidateFolderTree Get Journal failed 0x80004005
    07/14/2010 18:45:51.984 (0x0da4) {XIMAP } [Error  ]: mm_log ERROR: Can not authenticate to IMAP server: Authentication failed.
    07/14/2010 18:45:52.031 (0x0da4) {XIMAP } [Error  ]: XIMAPStore::setActiveMS: mail_open failed (folder={mail.mydomain.com:993/ssl/novalidate-cert}INBOX)
    07/14/2010 18:45:52.031 (0x0da4) {XIMAP } [Error  ]: XIMAPStoreImpl::login: setActiveMS failed: 1
    07/14/2010 18:45:52.031 (0x0da4) {Store } [Error  ]: CSOMSConnection::Logon error in m_lpXImapStore->login(): 1
    07/14/2010 18:45:52.031 (0x0da4) {Store } [Error  ]: CSOMSConnection::Logon m_lpXImapStore->login failed 1
    07/14/2010 18:45:52.031 (0x0da4) {Store } [Warning]: CSOMSConnection::Logon not setting m_bSpoolerLogonDelayed to false
    07/14/2010 18:45:52.031 (0x0da4) {Store } [Error  ]: CS1OCConnection::Logon MAIL Logon failed 0x802c1001
    07/14/2010 18:45:52.031 (0x0da4) {Store } [Warning]: CS1OCConnection::Uninitialize Final release(1) of Our MDB
    07/14/2010 18:45:52.250 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector: Version 7.3.110.0
    07/14/2010 18:45:52.250 (0x0da4) {Store } [Warning]: S1OC ******ServiceEntry****** Opened log file.
    07/14/2010 18:45:52.250 (0x0da4) {Store } [Warning]: MSG_SERVICE_INSTALL MSG_SERVICE_UNINSTALL
    07/14/2010 18:45:52.312 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    07/14/2010 18:45:52.375 (0x0da4) {Genrl } [Warning]: =============== Sun ONE Outlook Connector _UnInit===============
    Any clue will be very helpful. Thanks in advance.

    shjorth wrote:
    Deprecated wrote:
    We have not been able to install Outlook Connector on two PCs running Windows XP. After filling in the authentication data, the installation program states that the information is not valid.
    Are you able to connect to the user's account using the same authentication details/host/port information using another IMAP client, e.g. Thunderbird?
    I'm sorry, I forgot to say that via webmail the authentication is OK, so user and password information is right. I have asked the users to try what you suggest.
    shjorth wrote:
    Deprecated wrote:
    With the same installation files and the same authentication data we can install Outlook Connector on every other computer without any problem. We have tried installing the Microsoft update for root certificates KB931125, but the problem still occurs.
    Are you using a self-signed certificate or one signed by a vendor (which one)?
    Also, have you tried accessing the https webmail front-end using Internet Explorer and permanently accepting the SSL certificate?
    We use a Verisign certificate.
    I have asked the users to try permanently accepting the certificate. I have the feeling that it's a certificate-related problem and I think that it can make it.
    07/14/2010 18:45:51.984 (0x0da4) {XIMAP } [Error  ]: mm_log ERROR: Can not authenticate to IMAP server: Authentication failed.
    What is the error at the Messaging Server end (imap logs)?
    I was not able to find anything relevant; the only thing that I think could be related (because of date and time) is:
    [14/Jul/2010:18:45:00 +0200] mail1 imapd[3106]: Account Notice: close [127.0.0.1:47197] [unauthenticated] 2010/7/14 18:45:00 0:00:00 32 606 0
    [14/Jul/2010:18:45:05 +0200] mail1 imapd[3106]: Account Notice: close [10.75.80.129:1753] [unauthenticated] 2010/7/14 18:45:05 0:00:00 0 316 0
    Thank you very much, Shane, I really appreciate your help.

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Configure Certificate Authentication.

    I'm configuring a SOAP adapter (receiver), and in the SAP Doc Library this is what it says to use a certificate:
    If the server requests a certificate from the client, set the indicator Configure Certificate Authentication.
    • Specify the Keystore Entry.
    • Specify the Keystore View.
    Problem is this indicator doesn't even show up in my adapter communication channel!
    Has anyone had this issue?
    Thanks - Andrew

    Hi Andrew,
    have you got XI with SP13?
    this is a feature available only from SP13:
    Receiver SOAP Adapter
    You can now configure a certificate authentication for the HTTPS and SMTPS transport protocols.
    if you want to check your SP level
    open IR or ID, then the Help menu and choose Information
    if your SP is lower then you'll have to update your XI
    Regards,
    michal

  • Get message, "certificate authentication failed" when downloading

    Get message "certificate authentication failed" when downloading Adobe flash

    Download and run the offline installers
    Flash Player: http://helpx.adobe.com/content/help/en/flash-player/kb/installation-problems-flash-player-windows.html#main-pars_header
    Adobe Reader: http://get.adobe.com/reader/enterprise/

  • SP13 - missing indicator Configure Certificate Authentication

    Hi all,
    We are trying to set up configuration for a scenario with certificate authentication. XI will send data to a remote system using certificate authentication. Even though we are on SP13, we don't see any "Configure Certificate Authentication" indicator in the SOAP communication channel, which should allow us to enter the keystore value for the certificate to be used. In the documentation for the SP13 release it is written that the authentication should be enabled.
    Is there anything we should switch or turn on to have this indicator displayed in SP13?
    Thank you for your help.
    Jozef

    Hi,
    thank you for your answer. The problem is probably in the update, which has not been done correctly. One of the system components (SAP-XI-TOOLS or something like this) was not properly updated (patched to SP13).
    Thank you for your suggestion.
    Best regards,
    Jozef

  • EAP-TLS machine authentication problems

    Well..
    I have the following devices:
    WCS
    Wlan controller 4402
    AP 1130 LWAPP
    Workstation XP sp2
    Secure ACS 4.0
    Windows CA
    Windows AD
    Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
    Which clarifications do I have to do in ACS and AD?
    Can someone help me and give me very detailed instructions on how to make it work.

    Hi,
    We had the same problem until we ran 2 Windows hotfixes. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe. Have you tried to do this? Our EAP-TLS machine authentication is working fine now.
    Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

  • How would i setup certificate authenticated activesync on a windows phone 8 device? Without intune or sccm?

    I've searched all over for this and can find no clues in the interface.
    We have certificate authentication to activesync, via tmg working well for IOS devices and android, we issue the user a certificate, they use it to authenticate, boom no problems.
    We're considering a move to issuing windows phone 8 devices as well, yet i see no way, or instructions on how to actually set these things up to authenticate with a certificate? I see some rumblings about airwatch and sccm with intune, but i don't want to pay for a subscription just to use this when it works fine without on other platforms.
    Can anyone shed any light?
    Many thanks,
    Jim

    Hi - we're authenticating with internally issued certificates against a TMG listener, not sure if that is or isn't mutual certification - I have installed the root on the devices so they are trusted, works great with ios, android etc.
    The main issue is there is no place in the setup where you can specify the certificate to use, i have a feeling they (like blackberry) are railroading you into using a paid for mdm solution for cert auth. Be delighted if that isn't the case tho. It is easy enough to do this for WP8 with SCCM and InTune but i'm not keen on taking out a subscription just for WP8 devices when we can do it gratis with ios and android.
    Thanks for the reply.
    Jim

  • Switch refuses EAP Certificate Authentication

    Hi Everyone,
    I'm hoping someone will be able to help me out here.
    The problem is that with any EAP method of authentication that utilizes authentication with a certificate or smart card the switch will somehow impede authentication with the radius server.
    The EAP Methods I have tried on a SG-300-28P and ESW-540-24p switch are:
    EAP-TLS
    EAP-FAST
    PEAP (Smart Card)
    Smart Card
    I know that the radius server works because when I switch to a different switch the client works just fine, or if I keep the client on this switch and use any password method (PEAP (MSCHAPv2), MSCHAPv2, EAP-MD5) it also works.
    The log file for EAP-FAST on a SG-300 switch is:
        2147483643   2012-Jan-27 00:28:34 Informational   %LINK-I-Up:  gi10, aggregated (1)
        2147483644   2012-Jan-27 00:28:31 Warning   %LINK-W-Down:  gi10, aggregated (1)
        2147483645   2012-Jan-27 00:28:31 Informational   %LINK-I-Up:  gi10
        2147483646   2012-Jan-27 00:28:16 Warning   %LINK-W-Down:  gi10
    I noticed that on this method it doesn't even report a result from the radius server; however, the radius server reports an EAP Timeout.
    The log file for EAP-TLS on a SG-300 switch is:
        2147483642   2012-Jan-27 00:37:00 Warning   %SEC-W-SUPPLICANTUNAUTHORIZED: MAC xx:xx:xx:xx:xx:xx was rejected on port gi10 because Radius server does not respond
        2147483643   2012-Jan-27 00:36:23 Informational   %LINK-I-Up:  gi10, aggregated (1)
        2147483644   2012-Jan-27 00:36:20 Warning   %LINK-W-Down:  gi10, aggregated (1)
        2147483645   2012-Jan-27 00:36:20 Informational   %LINK-I-Up:  gi10
        2147483646   2012-Jan-27 00:36:02 Warning   %LINK-W-Down:  gi10
    In both cases the radius server logged an EAP Timeout. Again, this only happens when any EAP method or version of authentication used deals with certificate authentication.
    Only with the 3 Cisco small business switches we have, have I run into this problem. The Cisco Aironet and other switches (by other manufacturers) work just fine.
    Please help me.
    Thanks!
    zidacjarrett

    Hi Stefanobi
    do you use in your configuration dynamic vpn assignment to authenticated ports? I have a very similar configuration in my network and port based authentication utilising computer certificates works without any problems except for Vlan assignments.
    I have two core switches catalyst 3560 and three esw540 access switches, trunk ports between switches are correctly configured, I have also network policies for 802.1x authentication and Vlan assignments, all works fine on 3560 switches and my workstations are authenticated correctly and also assigned to the correct Vlan, based on policy but somehow this doesn't work on my esw540 switches. I can see on my NHS that authentication works only when I specify access Vlan for the specific port otherwise Vlan is not assigned dynamically. hope I described my issue as clear as possible and someone can give me a tip how to make this up and running.

  • SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

    Hello,
    i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
    Cisco 1802 Router:
    Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
    First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
    then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
    and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
    after a bunch of time (i really could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made these changes here:
    no aaa authentication list default
    authentication certificate
    ca trustpoint CA
    as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to use the "authentication certificate" command and that's it.
    as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
    any ideas what the problem could be?
    here is the configuration:
    webvpn gateway WEBVPN_GW_OFFICE2
    ip interface Dialer0 port 1444
    ssl trustpoint CA
    inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
    webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
    webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
    webvpn context WEBVPN_CONTEXT2
    secondary-color white
    title-color #669999
    text-color black
    ssl authenticate verify all
    policy group WEBVPN_POLICY2
       functions svc-enabled
       mask-urls
       svc address-pool "SSLVPN_OFFICE1"
       svc default-domain "domain.internal"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary 192.168.53.33
       svc dns-server secondary 192.168.53.35
    virtual-template 3
    default-group-policy WEBVPN_POLICY2
    gateway WEBVPN_GW_OFFICE2
    authentication certificate
    ca trustpoint CA
    inservice
    Here is the debug:
    OfficeRouter1# PASSING appctx is [0x89FAFFCC]
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:39:53.607: WV: http request: / with no cookie
    Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:39:53.607: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:39:53.607: WV: Trustpoint match successful
    Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
    Nov 19 22:39:53.607: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
    Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    BueroRouter1# PASSING appctx is [0x89FAEEC4]
    Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:40:24.132: WV: http request: / with no cookie
    Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:40:24.132: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:24.132: WV: Trustpoint match successful
    Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
    Nov 19 22:40:24.132: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
    Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
    Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
          offset: 0, domain: 0)
    Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
    Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
    Nov 19 22:40:39.892: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:39.892: WV: Trustpoint match successful
    Nov 19 22:40:39.892: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
    Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

    http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
    Hi,
    Refer to
    AnyConnect VPN Client FAQ
    Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
    A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

  • OAM certificate Authentication failure redirection with no user certificate

    Hi,
    I am using Certificate authentication. I need to do an authentication fail redirect.
    When I have valid certificate in my browser - authentication is successful. This is fine.
    When I have invalid certificate (credential mapping failure) it redirects me to the intended url.
    The problem is when I do not have a user certificate in my web browser. It does not redirect to the url.
    Does anyone have a solution or any suggestion?
    Please let me know. It's an urgent requirement.
    Thanks.
    Himadri

    Hi Himadri,
    It's some time since I have tested this, but I believe that what you have discovered is unavoidable behaviour, and you will need to handle this condition somehow in the configuration of the web server. The behaviour is:
    - user presents a certificate that is accepted by the web server but not by OAM: then the OAM authentication failure redirect takes effect;
    - user presents a certificate that is not accepted by the web server (or no certificate, as you discovered): then the web server handles the failure without giving the WebGate the chance to intervene.
    Sorry I'm not sure how to do this in the web server.
    Regards,
    Colin
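    One way to handle the no-certificate case in the web server itself, as an added example that is not from Colin's reply or from Oracle's documentation: it assumes Apache httpd with mod_ssl and mod_rewrite in front of the WebGate (Oracle HTTP Server is Apache-based, but its SSL module may use different directive names), and the file paths and the failure URL are placeholders.

```apache
# Added example: Apache httpd with mod_ssl + mod_rewrite in front of the
# WebGate. Paths and the /auth-failed.html URL are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.pem

    # Weak setting for this use case: with "require", a browser that sends
    # no certificate fails the TLS handshake itself, so the request never
    # reaches the WebGate and the OAM failure redirect cannot fire.
    # SSLVerifyClient require
    # SSLVerifyClientDepth 2

    # Corrected: let the handshake complete without a client certificate,
    # then redirect the no-certificate case ourselves. A certificate that
    # mod_ssl accepts but OAM rejects still reaches the WebGate, so the
    # OAM authentication-failure redirect keeps working for that case.
    SSLVerifyClient optional
    SSLVerifyClientDepth 2

    RewriteEngine on
    # SSL_CLIENT_VERIFY is "NONE" when no certificate was presented and
    # "SUCCESS" when one was verified against SSLCACertificateFile.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteCond %{REQUEST_URI} !^/auth-failed\.html$
    RewriteRule ^ /auth-failed.html [R=302,L]
</VirtualHost>
```

Note that "optional" still fails the handshake for a certificate that does not chain to the configured CA; only the missing-certificate case is turned into a redirect here.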

  • Any one used certificate authentication module?

    Hi
    Has anyone used the certificate authentication module successfully?
    I am trying to do it but there are no resources available about how to configure and use it.
    Indeed I want to use the Certificate authentication module from within a J2SE application using AMSDK.
    Thanks

    OK, thanks to Peter Hanusiak, an Oracle Consulting consultant in Slovakia, I have resolved my issue and I'm hoping that the same solution may apply for you. See below for the instructions from Peter that helped me out. Note that since our applications are different, the specific libraries and locations that you need to confirm compatibility for may be different.
    Hope this helps,
    Dave
    I had a similar problem. In my case it was caused by different ADF versions in JDev, SOA Suite and the SOA order booking demo.
    Because I can't test it now, I'll tell just what I remember.
    Somewhere in SOADEMO there is the folder SOADEMO-CLIENT\UserInterface\public_html\WEB-INF\lib
    where you can find
    adf-faces-impl.jar
    jsf-impl.jar
    Try to find exactly the same libs in JDev and copy and paste them from JDev to the SOADEMO folder. Then find the libs in SOA Suite, and copy and paste those libs from JDev to SOA Suite. Restart SOA Suite. Deploy Soademo-Client. And hopefully it will work.
