Auth issue
If a user is given SAP_ALL access and if I run ST01 on the user, I will not be able to get any data because there are no auth failures for the user. I hope I am correct. In my case the user is assigned 2 roles, let's say role 1 and role 2. Role 1 has the object S_SCMG_TXT. I ran the Tcode HREIC and did a trace on the user, and the trace results failed at the object S_SCMG_TXT (RC = 4). The trace does not tell which role was checked. However, the object in question is already assigned to the user's UMR. What could be the issue in this case? Below is an excerpt from the trace. These two objects are already available with the correct values in one of the roles of the UMR.
P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
S_SCMG_TXT RC=4 SPS_ID=HREIC_SPS_ACTIVITY_NOTES;CASETYPE=' ';TEXTID=0005;ACTVT=03;
> If a user is given SAP_ALL access and if I run ST01 on the user , I will not be able to get any data because there are no auth failures for the user. I hope I am correct.
Not completely,
All authority checks will always show up in the trace, also the ones that do succeed (with RC=0). So this is a good way to see which checks are actually performed while running a certain program/job/task etc. The output can then be compared to the actual role values.
About your trace output, to have us compare it with the users' roles please post the relevant records from table AGR_1251:
AGR_NAME=your role(s), OBJECT= P_ORGIN and S_SCMG_TXT
-
We have an issue which I'm not sure if it's an authorization issue. One test user TST101 has a role assignment ZBC-CU-FULL which has all authorization to run UCWB & UCMON. However, test user TST101 can run UCMON with no problem at all, but when I go to menu GOTO > List of Totals Records and input the 0010 in the company field, it gives me an authorization issue that says "Insufficient authorization for data from InfoProvider", but when I run the SU53, it gives me no missing objects or anything, and even in ST01 it gives me no error auth issue.
But when I add SAP_ALL & SAP_NEW profile to the test user TST101, it then gave me a result.
The problem now here is, the client doesn't want us to use SAP_ALL/NEW profile in production.
Your help is very much appreciated.
Regards,
ted
Hi,
I hope it is not too late...
You need also BI/BW-Authorization-Objects to allow "writing" on InfoProviders!
Your Sum-Cube is BW, so that user needs a role with permission to write and read the Sum-cube of SEM-BCS! It should be S_RS_ICUBE.
Check these authorization-objects, these regard development and usage of SEM-BCS, its customizing and reporting.
AAAB
S_TCODE
Business Information Warehouse (RS)
S_RS_HIER
S_RS_ICUBE
S_RS_MPRO
S_RS_ODSO
S_RS_IOMAD
Strategic Enterprise Management (SEM)
R_UC_ODSM
R_UC_PERIO
R_UC_RECON
R_UC_TASK
R_UGMD_ATT
R_UGMD_CHA
R_UGMD_FLD
Financial Basis (FINB)
FB_SRV_DMS
FB_SRV_GC
FB_SRV_TR
R_CONFIG
R_FINB_TYP
R_UGMD_SNG
BR
Benjamin Maier -
Analysis Auth issue - multiple objects
Currently we have different roles defined for each separate section of our business with Comp code and Profit center (along with Hierarchy on PC).
For e.g.
Section 1
Company Code – 1010,1050,1500,1520,1700,1800
Profit Center – 150000 – 159999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_15
Section 2
Company Code – 1110,1150,1500,1520,1700,1800,1980,2050
Profit Center – 190000 – 199999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_19
Currently there are 30 such roles defined; we have quite a segregation within the business. So each BW user generally has one of the 30 roles assigned to them. This is working perfectly fine.
Now because of the consolidations, there are some users who would manage information from different sections. So now a user can have access to Section 1 as well as Section 2. Whenever we tried giving access to 2 roles directly to any user, the results of the query come back as "No Authorization".
If you notice in the difference between section 1 and 2 is additional company code and some matching company codes along with that is complete different Profit center range and profit center hierarchy node. I am not sure where exactly it is failing.
Now one more thing for your information is that we have defined Auth variables on Company code (input/Auth/multiple Values) and Profit Center (Input/Authorization/Selection) and Profit Center hierarchy (hierarchy node variable / Authorization).
I am just trying to understand where the No Auth error msg is coming. Is there some intersection which is killing the query result itself?
Please let me know if any of you have any suggestion.
A common problem when authorizing using two different Characteristics is how the authorization variables are filled.
If a user has access to both section 1 and section 2, an authorization variable for Company Code will contain the values
1010,1050,1500,1520,1700,1800, 1110,1150,1980,2050
and the authorization variable for Profit Centre will contain
150000 – 159999 and 190000 – 199999
If the user doesn't restrict the query further, the system will issue a correct authorization error since the user is not authorized for the selection CC=2050 PC=150000 and all the other "cross-combinations".
Try creating variants of the selection screen for section 1 and section 2 respectively and force the user to select one of these when executing the query.
Regards,
Lars -
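The cross-combination effect described in the reply above, worked through with the company codes and profit center ranges from the question. This is an added example, not part of the original thread and not SAP BW code; the function names and the all-or-nothing coverage check are a simplified model, and the hierarchy node authorization is left out.

```python
"""Simplified model of why two section roles together produce "No Authorization".

Assumptions (not SAP BW code): each section is one authorization that grants a
set of company codes together with one profit center range, and a query is
accepted only if every (company code, profit center range) combination it
selects is covered by a single authorization.
"""
from itertools import product

# Values taken from the question in this thread.
SECTION_1 = {
    "company_codes": {"1010", "1050", "1500", "1520", "1700", "1800"},
    "profit_centers": (150000, 159999),
}
SECTION_2 = {
    "company_codes": {"1110", "1150", "1500", "1520", "1700", "1800",
                      "1980", "2050"},
    "profit_centers": (190000, 199999),
}


def fill_variables(auths):
    """Fill each authorization variable independently with the union of values."""
    company_codes = set().union(*(a["company_codes"] for a in auths))
    pc_ranges = [a["profit_centers"] for a in auths]
    return company_codes, pc_ranges


def covered(company_code, pc_range, auths):
    """True if one single authorization grants this code AND this range."""
    low, high = pc_range
    return any(
        company_code in a["company_codes"]
        and a["profit_centers"][0] <= low
        and high <= a["profit_centers"][1]
        for a in auths
    )


def uncovered_combinations(company_codes, pc_ranges, auths):
    """List the cross-combinations the selection requests but nobody granted."""
    return sorted(
        (cc, rng)
        for cc, rng in product(company_codes, pc_ranges)
        if not covered(cc, rng, auths)
    )


def query_allowed(company_codes, pc_ranges, auths):
    """All-or-nothing check: one uncovered combination rejects the query."""
    return not uncovered_combinations(company_codes, pc_ranges, auths)


if __name__ == "__main__":
    auths = [SECTION_1, SECTION_2]
    ccs, ranges = fill_variables(auths)
    print("unrestricted query allowed:", query_allowed(ccs, ranges, auths))
    for cc, rng in uncovered_combinations(ccs, ranges, auths):
        print(f"  not authorized: CC={cc} PC={rng[0]}-{rng[1]}")
    # A per-section variant, as suggested in the reply, selects only
    # combinations that one authorization covers.
    for name, sec in (("section 1", SECTION_1), ("section 2", SECTION_2)):
        ok = query_allowed(sec["company_codes"], [sec["profit_centers"]], auths)
        print(f"{name} variant allowed:", ok)
```

Company codes shared by both sections (1500, 1520, 1700, 1800) are covered for both ranges; only the codes unique to one section create uncovered combinations.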
Hi,
We have a scenario where we have 2 user IDs:
X
Y
We have a report R1 which has values for an infoobject IO as 1,2,3,4,5
Now User X is restricted to see only data for values 1,2,3 and Y is restricted for 4,5
We have created Analysis auth object and assigned it to users. Then we added an auth variable in the report which will restrict data as per user authorization.
Now the issue is that when we execute the report for User X, only values for 1 are displaying, and data for 2 and 3 are not showing up in spite of data being available in the underlying InfoProvider.
Same is the case with User Y, where the data is only visible for 4.
What can be the issue?
Hi Debanshu,
Though I could not understand the exact issue, I would rather suggest you check the authorizations checked while executing the report in Transaction RSECADMIN. In the transaction, go to Analysis tab -> Log Administration. There, in Configure Log Recording, provide the user ID for which you want to test the authorizations and save it.
When that particular user runs the report, you will be able to see the logs for it using the option "Authorization Logs" screen. This log will have detailed information regarding the entire authorization trace for that user for that report.
Regards,
Pratap Sone -
Domain Controller cannot access \\domain\netlogon causing Auth issues
Hi everyone, I have spent all day trying to figure out what is going on here. I have a Domain Controller (only DC in the environment) that is acting funny.
I first noticed when I was attempting to RDP into a server in my domain I was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got an AUTH error, but am not able to figure out how to fix this.
Another thing I notice is when I am signed into the Domain Controller (GP2010-a), I cannot browse to \\contoso.com\netlogon or any similar share.
Here is the kicker, other servers on this domain, server3, server4, server5 etc... THEY CAN access \\contoso.com\netlogon. It is ONLY the Domain Controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine, it is only 1 server that is affected by this strange behavior.
I have checked for no IP conflicts and as far as I can tell all the DNS records are correct.
Regarding the DYNAMIC IP warning, we have a reservation that assigns the IP.
Thanks for any input here as I'm really stuck,
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = GP2010-A
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: Connectivity
......................... GP2010-A passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... GP2010-A passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : contoso
Running enterprise tests on : contoso.com
Starting test: DNS
Test results for domain controllers:
DC: GP2010-A.contoso.com
Domain: contoso.com
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
DNS server: 2001:500:2::c (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
DNS server: 2001:500:2d::d (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
DNS server: 2001:500:2f::f (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
DNS server: 2001:500:3::42 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
DNS server: 2001:500:84::b (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
DNS server: 2001:7fd::1 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
DNS server: 2001:7fe::53 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
DNS server: 2001:dc3::35 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: contoso.com
GP2010-A FAIL WARN PASS PASS PASS PASS n/a
......................... contoso.com failed test DNS
Hi,
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Do you have any NIC configured to get dynamic IP on your DC which is having issue? If yes, please disable that NIC. Also, please provide me the result of the below
1) On your DC which is having issue, run "ipconfig /all"
2) Repadmin /showrepl
Thanks,
Umesh.S.K
Thanks, there is only 1 nic card. It is getting a dhcp address because this is an AZURE Hyper-v machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time
C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\GP2010-A
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927 -
For those having EAP auth issue using the ACS appliance
Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windows 2003 server and then use the Windows database as the external database and not Generic LDAP.
I hope this helps someone!
Jeff
The document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm -
SSL VPN on C2821 Radius auth issues
I've been looking through the discussions and I can't seem to nail this one down. I'm implementing SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a separate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
This is what the config looks like
Building configuration...
Current configuration : 24735 bytes
! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname N****
aaa new-model
aaa group server radius IAS_AUTH
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa group server radius Global ***made for testing. Redundant
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
clock timezone Arizona -7
dot11 syslog
ip source-route
ip cef
password encryption aes
crypto pki trustpoint TP-self-signed-2464190257
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2464190257
revocation-check none
rsakeypair TP-self-signed-2464190257
crypto pki certificate chain TP-self-signed-2464190257
certificate self-signed 01
REMOVED
interface GigabitEthernet0/0
INTERFACES REMOVED
ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination 10.12.1.17 2048
ROUTES REMOVED
ACLS REMOVED SSL IS ALLOWED
route-map STAT_NAT permit 10
match ip address 109
route-map DYN_NAT permit 10
match ip address 108
snmp-server community $DCI$ RO
control-plane
banner login ^C
line con 0
password 7 01100F175804
login authentication local
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address **outside ip*** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2464190257
no inservice
webvpn context webvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
port-forward "portforward_list_1"
local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
policy group policy_1
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list SSL_Global
aaa authentication domain @n****
gateway gateway_1 domain N****
max-users 10
no inservice
end
Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?
OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?
-
I have several Aironet 1100 APs which are configured to use EAP/TLS to authenticate against a Cisco ACS server.
We are using Aironet 350 PCMCIA cards. This setup had been working up until Friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 PCMCIA card it fails authentication. If I use the Windows wireless config it works perfectly. Unfortunately most of the PCs are running Win 2000 so I need to get the Cisco software working again.
In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other APs I see nothing in the logs.
I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
I'm at a bit of a loss as to what to do next.
Hi Rob,
The error is common for 802.1x.
You mentioned the problem started when you assigned new IP to the ACS. Have you tried to generate new ACS cert (running on new IP) again and load it to the client?
*http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K56560228
*http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
*http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
Rgds,
AK -
Auths issue or configuration: Adding qualifications in portal.
Dear all,
I am wondering whether someone can advise me whether this issue which I am having is a Security and Authorisation or is it a functional or portal issue/concern.
Scenario is as follows:
In transaction OOQA (catalog qualifications) I can see in R/3 a list of catalogs of qualifications, under each number is set out like the following
QK1 6272727272 All qualifications
QK2 6272727272 GENERAL
When I log into the front end portal, I can see perfectly how I would expect QK1 All qualifications showing what I must see, and I can here add the qualifications and save them.
The issue here is there is a search facility on the portal, and when I click on it I can search for additional qualification catalogues which is FINE, but it then allows me to click on ADD and to ADD the qualification (WHICH IS NOT WHAT I WANT), this is wrong.
I am confused. I have access to see and add 9 qualifications on the skill page, but I can add a lot more if I go through the search facility.
I was looking for whether there is a way via AUTHORISATION to restrict the adding of the remaining qualifications, i.e. be able to search them, but not be able to add these when searching.
Can i use PLOG, or P_ORGIN or PERNR authorisation objects to control this?
thanks all
Edited by: Julius Bussche on Sep 10, 2009 1:18 PM
Please use meaningful subject titles
Please first let us know if you have done the configuration as per the Note 779075. Please do this and re-register the work items and let us know.
Make
Check the configuration of SAP_WebDynpro_XSS
Here is the help documentation:
http://help.sap.com/saphelp_nw70/helpdata/en/92/a88931f2dd4631b9e8d530697d89c9/content.htm
in regards to this parameter.
IF the LeaveRequestApprover application is deployed on the SAP_Local
System, you needed the system alias of SAP_LocalSystem in the
Webdynpro Launch System value. With this setting when the user
manager clicks on the item, it will work fine.
The system SAP_WebDynpro_XSS should have maintained the WAS properties
with the port of the portal. This is for normal working for
Leave request
"Mapping Logical Systems" in the following documentation:
http://help.sap.com/SAPHELP_NW04S/helpdata/EN/2a/7a754297fdd142e10000000a1550b0/content.htm
and the "sap-wd-arfc-useSys" bullet point in the following
documentation:
http://help.sap.com/saphelp_sm32/helpdata/en/f4/651741f163f023e10000000a155106/content.htm
See in bold where it mentions that "The prerequisite for this is that,
in addition to the default JCo connections, you created the new logical
system name with the Web Dynpro Content Administrator and configured it
for the required SAP system." Meaning that there needs to be a JCO
Connection for "SAP_R3_SelfServiceGenerics_MetaData" since these are
the default JCo connections. In this case I kindly ask that you create
the default metadata and model JCO connections for
SAP_R3_SelfServiceGenerics and see if that resolves the issue. -
Hello,
My company just moved to 10.7, and it used to be the case in 10.6 that if I needed to connect to a server I could use user@servername if I wanted to authenticate as another user. It seems in 10.7 and 10.8 it is automatically using my currently logged in user only and it just ignores anything specified in user@. I can't find anything conclusive in Keychain Access, and it persists over multiple machines so it's not my specific computer or user that has issues.
We are on an AD domain and this is happening over SMB and AFP.
thanks!
It's not even listed in the keychain access list. I tried to manually input it, but still to no avail. When I say I click somewhere else I mean I might click on my documents for example to drag something into the ftp server, but when I come back to the ftp it's just kind of stuck saying "connecting" and trying to reconnect does nothing but give me an error and trying to eject does nothing at all.
-
Aironet 1130ag RADIUS auth issues - what is no sg in radius-timers?
Hi All.
wonder if anyone can help
We have an Aironet 1130ag in a remote office connected to the data centre over MPLS. The RADIUS server is based on Server 2003.
We have hundreds of these points set up exactly the same but this is the only one giving me issues. I even stripped the config and rebuilt it and then swapped with a new access point.
The issue is that clients can't authenticate when connecting to the access point but it provides nothing in event viewer. Checking the RADIUS server provides nothing either.
The access point error logs just state station: authentication failed
On looking deeper into the problem I enabled RADIUS debugging on the access point and got some interesting results, in particular is the line:
no sg in radius-timers: ctx 0x12EF0A4 sg 0x0000
I can't find out what no SG in Radius-timers actually means, but after that line appears I just see more retransmits and no sg fails.
I inspected the packets on the RADIUS server and found lots of access requests coming from my access point and lots of access-challenges returning back from my RADIUS server - I'm not sure how often that's supposed to happen or if it's a one time occurrence. I did however see directly after the first access-request that the RADIUS server returns with UDP and is fragmented, length is 1514...... could this be the problem? If so why can it not handle fragmented packets? And what do I need to do to fix?
Many thanks for the help
Mark
The fragmented packet might be a red herring as I've just done the same packet inspection on the same RADIUS server but coming from a different access point which works, I get the same fragmented UDP packet but the connection works.
any ideas? -
3620 Console Server - Double Auth issues....
Hi,
I have a 3620 with a NM-32A cabled to numerous Cisco consoles with CAB-OCTAL-ASYNC cable to each console port.
CONSOLE SERVER:
interface Ethernet1/0
ip address 192.168.10.180 255.255.255.224
no ip directed-broadcast
ip host SWITCH4 2001 192.168.10.180
line 1 32
session-timeout 20
no exec
exec-timeout 0 0
transport input telnet
transport output pad v120 telnet rlogin udptn
SWITCH4:
aaa authentication login default local-case
aaa authorization exec default local
username user password Pass
enable secret SECRET
line con 0
exec-timeout 0 0
transport preferred telnet
CONSOLE#teln SWITCH4
Trying SWITCH4 (192.168.10.180, 2001)... Open
User Access Verification
Username: user
Password:<Pass>
This times out....I then auth again and sometimes get in, sometimes not. Same behaviour across 4 out of 13 devices (so far).....!!
Has anyone had similar problems?
Thanks,
Mark
Mark
I suggest, as an experiment, that you remove this line from the config and see if the behavior improves:
aaa authorization exec default local
I do not see that this is doing much for you (at least in the small amount of configuration that you posted) and potentially could cause symptoms such as you describe. If the behavior does improve you might leave it out or you might change it to this:
aaa authorization exec default if-authenticated
HTH
Rick -
So I got SP3 Beta 3 running on a SLES10 box. I freshly installed the agent on a test workstation and registered it all up. The zone I have is pretty empty (for testing). I added an eDir ldap user source and got it all running on the primary server. The problem is I logged in once fine, but now it will not authenticate to the realm for the workstation (as a user). I still get my device associated app but when I log in all I get is this error: "Unable to log into the ZENworks realm because the system has disconnected from the network and the specified credentials did not match with the credentials cached on the system."
I did packet captures on the workstation and it never seems to even try to authenticate. The user source checks out fine in the ZCC and I can browse around and assign policies/bundles.
tersteew,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
hi,
i'm trying to download the lnx_920_disk*.cpio.gz files from Europe and the connection is so slow.
is there any mirror in europe? i was on the www.oracle.de but when it came to downloading i was sent back to otn.oracle.com.
i tried to put downloads on a remote server where i have a shell account but the oracle auth system requires cookies (that's ok) and js, which wget,lynx,links don't support.
any idea?
Michal
SIMs and the Tetris icons are ONLY installation shortcuts which will take you to the app to install.
You can't really delete them, just hide them. They are enabled via a service book pushed to you by your carrier, and if you delete that service book, it will just get pushed back.
-
Hello,
I am experiencing an issue with my model 4404 Wireless controllers that has plagued me for some time now. I have two controllers with 106 APs split evenly between the two controllers. One of my SSIDs is set up with web authentication. I have one Radius server (Cisco ACS v 4.1). The problem only exists for the SSID that uses web authentication. Reports begin to come in that students cannot login to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login). I obtain one of the student logins for testing and here is what I have found. I attempt to login to the student wireless with this account and receive the same results as the student. I have an AP in my office that I use for testing so I force it on to the other controller. At that point the account in question works. I can login without any issues. I force the AP back to the initial controller and experience the same issue, I cannot login. No error of bad username and password, just login fields that go blank. More reports come in that students cannot login and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more and then it all starts over again. The next time it may be the other controller that is experiencing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down. I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix.
Does anyone know if this is a known issue with this model controller?
Thanks much for any help.
Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in possibly due to being logged in somewhere else. At that point I pore over every client on the controller even filtering by MAC address. I see no evidence of the client being associated or authenticated. On a side note I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of radius accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.