Auth issue

If a user is given SAP_ALL access and if I run ST01 on the user, I will not be able to get any data because there are no auth failures for the user. I hope I am correct. In my case the user is assigned 2 roles, let's say role 1 and role 2. Role 1 has the object S_SCMG_TXT. I ran the Tcode HREIC and did a trace on the user, and the trace results failed at the object S_SCMG_TXT (RC = 4). The trace does not tell which role was checked. However, the object in question is already assigned to the user's UMR. What could be the issue in this case? Below is an excerpt from the trace. These two objects are already available with the correct values in one of the roles of the UMR.
P_ORGIN    RC=4  INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
S_SCMG_TXT RC=4  SPS_ID=HREIC_SPS_ACTIVITY_NOTES;CASETYPE=' ';TEXTID=0005;ACTVT=03;

> If a user is given SAP_ALL access and if I run ST01 on the user, I will not be able to get any data because there are no auth failures for the user. I hope I am correct.
Not completely,
All authority checks will always show up in the trace, also the ones that do succeed (with RC=0). So this is a good way to see which checks are actually performed while running a certain program/job/task etc. The output can then be compared to the actual role values.
About your trace output, to have us compare it with the users' roles please post the relevant records from table AGR_1251:
AGR_NAME=your role(s), OBJECT= P_ORGIN and S_SCMG_TXT
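One way to do the comparison the reply asks for, as an added example that is not part of the original thread: it parses the two trace records from the question and reports, for each authorization of the object, which checked fields its values do not cover. The AGR_1251 rows, the role names ZROLE1/ZROLE2 and the authorization names are constructed, and the example assumes that a field traced with an empty value was not checked and that a check succeeds only when a single authorization covers every checked field.

```python
import re

# Trace records copied from the question above.
TRACE = """\
P_ORGIN    RC=4  INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
S_SCMG_TXT RC=4  SPS_ID=HREIC_SPS_ACTIVITY_NOTES;CASETYPE=' ';TEXTID=0005;ACTVT=03;
"""

# Constructed sample rows in AGR_1251 column order:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). Not the poster's real role data.
AGR_1251 = [
    ("ZROLE1", "S_SCMG_TXT", "T_A1", "SPS_ID", "HREIC*", ""),
    ("ZROLE1", "S_SCMG_TXT", "T_A1", "CASETYPE", "*", ""),
    ("ZROLE1", "S_SCMG_TXT", "T_A1", "TEXTID", "0001", "0004"),
    ("ZROLE1", "S_SCMG_TXT", "T_A1", "ACTVT", "03", ""),
    ("ZROLE2", "S_SCMG_TXT", "T_B1", "SPS_ID", "*", ""),
    ("ZROLE2", "S_SCMG_TXT", "T_B1", "CASETYPE", "*", ""),
    ("ZROLE2", "S_SCMG_TXT", "T_B1", "TEXTID", "*", ""),
    ("ZROLE2", "S_SCMG_TXT", "T_B1", "ACTVT", "02", ""),
    ("ZROLE1", "P_ORGIN", "T_P1", "INFTY", "0002", ""),
    ("ZROLE1", "P_ORGIN", "T_P1", "SUBTY", "*", ""),
    ("ZROLE1", "P_ORGIN", "T_P1", "AUTHC", "R", ""),
]

LINE = re.compile(r"^(\S+)\s+RC=(\d+)\s+(.*)$")


def parse_trace(text):
    """Turn 'OBJECT RC=n FIELD=value;...' lines into dictionaries."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        obj, rc, rest = m.groups()
        fields = {}
        for pair in rest.split(";"):
            if "=" not in pair:
                continue
            name, value = pair.split("=", 1)
            value = value.strip()
            # Assumption: empty value = field not checked; ' ' = blank value checked.
            fields[name.strip()] = None if value == "" else value.strip("'").strip()
        records.append({"object": obj, "rc": int(rc), "fields": fields})
    return records


def covers(low, high, value):
    """Does one LOW/HIGH entry of a role cover the traced value?"""
    low, high = low.strip("'").strip(), high.strip()
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def compare(record, rows):
    """Per (role, authorization): the checked fields whose values are not covered."""
    auths = {}
    for agr, obj, auth, field, low, high in rows:
        if obj == record["object"]:
            auths.setdefault((agr, auth), {}).setdefault(field, []).append((low, high))
    return {
        key: [f for f, v in record["fields"].items()
              if v is not None
              and not any(covers(lo, hi, v) for lo, hi in values.get(f, []))]
        for key, values in auths.items()
    }


if __name__ == "__main__":
    for rec in parse_trace(TRACE):
        for (role, auth), missing in compare(rec, AGR_1251).items():
            status = "covers the check" if not missing else "fails on " + ", ".join(missing)
            print(f"{rec['object']} RC={rec['rc']}: {role}/{auth} {status}")
```

With the constructed rows, every traced S_SCMG_TXT value appears somewhere in the two roles, yet neither authorization covers all four fields on its own, which is the kind of mismatch a field-by-field comparison brings out.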

Similar Messages

  • UCMON auth issue

    We have an issue which I'm not sure if it's an authorization issue. One test user TST101 has a role assignment ZBC-CU-FULL which has all authorization to run UCWB & UCMON. However, test user TST101 can run UCMON with no problem at all, but when I go to menu GOTO > List of Totals Records and input 0010 in the company field, it gives me an authorization issue that says "Insufficient authorization for data from InfoProvider". When I run SU53, it gives me no missing objects or anything, and even ST01 gives me no auth error.
    But when I add SAP_ALL & SAP_NEW profile to the test user TST101, it then gave me a result.
    The problem now here is, the client doesn't want us to use SAP_ALL/NEW profile in production.
    Your help is very much appreciated.
    Regards,
    ted

    Hi,
    I hope it is not too late...
    You also need BI/BW authorization objects to allow "writing" on InfoProviders!
    Your Sum-Cube is BW, so that user needs a role with permission to write and read the Sum-Cube of SEM-BCS! It should be S_RS_ICUBE.
    Check these authorization objects; they regard development and usage of SEM-BCS, its customizing and reporting.
    AAAB
    S_TCODE
    Business Information Warehouse (RS)
    S_RS_HIER
    S_RS_ICUBE
    S_RS_MPRO
    S_RS_ODSO
    S_RS_IOMAD
    Strategic Enterprise Management (SEM)
    R_UC_ODSM
    R_UC_PERIO
    R_UC_RECON
    R_UC_TASK
    R_UGMD_ATT
    R_UGMD_CHA
    R_UGMD_FLD
    Financial Basis (FINB)
    FB_SRV_DMS
    FB_SRV_GC
    FB_SRV_TR
    R_CONFIG
    R_FINB_TYP
    R_UGMD_SNG
    BR
    Benjamin Maier

  • Analysis Auth issue - multiple objects

    Currently we have different roles defined for each separate section of our business with Comp code and Profit center (along with Hierarchy on PC).
    For e.g.
    Section 1
              Company Code – 1010,1050,1500,1520,1700,1800
              Profit Center – 150000 – 159999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_15
    Section 2
              Company Code – 1110,1150,1500,1520,1700,1800,1980,2050
              Profit Center – 190000 – 199999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_19
    Currently there are 30 such roles defined; we have quite a segregation within the business. So each BW user generally has one of the 30 roles assigned to them. This is working perfectly fine.
    Now because of the consolidations, there are some users who would manage information from different sections. So now a user can have access to Section 1 as well as Section 2. Whenever we tried giving access to 2 roles directly to any user, the results of the query come back as “No Authorization”.
    If you notice, the difference between section 1 and 2 is additional company codes and some matching company codes, along with a completely different Profit center range and profit center hierarchy node. I am not sure where exactly it is failing.
    Now one more thing for your information is that we have defined Auth variables on Company code (input/Auth/multiple Values) and Profit Center (Input/Authorization/Selection) and Profit Center hierarchy (hierarchy node variable / Authorization)
    I am just trying to understand where the No Auth error msg is coming. Is there some intersection which is killing the query result itself?
    Please let me know if any of you have any suggestion.

    A common problem when authorizing using two different Characteristics is how the authorization variables are filled.
    If a user has access to both section 1 and section 2, an authorization variable for Company Code will contain the values
    1010,1050,1500,1520,1700,1800, 1110,1150,1980,2050
    and the authorization variable for Profit Centre will contain
    150000 – 159999  and 190000 – 199999
    If the user doesn't restrict the query further, the system will issue a correct authorization error since the user is not authorized for the selection CC=2050 PC=150000 and all the other "cross-combinations".
    Try creating variants of the selection screen for section 1 and section 2 respectively and force the user to select one of these when executing the query.
    Regards,
    Lars
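The cross-combination effect described in the reply above, as an added example that is not part of the original thread: it fills the two authorization variables from both sections' role values and lists the company code / profit centre combinations that no single role covers. The role values come from the question; the function names are hypothetical, the hierarchy-node authorization is left out, and the check is modelled as all-or-nothing per query.

```python
from itertools import product

# Role values from the question (hierarchy node omitted in this sketch).
SECTIONS = {
    "Section 1": {"cc": {"1010", "1050", "1500", "1520", "1700", "1800"},
                  "pc": (150000, 159999)},
    "Section 2": {"cc": {"1110", "1150", "1500", "1520", "1700", "1800",
                         "1980", "2050"},
                  "pc": (190000, 199999)},
}
BOTH = ["Section 1", "Section 2"]


def variable_fill(assigned):
    """Values each authorization variable receives: a union per characteristic."""
    codes = sorted(set().union(*(SECTIONS[s]["cc"] for s in assigned)))
    ranges = sorted(SECTIONS[s]["pc"] for s in assigned)
    return codes, ranges


def covered(code, pc_range, assigned):
    """True if one assigned role authorizes this code together with the whole range."""
    lo, hi = pc_range
    return any(
        code in SECTIONS[s]["cc"]
        and SECTIONS[s]["pc"][0] <= lo and hi <= SECTIONS[s]["pc"][1]
        for s in assigned
    )


def uncovered_combinations(assigned, codes, ranges):
    """Cross-combinations in the selection that no single role authorizes."""
    return [(c, r) for c, r in product(codes, ranges) if not covered(c, r, assigned)]


def query_result(assigned, codes, ranges):
    """All-or-nothing: one uncovered combination rejects the whole selection."""
    return "No Authorization" if uncovered_combinations(assigned, codes, ranges) else "OK"


if __name__ == "__main__":
    codes, ranges = variable_fill(BOTH)
    print("Unrestricted query:", query_result(BOTH, codes, ranges))
    for code, (lo, hi) in uncovered_combinations(BOTH, codes, ranges):
        print(f"  not authorized: CC={code} PC={lo}-{hi}")
    # A variant restricted to one section's values, as the reply suggests.
    s1 = SECTIONS["Section 1"]
    print("Section 1 variant:", query_result(BOTH, sorted(s1["cc"]), [s1["pc"]]))
```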

  • Analysis auth issue

    Hi,
    We have a scenario where we have 2 user IDs:
    X
    Y
    We have a report R1 which has values for an infoobject IO as 1,2,3,4,5
    Now User X is restricted to see only data for values 1,2,3 and Y is restricted for 4,5
    We have created Analysis auth object and assigned it to users. Then we added an auth variable in the report which will restrict data as per user authorization.
    Now the issue is that when we execute the report for User X, only values for 1 are displaying, and data for 2 and 3 is not showing up in spite of data being available in the underlying InfoProvider.
    Same is the case with User Y, where the data is only visible for 4.
    What can be the issue?

    Hi Debanshu,
    Though I could not understand the exact issue, I would rather suggest you check the authorizations checked while executing the report in Transaction RSECADMIN. In the transaction, go to the Analysis tab -> Log Administration. There, in Configure Log Recording, provide the user ID for which you want to test the authorizations and save it.
    When that particular user runs the report, you will be able to see the logs for it using the "Authorization Logs" screen. This log will have detailed information regarding the entire authorization trace for that user for that report.
    Regards,
    Pratap Sone

  • Domain Controller cannot access \\domain\netlogon causing Auth issues

    Hi everyone, I have spent all day trying to figure out what is going on here. I have a Domain Controller (the only DC in the environment) that is acting funny.
    I first noticed when I was attempting to RDP into a server in my domain: I was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got an AUTH error, but am not able to figure out how to fix this.
    Another thing I notice is that when I am signed into the Domain Controller (GP2010-a), I cannot browse to \\contoso.com\netlogon or any similar share.
    Here is the kicker: other servers on this domain, server3, server4, server5 etc... THEY CAN access \\contoso.com\netlogon. It is ONLY the Domain Controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine; it is only 1 server that is affected by this strange behavior.
    I have checked for IP conflicts and as far as I can tell all the DNS records are correct.
    Regarding the DYNAMIC IP warning, we have a reservation that assigns the IP.
    Thanks for any input here as I'm really stuck,
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = GP2010-A
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\GP2010-A
          Starting test: Connectivity
             ......................... GP2010-A passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GP2010-A
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... GP2010-A passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : contoso
       Running enterprise tests on : contoso.com
          Starting test: DNS
             Test results for domain controllers:
                DC: GP2010-A.contoso.com
                Domain: contoso.com
                   TEST: Authentication (Auth)
                      Error: Authentication failed with specified credentials
                   TEST: Basic (Basc)
                      Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                      (can be a misconfiguration)
             Summary of test results for DNS servers used by the above domain
             controllers:
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90              
                DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235              
                DNS server: 2001:500:2::c (c.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c              
                DNS server: 2001:500:2d::d (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d              
                DNS server: 2001:500:2f::f (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f              
                DNS server: 2001:500:3::42 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42              
                DNS server: 2001:500:84::b (b.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b              
                DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30              
                DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30              
                DNS server: 2001:7fd::1 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1              
                DNS server: 2001:7fe::53 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53              
                DNS server: 2001:dc3::35 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35              
             Summary of DNS test results:
    Auth Basc Forw Del  Dyn  RReg Ext
                Domain: contoso.com
                   GP2010-A                     FAIL WARN PASS PASS PASS PASS n/a 
             ......................... contoso.com failed test DNS

    Hi,
    TEST: Basic (Basc)
                      Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
                      (can be a misconfiguration)
    Do you have any NIC configured to get a dynamic IP on the DC which is having the issue? If yes, please disable that NIC. Also, please provide me the result of the below
    1) On your DC which is having issue, run "ipconfig /all"
    2) Repadmin /showrepl
    Thanks,
    Umesh.S.K
    Thanks, there is only 1 nic card. It is getting a dhcp address because this is an AZURE Hyper-v machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time
    C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    Default-First-Site-Name\GP2010-A
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
    DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927

  • For those having EAP auth issue using the ACS appliance

    Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
    We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
    After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
    I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windows 2003 server and then use the Windows database as the external database and not Generic LDAP.
    I hope this helps someone!
    Jeff

    The document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

  • SSL VPN on C2821 Radius auth issues

    I've been looking through the discussions and I can't seem to nail this one down. I'm implementing SSL VPN on a 2821 to do SMTP only. I need it to auth off the RADIUS server and it is only asking for local router login P/Ws. It will not auth against RADIUS. I've created a separate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
    I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
    This is what the config looks like
    Building configuration...
    Current configuration : 24735 bytes
    ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname N****
    aaa new-model
    aaa group server radius IAS_AUTH
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa group server radius Global ***made for testing. Redundant
    server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa session-id common
    clock timezone Arizona -7
    dot11 syslog
    ip source-route
    ip cef
    password encryption aes
    crypto pki trustpoint TP-self-signed-2464190257
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2464190257
    revocation-check none
    rsakeypair TP-self-signed-2464190257
    crypto pki certificate chain TP-self-signed-2464190257
    certificate self-signed 01
    REMOVED
    interface GigabitEthernet0/0
    INTERFACES REMOVED
    ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip flow-cache timeout inactive 10
    ip flow-cache timeout active 5
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5 peer-as
    ip flow-export destination 10.12.1.17 2048
    ROUTES REMOVED
    ACLS REMOVED SSL IS ALLOWED
    route-map STAT_NAT permit 10
    match ip address 109
    route-map DYN_NAT permit 10
    match ip address 108
    snmp-server community $DCI$ RO
    control-plane
    banner login ^C
    line con 0
    password 7 01100F175804
    login authentication local
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway_1
    ip address **outside ip*** port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2464190257
    no inservice
    webvpn context webvpn
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    port-forward "portforward_list_1"
       local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
    policy group policy_1
       port-forward "portforward_list_1"
    default-group-policy policy_1
    aaa authentication list SSL_Global
    aaa authentication domain @n****
    gateway gateway_1 domain N****
    max-users 10
    no inservice
    end
    Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

    OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?    

  • EAP/TLS Auth issues

    I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
    We are using Aironet 350 PCMCIA cards. This setup had been working up until Friday when we moved the ACS server to a new IP address. Since then, if I try to connect using the Cisco software bundled with the 350 PCMCIA card, it fails authentication. If I use the Windows wireless config it works perfectly. Unfortunately most of the PCs are running Win 2000, so I need to get the Cisco software working again.
    In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
    I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
    I'm at a bit of a loss as to what to do next.

    Hi Rob,
    The error is common for 802.1x.
    You mentioned the problem started when you assigned new IP to the ACS. Have you tried to generate new ACS cert (running on new IP) again and load it to the client?
    *http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K56560228
    *http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
    *http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
    Rgds,
    AK

  • Auths issue or configuration: Adding qualifications in portal.

    Dear all,
    I am wondering whether someone can advise me whether this issue which I am having is a Security and Authorisation issue or a functional or portal issue/concern.
    The scenario is as follows.
    In transaction OOQA (catalog qualifications) I can see in R/3 a list of catalogs of qualifications; under each number it is set out like the following
    QK1 6272727272  All qualifications
    QK2 6272727272 GENERAL
    When I log into the front end portal, I can see perfectly how I would expect QK1 All qualifications showing what I must see, and I can here add the qualifications and save them.
    The issue here is there is a search facility on the portal, and when I click on it I can search for additional qualification catalogues, which is FINE, but it then allows me to click on ADD and to ADD the qualification (WHICH IS NOT WHAT I WANT); this is wrong.
    I am confused. I have access to see and add 9 qualifications on the skill page, but I can add a lot more if I go through the search facility.
    I was looking for whether there is a way via AUTHORISATION to restrict the adding of the remaining qualifications, i.e. be able to search them, but not be able to add these when searching.
    Can I use PLOG, or P_ORGIN or PERNR authorisation objects to control this?
    thanks all
    Edited by: Julius Bussche on Sep 10, 2009 1:18 PM
    Please use meaningful subject titles

    Please first let us know if you have done the configuration as per
    the Note 779075, Please do this and re register the work items and
    let us know.
    Make
    Check the configuration of SAP_WebDynpro_XSS
    Here is the help documentation:
    http://help.sap.com/saphelp_nw70/helpdata/en/92/a88931f2dd4631b9e8d530697d89c9/content.htm
    in regards to this parameter.
    IF the LeaveRequestApprover application is deployed on the SAP_Local
    System, you needed the system alias of SAP_LocalSystem in the
    Webdynpro Launch System value.  With this setting when the user
    manager clicks on the item, it will work fine.
    the system SAP_WebDynpro_XSS should have maintained the WAS properties
    with the port of the portal. This is for normal working for
    Leave request
    "Mapping Logical Systems" in the following documentation:
    http://help.sap.com/SAPHELP_NW04S/helpdata/EN/2a/7a754297fdd142e10000000a1550b0/content.htm
    and the "sap-wd-arfc-useSys" bullet point in the following
    documentation:
    http://help.sap.com/saphelp_sm32/helpdata/en/f4/651741f163f023e10000000a155106/content.htm
    See in bold where it mentions that "The prerequisite for this is that,
    in addition to the default JCo connections, you created the new logical
    system name with the Web Dynpro Content Administrator and configured it
    for the required SAP system." Meaning that there needs to be a JCO
    Connection for "SAP_R3_SelfServiceGenerics_MetaData" since these are
    the default JCo connections. In this case I kindly ask that you create
    the default metadata and model JCO connections for
    SAP_R3_SelfServiceGenerics and see if that resolves the issue.

  • Connect to server auth issues

    Hello,
    My company just moved to 10.7, and it used to be the case in 10.6 that if I needed to connect to a server I could use user@servername if I wanted to authenticate as another user. It seems in 10.7 and 10.8 it is automatically using my currently logged in user only and it just ignores anything specified in user@. I can't find anything conclusive in Keychain Access, and it persists over multiple machines, so it's not my specific computer or user that has issues.
    We are on an AD domain and this is happening over SMB and AFP.
    thanks!

    It's not even listed in the Keychain Access list. I tried to manually input it, but still to no avail. When I say I click somewhere else I mean I might click on my documents, for example, to drag something into the FTP server, but when I come back to the FTP it's just kind of stuck saying "connecting", and trying to reconnect does nothing but give me an error, and trying to eject does nothing at all.

  • Aironet 1130ag RADIUS auth issues - what is no sg in radius-timers?

    Hi All.
    wonder if anyone can help
    We have an aironet 1130ag in a remote office connected to the data centre over MPLS. The Radius server is based on server 2003
    We have hundreds of these points set up exactly the same but this is the only one giving me issues, I even stripped the config and rebuilt it and then swapped with a new access point
    The issue is that clients can't authenticate when connecting to the access point but provides nothing in event viewer. Checking the RADIUs server provides nothing either.
    The access point error logs just state station: authentication failed
    On looking deeper into the problem I enabled RADIUS debugging on the access point and got some interesting results, in particular is the line:
    no sg in radius-timers: ctx 0x12EF0A4 sg 0x0000
    I can't find out what no SG in Radius-timers actually means, but after that line appears I just see more retransmits and no sg fails.
    I inspected the packets on the RADIUS server and found lots of access requests coming from my access point and lots of access-challenges returning back from my RADIUS server - I'm not sure how often that's supposed to happen or if it's a one-time occurrence. I did however see directly after the first access-request that the RADIUS server returns with UDP and is fragmented, length is 1514...... could this be the problem? If so, why can it not handle fragmented packets? And what do I need to do to fix it?
    Many thanks for the help
    Mark

    the fragmented packet might be a red herring as I've just done the same packet inspection on the same radius server but coming from a different access point which works, I get the same fragmented UDP packet but the connection works.
    any ideas?

  • 3620 Console Server - Double Auth issues....

    Hi,
    I have a 3620 with a NM-32A cabled to numerous Cisco consoles with CAB-OCTAL-ASYNC cable to each console port.
    CONSOLE SERVER:
    interface Ethernet1/0
    ip address 192.168.10.180 255.255.255.224
    no ip directed-broadcast
    ip host SWITCH4 2001 192.168.10.180
    line 1 32
    session-timeout 20
    no exec
    exec-timeout 0 0
    transport input telnet
    transport output pad v120 telnet rlogin udptn
    SWITCH4:
    aaa authentication login default local-case
    aaa authorization exec default local
    username user password Pass
    enable secret SECRET
    line con 0
    exec-timeout 0 0
    transport preferred telnet
    CONSOLE#teln SWITCH4
    Trying SWITCH4 (192.168.10.180, 2001)... Open
    User Access Verification
    Username: user
    Password:<Pass>
    This times out....I then auth again and sometimes get in, sometimes not. Same behaviour across 4 out of 13 devices (so far).....!!
    Has anyone had similar problems?
    Thanks,
    Mark

    Mark
    I suggest, as an experiment, that you remove this line from the config and see if the behavior improves:
    aaa authorization exec default local
    I do not see that this is doing much for you (at least in the small amount of configuration that you posted) and potentially could cause symptoms such as you describe. If the behavior does improve you might leave it out or you might change it to this:
    aaa authorization exec default if-authenticated
    HTH
    Rick

  • SP3 Beta 3 - User auth issues

    So I got SP3 Beta 3 running on a SLES10 box. I freshly installed the agent on a test workstation and registered it all up. The zone I have is pretty empty (for testing). I added an eDir ldap user source and got it all running on the primary server. The problem is I logged in once fine, but now it will not authenticate to the realm for the workstation (as a user). I still get my device associated app but when I log in all I get is this error: "Unable to log into the ZENworks realm because the system has disconnected from the network and the specified credentials did not match with the credentials cached on the system."
    I did packet captures on the workstation and it never seems to even try to authenticate. The user source checks out fine in the ZCC and I can browse around and assign policies/bundles.

  • Download, auth issues

    hi,
    i'm trying to download the lnx_920_disk*.cpio.gz files from Europe and the connection is so slow.
    is there any mirror in europe? i was on the www.oracle.de but when it came to downloading i was sent back to otn.oracle.com.
    i tried to put downloads on a remote server where i have a shell account but the oracle auth system requires cookies (that's ok) and js, which wget,lynx,links don't support.
    any idea?
    Michal

    SIMs and the Tetris icons are ONLY installation shortcuts which will take you to the app to install.
    You can't really delete them, just hide them. They are enabled via a service book pushed to you by your carrier, and if you delete that service book, it will just get pushed back.

  • WLC 4400 web auth issues

    Hello,
    I am experiencing an issue with my model 4404 Wireless controllers that has plagued me for some time now. I have two controllers with 106 APs split evenly between the two controllers. One of my SSIDs is set up with web authentication. I have one RADIUS server (Cisco ACS v 4.1). The problem only exists for the SSID that uses web authentication. Reports begin to come in that students cannot log in to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login). I obtain one of the student logins for testing and here is what I have found. I attempt to log in to the student wireless with this account and receive the same results as the student. I have an AP in my office that I use for testing, so I force it on to the other controller. At that point the account in question works. I can log in without any issues. I force the AP back to the initial controller and experience the same issue: I cannot log in. No error of bad username and password, just login fields that go blank. More reports come in that students cannot log in and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more and then it all starts over again. The next time it may be the other controller that is experiencing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down. I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix.
    Does anyone know if this is a known issue with this model controller?
    Thanks much for any help.

    Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in possibly due to being logged in somewhere else. At that point I pore over every client on the controller even filtering by MAC address. I see no evidence of the client being associated or authenticated. On a side note I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of RADIUS accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.
