Authentication Failed to 2008 NPS from Cisco IOS VPN

Similar Messages

• Resend captured packets from cisco ios? (tcpreplay w/o WireShark)

  Hello again,
  As the title of the thread implies, is there a way to replay captured packets (as in a pcap file from the EPC protocol) from cisco ios? I am trying a work around by calling it from a connected computer, but I can't launch tcpreplay dynamically from an EEM script (mainly because I can't target the host OS from the EEM scope).
  Basically I am capturing packets in order to delay them until some arbitrary time determined by another (or even the same) EEM script. Is there a function I don't know about that I can call to put previously captured packets (stored in a pcap file) directly back on the bus as if nothing happened?
  Thanks in advance,
  -Heath

  You can't replay packets right now.  The upcoming onePK APIs will allow you to do this, however.  If you want to call tcpreplay from your EEM policy, you could send a trap to the host, which triggers the excution, or use the Remote Command Shell policy from http://www.cisco.com/go/easy to telnet/SSH to the host from the device to run the command.

• Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

  I have a Nexus 7010 running
  Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
  >>ip radius source-interface mgmt 0
  >>radius-server key XXXXX
  >>radius-server host X.X.X.X key XXXXX authentication accounting
  >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
  >>authentication login default group Radius_Group aaa authentication
  >>login console local aaa group server radius Radius_Group
  >>    server X.X.X.X
  >>    server X.X.X.X
  >>    source-interface mgmt0
  Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
  shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
  Does anyone know if this works????
  Thanks

  I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
  Attribute: cisco-av-pair
  Requirement: Mandatory
  Value: shell:roles*"network-admin vdc-admin"
  For more information take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
  Hope this helps
  Thank you for rating helpful posts!

• ISE failed to update resource from Cisco

  Guys,
  I try to update the client provisioning from cisco.com but it failed (print screen can see in attachment). I try from Cisco ISE, it can ping www.cisco.com.
  Do you have any idea ?

  Hi rizalferdiyan,
  Can you please check the certificate store of ISE for the following certificate :
  Baltimore CyberTrust Root.
  If this certificate is not available you will not be able to download the resources from cisco.com site.

• Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

  This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2

  I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2.  When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code
  16.  When I switch it back to the 2008 R2 server, it works fine.  The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I
  used the MS prescribed migration process.  The only thing that differs is the server's certificate name used in the PEAP setup screen.
  I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
  I've verified the shared secrets multiple times.  Both servers are domain controllers.
  Here is an example of the errors logged on the 2012 R2 server.
  ========================================
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
      Security ID:            FAITHCHURCH\youthroom$
      Account Name:            host/YOUTHROOM.faithchurch.net
      Account Domain:            FAITHCHURCH
      Fully Qualified Account Name:    FAITHCHURCH\youthroom$
  Client Machine:
      Security ID:            NULL SID
      Account Name:            -
      Fully Qualified Account Name:    -
      OS-Version:            -
      Called Station Identifier:        -
      Calling Station Identifier:        44-37-E6-C0-32-CA
  NAS:
      NAS IPv4 Address:        192.168.1.1
      NAS IPv6 Address:        -
      NAS Identifier:            -
      NAS Port-Type:            Ethernet
      NAS Port:            1010
  RADIUS Client:
      Client Friendly Name:        Extreme X440
      Client IP Address:            192.168.1.1
  Authentication Details:
      Connection Request Policy Name:    Secure Wired (Ethernet) Connections 2
      Network Policy Name:        Secure Wired (Ethernet) Connections 2
      Authentication Provider:        Windows
      Authentication Server:        Sigma.faithchurch.net
      Authentication Type:        PEAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            16
      Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  ========================================

  Hi,
  Have you added the NPS server to the RAS and IAS Servers
  security group in AD DS?
  The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
  Try to add a loal user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
  If the issue persists, it means that the configuration between NPS and NAS is wrong.
  Steven Lee
  TechNet Community Support

• SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

  Hello,
  i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
  Cisco 1802 Router:
  Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
  First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
  then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
  and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
  after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
  no aaa authentication list default
  authentication certificate
  ca trustpoint CA
  as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
  as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
  any ideas what the problem could be???
  here is the configuration:
  webvpn gateway WEBVPN_GW_OFFICE2
  ip interface Dialer0 port 1444
  ssl trustpoint CA
  inservice
  webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
  webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
  webvpn context WEBVPN_CONTEXT2
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  policy group WEBVPN_POLICY2
     functions svc-enabled
     mask-urls
     svc address-pool "SSLVPN_OFFICE1"
     svc default-domain "domain.internal"
     svc keep-client-installed
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.53.33
     svc dns-server secondary 192.168.53.35
  virtual-template 3
  default-group-policy WEBVPN_POLICY2
  gateway WEBVPN_GW_OFFICE2
  authentication certificate
  ca trustpoint CA
  inservice
  here is the debug:
  OfficeRouter1# PASSING appctx is [0x89FAFFCC]
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:39:53.607: WV: http request: / with no cookie
  Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:39:53.607: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:39:53.607: WV: Trustpoint match successful
  Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
  Nov 19 22:39:53.607: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
  Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  BueroRouter1# PASSING appctx is [0x89FAEEC4]
  Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:40:24.132: WV: http request: / with no cookie
  Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:40:24.132: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:24.132: WV: Trustpoint match successful
  Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
  Nov 19 22:40:24.132: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
  Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
  Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
        offset: 0, domain: 0)
  Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
  Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
  Nov 19 22:40:39.892: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:39.892: WV: Trustpoint match successful
  Nov 19 22:40:39.892: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
  Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
  HI,
  Refer to
  AnyConnect VPN Client FAQ
  Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
  A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

• AiroNet 1140 Authentication Issues Windows Server 2008 NPS

  Hello,
  We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
  *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
  FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
  FAIL

  Hi Steve, Here is the config for the AP.  Some screenshots of the NPS config are below, too.  Please let me know if you need more information from our NPS server.  Thanks, Doug
  ap#sh run
  Building configuration...
  Current configuration : 2971 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
  aaa new-model
  aaa group server radius rad_eap
  server 10.20.2.96 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  server 10.20.2.96 auth-port 1645 acct-port 1646
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 syslog
  dot11 ssid wifi
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
  username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid wifi
  antenna gain 0
  speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
  m8. m9. m10. m11. m12. m13. m14. m15.
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid wifi
  antenna gain 0
  dfs band 3 block
  speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
  . m12. m13. m14. m15.
  channel dfs
  station-role root access-point
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.40.0.200 255.255.0.0
  no ip route-cache
  ip default-gateway 10.40.0.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server local
    no authentication mac
    nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
  677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  ap#

• EAP-TLS problems with Cisco AP541N and Server 2008 NPS

  Hi,
  I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
  I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
  Oct 18 15:42:58
  info
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
  Oct 18 15:42:58
  warn
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
  Oct 18 15:42:58
  info
  hostapd
  The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
  NPS logs this:
  Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
  Netzwerkrichtlinienname: XXXXXX
  Authentifizierungsanbieter: Windows
  Authentifizierungsserver: XXXXX
  Authentifizierungstyp: EAP
  EAP-Typ: -
  Kontositzungs-ID: -
  Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
  Ursachencode: 22
  Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
  I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
  I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
  Did anybody encounter something like this before? Or just knows what to do?
  Thanks in advance
  Lenni

  Joe:
  Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
  EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
  PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
  for PEAP-MSCHAPv2, Your options are:
  - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
  - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
  - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
  You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

  Hi everyone,
  Hoping someone can help please.
  We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
  We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
  What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
  then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
  Has anyone implemented this before and if so, are there any guides available please?
  Many Thanks,
  Dean.

  Hi Dean,
  Thanks for posting here.
  Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
  Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
  Checklist: Configure NPS for Dial-Up and VPN Access
  http://technet.microsoft.com/en-us/library/cc754114.aspx
  Thanks.
  Tiger Li
  Tiger Li
  TechNet Community Support

• Cisco ISE authentication failed because client reject certificate

  Hi Experts,
  I am a newbie in ISE and having problem in my first step in authentication. Please help.
  I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
  Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
  Regards,
  Ratna

  Certificate-Based User Authentication via Supplicant Failing
  Symptoms or
  Issue
  User authentication is failing on the client machine, and the user is receiving a
  “RADIUS Access-Reject” form of message.
  Conditions (This issue occurs with authentication protocols that require certificate validation.)
  Possible Authentications report failure reasons:
  • “Authentication failed: 11514 Unexpectedly received empty TLS message;
  treating as a rejection by the client”
  • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
  the client rejected the Cisco ISE local-certificate”
  Click the magnifying glass icon from Authentications to display the following output
  in the Authentication Report:
  • 12305 Prepared EAP-Request with another PEAP challenge
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is reusing an existing session
  • 12304 Extracted EAP-Response containing PEAP challenge-response
  • 11514 Unexpectedly received empty TLS message; treating as a rejection by the
  client
  • 12512 Treat the unexpected TLS acknowledge message as a rejection from the
  client
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  • 11006 Returned RADIUS Access-Challenge
  • 11001 Received RADIUS Access-Request
  • 11018 RADIUS is re-using an existing session
  • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
  • 12815 Extracted TLS Alert message
  • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
  Cisco ISE local-certificate
  • 11504 Prepared EAP-Failure
  • 11003 Returned RADIUS Access-Reject
  Note This is an indication that the client does not have or does not trust the Cisco
  ISE certificates.
  Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
  The client machine is configured to validate the server certificate, but is not
  configured to trust the Cisco ISE certificate.
  Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

• Failed to retrieve data from the database crystal reports 2008 in SAP  B1

  Hello friends,
               I am using Crystal report 2008 with SAP B1 PL 8.8. When I run any report,  it runs correctly from Crystal Report. But whenever I try to open the same report through SAP ( Tools -> Preview External Crystal Report ), it prompts the parameters for that report and then open up the crystal report window and throws an Error message ("failed to retrieve data from the database. Details [Database Vendor Code: 156]").
             Please any one suggest me the corrective solution.
  Thanks in Advance,
  Keyur Raval.

  I had the same problem in SAP B1 2007. Report worked fine except when it was open from B1. Generally there may be different problems. In my case the same problem was caused by using some procedure which was in a specific schema. Changing the schema into "dbo" solved the problem.
  Radoslaw Blaniarz

• Authentication failed while using the function from JSP.

  I am facing a issue with the mail functionality with JAVA Mailing.The problem is that when I am running the stand alone program it is working fine but when same function is called from a JSP it gives Authentication failed Exception.I am attaching the code with the case.testMail() Is the function called from the JSP.
  Please Look in to the issue its urgent.
  import javax.mail.*;
  import javax.mail.internet.*;
  import java.util.*;
  import java.io.*;
  import javax.activation.DataHandler;
  import javax.mail.MessagingException;
  import javax.mail.internet.MimeBodyPart;
  import javax.mail.internet.MimeMessage;
  import javax.mail.internet.MimeMultipart;
  import javax.mail.internet.MimePartDataSource;
  To use this program, change values for the following three constants,
  SMTP_HOST_NAME -- Has your SMTP Host Name
  SMTP_AUTH_USER -- Has your SMTP Authentication UserName
  SMTP_AUTH_PWD -- Has your SMTP Authentication Password
  Next change values for fields
  emailMsgTxt -- Message Text for the Email
  emailSubjectTxt -- Subject for email
  emailFromAddress -- Email Address whose name will appears as "from" address
  Next change value for "emailList".
  This String array has List of all Email Addresses to Email Email needs to be sent to.
  Next to run the program, execute it as follows,
  SendMailUsingAuthentication authProg = new SendMailUsingAuthentication();
  public class SendMailUsingAuthentication
  private static final String SMTP_HOST_NAME = "host";
  private static final String SMTP_AUTH_USER = "username";
  private static final String SMTP_AUTH_PWD = "password";
  private static final String emailMsgTxt = "Test Msg";
  private static final String emailSubjectTxt = "Notification: New User created";
  private static final String emailFromAddress = "[email protected]";
  // Add List of Email address to who email needs to be sent to
  private static final String[] emailList = {"[email protected]"};
  public static void main(String args[]) throws Exception
  SendMailUsingAuthentication smtpMailSender = new SendMailUsingAuthentication();
  smtpMailSender.postMail( emailList, emailSubjectTxt, emailMsgTxt, emailFromAddress);
  System.out.println("Sucessfully Sent mail to All Users");
  public void testMail(String msgBody,String senderEmail)throws MessagingException
  try{
       String mailBody = msgBody;
       String senderEmailAdd = senderEmail;
       SendMailUsingAuthentication smtpMailSender = new SendMailUsingAuthentication();
       smtpMailSender.postMail( emailList, emailSubjectTxt, mailBody , senderEmail);
       catch(MessagingException me) {
                 //System.out.println("Mail not sent");
                 throw me;
  public void postMail( String recipients[ ], String subject,
  String message , String from) throws MessagingException
  try{
       boolean debug = false;
  //Set the host smtp address
  Properties props = System.getProperties();
  props.put("mail.smtp.host", SMTP_HOST_NAME);
  props.put("mail.smtp.auth", "true");
  Authenticator auth = new SMTPAuthenticator();
  Session session = Session.getInstance(props, auth);
  session.setDebug(debug);
  // create a message
  Message msg = new MimeMessage(session);
  // set the from and to address
  InternetAddress addressFrom = new InternetAddress(from);
  msg.setFrom(addressFrom);
  InternetAddress[] addressTo = new InternetAddress[recipients.length];
  for (int i = 0; i < recipients.length; i++)
  addressTo[i] = new InternetAddress(recipients);
  msg.setRecipients(Message.RecipientType.TO, addressTo);
  // Setting the Subject and Content Type
  msg.setSubject(subject);
  msg.setContent(message, "text/plain");
  Transport.send(msg);
       catch(MessagingException me) {
                 //System.out.println("Mail not sent");
                 throw me;
  * SimpleAuthenticator is used to do simple authentication
  * when the SMTP server requires it.
  public static class SMTPAuthenticator extends javax.mail.Authenticator
  public PasswordAuthentication getPasswordAuthentication()
  String username = SMTP_AUTH_USER;
  String password = SMTP_AUTH_PWD;
            return new PasswordAuthentication(username, password);

  Your code doesn't work in stand alone program... just little mistake!
  Miss port property :
  props.put("mail.smtp.port", "25");
  props.put("mail.smtp.starttls.enable", "true"); // tls for gmail
  AddressTo method didn' t compile :
  InternetAddress[] addressTo = new InternetAddress[recipients.length];
  for (int i = 0; i < recipients.length; i++)
       addressTo[i] = new InternetAddress((String) recipients);
  msg.setRecipients(Message.RecipientType.TO, addressTo);
  And see this post for jsp integration :
  http://forum.java.sun.com/thread.jspa?threadID=5184860&tstart=0

• Cisco ISE authentication failed for Win XP SP3

  Hello,
  I have some trouble this Win XP wired Client authentication. With Win7 everything works well.
  ISE 1.2 (patch 4)
  Switch: 2960 / 2960S (15.0.(2)SE2)
  Authentication details:
  Event:
  5400 Authentication failed:
  Failure Reason
  11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Resolution
  Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
  Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
  I try to disable validate server certificates on Win XP Clients, but it won´t work for me.
  Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won´t work.
  Any idea?
  thanks

  The ISE use a self-signed certificate. I add this self-signed certificate to the clients "trusted root certification authorities", enable validate server certificates at the eap properties and select the added certificate from the trust list. But if I uncheck validate server certificates, I see the same error message as well.
  Are there any differences between xp client config and win7 client config?
  thanks,

• Cisco 2960 802.1x authentication fail

  Physical switch version:
  C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
  The goal of this lab is only authenticated by the MAC address of the laptop.
  Currently,I have a trouble as following and don't know what is this root cause .
  Please give me a guide point. 
  Thanks so much
  *Mar  2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
  *Mar  2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

  I have a few questions:
  1. What type of Radius server do you have?
  2. Can you post a screen shot of your Radius AAA policies
  3. Do you have the mac address entered in your Radius server
  4. Provide the output from the following commands:
  - show aaa servers
  - show authentication session interface interface_name_number
  Thank you for rating helpful posts!