Authentication Failed to 2008 NPS from Cisco IOS VPN
I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
Local authentication works fine.
Here are cisco configs:
aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common
ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
... other crypto commands
This is the section of the log from NPS:
Authentication Details:
Connection Request Policy Name: VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: x.x.x.x
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I do have PAP enabled on the Network/Connection Request Policies...
I'm stuck
Please help
Can you run a "test aaa" command to see if the user can be authenticated successfully?
I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3
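The NPS log in this thread shows Authentication Type PAP. With PAP the NAS hides the password under the RADIUS shared secret (RFC 2865, section 5.2), so a secret that differs between router and server makes the server recover a different password, which it can only treat as wrong credentials. The sketch below is an added example, not code from the original thread; the secrets, password and Request Authenticator are constructed values.

```python
"""RADIUS PAP User-Password hiding (RFC 2865, section 5.2), both directions."""
import hashlib
import hmac


def _mask(secret: bytes, prev: bytes) -> bytes:
    # b(i) = MD5(shared secret + previous 16 octets)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS places in the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16, then XOR block by block.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _mask(secret, prev)))
        hidden += block
        prev = block  # the next mask is chained on this ciphertext block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server computes with its own copy of the secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 octets, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _mask(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def server_check(hidden: bytes, server_secret: bytes, authenticator: bytes,
                 stored_password: bytes) -> str:
    """The only verdict a server can reach from a bare PAP request."""
    candidate = recover_password(hidden, server_secret, authenticator)
    if hmac.compare_digest(candidate, stored_password):
        return "accept"
    return "reject: credentials mismatch"


# Constructed sample values (not taken from the thread).
NAS_SECRET = b"constructed-secret-A"
SERVER_SECRET_TYPO = b"constructed-secret-a"   # differs by one character
AUTHENTICATOR = bytes(range(16))               # fixed here for repeatability
PASSWORD = b"Example-Passw0rd-24bytes"          # 24 octets, so two blocks

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, NAS_SECRET, AUTHENTICATOR)
    print("matching secret :", server_check(hidden, NAS_SECRET, AUTHENTICATOR, PASSWORD))
    print("mismatched secret:", server_check(hidden, SERVER_SECRET_TYPO, AUTHENTICATOR, PASSWORD))
```

An Access-Request that carries only PAP has no field keyed by the shared secret other than the hidden password itself, which is why the server cannot tell a wrong secret from a wrong password.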
Similar Messages
-
Resend captured packets from cisco ios? (tcpreplay w/o WireShark)
Hello again,
As the title of the thread implies, is there a way to replay captured packets (as in a pcap file from the EPC protocol) from cisco ios? I am trying a work around by calling it from a connected computer, but I can't launch tcpreplay dynamically from an EEM script (mainly because I can't target the host OS from the EEM scope).
Basically I am capturing packets in order to delay them until some arbitrary time determined by another (or even the same) EEM script. Is there a function I don't know about that I can call to put previously captured packets (stored in a pcap file) directly back on the bus as if nothing happened?
Thanks in advance,
-Heath
You can't replay packets right now. The upcoming onePK APIs will allow you to do this, however. If you want to call tcpreplay from your EEM policy, you could send a trap to the host, which triggers the execution, or use the Remote Command Shell policy from http://www.cisco.com/go/easy to telnet/SSH to the host from the device to run the command.
-
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>> server X.X.X.X
>> server X.X.X.X
>> source-interface mgmt0
Also does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
ISE failed to update resource from Cisco
Guys,
I try to update the client provisioning from cisco.com but it failed (print screen can see in attachment). I try from Cisco ISE, it can ping www.cisco.com.
Do you have any idea?
Hi rizalferdiyan,
Can you please check the certificate store of ISE for the following certificate :
Baltimore CyberTrust Root.
If this certificate is not available you will not be able to download the resources from cisco.com site. -
Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2
This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2
I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2. When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code
16. When I switch it back to the 2008 R2 server, it works fine. The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I
used the MS prescribed migration process. The only thing that differs is the server's certificate name used in the PEAP setup screen.
I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
I've verified the shared secrets multiple times. Both servers are domain controllers.
Here is an example of the errors logged on the 2012 R2 server.
========================================
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: FAITHCHURCH\youthroom$
Account Name: host/YOUTHROOM.faithchurch.net
Account Domain: FAITHCHURCH
Fully Qualified Account Name: FAITHCHURCH\youthroom$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 44-37-E6-C0-32-CA
NAS:
NAS IPv4 Address: 192.168.1.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 1010
RADIUS Client:
Client Friendly Name: Extreme X440
Client IP Address: 192.168.1.1
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections 2
Network Policy Name: Secure Wired (Ethernet) Connections 2
Authentication Provider: Windows
Authentication Server: Sigma.faithchurch.net
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
========================================
Hi,
Have you added the NPS server to the RAS and IAS Servers
security group in AD DS?
The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
Try to add a local user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
If the issue persists, it means that the configuration between NPS and NAS is wrong.
Steven Lee
TechNet Community Support -
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time (i really could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made these changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to use the "authentication certificate" command and that's it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
AiroNet 1140 Authentication Issues Windows Server 2008 NPS
Hello,
We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP.
Doug
*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
Hi Steve, Here is the config for the AP. Some screenshots of the NPS config are below, too. Please let me know if you need more information from our NPS server. Thanks, Doug
ap#sh run
Building configuration...
Current configuration : 2971 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
aaa new-model
aaa group server radius rad_eap
server 10.20.2.96 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
server 10.20.2.96 auth-port 1645 acct-port 1646
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid wifi
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid wifi
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid wifi
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
. m12. m13. m14. m15.
channel dfs
station-role root access-point
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.40.0.200 255.255.0.0
no ip route-cache
ip default-gateway 10.40.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication mac
nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap# -
EAP-TLS problems with Cisco AP541N and Server 2008 NPS
Hi,
I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
Oct 18 15:42:58
info
hostapd
wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
Oct 18 15:42:58
warn
hostapd
wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
Oct 18 15:42:58
info
hostapd
The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
NPS logs this:
Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
Netzwerkrichtlinienname: XXXXXX
Authentifizierungsanbieter: Windows
Authentifizierungsserver: XXXXX
Authentifizierungstyp: EAP
EAP-Typ: -
Kontositzungs-ID: -
Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
Ursachencode: 22
Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
Did anybody encounter something like this before? Or just knows what to do?
Thanks in advance
Lenni
Joe:
Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
for PEAP-MSCHAPv2, Your options are:
- Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
- Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
- If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connection. (This is a security concern though. not recommended unless really needed).
You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to use PEAP.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
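The hostapd line in this thread shows the supplicant answering the EAP-TLS offer (type 13) with a Nak (type 3). A Legacy Nak carries the method types the supplicant would accept instead (RFC 3748, section 5.3.1), so decoding it shows whether the client and the server policy share any method at all. This is an added example, not part of the original posts; the sample packet and the server policy sets are constructed.

```python
"""Decode an EAP Legacy Nak (RFC 3748, section 5.3.1) and compare it to server policy."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST"}
NAK = 3


def type_name(eap_type: int) -> str:
    return EAP_TYPES.get(eap_type, f"type {eap_type}")


def parse_eap(packet: bytes) -> dict:
    """Parse the EAP header and, for a Nak, the list of desired method types."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    body = packet[4:length]  # octets past Length are padding and are ignored
    parsed = {"code": EAP_CODES[code], "id": identifier, "type": None, "nak_wants": []}
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        parsed["type"] = body[0]
        if body[0] == NAK:
            if code != 2:
                raise ValueError("Nak is only valid in a Response")
            if len(body) < 2:
                raise ValueError("Nak without any desired type")
            parsed["nak_wants"] = list(body[1:])
    return parsed


def diagnose_nak(offered: int, response: bytes, server_enabled: set) -> str:
    """Explain a Nak against the EAP types enabled in the server's policy."""
    parsed = parse_eap(response)
    if parsed["type"] != NAK:
        return "not a Nak"
    # A desired type of 0 means the supplicant has no alternative to propose.
    wanted = [t for t in parsed["nak_wants"] if t != 0]
    if not wanted:
        return f"supplicant refuses {type_name(offered)} and proposes no alternative"
    common = [t for t in wanted if t in server_enabled]
    if common:
        return f"server can continue with {type_name(common[0])}"
    wants = ", ".join(type_name(t) for t in wanted)
    allows = ", ".join(type_name(t) for t in sorted(server_enabled))
    return f"no common method: supplicant proposes {wants}; server policy allows {allows}"


# Constructed sample: Response, identifier 5, length 6, Nak proposing PEAP (25).
SAMPLE_NAK = bytes([2, 5, 0, 6, NAK, 25])

if __name__ == "__main__":
    print(parse_eap(SAMPLE_NAK))
    print(diagnose_nak(13, SAMPLE_NAK, {13}))        # policy with EAP-TLS only
    print(diagnose_nak(13, SAMPLE_NAK, {13, 25}))    # policy with EAP-TLS and PEAP
```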
NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication
Hi everyone,
Hoping someone can help please.
We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
Has anyone implemented this before and if so, are there any guides available please?
Many Thanks,
Dean.
Hi Dean,
Thanks for posting here.
Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
Checklist: Configure NPS for Dial-Up and VPN Access
http://technet.microsoft.com/en-us/library/cc754114.aspx
Thanks.
Tiger Li
TechNet Community Support -
Cisco ISE authentication failed because client reject certificate
Hi Experts,
I am a newbie in ISE and having problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
Regards,
Ratna
Certificate-Based User Authentication via Supplicant Failing
Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a “RADIUS Access-Reject” form of message.
Conditions: (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
Resolution: The client machine must accept the Cisco ISE certificate to enable authentication. -
Failed to retrieve data from the database crystal reports 2008 in SAP B1
Hello friends,
I am using Crystal report 2008 with SAP B1 PL 8.8. When I run any report, it runs correctly from Crystal Report. But whenever I try to open the same report through SAP ( Tools -> Preview External Crystal Report ), it prompts the parameters for that report and then open up the crystal report window and throws an Error message ("failed to retrieve data from the database. Details [Database Vendor Code: 156]").
Please any one suggest me the corrective solution.
Thanks in Advance,
Keyur Raval.
I had the same problem in SAP B1 2007. Report worked fine except when it was open from B1. Generally there may be different problems. In my case the same problem was caused by using some procedure which was in a specific schema. Changing the schema into "dbo" solved the problem.
Radoslaw Blaniarz -
Authentication failed while using the function from JSP.
I am facing an issue with the mail functionality with JAVA Mailing. The problem is that when I am running the stand alone program it is working fine but when same function is called from a JSP it gives Authentication failed Exception. I am attaching the code with the case. testMail() is the function called from the JSP.
Please look into the issue, it's urgent.
import javax.mail.*;
import javax.mail.internet.*;
import java.util.*;
import java.io.*;
import javax.activation.DataHandler;
import javax.mail.MessagingException;
import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import javax.mail.internet.MimePartDataSource;

/*
  To use this program, change values for the following three constants,
    SMTP_HOST_NAME -- Has your SMTP Host Name
    SMTP_AUTH_USER -- Has your SMTP Authentication UserName
    SMTP_AUTH_PWD -- Has your SMTP Authentication Password
  Next change values for fields
    emailMsgTxt -- Message Text for the Email
    emailSubjectTxt -- Subject for email
    emailFromAddress -- Email Address whose name will appears as "from" address
  Next change value for "emailList".
  This String array has List of all Email Addresses to Email Email needs to be sent to.
  Next to run the program, execute it as follows,
    SendMailUsingAuthentication authProg = new SendMailUsingAuthentication();
*/
public class SendMailUsingAuthentication
{
    private static final String SMTP_HOST_NAME = "host";
    private static final String SMTP_AUTH_USER = "username";
    private static final String SMTP_AUTH_PWD = "password";
    private static final String emailMsgTxt = "Test Msg";
    private static final String emailSubjectTxt = "Notification: New User created";
    private static final String emailFromAddress = "[email protected]";
    // Add List of Email address to who email needs to be sent to
    private static final String[] emailList = {"[email protected]"};

    public static void main(String args[]) throws Exception
    {
        SendMailUsingAuthentication smtpMailSender = new SendMailUsingAuthentication();
        smtpMailSender.postMail( emailList, emailSubjectTxt, emailMsgTxt, emailFromAddress);
        System.out.println("Sucessfully Sent mail to All Users");
    }

    // Entry point called from the JSP
    public void testMail(String msgBody,String senderEmail)throws MessagingException
    {
        try{
            String mailBody = msgBody;
            String senderEmailAdd = senderEmail;
            SendMailUsingAuthentication smtpMailSender = new SendMailUsingAuthentication();
            smtpMailSender.postMail( emailList, emailSubjectTxt, mailBody , senderEmail);
        }
        catch(MessagingException me) {
            //System.out.println("Mail not sent");
            throw me;
        }
    }

    public void postMail( String recipients[ ], String subject,
                          String message , String from) throws MessagingException
    {
        try{
            boolean debug = false;
            //Set the host smtp address
            Properties props = System.getProperties();
            props.put("mail.smtp.host", SMTP_HOST_NAME);
            props.put("mail.smtp.auth", "true");
            Authenticator auth = new SMTPAuthenticator();
            Session session = Session.getInstance(props, auth);
            session.setDebug(debug);
            // create a message
            Message msg = new MimeMessage(session);
            // set the from and to address
            InternetAddress addressFrom = new InternetAddress(from);
            msg.setFrom(addressFrom);
            InternetAddress[] addressTo = new InternetAddress[recipients.length];
            for (int i = 0; i < recipients.length; i++)
            {
                // as posted: passes the whole array, which is the line the reply says did not compile
                addressTo[i] = new InternetAddress(recipients);
            }
            msg.setRecipients(Message.RecipientType.TO, addressTo);
            // Setting the Subject and Content Type
            msg.setSubject(subject);
            msg.setContent(message, "text/plain");
            Transport.send(msg);
        }
        catch(MessagingException me) {
            //System.out.println("Mail not sent");
            throw me;
        }
    }

    /**
     * SimpleAuthenticator is used to do simple authentication
     * when the SMTP server requires it.
     */
    public static class SMTPAuthenticator extends javax.mail.Authenticator
    {
        public PasswordAuthentication getPasswordAuthentication()
        {
            String username = SMTP_AUTH_USER;
            String password = SMTP_AUTH_PWD;
            return new PasswordAuthentication(username, password);
        }
    }
}

Your code doesn't work in stand alone program... just little mistake!
Miss port property:
    props.put("mail.smtp.port", "25");
    props.put("mail.smtp.starttls.enable", "true"); // tls for gmail
AddressTo method didn't compile:
    InternetAddress[] addressTo = new InternetAddress[recipients.length];
    for (int i = 0; i < recipients.length; i++)
    {
        // index into the array: one InternetAddress per recipient
        addressTo[i] = new InternetAddress((String) recipients[i]);
    }
    msg.setRecipients(Message.RecipientType.TO, addressTo);
And see this post for jsp integration:
http://forum.java.sun.com/thread.jspa?threadID=5184860&tstart=0 -
Cisco ISE authentication failed for Win XP SP3
Hello,
I have some trouble this Win XP wired Client authentication. With Win7 everything works well.
ISE 1.2 (patch 4)
Switch: 2960 / 2960S (15.0.(2)SE2)
Authentication details:
Event:
5400 Authentication failed:
Failure Reason
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I try to disable validate server certificates on Win XP Clients, but it won't work for me.
Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won't work.
Any idea?
thanks
The ISE uses a self-signed certificate. I add this self-signed certificate to the clients "trusted root certification authorities", enable validate server certificates at the eap properties and select the added certificate from the trust list. But if I uncheck validate server certificates, I see the same error message as well.
Are there any differences between xp client config and win7 client config?
thanks, -
Cisco 2960 802.1x authentication fail
Physical switch version:
C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
The goal of this lab is only authenticated by the MAC address of the laptop.
Currently, I have a trouble as following and don't know what is this root cause.
Please give me a guide point.
Thanks so much
*Mar 2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
I have a few questions:
1. What type of Radius server do you have?
2. Can you post a screen shot of your Radius AAA policies
3. Do you have the mac address entered in your Radius server
4. Provide the output from the following commands:
- show aaa servers
- show authentication session interface interface_name_number
Thank you for rating helpful posts!