Authentication PEAP issue (I believe!).
I'm using PEAP, AP1200, ACS 3.2, WXP SP2 and Microsoft AD to authenticate machine and user. The authentication process supplies the WEP key to the client.
When I'm using a Cisco 350 client adapter all works fine. When I'm using another adapter, the AP log shows a continuous association/disassociation.
Any ideas?
Thanks.
Andrea.
Are you using the client software for the wireless, or Windows? One or the other must be disabled.
Start / Settings / Control Panel / Administrative Tools / Services / Windows Zero Configuration / disable...
Similar Messages
-
5760 WLC & ISE 1.2 PEAP Issues
I have the following setup:
WLC 5508 (7.4.100)
WLC 5760 (03.03.02) (I'm replacing the 5508 with the 5760)
ISE 1.2
I'm currently running 802.1X PEAP with external AD authentication on the 5508 and everything is working 100%.
As soon as I switch the users over to the 5760 I get the following errors on the ISE:
Event
5440 Endpoint abandoned EAP session and started new
Failure Reason
5440 Endpoint abandoned EAP session and started new
Resolution
Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause
Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
I took the config from a working 5760; why would this one give the above errors?
Jaco
Hello!
Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
Thanks, Irina -
3945BG Intel Adapter PEAP issue
Hi, we have a few SONY laptops with this built-in adapter. Unfortunately, these adapters do not seem to work when PEAP on WinXP is used with Cisco APs. TAC has already disowned this issue, saying it is an Intel issue. As we are not getting much support from our laptop vendor, I am just curious if anyone has had this issue and found any good workaround...
If any third-party supplicant can overcome this issue, please provide pointers. We would like to evaluate before purchasing it.
Well, FYI, I have upgraded to the latest firmware on the Intel.
Checked this link; the SONY only supports CCX v3, and that part of PEAP may not work with a Cisco AP.
http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
http://www.cisco.com/warp/public/765/ccx/versions_and_features.shtml
Better check with SONY what their CCX support version is, or try to use another authentication method...
Hope this helps. -
Please excuse the lousy table... It's late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims-based web application that authenticates to ADAM for the extranet. I have configured the servers exactly to MSDN and TechNet specs (following this spec to the letter: http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!!, which is a single-server farm. However, it does not work in production. I get the following:
Claims Auth log entries:
Time | Process | Thread | Product | Category | EventID | Level | Message
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
I have tried EVERYTHING (well, not everything, I don't have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the app pool ID correctly.
That's not the case for me. It works in dev and the same IDs are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
This was interesting... but I am patched up beyond the June 2011 CU, so it's a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!
Hi.
You say it's a multi-server farm; do you have more than one web server then?
If that's the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com -
AP authentication/join issue
I am having issues joining new 1242 LAPs to my controller. I am receiving the following error on my controller:
AAA Authentication Failure for UserName:5475d01144f0 User Type: WLAN USER
The username is the MAC of my new 1242 LAP. Older 1242 LAPs have no issue. I have 70 of the newer ones that I have just installed and they fail to join the controller with the above error message. I'm not sure how to resolve this. Any help would be appreciated. Thanks.
Brandon
Hi Brandon,
Good question. It sounds like your WLC may be authorizing LAPs via an auth-list or AAA. You can view these settings here:
Web GUI --> Security --> AAA --> AP Policies
If you do not wish to authorize the APs via an auth-list or AAA, simply uncheck the following option:
Authorize MIC APs against auth-list or AAA
Cheers.
Drew -
AP 1200 local authentication PEAP
Can I use an AP 1200 with a configured local RADIUS server as the authenticator for Windows XP clients using the PEAP authentication method?
Unfortunately the answer is no, because the PEAP method is based on certificate authentication, with a certificate installed on the server and on the client; since you cannot install the certificate on the AP, it would not work.
-
MS Active Directory LDAP Authentication/Locking Issue.
Dear All,
We are a software company; we have implemented an LDAP authentication feature in our product using the Java API, and it's working fine in our network environment.
We have used following things with LDAP feature.
1. User Authentication.
2. Locking the account after exceeding the maximum attempts configured in Windows Server.
Our main issue is: the LDAP feature is not working properly on our client's side. They are able to authenticate their LDAP user but are not able to lock the user account even though they have exceeded the maximum attempts from the login dialog of our product, while it is still working on our side.
If anybody has any experience with this, please reply with a positive solution or any other information, such as whether specific configuration is required for different versions of Windows and Active Directory Server, etc.
Does anybody know what the possibilities are for identifying and resolving this issue?
Please help us if anybody has any experience with this.
Please do the needful.
Thanks,
Mehul.
Hi,
Thanks for your reply.
We have used the Java packages javax.naming.* and javax.naming.directory.* for LDAP authentication.
The following code checks whether the ADS user is valid or not.
import java.util.Hashtable;
import java.util.Vector;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Assumed members of the enclosing class (not shown in the post):
//   String userNameStr, userPassStr;              // credentials from the login dialog
//   Vector getADSInfo();                          // element 0 = AD host/domain, element 1 = LDAP port
//   int SUCCESS, AUTHENTICATION_ERROR, COMMUNICATION_ERROR;

/**
 * Function checks whether ADSUser is valid user or not
 * @return int value indicating result.
 */
public int isValidADSUser() {
    Hashtable<String, String> env = new Hashtable<String, String>(5);
    Vector adsInfoVec = getADSInfo();
    // Simple bind: the password is sent in cleartext unless the provider URL is ldaps://
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    String provider = "com.sun.jndi.ldap.LdapCtxFactory";
    env.put(Context.INITIAL_CONTEXT_FACTORY, provider);
    // For handling the "Unprocessed Continuation Reference(s)" PartialResultException
    env.put(Context.REFERRAL, "follow");
    env.put("java.naming.ldap.derefAliases", "always");
    env.put("java.naming.ldap.deleteRDN", "false");
    env.put("java.naming.ldap.attributes.binary", "");
    env.put(Context.PROVIDER_URL,
            "ldap://" + (String) adsInfoVec.elementAt(0) + ":"
                      + (String) adsInfoVec.elementAt(1));
    // UPN-style principal: user@domain
    env.put(Context.SECURITY_PRINCIPAL,
            userNameStr + "@" + (String) adsInfoVec.elementAt(0));
    // An empty password makes JNDI perform an anonymous bind, which the server accepts,
    // so a null/empty password must be rejected here instead of being turned into "".
    if (userPassStr == null || userPassStr.length() == 0) {
        return AUTHENTICATION_ERROR;
    }
    env.put(Context.SECURITY_CREDENTIALS, userPassStr);
    try {
        DirContext ctx = new InitialDirContext(env);   // the bind happens here
        ctx.lookup("");
        ctx.close();
    } catch (AuthenticationException ex) {
        // Bad password, locked or disabled account; AD says which in ex.getMessage()
        ex.printStackTrace();
        return AUTHENTICATION_ERROR;
    } catch (PartialResultException pex) {
        pex.printStackTrace();
        return COMMUNICATION_ERROR;
    } catch (CommunicationException cex) {
        cex.printStackTrace();
        return COMMUNICATION_ERROR;
    } catch (NamingException e) {
        System.out.println("Failed to connect to " + env.get(Context.PROVIDER_URL));
        e.printStackTrace();
        return COMMUNICATION_ERROR;
    }
    return SUCCESS;
}
Result of this code at our company: we are able to authenticate the LDAP user and also lock the user account after exceeding the max failure attempts configured on Windows Server.
Result of this code on our client's side: they are able to authenticate the LDAP user, but the user account does not lock even after exceeding the max failure attempts configured on their Windows Server.
Can you please help us if you have any experience with this, and suggest whether any other configuration is required on Windows Server / Active Directory Server, or whether some other implementation is required to resolve this issue?
Your optimistic reply is much appreciated.
Thanks,
Mehul Garnara.
Edited by: [email protected] on Mar 6, 2008 10:24 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM
Edited by: [email protected] on Mar 6, 2008 10:25 PM -
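As an added example (not code from Mehul's post or from his product), here are the two helpers a practitioner would want next to the JNDI bind above when a customer says "authentication works but the account never locks". The Sun/Oracle JNDI LDAP provider puts Active Directory's bind diagnostic into AuthenticationException.getMessage(), in the form "[LDAP: error code 49 - 80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 775, v1db1 ]", and the hex sub-code after "data" says whether the DC rejected the bind for a wrong password (52e) or because the account is locked (775), disabled (533), expired (701) and so on. Logging that code on both sides shows whether the customer's domain controllers ever report a lockout at all; whether they do depends on the domain's account lockout threshold (0 means never lock), and badPwdCount is a non-replicated attribute kept per DC (failures are forwarded to the PDC emulator), so read it on the DC that took the binds or on the PDC emulator. The second helper converts AD's lockoutTime/badPasswordTime values (100-nanosecond ticks since 1601-01-01 UTC) to a java.time.Instant. The sample messages and the lockoutTime value in main() are constructed for the demo.

```java
import java.time.Instant;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Classifies the AD-specific diagnostic that accompanies LDAP result code 49. */
public class AdBindDiagnostics {

    public enum Reason {
        INVALID_CREDENTIALS, USER_NOT_FOUND, ACCOUNT_LOCKED, ACCOUNT_DISABLED,
        PASSWORD_EXPIRED, ACCOUNT_EXPIRED, MUST_CHANGE_PASSWORD,
        LOGON_TIME_RESTRICTED, WORKSTATION_RESTRICTED, UNKNOWN
    }

    // "... AcceptSecurityContext error, data 775, v1db1" -> capture the hex code after "data"
    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Maps the AD sub-code in a bind failure message to a reason; UNKNOWN if absent. */
    public static Reason classify(String exceptionMessage) {
        if (exceptionMessage == null) return Reason.UNKNOWN;
        Matcher m = DATA_CODE.matcher(exceptionMessage);
        if (!m.find()) return Reason.UNKNOWN;
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "525": return Reason.USER_NOT_FOUND;
            case "52e": return Reason.INVALID_CREDENTIALS;
            case "530": return Reason.LOGON_TIME_RESTRICTED;
            case "531": return Reason.WORKSTATION_RESTRICTED;
            case "532": return Reason.PASSWORD_EXPIRED;
            case "533": return Reason.ACCOUNT_DISABLED;
            case "701": return Reason.ACCOUNT_EXPIRED;
            case "773": return Reason.MUST_CHANGE_PASSWORD;
            case "775": return Reason.ACCOUNT_LOCKED;
            default:    return Reason.UNKNOWN;
        }
    }

    /** AD stores lockoutTime/badPasswordTime as 100-ns ticks since 1601-01-01 UTC. */
    public static Instant filetimeToInstant(long filetime) {
        final long EPOCH_DIFF_SECONDS = 11644473600L; // 1601-01-01 -> 1970-01-01
        long seconds = filetime / 10_000_000L - EPOCH_DIFF_SECONDS;
        long nanos = (filetime % 10_000_000L) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape JNDI puts into AuthenticationException
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1 ]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v1db1 ]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v1db1 ]",
            "[LDAP: error code 49 - Invalid Credentials]"   // non-AD server: no sub-code
        };
        for (String s : samples) {
            System.out.println(classify(s) + " <- " + s);
        }
        // lockoutTime of 0 means "not locked"; any other value is the lock timestamp (constructed)
        long lockoutTime = 132845472000000000L;
        System.out.println("lockoutTime = " + filetimeToInstant(lockoutTime));
    }
}
```

In the catch block of isValidADSUser() above, classify(ex.getMessage()) would be called before returning AUTHENTICATION_ERROR; a client whose binds keep returning 52e after more failures than the domain's lockout threshold is not being locked by the DC, which points at policy (or at which DC answered) rather than at the Java code.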
Missing machine authentication - peap acs
Hi,
my setup is:
Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
WLC 4402 ver 4.0.179.8
Aironet 1131 LWAPP
dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
I experience a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The registry keys on the PCs are standard Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
http://support.microsoft.com/kb/309448/en-us
I get these messages in the wlc log:
AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
anyone who can point me in the right direction?
Is it a windows client problem or a WLC/ACS problem?
regards rolf
Hi,
I still have the problem with machine authentication that stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve it is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post: it's not the WLC log that reports this:
AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
It is the CSAuth log on the ACS. Has anybody seen this error message and know what it refers to?
My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the CSAuth log.
regards rolf -
Anchor Guest 3.2.171.6 Web Authentication page issue
Hi folks,
I'm having issues with our Anchor controller here running 3.2.171.6. We're using a chained certificate for our web authentication redirect page to a web server. Sometimes the guest clients are not redirected to the web authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the IPsec VPN module. Any ideas would be appreciated.
You need to try to find a non-chained certificate. I know that most CAs do not use these anymore, but you need to find one. The WLC does not support chained certificates until 5.2. It may work, but it is not supported.
HTH,
Steve -
"Authentication Failure" Issue on most devices.
I'm getting an "Authentication Failure" when installing my J2ME app OTA to most devices I've tried, including Pantech, Samsung, and Nokia ones (all AT&T or unlocked). I've included my (censored) JAD file below.
The entire application downloads to the device, and I can view the certificate info and there are three Thawte certificates, as expected.
All HTTP references exist.
The Thawte Root Certificate is present on the device.
I signed the JAD during NetBeans build by choosing so in the Signing section of the project properties.
I've tried using jarsigner in lieu of and in addition to the NetBeans method.
I've experimented with various MIDlet-Permissions as required/optional, and including/excluding various JAD parameters like MIDlet-Data-Size.
I've even tried desperate things like changing the CLDC/MIDP config, messing with the version number, and changing the icon file type.
I've read dozens on posts on the subject and I am really stumped. Thanks in advance for any assistance.
MIDlet-1: Example,http://www.example.com/dist/desktop_32.png,com.example.mobile.view.View
MIDlet-Certificate-1-1: (removed)
MIDlet-Certificate-1-2: (removed)
MIDlet-Certificate-1-3: (removed)
MIDlet-Data-Size: 3000000
MIDlet-Description: App Description
MIDlet-Icon: http://www.example.com/dist/desktop_32.png
MIDlet-Info-URL: http://www.example.com/help.php
MIDlet-Jar-RSA-SHA1: (removed)
MIDlet-Jar-Size: 148060
MIDlet-Jar-URL: http://www.example.com/test/ExampleMobile.jar
MIDlet-Name: ExampleMobile
MIDlet-Permissions-Opt: javax.microedition.io.Connector.file.read, javax.microedition.io.Connector.file.write, javax.microedition.io.Connector.https, javax.microedition.io.Connector.http, javax.microedition.pim.ContactList.read, javax.microedition.pim.ContactList.write, javax.microedition.pim.EventList.read, javax.microedition.pim.EventList.write, javax.microedition.location.Location
MIDlet-Vendor: Example
MIDlet-Version: 0.2.18
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
One of the stupid reasons for the invalid descriptor (OTA 907) on Samsung (in my opinion Samsung is just a visual device, with buggy implementations and a lack of documentation, compared to Nokia and Sony Ericsson):
If you specify an https URL in the JAD for "MIDlet-Jar-URL", then Samsung gives this error.
And why? I don't know; nobody knows.
No documentation.
Read the MIDP specs and there is no such thing.
Read the Samsung docs if you can find any; no result.
And you spend your time on stupid Samsung issues, again.
Anyway, look at this; the problem can be resolved as follows:
Here is a typical JAD that runs well on Nokia devices and fails with 907 on Samsung:
MIDlet-1: Test OTP, /smlogo.png, testMIDlet
MIDlet-Icon: /smlogo.png
MIDlet-Jar-Size: 39122
MIDlet-Name: Test OTP
MIDlet-Vendor: None
MIDlet-Version: 2.12
Manifest-Version: 1.0
MicroEdition-Configuration: CLDC-1.0
MicroEdition-Profile: MIDP-2.0
MIDlet-Jar-URL: https://xx/wap/midlet/xx.jad
MIDlet-Install-Notify: https://xx/wap/notify.jsk?jaduid=123
MIDlet-Delete-Notify: https://xx/wap/notify.jsk?jaduid=123
And if you change https into http, then it runs well.
That is all. -
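As an added example, not from either post above, a small JAD sanity checker in Java that applies the MIDP 2.0 descriptor rules a handset checks before it gets as far as the signature: the five attributes every JAD must carry, a MIDlet-1 entry, and the pairing of MIDlet-Jar-RSA-SHA1 with a contiguous MIDlet-Certificate-1-n chain (a JAD with the signature but no certificate, or with a gap in the chain, cannot be verified). It also flags an https MIDlet-Jar-URL, solely because the reply above reports that as the trigger for 907 on Samsung handsets; the MIDP spec itself does not forbid it. The sample JAD in main() is constructed from the second descriptor in the thread.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Pre-flight checks for a MIDP 2.0 JAD before an OTA install attempt. */
public class JadChecker {

    // Attributes MIDP 2.0 requires in every application descriptor
    private static final String[] REQUIRED = {
        "MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor", "MIDlet-Jar-URL", "MIDlet-Jar-Size"
    };
    private static final String CERT_PREFIX = "MIDlet-Certificate-1-";

    /** Parses "Key: value" lines; a later duplicate key overwrites an earlier one. */
    public static Map<String, String> parse(String jadText) {
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        for (String line : jadText.split("\r?\n")) {
            int colon = line.indexOf(':');
            if (colon <= 0) continue;                       // blank or malformed line
            attrs.put(line.substring(0, colon).trim(), line.substring(colon + 1).trim());
        }
        return attrs;
    }

    /** Returns a list of human-readable problems; empty means the JAD passed. */
    public static List<String> check(Map<String, String> jad) {
        List<String> problems = new ArrayList<String>();
        for (String key : REQUIRED) {
            if (!jad.containsKey(key)) problems.add("missing required attribute " + key);
        }
        if (!jad.containsKey("MIDlet-1")) problems.add("no MIDlet-1 entry, nothing to launch");

        String size = jad.get("MIDlet-Jar-Size");
        if (size != null && !size.matches("[0-9]+")) {
            problems.add("MIDlet-Jar-Size is not a number: " + size);
        }

        String jarUrl = jad.get("MIDlet-Jar-URL");
        if (jarUrl != null && jarUrl.toLowerCase(Locale.ROOT).startsWith("https://")) {
            problems.add("MIDlet-Jar-URL uses https; reported to fail with 907 on Samsung, use http");
        }

        // A signed JAD needs both the signature and the first certificate of the chain
        boolean hasSig = jad.containsKey("MIDlet-Jar-RSA-SHA1");
        boolean hasCert = jad.containsKey(CERT_PREFIX + "1");
        if (hasSig != hasCert) {
            problems.add("signed JAD must carry both MIDlet-Jar-RSA-SHA1 and MIDlet-Certificate-1-1");
        }
        // Chain indices must be contiguous: 1-1, 1-2, 1-3 ... with no gaps
        int next = 1;
        while (jad.containsKey(CERT_PREFIX + next)) next++;
        for (String key : jad.keySet()) {
            if (key.startsWith(CERT_PREFIX)
                    && Integer.parseInt(key.substring(CERT_PREFIX.length())) >= next) {
                problems.add("gap in certificate chain before " + key);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: the descriptor from the reply that fails with 907 on Samsung
        String jad =
            "MIDlet-1: Test OTP, /smlogo.png, testMIDlet\n" +
            "MIDlet-Name: Test OTP\n" +
            "MIDlet-Vendor: None\n" +
            "MIDlet-Version: 2.12\n" +
            "MIDlet-Jar-Size: 39122\n" +
            "MIDlet-Jar-URL: https://xx/wap/midlet/xx.jad\n" +
            "MicroEdition-Configuration: CLDC-1.0\n" +
            "MicroEdition-Profile: MIDP-2.0\n";
        List<String> problems = check(parse(jad));
        if (problems.isEmpty()) System.out.println("JAD looks sane");
        for (String p : problems) System.out.println("- " + p);
    }
}
```

For the first JAD in the thread (three certificate attributes plus MIDlet-Jar-RSA-SHA1) the checker passes, which is consistent with the poster's report that the device shows three Thawte certificates; an authentication failure there is a trust question on the handset (which root the chain ends in, and which protection domain that root belongs to), not a descriptor defect.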
A user who is part of Domain Users tries to open an Office file from a document library but gets an authentication prompt asking him to authenticate. Domain Users only has access to this library and not to the whole site. This used to work in SharePoint 2007 without any problem but not in SharePoint 2013; we didn't have a workflow on SP2007.
Domain Users has read access to only this document library in the site, but he shouldn't get an authentication prompt since he is part of Domain Users and he is not trying to modify the document; he can open the document but gets two prompts, and he also can't see the list using Explorer view, since nothing appears using the Explorer view.
Now, when opening the file, we can see "Updating Workflow Status", but we don't have any workflow working on this site or library, or even any feature related to workflow.
If we go to the event viewer in the server, we find this information,
I also checked this thread but I couldn't find this scenario.
https://social.technet.microsoft.com/Forums/sharepoint/en-US/91bc770b-bb70-4885-a4ad-a243edb88753/event-id-8026-workflow-soap-getworkflowdataforitem-failed-doc-library-no-workflow?forum=sharepointgeneralprevious
I also created another list with the same permissions and using other office files but got the same behavior.
Now, we have migrated this site from SP2007 to SP2013.
Any ideas?
OK, I am going to throw out a lot of ideas here so hopefully they get you closer to a diagnosis. Hang on :)
Does it happen to work for some users but not others? If so, try logging in on the "good" computer with the "bad" username. This will tell you if the problem is related to the end user's system. Also, once the user downloads a document successfully, can they open and work on it in Word? Also, does the document library have any custom content types associated with it or does it just use 'Document'?
I notice that there are other folks on the web that have run into this same problem and the similarity seems to be that they are either on SharePoint 2007 or have upgraded from 2007. Did this doc library start out as a 2007 library?
What you might want to do is this: make a site collection from scratch in 2013 (or find one that you know was created in 2013). Choose team site (or whatever you want) for the root web and set up the security the same way you have it on the malfunctioning library. Now, use Windows Explorer to copy and paste some of the documents to the new location. Be sure you recreate any needed content types. Now test it from the troubled user's computer.
I'm thinking there may be something that is different about the library since it was migrated through various versions and updates since 2007. I've sometimes found that there can be problems (especially with user profiles, but that's a different story) with things that go through this evolution. -
iTunes U has just started rejecting our authentication credentials, debug shows that the credentials are valid but originated too far in the past. We understand there is a 90 second time window. We seem to be within a few seconds of Apple's time server.
Bumping the time ahead by one minute on our server allows the scripts to start working... but then fail again (like the next day)
Is it possible that the server that generates our tokens on Apple's side might be out of phase?
Any help would be appreciated.
thanks
db
I don't want to rule out the possibility that Apple's clocks are out of phase... but if what you're describing were happening at our site, I would so totally think it a problem with our clocks. The reason is that such a wide variety of computers hook up with Apple... we probably all sink or swim together on this.
But hey, let's say there is some kind of problem with Apple's iTunes U clock. A sneaky, sneaky way of fixing it would be to tell your server to use Apple's NTP server as its NTP server. That way, if Apple's clock is wrong, yours will be wrong by the same amount.
NTP to time.apple.com -
ISE Authentication timers issues
Is there a way within ISE so that when a machine uses dot1x to authenticate that it will not occur for an extended period of time?
You can disable re-authentication or send the values from ISE.
It's actually best practice to disable reauthentication or if needed, keep it above 2 hours. -
Authentication distance issues
hello,
I have the same issues on multiple access points (all cisco 1200s - in different sites) in which users cannot authenticate until they walk close to the AP. (a site survey was done before installation) - and I get good link quality from the users cards. (always in the green) but for some reason they cannot authenticate until they get closer to the AP. After they authenticate they are able to roam anywhere with good signal strength.
I am running:
WPA w/ tkip, with EAP (GTC is the second stage) with the certificate stored in the correct store on the client.
"Best Range" has been selected in the settings page of the radio. (require 1 mb/sec and enable all the other speeds)
CCK and OFDM transmit power are both set to "Max" on the same page.
Limit Client Power is set to max also.
anybody have any ideas?
thanks in advance,
Blaine
Are you using multiple VLANs and DHCP? We had a similar problem; the root cause was failure of the client to receive an IP. On the AP that the client is associating with you can issue the command
sh wlccp wds mn
to see if the client is receiving an IP, although my preferred way is to watch the network connection progress displayed by Windows.
Did you have this problem with 12.2(15)JA? -
Access gate SDK, authentication and issues/bug
I have been trying to test authentication against CORE ID using the access gate SDK for java and following the samples that installed with the SDK.
I simulate user account lock-out and password-about-to-expire (in two days) situations. Doing the form-based Access Server authentication, I am able to see the error messages, and in the case of a locked account, it doesn't log me in.
Using access gate SDK, it successfully creates a ObUserSession object for the protected resource, shows user as LOGGED_IN and the getStatus() returns normal. There is no indication of the actual status of the user account on the server !
It does, catch the actual pwd expired status, as mentioned in the documentation.
Is there anything missing here?
Couple of options. You seem to have taken the Access Gate-based approach. I will throw this in anyway and you can make a call which one you want to use.
If its a web application you can control authorization based on Resource by defining policy in the Access Manager.
You mentioned about the display of one area in one page. That should be driven off of a user attribute or custom logic. If it is driven off of a user attribute then you can return a header variable and check it in the code as opposed to writing a custom access gate.
Now if you do want to write custom access gate when the resource is already protected by a Web gate,
you can get the ObSSOCookie from the users browser session.
You can pass the URL to the IsAuthorized method and call.
Now here you have to install the Access Server SDK on the server, create custom access gate and then write the code and deploy it on that server.
Thanks
Ram