Authentication Problem with ACS 5.2 Using LDAP

Similar Messages

• Problem with ACS 4.1 using certificate

  I have an ACS 4.1 appliance, I have already configured ACS in order to work with certificate. I got the certificate from ACS, I already installed it as the installation guide says . Additionally I configured the card's controller in my PC in order to manage certificate.
  Whe I try to be validated from ACS I can not go on because a message appears and says " click to select a certificate " , after click a windows appears asking user and password however I expected not receive this window.
  The switch's port were configured as follows:
  aaa new-model
  aaa authentication dot1x default group radius+
  dot1x system-auth-control
  interface GigabitEthernet1/0/4
  switchport mode access
  dot1x mac-auth-bypass eap
  dot1x pae authenticator
  dot1x port-control auto
  dot1x timeout quiet-period 15
  dot1x timeout tx-period 3
  dot1x reauthentication
  radius-server host (ip address) auth-port 1645 acct-port 1646
  radius-server source-ports 1645-1646
  radius-server key password
  What am I doing wrong or there is something left???

  1) Did you install the Certificate file in the local machine? (Right click >> Install Certificate >> And so on..)
  2) Are you using the built-in Dot1x supplication in WIndows XP? Is the setting to MD5?
  3) Did you Selected this installed certificate from the drop-down Menu in the wireless software?
  Regards
  Farrukh

• TS3899 With Yahoo Mail, and anotare account (Inacap Mail), I can only receive mails but I can't send emails. I don't know if this is a problem of the iPad or it is a problem with yahoo mail, because using Gmail and the email of my job I don' have this pro

  With Yahoo Mail, and anotare account (Inacap Mail), I can only receive mails but I can't send emails. I don't know if this is a problem of the iPad or it is a problem with yahoo mail, because using Gmail and the email of my job I don' have this problem.

  Google them to confirm the settings that you need for the outgoing server, then check the setting you entered on the pad.  Pay real close attention to the outgoing server name, and port.  You may need to change in on the pad. 

• Problems with a shared calendar using Outlook 2007 and Exchange 2010

  Hello all,
  We are having a problem with sharing a calendar using Outlook 2007 and Exchange 2010.
  I will start with some background. I have just started my position with this company. I have been working with networks for awhile at the small business level. I have not had much production experience with exchange. There is only myself and my supervisor
  who has inherited a midsized network which was built by five previous techs that are no longer with the company. Of course, the previous techs did not leave much documentation, so the original hows and whys for our system setup has been lost.
  One of the managers has a calendar she shares with some of our users. I believe this calendar has been in use since sometime in 2006. A mailbox was created to hold this calendar to keep it separate from the managers calendar. I am not sure what version
  of exchange they were using at that time, but I assume there was one or two migrations of it getting to its current state on our exchange 2010 server. At some point it was observed that the other workers she was sharing with were not able to access it correctly.
  I am not fully sure what the original problem was (possibly some people not being able to see or connect to the calendar), but it was decided to give everyone who needed access to this calendar full access permissions through exchange. Correct me if I
  am wrong, but I believe that gave everyone connected the ability to do anything with the calendar. Of course the manager was not happy about that. This is where I started working on the problem.
  I removed everyone, except the manager who wants to control the calendar, from having "Full Access Permissions". This did have the effect of making some people just able to see the calendar and not make changes. Though there were others that were
  able to connect to the calendar who I thought would not be able to. The manager that originally created the calendar did try to manage access to it through the Outlook interface, though it currently does not seem to be fully in effect.
  So, to get to the point of what we are trying to do, is there a way to get the original manager back into control of the calendar though Outlook? It would be preferred to be able to keep the history of what they tracked of this calendar, so starting a new
  one would be something we would rather avoid. After that, getting all of the users that need to connect to the calendar reconnected with the correct access permissions and making sure they are all synchronized.
  I realize this is a big mess, and your help would be greatly appreciated.

  Hi Nigel,
  How is the impact, just one user or all users, Outlook or OWA?
  If just one user, it seems like an issue on the Outlook Client side.
  Please trying to re-create new profile to fresh the caches.
  Please runing Outlook under safe mode to avoid some AVs, add-ins and firewall.
  Found a similar thread for your reference:
  Calendar Sharing not available error message
  http://social.technet.microsoft.com/Forums/exchange/en-US/d9b33281-d7bb-4608-8025-16fb26643d0d/calendar-sharing-not-available-error-message?forum=exchangesvrclientslegacy
  Hope it is helpful
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Both xp and windows 7 have video problems with my VGA connection using TV

  both xp and windows 7 have video problems with my VGA connection using TV as my monitor when it gets to starting up windows no matter what version it will not I have let my mac on all night and still says starting windows or the windows 7 logo and nothing else will happen also when I use a 3rd patty software like peraills or other it works like a charm how to fix it?

  To map the drive on your computer click on Start - RUN - type "\\192.168.1.1" and click ok... When prompted for Username and Password type "admin" and click ok... Now you will be able to see the folder which you have shared on  your router, right click on it and select "Map network drive" and click on finish.
  Now it will map the drive on your computer and you should be able to transfer the file from your computer to the USB drive.

• Problems with a VBA Userform using Multipage (2) and DTPicker.

   
  Hi
  Problems with a VBA Userform using Multipage (2) and DTPicker (4)
  On Page1 I've got 2 DTPicker, one for the date and the second for the time.
  Same thing on Page 2.
  Problem:
  Only one set will work, if I close the Userform with" MultiPage"on page2, only that set will work.
  Same thing if I close on Page 1 then just the set on Page 1 will work.
  As anyone seen this problem and any work around you may think would help.
  I'm using Windows 7 , Ms Office Pro. 2003
  same problem on Windows Vista , XL2003
  Cimjet

  There are a number of issues relating to the way that date pickers are handled, but the most important is that their output is text. In order to get the values into Excel, you need to format the Excel columns as Date and Custom (time format) and convert
  the output to the worksheet from text to date values.
  Date pickers also display a few anomalies on multi-page forms, so you need a belt and braces approach. Personally I would put the code to call the form and enter the values in a standard module (as now in the example) and use a belt and braces approach to
  maintaining the format.
  I think you will find the example now works.
  Revised Example
  Graham Mayor - Word MVP
  www.gmayor.com

• Problem with Progress DB while using to connect using JDBC Adapter

  Hi,
    I am facing Problem with Progress DB while using to connect using JDBC Adapter. I am getting the following error in auditlog file like,
  Error during database connection to the database URL  jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb 
  /devsche/i_apoext.db using the  JDBC driver "com.progress.sql.jdbc.JdbcProgressDriver" : com.sap.aii.adapter.jdbc.sql.DriverManagerException: Unable to locate a suitable JDBC driver to establish a connection to URL " jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb 
  /devsche/i_apoext.db "
  I tried using the following all URLs,
  1. jdbc:JdbcProgress:T:156.5.31.65:2545:i_apoext.       
  2. jdbc:JdbcProgress:T:156.5.31.65:2545:i_apoext.db     
  3.                                                      
  jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb 
  /devsche/i_apoext.                                      
  4.                                                      
  jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb 
  /devsche/i_apoext.db.                                  
  Can anyone please help me out in solving this issue.
  May be the cause for this is :
  1) The Wrong URL  format
  2) CLASSPATH is not setted properly..
  Can you look more into this stuff.
  Thanks,
  Soorya.

  Hi,
  To access any database fromm XI, using the JDBC adapter, the corresponding drivers have to be installed on the XI server.
  Just check this note 831162.
  Also, check this PDF to install Drivers in XI,
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/3867a582-0401-0010-6cbf-9644e49f1a10

• Problem with Pole zero analysis using multisim

  Problem with Pole zero analysis using multisim
  When I tried to find input impedance function's pole zero of a parallel LC network using Multisim
  pole zero analysis, I get following message
  | | doAnalyses: matrix is singular
  | |
  | |
  | | pz simulation(s) aborted "
  The circuit as well as log file attached.
  How to correctly perform pole zero analysis?
  Solved!
  Go to Solution.
  Attachments:
  Parallel LC.JPG ‏8 KB
  parallel LC.txt ‏7 KB

  dear sir,
  thanks for your earlier reply to my question on pole zero analysis
  one more problem on pole zero analysis ;
  i tried to do pole zero analysis for circuit(shown in attached file where C1=1/6F(167mF) C2=5/18F(278mF) for which
  z(s)= (s^2+9)(s^2+1)
             s(s^2+4)
  for which zeros are at  +/-3j ,+/-1j
                poles at       0 ,+/-2j          as per theory:
  But multisim gives different values (shown in attached file)
  what is the problem?
  please clarify.
  thanks & regards
  sagar vanarase
  Attachments:
  1portLC.JPG ‏219 KB

• Problem with two monitors while using Photoshop, windows move from 2nd screen to 1st screen.

  Problem with two monitors while using Photoshop, windows move from 2nd screen to 1st screen.
  I saved a new workspace and it did not help.
  No problem before I went to Maverick.

  I found the fix, go to System Preferences and open Mission Control and uncheck the box to keep monitors as they were (When switching to an application...........)

• Is anyone using iPhoto having a problem with the slide show using shatter where it does not let you put a title over photo?

  Is anyone using iPhoto having a problem with the slide show using shatter where it does not let you put a title over photo? It use to work but it no longer lets you place a title over the opening photo.

  Is your signature still current?(iPhoto '08, OS X Mountain Lion (10.8.4))    I can confirm this for iPhoto '11; Shatter will only show the text slide title between the slides. Ken Burns and Classic theme can still be set to overlay the caption and title directly over the slides.

• I had a problem with slowness so I used "reset". The popup ran forever so I stopped it. Now I can't remove or add the program.

  I had a problem with slowness so I used "reset". The popup ran forever so I stopped it. Now I can't use, remove, or add the program. How do I proceed?
  TIA,
  BWSwede

  You can paste that path in the command line in the Windows Explorer file manager.

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• LMS 3.2 - Problem with inventory of switches using AAA authentication

  Hi all,
  we want to migrate our network equpiment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for priv level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when device login credentials are telnet password, enable password.
  I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked it by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks could't pull an inventory of the switch any more. Every inventory job failed.
  Any help would be appreciated. Thanks a lot.
  Regards
  fred

  Joe,
  excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
  fred

• ISE 1.2 web authentication problem with wired clients

  Hello,
  i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
  Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
  here the output form the debug aaa coa log.
  Any ideas
  thanks in advanced
  Alex
  ! CLIENT CONNECT TO SWITCHPORT
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
              User-Name:  00-1F-29-7B-BD-82
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026B28C02CDC
        Acct Session ID:  0x0000029C
                 Handle:  0x8C00026C
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
  ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
  ISE-TEST-SWITCH#
  191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
  191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
  191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
  191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
  191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
  191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
  191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
  191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
  191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
  191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
  191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
  191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
  191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
  191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
  191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
  191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
  191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
  191543: .Jun 24 10:42:24.349 UTC:
  191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
  191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
  191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
  191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
  191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
  191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
  ISE-TEST-SWITCH#
  191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
  191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
  191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
  191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
  191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
  ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
  ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
  ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
  ISE-TEST-SWITCH#show authentication sessions interface gi0/3
              Interface:  GigabitEthernet0/3
            MAC Address:  001f.297b.bd82
             IP Address:  10.2.12.45
                 Status:  Running
                 Domain:  UNKNOWN
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-auth
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1484640000026C28C2FA05
        Acct Session ID:  0x0000029D
                 Handle:  0x2C00026D
  Runnable methods list:
         Method   State
         dot1x    Running
         mab      Not run

  Guest authentication failed: 86017: Session cache entry missing
  try adjusting the UTC timezone during the guest creation in the sponsor portal.
  86017
  Guest
  Session Missing
  Session ID missing. Please contact your System Administrator.
  Info

• Problem with sun outlook connector,  Microsoft LDAP services

  Dear All
  I have big problem with sun outlook connector and I can find any way to fix the problem,
  I am using sun java system connector deployment to create installation script for my clients.
  in the tool I have specify the location of Microsoft LDAP services, I am using outlook 2003 and sun say this option is not needed for outlook 2003, if I try to create the script and run the script on target client I will receive below error,
  I tried the office CD-ROM as path for LDAP services but the outlook connector says there is no LDAP services on the CD and I receive same error,
  19:02:29 [5365] Outlook version is 11.0.5608.0.
  19:02:29 [5376] Adding MAPI directory 'C:\Program Files\Common Files\System\MAPI\1033' to PATH.
  19:02:29 [5475] TMP directory is 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp'.
  19:02:31 [5362] Checking Windows version.
  19:02:31 [5363] Windows version is 5.1.
  19:02:31 [5364] Checking Outlook version.
  19:02:31 [5509] Checking default mail client.
  19:02:31 [5508] Default mail client is 'Microsoft Outlook'.
  19:02:31 [5178] Verifying that Outlook is not running.
  19:02:31 [5179] Trying to login to shared session.
  19:02:31 [5369] Installing Sun Java System MAPI Service Providers using 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp\Sun Outlook Connector\sunone-mapi-services.msi'.
  19:02:32 [5502] Upgrading the Sun Java System MAPI Service Providers.
  19:02:40 [5370] Finished installing Sun Java System MAPI Service Providers.
  19:02:40 [5366] Checking whether Sun Java System MAPI Service Providers are installed.
  19:02:40 [5367] Sun Java System MAPI Service Providers are installed.
  19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
  19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
  19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
  19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
  19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
  19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
  19:02:41 ERROR: Microsoft LDAP Directory MAPI Service Provider must first be installed.
  Best regards
  Mo

  This is likely to depend on the version of the OC you have. The released one isn't supposed to work with Outlook 2003. Please contact Tech Support for the latest version and help.