Authentication Problem with ACS 5.2 Using LDAP
HI!
I want to use LDAP for connecting to Active Directory, but I get this error from ACS 5.2 (22056 Subject not found in the applicable identity stores). Is there anyone who can help me?
I used this configuration in ACS 5.2:
Users and Identity Stores / External identity store / ldap / Directory Organization
Subject ObjectClass : User
Subject Name attribute : sAMAccountName
Group ObjectClass : Group
Group Map Attribute : MemberOf
Two questions:
- did you press "Test Bind to Server" from LDAP "Server Connection" tab and "Test Configuration" from "Directory Organization" tab?
- did you select the LDAP database as the result in the identity policy?
Similar Messages
-
Problem with ACS 4.1 using certificate
I have an ACS 4.1 appliance, and I have already configured ACS to work with certificates. I got the certificate from ACS and installed it as the installation guide says. Additionally, I configured the card's controller in my PC in order to manage certificates.
When I try to be validated by ACS I cannot go on, because a message appears that says "click to select a certificate"; after clicking, a window appears asking for user and password. However, I expected not to receive this window.
The switch's port was configured as follows:
aaa new-model
aaa authentication dot1x default group radius+
dot1x system-auth-control
interface GigabitEthernet1/0/4
switchport mode access
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
dot1x reauthentication
radius-server host (ip address) auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key password
What am I doing wrong, or is there something left?
1) Did you install the certificate file on the local machine? (Right click >> Install Certificate >> and so on.)
2) Are you using the built-in Dot1x supplicant in Windows XP? Is the setting to MD5?
3) Did you select this installed certificate from the drop-down menu in the wireless software?
Regards
Farrukh
-
With Yahoo Mail, and another account (Inacap Mail), I can only receive mails but I can't send emails. I don't know if this is a problem of the iPad or a problem with Yahoo Mail, because using Gmail and the email of my job I don't have this problem.
Google them to confirm the settings that you need for the outgoing server, then check the settings you entered on the pad. Pay real close attention to the outgoing server name and port. You may need to change it on the pad.
-
Problems with a shared calendar using Outlook 2007 and Exchange 2010
Hello all,
We are having a problem with sharing a calendar using Outlook 2007 and Exchange 2010.
I will start with some background. I have just started my position with this company. I have been working with networks for awhile at the small business level. I have not had much production experience with exchange. There is only myself and my supervisor
who has inherited a midsized network which was built by five previous techs that are no longer with the company. Of course, the previous techs did not leave much documentation, so the original hows and whys for our system setup has been lost.
One of the managers has a calendar she shares with some of our users. I believe this calendar has been in use since sometime in 2006. A mailbox was created to hold this calendar to keep it separate from the managers calendar. I am not sure what version
of exchange they were using at that time, but I assume there was one or two migrations of it getting to its current state on our exchange 2010 server. At some point it was observed that the other workers she was sharing with were not able to access it correctly.
I am not fully sure what the original problem was (possibly some people not being able to see or connect to the calendar), but it was decided to give everyone who needed access to this calendar full access permissions through exchange. Correct me if I
am wrong, but I believe that gave everyone connected the ability to do anything with the calendar. Of course the manager was not happy about that. This is where I started working on the problem.
I removed everyone, except the manager who wants to control the calendar, from having "Full Access Permissions". This did have the effect of making some people just able to see the calendar and not make changes. Though there were others that were
able to connect to the calendar who I thought would not be able to. The manager that originally created the calendar did try to manage access to it through the Outlook interface, though it currently does not seem to be fully in effect.
So, to get to the point of what we are trying to do, is there a way to get the original manager back into control of the calendar though Outlook? It would be preferred to be able to keep the history of what they tracked of this calendar, so starting a new
one would be something we would rather avoid. After that, getting all of the users that need to connect to the calendar reconnected with the correct access permissions and making sure they are all synchronized.
I realize this is a big mess, and your help would be greatly appreciated.
Hi Nigel,
How is the impact, just one user or all users, Outlook or OWA?
If just one user, it seems like an issue on the Outlook Client side.
Please try re-creating a new profile to refresh the caches.
Please try running Outlook in safe mode to avoid some AVs, add-ins and firewall.
Found a similar thread for your reference:
Calendar Sharing not available error message
http://social.technet.microsoft.com/Forums/exchange/en-US/d9b33281-d7bb-4608-8025-16fb26643d0d/calendar-sharing-not-available-error-message?forum=exchangesvrclientslegacy
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support
-
Both xp and windows 7 have video problems with my VGA connection using TV
Both XP and Windows 7 have video problems with my VGA connection using a TV as my monitor. When it gets to starting up Windows, no matter what version, it will not. I have left my Mac on all night and it still says starting Windows or shows the Windows 7 logo and nothing else will happen. Also, when I use 3rd party software like Parallels or other, it works like a charm. How to fix it?
To map the drive on your computer click on Start - RUN - type "\\192.168.1.1" and click ok... When prompted for Username and Password type "admin" and click ok... Now you will be able to see the folder which you have shared on your router, right click on it and select "Map network drive" and click on finish.
Now it will map the drive on your computer and you should be able to transfer the file from your computer to the USB drive.
-
Problems with a VBA Userform using Multipage (2) and DTPicker.
Hi
Problems with a VBA Userform using Multipage (2) and DTPicker (4)
On Page1 I've got 2 DTPicker, one for the date and the second for the time.
Same thing on Page 2.
Problem:
Only one set will work; if I close the Userform with "MultiPage" on Page 2, only that set will work.
Same thing if I close on Page 1, then just the set on Page 1 will work.
Has anyone seen this problem, and is there any workaround you think would help?
I'm using Windows 7 , Ms Office Pro. 2003
same problem on Windows Vista , XL2003
Cimjet
There are a number of issues relating to the way that date pickers are handled, but the most important is that their output is text. In order to get the values into Excel, you need to format the Excel columns as Date and Custom (time format) and convert
the output to the worksheet from text to date values.
Date pickers also display a few anomalies on multi-page forms, so you need a belt and braces approach. Personally I would put the code to call the form and enter the values in a standard module (as now in the example) and use a belt and braces approach to
maintaining the format.
I think you will find the example now works.
Revised Example
Graham Mayor - Word MVP
www.gmayor.com
-
Problem with Progress DB while using to connect using JDBC Adapter
Hi,
I am facing Problem with Progress DB while using to connect using JDBC Adapter. I am getting the following error in auditlog file like,
Error during database connection to the database URL jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb/devsche/i_apoext.db using the JDBC driver "com.progress.sql.jdbc.JdbcProgressDriver" : com.sap.aii.adapter.jdbc.sql.DriverManagerException: Unable to locate a suitable JDBC driver to establish a connection to URL " jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb/devsche/i_apoext.db "
I tried using all of the following URLs:
1. jdbc:JdbcProgress:T:156.5.31.65:2545:i_apoext.
2. jdbc:JdbcProgress:T:156.5.31.65:2545:i_apoext.db
3. jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb/devsche/i_apoext.
4. jdbc:JdbcProgress:T:156.5.31.65:2545:/mfgprodev/devbadb/devsche/i_apoext.db.
Can anyone please help me out in solving this issue.
Maybe the cause for this is:
1) The wrong URL format
2) CLASSPATH is not set properly.
Can you look more into this stuff?
Thanks,
Soorya.
Hi,
To access any database from XI using the JDBC adapter, the corresponding drivers have to be installed on the XI server.
Just check this note 831162.
Also, check this PDF to install Drivers in XI,
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/3867a582-0401-0010-6cbf-9644e49f1a10
-
Problem with Pole zero analysis using multisim
When I tried to find input impedance function's pole zero of a parallel LC network using Multisim
pole zero analysis, I get following message
"doAnalyses: matrix is singular
pz simulation(s) aborted"
The circuit as well as log file attached.
How to correctly perform pole zero analysis?
Attachments:
Parallel LC.JPG 8 KB
parallel LC.txt 7 KB
Dear sir,
thanks for your earlier reply to my question on pole zero analysis
one more problem on pole zero analysis ;
I tried to do pole zero analysis for the circuit (shown in attached file, where C1=1/6F(167mF) C2=5/18F(278mF)) for which
z(s) = (s^2+9)(s^2+1) / (s(s^2+4))
for which zeros are at +/-3j, +/-1j
poles at 0, +/-2j as per theory:
But multisim gives different values (shown in attached file)
what is the problem?
please clarify.
thanks & regards
sagar vanarase
Attachments:
1portLC.JPG 219 KB
-
Problem with two monitors while using Photoshop, windows move from 2nd screen to 1st screen.
I saved a new workspace and it did not help.
No problem before I went to Maverick.
I found the fix, go to System Preferences and open Mission Control and uncheck the box to keep monitors as they were (When switching to an application...........)
-
Is anyone using iPhoto having a problem with the slide show using Shatter where it does not let you put a title over a photo? It used to work but it no longer lets you place a title over the opening photo.
Is your signature still current? (iPhoto '08, OS X Mountain Lion (10.8.4)) I can confirm this for iPhoto '11; Shatter will only show the text slide title between the slides. Ken Burns and Classic theme can still be set to overlay the caption and title directly over the slides.
-
I had a problem with slowness so I used "reset". The popup ran forever so I stopped it. Now I can't use, remove, or add the program. How do I proceed?
TIA,
BWSwede
You can paste that path in the command line in the Windows Explorer file manager.
-
802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3
I wondered if anyone can help or shed any light on the following problem.
I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.
Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
2. My config is as below:
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius
dot1x system-auth-control
interface f0/1
switchport mode access
dot1x port-control auto
end
I am able to log in using the RADIUS server, so RADIUS is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
3. The certificate is issued by the CA server, is viewable via Internet Explorer, and is issued to the correct username which is on the Active Directory.
I even tried using local authentication with 802.1x; this did not work.
4. If I have a certificate, will this automatically give me access to the 802.1x port?
5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
Am I missing anything?
Any advice will be greatly appreciated.
Chris
-
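The "Invalid message authenticator in EAP request" error in the first post of this thread refers to the RADIUS Message-Authenticator attribute (type 80, RFC 3579), which is keyed with the shared secret. As an added example, not code from the thread or from Cisco, this shows how a receiver checks that attribute on an Access-Request; the packet, EAP payload and secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # RFC 3579: carries the EAP packet
MESSAGE_AUTHENTICATOR = 80  # RFC 3579: 2-byte header + 16-byte HMAC-MD5 = 18 bytes


def parse_attributes(packet):
    """Yield (type, value_offset, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the whole Access-Request with the attribute value zeroed."""
    buf = bytearray(packet)
    found = False
    for atype, offset, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator value must be 16 bytes")
            buf[offset:offset + 16] = bytes(16)
            found = True
    if not found:
        raise ValueError("no Message-Authenticator attribute present")
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def verify_access_request(packet, secret):
    """True only if exactly one Message-Authenticator is present and it matches."""
    received = [v for t, _, v in parse_attributes(packet)
                if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1:
        return False
    expected = compute_message_authenticator(packet, secret)
    return hmac.compare_digest(received[0], expected)


def build_access_request(ident, eap_payload, secret):
    """Build a constructed sample Access-Request carrying one EAP-Message."""
    request_authenticator = bytes(range(16))  # fixed sample value, not random
    attrs = bytes([EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = compute_message_authenticator(packet, secret)
    return packet[:-16] + mac  # the attribute was appended last


# Constructed EAP-Response/Identity for the identity "user".
SAMPLE_EAP = bytes([2, 1, 0, 9, 1]) + b"user"
SAMPLE_PACKET = build_access_request(7, SAMPLE_EAP, b"sample-secret")

if __name__ == "__main__":
    print("correct secret:", verify_access_request(SAMPLE_PACKET, b"sample-secret"))
    print("wrong secret:  ", verify_access_request(SAMPLE_PACKET, b"Sample-secret"))
```

A failed check means the two ends computed the HMAC over different bytes or with different keys, so a mismatched secret and a packet altered or re-encoded in transit look identical to the receiver.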
LMS 3.2 - Problem with inventory of switches using AAA authentication
Hi all,
We want to migrate our network equipment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for priv level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when device login credentials are telnet password, enable password.
I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked it by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks couldn't pull an inventory of the switch any more. Every inventory job failed.
Any help would be appreciated. Thanks a lot.
Regards
fred
Joe,
excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
fred
-
ISE 1.2 web authentication problem with wired clients
Hello,
I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials, a session expired message appears on the client and I get an 86017 Session Missing message in ISE.
Here is the output from the debug aaa coa log.
Any ideas?
Thanks in advance
Alex
! CLIENT CONNECT TO SWITCHPORT
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
User-Name: 00-1F-29-7B-BD-82
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026B28C02CDC
Acct Session ID: 0x0000029C
Handle: 0x8C00026C
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE
! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
ISE-TEST-SWITCH#
191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
191527: .Jun 24 10:42:24.340 UTC: RADIUS: authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
191528: .Jun 24 10:42:24.340 UTC: RADIUS: NAS-IP-Address [4] 6 172.20.132.100
191529: .Jun 24 10:42:24.340 UTC: RADIUS: Calling-Station-Id [31] 19 "00:1F:29:7B:BD:82"
191530: .Jun 24 10:42:24.340 UTC: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
191531: .Jun 24 10:42:24.340 UTC: RADIUS: Event-Timestamp [55] 6 1403606529
191532: .Jun 24 10:42:24.340 UTC: RADIUS: Message-Authenticato[80] 18
191533: .Jun 24 10:42:24.340 UTC: RADIUS: E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E [ <Ggi=aSn]
191534: .Jun 24 10:42:24.340 UTC: RADIUS: Vendor, Cisco [26] 43
191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
191537: .Jun 24 10:42:24.340 UTC: ++++++ CoA Attribute List ++++++
191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
191543: .Jun 24 10:42:24.349 UTC:
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
ISE-TEST-SWITCH#
191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
! SESSION ID CHANGES, USER ENTERS CREDENTIALS
! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026C28C2FA05
Acct Session ID: 0x0000029D
Handle: 0x2C00026D
Runnable methods list:
Method State
dot1x Running
mab Not run
Guest authentication failed: 86017: Session cache entry missing
try adjusting the UTC timezone during the guest creation in the sponsor portal.
86017
Guest
Session Missing
Session ID missing. Please contact your System Administrator.
Info
-
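The debug output in the question above shows a CoA request carrying `subscriber:command=bounce-host-port`, followed by a new AuditSessionID, while the redirect URL still carries the old one. As an added example, not part of the thread, this sketch walks such a capture in order and reports each CoA command that is followed by a session ID change; the sample lines are excerpted from the post, and the function and field names are this example's own.

```python
import re

COA_COMMAND = re.compile(r"subscriber:command=([\w-]+)")
SESSION_ID = re.compile(r"(?:AuditSessionID|Common Session ID:)\s+([0-9A-Fa-f]+)")
# Matches the "URL Redirect:" line only, not "URL Redirect ACL:".
REDIRECT_ID = re.compile(r"URL Redirect:\s+\S*[?&]sessionId=([0-9A-Fa-f]+)")


def correlate_coa_with_session_change(lines):
    """Return one finding per CoA command that is followed by a new session ID."""
    redirect_sid = None   # session ID embedded in the portal redirect URL
    current_sid = None    # session ID the switch currently holds
    pending_coa = None    # last CoA command not yet tied to a session change
    findings = []
    for line in lines:
        match = REDIRECT_ID.search(line)
        if match:
            redirect_sid = match.group(1)
            continue
        match = COA_COMMAND.search(line)
        if match:
            pending_coa = match.group(1)
            continue
        match = SESSION_ID.search(line)
        if not match:
            continue
        sid = match.group(1)
        if current_sid and sid != current_sid and pending_coa:
            findings.append({
                "coa_command": pending_coa,
                "old_session": current_sid,
                "new_session": sid,
                # True when the portal URL given to the client names the old session
                "redirect_is_stale": redirect_sid == current_sid,
            })
            pending_coa = None
        current_sid = sid
    return findings


# Lines excerpted from the output quoted in the post above.
SAMPLE_LINES = [
    "URL Redirect ACL: ACL-WEBAUTH-REDIRECT",
    "URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/"
    "gateway?sessionId=AC1484640000026B28C02CDC&action=cwa",
    "Common Session ID: AC1484640000026B28C02CDC",
    '191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 '
    '"subscriber:command=bounce-host-port"',
    "191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| "
    "MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| "
    "AUTHTYPE DOT1X| EVENT IP-RELEASE",
    "191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface "
    "GigabitEthernet0/3, changed state to administratively down",
    "191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' "
    "for client (001f.297b.bd82) on Interface Gi0/3 "
    "AuditSessionID AC1484640000026C28C2FA05",
    "Common Session ID: AC1484640000026C28C2FA05",
]

if __name__ == "__main__":
    for finding in correlate_coa_with_session_change(SAMPLE_LINES):
        print(finding)
```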
Problem with sun outlook connector, Microsoft LDAP services
Dear All
I have a big problem with Sun Outlook Connector and I can't find any way to fix the problem.
I am using the Sun Java System Connector deployment tool to create an installation script for my clients.
In the tool I have specified the location of Microsoft LDAP services. I am using Outlook 2003 and Sun says this option is not needed for Outlook 2003. If I try to create the script and run the script on the target client, I receive the error below.
I tried the Office CD-ROM as the path for LDAP services, but the Outlook Connector says there are no LDAP services on the CD and I receive the same error:
19:02:29 [5365] Outlook version is 11.0.5608.0.
19:02:29 [5376] Adding MAPI directory 'C:\Program Files\Common Files\System\MAPI\1033' to PATH.
19:02:29 [5475] TMP directory is 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp'.
19:02:31 [5362] Checking Windows version.
19:02:31 [5363] Windows version is 5.1.
19:02:31 [5364] Checking Outlook version.
19:02:31 [5509] Checking default mail client.
19:02:31 [5508] Default mail client is 'Microsoft Outlook'.
19:02:31 [5178] Verifying that Outlook is not running.
19:02:31 [5179] Trying to login to shared session.
19:02:31 [5369] Installing Sun Java System MAPI Service Providers using 'C:\DOCUME~1\MMESKA~1\LOCALS~1\Temp\Sun Outlook Connector\sunone-mapi-services.msi'.
19:02:32 [5502] Upgrading the Sun Java System MAPI Service Providers.
19:02:40 [5370] Finished installing Sun Java System MAPI Service Providers.
19:02:40 [5366] Checking whether Sun Java System MAPI Service Providers are installed.
19:02:40 [5367] Sun Java System MAPI Service Providers are installed.
19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
19:02:40 [5416] Checking whether Microsoft LDAP Directory MAPI Service Provider is installed.
19:02:40 [5418] The Microsoft LDAP Directory MAPI Service Provider is not installed:
19:02:40 File 'C:\Program Files\Common Files\System\MAPI\1033\EMABLT32.DLL' does not exist.
19:02:41 ERROR: Microsoft LDAP Directory MAPI Service Provider must first be installed.
Best regards
Mo
This is likely to depend on the version of the OC you have. The released one isn't supposed to work with Outlook 2003. Please contact Tech Support for the latest version and help.