CacheGetDNForName: NWDSReadObjectInfo returned -601
Hi,
I did install 2 radius servers.
1 server is good.
and the other server is so bad.
what's '-601'...???? help me...!!!
[2004-12-04 00:33:56 AM] CopyCache:
[2004-12-04 00:33:59 AM] CopyCache:
[2004-12-04 00:34:02 AM] 5) [(ip) 123.456.789.000:16384], Received 169 Bytes
(Accounting-Request (4))
[2004-12-04 00:34:02 AM] [(total=5) (p=4) (d=0) (r=0) (acc=0) (rej=0)]
[2004-12-04 00:34:02 AM] <5> Done GetNextMessage [(ip)
123.456.789.000:16384]: time:4683767
[2004-12-04 00:34:02 AM] -------- START : (Accounting-Request (4)) [(ip)
123.456.789.000:16384]: time:5915609---
[2004-12-04 00:34:02 AM] AcctRequestHandler(), userName = user.abc
[2004-12-04 00:34:02 AM] CACHE:
CacheReadSecretForNASAddress(nw6-radius.radius.pb), using cache
[2004-12-04 00:34:02 AM] CacheGetDNForName entered
[2004-12-04 00:34:02 AM] CACHE:
CacheGetEnableCNLogin(nw6-radius.radius.pb), using cache
[2004-12-04 00:34:02 AM] CacheGetDNForName: NWDSReadObjectInfo returned -601
[2004-12-04 00:34:02 AM] CacheGetDNForName(user.abc), Using cache
[2004-12-04 00:34:02 AM]
(->)CacheGetDNForName:NWDSReadObjectInfo(user.abc) , succeeded, time:23
[2004-12-04 00:34:02 AM] CacheFindContext - GetParentDN(userDN)
(abc.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(hd.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(at.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(kma.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(at.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(mt.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(ts.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(ts.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(kb.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(kb.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(cm.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(cm.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(cr.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(cr.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(ht.dial.pb)
[2004-12-04 00:34:02 AM] CacheFindContext - tmpContext (abc.dial.pb),
contextName(abc.dial.pb)
[2004-12-04 00:34:02 AM] Handling local accounting request.
[2004-12-04 00:34:02 AM] HandleLocalAcctRequest(), oldName=user.abc,
userName=user.abc, userDN=user.abc.dial.pb, reportName=user.abc
[2004-12-04 00:34:02 AM] CacheGetDNForName entered
[2004-12-04 00:34:02 AM] CACHE:
CacheGetEnableCNLogin(nw6-radius.radius.pb), using cache
[2004-12-04 00:34:02 AM] CacheGetDNForName: NWDSReadObjectInfo returned -601
[2004-12-04 00:34:02 AM] CacheGetDNForName(user.abc), Using cache
[2004-12-04 00:34:02 AM]
(->)CacheGetDNForName:NWDSReadObjectInfo(user.abc) , succeeded, time:14
[2004-12-04 00:34:02 AM] Built attr RADIUS:Active Connections for user
user.abc.dial.pb, succeeded
[2004-12-04 00:34:02 AM] Built attr RADIUS:Connection History for user
user.abc.dial.pb, succeeded
[2004-12-04 00:34:02 AM] Start reconciliation algorithm.
[2004-12-04 00:34:02 AM] Stop reconciliation algorithm.
[2004-12-04 00:34:02 AM] Start Interim Timeout Cleanup.
[2004-12-04 00:34:02 AM] CACHE:
CacheGetInterimTimeout(nw6-radius.radius.pb), using cache
[2004-12-04 00:34:02 AM] Stop Interim Timeout Cleanup.
[2004-12-04 00:34:02 AM] Stop Packet in History List of user
user.abc.dial.pb
[2004-12-04 00:34:02 AM] CACHE:
CacheGetIntervalForAging(nw6-radius.radius.pb), using cache
[2004-12-04 00:34:02 AM] Start Aging Cleanup.
[2004-12-04 00:34:02 AM] Stop Aging Cleanup.
[2004-12-04 00:34:02 AM] User:user.abc.dial.pb, Attribute:RADIUS:Connection
History
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):11]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):13]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):27]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):3]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):5]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):14]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):2]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):6]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):8]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):24]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):7]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):1]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):10]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):17]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):4]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):9]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):12]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):20]
[2004-12-04 00:34:02 AM] State:2,SrcID:,SessionID:IKE[VPN(3110)
VR(123.456.789.000):16]
[2004-12-04 00:34:02 AM] ->Sending Accounting-Response (5) [(ip)
123.456.789.000(16384)] count=20
[2004-12-04 00:34:02 AM] -------- END : (Accounting-Request (4)) [(ip)
123.456.789.000:16384]: time:5915760---
[2004-12-04 00:34:02 AM] CopyCache:
[2004-12-04 00:34:05 AM] CopyCache:
Benjamin,
It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
- You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/
Similar Messages
-
I have a BMAS radius authenticating users to a Cisco PIX firewall forInternet access. This process works fine for short periods of time
and then
users begin reporting that they have to try logging in several times
before
they are authenticated. The radius debug screen on the server will at
this
point be denying somewhere around half of the requests it receives
with the
error (access rejected <username> no more search domain). If I unload
and
reload radius.nlm, the problem goes away for a period of time.
Any IdeasI can see from the debug log that RADIUS is receiving a -601 error (user not
found) while attempting to locate the user in eDirectory. This appears to be
an eDirectory problem, rather than a RADIUS problem. The -601 is being
returned to RADIUS from an eDirectory call.
You might have a problem with one or more of the replica servers in your
environment. Try running DSRepair. If that does not fix your problem, then
you will probably have better luck asking in a forum that deals specifically
with eDirectory issues.
>>> JIM BLANKENAGEL<[email protected]> 5/17/2004 2:24:23
PM >>>
[2004-05-17 07:52:58 AM] -------- START : (Access-Request (1)) [(ip)
205.119.79.242:1645]: time:1937906322---
[2004-05-17 07:52:58 AM] CACHE:
CacheDomainListExist(radius.bordermanager.common.s jsd), using cache
[2004-05-17 07:52:58 AM] AuthRequestHandler(), Calling NewRequestHandler.
[2004-05-17 07:52:58 AM] NewRequestHandler(): !domainName: fausr_sara
[2004-05-17 07:52:58 AM] NewRequestHandler(): Calling CacheGetDNForName
[2004-05-17 07:52:58 AM] CacheGetDNForName entered
[2004-05-17 07:52:58 AM] CACHE:
CacheGetEnableCNLogin(radius.bordermanager.common. sjsd), using cache
[2004-05-17 07:52:58 AM] CopyCache:
[2004-05-17 07:52:58 AM] CacheGetDNForName: NWDSReadObjectInfo returned
-601
[2004-05-17 07:52:58 AM] CacheGetDNForName(fausr_sara), Using cache
[2004-05-17 07:52:59 AM]
(->)CacheGetDNForName:NWDSReadObjectInfo(fausr_sara) , failed, no such entry
(-601), time:15888
[2004-05-17 07:52:59 AM] NewRequestHandler(): Error -601 from
CacheGetDNForName
[2004-05-17 07:52:59 AM] User (fausr_sara) not exist in local NDS tree. Use
search domains instead.
[2004-05-17 07:52:59 AM] No more search domain, end of search doman list is
reached.
[2004-05-17 07:52:59 AM] CACHE:
CacheReadSecretForNASAddress(radius.bordermanager. common.sjsd), using cache
[2004-05-17 07:52:59 AM] ->Sending Access-Reject (3) [(ip)
205.119.79.242(1645)] count=20
[2004-05-17 07:52:59 AM] ->Inserting into RespQ , code(3) id(231).
[2004-05-17 07:52:59 AM] -------- END : (Access-Request (1)) [(ip)
205.119.79.242:1645]: time:1937922218--- -
Please, can somebody help me with this error on my radius server?
Miscellaneous Error 1642
this is the log in the RADDBG file.
Debug logging enabled to file sys:etc\radius\debug\raddbg.log
[2004-10-19 06:27:54 PM] 18) [(ip) 192.168.5.248:1104], Received 52 Bytes
(Access-Request (1))
[2004-10-19 06:27:54 PM] [(total=18) (p=17) (d=0) (r=0) (acc=0) (rej=0)]
[2004-10-19 06:27:54 PM] <5> Done GetNextMessage [(ip) 192.168.5.248:1104]:
time:5958411
[2004-10-19 06:27:54 PM] -------- START : (Access-Request (1)) [(ip)
192.168.5.248:1104]: time:203715714---
[2004-10-19 06:27:54 PM] CACHE:
CacheDomainListExist(radiusserv.radiuser.redes), using cache
[2004-10-19 06:27:54 PM] AuthRequestHandler(), Calling NewRequestHandler.
[2004-10-19 06:27:54 PM] CACHE:
CacheGetEnableCNLogin(radiusserv.radiuser.redes), using cache
[2004-10-19 06:27:54 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(gcastellano s), succeeded, time:13
[2004-10-19 06:27:54 PM] CacheFindContext - GetParentDN(userDN) (redes)
[2004-10-19 06:27:54 PM] CacheFindContext - tmpContext (REDES),
contextName(REDES)
[2004-10-19 06:27:54 PM] Handling local authentication request.
[2004-10-19 06:27:54 PM] CACHE:
CacheReadSecretForNASAddress(radiusserv.radiuser.r edes), using cache
[2004-10-19 06:27:54 PM]
(->)NDSVerifyAttr:NWDSRead(gcastellanos.REDES,RADIUS :Dial Access Group)
succeeded, time:5
[2004-10-19 06:27:54 PM] (->)NWDSCompare:(gcastellanos.REDES) succeeded,
time:3
[2004-10-19 06:27:54 PM] (->)NWDSRead(gcastellanos.REDES,RADIUS Enable
Attr) succeeded, time:3
[2004-10-19 06:27:54 PM] User Name: gcastellanos, User DN:
gcastellanos.REDES, Domain: , Service Tag:
[2004-10-19 06:27:54 PM] (->)NADMAuthRequest()
[2004-10-19 06:27:54 PM] (->)NADMAuthRequest(gcastellanos.REDES)
failed, -1665 (0xfffff97f), time:172
[2004-10-19 06:27:54 PM] (->)Authenticate (0 policy, NDS pswd) (for
gcastellanos.REDES), failed, -1665 (0xfffff97f)
[2004-10-19 06:27:54 PM] (->)Authentication FAILED
[2004-10-19 06:27:54 PM] ->Sending Access-Reject (3) [(ip)
192.168.5.248(1104)] count=20
[2004-10-19 06:27:54 PM] ->Inserting into RespQ , code(3) id(5).
[2004-10-19 06:27:54 PM] -------- END : (Access-Request (1)) [(ip)
192.168.5.248:1104]: time:203715926---
[2004-10-19 06:27:59 PM] Debug logging disabled
I hope somebody can help to me!!
Thanks and sorry for my bad english!
Genaro Castellanos Lpez
[email protected]
Departamento de Redes
Universidad Iberoamericana LenCraig is right, this is a problem with NMAS. Craig is correct that RADIUS
does not yet support EAP, but the RADIUS server is not receiving an EAP
request in this case. If the RADIUS server were receiving an EAP request, it
would be returning a -803 (RDERR_NO_SUCH_ATTRIBUTE) error, since it would
not be able to find a PAP or CHAP password attribute in the access-request
packet.
The following snippet from your original message shows the problem:
[2004-10-19 06:27:54 PM] (->)NADMAuthRequest(gcastellanos.REDES)
failed, -1665 (0xfffff97f), time:172
The -1665 error is NMAS_E_LOGIN_ATTRIBUTE_NOT_FOUND. This probably means
that RADIUS is trying to execute a method for which the user does not have
any credentials. For example, I would expect to see this error if you had
configured RADIUS to execute the Simple Password method, but had not set a
Simple Password for the user. Which login sequence have you configured for
your DAS?
>>> Genaro Castellanos Lpez<[email protected]> 10/25/04 3:28
PM >>>
Thanks, I think the error is because i'm using EAP login method and BM does
not support that kind of authentication, please if you know a new issue for
this problem letme know it.
Regards
"Craig Johnson" <[email protected]> escribi en el mensaje
news:[email protected]..
> In article <xridd.7270$[email protected]>, Genaro
> Castellanos Lpez wrote:
>> Please, can somebody help me with this error on my radius server?
>> Miscellaneous Error 1642
>>
> Looks like a password error with NMAS:
>
> http://support.novell.com/cgi-bin/se...?/10074688.htm
>
> http://support.novell.com/cgi-bin/se...?/10087319.htm
>
> http://support.novell.com/cgi-bin/se...?/10074868.htm
>
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
> -
Error: Fatal error in function BldAlter on call to function GetOldRecDefn.
At step "Generating the Updated PeopleTools Script" to generate "PPLTLS84CURTables.sql", more than 2270 errors occured:
Example Error 1:
System Error : File: E:\pt85403d-retail\peopletools\src\psbld\bldalter.cppSQL error. Stmt #: 4550 Error Position: 0 Return: 601 - [Microsoft][SQL Server Native Client 11.0][SQL Server]Invalid object name 'SYSCOLUMNS'.
Failed SQL stmt: select c.name,c.colid,t.name,c.length,c.prec,c.scale,c.isnullable from SYSCOLUMNS c, SYSOBJECTS o, SYSTYPES t where c.id = o.id and c.usertype = t.usertype and o.type = 'U' and o.name = :1 order by c.colid
After changing table/view names from upper case to lower case. the query works.
Example Error 2:
Error: Fatal error in function BldAlter on call to function GetOldRecDefn. Return code = 1. (76,6)
Error: MENU_LANG_TMP - SQL Error. Error Position: 0 Return: 601 - [Microsoft][SQL Server Native Client 11.0][SQL Server]Invalid object name 'SYSOBJECTS'.
SELECT NAME FROM SYSOBJECTS WHERE TYPE = 'TR' AND NAME = :1
Error: PSMSFTMPCOM - SQL Error. Error Position: 0 Return: 601 - [Microsoft][SQL Server Native Client 11.0][SQL Server]Invalid object name 'SYSOBJECTS'.
SQL Build process ended on 11/7/2014 at 10:39:42 AM.
2698 records processed, 2274 errors, 0 warnings.
SQL Build script for all processes written to file E:/temp/CAOutput/softwareupdatePeopleTools_Only_Upgrade{HR90UPG}/PPLTLS84CURTables.sql.
SQL Build log file written to E:/temp/CAOutput/softwareupdatePeopleTools_Only_Upgrade{HR90UPG}/BuildPPLTLS84CURTables.log.
Thanks for any suggestions!
DongmeiPassed the above error by changing object owner from ACCESSID to dbo. Now on the same task "Generating the Updated PeopleTools Scripts", there are 516 errors, sample error messages:
Error: PS_APP_DES_OBJ_CST - Alter failed due to an unknown column type (NVARCHAR) found for field PSOWNER. (76,22)
Error: Fatal error in function BldAlter on call to function GetOldRecDefn. Return code = 1. (76,6)
Error: PS_APP_DES_OBJ_LNG - Alter failed due to an unknown column type (NVARCHAR) found for field PSOWNER. (76,22)
Error: Fatal error in function BldAlter on call to function GetOldRecDefn. Return code = 1. (76,6)
Error: PS_APP_DES_OBJECTS - Alter failed due to an unknown column type (NVARCHAR) found for field PSOWNER. (76,22)
Error: Fatal error in function BldAlter on call to function GetOldRecDefn. Return code = 1. (76,6)
Warning: MCF_IM_DEMO_REC.MCF_IMUSERID - Default record.field MCF_IM_DEMO_REC.USER_OPRID has no rows, field type default used. (76,66)
Error: PS_PRCSDEFN - Alter failed due to an unknown column type (NVARCHAR) found for field PRCSTYPE. (76,22)
Appreciate any help!!
Dongmei -
Hello,
i have the following Setup:
1x Single Tree Server with Nw 6.5 SP1a / BM3.8 SP2
This is a simple authentication Server which is placed in our dmz. Some users are synchronized with dirxml from the productive main tree to the authentication tree.
Primary this box is used for client2site vpn with vasco digipass tokens. This setup is working.
Now i wish to use the same box for ichain Radius authentication.
I have setup a 2nd box in the dmz for ichain 2.3. I have made the necessary schema extension on the Authentication server and installed the snapins for ichain.
I tested authentication with ldap to the authentication server.... no problem
Now the problems:
I setup a authentication profile on the ichain server for radius
I configured the authentication servers lpo and radius objects. All this is described in the ichain admin book page 89 (chapter 7 using radius authentication)
When i check the radius console i get the following message:
[DATE TIME] Access Request Dropped
IchainIP, cn, Unknown Radius client
What i did again: I found several tid's where the problem is described. I Changed rights to the lpo, installed the nmas234.tar, changed userprops.....but till now nothing works.
MoreSysinfos:
Radius.nlm V 4.14 / 6.March 2003
nmas.nlm 2.68 / 17.June 2004
nmasldap.nlm V 1.20 / 31.March 2004
Here the RadiusDebugLog, during authentication:
[2004-08-09 02:42:40 PM] Deleting file "sys:etc\radius\log\20040802.log", failed
[2004-08-09 02:42:40 PM] Parameter count = 1
[2004-08-09 02:42:40 PM] argv[0] = SYS:\SYSTEM\RADIUS.NLM
[2004-08-09 02:42:40 PM] Tree Name = "<null>"
[2004-08-09 02:42:40 PM] Login Name = "<null>"
[2004-08-09 02:42:40 PM] Name = "<null>"
[2004-08-09 02:42:40 PM] Workers = 0
[2004-08-09 02:42:40 PM] Port = 0
[2004-08-09 02:42:40 PM] Error encountered = 0
[2004-08-09 02:42:40 PM] Checking if parameters are to be retrieved from Registry
[2004-08-09 02:42:40 PM] Got Tree Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Login Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Service Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Number Threads from registry, 5
[2004-08-09 02:42:40 PM] Got Service Port from registry, 1645
[2004-08-09 02:42:40 PM] Got Accounting Port from registry, 1646
[2004-08-09 02:42:40 PM] Got Accounting Path from registry, "sys:\etc\radius\acct"
[2004-08-09 02:42:40 PM] Got Accounting File Format from registry, "comma"
[2004-08-09 02:42:40 PM] Got RollOver from registry, "daily"
[2004-08-09 02:42:40 PM] Services supported, [2004-08-09 02:42:40 PM] "authentication" [2004-08-09 02:42:40 PM] "accounting" [2004-08-09 02:42:40 PM]
[2004-08-09 02:42:40 PM] Got Accounting Attribute File from registry, sys:\etc\radius\radacct.atr
[2004-08-09 02:42:40 PM] Got Authentication Path from registry, sys:etc\radius
[2004-08-09 02:43:03 PM] Debug logging enabled to file sys:etc\radius\debug\raddbg.log
[2004-08-09 02:43:17 PM] 1) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-09 02:43:17 PM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:17 PM] <2> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:208207
[2004-08-09 02:43:17 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971301---
[2004-08-09 02:43:17 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:17 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:17 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-09 02:43:17 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:17 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971299---
[2004-08-09 02:43:23 PM] 2) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-09 02:43:23 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:23 PM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:266774
[2004-08-09 02:43:23 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912704---
[2004-08-09 02:43:23 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:23 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:23 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-09 02:43:23 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:23 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912701---
[2004-08-09 02:48:42 PM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
Thanks
StefanIt's working now.
The Problem was the LPO. In the LoginSequences tab i have modified the standard digipass entry and added a
NDS entry. This was necessary for BM3.8 VPN Logins in our environment.
So I createt a new one, with only digipass inside and associate this LoginSequence to the Radius DAS.
Have a nice time
Stefan
>>> Scott Kiester<[email protected]> 11.08.04 22:21 >>>
You can't execute two login sequences with RADIUS, because there is no way
for RADIUS to prompt for a second set of credentials over the PAP or CHAP
protocols. The ConsoleOne snapin should not be allowing you to mark more
than one sequence as mandatory, as this configuration is invalid.
The recommended way of supporting multiple methods through RADIUS is by
creating a single NMAS "OR" login sequence, rather than using multiple
rules. You could create a sequence that specified "NDS" OR "Digipass." In
this case RADIUS would first execute the NDS method, and only execute the
Digipass method if NDS fails.
I realize that you want to require NDS AND Digipass, not NDS OR Digipass. A
login sequence that specifies NDS AND Digipass would always fail, because
the password supplied by the user would never be valid for both methods.
Unfortunately, there is not a way to require both NDS and Digipass through
RADIUS.
>>> Stefan Winterberg<[email protected]> 08/11/04 2:43 AM >>>
Hello Scott,
thank you very much. it seems that your eyes are better than ours.
The unknown client is now gone, but we still have some problems.
I have the new raddbg and nmasmon-log file below.
We have set the Sequences in the LPO for this DAS-Object to:
NDS Mandatory
Digipass Mandatory
On the UserObject the DefaultLoginClearance is set to password&token.
When we attemp to login we can see that the vasco digipass successfull login
counter is incremented by 1.
--Raddbg.log------------------------------
[2004-08-11 10:38:36 AM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-08-11 10:38:42 AM] Cacher: Console initiated rebuild of cache
[2004-08-11 10:38:42 AM] (->)Cacher:
NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:3
[2004-08-11 10:38:42 AM] Cacher: Rebuilding cache, mod time different,
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:DAS Version)
succeeded, time:2
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Password Policy)
failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Common Name
Resolution) succeeded, time:2
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Concurrent Limit)
failed, no such attribute (-603), time:1
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Interim Accting
Timeout) failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Aged Interval)
failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Maximum History
Record) failed, no such attribute (-603), time:1
[2004-08-11 10:38:42 AM] CACHE: Use Netware Password for
"ichaindas.ichain.netstal": Enabled
[2004-08-11 10:38:42 AM] CACHE: CN Login for "ichaindas.ichain.netstal":
Enabled
[2004-08-11 10:38:42 AM] CACHE: Concurrent Limit for
"ichaindas.ichain.netstal": 0x80000000
[2004-08-11 10:38:42 AM] CACHE: Interim Timeout for
"ichaindas.ichain.netstal": 10 minutes
[2004-08-11 10:38:42 AM] CACHE: Interval For Aging for
"ichaindas.ichain.netstal": 7 days
[2004-08-11 10:38:42 AM] CACHE: Max History Record for
"ichaindas.ichain.netstal": 30
[2004-08-11 10:38:42 AM]
Context Lookup List set to:
[2004-08-11 10:38:42 AM] 1) USERS.NETSTAL
[2004-08-11 10:38:42 AM] Number of contexts = 1
[2004-08-11 10:38:42 AM] tag extracted: 62.200.168.121, size: 15, tagLength:
30
[2004-08-11 10:38:42 AM] Cache: Successfully set up client table
[2004-08-11 10:38:42 AM]
(->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
[2004-08-11 10:38:42 AM] Cache: Successfully set up context list
[2004-08-11 10:38:42 AM] (->)NDSSetUpDomainList(ichaindas.ichain.netstal),
Domain list is empty.
[2004-08-11 10:38:42 AM] Cache: Successfully set up domain list
[2004-08-11 10:38:42 AM] Cache: Successfully set up search domain list
[2004-08-11 10:38:42 AM] Cache: Successfully build context list
[2004-08-11 10:38:42 AM] CACHE: Cache reloaded at [2004-08-11 10:38:42
AM], current reload count is 5
[2004-08-11 10:38:42 AM] Cacher: RefreshCache(), succeeded
[2004-08-11 10:38:42 AM] CACHE: Cache loaded at [2004-08-11 10:38:11 AM]
has been discarded , current reload count is 5
[2004-08-11 10:38:57 AM] 7) [(ip) 62.200.168.121:1812], Received 43 Bytes
(Access-Request (1))
[2004-08-11 10:38:57 AM] [(total=7) (p=6) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-11 10:38:57 AM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]:
time:7776133
[2004-08-11 10:38:57 AM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:1545446252---
[2004-08-11 10:38:57 AM] CACHE:
CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-11 10:38:57 AM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-11 10:38:57 AM] CACHE:
CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-11 10:38:57 AM] CACHE:
CacheGetEnableCNLogin(ichaindas.ichain.netstal), using cache
[2004-08-11 10:38:57 AM] CacheGetDNForName(wst), Using cache
[2004-08-11 10:38:57 AM] (->)CacheGetDNForName:NWDSReadObjectInfo(wst),
succeeded, time:9
[2004-08-11 10:38:57 AM] userName: wst
[2004-08-11 10:38:57 AM] userDN: WST.USERS.NETSTAL
[2004-08-11 10:38:57 AM]
(->)NDSVerifyAttr:NWDSRead(WST.USERS.NETSTAL,RADIUS: Dial Access Group)
succeeded, time:3
[2004-08-11 10:38:57 AM] (->)NWDSCompare:(WST.USERS.NETSTAL) succeeded,
time:2
[2004-08-11 10:38:57 AM] (->)NWDSRead(WST.USERS.NETSTAL,RADIUS Enable
Attr) failed, no such attribute (-603), time:2
[2004-08-11 10:38:57 AM] (->)User "WST.USERS.NETSTAL", Looking in
(USERS.NETSTAL) for (RADIUS:Enable Dial Access)
[2004-08-11 10:38:57 AM] (->)NWDSRead(USERS.NETSTAL,RADIUS Enable Attr)
succeeded, time:2
[2004-08-11 10:38:57 AM] User Name: wst, User DN: WST.USERS.NETSTAL,
Domain: , Service Tag:
[2004-08-11 10:38:57 AM] (->)NADMAuthRequest()
[2004-08-11 10:38:57 AM] (->)NADMAuthRequest(WST.USERS.NETSTAL) failed,
-1642 (0xfffff996), time:1776
[2004-08-11 10:38:57 AM] (->)Authenticate (0 policy, NDS pswd) (for
WST.USERS.NETSTAL), failed, -1642 (0xfffff996)
[2004-08-11 10:38:57 AM] (->)Authentication FAILED
[2004-08-11 10:38:57 AM] ->Sending Access-Reject (3) [(ip)
62.200.168.121(1812)] count=20
[2004-08-11 10:38:57 AM] ->Inserting into RespQ , code(3) id(6).
[2004-08-11 10:38:57 AM] -------- END : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:1545448063---
----nmasmon.log-------------------------------------------------------------
NMAS Enterprise Edition
0: Screen and file output started at Wed Aug 11 10:37:47 2004
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
4: Destroy NMAS Session for reuse
4: Create NMAS Session
4: RemoteCheckIfLocalUser checking WST.USERS.NETSTAL.
4: RemoteCheckIfLocalUser is a local user.
4: Server thread started
4: NMAS_CanDo StartClientSession 0
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=35 queue Size 8
4: NMAS_CanDo sendMessage 0
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=8 queue size 0
4: >>ServerGet: message size=35 queue size 35
4: CanDo
4: Sequence Selected == "Digipass"
4: Login Method 0x00000050
4: MAF_Begin LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=5 queue size 8
4: MAF_GetAttribute LSM 0x00000050 AID: 1 Value: WST.USERS.NETSTAL
4: <<ClientGet: message size=5 queue Size 0
4: NMAS_CanDo sendMessage 0
4: NMAS_CanDo disassembleDoPacket 0
4: MAF_Begin LCM 0x00000050
4: MAF_XRead LCM 0x00000050
4: <<ClientGet: message size=8 queue Size 0
4: MAF_GetAttribute LSM 0x00000050 AID: 22 Tag: digipass
4: MAF_XWrite LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=60 queue size 8
4: MAF_XRead LSM 0x00000050
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=60 queue Size 0
4: MAF_GetAttribute LCM 0x00000050 AID: 6
4: MAF_XWrite LCM 0x00000050
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=29 queue Size 8
4: MAF_XRead LCM 0x00000050
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=29 queue size 0
4: MAF_PutAttribute LSM 0x00000050 AID: 22 Tag: digipass
4: MAF_XWrite LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=16 queue size 8
4: MAF_End LSM 0x00000050 successful
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=16 queue Size 0
4: MAF_End LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: <<ClientGet: message size=8 queue Size 0
4: WhatNext
4: Login Method 0x00000007
4: MAF_GetAttribute LSM 0x00000007 AID: 2
4: MAF_GetAttribute LSM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
4: MAF_Begin LSM 0x00000007
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=5 queue size 8
4: MAF_AllowPasswordSet LSM 0x00000007
4: MAF_GetPassword LSM 0x00000007
4: MAF_Write LSM 0x00000007
4: <<ServerPut: message size=8 queue size 5
4: <<ServerPut: message size=40 queue size 13
4: MAF_GetNDSPasswordHash LSM 0x00000007
4: MAF_XWrite LSM 0x00000007
4: <<ServerPut: message size=8 queue size 53
4: <<ServerPut: message size=36 queue size 61
4: MAF_XRead LSM 0x00000007
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=5 queue Size 0
4: MAF_Begin LCM 0x00000007
4: MAF_GetAttribute LCM 0x00000007 AID: 6
4: MAF_GetAttribute LCM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
4: MAF_Read LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 92
4: <<ClientGet: message size=40 queue Size 84
4: MAF_XRead LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 44
4: <<ClientGet: message size=36 queue Size 36
4: MAF_XWrite LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=56 queue Size 8
4: MAF_XRead LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=56 queue size 0
4: MAF_GetNDSPasswordHash LSM 0x00000007
4: MAF_XWrite LSM 0x00000007
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=32 queue size 8
4: MAF_End LSM 0x00000007 failed
4: ERROR: -1642 Login Method
4: ERROR: -1642 WhatNext
4: ERROR: -1642 NMAS Manager
4: <<ServerPut: message size=8 queue size 32
4: <<ServerPut: message size=4 queue size 40
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=32 queue Size 0
4: MAF_Write LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=12 queue Size 8
4: MAF_End LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 12
4: <<ClientGet: message size=8 queue Size 12
4: <<ClientGet: message size=4 queue Size 4
4: >>ClientPut: message size=8 queue Size 20
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=12 queue size 0
4: >>ServerGet: message size=8 queue size 16
4: >>ServerGet: message size=8 queue size 8
4: <<ServerPut: message size=8 queue size 0
4: Server thread exited
4: Client Session Destroy Request
4: Local Session Cleared (Not Destroyed)
Thanks
>>> Scott Kiester<[email protected]> 10.08.04 19:14 >>>
It looks like you transposed the middle two octets in the client IP
address.
Here's what RADIUS.NLM is reading out of the client table:
[2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15,
tagLength:
30
And here's the access-request:
[2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:901386806---
>>> Stefan Winterberg<[email protected]> 08/10/04 8:52 AM >>>
Hello Scott,
there is no problem with the tree key. ConsoleOne can add , remove and
modify these properties.
here the actual raddbg.log:
[2004-08-10 04:44:21 PM] Cacher: Console initiated rebuild of cache
[2004-08-10 04:44:21 PM] (->)Cacher:
NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
[2004-08-10 04:44:21 PM] Cacher: Rebuilding cache, mod time different,
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:DAS Version)
succeeded, time:3
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Password Policy)
failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Common Name
Resolution) succeeded, time:2
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Concurrent Limit)
failed, no such attribute (-603), time:1
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Interim Accting
Timeout) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Aged Interval)
failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM]
(->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RA DIUS:Maximum History
Record) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM] CACHE: Use Netware Password for
"ichaindas.ichain.netstal": Enabled
[2004-08-10 04:44:21 PM] CACHE: CN Login for "ichaindas.ichain.netstal":
Enabled
[2004-08-10 04:44:21 PM] CACHE: Concurrent Limit for
"ichaindas.ichain.netstal": 0x80000000
[2004-08-10 04:44:21 PM] CACHE: Interim Timeout for
"ichaindas.ichain.netstal": 10 minutes
[2004-08-10 04:44:21 PM] CACHE: Interval For Aging for
"ichaindas.ichain.netstal": 7 days
[2004-08-10 04:44:21 PM] CACHE: Max History Record for
"ichaindas.ichain.netstal": 30
[2004-08-10 04:44:21 PM]
Context Lookup List set to:
[2004-08-10 04:44:21 PM] 1) USERS.NETSTAL
[2004-08-10 04:44:21 PM] Number of contexts = 1
[2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15,
tagLength:
30
[2004-08-10 04:44:21 PM] Cache: Successfully set up client table
[2004-08-10 04:44:21 PM]
(->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
[2004-08-10 04:44:21 PM] Cache: Successfully set up context list
[2004-08-10 04:44:21 PM]
(->)NDSSetUpDomainList(ichaindas.ichain.netstal),
Domain list is empty.
[2004-08-10 04:44:21 PM] Cache: Successfully set up domain list
[2004-08-10 04:44:21 PM] Cache: Successfully set up search domain list
[2004-08-10 04:44:21 PM] Cache: Successfully build context list
[2004-08-10 04:44:21 PM] CACHE: Cache reloaded at [2004-08-10 04:44:21
PM], current reload count is 5
[2004-08-10 04:44:21 PM] Cacher: RefreshCache(), succeeded
[2004-08-10 04:44:21 PM] CACHE: Cache loaded at [2004-08-10 04:43:05 PM]
has been discarded , current reload count is 5
[2004-08-10 04:45:21 PM] (->)Cacher:
NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:1
[2004-08-10 04:45:32 PM] 15) [(ip) 62.200.168.121:1812], Received 43 Bytes
(Access-Request (1))
[2004-08-10 04:45:32 PM] [(total=15) (p=14) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-08-10 04:45:32 PM] <6> Done GetNextMessage [(ip)
62.200.168.121:1812]:
time:124205589
[2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:901386806---
[2004-08-10 04:45:32 PM] CACHE:
CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:32 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-10 04:45:32 PM] CACHE:
CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-10 04:45:32 PM] HandleLocalRequest(),
CacheReadSecretForNASAddress
failed, no such RADIUS client (-822), Packet Dropped
[2004-08-10 04:45:32 PM] -------- END : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:901386809---
[2004-08-10 04:45:38 PM] 16) [(ip) 62.200.168.121:1812], Received 43 Bytes
(Access-Request (1))
[2004-08-10 04:45:38 PM] [(total=16) (p=15) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-08-10 04:45:38 PM] <2> Done GetNextMessage [(ip)
62.200.168.121:1812]:
time:124022378
[2004-08-10 04:45:38 PM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:901444855---
[2004-08-10 04:45:38 PM] CACHE:
CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:38 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-10 04:45:38 PM] CACHE:
CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-10 04:45:38 PM] HandleLocalRequest(),
CacheReadSecretForNASAddress
failed, no such RADIUS client (-822), Packet Dropped
[2004-08-10 04:45:38 PM] -------- END : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:901444857---
Thanks
Stefan
>>> Scott Kiester<[email protected]> 10.08.04 01:07 >>>
You might have a problem with the tree key in your environment. First of
all, make sure that ConosleOne is storing the client data. After you add a
new entry to the client table on your DAS, close the DAS properties dialog
and re-open it. If the new client is not there when you re-open the dialog,
then ConsoleOne may have been unable to save the data due to a problem with
the tree key. You can confirm this by executing ConsoleOne with the
following command line: "consoleone -debug -windowout". This will make
ConsoleOne display a debug window in the top-left portion of your screen.
If
there is a problem saving the client data, then ConsoleOne will display an
exception and an error code in this window. If the error is in the -14xx
range, (-1460 and -1418 are most common) then you most likely have a
problem
with your tree key.
If ConsoleOne is saving the data correctly, then you'll need to see what is
happening when RADIUS.NLM reads this data. To do this, issue a "radius
refreshcache" command at the server console after you enable debug logging.
Please post this file here and I'll take a look at it.
Tree key problems can be corrected with SDIDIAG, which IIRC is available as
a free download from the support site.
>>> Stefan Winterberg<[email protected]> 08/09/04 8:16 AM >>>
Hello,
i have the following Setup:
1x Single Tree Server with Nw 6.5 SP1a / BM3.8 SP2
This is a simple authentication Server which is placed in our dmz. Some
users are synchronized with dirxml from the productive main tree to the
authentication tree.
Primary this box is used for client2site vpn with vasco digipass tokens.
This setup is working.
Now i wish to use the same box for ichain Radius authentication.
I have setup a 2nd box in the dmz for ichain 2.3. I have made the necessary
schema extension on the Authentication server and installed the snapins for
ichain.
I tested authentication with ldap to the authentication server.... no
problem
Now the problems:
I setup a authentication profile on the ichain server for radius
I configured the authentication servers lpo and radius objects. All this is
described in the ichain admin book page 89 (chapter 7 using radius
authentication)
When i check the radius console i get the following message:
[DATE TIME] Access Request Dropped
IchainIP, cn, Unknown Radius client
What i did again: I found several tid's where the problem is described. I
Changed rights to the lpo, installed the nmas234.tar, changed
userprops.....but till now nothing works.
MoreSysinfos:
Radius.nlm V 4.14 / 6.March 2003
nmas.nlm 2.68 / 17.June 2004
nmasldap.nlm V 1.20 / 31.March 2004
Here the RadiusDebugLog, during authentication:
[2004-08-09 02:42:40 PM] Deleting file "sys:etc\radius\log\20040802.log",
failed
[2004-08-09 02:42:40 PM] Parameter count = 1
[2004-08-09 02:42:40 PM] argv[0] = SYS:\SYSTEM\RADIUS.NLM
[2004-08-09 02:42:40 PM] Tree Name = "<null>"
[2004-08-09 02:42:40 PM] Login Name = "<null>"
[2004-08-09 02:42:40 PM] Name = "<null>"
[2004-08-09 02:42:40 PM] Workers = 0
[2004-08-09 02:42:40 PM] Port = 0
[2004-08-09 02:42:40 PM] Error encountered = 0
[2004-08-09 02:42:40 PM] Checking if parameters are to be retrieved from
Registry
[2004-08-09 02:42:40 PM] Got Tree Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Login Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Service Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Number Threads from registry, 5
[2004-08-09 02:42:40 PM] Got Service Port from registry, 1645
[2004-08-09 02:42:40 PM] Got Accounting Port from registry, 1646
[2004-08-09 02:42:40 PM] Got Accounting Path from registry,
"sys:\etc\radius\acct"
[2004-08-09 02:42:40 PM] Got Accounting File Format from registry,
"comma"
[2004-08-09 02:42:40 PM] Got RollOver from registry, "daily"
[2004-08-09 02:42:40 PM] Services supported, [2004-08-09 02:42:40 PM]
"authentication" [2004-08-09 02:42:40 PM] "accounting" [2004-08-09
02:42:40
PM]
[2004-08-09 02:42:40 PM] Got Accounting Attribute File from registry,
sys:\etc\radius\radacct.atr
[2004-08-09 02:42:40 PM] Got Authentication Path from registry,
sys:etc\radius
[2004-08-09 02:43:03 PM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-08-09 02:43:17 PM] 1) [(ip) 62.200.168.121:1812], Received 43 Bytes
(Access-Request (1))
[2004-08-09 02:43:17 PM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:17 PM] <2> Done GetNextMessage [(ip)
62.200.168.121:1812]:
time:208207
[2004-08-09 02:43:17 PM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:-35971301---
[2004-08-09 02:43:17 PM] CACHE:
CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:17 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:17 PM] CACHE:
CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-09 02:43:17 PM] HandleLocalRequest(),
CacheReadSecretForNASAddress
failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:17 PM] -------- END : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:-35971299---
[2004-08-09 02:43:23 PM] 2) [(ip) 62.200.168.121:1812], Received 43 Bytes
(Access-Request (1))
[2004-08-09 02:43:23 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:23 PM] <3> Done GetNextMessage [(ip)
62.200.168.121:1812]:
time:266774
[2004-08-09 02:43:23 PM] -------- START : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:-35912704---
[2004-08-09 02:43:23 PM] CACHE:
CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:23 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:23 PM] CACHE:
CacheReadSecretForNASAddress(ichaindas.ichain.nets tal), using cache
[2004-08-09 02:43:23 PM] HandleLocalRequest(),
CacheReadSecretForNASAddress
failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:23 PM] -------- END : (Access-Request (1)) [(ip)
62.200.168.121:1812]: time:-35912701---
[2004-08-09 02:48:42 PM] (->)Cacher:
NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
Thanks
Stefan -
Radius-Authentication / Cisco 2600 fails MiscError -1642
Hi,
Im trying to configure BM 3.8 SP3ir3, Radius (NMAS 2.3) to
authenticate a Cisco 2600 against my BM. Under BM 3.7 this
setup is working fine, but now with 3.8 I get the following
error:
Access rejected, Miscellaneous error (-1642)
Ive configured the LPO with the following sequences:
NDS acceptable, simple acceptable
A test with NTRADPING:
with CHAP disabled, it works fine (LPO sequence is NDS)
with CHAP enabled, Ive got the error above
I tried the simple login sequence also (like a posting
in this newsgroup), but no change.
Hope you can help me, I need chap-authentication...
From Radius-Debug:
This one works (without CHAP):
[2005-07-28 05:52:43 PM] (->)Cacher:
NWDSReadObjectInfo(das01.radius.bmanager.informati k.kli_pa),
succeeded, time:7
[2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
(Access-Request (1))
[2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
172.24.4.2:2642]: time:2611012
[2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640356694---
[2005-07-28 05:52:43 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
[2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:43 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
cache
[2005-07-28 05:52:43 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] Handling local authentication request.
[2005-07-28 05:52:43 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:47
[2005-07-28 05:52:43 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:43 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:45
[2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:43 PM]
(->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
succeeded, time:961
[2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
[2005-07-28 05:52:43 PM]
(->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurr ent
Limit) failed, no such attribute (-603), time:50
[2005-07-28 05:52:43 PM] CACHE:
CacheGetConcurrentLimit(das01.radius.bmanager.info rmatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
Limit:-1, succeeded
[2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
[2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
"DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
[2005-07-28 05:52:43 PM] FDN:
CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
[2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
172.24.4.2(2642)] count=32
[2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
[2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640358122---
This one dont work (chap enabled):
[2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
(Access-Request (1))
[2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
172.24.4.2:2647]: time:2426593
[2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640481075---
[2005-07-28 05:52:55 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
[2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:55 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
cache
[2005-07-28 05:52:55 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] Handling local authentication request.
[2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
[2005-07-28 05:52:55 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
using cache
[2005-07-28 05:52:55 PM] CHAP chapCSize: 16
[2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:55 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:53
[2005-07-28 05:52:55 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:55 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:44
[2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
172.24.4.2(2647)] count=20
[2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
[2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640512029---
I cannt see an error with chap enabled..
Regards
GuentherI'm having the same problem. radping works with chap and simple passwords
but gives the -1642 error when I'm authenticating from my cisco vpn router.
BTW, I had everything working for YEARS with nds passwords and earlier
versions of bordermanager. BM 3.8 broke it.
Thanks
David
> Hi Jake,
>
> yes, its a cisco-issue. For downloading dynamic routes with
> radius you need the cisco-default-pw called "cisco". Strange
> and a big security leak....
>
> The authentication with ppp-user and chap / simple password
> works fine now.
>
> Regards
> Guenther
>
> Jake Speed schrieb:
> > Hi,
> > yes it's woking fine !
> > Working with a 3640, and 8 Bri/40 Async Interaces. With Chap enabeld,
> > and simple password used.
> > Seems to be a problem on the cisco site, so if radping works NW Radius
> > and the objects are ok.
> >
> > by
> > Jake
> >
> > Guenther Rasch wrote:
> >
> >> Hi Craig,
> >>
> >> I dont know why, but now CHAP works with ntradping.exe
> >> - Cisco router still doesnt work. Ive configured
> >> "simple password" in the lp-object...
> >>
> >> Does anyone have a working configuration nmas radius /
> >> cisco nas-router?
> >>
> >> Regards
> >> Guenther
> >>
> >> Craig Johnson schrieb:
> >>
> >>> In article <Yg0He.13962$[email protected]>,
> >>> Guenther Rasch wrote:
> >>>
> >>>> is it possible in BM 3.8? Which password / login sequence do I need
to
> >>>> get CHAP working?
> >>>>
> >>>
> >>> As far as I know, you cannot make CHAP work against an NDS password,
> >>> in any version of Novell RADIUS.
> >>> I don't really know about getting the dial access system password
> >>> working 3.8 (NMAS) RADIUS. I would assume there would be a login
> >>> policy object rule for it.
> >>>
> >>> Craig Johnson
> >>> Novell Support Connection SysOp
> >>> *** For a current patch list, tips, handy files and books on
> >>> BorderManager, go to http://www.craigjconsulting.com ***
> >>>
> >>> -
Hi i am running radius from border manager 3.8 on a nw6.5 sp2 server.I
followed the directions for setting up Radius.I have thought it was a
rights issue so i gave the server hosting radius supe rights to the
security container,i have both a root replica,security replica and
replica of where the users reside on the server with radius.I enabled the
container where the users reside for dial access with the DAS and DAP
object selected.When i try to use ntradping i get unable to locate
authentication rule i know i have a rule in the Login Policy for NDS
etc..here is the log anyone have any ideas?
1) Dr.Test
[2005-02-08 09:35:06 AM] 2) IT.Dr.Test
[2005-02-08 09:35:06 AM] Number of contexts = 2
[2005-02-08 09:35:06 AM] tag extracted: 10.1.32.183, size: 12, tagLength:
24
[2005-02-08 09:35:06 AM] Cache: Successfully set up client table
[2005-02-08 09:35:06 AM] (->)NDSSetUpContextList
(DENDAS.RADIUS.DR.Test), ProxyContext is empty
[2005-02-08 09:35:06 AM] Cache: Successfully set up context list
[2005-02-08 09:35:06 AM] (->)NDSSetUpDomainList(DENDAS.RADIUS.DR.Test),
Domain list is empty.
[2005-02-08 09:35:06 AM] Cache: Successfully set up domain list
[2005-02-08 09:35:06 AM] Cache: Successfully set up search domain list
[2005-02-08 09:35:06 AM] Cache: Successfully build context list
[2005-02-08 09:35:06 AM] CACHE: Cache reloaded at [2005-02-08 09:35:06
AM], current reload count is 1
[2005-02-08 09:35:06 AM] Cacher: RefreshCache(), succeeded
[2005-02-08 09:35:06 AM] (->)Cacher: NWDSReadObjectInfo
(DENDAS.RADIUS.DR.Test), succeeded, time:1
[2005-02-08 09:35:06 AM] Starting up 5 worker threads
[2005-02-08 09:35:06 AM] <Rx thread started>
[2005-02-08 09:35:06 AM] <Rx thread started>
[2005-02-08 09:35:06 AM] RADIUS Service started successfully
[2005-02-08 09:35:06 AM] <Worker (0) started (count=1)>
[2005-02-08 09:35:06 AM] <Worker (2) started (count=2)>
[2005-02-08 09:35:06 AM] <Worker (1) started (count=3)>
[2005-02-08 09:35:06 AM] <Worker (3) started (count=4)>
[2005-02-08 09:35:06 AM] <Worker (4) started (count=5)>
[2005-02-08 09:35:38 AM] 1) [(ip) 10.1.32.183:1447], Received 46 Bytes
(Access-Request (1))
[2005-02-08 09:35:38 AM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
[2005-02-08 09:35:38 AM] <2> Done GetNextMessage [(ip) 10.1.32.183:1447]:
time:323249
[2005-02-08 09:35:38 AM] -------- START : (Access-Request (1)) [(ip)
10.1.32.183:1447]: time:-1274981604---
[2005-02-08 09:35:38 AM] CACHE: CacheDomainListExist
(DENDAS.RADIUS.DR.Test), using cache
[2005-02-08 09:35:38 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-02-08 09:35:38 AM] CACHE: CacheReadSecretForNASAddress
(DENDAS.RADIUS.DR.Test), using cache
[2005-02-08 09:35:38 AM] CACHE: CacheGetEnableCNLogin
(DENDAS.RADIUS.DR.Test), using cache
[2005-02-08 09:35:38 AM] CacheGetDNForName(ddietz), Using cache
[2005-02-08 09:35:38 AM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ddietz), succeeded, time:10
[2005-02-08 09:35:38 AM] userName: skippy
[2005-02-08 09:35:38 AM] userDN: skippy.IT.Dr.Test
[2005-02-08 09:35:38 AM] (->)NDSVerifyAttr:NWDSRead
(skippy.IT.Dr.Test,RADIUS:Dial Access Group) succeeded, time:8
[2005-02-08 09:35:38 AM] (->)NWDSCompare:(skippy.IT.Dr.Test) succeeded,
time:4
[2005-02-08 09:35:38 AM] (->)NWDSRead(skippy.IT.Dr.Test,RADIUS Enable
Attr) failed, no such attribute (-603), time:5
[2005-02-08 09:35:38 AM] (->)User "skippy.IT.Dr.Test", Looking in
(IT.Dr.Test) for (RADIUS:Enable Dial Access)
[2005-02-08 09:35:38 AM] (->)NWDSRead(IT.Dr.Test,RADIUS Enable Attr)
succeeded, time:3
[2005-02-08 09:35:38 AM] User Name: skippy, User DN: skippy.IT.Dr.Test,
Domain: , Service Tag:
[2005-02-08 09:35:38 AM] (->)NADMAuthRequest()
[2005-02-08 09:35:38 AM] (->)NADMAuthRequest(skippy.IT.Dr.Test)
succeeded, time:152
[2005-02-08 09:35:38 AM] (->)Authenticate (0 policy, NDS pswd) (for
skippy.IT.Dr.Test), failed, -941 (0xfffffc53)
[2005-02-08 09:35:38 AM] (->)Authentication FAILED
[2005-02-08 09:35:38 AM] ->Sending Access-Reject (3) [(ip) 10.1.32.183
(1447)] count=20
[2005-02-08 09:35:38 AM] ->Inserting into RespQ , code(3) id(0).
[2005-02-08 09:35:38 AM] -------- END : (Access-Request (1)) [(ip)
10.1.32.183:1447]: time:-1274981407---Hey Craig,
That was the missing link not having the current patches.Great site you
have there, I followed all the steps up to the nmas patch.Thanks man
> Got the latest NMAS patches installed? See tip #1 at the URL below.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
> -
Here is the error message from the log
[2004-03-24 03:40:29 PM] Access Rejected
10.10.10.10, username, Unable to locate authentication rule
Here is the message from the debug screen
(->)NADMAuthRequest()
(->)NADMAuthRequest(username.tree) succeeded, time:125
(->)Authenticate (0 policy, NDS pswd) (for username.Tree), failed -941
(0xfffffc53)
(->)Authenticate FAILED
-> Sending Access-Reject (3) [(10.10.10.10(1645)] count=20
->Inserting into RespQ. code(3) id(8)Error -941 is ERR_UNABLE_TO_LOCATE_RULE, which indicates that the server was
unable to locate a login rule that applies to your DAS and your user. Since
you're using BorderManager 3.8, make sure that you are using ConsoleOne to
configure your login rules instead of NWAdmin.
Please send me some screen shots of your login rules. If you're not
comfortable posting them here, you may send them to me at
[email protected].
>>> Bryan Diller<[email protected]> 3/29/2004 10:18:59 AM >>>
Here is the what get put in the debug log file. I swapped out the
username, ip address and tree information for security purposes. I found
the document you referenced late last week and have gone through it
several times. The only thing I can find about -941 error message is the
server needs a replicate which I did.
[2004-03-29 11:10:52 AM] 6) [(ip) user ip address:2423], Received 53
Bytes (Access-Request (1))
[2004-03-29 11:10:52 AM] [(total=6) (p=5) (d=0) (r=0) (acc=0) (rej=
0)]
[2004-03-29 11:10:52 AM] <4> Done GetNextMessage [(ip) ip address:2423]:
time:-758218349
[2004-03-29 11:10:52 AM] -------- START : (Access-Request (1)) [(ip)
user ip address:2423]: time:653292746---
[2004-03-29 11:10:52 AM] CACHE: CacheDomainListExist
(radiusserver.tree), using cache
[2004-03-29 11:10:52 AM] AuthRequestHandler(), Calling
NewRequestHandler.
[2004-03-29 11:10:52 AM] CACHE: CacheGetEnableCNLogin
(radiusserver.tree), using cache
[2004-03-29 11:10:52 AM] (->)CacheGetDNForName:NWDSReadObjectInfo
(user), succeeded, time:48
[2004-03-29 11:10:52 AM] CacheFindContext - GetParentDN(userDN) (tree)
[2004-03-29 11:10:52 AM] CacheFindContext - tmpContext (tree),
contextName(tree)
[2004-03-29 11:10:52 AM] Handling local authentication request.
[2004-03-29 11:10:52 AM] CACHE: CacheReadSecretForNASAddress
(radiusserver.tree), using cache
[2004-03-29 11:10:52 AM] (->)NDSVerifyAttr:NWDSRead
(user.tree,RADIUS:Dial Access Group) succeeded, time:22
[2004-03-29 11:10:52 AM] (->)NWDSCompare:(user.tree) succeeded, time:14
[2004-03-29 11:10:52 AM] (->)NWDSRead(user.tree,RADIUS Enable Attr)
succeeded, time:18
[2004-03-29 11:10:52 AM] User Name: user, User DN: user.tree, Domain: ,
Service Tag:
[2004-03-29 11:10:52 AM] (->)NADMAuthRequest()
[2004-03-29 11:10:52 AM] (->)NADMAuthRequest(user.tree) succeeded,
time:245
[2004-03-29 11:10:52 AM] (->)Authenticate (0 policy, NDS pswd) (for
user.tree), failed, -941 (0xfffffc53)
[2004-03-29 11:10:52 AM] (->)Authentication FAILED
[2004-03-29 11:10:52 AM] ->Sending Access-Reject (3) [(ip) user ip
address(2423)] count=20
[2004-03-29 11:10:52 AM] ->Inserting into RespQ , code(3) id(0).
[2004-03-29 11:10:52 AM] Deleting file "sys:etc\radius\log
\20040322.log", succeeded
[2004-03-29 11:10:52 AM] -------- END : (Access-Request (1)) [(ip) user
ip address:2423]: time:653293535---
"Scott Kiester" <[email protected]> wrote in
news:[email protected]:
> It looks like you're getting farther. You now need to configure a
> login rule for your users. Follow the instructions in TID 10078616.
> You should start at the section titled "Configuring the Login Policy
> Object." Here's a link:
>
> http://support.novell.com/cgi-bin/se...?/10078616.htm
>
>>>> Bryan Diller<[email protected]> 3/24/2004 2:49:19 PM >>>
> Here is the error message from the log
>
> [2004-03-24 03:40:29 PM] Access Rejected
> 10.10.10.10, username, Unable to locate authentication rule
>
>
> Here is the message from the debug screen
>
> (->)NADMAuthRequest()
> (->)NADMAuthRequest(username.tree) succeeded, time:125
> (->)Authenticate (0 policy, NDS pswd) (for username.Tree), failed -941
>
> (0xfffffc53)
> (->)Authenticate FAILED
> -> Sending Access-Reject (3) [(10.10.10.10(1645)] count=20
> ->Inserting into RespQ. code(3) id(8)
>
> -
Hi!
I am installing a new server sles11sp2 with OES11 sp1 and when I run ndsconfig I get this error
from ndsd.log
Jun 26 13:05:34 Successfully started Novell PKI Services
Jun 26 13:05:34 SecurityInstall: Calling pkiInstallSetIdentity . . .
Jun 26 13:05:34 SecurityInstall: Returned from pkiInstallSetIdentity.
Jun 26 13:05:34 SecurityInstall: Calling pkiInstallsetCRLfile . . .
Jun 26 13:05:34 SecurityInstall: Returned from pkiInstallsetCRLfile.
Jun 26 13:05:34 SecurityInstall: Error from pkiInstallGetDistributionPointInfo (-1266).
Jun 26 13:05:46 SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -601; retval = -4).
Configuring Distribution Points for Certificate Revocation List:
Jun 26 13:05:46 An error occurred while configuring product SAS. Error description no such entry.-601
Jun 26 13:05:46 NDSIInstallDSProduct: Returning -601.
Jun 26 13:05:46 DHModuleInit_dsi: Returning -601.
Jun 26 13:05:46 Module dsi is not loaded
What could cause this error?
and how to fix it :-)
more info see here
https://forums.netiq.com/showthread....779#post230779
Br
MatiasThe -1266 error, per iMonitor:
<quote>
-1266 FFFFFB0E PKI E NO IP ADDRESSES
Source
Novell� Certificate Server
Explanation
No IP can be found for the specified server.
IP has not been configured for the specified server.
Possible Cause
IP was not set up or was not configured correctly for the server.
</quote>
Now to be clear, I'm certain this box has IP addresses because they show
up other places in ndsd.log, but if there are networking issues then this
could be related. Also, the fact that this happens when trying to get CRL
DPs makes me wonder if the listing on the object of class
ndspkiCRLConfiguration has DPs listed but they are not resolvable, or
maybe doesn't have them listed at all. My guess, based on the error, is
that this has more to do with something about the DP listed not being
resolvable properly, but it's just a guess. In my non-OES tree this is on
the object below:
..CN=CRL Container.CN=Security.T=MYTREE0
If you look at that object do you see ndspkiDistributionPoints attributes,
and if so what are there values?
Good luck. -
Hi
Netware 6.5, BM 3.8. NMAS 2.2 or 2.3.3.
Some users get authenticated, some not (within the same container). The
das object is associated to the container. The problem affects users from
different containers, etc.
Previous version of Radius (BMAS) worked OK. See the debug log:
[2004-06-08 01:12:56 PM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-06-08 01:13:32 PM] (->)Cacher: NWDSReadObjectInfo
(radius_das2.serveis.sscc.autopistas), succeeded, time:5
[2004-06-08 01:13:58 PM] 290) [(ip) 10.210.207.2:3769], Received 58 Bytes
(Access-Request (1))
[2004-06-08 01:13:58 PM] [(total=290) (p=289) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:13:58 PM] <5> Done GetNextMessage [(ip) 10.210.207.2:3769]:
time:16398177
[2004-06-08 01:13:58 PM] -------- START : (Access-Request (1)) [(ip)
10.210.207.2:3769]: time:-358282289---
[2004-06-08 01:13:58 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:13:58 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:10
[2004-06-08 01:13:58 PM] userName: ojulia
[2004-06-08 01:13:58 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:13:58 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:5
[2004-06-08 01:13:58 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:13:58 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:13
[2004-06-08 01:13:58 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:6
[2004-06-08 01:13:58 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:13:58 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:13:58 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:13:58 PM] (->)NADMAuthRequest()
[2004-06-08 01:13:58 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:53
[2004-06-08 01:13:58 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:13:58 PM] (->)Authentication FAILED
[2004-06-08 01:13:58 PM] ->Sending Access-Reject (3) [(ip) 10.210.207.2
(3769)] count=20
[2004-06-08 01:13:58 PM] ->Inserting into RespQ , code(3) id(136).
[2004-06-08 01:13:58 PM] -------- END : (Access-Request (1)) [(ip)
10.210.207.2:3769]: time:-358282186---
[2004-06-08 01:14:18 PM] Debug logging disabled
[2004-06-08 01:26:46 PM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-06-08 01:26:59 PM] 299) [(ip) 10.200.110.2:3253], Received 48 Bytes
(Access-Request (1))
[2004-06-08 01:26:59 PM] [(total=299) (p=298) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:26:59 PM] <4> Done GetNextMessage [(ip) 10.200.110.2:3253]:
time:1294958
[2004-06-08 01:26:59 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3253]: time:-350470241---
[2004-06-08 01:26:59 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:26:59 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(jsanchem), succeeded, time:10
[2004-06-08 01:26:59 PM] userName: jsanchem
[2004-06-08 01:26:59 PM] userDN: JSANCHEM.Srvinfor.SSCC.Autopistas
[2004-06-08 01:26:59 PM] (->)NDSVerifyAttr:NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:6
[2004-06-08 01:26:59 PM] (->)NWDSCompare:
(JSANCHEM.Srvinfor.SSCC.Autopistas) succeeded, time:3
[2004-06-08 01:26:59 PM] (->)NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:5
[2004-06-08 01:26:59 PM] (->)User "JSANCHEM.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:26:59 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:26:59 PM] User Name: jsanchem, User DN:
JSANCHEM.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:26:59 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:00 PM] (->)NADMAuthRequest
(JSANCHEM.Srvinfor.SSCC.Autopistas) succeeded, time:1714
[2004-06-08 01:27:00 PM] (->)Authenticate (0 policy, NDS pswd) (for
JSANCHEM.Srvinfor.SSCC.Autopistas), succeeded
[2004-06-08 01:27:00 PM] (->)NDSReadData:NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS:Concurre nt Limit) failed, no
such attribute (-603), time:9
[2004-06-08 01:27:00 PM] CACHE: CacheGetConcurrentLimit
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:00 PM] User:JSANCHEM.Srvinfor.SSCC.Autopistas, Current
Login:0, Login Limit:-1, succeeded
[2004-06-08 01:27:00 PM] (->)Authentication SUCCEEDED
[2004-06-08 01:27:00 PM] ->Sending Access-Accept (2) [(ip) 10.200.110.2
(3253)] count=20
[2004-06-08 01:27:00 PM] ->Inserting into RespQ , code(2) id(12).
[2004-06-08 01:27:00 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3253]: time:-350468469---
[2004-06-08 01:27:10 PM] 300) [(ip) 10.200.110.2:3254], Received 46 Bytes
(Access-Request (1))
[2004-06-08 01:27:10 PM] [(total=300) (p=299) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:27:10 PM] <5> Done GetNextMessage [(ip) 10.200.110.2:3254]:
time:1275741
[2004-06-08 01:27:10 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3254]: time:-350361566---
[2004-06-08 01:27:10 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:27:10 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:10
[2004-06-08 01:27:10 PM] userName: ojulia
[2004-06-08 01:27:10 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:27:10 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:5
[2004-06-08 01:27:10 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:27:10 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:3
[2004-06-08 01:27:10 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:4
[2004-06-08 01:27:10 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:27:10 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:27:10 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:27:10 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:11 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:1442
[2004-06-08 01:27:11 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:27:11 PM] (->)Authentication FAILED
[2004-06-08 01:27:11 PM] ->Sending Access-Reject (3) [(ip) 10.200.110.2
(3254)] count=20
[2004-06-08 01:27:11 PM] ->Inserting into RespQ , code(3) id(13).
[2004-06-08 01:27:11 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3254]: time:-350360087---
[2004-06-08 01:27:19 PM] 301) [(ip) 10.200.110.2:3255], Received 46 Bytes
(Access-Request (1))
[2004-06-08 01:27:19 PM] [(total=301) (p=300) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:27:19 PM] <3> Done GetNextMessage [(ip) 10.200.110.2:3255]:
time:1249810
[2004-06-08 01:27:19 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3255]: time:-350277185---
[2004-06-08 01:27:19 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:27:19 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:12
[2004-06-08 01:27:19 PM] userName: ojulia
[2004-06-08 01:27:19 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:27:19 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:6
[2004-06-08 01:27:19 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:27:19 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:42
[2004-06-08 01:27:19 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:7
[2004-06-08 01:27:19 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:27:19 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:27:19 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:27:19 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:19 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:1541
[2004-06-08 01:27:19 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:27:19 PM] (->)Authentication FAILED
[2004-06-08 01:27:19 PM] ->Sending Access-Reject (3) [(ip) 10.200.110.2
(3255)] count=20
[2004-06-08 01:27:19 PM] ->Inserting into RespQ , code(3) id(14).
[2004-06-08 01:27:19 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3255]: time:-350275562---
[2004-06-08 01:27:26 PM] Debug logging disabled
User "jsanchem" logged on OK, user "ojulia" don't. You can see two
attempts of ojulia, one of them wrong password.
Please advice.
Jesus.The -1688 error is an NMAS error, which indicates that the user has reached
their maximum number of concurrent logins. This is not the RADIUS concurrent
login restriction that you're running into, it's the eDirectory concurrent
login restriction. Users who are getting this error already have one or more
eDirectory connections open.
>>> <[email protected]> 6/9/2004 10:44:22 AM >>>
Hi
Netware 6.5, BM 3.8. NMAS 2.2 or 2.3.3.
Some users get authenticated, some not (within the same container). The
das object is associated to the container. The problem affects users from
different containers, etc.
Previous version of Radius (BMAS) worked OK. See the debug log:
[2004-06-08 01:12:56 PM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-06-08 01:13:32 PM] (->)Cacher: NWDSReadObjectInfo
(radius_das2.serveis.sscc.autopistas), succeeded, time:5
[2004-06-08 01:13:58 PM] 290) [(ip) 10.210.207.2:3769], Received 58 Bytes
(Access-Request (1))
[2004-06-08 01:13:58 PM] [(total=290) (p=289) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:13:58 PM] <5> Done GetNextMessage [(ip) 10.210.207.2:3769]:
time:16398177
[2004-06-08 01:13:58 PM] -------- START : (Access-Request (1)) [(ip)
10.210.207.2:3769]: time:-358282289---
[2004-06-08 01:13:58 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:13:58 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:13:58 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:10
[2004-06-08 01:13:58 PM] userName: ojulia
[2004-06-08 01:13:58 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:13:58 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:5
[2004-06-08 01:13:58 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:13:58 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:13
[2004-06-08 01:13:58 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:6
[2004-06-08 01:13:58 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:13:58 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:13:58 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:13:58 PM] (->)NADMAuthRequest()
[2004-06-08 01:13:58 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:53
[2004-06-08 01:13:58 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:13:58 PM] (->)Authentication FAILED
[2004-06-08 01:13:58 PM] ->Sending Access-Reject (3) [(ip) 10.210.207.2
(3769)] count=20
[2004-06-08 01:13:58 PM] ->Inserting into RespQ , code(3) id(136).
[2004-06-08 01:13:58 PM] -------- END : (Access-Request (1)) [(ip)
10.210.207.2:3769]: time:-358282186---
[2004-06-08 01:14:18 PM] Debug logging disabled
[2004-06-08 01:26:46 PM] Debug logging enabled to file
sys:etc\radius\debug\raddbg.log
[2004-06-08 01:26:59 PM] 299) [(ip) 10.200.110.2:3253], Received 48 Bytes
(Access-Request (1))
[2004-06-08 01:26:59 PM] [(total=299) (p=298) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:26:59 PM] <4> Done GetNextMessage [(ip) 10.200.110.2:3253]:
time:1294958
[2004-06-08 01:26:59 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3253]: time:-350470241---
[2004-06-08 01:26:59 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:26:59 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:26:59 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(jsanchem), succeeded, time:10
[2004-06-08 01:26:59 PM] userName: jsanchem
[2004-06-08 01:26:59 PM] userDN: JSANCHEM.Srvinfor.SSCC.Autopistas
[2004-06-08 01:26:59 PM] (->)NDSVerifyAttr:NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:6
[2004-06-08 01:26:59 PM] (->)NWDSCompare:
(JSANCHEM.Srvinfor.SSCC.Autopistas) succeeded, time:3
[2004-06-08 01:26:59 PM] (->)NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:5
[2004-06-08 01:26:59 PM] (->)User "JSANCHEM.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:26:59 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:26:59 PM] User Name: jsanchem, User DN:
JSANCHEM.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:26:59 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:00 PM] (->)NADMAuthRequest
(JSANCHEM.Srvinfor.SSCC.Autopistas) succeeded, time:1714
[2004-06-08 01:27:00 PM] (->)Authenticate (0 policy, NDS pswd) (for
JSANCHEM.Srvinfor.SSCC.Autopistas), succeeded
[2004-06-08 01:27:00 PM] (->)NDSReadData:NWDSRead
(JSANCHEM.Srvinfor.SSCC.Autopistas,RADIUS:Concurre nt Limit) failed, no
such attribute (-603), time:9
[2004-06-08 01:27:00 PM] CACHE: CacheGetConcurrentLimit
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:00 PM] User:JSANCHEM.Srvinfor.SSCC.Autopistas, Current
Login:0, Login Limit:-1, succeeded
[2004-06-08 01:27:00 PM] (->)Authentication SUCCEEDED
[2004-06-08 01:27:00 PM] ->Sending Access-Accept (2) [(ip) 10.200.110.2
(3253)] count=20
[2004-06-08 01:27:00 PM] ->Inserting into RespQ , code(2) id(12).
[2004-06-08 01:27:00 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3253]: time:-350468469---
[2004-06-08 01:27:10 PM] 300) [(ip) 10.200.110.2:3254], Received 46 Bytes
(Access-Request (1))
[2004-06-08 01:27:10 PM] [(total=300) (p=299) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:27:10 PM] <5> Done GetNextMessage [(ip) 10.200.110.2:3254]:
time:1275741
[2004-06-08 01:27:10 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3254]: time:-350361566---
[2004-06-08 01:27:10 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:27:10 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:10 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:10
[2004-06-08 01:27:10 PM] userName: ojulia
[2004-06-08 01:27:10 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:27:10 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:5
[2004-06-08 01:27:10 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:27:10 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:3
[2004-06-08 01:27:10 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:4
[2004-06-08 01:27:10 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:27:10 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:27:10 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:27:10 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:11 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:1442
[2004-06-08 01:27:11 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:27:11 PM] (->)Authentication FAILED
[2004-06-08 01:27:11 PM] ->Sending Access-Reject (3) [(ip) 10.200.110.2
(3254)] count=20
[2004-06-08 01:27:11 PM] ->Inserting into RespQ , code(3) id(13).
[2004-06-08 01:27:11 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3254]: time:-350360087---
[2004-06-08 01:27:19 PM] 301) [(ip) 10.200.110.2:3255], Received 46 Bytes
(Access-Request (1))
[2004-06-08 01:27:19 PM] [(total=301) (p=300) (d=0) (r=0) (acc=0)
(rej=0)]
[2004-06-08 01:27:19 PM] <3> Done GetNextMessage [(ip) 10.200.110.2:3255]:
time:1249810
[2004-06-08 01:27:19 PM] -------- START : (Access-Request (1)) [(ip)
10.200.110.2:3255]: time:-350277185---
[2004-06-08 01:27:19 PM] CACHE: CacheDomainListExist
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-06-08 01:27:19 PM] CACHE: CacheReadSecretForNASAddress
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] CACHE: CacheGetEnableCNLogin
(radius_das2.serveis.sscc.autopistas), using cache
[2004-06-08 01:27:19 PM] (->)CacheGetDNForName:NWDSReadObjectInfo
(ojulia), succeeded, time:12
[2004-06-08 01:27:19 PM] userName: ojulia
[2004-06-08 01:27:19 PM] userDN: OJULIA.Srvinfor.SSCC.Autopistas
[2004-06-08 01:27:19 PM] (->)NDSVerifyAttr:NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS:Dial Access Group) succeeded,
time:6
[2004-06-08 01:27:19 PM] User "OJULIA.Srvinfor.SSCC.Autopistas", does
not have "RADIUS:Dial Access Group" defined, trying
parent "Srvinfor.SSCC.Autopistas"
[2004-06-08 01:27:19 PM] (->)NWDSCompare:(Srvinfor.SSCC.Autopistas)
succeeded, time:42
[2004-06-08 01:27:19 PM] (->)NWDSRead
(OJULIA.Srvinfor.SSCC.Autopistas,RADIUS Enable Attr) failed, no such
attribute (-603), time:7
[2004-06-08 01:27:19 PM] (->)User "OJULIA.Srvinfor.SSCC.Autopistas",
Looking in (Srvinfor.SSCC.Autopistas) for (RADIUS:Enable Dial Access)
[2004-06-08 01:27:19 PM] (->)NWDSRead(Srvinfor.SSCC.Autopistas,RADIUS
Enable Attr) succeeded, time:3
[2004-06-08 01:27:19 PM] User Name: ojulia, User DN:
OJULIA.Srvinfor.SSCC.Autopistas, Domain: , Service Tag:
[2004-06-08 01:27:19 PM] (->)NADMAuthRequest()
[2004-06-08 01:27:19 PM] (->)NADMAuthRequest
(OJULIA.Srvinfor.SSCC.Autopistas) failed, -1688 (0xfffff968), time:1541
[2004-06-08 01:27:19 PM] (->)Authenticate (0 policy, NDS pswd) (for
OJULIA.Srvinfor.SSCC.Autopistas), failed, -1688 (0xfffff968)
[2004-06-08 01:27:19 PM] (->)Authentication FAILED
[2004-06-08 01:27:19 PM] ->Sending Access-Reject (3) [(ip) 10.200.110.2
(3255)] count=20
[2004-06-08 01:27:19 PM] ->Inserting into RespQ , code(3) id(14).
[2004-06-08 01:27:19 PM] -------- END : (Access-Request (1)) [(ip)
10.200.110.2:3255]: time:-350275562---
[2004-06-08 01:27:26 PM] Debug logging disabled
User "jsanchem" logged on OK, user "ojulia" don't. You can see two
attempts of ojulia, one of them wrong password.
Please advice.
Jesus. -
Can I assign diffierent GL to movement type 601(GI) and 459(return to bl ?
dear friends,
we have GL50000 (cost of goods sales) assigned to both movement type 601(goods issue) and 459( transfer posting from return to bloked stock).
My question is :
1. Can I assign different GL to these two types of goods movement?
2. in which configuration can I find movement key , such as 601 behind a transaction, such as goods issue?
Your advice will be deeply appreciated.
Thanks,
LindaHi
Yes, you can assign
The Key for 601 PGI is VAX & VAY
The Key for 459 is is also VAX as per OMJJ... However, you can type ZAX in the place of VAX and assign a diff GL Account in OBYC: GBB-ZAX
Go to OMJJ > Tick Movement type > Enter > Specify the Mvt Type 459 > Enter > CLick on "Account Grouping Tab" on Top Left side
br, Ajay M -
Different "cost of goods sold" for goods issue and return (mov.typ 601/602)
Hello everyone,
I have posted outgoing delivery to the client. During the goods issue posting (HAWA u2013 with Moving Price Control), system took a moving price for this material u2013 letu2019s say 100 EUR. After a month moving price for this particular material has been changed, letu2019s say actual average price is now 120 EUR.
Now when I made return delivery, system took on material document actual moving price 120 EUR. Is there a possibility to change this rule, so each time I will make return delivery system will take price from a document Iu2019m referring to?
Please give me some advice.
MK
Edited by: Maciej Kromolicki on Jun 4, 2008 9:59 PMHi kromolicki
If you have maintained moving avg price for the material in accounting1 tab then , system will pick the price on the avg basis only
Say for example
you have sales order for 10qty
Moving avg price is Rs100/-
system will calculate , the moving avg price on the basis of the quantity. That is why the COGS will vary
Regards
Srinath -
Amount on Goods receipt for return orders is wrong with movement type 653
Hi All, I am sorry if it is a simple question because i am an abap'er.
My requirement is to create return sales order (with ref.to Billing document) and deliver and PGI for the return orders. This should go to sales order stock. Accounting document should be generated for material document and the amount should be picked up from condition type (if man.cond. type exist) else from material master.
1) Created a sales order (Bought in item cat) - Create PO (Non stock) - Receive goods (MIGO) - Create Delivery (VL01N) - PGI (Movement type 601 and special stock indic. 'E') - Create billing document (F2 type from VF01)
So far it is good. The account document is created (PGI - cost of goods) with correct amount as desired
The next scenario is if the material is returned? This is where we are having issues
Created sales order with ref.to billing doc. (S.O: RE. Item.Cat. Return Bought in (YRBI)... this is pretty much same as bought in except few things which are YRBI - Delivered - PGI (Goods returns. unrestricted) Movement type 653 - Problem comes here.
a) If i put special stock indic 'E' in 'Return bought in item.cat - There is no accounting document generated for 653 movement type.
b) if i maintain space instead of 'E' in return bought in item.cat - there is an accounting document but the manual cost is not copied to accounting document and it is picking up from material master which we dont want and The stock is not showing up in sales order.
I did my research (forum, OSS, google, and in help.sap.com) before posting here but no help.
I have checked account assignment categories for 'A' - (some post explained this) I tried changing values but no help.
I even tried changing the schedule line category to DN but no help.
I dont know what i forgot to change or check but i have tried everything what i know and from help from different sources ... still couldnt get it.
Original requirement is to make the return stock as sales order stock and this can also be returned to vendor. If there is a manual cost in return sales order, the PGI accounting document should be created with this condition value else from material master.
My pricing settings are good.
It would be really helpful if any one guide me to configure the process or atleast if anyone tells me what am i missing... .Have a look at any of the following notes:-
1) Note 171989 - Sales-order-related productn: Custmr exit COPCP002
2) Note 520000 - FAQ: Valuated special stocks
3) Note 557582 - User exit and valuated sales order stock
4) Note 580228 - Incorrect prices for materials procured externally
5) Note 983193 - Docu:Externally procurd material in valtd sales order stock
thanks
G. Lakshmipathi -
Returnable packaging in customer consignment process
I have this scenario:
I have returnable packaging (drums) that have been setup as non valuated materials in SAP. The item category in deliveries in YB10.
These drums have serial numbers. Since some maintenance needs to be done on these drums from time to time, therefore, equipment's need to be created for the drums. The equipment number and serial number are the same and the serial number profile is setup in such a way that the equipment is created automatically when the serial number is created
When the drums are in stock, the status is ESTO
Now, in the normal order to cash process, this is what happens:
1) Sales order - order is created for a material
2) Delivery - The drums are added to the delivery along with the material through a packing proposal. A serial number is specified for the drum and the order is PGI'ed to the customer
At this point, the status of the equipment/serial number changes to ECUS
3) Billing - normal billing (drums are billed)
4) Return delivery YBG5 - the empty drum is accepted back into warehouse
After PGR, the status of the serial number changes back to ESTO
During the customer consignment process, this is what is happening:During the consignment fill up when stock goes from warehouse to customer, the status of the serial number is changing to ECUS
During consignment issue, since we can only issue whatever material is there, the same serial number that was used during fill up is being used
However, when we do a delivery against the consignment issue, we are getting an error that the status of the serial number is ECUS and it is not suitable for movement
Since consignment stock is still owned by the company until an consignment issue is done, I am wondering whether SAP is behaving correctly by changing the status of the serial umber to ECUS after the consignment fill up.
Is there a way to use the same serial number in the consignment issue as the consignment fill up?
Please reply urgentlyTry the following
Go to OMWB transaction and simulate the posting using your plant, material and movement type
The simulation will show the standard postings based upon goods movement
E.G. 601 GBB VAX valuation class, account
Identify your accounts assigned to both sides of the posting and then you should be able to re-assign the g/l accounts to the appropriate modifier string within OBYC
Hope it helps
Steve -
Return of Make to order material
Hi Friends,
I configured the make to order scenario and delivered the same material by VL01N and movement type 601 E.
Now can anybody guide me as if this material is returned. What sort of settings do I require to maintain. As I made a return order and trying to return delivery (PGR), but I am getting error as sales order stock E not supported.
Kindly guide me
Thanks in advance
ShaileshDear Shailesh
For return order, you would have created a new schedule line category. If not create it via VOV6 and maintain the movement type 655 there.
By doing so, when you do PGR, the stock will be allocated in a seperate storage location (which also you should have created for quality, in ox09) and you can decide whether these stocks are to be scrapped or can be reused
thanks
G. Lakshmipathi
Maybe you are looking for
-
Letter of Credit treatment in liquidity forecast FF7B
Hi there, My client has a requirement to display letter of credit for import purchase in the liquidity forecast report. My original thought is to treat the L/C as the the noted item using a special G/L indicator, so it can be captured in FF7B. Howeve
-
10.8.4 (server) and windows file sharing problem
Hello This is a clean install of 10.8.4 and server apps not and upgrade of 10.5.8 (This server had a working 10.5.8 server install.... sigh!) AFP, SMB and guest access enabled on all shares Guest sharing enabled in the User accounts in System prefenc
-
Hi, I was given a task of changing the existing query the COPA. I want to aggregate the last three months data into a single month. Any suggestions for doing so. Thanks,
-
How to configure marketing org model in sap crm
Hi Folks, I want to configure my clients marketing,sales organization structure in my SAP CRM system.Currently all these have been replicated from ECC (HR&SD) to CRM and I have to modify, enhance the structure by adding positions and users based on c
-
Macbook Pro won't boot AT ALL with USB HD plugged in
This is a recent problem and I don't know if it's an issue with my external HD or the macbook. I have a Western Digital 500GB MyBook HD that I use for Time Machine. When I reboot my computer with the hard drive plugged in, it hangs endlessly when boo