CHARM: SDHF_04 auths failure

Similar Messages

• ISE - Periodic Dynamic Auth Failures

  I am running into an issue where I get a handful of Dynamic Auth Failure errors in ISE. In the results it's showing a CoANAK and the error cause is 200. In the steps it's showing:
  11204 Received reauthenticate request
  11220 Prepared the reauthenticate request
  11100 RADIUS-Client about to send request
  11101 RADIUS-Client received response
  Which shows successful communications between ISE and the NAD. When I look at the logs for Radius Authentication for one of the hosts I see it pass MAB with one session ID then Dynamic Auth CoA Fail then pass dot1x with a different session ID.
  I was reading up on the Dynamic Auth RFC (http://tools.ietf.org/html/rfc5176) and in Section 3.5 it states:
  "Values 200-299 represent successful completion, so that these values may only be sent within CoA-ACK or Disconnect-ACK packets and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet."
  Am I missing something here? Is anyone else having this issue?

  All Cisco Phones. Switches are 4510's running 03.02.03
  Here's a sample port config:
  interface GigabitEthernetX/X/X
  switchport access vlan XX
  switchport mode access
  switchport voice vlan XX
  srr-queue bandwidth share 10 10 60 20
  queue-set 2
  priority-queue out
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust device cisco-phone
  mls qos trust cos
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  spanning-tree guard root
  service-policy input AutoQoS-Police-CiscoPhone
  end
  No I don't see multiple session id's for the same user. We are using EAP-TLS and cert auth.
  Server keys are good. I've debugged a couple of these. Only thing I could find was the session ID is different between mab and dot1x.

• AUTH FAILURE.problem

  I use the following command to install OC4J 10g standalone but got error
  how to fix it?
  I haven't installed J2SE SDK as i discover jdevstudio have it
  i configure global environment variable in right click my computer
  as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
  cmd still do not have java command, when i use the full link following
  i do not know username or password , then i read some blog use oc4jadmin
  to set password , but failed, how to install it?
  C:\OC4J10g\j2ee\home>C:\jdevstudio10133\jdk\bin\java -jar jazn.jar -activateAdmi
  n adminpassword
  AbstractLoginModule username: oc4jadmin
  AbstractLoginModule password:
  2008年6月26日 下午07:06:07 oracle.security.jazn.spi.xml.XMLRealmUser authenticate
  information: User(jazn.com/oc4jadmin) is deactivated. AUTH FAILURE.
  2008年6月26日 下午07:06:07 oracle.security.jazn.login.module.RealmLoginModule au
  thenticate
  Serious: [RealmLoginModule] authentication failed
  Authentication Failed

  i configure global environment variable in right
  click my computer
  as JAVA_HOME = C:\jdevstudio10133\jdk\bin\
  JAVA_HOME should be one level up before "bin"
  BTW I think you posted this on the wrong forum .

• System wide auth failure

  How do I log into my administrative account via terminal and then use the password command to change my password to fix a system wide auth failure?

  HI,
  I'm not sure how to do this using Terminal, but you can change the admin password using your instal disk.
  To reset the administrator password using the Mac OS X Install disc:
  Insert the Mac OS X Install disc and restart the computer.
  When you hear the startup tone, press and hold down the C key until you see the spinning gear.
  When the Language Chooser appears, select your language and click Continue.
  In the Installer, choose Utilities > Reset Password.
  Follow the onscreen instructions to change the password.
  Be sure to change your login keychain password in Keychain Access to match your new account password so your keychain is unlocked when you log in.
  I did find this thread re: Using Terminal to change the admin password.
  http://forums.macosxhints.com/archive/index.php/t-6906.html
  Carolyn

• Prime 2.0: User Auth Failure Count

  Hello
  In Prime 2.0, on the Home page> General, you can view dashlets showing various bits of information.
  One of those available is User Auth Failure Count and I am trying to establish what this table is showing me and if I can get this information out of Prime in a CSV format for example, in order to do some correlation with RADIUS logs.
  I want to establish whether the users being reported as having an auth failure are actually managing to get onto the network eventually, or whether we have an authentication problem we need to tackle.
  The only reference in Cisco documentation I have found to date says the following, which is not helpful to me:
  "User Auth Failure Count
  This dashlet displays a chart which shows user authentication failure count trend over time.  "
  Does anyone know if this information is exportable somehow?
  thanks
  Bryn

  Hi Scott
  I agree with your point that the historical data is available via MSE, but I now come round to my first question, which is how do I get to the data from Prime?
  I cannot find a report to run to get the Failed Auth User Count data, although it must be there for the information to be populating the dashlet
  I think I will have to try our Cisco contact
  thanks
  Bryn

• Auth Failure Traps

  After i changed snmp strings on our network devices , I see a list of devices with Auth Failure Traps on Syslog server.
  Ive check the snmp credential strings on CW for each device and they're correct.
  This is the error message on my syslog server:
  mm-dd-yyyy    11:23:16    Local0.Info    10.1.1.1    10.1.1.2.150 4 0  Authentication failure 10.1.1.254(CiscoWorks) 1 10.1.1.254(CiscoWorks)
  This message wasnt there before i re-new the snmp community string. After I chnage the snmp string on my routers and switches, I a lots of traps on my syslog server.
  How can I stop this?
  Thank you for your help
  Thanks

  Hi Joe,
  The root cause of authentication failure messages was due to dfmserver. When I stop it, the message disappeared.
  Process:
  DfmServer
  Path:
  C:\PROGRA~1\CSCOpx\objects\smarts\bin\CS_sm_server.exe
  Flags:
  Startup:
  Started automatically at boot.
  Dependencies:
  DfmBroker
  Before applying the patch, when I shutdown dfmserver, I could still see the polling. After applying the patch, the polling stop.
  There are only 2 patches for DFM. I have also applied fix CSCta56151.
  Patches installed
  Patch Name
  Version
  Installed Date
  CSCtb87449-0
  0
  02 Mar 2010, 11:28:07 WST
  CSCta56151-0
  0
  04 Mar 2010, 14:18:46 WST
  Any more tips Joe?

• Pound sign (#) in auth failure in BI

  We get a pound sign in an RSSM trace of an auth failure.  It is related to a profit center hierarchy.
  When we grant a different hierarchy, there is no auth failure, but the pound sign still shows up in the trace, just with a green light.
  What might cause this?  Is it wise to grant the pound sign, or does it signify a data problem?

  Hello,
  Pound sign minds unassigned hierarchie value.
  The value displayed on the report cannot be assigned to a hierarchie node.
  If the light is green : No problem
  Did you read the following guide : How Tou2026 Work With Hierarchy Authorizations.pdf ?
  Hope this helps

• DirectoryService reports mysterious auth failures

  My console log is full of log messages like ones included below. I would love to know where they come from, so I can fix whatever is wrong.
  I don't think that there is someone trying to break in, as I don't see corresponding failed ssh connections, or any errors in the afp / smb logs. I do see some break in attempts over ssh, but they don't correspond to the events / names reported for these errors in the console. The user names below also only match local users, and if this had been break in attempts, I wouldn't expect them to know the exact names of all my users. I also don't think that this problem is caused by the connecting LAN clients, as I also see the error for the admin & root accounts.
  To me it seems that some local service / facility is not configured correctly, but I'm at loss as to how to track this down.
  I'm running Mac OS X Server 10.4.3, and have the following things enabled:
  ssh, ard, afp, smb, httpd+webdav (for iCal sharing).
  ===============================================
  Nov 22 15:21:33 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
  Nov 22 15:26:10 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
  Nov 22 17:38:59 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
  Nov 22 17:45:19 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
  Nov 22 17:48:04 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
  Nov 22 17:50:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
  Nov 22 17:52:27 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
  Nov 22 17:54:38 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
  Nov 22 17:56:50 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
  Nov 22 17:59:02 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
  Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
  Nov 22 18:53:47 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
  Nov 22 22:34:15 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
  Nov 22 23:33:35 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
  Nov 22 23:41:23 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
  Nov 22 23:44:28 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: joar.
  Nov 22 23:47:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: david.
  Nov 22 23:50:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: johan.
  Nov 22 23:52:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: fredrika.
  Nov 22 23:54:32 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: tove.
  Nov 22 23:56:36 server DirectoryService[41]: Failed Authentication return is being delayed due to over five recent auth failures for username: mikael.
    Mac OS X (10.4.3)  

  Hi,
  I've seen this as well and I think the cause is someone trying to use either Server Admin or Server Monitor without the correct credentials on that server.
  I haven't verified this, but I had a colleague reenter the username and password in both of these programs on his machine and the messages went away on the server.
  Hope that helps.
  Kevin Anderson
  Fairbanks School District
  Fairbanks, Alaska
  20 in iMac G5   Mac OS X (10.4.3)   Many, many Xserves

• ISE 1.2 EAP Chaining and Windows 8 - Auth failures

  Hi All,
  I've got a couple sites that appear to have issues with EAP chaining, ISE 1.2 and Anyconnect client on windows 8 enterprise.
  Basically the windows 8 machines authenticate intermittently and randomly but largely fail auth. 
  Often the client will work perfectly for a boot even after a few reboots etc and then might stop working.  Other clients won't work at all no mater what settings you configure.
  Outer Method - EAP-FASTv2
  Inner Method - MSChapV2
  ISE 1.2 with Patch 1 (latest)
  Windows 8 Enterprise - with patch http://support.microsoft.com/kb/2743127
  Anyconnect Client  3.1.0466 (latest)
  Machine and User Auth Against AD.
  Cert checks disabled for testing.
  Clients using same configuration.xml file
  Symptom is Anyconnect prompts for username / password instead of using existing credentials.  Typing credentials doesn't work.
  Logs show failed "anonymous" authentications or client EAP timeouts.
  Cheers
  Peter.

  Hi Peter,
  It sounds like the Inner Method is not being negotitated properly so its only reading the Outer Method which by default is set to show "Anonymous" in AnyConnect Profiles.
  Is it possible to upload a PDF version or copy paste the output of the failure from ISE's perspective?
  Kind Regards,
  Vlad

• ':' in SQL Format causes analysis auth failure

  Hi,
  When running a SEM-BPS planning folder it fails due to analysis authorisation errors. On doing a trace it fails as the SQL Format has PLANT = ':' and SALESORG = ':'. These values are not within the analysis auths set-up.
  Talking to the SEM-BPS person here they don't know how those got into the query.
  Any ideas how we can get round this?
  Thanks,
  Nick.

  hello,
  does oracle showing any errors in user_scheduler_job_run_details for this job ? I would advise try inserting some debug statement to identify where exactly its stuck. Also please check sample configurations syntax for user_scheduler_jobs.
  Cheers
  Sush

• Client Auth failure:SSLException Received fatal alert: bad_certificate

  Friends,
  I have managed to establish a one -way https connection between the client and the tomcat-server by keeping the client-Authentication=false
  <Connector
  enableLookups="true"
  port="8443"
  scheme="https"
  secure="true"
  maxProcessors="75"
  debug="0"
  clientAuth="false"
  keystorePass="arps3241"
  keystoreFile="/usr/local/tomcat/bin/arps-dev.keystore"
  className="org.apache.coyote.tomcat5.CoyoteConnector"
            minProcessors="5"
  sslProtocol="TLS">
  </Connector>
  . However , when i switch- 'on' the client-Authetication parameter i.e.clientAuth="true" in the server.xml for 2 way trust, I get the following error :-
  javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1584)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:866)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
       at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
       at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
  Can any body please guide me?

  The server's truststore doesn't trust or possibly even recognize the client's certificate which came from the client's keystore.

• 10.[4-5] Supplicant does not update stored password on dot1x auth failures.

  Hello All,
  Here's a problem that is making me insane.
  If you use dot1x authentication at your site and your users store their password in their keychain and the password changes (via helpdesk, one-time password, or whatever) the next time the client attempts to connect and the authentication fails, the supplicant in 10.4-5 doesn't offer any dialog for the user to enter a new password and update the entry in the keychain.
  On 10.4: Manually clear out the keychain entry for the SSID in question.
  On 10.5: The key doesn't appear in the keychain (dumb) and you have to deactivate/reactivate the interface and hope it clears out the saved password.
  Does anyone know if there are any tweaks that can be done via command line for the eapolclient to work properly instead of just leaving users in the enterprise dead or confused?
  --tk

  Actually I have your book already! Thanks so much for taking the time to write it. I'm a long time Oracle DBA, but I had a hard time with JDeveloper before your book came along. I'm working through it as we speak. Congrats to all at Oracle...for all the hard work on Fusion and ADF. What incredible power in these products and your book started me off and gave me a giant head-start. Great Book!!! Thanks again, Don

• Irregular failure to authenticate OpenDirectory users via password-based ssh

  TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh). 
  I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10.  I archived the OD config on the Xserve and then took it offline.  Then I brought the Mini online using the same hostname/IP address, created a new OD master using the archived configuration.  Everything seemed to work well, however sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp.  This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernable reason). 
  The failures are only for password authentication using ssh.  Other mechanisms do not exhibit the auth failures.  For instance, AFP and SMB user auth never fails (with proper credentials).  Nor do users to a FileMaker Server machine that authenticate via the OD server have problems.  Public key based ssh authentication never fails.  Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
  The failures are irregular.  The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again.  That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range.  Sometimes that time range lasts seconds, sometimes it lasts hours.
  The time range failure pattern is host specific.  For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines.  If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
  The failure pattern does not seem to correlate to any other events or activity on the server (even remotely).  CPU utilization never gets above about 15%.  Memory utilization is similarly very low.  Network traffic is occasionally high, but it does not seem in any way related to the auth failures.  There are not other log messages that occur before or after the failures with any consistency.
  I've been monitoring the auth failures by attempting to login to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users). 
  The adaptive firewall is not running on the OD server.  Nor is any other firewall.
  Below are a comparison of the system.log entries for a failed and successful auth (I've stripped out those lines that are identical in both instances).  The log entries have been sanatized as described.
  Rebooting the OD server does not affect the bound clients' authentication.  Rebooting the OD server is problematic, and I cannot do it often.  When I do, sometimes failures start soon after reboot, and sometimes that don't come back for many hours - again, no discernable pattern.
  If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it.  Note that I'm aware that I can export all users and group and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logisitcal problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
  Thanks for reading.
  First failure:
      Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
      Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
      Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
      Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
  Now successful auth:
      Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
      Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
      Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
      Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
     Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
  I've sanitized the entries as follows, replacing...
  My username by myusername
  The ssh source host IP address by 10.50.50.99
  The ssh source hostname by clienthost.myorg.gov
  The server hostname by odserver.myorg.gov
  The server hostname (in caps) by ODSERVER.MYORG.GOV
  The server IP address by 10.50.50.50

  Hello James,
  I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization auth-proxy default group tacacs+ local
  aaa session-id common
  ip auth-proxy name AUTHPROXY http inactivity-time 60
  interface FastEthernet0/0
  ip address 192.168.250.19 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.200.120 255.255.255.0
  ip access-group 110 in
  ip nat inside
  ip virtual-reassembly
  ip auth-proxy AUTHPROXY
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 192.168.250.1
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip nat inside source list nat interface FastEthernet0/0 overload
  ip access-list extended nat
  permit ip 192.168.200.0 0.0.0.255 any
  access-list 110 permit ip any any
  tacacs-server host 192.168.250.20
  tacacs-server key cisco123
  end
  Please check if the commands are supported on your router as well.
  If this ws helpful please rate.
  Regards.

• WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

  Hi there,
  Is it possibe to use sleeping clients when using ISE and CWA?
  I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
  Or is the only solution to use LWA?

  Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
  And your users will be connected all this time even if they going in sleepmode
  be carefull with CPU loading

• TACACS auth and RADIUS accounting with ACS

  I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

  Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
  Server Group - RADIUS
  Protocol - RADIUS
  Accounting Mode - Simultaneous
  Reactivation Mode - Timed
  Max Failed attempts - 3
  Two servers in the Server Group
  ACS - Not working
  Microsoft IAS - Working
  I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
  ACS is configured as follows
  Network Configuration
  AAA Clients - ASA authenticate using TACACS+
  AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)