[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

Hi,
I have many Cisco APs which are linked to 2 Cisco WLCs.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There is no problem between primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have the same error on them...
Why does primary ACS generate this error?
Thanks for your help,
Patrick

Tarik Admani wrote: Amjad, That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup. Thanks, Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

    Hello,
    I am trying to authenticate my server (running an NMS) with a Cisco ISE with the EAP-TLS protocol.
    I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from NMSServer to ISE. The RADIUS shared secret key is the same in both the NMS server and the ISE server.
    Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
    Any pointers or suggestions to overcome this ?

    To login to Prime GUI, the authentication will be done by ISE.
    The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
    Once its done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE.
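
The Message-Authenticator check behind error 11036 in the two threads above, as an added example that is not part of either post and is not Cisco's code: per RFC 3579 the value is HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the 16-octet Message-Authenticator field set to zero while hashing. It is written in Python rather than the Java the poster asked for; the secret, identity and packet are constructed sample values and the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(attr_type, value):
    """Encode one attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, attributes, request_auth=None):
    """Build an Access-Request and sign it with Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(attr(t, v) for t, v in attributes)
    # Placeholder of 16 zero octets; it is the last attribute in this packet.
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    # The final Length must be in the header before the HMAC is computed.
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_message_authenticator(secret, packet):
    """Return 'valid', 'invalid' or 'missing' for a received Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match the datagram")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            value = slice(pos + 2, pos + 18)
            # Hash the packet with the received value replaced by zeros.
            zeroed = packet[:value.start] + bytes(16) + packet[value.stop:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(packet[value], expected)
            return "valid" if ok else "invalid"
        pos += attr_len
    return "missing"


# Constructed sample values, not taken from any device on this page.
SECRET = b"constructed-shared-secret"
IDENTITY = b"nms-server"
EAP_IDENTITY = bytes([2, 1]) + struct.pack("!H", 5 + len(IDENTITY)) + b"\x01" + IDENTITY
REQUEST = build_access_request(
    SECRET, 7, [(USER_NAME, IDENTITY), (EAP_MESSAGE, EAP_IDENTITY)],
    request_auth=bytes(range(16)))

if __name__ == "__main__":
    print(check_message_authenticator(SECRET, REQUEST))                 # same secret
    print(check_message_authenticator(b"secret-with-a-typo", REQUEST))  # mismatch
```

A client that computes the HMAC before writing the final Length, or leaves stale bytes in the field while hashing, fails this check in the same way as a mismatched shared secret.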

  • When trying to launch iTunes it freezes and I get the message: "Authentication Required. To access this site you need to log in to area "100656 on mellor.co. Your password will be sent in the clear." I am unable to enter a uname or password. Please help!!

    When trying to launch iTunes on my PC running Windows 7 it freezes and I get the message: "Authentication Required. To access this site you need to log in to area "100656 on mellor.co. Your password will be sent in the clear." Because iTunes is frozen at this point I am unable to enter a username or password, or in fact do anything. Please help!! I have uninstalled and reinstalled iTunes numerous times as well as attempting all of the fixes that I could find on-line and still no joy.

    That sounds extremely phishy to me... iTunes does not require authentication simply to launch it. I suspect you've got something nasty intercepting network traffic. That server may be set up to log the Apple ID that you enter so it can be used fraudulently. Try ComboFix from Bleeping Computer.
    FWIW the domain mellor.co is registered to an accountants in Knutsford, Cheshire, UK, and produces the same authentication request if visited with a browser. There is no sign of a "real" publicly visible website at that domain which is somewhat odd.
    tt2

  • [svn] 1743: In the process of changing the messaging authentication tests to run over individual channels .

    Revision: 1743
    Author: [email protected]
    Date: 2008-05-15 12:26:11 -0700 (Thu, 15 May 2008)
    Log Message:
    In the process of changing the messaging authentication tests to run over individual channels. Before the tests were just running over the first/default channel in the destination. Now the tests will be hardcoded to run over a particular channel. In this checkin I am removing the existing authentication tests and checking in tests that run over a polling amf channel. Tests for other channels are coming soon.
    Modified Paths:
    blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/messaging-config.mods.xml
    Added Paths:
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/JMSAuthConSubscribeTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/JMSAuthProSendTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/JMSAuthSendSubscribeConstraintTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MessagingAuthConSubscribeTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MessagingAuthProSendTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MessagingAuthSendSubscribeConstraintTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MessagingAuthenticationTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MessagingAuthenticationTest2.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/polling-amf/MultiTopicMessagingAuthConSubscribeTest.mxml
    Removed Paths:
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/JMSAuthConSubscribeTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/JMSAuthProSendTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/JMSAuthSendSubscribeConstraintTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/JMSAuthSendSubscribeConstraintTest_Streaming.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MessagingAuthConSubscribeTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MessagingAuthProSendTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MessagingAuthSendSubscribeConstraintTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MessagingAuthenticationTest.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MessagingAuthenticationTest2.mxml
    blazeds/branches/3.0.x/qa/apps/qa-regress/testsuites/mxunit/tests/messagingService/security/MultiTopicMessagingAuthConSubscribeTest.mxml

    Remember that Arch Arm is a different distribution, but we try to bend the rules and provide limited support for them.  This may or may not be unique to Arch Arm, so you might try asking on their forums as well.

  • Airport keeps giving me the message that I entered an invalid password for my wireless network.

    When I use network preferences to connect wirelessly to my wifi home network and enter the correct password that works on my iPad and other computers, I keep getting the message that I entered an invalid password. I have checked my keychain and made certain the correct password is saved there. Any suggestions?

    It is asking for your security phrase not the router's password, in case you are entering the wrong password. If you are sure you are entering the correct phrase, you can reset your router to factory defaults then set up your security again.

  • I am trying to install Adobe Premiere Elements 9 without success. I successfully installed Photoshop Elements 9 without a problem. The message I am getting is 'Invalid Unicode file - .\Autoplay\LangData\en_US\lang.dat'. Anyone out there who can help pleas

    I am trying to install Adobe Premiere Elements 9 without success. I successfully installed Photoshop Elements 9 without a problem. The message I am getting is 'Invalid Unicode file - .\Autoplay\LangData\en_US\lang.dat'. Anyone out there who can help please?

    click setup, not autoplay.

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in ISE local database, under  group (VENDOR)
    - Authentication protocol : wired  MAB 
    - Authentication method: webauth using guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as a part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine, therefore I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending the RADIUS attribute type 1 to the ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960-X only.

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.

  • Cisco Security Manager Local RBAC Authentication Radius assign user role

    Is it possible to use Cisco Security Manager with local RBAC, authenticate the user to Radius and retrieve it's role from Radius. Getting the authentication to work isn't the problem, but is it also possible to return the role the user has (i.e. Super Admin) via Radius, without having to create all the users one-by-one in the local CSM database with the correct role.
    Can i use a certain Cisco-AV-Pair attribute to return the user role via Radius?

    I just got asked to look at the same situation by one of our security people.
    We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

  • Cisco ACS 4.2.1 authentication problem

    We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.

    Hi there,
    There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
    Also if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
    Let me know if this helps.

  • I changed nothing in my email account but can no longer send emails on my talktalk account and get the message, "authentication required." I am running Mavericks on my MacBook Pro. I can receive messages on talktalk. Can send

    I changed nothing in my email account, talktalk.net, but can no longer send (server's response, "authentication required"). No problem receiving. I am using Mavericks on my MacBook Pro. No problem using Cloud, but I want to use my talktalk account as before the problem.
    I can send and receive using talktalk without any problems using my iPod and iPad.
    I would be most grateful for help - in simple form, please, I am an 80 plus female Mac lover!

    Hello Hazel139,
    I found this in one of the similar posts; hope it helps you.
    X423424X, Re: Problem SENDING email, Jun 17, 2012 1:40 PM (in response to Casanewton):
    The error I see is you did not specify the proper authentication for the smtp server.
    In the Mail preferences for the account, smtp popup, select Edit SMTP Server List.  A sheet will drop down.  Select Advanced tab on that sheet.  You should, I assume, set the Authentication to password, and set the proper username and password.  That's where the poper would be set if 587 is not the one you should be using.  Maybe it is.  I only bring it up since I see it trying to use port 587.
    If you got this stuff already set correctly then I don't know.  Mail has a problem in your setup.  Maybe delete the account and recreate it from scratch.
    https://discussions.apple.com/message/18670442#18670442

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 time a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I hope this helps.

  • When I try to download the latest version of iTunes on my iPod Classic I get the message that "iTunes has an invalid signature" and that "Content was blocked because it was not signed by a valid security certificate.  Anyone know how to fix this?

    When I try to download the latest version of iTunes from apple.com, I get the message "Content was blocked because it was not signed by a valid security certificate." When I open iTunes and try to download the latest version there, I get the message "iTunes has an invalid signature.  The download has been removed."  I have also gotten an Internet Script Error stating that an error has occurred in Line 0, Char O and that "Access is denied to images.apple.com/global/scripts/lib/iepngfix.htc."  This problem has never occurred with earlier versions of iTunes.  Anyone know how to fix this problem?

    Are you downloading iTunes from an Apple website or somewhere else? If the answer is somewhere else, try downloading it from Apple. Click on iTunes in the black menu bar above and go from there.
    Let us know what happens.

  • System log query is flooded with the message.. WindowServer[]: WSSetTrackingAreaEnabled : Invalid tracking area

    Hello apple community (: quick question
    my system log query is flooded with the message..
    "8/29/14 12:10:12.258 PM WindowServer[176]: WSSetTrackingAreaEnabled : Invalid tracking area 0x61000089f220"
    It has shown up after I ran Mavericks Cache Cleaner to clean my computer. In my Activity Log, WindowServer[176] is taking up anywhere from 5 - 20 CPU at a time (maybe more, I haven't watched it for too long).
    What do I do to fix this? I recently updated to OS X and I haven't paid attention to the errors until now (I'm an idiot, I know..) so I don't exactly know when it all started happening. Sorry all, just hoping someone will have an idea.
    -Ali

    What functional problem do you have, if any? Log messages are not a problem in themselves.

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with the ID-56, but this ID is not listed in the Authorization Profiles--> Radius Attributes-->select Part.
    But it is listed under system-administration->Configuration-->dictionaries-->Protocols->Radius--> Radius IETF
    Can somebody tell me how I can select this attribute under Authorization Profiles--> Radius Attributes-->select Part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html
